diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index b2c5bf3..6c1fe19 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,5 @@
+- Move domain, files, and corecommands modules to kernel
+  layer to resolve some layering inconsistencies.
 - Move policy build options out of Makefile into build.conf.
 - Add yppasswd to nis module.
 - Change optional_policy() to refer to the module name
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
new file mode 100644
index 0000000..8fca398
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -0,0 +1,202 @@
+
+#
+# /bin
+#
+/bin(/.*)?				gen_context(system_u:object_r:bin_t,s0)
+/bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/ls				--	gen_context(system_u:object_r:ls_exec_t,s0)
+/bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+
+#
+# /dev
+#
+/dev/MAKEDEV			--	gen_context(system_u:object_r:sbin_t,s0)
+
+#
+# /emul
+#
+ifdef(`distro_redhat',`
+/emul/ia32-linux/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
+/emul/ia32-linux/usr(/.*)?/bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)?	gen_context(system_u:object_r:sbin_t,s0)
+/emul/ia32-linux/usr/libexec(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /etc
+#
+/etc/hotplug/.*agent		--	gen_context(system_u:object_r:sbin_t,s0)
+/etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:sbin_t,s0)
+/etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:sbin_t,s0)
+/etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:sbin_t,s0)
+
+/etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:sbin_t,s0)
+
+/etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
+
+/etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xinit(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_debian',`
+/etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`targeted_policy',`
+/etc/X11/prefdm			--	gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /lib
+#
+
+ifdef(`distro_gentoo',`
+/lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /sbin
+#
+/sbin(/.*)?				gen_context(system_u:object_r:sbin_t,s0)
+/sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:sbin_t,s0)
+/sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:sbin_t,s0)
+
+#
+# /opt
+#
+/opt(/.*)?/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+/opt(/.*)?/libexec(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
+/opt(/.*)?/sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
+
+#
+# /usr
+#
+/usr(/.*)?/Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+/usr(/.*)?/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+/usr(/.*)?/sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
+
+/usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+# these two lines are separate because of a
+# sorting issue with the java module
+/usr/lib/jvm/java.*/bin -d		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/jvm/java.*/bin/.*		gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/filter/.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ipsec/.*		--	gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/news/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/debug/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/debug/sbin(/.*)? --	gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/debug/usr/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/debug/usr/sbin(/.*)? --	gen_context(system_u:object_r:sbin_t,s0)
+
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
+
+/usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:sbin_t,s0)
+
+/usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+
+/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+
+/usr/X11R6/lib/X11/xkb/xkbcomp	--	gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_gentoo', `
+/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`distro_redhat', `
+/usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/rhn/rhn_applet/needed-packages\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-language/system-config-language -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-lvm/system-config-lvm.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-mouse/system-config-mouse -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/system-config-netboot\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/pxeos\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/pxeboot\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-users/system-config-users -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-logviewer/system-logviewer\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`distro_suse', `
+/usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ssh/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /var
+#
+/var/mailman/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+/var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/var/ftp/bin/ls			--	gen_context(system_u:object_r:ls_exec_t,s0)
+
+/usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
+')
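Review bot: The entry `/usr/share/system-config-lvm/system-config-lvm.py` leaves the dot unescaped, unlike every neighbouring `\.py` pattern, so it matches any character in that position rather than a literal dot; change it to `/usr/share/system-config-lvm/system-config-lvm\.py -- gen_context(system_u:object_r:bin_t,s0)`. The `/usr/lib/yp/.+` entry sits under the `# /var` heading between the ftp and samba entries; it belongs in the /usr section next to the other `/usr/lib` lines so the file's path ordering stays navigable. A few lines (the `/emul/ia32-linux/usr(/.*)?/Bin` entry, the hotplug `rc` entry, the netplug entry and the `/usr/local/lib(64)?/ipsec` entry) carry stray spaces inside the tab columns, which is harmless but breaks the file's alignment convention.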
diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if
new file mode 100644
index 0000000..0033679
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corecommands.if
@@ -0,0 +1,569 @@
+## <summary>
+## Core policy for shells, and generic programs
+## in /bin, /sbin, /usr/bin, and /usr/sbin.
+## </summary>
+## <required val="true">
+##	Contains the base bin and sbin directory types
+##	which need to be searched for the kernel to
+##	run init.
+## </required>
+
+########################################
+## <summary>
+##	Create a aliased type to generic bin files.
+## </summary>
+## <desc>
+##	<p>
+##	Create a aliased type to generic bin files.
+##	</p>
+##	<p>
+##	This is added to support targeted policy.  Its
+##	use should be limited.  It has no effect
+##	on the strict policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Alias type for bin_t.
+## </param>
+interface(`corecmd_bin_alias',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type bin_t;
+		')
+
+		typealias bin_t alias $1;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')
+
+########################################
+## <summary>
+##	Make the shell an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+##	The domain for which the shell is an entrypoint.
+## </param>
+interface(`corecmd_shell_entry_type',`
+	gen_require(`
+		type shell_exec_t;
+	')
+
+	domain_entry_file($1,shell_exec_t)
+')
+
+########################################
+#
+# corecmd_search_bin(domain)
+#
+interface(`corecmd_search_bin',`
+	gen_require(`
+		type bin_t;
+		class dir search;
+	')
+
+	allow $1 bin_t:dir search;
+')
+
+########################################
+#
+# corecmd_list_bin(domain)
+#
+interface(`corecmd_list_bin',`
+	gen_require(`
+		type bin_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of files in bin directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_getattr_bin_file',`
+	gen_require(`
+		type bin_t;
+		class file getattr;
+	')
+
+	allow $1 bin_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read files in bin directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_bin_file',`
+	gen_require(`
+		type bin_t;
+		class dir search;
+		class file r_file_perms;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in bin directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_bin_symlink',`
+	gen_require(`
+		type bin_t;
+		class dir search;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read pipes in bin directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_bin_pipe',`
+	gen_require(`
+		type bin_t;
+		class dir search;
+		class fifo_file r_file_perms;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read named sockets in bin directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_bin_socket',`
+	gen_require(`
+		type bin_t;
+		class dir search;
+		class sock_file r_file_perms;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:sock_file r_file_perms;
+')
+
+########################################
+#
+# corecmd_exec_bin(domain)
+#
+interface(`corecmd_exec_bin',`
+	gen_require(`
+		type bin_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file r_file_perms;
+	can_exec($1,bin_t)
+
+')
+
+########################################
+## <summary>
+##	Execute a file in a bin directory
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file in a bin directory
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	the ssh-agent policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="target_domain">
+##	The type of the new process.
+## </param>
+#
+interface(`corecmd_bin_domtrans',`
+	gen_require(`
+		type bin_t;
+		class dir search;
+		class lnk_file { getattr read };
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:lnk_file { getattr read };
+
+	domain_auto_trans($1,bin_t,$2)
+')
+
+########################################
+#
+# corecmd_search_sbin(domain)
+#
+interface(`corecmd_search_sbin',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	sbin directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`corecmd_dontaudit_search_sbin',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	dontaudit $1 sbin_t:dir search_dir_perms;
+')
+
+########################################
+#
+# corecmd_list_sbin(domain)
+#
+interface(`corecmd_list_sbin',`
+	gen_require(`
+		type sbin_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 sbin_t:dir r_dir_perms;
+')
+
+########################################
+#
+# corecmd_getattr_sbin_file(domain)
+#
+interface(`corecmd_getattr_sbin_file',`
+	gen_require(`
+		type sbin_t;
+		class file getattr;
+	')
+
+	allow $1 sbin_t:file getattr;
+')
+
+########################################
+#
+# corecmd_dontaudit_getattr_sbin_file(domain)
+#
+interface(`corecmd_dontaudit_getattr_sbin_file',`
+	gen_require(`
+		type sbin_t;
+		class file getattr;
+	')
+
+	dontaudit $1 sbin_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read files in sbin directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_sbin_file',`
+	gen_require(`
+		type sbin_t;
+		class dir search;
+		class file r_file_perms;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in sbin directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_sbin_symlink',`
+	gen_require(`
+		type sbin_t;
+		class dir search;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read named pipes in sbin directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_sbin_pipe',`
+	gen_require(`
+		type sbin_t;
+		class dir search;
+		class fifo_file r_file_perms;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read named sockets in sbin directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_sbin_socket',`
+	gen_require(`
+		type sbin_t;
+		class dir search;
+		class sock_file r_file_perms;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:sock_file r_file_perms;
+')
+
+########################################
+#
+# corecmd_exec_sbin(domain)
+#
+interface(`corecmd_exec_sbin',`
+	gen_require(`
+		type sbin_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 sbin_t:dir r_dir_perms;
+	allow $1 sbin_t:lnk_file r_file_perms;
+	can_exec($1,sbin_t)
+
+')
+
+########################################
+## <summary>
+##	Execute a file in a sbin directory
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file in a sbin directory
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	the ssh-agent policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="target_domain">
+##	The type of the new process.
+## </param>
+#
+interface(`corecmd_sbin_domtrans',`
+	gen_require(`
+		type sbin_t;
+		class dir search;
+		class lnk_file { getattr read };
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:lnk_file { getattr read };
+
+	domain_auto_trans($1,sbin_t,$2)
+')
+
+########################################
+## <summary>
+##	Check if a shell is executable (DAC-wise).
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_check_exec_shell',`
+	gen_require(`
+		type bin_t, shell_exec_t;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file r_file_perms;
+	allow $1 shell_exec_t:file execute;
+')
+
+########################################
+#
+# corecmd_exec_shell(domain)
+#
+interface(`corecmd_exec_shell',`
+	gen_require(`
+		type bin_t, shell_exec_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file r_file_perms;
+	can_exec($1,shell_exec_t)
+')
+
+########################################
+#
+# corecmd_exec_ls(domain)
+#
+interface(`corecmd_exec_ls',`
+	gen_require(`
+		type bin_t, ls_exec_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file r_file_perms;
+	can_exec($1,ls_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a shell in the target domain.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Execute a shell in the target domain.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="target_domain">
+##	The type of the shell process.
+## </param>
+#
+interface(`corecmd_shell_spec_domtrans',`
+	gen_require(`
+		type bin_t, shell_exec_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file r_file_perms;
+
+	domain_trans($1,shell_exec_t,$2)
+')
+
+########################################
+## <summary>
+##	Execute a shell in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a shell in the specified domain.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="target_domain">
+##	The type of the shell process.
+## </param>
+#
+interface(`corecmd_shell_domtrans',`
+	gen_require(`
+		type shell_exec_t;
+	')
+
+	corecmd_shell_spec_domtrans($1,$2)
+	type_transition $1 shell_exec_t:process $2;
+')
+
+########################################
+#
+# corecmd_exec_chroot(domain)
+#
+interface(`corecmd_exec_chroot',`
+	gen_require(`
+		type chroot_exec_t;
+		class capability sys_chroot;
+	')
+
+	can_exec($1,chroot_exec_t)
+	allow $1 self:capability sys_chroot;
+')
+
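Review bot: corecmd_exec_chroot grants `allow $1 self:capability sys_chroot;` together with `can_exec($1,chroot_exec_t)`, so any domain that only needs to run the chroot binary also receives CAP_SYS_CHROOT; an exec interface should stay an exec interface, with the capability granted by the caller, or at minimum the interface needs a `## <summary>` block stating that it also grants the capability. corecmd_check_exec_shell's summary "Check if a shell is executable (DAC-wise)" misdescribes `allow $1 shell_exec_t:file execute;`, which is the MAC `execute` permission (as far as I can tell, what access(2) X_OK and PROT_EXEC mappings are checked against, with exec itself still needing execute_no_trans or an entrypoint); suggest `##	Allow the file execute permission on shells without permitting them to be run (e.g. for access(2) checks).` About half the interfaces (corecmd_search_bin, corecmd_list_bin, corecmd_exec_bin, corecmd_search_sbin, corecmd_list_sbin, corecmd_getattr_sbin_file, corecmd_dontaudit_getattr_sbin_file, corecmd_exec_sbin, corecmd_exec_shell, corecmd_exec_ls, corecmd_exec_chroot) still carry the old `# name(domain)` comment instead of the XML summary/param block used by the rest of the file. corecmd_search_bin requires `class dir search` while its sibling corecmd_search_sbin uses `search_dir_perms` with no class require; the two should use the same permission set and require style.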
diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te
new file mode 100644
index 0000000..2dde3dc
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corecommands.te
@@ -0,0 +1,37 @@
+
+policy_module(corecommands,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+#
+# bin_t is the type of files in the system bin directories.
+#
+type bin_t;
+files_type(bin_t)
+
+#
+# sbin_t is the type of files in the system sbin directories.
+#
+type sbin_t;
+files_type(sbin_t)
+
+#
+# ls_exec_t is the type of the ls program.
+#
+type ls_exec_t;
+files_type(ls_exec_t)
+
+#cjp: temp
+typeattribute ls_exec_t entry_type;
+
+#
+# shell_exec_t is the type of user shells such as /bin/bash.
+#
+type shell_exec_t;
+files_type(shell_exec_t)
+
+type chroot_exec_t;
+files_type(chroot_exec_t)
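Review bot: The `#cjp: temp` marker on `typeattribute ls_exec_t entry_type;` gives no reason why ls_exec_t is made an entry point directly instead of through domain_entry_file() for a specific domain, nor what condition would let the line be removed; suggest `# TODO(cjp): ls_exec_t is marked entry_type directly because <reason>; drop once <condition>.` chroot_exec_t is declared here and consumed by corecmd_exec_chroot, but nothing in the new corecommands.fc labels a file with it, so unless another module's file contexts assign it the type is unreachable on disk; the declaration also lacks the descriptive comment the other four types carry, e.g. `# chroot_exec_t is the type of the chroot program (presumably; no .fc entry yet).`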
diff --git a/refpolicy/policy/modules/kernel/domain.fc b/refpolicy/policy/modules/kernel/domain.fc
new file mode 100644
index 0000000..7be4ddf
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/domain.fc
@@ -0,0 +1 @@
+# This module currently does not have any file contexts.
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
new file mode 100644
index 0000000..78f2d87
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -0,0 +1,1095 @@
+## <summary>Core policy for domains.</summary>
+## <required val="true">
+##	Contains the concept of a domain.
+## </required>
+
+########################################
+## <summary>
+##	Make the specified type usable as a basic domain.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable as a basic domain.
+##	</p>
+##	<p>
+##	This is primarily used for kernel threads;
+##	generally the domain_type() interface is
+##	more appropriate for userland processes.
+##	</p>
+## </desc>
+## <param name="type">
+##	Type to be used as a basic domain type.
+## </param>
+#
+interface(`domain_base_type',`
+	gen_require(`
+		attribute domain;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+		class file rw_file_perms;
+		class process { fork sigchld };
+	')
+
+	# mark as a domain
+	typeattribute $1 domain;
+
+	# allow the domain to read its /proc/pid entries
+	allow $1 self:dir r_dir_perms;
+	allow $1 self:lnk_file r_file_perms;
+	allow $1 self:file rw_file_perms;
+
+	# allow $1 to create child processes in this domain
+	allow $1 self:process { fork sigchld };
+
+	ifdef(`targeted_policy',`
+		tunable_policy(`allow_execmem',`
+			allow $1 self:process execmem;
+		')
+
+		# FIXME:
+		# hack until role dominance is fixed in
+		# the module compiler
+		role secadm_r types $1;
+		role sysadm_r types $1;
+		role user_r types $1;
+		role staff_r types $1;
+	')
+')
+
+########################################
+## <summary>
+##	Make the specified type usable as a domain.
+## </summary>
+## <param name="type">
+##	Type to be used as a domain type.
+## </param>
+#
+interface(`domain_type',`
+	# start with basic domain
+	domain_base_type($1)
+
+	# Use trusted objects in /dev
+	dev_rw_null_dev($1)
+	dev_rw_zero_dev($1)
+	term_use_controlling_term($1)
+
+	# read the root directory
+	files_list_root($1)
+
+	# send init a sigchld and signull
+	init_sigchld($1)
+	init_signull($1)
+
+	ifdef(`targeted_policy',`
+		unconfined_use_fd($1)
+		unconfined_sigchld($1)
+	')
+
+	tunable_policy(`allow_ptrace',`
+		userdom_sigchld_sysadm($1)
+	')
+
+	# allow any domain to connect to the LDAP server
+	optional_policy(`ldap',`
+		ldap_use($1)
+	')
+
+	# these 3 seem highly questionable:
+	optional_policy(`rpm',`
+		rpm_use_fd($1)
+		rpm_read_pipe($1)
+	')
+
+	optional_policy(`selinux',`
+		selinux_dontaudit_read_fs($1)
+	')
+
+	optional_policy(`selinuxutil',`
+		seutil_dontaudit_read_config($1)
+	')
+')
+
+########################################
+## <summary>
+##	Make the specified type usable as
+##	an entry point for the domain.
+## </summary>
+## <param name="domain">
+##	Domain to be entered.
+## </param>
+## <param name="type">
+##	Type of program used for entering
+##	the domain.
+## </param>
+#
+interface(`domain_entry_file',`
+	gen_require(`
+		attribute entry_type;
+		class file entrypoint;
+	')
+
+	files_type($2)
+
+	allow $1 $2:file entrypoint;
+	allow $1 $2:file rx_file_perms;
+
+	typeattribute $2 entry_type;
+')
+
+########################################
+#
+# domain_wide_inherit_fd(domain)
+#
+interface(`domain_wide_inherit_fd',`
+	gen_require(`
+		attribute privfd;
+	')
+
+	typeattribute $1 privfd;
+')
+
+########################################
+#
+# domain_dyntrans_type(domain)
+#
+interface(`domain_dyntrans_type',`
+	gen_require(`
+		attribute set_curr_context;
+	')
+
+	typeattribute $1 set_curr_context;
+')
+
+########################################
+## <summary>
+##	Makes caller and execption to the constraint
+##	preventing changing to the system user
+##	identity and system role.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_system_change_exempt',`
+	gen_require(`
+		attribute can_system_change;
+	')
+
+	typeattribute $1 can_system_change;
+')
+
+########################################
+## <summary>
+##	Makes caller an exception to the constraint preventing
+##	changing of user identity.
+## </summary>
+## <param name="domain">
+##	The process type to make an exception to the constraint.
+## </param>
+#
+interface(`domain_subj_id_change_exempt',`
+	gen_require(`
+		attribute can_change_process_identity;
+	')
+
+	typeattribute $1 can_change_process_identity;
+')
+
+########################################
+## <summary>
+##	Makes caller an exception to the constraint preventing
+##	changing of role.
+## </summary>
+## <param name="domain">
+##	The process type to make an exception to the constraint.
+## </param>
+#
+interface(`domain_role_change_exempt',`
+	gen_require(`
+		attribute can_change_process_role;
+	')
+
+	typeattribute $1 can_change_process_role;
+')
+
+########################################
+## <summary>
+##	Makes caller an exception to the constraint preventing
+##	changing the user identity in object contexts.
+## </summary>
+## <param name="domain">
+##	The process type to make an exception to the constraint.
+## </param>
+#
+interface(`domain_obj_id_change_exempt',`
+	gen_require(`
+		attribute can_change_object_identity;
+	')
+
+	typeattribute $1 can_change_object_identity;
+')
+
+########################################
+## <summary>
+##	Make the specified domain the target of
+##	the user domain exception of the
+##	SELinux role and identity change
+##	constraints.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified domain the target of
+##	the user domain exception of the
+##	SELinux role and identity change
+##	constraints.
+##	</p>
+##	<p>
+##	This interface is needed to decouple
+##	the user domains from the base module.
+##	It should not be used other than on
+##	user domains.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain target for user exemption.
+## </param>
+#
+interface(`domain_user_exemption_target',`
+	gen_require(`
+		attribute process_user_target;
+	')
+
+	typeattribute $1 process_user_target;
+')
+
+########################################
+## <summary>
+##	Make the specified domain the source of
+##	the cron domain exception of the
+##	SELinux role and identity change
+##	constraints.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified domain the source of
+##	the cron domain exception of the
+##	SELinux role and identity change
+##	constraints.
+##	</p>
+##	<p>
+##	This interface is needed to decouple
+##	the cron domains from the base module.
+##	It should not be used other than on
+##	cron domains.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain target for user exemption.
+## </param>
+#
+interface(`domain_cron_exemption_source',`
+	gen_require(`
+		attribute cron_source_domain;
+	')
+
+	typeattribute $1 cron_source_domain;
+')
+
+########################################
+## <summary>
+##	Make the specified domain the target of
+##	the cron domain exception of the
+##	SELinux role and identity change
+##	constraints.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified domain the target of
+##	the cron domain exception of the
+##	SELinux role and identity change
+##	constraints.
+##	</p>
+##	<p>
+##	This interface is needed to decouple
+##	the cron domains from the base module.
+##	It should not be used other than on
+##	user cron jobs.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain target for user exemption.
+## </param>
+#
+interface(`domain_cron_exemption_target',`
+	gen_require(`
+		attribute cron_job_domain;
+	')
+
+	typeattribute $1 cron_job_domain;
+')
+
+########################################
+#
+# domain_use_wide_inherit_fd(domain)
+#
+interface(`domain_use_wide_inherit_fd',`
+	gen_require(`
+		attribute privfd;
+		class fd use;
+	')
+
+	allow $1 privfd:fd use;
+')
+
+########################################
+#
+# domain_dontaudit_use_wide_inherit_fd(domain)
+#
+interface(`domain_dontaudit_use_wide_inherit_fd',`
+	gen_require(`
+		attribute privfd;
+		class fd use;
+	')
+
+	dontaudit $1 privfd:fd use;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to domains whose file
+##	discriptors are widely inheritable.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: this was added because of newrole
+interface(`domain_sigchld_wide_inherit_fd',`
+	gen_require(`
+		attribute privfd;
+	')
+
+	allow $1 privfd:process sigchld;
+')
+
+########################################
+#
+# domain_setpriority_all_domains(domain)
+#
+interface(`domain_setpriority_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process setsched;
+	')
+
+	allow $1 domain:process setsched;
+')
+
+########################################
+## <summary>
+##	Send general signals to all domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_signal_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process signal;
+	')
+
+	allow $1 domain:process signal;
+')
+
+########################################
+## <summary>
+##	Send a null signal to all domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_signull_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process signull;
+	')
+
+	allow $1 domain:process signull;
+')
+
+########################################
+## <summary>
+##	Send a stop signal to all domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_sigstop_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process sigstop;
+	')
+
+	allow $1 domain:process sigstop;
+')
+
+########################################
+## <summary>
+##	Send a child terminated signal to all domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_sigchld_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process sigchld;
+	')
+
+	allow $1 domain:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a kill signal to all domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_kill_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process sigkill;
+		class capability kill;
+	')
+
+	allow $1 domain:process sigkill;
+	allow $1 self:capability kill;
+')
+
+########################################
+## <summary>
+##	Search the process state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_search_all_domains_state',`
+	gen_require(`
+		attribute domain;
+		class dir search;
+	')
+
+	kernel_search_proc($1)
+	allow $1 domain:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the process
+##	state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`domain_dontaudit_search_all_domains_state',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_read_all_domains_state',`
+	gen_require(`
+		attribute domain;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+		class file r_file_perms;
+	')
+
+	kernel_search_proc($1)
+	allow $1 domain:dir r_dir_perms;
+	allow $1 domain:lnk_file r_file_perms;
+	allow $1 domain:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all domains of all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_getattr_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process getattr;
+	')
+
+	allow $1 domain:process getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all domains of all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:process getattr;
+')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of all confined domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_read_confined_domains_state',`
+	gen_require(`
+		attribute domain, unconfined_domain;
+	')
+
+	kernel_search_proc($1)
+	allow $1 { domain -unconfined_domain }:dir r_dir_perms;
+	allow $1 { domain -unconfined_domain }:lnk_file r_file_perms;
+	allow $1 { domain -unconfined_domain }:file r_file_perms;
+
+	dontaudit $1 unconfined_domain:dir search;
+	dontaudit $1 unconfined_domain:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Get the attributes of all confined domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_getattr_confined_domains',`
+	gen_require(`
+		attribute domain, unconfined_domain;
+		class process getattr;
+	')
+
+	allow $1 { domain -unconfined_domain }:process getattr;
+')
+
+########################################
+## <summary>
+##	Ptrace all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_ptrace_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process ptrace;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to ptrace all domains.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to ptrace all domains.
+##	</p>
+##	<p>
+##	Generally this needs to be suppressed because procps tries to access
+##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
+##	(2.4 and 2.6).
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_dontaudit_ptrace_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:process ptrace;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to ptrace confined domains.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to ptrace confined domains.
+##	</p>
+##	<p>
+##	Generally this needs to be suppressed because procps tries to access
+##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
+##	(2.4 and 2.6).
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_dontaudit_ptrace_confined_domains',`
+	gen_require(`
+		attribute domain, unconfined_domain;
+		class process ptrace;
+	')
+
+	dontaudit $1 { domain -unconfined_domain }:process ptrace;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read the process
+##	state (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_read_all_domains_state',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:dir r_dir_perms;
+	dontaudit $1 domain:lnk_file r_file_perms;
+	dontaudit $1 domain:file r_file_perms;
+
+	# cjp: these should be removed:
+	dontaudit $1 domain:sock_file r_file_perms;
+	dontaudit $1 domain:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read the process state
+##	directories of all domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_list_all_domains_proc',`
+	gen_require(`
+		attribute domain;
+		class dir r_dir_perms;
+	')
+
+	dontaudit $1 domain:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the session ID of all domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_getsession_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process getsession;
+	')
+
+	allow $1 domain:process getsession;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	session ID of all domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getsession_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process getsession;
+	')
+
+	dontaudit $1 domain:process getsession;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all domains
+##	sockets, for all socket types.
+## </summary>
+## <desc>
+##	<p>
+##	Get the attributes of all domains
+##	sockets, for all socket types.
+##	</p>
+##	<p>
+##	This is commonly used for domains
+##	that can use lsof on all domains.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_getattr_all_sockets',`
+	gen_require(`
+		gen_require_set(getattr,socket_class_set)
+	')
+
+	allow $1 domain:socket_class_set getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains sockets, for all socket types.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to get the attributes
+##	of all domains sockets, for all socket types.
+##	</p>
+##	<p>
+##	This interface was added for PCMCIA cardmgr
+##	and is probably excessive.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_sockets',`
+	gen_require(`
+		gen_require_set(getattr,socket_class_set)
+	')
+
+	dontaudit $1 domain:socket_class_set getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains TCP sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_tcp_sockets',`
+	gen_require(`
+		attribute domain;
+		class tcp_socket getattr;
+	')
+
+	dontaudit $1 domain:tcp_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains UDP sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_udp_sockets',`
+	gen_require(`
+		attribute domain;
+		class udp_socket getattr;
+	')
+
+	dontaudit $1 domain:udp_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	all domains UDP sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_rw_all_udp_sockets',`
+	gen_require(`
+		attribute domain;
+		class udp_socket { read write };
+	')
+
+	dontaudit $1 domain:udp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get attribues of
+##	all domains IPSEC key management sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_key_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:key_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get attribues of
+##	all domains packet sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_packet_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:packet_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get attribues of
+##	all domains raw sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_raw_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:rawip_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	all domains key sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_rw_all_key_sockets',`
+	gen_require(`
+		attribute domain;
+		class key_socket { read write };
+	')
+
+	dontaudit $1 domain:key_socket { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_dgram_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:unix_dgram_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_stream_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:unix_stream_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains unnamed pipes.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_pipes',`
+	gen_require(`
+		attribute domain;
+		class fifo_file getattr;
+	')
+
+	dontaudit $1 domain:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of entry point
+##	files for all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_getattr_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+		class file getattr;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 entry_type:lnk_file getattr;
+	allow $1 entry_type:file r_file_perms;
+')
+
+########################################
+#
+# domain_read_all_entry_files(domain)
+#
+interface(`domain_read_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+		class file r_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 entry_type:lnk_file r_file_perms;
+	allow $1 entry_type:file r_file_perms;
+')
+
+########################################
+#
+# domain_exec_all_entry_files(domain)
+#
+interface(`domain_exec_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	can_exec($1,entry_type)
+')
+
+########################################
+## <summary>
+##	Unconfined access to domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_unconfined',`
+	gen_require(`
+		attribute domain, set_curr_context;
+		attribute can_change_process_identity;
+		attribute can_change_process_role;
+		attribute can_change_object_identity;
+		attribute unconfined_domain;
+	')
+
+	typeattribute $1 unconfined_domain;
+
+	# pass all constraints
+	typeattribute $1 can_change_process_identity;
+	typeattribute $1 can_change_process_role;
+	typeattribute $1 can_change_object_identity;
+	typeattribute $1 set_curr_context;
+
+	# Use/sendto/connectto sockets created by any domain.
+	allow $1 domain:{ socket_class_set socket key_socket } *;
+
+	# Use descriptors and pipes created by any domain.
+	allow $1 domain:fd use;
+	allow $1 domain:fifo_file rw_file_perms;
+
+	# Act upon any other process.
+	allow $1 domain:process ~{ transition dyntransition execmem };
+
+	# Create/access any System V IPC objects.
+	allow $1 domain:{ sem msgq shm } *;
+	allow $1 domain:msg { send receive };
+
+	# For /proc/pid
+	allow $1 domain:dir r_dir_perms;
+	allow $1 domain:file r_file_perms;
+	allow $1 domain:lnk_file r_file_perms;
+')
+
+#
+# These next macros are not templates, but actually are 
+# support macros.  Due to the domain_ prefix, they 
+# are placed in this module, to try to prevent confusion.
+# They are called templates since regular m4 defines
+# wont work here.
+#
+
+########################################
+#
+# domain_trans(source_domain,entrypoint_file,target_domain)
+#
+template(`domain_trans',`
+	allow $1 $2:file { getattr read execute };
+	allow $1 $3:process transition;
+	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# domain_auto_trans(source_domain,entrypoint_file,target_domain)
+#
+template(`domain_auto_trans',`
+	domain_trans($1,$2,$3)
+	type_transition $1 $2:process $3;
+')
diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te
new file mode 100644
index 0000000..a368df8
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/domain.te
@@ -0,0 +1,69 @@
+
+policy_module(domain,1.0)
+
+########################################
+#
+# Declarations
+#
+
+# Mark process types as domains
+attribute domain;
+
+# Transitions only allowed from domains to other domains
+neverallow domain ~domain:process { transition dyntransition };
+
+# Domains that are unconfined
+attribute unconfined_domain;
+
+# Domains that can set their current context
+# (perform dynamic transitions)
+attribute set_curr_context;
+
+# enabling setcurrent breaks process tranquility.  If you do not
+# know what this means or do not understand the implications of a
+# dynamic transition, you should not be using it!!!
+neverallow { domain -set_curr_context } self:process setcurrent;
+
+# entrypoint executables
+attribute entry_type;
+
+# widely-inheritable file descriptors
+attribute privfd;
+
+#
+# constraint related attributes
+#
+
+# [1] types that can change SELinux identity on transition
+attribute can_change_process_identity;
+
+# [2] types that can change SELinux role on transition
+attribute can_change_process_role;
+
+# [3] types that can change the SELinux identity on a filesystem
+# object or a socket object on a create or relabel
+attribute can_change_object_identity;
+
+# [3] types that can change to system_u:system_r
+attribute can_system_change;
+
+# [4] types that have attribute 1 can change the SELinux
+# identity only if the target domain has this attribute.
+# Types that have attribute 2 can change the SELinux role
+# only if the target domain has this attribute.
+attribute process_user_target;
+
+# For cron jobs
+# [5] types used for cron daemons
+attribute cron_source_domain;
+# [6] types used for cron jobs
+attribute cron_job_domain;
+
+# [7] types that are unconditionally exempt from
+# SELinux identity and role change constraints
+attribute process_uncond_exempt;	# add userhelperdomain to this one
+
+# TODO:
+# cjp: also need to except correctly for SEFramework
+neverallow { domain unlabeled_t } file_type:process *;
+neverallow ~{ domain unlabeled_t } *:process *;
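Review bot: The `entry_type` attribute declared at `attribute entry_type;` is documented as the set of entrypoint executables, but nothing in this file enforces it: a file type that is granted `file entrypoint` by some domain without being added to `entry_type` would be invisible to the `domain_getattr_all_entry_files`/`domain_read_all_entry_files`/`domain_exec_all_entry_files` interfaces that key on the attribute. If the build does not already carry one, consider `neverallow domain ~entry_type:file entrypoint;` next to the transition neverallow, so every entrypoint must pass through the attribute; the interface that assigns `entry_type` is not in this view, so confirm it is the only path before relying on that. Separately, the constraint-attribute comments reuse `[3]` for both `can_change_object_identity` and `can_system_change`; if the numbers key into the constraints file, fix the cross-reference there as well, otherwise renumber `can_system_change` to `[4]` and shift the rest, and move the `# add userhelperdomain to this one` remark into a proper TODO line rather than a trailing comment on the declaration.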
diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc
new file mode 100644
index 0000000..0c19f57
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/files.fc
@@ -0,0 +1,216 @@
+
+#
+# /
+#
+/.*				gen_context(system_u:object_r:default_t,s0)
+/			-d	gen_context(system_u:object_r:root_t,s0)
+/\.journal			<<none>>
+
+ifdef(`distro_redhat',`
+/\.autofsck		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/\.autorelabel		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/fastboot 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/forcefsck 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/poweroff		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+ifdef(`distro_suse',`
+/success		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+#
+# /boot
+#
+/boot/\.journal			<<none>>
+/boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
+/boot/lost\+found/.*		<<none>>
+
+#
+# /emul
+#
+
+ifdef(`distro_redhat',`
+/emul(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+')
+
+#
+# /etc
+#
+/etc(/.*)?			gen_context(system_u:object_r:etc_t,s0)
+/etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/asound\.state	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/blkid\.tab.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/HOSTNAME		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/issue		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/issue\.net		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
+/etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
+
+/etc/init\.d/functions	--	gen_context(system_u:object_r:etc_t,s0)
+
+/etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
+
+/etc/network/ifstate	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/ptal/ptal-printd-like -- 	gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0)
+
+/etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
+
+ifdef(`distro_gentoo', `
+/etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/csh\.env		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/etc/rhgb(/.*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
+')
+
+ifdef(`distro_suse',`
+/etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/init\.d/\.depend.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+#
+# HOME_ROOT
+# expanded by genhomedircon
+#
+HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s0)
+HOME_ROOT/\.journal		<<none>>
+HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
+HOME_ROOT/lost\+found/.*	<<none>>
+
+#
+# /initrd
+#
+# initrd mount point, only used during boot
+/initrd			-d	gen_context(system_u:object_r:root_t,s0)
+
+#
+# /lost+found
+#
+/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,s0)
+/lost\+found/.*			<<none>>
+
+#
+# /media
+#
+# Mount points; do not relabel subdirectories, since
+# we don't want to change any removable media by default.
+/media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
+/media/[^/]*/.*			<<none>>
+
+#
+# /mnt
+#
+/mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
+/mnt/[^/]*/.*			<<none>>
+
+#
+# /opt
+#
+/opt(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+
+/opt(/.*)?/var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
+
+#
+# /proc
+#
+/proc(/.*)?                     <<none>>
+
+#
+# /selinux
+#
+/selinux(/.*)?                  <<none>>
+
+#
+# /srv
+#
+/srv(/.*)?			gen_context(system_u:object_r:var_t,s0)
+
+#
+# /sys
+#
+/sys(/.*)?                      <<none>>
+
+#
+# /tmp
+#
+/tmp			-d	gen_context(system_u:object_r:tmp_t,s0)
+/tmp/.*				<<none>>
+/tmp/\.journal			<<none>>
+
+/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
+/tmp/lost\+found/.*		<<none>>
+
+#
+# /usr
+#
+/usr(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+/usr/\.journal			<<none>>
+
+/usr/etc(/.*)?			gen_context(system_u:object_r:etc_t,s0)
+
+/usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
+
+/usr/local/\.journal		<<none>>
+
+/usr/local/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
+
+/usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
+/usr/local/lost\+found/.*	<<none>>
+
+/usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
+
+/usr/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
+/usr/lost\+found/.*		<<none>>
+
+/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+
+/usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
+
+/usr/tmp		-d	gen_context(system_u:object_r:tmp_t,s0)
+/usr/tmp/.*			<<none>>
+
+#
+# /var
+#
+/var(/.*)?			gen_context(system_u:object_r:var_t,s0)
+/var/\.journal			<<none>>
+
+/var/db/.*\.db		--	gen_context(system_u:object_r:etc_t,s0)
+
+/var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
+
+/var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
+
+/var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
+
+/var/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
+
+/var/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
+/var/lost\+found/.*		<<none>>
+
+/var/run(/.*)?			gen_context(system_u:object_r:var_run_t,s0)
+/var/run/.*\.*pid		<<none>>
+
+/var/spool(/.*)?		gen_context(system_u:object_r:var_spool_t,s0)
+
+/var/tmp		-d	gen_context(system_u:object_r:tmp_t,s0)
+/var/tmp/.*			<<none>>
+/var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
+/var/tmp/lost\+found/.*		<<none>>
+/var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
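Review bot: The `/var/run/.*\.*pid  <<none>>` entry uses `\.*`, which is zero-or-more literal dots, so the pattern is effectively `/var/run/.*pid` and exempts from relabeling anything under /var/run whose name merely ends in `pid`, directories included, not only `*.pid` files. If the intent is to preserve daemon-specific pidfile types on `name.pid` files, tighten it to `/var/run/.*\.pid -- <<none>>`; if dot-less names are meant to be covered, keep the loose match but spell it `/var/run/.*pid` with a comment saying so, since the current spelling reads as a typo for `\.`. A `<<none>>` entry is a deliberate gap in restorecon, so the narrower it is the less a mislabelled object under /var/run can survive a relabel.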
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
new file mode 100644
index 0000000..c43fa98
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -0,0 +1,3104 @@
+## <summary>
+## Basic filesystem types and interfaces.
+## </summary>
+## <desc>
+## <p>
+## This module contains basic filesystem types and interfaces. This
+## includes:
+## <ul>
+##	<li>The concept of different file types including basic
+##	files, mount points, tmp files, etc.</li>
+##	<li>Access to groups of files and all files.</li>
+##	<li>Types and interfaces for the basic filesystem layout
+##	(/, /etc, /tmp, /usr, etc.).</li>
+## </ul>
+## </p>
+## </desc>
+## <required val="true">
+##	Contains the concept of a file.
+##	Comains the file initial SID.
+## </required>
+
+########################################
+## <summary>
+##	Make the specified type usable for files
+##	in a filesystem.
+## </summary>
+## <param name="type">
+##	Type to be used for files.
+## </param>
+#
+interface(`files_type',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	fs_associate($1)
+	fs_associate_noxattr($1)
+	typeattribute $1 file_type;
+')
+
+########################################
+#
+# files_lock_file(type)
+#
+interface(`files_lock_file',`
+	gen_require(`
+		attribute lockfile;
+	')
+
+	files_type($1)
+	typeattribute $1 lockfile;
+')
+
+########################################
+#
+# files_mountpoint(type)
+#
+interface(`files_mountpoint',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	files_type($1)
+	typeattribute $1 mountpoint;
+')
+
+########################################
+#
+# files_pid_file(type)
+#
+interface(`files_pid_file',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	files_type($1)
+	typeattribute $1 pidfile;
+')
+
+########################################
+## <summary>
+##	Make the specified type a 
+##	configuration file.
+## </summary>
+## <param name="file_type">
+##	Type to be used as a configuration file.
+## </param>
+#
+interface(`files_config_file',`
+	gen_require(`
+		attribute usercanread;
+	')
+
+	files_type($1)
+
+	# this is a hack and should be removed.
+	typeattribute $1 usercanread;
+')
+
+########################################
+## <summary>
+##	Make the specified type a 
+##	polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	polyinstantiated directory.
+## </param>
+#
+interface(`files_poly',`
+	gen_require(`
+		attribute polydir;
+	')
+
+	files_type($1)
+	typeattribute $1 polydir;
+')
+
+########################################
+## <summary>
+##	Make the specified type a parent
+##	of a polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	parent directory.
+## </param>
+#
+interface(`files_poly_parent',`
+	gen_require(`
+		attribute polyparent;
+	')
+
+	files_type($1)
+	typeattribute $1 polyparent;
+')
+
+########################################
+## <summary>
+##	Make the specified type a
+##	polyinstantiation member directory.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	member directory.
+## </param>
+#
+interface(`files_poly_member',`
+	gen_require(`
+		attribute polymember;
+	')
+
+	files_type($1)
+	typeattribute $1 polymember;
+')
+
+########################################
+## <summary>
+##	Make the domain use the specified
+##	type of polyinstantiated directory.
+## </summary>
+## <param name="domain">
+##	Domain using the polyinstantiated
+##	directory.
+## </param>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	member directory.
+## </param>
+#
+interface(`files_poly_member_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	type_member $1 tmp_t:dir $2;
+')
+
+########################################
+## <summary>
+##	Make the specified type a file that
+##	should not be dontaudited from
+##	browsing from user domains.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	member directory.
+## </param>
+#
+interface(`files_security_file',`
+	gen_require(`
+		attribute security_file_type;
+	')
+
+	files_type($1)
+	typeattribute $1 security_file_type;
+')
+
+########################################
+## <summary>
+##	Make the specified type a file
+##	used for temporary files.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	temporary file.
+## </param>
+#
+interface(`files_tmp_file',`
+	gen_require(`
+		attribute tmpfile;
+		type tmp_t;
+	')
+
+	files_type($1)
+	files_poly_member($1)
+	fs_associate_tmpfs($1)
+	typeattribute $1 tmpfile;
+	allow $1 tmp_t:filesystem associate;
+')
+
+########################################
+## <summary>
+##	Transform the type into a file, for use on a
+##	virtual memory filesystem (tmpfs).
+## </summary>
+## <param name="type">
+##	The type to be transformed.
+## </param>
+#
+interface(`files_tmpfs_file',`
+	gen_require(`
+		attribute tmpfsfile;
+	')
+
+	files_type($1)
+	fs_associate_tmpfs($1)
+	typeattribute $1 tmpfsfile;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: this is an odd interface, because to getattr
+# all dirs, you need to search all the parent directories
+#
+interface(`files_getattr_all_dirs',`
+	gen_require(`
+		attribute file_type;
+		class dir { getattr search };
+	')
+
+	allow $1 file_type:dir { getattr search };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_dirs',`
+	gen_require(`
+		attribute file_type;
+		class dir getattr;
+	')
+
+	dontaudit $1 file_type:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search all directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_search_all',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir { getattr search };
+')
+
+########################################
+## <summary>
+##	List the contents of all directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_list_all_dirs',`
+	gen_require(`
+		attribute file_type;
+		class dir r_dir_perms;
+	')
+
+	allow $1 file_type:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list all
+##	non security directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_list_non_security',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_files',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
+		class file getattr;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all sockets
+##	with the type of a file.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for initrc_t/distro_redhat.  I
+# do not think it has any effect.
+interface(`files_getattr_all_file_type_sockets',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:socket_class_set getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all files.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	dontaudit $1 file_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security files.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_files',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:file getattr;
+')
+
+########################################
+## <summary>
+##	Read all files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_all_files',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
+		class file r_file_perms;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:file r_file_perms;
+
+	optional_policy(`authlogin',`
+		auth_read_shadow($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read all directories on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_dirs_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read all files on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_files_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir search;
+	allow $1 { file_type $2 }:file r_file_perms;
+
+')
+
+########################################
+## <summary>
+##	Read all symbloic links on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_symlinks_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir search;
+	allow $1 { file_type $2 }:lnk_file r_file_perms;
+
+')
+
+########################################
+## <summary>
+##	Get the attributes of all symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
+		class lnk_file getattr;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+		class lnk_file getattr;
+	')
+
+	dontaudit $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_symlinks',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security block devices.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_blk_dev',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security character devices.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_chr_dev',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Read all symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
+		class lnk_file { getattr read };
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named pipes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_pipes',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
+		class fifo_file getattr;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named pipes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_pipes',`
+	gen_require(`
+		attribute file_type;
+		class fifo_file getattr;
+	')
+
+	dontaudit $1 file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security named pipes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_pipes',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_sockets',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
+		class sock_file getattr;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:sock_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named sockets.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_sockets',`
+	gen_require(`
+		attribute file_type;
+		class sock_file getattr;
+	')
+
+	dontaudit $1 file_type:sock_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security named sockets.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_sockets',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:sock_file getattr;
+')
+
+########################################
+## <summary>
+##	Read all block nodes with file types.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_all_blk_nodes',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:blk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read all character nodes with file types.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_all_chr_nodes',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Relabel all files on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
+#
+interface(`files_relabel_all_files',`
+	gen_require(`
+		attribute file_type;
+		class dir { r_dir_perms relabelfrom relabelto };
+		class file { relabelfrom relabelto };
+		class lnk_file { relabelfrom relabelto };
+		class fifo_file { relabelfrom relabelto };
+		class sock_file { relabelfrom relabelto };
+		class blk_file relabelfrom;
+		class chr_file relabelfrom;
+	')
+
+	allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
+	allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
+	allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
+
+	# satisfy the assertions:
+	seutil_relabelto_binary_pol($1)
+')
+
+########################################
+## <summary>
+##	Manage all files on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
+#
+interface(`files_manage_all_files',`
+	gen_require(`
+		attribute file_type;
+		class dir create_dir_perms;
+		class file create_file_perms;
+		class lnk_file create_lnk_perms;
+		class fifo_file create_file_perms;
+		class sock_file create_file_perms;
+	')
+
+	allow $1 { file_type $2 }:dir create_dir_perms;
+	allow $1 { file_type $2 }:file create_file_perms;
+	allow $1 { file_type $2 }:lnk_file create_lnk_perms;
+	allow $1 { file_type $2 }:fifo_file create_file_perms;
+	allow $1 { file_type $2 }:sock_file create_file_perms;
+
+	# satisfy the assertions:
+	seutil_create_binary_pol($1)
+	bootloader_manage_kernel_modules($1)
+')
+
+########################################
+#
+# files_search_all_dirs(domain)
+#
+interface(`files_search_all_dirs',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
+	')
+
+	allow $1 file_type:dir search;
+')
+
+########################################
+#
+# files_list_all_dirs(domain)
+#
+interface(`files_list_all_dirs',`
+	gen_require(`
+		attribute file_type;
+		class dir r_dir_perms;
+	')
+
+	allow $1 file_type:dir r_dir_perms;
+')
+
+########################################
+#
+# files_dontaudit_search_all_dirs(domain)
+#
+interface(`files_dontaudit_search_all_dirs',`
+	gen_require(`
+		attribute file_type;
+		class dir search;
+	')
+
+	dontaudit $1 file_type:dir search;
+')
+
+#######################################
+#
+# files_relabelto_all_file_type_fs(domain)
+#
+interface(`files_relabelto_all_file_type_fs',`
+	gen_require(`
+		attribute file_type;
+		class filesystem relabelto;
+	')
+
+	allow $1 file_type:filesystem relabelto;
+')
+
+#######################################
+#
+# files_mount_all_file_type_fs(domain)
+#
+interface(`files_mount_all_file_type_fs',`
+	gen_require(`
+		attribute file_type;
+		class filesystem mount;
+	')
+
+	allow $1 file_type:filesystem mount;
+')
+
+#######################################
+#
+# files_unmount_all_file_type_fs(domain)
+#
+interface(`files_unmount_all_file_type_fs',`
+	gen_require(`
+		attribute file_type;
+		class filesystem unmount;
+	')
+
+	allow $1 file_type:filesystem unmount;
+')
+
+########################################
+#
+# files_mounton_all_mountpoints(domain)
+#
+interface(`files_mounton_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+		class dir { getattr search mounton };
+		class file { getattr mounton };
+	')
+
+	allow $1 mountpoint:dir { getattr search mounton };
+	allow $1 mountpoint:file { getattr mounton };
+')
+
+########################################
+#
+# files_list_root(domain)
+#
+interface(`files_list_root',`
+	gen_require(`
+		type root_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 root_t:dir r_dir_perms;
+	allow $1 root_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create an object in the root directory, with a private
+##	type.  If no object class is specified, the
+##	default is file.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="private type" optional="true">
+##	The type of the object to be created.  If no type
+##	is specified, the type of the root directory will
+##	be used.
+## </param>
+## <param name="object" optional="true">
+##	The object class of the object being created.  If
+##	no class is specified, file will be used.
+## </param>
+#
+interface(`files_create_root',`
+	gen_require(`
+		type root_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 root_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		ifelse(`$2',`',`
+			allow $1 root_t:file create_file_perms;
+		',`
+			type_transition $1 root_t:file $2;
+		')
+	',`
+		ifelse(`$2',`',`
+			allow $1 root_t:$3 create_file_perms;
+		',`
+			type_transition $1 root_t:$3 $2;
+		')
+	')
+')
+
+########################################
+#
+# files_dontaudit_read_root_file(domain)
+#
+interface(`files_dontaudit_read_root_file',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:file { getattr read };
+')
+
+########################################
+#
+# files_dontaudit_rw_root_file(domain)
+#
+interface(`files_dontaudit_rw_root_file',`
+	gen_require(`
+		type root_t;
+		class file { read write };
+	')
+
+	dontaudit $1 root_t:file { read write };
+')
+
+########################################
+#
+# files_dontaudit_rw_root_chr_dev(domain)
+#
+interface(`files_dontaudit_rw_root_chr_dev',`
+	gen_require(`
+		type root_t;
+		class chr_file { read write };
+	')
+
+	dontaudit $1 root_t:chr_file { read write };
+')
+
+########################################
+#
+# files_delete_root_dir_entry(domain)
+#
+interface(`files_delete_root_dir_entry',`
+	gen_require(`
+		type root_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 root_t:dir rw_dir_perms;
+')
+
+########################################
+#
+# files_unmount_rootfs(domain)
+#
+interface(`files_unmount_rootfs',`
+	gen_require(`
+		type root_t;
+		class filesystem unmount;
+	')
+
+	allow $1 root_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	directories with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_default_dir',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the contents of directories with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_search_default',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:dir search;
+')
+
+########################################
+## <summary>
+##	List contents of directories with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_list_default',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list contents of
+##	directories with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_list_default',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on a directory with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_mounton_default',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:dir { getattr search mounton };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	files with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_default_files',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read files with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_default_files',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read files
+##	with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_read_default_files',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_default_symlinks',`
+	gen_require(`
+		type default_t;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 default_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read sockets with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_default_sockets',`
+	gen_require(`
+		type default_t;
+		class sock_file r_file_perms;
+	')
+
+	allow $1 default_t:sock_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read named pipes with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_default_pipes',`
+	gen_require(`
+		type default_t;
+		class fifo_file r_file_perms;
+	')
+
+	allow $1 default_t:fifo_file r_file_perms;
+')
+
+########################################
+#
+# files_search_etc(domain)
+#
+interface(`files_search_etc',`
+	gen_require(`
+		type etc_t;
+		class dir search;
+	')
+
+	allow $1 etc_t:dir search;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the /etc directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_setattr_etc_dir',`
+	gen_require(`
+		type etc_t;
+		class dir setattr;
+	')
+
+	allow $1 etc_t:dir setattr;
+')
+
+########################################
+#
+# files_list_etc(domain)
+#
+interface(`files_list_etc',`
+	gen_require(`
+		type etc_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+')
+
+########################################
+#
+# files_read_etc_files(domain)
+#
+interface(`files_read_etc_files',`
+	gen_require(`
+		type etc_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_t:file r_file_perms;
+	allow $1 etc_t:lnk_file r_file_perms;
+')
+
+########################################
+#
+# files_rw_etc_files(domain)
+#
+interface(`files_rw_etc_files',`
+	gen_require(`
+		type etc_t;
+		class dir r_dir_perms;
+		class file rw_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_t:file rw_file_perms;
+	allow $1 etc_t:lnk_file r_file_perms;
+')
+
+########################################
+#
+# files_manage_etc_files(domain)
+#
+interface(`files_manage_etc_files',`
+	gen_require(`
+		type etc_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	allow $1 etc_t:file create_file_perms;
+	allow $1 etc_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete system configuration files in /etc.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_delete_etc_files',`
+	gen_require(`
+		type etc_t;
+		class dir rw_dir_perms;
+		class file unlink;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	allow $1 etc_t:file unlink;
+')
+
+########################################
+#
+# files_exec_etc_files(domain)
+#
+interface(`files_exec_etc_files',`
+	gen_require(`
+		type etc_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_t:lnk_file r_file_perms;
+	can_exec($1,etc_t)
+
+')
+
+#######################################
+## <summary>
+##	Relabel from and to generic files in /etc.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_relabel_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir list_dir_perms;
+	allow $1 etc_t:file { relabelfrom relabelto };
+')
+
+########################################
+#
+# files_create_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_create_boot_flag',`
+	gen_require(`
+		type root_t, etc_runtime_t;
+		class dir rw_dir_perms;
+		class file { create read write setattr unlink};
+	')
+
+	allow $1 root_t:dir rw_dir_perms;
+	allow $1 etc_runtime_t:file { create read write setattr unlink };
+	type_transition $1 root_t:file etc_runtime_t;
+')
+
+########################################
+## <summary>
+##	Read files in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_etc_runtime_files',`
+	gen_require(`
+		type etc_t, etc_runtime_t;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_runtime_t:file r_file_perms;
+	allow $1 etc_runtime_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read files
+##	in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_read_etc_runtime_files',`
+	gen_require(`
+		type etc_runtime_t;
+		class file { getattr read };
+	')
+
+	dontaudit $1 etc_runtime_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read and write files in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_rw_etc_runtime_files',`
+	gen_require(`
+		type etc_t, etc_runtime_t;
+		class dir r_dir_perms;
+		class file rw_file_perms;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_runtime_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files in
+##	/etc that are dynamically created on boot,
+##	such as mtab.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_etc_runtime_files',`
+	gen_require(`
+		type etc_t, etc_runtime_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	allow $1 etc_runtime_t:file create_file_perms;
+	type_transition $1 etc_t:file etc_runtime_t;
+')
+
+########################################
+#
+# files_create_etc_config(domain,privatetype,[class(es)])
+#
+interface(`files_create_etc_config',`
+	gen_require(`
+		type etc_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	ifelse(`$3',`',`
+		type_transition $1 etc_t:file $2;
+	',`
+		type_transition $1 etc_t:$3 $2;
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_dontaudit_search_isid_type_dir',`
+	gen_require(`
+		type file_t;
+	')
+
+	dontaudit $1 file_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_list_isid_type_dir',`
+	gen_require(`
+		type file_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 file_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read and write directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_rw_isid_type_dir',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_dir',`
+	gen_require(`
+		type file_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 file_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on a directory on new filesystems
+##	that has not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_mounton_isid_type_dir',`
+	gen_require(`
+		type file_t;
+		class dir { getattr search mounton };
+	')
+
+	allow $1 file_t:dir { getattr search mounton };
+')
+
+########################################
+## <summary>
+##	Read files on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_read_isid_type_file',`
+	gen_require(`
+		type file_t;
+		class dir search;
+		class file r_file_perms;
+	')
+
+	allow $1 file_t:dir search;
+	allow $1 file_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_file',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic links
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_symlink',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+		class lnk_file create_lnk_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Read and write block device nodes on new filesystems 
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_rw_isid_type_blk_node',`
+	gen_require(`
+		type file_t;
+		class dir search;
+		class blk_file rw_file_perms;
+	')
+
+	allow $1 file_t:dir search;
+	allow $1 file_t:blk_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete block device nodes
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_blk_node',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+		class blk_file create_file_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:blk_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete character device nodes
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_chr_node',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+		class chr_file create_file_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:chr_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the home directories root
+##	(/home).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_getattr_home_dir',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	allow $1 home_root_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the home directories root
+##	(/home).
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_home_dir',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	dontaudit $1 home_root_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search home directories root (/home).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_search_home',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	allow $1 home_root_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	home directories root (/home).
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_search_home',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	dontaudit $1 home_root_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get listing of home directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_list_home',`
+	gen_require(`
+		type home_root_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 home_root_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create home directories
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="home_type">
+##	The type of the home directory
+## </param>
+#
+interface(`files_create_home_dirs',`
+	gen_require(`
+		type home_root_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 home_root_t:dir rw_dir_perms;
+	type_transition $1 home_root_t:dir $2;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete objects in
+##	lost+found directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_lost_found',`
+	gen_require(`
+		type lost_found_t;
+		class dir create_dir_perms;
+		class file create_file_perms;
+		class sock_file create_file_perms;
+		class fifo_file create_file_perms;
+		class lnk_file create_lnk_perms;
+	')
+
+	allow $1 lost_found_t:dir create_dir_perms;
+	allow $1 lost_found_t:file create_file_perms;
+	allow $1 lost_found_t:sock_file create_file_perms;
+	allow $1 lost_found_t:fifo_file create_file_perms;
+	allow $1 lost_found_t:lnk_file create_lnk_perms;
+')
+
+########################################
+#
+# files_search_mnt(domain)
+#
+interface(`files_search_mnt',`
+	gen_require(`
+		type mnt_t;
+		class dir search;
+	')
+
+	allow $1 mnt_t:dir search;
+')
+
+########################################
+#
+# files_list_mnt(domain)
+#
+interface(`files_list_mnt',`
+	gen_require(`
+		type mnt_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 mnt_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on /mnt.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_mounton_mnt',`
+	gen_require(`
+		type mnt_t;
+		class dir { search mounton };
+	')
+
+	allow $1 mnt_t:dir { search mounton };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories in /mnt.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_mnt_dirs',`
+	gen_require(`
+		type mnt_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 mnt_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files in /mnt.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_mnt_files',`
+	gen_require(`
+		type mnt_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 mnt_t:dir rw_dir_perms;
+	allow $1 mnt_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic links in /mnt.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_mnt_symlinks',`
+	gen_require(`
+		type mnt_t;
+		class dir rw_dir_perms;
+		class lnk_file create_lnk_perms;
+	')
+
+	allow $1 mnt_t:dir rw_dir_perms;
+	allow $1 mnt_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	List world-readable directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_list_world_readable',`
+	gen_require(`
+		type readable_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 readable_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_files',`
+	gen_require(`
+		type readable_t;
+		class file r_file_perms;
+	')
+
+	allow $1 readable_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_symlinks',`
+	gen_require(`
+		type readable_t;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 readable_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable named pipes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_pipes',`
+	gen_require(`
+		type readable_t;
+		class fifo_file r_file_perms;
+	')
+
+	allow $1 readable_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_sockets',`
+	gen_require(`
+		type readable_t;
+		class sock_file r_file_perms;
+	')
+
+	allow $1 readable_t:sock_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified type to associate
+##	to a filesystem with the type of the
+##	temporary directory (/tmp).
+## </summary>
+## <param name="file_type">
+##	Type of the file to associate.
+## </param>
+#
+interface(`files_associate_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:filesystem associate;
+')
+
+########################################
+## <summary>
+##	Get the	attributes of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_tmp_dir',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_dontaudit_getattr_tmp_dir',`
+	gen_require(`
+		type tmp_t;
+		class dir getattr;
+	')
+
+	dontaudit $1 tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Allow domain to getattr on /tmp directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_getattr_tmp_dir',`
+	gen_require(`
+		type tmp_t;
+		class dir getattr;
+	')
+
+	allow $1 tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_search_tmp',`
+	gen_require(`
+		type tmp_t;
+		class dir search;
+	')
+
+	allow $1 tmp_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_list_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read files in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_read_generic_tmp_files',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir search_dir_perms;
+	allow $1 tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_read_generic_tmp_symlinks',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir search_dir_perms;
+	allow $1 tmp_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Set the attributes of all tmp directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_setattr_all_tmp_dirs',`
+	gen_require(`
+		attribute tmpfile;
+		class dir { search setattr };
+	')
+
+	allow $1 tmpfile:dir { search getattr };
+')
+
+########################################
+#
+# files_create_tmp_files(domain,private_type,[object class(es)])
+#
+interface(`files_create_tmp_files',`
+	gen_require(`
+		type tmp_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 tmp_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 tmp_t:file $2;
+	',`
+		type_transition $1 tmp_t:$3 $2;
+	')
+')
+
+########################################
+#
+# files_purge_tmp(domain)
+#
+interface(`files_purge_tmp',`
+	gen_require(`
+		attribute tmpfile;
+		class dir { rw_dir_perms rmdir };
+		gen_require_set({ getattr unlink },notdevfile_class_set)
+	')
+
+	allow $1 tmpfile:dir { rw_dir_perms rmdir };
+	allow $1 tmpfile:notdevfile_class_set { getattr unlink };
+')
+
+########################################
+#
+# files_search_usr(domain)
+#
+interface(`files_search_usr',`
+	gen_require(`
+		type usr_t;
+		class dir search;
+	')
+
+	allow $1 usr_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of generic
+##	directories in /usr.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_list_usr',`
+	gen_require(`
+		type usr_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 usr_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of files in /usr.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_getattr_usr_files',`
+	gen_require(`
+		type usr_t;
+		class dir search;
+		class file getattr;
+	')
+
+	allow $1 usr_t:dir search;
+	allow $1 usr_t:file getattr;
+')
+
+########################################
+#
+# files_read_usr_files(domain)
+#
+interface(`files_read_usr_files',`
+	gen_require(`
+		type usr_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 usr_t:dir r_dir_perms;
+	allow $1 usr_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute generic programs in /usr in the caller domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_exec_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir r_dir_perms;
+	allow $1 usr_t:lnk_file r_file_perms;
+	can_exec($1,usr_t)
+
+')
+
+########################################
+## <summary>
+##	Relabel a file to the type used in /usr.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_relabelto_usr_files',`
+	gen_require(`
+		type usr_t;
+		class file relabelto;
+	')
+
+	allow $1 usr_t:file relabelto;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in /usr.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_usr_symlinks',`
+	gen_require(`
+		type usr_t;
+		class dir search;
+		class file r_file_perms;
+	')
+
+	allow $1 usr_t:dir search;
+	allow $1 usr_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in the /usr directory
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="file_type">
+##	The type of the object to be created
+## </param>
+## <param name="object_class" optional="true">
+##	The object class.  If not specified, file is used.
+## </param>
+#
+interface(`files_create_usr',`
+	gen_require(`
+		type usr_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 usr_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 usr_t:file $2;
+	',`
+		type_transition $1 usr_t:$3 $2;
+	')
+')
+
+########################################
+## <summary>
+##	Execute programs in /usr/src in the caller domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_exec_usr_src_files',`
+	gen_require(`
+		type usr_t, src_t;
+	')
+
+	allow $1 usr_t:dir search;
+	allow $1 src_t:dir r_dir_perms;
+	allow $1 src_t:lnk_file r_file_perms;
+	can_exec($1,src_t)
+')
+
+########################################
+#
+# files_dontaudit_search_src(domain)
+#
+interface(`files_dontaudit_search_src',`
+	gen_require(`
+		type src_t;
+	')
+
+	dontaudit $1 src_t:dir search;
+')
+
+########################################
+#
+# files_read_usr_src_files(domain)
+#
+interface(`files_read_usr_src_files',`
+	gen_require(`
+		type usr_t, src_t;
+	')
+
+	allow $1 usr_t:dir search;
+	allow $1 src_t:dir r_dir_perms;
+	allow $1 src_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Search the contents of /var.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_search_var',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	the contents of /var.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_search_var',`
+	gen_require(`
+		type var_t;
+	')
+
+	dontaudit $1 var_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of /var.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_list_var',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	in the /var directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_dirs',`
+	gen_require(`
+		type var_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 var_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read files in the /var directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_read_var_files',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files in the /var directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_files',`
+	gen_require(`
+		type var_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+	allow $1 var_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in the /var directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_var_symlink',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic
+##	links in the /var directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_symlinks',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+	allow $1 var_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in the /var directory
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="file_type">
+##	The type of the object to be created
+## </param>
+## <param name="object_class" optional="true">
+##	The object class.  If not specified, file is used.
+## </param>
+#
+interface(`files_create_var',`
+	gen_require(`
+		type var_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 var_t:file $2;
+	',`
+		type_transition $1 var_t:$3 $2;
+	')
+')
+
+########################################
+## <summary>
+##	Search directories in /var/lib.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_search_var_lib_dir',`
+	gen_require(`
+		type var_t, var_lib_t;
+		class dir search;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_lib_t:dir search;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the /var/lib directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_getattr_var_lib_dir',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lib_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the /var/lib directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_search_var_lib',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 { var_t var_lib_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of the /var/lib directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_list_var_lib',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lib_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in the /var/lib directory
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="file_type">
+##	The type of the object to be created
+## </param>
+## <param name="object_class" optional="true">
+##	The object class.  If not specified, file is used.
+## </param>
+#
+interface(`files_create_var_lib',`
+	gen_require(`
+		type var_t, var_lib_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lib_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 var_lib_t:file $2;
+	',`
+		type_transition $1 var_lib_t:$3 $2;
+	')
+')
+
+########################################
+## <summary>
+##	Read generic files in /var/lib.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_var_lib_files',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 { var_t var_lib_t }:dir search_dir_perms;
+	allow $1 var_lib_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read generic symbolic links in /var/lib
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_var_lib_symlinks',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 { var_t var_lib_t }:dir search_dir_perms;
+	allow $1 var_lib_t:lnk_file { getattr read };
+')
+
+# cjp: the next two interfaces really need to be fixed
+# in some way.  They really neeed their own types.
+
+########################################
+#
+# files_manage_urandom_seed(domain)
+#
+interface(`files_manage_urandom_seed',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lib_t:dir rw_dir_perms;
+	allow $1 var_lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow domain to manage mount tables
+##	necessary for rpcd, nfsd, etc.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_manage_mounttab',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lib_t:dir rw_dir_perms;
+	allow $1 var_lib_t:file manage_file_perms;
+')
+
+########################################
+#
+# files_search_locks(domain)
+#
+interface(`files_search_locks',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the
+##	locks directory (/var/lock).
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_search_locks',`
+	gen_require(`
+		type var_lock_t;
+	')
+
+	dontaudit $1 var_lock_t:dir search;
+')
+
+########################################
+## <summary>
+##	Add and remove entries in the /var/lock
+##	directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_rw_locks_dir',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lock_t:dir rw_dir_perms;
+')
+
+########################################
+#
+# files_getattr_generic_locks(domain)
+#
+interface(`files_getattr_generic_locks',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lock_t:dir r_dir_perms;
+	allow $1 var_lock_t:file getattr;
+')
+
+########################################
+#
+# files_manage_generic_locks(domain)
+#
+interface(`files_manage_generic_locks',`
+	gen_require(`
+		type var_lock_t;
+	')
+
+	allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
+	allow $1 var_lock_t:file { getattr create read write setattr unlink };
+')
+
+########################################
+#
+# files_delete_all_locks(domain)
+#
+interface(`files_delete_all_locks',`
+	gen_require(`
+		attribute lockfile;
+		class dir rw_dir_perms;
+		class file { getattr unlink };
+	')
+
+	allow $1 lockfile:dir rw_dir_perms;
+	allow $1 lockfile:file { getattr unlink };
+')
+
+########################################
+#
+# files_create_lock(domain,private_type,[object class(es)])
+#
+interface(`files_create_lock',`
+	gen_require(`
+		type var_t, var_lock_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_lock_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 var_lock_t:file $2;
+	',`
+		type_transition $1 var_lock_t:$3 $2;
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of the /var/run directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_pid_dir',`
+	gen_require(`
+		type var_run_t;
+		class dir getattr;
+	')
+
+	dontaudit $1 var_run_t:dir getattr;
+')
+
+########################################
+#
+# files_search_pids(domain)
+#
+interface(`files_search_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	the /var/run directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_search_pids',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	dontaudit $1 var_run_t:dir search;
+')
+
+########################################
+#
+# files_list_pids(domain)
+#
+interface(`files_list_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_run_t:dir r_dir_perms;
+')
+
+########################################
+#
+# files_create_pid(domain,pidfile,[object class(es)])
+#
+interface(`files_create_pid',`
+	gen_require(`
+		type var_t, var_run_t;
+		class dir rw_dir_perms;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_run_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 var_run_t:file $2;
+	',`
+		type_transition $1 var_run_t:$3 $2;
+	')
+')
+
+########################################
+#
+# files_rw_generic_pids(domain)
+#
+interface(`files_rw_generic_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+		class dir r_dir_perms;
+		class file rw_file_perms;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_run_t:dir r_dir_perms;
+	allow $1 var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write to daemon runtime data files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_dontaudit_write_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	dontaudit $1 pidfile:file write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to ioctl daemon runtime data files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_dontaudit_ioctl_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	dontaudit $1 pidfile:file ioctl;
+')
+
+########################################
+#
+# files_read_all_pids(domain)
+#
+interface(`files_read_all_pids',`
+	gen_require(`
+		attribute pidfile;
+		type var_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 pidfile:dir r_dir_perms;
+	allow $1 pidfile:file r_file_perms;
+')
+
+########################################
+#
+# files_delete_all_pids(domain)
+#
+interface(`files_delete_all_pids',`
+	gen_require(`
+		attribute pidfile;
+		type var_t, var_run_t;
+		class dir rw_dir_perms;
+		class file { getattr unlink };
+		class lnk_file { getattr unlink };
+		class sock_file { getattr unlink };
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
+	allow $1 var_run_t:dir rmdir;
+	allow $1 pidfile:dir rw_dir_perms;
+	allow $1 pidfile:file { getattr unlink };
+	allow $1 pidfile:sock_file { getattr unlink };
+')
+
+########################################
+#
+# files_delete_all_pid_dirs(domain)
+#
+interface(`files_delete_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+		type var_t;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 pidfile:dir { rw_dir_perms rmdir };
+')
+
+########################################
+#
+# files_search_spool(domain)
+#
+interface(`files_search_spool',`
+	gen_require(`
+		type var_t, var_spool_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
+#
+# files_list_spool(domain)
+#
+interface(`files_list_spool',`
+	gen_require(`
+		type var_t, var_spool_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir r_dir_perms;
+')
+
+########################################
+#
+# files_manage_generic_spool_dirs(domain)
+#
+interface(`files_manage_generic_spool_dirs',`
+	gen_require(`
+		type var_t, var_spool_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir create_dir_perms;
+')
+
+########################################
+#
+# files_read_generic_spools(domain)
+#
+interface(`files_read_generic_spools',`
+	gen_require(`
+		type var_t, var_spool_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir r_dir_perms;
+	allow $1 var_spool_t:file r_file_perms;
+')
+
+########################################
+#
+# files_manage_generic_spools(domain)
+#
+interface(`files_manage_generic_spools',`
+	gen_require(`
+		type var_t, var_spool_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir rw_dir_perms;
+	allow $1 var_spool_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Unconfined access to files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_unconfined',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	# Create/access any file in a labeled filesystem;
+	allow $1 file_type:{ file chr_file } ~execmod;
+	allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+
+	# Mount/unmount any filesystem with the context= option. 
+	allow $1 file_type:filesystem *;
+
+	# Bind to any network address.
+	# cjp: need to check this, I dont think this has any effect.
+	allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+
+	ifdef(`targeted_policy',`
+		tunable_policy(`allow_execmod',`
+			allow $1 file_type:file execmod;
+		')
+	')
+')
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
new file mode 100644
index 0000000..46260eb
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -0,0 +1,169 @@
+
+policy_module(files,1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute file_type;
+
+# cjp: should handle this different
+allow file_type self:filesystem associate;
+
+attribute lockfile;
+attribute mountpoint;
+attribute pidfile;
+
+# For labeling types that are to be polyinstantiated
+attribute polydir;
+
+# this is a hack and should be changed
+attribute usercanread;
+
+# And for labeling the parent directories of those polyinstantiated directories
+# This is necessary for remounting the original in the parent to give
+# security aware apps access
+attribute polyparent;
+
+# And labeling for the member directories
+attribute polymember;
+
+# sensitive security files whose accesses should
+# not be dontaudited for uses
+attribute security_file_type;
+
+attribute tmpfile;
+attribute tmpfsfile;
+
+# default_t is the default type for files that do not
+# match any specification in the file_contexts configuration
+# other than the generic /.* specification.
+type default_t, file_type, mountpoint;
+fs_associate(default_t)
+fs_associate_noxattr(default_t)
+
+#
+# etc_t is the type of the system etc directories.
+#
+type etc_t, file_type;
+fs_associate(etc_t)
+fs_associate_noxattr(etc_t)
+
+#
+# etc_runtime_t is the type of various
+# files in /etc that are automatically
+# generated during initialization.
+#
+type etc_runtime_t, file_type;
+fs_associate(etc_runtime_t)
+fs_associate_noxattr(etc_runtime_t)
+
+#
+# file_t is the default type of a file that has not yet been
+# assigned an extended attribute (EA) value (when using a filesystem
+# that supports EAs).
+#
+type file_t, file_type, mountpoint;
+fs_associate(file_t)
+fs_associate_noxattr(file_t)
+kernel_rootfs_mountpoint(file_t)
+sid file gen_context(system_u:object_r:file_t,s0)
+
+#
+# home_root_t is the type for the directory where user home directories
+# are created
+#
+type home_root_t, file_type, mountpoint; #, polyparent
+fs_associate(home_root_t)
+fs_associate_noxattr(home_root_t)
+
+#
+# lost_found_t is the type for the lost+found directories.
+#
+type lost_found_t, file_type;
+fs_associate(lost_found_t)
+fs_associate_noxattr(lost_found_t)
+
+#
+# mnt_t is the type for mount points such as /mnt/cdrom
+#
+type mnt_t, file_type, mountpoint;
+fs_associate(mnt_t)
+fs_associate_noxattr(mnt_t)
+
+type no_access_t, file_type;
+fs_associate(no_access_t)
+fs_associate_noxattr(no_access_t)
+
+type poly_t, file_type;
+fs_associate(poly_t)
+fs_associate_noxattr(poly_t)
+
+type readable_t, file_type;
+fs_associate(readable_t)
+fs_associate_noxattr(readable_t)
+
+#
+# root_t is the type for rootfs and the root directory.
+#
+type root_t, file_type, mountpoint; #, polyparent
+fs_associate(root_t)
+fs_associate_noxattr(root_t)
+kernel_rootfs_mountpoint(root_t)
+genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+
+#
+# src_t is the type of files in the system src directories.
+#
+type src_t, file_type, mountpoint;
+fs_associate(src_t)
+fs_associate_noxattr(src_t)
+
+#
+# tmp_t is the type of the temporary directories
+#
+type tmp_t, mountpoint; #, polydir
+files_tmp_file(tmp_t)
+
+#
+# usr_t is the type for /usr.
+#
+type usr_t, file_type, mountpoint;
+fs_associate(usr_t)
+fs_associate_noxattr(usr_t)
+
+#
+# var_t is the type of /var
+#
+type var_t, file_type, mountpoint;
+fs_associate(var_t)
+fs_associate_noxattr(var_t)
+
+#
+# var_lib_t is the type of /var/lib
+#
+type var_lib_t, file_type, mountpoint;
+fs_associate(var_lib_t)
+fs_associate_noxattr(var_lib_t)
+
+#
+# var_lock_t is tye type of /var/lock
+#
+type var_lock_t, file_type, lockfile;
+fs_associate(var_lock_t)
+fs_associate_noxattr(var_lock_t)
+
+#
+# var_run_t is the type of /var/run, usually
+# used for pid and other runtime files.
+#
+type var_run_t, file_type, pidfile;
+fs_associate(var_run_t)
+fs_associate_noxattr(var_run_t)
+
+#
+# var_spool_t is the type of /var/spool
+#
+type var_spool_t;
+files_tmp_file(var_spool_t)
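Review bot: `type var_spool_t;` followed by `files_tmp_file(var_spool_t)` on the last two lines of this hunk looks like a copy-paste of the tmp_t declaration above it rather than a deliberate choice; if files_tmp_file (not visible here) does what its name says, /var/spool becomes a member of the tmpfile attribute and inherits every blanket tmp rule in files.if, e.g. files_purge_tmp's `allow $1 tmpfile:dir { rw_dir_perms rmdir }` plus getattr/unlink on all non-device classes, so any tmp-cleaning domain could delete spool contents. Every other /var subtree type in this hunk is declared with file_type and the two fs_associate calls; I would make var_spool_t match: `type var_spool_t, file_type;` / `fs_associate(var_spool_t)` / `fs_associate_noxattr(var_spool_t)`, and keep the spool-specific access in the files_*_spool interfaces. Separately, two comments have typos worth fixing while the file is being moved: `# var_lock_t is tye type of /var/lock` should read `the type`, and `not be dontaudited for uses` above security_file_type presumably means `for users`.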
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
deleted file mode 100644
index 8fca398..0000000
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ /dev/null
@@ -1,202 +0,0 @@
-
-#
-# /bin
-#
-/bin(/.*)?				gen_context(system_u:object_r:bin_t,s0)
-/bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ls				--	gen_context(system_u:object_r:ls_exec_t,s0)
-/bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
-
-#
-# /dev
-#
-/dev/MAKEDEV			--	gen_context(system_u:object_r:sbin_t,s0)
-
-#
-# /emul
-#
-ifdef(`distro_redhat',`
-/emul/ia32-linux/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
-/emul/ia32-linux/usr(/.*)?/bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)?	gen_context(system_u:object_r:sbin_t,s0)
-/emul/ia32-linux/usr/libexec(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /etc
-#
-/etc/hotplug/.*agent		--	gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:sbin_t,s0)
-
-/etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:sbin_t,s0)
-
-/etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
-/etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
-/etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
-/etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
-
-/etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
-/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
-
-/etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
-/etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
-/etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
-/etc/X11/xinit(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_debian',`
-/etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
-')
-
-ifdef(`targeted_policy',`
-/etc/X11/prefdm			--	gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /lib
-#
-
-ifdef(`distro_gentoo',`
-/lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /sbin
-#
-/sbin(/.*)?				gen_context(system_u:object_r:sbin_t,s0)
-/sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:sbin_t,s0)
-/sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:sbin_t,s0)
-
-#
-# /opt
-#
-/opt(/.*)?/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
-/opt(/.*)?/libexec(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-
-/opt(/.*)?/sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
-
-#
-# /usr
-#
-/usr(/.*)?/Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
-/usr(/.*)?/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
-/usr(/.*)?/sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
-
-/usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-# these two lines are separate because of a
-# sorting issue with the java module
-/usr/lib/jvm/java.*/bin -d		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/jvm/java.*/bin/.*		gen_context(system_u:object_r:bin_t,s0)
-
-/usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/filter/.*	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ipsec/.*		--	gen_context(system_u:object_r:sbin_t,s0)
-/usr/lib(64)?/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/news/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-
-/usr/lib(64)?/debug/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/sbin(/.*)? --	gen_context(system_u:object_r:sbin_t,s0)
-/usr/lib(64)?/debug/usr/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/usr/sbin(/.*)? --	gen_context(system_u:object_r:sbin_t,s0)
-
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-
-/usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
-
-/usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:sbin_t,s0)
-
-/usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-
-/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
-
-/usr/X11R6/lib/X11/xkb/xkbcomp	--	gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_gentoo', `
-/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-')
-
-ifdef(`distro_redhat', `
-/usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/rhn/rhn_applet/needed-packages\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-language/system-config-language -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-lvm/system-config-lvm.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-mouse/system-config-mouse -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-netboot/system-config-netboot\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-netboot/pxeos\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-netboot/pxeboot\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-users/system-config-users -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-logviewer/system-logviewer\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
-')
-
-ifdef(`distro_suse', `
-/usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ssh/.*		--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /var
-#
-/var/mailman/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
-/var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/var/ftp/bin/ls			--	gen_context(system_u:object_r:ls_exec_t,s0)
-
-/usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_suse',`
-/var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
-')
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
deleted file mode 100644
index 0033679..0000000
--- a/refpolicy/policy/modules/system/corecommands.if
+++ /dev/null
@@ -1,569 +0,0 @@
-## <summary>
-## Core policy for shells, and generic programs
-## in /bin, /sbin, /usr/bin, and /usr/sbin.
-## </summary>
-## <required val="true">
-##	Contains the base bin and sbin directory types
-##	which need to be searched for the kernel to
-##	run init.
-## </required>
-
-########################################
-## <summary>
-##	Create a aliased type to generic bin files.
-## </summary>
-## <desc>
-##	<p>
-##	Create a aliased type to generic bin files.
-##	</p>
-##	<p>
-##	This is added to support targeted policy.  Its
-##	use should be limited.  It has no effect
-##	on the strict policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	Alias type for bin_t.
-## </param>
-interface(`corecmd_bin_alias',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type bin_t;
-		')
-
-		typealias bin_t alias $1;
-	',`
-		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
-	')
-')
-
-########################################
-## <summary>
-##	Make the shell an entrypoint for the specified domain.
-## </summary>
-## <param name="domain">
-##	The domain for which the shell is an entrypoint.
-## </param>
-interface(`corecmd_shell_entry_type',`
-	gen_require(`
-		type shell_exec_t;
-	')
-
-	domain_entry_file($1,shell_exec_t)
-')
-
-########################################
-#
-# corecmd_search_bin(domain)
-#
-interface(`corecmd_search_bin',`
-	gen_require(`
-		type bin_t;
-		class dir search;
-	')
-
-	allow $1 bin_t:dir search;
-')
-
-########################################
-#
-# corecmd_list_bin(domain)
-#
-interface(`corecmd_list_bin',`
-	gen_require(`
-		type bin_t;
-		class dir r_dir_perms;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of files in bin directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`corecmd_getattr_bin_file',`
-	gen_require(`
-		type bin_t;
-		class file getattr;
-	')
-
-	allow $1 bin_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Read files in bin directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_bin_file',`
-	gen_require(`
-		type bin_t;
-		class dir search;
-		class file r_file_perms;
-	')
-
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read symbolic links in bin directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_bin_symlink',`
-	gen_require(`
-		type bin_t;
-		class dir search;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read pipes in bin directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_bin_pipe',`
-	gen_require(`
-		type bin_t;
-		class dir search;
-		class fifo_file r_file_perms;
-	')
-
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read named sockets in bin directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_bin_socket',`
-	gen_require(`
-		type bin_t;
-		class dir search;
-		class sock_file r_file_perms;
-	')
-
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:sock_file r_file_perms;
-')
-
-########################################
-#
-# corecmd_exec_bin(domain)
-#
-interface(`corecmd_exec_bin',`
-	gen_require(`
-		type bin_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
-	can_exec($1,bin_t)
-
-')
-
-########################################
-## <summary>
-##	Execute a file in a bin directory
-##	in the specified domain.
-## </summary>
-## <desc>
-##	<p>
-##	Execute a file in a bin directory
-##	in the specified domain.  This allows
-##	the specified domain to execute any file
-##	on these filesystems in the specified
-##	domain.  This is not suggested.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-##	<p>
-##	This interface was added to handle
-##	the ssh-agent policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-## <param name="target_domain">
-##	The type of the new process.
-## </param>
-#
-interface(`corecmd_bin_domtrans',`
-	gen_require(`
-		type bin_t;
-		class dir search;
-		class lnk_file { getattr read };
-	')
-
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:lnk_file { getattr read };
-
-	domain_auto_trans($1,bin_t,$2)
-')
-
-########################################
-#
-# corecmd_search_sbin(domain)
-#
-interface(`corecmd_search_sbin',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search
-##	sbin directories.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`corecmd_dontaudit_search_sbin',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	dontaudit $1 sbin_t:dir search_dir_perms;
-')
-
-########################################
-#
-# corecmd_list_sbin(domain)
-#
-interface(`corecmd_list_sbin',`
-	gen_require(`
-		type sbin_t;
-		class dir r_dir_perms;
-	')
-
-	allow $1 sbin_t:dir r_dir_perms;
-')
-
-########################################
-#
-# corecmd_getattr_sbin_file(domain)
-#
-interface(`corecmd_getattr_sbin_file',`
-	gen_require(`
-		type sbin_t;
-		class file getattr;
-	')
-
-	allow $1 sbin_t:file getattr;
-')
-
-########################################
-#
-# corecmd_dontaudit_getattr_sbin_file(domain)
-#
-interface(`corecmd_dontaudit_getattr_sbin_file',`
-	gen_require(`
-		type sbin_t;
-		class file getattr;
-	')
-
-	dontaudit $1 sbin_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Read files in sbin directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_sbin_file',`
-	gen_require(`
-		type sbin_t;
-		class dir search;
-		class file r_file_perms;
-	')
-
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read symbolic links in sbin directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_sbin_symlink',`
-	gen_require(`
-		type sbin_t;
-		class dir search;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read named pipes in sbin directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_sbin_pipe',`
-	gen_require(`
-		type sbin_t;
-		class dir search;
-		class fifo_file r_file_perms;
-	')
-
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read named sockets in sbin directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_sbin_socket',`
-	gen_require(`
-		type sbin_t;
-		class dir search;
-		class sock_file r_file_perms;
-	')
-
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:sock_file r_file_perms;
-')
-
-########################################
-#
-# corecmd_exec_sbin(domain)
-#
-interface(`corecmd_exec_sbin',`
-	gen_require(`
-		type sbin_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 sbin_t:dir r_dir_perms;
-	allow $1 sbin_t:lnk_file r_file_perms;
-	can_exec($1,sbin_t)
-
-')
-
-########################################
-## <summary>
-##	Execute a file in a sbin directory
-##	in the specified domain.
-## </summary>
-## <desc>
-##	<p>
-##	Execute a file in a sbin directory
-##	in the specified domain.  This allows
-##	the specified domain to execute any file
-##	on these filesystems in the specified
-##	domain.  This is not suggested.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-##	<p>
-##	This interface was added to handle
-##	the ssh-agent policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-## <param name="target_domain">
-##	The type of the new process.
-## </param>
-#
-interface(`corecmd_sbin_domtrans',`
-	gen_require(`
-		type sbin_t;
-		class dir search;
-		class lnk_file { getattr read };
-	')
-
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:lnk_file { getattr read };
-
-	domain_auto_trans($1,sbin_t,$2)
-')
-
-########################################
-## <summary>
-##	Check if a shell is executable (DAC-wise).
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`corecmd_check_exec_shell',`
-	gen_require(`
-		type bin_t, shell_exec_t;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
-	allow $1 shell_exec_t:file execute;
-')
-
-########################################
-#
-# corecmd_exec_shell(domain)
-#
-interface(`corecmd_exec_shell',`
-	gen_require(`
-		type bin_t, shell_exec_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
-	can_exec($1,shell_exec_t)
-')
-
-########################################
-#
-# corecmd_exec_ls(domain)
-#
-interface(`corecmd_exec_ls',`
-	gen_require(`
-		type bin_t, ls_exec_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
-	can_exec($1,ls_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute a shell in the target domain.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <desc>
-##	<p>
-##	Execute a shell in the target domain.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-## </desc>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-## <param name="target_domain">
-##	The type of the shell process.
-## </param>
-#
-interface(`corecmd_shell_spec_domtrans',`
-	gen_require(`
-		type bin_t, shell_exec_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
-
-	domain_trans($1,shell_exec_t,$2)
-')
-
-########################################
-## <summary>
-##	Execute a shell in the specified domain.
-## </summary>
-## <desc>
-##	<p>
-##	Execute a shell in the specified domain.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-## </desc>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-## <param name="target_domain">
-##	The type of the shell process.
-## </param>
-#
-interface(`corecmd_shell_domtrans',`
-	gen_require(`
-		type shell_exec_t;
-	')
-
-	corecmd_shell_spec_domtrans($1,$2)
-	type_transition $1 shell_exec_t:process $2;
-')
-
-########################################
-#
-# corecmd_exec_chroot(domain)
-#
-interface(`corecmd_exec_chroot',`
-	gen_require(`
-		type chroot_exec_t;
-		class capability sys_chroot;
-	')
-
-	can_exec($1,chroot_exec_t)
-	allow $1 self:capability sys_chroot;
-')
-
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
deleted file mode 100644
index 2dde3dc..0000000
--- a/refpolicy/policy/modules/system/corecommands.te
+++ /dev/null
@@ -1,37 +0,0 @@
-
-policy_module(corecommands,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-#
-# bin_t is the type of files in the system bin directories.
-#
-type bin_t;
-files_type(bin_t)
-
-#
-# sbin_t is the type of files in the system sbin directories.
-#
-type sbin_t;
-files_type(sbin_t)
-
-#
-# ls_exec_t is the type of the ls program.
-#
-type ls_exec_t;
-files_type(ls_exec_t)
-
-#cjp: temp
-typeattribute ls_exec_t entry_type;
-
-#
-# shell_exec_t is the type of user shells such as /bin/bash.
-#
-type shell_exec_t;
-files_type(shell_exec_t)
-
-type chroot_exec_t;
-files_type(chroot_exec_t)
diff --git a/refpolicy/policy/modules/system/domain.fc b/refpolicy/policy/modules/system/domain.fc
deleted file mode 100644
index 7be4ddf..0000000
--- a/refpolicy/policy/modules/system/domain.fc
+++ /dev/null
@@ -1 +0,0 @@
-# This module currently does not have any file contexts.
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
deleted file mode 100644
index 78f2d87..0000000
--- a/refpolicy/policy/modules/system/domain.if
+++ /dev/null
@@ -1,1095 +0,0 @@
-## <summary>Core policy for domains.</summary>
-## <required val="true">
-##	Contains the concept of a domain.
-## </required>
-
-########################################
-## <summary>
-##	Make the specified type usable as a basic domain.
-## </summary>
-## <desc>
-##	<p>
-##	Make the specified type usable as a basic domain.
-##	</p>
-##	<p>
-##	This is primarily used for kernel threads;
-##	generally the domain_type() interface is
-##	more appropriate for userland processes.
-##	</p>
-## </desc>
-## <param name="type">
-##	Type to be used as a basic domain type.
-## </param>
-#
-interface(`domain_base_type',`
-	gen_require(`
-		attribute domain;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-		class file rw_file_perms;
-		class process { fork sigchld };
-	')
-
-	# mark as a domain
-	typeattribute $1 domain;
-
-	# allow the domain to read its /proc/pid entries
-	allow $1 self:dir r_dir_perms;
-	allow $1 self:lnk_file r_file_perms;
-	allow $1 self:file rw_file_perms;
-
-	# allow $1 to create child processes in this domain
-	allow $1 self:process { fork sigchld };
-
-	ifdef(`targeted_policy',`
-		tunable_policy(`allow_execmem',`
-			allow $1 self:process execmem;
-		')
-
-		# FIXME:
-		# hack until role dominance is fixed in
-		# the module compiler
-		role secadm_r types $1;
-		role sysadm_r types $1;
-		role user_r types $1;
-		role staff_r types $1;
-	')
-')
-
-########################################
-## <summary>
-##	Make the specified type usable as a domain.
-## </summary>
-## <param name="type">
-##	Type to be used as a domain type.
-## </param>
-#
-interface(`domain_type',`
-	# start with basic domain
-	domain_base_type($1)
-
-	# Use trusted objects in /dev
-	dev_rw_null_dev($1)
-	dev_rw_zero_dev($1)
-	term_use_controlling_term($1)
-
-	# read the root directory
-	files_list_root($1)
-
-	# send init a sigchld and signull
-	init_sigchld($1)
-	init_signull($1)
-
-	ifdef(`targeted_policy',`
-		unconfined_use_fd($1)
-		unconfined_sigchld($1)
-	')
-
-	tunable_policy(`allow_ptrace',`
-		userdom_sigchld_sysadm($1)
-	')
-
-	# allow any domain to connect to the LDAP server
-	optional_policy(`ldap',`
-		ldap_use($1)
-	')
-
-	# these 3 seem highly questionable:
-	optional_policy(`rpm',`
-		rpm_use_fd($1)
-		rpm_read_pipe($1)
-	')
-
-	optional_policy(`selinux',`
-		selinux_dontaudit_read_fs($1)
-	')
-
-	optional_policy(`selinuxutil',`
-		seutil_dontaudit_read_config($1)
-	')
-')
-
-########################################
-## <summary>
-##	Make the specified type usable as
-##	an entry point for the domain.
-## </summary>
-## <param name="domain">
-##	Domain to be entered.
-## </param>
-## <param name="type">
-##	Type of program used for entering
-##	the domain.
-## </param>
-#
-interface(`domain_entry_file',`
-	gen_require(`
-		attribute entry_type;
-		class file entrypoint;
-	')
-
-	files_type($2)
-
-	allow $1 $2:file entrypoint;
-	allow $1 $2:file rx_file_perms;
-
-	typeattribute $2 entry_type;
-')
-
-########################################
-#
-# domain_wide_inherit_fd(domain)
-#
-interface(`domain_wide_inherit_fd',`
-	gen_require(`
-		attribute privfd;
-	')
-
-	typeattribute $1 privfd;
-')
-
-########################################
-#
-# domain_dyntrans_type(domain)
-#
-interface(`domain_dyntrans_type',`
-	gen_require(`
-		attribute set_curr_context;
-	')
-
-	typeattribute $1 set_curr_context;
-')
-
-########################################
-## <summary>
-##	Makes caller and execption to the constraint
-##	preventing changing to the system user
-##	identity and system role.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_system_change_exempt',`
-	gen_require(`
-		attribute can_system_change;
-	')
-
-	typeattribute $1 can_system_change;
-')
-
-########################################
-## <summary>
-##	Makes caller an exception to the constraint preventing
-##	changing of user identity.
-## </summary>
-## <param name="domain">
-##	The process type to make an exception to the constraint.
-## </param>
-#
-interface(`domain_subj_id_change_exempt',`
-	gen_require(`
-		attribute can_change_process_identity;
-	')
-
-	typeattribute $1 can_change_process_identity;
-')
-
-########################################
-## <summary>
-##	Makes caller an exception to the constraint preventing
-##	changing of role.
-## </summary>
-## <param name="domain">
-##	The process type to make an exception to the constraint.
-## </param>
-#
-interface(`domain_role_change_exempt',`
-	gen_require(`
-		attribute can_change_process_role;
-	')
-
-	typeattribute $1 can_change_process_role;
-')
-
-########################################
-## <summary>
-##	Makes caller an exception to the constraint preventing
-##	changing the user identity in object contexts.
-## </summary>
-## <param name="domain">
-##	The process type to make an exception to the constraint.
-## </param>
-#
-interface(`domain_obj_id_change_exempt',`
-	gen_require(`
-		attribute can_change_object_identity;
-	')
-
-	typeattribute $1 can_change_object_identity;
-')
-
-########################################
-## <summary>
-##	Make the specified domain the target of
-##	the user domain exception of the
-##	SELinux role and identity change
-##	constraints.
-## </summary>
-## <desc>
-##	<p>
-##	Make the specified domain the target of
-##	the user domain exception of the
-##	SELinux role and identity change
-##	constraints.
-##	</p>
-##	<p>
-##	This interface is needed to decouple
-##	the user domains from the base module.
-##	It should not be used other than on
-##	user domains.
-##	</p>
-## </desc>
-## <param name="domain">
-##	Domain target for user exemption.
-## </param>
-#
-interface(`domain_user_exemption_target',`
-	gen_require(`
-		attribute process_user_target;
-	')
-
-	typeattribute $1 process_user_target;
-')
-
-########################################
-## <summary>
-##	Make the specified domain the source of
-##	the cron domain exception of the
-##	SELinux role and identity change
-##	constraints.
-## </summary>
-## <desc>
-##	<p>
-##	Make the specified domain the source of
-##	the cron domain exception of the
-##	SELinux role and identity change
-##	constraints.
-##	</p>
-##	<p>
-##	This interface is needed to decouple
-##	the cron domains from the base module.
-##	It should not be used other than on
-##	cron domains.
-##	</p>
-## </desc>
-## <param name="domain">
-##	Domain target for user exemption.
-## </param>
-#
-interface(`domain_cron_exemption_source',`
-	gen_require(`
-		attribute cron_source_domain;
-	')
-
-	typeattribute $1 cron_source_domain;
-')
-
-########################################
-## <summary>
-##	Make the specified domain the target of
-##	the cron domain exception of the
-##	SELinux role and identity change
-##	constraints.
-## </summary>
-## <desc>
-##	<p>
-##	Make the specified domain the target of
-##	the cron domain exception of the
-##	SELinux role and identity change
-##	constraints.
-##	</p>
-##	<p>
-##	This interface is needed to decouple
-##	the cron domains from the base module.
-##	It should not be used other than on
-##	user cron jobs.
-##	</p>
-## </desc>
-## <param name="domain">
-##	Domain target for user exemption.
-## </param>
-#
-interface(`domain_cron_exemption_target',`
-	gen_require(`
-		attribute cron_job_domain;
-	')
-
-	typeattribute $1 cron_job_domain;
-')
-
-########################################
-#
-# domain_use_wide_inherit_fd(domain)
-#
-interface(`domain_use_wide_inherit_fd',`
-	gen_require(`
-		attribute privfd;
-		class fd use;
-	')
-
-	allow $1 privfd:fd use;
-')
-
-########################################
-#
-# domain_dontaudit_use_wide_inherit_fd(domain)
-#
-interface(`domain_dontaudit_use_wide_inherit_fd',`
-	gen_require(`
-		attribute privfd;
-		class fd use;
-	')
-
-	dontaudit $1 privfd:fd use;
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to domains whose file
-##	discriptors are widely inheritable.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-# cjp: this was added because of newrole
-interface(`domain_sigchld_wide_inherit_fd',`
-	gen_require(`
-		attribute privfd;
-	')
-
-	allow $1 privfd:process sigchld;
-')
-
-########################################
-#
-# domain_setpriority_all_domains(domain)
-#
-interface(`domain_setpriority_all_domains',`
-	gen_require(`
-		attribute domain;
-		class process setsched;
-	')
-
-	allow $1 domain:process setsched;
-')
-
-########################################
-## <summary>
-##	Send general signals to all domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_signal_all_domains',`
-	gen_require(`
-		attribute domain;
-		class process signal;
-	')
-
-	allow $1 domain:process signal;
-')
-
-########################################
-## <summary>
-##	Send a null signal to all domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_signull_all_domains',`
-	gen_require(`
-		attribute domain;
-		class process signull;
-	')
-
-	allow $1 domain:process signull;
-')
-
-########################################
-## <summary>
-##	Send a stop signal to all domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_sigstop_all_domains',`
-	gen_require(`
-		attribute domain;
-		class process sigstop;
-	')
-
-	allow $1 domain:process sigstop;
-')
-
-########################################
-## <summary>
-##	Send a child terminated signal to all domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_sigchld_all_domains',`
-	gen_require(`
-		attribute domain;
-		class process sigchld;
-	')
-
-	allow $1 domain:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send a kill signal to all domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_kill_all_domains',`
-	gen_require(`
-		attribute domain;
-		class process sigkill;
-		class capability kill;
-	')
-
-	allow $1 domain:process sigkill;
-	allow $1 self:capability kill;
-')
-
-########################################
-## <summary>
-##	Search the process state directory (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_search_all_domains_state',`
-	gen_require(`
-		attribute domain;
-		class dir search;
-	')
-
-	kernel_search_proc($1)
-	allow $1 domain:dir search;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the process
-##	state directory (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`domain_dontaudit_search_all_domains_state',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read the process state (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_read_all_domains_state',`
-	gen_require(`
-		attribute domain;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-		class file r_file_perms;
-	')
-
-	kernel_search_proc($1)
-	allow $1 domain:dir r_dir_perms;
-	allow $1 domain:lnk_file r_file_perms;
-	allow $1 domain:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all domains of all domains.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_getattr_all_domains',`
-	gen_require(`
-		attribute domain;
-		class process getattr;
-	')
-
-	allow $1 domain:process getattr;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all domains of all domains.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:process getattr;
-')
-
-########################################
-## <summary>
-##	Read the process state (/proc/pid) of all confined domains.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_read_confined_domains_state',`
-	gen_require(`
-		attribute domain, unconfined_domain;
-	')
-
-	kernel_search_proc($1)
-	allow $1 { domain -unconfined_domain }:dir r_dir_perms;
-	allow $1 { domain -unconfined_domain }:lnk_file r_file_perms;
-	allow $1 { domain -unconfined_domain }:file r_file_perms;
-
-	dontaudit $1 unconfined_domain:dir search;
-	dontaudit $1 unconfined_domain:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Get the attributes of all confined domains.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_getattr_confined_domains',`
-	gen_require(`
-		attribute domain, unconfined_domain;
-		class process getattr;
-	')
-
-	allow $1 { domain -unconfined_domain }:process getattr;
-')
-
-########################################
-## <summary>
-##	Ptrace all domains.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_ptrace_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	allow $1 domain:process ptrace;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to ptrace all domains.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to ptrace all domains.
-##	</p>
-##	<p>
-##	Generally this needs to be suppressed because procps tries to access
-##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
-##	(2.4 and 2.6).
-##	</p>
-## </desc>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_dontaudit_ptrace_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:process ptrace;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to ptrace confined domains.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to ptrace confined domains.
-##	</p>
-##	<p>
-##	Generally this needs to be suppressed because procps tries to access
-##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
-##	(2.4 and 2.6).
-##	</p>
-## </desc>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_dontaudit_ptrace_confined_domains',`
-	gen_require(`
-		attribute domain, unconfined_domain;
-		class process ptrace;
-	')
-
-	dontaudit $1 { domain -unconfined_domain }:process ptrace;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read the process
-##	state (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_read_all_domains_state',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:dir r_dir_perms;
-	dontaudit $1 domain:lnk_file r_file_perms;
-	dontaudit $1 domain:file r_file_perms;
-
-	# cjp: these should be removed:
-	dontaudit $1 domain:sock_file r_file_perms;
-	dontaudit $1 domain:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read the process state
-##	directories of all domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_list_all_domains_proc',`
-	gen_require(`
-		attribute domain;
-		class dir r_dir_perms;
-	')
-
-	dontaudit $1 domain:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the session ID of all domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_getsession_all_domains',`
-	gen_require(`
-		attribute domain;
-		class process getsession;
-	')
-
-	allow $1 domain:process getsession;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	session ID of all domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getsession_all_domains',`
-	gen_require(`
-		attribute domain;
-		class process getsession;
-	')
-
-	dontaudit $1 domain:process getsession;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all domains
-##	sockets, for all socket types.
-## </summary>
-## <desc>
-##	<p>
-##	Get the attributes of all domains
-##	sockets, for all socket types.
-##	</p>
-##	<p>
-##	This is commonly used for domains
-##	that can use lsof on all domains.
-##	</p>
-## </desc>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_getattr_all_sockets',`
-	gen_require(`
-		gen_require_set(getattr,socket_class_set)
-	')
-
-	allow $1 domain:socket_class_set getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains sockets, for all socket types.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to get the attributes
-##	of all domains sockets, for all socket types.
-##	</p>
-##	<p>
-##	This interface was added for PCMCIA cardmgr
-##	and is probably excessive.
-##	</p>
-## </desc>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_sockets',`
-	gen_require(`
-		gen_require_set(getattr,socket_class_set)
-	')
-
-	dontaudit $1 domain:socket_class_set getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains TCP sockets.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_tcp_sockets',`
-	gen_require(`
-		attribute domain;
-		class tcp_socket getattr;
-	')
-
-	dontaudit $1 domain:tcp_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains UDP sockets.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_udp_sockets',`
-	gen_require(`
-		attribute domain;
-		class udp_socket getattr;
-	')
-
-	dontaudit $1 domain:udp_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or write
-##	all domains UDP sockets.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_rw_all_udp_sockets',`
-	gen_require(`
-		attribute domain;
-		class udp_socket { read write };
-	')
-
-	dontaudit $1 domain:udp_socket { read write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get attribues of
-##	all domains IPSEC key management sockets.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_key_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:key_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get attribues of
-##	all domains packet sockets.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_packet_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:packet_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get attribues of
-##	all domains raw sockets.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_raw_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:rawip_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or write
-##	all domains key sockets.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_rw_all_key_sockets',`
-	gen_require(`
-		attribute domain;
-		class key_socket { read write };
-	')
-
-	dontaudit $1 domain:key_socket { read write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains unix datagram sockets.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_dgram_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:unix_dgram_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains unix datagram sockets.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_stream_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:unix_stream_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains unnamed pipes.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_pipes',`
-	gen_require(`
-		attribute domain;
-		class fifo_file getattr;
-	')
-
-	dontaudit $1 domain:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Get the attributes of entry point
-##	files for all domains.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`domain_getattr_all_entry_files',`
-	gen_require(`
-		attribute entry_type;
-		class file getattr;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 entry_type:lnk_file getattr;
-	allow $1 entry_type:file r_file_perms;
-')
-
-########################################
-#
-# domain_read_all_entry_files(domain)
-#
-interface(`domain_read_all_entry_files',`
-	gen_require(`
-		attribute entry_type;
-		class file r_file_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 entry_type:lnk_file r_file_perms;
-	allow $1 entry_type:file r_file_perms;
-')
-
-########################################
-#
-# domain_exec_all_entry_files(domain)
-#
-interface(`domain_exec_all_entry_files',`
-	gen_require(`
-		attribute entry_type;
-	')
-
-	can_exec($1,entry_type)
-')
-
-########################################
-## <summary>
-##	Unconfined access to domains.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`domain_unconfined',`
-	gen_require(`
-		attribute domain, set_curr_context;
-		attribute can_change_process_identity;
-		attribute can_change_process_role;
-		attribute can_change_object_identity;
-		attribute unconfined_domain;
-	')
-
-	typeattribute $1 unconfined_domain;
-
-	# pass all constraints
-	typeattribute $1 can_change_process_identity;
-	typeattribute $1 can_change_process_role;
-	typeattribute $1 can_change_object_identity;
-	typeattribute $1 set_curr_context;
-
-	# Use/sendto/connectto sockets created by any domain.
-	allow $1 domain:{ socket_class_set socket key_socket } *;
-
-	# Use descriptors and pipes created by any domain.
-	allow $1 domain:fd use;
-	allow $1 domain:fifo_file rw_file_perms;
-
-	# Act upon any other process.
-	allow $1 domain:process ~{ transition dyntransition execmem };
-
-	# Create/access any System V IPC objects.
-	allow $1 domain:{ sem msgq shm } *;
-	allow $1 domain:msg { send receive };
-
-	# For /proc/pid
-	allow $1 domain:dir r_dir_perms;
-	allow $1 domain:file r_file_perms;
-	allow $1 domain:lnk_file r_file_perms;
-')
-
-#
-# These next macros are not templates, but actually are 
-# support macros.  Due to the domain_ prefix, they 
-# are placed in this module, to try to prevent confusion.
-# They are called templates since regular m4 defines
-# wont work here.
-#
-
-########################################
-#
-# domain_trans(source_domain,entrypoint_file,target_domain)
-#
-template(`domain_trans',`
-	allow $1 $2:file { getattr read execute };
-	allow $1 $3:process transition;
-	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
-')
-
-########################################
-#
-# domain_auto_trans(source_domain,entrypoint_file,target_domain)
-#
-template(`domain_auto_trans',`
-	domain_trans($1,$2,$3)
-	type_transition $1 $2:process $3;
-')
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
deleted file mode 100644
index a368df8..0000000
--- a/refpolicy/policy/modules/system/domain.te
+++ /dev/null
@@ -1,69 +0,0 @@
-
-policy_module(domain,1.0)
-
-########################################
-#
-# Declarations
-#
-
-# Mark process types as domains
-attribute domain;
-
-# Transitions only allowed from domains to other domains
-neverallow domain ~domain:process { transition dyntransition };
-
-# Domains that are unconfined
-attribute unconfined_domain;
-
-# Domains that can set their current context
-# (perform dynamic transitions)
-attribute set_curr_context;
-
-# enabling setcurrent breaks process tranquility.  If you do not
-# know what this means or do not understand the implications of a
-# dynamic transition, you should not be using it!!!
-neverallow { domain -set_curr_context } self:process setcurrent;
-
-# entrypoint executables
-attribute entry_type;
-
-# widely-inheritable file descriptors
-attribute privfd;
-
-#
-# constraint related attributes
-#
-
-# [1] types that can change SELinux identity on transition
-attribute can_change_process_identity;
-
-# [2] types that can change SELinux role on transition
-attribute can_change_process_role;
-
-# [3] types that can change the SELinux identity on a filesystem
-# object or a socket object on a create or relabel
-attribute can_change_object_identity;
-
-# [3] types that can change to system_u:system_r
-attribute can_system_change;
-
-# [4] types that have attribute 1 can change the SELinux
-# identity only if the target domain has this attribute.
-# Types that have attribute 2 can change the SELinux role
-# only if the target domain has this attribute.
-attribute process_user_target;
-
-# For cron jobs
-# [5] types used for cron daemons
-attribute cron_source_domain;
-# [6] types used for cron jobs
-attribute cron_job_domain;
-
-# [7] types that are unconditionally exempt from
-# SELinux identity and role change constraints
-attribute process_uncond_exempt;	# add userhelperdomain to this one
-
-# TODO:
-# cjp: also need to except correctly for SEFramework
-neverallow { domain unlabeled_t } file_type:process *;
-neverallow ~{ domain unlabeled_t } *:process *;
diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc
deleted file mode 100644
index 0c19f57..0000000
--- a/refpolicy/policy/modules/system/files.fc
+++ /dev/null
@@ -1,216 +0,0 @@
-
-#
-# /
-#
-/.*				gen_context(system_u:object_r:default_t,s0)
-/			-d	gen_context(system_u:object_r:root_t,s0)
-/\.journal			<<none>>
-
-ifdef(`distro_redhat',`
-/\.autofsck		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/\.autorelabel		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/fastboot 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/forcefsck 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/poweroff		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-ifdef(`distro_suse',`
-/success		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-#
-# /boot
-#
-/boot/\.journal			<<none>>
-/boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
-/boot/lost\+found/.*		<<none>>
-
-#
-# /emul
-#
-
-ifdef(`distro_redhat',`
-/emul(/.*)?			gen_context(system_u:object_r:usr_t,s0)
-')
-
-#
-# /etc
-#
-/etc(/.*)?			gen_context(system_u:object_r:etc_t,s0)
-/etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/asound\.state	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/blkid\.tab.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/HOSTNAME		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/issue		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/issue\.net		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
-/etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-
-/etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
-
-/etc/init\.d/functions	--	gen_context(system_u:object_r:etc_t,s0)
-
-/etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
-
-/etc/network/ifstate	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-
-/etc/ptal/ptal-printd-like -- 	gen_context(system_u:object_r:etc_runtime_t,s0)
-
-/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0)
-
-/etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
-
-ifdef(`distro_gentoo', `
-/etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/csh\.env		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-ifdef(`distro_redhat',`
-/etc/rhgb(/.*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
-')
-
-ifdef(`distro_suse',`
-/etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/init\.d/\.depend.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-#
-# HOME_ROOT
-# expanded by genhomedircon
-#
-HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s0)
-HOME_ROOT/\.journal		<<none>>
-HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
-HOME_ROOT/lost\+found/.*	<<none>>
-
-#
-# /initrd
-#
-# initrd mount point, only used during boot
-/initrd			-d	gen_context(system_u:object_r:root_t,s0)
-
-#
-# /lost+found
-#
-/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,s0)
-/lost\+found/.*			<<none>>
-
-#
-# /media
-#
-# Mount points; do not relabel subdirectories, since
-# we don't want to change any removable media by default.
-/media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
-/media/[^/]*/.*			<<none>>
-
-#
-# /mnt
-#
-/mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
-/mnt/[^/]*/.*			<<none>>
-
-#
-# /opt
-#
-/opt(/.*)?			gen_context(system_u:object_r:usr_t,s0)
-
-/opt(/.*)?/var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
-
-#
-# /proc
-#
-/proc(/.*)?                     <<none>>
-
-#
-# /selinux
-#
-/selinux(/.*)?                  <<none>>
-
-#
-# /srv
-#
-/srv(/.*)?			gen_context(system_u:object_r:var_t,s0)
-
-#
-# /sys
-#
-/sys(/.*)?                      <<none>>
-
-#
-# /tmp
-#
-/tmp			-d	gen_context(system_u:object_r:tmp_t,s0)
-/tmp/.*				<<none>>
-/tmp/\.journal			<<none>>
-
-/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
-/tmp/lost\+found/.*		<<none>>
-
-#
-# /usr
-#
-/usr(/.*)?			gen_context(system_u:object_r:usr_t,s0)
-/usr/\.journal			<<none>>
-
-/usr/etc(/.*)?			gen_context(system_u:object_r:etc_t,s0)
-
-/usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
-
-/usr/local/\.journal		<<none>>
-
-/usr/local/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
-
-/usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
-/usr/local/lost\+found/.*	<<none>>
-
-/usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
-
-/usr/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
-/usr/lost\+found/.*		<<none>>
-
-/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
-
-/usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
-
-/usr/tmp		-d	gen_context(system_u:object_r:tmp_t,s0)
-/usr/tmp/.*			<<none>>
-
-#
-# /var
-#
-/var(/.*)?			gen_context(system_u:object_r:var_t,s0)
-/var/\.journal			<<none>>
-
-/var/db/.*\.db		--	gen_context(system_u:object_r:etc_t,s0)
-
-/var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
-
-/var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
-
-/var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-
-/var/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
-
-/var/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
-/var/lost\+found/.*		<<none>>
-
-/var/run(/.*)?			gen_context(system_u:object_r:var_run_t,s0)
-/var/run/.*\.*pid		<<none>>
-
-/var/spool(/.*)?		gen_context(system_u:object_r:var_spool_t,s0)
-
-/var/tmp		-d	gen_context(system_u:object_r:tmp_t,s0)
-/var/tmp/.*			<<none>>
-/var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s0)
-/var/tmp/lost\+found/.*		<<none>>
-/var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
deleted file mode 100644
index c43fa98..0000000
--- a/refpolicy/policy/modules/system/files.if
+++ /dev/null
@@ -1,3104 +0,0 @@
-## <summary>
-## Basic filesystem types and interfaces.
-## </summary>
-## <desc>
-## <p>
-## This module contains basic filesystem types and interfaces. This
-## includes:
-## <ul>
-##	<li>The concept of different file types including basic
-##	files, mount points, tmp files, etc.</li>
-##	<li>Access to groups of files and all files.</li>
-##	<li>Types and interfaces for the basic filesystem layout
-##	(/, /etc, /tmp, /usr, etc.).</li>
-## </ul>
-## </p>
-## </desc>
-## <required val="true">
-##	Contains the concept of a file.
-##	Comains the file initial SID.
-## </required>
-
-########################################
-## <summary>
-##	Make the specified type usable for files
-##	in a filesystem.
-## </summary>
-## <param name="type">
-##	Type to be used for files.
-## </param>
-#
-interface(`files_type',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	fs_associate($1)
-	fs_associate_noxattr($1)
-	typeattribute $1 file_type;
-')
-
-########################################
-#
-# files_lock_file(type)
-#
-interface(`files_lock_file',`
-	gen_require(`
-		attribute lockfile;
-	')
-
-	files_type($1)
-	typeattribute $1 lockfile;
-')
-
-########################################
-#
-# files_mountpoint(type)
-#
-interface(`files_mountpoint',`
-	gen_require(`
-		attribute mountpoint;
-	')
-
-	files_type($1)
-	typeattribute $1 mountpoint;
-')
-
-########################################
-#
-# files_pid_file(type)
-#
-interface(`files_pid_file',`
-	gen_require(`
-		attribute pidfile;
-	')
-
-	files_type($1)
-	typeattribute $1 pidfile;
-')
-
-########################################
-## <summary>
-##	Make the specified type a 
-##	configuration file.
-## </summary>
-## <param name="file_type">
-##	Type to be used as a configuration file.
-## </param>
-#
-interface(`files_config_file',`
-	gen_require(`
-		attribute usercanread;
-	')
-
-	files_type($1)
-
-	# this is a hack and should be removed.
-	typeattribute $1 usercanread;
-')
-
-########################################
-## <summary>
-##	Make the specified type a 
-##	polyinstantiated directory.
-## </summary>
-## <param name="file_type">
-##	Type of the file to be used as a
-##	polyinstantiated directory.
-## </param>
-#
-interface(`files_poly',`
-	gen_require(`
-		attribute polydir;
-	')
-
-	files_type($1)
-	typeattribute $1 polydir;
-')
-
-########################################
-## <summary>
-##	Make the specified type a parent
-##	of a polyinstantiated directory.
-## </summary>
-## <param name="file_type">
-##	Type of the file to be used as a
-##	parent directory.
-## </param>
-#
-interface(`files_poly_parent',`
-	gen_require(`
-		attribute polyparent;
-	')
-
-	files_type($1)
-	typeattribute $1 polyparent;
-')
-
-########################################
-## <summary>
-##	Make the specified type a
-##	polyinstantiation member directory.
-## </summary>
-## <param name="file_type">
-##	Type of the file to be used as a
-##	member directory.
-## </param>
-#
-interface(`files_poly_member',`
-	gen_require(`
-		attribute polymember;
-	')
-
-	files_type($1)
-	typeattribute $1 polymember;
-')
-
-########################################
-## <summary>
-##	Make the domain use the specified
-##	type of polyinstantiated directory.
-## </summary>
-## <param name="domain">
-##	Domain using the polyinstantiated
-##	directory.
-## </param>
-## <param name="file_type">
-##	Type of the file to be used as a
-##	member directory.
-## </param>
-#
-interface(`files_poly_member_tmp',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	type_member $1 tmp_t:dir $2;
-')
-
-########################################
-## <summary>
-##	Make the specified type a file that
-##	should not be dontaudited from
-##	browsing from user domains.
-## </summary>
-## <param name="file_type">
-##	Type of the file to be used as a
-##	member directory.
-## </param>
-#
-interface(`files_security_file',`
-	gen_require(`
-		attribute security_file_type;
-	')
-
-	files_type($1)
-	typeattribute $1 security_file_type;
-')
-
-########################################
-## <summary>
-##	Make the specified type a file
-##	used for temporary files.
-## </summary>
-## <param name="file_type">
-##	Type of the file to be used as a
-##	temporary file.
-## </param>
-#
-interface(`files_tmp_file',`
-	gen_require(`
-		attribute tmpfile;
-		type tmp_t;
-	')
-
-	files_type($1)
-	files_poly_member($1)
-	fs_associate_tmpfs($1)
-	typeattribute $1 tmpfile;
-	allow $1 tmp_t:filesystem associate;
-')
-
-########################################
-## <summary>
-##	Transform the type into a file, for use on a
-##	virtual memory filesystem (tmpfs).
-## </summary>
-## <param name="type">
-##	The type to be transformed.
-## </param>
-#
-interface(`files_tmpfs_file',`
-	gen_require(`
-		attribute tmpfsfile;
-	')
-
-	files_type($1)
-	fs_associate_tmpfs($1)
-	typeattribute $1 tmpfsfile;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-# cjp: this is an odd interface, because to getattr
-# all dirs, you need to search all the parent directories
-#
-interface(`files_getattr_all_dirs',`
-	gen_require(`
-		attribute file_type;
-		class dir { getattr search };
-	')
-
-	allow $1 file_type:dir { getattr search };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all directories.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_all_dirs',`
-	gen_require(`
-		attribute file_type;
-		class dir getattr;
-	')
-
-	dontaudit $1 file_type:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search all directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_search_all',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir { getattr search };
-')
-
-########################################
-## <summary>
-##	List the contents of all directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_list_all_dirs',`
-	gen_require(`
-		attribute file_type;
-		class dir r_dir_perms;
-	')
-
-	allow $1 file_type:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list all
-##	non security directories.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_list_non_security',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all files.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_getattr_all_files',`
-	gen_require(`
-		attribute file_type;
-		class dir search;
-		class file getattr;
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:file getattr;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all sockets
-##	with the type of a file.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-# cjp: added for initrc_t/distro_redhat.  I
-# do not think it has any effect.
-interface(`files_getattr_all_file_type_sockets',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:socket_class_set getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all files.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_all_files',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	dontaudit $1 file_type:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security files.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_files',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:file getattr;
-')
-
-########################################
-## <summary>
-##	Read all files.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_all_files',`
-	gen_require(`
-		attribute file_type;
-		class dir search;
-		class file r_file_perms;
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:file r_file_perms;
-
-	optional_policy(`authlogin',`
-		auth_read_shadow($1)
-	')
-')
-
-########################################
-## <summary>
-##	Read all directories on the filesystem, except
-##	the listed exceptions.
-## </summary>
-## <param name="domain">
-##	The type of the domain perfoming this action.
-## </param>
-## <param name="exception_types" optional="true">
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-## </param>
-#
-interface(`files_read_all_dirs_except',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 { file_type $2 }:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read all files on the filesystem, except
-##	the listed exceptions.
-## </summary>
-## <param name="domain">
-##	The type of the domain perfoming this action.
-## </param>
-## <param name="exception_types" optional="true">
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-## </param>
-#
-interface(`files_read_all_files_except',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 { file_type $2 }:dir search;
-	allow $1 { file_type $2 }:file r_file_perms;
-
-')
-
-########################################
-## <summary>
-##	Read all symbloic links on the filesystem, except
-##	the listed exceptions.
-## </summary>
-## <param name="domain">
-##	The type of the domain perfoming this action.
-## </param>
-## <param name="exception_types" optional="true">
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-## </param>
-#
-interface(`files_read_all_symlinks_except',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 { file_type $2 }:dir search;
-	allow $1 { file_type $2 }:lnk_file r_file_perms;
-
-')
-
-########################################
-## <summary>
-##	Get the attributes of all symbolic links.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_getattr_all_symlinks',`
-	gen_require(`
-		attribute file_type;
-		class dir search;
-		class lnk_file getattr;
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:lnk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all symbolic links.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_all_symlinks',`
-	gen_require(`
-		attribute file_type;
-		class lnk_file getattr;
-	')
-
-	dontaudit $1 file_type:lnk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security symbolic links.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_symlinks',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security block devices.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_blk_dev',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security character devices.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_chr_dev',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Read all symbolic links.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_all_symlinks',`
-	gen_require(`
-		attribute file_type;
-		class dir search;
-		class lnk_file { getattr read };
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Get the attributes of all named pipes.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_getattr_all_pipes',`
-	gen_require(`
-		attribute file_type;
-		class dir search;
-		class fifo_file getattr;
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all named pipes.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_all_pipes',`
-	gen_require(`
-		attribute file_type;
-		class fifo_file getattr;
-	')
-
-	dontaudit $1 file_type:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security named pipes.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_pipes',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all named sockets.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_getattr_all_sockets',`
-	gen_require(`
-		attribute file_type;
-		class dir search;
-		class sock_file getattr;
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:sock_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all named sockets.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_all_sockets',`
-	gen_require(`
-		attribute file_type;
-		class sock_file getattr;
-	')
-
-	dontaudit $1 file_type:sock_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security named sockets.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_sockets',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:sock_file getattr;
-')
-
-########################################
-## <summary>
-##	Read all block nodes with file types.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_all_blk_nodes',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:blk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read all character nodes with file types.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_all_chr_nodes',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:chr_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Relabel all files on the filesystem, except
-##	the listed exceptions.
-## </summary>
-## <param name="domain">
-##	The type of the domain perfoming this action.
-## </param>
-## <param name="exception_types" optional="true">
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-## </param>
-#
-interface(`files_relabel_all_files',`
-	gen_require(`
-		attribute file_type;
-		class dir { r_dir_perms relabelfrom relabelto };
-		class file { relabelfrom relabelto };
-		class lnk_file { relabelfrom relabelto };
-		class fifo_file { relabelfrom relabelto };
-		class sock_file { relabelfrom relabelto };
-		class blk_file relabelfrom;
-		class chr_file relabelfrom;
-	')
-
-	allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
-	allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
-	allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
-	allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
-	allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
-	allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
-	allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
-
-	# satisfy the assertions:
-	seutil_relabelto_binary_pol($1)
-')
-
-########################################
-## <summary>
-##	Manage all files on the filesystem, except
-##	the listed exceptions.
-## </summary>
-## <param name="domain">
-##	The type of the domain perfoming this action.
-## </param>
-## <param name="exception_types" optional="true">
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-## </param>
-#
-interface(`files_manage_all_files',`
-	gen_require(`
-		attribute file_type;
-		class dir create_dir_perms;
-		class file create_file_perms;
-		class lnk_file create_lnk_perms;
-		class fifo_file create_file_perms;
-		class sock_file create_file_perms;
-	')
-
-	allow $1 { file_type $2 }:dir create_dir_perms;
-	allow $1 { file_type $2 }:file create_file_perms;
-	allow $1 { file_type $2 }:lnk_file create_lnk_perms;
-	allow $1 { file_type $2 }:fifo_file create_file_perms;
-	allow $1 { file_type $2 }:sock_file create_file_perms;
-
-	# satisfy the assertions:
-	seutil_create_binary_pol($1)
-	bootloader_manage_kernel_modules($1)
-')
-
-########################################
-#
-# files_search_all_dirs(domain)
-#
-interface(`files_search_all_dirs',`
-	gen_require(`
-		attribute file_type;
-		class dir search;
-	')
-
-	allow $1 file_type:dir search;
-')
-
-########################################
-#
-# files_list_all_dirs(domain)
-#
-interface(`files_list_all_dirs',`
-	gen_require(`
-		attribute file_type;
-		class dir r_dir_perms;
-	')
-
-	allow $1 file_type:dir r_dir_perms;
-')
-
-########################################
-#
-# files_dontaudit_search_all_dirs(domain)
-#
-interface(`files_dontaudit_search_all_dirs',`
-	gen_require(`
-		attribute file_type;
-		class dir search;
-	')
-
-	dontaudit $1 file_type:dir search;
-')
-
-#######################################
-#
-# files_relabelto_all_file_type_fs(domain)
-#
-interface(`files_relabelto_all_file_type_fs',`
-	gen_require(`
-		attribute file_type;
-		class filesystem relabelto;
-	')
-
-	allow $1 file_type:filesystem relabelto;
-')
-
-#######################################
-#
-# files_mount_all_file_type_fs(domain)
-#
-interface(`files_mount_all_file_type_fs',`
-	gen_require(`
-		attribute file_type;
-		class filesystem mount;
-	')
-
-	allow $1 file_type:filesystem mount;
-')
-
-#######################################
-#
-# files_unmount_all_file_type_fs(domain)
-#
-interface(`files_unmount_all_file_type_fs',`
-	gen_require(`
-		attribute file_type;
-		class filesystem unmount;
-	')
-
-	allow $1 file_type:filesystem unmount;
-')
-
-########################################
-#
-# files_mounton_all_mountpoints(domain)
-#
-interface(`files_mounton_all_mountpoints',`
-	gen_require(`
-		attribute mountpoint;
-		class dir { getattr search mounton };
-		class file { getattr mounton };
-	')
-
-	allow $1 mountpoint:dir { getattr search mounton };
-	allow $1 mountpoint:file { getattr mounton };
-')
-
-########################################
-#
-# files_list_root(domain)
-#
-interface(`files_list_root',`
-	gen_require(`
-		type root_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 root_t:dir r_dir_perms;
-	allow $1 root_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create an object in the root directory, with a private
-##	type.  If no object class is specified, the
-##	default is file.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-## <param name="private type" optional="true">
-##	The type of the object to be created.  If no type
-##	is specified, the type of the root directory will
-##	be used.
-## </param>
-## <param name="object" optional="true">
-##	The object class of the object being created.  If
-##	no class is specified, file will be used.
-## </param>
-#
-interface(`files_create_root',`
-	gen_require(`
-		type root_t;
-		class dir create_dir_perms;
-	')
-
-	allow $1 root_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		ifelse(`$2',`',`
-			allow $1 root_t:file create_file_perms;
-		',`
-			type_transition $1 root_t:file $2;
-		')
-	',`
-		ifelse(`$2',`',`
-			allow $1 root_t:$3 create_file_perms;
-		',`
-			type_transition $1 root_t:$3 $2;
-		')
-	')
-')
-
-########################################
-#
-# files_dontaudit_read_root_file(domain)
-#
-interface(`files_dontaudit_read_root_file',`
-	gen_require(`
-		type root_t;
-	')
-
-	dontaudit $1 root_t:file { getattr read };
-')
-
-########################################
-#
-# files_dontaudit_rw_root_file(domain)
-#
-interface(`files_dontaudit_rw_root_file',`
-	gen_require(`
-		type root_t;
-		class file { read write };
-	')
-
-	dontaudit $1 root_t:file { read write };
-')
-
-########################################
-#
-# files_dontaudit_rw_root_chr_dev(domain)
-#
-interface(`files_dontaudit_rw_root_chr_dev',`
-	gen_require(`
-		type root_t;
-		class chr_file { read write };
-	')
-
-	dontaudit $1 root_t:chr_file { read write };
-')
-
-########################################
-#
-# files_delete_root_dir_entry(domain)
-#
-interface(`files_delete_root_dir_entry',`
-	gen_require(`
-		type root_t;
-		class dir rw_dir_perms;
-	')
-
-	allow $1 root_t:dir rw_dir_perms;
-')
-
-########################################
-#
-# files_unmount_rootfs(domain)
-#
-interface(`files_unmount_rootfs',`
-	gen_require(`
-		type root_t;
-		class filesystem unmount;
-	')
-
-	allow $1 root_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes of
-##	directories with the default file type.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_default_dir',`
-	gen_require(`
-		type default_t;
-	')
-
-	dontaudit $1 default_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the contents of directories with the default file type.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_search_default',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:dir search;
-')
-
-########################################
-## <summary>
-##	List contents of directories with the default file type.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_list_default',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list contents of
-##	directories with the default file type.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_list_default',`
-	gen_require(`
-		type default_t;
-	')
-
-	dontaudit $1 default_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Mount a filesystem on a directory with the default file type.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_mounton_default',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:dir { getattr search mounton };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes of
-##	files with the default file type.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_default_files',`
-	gen_require(`
-		type default_t;
-	')
-
-	dontaudit $1 default_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Read files with the default file type.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_default_files',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read files
-##	with the default file type.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_read_default_files',`
-	gen_require(`
-		type default_t;
-	')
-
-	dontaudit $1 default_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read symbolic links with the default file type.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_default_symlinks',`
-	gen_require(`
-		type default_t;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 default_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read sockets with the default file type.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_default_sockets',`
-	gen_require(`
-		type default_t;
-		class sock_file r_file_perms;
-	')
-
-	allow $1 default_t:sock_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read named pipes with the default file type.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_default_pipes',`
-	gen_require(`
-		type default_t;
-		class fifo_file r_file_perms;
-	')
-
-	allow $1 default_t:fifo_file r_file_perms;
-')
-
-########################################
-#
-# files_search_etc(domain)
-#
-interface(`files_search_etc',`
-	gen_require(`
-		type etc_t;
-		class dir search;
-	')
-
-	allow $1 etc_t:dir search;
-')
-
-########################################
-## <summary>
-##	Set the attributes of the /etc directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_setattr_etc_dir',`
-	gen_require(`
-		type etc_t;
-		class dir setattr;
-	')
-
-	allow $1 etc_t:dir setattr;
-')
-
-########################################
-#
-# files_list_etc(domain)
-#
-interface(`files_list_etc',`
-	gen_require(`
-		type etc_t;
-		class dir r_dir_perms;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-')
-
-########################################
-#
-# files_read_etc_files(domain)
-#
-interface(`files_read_etc_files',`
-	gen_require(`
-		type etc_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_t:file r_file_perms;
-	allow $1 etc_t:lnk_file r_file_perms;
-')
-
-########################################
-#
-# files_rw_etc_files(domain)
-#
-interface(`files_rw_etc_files',`
-	gen_require(`
-		type etc_t;
-		class dir r_dir_perms;
-		class file rw_file_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_t:file rw_file_perms;
-	allow $1 etc_t:lnk_file r_file_perms;
-')
-
-########################################
-#
-# files_manage_etc_files(domain)
-#
-interface(`files_manage_etc_files',`
-	gen_require(`
-		type etc_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 etc_t:dir rw_dir_perms;
-	allow $1 etc_t:file create_file_perms;
-	allow $1 etc_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Delete system configuration files in /etc.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_delete_etc_files',`
-	gen_require(`
-		type etc_t;
-		class dir rw_dir_perms;
-		class file unlink;
-	')
-
-	allow $1 etc_t:dir rw_dir_perms;
-	allow $1 etc_t:file unlink;
-')
-
-########################################
-#
-# files_exec_etc_files(domain)
-#
-interface(`files_exec_etc_files',`
-	gen_require(`
-		type etc_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_t:lnk_file r_file_perms;
-	can_exec($1,etc_t)
-
-')
-
-#######################################
-## <summary>
-##	Relabel from and to generic files in /etc.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_relabel_etc_files',`
-	gen_require(`
-		type etc_t;
-	')
-
-	allow $1 etc_t:dir list_dir_perms;
-	allow $1 etc_t:file { relabelfrom relabelto };
-')
-
-########################################
-#
-# files_create_boot_flag(domain)
-#
-# /halt, /.autofsck, etc
-#
-interface(`files_create_boot_flag',`
-	gen_require(`
-		type root_t, etc_runtime_t;
-		class dir rw_dir_perms;
-		class file { create read write setattr unlink};
-	')
-
-	allow $1 root_t:dir rw_dir_perms;
-	allow $1 etc_runtime_t:file { create read write setattr unlink };
-	type_transition $1 root_t:file etc_runtime_t;
-')
-
-########################################
-## <summary>
-##	Read files in /etc that are dynamically
-##	created on boot, such as mtab.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_etc_runtime_files',`
-	gen_require(`
-		type etc_t, etc_runtime_t;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_runtime_t:file r_file_perms;
-	allow $1 etc_runtime_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read files
-##	in /etc that are dynamically
-##	created on boot, such as mtab.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_read_etc_runtime_files',`
-	gen_require(`
-		type etc_runtime_t;
-		class file { getattr read };
-	')
-
-	dontaudit $1 etc_runtime_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read and write files in /etc that are dynamically
-##	created on boot, such as mtab.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_rw_etc_runtime_files',`
-	gen_require(`
-		type etc_t, etc_runtime_t;
-		class dir r_dir_perms;
-		class file rw_file_perms;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_runtime_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files in
-##	/etc that are dynamically created on boot,
-##	such as mtab.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_manage_etc_runtime_files',`
-	gen_require(`
-		type etc_t, etc_runtime_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
-	')
-
-	allow $1 etc_t:dir rw_dir_perms;
-	allow $1 etc_runtime_t:file create_file_perms;
-	type_transition $1 etc_t:file etc_runtime_t;
-')
-
-########################################
-#
-# files_create_etc_config(domain,privatetype,[class(es)])
-#
-interface(`files_create_etc_config',`
-	gen_require(`
-		type etc_t;
-		class dir rw_dir_perms;
-	')
-
-	allow $1 etc_t:dir rw_dir_perms;
-	ifelse(`$3',`',`
-		type_transition $1 etc_t:file $2;
-	',`
-		type_transition $1 etc_t:$3 $2;
-	')
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search directories on new filesystems
-##	that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_dontaudit_search_isid_type_dir',`
-	gen_require(`
-		type file_t;
-	')
-
-	dontaudit $1 file_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List the contents of directories on new filesystems
-##	that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_list_isid_type_dir',`
-	gen_require(`
-		type file_t;
-		class dir r_dir_perms;
-	')
-
-	allow $1 file_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read and write directories on new filesystems
-##	that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_rw_isid_type_dir',`
-	gen_require(`
-		type file_t;
-		class dir rw_dir_perms;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete directories
-##	on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_isid_type_dir',`
-	gen_require(`
-		type file_t;
-		class dir create_dir_perms;
-	')
-
-	allow $1 file_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Mount a filesystem on a directory on new filesystems
-##	that has not yet been labeled.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_mounton_isid_type_dir',`
-	gen_require(`
-		type file_t;
-		class dir { getattr search mounton };
-	')
-
-	allow $1 file_t:dir { getattr search mounton };
-')
-
-########################################
-## <summary>
-##	Read files on new filesystems
-##	that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_read_isid_type_file',`
-	gen_require(`
-		type file_t;
-		class dir search;
-		class file r_file_perms;
-	')
-
-	allow $1 file_t:dir search;
-	allow $1 file_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files
-##	on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_isid_type_file',`
-	gen_require(`
-		type file_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
-	allow $1 file_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic links
-##	on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_isid_type_symlink',`
-	gen_require(`
-		type file_t;
-		class dir rw_dir_perms;
-		class lnk_file create_lnk_perms;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
-	allow $1 file_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Read and write block device nodes on new filesystems 
-##	that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_rw_isid_type_blk_node',`
-	gen_require(`
-		type file_t;
-		class dir search;
-		class blk_file rw_file_perms;
-	')
-
-	allow $1 file_t:dir search;
-	allow $1 file_t:blk_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete block device nodes
-##	on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_isid_type_blk_node',`
-	gen_require(`
-		type file_t;
-		class dir rw_dir_perms;
-		class blk_file create_file_perms;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
-	allow $1 file_t:blk_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete character device nodes
-##	on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_isid_type_chr_node',`
-	gen_require(`
-		type file_t;
-		class dir rw_dir_perms;
-		class chr_file create_file_perms;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
-	allow $1 file_t:chr_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the home directories root
-##	(/home).
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_getattr_home_dir',`
-	gen_require(`
-		type home_root_t;
-	')
-
-	allow $1 home_root_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	attributes of the home directories root
-##	(/home).
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_home_dir',`
-	gen_require(`
-		type home_root_t;
-	')
-
-	dontaudit $1 home_root_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search home directories root (/home).
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_search_home',`
-	gen_require(`
-		type home_root_t;
-	')
-
-	allow $1 home_root_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search
-##	home directories root (/home).
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_search_home',`
-	gen_require(`
-		type home_root_t;
-	')
-
-	dontaudit $1 home_root_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get listing of home directories.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_list_home',`
-	gen_require(`
-		type home_root_t;
-		class dir r_dir_perms;
-	')
-
-	allow $1 home_root_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create home directories
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-## <param name="home_type">
-##	The type of the home directory
-## </param>
-#
-interface(`files_create_home_dirs',`
-	gen_require(`
-		type home_root_t;
-		class dir rw_dir_perms;
-	')
-
-	allow $1 home_root_t:dir rw_dir_perms;
-	type_transition $1 home_root_t:dir $2;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete objects in
-##	lost+found directories.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_lost_found',`
-	gen_require(`
-		type lost_found_t;
-		class dir create_dir_perms;
-		class file create_file_perms;
-		class sock_file create_file_perms;
-		class fifo_file create_file_perms;
-		class lnk_file create_lnk_perms;
-	')
-
-	allow $1 lost_found_t:dir create_dir_perms;
-	allow $1 lost_found_t:file create_file_perms;
-	allow $1 lost_found_t:sock_file create_file_perms;
-	allow $1 lost_found_t:fifo_file create_file_perms;
-	allow $1 lost_found_t:lnk_file create_lnk_perms;
-')
-
-########################################
-#
-# files_search_mnt(domain)
-#
-interface(`files_search_mnt',`
-	gen_require(`
-		type mnt_t;
-		class dir search;
-	')
-
-	allow $1 mnt_t:dir search;
-')
-
-########################################
-#
-# files_list_mnt(domain)
-#
-interface(`files_list_mnt',`
-	gen_require(`
-		type mnt_t;
-		class dir r_dir_perms;
-	')
-
-	allow $1 mnt_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Mount a filesystem on /mnt.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_mounton_mnt',`
-	gen_require(`
-		type mnt_t;
-		class dir { search mounton };
-	')
-
-	allow $1 mnt_t:dir { search mounton };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete directories in /mnt.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_manage_mnt_dirs',`
-	gen_require(`
-		type mnt_t;
-		class dir create_dir_perms;
-	')
-
-	allow $1 mnt_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files in /mnt.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_manage_mnt_files',`
-	gen_require(`
-		type mnt_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
-	')
-
-	allow $1 mnt_t:dir rw_dir_perms;
-	allow $1 mnt_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic links in /mnt.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_manage_mnt_symlinks',`
-	gen_require(`
-		type mnt_t;
-		class dir rw_dir_perms;
-		class lnk_file create_lnk_perms;
-	')
-
-	allow $1 mnt_t:dir rw_dir_perms;
-	allow $1 mnt_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	List world-readable directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_list_world_readable',`
-	gen_require(`
-		type readable_t;
-		class dir r_dir_perms;
-	')
-
-	allow $1 readable_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read world-readable files.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_world_readable_files',`
-	gen_require(`
-		type readable_t;
-		class file r_file_perms;
-	')
-
-	allow $1 readable_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read world-readable symbolic links.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_world_readable_symlinks',`
-	gen_require(`
-		type readable_t;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 readable_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read world-readable named pipes.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_world_readable_pipes',`
-	gen_require(`
-		type readable_t;
-		class fifo_file r_file_perms;
-	')
-
-	allow $1 readable_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read world-readable sockets.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_world_readable_sockets',`
-	gen_require(`
-		type readable_t;
-		class sock_file r_file_perms;
-	')
-
-	allow $1 readable_t:sock_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow the specified type to associate
-##	to a filesystem with the type of the
-##	temporary directory (/tmp).
-## </summary>
-## <param name="file_type">
-##	Type of the file to associate.
-## </param>
-#
-interface(`files_associate_tmp',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:filesystem associate;
-')
-
-########################################
-## <summary>
-##	Get the	attributes of the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_getattr_tmp_dir',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	attributes of the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_dontaudit_getattr_tmp_dir',`
-	gen_require(`
-		type tmp_t;
-		class dir getattr;
-	')
-
-	dontaudit $1 tmp_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Allow domain to getattr on /tmp directory.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_getattr_tmp_dir',`
-	gen_require(`
-		type tmp_t;
-		class dir getattr;
-	')
-
-	allow $1 tmp_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_search_tmp',`
-	gen_require(`
-		type tmp_t;
-		class dir search;
-	')
-
-	allow $1 tmp_t:dir search;
-')
-
-########################################
-## <summary>
-##	Read the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_list_tmp',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read files in the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_read_generic_tmp_files',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir search_dir_perms;
-	allow $1 tmp_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read symbolic links in the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_read_generic_tmp_symlinks',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir search_dir_perms;
-	allow $1 tmp_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Set the attributes of all tmp directories.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_setattr_all_tmp_dirs',`
-	gen_require(`
-		attribute tmpfile;
-		class dir { search setattr };
-	')
-
-	allow $1 tmpfile:dir { search getattr };
-')
-
-########################################
-#
-# files_create_tmp_files(domain,private_type,[object class(es)])
-#
-interface(`files_create_tmp_files',`
-	gen_require(`
-		type tmp_t;
-		class dir rw_dir_perms;
-	')
-
-	allow $1 tmp_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 tmp_t:file $2;
-	',`
-		type_transition $1 tmp_t:$3 $2;
-	')
-')
-
-########################################
-#
-# files_purge_tmp(domain)
-#
-interface(`files_purge_tmp',`
-	gen_require(`
-		attribute tmpfile;
-		class dir { rw_dir_perms rmdir };
-		gen_require_set({ getattr unlink },notdevfile_class_set)
-	')
-
-	allow $1 tmpfile:dir { rw_dir_perms rmdir };
-	allow $1 tmpfile:notdevfile_class_set { getattr unlink };
-')
-
-########################################
-#
-# files_search_usr(domain)
-#
-interface(`files_search_usr',`
-	gen_require(`
-		type usr_t;
-		class dir search;
-	')
-
-	allow $1 usr_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of generic
-##	directories in /usr.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_list_usr',`
-	gen_require(`
-		type usr_t;
-		class dir r_dir_perms;
-	')
-
-	allow $1 usr_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of files in /usr.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_getattr_usr_files',`
-	gen_require(`
-		type usr_t;
-		class dir search;
-		class file getattr;
-	')
-
-	allow $1 usr_t:dir search;
-	allow $1 usr_t:file getattr;
-')
-
-########################################
-#
-# files_read_usr_files(domain)
-#
-interface(`files_read_usr_files',`
-	gen_require(`
-		type usr_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
-		class lnk_file r_file_perms;
-	')
-
-	allow $1 usr_t:dir r_dir_perms;
-	allow $1 usr_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute generic programs in /usr in the caller domain.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_exec_usr_files',`
-	gen_require(`
-		type usr_t;
-	')
-
-	allow $1 usr_t:dir r_dir_perms;
-	allow $1 usr_t:lnk_file r_file_perms;
-	can_exec($1,usr_t)
-
-')
-
-########################################
-## <summary>
-##	Relabel a file to the type used in /usr.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_relabelto_usr_files',`
-	gen_require(`
-		type usr_t;
-		class file relabelto;
-	')
-
-	allow $1 usr_t:file relabelto;
-')
-
-########################################
-## <summary>
-##	Read symbolic links in /usr.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_usr_symlinks',`
-	gen_require(`
-		type usr_t;
-		class dir search;
-		class file r_file_perms;
-	')
-
-	allow $1 usr_t:dir search;
-	allow $1 usr_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in the /usr directory
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-## <param name="file_type">
-##	The type of the object to be created
-## </param>
-## <param name="object_class" optional="true">
-##	The object class.  If not specified, file is used.
-## </param>
-#
-interface(`files_create_usr',`
-	gen_require(`
-		type usr_t;
-		class dir rw_dir_perms;
-	')
-
-	allow $1 usr_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 usr_t:file $2;
-	',`
-		type_transition $1 usr_t:$3 $2;
-	')
-')
-
-########################################
-## <summary>
-##	Execute programs in /usr/src in the caller domain.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_exec_usr_src_files',`
-	gen_require(`
-		type usr_t, src_t;
-	')
-
-	allow $1 usr_t:dir search;
-	allow $1 src_t:dir r_dir_perms;
-	allow $1 src_t:lnk_file r_file_perms;
-	can_exec($1,src_t)
-')
-
-########################################
-#
-# files_dontaudit_search_src(domain)
-#
-interface(`files_dontaudit_search_src',`
-	gen_require(`
-		type src_t;
-	')
-
-	dontaudit $1 src_t:dir search;
-')
-
-########################################
-#
-# files_read_usr_src_files(domain)
-#
-interface(`files_read_usr_src_files',`
-	gen_require(`
-		type usr_t, src_t;
-	')
-
-	allow $1 usr_t:dir search;
-	allow $1 src_t:dir r_dir_perms;
-	allow $1 src_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Search the contents of /var.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_search_var',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search
-##	the contents of /var.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_search_var',`
-	gen_require(`
-		type var_t;
-	')
-
-	dontaudit $1 var_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of /var.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_list_var',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete directories
-##	in the /var directory.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_manage_var_dirs',`
-	gen_require(`
-		type var_t;
-		class dir create_dir_perms;
-	')
-
-	allow $1 var_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read files in the /var directory.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_read_var_files',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files in the /var directory.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_manage_var_files',`
-	gen_require(`
-		type var_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
-	')
-
-	allow $1 var_t:dir rw_dir_perms;
-	allow $1 var_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Read symbolic links in the /var directory.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_var_symlink',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic
-##	links in the /var directory.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_manage_var_symlinks',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir rw_dir_perms;
-	allow $1 var_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in the /var directory
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-## <param name="file_type">
-##	The type of the object to be created
-## </param>
-## <param name="object_class" optional="true">
-##	The object class.  If not specified, file is used.
-## </param>
-#
-interface(`files_create_var',`
-	gen_require(`
-		type var_t;
-		class dir rw_dir_perms;
-	')
-
-	allow $1 var_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 var_t:file $2;
-	',`
-		type_transition $1 var_t:$3 $2;
-	')
-')
-
-########################################
-## <summary>
-##	Search directories in /var/lib.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_search_var_lib_dir',`
-	gen_require(`
-		type var_t, var_lib_t;
-		class dir search;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_lib_t:dir search;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the /var/lib directory.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_getattr_var_lib_dir',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lib_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the /var/lib directory.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_search_var_lib',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 { var_t var_lib_t }:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List the contents of the /var/lib directory.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_list_var_lib',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lib_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in the /var/lib directory
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-## <param name="file_type">
-##	The type of the object to be created
-## </param>
-## <param name="object_class" optional="true">
-##	The object class.  If not specified, file is used.
-## </param>
-#
-interface(`files_create_var_lib',`
-	gen_require(`
-		type var_t, var_lib_t;
-		class dir rw_dir_perms;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lib_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 var_lib_t:file $2;
-	',`
-		type_transition $1 var_lib_t:$3 $2;
-	')
-')
-
-########################################
-## <summary>
-##	Read generic files in /var/lib.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_var_lib_files',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 { var_t var_lib_t }:dir search_dir_perms;
-	allow $1 var_lib_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read generic symbolic links in /var/lib
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_read_var_lib_symlinks',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 { var_t var_lib_t }:dir search_dir_perms;
-	allow $1 var_lib_t:lnk_file { getattr read };
-')
-
-# cjp: the next two interfaces really need to be fixed
-# in some way.  They really neeed their own types.
-
-########################################
-#
-# files_manage_urandom_seed(domain)
-#
-interface(`files_manage_urandom_seed',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lib_t:dir rw_dir_perms;
-	allow $1 var_lib_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow domain to manage mount tables
-##	necessary for rpcd, nfsd, etc.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_manage_mounttab',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lib_t:dir rw_dir_perms;
-	allow $1 var_lib_t:file manage_file_perms;
-')
-
-########################################
-#
-# files_search_locks(domain)
-#
-interface(`files_search_locks',`
-	gen_require(`
-		type var_t, var_lock_t;
-	')
-
-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the
-##	locks directory (/var/lock).
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_search_locks',`
-	gen_require(`
-		type var_lock_t;
-	')
-
-	dontaudit $1 var_lock_t:dir search;
-')
-
-########################################
-## <summary>
-##	Add and remove entries in the /var/lock
-##	directories.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_rw_locks_dir',`
-	gen_require(`
-		type var_t, var_lock_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lock_t:dir rw_dir_perms;
-')
-
-########################################
-#
-# files_getattr_generic_locks(domain)
-#
-interface(`files_getattr_generic_locks',`
-	gen_require(`
-		type var_t, var_lock_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lock_t:dir r_dir_perms;
-	allow $1 var_lock_t:file getattr;
-')
-
-########################################
-#
-# files_manage_generic_locks(domain)
-#
-interface(`files_manage_generic_locks',`
-	gen_require(`
-		type var_lock_t;
-	')
-
-	allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
-	allow $1 var_lock_t:file { getattr create read write setattr unlink };
-')
-
-########################################
-#
-# files_delete_all_locks(domain)
-#
-interface(`files_delete_all_locks',`
-	gen_require(`
-		attribute lockfile;
-		class dir rw_dir_perms;
-		class file { getattr unlink };
-	')
-
-	allow $1 lockfile:dir rw_dir_perms;
-	allow $1 lockfile:file { getattr unlink };
-')
-
-########################################
-#
-# files_create_lock(domain,private_type,[object class(es)])
-#
-interface(`files_create_lock',`
-	gen_require(`
-		type var_t, var_lock_t;
-		class dir rw_dir_perms;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_lock_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 var_lock_t:file $2;
-	',`
-		type_transition $1 var_lock_t:$3 $2;
-	')
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of the /var/run directory.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_pid_dir',`
-	gen_require(`
-		type var_run_t;
-		class dir getattr;
-	')
-
-	dontaudit $1 var_run_t:dir getattr;
-')
-
-########################################
-#
-# files_search_pids(domain)
-#
-interface(`files_search_pids',`
-	gen_require(`
-		type var_t, var_run_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_run_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search
-##	the /var/run directory.
-## </summary>
-## <param name="domain">
-##	Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_search_pids',`
-	gen_require(`
-		type var_run_t;
-	')
-
-	dontaudit $1 var_run_t:dir search;
-')
-
-########################################
-#
-# files_list_pids(domain)
-#
-interface(`files_list_pids',`
-	gen_require(`
-		type var_t, var_run_t;
-		class dir r_dir_perms;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_run_t:dir r_dir_perms;
-')
-
-########################################
-#
-# files_create_pid(domain,pidfile,[object class(es)])
-#
-interface(`files_create_pid',`
-	gen_require(`
-		type var_t, var_run_t;
-		class dir rw_dir_perms;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_run_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 var_run_t:file $2;
-	',`
-		type_transition $1 var_run_t:$3 $2;
-	')
-')
-
-########################################
-#
-# files_rw_generic_pids(domain)
-#
-interface(`files_rw_generic_pids',`
-	gen_require(`
-		type var_t, var_run_t;
-		class dir r_dir_perms;
-		class file rw_file_perms;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_run_t:dir r_dir_perms;
-	allow $1 var_run_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write to daemon runtime data files.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_dontaudit_write_all_pids',`
-	gen_require(`
-		attribute pidfile;
-	')
-
-	dontaudit $1 pidfile:file write;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to ioctl daemon runtime data files.
-## </summary>
-## <param name="domain">
-##	The type of the process performing this action.
-## </param>
-#
-interface(`files_dontaudit_ioctl_all_pids',`
-	gen_require(`
-		attribute pidfile;
-	')
-
-	dontaudit $1 pidfile:file ioctl;
-')
-
-########################################
-#
-# files_read_all_pids(domain)
-#
-interface(`files_read_all_pids',`
-	gen_require(`
-		attribute pidfile;
-		type var_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 pidfile:dir r_dir_perms;
-	allow $1 pidfile:file r_file_perms;
-')
-
-########################################
-#
-# files_delete_all_pids(domain)
-#
-interface(`files_delete_all_pids',`
-	gen_require(`
-		attribute pidfile;
-		type var_t, var_run_t;
-		class dir rw_dir_perms;
-		class file { getattr unlink };
-		class lnk_file { getattr unlink };
-		class sock_file { getattr unlink };
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
-	allow $1 var_run_t:dir rmdir;
-	allow $1 pidfile:dir rw_dir_perms;
-	allow $1 pidfile:file { getattr unlink };
-	allow $1 pidfile:sock_file { getattr unlink };
-')
-
-########################################
-#
-# files_delete_all_pid_dirs(domain)
-#
-interface(`files_delete_all_pid_dirs',`
-	gen_require(`
-		attribute pidfile;
-		type var_t;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 pidfile:dir { rw_dir_perms rmdir };
-')
-
-########################################
-#
-# files_search_spool(domain)
-#
-interface(`files_search_spool',`
-	gen_require(`
-		type var_t, var_spool_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_spool_t:dir search_dir_perms;
-')
-
-########################################
-#
-# files_list_spool(domain)
-#
-interface(`files_list_spool',`
-	gen_require(`
-		type var_t, var_spool_t;
-		class dir r_dir_perms;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir r_dir_perms;
-')
-
-########################################
-#
-# files_manage_generic_spool_dirs(domain)
-#
-interface(`files_manage_generic_spool_dirs',`
-	gen_require(`
-		type var_t, var_spool_t;
-		class dir create_dir_perms;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir create_dir_perms;
-')
-
-########################################
-#
-# files_read_generic_spools(domain)
-#
-interface(`files_read_generic_spools',`
-	gen_require(`
-		type var_t, var_spool_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir r_dir_perms;
-	allow $1 var_spool_t:file r_file_perms;
-')
-
-########################################
-#
-# files_manage_generic_spools(domain)
-#
-interface(`files_manage_generic_spools',`
-	gen_require(`
-		type var_t, var_spool_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir rw_dir_perms;
-	allow $1 var_spool_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Unconfined access to files.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`files_unconfined',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	# Create/access any file in a labeled filesystem;
-	allow $1 file_type:{ file chr_file } ~execmod;
-	allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-
-	# Mount/unmount any filesystem with the context= option. 
-	allow $1 file_type:filesystem *;
-
-	# Bind to any network address.
-	# cjp: need to check this, I dont think this has any effect.
-	allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
-
-	ifdef(`targeted_policy',`
-		tunable_policy(`allow_execmod',`
-			allow $1 file_type:file execmod;
-		')
-	')
-')
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
deleted file mode 100644
index 46260eb..0000000
--- a/refpolicy/policy/modules/system/files.te
+++ /dev/null
@@ -1,169 +0,0 @@
-
-policy_module(files,1.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute file_type;
-
-# cjp: should handle this different
-allow file_type self:filesystem associate;
-
-attribute lockfile;
-attribute mountpoint;
-attribute pidfile;
-
-# For labeling types that are to be polyinstantiated
-attribute polydir;
-
-# this is a hack and should be changed
-attribute usercanread;
-
-# And for labeling the parent directories of those polyinstantiated directories
-# This is necessary for remounting the original in the parent to give
-# security aware apps access
-attribute polyparent;
-
-# And labeling for the member directories
-attribute polymember;
-
-# sensitive security files whose accesses should
-# not be dontaudited for uses
-attribute security_file_type;
-
-attribute tmpfile;
-attribute tmpfsfile;
-
-# default_t is the default type for files that do not
-# match any specification in the file_contexts configuration
-# other than the generic /.* specification.
-type default_t, file_type, mountpoint;
-fs_associate(default_t)
-fs_associate_noxattr(default_t)
-
-#
-# etc_t is the type of the system etc directories.
-#
-type etc_t, file_type;
-fs_associate(etc_t)
-fs_associate_noxattr(etc_t)
-
-#
-# etc_runtime_t is the type of various
-# files in /etc that are automatically
-# generated during initialization.
-#
-type etc_runtime_t, file_type;
-fs_associate(etc_runtime_t)
-fs_associate_noxattr(etc_runtime_t)
-
-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t, file_type, mountpoint;
-fs_associate(file_t)
-fs_associate_noxattr(file_t)
-kernel_rootfs_mountpoint(file_t)
-sid file gen_context(system_u:object_r:file_t,s0)
-
-#
-# home_root_t is the type for the directory where user home directories
-# are created
-#
-type home_root_t, file_type, mountpoint; #, polyparent
-fs_associate(home_root_t)
-fs_associate_noxattr(home_root_t)
-
-#
-# lost_found_t is the type for the lost+found directories.
-#
-type lost_found_t, file_type;
-fs_associate(lost_found_t)
-fs_associate_noxattr(lost_found_t)
-
-#
-# mnt_t is the type for mount points such as /mnt/cdrom
-#
-type mnt_t, file_type, mountpoint;
-fs_associate(mnt_t)
-fs_associate_noxattr(mnt_t)
-
-type no_access_t, file_type;
-fs_associate(no_access_t)
-fs_associate_noxattr(no_access_t)
-
-type poly_t, file_type;
-fs_associate(poly_t)
-fs_associate_noxattr(poly_t)
-
-type readable_t, file_type;
-fs_associate(readable_t)
-fs_associate_noxattr(readable_t)
-
-#
-# root_t is the type for rootfs and the root directory.
-#
-type root_t, file_type, mountpoint; #, polyparent
-fs_associate(root_t)
-fs_associate_noxattr(root_t)
-kernel_rootfs_mountpoint(root_t)
-genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
-
-#
-# src_t is the type of files in the system src directories.
-#
-type src_t, file_type, mountpoint;
-fs_associate(src_t)
-fs_associate_noxattr(src_t)
-
-#
-# tmp_t is the type of the temporary directories
-#
-type tmp_t, mountpoint; #, polydir
-files_tmp_file(tmp_t)
-
-#
-# usr_t is the type for /usr.
-#
-type usr_t, file_type, mountpoint;
-fs_associate(usr_t)
-fs_associate_noxattr(usr_t)
-
-#
-# var_t is the type of /var
-#
-type var_t, file_type, mountpoint;
-fs_associate(var_t)
-fs_associate_noxattr(var_t)
-
-#
-# var_lib_t is the type of /var/lib
-#
-type var_lib_t, file_type, mountpoint;
-fs_associate(var_lib_t)
-fs_associate_noxattr(var_lib_t)
-
-#
-# var_lock_t is tye type of /var/lock
-#
-type var_lock_t, file_type, lockfile;
-fs_associate(var_lock_t)
-fs_associate_noxattr(var_lock_t)
-
-#
-# var_run_t is the type of /var/run, usually
-# used for pid and other runtime files.
-#
-type var_run_t, file_type, pidfile;
-fs_associate(var_run_t)
-fs_associate_noxattr(var_run_t)
-
-#
-# var_spool_t is the type of /var/spool
-#
-type var_spool_t;
-files_tmp_file(var_spool_t)