diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..5b6e7c6
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,340 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/Changelog b/Changelog
new file mode 100644
index 0000000..c79ac18
--- /dev/null
+++ b/Changelog
@@ -0,0 +1,409 @@
+- Change eventpollfs to task SID labeling.
+- Add key support from Michael LeMay.
+- Add ftpdctl domain to ftp, from Paul Howarth.
+- Fix build system to not move type declarations out of optionals.
+- Add gcc-config domain to portage.
+- Add packet object class and support in corenetwork.
+- Add a copy of genhomedircon for monolithic policy building, so that a
+  policycoreutils package update is not required for RHEL4 systems.
+- Add appletalk sockets for use in cups.
+- Add Make target to validate module linking.
+- Make duplicate template and interface declarations a fatal error.
+- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
+- Move xconsole_device_t from devices to xserver since it is
+  not actually a device, it is a named pipe.
+- Handle nonexistant .fc and .if files in devel Makefile by
+  automatically creating empty files.
+- Remove unused devfs_control_t.
+- Add rhel4 distro, which also implies redhat distro.
+- Remove unneeded range_transition for su_exec_t and move the
+  type declaration back to the su module.
+- Constrain transitions in MCS so unconfined_t cannot have
+  arbitrary category sets.
+- Change reiserfs from xattr filesystem to genfscon as it's xattrs
+  are currently nonfunctional.
+- Change files and filesystem modules to use their own interfaces.
+- Add user fonts to xserver.
+- Additional interfaces in corecommands, miscfiles, and userdomain
+  from Joy Latten.
+- Miscellaneous fixes from Thomas Bleher.
+- Deprecate module name as first parameter of optional_policy()
+  now that optionals are allowed everywhere.
+- Enable optional blocks in base module and monolithic policy.
+  This requires checkpolicy 1.30.1.
+- Fix vpn module declaration.
+- Numerous fixes from Dan Walsh.
+- Change build order to preserve m4 line number information so policy
+  compile errors are useful again.
+- Additional MLS interfaces from Chad Hanson.
+- Move some rules out of domain_type() and domain_base_type()
+  to the TE file, to use the domain attribute to take advantage
+  of space savings from attribute use.
+- Add global stack smashing protector rule for urandom access from
+  Petre Rodan.
+- Fix temporary rules at the bottom of portmap.
+- Updated comments in mls file from Chad Hanson.
+- Patches from Dan Walsh:
+	Fri, 17 Mar 2006
+	Wed, 29 Mar 2006
+	Tue, 11 Apr 2006
+	Fri, 14 Apr 2006
+	Tue, 18 Apr 2006
+	Thu, 20 Apr 2006
+	Tue, 02 May 2006
+	Mon, 15 May 2006
+	Thu, 18 May 2006
+	Tue, 06 Jun 2006
+	Mon, 12 Jun 2006
+	Tue, 20 Jun 2006
+- Added modules:
+	afs
+	amavis (Erich Schubert)
+	apt (Erich Schubert)
+	asterisk
+	audioentropy
+	authbind
+	backup
+	calamaris
+	cipe
+	clamav (Erich Schubert)
+	clockspeed (Petre Rodan)
+	courier
+	dante
+	dcc
+	ddclient
+	dpkg (Erich Schubert)
+	dnsmasq
+	ethereal
+	evolution
+	games
+	gatekeeper
+	gift
+	imaze
+	ircd
+	jabber
+	monop
+	mozilla
+	mplayer
+	munin
+	nagios
+	nessus
+	nsd
+	ntop
+	nx
+	oav
+	openca
+	openvpn (Petre Rodan)
+	perdition
+	portslave
+	postgrey
+	pxe
+	pyzor (Dan Walsh)
+	qmail (Petre Rodan)
+	razor
+	resmgr
+	rhgb
+	rssh
+	snort
+	soundserver
+	speedtouch
+	sxid
+	thunderbird
+	tor (Erich Schubert)
+	transproxy
+	tripwire
+	uptime
+	uwimap
+	vmware
+	watchdog
+	xen (Dan Walsh)
+	xprint
+	yam
+
+* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
+- Make all interface parameters required.
+- Move boot_t, system_map_t, and modules_object_t to files module,
+  and move bootloader to admin layer.
+- Add semanage policy for semodule from Dan Walsh.
+- Remove allow_execmem from targeted policy domain_base_type().
+- Add users_extra and seusers support.
+- Postfix fixes from Serge Hallyn.
+- Run python and shell directly to interpret scripts so policy
+  sources need not be executable.
+- Add desc tag XML to booleans and tunables, and add summary
+  to param XML tag, to make future translations possible.
+- Remove unused lvm_vg_t.
+- Many interface renames to improve naming consistency.
+- Merge xdm into xserver.
+- Remove kernel module reversed interfaces.
+- Add filename attribute to module XML tag and lineno attribute to
+  interface XML tag.
+- Changed QUIET build option to a yes or no option.
+- Add a Makefile used for compiling loadable modules in a
+  user's development environment, building against policy headers.
+- Add Make target for installing policy headers.
+- Separate per-userdomain template expansion from the userdomain
+  module and add infrastructure to expand templates in the modules
+  that own the template.
+- Enable secadm only for MLS policies.
+- Remove role change rules in su and sudo since this functionality has been
+  removed from these programs.
+- Add ctags Make target from Thomas Bleher.
+- Collapse commands with grep piped to sed into one sed command.
+- Fix type_change bug in term_user_pty().
+- Move ice_tmp_t from miscfiles to xserver.
+- Login fixes from Serge Hallyn.
+- Move xserver_log_t from xdm to xserver.
+- Add lpr per-userdomain policy to lpd.
+- Miscellaneous fixes from Dan Walsh.
+- Change initrc_var_run_t interface noun from script_pid to utmp,
+  for greater clarity.
+- Added modules:
+	certwatch
+	mono (Dan Walsh)
+	mrtg
+	portage
+	tvtime
+	userhelper
+	usernetctl
+	wine (Dan Walsh)
+	xserver
+
+* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
+- Adds support for generating corenetwork interfaces based on attributes 
+  in addition to types.
+- Permits the listing of multiple nodes in a network_node() that will be
+  given the same type.
+- Add two new permission sets for stream sockets.
+- Rename file type transition interfaces verb from create to
+  filetrans to differentiate it from create interfaces without
+  type transitions.
+- Fix expansion of interfaces from disabled modules.
+- Rsync can be long running from init,
+  added rules to allow this.
+- Add polyinstantiation build option.
+- Add setcontext to the association object class.
+- Add apache relay and db connect tunables.
+- Rename texrel_shlib_t to textrel_shlib_t.
+- Add swat to samba module.
+- Numerous miscellaneous fixes from Dan Walsh.
+- Added modules:
+	alsa
+	automount
+	cdrecord
+	daemontools (Petre Rodan)
+	ddcprobe
+	djbdns (Petre Rodan)
+	fetchmail
+	irc
+	java
+	lockdev
+	logwatch (Dan Walsh)
+	openct
+	prelink (Dan Walsh)
+	publicfile (Petre Rodan)
+	readahead
+	roundup
+	screen
+	slocate (Dan Walsh)
+	slrnpull
+	smartmon
+	sysstat
+	ucspitcp (Petre Rodan)
+	usbmodules
+	vbetool (Dan Walsh)
+
+* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
+- Add unlabeled IPSEC association rule to domains with
+  networking permissions.
+- Merge systemuser back in to users, as these files
+  do not need to be split.
+- Add check for duplicate interface/template definitions.
+- Move domain, files, and corecommands modules to kernel
+  layer to resolve some layering inconsistencies.
+- Move policy build options out of Makefile into build.conf.
+- Add yppasswd to nis module.
+- Change optional_policy() to refer to the module name
+  rather than modulename.te.
+- Fix labeling targets to use installed file_contexts rather
+  than partial file_contexts in the policy source directory.
+- Fix build process to use make's internal vpath functions
+  to detect modules rather than using subshells and find.
+- Add install target for modular policy.
+- Add load target for modular policy.
+- Add appconfig dependency to the load target.
+- Miscellaneous fixes from Dan Walsh.
+- Fix corenetwork gen_context()'s to expand during the policy
+  build phase instead of during the generation phase.  
+- Added policies:
+	amanda
+	avahi
+	canna
+	cyrus
+	dbskk
+	dovecot
+	distcc
+	i18n_input
+	irqbalance
+	lpd
+	networkmanager
+	pegasus
+	postfix
+	procmail
+	radius
+	rdisc
+	rpc
+	spamassassin
+	timidity
+	xdm
+	xfs
+
+* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
+- Many fixes to make loadable modules build.
+- Add targets for sechecker.
+- Updated to sedoctool to read bool files and tunable
+  files separately.
+- Changed the xml tag of <boolean> to <bool> to be consistent
+  with gen_bool().
+- Modified the implementation of segenxml to use regular
+  expressions.
+- Rename context_template() to gen_context() to clarify
+  that its not a Reference Policy template, but a support
+  macro.
+- Add disable_*_trans bool support for targeted policy.
+- Add MLS module to handle MLS constraint exceptions,
+  such as reading up and writing down.
+- Fix errors uncovered by sediff.
+- Added policies:
+	anaconda
+	apache
+	apm
+	arpwatch
+	bluetooth
+	dmidecode
+	finger
+	ftp
+	kudzu
+	mailman
+	ppp
+	radvd
+	sasl
+	webalizer
+
+* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
+- Make logrotate, sendmail, sshd, and rpm policies
+  unconfined in the targeted policy so no special
+  modules.conf is required.
+- Add experimental MCS support.
+- Add appconfig for MLS.
+- Add equivalents for old can_resolve(), can_ldap(), and
+  can_portmap() to sysnetwork.
+- Fix base module compile issues.
+- Added policies:
+	cpucontrol
+	cvs
+	ktalk
+	portmap
+	postgresql
+	rlogin
+	samba
+	snmp
+	stunnel
+	telnet
+	tftp
+	uucp
+	vpn
+	zebra
+
+* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
+- Fix errors uncovered by sediff.
+- Doc tool will explicitly say a module does not have interfaces
+  or templates on the module page.
+- Added policies:
+	comsat
+	dbus
+	dhcp
+	dictd
+	hal
+	inn
+	ntp
+	squid
+
+* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
+- Add Makefile support for building loadable modules.
+- Add genclassperms.py tool to add require blocks
+  for loadable modules.
+- Change sedoctool to make required modules part of base
+  by default, otherwise make as modules, in modules.conf.
+- Fix segenxml to handle modules with no interfaces.
+- Rename ipsec connect interface for consistency.
+- Add missing parts of unix stream socket connect interface
+  of ipsec.
+- Rename inetd connect interface for consistency.
+- Rename interface for purging contents of tmp, for clarity,
+  since it allows deletion of classes other than file.
+- Misc. cleanups.
+- Added policies:
+	acct
+	bind
+	firstboot
+	gpm
+	howl
+	ldap
+	loadkeys
+	mysql
+	privoxy
+	quota
+	rshd
+	rsync
+	su
+	sudo
+	tcpd
+	tmpreaper
+	updfstab
+
+* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
+- Fix comparison bug in fc_sort.
+- Fix handling of ordered and unordered HTML lists.
+- Corenetwork now supports multiple network interfaces having the
+  same type.
+- Doc tool now creates pages for global Booleans and global tunables.
+- Doc tool now links directly to the interface/template in the
+  module page when it is selected in the interface/template index.
+- Added support for layer summaries.
+- Added policies:
+	ipsec
+	nscd
+	pcmcia
+	raid
+
+* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
+- Changed xml to have modules encapsulated by layer tags, rather
+  than putting layer="foo" in the module tags.  Also in the future
+  we can put a summary and description for each layer.
+- Added tool to infer interface, module, and layer tags.  This will
+  now list all interfaces, even if they are missing xml docs.
+- Shortened xml tag names.
+- Added macros to declare interfaces and templates.
+- Added interface call trace.
+- Updated all xml documentation for shorter and inferred tags.
+- Doc tool now displays templates in the web pages.
+- Doc tool retains the user's settings in modules.conf and
+  tunables.conf if the files already exist.
+- Modules.conf behavior has been changed to be a list of all
+  available modules, and the user can specify if the module is
+  built as a loadable module, included in the monolithic policy,
+  or excluded.
+- Added policies:
+	fstools (fsck, mkfs, swapon, etc. tools)
+	logrotate
+	inetd
+	kerberos
+	nis (ypbind and ypserv)
+	ssh (server, client, and agent)
+	unconfined
+- Added infrastructure for targeted policy support, only missing
+	transition boolean support.
+
+* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
+	- Initial release
diff --git a/INSTALL b/INSTALL
new file mode 100644
index 0000000..0b2632c
--- /dev/null
+++ b/INSTALL
@@ -0,0 +1,48 @@
+Reference Policy has a requirement of checkpolicy 1.28.  Red Hat 
+Enterprise Linux 4 and Fedora Core 4 RPMs are available on
+the Reference Policy download page at http://serefpolicy.sf.net,
+and can be installed thusly:
+
+Red Hat Enterprise Linux 4:
+
+	rpm -i libsepol-1.11.7-1.i386.rpm
+	rpm -U checkpolicy-1.28-4.i386.rpm
+
+Fedora Core 4:
+
+	rpm -U libsepol-1.11.7-1.i386.rpm checkpolicy-1.28-4.i386.rpm
+
+To install Reference Policy sources into /etc/selinux/refpolicy/src/policy:
+
+	make install-src
+
+This will back up a pre-existing source policy to the
+/etc/selinux/refpolicy/src/policy.bak directory.
+
+If you do not have a modules.conf, one can be generated:
+
+	make conf
+
+This will create a default modules.conf.  Options for the policy
+build process can be found in build.conf.  After installing the policy sources,
+the old Make targets have been maintained for the monolithic policy:
+
+Local policy development:
+
+	make policy
+
+Compile and install the policy:
+
+	make install
+
+Compile, install, and load the policy:
+
+	make load
+
+Filesystem labeling:
+
+	make relabel
+	make checklabels
+	make restorelabels
+
+See the README for more information on available make targets.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..51304e9
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,609 @@
+#
+# Makefile for the security policy.
+#
+# Targets:
+# 
+# install       - compile and install the policy configuration, and context files.
+# load          - compile, install, and load the policy configuration.
+# reload        - compile, install, and load/reload the policy configuration.
+# relabel       - relabel filesystems based on the file contexts configuration.
+# checklabels   - check filesystems against the file context configuration
+# restorelabels - check filesystems against the file context configuration
+#                 and restore the label of files with incorrect labels
+# policy        - compile the policy configuration locally for testing/development.
+#
+# The default target is 'policy'.
+#
+#
+# Please see build.conf for policy build options.
+#
+
+########################################
+#
+# NO OPTIONS BELOW HERE
+#
+
+# Include the local build.conf if it exists, otherwise
+# include the configuration of the root directory.
+include build.conf
+
+ifdef LOCAL_ROOT
+	-include $(LOCAL_ROOT)/build.conf
+endif
+
+# refpolicy version
+VERSION = $(shell cat VERSION)
+
+ifdef LOCAL_ROOT
+BUILDDIR := $(LOCAL_ROOT)/
+TMPDIR := $(LOCAL_ROOT)/tmp
+TAGS := $(LOCAL_ROOT)/tags
+else
+TMPDIR := tmp
+TAGS := tags
+endif
+
+# executable paths
+BINDIR ?= /usr/bin
+SBINDIR ?= /usr/sbin
+ifdef TEST_TOOLCHAIN
+tc_bindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+else
+tc_bindir := $(BINDIR)
+tc_sbindir := $(SBINDIR)
+endif
+CHECKPOLICY ?= $(tc_bindir)/checkpolicy
+CHECKMODULE ?= $(tc_bindir)/checkmodule
+SEMODULE ?= $(tc_sbindir)/semodule
+SEMOD_PKG ?= $(tc_bindir)/semodule_package
+SEMOD_LNK ?= $(tc_bindir)/semodule_link
+SEMOD_EXP ?= $(tc_bindir)/semodule_expand
+LOADPOLICY ?= $(tc_sbindir)/load_policy
+SETFILES ?= $(tc_sbindir)/setfiles
+XMLLINT ?= $(BINDIR)/xmllint
+SECHECK ?= $(BINDIR)/sechecker
+
+# interpreters and aux tools
+AWK ?= gawk
+GREP ?= egrep
+M4 ?= m4
+PYTHON ?= python
+SED ?= sed
+SORT ?= LC_ALL=C sort
+
+CFLAGS += -Wall
+
+# policy source layout
+POLDIR := policy
+MODDIR := $(POLDIR)/modules
+FLASKDIR := $(POLDIR)/flask
+SECCLASS := $(FLASKDIR)/security_classes
+ISIDS := $(FLASKDIR)/initial_sids
+AVS := $(FLASKDIR)/access_vectors
+
+# local source layout
+ifdef LOCAL_ROOT
+LOCAL_POLDIR := $(LOCAL_ROOT)/policy
+LOCAL_MODDIR := $(LOCAL_POLDIR)/modules
+endif
+
+# policy building support tools
+SUPPORT := support
+GENXML := $(PYTHON) $(SUPPORT)/segenxml.py
+GENDOC := $(PYTHON) $(SUPPORT)/sedoctool.py
+GENPERM := $(PYTHON) $(SUPPORT)/genclassperms.py
+FCSORT := $(TMPDIR)/fc_sort
+SETBOOLS := $(AWK) -f $(SUPPORT)/set_bools_tuns.awk
+get_type_attr_decl := $(SED) -r -f $(SUPPORT)/get_type_attr_decl.sed
+comment_move_decl := $(SED) -r -f $(SUPPORT)/comment_move_decl.sed
+gennetfilter := $(PYTHON) $(SUPPORT)/gennetfilter.py
+# use our own genhomedircon to make sure we have a known usable one,
+# so policycoreutils updates are not required (RHEL4)
+genhomedircon := $(PYTHON) $(SUPPORT)/genhomedircon
+
+# documentation paths
+DOCS := doc
+XMLDTD = $(DOCS)/policy.dtd
+LAYERXML = metadata.xml
+DOCTEMPLATE = $(DOCS)/templates
+DOCFILES = $(DOCS)/Makefile.example $(addprefix $(DOCS)/,example.te example.if example.fc)
+
+ifndef LOCAL_ROOT
+POLXML = $(DOCS)/policy.xml
+TUNXML = $(DOCS)/global_tunables.xml
+BOOLXML = $(DOCS)/global_booleans.xml
+HTMLDIR = $(DOCS)/html
+else
+POLXML = $(LOCAL_ROOT)/doc/policy.xml
+TUNXML = $(LOCAL_ROOT)/doc/global_tunables.xml
+BOOLXML = $(LOCAL_ROOT)/doc/global_booleans.xml
+HTMLDIR = $(LOCAL_ROOT)/doc/html
+endif
+
+# config file paths
+GLOBALTUN = $(POLDIR)/global_tunables
+GLOBALBOOL = $(POLDIR)/global_booleans
+TUNABLES = $(POLDIR)/tunables.conf
+ROLEMAP = $(POLDIR)/rolemap
+USER_FILES := $(POLDIR)/users
+
+# local config file paths
+ifndef LOCAL_ROOT
+MOD_CONF = $(POLDIR)/modules.conf
+BOOLEANS = $(POLDIR)/booleans.conf
+else
+MOD_CONF = $(LOCAL_POLDIR)/modules.conf
+BOOLEANS = $(LOCAL_POLDIR)/booleans.conf
+endif
+
+# install paths
+PKGNAME ?= refpolicy-$(VERSION)
+PREFIX = $(DESTDIR)/usr
+TOPDIR = $(DESTDIR)/etc/selinux
+INSTALLDIR = $(TOPDIR)/$(NAME)
+SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
+CONTEXTPATH = $(INSTALLDIR)/contexts
+FCPATH = $(CONTEXTPATH)/files/file_contexts
+SHAREDIR = $(PREFIX)/share/selinux
+MODPKGDIR = $(SHAREDIR)/$(NAME)
+HEADERDIR = $(MODPKGDIR)/include
+DOCSDIR = $(PREFIX)/share/doc/$(PKGNAME)
+
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+	M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+	M4PARAM += -D targeted_policy
+endif
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+	M4PARAM += -D enable_mls
+	CHECKPOLICY += -M
+	CHECKMODULE += -M
+	gennetfilter += -m
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+	M4PARAM += -D enable_mcs
+	CHECKPOLICY += -M
+	CHECKMODULE += -M
+	gennetfilter += -c
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+	M4PARAM += -D distro_$(DISTRO)
+endif
+
+# rhel4 also implies redhat
+ifeq "$(DISTRO)" "rhel4"
+	M4PARAM += -D distro_redhat
+endif
+
+# enable polyinstantiation
+ifeq ($(POLY),y)
+	M4PARAM += -D enable_polyinstantiation
+endif
+
+ifneq ($(OUTPUT_POLICY),)
+	CHECKPOLICY += -c $(OUTPUT_POLICY)
+endif
+
+# if not set, use the type as the name.
+NAME ?= $(TYPE)
+
+ifeq ($(DIRECT_INITRC),y)
+	M4PARAM += -D direct_sysadm_daemon
+endif
+
+ifeq ($(QUIET),y)
+	verbose = @
+endif
+
+M4PARAM += -D hide_broken_symptoms
+
+# we need exuberant ctags; unfortunately it is named
+# differently on different distros
+ifeq ($(DISTRO),debian)
+	CTAGS := ctags-exuberant
+endif
+
+ifeq ($(DISTRO),gentoo)
+	CTAGS := exuberant-ctags	
+endif
+
+CTAGS ?= ctags
+
+# determine the policy version and current kernel version if possible
+PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
+KV := $(shell cat /selinux/policyvers)
+
+# dont print version warnings if we are unable to determine
+# the currently running kernel's policy version
+ifeq ($(KV),)
+	KV := $(PV)
+endif
+
+M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)
+ifdef LOCAL_ROOT
+M4SUPPORT += $(wildcard $(LOCAL_POLDIR)/support/*.spt)
+endif
+
+APPCONF := config/appconfig-$(TYPE)
+SEUSERS := $(APPCONF)/seusers
+APPDIR := $(CONTEXTPATH)
+APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
+CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
+net_contexts := $(BUILDDIR)net_contexts
+
+ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
+ifdef LOCAL_ROOT
+ALL_LAYERS += $(filter-out $(LOCAL_MODDIR)/CVS,$(shell find $(wildcard $(LOCAL_MODDIR)/*) -maxdepth 0 -type d))
+endif
+
+GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
+GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
+GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc.in)))
+
+# sort here since it removes duplicates, which can happen
+# when a generated file is already generated
+DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) $(GENERATED_TE))
+
+# modules.conf setting for base module
+MODBASE := base
+
+# modules.conf setting for loadable module
+MODMOD := module
+
+# modules.conf setting for unused module
+MODUNUSED := off
+
+# test for module overrides from command line
+MOD_TEST = $(filter $(APPS_OFF), $(APPS_BASE) $(APPS_MODS))
+MOD_TEST += $(filter $(APPS_MODS), $(APPS_BASE))
+ifneq ($(strip $(MOD_TEST)),)
+        $(error Applications must be base, module, or off, and not in more than one list! $(strip $(MOD_TEST)) found in multiple lists!)
+endif
+
+# add on suffix to modules specified on command line
+CMDLINE_BASE := $(addsuffix .te,$(APPS_BASE))
+CMDLINE_MODS := $(addsuffix .te,$(APPS_MODS))
+CMDLINE_OFF := $(addsuffix .te,$(APPS_OFF))
+
+# extract settings from modules.conf
+MOD_CONF_BASE := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null)))
+MOD_CONF_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null)))
+MOD_CONF_OFF := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null)))
+
+BASE_MODS := $(CMDLINE_BASE)
+MOD_MODS := $(CMDLINE_MODS)
+OFF_MODS := $(CMDLINE_OFF)
+
+BASE_MODS += $(filter-out $(CMDLINE_OFF) $(CMDLINE_BASE) $(CMDLINE_MODS), $(MOD_CONF_BASE))
+MOD_MODS += $(filter-out $(CMDLINE_OFF) $(CMDLINE_BASE) $(CMDLINE_MODS), $(MOD_CONF_MODS))
+OFF_MODS += $(filter-out $(CMDLINE_OFF) $(CMDLINE_BASE) $(CMDLINE_MODS), $(MOD_CONF_OFF))
+
+# add modules not in modules.conf to the off list
+OFF_MODS += $(filter-out $(BASE_MODS) $(MOD_MODS) $(OFF_MODS),$(notdir $(DETECTED_MODS)))
+
+# filesystems to be used in labeling targets
+FILESYSTEMS = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';)
+
+########################################
+#
+# Functions
+#
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+	$(verbose) m4 $(M4PARAM) $(ROLEMAP) | \
+		awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# peruser-expansion modulename,outputfile
+define peruser-expansion
+	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+	$(call parse-rolemap,$1,$2)
+	$(verbose) echo "')" >> $2
+endef
+
+########################################
+#
+# Load appropriate rules
+#
+
+ifeq ($(MONOLITHIC),y)
+	include Rules.monolithic
+else
+	include Rules.modular
+endif
+
+########################################
+#
+# Generated files
+#
+# NOTE: There is no "local" version of these files.
+#
+generate: $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
+
+$(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/kernel/corenetwork.if.in
+	@echo "#" > $@
+	@echo "# This is a generated file!  Instead of modifying this file, the" >> $@
+	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+	@echo "#" >> $@
+	$(verbose) cat $(MODDIR)/kernel/corenetwork.if.in >> $@
+	$(verbose) egrep "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $(@:.if=.te).in \
+		| m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \
+		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+$(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
+	@echo "#" > $@
+	@echo "# This is a generated file!  Instead of modifying this file, the" >> $@
+	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+	@echo "#" >> $@
+	$(verbose) m4 -D self_contained_policy $(M4PARAM) $^ \
+		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+########################################
+#
+# Network packet labeling
+#
+$(net_contexts): $(MODDIR)/kernel/corenetwork.te.in
+	@echo "Creating netfilter network labeling rules"
+	$(verbose) $(gennetfilter) $^ > $@
+
+########################################
+#
+# Create config files
+#
+conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
+
+$(MOD_CONF) $(BOOLEANS): $(POLXML)
+	@echo "Updating $(MOD_CONF) and $(BOOLEANS)"
+	$(verbose) $(GENDOC) -b $(BOOLEANS) -m $(MOD_CONF) -x $(POLXML)
+
+########################################
+#
+# Generate the fc_sort program
+#
+$(FCSORT) : $(SUPPORT)/fc_sort.c
+	$(verbose) $(CC) $(CFLAGS) $(SUPPORT)/fc_sort.c -o $(FCSORT)
+
+########################################
+#
+# Documentation generation
+#
+
+# minimal dependencies here, because we don't want to rebuild 
+# this and its dependents every time the dependencies
+# change.  Also use all .if files here, rather then just the
+# enabled modules.
+xml: $(POLXML)
+$(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXML))
+	@echo "Creating $(@F)"
+	@test -d $(dir $(POLXML)) || mkdir -p $(dir $(POLXML))
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
+	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(XMLDTD))">' >> $@
+	$(verbose) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o $(DOCS) $(ALL_LAYERS) >> $@
+	$(verbose) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
+		$(XMLLINT) --noout --path $(dir $(XMLDTD)) --dtdvalid $(XMLDTD) $@ ;\
+	fi
+
+$(TUNXML) $(BOOLXML): $(POLXML)
+
+html $(TMPDIR)/html: $(POLXML)
+	@echo "Building html interface reference documentation in $(HTMLDIR)"
+	@test -d $(HTMLDIR) || mkdir -p $(HTMLDIR)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(GENDOC) -d $(HTMLDIR) -T $(DOCTEMPLATE) -x $(POLXML)
+	$(verbose) cp $(DOCTEMPLATE)/*.css $(HTMLDIR)
+	@touch $(TMPDIR)/html
+
+########################################
+#
+# Runtime binary policy patching of users
+#
+$(USERPATH)/system.users: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(USER_FILES)
+	@mkdir -p $(TMPDIR)
+	@mkdir -p $(USERPATH)
+	@echo "Installing system.users"
+	@echo "# " > $(TMPDIR)/system.users
+	@echo "# Do not edit this file. " >> $(TMPDIR)/system.users
+	@echo "# This file is replaced on reinstalls of this policy." >> $(TMPDIR)/system.users
+	@echo "# Please edit local.users to make local changes." >> $(TMPDIR)/system.users
+	@echo "#" >> $(TMPDIR)/system.users
+	$(verbose) m4 -D self_contained_policy $(M4PARAM) $^ | sed -r -e 's/^[[:blank:]]+//' \
+		-e '/^[[:blank:]]*($$|#)/d' >> $(TMPDIR)/system.users
+	$(verbose) install -m 644 $(TMPDIR)/system.users $@
+
+$(USERPATH)/local.users: config/local.users
+	@mkdir -p $(USERPATH)
+	@echo "Installing local.users"
+	$(verbose) install -b -m 644 $< $@
+
+########################################
+#
+# Appconfig files
+#
+install-appconfig: $(APPFILES)
+
+$(INSTALLDIR)/booleans: $(BOOLEANS)
+	@mkdir -p $(TMPDIR)
+	@mkdir -p $(INSTALLDIR)
+	$(verbose) sed -r -e 's/false/0/g' -e 's/true/1/g' \
+		-e '/^[[:blank:]]*($$|#)/d' $(BOOLEANS) | sort > $(TMPDIR)/booleans
+	$(verbose) install -m 644 $(TMPDIR)/booleans $@
+
+$(CONTEXTPATH)/files/media: $(APPCONF)/media
+	@mkdir -p $(CONTEXTPATH)/files/
+	$(verbose) install -m 644 $< $@
+
+$(APPDIR)/default_contexts: $(APPCONF)/default_contexts
+	@mkdir -p $(APPDIR)
+	$(verbose) install -m 644 $< $@
+
+$(APPDIR)/removable_context: $(APPCONF)/removable_context
+	@mkdir -p $(APPDIR)
+	$(verbose) install -m 644 $< $@
+
+$(APPDIR)/default_type: $(APPCONF)/default_type
+	@mkdir -p $(APPDIR)
+	$(verbose) install -m 644 $< $@
+
+$(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context
+	@mkdir -p $(APPDIR)
+	$(verbose) install -m 644 $< $@
+
+$(APPDIR)/initrc_context: $(APPCONF)/initrc_context
+	@mkdir -p $(APPDIR)
+	$(verbose) install -m 644 $< $@
+
+$(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context
+	@mkdir -p $(APPDIR)
+	$(verbose) install -m 644 $< $@
+
+$(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts
+	@mkdir -p $(APPDIR)
+	$(verbose) install -m 644 $< $@
+
+$(APPDIR)/users/root: $(APPCONF)/root_default_contexts
+	@mkdir -p $(APPDIR)/users
+	$(verbose) install -m 644 $< $@
+
+########################################
+#
+# Install policy headers
+#
+install-headers: $(TUNXML) $(BOOLXML)
+	@mkdir -p $(HEADERDIR)
+	@echo "Installing $(TYPE) policy headers."
+	$(verbose) install -m 644 $(TUNXML) $(BOOLXML) $(HEADERDIR)
+	$(verbose) m4 $(M4PARAM) $(ROLEMAP) > $(HEADERDIR)/$(notdir $(ROLEMAP))
+	$(verbose) mkdir -p $(HEADERDIR)/support
+	$(verbose) install -m 644 $(M4SUPPORT) $(word $(words $(GENXML)),$(GENXML)) $(XMLDTD) $(HEADERDIR)/support
+	$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $(HEADERDIR)/support/all_perms.spt
+	$(verbose) for i in $(notdir $(ALL_LAYERS)); do \
+		mkdir -p $(HEADERDIR)/$$i ;\
+		install -m 644 $(MODDIR)/$$i/*.if \
+			$(MODDIR)/$$i/metadata.xml \
+			$(HEADERDIR)/$$i ;\
+	done
+	$(verbose) echo "TYPE ?= $(TYPE)" > $(HEADERDIR)/build.conf
+	$(verbose) echo "NAME ?= $(NAME)" >> $(HEADERDIR)/build.conf
+ifneq "$(DISTRO)" ""
+	$(verbose) echo "DISTRO ?= $(DISTRO)" >> $(HEADERDIR)/build.conf
+endif
+	$(verbose) echo "MONOLITHIC ?= n" >> $(HEADERDIR)/build.conf
+	$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
+	$(verbose) echo "POLY ?= $(POLY)" >> $(HEADERDIR)/build.conf
+	$(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile
+
+########################################
+#
+# Install policy documentation
+#
+install-docs: $(TMPDIR)/html
+	@mkdir -p $(DOCSDIR)/html
+	@echo "Installing policy documentation"
+	$(verbose) install -m 644 $(DOCFILES) $(DOCSDIR)
+	$(verbose) install -m 644 $(wildcard $(HTMLDIR)/*) $(DOCSDIR)/html
+
+########################################
+#
+# Install policy sources
+#
+install-src:
+	rm -rf $(SRCPATH)/policy.old
+	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
+	mkdir -p $(SRCPATH)/policy
+	cp -R . $(SRCPATH)/policy
+
+########################################
+#
+# Generate tags file
+#
+tags: $(TAGS)
+$(TAGS):
+	@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
+	@LC_ALL=C $(CTAGS) -f $(TAGS) --langdef=te --langmap=te:..te.if.spt \
+	 --regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \
+	 --regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
+	 --regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \
+	 --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
+	 --regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \
+	 --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt
+
+########################################
+#
+# Filesystem labeling
+#
+checklabels:
+	@echo "Checking labels on filesystem types: ext2 ext3 xfs jfs"
+	@if test -z "$(FILESYSTEMS)"; then \
+		echo "No filesystems with extended attributes found!" ;\
+		false ;\
+	fi
+	$(verbose) $(SETFILES) -v -n $(FCPATH) $(FILESYSTEMS)
+
+restorelabels:
+	@echo "Restoring labels on filesystem types: ext2 ext3 xfs jfs"
+	@if test -z "$(FILESYSTEMS)"; then \
+		echo "No filesystems with extended attributes found!" ;\
+		false ;\
+	fi
+	$(verbose) $(SETFILES) -v $(FCPATH) $(FILESYSTEMS)
+
+relabel:
+	@echo "Relabeling filesystem types: ext2 ext3 xfs jfs"
+	@if test -z "$(FILESYSTEMS)"; then \
+		echo "No filesystems with extended attributes found!" ;\
+		false ;\
+	fi
+	$(verbose) $(SETFILES) $(FCPATH) $(FILESYSTEMS)
+
+resetlabels:
+	@echo "Resetting labels on filesystem types: ext2 ext3 xfs jfs"
+	@if test -z "$(FILESYSTEMS)"; then \
+		echo "No filesystems with extended attributes found!" ;\
+		false ;\
+	fi
+	$(verbose) $(SETFILES) -F $(FCPATH) $(FILESYSTEMS)
+
+########################################
+#
+# Clean everything
+#
+bare: clean
+	rm -f $(POLXML)
+	rm -f $(TUNXML)
+	rm -f $(BOOLXML)
+	rm -f $(MOD_CONF)
+	rm -f $(BOOLEANS)
+	rm -fR $(HTMLDIR)
+	rm -f $(TAGS)
+# don't remove these files if we're given a local root
+ifndef LOCAL_ROOT
+	rm -f $(FCSORT)
+	rm -f $(SUPPORT)/*.pyc
+ifneq ($(GENERATED_TE),)
+	rm -f $(GENERATED_TE)
+endif
+ifneq ($(GENERATED_IF),)
+	rm -f $(GENERATED_IF)
+endif
+ifneq ($(GENERATED_FC),)
+	rm -f $(GENERATED_FC)
+endif
+endif
+
+.PHONY: install-src install-appconfig generate xml conf html bare tags
+.SUFFIXES:
+.SUFFIXES: .c
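Review bot: The `$(INSTALLDIR)/booleans` rule rewrites every occurrence of `false`/`true` on a line (`sed -r -e 's/false/0/g' -e 's/true/1/g'`), not just the value field, so a boolean whose *name* happens to contain either word would be renamed in the installed `/etc/selinux/$(NAME)/booleans` and its configured default would presumably be ignored at load time. Anchor the substitution to the trailing value instead, e.g. `-e 's/false[[:blank:]]*$/0/' -e 's/true[[:blank:]]*$/1/'` (this assumes the `name = value` layout sedoctool emits for booleans.conf, which is not visible here). Separately, `install-src` does `cp -R .` into `$(SRCPATH)/policy`, which also copies `tmp/` build output and any `CVS` directories into `/etc/selinux`, and it backs the old tree up as `policy.old` while the INSTALL and README text in this commit describe `policy.bak`; one of the two should be corrected so operators look in the right place after an upgrade.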
diff --git a/README b/README
new file mode 100644
index 0000000..9b43465
--- /dev/null
+++ b/README
@@ -0,0 +1,209 @@
+1) Reference Policy make targets:
+
+General Make targets:
+
+install-src		Install the policy sources into
+			/etc/selinux/NAME/src/policy, where NAME is defined in
+			the Makefile.  If not defined, the TYPE, as defined in
+			the Makefile, is used.  The default NAME is refpolicy.
+			A pre-existing source policy will be moved to
+			/etc/selinux/NAME/src/policy.bak.
+
+conf			Regenerate policy.xml, and update/create modules.conf
+			and booleans.conf.  This should be done after adding
+			or removing modules, or after running the bare target.
+			If the configuration files exist, their settings will
+			be preserved.  This must be ran on policy sources that
+			are checked out from the CVS repository before they can
+			be used.
+
+clean			Delete all temporary files, compiled policies,
+			and file_contexts.  Configuration files are left intact.
+
+bare			Do the clean make target and also delete configuration
+			files, web page documentation, and policy.xml.
+
+html			Regenerate policy.xml and create web page documentation
+			in the doc/html directory.
+
+Make targets specific to modular (loadable modules) policies:
+
+base			Compile and package the base module.  This is the
+			default target for modular policies.
+
+modules			Compile and package all Reference Policy modules
+			configured to be built as loadable modules.
+
+MODULENAME.pp		Compile and package the MODULENAME Reference Policy
+			module.
+
+all			Compile and package the base module and all Reference
+			Policy modules configured to be built as loadable
+			modules.
+
+install			Compile, package, and install the base module and
+			Reference Policy modules configured to be built as
+			loadable modules.
+
+load			Compile, package, and install the base module and
+			Reference Policy modules configured to be built as
+			loadable modules, then insert them into the module
+			store.
+
+validate		Validate if the configured modules can successfully
+			link and expand.
+
+Make targets specific to monolithic policies:
+
+policy			Compile a policy locally for development and testing.
+			This is the default target for monolithic policies.
+
+install			Compile and install the policy and file contexts.
+
+load			Compile and install the policy and file contexts, then
+			load the policy.
+
+enableaudit		Remove all dontaudit rules from policy.conf.
+
+relabel			Relabel the filesystem.
+
+checklabels		Check the labels on the filesystem, and report when
+			a file would be relabeled, but do not change its label.
+
+restorelabels		Relabel the filesystem and report each file that is
+			relabeled.
+
+
+2) Reference Policy Build Options (build.conf)
+
+TYPE			String.  Available options are strict, targeted,
+			strict-mls, targeted-mls, strict-mcs, and targeted-mcs.
+			This sets the policy type as strict or targeted, and
+			optionally enables multi-leve security (MLS) or
+			multi-category security (MCS) features.  This option
+			controls strict_policy, targeted_policy, enable_mls,
+			and enable_mcs policy blocks.
+
+NAME			String (optional).  Sets the name of the policy; the
+			NAME is used when installing files to e.g.,
+			/etc/selinux/NAME and /usr/share/selinux/NAME.  If not
+			set, the policy type (TYPE) is used.
+
+DISTRO			String (optional).  Enable distribution-specific policy.
+			Available options are redhat, rhel4, gentoo, debian,
+			and suse.  This option controls distro_redhat,
+			distro_rhel4, distro_gentoo, distro_debian, and
+			distro_suse policy blocks.
+
+MONOLITHIC		Boolean.  If set, a monolithic policy is built,
+			otherwise a modular policy is built.
+
+DIRECT_INITRC		Boolean.  If set, sysadm will be allowed to directly
+			run init scripts, instead of requiring the run_init
+			tool.  This is a build option instead of a tunable since
+			role transitions do not work in conditional policy.
+			This option controls direct_sysadm_daemon policy
+			blocks.
+
+POLY			Boolean.  If set, policy for polyinstantiated
+			directories will be enabled.  This option controls
+			enable_polyinstantiation policy blocks.
+
+OUTPUT_POLICY		Integer.  Set the version of the policy created when
+			building a monolithic policy.  This option has no effect
+			on modular policy.
+
+QUIET			Boolean.  If set, the build system will only display
+			status messages and error messages.  This option has no
+			effect on policy.
+
+
+3) Reference Policy Files and Directories
+All directories relative to the root of the Reference Policy sources directory.
+
+Makefile		General rules for building the policy.
+
+Rules.modular		Makefile rules specific to building loadable module
+			policies.
+
+Rules.monolithic	Makefile rules specific to building monolithic policies.
+
+build.conf		Options which influence the building of the policy,
+			such as the policy type (strict, targeted, etc.)
+			and distribution.
+
+config/appconfig-*	Application configuration files for all configurations
+			of the Reference Policy (targeted/strict with or without
+			MLS or MCS).  These are used by SELinux-aware programs.
+
+config/local.users	The file read by load policy for adding SELinux users
+			to the policy on the fly.
+
+doc/html/*		This contains the contents of the in-policy XML
+			documentation, presented in web page form.
+
+doc/policy.dtd		The doc/policy.xml file is validated against this DTD.
+
+doc/policy.xml		This file is generated/updated by the conf and html make
+			targets.  It contains the complete XML documentation
+			included in the policy.
+
+doc/templates/*		Templates used for documentation web pages.
+
+policy/booleans.conf	This file is generated/updated by the conf make target.
+			It contains the booleans in the policy, and their
+			default values.  If tunables are implemented as
+			booleans, tunables will also be included.  This file
+			will be installed as the /etc/selinux/NAME/booleans
+			file.
+
+policy/constraints	This file defines additional constraints on permissions
+			in the form of boolean expressions that must be
+			satisfied in order for specified permissions to be
+			granted.  These constraints are used to further refine
+			the type enforcement rules and the role allow rules.
+			Typically, these constraints are used to restrict
+			changes in user identity or role to certain domains.
+
+policy/global_booleans	This file defines all booleans that have a global scope,
+			their default value, and documentation.
+
+policy/global_tunables	This file defines all tunables that have a global scope,
+			their default value, and documentation.
+
+policy/flask/initial_sids  This file has declarations for each initial SID.
+
+policy/flask/security_classes  This file has declarations for each security class.
+
+policy/flask/access_vectors  This file defines the access vectors.  Common
+			prefixes for access vectors may be defined at the
+			beginning of the file.  After the common prefixes are
+			defined, an access vector may be defined for each
+			security class.
+
+policy/mcs		The multi-category security (MCS) configuration.
+
+policy/mls		The multi-level security (MLS) configuration.
+
+policy/modules/*	Each directory represents a layer in Reference Policy
+			all of the modules are contained in one of these layers.
+
+policy/modules.conf	This file contains a listing of available modules, and
+			how they will be used when building Reference Policy. To
+			prevent a module from  being used, set the module to
+			"off".  For monolithic policies, modules set to "base"
+			and "module" will be included in the policy.  For
+			modular policies, modules set to "base"	will be included
+			in the base module; those set to "module" will be
+			compiled as individual loadable	modules.
+
+policy/rolemap		This file contains prefix and user domain type that
+			corresponds to each user role.  The contents of this
+			file will be used to expand the per-user domain
+			templates for each module.
+
+policy/support/*	Support macros.
+
+policy/users		This file defines the users included in the policy.
+
+support/*		Tools used in the build process.
diff --git a/Rules.modular b/Rules.modular
new file mode 100644
index 0000000..9962498
--- /dev/null
+++ b/Rules.modular
@@ -0,0 +1,231 @@
+########################################
+#
+# Rules and Targets for building modular policies
+#
+
+ALL_MODULES := $(BASE_MODS) $(MOD_MODS) $(OFF_MODS)
+ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+
+BASE_PKG := $(BUILDDIR)base.pp
+BASE_FC := $(BUILDDIR)base.fc
+BASE_CONF := $(BUILDDIR)base.conf
+BASE_MOD := $(TMPDIR)/base.mod
+
+USERS_EXTRA := $(TMPDIR)/users_extra
+
+BASE_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/all_attrs_types.conf $(TMPDIR)/global_bools.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf
+
+BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
+BASE_TE_FILES := $(BASE_MODS)
+BASE_POST_TE_FILES := $(USER_FILES) $(POLDIR)/constraints
+BASE_FC_FILES := $(BASE_MODS:.te=.fc)
+
+MOD_MODULES := $(MOD_MODS:.te=.mod)
+MOD_PKGS := $(addprefix $(BUILDDIR),$(notdir $(MOD_MODS:.te=.pp)))
+
+# policy packages to install
+INSTPKG := $(addprefix $(MODPKGDIR)/,$(notdir $(BASE_PKG)) $(MOD_PKGS))
+
+# search layer dirs for source files
+vpath %.te $(ALL_LAYERS)
+vpath %.if $(ALL_LAYERS)
+vpath %.fc $(ALL_LAYERS)
+
+# broken in make 3.81:
+#.SECONDARY:
+
+########################################
+#
+# default action: create all module packages
+#
+default: policy
+
+all policy: base modules
+
+base: $(BASE_PKG)
+
+modules: $(MOD_PKGS)
+
+install: $(INSTPKG) $(APPFILES)
+
+########################################
+#
+# Load all configured modules
+#
+load: $(INSTPKG) $(APPFILES)
+	@echo "Loading configured modules."
+	$(verbose) $(SEMODULE) -s $(NAME) -b $(MODPKGDIR)/$(notdir $(BASE_PKG)) $(foreach mod,$(MOD_PKGS),-i $(MODPKGDIR)/$(mod))
+
+########################################
+#
+# Install policy packages
+#
+$(MODPKGDIR)/%.pp: $(BUILDDIR)%.pp
+	@mkdir -p $(MODPKGDIR)
+	@echo "Installing $(NAME) $(@F) policy package."
+	$(verbose) install -m 0644 $^ $(MODPKGDIR)
+
+########################################
+#
+# Build module packages
+#
+$(TMPDIR)/%.mod: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf %.te
+	@echo "Compliling $(NAME) $(@F) module"
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(call peruser-expansion,$(basename $(@F)),$@.role)
+	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+$(TMPDIR)/%.mod.fc: $(M4SUPPORT) %.fc
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) $(M4SUPPORT) $^ > $@
+
+$(BUILDDIR)%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
+	@echo "Creating $(NAME) $(@F) policy package"
+	@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
+	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+########################################
+#
+# Create a base module package
+#
+$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA) $(SEUSERS)
+	@echo "Creating $(NAME) base module package"
+	@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
+	$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA) -s $(SEUSERS)
+
+$(BASE_MOD): $(BASE_CONF)
+	@echo "Compiling $(NAME) base module"
+	$(verbose) $(CHECKMODULE) $^ -o $@
+
+$(USERS_EXTRA): $(M4SUPPORT) $(USER_FILES)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
+		$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
+
+########################################
+#
+# Construct a base.conf
+#
+$(BASE_CONF): $(BASE_SECTIONS)
+	@echo "Creating $(NAME) base module $(@F)"
+	@test -d $(@D) || mkdir -p $(@D)
+	$(verbose) cat $^ > $@
+
+$(TMPDIR)/pre_te_files.conf: M4PARAM += -D self_contained_policy
+$(TMPDIR)/pre_te_files.conf: $(BASE_PRE_TE_FILES)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(TMPDIR)/generated_definitions.conf: $(BASE_TE_FILES)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+# define all available object classes
+	$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $@
+# per-userdomain templates
+	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
+	$(verbose) for i in $(patsubst %.te,%,$(BASE_MODS)); do \
+		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
+			>> $@ ;\
+	done
+	$(verbose) echo "')" >> $@
+	$(verbose) test -f $(BOOLEANS) && $(SETBOOLS) $(BOOLEANS) >> $@ || true
+
+$(TMPDIR)/global_bools.conf: M4PARAM += -D self_contained_policy
+$(TMPDIR)/global_bools.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(GLOBALBOOL) $(GLOBALTUN)
+	$(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(TMPDIR)/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	@echo "ifdef(\`__if_error',\`m4exit(1)')" > $(TMPDIR)/iferror.m4
+	@echo "divert(-1)" > $@
+	$(verbose) $(M4) $^ $(TMPDIR)/iferror.m4 >> $(TMPDIR)/$(@F).tmp
+	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(TMPDIR)/$(@F).tmp >> $@
+	@echo "divert" >> $@
+
+$(TMPDIR)/rolemap.conf: M4PARAM += -D self_contained_policy
+$(TMPDIR)/rolemap.conf: $(ROLEMAP)
+	$(call parse-rolemap,base,$@)
+
+$(TMPDIR)/all_te_files.conf: M4PARAM += -D self_contained_policy
+$(TMPDIR)/all_te_files.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(BASE_TE_FILES) $(TMPDIR)/rolemap.conf
+ifeq "$(strip $(BASE_TE_FILES))" ""
+	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) -s $^ > $@
+
+$(TMPDIR)/post_te_files.conf: M4PARAM += -D self_contained_policy
+$(TMPDIR)/post_te_files.conf: $(M4SUPPORT) $(BASE_POST_TE_FILES)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.
+$(TMPDIR)/all_attrs_types.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf: $(TMPDIR)/all_te_files.conf $(TMPDIR)/post_te_files.conf
+	$(verbose) $(get_type_attr_decl) $(TMPDIR)/all_te_files.conf | $(SORT) > $(TMPDIR)/all_attrs_types.conf
+	$(verbose) cat $(TMPDIR)/post_te_files.conf > $(TMPDIR)/all_post.conf
+# these have to run individually because order matters:
+	$(verbose) $(GREP) '^sid ' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(GREP) ^genfscon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(GREP) ^portcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(GREP) ^netifcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(GREP) ^nodecon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(comment_move_decl) $(TMPDIR)/all_te_files.conf > $(TMPDIR)/only_te_rules.conf
+
+########################################
+#
+# Construct a base.fc
+#
+$(BASE_FC): $(TMPDIR)/$(notdir $(BASE_FC)).tmp $(FCSORT)
+	$(verbose) $(FCSORT) $< $@
+
+$(TMPDIR)/$(notdir $(BASE_FC)).tmp: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(BASE_FC_FILES)
+ifeq ($(BASE_FC_FILES),)
+	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+	@echo "Creating $(NAME) base module file contexts."
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) $^ > $@
+
+########################################
+#
+# Remove the dontaudit rules from the base.conf
+#
+enableaudit: $(BASE_CONF)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	@echo "Removing dontaudit rules from $(^F)"
+	$(verbose) $(GREP) -v dontaudit $(BASE_CONF) > $(TMPDIR)/base.audit
+	$(verbose) mv $(TMPDIR)/base.audit $(BASE_CONF)
+
+########################################
+#
+# Appconfig files
+#
+$(APPDIR)/customizable_types: $(BASE_CONF)
+	@mkdir -p $(APPDIR)
+	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
+	$(verbose) install -m 644 $(TMPDIR)/customizable_types $@ 
+
+########################################
+#
+# Validate linking and expanding of modules
+#
+validate: $(BASE_PKG) $(MOD_PKGS)
+	@echo "Validating policy linking."
+	$(verbose) $(SEMOD_LNK) -o $(TMPDIR)/test.lnk $^
+	$(verbose) $(SEMOD_EXP) $(TMPDIR)/test.lnk $(TMPDIR)/policy.bin
+	@echo "Success."
+
+########################################
+#
+# Clean the sources
+#
+clean:
+	rm -f $(BASE_CONF)
+	rm -f $(BASE_FC)
+	rm -f $(BUILDDIR)*.pp
+	rm -f $(net_contexts)
+	rm -fR $(TMPDIR)
+
+.PHONY: default all policy base modules install load clean validate
diff --git a/Rules.monolithic b/Rules.monolithic
new file mode 100644
index 0000000..b066653
--- /dev/null
+++ b/Rules.monolithic
@@ -0,0 +1,236 @@
+########################################
+#
+# Rules and Targets for building monolithic policies
+#
+
+POLICY_CONF = $(BUILDDIR)policy.conf
+FC = $(BUILDDIR)file_contexts
+POLVER = $(BUILDDIR)policy.$(PV)
+HOMEDIR_TEMPLATE = $(BUILDDIR)homedir_template
+
+M4PARAM += -D self_contained_policy
+
+# install paths
+POLICYPATH = $(INSTALLDIR)/policy
+LOADPATH = $(POLICYPATH)/$(notdir $(POLVER))
+HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
+
+APPFILES += $(INSTALLDIR)/booleans
+
+# for monolithic policy use all base and module to create policy
+ALL_MODULES := $(strip $(BASE_MODS) $(MOD_MODS))
+# off module interfaces included to make sure all interfaces are expanded.
+ALL_INTERFACES := $(ALL_MODULES:.te=.if) $(OFF_MODS:.te=.if)
+ALL_TE_FILES := $(ALL_MODULES)
+ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
+
+PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
+POST_TE_FILES := $(USER_FILES) $(POLDIR)/constraints
+
+POLICY_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/all_attrs_types.conf $(TMPDIR)/global_bools.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf
+
+# search layer dirs for source files
+vpath %.te $(ALL_LAYERS)
+vpath %.if $(ALL_LAYERS)
+vpath %.fc $(ALL_LAYERS)
+
+########################################
+#
+# default action: build policy locally
+#
+default: policy
+
+policy: $(POLVER)
+
+install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
+
+load: $(TMPDIR)/load
+
+checklabels: $(FCPATH)
+restorelabels: $(FCPATH)
+relabel:  $(FCPATH)
+resetlabels:  $(FCPATH)
+
+########################################
+#
+# Build a binary policy locally
+#
+$(POLVER): $(POLICY_CONF)
+	@echo "Compiling $(NAME) $(POLVER)"
+ifneq ($(PV),$(KV))
+	@echo
+	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
+	@echo
+endif
+	$(verbose) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Install a binary policy
+#
+$(LOADPATH): $(POLICY_CONF)
+	@mkdir -p $(POLICYPATH)
+	@echo "Compiling and installing $(NAME) $(LOADPATH)"
+ifneq ($(PV),$(KV))
+	@echo
+	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
+	@echo
+endif
+	$(verbose) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Load the binary policy
+#
+reload $(TMPDIR)/load: $(LOADPATH) $(FCPATH) $(APPFILES)
+	@echo "Loading $(NAME) $(LOADPATH)"
+	$(verbose) $(LOADPOLICY) -q $(LOADPATH)
+	@touch $(TMPDIR)/load
+
+########################################
+#
+# Construct a monolithic policy.conf
+#
+$(POLICY_CONF): $(POLICY_SECTIONS)
+	@echo "Creating $(NAME) $(@F)"
+	@test -d $(@D) || mkdir -p $(@D)
+	$(verbose) cat $^ > $@
+
+$(TMPDIR)/pre_te_files.conf: $(PRE_TE_FILES)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(TMPDIR)/generated_definitions.conf: $(ALL_TE_FILES)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+# define all available object classes
+	$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $@
+# per-userdomain templates:
+	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
+	$(verbose) $(foreach mod,$(basename $(notdir $(ALL_MODULES))), \
+		echo "ifdef(\`""$(mod)""_per_userdomain_template',\`""$(mod)""_per_userdomain_template("'$$*'")')" >> $@ ;)
+	$(verbose) echo "')" >> $@
+	$(verbose) test -f $(BOOLEANS) && $(SETBOOLS) $(BOOLEANS) >> $@ || true
+
+$(TMPDIR)/global_bools.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(GLOBALBOOL) $(GLOBALTUN)
+	$(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(TMPDIR)/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	@echo "ifdef(\`__if_error',\`m4exit(1)')" > $(TMPDIR)/iferror.m4
+	@echo "divert(-1)" > $@
+	$(verbose) $(M4) $^ $(TMPDIR)/iferror.m4 >> $(TMPDIR)/$(@F).tmp
+	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(TMPDIR)/$(@F).tmp >> $@
+	@echo "divert" >> $@
+
+$(TMPDIR)/rolemap.conf: $(ROLEMAP)
+	$(call parse-rolemap,base,$@)
+
+$(TMPDIR)/all_te_files.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(ALL_TE_FILES) $(TMPDIR)/rolemap.conf
+ifeq "$(strip $(ALL_TE_FILES))" ""
+	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) -s $^ > $@
+
+$(TMPDIR)/post_te_files.conf: $(M4SUPPORT) $(POST_TE_FILES)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.
+$(TMPDIR)/all_attrs_types.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf: $(TMPDIR)/all_te_files.conf $(TMPDIR)/post_te_files.conf
+	$(verbose) $(get_type_attr_decl) $(TMPDIR)/all_te_files.conf | $(SORT) > $(TMPDIR)/all_attrs_types.conf
+	$(verbose) cat $(TMPDIR)/post_te_files.conf > $(TMPDIR)/all_post.conf
+# these have to run individually because order matters:
+	$(verbose) $(GREP) '^sid ' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(GREP) ^genfscon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(GREP) ^portcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(GREP) ^netifcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(GREP) ^nodecon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
+	$(verbose) $(comment_move_decl) $(TMPDIR)/all_te_files.conf > $(TMPDIR)/only_te_rules.conf
+
+########################################
+#
+# Remove the dontaudit rules from the policy.conf
+#
+enableaudit: $(POLICY_CONF)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	@echo "Removing dontaudit rules from $(notdir $(POLICY_CONF))"
+	$(verbose) $(GREP) -v dontaudit $^ > $(TMPDIR)/policy.audit
+	$(verbose) mv $(TMPDIR)/policy.audit $(POLICY_CONF)
+
+########################################
+#
+# Construct file_contexts
+#
+$(FC): $(TMPDIR)/$(notdir $(FC)).tmp $(FCSORT)
+	$(verbose) $(FCSORT) $< $@
+	$(verbose) $(GREP) -e HOME -e ROLE $@ > $(HOMEDIR_TEMPLATE)
+	$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d $@
+
+$(TMPDIR)/$(notdir $(FC)).tmp: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(ALL_FC_FILES)
+ifeq ($(ALL_FC_FILES),)
+	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+	@echo "Creating $(NAME) file_contexts."
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(HOMEDIR_TEMPLATE): $(FC)
+
+########################################
+#
+# Install file_contexts
+#
+$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
+	@echo "Validating $(NAME) file_contexts."
+	$(verbose) $(SETFILES) -q -c $(LOADPATH) $(FC)
+	@echo "Installing file_contexts."
+	@mkdir -p $(CONTEXTPATH)/files
+	$(verbose) install -m 644 $(FC) $(FCPATH)
+	$(verbose) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+	$(verbose) $(genhomedircon) -d $(TOPDIR) -t $(NAME) $(USEPWD)
+ifeq "$(DISTRO)" "rhel4"
+# Setfiles in RHEL4 does not look at file_contexts.homedirs.
+	$(verbose) cat $@.homedirs >> $@
+# Delete the file_contexts.homedirs in case the toolchain has
+# been updated, to prevent duplicate match errors.
+	$(verbose) rm -f $@.homedirs
+endif
+
+########################################
+#
+# Run policy source checks
+#
+check: $(BUILDDIR)check.res
+$(BUILDDIR)check.res: $(POLICY_CONF) $(FC)
+	$(SECHECK) -s --profile=development --policy=$(POLICY_CONF) --fcfile=$(FC) > $@
+
+longcheck: $(BUILDDIR)longcheck.res
+$(BUILDDIR)longcheck.res: $(POLICY_CONF) $(FC)
+	$(SECHECK) -s --profile=all --policy=$(POLICY_CONF) --fcfile=$(FC) > $@
+
+########################################
+#
+# Appconfig files
+#
+$(APPDIR)/customizable_types: $(POLICY_CONF)
+	@mkdir -p $(APPDIR)
+	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
+	$(verbose) install -m 644 $(TMPDIR)/customizable_types $@ 
+
+########################################
+#
+# Clean the sources
+#
+clean:
+	rm -f $(POLICY_CONF)
+	rm -f $(POLVER)
+	rm -f $(FC)
+	rm -f $(HOMEDIR_TEMPLATE)
+	rm -f $(net_contexts)
+	rm -f *.res
+	rm -fR $(TMPDIR)
+
+.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
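Review bot: The `|| true` on the booleans line of the generated_definitions.conf recipe masks a failing `$(SETBOOLS)`, not only a missing booleans file, so a malformed or unreadable booleans file silently leaves every boolean at its policy default (possibly after a partial append to `$@`) and the built policy can be looser than what the administrator configured. Make the existence test explicit and let the tool's exit status propagate: `$(verbose) if test -f $(BOOLEANS); then $(SETBOOLS) $(BOOLEANS) >> $@; fi`. Separately, `check` writes `$(BUILDDIR)check.res` but `clean` removes `*.res` from the current directory, so the results file is left behind whenever BUILDDIR is not the working directory; `rm -f $(BUILDDIR)*.res` matches the other clean lines.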
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..5caa3c8
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+20060307
diff --git a/build.conf b/build.conf
new file mode 100644
index 0000000..7bfd7e7
--- /dev/null
+++ b/build.conf
@@ -0,0 +1,51 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports.  Setting this will
+# override the version.  This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 18
+
+# Policy Type
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
+TYPE = strict
+
+# Policy Name
+# If set, this will be used as the policy
+# name.  Otherwise the policy type will be
+# used for the name.
+NAME = refpolicy
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution.  Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+#DISTRO = redhat
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC=n
+
+# Build monolithic policy.  Putting n here
+# will build a loadable module policy.
+MONOLITHIC=y
+
+# Polyinstantiation
+# Enable polyinstantiated directory support.
+POLY=n
+
+# Set this to y to only display status messages
+# during build.
+QUIET=n
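Review bot: The DIRECT_INITRC comment says what the option permits but not what is given up; run_init is presumably the wrapper that re-authenticates before starting an init script in the system domain, so enabling this lets an already-compromised sysadm_t session start and stop services without that check. I would add a line to the comment such as `# Enabling this bypasses the re-authentication run_init performs; leave as n on hardened systems.` The MONOLITHIC comment could likewise mention that `n` needs the loadable-module tools (`$(SEMOD_PKG)`, `$(SEMOD_LNK)`) that the Rules.modular targets invoke.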
diff --git a/config/appconfig-strict-mcs/dbus_contexts b/config/appconfig-strict-mcs/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/config/appconfig-strict-mcs/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+  </selinux>
+</busconfig>
diff --git a/config/appconfig-strict-mcs/default_contexts b/config/appconfig-strict-mcs/default_contexts
new file mode 100644
index 0000000..7bf43ff
--- /dev/null
+++ b/config/appconfig-strict-mcs/default_contexts
@@ -0,0 +1,12 @@
+system_r:sulogin_t:s0	sysadm_r:sysadm_t:s0
+system_r:local_login_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0	user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
+system_r:xdm_t:s0		staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+staff_r:staff_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+user_r:user_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+user_r:user_sudo_t:s0	sysadm_r:sysadm_t:s0 user_r:user_t:s0
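Review bot: The sshd_t entry offers `sysadm_r:sysadm_t:s0` as a login context while the remote_login_t entry two lines above stops at staff_r, so an account whose only authorized role is sysadm_r lands directly in sysadm_t over ssh but not over other remote logins. If the asymmetry is intended, say so with a comment above the sshd_t line (the format accepts `#` comments, as root_default_contexts in this directory shows); otherwise drop `sysadm_r:sysadm_t:s0` from that entry and require `newrole` as for remote_login_t. The same lines appear in the strict-mls and strict copies of this file.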
diff --git a/config/appconfig-strict-mcs/default_type b/config/appconfig-strict-mcs/default_type
new file mode 100644
index 0000000..5212ca4
--- /dev/null
+++ b/config/appconfig-strict-mcs/default_type
@@ -0,0 +1,3 @@
+sysadm_r:sysadm_t
+staff_r:staff_t
+user_r:user_t
diff --git a/config/appconfig-strict-mcs/failsafe_context b/config/appconfig-strict-mcs/failsafe_context
new file mode 100644
index 0000000..999abd9
--- /dev/null
+++ b/config/appconfig-strict-mcs/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-strict-mcs/initrc_context b/config/appconfig-strict-mcs/initrc_context
new file mode 100644
index 0000000..30ab971
--- /dev/null
+++ b/config/appconfig-strict-mcs/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0
diff --git a/config/appconfig-strict-mcs/media b/config/appconfig-strict-mcs/media
new file mode 100644
index 0000000..81f3463
--- /dev/null
+++ b/config/appconfig-strict-mcs/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-strict-mcs/removable_context b/config/appconfig-strict-mcs/removable_context
new file mode 100644
index 0000000..7fcc56e
--- /dev/null
+++ b/config/appconfig-strict-mcs/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-strict-mcs/root_default_contexts b/config/appconfig-strict-mcs/root_default_contexts
new file mode 100644
index 0000000..e9d95e8
--- /dev/null
+++ b/config/appconfig-strict-mcs/root_default_contexts
@@ -0,0 +1,9 @@
+system_r:local_login_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:crond_t:s0	sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+staff_r:staff_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-strict-mcs/seusers b/config/appconfig-strict-mcs/seusers
new file mode 100644
index 0000000..c400c79
--- /dev/null
+++ b/config/appconfig-strict-mcs/seusers
@@ -0,0 +1,2 @@
+root:root:s0-s0:c0.c255
+__default__:user_u:s0
diff --git a/config/appconfig-strict-mcs/userhelper_context b/config/appconfig-strict-mcs/userhelper_context
new file mode 100644
index 0000000..dc37a69
--- /dev/null
+++ b/config/appconfig-strict-mcs/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-strict-mls/dbus_contexts b/config/appconfig-strict-mls/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/config/appconfig-strict-mls/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+  </selinux>
+</busconfig>
diff --git a/config/appconfig-strict-mls/default_contexts b/config/appconfig-strict-mls/default_contexts
new file mode 100644
index 0000000..7bf43ff
--- /dev/null
+++ b/config/appconfig-strict-mls/default_contexts
@@ -0,0 +1,12 @@
+system_r:sulogin_t:s0	sysadm_r:sysadm_t:s0
+system_r:local_login_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0	user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
+system_r:xdm_t:s0		staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+staff_r:staff_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+user_r:user_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+user_r:user_sudo_t:s0	sysadm_r:sysadm_t:s0 user_r:user_t:s0
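Review bot: default_type in this directory declares secadm_r and auditadm_r, but no entry here offers a secadm_r or auditadm_r context for any login type, so an account whose only roles are those gets no ordered default at login unless libselinux falls back on its own, and an account that also holds staff_r always starts in staff_t and must `newrole` into the administrative role. If that is the intended workflow, a comment above the login entries saying so would stop someone from "fixing" it by appending secadm_r to sshd_t; if it is not, local_login_t is the entry to extend, e.g. `system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 secadm_r:secadm_t:s0 auditadm_r:auditadm_t:s0`. Every level in this file is a fixed `s0` even though seusers gives root `s0-s15:c0.c255`; I assume the login program supplies the level and only role:type is taken from here, but that is worth confirming before relying on these entries under MLS.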
diff --git a/config/appconfig-strict-mls/default_type b/config/appconfig-strict-mls/default_type
new file mode 100644
index 0000000..c3315fe
--- /dev/null
+++ b/config/appconfig-strict-mls/default_type
@@ -0,0 +1,5 @@
+sysadm_r:sysadm_t
+secadm_r:secadm_t
+staff_r:staff_t
+user_r:user_t
+auditadm_r:auditadm_t
diff --git a/config/appconfig-strict-mls/failsafe_context b/config/appconfig-strict-mls/failsafe_context
new file mode 100644
index 0000000..999abd9
--- /dev/null
+++ b/config/appconfig-strict-mls/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-strict-mls/initrc_context b/config/appconfig-strict-mls/initrc_context
new file mode 100644
index 0000000..5435ea4
--- /dev/null
+++ b/config/appconfig-strict-mls/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0-s15:c0.c255
diff --git a/config/appconfig-strict-mls/media b/config/appconfig-strict-mls/media
new file mode 100644
index 0000000..81f3463
--- /dev/null
+++ b/config/appconfig-strict-mls/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-strict-mls/removable_context b/config/appconfig-strict-mls/removable_context
new file mode 100644
index 0000000..7fcc56e
--- /dev/null
+++ b/config/appconfig-strict-mls/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-strict-mls/root_default_contexts b/config/appconfig-strict-mls/root_default_contexts
new file mode 100644
index 0000000..e9d95e8
--- /dev/null
+++ b/config/appconfig-strict-mls/root_default_contexts
@@ -0,0 +1,9 @@
+system_r:local_login_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:crond_t:s0	sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+staff_r:staff_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-strict-mls/seusers b/config/appconfig-strict-mls/seusers
new file mode 100644
index 0000000..9a0516d
--- /dev/null
+++ b/config/appconfig-strict-mls/seusers
@@ -0,0 +1,2 @@
+root:root:s0-s15:c0.c255
+__default__:user_u:s0
diff --git a/config/appconfig-strict-mls/userhelper_context b/config/appconfig-strict-mls/userhelper_context
new file mode 100644
index 0000000..dc37a69
--- /dev/null
+++ b/config/appconfig-strict-mls/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-strict/dbus_contexts b/config/appconfig-strict/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/config/appconfig-strict/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+  </selinux>
+</busconfig>
diff --git a/config/appconfig-strict/default_contexts b/config/appconfig-strict/default_contexts
new file mode 100644
index 0000000..3ea48aa
--- /dev/null
+++ b/config/appconfig-strict/default_contexts
@@ -0,0 +1,12 @@
+system_r:sulogin_t	sysadm_r:sysadm_t
+system_r:local_login_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
+system_r:remote_login_t	user_r:user_t staff_r:staff_t
+system_r:sshd_t		user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+system_r:crond_t		user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
+system_r:xdm_t		staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
+staff_r:staff_su_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
+sysadm_r:sysadm_su_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
+user_r:user_su_t		staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
+sysadm_r:sysadm_sudo_t	sysadm_r:sysadm_t
+staff_r:staff_sudo_t	sysadm_r:sysadm_t staff_r:staff_t
+user_r:user_sudo_t	sysadm_r:sysadm_t user_r:user_t
diff --git a/config/appconfig-strict/default_type b/config/appconfig-strict/default_type
new file mode 100644
index 0000000..5212ca4
--- /dev/null
+++ b/config/appconfig-strict/default_type
@@ -0,0 +1,3 @@
+sysadm_r:sysadm_t
+staff_r:staff_t
+user_r:user_t
diff --git a/config/appconfig-strict/failsafe_context b/config/appconfig-strict/failsafe_context
new file mode 100644
index 0000000..2f96c9f
--- /dev/null
+++ b/config/appconfig-strict/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t
diff --git a/config/appconfig-strict/initrc_context b/config/appconfig-strict/initrc_context
new file mode 100644
index 0000000..7fcf70b
--- /dev/null
+++ b/config/appconfig-strict/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t
diff --git a/config/appconfig-strict/media b/config/appconfig-strict/media
new file mode 100644
index 0000000..de2a652
--- /dev/null
+++ b/config/appconfig-strict/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t
+floppy system_u:object_r:removable_device_t
+disk system_u:object_r:fixed_disk_device_t
diff --git a/config/appconfig-strict/removable_context b/config/appconfig-strict/removable_context
new file mode 100644
index 0000000..d4921f0
--- /dev/null
+++ b/config/appconfig-strict/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t
diff --git a/config/appconfig-strict/root_default_contexts b/config/appconfig-strict/root_default_contexts
new file mode 100644
index 0000000..acdcc08
--- /dev/null
+++ b/config/appconfig-strict/root_default_contexts
@@ -0,0 +1,9 @@
+system_r:local_login_t  sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+system_r:crond_t	sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
+staff_r:staff_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+sysadm_r:sysadm_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+user_r:user_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/config/appconfig-strict/seusers b/config/appconfig-strict/seusers
new file mode 100644
index 0000000..f7c5bd2
--- /dev/null
+++ b/config/appconfig-strict/seusers
@@ -0,0 +1,2 @@
+root:root
+__default__:user_u
diff --git a/config/appconfig-strict/userhelper_context b/config/appconfig-strict/userhelper_context
new file mode 100644
index 0000000..081e93b
--- /dev/null
+++ b/config/appconfig-strict/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t
diff --git a/config/appconfig-targeted-mcs/dbus_contexts b/config/appconfig-targeted-mcs/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/config/appconfig-targeted-mcs/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+  </selinux>
+</busconfig>
diff --git a/config/appconfig-targeted-mcs/default_contexts b/config/appconfig-targeted-mcs/default_contexts
new file mode 100644
index 0000000..b3dddce
--- /dev/null
+++ b/config/appconfig-targeted-mcs/default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t:s0		system_r:unconfined_t:s0
+system_r:initrc_t:s0		system_r:unconfined_t:s0
+system_r:local_login_t:s0	system_r:unconfined_t:s0
+system_r:remote_login_t:s0	system_r:unconfined_t:s0
+system_r:rshd_t:s0		system_r:unconfined_t:s0
+system_r:sshd_t:s0		system_r:unconfined_t:s0
+system_r:sysadm_su_t:s0		system_r:unconfined_t:s0
+system_r:unconfined_t:s0	system_r:unconfined_t:s0
+system_r:xdm_t:s0		system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mcs/default_type b/config/appconfig-targeted-mcs/default_type
new file mode 100644
index 0000000..7ba74a9
--- /dev/null
+++ b/config/appconfig-targeted-mcs/default_type
@@ -0,0 +1 @@
+system_r:unconfined_t
diff --git a/config/appconfig-targeted-mcs/failsafe_context b/config/appconfig-targeted-mcs/failsafe_context
new file mode 100644
index 0000000..30fd6c0
--- /dev/null
+++ b/config/appconfig-targeted-mcs/failsafe_context
@@ -0,0 +1 @@
+system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mcs/initrc_context b/config/appconfig-targeted-mcs/initrc_context
new file mode 100644
index 0000000..f185cd4
--- /dev/null
+++ b/config/appconfig-targeted-mcs/initrc_context
@@ -0,0 +1 @@
+user_u:system_r:initrc_t:s0
diff --git a/config/appconfig-targeted-mcs/media b/config/appconfig-targeted-mcs/media
new file mode 100644
index 0000000..81f3463
--- /dev/null
+++ b/config/appconfig-targeted-mcs/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-targeted-mcs/removable_context b/config/appconfig-targeted-mcs/removable_context
new file mode 100644
index 0000000..7fcc56e
--- /dev/null
+++ b/config/appconfig-targeted-mcs/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-targeted-mcs/root_default_contexts b/config/appconfig-targeted-mcs/root_default_contexts
new file mode 100644
index 0000000..7326fba
--- /dev/null
+++ b/config/appconfig-targeted-mcs/root_default_contexts
@@ -0,0 +1,2 @@
+system_r:unconfined_t:s0	system_r:unconfined_t:s0
+system_r:initrc_t:s0	system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mcs/seusers b/config/appconfig-targeted-mcs/seusers
new file mode 100644
index 0000000..c400c79
--- /dev/null
+++ b/config/appconfig-targeted-mcs/seusers
@@ -0,0 +1,2 @@
+root:root:s0-s0:c0.c255
+__default__:user_u:s0
diff --git a/config/appconfig-targeted-mcs/userhelper_context b/config/appconfig-targeted-mcs/userhelper_context
new file mode 100644
index 0000000..01f02a3
--- /dev/null
+++ b/config/appconfig-targeted-mcs/userhelper_context
@@ -0,0 +1 @@
+system_u:system_r:unconfined_t:s0	
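Review bot: This line carries a trailing tab after `s0`, which the strict variants of userhelper_context do not have. If whatever reads this file takes the line verbatim rather than trimming whitespace, the resulting string is not a valid context and the userhelper transition fails or falls back to something unintended; either way a stray non-printing character in a file that names a privileged context should not be committed. Strip it so the file is exactly `system_u:system_r:unconfined_t:s0`; the targeted-mls copy of this file has the same trailing tab.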
diff --git a/config/appconfig-targeted-mls/dbus_contexts b/config/appconfig-targeted-mls/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/config/appconfig-targeted-mls/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+  </selinux>
+</busconfig>
diff --git a/config/appconfig-targeted-mls/default_contexts b/config/appconfig-targeted-mls/default_contexts
new file mode 100644
index 0000000..b3dddce
--- /dev/null
+++ b/config/appconfig-targeted-mls/default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t:s0		system_r:unconfined_t:s0
+system_r:initrc_t:s0		system_r:unconfined_t:s0
+system_r:local_login_t:s0	system_r:unconfined_t:s0
+system_r:remote_login_t:s0	system_r:unconfined_t:s0
+system_r:rshd_t:s0		system_r:unconfined_t:s0
+system_r:sshd_t:s0		system_r:unconfined_t:s0
+system_r:sysadm_su_t:s0		system_r:unconfined_t:s0
+system_r:unconfined_t:s0	system_r:unconfined_t:s0
+system_r:xdm_t:s0		system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mls/default_type b/config/appconfig-targeted-mls/default_type
new file mode 100644
index 0000000..7ba74a9
--- /dev/null
+++ b/config/appconfig-targeted-mls/default_type
@@ -0,0 +1 @@
+system_r:unconfined_t
diff --git a/config/appconfig-targeted-mls/failsafe_context b/config/appconfig-targeted-mls/failsafe_context
new file mode 100644
index 0000000..30fd6c0
--- /dev/null
+++ b/config/appconfig-targeted-mls/failsafe_context
@@ -0,0 +1 @@
+system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mls/initrc_context b/config/appconfig-targeted-mls/initrc_context
new file mode 100644
index 0000000..63a0923
--- /dev/null
+++ b/config/appconfig-targeted-mls/initrc_context
@@ -0,0 +1 @@
+user_u:system_r:initrc_t:s0-s15:c0.c255
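Review bot: The initrc context uses the `user_u` identity with the full `s0-s15:c0.c255` range, which is only valid if the policy declares `user_u` with a clearance covering SystemHigh; the sibling `seusers` file maps `__default__` to `user_u:s0`, which suggests `user_u` is the ordinary-user identity rather than a system one. If `user_u`'s declared range is narrower than this, `security_check_context` rejects the context and init-script transitions into `initrc_t` fail. System services conventionally run under `system_u`, so `system_u:system_r:initrc_t:s0-s15:c0.c255` looks like the intended line unless `user_u` was chosen deliberately and its range is set accordingly. The plain targeted variant (`user_u:system_r:initrc_t`) carries the same identity and deserves the same check.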
diff --git a/config/appconfig-targeted-mls/media b/config/appconfig-targeted-mls/media
new file mode 100644
index 0000000..81f3463
--- /dev/null
+++ b/config/appconfig-targeted-mls/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-targeted-mls/removable_context b/config/appconfig-targeted-mls/removable_context
new file mode 100644
index 0000000..7fcc56e
--- /dev/null
+++ b/config/appconfig-targeted-mls/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-targeted-mls/root_default_contexts b/config/appconfig-targeted-mls/root_default_contexts
new file mode 100644
index 0000000..7326fba
--- /dev/null
+++ b/config/appconfig-targeted-mls/root_default_contexts
@@ -0,0 +1,2 @@
+system_r:unconfined_t:s0	system_r:unconfined_t:s0
+system_r:initrc_t:s0	system_r:unconfined_t:s0
diff --git a/config/appconfig-targeted-mls/seusers b/config/appconfig-targeted-mls/seusers
new file mode 100644
index 0000000..9a0516d
--- /dev/null
+++ b/config/appconfig-targeted-mls/seusers
@@ -0,0 +1,2 @@
+root:root:s0-s15:c0.c255
+__default__:user_u:s0
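Review bot: `root:root:s0-s15:c0.c255` clears every Linux root login to SystemHigh with all categories, while `__default__:user_u:s0` puts every other account at `s0`, and neither decision is explained in the file; in an MLS configuration the blanket root clearance in particular is a policy choice a reviewer will want justified. If the seusers reader accepts `#` comment lines (I believe libselinux's does; verify), add a short header such as `# Linux login -> SELinux user[:MLS range]; root is cleared to SystemHigh so it can administer all levels, everything else logs in at s0`. If a narrower root clearance is acceptable for this configuration, prefer a smaller default here and raise it per account rather than granting the full range to every root login.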
diff --git a/config/appconfig-targeted-mls/userhelper_context b/config/appconfig-targeted-mls/userhelper_context
new file mode 100644
index 0000000..01f02a3
--- /dev/null
+++ b/config/appconfig-targeted-mls/userhelper_context
@@ -0,0 +1 @@
+system_u:system_r:unconfined_t:s0	
diff --git a/config/appconfig-targeted/dbus_contexts b/config/appconfig-targeted/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/config/appconfig-targeted/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+  </selinux>
+</busconfig>
diff --git a/config/appconfig-targeted/default_contexts b/config/appconfig-targeted/default_contexts
new file mode 100644
index 0000000..d91373a
--- /dev/null
+++ b/config/appconfig-targeted/default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t		system_r:unconfined_t
+system_r:initrc_t		system_r:unconfined_t
+system_r:local_login_t		system_r:unconfined_t
+system_r:remote_login_t		system_r:unconfined_t
+system_r:rshd_t			system_r:unconfined_t
+system_r:sshd_t			system_r:unconfined_t
+system_r:sysadm_su_t		system_r:unconfined_t
+system_r:unconfined_t		system_r:unconfined_t
+system_r:xdm_t			system_r:unconfined_t
diff --git a/config/appconfig-targeted/default_type b/config/appconfig-targeted/default_type
new file mode 100644
index 0000000..7ba74a9
--- /dev/null
+++ b/config/appconfig-targeted/default_type
@@ -0,0 +1 @@
+system_r:unconfined_t
diff --git a/config/appconfig-targeted/failsafe_context b/config/appconfig-targeted/failsafe_context
new file mode 100644
index 0000000..7ba74a9
--- /dev/null
+++ b/config/appconfig-targeted/failsafe_context
@@ -0,0 +1 @@
+system_r:unconfined_t
diff --git a/config/appconfig-targeted/initrc_context b/config/appconfig-targeted/initrc_context
new file mode 100644
index 0000000..505f810
--- /dev/null
+++ b/config/appconfig-targeted/initrc_context
@@ -0,0 +1 @@
+user_u:system_r:initrc_t
diff --git a/config/appconfig-targeted/media b/config/appconfig-targeted/media
new file mode 100644
index 0000000..de2a652
--- /dev/null
+++ b/config/appconfig-targeted/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t
+floppy system_u:object_r:removable_device_t
+disk system_u:object_r:fixed_disk_device_t
diff --git a/config/appconfig-targeted/removable_context b/config/appconfig-targeted/removable_context
new file mode 100644
index 0000000..d4921f0
--- /dev/null
+++ b/config/appconfig-targeted/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t
diff --git a/config/appconfig-targeted/root_default_contexts b/config/appconfig-targeted/root_default_contexts
new file mode 100644
index 0000000..5e3e986
--- /dev/null
+++ b/config/appconfig-targeted/root_default_contexts
@@ -0,0 +1,2 @@
+system_r:unconfined_t	system_r:unconfined_t
+system_r:initrc_t	system_r:unconfined_t
diff --git a/config/appconfig-targeted/seusers b/config/appconfig-targeted/seusers
new file mode 100644
index 0000000..f7c5bd2
--- /dev/null
+++ b/config/appconfig-targeted/seusers
@@ -0,0 +1,2 @@
+root:root
+__default__:user_u
diff --git a/config/appconfig-targeted/userhelper_context b/config/appconfig-targeted/userhelper_context
new file mode 100644
index 0000000..4d47460
--- /dev/null
+++ b/config/appconfig-targeted/userhelper_context
@@ -0,0 +1 @@
+system_u:system_r:unconfined_t	
diff --git a/config/local.users b/config/local.users
new file mode 100644
index 0000000..7e2bf7a
--- /dev/null
+++ b/config/local.users
@@ -0,0 +1,21 @@
+##################################
+#
+# User configuration.
+#
+# This file defines additional users recognized by the system security policy.
+# Only the user identities defined in this file and the system.users file
+# may be used as the user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity.  The syntax of a user declaration is:
+#
+# 	user username roles role_set [ level default_level range allowed_range ];
+#
+# The MLS default level and allowed range should only be specified if 
+# MLS was enabled in the policy.
+
+# sample for administrative user
+# user jadmin roles { staff_r sysadm_r };
+
+# sample for regular user
+#user jdoe roles { user_r }; 
diff --git a/doc/Makefile.example b/doc/Makefile.example
new file mode 100644
index 0000000..9f2a8d5
--- /dev/null
+++ b/doc/Makefile.example
@@ -0,0 +1,8 @@
+
+AWK ?= gawk
+
+NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
+SHAREDIR ?= /usr/share/selinux
+HEADERDIR := $(SHAREDIR)/$(NAME)/include
+
+include $(HEADERDIR)/Makefile
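Review bot: The `NAME` derivation has no guard for an empty or multi-valued result, so an unset `SELINUXTYPE` (or an unreadable config file) silently turns `HEADERDIR` into `/usr/share/selinux//include` and the failure surfaces only as an unhelpful `include` error, while two live `SELINUXTYPE` lines would yield a two-word name and an equally confusing path. Anchor the pattern on `SELINUXTYPE=` so a longer key cannot match, stop after the first hit, and fail early with a message that tells the user what to pass.
```makefile
AWK ?= gawk

NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE=/{ print $$2; exit }' /etc/selinux/config)
ifeq ($(strip $(NAME)),)
$(error could not determine SELINUXTYPE from /etc/selinux/config; run with NAME=<policy type>)
endif
# … unchanged: SHAREDIR, HEADERDIR and the include …
```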
diff --git a/doc/example.fc b/doc/example.fc
new file mode 100644
index 0000000..9cf7c4c
--- /dev/null
+++ b/doc/example.fc
@@ -0,0 +1,6 @@
+# myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/sbin/myapp		--	gen_context(system_u:object_r:myapp_exec_t,s0)
diff --git a/doc/example.if b/doc/example.if
new file mode 100644
index 0000000..48f5bc9
--- /dev/null
+++ b/doc/example.if
@@ -0,0 +1,55 @@
+## <summary>Myapp example policy</summary>
+## <desc>
+##	<p>
+##		More descriptive text about myapp.  The <desc>
+##		tag can also use <p>, <ul>, and <ol>
+##		html tags for formatting.
+##	</p>
+##	<p>
+##		This policy supports the following myapp features:
+##		<ul>
+##		<li>Feature A</li>
+##		<li>Feature B</li>
+##		<li>Feature C</li>
+##		</ul>
+##	</p>
+## </desc>
+#
+
+########################################
+## <summary>
+##	Execute a domain transition to run myapp.
+## </summary>
+## <param name="domain">
+##	Domain allowed to transition.
+## </param>
+#
+interface(`myapp_domtrans',`
+	gen_require(`
+		type myapp_t, myapp_exec_t;
+	')
+
+	domain_auto_trans($1,myapp_exec_t,myapp_t)
+
+	allow $1 myapp_t:fd use;
+	allow myapp_t $1:fd use;
+	allow $1 myapp_t:fifo_file rw_file_perms;
+	allow $1 myapp_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read myapp log files.
+## </summary>
+## <param name="domain">
+##	Domain allowed to read the log files.
+## </param>
+#
+interface(`myapp_read_log',`
+	gen_require(`
+		type myapp_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 myapp_log_t:file r_file_perms;
+')
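Review bot: In `myapp_domtrans` the two rules after `domain_auto_trans` have subject and object reversed for the exec-time flow: SIGCHLD is sent by the exiting child (`myapp_t`) to the parent (`$1`), and a pipe the parent set up before the exec is labelled with the parent's type, so the new domain must be the subject in both. They should read `allow myapp_t $1:fifo_file rw_file_perms;` and `allow myapp_t $1:process sigchld;`; the `fd use` pair above them is already symmetric and needs no change. As written, a caller that copies this example gets an AVC denial on every child exit and on any inherited pipe in enforcing mode, which is the opposite of what a reference example should teach.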
diff --git a/doc/example.te b/doc/example.te
new file mode 100644
index 0000000..d624e0c
--- /dev/null
+++ b/doc/example.te
@@ -0,0 +1,28 @@
+
+policy_module(myapp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t;
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t)
+
+type myapp_log_t;
+logging_log_file(myapp_log_t)
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file ra_file_perms;
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
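Review bot: Nothing in this module associates a role with `myapp_t`, so even with `myapp_domtrans` granted the transition fails at runtime because the caller's role (`system_r` for a daemon) is not authorized for the new type. Add `role system_r types myapp_t;` beside the declarations, or call the daemon-domain interface if this tree provides one (refpolicy's `init_daemon_domain()` does this, if present), unless the role association is intended to come from the caller's module, in which case say so in a comment. The log rule grants only `ra_file_perms`, so `myapp_log_t` files must already exist with that label; a one-line comment such as `# log files are created with the myapp_log_t label by file_contexts, not by myapp_t` would stop readers from looking for a missing create/filetrans rule.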
diff --git a/doc/policy.dtd b/doc/policy.dtd
new file mode 100644
index 0000000..7990cff
--- /dev/null
+++ b/doc/policy.dtd
@@ -0,0 +1,41 @@
+<!ENTITY  % inline.class  "pre|p|ul|ol|li">
+
+<!ELEMENT policy (layer+,(tunable|bool)*)>
+<!ELEMENT layer (summary,module+)>
+<!ATTLIST layer
+      name CDATA #REQUIRED>
+<!ELEMENT module (summary,desc?,required?,(interface|template)*)>
+<!ATTLIST module 
+      name CDATA #REQUIRED
+      filename CDATA #REQUIRED>
+<!ELEMENT required (#PCDATA)>
+<!ATTLIST required
+      val (true|false) "false">
+<!ELEMENT tunable (desc)>
+<!ATTLIST tunable
+      name CDATA #REQUIRED
+      dftval CDATA #REQUIRED>
+<!ELEMENT bool (desc)>
+<!ATTLIST bool
+      name CDATA #REQUIRED
+      dftval CDATA #REQUIRED>
+<!ELEMENT summary (#PCDATA)>
+<!ELEMENT interface (summary,desc?,param+,infoflow?)>
+<!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
+<!ELEMENT template (summary,desc?,param+)>
+<!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
+<!ELEMENT desc (#PCDATA|%inline.class;)*>
+<!ELEMENT param (summary)>
+<!ATTLIST param 
+      name CDATA #REQUIRED
+      optional (true|false) "false">
+<!ELEMENT infoflow EMPTY>
+<!ATTLIST infoflow 
+      type CDATA #REQUIRED
+      weight CDATA #IMPLIED>
+
+<!ATTLIST pre caption CDATA #IMPLIED>
+<!ELEMENT p (#PCDATA|%inline.class;)*>
+<!ELEMENT ul (li+)>
+<!ELEMENT ol (li+)>
+<!ELEMENT li (#PCDATA|%inline.class;)*>
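Review bot: `pre` receives an ATTLIST at the end of the DTD but never an ELEMENT declaration, although `inline.class` (and therefore `desc`, `p` and `li`) admits it, so any document that actually uses `<pre>` — the element the `caption` attribute exists for — is invalid against this DTD. Add `<!ELEMENT pre (#PCDATA)>` immediately before the `pre` ATTLIST. Separately, because `li` is in `inline.class`, a bare `<li>` is allowed directly inside `desc` or `p` with no enclosing list; if that is unintended, drop `li` from the entity and leave it declared only as the child of `ul`/`ol`.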
diff --git a/doc/templates/global_bool_list.html b/doc/templates/global_bool_list.html
new file mode 100644
index 0000000..a8065af
--- /dev/null
+++ b/doc/templates/global_bool_list.html
@@ -0,0 +1,14 @@
+<h3>Global booleans:</h3>
+
+[[for bool in booleans]]
+<div id="interface">
+<div id="codeblock">[[bool['bool_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[bool['def_val']]]</p>
+[[if bool['desc']]]
+<h5>Description</h5>
+[[bool['desc']]]
+[[end]]
+</div></div>
+[[end]]
diff --git a/doc/templates/global_tun_list.html b/doc/templates/global_tun_list.html
new file mode 100644
index 0000000..6ed8013
--- /dev/null
+++ b/doc/templates/global_tun_list.html
@@ -0,0 +1,14 @@
+<h3>Global tunables:</h3>
+
+[[for tun in tunables]]
+<div id="interface">
+<div id="codeblock">[[tun['tun_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[tun['def_val']]]</p>
+[[if tun['desc']]]
+<h5>Description</h5>
+[[tun['desc']]]
+[[end]]
+</div></div>
+[[end]]
diff --git a/doc/templates/header.html b/doc/templates/header.html
new file mode 100644
index 0000000..9ef487c
--- /dev/null
+++ b/doc/templates/header.html
@@ -0,0 +1,15 @@
+<html>
+<head>
+<title>
+ Security Enhanced Linux Reference Policy
+ </title>
+<style type="text/css" media="all">@import "style.css";</style>
+</head>
+<body>
+<div id="Header">Security Enhanced Linux Reference Policy</div>
+[[menu]]
+<div id="Content">
+[[content]]
+</div>
+</body>
+</html>
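Review bot: The head declares no character encoding and no DOCTYPE, so the encoding of summaries and descriptions pulled out of policy files is left to browser sniffing and the page renders in quirks mode. Add `<meta http-equiv="Content-Type" content="text/html; charset=utf-8">` inside `<head>`; before adding a DOCTYPE, note that style.css uses capitalised id selectors (`#Interface`, `#Codeblock`, …) while the templates emit lowercase ids, which only match under quirks-mode case-insensitive id matching in most browsers, so the two changes must land together.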
diff --git a/doc/templates/int_list.html b/doc/templates/int_list.html
new file mode 100644
index 0000000..b95c343
--- /dev/null
+++ b/doc/templates/int_list.html
@@ -0,0 +1,33 @@
+<h3>Master interface index:</h3>
+
+[[for int in interfaces]]
+<div id="interfacesmall">
+Module: <a href='[[int['mod_layer']+ "_" + int['mod_name'] + ".html#link_" + int['interface_name']]]'>
+[[int['mod_name']]]</a><p/>
+Layer: <a href='[[int['mod_layer']]].html'>
+[[int['mod_layer']]]</a><p/>
+<div id="codeblock">
+[[exec i = 0]]
+<b>[[int['interface_name']]]</b>(
+	[[for arg in int['interface_parameters']]]
+		[[if i != 0]]
+			,
+		[[end]]
+		[[exec i = 1]]
+		[[if arg['optional'] == 'yes']]
+			[
+		[[end]]
+		[[arg['name']]]
+		[[if arg['optional'] == 'yes']]
+			]
+		[[end]]
+	[[end]]
+	)<br>
+</div>
+[[if int['interface_summary']]]
+<div id="description">
+[[int['interface_summary']]]
+</div>
+[[end]]
+</div>
+[[end]]
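Review bot: The optional-parameter test compares against the string `'yes'` (`[[if arg['optional'] == 'yes']]`), while policy.dtd declares the attribute as `optional (true|false)`; one of the two is wrong, and if the generator emits `true`/`false` the `[ ]` brackets are never rendered. Verify which value the generator produces and align the template (or the DTD) with it; the same comparison is repeated in interface.html, temp_list.html and template.html. Also `id="interfacesmall"` and `id="codeblock"` are emitted once per loop iteration, which yields duplicate ids on the page; repeated elements should be addressed with a `class` attribute instead.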
diff --git a/doc/templates/interface.html b/doc/templates/interface.html
new file mode 100644
index 0000000..ae7bf49
--- /dev/null
+++ b/doc/templates/interface.html
@@ -0,0 +1,52 @@
+[[for int in interfaces]]
+<a name="link_[[int['interface_name']]]"></a>
+<div id="interface">
+[[if int.has_key("mod_layer")]]
+	Layer: [[mod_layer]]<br>
+[[end]]
+[[if int.has_key("mod_name")]]
+	Module: [[mod_name]]<br>
+[[end]]
+<div id="codeblock">
+[[exec i = 0]]
+<b>[[int['interface_name']]]</b>(
+	[[for arg in int['interface_parameters']]]
+		[[if i != 0]]
+			,
+		[[end]]
+		[[exec i = 1]]
+		[[if arg['optional'] == 'yes']]
+			[
+		[[end]]
+		[[arg['name']]]
+		[[if arg['optional'] == 'yes']]
+			]
+		[[end]]
+	[[end]]
+	)<br>
+</div>
+<div id="description">
+[[if int['interface_summary']]]
+<h5>Summary</h5>
+[[int['interface_summary']]]
+[[end]]
+[[if int['interface_desc']]]
+<h5>Description</h5>
+[[int['interface_desc']]]
+[[end]]
+<h5>Parameters</h5>
+<table border="1" cellspacing="0" cellpadding="3" width="80%">
+<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
+[[for arg in int['interface_parameters']]]
+<tr><td>
+[[arg['name']]]
+</td><td>
+[[arg['desc']]]
+</td><td>
+[[arg['optional']]]
+</td></tr>
+[[end]]
+</table>
+</div>
+</div>
+[[end]]
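Review bot: The header lines guard on `int.has_key("mod_layer")` but then print the template-global `[[mod_layer]]` rather than `[[int['mod_layer']]]`, so the test inspects one variable and the output reads another; if the global is unset the render fails, and if it is set every interface shows the page's layer instead of its own. Use `Layer: [[int['mod_layer']]]<br>` and `Module: [[int['mod_name']]]<br>`. The parameter table header also closes `<th>` with `</td>` (`<tr><th >Parameter:</td>...`); it should be `<tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr>`. template.html carries both of the same problems.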
diff --git a/doc/templates/menu.html b/doc/templates/menu.html
new file mode 100644
index 0000000..6d2cce3
--- /dev/null
+++ b/doc/templates/menu.html
@@ -0,0 +1,22 @@
+<div id='Menu'>
+	[[for layer_name, layer_mods in menulist]]
+		<a href="[[layer_name]].html">+&nbsp;
+		[[layer_name]]</a></br/>
+		<div id='subitem'>
+		[[for module, s in layer_mods]]
+			&nbsp;&nbsp;&nbsp;-&nbsp;<a href='[[layer_name + "_" + module]].html'>
+			[[module]]</a><br/>
+		[[end]]
+		</div>
+	[[end]]
+	<br/><p/>
+	<a href="global_booleans.html">*&nbsp;Global&nbsp;Booleans&nbsp;</a>
+	<br/><p/>
+	<a href="global_tunables.html">*&nbsp;Global&nbsp;Tunables&nbsp;</a>
+	<p/><br/><p/>
+	<a href="index.html">*&nbsp;Layer Index</a>
+	<br/><p/>
+	<a href="interfaces.html">*&nbsp;Interface&nbsp;Index</a>
+	<br/><p/>
+	<a href="templates.html">*&nbsp;Template&nbsp;Index</a>
+</div>
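Review bot: `</br/>` after the layer link is not a valid tag and browsers handle it inconsistently (some as a line break, some as stray text); it should be `<br/>`, matching the rest of the file. The `&nbsp;` runs and stacked `<br/><p/>` pairs are layout-by-markup that a `padding-left` on the `subitem` div in style.css would replace, but that is cosmetic.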
diff --git a/doc/templates/module.html b/doc/templates/module.html
new file mode 100644
index 0000000..71341fe
--- /dev/null
+++ b/doc/templates/module.html
@@ -0,0 +1,31 @@
+<a name="top":></a>
+<h1>Layer: [[mod_layer]]</h1><p/>
+<h2>Module: [[mod_name]]</h2><p/>
+[[if interfaces and templates]]
+<a href=#interfaces>Interfaces</a>
+<a href=#templates>Templates</a>
+[[end]]
+<h3>Description:</h3>
+[[if mod_desc]] 
+<p>[[mod_desc]]</p>
+[[else]]
+<p>[[mod_summary]]</p>
+[[end]]
+[[if mod_req]]
+<p>This module is required to be included in all policies.</p>
+[[end]]
+[[if interfaces]]
+<a name="interfaces"></a>
+<h3>Interfaces: </h3>
+[[interfaces]]
+<a href=#top>Return</a>
+[[end]]
+[[if templates]]
+<a name="templates"></a>
+<h3>Templates: </h3>
+[[templates]]
+<a href=#top>Return</a>
+[[end]]
+[[if not templates and not interfaces]]
+<h3>No interfaces or templates.</h3>
+[[end]]
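Review bot: `<a name="top":></a>` has a stray colon after the attribute, which some parsers keep as part of the tag and others drop; write `<a name="top"></a>`. The `href=#interfaces`, `href=#templates` and `href=#top` values are unquoted — harmless for these literals, but quote them (`<a href="#interfaces">`) so the file stays consistent with the other templates and safe if the targets are ever generated.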
diff --git a/doc/templates/module_list.html b/doc/templates/module_list.html
new file mode 100644
index 0000000..7317a6b
--- /dev/null
+++ b/doc/templates/module_list.html
@@ -0,0 +1,19 @@
+[[if mod_layer]]
+<h1>Layer: [[mod_layer]]</h1><p/>
+[[if layer_summary]]
+<p>[[layer_summary]]</p><br/>
+[[end]]
+[[end]]
+<table border="1" cellspacing="0" cellpadding="3" width="75%">
+<tr><td class="title">Module:</td><td class="title">Description:</td></tr>
+	[[for layer_name, layer_mods in menulist]]
+		[[for module, s in layer_mods]]
+			<tr><td>
+			<a href='[[layer_name + "_" + module]].html'>
+			[[module]]</a></td>
+			<td>[[s]]</td>
+		[[end]]
+		</td></tr>
+	[[end]]
+</table>
+<p/><br/><br/>
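Review bot: The row markup is unbalanced: each inner-loop iteration opens `<tr><td>` and closes only its two `<td>`s, while the `</td></tr>` on the line after the inner `[[end]]` runs once per layer, so every module row but the last is left unclosed and a spurious `</td>` is emitted per layer. Move the row close inside the inner loop — `<td>[[s]]</td></tr>` — and delete the trailing `</td></tr>` line. Browsers repair this silently, which is why it has gone unnoticed.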
diff --git a/doc/templates/style.css b/doc/templates/style.css
new file mode 100644
index 0000000..9bac0d9
--- /dev/null
+++ b/doc/templates/style.css
@@ -0,0 +1,216 @@
+body {
+	margin:0px;
+	padding:0px;
+	font-family:verdana, arial, helvetica, sans-serif;
+	color:#333;
+	background-color:white;
+	}
+h1 {
+	margin:0px 0px 5px 0px;
+	padding:0px;
+	font-size:150%
+	line-height:28px;
+	font-weight:900;
+	color:#ccc;
+	}
+h2 {
+	font-size:125%;
+	margin:0px;
+	padding:5px 0px 10px 0px;
+	}
+h3 {
+	font-size:110%;
+	margin:0px;
+	padding:5px 0px 10px 5px;
+	}
+h4 {
+	font-size:100%;
+	margin:0px;
+	padding:5px 0px 10px 5px;
+	}
+h5 {
+	font-size:100%;
+	margin:0px;
+	font-weight:600;
+	padding:0px 0px 5px 0px;
+	margin:0px 0px 0px 5px;
+}
+li {
+	font:11px/20px verdana, arial, helvetica, sans-serif;
+	margin:0px 0px 0px 10px;
+	padding:0px;
+	}
+p {
+	/* normal */
+	font:11px/20px verdana, arial, helvetica, sans-serif;
+	margin:0px 0px 0px 10px;
+	padding:0px;
+	}
+        
+tt {
+	/* inline code */
+	font-family: monospace;
+	}
+        
+table {
+        background-color:#efefef;
+        /*background-color: white;*/
+	border-style:solid;
+	border-color:black;
+	border-width:0px 1px 1px 0px;
+        color: black;
+        text-align: left;
+	font:11px/20px verdana, arial, helvetica, sans-serif;
+        margin-left: 5%;
+        margin-right: 5%;
+}
+
+th {
+	font-weight:500;
+        background-color: #eaeaef;
+        text-align: center;
+}
+
+td.header {
+        font-weight: bold;
+}
+        
+#Content>p {margin:0px;}
+#Content>p+p {text-indent:30px;}
+a {
+	color:#09c;
+	font-size:11px;
+	text-decoration:none;
+	font-weight:600;
+	font-family:verdana, arial, helvetica, sans-serif;
+	}
+a:link {color:#09c;}
+a:visited {color:#07a;}
+a:hover {background-color:#eee;}
+
+#Codeblock {
+	margin:5px 50px 5px 10px;
+	padding:5px 0px 5px 15px;
+	border-style:solid;
+	border-color:lightgrey;
+	border-width:1px 1px 1px 1px;
+	background-color:#f5f5ff;
+	font-size:100%;
+	font-weight:600;
+	text-decoration:none;
+	font-family:monospace;
+}
+#Interface {
+	margin:5px 0px 25px 5px;
+	padding:5px 0px 5px 5px;
+	border-style:solid;
+	border-color:black;
+	border-width:1px 1px 1px 1px;
+	background-color:#fafafa;
+	font-size:14px;
+	font-weight:400;
+	text-decoration:none;
+	font-family:verdana, arial, helvetica, sans-serif;
+}
+#Interfacesmall {
+	margin:0px 0px 5px 0px;
+	padding:5px 0px 0px 5px;
+	border-style:solid;
+	border-color:black;
+	border-width:1px 1px 1px 1px;
+	background-color:#fafafa;
+	font-size:14px;
+	font-weight:400;
+	text-decoration:none;
+	font-family:verdana, arial, helvetica, sans-serif;
+}	
+#Template {
+	margin:5px 0px 25px 5px;
+	padding:5px 0px 5px 5px;
+	border-style:solid;
+	border-color:black;
+	border-width:1px 1px 1px 1px;
+	background-color:#fafafa;
+	font-size:14px;
+	font-weight:400;
+	text-decoration:none;
+	font-family:verdana, arial, helvetica, sans-serif;
+}
+#Templatesmall {
+	margin:0px 0px 5px 0px;
+	padding:5px 0px 0px 5px;
+	border-style:solid;
+	border-color:black;
+	border-width:1px 1px 1px 1px;
+	background-color:#fafafa;
+	font-size:14px;
+	font-weight:400;
+	text-decoration:none;
+	font-family:verdana, arial, helvetica, sans-serif;
+}	
+#Description {
+	margin:0px 0px 0px 5px;
+	padding:0px 0px 0px 5px;
+	text-decoration:none;
+	font-family:verdana, arial, helvetica, sans-serif;
+	font-size:12px;
+	font-weight:400;
+}
+pre {
+	margin:0px;
+	padding:0px;
+	font-size:14px;
+	text-decoration:none;
+	font-family:verdana, arial, helvetica, sans-serif;
+}
+dl {
+	/* definition text block */
+	font:11px/20px verdana, arial, helvetica, sans-serif;
+	margin:0px 0px 16px 0px;
+	padding:0px;
+	}
+dt {
+	/* definition term */
+        font-weight: bold;
+	}
+
+#Header {
+	margin:50px 0px 10px 0px;
+	padding:17px 0px 0px 20px;
+	/* For IE5/Win's benefit height = [correct height] + [top padding] + [top and bottom border widths] */
+	height:33px; /* 14px + 17px + 2px = 33px */
+	border-style:solid;
+	border-color:black;
+	border-width:1px 0px; /* top and bottom borders: 1px; left and right borders: 0px */
+	line-height:11px;
+	font-size:110%;
+	background-color:#eee;
+	voice-family: "\"}\"";
+	voice-family:inherit;
+	height:14px; /* the correct height */
+	}
+body>#Header {height:14px;}
+#Content {
+	margin:0px 50px 0px 200px;
+	padding:10px;
+	}
+
+#Menu {
+	position:absolute;
+	top:100px;
+	left:20px;
+	width:162px;
+	padding:10px;
+	background-color:#eee;
+	border:1px solid #aaa;
+	line-height:17px;
+	text-align:left;	
+	voice-family: "\"}\"";
+	voice-family:inherit;
+	width:160px;
+	}
+#Menu subitem {
+	font-size: 5px;
+}
+
+body>#Menu {width:160px;}
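Review bot: Three declarations do not do what they look like: `h1` is missing the semicolon after `font-size:150%`, so `line-height:28px` is swallowed into that (now invalid) value and both are dropped; `#Menu subitem` selects a non-existent `subitem` element rather than the `id='subitem'` div in menu.html; and the id selectors are capitalised (`#Codeblock`, `#Interface`, `#Description`, `#Interfacesmall`, `#Templatesmall`) while every template emits lowercase ids (`id="codeblock"` and so on). The capitalised selectors only match because header.html has no DOCTYPE and most browsers compare ids case-insensitively in quirks mode; the moment a doctype is added these boxes lose their styling. Change to `font-size:150%;` and `#Menu #subitem {`, and lowercase the id selectors — or better, switch both sides to classes, since the templates emit these ids many times per page.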
diff --git a/doc/templates/temp_list.html b/doc/templates/temp_list.html
new file mode 100644
index 0000000..9d635d8
--- /dev/null
+++ b/doc/templates/temp_list.html
@@ -0,0 +1,33 @@
+<h3>Master template index:</h3>
+
+[[for temp in templates]]
+<div id="templatesmall">
+Module: <a href='[[temp['mod_layer']+ "_" + temp['mod_name'] + ".html#link_" + temp['template_name']]]'>
+[[temp['mod_name']]]</a><p/>
+Layer: <a href='[[temp['mod_layer']]].html'>
+[[temp['mod_layer']]]</a><p/>
+<div id="codeblock">
+[[exec i = 0]]
+<b>[[temp['template_name']]]</b>(
+	[[for arg in temp['template_parameters']]]
+		[[if i != 0]]
+			,
+		[[end]]
+		[[exec i = 1]]
+		[[if arg['optional'] == 'yes']]
+			[
+		[[end]]
+		[[arg['name']]]
+		[[if arg['optional'] == 'yes']]
+			]
+		[[end]]
+	[[end]]
+	)<br>
+</div>
+[[if temp['template_summary']]]
+<div id="description">
+[[temp['template_summary']]]
+</div>
+[[end]]
+</div>
+[[end]]
diff --git a/doc/templates/template.html b/doc/templates/template.html
new file mode 100644
index 0000000..c24a83e
--- /dev/null
+++ b/doc/templates/template.html
@@ -0,0 +1,52 @@
+[[for temp in templates]]
+<a name="link_[[temp['template_name']]]"></a>
+<div id="template">
+[[if temp.has_key("mod_layer")]]
+	Layer: [[mod_layer]]<br>
+[[end]]
+[[if temp.has_key("mod_name")]]
+	Module: [[mod_name]]<br>
+[[end]]
+<div id="codeblock">
+[[exec i = 0]]
+<b>[[temp['template_name']]]</b>(
+	[[for arg in temp['template_parameters']]]
+		[[if i != 0]]
+			,
+		[[end]]
+		[[exec i = 1]]
+		[[if arg['optional'] == 'yes']]
+			[
+		[[end]]
+		[[arg['name']]]
+		[[if arg['optional'] == 'yes']]
+			]
+		[[end]]
+	[[end]]
+	)<br>
+</div>
+<div id="description">
+[[if temp['template_summary']]]
+<h5>Summary</h5>
+[[temp['template_summary']]]
+[[end]]
+[[if temp['template_desc']]]
+<h5>Description</h5>
+[[temp['template_desc']]]
+[[end]]
+<h5>Parameters</h5>
+<table border="1" cellspacing="0" cellpadding="3" width="80%">
+<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
+[[for arg in temp['template_parameters']]]
+<tr><td>
+[[arg['name']]]
+</td><td>
+[[arg['desc']]]
+</td><td>
+[[arg['optional']]]
+</td></tr>
+[[end]]
+</table>
+</div>
+</div>
+[[end]]
diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
new file mode 100644
index 0000000..017b212
--- /dev/null
+++ b/man/man8/ftpd_selinux.8
@@ -0,0 +1,56 @@
+.TH  "ftpd_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
+.SH "NAME"
+ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the ftpd server via flexible mandatory access
+control.  
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type. 
+Policy governs the access daemons have to these files. 
+If you want to share files anonymously, you must label the files and directories public_content_t.  So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.
+.TP
+chcon -R -t public_content_t /var/ftp
+.TP
+If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
+.TP
+chcon -t public_content_rw_t /var/ftp/incoming
+.TP
+You must also turn on the boolean allow_ftpd_anon_write.
+.TP
+setsebool -P allow_ftpd_anon_write=1
+.TP
+If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
+.TP
+/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
+.br
+/var/ftp(/.*)? system_u:object_r:public_content_t
+/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
+
+.SH BOOLEANS
+SELinux ftp daemon policy is customizable based on least access required.  So by 
+default SElinux does not allow users to login and read their home directories.
+.br
+If you are setting up this machine as a ftpd server and wish to allow users to access their home
+directorories, you need to set the ftp_home_dir boolean. 
+.TP
+setsebool -P ftp_home_dir 1
+.TP
+ftpd can run either as a standalone daemon or as part of the xinetd domain.  If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean.
+.TP
+setsebool -P ftpd_is_daemon 1
+.TP
+You can disable SELinux protection for the ftpd daemon by executing:
+.TP
+setsebool -P ftpd_disable_trans 1
+.br
+service vsftpd restart
+.TP
+system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), ftpd(8), chcon(1), setsebool(8)
+
+
diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
new file mode 100644
index 0000000..e9d4774
--- /dev/null
+++ b/man/man8/httpd_selinux.8
@@ -0,0 +1,123 @@
+.TH  "httpd_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
+.SH "NAME"
+httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the httpd server via flexible mandatory access
+control.  
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type. 
+Policy governs the access daemons have to these files. 
+SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
+.TP 
+The following file contexts types are defined for httpd:
+.br
+
+httpd_sys_content_t 
+.br 
+- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.
+.br
+
+httpd_sys_script_exec_t  
+.br 
+- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
+.br
+
+httpd_sys_script_ro_t 
+.br
+- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
+.br
+
+httpd_sys_script_rw_t 
+.br
+- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
+.br
+
+httpd_sys_script_ra_t 
+.br
+- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
+
+httpd_unconfined_script_exec_t  
+.br 
+- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options.  It is better to use this script rather than turning off SELinux protection for httpd.
+.br
+
+.SH NOTE
+With certain policies you can define addional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
+
+.SH SHARING FILES
+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for httpd you would execute:
+
+setsebool -P allow_httpd_anon_write=1
+
+or 
+
+setsebool -P allow_httpd_sys_script_anon_write=1
+
+.SH BOOLEANS
+SELinux policy is customizable based on least access required.  So by 
+default SElinux prevents certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
+.TP
+httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
+.br
+
+setsebool -P httpd_enable_cgi 1
+
+.TP
+httpd by default is not allowed to access users home directories.  If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
+.br
+
+setsebool -P httpd_enable_homedirs 1
+.br
+chcon -R -t httpd_sys_content_t ~user/public_html
+
+.TP
+httpd by default is not allowed access to the controling terminal.  In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.
+.br
+
+setsebool -P httpd_tty_comm 1
+
+.TP
+httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute.  Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
+.br
+
+setsebool -P httpd_unified 0
+
+.TP
+httpd can be configured to turn off internal scripting (PHP).  PHP and other
+loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
+.br
+
+setsebool -P httpd_builtin_scripting 0
+
+.TP
+httpd scripts by default are not allowed to connect out to the network.
+This would prevent a hacker from breaking into you httpd server and attacking 
+other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
+.br
+
+setsebool -P httpd_can_network_connect 1
+
+.TP
+You can disable suexec transition, set httpd_suexec_disable_trans deny this
+.br
+
+setsebool -P httpd_suexec_disable_trans 1
+
+.TP
+You can disable SELinux protection for the httpd daemon by executing:
+.br
+
+setsebool -P httpd_disable_trans 1
+.br
+service httpd restart
+
+.TP
+system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), httpd(8), chcon(1), setsebool(8)
+
+
diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8
new file mode 100644
index 0000000..94b3228
--- /dev/null
+++ b/man/man8/kerberos_selinux.8
@@ -0,0 +1,31 @@
+.TH  "kerberos_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
+.SH "NAME"
+kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the system via flexible mandatory access
+control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network.  
+.SH BOOLEANS
+.TP
+You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
+.TP
+setsebool -P allow_kerberos 1
+.TP 
+If you are running Kerberos daemons kadmind or krb5kdc you can disable the SELinux protection on these daemons by setting the krb5kdc_disable_trans and kadmind_disable_trans booleans.
+.br
+
+setsebool -P krb5kdc_disable_trans 1
+.br
+service krb5kdc restart
+.br
+setsebool -P kadmind_disable_trans booleans 1
+.br
+service kadmind restart
+
+.TP
+system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), kerberos(1), chcon(1), setsebool(8)
diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8
new file mode 100644
index 0000000..2381614
--- /dev/null
+++ b/man/man8/named_selinux.8
@@ -0,0 +1,29 @@
+.TH  "named_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
+.SH "NAME"
+named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the named server via flexible mandatory access
+control.  
+.SH BOOLEANS
+SELinux policy is customizable based on least access required.  So by 
+default SElinux policy does not allow named to write master zone files.  If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
+.TP
+.br
+setsebool -P named_write_master_zones 1
+
+.TP
+You can disable SELinux protection for the named daemon by executing:
+.TP
+setsebool -P named_disable_trans 1
+.br
+service named restart
+.TP
+system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), named(8), chcon(1), setsebool(8)
+
+
diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8
new file mode 100644
index 0000000..422f042
--- /dev/null
+++ b/man/man8/nfs_selinux.8
@@ -0,0 +1,30 @@
+.TH  "nfs_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
+.SH "NAME"
+nfs_selinux \- Security Enhanced Linux Policy for NFS
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the nfs server via flexible mandatory access
+control.  
+.SH BOOLEANS
+SELinux policy is customizable based on least access required.  So by 
+default SElinux policy does not allow nfs to share files.  If you want to 
+setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean.
+
+.TP
+setsebool -P nfs_export_all_ro 1
+.TP
+If you want to share files read/write you must set the nfs_export_all_rw boolean.
+.TP
+setsebool -P nfs_export_all_rw 1
+
+.TP
+If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean.
+.TP
+setsebool -P use_nfs_home_dirs 1
+.TP
+system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSpppO"
+selinux(8), chcon(1), setsebool(8)
diff --git a/man/man8/nis_selinux.8 b/man/man8/nis_selinux.8
new file mode 100644
index 0000000..6271c95
--- /dev/null
+++ b/man/man8/nis_selinux.8
@@ -0,0 +1 @@
+.so man8/ypbind_selinux.8
diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8
new file mode 100644
index 0000000..8ff4429
--- /dev/null
+++ b/man/man8/rsync_selinux.8
@@ -0,0 +1,41 @@
+.TH  "rsync_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
+.SH "NAME"
+rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the rsync server via flexible mandatory access
+control.  
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type. 
+Policy governs the access daemons have to these files. 
+If you want to share files using the rsync daemon, you must label the files and directories public_content_t.  So if you created a special directory /var/rsync, you 
+would need to label the directory with the chcon tool.
+.TP
+chcon -t public_content_t /var/rsync
+.TP
+If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
+.TP
+/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
+.br
+/var/rsync(/.*)? system_u:object_r:public_content_t
+
+.SH SHARING FILES
+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for rsync you would execute:
+
+setsebool -P allow_rsync_anon_write=1
+
+
+.SH BOOLEANS
+.TP
+You can disable SELinux protection for the rsync daemon by executing:
+.TP
+setsebool -P rsync_disable_trans 1
+.br
+service xinetd restart
+.TP
+system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), rsync(1), chcon(1), setsebool(8)
diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
new file mode 100644
index 0000000..f0268cc
--- /dev/null
+++ b/man/man8/samba_selinux.8
@@ -0,0 +1,60 @@
+.TH  "samba_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
+.SH "NAME"
+samba_selinux \- Security Enhanced Linux Policy for Samba
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the Samba server via flexible mandatory access
+control.  
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type. 
+Policy governs the access daemons have to these files. 
+If you want to share files other than home directories, those files must be 
+labeled samba_share_t.  So if you created a special directory /var/eng, you 
+would need to label the directory with the chcon tool.
+.TP
+chcon -t samba_share_t /var/eng
+.TP
+If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
+.TP
+/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
+.br
+/var/eng(/.*)? system_u:object_r:samba_share_t
+
+.SH SHARING FILES
+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
+
+setsebool -P allow_smbd_anon_write=1
+
+.SH BOOLEANS
+.br 
+SELinux policy is customizable based on least access required.  So by 
+default SElinux policy turns off SELinux sharing of home directories and 
+the use of Samba shares from a remote machine as a home directory.
+.TP
+If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. 
+.br
+
+setsebool -P samba_enable_home_dirs 1
+.TP
+If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
+.br 
+
+setsebool -P use_samba_home_dirs 1
+.TP
+You can disable SELinux protection for the samba daemon by executing:
+.br 
+
+setsebool -P smbd_disable_trans 1
+.br
+service smb restart
+.TP
+system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
+
+
+
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), samba(7), chcon(1), setsebool(8)
diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8
new file mode 100644
index 0000000..ed07681
--- /dev/null
+++ b/man/man8/ypbind_selinux.8
@@ -0,0 +1,19 @@
+.TH  "ypbind_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
+.SH "NAME"
+ypbind_selinux \- Security Enhanced Linux Policy for NIS.
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the system via flexible mandatory access
+control. By default NIS is not allowed, since it requires daemons to be allowed greater access to the network.  
+.SH BOOLEANS
+.TP
+You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
+.TP
+setsebool -P allow_ypbind 1
+.TP
+system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), ypbind(8), chcon(1), setsebool(8)
diff --git a/policy/constraints b/policy/constraints
new file mode 100644
index 0000000..d4dab72
--- /dev/null
+++ b/policy/constraints
@@ -0,0 +1,92 @@
+
+#
+# Define the constraints
+#
+# constrain class_set perm_set expression ;
+#
+# expression : ( expression ) 
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_op r2
+#	     | t1 op t2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#
+# op : == | != 
+# role_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name		
+#
+
+#
+# SELinux process identity change constraint:
+#
+constrain process transition
+	( u1 == u2
+
+ifdef(`targeted_policy',`
+	or t1 == can_change_process_identity
+',`
+	or ( t1 == can_change_process_identity and t2 == process_user_target )
+
+       	or ( t1 == cron_source_domain
+		and ( t2 == cron_job_domain or u2 == system_u )
+	   )
+
+	or (t1 == process_uncond_exempt)
+
+	or (t1 == can_system_change and u2 == system_u )
+')
+);
+
+#
+# SELinux process role change constraint:
+#
+constrain process transition 
+	( r1 == r2
+
+ifdef(`targeted_policy',`
+	or t1 == can_change_process_role
+',`
+	or ( t1 == can_change_process_role and t2 == process_user_target )
+
+       	or ( t1 == cron_source_domain and t2 == cron_job_domain )
+
+	or ( t1 == process_uncond_exempt )
+
+	# FIXME:
+	ifdef(`postfix.te',`
+		ifdef(`direct_sysadm_daemon',`
+			or (
+				t1 == sysadm_mail_t
+				and t2 == system_mail_t
+				and r2 == system_r
+			)
+		')
+	')
+
+	or (t1 == can_system_change and r2 == system_r )
+')
+);
+
+#
+# SELinux dynamic transition constraint:
+#
+constrain process dyntransition
+	( u1 == u2 and r1 == r2 );
+
+#
+# SElinux object identity change constraint:
+#
+constrain dir_file_class_set { create relabelto relabelfrom } 
+	( u1 == u2 or t1 == can_change_object_identity );
+
+constrain socket_class_set { create relabelto relabelfrom } 
+	( u1 == u2 or t1 == can_change_object_identity );
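Review bot: The bare `# FIXME:` above the postfix exemption in the role-change constraint does not say what is wrong or what the intended end state is, so a maintainer cannot tell whether letting sysadm_mail_t reach system_mail_t in system_r is a stopgap or a permanent design decision. I would replace it with a comment that records the reason and the removal condition, e.g. `# FIXME: sysadm_mail_t must reach system_mail_t in system_r when direct_sysadm_daemon is set; fold this into the can_system_change attribute once postfix is converted to it`, adjusting the second half to whatever the real plan is. The two `targeted_policy` branches also drop the `t2 == process_user_target` restriction, so any domain carrying can_change_process_identity or can_change_process_role may transition to any user or role; that is presumably safe because the targeted policy runs everything under a single user and role, but a one-line comment stating that assumption would make the relaxation reviewable instead of looking like an oversight. The dyntransition constraint, by contrast, has no exemptions at all, which is the right shape and worth a comment saying it is intentional.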
diff --git a/policy/flask/Makefile b/policy/flask/Makefile
new file mode 100644
index 0000000..970b9fe
--- /dev/null
+++ b/policy/flask/Makefile
@@ -0,0 +1,41 @@
+# flask needs to know where to export the libselinux headers.
+LIBSEL ?= ../../libselinux
+
+# flask needs to know where to export the kernel headers.
+LINUXDIR ?= ../../../linux-2.6
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+          else if [ -x /bin/bash ]; then echo /bin/bash; \
+          else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = security_classes initial_sids
+AV_H_DEPEND = access_vectors
+
+FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
+AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+all:  $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+
+tolib: all
+	install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
+	install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
+
+tokern: all
+	install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
+
+install: all
+
+relabel:
+
+clean:  
+	rm -f $(FLASK_H_FILES)
+	rm -f $(AV_H_FILES)
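Review bot: The two generator rules list several targets with one recipe (`$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)`), which in GNU make means the recipe is a separate rule for each header, so `make -j` can start mkflask.sh or mkaccess_vector.sh several times at once, each truncating and rewriting the same output files; the headers that tolib/tokern then install can be interleaved or truncated. Routing the headers through a stamp file makes the generator run exactly once per change of its inputs. The limitation is that a header deleted by hand is not regenerated until `make clean`, which is acceptable for generated files but worth stating in the comment. `clean` has to remove the stamps as well, otherwise a stale stamp suppresses regeneration after a clean of the headers alone.
```makefile
# Each generator writes every header in its list in one run, so depend on a
# stamp instead of the headers: "make -j" must not start the script once per
# header.  A hand-deleted header is only rebuilt after "make clean".
$(FLASK_H_FILES): flask.stamp
flask.stamp: $(FLASK_H_DEPEND)
	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
	touch $@

$(AV_H_FILES): av.stamp
av.stamp: $(AV_H_DEPEND)
	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
	touch $@

# … unchanged: tolib, tokern, install, relabel …

clean:
	rm -f $(FLASK_H_FILES) $(AV_H_FILES) flask.stamp av.stamp
```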
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
new file mode 100644
index 0000000..6a847d1
--- /dev/null
+++ b/policy/flask/access_vectors
@@ -0,0 +1,631 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	unlink
+	link
+	rename
+	execute
+	swapon
+	quotaon
+	mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+# socket-specific
+	bind
+	connect
+	listen
+	accept
+	getopt
+	setopt
+	shutdown
+	recvfrom
+	sendto
+	recv_msg
+	send_msg
+	name_bind
+}	
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+	create
+	destroy
+	getattr
+	setattr
+	read
+	write
+	associate
+	unix_read
+	unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+	mount
+	remount
+	unmount
+	getattr
+	relabelfrom
+	relabelto
+	transition
+	associate
+	quotamod
+	quotaget
+}
+
+class dir
+inherits file
+{
+	add_name
+	remove_name
+	reparent
+	search
+	rmdir
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+	use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+	node_bind
+	name_connect
+}
+
+class udp_socket
+inherits socket
+{
+	node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+	node_bind
+}
+
+class node 
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+	enforce_dest
+}
+
+class netif
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+	fork
+	transition
+	sigchld # commonly granted from child to parent
+	sigkill # cannot be caught or ignored
+	sigstop # cannot be caught or ignored
+	signull # for kill(pid, 0)
+	signal  # all other signals
+	ptrace
+	getsched
+	setsched
+	getsession
+	getpgid
+	setpgid
+	getcap
+	setcap
+	share
+	getattr
+	setexec
+	setfscreate
+	noatsecure
+	siginh
+	setrlimit
+	rlimitinh
+	dyntransition
+	setcurrent
+	execmem
+	execstack
+	execheap
+	setkeycreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+	enqueue
+}
+
+class msg
+{
+	send
+	receive
+}
+
+class shm
+inherits ipc
+{
+	lock
+}
+
+
+#
+# Define the access vector interpretation for the security server. 
+#
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce     # was avc_toggle in system class
+	setbool
+	setsecparam
+	setcheckreqprot
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+	ipc_info
+	syslog_read  
+	syslog_mod
+	syslog_console
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown           
+	dac_override    
+	dac_read_search 
+	fowner          
+	fsetid          
+	kill            
+	setgid           
+	setuid           
+	setpcap          
+	linux_immutable  
+	net_bind_service 
+	net_broadcast    
+	net_admin        
+	net_raw          
+	ipc_lock         
+	ipc_owner        
+	sys_module       
+	sys_rawio        
+	sys_chroot       
+	sys_ptrace       
+	sys_pacct        
+	sys_admin        
+	sys_boot         
+	sys_nice         
+	sys_resource     
+	sys_time         
+	sys_tty_config  
+	mknod
+	lease
+	audit_write
+	audit_control
+}
+
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+	passwd	# change another user passwd
+	chfn	# change another user finger info
+	chsh	# change another user shell
+	rootok  # pam_rootok check (skip auth)
+	crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class drawable
+{
+	create
+	destroy
+	draw
+	copy
+	getattr
+}
+
+class gc
+{
+	create
+	free
+	getattr
+	setattr
+}
+
+class window 
+{
+	addchild
+	create
+	destroy
+	map
+	unmap
+	chstack
+	chproplist
+	chprop	
+	listprop
+	getattr
+	setattr
+	setfocus
+	move
+	chselection
+	chparent
+	ctrllife
+	enumerate
+	transparent
+	mousemotion
+	clientcomevent
+	inputevent
+	drawevent
+	windowchangeevent
+	windowchangerequest
+	serverchangeevent
+	extensionevent
+}
+
+class font
+{
+	load
+	free
+	getattr
+	use
+}
+
+class colormap
+{
+	create
+	free
+	install
+	uninstall
+	list
+	read
+	store
+	getattr
+	setattr
+}
+
+class property
+{
+	create
+	free
+	read
+	write
+}
+
+class cursor
+{
+	create
+	createglyph
+	free
+	assign
+	setattr
+}
+
+class xclient
+{
+	kill
+}
+
+class xinput
+{
+	lookup
+	getattr
+	setattr
+	setfocus
+	warppointer
+	activegrab
+	passivegrab
+	ungrab
+	bell
+	mousemotion
+	relabelinput
+}
+
+class xserver
+{
+	screensaver
+	gethostlist
+	sethostlist
+	getfontpath
+	setfontpath
+	getattr
+	grab
+	ungrab
+}
+
+class xextension
+{
+	query
+	use
+}
+
+#
+# Define the access vector interpretation for controlling
+# PaX flags
+#
+class pax
+{
+	pageexec	# Paging based non-executable pages
+	emutramp	# Emulate trampolines
+	mprotect	# Restrict mprotect()
+	randmmap	# Randomize mmap() base
+	randexec	# Randomize ET_EXEC base
+	segmexec	# Segmentation based non-executable pages
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+	nlmsg_relay
+	nlmsg_readpriv
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+	acquire_svc
+	send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+	getpwd
+	getgrp
+	gethost
+	getstat
+	admin
+	shmempwd
+	shmemgrp
+	shmemhost
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+	sendto
+	recvfrom
+	setcontext
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+	send
+	recv
+	relabelto
+}
+
+class key
+{
+	view
+	read
+	write
+	search
+	link
+	setattr
+	create
+}
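Review bot: The "Order matters" warning is written only inside `class capability`, but it applies to every common and class in this file: mkaccess_vector.sh assigns each permission the next power of two in order of appearance, so inserting a permission anywhere but at the end of a block silently renumbers every permission after it, and a policy compiled from the new numbering is checked by a kernel that still holds the old av_permissions.h. That mismatch is not detected at build time and turns into the wrong permission being granted or denied at runtime. I would add a file-level comment next to the grammar at the top, e.g. `# Permission bits are assigned in order of appearance by mkaccess_vector.sh and are part of the kernel/userspace ABI: append new permissions at the end of a block, never insert or reorder, and regenerate both the kernel and libselinux headers together.` The `# inherited from file` comment in `common socket` is also misleading, since a common cannot inherit and these permissions are simply a copy of the first ten file permissions; `# same names and bit positions as the first ten file permissions (common blocks cannot inherit)` says what is actually true.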
diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids
new file mode 100644
index 0000000..95894eb
--- /dev/null
+++ b/policy/flask/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers 
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
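Review bot: Nothing in this file says that the SECINITSID_ values are positional: mkflask.sh increments a counter per `sid` line, and the kernel and libselinux use those indices as fixed identifiers for the initial SIDs, so reordering or inserting an entry here changes the meaning of every SID after it without any build error. A short comment after the "Define initial security identifiers" header would prevent that, e.g. `# The index of each sid is its SECINITSID_ value and is part of the kernel ABI: append only, never insert or reorder.`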
diff --git a/policy/flask/mkaccess_vector.sh b/policy/flask/mkaccess_vector.sh
new file mode 100755
index 0000000..b5da734
--- /dev/null
+++ b/policy/flask/mkaccess_vector.sh
@@ -0,0 +1,227 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift
+
+# output files
+av_permissions="av_permissions.h"
+av_inherit="av_inherit.h"
+common_perm_to_string="common_perm_to_string.h"
+av_perm_to_string="av_perm_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$av_permissions\"
+		inheritfile = \"$av_inherit\"
+		cpermfile = \"$common_perm_to_string\"
+		avpermfile = \"$av_perm_to_string\"
+		"'
+		nextstate = "COMMON_OR_AV";
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > inheritfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > cpermfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
+;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "common"	{ 
+			if (nextstate != "COMMON_OR_AV")
+			{
+				printf("Parse error:  Unexpected COMMON definition on line %d\n", NR);
+				next;	
+			}
+
+			if ($2 in common_defined)
+			{
+				printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			common_defined[$2] = 1;
+
+			tclass = $2;
+			common_name = $2; 
+			permission = 1;
+
+			printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
+
+			nextstate = "COMMON-OPENBRACKET";
+			next;
+		}
+$1 == "class"	{
+			if (nextstate != "COMMON_OR_AV" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			tclass = $2;
+
+			if (tclass in av_defined)
+			{
+				printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
+				next;
+			} 
+			av_defined[tclass] = 1;
+
+			inherits = "";
+			permission = 1;
+
+			nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
+			next;
+		}
+$1 == "inherits" {			
+			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected INHERITS definition on line %d\n", NR);
+				next;	
+			}
+
+			if (!($2 in common_defined))
+			{
+				printf("COMMON %s is not defined (line %d).\n", $2, NR);
+				next;
+			}
+
+			inherits = $2;
+			permission = common_base[$2];
+
+			for (combined in common_perms)
+			{
+				split(combined,separate, SUBSEP);
+				if (separate[1] == inherits)
+				{
+					inherited_perms[common_perms[combined]] = separate[2];
+				}
+			}
+
+                        j = 1;
+                        for (i in inherited_perms) {
+                            ind[j] = i + 0;
+                            j++;
+                        }
+                        n = asort(ind);
+			for (i = 1; i <= n; i++) {
+				perm = inherited_perms[ind[i]];
+				printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; 
+				spaces = 40 - (length(perm) + length(tclass));
+				if (spaces < 1)
+				      spaces = 1;
+				for (j = 0; j < spaces; j++) 
+					printf(" ") > outfile; 
+				printf("0x%08xUL\n", ind[i]) > outfile; 
+			}
+			printf("\n") > outfile;
+                        for (i in ind) delete ind[i];
+                        for (i in inherited_perms) delete inherited_perms[i];
+
+			printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; 
+
+			nextstate = "CLASS_OR_CLASS-OPENBRACKET";
+			next;
+		}
+$1 == "{"	{ 
+			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "COMMON-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected { on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "COMMON-OPENBRACKET")
+				nextstate = "COMMON-CLOSEBRACKET";
+		}
+/[a-z][a-z_]*/	{
+			if (nextstate != "COMMON-CLOSEBRACKET" &&
+			    nextstate != "CLASS-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected symbol %s on line %d\n", $1, NR);		
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				if ((common_name,$1) in common_perms)
+				{
+					printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
+					next;
+				}
+
+				common_perms[common_name,$1] = permission;
+
+				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
+
+				printf("    S_(\"%s\")\n", $1) > cpermfile;
+			}
+			else
+			{
+				if ((tclass,$1) in av_perms)
+				{
+					printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
+					next;
+				}
+
+				av_perms[tclass,$1] = permission;
+		
+				if (inherits != "")
+				{
+					if ((inherits,$1) in common_perms)
+					{
+						printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
+						next;
+					}
+				}
+
+				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
+
+				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
+			}
+
+			spaces = 40 - (length($1) + length(tclass));
+			if (spaces < 1)
+			      spaces = 1;
+
+			for (i = 0; i < spaces; i++) 
+				printf(" ") > outfile; 
+			printf("0x%08xUL\n", permission) > outfile; 
+			permission = permission * 2;
+		}
+$1 == "}"	{
+			if (nextstate != "CLASS-CLOSEBRACKET" && 
+			    nextstate != "COMMON-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected } on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				common_base[common_name] = permission;
+				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
+			}
+
+			printf("\n") > outfile;
+
+			nextstate = "COMMON_OR_AV";
+		}
+END	{
+		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			printf("Parse error:  Unexpected end of file\n");
+
+	}'
+
+# FLASK
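Review bot: Every parse error in the awk program (unexpected keyword, duplicate common/class/permission, undefined common, premature end of file) only prints a message to stdout and continues, and the program never exits with a non-zero status, so `set -e` on line 6 has nothing to act on and make goes on to install partially written, inconsistent av_permissions.h and av_perm_to_string.h as if the build had succeeded. I would count the errors (`errors++` before each `next` in an error branch) and end with `END { if (errors) { printf("%d parse error(s)\n", errors) > "/dev/stderr"; exit 1 } }`, sending the messages themselves to `/dev/stderr` as well so they are not lost in build output; because the output files are already open when the error is found, the shell should also remove the four generated headers on failure, otherwise the next make run treats the broken headers as up to date. The conflict message in the CLASS-CLOSEBRACKET branch passes four arguments (`$1, tclass, inherits, NR`) to a format with three conversions, so the line number printed is `inherits` converted to a number (0) rather than `NR`; `printf("Permission %s in %s on line %d conflicts with common %s.\n", $1, tclass, NR, inherits)` reports it correctly.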
diff --git a/policy/flask/mkflask.sh b/policy/flask/mkflask.sh
new file mode 100755
index 0000000..9c84754
--- /dev/null
+++ b/policy/flask/mkflask.sh
@@ -0,0 +1,95 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift 1
+
+# output file
+output_file="flask.h"
+debug_file="class_to_string.h"
+debug_file2="initial_sid_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$output_file\"
+		debugfile = \"$debug_file\"
+		debugfile2 = \"$debug_file2\"
+		"'
+		nextstate = "CLASS";
+
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+
+		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+		printf("#define _SELINUX_FLASK_H_\n") > outfile;
+		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
+		printf("/*\n * Security object class definitions\n */\n") > debugfile;
+		printf("    S_(\"null\")\n") > debugfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
+		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
+		printf("    \"null\",\n") > debugfile2;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "class"	{ 
+			if (nextstate != "CLASS")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			if ($2 in class_found)
+			{
+				printf("Duplicate class definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			class_found[$2] = 1;
+
+			class_value++;
+
+			printf("#define SECCLASS_%s", toupper($2)) > outfile;
+			for (i = 0; i < 40 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", class_value) > outfile; 
+
+			printf("    S_(\"%s\")\n", $2) > debugfile;
+		}
+$1 == "sid"	{ 
+			if (nextstate == "CLASS")
+			{
+			    nextstate = "SID";
+			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
+			}
+
+			if ($2 in sid_found)
+			{
+				printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			sid_found[$2] = 1;
+			sid_value++;
+
+			printf("#define SECINITSID_%s", toupper($2)) > outfile;
+			for (i = 0; i < 37 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", sid_value) > outfile; 
+			printf("    \"%s\",\n", $2) > debugfile2;
+		}
+END	{
+		if (nextstate != "SID")
+			printf("Parse error:  Unexpected end of file\n");
+
+		printf("\n#define SECINITSID_NUM") > outfile;
+		for (i = 0; i < 34; i++) 
+			printf(" ") > outfile; 
+		printf("%d\n", sid_value) > outfile; 
+		printf("\n#endif\n") > outfile;
+		printf("};\n\n") > debugfile2;
+	}'
+
+# FLASK
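Review bot: As in mkaccess_vector.sh, a duplicate class, duplicate sid, class-after-sid or missing sid section is reported with a plain `printf` to stdout and the script still exits 0, so `set -e` never fires and a broken flask.h is written, installed into the kernel and libselinux trees by the Makefile, and then considered up to date on the next run. Setting an error counter in each error branch and finishing with `if (errors) exit 1` in END, with the messages sent to `/dev/stderr`, turns these into build failures; removing the three output files on failure avoids leaving a newer-than-its-inputs broken header behind. Separately, the generated `static char *initial_sid_to_string[]` is an array of pointers to string literals, which compilers accept but which invites accidental writes through it; if the consumers in the kernel and libselinux tolerate it, emitting `static const char *initial_sid_to_string[]` is the safer declaration.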
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
new file mode 100644
index 0000000..57f49bc
--- /dev/null
+++ b/policy/flask/security_classes
@@ -0,0 +1,96 @@
+# FLASK
+
+#
+# Define the security object classes 
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd			# userspace
+
+# SE-X Windows stuff
+class drawable			# userspace
+class window			# userspace
+class gc			# userspace
+class font			# userspace
+class colormap			# userspace
+class property			# userspace
+class cursor			# userspace
+class xclient			# userspace
+class xinput			# userspace
+class xserver			# userspace
+class xextension		# userspace
+
+# pax flags
+class pax
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus			# userspace
+class nscd			# userspace
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+# FLASK
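Review bot: The file explains what the `# userspace` marks mean but not that the position of each `class` line is its SECCLASS_ number: mkflask.sh numbers classes in order of appearance, so inserting a class in the middle (for instance next to the related network classes) renumbers everything below it and breaks the agreement between the kernel's flask.h and a policy built from the new file. Nothing in either generator checks that the set of classes here matches the set in access_vectors, either, since mkflask.sh reads only security_classes and initial_sids and mkaccess_vector.sh reads only access_vectors, so a class listed in one file and missing from the other goes unnoticed until the kernel and the policy disagree. I would add, under the "Define the security object classes" header, `# Class numbers are assigned in order of appearance and form part of the kernel ABI: append new classes at the end and add the matching entry to access_vectors.`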
diff --git a/policy/global_booleans b/policy/global_booleans
new file mode 100644
index 0000000..111d004
--- /dev/null
+++ b/policy/global_booleans
@@ -0,0 +1,30 @@
+#
+# This file is for the declaration of global booleans.
+# To change the default value at build time, the booleans.conf
+# file should be used.
+#
+
+## <desc>
+## <p>
+## Enabling secure mode disallows programs, such as
+## newrole, from transitioning to administrative
+## user domains.
+## </p>
+## </desc>
+gen_bool(secure_mode,false)
+
+## <desc>
+## <p>
+## Disable transitions to insmod.
+## </p>
+## </desc>
+gen_bool(secure_mode_insmod,false)
+
+## <desc>
+## <p>
+## boolean to determine whether the system permits loading policy, setting
+## enforcing mode, and changing boolean values.  Set this to true and you
+## have to reboot to set it back
+## </p>
+## </desc>
+gen_bool(secure_mode_policyload,false)
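Review bot: The description of secure_mode_policyload is the one that matters most for hardening, and it is the least clearly written: "boolean to determine whether the system permits" followed by "Set this to true and you have to reboot to set it back" reads as a fragment and buries the consequence. I would phrase it as `Lock down policy management: when enabled, the system refuses to load a new policy, switch enforcing mode, or change boolean values. Once set, this boolean cannot be cleared without a reboot.` The description of secure_mode_insmod, `Disable transitions to insmod.`, only restates the name; a sentence saying which domains are prevented from reaching the insmod domain, and therefore from loading kernel modules, would tell an administrator what turning it on actually protects, assuming that is its effect.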
diff --git a/policy/global_tunables b/policy/global_tunables
new file mode 100644
index 0000000..ec5cc93
--- /dev/null
+++ b/policy/global_tunables
@@ -0,0 +1,587 @@
+#
+# This file is for the declaration of global tunables.
+# To change the default value at build time, the booleans.conf
+# file should be used.
+#
+
+########################################
+#
+# Common tunables
+#
+
+## <desc>
+## <p>
+## Allow cvs daemon to read shadow
+## </p>
+## </desc>
+#
+gen_tunable(allow_cvs_read_shadow,false)
+
+## <desc>
+## <p>
+## Allow making the heap executable.
+## </p>
+## </desc>
+gen_tunable(allow_execheap,false)
+
+## <desc>
+## <p>
+## Allow making anonymous memory executable, e.g. 
+## for runtime-code generation or executable stack.
+## </p>
+## </desc>
+gen_tunable(allow_execmem,false)
+
+## <desc>
+## <p>
+## Allow making a modified private file
+## mapping executable (text relocation).
+## </p>
+## </desc>
+gen_tunable(allow_execmod,false)
+
+## <desc>
+## <p>
+## Allow making the stack executable via mprotect.
+## Also requires allow_execmem.
+## </p>
+## </desc>
+gen_tunable(allow_execstack,false)
+
+## <desc>
+## <p>
+## Allow ftp servers to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_anon_write,false)
+
+## <desc>
+## <p>
+## Allow ftp servers to use cifs
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_cifs,false)
+
+## <desc>
+## <p>
+## Allow ftp servers to use nfs
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_nfs,false)
+
+## <desc>
+## <p>
+## Allow gssd to read temp directory.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_read_tmp,true)
+
+## <desc>
+## <p>
+## Allow Apache to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_anon_write,false)
+
+## <desc>
+## <p>
+## Allow java executable stack
+## </p>
+## </desc>
+gen_tunable(allow_java_execstack,false)
+
+## <desc>
+## <p>
+## Allow system to run with kerberos
+## </p>
+## </desc>
+gen_tunable(allow_kerberos,false)
+
+## <desc>
+## <p>
+## Allow nfs servers to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_nfsd_anon_write,false)
+
+## <desc>
+## <p>
+## Allow rsync to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_rsync_anon_write,false)
+
+## <desc>
+## <p>
+## Allow sasl to read shadow
+## </p>
+## </desc>
+gen_tunable(allow_saslauthd_read_shadow,false)
+
+## <desc>
+## <p>
+## Allow samba to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_smbd_anon_write,false)
+
+## <desc>
+## <p>
+## Allow sysadm to ptrace all processes
+## </p>
+## </desc>
+gen_tunable(allow_ptrace,false)
+
+## <desc>
+## <p>
+## Allow system to run with NIS
+## </p>
+## </desc>
+gen_tunable(allow_ypbind,false)
+
+## <desc>
+## <p>
+## Enable extra rules in the cron domain
+## to support fcron.
+## </p>
+## </desc>
+gen_tunable(fcron_crond,false)
+
+## <desc>
+## <p>
+## Allow ftp to read and write files in the user home directories
+## </p>
+## </desc>
+gen_tunable(ftp_home_dir,false)
+
+## <desc>
+## <p>
+## Allow ftpd to run directly without inetd
+## </p>
+## </desc>
+gen_tunable(ftpd_is_daemon,false)
+
+## <desc>
+## <p>
+## Enable reading of urandom for all domains.
+## </p>
+## <p>
+## This should be enabled when all programs
+## are compiled with ProPolice/SSP
+## stack smashing protection.  All domains will
+## be allowed to read from /dev/urandom.
+## </p>
+## </desc>
+gen_tunable(global_ssp,false)
+
+## <desc>
+## <p>
+## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
+gen_tunable(httpd_builtin_scripting,false)
+
+## <desc>
+## <p>
+## Allow http daemon to tcp connect 
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect,false)
+
+## <desc>
+## <p>
+## Allow httpd to connect to mysql/posgresql 
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_db, false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a relay 
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_relay, false)
+
+## <desc>
+## <p>
+## Allow httpd cgi support
+## </p>
+## </desc>
+gen_tunable(httpd_enable_cgi,false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+## </p>
+## </desc>
+gen_tunable(httpd_enable_ftp_server,false)
+
+## <desc>
+## <p>
+## Allow httpd to read home directories
+## </p>
+## </desc>
+gen_tunable(httpd_enable_homedirs,false)
+
+## <desc>
+## <p>
+## Run SSI execs in system CGI script domain.
+## </p>
+## </desc>
+gen_tunable(httpd_ssi_exec,false)
+
+## <desc>
+## <p>
+## Allow http daemon to communicate with the TTY
+## </p>
+## </desc>
+gen_tunable(httpd_tty_comm,false)
+
+## <desc>
+## <p>
+## Run CGI in the main httpd domain
+## </p>
+## </desc>
+gen_tunable(httpd_unified,false)
+
+## <desc>
+## <p>
+## Allow BIND to write the master zone files.
+## Generally this is used for dynamic DNS.
+## </p>
+## </desc>
+gen_tunable(named_write_master_zones,false)
+
+## <desc>
+## <p>
+## Allow nfs to be exported read/write.
+## </p>
+## </desc>
+gen_tunable(nfs_export_all_rw,false)
+
+## <desc>
+## <p>
+## Allow nfs to be exported read only
+## </p>
+## </desc>
+gen_tunable(nfs_export_all_ro,false)
+
+## <desc>
+## <p>
+## Allow pppd to load kernel modules for certain modems
+## </p>
+## </desc>
+gen_tunable(pppd_can_insmod,false)
+
+## <desc>
+## <p>
+## Allow reading of default_t files.
+## </p>
+## </desc>
+gen_tunable(read_default_t,false)
+
+## <desc>
+## <p>
+## Allow ssh to run from inetd instead of as a daemon.
+## </p>
+## </desc>
+gen_tunable(run_ssh_inetd,false)
+
+## <desc>
+## <p>
+## Allow samba to export user home directories.
+## </p>
+## </desc>
+gen_tunable(samba_enable_home_dirs,false)
+
+## <desc>
+## <p>
+## Allow samba to export NFS volumes.
+## </p>
+## </desc>
+gen_tunable(samba_share_nfs,false)
+
+## <desc>
+## <p>
+## Allow spamassassin to do DNS lookups
+## </p>
+## </desc>
+gen_tunable(spamassasin_can_network,false)
+
+## <desc>
+## <p>
+## Allow squid to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+## </p>
+## </desc>
+gen_tunable(squid_connect_any,false)
+
+## <desc>
+## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
+gen_tunable(ssh_sysadm_login,false)
+
+## <desc>
+## <p>
+## Configure stunnel to be a standalone daemon or
+## inetd service.
+## </p>
+## </desc>
+gen_tunable(stunnel_is_daemon,false)
+
+## <desc>
+## <p>
+## Support NFS home directories
+## </p>
+## </desc>
+gen_tunable(use_nfs_home_dirs,false)
+
+## <desc>
+## <p>
+## Support SAMBA home directories
+## </p>
+## </desc>
+gen_tunable(use_samba_home_dirs,false)
+
+## <desc>
+## <p>
+## Control users use of ping and traceroute
+## </p>
+## </desc>
+gen_tunable(user_ping,false)
+
+########################################
+#
+# Strict policy specific
+#
+
+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow gpg executable stack
+## </p>
+## </desc>
+gen_tunable(allow_gpg_execstack,false)
+
+## <desc>
+## <p>
+## Allow mplayer executable stack
+## </p>
+## </desc>
+gen_tunable(allow_mplayer_execstack,false)
+
+## <desc>
+## <p>
+## allow host key based authentication
+## </p>
+## </desc>
+gen_tunable(allow_ssh_keysign,false)
+
+## <desc>
+## <p>
+## Allow users to connect to mysql
+## </p>
+## </desc>
+gen_tunable(allow_user_mysql_connect,false)
+
+## <desc>
+## <p>
+## Allows clients to write to the X server shared
+## memory segments.
+## </p>
+## </desc>
+gen_tunable(allow_write_xshm,false)
+
+## <desc>
+## <p>
+## Allow cdrecord to read various content.
+## nfs, samba, removable devices, user temp
+## and untrusted content files
+## </p>
+## </desc>
+gen_tunable(cdrecord_read_content,false)
+
+## <desc>
+## <p>
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+## </p>
+## </desc>
+gen_tunable(cron_can_relabel,false)
+
+## <desc>
+## <p>
+## force to games to run in user_t
+## mapping executable (text relocation).
+## </p>
+## </desc>
+gen_tunable(disable_games_trans,false)
+
+## <desc>
+## <p>
+## Disable transitions to evolution domains.
+## </p>
+## </desc>
+gen_tunable(disable_evolution_trans,false)
+
+## <desc>
+## <p>
+## Disable transitions to user mozilla domains
+## </p>
+## </desc>
+gen_tunable(disable_mozilla_trans,false)
+
+## <desc>
+## <p>
+## Disable transitions to user thunderbird domains
+## </p>
+## </desc>
+gen_tunable(disable_thunderbird_trans,false)
+
+## <desc>
+## <p>
+## Allow email client to various content.
+## nfs, samba, removable devices, user temp
+## and untrusted content files
+## </p>
+## </desc>
+gen_tunable(mail_read_content,false)
+
+## <desc>
+## <p>
+## Control mozilla content access
+## </p>
+## </desc>
+gen_tunable(mozilla_read_content,false)
+
+## <desc>
+## <p>
+## Allow pppd to be run for a regular user
+## </p>
+## </desc>
+gen_tunable(pppd_for_user,false)
+
+## <desc>
+## <p>
+## Allow applications to read untrusted content
+## If this is disallowed, Internet content has
+## to be manually relabeled for read access to be granted
+## </p>
+## </desc>
+gen_tunable(read_untrusted_content,false)
+
+## <desc>
+## <p>
+## Allow user spamassassin clients to use the network.
+## </p>
+## </desc>
+gen_tunable(spamassassin_can_network,false)
+
+## <desc>
+## <p>
+## Allow staff_r users to search the sysadm home 
+## dir and read files (such as ~/.bashrc)
+## </p>
+## </desc>
+gen_tunable(staff_read_sysadm_file,false)
+
+## <desc>
+## <p>
+## Allow regular users direct mouse access 
+## </p>
+## </desc>
+gen_tunable(user_direct_mouse,false)
+
+## <desc>
+## <p>
+## Allow users to read system messages.
+## </p>
+## </desc>
+gen_tunable(user_dmesg,false)
+
+## <desc>
+## <p>
+## Allow users to control network interfaces
+## (also needs USERCTL=true)
+## </p>
+## </desc>
+gen_tunable(user_net_control,false)
+
+## <desc>
+## <p>
+## Allow user to r/w files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
+## </p>
+## </desc>
+gen_tunable(user_rw_noexattrfile,false)
+
+## <desc>
+## <p>
+## Allow users to rw usb devices
+## </p>
+## </desc>
+gen_tunable(user_rw_usb,false)
+
+## <desc>
+## <p>
+## Allow users to run TCP servers (bind to ports and accept connection from
+## the same domain and outside users)  disabling this forces FTP passive mode
+## and may change other protocols.
+## </p>
+## </desc>
+gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow w to display everyone
+## </p>
+## </desc>
+gen_tunable(user_ttyfile_stat,false)
+
+## <desc>
+## <p>
+## Allow applications to write untrusted content
+## If this is disallowed, no Internet content
+## will be stored.
+## </p>
+## </desc>
+gen_tunable(write_untrusted_content,false)
+
+## <desc>
+## <p>
+## Allow xdm logins as sysadm
+## </p>
+## </desc>
+gen_tunable(xdm_sysadm_login,false)
+')
+
+########################################
+#
+# Targeted policy specific
+#
+
+ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow mount to mount any file
+## </p>
+## </desc>
+gen_tunable(allow_mount_anyfile,false)
+
+## <desc>
+## <p>
+## Allow spammd to read/write user home directories.
+## </p>
+## </desc>
+gen_tunable(spamd_enable_home_dirs,true)
+')
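Review bot: `spamassasin_can_network` in the common section and `spamassassin_can_network` in the strict section are two distinct tunables whose names differ only by a misspelling, so an administrator who sets the correctly spelled name on a non-strict build toggles nothing and the daemon's network access silently stays at its default. The rules that reference either name are not visible here; if they are meant to be the same switch, rename the common one to `gen_tunable(spamassassin_can_network,false)` and drop the strict duplicate, and if they are deliberately separate (the descs suggest daemon vs. user client), give the common one a name that differs by more than a typo, e.g. `spamd_can_network`. Separately, the `disable_games_trans` description is a copy-paste remnant of `allow_execmod` ("mapping executable (text relocation)") and should read something like `Disable transitions to the games domain; games run in user_t instead.` The two default-true entries, `allow_gssd_read_tmp` and `spamd_enable_home_dirs`, are the only ones that grant access out of the box, so their descs should say why the default is permissive.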
diff --git a/policy/mcs b/policy/mcs
new file mode 100644
index 0000000..c33b667
--- /dev/null
+++ b/policy/mcs
@@ -0,0 +1,168 @@
+ifdef(`enable_mcs',`
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+category c24; category c25; category c26; category c27;
+category c28; category c29; category c30; category c31;
+category c32; category c33; category c34; category c35;
+category c36; category c37; category c38; category c39;
+category c40; category c41; category c42; category c43;
+category c44; category c45; category c46; category c47;
+category c48; category c49; category c50; category c51;
+category c52; category c53; category c54; category c55;
+category c56; category c57; category c58; category c59;
+category c60; category c61; category c62; category c63;
+category c64; category c65; category c66; category c67;
+category c68; category c69; category c70; category c71;
+category c72; category c73; category c74; category c75;
+category c76; category c77; category c78; category c79;
+category c80; category c81; category c82; category c83;
+category c84; category c85; category c86; category c87;
+category c88; category c89; category c90; category c91;
+category c92; category c93; category c94; category c95;
+category c96; category c97; category c98; category c99;
+category c100; category c101; category c102; category c103;
+category c104; category c105; category c106; category c107;
+category c108; category c109; category c110; category c111;
+category c112; category c113; category c114; category c115;
+category c116; category c117; category c118; category c119;
+category c120; category c121; category c122; category c123;
+category c124; category c125; category c126; category c127;
+category c128; category c129; category c130; category c131;
+category c132; category c133; category c134; category c135;
+category c136; category c137; category c138; category c139;
+category c140; category c141; category c142; category c143;
+category c144; category c145; category c146; category c147;
+category c148; category c149; category c150; category c151;
+category c152; category c153; category c154; category c155;
+category c156; category c157; category c158; category c159;
+category c160; category c161; category c162; category c163;
+category c164; category c165; category c166; category c167;
+category c168; category c169; category c170; category c171;
+category c172; category c173; category c174; category c175;
+category c176; category c177; category c178; category c179;
+category c180; category c181; category c182; category c183;
+category c184; category c185; category c186; category c187;
+category c188; category c189; category c190; category c191;
+category c192; category c193; category c194; category c195;
+category c196; category c197; category c198; category c199;
+category c200; category c201; category c202; category c203;
+category c204; category c205; category c206; category c207;
+category c208; category c209; category c210; category c211;
+category c212; category c213; category c214; category c215;
+category c216; category c217; category c218; category c219;
+category c220; category c221; category c222; category c223;
+category c224; category c225; category c226; category c227;
+category c228; category c229; category c230; category c231;
+category c232; category c233; category c234; category c235;
+category c236; category c237; category c238; category c239;
+category c240; category c241; category c242; category c243;
+category c244; category c245; category c246; category c247;
+category c248; category c249; category c250; category c251;
+category c252; category c253; category c254; category c255;
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c255;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file.  We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Note that getattr on files is always permitted.
+#
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+	( h1 dom h2 );
+
+# New filesystem object labels must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
+mlsconstrain file { create relabelto }
+	(( h1 dom h2 ) and ( l2 eq h2 ));
+
+# At this time we do not restrict "ps" type operations via MCS.  This
+# will probably change in future.
+mlsconstrain file { read }
+	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
+
+# new file labels must be dominated by the relabeling subject clearance
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+	( h1 dom h2 );
+
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+	(( h1 dom h2 ) and ( l2 eq h2 ));
+
+mlsconstrain process { transition dyntransition }
+	(( h1 dom h2 ) or ( t1 == mcssetcats ));
+
+mlsconstrain process { ptrace }
+	( h1 dom h2 );
+
+mlsconstrain process { sigkill sigstop }
+	(( h1 dom h2 ) or ( t1 == mcskillall ));
+
+') dnl end enable_mcs
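Review bot: Under the "MCS policy for the file classes" header only the `file` class is actually separated by category on read and write; `dir`, `lnk_file`, `chr_file`, `blk_file`, `sock_file` and `fifo_file` are constrained only on `relabelfrom`, `create` and `relabelto`, so a process whose range lacks a category can still write to, search, add or remove names in, or unlink and rename entries of a directory, socket or device node that carries that category. If that is intended for this first cut (the "ps" comment suggests MCS is deliberately lenient), the header comment should say so, e.g. `# Only the file class is read/write separated by category; dir and special files are constrained on create/relabel only.` Otherwise the `mlsconstrain file { write ... }` and `mlsconstrain file { read }` rules should be widened to the same class set the `relabelfrom` rule uses, with `search` added for `dir`. The process rules likewise constrain `sigkill` and `sigstop` but not `signal`, so SIGTERM or SIGHUP from a category-less process to a categorized one is still permitted; worth a comment if deliberate.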
diff --git a/policy/mls b/policy/mls
new file mode 100644
index 0000000..3a35bde
--- /dev/null
+++ b/policy/mls
@@ -0,0 +1,674 @@
+
+ifdef(`enable_mls',`
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+sensitivity s0;
+sensitivity s1;
+sensitivity s2;
+sensitivity s3;
+sensitivity s4;
+sensitivity s5;
+sensitivity s6;
+sensitivity s7;
+sensitivity s8;
+sensitivity s9;
+sensitivity s10;
+sensitivity s11;
+sensitivity s12;
+sensitivity s13;
+sensitivity s14;
+sensitivity s15;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+category c24; category c25; category c26; category c27;
+category c28; category c29; category c30; category c31;
+category c32; category c33; category c34; category c35;
+category c36; category c37; category c38; category c39;
+category c40; category c41; category c42; category c43;
+category c44; category c45; category c46; category c47;
+category c48; category c49; category c50; category c51;
+category c52; category c53; category c54; category c55;
+category c56; category c57; category c58; category c59;
+category c60; category c61; category c62; category c63;
+category c64; category c65; category c66; category c67;
+category c68; category c69; category c70; category c71;
+category c72; category c73; category c74; category c75;
+category c76; category c77; category c78; category c79;
+category c80; category c81; category c82; category c83;
+category c84; category c85; category c86; category c87;
+category c88; category c89; category c90; category c91;
+category c92; category c93; category c94; category c95;
+category c96; category c97; category c98; category c99;
+category c100; category c101; category c102; category c103;
+category c104; category c105; category c106; category c107;
+category c108; category c109; category c110; category c111;
+category c112; category c113; category c114; category c115;
+category c116; category c117; category c118; category c119;
+category c120; category c121; category c122; category c123;
+category c124; category c125; category c126; category c127;
+category c128; category c129; category c130; category c131;
+category c132; category c133; category c134; category c135;
+category c136; category c137; category c138; category c139;
+category c140; category c141; category c142; category c143;
+category c144; category c145; category c146; category c147;
+category c148; category c149; category c150; category c151;
+category c152; category c153; category c154; category c155;
+category c156; category c157; category c158; category c159;
+category c160; category c161; category c162; category c163;
+category c164; category c165; category c166; category c167;
+category c168; category c169; category c170; category c171;
+category c172; category c173; category c174; category c175;
+category c176; category c177; category c178; category c179;
+category c180; category c181; category c182; category c183;
+category c184; category c185; category c186; category c187;
+category c188; category c189; category c190; category c191;
+category c192; category c193; category c194; category c195;
+category c196; category c197; category c198; category c199;
+category c200; category c201; category c202; category c203;
+category c204; category c205; category c206; category c207;
+category c208; category c209; category c210; category c211;
+category c212; category c213; category c214; category c215;
+category c216; category c217; category c218; category c219;
+category c220; category c221; category c222; category c223;
+category c224; category c225; category c226; category c227;
+category c228; category c229; category c230; category c231;
+category c232; category c233; category c234; category c235;
+category c236; category c237; category c238; category c239;
+category c240; category c241; category c242; category c243;
+category c244; category c245; category c246; category c247;
+category c248; category c249; category c250; category c251;
+category c252; category c253; category c254; category c255;
+
+
+#
+# Each MLS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c255;
+level s1:c0.c255;
+level s2:c0.c255;
+level s3:c0.c255;
+level s4:c0.c255;
+level s5:c0.c255;
+level s6:c0.c255;
+level s7:c0.c255;
+level s8:c0.c255;
+level s9:c0.c255;
+level s10:c0.c255;
+level s11:c0.c255;
+level s12:c0.c255;
+level s13:c0.c255;
+level s14:c0.c255;
+level s15:c0.c255;
+
+
+#
+# Define the MLS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MLS policy for the file classes
+#
+
+# make sure these file classes are "single level"
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
+	( l2 eq h2 );
+
+# new file labels must be dominated by the relabeling subjects clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
+	( h1 dom h2 );
+
+# the file "read" ops (note the check is dominance of the low level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ) or
+	 ( t2 == mlstrustedobject ));
+
+mlsconstrain dir search
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ) or
+	 ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+# the "ranged" file "write" ops
+mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+mlsconstrain dir { add_name remove_name reparent rmdir }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+# these access vectors have no MLS restrictions
+# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
+#
+# { file chr_file } { execute_no_trans entrypoint execmod }
+
+# the file upgrade/downgrade rule
+mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
+	((( l1 eq l2 ) or
+	  (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+	 (( h1 eq h2 ) or
+	  (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
+
+# create can also require the upgrade/downgrade checks if the creating process
+# has used setfscreate (note that both the high and low level of the object
+# default to the process sensitivity level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
+	((( l1 eq l2 ) or
+	  (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+	 (( l1 eq h2 ) or
+	  (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
+
+
+
+
+#
+# MLS policy for the filesystem class
+#
+
+# new filesystem labels must be dominated by the relabeling subjects clearance
+mlsconstrain filesystem relabelto
+	( h1 dom h2 );
+
+# the filesystem "read" ops (implicit single level)
+mlsconstrain filesystem { getattr quotaget }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ));
+
+# all the filesystem "write" ops (implicit single level)
+mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ));
+
+# these access vectors have no MLS restrictions
+# filesystem { transition associate }
+
+
+
+
+#
+# MLS policy for the socket classes
+#
+
+# new socket labels must be dominated by the relabeling subjects clearance
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+	( h1 dom h2 );
+
+# the socket "read" ops (note the check is dominance of the low level)
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
+mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
+	(( l1 dom l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
+# the socket "write" ops
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsnetwrite ));
+
+# these access vectors have no MLS restrictions
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
+#
+# { tcp_socket udp_socket rawip_socket } node_bind
+#
+# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
+#
+# tcp_socket name_connect
+#
+# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
+#
+# netlink_audit_socket { nlmsg_relay nlmsg_readpriv }
+#
+# netlink_kobject_uevent_socket *
+#
+
+
+
+
+#
+# MLS policy for the ipc classes
+#
+
+# the ipc "read" ops (implicit single level)
+mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsipcread ));
+
+mlsconstrain msg receive
+	(( l1 dom l2 ) or
+	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsipcread ));
+
+# the ipc "write" ops (implicit single level)
+mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain msgq enqueue
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain shm lock
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain msg send
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+# these access vectors have no MLS restrictions
+# { ipc sem msgq shm } associate
+
+
+
+
+#
+# MLS policy for the fd class
+#
+
+# these access vectors have no MLS restrictions
+# fd use
+
+
+
+
+#
+# MLS policy for the network object classes
+#
+
+# the netif/node "read" ops (implicit single level socket doing the read)
+#                           (note the check is dominance of the low level)
+mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
+	(( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
+
+# the netif/node "write" ops (implicit single level socket doing the write)
+mlsconstrain { netif node } { tcp_send udp_send rawip_send }
+	(( l1 dom l2 ) and ( l1 domby h2 ));
+
+# these access vectors have no MLS restrictions
+# node enforce_dest
+
+
+
+
+#
+# MLS policy for the process class
+#
+
+# new process labels must be dominated by the relabeling subjects clearance
+# and sensitivity level changes require privilege
+mlsconstrain process transition
+	(( h1 dom h2 ) and
+	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
+	  (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
+mlsconstrain process dyntransition
+	(( h1 dom h2 ) and
+	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
+
+# all the process "read" ops
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsprocread ));
+
+# all the process "write" ops (note the check is equality on the low level)
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsprocwrite ));
+
+# these access vectors have no MLS restrictions
+# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem execstack execheap }
+
+
+
+
+#
+# MLS policy for the security class
+#
+
+# these access vectors have no MLS restrictions
+# security *
+
+
+
+
+#
+# MLS policy for the system class
+#
+
+# these access vectors have no MLS restrictions
+# system *
+
+
+
+
+#
+# MLS policy for the capability class
+#
+
+# these access vectors have no MLS restrictions
+# capability *
+
+
+
+
+#
+# MLS policy for the passwd class
+#
+
+# these access vectors have no MLS restrictions
+# passwd *
+
+
+
+
+#
+# MLS policy for the drawable class
+#
+
+# the drawable "read" ops (implicit single level)
+mlsconstrain drawable { getattr copy }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the drawable "write" ops (implicit single level)
+mlsconstrain drawable { create destroy draw copy }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the gc class
+#
+
+# the gc "read" ops (implicit single level)
+mlsconstrain gc getattr
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the gc "write" ops (implicit single level)
+mlsconstrain gc { create free setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the window class
+#
+
+# the window "read" ops (implicit single level)
+mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the window "write" ops (implicit single level)
+mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ) or
+	 ( t2 == mlstrustedobject ));
+
+# these access vectors have no MLS restrictions
+# window { map unmap }
+
+
+
+
+#
+# MLS policy for the font class
+#
+
+# the font "read" ops (implicit single level)
+mlsconstrain font { load getattr }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the font "write" ops (implicit single level)
+mlsconstrain font free
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+# these access vectors have no MLS restrictions
+# font use
+
+
+
+
+#
+# MLS policy for the colormap class
+#
+
+# the colormap "read" ops (implicit single level)
+mlsconstrain colormap { list read getattr }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinreadcolormap ) or
+	 ( t1 == mlsxwinread ));
+
+# the colormap "write" ops (implicit single level)
+mlsconstrain colormap { create free install uninstall store setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwritecolormap ) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the property class
+#
+
+# the property "read" ops (implicit single level)
+mlsconstrain property { read }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinreadproperty ) or
+	 ( t1 == mlsxwinread ));
+
+# the property "write" ops (implicit single level)
+mlsconstrain property { create free write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwriteproperty ) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the cursor class
+#
+
+# the cursor "write" ops (implicit single level)
+mlsconstrain cursor { create createglyph free assign setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the xclient class
+#
+
+# the xclient "write" ops (implicit single level)
+mlsconstrain xclient kill
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the xinput class
+#
+
+# these access vectors have no MLS restrictions
+# xinput ~{ relabelinput setattr }
+
+# the xinput "write" ops (implicit single level)
+mlsconstrain xinput { setattr relabelinput }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwritexinput ) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the xserver class
+#
+
+# these access vectors have no MLS restrictions
+# xserver *
+
+
+
+
+#
+# MLS policy for the xextension class
+#
+
+# these access vectors have no MLS restrictions
+# xextension { query use }
+
+
+#
+# MLS policy for the pax class
+#
+
+# these access vectors have no MLS restrictions
+# pax { pageexec emutramp mprotect randmmap randexec segmexec }
+
+
+
+
+#
+# MLS policy for the dbus class
+#
+
+# these access vectors have no MLS restrictions
+# dbus { acquire_svc send_msg }
+
+
+
+
+#
+# MLS policy for the nscd class
+#
+
+# these access vectors have no MLS restrictions
+# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
+
+
+
+
+#
+# MLS policy for the association class
+#
+
+# these access vectors have no MLS restrictions
+# association *
+
+') dnl end enable_mls
diff --git a/policy/modules/admin/acct.fc b/policy/modules/admin/acct.fc
new file mode 100644
index 0000000..ab5b5e7
--- /dev/null
+++ b/policy/modules/admin/acct.fc
@@ -0,0 +1,8 @@
+
+/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/sbin/accton		--	gen_context(system_u:object_r:acct_exec_t,s0)
+
+/usr/sbin/accton	--	gen_context(system_u:object_r:acct_exec_t,s0)
+
+/var/account(/.*)?		gen_context(system_u:object_r:acct_data_t,s0)
diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if
new file mode 100644
index 0000000..831295c
--- /dev/null
+++ b/policy/modules/admin/acct.if
@@ -0,0 +1,86 @@
+## <summary>Berkeley process accounting</summary>
+
+########################################
+## <summary>
+##	Transition to the accounting management domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acct_domtrans',`
+	gen_require(`
+		type acct_t, acct_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,acct_exec_t,acct_t)
+
+	allow $1 acct_t:fd use;
+	allow acct_t $1:fd use;
+	allow acct_t $1:fifo_file rw_file_perms;
+	allow acct_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute accounting management tools in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`acct_exec',`
+	gen_require(`
+		type acct_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,acct_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute accounting management data in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+# cjp: this is added for logrotate, and does
+# not make sense to me.
+interface(`acct_exec_data',`
+	gen_require(`
+		type acct_data_t;
+	')
+
+	files_search_var($1)
+	can_exec($1,acct_data_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete process accounting data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`acct_manage_data',`
+	gen_require(`
+		type acct_data_t;
+	')
+
+	files_search_var($1)
+	allow $1 acct_data_t:dir rw_dir_perms;
+	allow $1 acct_data_t:file create_file_perms;
+	allow $1 acct_data_t:lnk_file create_lnk_perms;
+')
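Review bot: `acct_exec_data` grants `can_exec($1,acct_data_t)` on a type that acct.te declares as a log file type via `logging_log_file(acct_data_t)`, so any caller is allowed to execute accounting data files, and the only explanation is the inline `# cjp:` note saying the reason is unclear. If this exists only so logrotate's post-rotate hook can run content under `/var/account`, the interface documentation should say so and warn callers, e.g. `##	Execute accounting data files in the caller domain; only logrotate is expected to need this.`; otherwise the interface could be dropped and logrotate given `acct_exec` instead. Either way the caveat belongs in the interface's XML doc block, which is what the generated documentation shows, rather than in a bare comment below it.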
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
new file mode 100644
index 0000000..7d06f6b
--- /dev/null
+++ b/policy/modules/admin/acct.te
@@ -0,0 +1,101 @@
+
+policy_module(acct,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type acct_t;
+type acct_exec_t;
+init_system_domain(acct_t,acct_exec_t)
+
+type acct_data_t;
+logging_log_file(acct_data_t)
+
+########################################
+#
+# Local Policy
+#
+
+# gzip needs chown capability for some reason
+allow acct_t self:capability { sys_pacct chown fsetid };
+# not sure why we need kill, the command "last" is reported as using it
+dontaudit acct_t self:capability { kill sys_tty_config };
+
+allow acct_t self:fifo_file { read write getattr };
+allow acct_t self:process signal_perms;
+
+allow acct_t acct_data_t:dir rw_dir_perms;
+allow acct_t acct_data_t:file create_file_perms;
+allow acct_t acct_data_t:lnk_file create_lnk_perms;
+
+can_exec(acct_t,acct_exec_t)
+
+kernel_list_proc(acct_t)
+kernel_read_system_state(acct_t)
+kernel_read_kernel_sysctls(acct_t)
+
+dev_read_sysfs(acct_t)
+# for SSP
+dev_read_urand(acct_t)
+
+fs_search_auto_mountpoints(acct_t)
+fs_getattr_xattr_fs(acct_t)
+
+term_dontaudit_use_console(acct_t)
+
+corecmd_search_sbin(acct_t)
+corecmd_exec_bin(acct_t)
+corecmd_exec_shell(acct_t)
+
+domain_use_interactive_fds(acct_t)
+
+files_read_etc_files(acct_t)
+files_read_etc_runtime_files(acct_t)
+files_list_usr(acct_t)
+# for nscd
+files_dontaudit_search_pids(acct_t)
+
+init_use_fds(acct_t)
+init_use_script_ptys(acct_t)
+init_exec_script_files(acct_t)
+
+libs_use_ld_so(acct_t)
+libs_use_shared_libs(acct_t)
+
+logging_send_syslog_msg(acct_t)
+
+miscfiles_read_localization(acct_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(acct_t)
+userdom_dontaudit_use_unpriv_user_fds(acct_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(acct_t)
+	term_dontaudit_use_generic_ptys(acct_t)
+	files_dontaudit_read_root_files(acct_t)
+')
+
+optional_policy(`
+	optional_policy(`
+		# for monthly cron job
+		auth_log_filetrans_login_records(acct_t)
+		auth_manage_login_records(acct_t)
+	')
+
+	cron_system_entry(acct_t,acct_exec_t)
+')
+
+optional_policy(`
+	nscd_socket_use(acct_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(acct_t)
+')
+
+optional_policy(`
+	udev_read_db(acct_t)
+')
+
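Review bot: The `chown` and `fsetid` capabilities in `allow acct_t self:capability { sys_pacct chown fsetid };` are explained only by `# gzip needs chown capability for some reason`, which does not say which operation triggered the denial or whether `fsetid` was observed at all; an unexplained capability grant in a system domain is exactly the rule a later auditor cannot judge. Suggest replacing the comment with one that records what was seen, e.g. `# chown/fsetid: observed when the monthly cron job compresses /var/account logs (confirm against the AVC)`, or moving whichever one is not needed into the `dontaudit` line below if the job succeeds without it. The nested `optional_policy` around `auth_manage_login_records(acct_t)` would also read more easily with a comment naming the module it depends on.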
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
new file mode 100644
index 0000000..99c414d
--- /dev/null
+++ b/policy/modules/admin/alsa.fc
@@ -0,0 +1,4 @@
+
+/etc/alsa/pcm(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+/usr/bin/ainit 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
new file mode 100644
index 0000000..0381c21
--- /dev/null
+++ b/policy/modules/admin/alsa.if
@@ -0,0 +1,81 @@
+## <summary>Ainit ALSA configuration tool</summary>
+
+########################################
+## <summary>
+##	Domain transition to alsa
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_domtrans',`
+	gen_require(`
+		type alsa_t;
+		type alsa_exec_t;
+	')
+
+	domain_auto_trans($1, alsa_exec_t, alsa_t)
+
+	allow $1 alsa_t:fd use;
+	allow alsa_t $1:fd use;
+	allow alsa_t $1:fifo_file rw_file_perms;
+	allow alsa_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow read and write access to alsa semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_rw_semaphores',`
+	gen_require(`
+		type alsa_t;
+	')
+
+	allow $1 alsa_t:sem { unix_read unix_write associate read write };
+')
+
+########################################
+## <summary>
+##	Allow read and write access to alsa shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_rw_shared_mem',`
+	gen_require(`
+		type alsa_t;
+	')
+
+	allow $1 alsa_t:shm { unix_read unix_write create_shm_perms };
+')
+
+########################################
+## <summary>
+##	Read alsa writable config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_read_rw_config',`
+	gen_require(`
+		type alsa_etc_rw_t;
+	')
+
+	allow $1 alsa_etc_rw_t:dir r_dir_perms;
+	allow $1 alsa_etc_rw_t:file r_file_perms;
+	allow $1 alsa_etc_rw_t:lnk_file { getattr read };
+')
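Review bot: `alsa_rw_shared_mem` is documented as "read and write access to alsa shared memory" but grants `create_shm_perms`, which in refpolicy's permission sets presumably covers creation and destruction as well, so the summary and the rule disagree about what a caller receives. Either narrow the rule to the read/write subset, e.g. `allow $1 alsa_t:shm { unix_read unix_write associate read write getattr };`, or rename and redocument the interface as manage access so callers know what they are taking. `alsa_rw_semaphores` directly above is the narrower shape the shm interface appears to have been meant to mirror.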
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
new file mode 100644
index 0000000..e93af95
--- /dev/null
+++ b/policy/modules/admin/alsa.te
@@ -0,0 +1,51 @@
+
+policy_module(alsa,1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type alsa_t;
+type alsa_exec_t;
+domain_type(alsa_t)
+domain_entry_file(alsa_t, alsa_exec_t)
+role system_r types alsa_t;
+
+type alsa_etc_rw_t;
+files_type(alsa_etc_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow alsa_t self:capability { setgid setuid ipc_owner };
+dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:sem create_sem_perms;
+allow alsa_t self:shm create_shm_perms;
+allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+allow alsa_t self:unix_dgram_socket create_socket_perms;
+
+allow alsa_t alsa_etc_rw_t:dir rw_dir_perms;
+allow alsa_t alsa_etc_rw_t:file create_file_perms;
+allow alsa_t alsa_etc_rw_t:lnk_file create_lnk_perms;
+
+files_read_etc_files(alsa_t)
+
+term_use_generic_ptys(alsa_t)
+term_dontaudit_use_unallocated_ttys(alsa_t)
+
+libs_use_ld_so(alsa_t)
+libs_use_shared_libs(alsa_t)
+
+logging_send_syslog_msg(alsa_t)
+
+miscfiles_read_localization(alsa_t)
+
+userdom_manage_unpriv_user_semaphores(alsa_t)
+userdom_manage_unpriv_user_shared_mem(alsa_t)
+
+optional_policy(`
+	nscd_socket_use(alsa_t)
+')
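Review bot: `allow alsa_t self:capability { setgid setuid ipc_owner };` and the `dontaudit alsa_t self:capability sys_admin;` below it carry no comment saying why a configuration tool needs to change credentials or own arbitrary IPC objects, whereas the acct module in this same commit annotates its capability grants. Suggest a why-comment on each, e.g. `# setuid/setgid: ainit drops privileges after setup; ipc_owner: shared sem/shm with unprivileged users (confirm)`, so the grant can be re-evaluated when the tool changes. The same goes for `term_use_generic_ptys(alsa_t)`, which is unusual for a non-interactive helper.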
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
new file mode 100644
index 0000000..2780ecb
--- /dev/null
+++ b/policy/modules/admin/amanda.fc
@@ -0,0 +1,72 @@
+
+/etc/amanda(/.*)?			gen_context(system_u:object_r:amanda_config_t,s0)
+/etc/amanda/.*/tapelist(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amandates				gen_context(system_u:object_r:amanda_amandates_t,s0)
+/etc/dumpdates				gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+
+/root/restore			-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+
+/tmp/amanda(/.*)?			gen_context(system_u:object_r:amanda_tmp_t,s0)
+
+/usr/lib(64)?/amanda		-d	gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+/usr/lib(64)?/amanda/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amcat\.awk	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amcleanupdisk --	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amlogroll	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.awk --	gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.g	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.gp	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amtrmidx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amtrmlog	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/calcsize	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-chio	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-chs	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-manual	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-mtx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-multi	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-rth	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-scsi	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-zd-mtx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/driver	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/dumper	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/killpgrp	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/patch-system --	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/planner	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/rundump	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/runtar	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/selfcheck	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/sendbackup	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/sendsize	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/taper	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/versionsuffix --	gen_context(system_u:object_r:amanda_exec_t,s0)
+
+/usr/sbin/amadmin		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcheck		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcheckdb		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcleanup		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amdump		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amflush		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amgetconf		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amlabel		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amoverview		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amplot		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrecover		--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+/usr/sbin/amreport		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrestore		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrmtape		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amstatus		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amtape		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amtoc			--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amverify		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+
+/var/lib/amanda			-d	gen_context(system_u:object_r:amanda_var_lib_t,s0)
+/var/lib/amanda/\.amandahosts	--	gen_context(system_u:object_r:amanda_config_t,s0)
+/var/lib/amanda/\.bashrc	--	gen_context(system_u:object_r:amanda_shellconfig_t,s0)
+/var/lib/amanda/\.profile	--	gen_context(system_u:object_r:amanda_shellconfig_t,s0)
+/var/lib/amanda/disklist	--	gen_context(system_u:object_r:amanda_data_t,s0)
+/var/lib/amanda/gnutar-lists(/.*)?	gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
+/var/lib/amanda/index			gen_context(system_u:object_r:amanda_data_t,s0)
+
+/var/log/amanda(/.*)?			gen_context(system_u:object_r:amanda_log_t,s0)
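Review bot: `/var/lib/amanda/index` near the end of the file has neither a file-type flag nor a `(/.*)?` suffix, so only that exact path is labelled amanda_data_t; if `index` is a directory, its contents match no entry because `/var/lib/amanda` itself is declared with `-d` and covers only the directory node, and relabeling would leave the index files with whatever context they inherited. Suggest `/var/lib/amanda/index(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)`, the same shape as the `gnutar-lists(/.*)?` entry directly above it.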
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
new file mode 100644
index 0000000..f7b1645
--- /dev/null
+++ b/policy/modules/admin/amanda.if
@@ -0,0 +1,129 @@
+## <summary>Automated backup program.</summary>
+
+########################################
+## <summary>
+##	Execute amrecover in the amanda_recover domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`amanda_domtrans_recover',`
+	gen_require(`
+		type amanda_recover_t, amanda_recover_exec_t;
+	')
+
+	domain_auto_trans($1,amanda_recover_exec_t,amanda_recover_t)
+
+	allow $1 amanda_recover_t:fd use;
+	allow amanda_recover_t $1:fd use;
+	allow amanda_recover_t $1:fifo_file rw_file_perms;
+	allow amanda_recover_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute amrecover in the amanda_recover domain, and
+##	allow the specified role the amanda_recover domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the amanda_recover domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the amanda_recover domain to use.
+##	</summary>
+## </param>
+#
+interface(`amanda_run_recover',`
+	gen_require(`
+		type amanda_recover_t;
+	')
+
+	amanda_domtrans_recover($1)
+	role $2 types amanda_recover_t;
+	allow amanda_recover_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Search amanda library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`amanda_search_lib',`
+	gen_require(`
+		type amanda_usr_lib_t;
+	')
+
+	allow $1 amanda_usr_lib_t:dir search;
+	files_search_usr($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read /etc/dumpdates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`amanda_dontaudit_read_dumpdates',`
+	gen_require(`
+		type amanda_dumpdates_t;
+	')
+
+	dontaudit $1 amanda_dumpdates_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow read/writing /etc/dumpdates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`amanda_rw_dumpdates_files',`
+	gen_require(`
+		type amanda_dumpdates_t;
+	')
+
+	allow $1 amanda_dumpdates_t:file rw_file_perms;
+')
+########################################
+## <summary>
+##	Allow read/writing amanda logs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`amanda_append_log_files',`
+	gen_require(`
+		type amanda_log_t;
+	')
+
+	allow $1 amanda_log_t:file ra_file_perms;
+')
+
+
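Review bot: `amanda_append_log_files` is summarised as "Allow read/writing amanda logs" but the rule grants `ra_file_perms` (read and append) and the interface name says append; the summary should match what is granted: `##	Allow reading and appending to amanda logs.`. The `########` header that begins this interface also lacks the blank separator line every other interface in the file has. Both `amanda_dontaudit_read_dumpdates` and `amanda_rw_dumpdates_files` use the terser "Domain to allow" parameter wording where the rest of the file says "The type of the process performing this action."; worth unifying while the file is new.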
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
new file mode 100644
index 0000000..cf3b552
--- /dev/null
+++ b/policy/modules/admin/amanda.te
@@ -0,0 +1,257 @@
+
+policy_module(amanda,1.3.4)
+
+#######################################
+#
+# Declarations
+#
+
+type amanda_t;
+type amanda_inetd_exec_t;
+inetd_service_domain(amanda_t,amanda_inetd_exec_t)
+role system_r types amanda_t;
+
+type amanda_exec_t;
+domain_entry_file(amanda_t,amanda_exec_t)
+
+type amanda_log_t;
+logging_log_file(amanda_log_t)
+
+# type for amanda configurations files
+type amanda_config_t;
+files_type(amanda_config_t)
+
+# type for files in /usr/lib/amanda
+type amanda_usr_lib_t;
+files_type(amanda_usr_lib_t)
+
+# type for all files in /var/lib/amanda
+type amanda_var_lib_t;
+files_type(amanda_var_lib_t)
+
+# type for all files in /var/lib/amanda/gnutar-lists/
+type amanda_gnutarlists_t;
+files_type(amanda_gnutarlists_t)
+
+# type for user startable files
+type amanda_user_exec_t;
+corecmd_executable_file(amanda_user_exec_t)
+
+# type for same awk and other scripts
+type amanda_script_exec_t;
+corecmd_executable_file(amanda_script_exec_t)
+
+# type for the shell configuration files 
+type amanda_shellconfig_t;
+files_type(amanda_shellconfig_t)
+
+type amanda_tmp_t;
+files_tmp_file(amanda_tmp_t)
+
+# type for /etc/amandates
+type amanda_amandates_t;
+files_type(amanda_amandates_t)
+
+# type for /etc/dumpdates
+type amanda_dumpdates_t;
+files_type(amanda_dumpdates_t)
+
+# type for amanda data
+type amanda_data_t;
+files_type(amanda_data_t)
+
+# type for amrecover
+type amanda_recover_t;
+type amanda_recover_exec_t;
+domain_type(amanda_recover_t)
+domain_entry_file(amanda_recover_t,amanda_recover_exec_t)
+role system_r types amanda_recover_t;
+
+# type for recover files ( restored data )
+type amanda_recover_dir_t;
+files_type(amanda_recover_dir_t)
+
+optional_policy(`
+	prelink_object_file(amanda_usr_lib_t)
+')
+
+########################################
+#
+# Amanda local policy
+#
+
+allow amanda_t self:capability { chown dac_override setuid kill };
+allow amanda_t self:process { setpgid signal };
+allow amanda_t self:fifo_file { getattr read write ioctl lock };
+allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+allow amanda_t self:unix_dgram_socket create_socket_perms;
+allow amanda_t self:tcp_socket create_stream_socket_perms;
+allow amanda_t self:udp_socket create_socket_perms;
+
+# access to amanda_amandates_t
+allow amanda_t amanda_amandates_t:file { getattr lock read write };
+
+# configuration files -> read only
+allow amanda_t amanda_config_t:file { getattr read };
+
+# access to amandas data structure
+allow amanda_t amanda_data_t:dir { read search write };
+allow amanda_t amanda_data_t:file { read write };
+
+# access to amanda_dumpdates_t
+allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
+
+can_exec(amanda_t,amanda_exec_t)
+
+# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
+allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
+allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
+allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
+
+allow amanda_t amanda_log_t:file create_file_perms;
+allow amanda_t amanda_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
+
+allow amanda_t amanda_tmp_t:dir create_dir_perms;
+allow amanda_t amanda_tmp_t:file create_file_perms;
+files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+
+kernel_read_system_state(amanda_t)
+kernel_read_kernel_sysctls(amanda_t)
+kernel_dontaudit_getattr_unlabeled_files(amanda_t)
+kernel_dontaudit_read_proc_symlinks(amanda_t)
+
+# Added for targeted policy
+term_use_unallocated_ttys(amanda_t)
+
+corenet_non_ipsec_sendrecv(amanda_t)
+corenet_tcp_sendrecv_all_if(amanda_t)
+corenet_udp_sendrecv_all_if(amanda_t)
+corenet_raw_sendrecv_all_if(amanda_t)
+corenet_tcp_sendrecv_all_nodes(amanda_t)
+corenet_udp_sendrecv_all_nodes(amanda_t)
+corenet_raw_sendrecv_all_nodes(amanda_t)
+corenet_tcp_sendrecv_all_ports(amanda_t)
+corenet_udp_sendrecv_all_ports(amanda_t)
+corenet_tcp_bind_all_nodes(amanda_t)
+corenet_udp_bind_all_nodes(amanda_t)
+
+dev_getattr_all_blk_files(amanda_t)
+dev_getattr_all_chr_files(amanda_t)
+
+fs_getattr_xattr_fs(amanda_t)
+fs_list_all(amanda_t)
+
+storage_raw_read_fixed_disk(amanda_t)
+
+files_read_etc_files(amanda_t)
+files_read_etc_runtime_files(amanda_t)
+files_list_all(amanda_t)
+files_read_all_files(amanda_t)
+files_read_all_symlinks(amanda_t)
+files_read_all_blk_files(amanda_t)
+files_read_all_chr_files(amanda_t)
+files_getattr_all_pipes(amanda_t)
+files_getattr_all_sockets(amanda_t)
+
+corecmd_exec_shell(amanda_t)
+corecmd_exec_sbin(amanda_t)
+corecmd_exec_bin(amanda_t)
+
+libs_use_ld_so(amanda_t)
+libs_use_shared_libs(amanda_t)
+
+sysnet_read_config(amanda_t)
+
+optional_policy(`
+	auth_read_shadow(amanda_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(amanda_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(amanda_t)
+')
+
+optional_policy(`
+	nscd_socket_use(amanda_t)
+')
+
+########################################
+#
+# Amanda recover local policy
+
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+allow amanda_recover_t self:process { sigkill sigstop signal };
+allow amanda_recover_t self:fifo_file { getattr ioctl read write };
+allow amanda_recover_t self:unix_stream_socket { connect create read write };
+allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
+allow amanda_recover_t self:udp_socket create_socket_perms;
+
+allow amanda_recover_t amanda_log_t:dir rw_dir_perms;
+allow amanda_recover_t amanda_log_t:file manage_file_perms;
+allow amanda_recover_t amanda_log_t:lnk_file create_lnk_perms;
+
+# access to amanda_recover_dir_t
+allow amanda_recover_t amanda_recover_dir_t:dir create_dir_perms;
+allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
+allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
+allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
+allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
+userdom_sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
+
+allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
+allow amanda_recover_t amanda_tmp_t:file create_file_perms;
+allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
+allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
+allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
+files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
+kernel_read_system_state(amanda_recover_t)
+kernel_read_kernel_sysctls(amanda_recover_t)
+
+corenet_non_ipsec_sendrecv(amanda_recover_t)
+corenet_tcp_sendrecv_all_if(amanda_recover_t)
+corenet_udp_sendrecv_all_if(amanda_recover_t)
+corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
+corenet_udp_sendrecv_all_nodes(amanda_recover_t)
+corenet_tcp_sendrecv_all_ports(amanda_recover_t)
+corenet_udp_sendrecv_all_ports(amanda_recover_t)
+corenet_tcp_bind_all_nodes(amanda_recover_t)
+corenet_udp_bind_all_nodes(amanda_recover_t)
+corenet_tcp_bind_reserved_port(amanda_recover_t)
+corenet_tcp_connect_amanda_port(amanda_recover_t)
+corenet_sendrecv_amanda_client_packets(amanda_recover_t)
+
+corecmd_exec_shell(amanda_recover_t)
+corecmd_exec_bin(amanda_recover_t)
+
+domain_use_interactive_fds(amanda_recover_t)
+
+files_read_etc_files(amanda_recover_t)
+files_read_etc_runtime_files(amanda_recover_t)
+files_search_tmp(amanda_recover_t)
+files_search_pids(amanda_recover_t)
+
+fstools_domtrans(amanda_t)
+
+libs_use_ld_so(amanda_recover_t)
+libs_use_shared_libs(amanda_recover_t)
+
+logging_search_logs(amanda_recover_t)
+
+miscfiles_read_localization(amanda_recover_t)
+
+sysnet_read_config(amanda_recover_t)
+
+userdom_search_sysadm_home_content_dirs(amanda_recover_t)
+
+optional_policy(`
+	nis_use_ypbind(amanda_recover_t)
+')
+
+optional_policy(`
+	nscd_socket_use(amanda_recover_t)
+')
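Review bot: `fstools_domtrans(amanda_t)` sits in the "Amanda recover local policy" section but its subject is `amanda_t`, and unlike every other cross-module call in this file (`auth_read_shadow`, `nis_use_ypbind`, `nscd_socket_use`) it is not wrapped in `optional_policy`, so the module may fail to build when fstools is absent and the rule is easy to miss when auditing what the inetd-spawned backup domain can do. Move it up into the amanda_t section inside an optional_policy block with a comment naming the tool that needs it (dump/restore, presumably). In that same section amanda_t combines `files_read_all_files`, `auth_read_shadow`, `storage_raw_read_fixed_disk` and `dac_override`, which is inherent to a backup agent but deserves a one-line comment saying so, so a reader does not mistake the breadth for an accident.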
diff --git a/policy/modules/admin/anaconda.fc b/policy/modules/admin/anaconda.fc
new file mode 100644
index 0000000..3afd63b
--- /dev/null
+++ b/policy/modules/admin/anaconda.fc
@@ -0,0 +1,5 @@
+#
+# Currently anaconda does not have any file context since it is
+# started during install.  This is a placeholder to satisfy
+# the policy Makefile dependencies.
+#
diff --git a/policy/modules/admin/anaconda.if b/policy/modules/admin/anaconda.if
new file mode 100644
index 0000000..18491c8
--- /dev/null
+++ b/policy/modules/admin/anaconda.if
@@ -0,0 +1 @@
+## <summary>Policy for the Anaconda installer.</summary>
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
new file mode 100644
index 0000000..9ec5e44
--- /dev/null
+++ b/policy/modules/admin/anaconda.te
@@ -0,0 +1,59 @@
+
+policy_module(anaconda,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type anaconda_t;
+domain_type(anaconda_t)
+domain_obj_id_change_exemption(anaconda_t)
+role system_r types anaconda_t;
+
+########################################
+#
+# Local policy
+#
+
+# Run other rc scripts in the anaconda_t domain.
+init_domtrans_script(anaconda_t)
+
+libs_domtrans_ldconfig(anaconda_t)
+
+logging_send_syslog_msg(anaconda_t)
+
+modutils_domtrans_insmod(anaconda_t)
+
+unconfined_domain(anaconda_t)
+
+ifdef(`distro_redhat',`
+	bootloader_create_runtime_file(anaconda_t)
+')
+
+optional_policy(`
+	dmesg_domtrans(anaconda_t)
+')
+
+optional_policy(`
+	kudzu_domtrans(anaconda_t)
+')
+
+optional_policy(`
+	rpm_domtrans(anaconda_t)
+')
+
+optional_policy(`
+	udev_domtrans(anaconda_t)
+')
+
+optional_policy(`
+	usermanage_domtrans_admin_passwd(anaconda_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`
+	role system_r types sysadm_ssh_agent_t;
+	domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
+')
+')
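Review bot: The `ifdef(`TODO',...)` block at the end of the hunk is dead policy that still names `sysadm_ssh_agent_t` and `ssh_agent_exec_t` without any `gen_require`, so it would not build if the guard were ever enabled; either drop it or turn it into an `optional_policy(` block that calls a proper ssh interface once one exists. Separately, `unconfined_domain(anaconda_t)` is applied unconditionally rather than under `ifdef(`targeted_policy',...)` as apt.te does later in this diff, which deserves a comment making the intent explicit, e.g. `# the installer drives the whole install; it is unconfined in every policy type`.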
diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
new file mode 100644
index 0000000..d31952b
--- /dev/null
+++ b/policy/modules/admin/apt.fc
@@ -0,0 +1,13 @@
+/usr/bin/apt-get		--	gen_context(system_u:object_r:apt_exec_t,s0)
+# apt-shell is redhat specific
+/usr/bin/apt-shell		--	gen_context(system_u:object_r:apt_exec_t,s0)
+# other package managers
+/usr/bin/aptitude		--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/synaptic		--	gen_context(system_u:object_r:apt_exec_t,s0)
+
+# package cache repository
+/var/cache/apt(/.*)?			gen_context(system_u:object_r:apt_var_cache_t,s0)
+
+# package list repository
+/var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
new file mode 100644
index 0000000..180f05e
--- /dev/null
+++ b/policy/modules/admin/apt.if
@@ -0,0 +1,178 @@
+## <summary>APT advanced package toll.</summary>
+
+########################################
+## <summary>
+##	Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apt_domtrans',`
+	gen_require(`
+		type apt_t, apt_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,apt_exec_t,apt_t)
+
+	# allow basic communication
+	allow $1 apt_t:fd use;
+	allow apt_t $1:fd use;
+	allow apt_t $1:fifo_file rw_file_perms;
+	allow apt_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the apt domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the apt domain to use.
+##	</summary>
+## </param>
+#
+interface(`apt_run',`
+	gen_require(`
+		type apt_t;
+	')
+
+	apt_domtrans($1)
+	role $2 types apt_t;
+	allow apt_t $3:chr_file rw_term_perms;
+	# TODO: likely have to add dpkg_run here.
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from apt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apt_use_fds',`
+	gen_require(`
+		type apt_t;
+	')
+
+	allow $1 apt_t:fd use;
+	# TODO: enforce dpkg_use_fd?
+')
+
+########################################
+## <summary>
+##	Read from an unnamed apt pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apt_read_pipes',`
+	gen_require(`
+		type apt_t;
+	')
+
+	allow $1 apt_t:fifo_file r_file_perms;
+	# TODO: enforce dpkg_read_pipes?
+')
+
+########################################
+## <summary>
+##	Read and write an unnamed apt pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apt_rw_pipes',`
+	gen_require(`
+		type apt_t;
+	')
+
+	allow $1 apt_t:fifo_file rw_file_perms;
+	# TODO: enforce dpkg_rw_pipes?
+')
+
+########################################
+## <summary>
+##	Read the apt package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apt_read_db',`
+	gen_require(`
+		type apt_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 apt_var_lib_t:dir r_dir_perms;
+	allow $1 apt_var_lib_t:file { getattr read };
+	allow $1 apt_var_lib_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the apt package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apt_manage_db',`
+	gen_require(`
+		type apt_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 apt_var_lib_t:dir rw_dir_perms;
+	allow $1 apt_var_lib_t:file { getattr create read write append unlink };
+	allow $1 apt_var_lib_t:lnk_file { getattr read write unlink };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read, 
+##	write, and delete the apt package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apt_dontaudit_manage_db',`
+	gen_require(`
+		type apt_var_lib_t;
+	')
+
+	dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
+	dontaudit $1 apt_var_lib_t:file create_file_perms;
+	dontaudit $1 apt_var_lib_t:lnk_file create_lnk_perms;
+')
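Review bot: `apt_manage_db` documents "Create, read, write, and delete" but its `lnk_file` rule omits `create` and its `file` rule omits `setattr` and `lock`, while the sibling `apt_dontaudit_manage_db` silences the full `create_file_perms`/`create_lnk_perms`; using the same sets in the allow rule, `allow $1 apt_var_lib_t:file create_file_perms;` and `allow $1 apt_var_lib_t:lnk_file create_lnk_perms;`, would make the summary and the rule agree. The module summary on the first line reads "advanced package toll" and should be "tool", and `apt_run`'s summary is a verbatim copy of `apt_domtrans`'s although it additionally grants a role and terminal access.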
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
new file mode 100644
index 0000000..995ede0
--- /dev/null
+++ b/policy/modules/admin/apt.te
@@ -0,0 +1,137 @@
+
+policy_module(apt,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type apt_t;
+type apt_exec_t;
+init_system_domain(apt_t,apt_exec_t)
+domain_system_change_exemption(apt_t)
+domain_getattr_all_domains(apt_t)
+role system_r types apt_t;
+
+type apt_tmp_t;
+files_tmp_file(apt_tmp_t)
+
+type apt_tmpfs_t;
+files_tmpfs_file(apt_tmpfs_t)
+
+# status files
+type apt_var_lib_t alias var_lib_apt_t;
+files_type(apt_var_lib_t)
+
+# package cache
+type apt_var_cache_t alias var_cache_apt_t;
+files_type(apt_var_cache_t)
+
+########################################
+#
+# apt Local policy
+#
+
+allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:process { signal setpgid fork };
+allow apt_t self:fd use;
+allow apt_t self:fifo_file rw_file_perms;
+allow apt_t self:unix_dgram_socket create_socket_perms;
+allow apt_t self:unix_stream_socket rw_stream_socket_perms;
+allow apt_t self:unix_dgram_socket sendto;
+allow apt_t self:unix_stream_socket connectto;
+allow apt_t self:udp_socket { connect create_socket_perms };
+allow apt_t self:tcp_socket create_stream_socket_perms;
+allow apt_t self:shm create_shm_perms;
+allow apt_t self:sem create_sem_perms;
+allow apt_t self:msgq create_msgq_perms;
+allow apt_t self:msg { send receive };
+
+# Access /var/cache/apt files
+allow apt_t apt_var_cache_t:file create_file_perms;
+allow apt_t apt_var_cache_t:dir rw_dir_perms;
+files_var_filetrans(apt_t,apt_var_cache_t,dir)
+
+allow apt_t apt_tmp_t:dir create_dir_perms;
+allow apt_t apt_tmp_t:file create_file_perms;
+files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
+
+allow apt_t apt_tmpfs_t:dir create_dir_perms;
+allow apt_t apt_tmpfs_t:file create_file_perms;
+allow apt_t apt_tmpfs_t:lnk_file create_file_perms;
+allow apt_t apt_tmpfs_t:sock_file create_file_perms;
+allow apt_t apt_tmpfs_t:fifo_file create_file_perms;
+fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Access /var/lib/apt files
+allow apt_t apt_var_lib_t:file create_file_perms;
+allow apt_t apt_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
+
+kernel_read_system_state(apt_t)
+kernel_read_kernel_sysctls(apt_t)
+
+# to launch dpkg-preconfigure
+corecmd_exec_bin(apt_t)
+corecmd_exec_shell(apt_t)
+corecmd_exec_sbin(apt_t)
+
+corenet_non_ipsec_sendrecv(apt_t)
+corenet_tcp_sendrecv_all_if(apt_t)
+corenet_udp_sendrecv_all_if(apt_t)
+corenet_tcp_sendrecv_all_nodes(apt_t)
+corenet_udp_sendrecv_all_nodes(apt_t)
+corenet_tcp_sendrecv_all_ports(apt_t)
+corenet_udp_sendrecv_all_ports(apt_t)
+# TODO: reall allow all these?
+corenet_tcp_bind_all_nodes(apt_t)
+corenet_udp_bind_all_nodes(apt_t)
+corenet_tcp_connect_all_ports(apt_t)
+corenet_sendrecv_all_client_packets(apt_t)
+
+dev_read_urand(apt_t)
+
+files_exec_usr_files(apt_t)
+files_read_etc_files(apt_t)
+files_read_etc_runtime_files(apt_t)
+
+term_list_ptys(apt_t)
+term_use_all_terms(apt_t)
+
+libs_use_ld_so(apt_t)
+libs_use_shared_libs(apt_t)
+libs_exec_ld_so(apt_t)
+libs_exec_lib_files(apt_t)
+
+logging_send_syslog_msg(apt_t)
+
+miscfiles_read_localization(apt_t)
+
+seutil_use_newrole_fds(apt_t)
+
+sysnet_read_config(apt_t)
+
+ifdef(`targeted_policy',`
+	unconfined_domain(apt_t)
+')
+
+# with boolean, for cron-apt and such?
+#optional_policy(`
+#	cron_system_entry(apt_t,apt_exec_t)
+#')
+
+optional_policy(`
+	# dpkg interaction
+	dpkg_read_db(apt_t)
+	dpkg_domtrans(apt_t)
+	dpkg_lock_db(apt_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(apt_t)
+')
+
+optional_policy(`
+	rpm_read_db(apt_t)
+	rpm_domtrans(apt_t)
+')
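Review bot: The network block carries the author's own `# TODO: reall allow all these?` and the answer is probably no: an apt client only needs outbound fetches to its repositories, so `corenet_tcp_bind_all_nodes`, `corenet_udp_bind_all_nodes` and `corenet_tcp_connect_all_ports` are wider than the domain requires, and `corenet_tcp_connect_all_ports` in particular lets a compromised apt_t reach any local or remote service. Narrowing to the port interfaces the fetch methods actually use, or at minimum documenting why the bind rules are needed, would be preferable; the spelling `reall` in the TODO should also be fixed. The `ifdef(`targeted_policy',` fallback to `unconfined_domain` at the end means none of the above is enforced on targeted systems, which is worth a comment on that block.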
diff --git a/policy/modules/admin/backup.fc b/policy/modules/admin/backup.fc
new file mode 100644
index 0000000..b4671ae
--- /dev/null
+++ b/policy/modules/admin/backup.fc
@@ -0,0 +1,7 @@
+# backup
+# label programs that do backups to other files on disk (IE a cron job that
+# calls tar) in backup_exec_t and label the directory for storing them as
+# backup_store_t, Debian uses /var/backups
+
+#/usr/local/bin/backup-script	--	gen_context(system_u:object_r:backup_exec_t,s0)
+/var/backups(/.*)?			gen_context(system_u:object_r:backup_store_t,s0)
diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if
new file mode 100644
index 0000000..64beebe
--- /dev/null
+++ b/policy/modules/admin/backup.if
@@ -0,0 +1,53 @@
+## <summary>System backup scripts</summary>
+
+########################################
+## <summary>
+##	Execute backup in the backup domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`backup_domtrans',`
+	gen_require(`
+		type backup_t, backup_exec_t;
+	')
+
+	domain_auto_trans($1,backup_exec_t,backup_t)
+	allow backup_t $1:fd use;
+	allow backup_t $1:fifo_file rw_file_perms;
+	allow backup_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute backup in the backup domain, and
+##	allow the specified role the backup domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the backup domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`backup_run',`
+	gen_require(`
+		type backup_t;
+	')
+
+	backup_domtrans($1)
+	role $2 types backup_t;
+	allow backup_t $3:chr_file rw_term_perms;
+')
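Review bot: The `terminal` parameter of `backup_run` is documented as "Domain allowed access.", which is the text for the `domain` parameter; it should read `The type of the terminal allow the backup domain to use.` as the other `*_run` interfaces in this diff do. `backup_domtrans` also lacks the caller-side `allow $1 backup_t:fd use;` that `bootloader_domtrans` and `certwatch_domtrans` grant, so the caller cannot use descriptors created by backup_t; add the line after `domain_auto_trans` if that is intended, or comment why it is omitted.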
diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te
new file mode 100644
index 0000000..c37f701
--- /dev/null
+++ b/policy/modules/admin/backup.te
@@ -0,0 +1,84 @@
+
+policy_module(backup,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type backup_t;
+type backup_exec_t;
+domain_type(backup_t)
+domain_entry_file(backup_t,backup_exec_t)
+role system_r types backup_t;
+
+type backup_store_t;
+files_type(backup_store_t)
+
+########################################
+#
+# Local policy
+#
+
+allow backup_t self:capability dac_override;
+allow backup_t self:process signal;
+allow backup_t self:fifo_file rw_file_perms;
+allow backup_t self:tcp_socket create_socket_perms;
+allow backup_t self:udp_socket create_socket_perms;
+
+allow backup_t backup_store_t:dir ra_dir_perms;
+allow backup_t backup_store_t:file { create rw_file_perms setattr };
+allow backup_t backup_store_t:lnk_file { getattr read };
+
+kernel_read_system_state(backup_t)
+kernel_read_kernel_sysctls(backup_t)
+
+corecmd_exec_bin(backup_t)
+
+corenet_non_ipsec_sendrecv(backup_t)
+corenet_tcp_sendrecv_generic_if(backup_t)
+corenet_udp_sendrecv_generic_if(backup_t)
+corenet_raw_sendrecv_generic_if(backup_t)
+corenet_tcp_sendrecv_all_nodes(backup_t)
+corenet_udp_sendrecv_all_nodes(backup_t)
+corenet_raw_sendrecv_all_nodes(backup_t)
+corenet_tcp_sendrecv_all_ports(backup_t)
+corenet_udp_sendrecv_all_ports(backup_t)
+corenet_tcp_connect_all_ports(backup_t)
+corenet_sendrecv_all_client_packets(backup_t)
+
+dev_getattr_all_blk_files(backup_t)
+dev_getattr_all_chr_files(backup_t)
+# for SSP
+dev_read_urand(backup_t)
+
+domain_use_interactive_fds(backup_t)
+
+files_read_all_files(backup_t)
+files_read_all_symlinks(backup_t)
+files_getattr_all_pipes(backup_t)
+files_getattr_all_sockets(backup_t)
+
+fs_getattr_xattr_fs(backup_t)
+fs_list_all(backup_t)
+
+auth_read_shadow(backup_t)
+
+libs_use_ld_so(backup_t)
+libs_use_shared_libs(backup_t)
+
+logging_send_syslog_msg(backup_t)
+
+sysnet_read_config(backup_t)
+
+optional_policy(`
+	cron_system_entry(backup_t,backup_exec_t)
+')
+
+optional_policy(`
+	hostname_exec(backup_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(backup_t)
+')
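Review bot: `allow backup_t backup_store_t:dir ra_dir_perms;` reads as an append-only store, but the file rule directly under it grants `rw_file_perms`, which includes `write` and therefore lets the domain overwrite or truncate existing backups; if append-only is the intent, the file rule should drop `write` in favour of append (an `ra_file_perms` set, if this tree defines one), and either way a comment stating the intended retention semantics would help. Note also that `backup_exec_t` is only labelled by a commented-out line in backup.fc, so nothing enters this domain until an admin labels a script; given `files_read_all_files` and `auth_read_shadow` are granted here, that labelling decision deserves a comment at the top of the local policy section.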
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
new file mode 100644
index 0000000..bcedf95
--- /dev/null
+++ b/policy/modules/admin/bootloader.fc
@@ -0,0 +1,12 @@
+
+/etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+
+/etc/mkinitrd/scripts/.* --	gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+/usr/sbin/mkinitrd	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+/sbin/grub.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/mkinitrd		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
new file mode 100644
index 0000000..8f6707b
--- /dev/null
+++ b/policy/modules/admin/bootloader.if
@@ -0,0 +1,134 @@
+## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
+
+########################################
+## <summary>
+##	Execute bootloader in the bootloader domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bootloader_domtrans',`
+	gen_require(`
+		type bootloader_t, bootloader_exec_t;
+	')
+
+	domain_auto_trans($1, bootloader_exec_t, bootloader_t)
+
+	allow $1 bootloader_t:fd use;
+	allow bootloader_t $1:fd use;
+	allow bootloader_t $1:fifo_file rw_file_perms;
+	allow bootloader_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute bootloader interactively and do
+##	a domain transition to the bootloader domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the bootloader domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the bootloader domain to use.
+##	</summary>
+## </param>
+#
+interface(`bootloader_run',`
+	gen_require(`
+		type bootloader_t;
+	')
+
+	bootloader_domtrans($1)
+
+	role $2 types bootloader_t;
+	allow bootloader_t $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read the bootloader configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bootloader_read_config',`
+	gen_require(`
+		type bootloader_etc_t;
+	')
+
+	allow $1 bootloader_etc_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the bootloader
+##	configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bootloader_rw_config',`
+	gen_require(`
+		type bootloader_etc_t;
+	')
+
+	allow $1 bootloader_etc_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the bootloader
+##	temporary data in /tmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bootloader_rw_tmp_files',`
+	gen_require(`
+		type bootloader_tmp_t;
+	')
+
+	# FIXME: read tmp_t dir
+	allow $1 bootloader_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the bootloader
+##	temporary data in /tmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bootloader_create_runtime_file',`
+	gen_require(`
+		type boot_t, boot_runtime_t;
+	')
+
+	allow $1 boot_t:dir rw_dir_perms;
+	allow $1 boot_runtime_t:file { rw_file_perms create unlink };
+	type_transition $1 boot_t:file boot_runtime_t;
+')
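Review bot: The summary of `bootloader_create_runtime_file` is a copy of the `bootloader_rw_tmp_files` summary above it ("Read and write the bootloader temporary data in /tmp") and does not describe the interface; it should say something like `Create, read, write, and delete the bootloader runtime file in /boot, with a type transition from boot_t`. `bootloader_run` also grants the terminal `rw_file_perms` while every other `*_run` interface in this diff uses `rw_term_perms`; `allow bootloader_t $3:chr_file rw_term_perms;` would be consistent.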
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
new file mode 100644
index 0000000..41b4027
--- /dev/null
+++ b/policy/modules/admin/bootloader.te
@@ -0,0 +1,216 @@
+
+policy_module(bootloader,1.2.4)
+
+########################################
+#
+# Declarations
+#
+
+#
+# boot_runtime_t is the type for /boot/kernel.h,
+# which is automatically generated at boot time.
+# only for Red Hat
+#
+type boot_runtime_t;
+files_type(boot_runtime_t)
+
+type bootloader_t;
+domain_type(bootloader_t)
+role system_r types bootloader_t;
+
+type bootloader_exec_t;
+domain_entry_file(bootloader_t,bootloader_exec_t)
+
+#
+# bootloader_etc_t is the configuration file,
+# grub.conf, lilo.conf, etc.
+#
+type bootloader_etc_t alias etc_bootloader_t;
+files_type(bootloader_etc_t)
+
+#
+# The temp file is used for initrd creation;
+# it consists of files and device nodes
+#
+type bootloader_tmp_t;
+files_tmp_file(bootloader_tmp_t)
+dev_node(bootloader_tmp_t)
+
+#
+# /var/log/ksyms
+# cjp: this probably can be removed, I do not
+# think it is used on 2.6 kernels
+type var_log_ksyms_t;
+logging_log_file(var_log_ksyms_t)
+
+########################################
+#
+# bootloader local policy
+#
+
+allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:process { sigkill sigstop signull signal execmem };
+allow bootloader_t self:fifo_file rw_file_perms;
+
+allow bootloader_t bootloader_etc_t:file r_file_perms;
+# uncomment the following lines if you use "lilo -p"
+#allow bootloader_t bootloader_etc_t:file manage_file_perms;
+#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
+
+allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
+allow bootloader_t bootloader_tmp_t:file create_file_perms;
+allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
+allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
+allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
+files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
+# for tune2fs (cjp: ?)
+files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
+
+kernel_getattr_core_if(bootloader_t)
+kernel_read_system_state(bootloader_t)
+kernel_read_software_raid_state(bootloader_t)
+kernel_read_kernel_sysctls(bootloader_t)
+
+storage_raw_read_fixed_disk(bootloader_t)
+storage_raw_write_fixed_disk(bootloader_t)
+storage_raw_read_removable_device(bootloader_t)
+storage_raw_write_removable_device(bootloader_t)
+
+dev_getattr_all_chr_files(bootloader_t)
+dev_getattr_all_blk_files(bootloader_t)
+dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
+dev_read_rand(bootloader_t)
+dev_read_urand(bootloader_t)
+dev_read_sysfs(bootloader_t)
+# for reading BIOS data
+dev_read_raw_memory(bootloader_t)
+
+fs_getattr_xattr_fs(bootloader_t)
+fs_read_tmpfs_symlinks(bootloader_t)
+
+mls_file_read_up(bootloader_t)
+
+term_getattr_all_user_ttys(bootloader_t)
+term_dontaudit_manage_pty_dirs(bootloader_t)
+
+corecmd_exec_all_executables(bootloader_t)
+
+domain_use_interactive_fds(bootloader_t)
+
+files_create_boot_dirs(bootloader_t)
+files_manage_boot_files(bootloader_t)
+files_manage_boot_symlinks(bootloader_t)
+files_read_etc_files(bootloader_t)
+files_exec_etc_files(bootloader_t)
+files_read_usr_src_files(bootloader_t)
+files_read_usr_files(bootloader_t)
+files_read_var_files(bootloader_t)
+files_read_kernel_modules(bootloader_t)
+# for nscd
+files_dontaudit_search_pids(bootloader_t)
+# for blkid.tab
+files_manage_etc_runtime_files(bootloader_t)
+files_etc_filetrans_etc_runtime(bootloader_t,file)
+files_dontaudit_search_home(bootloader_t)
+
+init_getattr_initctl(bootloader_t)
+init_use_script_ptys(bootloader_t)
+init_use_script_fds(bootloader_t)
+init_rw_script_pipes(bootloader_t)
+
+libs_use_ld_so(bootloader_t)
+libs_use_shared_libs(bootloader_t)
+libs_read_lib_files(bootloader_t)
+libs_exec_lib_files(bootloader_t)
+
+logging_send_syslog_msg(bootloader_t)
+logging_rw_generic_logs(bootloader_t)
+
+miscfiles_read_localization(bootloader_t)
+
+modutils_domtrans_insmod_uncond(bootloader_t)
+
+seutil_read_bin_policy(bootloader_t)
+seutil_read_loadpolicy(bootloader_t)
+seutil_dontaudit_search_config(bootloader_t)
+
+ifdef(`distro_debian',`
+	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+	fs_list_tmpfs(bootloader_t)
+
+	files_relabel_kernel_modules(bootloader_t)
+	files_relabelfrom_boot_files(bootloader_t)
+	files_delete_kernel_modules(bootloader_t)
+	files_relabelto_usr_files(bootloader_t)
+	files_search_var_lib(bootloader_t)
+	# for /usr/share/initrd-tools/scripts
+	files_exec_usr_files(bootloader_t)
+
+	fstools_manage_entry_files(bootloader_t)
+	fstools_relabelto_entry_files(bootloader_t)
+
+	libs_relabelto_lib_files(bootloader_t)
+')
+
+ifdef(`distro_redhat',`
+	# for memlock
+	allow bootloader_t self:capability ipc_lock;
+
+	# new file system defaults to file_t, granting file_t access is still bad.
+	allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
+
+	# mkinitrd mount initrd on bootloader temp dir
+	files_mountpoint(bootloader_tmp_t)
+
+	# new file system defaults to file_t, granting file_t access is still bad.
+	files_manage_isid_type_dirs(bootloader_t)
+	files_manage_isid_type_files(bootloader_t)
+	files_manage_isid_type_symlinks(bootloader_t)
+	files_manage_isid_type_blk_files(bootloader_t)
+	files_manage_isid_type_chr_files(bootloader_t)
+
+	# for mke2fs
+	mount_domtrans(bootloader_t)
+')
+
+ifdef(`targeted_policy',`
+	term_use_unallocated_ttys(bootloader_t)
+	term_use_generic_ptys(bootloader_t)
+')
+
+optional_policy(`
+	fstools_exec(bootloader_t)
+')
+
+optional_policy(`
+	kudzu_domtrans(bootloader_t)
+')
+
+optional_policy(`
+	dev_rw_lvm_control(bootloader_t)
+
+	lvm_domtrans(bootloader_t)
+	lvm_read_config(bootloader_t)
+')
+
+optional_policy(`
+	modutils_exec_insmod(bootloader_t)
+	modutils_read_module_deps(bootloader_t)
+	modutils_read_module_config(bootloader_t)
+	modutils_exec_insmod(bootloader_t)
+	modutils_exec_depmod(bootloader_t)
+	modutils_exec_update_mods(bootloader_t)
+')
+
+optional_policy(`
+	nscd_socket_use(bootloader_t)
+')
+
+optional_policy(`
+	rpm_rw_pipes(bootloader_t)
+')
+
+optional_policy(`
+	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
+	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
+')
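Review bot: `modutils_exec_insmod(bootloader_t)` appears twice in the modutils `optional_policy(` block near the end of the hunk (first and fourth lines of the block); the duplicate is harmless to the compiler but suggests the block was merged from two sources and should be deduplicated. The `files_root_filetrans(bootloader_t,bootloader_tmp_t,file)` line carries `# for tune2fs (cjp: ?)`, i.e. nobody knows why a file created directly under / by this domain should become bootloader_tmp_t; since bootloader_tmp_t also receives `dev_node`, that rule needs either a verified reason or removal. `dev_read_raw_memory` is justified by `# for reading BIOS data`, which is the right practice and worth extending to the other high-impact grants here (`sys_rawio`, `storage_raw_write_fixed_disk`, `mls_file_read_up`).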
diff --git a/policy/modules/admin/certwatch.fc b/policy/modules/admin/certwatch.fc
new file mode 100644
index 0000000..b8a3414
--- /dev/null
+++ b/policy/modules/admin/certwatch.fc
@@ -0,0 +1 @@
+/usr/bin/certwatch	-- gen_context(system_u:object_r:certwatch_exec_t,s0)
diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if
new file mode 100644
index 0000000..84e3852
--- /dev/null
+++ b/policy/modules/admin/certwatch.if
@@ -0,0 +1,59 @@
+## <summary>Digital Certificate Tracking</summary>
+
+########################################
+## <summary>
+##	Domain transition to certwatch.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`certwatch_domtrans',`
+	gen_require(`
+		type certwatch_exec_t, certwatch_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,certwatch_exec_t,certwatch_t)
+
+	allow $1 certwatch_t:fd use;
+	allow certwatch_t $1:fd use;
+	allow certwatch_t $1:fifo_file rw_file_perms;
+	allow certwatch_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute certwatch in the certwatch domain, and
+##	allow the specified role the certwatch domain,
+##	and use the caller's terminal. Has a sigchld
+##	backchannel.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the certwatch domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the certwatch domain to use.
+##	</summary>
+## </param>
+#
+interface(`certwatach_run',`
+	gen_require(`
+		type certwatch_t;
+	')
+
+	certwatch_domtrans($1)
+	role $2 types certwatch_t;
+	allow certwatch_t $3:chr_file rw_term_perms;
+')
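Review bot: The second interface is declared as `certwatach_run` (stray `a`), so any module calling the expected `certwatch_run` will fail to build; rename it `interface(`certwatch_run',`. `certwatch_domtrans` also calls `corecmd_search_sbin($1)` while certwatch.fc labels `/usr/bin/certwatch`, so callers need `corecmd_search_bin($1)` to traverse to the executable.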
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
new file mode 100644
index 0000000..daca9e1
--- /dev/null
+++ b/policy/modules/admin/certwatch.te
@@ -0,0 +1,34 @@
+
+policy_module(certwatch,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type certwatch_t;
+type certwatch_exec_t;
+domain_type(certwatch_t)
+domain_entry_file(certwatch_t,certwatch_exec_t)
+role system_r types certwatch_t;
+
+########################################
+#
+# Local policy
+#
+
+files_read_etc_files(certwatch_t)
+
+libs_use_ld_so(certwatch_t)
+libs_use_shared_libs(certwatch_t)
+
+logging_send_syslog_msg(certwatch_t)
+
+miscfiles_read_certs(certwatch_t)
+miscfiles_read_localization(certwatch_t)
+
+apache_exec_modules(certwatch_t)
+
+optional_policy(`
+	cron_system_entry(certwatch_t,certwatch_exec_t)
+')
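Review bot: `apache_exec_modules(certwatch_t)` is called outside any `optional_policy(` block, unlike `cron_system_entry` just below it, so this module fails to build whenever the apache module is not loaded; wrap it as `optional_policy(` / `apache_exec_modules(certwatch_t)` / `')`. The `policy_module(certwatch,1.0)` version also uses two components where every other module in this diff uses three (e.g. `1.0.0`), which is worth normalising.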
diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc
new file mode 100644
index 0000000..b7f053b
--- /dev/null
+++ b/policy/modules/admin/consoletype.fc
@@ -0,0 +1,2 @@
+
+/sbin/consoletype	--	gen_context(system_u:object_r:consoletype_exec_t,s0)
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
new file mode 100644
index 0000000..58a2018
--- /dev/null
+++ b/policy/modules/admin/consoletype.if
@@ -0,0 +1,77 @@
+## <summary>
+##	Determine of the console connected to the controlling terminal.
+## </summary>
+
+########################################
+## <summary>
+##	Execute consoletype in the consoletype domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`consoletype_domtrans',`
+	gen_require(`
+		type consoletype_t, consoletype_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,consoletype_exec_t,consoletype_t)
+
+	allow $1 consoletype_t:fd use;
+	allow consoletype_t $1:fd use;
+	allow consoletype_t $1:fifo_file rw_file_perms;
+	allow consoletype_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute consoletype in the consoletype domain, and
+##	allow the specified role the consoletype domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the consoletype domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the consoletype domain to use.
+##	</summary>
+## </param>
+#
+interface(`consoletype_run',`
+	gen_require(`
+		type consoletype_t;
+	')
+
+	consoletype_domtrans($1)
+	role $2 types consoletype_t;
+	allow consoletype_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute consoletype in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`consoletype_exec',`
+	gen_require(`
+		type consoletype_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,consoletype_exec_t)
+')
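Review bot: The module summary on the first lines of the hunk is ungrammatical ("Determine of the console connected to the controlling terminal") and should read `Determine the type of the console connected to the controlling terminal.`. The three interfaces themselves follow the same pattern as the other admin modules in this diff.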
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
new file mode 100644
index 0000000..84a5306
--- /dev/null
+++ b/policy/modules/admin/consoletype.te
@@ -0,0 +1,116 @@
+
+policy_module(consoletype,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type consoletype_t;
+type consoletype_exec_t;
+init_domain(consoletype_t,consoletype_exec_t)
+mls_file_read_up(consoletype_t)
+mls_file_write_down(consoletype_t)
+role system_r types consoletype_t;
+
+ifdef(`targeted_policy',`',`
+	init_system_domain(consoletype_t,consoletype_exec_t)
+')
+
+########################################
+#
+# Local declarations
+#
+
+allow consoletype_t self:capability sys_admin;
+allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow consoletype_t self:fd use;
+allow consoletype_t self:fifo_file rw_file_perms;
+allow consoletype_t self:sock_file r_file_perms;
+allow consoletype_t self:unix_dgram_socket create_socket_perms;
+allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
+allow consoletype_t self:unix_dgram_socket sendto;
+allow consoletype_t self:unix_stream_socket connectto;
+allow consoletype_t self:shm create_shm_perms;
+allow consoletype_t self:sem create_sem_perms;
+allow consoletype_t self:msgq create_msgq_perms;
+allow consoletype_t self:msg { send receive };
+
+kernel_use_fds(consoletype_t)
+kernel_dontaudit_read_system_state(consoletype_t)
+
+fs_getattr_all_fs(consoletype_t)
+fs_search_auto_mountpoints(consoletype_t)
+fs_write_nfs_files(consoletype_t)
+
+term_use_console(consoletype_t)
+term_use_unallocated_ttys(consoletype_t)
+
+init_use_fds(consoletype_t)
+init_use_script_ptys(consoletype_t)
+init_use_script_fds(consoletype_t)
+init_write_script_pipes(consoletype_t)
+
+domain_use_interactive_fds(consoletype_t)
+
+files_dontaudit_read_root_files(consoletype_t)
+files_list_usr(consoletype_t)
+
+libs_use_ld_so(consoletype_t)
+libs_use_shared_libs(consoletype_t)
+
+userdom_use_sysadm_terms(consoletype_t)
+userdom_use_sysadm_fds(consoletype_t)
+userdom_rw_sysadm_pipes(consoletype_t)
+
+ifdef(`distro_redhat',`
+	fs_rw_tmpfs_chr_files(consoletype_t)
+')
+
+optional_policy(`
+	apm_use_fds(consoletype_t)
+	apm_write_pipes(consoletype_t)
+')
+
+optional_policy(`
+	auth_read_pam_pid(consoletype_t)
+')
+
+optional_policy(`
+	cron_read_pipes(consoletype_t)
+	cron_use_system_job_fds(consoletype_t)
+')
+
+optional_policy(`
+	files_read_etc_files(consoletype_t)
+	firstboot_use_fds(consoletype_t)
+	firstboot_write_pipes(consoletype_t)
+')
+
+optional_policy(`
+	logrotate_dontaudit_use_fds(consoletype_t)
+')
+
+optional_policy(`
+	lpd_read_config(consoletype_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(consoletype_t)
+')
+
+optional_policy(`
+	# Commonly used from postinst scripts
+	rpm_read_pipes(consoletype_t)
+')
+
+optional_policy(`
+	userdom_use_unpriv_users_fds(consoletype_t)
+')
+
+optional_policy(`
+	kernel_read_xen_state(consoletype_t)
+	kernel_write_xen_state(consoletype_t)
+	xen_append_log(consoletype_t)
+	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
+')
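Review bot: `files_read_etc_files(consoletype_t)` sits inside the firstboot `optional_policy(` block, so the domain can read /etc only when the firstboot module is present; that is almost certainly a misplacement and the line belongs with the other unconditional `files_*` calls next to `files_list_usr`. The `allow consoletype_t self:process ~{ ... }` rule grants every process permission except the eight listed, which is a broad grant for a tiny utility and should be replaced by a positive list of what consoletype needs, or at least commented with why the negated form was chosen. The section header `# Local declarations` above these rules should read `# Local policy` as in the other modules.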
diff --git a/policy/modules/admin/ddcprobe.fc b/policy/modules/admin/ddcprobe.fc
new file mode 100644
index 0000000..a38ca33
--- /dev/null
+++ b/policy/modules/admin/ddcprobe.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/ddcprobe      --		gen_context(system_u:object_r:ddcprobe_exec_t,s0)
diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if
new file mode 100644
index 0000000..875b7d2
--- /dev/null
+++ b/policy/modules/admin/ddcprobe.if
@@ -0,0 +1,55 @@
+## <summary>ddcprobe retrieves monitor and graphics card information</summary>
+
+########################################
+## <summary>
+##	Execute ddcprobe in the ddcprobe domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ddcprobe_domtrans',`
+	gen_require(`
+		type ddcprobe_t, ddcprobe_exec_t;
+	')
+
+	domain_auto_trans($1,ddcprobe_exec_t,ddcprobe_t)
+
+	allow $1 ddcprobe_t:fd use;
+	allow ddcprobe_t $1:fd use;
+	allow ddcprobe_t $1:fifo_file rw_file_perms;
+	allow ddcprobe_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute ddcprobe in the ddcprobe domain, and
+##	allow the specified role the ddcprobe domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role to be authenticated for ddcprobe domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the clock domain to use.
+##	</summary>
+## </param>
+#
+interface(`ddcprobe_run',`
+	gen_require(`
+		type ddcprobe_t;
+	')
+
+	ddcprobe_domtrans($1)
+	role $2 types ddcprobe_t;
+	allow ddcprobe_t $3:chr_file rw_term_perms;
+')
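Review bot: The `terminal` parameter description of `ddcprobe_run` refers to "the clock domain", which looks copied from another module's interface file; it should read `The type of the terminal allow the ddcprobe domain to use.` so the generated interface documentation names the right domain. The body of the interface is consistent with the other `*_run` interfaces on this page, so only the comment needs changing.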
diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te
new file mode 100644
index 0000000..67982aa
--- /dev/null
+++ b/policy/modules/admin/ddcprobe.te
@@ -0,0 +1,55 @@
+
+policy_module(ddcprobe,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ddcprobe_t;
+type ddcprobe_exec_t;
+domain_type(ddcprobe_t)
+domain_entry_file(ddcprobe_t,ddcprobe_exec_t)
+role system_r types ddcprobe_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ddcprobe_t self:capability { sys_rawio sys_admin };
+allow ddcprobe_t self:process execmem;
+
+kernel_read_system_state(ddcprobe_t)
+kernel_read_kernel_sysctls(ddcprobe_t)
+kernel_change_ring_buffer_level(ddcprobe_t)
+
+files_search_kernel_modules(ddcprobe_t)
+
+corecmd_list_sbin(ddcprobe_t)
+corecmd_list_bin(ddcprobe_t)
+corecmd_exec_sbin(ddcprobe_t)
+
+dev_read_urand(ddcprobe_t)
+dev_read_raw_memory(ddcprobe_t)
+dev_wx_raw_memory(ddcprobe_t)
+
+files_read_etc_files(ddcprobe_t)
+files_read_etc_runtime_files(ddcprobe_t)
+files_read_usr_files(ddcprobe_t)
+
+term_use_all_user_ttys(ddcprobe_t)
+term_use_all_user_ptys(ddcprobe_t)
+
+libs_read_lib_files(ddcprobe_t)
+libs_use_ld_so(ddcprobe_t)
+libs_use_shared_libs(ddcprobe_t)
+
+miscfiles_read_localization(ddcprobe_t)
+
+modutils_read_module_deps(ddcprobe_t)
+
+userdom_use_all_users_fds(ddcprobe_t)
+
+#reh why? this does not seem even necessary to function properly
+kudzu_getattr_exec_files(ddcprobe_t)
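Review bot: `kudzu_getattr_exec_files(ddcprobe_t)` at the end of the file is called outside an `optional_policy()` block, so if kudzu is a separately loadable module (every other call into an admin-layer domain on this page, e.g. the `apm_*`, `firstboot_*` and `rpm_*` calls in consoletype, is wrapped) the ddcprobe module fails to link on a system without it; given the `#reh why?` comment questions whether the rule is needed at all, either drop the line or wrap it in `optional_policy()`. Separately, the combination of `sys_rawio`, `dev_read_raw_memory`/`dev_wx_raw_memory` and `self:process execmem` gives this domain read/write/execute access to physical memory, which is effectively kernel-equivalent; record the reason in a why-comment above the `dev_*` block (presumably executing the video BIOS through /dev/mem — confirm) so a later reviewer does not loosen or copy it without understanding the cost, and keep the domain limited to `system_r` as declared.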
diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
new file mode 100644
index 0000000..d6cc2d9
--- /dev/null
+++ b/policy/modules/admin/dmesg.fc
@@ -0,0 +1,2 @@
+
+/bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
new file mode 100644
index 0000000..0ca1319
--- /dev/null
+++ b/policy/modules/admin/dmesg.if
@@ -0,0 +1,60 @@
+## <summary>Policy for dmesg.</summary>
+
+########################################
+## <summary>
+##	Execute dmesg in the dmesg domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dmesg_domtrans',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type dmesg_exec_t;
+		')
+
+		# $0(): disabled in targeted policy as there
+		# is no dmesg domain.
+	',`
+		gen_require(`
+			type dmesg_t, dmesg_exec_t;
+		')
+
+		corecmd_search_sbin($1)
+		domain_auto_trans($1,dmesg_exec_t,dmesg_t)
+
+		allow $1 dmesg_t:fd use;
+		allow dmesg_t $1:fd use;
+		allow dmesg_t $1:fifo_file rw_file_perms;
+		allow dmesg_t $1:process sigchld;
+	')
+')
+
+########################################
+## <summary>
+##	Execute dmesg in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dmesg_exec',`
+	ifdef(`targeted_policy',`
+		# $0(): the dmesg program is an alias
+		# of generic bin programs.
+		corecmd_exec_bin($1)
+	',`
+		gen_require(`
+			type dmesg_exec_t;
+		')
+
+		corecmd_search_sbin($1)
+		can_exec($1,dmesg_exec_t)
+	')
+')
+
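Review bot: Both `dmesg_domtrans` and `dmesg_exec` grant `corecmd_search_sbin($1)`, but this module's file context labels `/bin/dmesg`, so callers receive search permission on the wrong directory and the transition or exec can still be denied on `search` of /bin; change both calls to `corecmd_search_bin($1)` (or add it alongside the existing one if some distribution also ships dmesg under /sbin, which the .fc does not reflect). In the targeted branch of `dmesg_domtrans` the `gen_require` of `dmesg_exec_t` is not used by any rule and can be dropped.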
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
new file mode 100644
index 0000000..150feec
--- /dev/null
+++ b/policy/modules/admin/dmesg.te
@@ -0,0 +1,74 @@
+
+policy_module(dmesg,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+ifdef(`strict_policy',`
+	type dmesg_t;
+	type dmesg_exec_t;
+	init_system_domain(dmesg_t,dmesg_exec_t)
+	role system_r types dmesg_t;
+')
+
+ifdef(`targeted_policy',`
+	# dmesg domain is disabled in the 
+	# targeted policy. for compatibility
+	# with strict:
+	corecmd_bin_alias(dmesg_exec_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`strict_policy',`
+	allow dmesg_t self:capability sys_admin;
+	dontaudit dmesg_t self:capability sys_tty_config;
+
+	allow dmesg_t self:process signal_perms;
+
+	kernel_read_kernel_sysctls(dmesg_t)
+	kernel_read_ring_buffer(dmesg_t)
+	kernel_clear_ring_buffer(dmesg_t)
+	kernel_change_ring_buffer_level(dmesg_t)
+	kernel_list_proc(dmesg_t)
+	kernel_read_proc_symlinks(dmesg_t)
+
+	dev_read_sysfs(dmesg_t)
+
+	fs_search_auto_mountpoints(dmesg_t)
+
+	term_dontaudit_use_console(dmesg_t)
+
+	domain_use_interactive_fds(dmesg_t)
+
+	files_list_etc(dmesg_t)
+	# for when /usr is not mounted:
+	files_dontaudit_search_isid_type_dirs(dmesg_t)
+
+	init_use_fds(dmesg_t)
+	init_use_script_ptys(dmesg_t)
+
+	libs_use_ld_so(dmesg_t)
+	libs_use_shared_libs(dmesg_t)
+
+	logging_send_syslog_msg(dmesg_t)
+	logging_write_generic_logs(dmesg_t)
+
+	miscfiles_read_localization(dmesg_t)
+
+	userdom_use_sysadm_terms(dmesg_t)
+	userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+
+	optional_policy(`
+		seutil_sigchld_newrole(dmesg_t)
+	')
+
+	optional_policy(`
+		udev_read_db(dmesg_t)
+	')
+')
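Review bot: `logging_write_generic_logs(dmesg_t)` in the strict-policy branch lets a ring-buffer dumper write to every generic log file without any comment saying why, while the nearby `files_dontaudit_search_isid_type_dirs` line has one; add a why-comment such as `# for "dmesg > /var/log/dmesg" from init scripts` if that is the use case (I am inferring it, so confirm), or drop the rule if nothing relies on it. Without a comment the rule reads as an accidental widening of what a `sys_admin`-capable domain may modify.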
diff --git a/policy/modules/admin/dmidecode.fc b/policy/modules/admin/dmidecode.fc
new file mode 100644
index 0000000..016e6b8
--- /dev/null
+++ b/policy/modules/admin/dmidecode.fc
@@ -0,0 +1,4 @@
+
+/usr/sbin/dmidecode	--	gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/ownership	--	gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/vpddecode	--	gen_context(system_u:object_r:dmidecode_exec_t,s0)
diff --git a/policy/modules/admin/dmidecode.if b/policy/modules/admin/dmidecode.if
new file mode 100644
index 0000000..70d6044
--- /dev/null
+++ b/policy/modules/admin/dmidecode.if
@@ -0,0 +1,55 @@
+## <summary>Decode DMI data for x86/ia64 bioses.</summary>
+
+########################################
+## <summary>
+##	Execute dmidecode in the dmidecode domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dmidecode_domtrans',`
+	gen_require(`
+		type dmidecode_t, dmidecode_exec_t;
+	')
+
+	domain_auto_trans($1,dmidecode_exec_t,dmidecode_t)
+
+	allow $1 dmidecode_t:fd use;
+	allow dmidecode_t $1:fd use;
+	allow dmidecode_t $1:fifo_file rw_file_perms;
+	allow dmidecode_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute dmidecode in the dmidecode domain, and
+##	allow the specified role the dmidecode domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the dmidecode domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the dmidecode domain to use.
+##	</summary>
+## </param>
+#
+interface(`dmidecode_run',`
+	gen_require(`
+		type dmidecode_t;
+	')
+
+	dmidecode_domtrans($1)
+	role $2 types dmidecode_t;
+	allow dmidecode_t $3:chr_file rw_term_perms;
+')
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
new file mode 100644
index 0000000..ae975cd
--- /dev/null
+++ b/policy/modules/admin/dmidecode.te
@@ -0,0 +1,40 @@
+
+policy_module(dmidecode,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type dmidecode_t;
+domain_type(dmidecode_t)
+role system_r types dmidecode_t;
+
+type dmidecode_exec_t;
+domain_entry_file(dmidecode_t,dmidecode_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dmidecode_t self:capability sys_rawio;
+
+# Allow dmidecode to read /dev/mem
+dev_read_raw_memory(dmidecode_t)
+
+mls_file_read_up(dmidecode_t)
+
+term_list_ptys(dmidecode_t)
+
+files_list_usr(dmidecode_t)
+
+libs_use_ld_so(dmidecode_t)
+libs_use_shared_libs(dmidecode_t)
+
+locallogin_use_fds(dmidecode_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(dmidecode_t)
+	term_use_unallocated_ttys(dmidecode_t)
+')
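Review bot: `mls_file_read_up(dmidecode_t)` is an MLS override with no justification, while `dev_read_raw_memory` directly above it carries a comment; because it lets the domain read files at higher sensitivity levels, either document why dmidecode needs it (e.g. `# MLS: read /dev/mem regardless of its level -- confirm`) or remove it. Note that the .fc also places `/usr/sbin/ownership` and `/usr/sbin/vpddecode` in this domain, so whatever reason is recorded should hold for those tools too.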
diff --git a/policy/modules/admin/dpkg.fc b/policy/modules/admin/dpkg.fc
new file mode 100644
index 0000000..6d0f9ee
--- /dev/null
+++ b/policy/modules/admin/dpkg.fc
@@ -0,0 +1,12 @@
+# Debian package manager
+/usr/bin/debsums		--	gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg			--	gen_context(system_u:object_r:dpkg_exec_t,s0)
+# not sure if dselect should be in apt instead?
+/usr/bin/dselect		--	gen_context(system_u:object_r:dpkg_exec_t,s0)
+
+/var/lib/dpkg(/.*)?			gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+# lockfile is treated specially, since used by apt, too
+/var/lib/dpkg/(meth)?lock	--	gen_context(system_u:object_r:dpkg_lock_t,s0)
+
+/usr/sbin/dpkg-preconfigure	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/sbin/dpkg-reconfigure	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
new file mode 100644
index 0000000..5d494be
--- /dev/null
+++ b/policy/modules/admin/dpkg.if
@@ -0,0 +1,240 @@
+## <summary>Policy for the Debian package manager.</summary>
+# TODO: need debconf policy
+# TODO: need install-menu policy
+
+########################################
+## <summary>
+##	Execute dpkg programs in the dpkg domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dpkg_domtrans',`
+	gen_require(`
+		type dpkg_t, dpkg_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,dpkg_exec_t,dpkg_t)
+
+	# allow basic communication
+	allow $1 dpkg_t:fd use;
+	allow dpkg_t $1:fd use;
+	allow dpkg_t $1:fifo_file rw_file_perms;
+	allow dpkg_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute dpkg_script programs in the dpkg_script domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_domtrans_script',`
+	gen_require(`
+		type dpkg_script_t;
+	')
+
+	# transition to dpkg script:
+	corecmd_shell_domtrans($1,dpkg_script_t)
+
+	allow $1 dpkg_script_t:fd use;
+	allow dpkg_script_t $1:fd use;
+	allow dpkg_script_t $1:fifo_file rw_file_perms;
+	allow dpkg_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute dpkg programs in the dpkg domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the dpkg domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the dpkg domain to use.
+##	</summary>
+## </param>
+#
+interface(`dpkg_run',`
+	gen_require(`
+		type dpkg_t, dpkg_script_t;
+	')
+
+	dpkg_domtrans($1)
+	role $2 types dpkg_t;
+	role $2 types dpkg_script_t;
+	seutil_run_loadpolicy(dpkg_script_t,$2,$3)
+	allow dpkg_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from dpkg.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dpkg_use_fds',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read from an unnamed dpkg pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dpkg_read_pipes',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write an unnamed dpkg pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dpkg_rw_pipes',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from dpkg scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dpkg_use_script_fds',`
+	gen_require(`
+		type dpkg_script_t;
+	')
+
+	allow $1 dpkg_script_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read the dpkg package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dpkg_read_db',`
+	gen_require(`
+		type dpkg_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 dpkg_var_lib_t:dir r_dir_perms;
+	allow $1 dpkg_var_lib_t:file { getattr read };
+	allow $1 dpkg_var_lib_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the dpkg package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dpkg_manage_db',`
+	gen_require(`
+		type dpkg_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 dpkg_var_lib_t:dir rw_dir_perms;
+	allow $1 dpkg_var_lib_t:file manage_file_perms;
+	allow $1 dpkg_var_lib_t:lnk_file { getattr read write unlink };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read, 
+##	write, and delete the dpkg package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dpkg_dontaudit_manage_db',`
+	gen_require(`
+		type dpkg_var_lib_t;
+	')
+
+	dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
+	dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
+	dontaudit $1 dpkg_var_lib_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Lock the dpkg package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dpkg_lock_db',`
+	gen_require(`
+		type dpkg_lock_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 dpkg_var_lib_t:dir r_dir_perms;
+	allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
+')
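Review bot: `dpkg_lock_db` uses `dpkg_var_lib_t` in `allow $1 dpkg_var_lib_t:dir r_dir_perms;` but its `gen_require` block declares only `type dpkg_lock_t;`, so the interface will not compile in a module that has not required that type by other means; change the block to `type dpkg_var_lib_t, dpkg_lock_t;`. The other `dpkg_*_db` interfaces in this file already require `dpkg_var_lib_t` explicitly, so this is the only inconsistent one.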
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
new file mode 100644
index 0000000..12a842b
--- /dev/null
+++ b/policy/modules/admin/dpkg.te
@@ -0,0 +1,339 @@
+
+policy_module(dpkg,1.0.3)
+
+########################################
+#
+# Declarations
+#
+
+type dpkg_t;
+type dpkg_exec_t;
+# dpkg can start/stop services
+init_system_domain(dpkg_t,dpkg_exec_t)
+# dpkg can change file labels, roles, IO
+domain_obj_id_change_exemption(dpkg_t)
+domain_role_change_exemption(dpkg_t)
+domain_system_change_exemption(dpkg_t)
+domain_interactive_fd(dpkg_t)
+role system_r types dpkg_t;
+
+# lockfile
+type dpkg_lock_t;
+files_type(dpkg_lock_t)
+
+type dpkg_tmp_t;
+files_tmp_file(dpkg_tmp_t)
+
+type dpkg_tmpfs_t;
+files_tmpfs_file(dpkg_tmpfs_t)
+
+# status files
+type dpkg_var_lib_t alias var_lib_dpkg_t;
+files_type(dpkg_var_lib_t)
+
+# package scripts
+type dpkg_script_t;
+domain_type(dpkg_script_t)
+domain_entry_file(dpkg_t, dpkg_var_lib_t)
+corecmd_shell_entry_type(dpkg_script_t)
+domain_obj_id_change_exemption(dpkg_script_t)
+domain_system_change_exemption(dpkg_script_t)
+domain_interactive_fd(dpkg_script_t)
+role system_r types dpkg_script_t;
+
+type dpkg_script_tmp_t;
+files_tmp_file(dpkg_script_tmp_t)
+
+type dpkg_script_tmpfs_t;
+files_tmpfs_file(dpkg_script_tmpfs_t)
+
+########################################
+#
+# dpkg Local policy
+#
+
+allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:process { setpgid fork getsched setfscreate };
+allow dpkg_t self:fd use;
+allow dpkg_t self:fifo_file rw_file_perms;
+allow dpkg_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_t self:unix_dgram_socket sendto;
+allow dpkg_t self:unix_stream_socket connectto;
+allow dpkg_t self:udp_socket { connect create_socket_perms };
+allow dpkg_t self:tcp_socket create_stream_socket_perms;
+allow dpkg_t self:shm create_shm_perms;
+allow dpkg_t self:sem create_sem_perms;
+allow dpkg_t self:msgq create_msgq_perms;
+allow dpkg_t self:msg { send receive };
+
+allow dpkg_t dpkg_lock_t:file manage_file_perms;
+
+allow dpkg_t dpkg_tmp_t:dir manage_dir_perms;
+allow dpkg_t dpkg_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
+
+allow dpkg_t dpkg_tmpfs_t:dir manage_dir_perms;
+allow dpkg_t dpkg_tmpfs_t:file manage_file_perms;
+allow dpkg_t dpkg_tmpfs_t:lnk_file manage_file_perms;
+allow dpkg_t dpkg_tmpfs_t:sock_file manage_file_perms;
+allow dpkg_t dpkg_tmpfs_t:fifo_file manage_file_perms;
+fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Access /var/lib/dpkg files
+allow dpkg_t dpkg_var_lib_t:file manage_file_perms;
+allow dpkg_t dpkg_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)
+
+kernel_read_system_state(dpkg_t)
+kernel_read_kernel_sysctls(dpkg_t)
+
+corecmd_exec_all_executables(dpkg_t)
+
+# TODO: do we really need all networking?
+corenet_non_ipsec_sendrecv(dpkg_t)
+corenet_tcp_sendrecv_all_if(dpkg_t)
+corenet_raw_sendrecv_all_if(dpkg_t)
+corenet_udp_sendrecv_all_if(dpkg_t)
+corenet_tcp_sendrecv_all_nodes(dpkg_t)
+corenet_raw_sendrecv_all_nodes(dpkg_t)
+corenet_udp_sendrecv_all_nodes(dpkg_t)
+corenet_tcp_sendrecv_all_ports(dpkg_t)
+corenet_udp_sendrecv_all_ports(dpkg_t)
+corenet_tcp_connect_all_ports(dpkg_t)
+corenet_sendrecv_all_client_packets(dpkg_t)
+
+dev_list_sysfs(dpkg_t)
+dev_list_usbfs(dpkg_t)
+dev_read_urand(dpkg_t)
+#devices_manage_all_device_types(dpkg_t)
+
+domain_read_all_domains_state(dpkg_t)
+domain_getattr_all_domains(dpkg_t)
+domain_dontaudit_ptrace_all_domains(dpkg_t)
+domain_use_interactive_fds(dpkg_t)
+domain_dontaudit_getattr_all_pipes(dpkg_t)
+domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
+domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
+domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
+domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
+
+fs_manage_nfs_dirs(dpkg_t)
+fs_manage_nfs_files(dpkg_t)
+fs_manage_nfs_symlinks(dpkg_t)
+fs_getattr_all_fs(dpkg_t)
+fs_search_auto_mountpoints(dpkg_t)
+
+mls_file_read_up(dpkg_t)
+mls_file_write_down(dpkg_t)
+mls_file_upgrade(dpkg_t)
+
+selinux_get_fs_mount(dpkg_t)
+selinux_validate_context(dpkg_t)
+selinux_compute_access_vector(dpkg_t)
+selinux_compute_create_context(dpkg_t)
+selinux_compute_relabel_context(dpkg_t)
+selinux_compute_user_contexts(dpkg_t)
+
+storage_raw_write_fixed_disk(dpkg_t)
+# for installing kernel packages
+storage_raw_read_fixed_disk(dpkg_t)
+
+term_list_ptys(dpkg_t)
+
+auth_relabel_all_files_except_shadow(dpkg_t)
+auth_manage_all_files_except_shadow(dpkg_t)
+auth_dontaudit_read_shadow(dpkg_t)
+
+files_exec_etc_files(dpkg_t)
+
+init_domtrans_script(dpkg_t)
+
+libs_use_ld_so(dpkg_t)
+libs_use_shared_libs(dpkg_t)
+libs_exec_ld_so(dpkg_t)
+libs_exec_lib_files(dpkg_t)
+libs_domtrans_ldconfig(dpkg_t)
+
+logging_send_syslog_msg(dpkg_t)
+
+# allow compiling and loading new policy
+seutil_manage_src_policy(dpkg_t)
+seutil_manage_bin_policy(dpkg_t)
+
+sysnet_read_config(dpkg_t)
+
+userdom_use_unpriv_users_fds(dpkg_t)
+
+# transition to dpkg script:
+dpkg_domtrans_script(dpkg_t)
+# since the scripts aren't labeled correctly yet...
+allow dpkg_t dpkg_var_lib_t:file execute;
+
+ifdef(`targeted_policy',`
+	unconfined_domain(dpkg_t)
+')
+
+# TODO: allow?
+#optional_policy(`
+#	cron_system_entry(dpkg_t,dpkg_exec_t)
+#')
+
+optional_policy(`
+	nis_use_ypbind(dpkg_t)
+')
+
+# TODO: the following was copied from dpkg_script_t, and could probably
+# be removed again when dpkg_script_t is actually used...
+domain_signal_all_domains(dpkg_t)
+domain_signull_all_domains(dpkg_t)
+files_read_etc_runtime_files(dpkg_t)
+files_exec_usr_files(dpkg_t)
+miscfiles_read_localization(dpkg_t)
+modutils_domtrans_depmod(dpkg_t)
+modutils_domtrans_insmod(dpkg_t)
+seutil_domtrans_loadpolicy(dpkg_t)
+seutil_domtrans_restorecon(dpkg_t)
+userdom_use_all_users_fds(dpkg_t)
+optional_policy(`
+	mta_send_mail(dpkg_t)
+')
+optional_policy(`
+	usermanage_domtrans_groupadd(dpkg_t)
+	usermanage_domtrans_useradd(dpkg_t)
+')
+
+########################################
+#
+# dpkg-script Local policy
+#
+# TODO: actually use dpkg_script_t
+
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:fd use;
+allow dpkg_script_t self:fifo_file rw_file_perms;
+allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_script_t self:unix_dgram_socket sendto;
+allow dpkg_script_t self:unix_stream_socket connectto;
+allow dpkg_script_t self:shm create_shm_perms;
+allow dpkg_script_t self:sem create_sem_perms;
+allow dpkg_script_t self:msgq create_msgq_perms;
+allow dpkg_script_t self:msg { send receive };
+
+allow dpkg_script_t dpkg_tmp_t:file r_file_perms;
+
+allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
+allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
+
+allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file create_lnk_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_file_perms;
+fs_tmpfs_filetrans(dpkg_script_t,dpkg_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(dpkg_script_t)
+kernel_read_system_state(dpkg_script_t)
+
+corecmd_exec_all_executables(dpkg_script_t)
+
+dev_list_sysfs(dpkg_script_t)
+# ideally we would not need this
+dev_manage_generic_blk_files(dpkg_script_t)
+dev_manage_generic_chr_files(dpkg_script_t)
+dev_manage_all_blk_files(dpkg_script_t)
+dev_manage_all_chr_files(dpkg_script_t)
+
+domain_read_all_domains_state(dpkg_script_t)
+domain_getattr_all_domains(dpkg_script_t)
+domain_dontaudit_ptrace_all_domains(dpkg_script_t)
+domain_use_interactive_fds(dpkg_script_t)
+domain_signal_all_domains(dpkg_script_t)
+domain_signull_all_domains(dpkg_script_t)
+
+files_exec_etc_files(dpkg_script_t)
+files_read_etc_runtime_files(dpkg_script_t)
+files_exec_usr_files(dpkg_script_t)
+
+fs_manage_nfs_files(dpkg_script_t)
+fs_getattr_nfs(dpkg_script_t)
+# why is this not using mount?
+fs_getattr_xattr_fs(dpkg_script_t)
+fs_mount_xattr_fs(dpkg_script_t)
+fs_unmount_xattr_fs(dpkg_script_t)
+fs_search_auto_mountpoints(dpkg_script_t)
+
+mls_file_read_up(dpkg_script_t)
+mls_file_write_down(dpkg_script_t)
+
+selinux_get_fs_mount(dpkg_script_t)
+selinux_validate_context(dpkg_script_t)
+selinux_compute_access_vector(dpkg_script_t)
+selinux_compute_create_context(dpkg_script_t)
+selinux_compute_relabel_context(dpkg_script_t)
+selinux_compute_user_contexts(dpkg_script_t)
+
+storage_raw_read_fixed_disk(dpkg_script_t)
+storage_raw_write_fixed_disk(dpkg_script_t)
+
+term_getattr_unallocated_ttys(dpkg_script_t)
+term_list_ptys(dpkg_script_t)
+term_use_all_terms(dpkg_script_t)
+
+auth_dontaudit_getattr_shadow(dpkg_script_t)
+# ideally we would not need this
+auth_manage_all_files_except_shadow(dpkg_script_t)
+
+init_domtrans_script(dpkg_script_t)
+
+libs_use_ld_so(dpkg_script_t)
+libs_use_shared_libs(dpkg_script_t)
+libs_exec_ld_so(dpkg_script_t)
+libs_exec_lib_files(dpkg_script_t)
+libs_domtrans_ldconfig(dpkg_script_t)
+
+logging_send_syslog_msg(dpkg_script_t)
+
+miscfiles_read_localization(dpkg_script_t)
+
+modutils_domtrans_depmod(dpkg_script_t)
+modutils_domtrans_insmod(dpkg_script_t)
+
+seutil_domtrans_loadpolicy(dpkg_script_t)
+seutil_domtrans_restorecon(dpkg_script_t)
+
+userdom_use_all_users_fds(dpkg_script_t)
+
+ifdef(`distro_redhat',`
+	unconfined_domain(dpkg_script_t)
+')
+
+ifdef(`targeted_policy',`
+	unconfined_domain(dpkg_script_t)
+',`
+	optional_policy(`
+		bootloader_domtrans(dpkg_script_t)
+	')
+')
+
+tunable_policy(`allow_execmem',`
+	allow dpkg_script_t self:process execmem;
+')
+
+optional_policy(`
+	mta_send_mail(dpkg_script_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(dpkg_script_t)
+')
+
+optional_policy(`
+	usermanage_domtrans_groupadd(dpkg_script_t)
+	usermanage_domtrans_useradd(dpkg_script_t)
+')
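Review bot: In the "package scripts" declarations, `domain_entry_file(dpkg_t, dpkg_var_lib_t)` makes the writable package-database type an entrypoint for the highly privileged `dpkg_t` domain, while every neighbouring line targets `dpkg_script_t` and the later rule `allow dpkg_t dpkg_var_lib_t:file execute;` (commented "since the scripts aren't labeled correctly yet") would be redundant if this line were really meant for `dpkg_t`; it looks like a typo for `domain_entry_file(dpkg_script_t, dpkg_var_lib_t)`. If it is intentional it needs a comment, because any domain granted `dpkg_manage_db` can then create files that enter `dpkg_t`, which holds `setuid`, `dac_override`, raw fixed-disk write and policy-load rights. The `# TODO: do we really need all networking?` block is worth resolving for the same reason: a domain with these capabilities should not also have unrestricted TCP connect to all ports unless a concrete need is recorded.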
diff --git a/policy/modules/admin/firstboot.fc b/policy/modules/admin/firstboot.fc
new file mode 100644
index 0000000..ab57cde
--- /dev/null
+++ b/policy/modules/admin/firstboot.fc
@@ -0,0 +1,5 @@
+# firstboot
+/usr/sbin/firstboot		--	gen_context(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/share/firstboot			gen_context(system_u:object_r:firstboot_rw_t,s0)
+/usr/share/firstboot/firstboot\.py --	gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
new file mode 100644
index 0000000..ceb0580
--- /dev/null
+++ b/policy/modules/admin/firstboot.if
@@ -0,0 +1,130 @@
+## <summary>
+##	Final system configuration run during the first boot
+##	after installation of Red Hat/Fedora systems.
+## </summary>
+
+########################################
+## <summary>
+##	Execute firstboot in the firstboot domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`firstboot_domtrans',`
+	gen_require(`
+		type firstboot_t, firstboot_exec_t;
+	')
+
+	domain_auto_trans($1,firstboot_exec_t,firstboot_t)
+
+	allow $1 firstboot_t:fd use;
+	allow firstboot_t $1:fd use;
+	allow firstboot_t $1:fifo_file rw_file_perms;
+	allow firstboot_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute firstboot in the firstboot domain, and
+##	allow the specified role the firstboot domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the firstboot domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the firstboot domain to use.
+##	</summary>
+## </param>
+#
+interface(`firstboot_run',`
+	gen_require(`
+		type firstboot_t;
+	')
+
+	firstboot_domtrans($1)
+	role $2 types firstboot_t;
+	allow firstboot_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Inherit and use a file descriptor from firstboot.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`firstboot_use_fds',`
+	gen_require(`
+		type firstboot_t;
+	')
+
+	allow $1 firstboot_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit a
+##	file descriptor from firstboot.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`firstboot_dontaudit_use_fds',`
+	gen_require(`
+		type firstboot_t;
+	')
+
+	dontaudit $1 firstboot_t:fd use;
+')
+
+########################################
+## <summary>
+##	Write to a firstboot unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`firstboot_write_pipes',`
+	gen_require(`
+		type firstboot_t;
+	')
+
+	allow $1 firstboot_t:fifo_file write;
+')
+########################################
+## <summary>
+##	Read firstboot writable config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`firstboot_read_rw_files',`
+	gen_require(`
+		type firstboot_rw_t;
+	')
+
+	allow $1 firstboot_rw_t:file r_file_perms;
+')
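Review bot: The header comment of `firstboot_read_rw_files` follows the closing `')` of `firstboot_write_pipes` with no blank line before the `####` separator, unlike every other interface in this file and the neighbouring modules; insert a blank line there. The summary "Read firstboot writable config files." also describes `firstboot_rw_t`, which the .fc applies to `/usr/share/firstboot` rather than a configuration path, so `Read the writable firstboot data files under /usr/share/firstboot.` would match the labeling better.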
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
new file mode 100644
index 0000000..b03616f
--- /dev/null
+++ b/policy/modules/admin/firstboot.te
@@ -0,0 +1,138 @@
+
+policy_module(firstboot,1.1.2)
+
+gen_require(`
+	class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+type firstboot_t;
+type firstboot_exec_t;
+init_system_domain(firstboot_t,firstboot_exec_t)
+domain_obj_id_change_exemption(firstboot_t)
+domain_subj_id_change_exemption(firstboot_t)
+role system_r types firstboot_t;
+
+type firstboot_etc_t;
+files_config_file(firstboot_etc_t)
+
+type firstboot_rw_t;
+files_type(firstboot_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:process setfscreate;
+allow firstboot_t self:file { read write };
+allow firstboot_t self:fifo_file { getattr read write };
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
+allow firstboot_t self:passwd rootok;
+
+allow firstboot_t firstboot_etc_t:file { getattr read };
+
+allow firstboot_t firstboot_rw_t:dir create_dir_perms;
+allow firstboot_t firstboot_rw_t:file create_file_perms;
+files_etc_filetrans(firstboot_t,firstboot_rw_t,file)
+
+# The big hammer
+unconfined_domain(firstboot_t) 
+
+kernel_read_system_state(firstboot_t)
+kernel_read_kernel_sysctls(firstboot_t)
+
+corenet_non_ipsec_sendrecv(firstboot_t)
+corenet_tcp_sendrecv_all_if(firstboot_t)
+corenet_tcp_sendrecv_all_nodes(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
+
+dev_read_urand(firstboot_t)
+
+selinux_get_fs_mount(firstboot_t)
+selinux_validate_context(firstboot_t)
+selinux_compute_access_vector(firstboot_t)
+selinux_compute_create_context(firstboot_t)
+selinux_compute_relabel_context(firstboot_t)
+selinux_compute_user_contexts(firstboot_t)
+
+auth_dontaudit_getattr_shadow(firstboot_t)
+
+corecmd_exec_all_executables(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_read_etc_runtime_files(firstboot_t)
+files_read_usr_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+
+init_domtrans_script(firstboot_t)
+init_rw_utmp(firstboot_t)
+
+libs_use_ld_so(firstboot_t)
+libs_use_shared_libs(firstboot_t)
+libs_exec_ld_so(firstboot_t)
+libs_exec_lib_files(firstboot_t)
+
+locallogin_use_fds(firstboot_t)
+
+logging_send_syslog_msg(firstboot_t)
+
+miscfiles_read_localization(firstboot_t)
+
+modutils_domtrans_insmod(firstboot_t)
+modutils_read_module_config(firstboot_t)
+modutils_read_module_deps(firstboot_t)
+
+# Add/remove user home directories
+userdom_manage_generic_user_home_content_dirs(firstboot_t)
+userdom_manage_generic_user_home_content_files(firstboot_t)
+userdom_manage_generic_user_home_content_symlinks(firstboot_t)
+userdom_manage_generic_user_home_content_pipes(firstboot_t)
+userdom_manage_generic_user_home_content_sockets(firstboot_t)
+userdom_home_filetrans_generic_user_home_dir(firstboot_t)
+userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+
+ifdef(`targeted_policy',`
+	unconfined_domtrans(firstboot_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(firstboot_t)
+')
+
+optional_policy(`
+	samba_rw_config(firstboot_t)
+')
+
+optional_policy(`
+	usermanage_domtrans_chfn(firstboot_t)
+	usermanage_domtrans_groupadd(firstboot_t)
+	usermanage_domtrans_passwd(firstboot_t)
+	usermanage_domtrans_useradd(firstboot_t)
+')
+
+ifdef(`TODO',`
+allow firstboot_t proc_t:file write;
+
+ifdef(`printconf.te', `
+	can_exec(firstboot_t, printconf_t)
+')
+
+ifdef(`userhelper.te', `
+	role system_r types sysadm_userhelper_t;
+	domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
+ifdef(`xserver.te', `
+	domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
+')
+') dnl end TODO
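Review bot: `unconfined_domain(firstboot_t)` under the "big hammer" comment is unconditional, so every fine-grained rule that follows it — the capability set, the corenet/selinux/userdom interfaces, the usermanage transitions — is dead policy in both strict and targeted builds, and the domain can never be tightened without first noticing that one line. The other modules in this commit (kudzu.te, logrotate.te, mrtg.te) keep the same escape hatch inside their targeted_policy ifdef block, and this file already has such a block for `unconfined_domtrans(firstboot_t)`; moving the `unconfined_domain(firstboot_t)` call into that block is the one-line fix that makes the strict-policy rules meaningful. If the unconditional grant is deliberate because firstboot runs arbitrary installer scripts, say that in the comment instead of "The big hammer" and delete the now-redundant rules so the file stops pretending to confine. `allow firstboot_t self:passwd rootok;` also deserves a one-line comment, since `passwd rootok` is a userspace object class (the gen_require at the top declares it) and its meaning is decided by the passwd binary rather than the kernel.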
diff --git a/policy/modules/admin/kudzu.fc b/policy/modules/admin/kudzu.fc
new file mode 100644
index 0000000..dd88f74
--- /dev/null
+++ b/policy/modules/admin/kudzu.fc
@@ -0,0 +1,5 @@
+
+/sbin/kmodule	--	gen_context(system_u:object_r:kudzu_exec_t,s0)
+/sbin/kudzu	--	gen_context(system_u:object_r:kudzu_exec_t,s0)
+
+/usr/sbin/kudzu	--	gen_context(system_u:object_r:kudzu_exec_t,s0)
diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if
new file mode 100644
index 0000000..605a394
--- /dev/null
+++ b/policy/modules/admin/kudzu.if
@@ -0,0 +1,74 @@
+## <summary>Hardware detection and configuration tools</summary>
+
+########################################
+## <summary>
+##	Execute kudzu in the kudzu domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`kudzu_domtrans',`
+	gen_require(`
+		type kudzu_t, kudzu_exec_t;
+	')
+
+	domain_auto_trans($1,kudzu_exec_t,kudzu_t)
+
+	allow $1 kudzu_t:fd use;
+	allow kudzu_t $1:fd use;
+	allow kudzu_t $1:fifo_file rw_file_perms;
+	allow kudzu_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute kudzu in the kudzu domain, and
+##	allow the specified role the kudzu domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the kudzu domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the kudzu domain to use.
+##	</summary>
+## </param>
+#
+interface(`kudzu_run',`
+	gen_require(`
+		type kudzu_t;
+	')
+
+	kudzu_domtrans($1)
+	role $2 types kudzu_t;
+	allow kudzu_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Get attributes of kudzu executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+# cjp: added for ddcprobe
+interface(`kudzu_getattr_exec_files',`
+	gen_require(`
+		type kudzu_exec_t;
+	')
+
+	allow $1 kudzu_exec_t:file getattr;
+')
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
new file mode 100644
index 0000000..481f0d5
--- /dev/null
+++ b/policy/modules/admin/kudzu.te
@@ -0,0 +1,169 @@
+
+policy_module(kudzu,1.2.1)
+
+########################################
+#
+# Declarations
+#
+
+type kudzu_t;
+type kudzu_exec_t;
+init_system_domain(kudzu_t,kudzu_exec_t)
+
+type kudzu_tmp_t;
+files_tmp_file(kudzu_tmp_t)
+
+type kudzu_var_run_t;
+files_pid_file(kudzu_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
+allow kudzu_t self:process { signal_perms execmem };
+allow kudzu_t self:fifo_file rw_file_perms;
+allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow kudzu_t self:unix_dgram_socket create_socket_perms;
+allow kudzu_t self:udp_socket { create ioctl };
+
+allow kudzu_t kudzu_tmp_t:dir create_file_perms;
+allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
+files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
+
+allow kudzu_t kudzu_var_run_t:file create_file_perms;
+allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
+files_pid_filetrans(kudzu_t,kudzu_var_run_t,file)
+
+kernel_change_ring_buffer_level(kudzu_t)
+kernel_list_proc(kudzu_t)
+kernel_read_device_sysctls(kudzu_t)
+kernel_read_kernel_sysctls(kudzu_t)
+kernel_read_proc_symlinks(kudzu_t)
+kernel_read_network_state(kudzu_t)
+kernel_read_system_state(kudzu_t)
+kernel_rw_hotplug_sysctls(kudzu_t)
+kernel_rw_kernel_sysctl(kudzu_t)
+
+files_read_kernel_modules(kudzu_t)
+
+dev_list_sysfs(kudzu_t)
+dev_read_usbfs(kudzu_t)
+dev_read_sysfs(kudzu_t)
+dev_rx_raw_memory(kudzu_t)
+dev_wx_raw_memory(kudzu_t)
+dev_rw_mouse(kudzu_t)
+dev_rwx_zero(kudzu_t)
+
+fs_search_auto_mountpoints(kudzu_t)
+fs_search_ramfs(kudzu_t)
+fs_write_ramfs_sockets(kudzu_t)
+
+mls_file_read_up(kudzu_t)
+mls_file_write_down(kudzu_t)
+
+modutils_read_module_deps(kudzu_t)
+modutils_read_module_config(kudzu_t)
+modutils_rename_module_config(kudzu_t)
+
+storage_read_scsi_generic(kudzu_t)
+storage_read_tape(kudzu_t)
+storage_raw_write_fixed_disk(kudzu_t)
+storage_raw_write_removable_device(kudzu_t)
+storage_raw_read_fixed_disk(kudzu_t)
+storage_raw_read_removable_device(kudzu_t)
+
+term_search_ptys(kudzu_t)
+term_dontaudit_use_console(kudzu_t)
+# so it can write messages to the console
+term_use_unallocated_ttys(kudzu_t)
+
+corecmd_exec_all_executables(kudzu_t)
+
+domain_use_interactive_fds(kudzu_t)
+
+files_search_var(kudzu_t)
+files_search_locks(kudzu_t)
+files_manage_etc_files(kudzu_t)
+files_manage_etc_runtime_files(kudzu_t)
+files_etc_filetrans_etc_runtime(kudzu_t,file)
+files_manage_mnt_files(kudzu_t)
+files_manage_mnt_symlinks(kudzu_t)
+files_dontaudit_search_src(kudzu_t)
+# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
+files_read_usr_files(kudzu_t)
+# for /etc/sysconfig/hwconf - probably need a new type
+files_rw_etc_runtime_files(kudzu_t)
+# for file systems that are not yet mounted
+files_dontaudit_search_isid_type_dirs(kudzu_t)
+
+init_use_fds(kudzu_t)
+init_use_script_ptys(kudzu_t)
+init_stream_connect_script(kudzu_t)
+
+libs_use_ld_so(kudzu_t)
+libs_use_shared_libs(kudzu_t)
+# Read /usr/lib/gconv/gconv-modules.*
+libs_read_lib_files(kudzu_t)
+
+logging_send_syslog_msg(kudzu_t)
+
+miscfiles_read_hwdata(kudzu_t)
+miscfiles_read_localization(kudzu_t)
+
+modutils_read_module_config(kudzu_t)
+modutils_domtrans_insmod(kudzu_t)
+
+sysnet_read_config(kudzu_t)
+
+userdom_search_sysadm_home_dirs(kudzu_t)
+userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
+
+ifdef(`targeted_policy',`
+        term_dontaudit_use_unallocated_ttys(kudzu_t)
+        term_dontaudit_use_generic_ptys(kudzu_t)
+        files_dontaudit_read_root_files(kudzu_t)
+
+	# cjp: this was originally in the else block
+	# of ifdef userhelper.te, but it seems to
+	# make more sense here.  also, require
+	# blocks curently do not work in the
+	# else block of optionals
+	unconfined_domain(kudzu_t)
+')
+
+optional_policy(`
+	gpm_getattr_gpmctl(kudzu_t)
+')
+
+optional_policy(`
+	nscd_socket_use(kudzu_t)
+')
+
+optional_policy(`
+        seutil_sigchld_newrole(kudzu_t)
+')
+
+optional_policy(`
+        udev_read_db(kudzu_t)
+')
+
+ifdef(`TODO',`
+allow kudzu_t modules_conf_t:file unlink;
+optional_policy(`
+	allow kudzu_t printconf_t:file { getattr read };
+')
+optional_policy(`
+	allow kudzu_t xserver_exec_t:file getattr;
+')
+optional_policy(`
+	allow kudzu_t rhgb_t:unix_stream_socket connectto;
+')
+optional_policy(`
+	role system_r types sysadm_userhelper_t;
+	domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
+')
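Review bot: `dontaudit kudzu_t self:capability sys_tty_config;` is a no-op because the `allow` line directly above it already grants `sys_tty_config`; dontaudit only suppresses denials, so keep the dontaudit and drop the capability from the allow set, which is the pattern mrtg.te in this same commit uses. `modutils_read_module_config(kudzu_t)` is also called twice in this file. More substantively, `sys_rawio` plus `dev_wx_raw_memory`, `storage_raw_write_fixed_disk` and `corecmd_exec_all_executables` give this domain kernel-equivalent reach even in the strict build, and nothing in the file says why; a comment above the dev_/storage_ block such as `# kudzu probes hardware through /dev/mem and raw disk access; a compromise of this domain is equivalent to root` tells a policy reader what they are accepting. The `mknod` capability paired with `chr_file` creation in `kudzu_tmp_t` lets device nodes be created under /tmp, which is worth a similar one-liner if it only serves a transient probe node, and the targeted_policy and optional blocks mix spaces and tabs for indentation.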
diff --git a/policy/modules/admin/logrotate.fc b/policy/modules/admin/logrotate.fc
new file mode 100644
index 0000000..483c261
--- /dev/null
+++ b/policy/modules/admin/logrotate.fc
@@ -0,0 +1,16 @@
+/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+/usr/sbin/logcheck	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
+/usr/sbin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+/var/lib/logcheck(/.*)?		gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+
+# using a hard-coded name under /var/tmp is a bug - new version fixes it
+/var/tmp/logcheck	-d	gen_context(system_u:object_r:logrotate_tmp_t,s0)
+
+ifdef(`distro_debian', `
+/usr/bin/savelog	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
+/var/lib/logrotate(/.*)?	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+', `
+/var/lib/logrotate\.status --	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+')
diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if
new file mode 100644
index 0000000..988ddfc
--- /dev/null
+++ b/policy/modules/admin/logrotate.if
@@ -0,0 +1,128 @@
+## <summary>Rotate and archive system logs</summary>
+
+########################################
+## <summary>
+##	Execute logrotate in the logrotate domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`logrotate_domtrans',`
+	gen_require(`
+		type logrotate_t, logrotate_exec_t;
+	')
+
+	domain_auto_trans($1,logrotate_exec_t,logrotate_t)
+
+	allow $1 logrotate_t:fd use;
+	allow logrotate_t $1:fd use;
+	allow logrotate_t $1:fifo_file rw_file_perms;
+	allow logrotate_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute logrotate in the logrotate domain, and
+##	allow the specified role the logrotate domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the logrotate domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the logrotate domain to use.
+##	</summary>
+## </param>
+#
+interface(`logrotate_run',`
+	gen_require(`
+		type logrotate_t;
+	')
+
+	logrotate_domtrans($1)
+	role $2 types logrotate_t;
+	allow logrotate_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute logrotate in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`logrotate_exec',`
+	gen_require(`
+		type logrotate_exec_t;
+	')
+
+	can_exec($1,logrotate_exec_t)
+')
+
+########################################
+## <summary>
+##	Inherit and use logrotate file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logrotate_use_fds',`
+	gen_require(`
+		type logrotate_t;
+	')
+
+	allow $1 logrotate_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit logrotate file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`logrotate_dontaudit_use_fds',`
+	gen_require(`
+		type logrotate_t;
+	')
+
+	dontaudit $1 logrotate_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read a logrotate temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`logrotate_read_tmp_files',`
+	gen_require(`
+		type logrotate_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 logrotate_tmp_t:file r_file_perms;
+')
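Review bot: The `domain` parameter of `logrotate_read_tmp_files` is documented as `The type of the process to not audit.`, copied from the dontaudit interface above it; this interface grants access, so the summary should read `Domain allowed access.` as in `logrotate_use_fds`. The interface summary `Read a logrotate temporary files.` should likewise be `Read logrotate temporary files.`. Both are documentation-only; the rules themselves follow the usual tmp pattern (`files_search_tmp` plus `r_file_perms`).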
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
new file mode 100644
index 0000000..0352a4c
--- /dev/null
+++ b/policy/modules/admin/logrotate.te
@@ -0,0 +1,211 @@
+
+policy_module(logrotate,1.2.1)
+
+########################################
+#
+# Declarations
+#
+
+type logrotate_t;
+domain_type(logrotate_t)
+domain_obj_id_change_exemption(logrotate_t)
+domain_system_change_exemption(logrotate_t)
+role system_r types logrotate_t;
+
+type logrotate_exec_t;
+domain_entry_file(logrotate_t,logrotate_exec_t)
+
+type logrotate_lock_t;
+files_lock_file(logrotate_lock_t)
+
+type logrotate_tmp_t;
+files_tmp_file(logrotate_tmp_t)
+
+type logrotate_var_lib_t;
+files_type(logrotate_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
+# for mailx
+dontaudit logrotate_t self:capability { setuid setgid };
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+# Set a context other than the default one for newly created files.
+allow logrotate_t self:process setfscreate;
+
+allow logrotate_t self:fd use;
+allow logrotate_t self:fifo_file rw_file_perms;
+allow logrotate_t self:unix_dgram_socket create_socket_perms;
+allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
+allow logrotate_t self:unix_dgram_socket sendto;
+allow logrotate_t self:unix_stream_socket connectto;
+allow logrotate_t self:shm create_shm_perms;
+allow logrotate_t self:sem create_sem_perms;
+allow logrotate_t self:msgq create_msgq_perms;
+allow logrotate_t self:msg { send receive };
+
+allow logrotate_t logrotate_lock_t:file create_file_perms;
+files_lock_filetrans(logrotate_t,logrotate_lock_t,file)
+
+can_exec(logrotate_t, logrotate_tmp_t)
+
+allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
+allow logrotate_t logrotate_tmp_t:file create_file_perms;
+files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+
+# for /var/lib/logrotate.status and /var/lib/logcheck
+allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
+allow logrotate_t logrotate_var_lib_t:file create_file_perms;
+files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+
+kernel_read_system_state(logrotate_t)
+kernel_read_kernel_sysctls(logrotate_t)
+
+dev_read_urand(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_xattr_fs(logrotate_t)
+
+mls_file_read_up(logrotate_t)
+mls_file_write_down(logrotate_t)
+mls_file_upgrade(logrotate_t)
+
+selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
+
+auth_manage_login_records(logrotate_t)
+
+# Run helper programs.
+corecmd_exec_bin(logrotate_t)
+corecmd_exec_sbin(logrotate_t)
+corecmd_exec_shell(logrotate_t)
+corecmd_exec_ls(logrotate_t)
+
+domain_signal_all_domains(logrotate_t)
+domain_use_interactive_fds(logrotate_t)
+domain_getattr_all_entry_files(logrotate_t)
+# Read /proc/PID directories for all domains.
+domain_read_all_domains_state(logrotate_t)
+
+files_read_usr_files(logrotate_t)
+files_read_etc_files(logrotate_t)
+files_read_etc_runtime_files(logrotate_t)
+files_read_all_pids(logrotate_t)
+# Write to /var/spool/slrnpull - should be moved into its own type.
+files_manage_generic_spool(logrotate_t)
+files_manage_generic_spool_dirs(logrotate_t)
+
+# cjp: why is this needed?
+init_domtrans_script(logrotate_t)
+
+logging_manage_all_logs(logrotate_t)
+logging_send_syslog_msg(logrotate_t)
+# cjp: why is this needed?
+logging_exec_all_logs(logrotate_t)
+
+libs_use_ld_so(logrotate_t)
+libs_use_shared_libs(logrotate_t)
+
+miscfiles_read_localization(logrotate_t)
+
+seutil_dontaudit_read_config(logrotate_t)
+
+sysnet_read_config(logrotate_t)
+
+userdom_use_unpriv_users_fds(logrotate_t)
+
+cron_system_entry(logrotate_t, logrotate_exec_t)
+cron_search_spool(logrotate_t)
+
+mta_send_mail(logrotate_t)
+
+ifdef(`distro_debian', `
+	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+	# for savelog
+	can_exec(logrotate_t, logrotate_exec_t)
+')
+
+ifdef(`targeted_policy',`
+	unconfined_domain(logrotate_t)
+')
+
+optional_policy(`
+	acct_domtrans(logrotate_t)
+	acct_manage_data(logrotate_t)
+	acct_exec_data(logrotate_t)
+')
+
+optional_policy(`
+	apache_read_config(logrotate_t)
+	apache_domtrans(logrotate_t)
+	apache_signull(logrotate_t)
+')
+
+optional_policy(`
+	consoletype_exec(logrotate_t)
+')
+
+optional_policy(`
+	cups_domtrans(logrotate_t)
+')
+
+optional_policy(`
+	hostname_exec(logrotate_t)
+')
+
+optional_policy(`
+	samba_exec_log(logrotate_t)
+')
+
+optional_policy(`
+	mailman_exec(logrotate_t)
+	mailman_search_data(logrotate_t)
+	mailman_manage_log(logrotate_t)
+')
+
+optional_policy(`
+	munin_read_config(logrotate_t)
+	munin_stream_connect(logrotate_t)
+	munin_search_lib(logrotate_t)
+')
+
+optional_policy(`
+	mysql_read_config(logrotate_t)
+	mysql_search_db(logrotate_t)
+	mysql_stream_connect(logrotate_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(logrotate_t)
+')
+
+optional_policy(`
+	nscd_socket_use(logrotate_t)
+')
+
+optional_policy(`
+	slrnpull_manage_spool(logrotate_t)
+')
+
+optional_policy(`
+	# cjp: why?
+	squid_domtrans(logrotate_t)
+')
+
+ifdef(`TODO',`
+# it should not require this
+allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
+
+# for /var/backups on Debian
+ifdef(`backup.te', `
+rw_dir_create_file(logrotate_t, backup_store_t)
+')
+
+allow logrotate_t syslogd_exec_t:file r_file_perms;
+') dnl end TODO
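Review bot: `allow logrotate_t self:process setfscreate;` contradicts the rule three lines above it, which grants every process permission except a negated set that explicitly lists `setfscreate`; the net effect is that setfscreate is allowed, so the exclusion misleads anyone auditing the `~{ ... }` list. Either remove `setfscreate` from the negated set or drop the separate allow, and keep the "Set a context other than the default one" comment with whichever line survives. Separately, `logging_exec_all_logs(logrotate_t)` together with `logging_manage_all_logs(logrotate_t)` lets this domain both write and execute every file of every log type — log files routinely contain attacker-influenced content — and the author's own `# cjp: why is this needed?` marks it as unexplained, as it does for `init_domtrans_script` and the `squid_domtrans` optional block. Until a concrete consumer is named, those rules are better removed or placed under a tunable with a comment identifying the script that needs them.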
diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc
new file mode 100644
index 0000000..67ff2c1
--- /dev/null
+++ b/policy/modules/admin/logwatch.fc
@@ -0,0 +1,4 @@
+
+/usr/share/logwatch/scripts/logwatch.pl	--	gen_context(system_u:object_r:logwatch_exec_t, s0)
+
+/var/cache/logwatch(/.*)?			gen_context(system_u:object_r:logwatch_cache_t, s0)
diff --git a/policy/modules/admin/logwatch.if b/policy/modules/admin/logwatch.if
new file mode 100644
index 0000000..3de6722
--- /dev/null
+++ b/policy/modules/admin/logwatch.if
@@ -0,0 +1,20 @@
+## <summary>System log analyzer and reporter</summary>
+
+########################################
+## <summary>
+##	Read logwatch temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logwatch_read_tmp_files',`
+	gen_require(`
+		type logwatch_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 logwatch_tmp_t:file r_file_perms;
+')
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
new file mode 100644
index 0000000..d879781
--- /dev/null
+++ b/policy/modules/admin/logwatch.te
@@ -0,0 +1,113 @@
+
+policy_module(logwatch,1.1.2)
+
+#################################
+#
+# Declarations
+#
+
+type logwatch_t;
+type logwatch_exec_t;
+domain_type(logwatch_t)
+domain_entry_file(logwatch_t,logwatch_exec_t)
+role system_r types logwatch_t;
+
+type logwatch_cache_t;
+files_type(logwatch_cache_t)
+
+type logwatch_tmp_t;
+files_tmp_file(logwatch_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow logwatch_t self:capability { dac_override dac_read_search setgid };
+allow logwatch_t self:fifo_file rw_file_perms;
+allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
+
+allow logwatch_t logwatch_cache_t:dir create_dir_perms;
+allow logwatch_t logwatch_cache_t:file create_file_perms;
+
+allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
+allow logwatch_t logwatch_tmp_t:file create_file_perms;
+files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
+
+kernel_read_fs_sysctls(logwatch_t)
+kernel_read_kernel_sysctls(logwatch_t)
+kernel_read_system_state(logwatch_t)
+
+corecmd_read_sbin_symlinks(logwatch_t)
+corecmd_read_sbin_files(logwatch_t)
+corecmd_exec_bin(logwatch_t)
+corecmd_exec_shell(logwatch_t)
+
+dev_read_urand(logwatch_t)
+
+# Read /proc/PID directories for all domains.
+domain_read_all_domains_state(logwatch_t)
+
+files_read_etc_files(logwatch_t)
+files_read_etc_runtime_files(logwatch_t)
+files_read_usr_files(logwatch_t)
+files_search_spool(logwatch_t)
+files_search_mnt(logwatch_t)
+files_dontaudit_search_home(logwatch_t)
+
+fs_getattr_all_fs(logwatch_t)
+
+term_dontaudit_getattr_pty_dirs(logwatch_t)
+term_dontaudit_list_ptys(logwatch_t)
+
+auth_dontaudit_read_shadow(logwatch_t)
+
+libs_use_ld_so(logwatch_t)
+libs_use_shared_libs(logwatch_t)
+libs_read_lib_files(logwatch_t)
+
+logging_read_all_logs(logwatch_t)
+
+miscfiles_read_localization(logwatch_t)
+
+selinux_dontaudit_getattr_dir(logwatch_t)
+
+sysnet_dns_name_resolve(logwatch_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
+userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
+
+mta_send_mail(logwatch_t)
+
+optional_policy(`
+	apache_read_log(logwatch_t)
+')
+
+optional_policy(`
+	bind_read_config(logwatch_t)
+	bind_read_zone(logwatch_t)
+')
+
+optional_policy(`
+	cron_system_entry(logwatch_t, logwatch_exec_t)
+')
+
+optional_policy(`
+	mta_getattr_spool(logwatch_t)
+')
+
+optional_policy(`
+	nscd_socket_use(logwatch_t)
+')
+
+optional_policy(`
+	ntp_domtrans(logwatch_t)
+')
+
+optional_policy(`
+	rpc_search_nfs_state_data(logwatch_t)
+')
+
+optional_policy(`
+	samba_read_log(logwatch_t)
+')
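Review bot: `ntp_domtrans(logwatch_t)` is the only domain transition this analyzer gets and nothing explains why a log reporter needs to enter the ntp daemon domain; presumably one of logwatch's service scripts invokes an ntp client to collect peer status, but that is a guess and the line should say so, e.g. `# logwatch's ntp service script runs an ntp client binary labeled ntp_exec_t — TODO confirm which`. A similar one-liner belongs on `auth_dontaudit_read_shadow(logwatch_t)`: without it the next reader cannot tell whether a script merely stats /etc/shadow while scanning or whether the suppressed denial hides a real read that should be fixed in the script instead.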
diff --git a/policy/modules/admin/metadata.xml b/policy/modules/admin/metadata.xml
new file mode 100644
index 0000000..bd8d174
--- /dev/null
+++ b/policy/modules/admin/metadata.xml
@@ -0,0 +1,3 @@
+<summary>
+	Policy modules for administrative functions, such as package management.
+</summary>
diff --git a/policy/modules/admin/mrtg.fc b/policy/modules/admin/mrtg.fc
new file mode 100644
index 0000000..c59caa5
--- /dev/null
+++ b/policy/modules/admin/mrtg.fc
@@ -0,0 +1,18 @@
+#
+# /etc
+#
+/etc/mrtg.*			gen_context(system_u:object_r:mrtg_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/mrtg		--	gen_context(system_u:object_r:mrtg_exec_t,s0)
+/etc/mrtg/mrtg\.ok	--	gen_context(system_u:object_r:mrtg_lock_t,s0)
+
+#
+# /var
+#
+/var/lib/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_var_lib_t,s0)
+/var/lock/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_lock_t,s0)
+/var/log/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_log_t,s0)
+
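Review bot: `/etc/mrtg/mrtg\.ok` is filed under the `# /usr` heading although it is an /etc path, and `/etc/mrtg.*` is an unanchored pattern that matches any path beginning with `/etc/mrtg`, not just the config directory and `/etc/mrtg.cfg`. If both the directory and the flat config file need `mrtg_etc_t`, `/etc/mrtg(/.*)?` plus `/etc/mrtg\.cfg --` say that explicitly and stop labeling unrelated siblings; the `mrtg\.ok` entry should then move under the `# /etc` heading next to them, with a comment noting that it deliberately overrides the directory pattern (its longer stem makes it win).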
diff --git a/policy/modules/admin/mrtg.if b/policy/modules/admin/mrtg.if
new file mode 100644
index 0000000..fab860b
--- /dev/null
+++ b/policy/modules/admin/mrtg.if
@@ -0,0 +1,19 @@
+## <summary>Network traffic graphing</summary>
+
+########################################
+## <summary>
+##	Create and append mrtg logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mrtg_append_create_logs',`
+	gen_require(`
+		type mrtg_log_t;
+	')
+	allow $1 mrtg_log_t:dir rw_dir_perms;
+	allow $1 mrtg_log_t:file { create append getattr };
+')
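Review bot: `mrtg_append_create_logs` grants access to `mrtg_log_t` files and directories but nothing lets the caller walk to /var/log/mrtg in the first place, so a domain that does not already hold search on the log tree is denied on the path lookup before these rules matter; the comparable interface in this commit, `logrotate_read_tmp_files`, adds the parent search (`files_search_tmp($1)`) for exactly that reason. The matching first line of the body here is the logging module's log-directory search interface, `logging_search_logs($1)` (name to be confirmed against logging.if, which is not in this chunk). Whether every current caller already has it cannot be seen from this file, so adding it is the safe default; a blank line between `gen_require` and the rules would also match the layout of the other interfaces.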
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
new file mode 100644
index 0000000..3625067
--- /dev/null
+++ b/policy/modules/admin/mrtg.te
@@ -0,0 +1,169 @@
+
+policy_module(mrtg,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type mrtg_t;
+type mrtg_exec_t;
+init_system_domain(mrtg_t,mrtg_exec_t)
+
+type mrtg_etc_t;
+files_config_file(mrtg_etc_t)
+
+type mrtg_lock_t;
+files_lock_file(mrtg_lock_t)
+
+type mrtg_log_t;
+logging_log_file(mrtg_log_t)
+
+type mrtg_var_lib_t;
+files_type(mrtg_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mrtg_t self:capability { setgid setuid };
+dontaudit mrtg_t self:capability sys_tty_config;
+allow mrtg_t self:process signal_perms;
+allow mrtg_t self:fifo_file { getattr read write ioctl };
+allow mrtg_t self:unix_stream_socket create_socket_perms;
+allow mrtg_t self:tcp_socket create_socket_perms;
+allow mrtg_t self:udp_socket create_socket_perms;
+
+allow mrtg_t mrtg_etc_t:file r_file_perms;
+allow mrtg_t mrtg_etc_t:dir r_dir_perms;
+allow mrtg_t mrtg_etc_t:lnk_file { getattr read };
+files_search_etc(mrtg_t)
+
+allow mrtg_t mrtg_lock_t:dir rw_dir_perms;
+allow mrtg_t mrtg_lock_t:file create_file_perms;
+allow mrtg_t mrtg_lock_t:lnk_file create_lnk_perms;
+
+allow mrtg_t mrtg_log_t:file create_file_perms;
+allow mrtg_t mrtg_log_t:dir rw_dir_perms;
+logging_log_filetrans(mrtg_t,mrtg_log_t,{ file dir })
+
+allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms;
+allow mrtg_t mrtg_var_lib_t:file create_file_perms;
+allow mrtg_t mrtg_var_lib_t:lnk_file create_lnk_perms;
+
+# read config files
+dontaudit mrtg_t mrtg_etc_t:dir write;
+dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
+files_read_etc_files(mrtg_t)
+
+kernel_read_system_state(mrtg_t)
+kernel_read_network_state(mrtg_t)
+kernel_read_kernel_sysctls(mrtg_t)
+
+corecmd_exec_bin(mrtg_t)
+corecmd_exec_sbin(mrtg_t)
+corecmd_exec_shell(mrtg_t)
+
+corenet_non_ipsec_sendrecv(mrtg_t)
+corenet_tcp_sendrecv_generic_if(mrtg_t)
+corenet_udp_sendrecv_generic_if(mrtg_t)
+corenet_tcp_sendrecv_all_nodes(mrtg_t)
+corenet_udp_sendrecv_all_nodes(mrtg_t)
+corenet_tcp_sendrecv_all_ports(mrtg_t)
+corenet_udp_sendrecv_all_ports(mrtg_t)
+corenet_tcp_connect_all_ports(mrtg_t)
+corenet_sendrecv_all_client_packets(mrtg_t)
+
+dev_read_sysfs(mrtg_t)
+dev_read_urand(mrtg_t)
+
+domain_use_interactive_fds(mrtg_t)
+
+files_read_usr_files(mrtg_t)
+files_search_var(mrtg_t)
+files_search_locks(mrtg_t)
+files_search_var_lib(mrtg_t)
+files_search_spool(mrtg_t)
+files_getattr_tmp_dirs(mrtg_t)
+# for uptime
+files_read_etc_runtime_files(mrtg_t)
+
+fs_search_auto_mountpoints(mrtg_t)
+fs_getattr_xattr_fs(mrtg_t)
+
+term_dontaudit_use_console(mrtg_t)
+
+init_use_fds(mrtg_t)
+init_use_script_ptys(mrtg_t)
+# for uptime
+init_read_utmp(mrtg_t)
+init_dontaudit_write_utmp(mrtg_t)
+
+libs_read_lib_files(mrtg_t)
+libs_use_ld_so(mrtg_t)
+libs_use_shared_libs(mrtg_t)
+
+logging_send_syslog_msg(mrtg_t)
+
+miscfiles_read_localization(mrtg_t)
+
+selinux_dontaudit_getattr_dir(mrtg_t)
+
+# Use the network.
+sysnet_read_config(mrtg_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+userdom_use_sysadm_terms(mrtg_t)
+
+ifdef(`distro_redhat',`
+	allow mrtg_t mrtg_etc_t:dir rw_dir_perms;
+	allow mrtg_t mrtg_lock_t:file create_file_perms;
+	type_transition mrtg_t mrtg_etc_t:file mrtg_lock_t;
+')
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(mrtg_t)
+	term_dontaudit_use_generic_ptys(mrtg_t)
+	files_dontaudit_read_root_files(mrtg_t)
+')
+
+optional_policy(`
+	apache_manage_sys_content(mrtg_t)
+')
+
+optional_policy(`
+	cron_system_entry(mrtg_t,mrtg_exec_t)
+')
+
+optional_policy(`
+	hostname_exec(mrtg_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(mrtg_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(mrtg_t)
+')
+
+optional_policy(`
+	quota_dontaudit_getattr_db(mrtg_t)
+')
+
+optional_policy(`
+	snmp_udp_chat(mrtg_t)
+	snmp_read_snmp_var_lib_files(mrtg_t)
+')
+
+optional_policy(`
+	udev_read_db(mrtg_t)
+')
+
+ifdef(`TODO',`
+	# should not need this!
+	dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
+	dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
+	dontaudit mrtg_t root_t:lnk_file getattr;
+')
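Review bot: `allow mrtg_t mrtg_lock_t:file create_file_perms;` inside the `distro_redhat` block duplicates the identical unconditional rule earlier in the file and can be dropped; in the same block `allow mrtg_t mrtg_etc_t:dir rw_dir_perms;` overrides the earlier `dontaudit mrtg_t mrtg_etc_t:dir write;`, so on Red Hat the config directory is writable by the poller while the `# read config files` comment says the opposite. A comment on the `type_transition` explaining that the lock file lives under /etc/mrtg on that distro (the `.fc` entry for `/etc/mrtg/mrtg\.ok` is the evidence) would make the exception legible, e.g. `# Red Hat keeps mrtg.ok under /etc/mrtg, so lock files created there get mrtg_lock_t`. `corenet_tcp_connect_all_ports(mrtg_t)` is also broad for a grapher that polls SNMP over UDP (the `snmp_udp_chat` optional block); if the TCP client side only serves specific probes, naming them in a comment would let the rule be narrowed later.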
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
new file mode 100644
index 0000000..a2fecb4
--- /dev/null
+++ b/policy/modules/admin/netutils.fc
@@ -0,0 +1,14 @@
+
+/bin/ping.* 		--	gen_context(system_u:object_r:ping_exec_t,s0)
+/bin/tracepath.*		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+/sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
+
+/usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+/usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/sbin/hping2		--	gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/tcpdump	--	gen_context(system_u:object_r:netutils_exec_t,s0)
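Review bot: `/usr/bin/nmap` is labeled `traceroute_exec_t` and `/usr/sbin/hping2` is labeled `ping_exec_t`, so any role granted the traceroute or ping domain can run a full port scanner or packet crafter with whatever raw-socket privileges those domains carry (their .te rules are outside this chunk, so the extent is inferred). If that is intended, a comment on those two lines such as `# nmap and hping2 need the same raw socket access as traceroute/ping; granting those domains grants scanning` records the trade-off; if not, they deserve a domain of their own rather than riding on the small utilities. The `/bin/ping.*` and `/bin/traceroute.*` patterns are also unanchored and match any binary whose name merely starts with those strings; if `ping6` and `traceroute6` are the targets, `/bin/ping6?` and `/bin/traceroute6?` are tighter.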
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
new file mode 100644
index 0000000..9fdfc1f
--- /dev/null
+++ b/policy/modules/admin/netutils.if
@@ -0,0 +1,323 @@
+## <summary>Network analysis utilities</summary>
+
+########################################
+## <summary>
+##	Execute network utilities in the netutils domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`netutils_domtrans',`
+	gen_require(`
+		type netutils_t, netutils_exec_t;
+	')
+
+	domain_auto_trans($1,netutils_exec_t,netutils_t)
+
+	allow $1 netutils_t:fd use;
+	allow netutils_t $1:fd use;
+	allow netutils_t $1:fifo_file rw_file_perms;
+	allow netutils_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute network utilities in the netutils domain, and
+##	allow the specified role the netutils domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the netutils domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the netutils domain to use.
+##	</summary>
+## </param>
+#
+interface(`netutils_run',`
+	gen_require(`
+		type netutils_t;
+	')
+
+	netutils_domtrans($1)
+	role $2 types netutils_t;
+	allow netutils_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute network utilities in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`netutils_exec',`
+	gen_require(`
+		type netutils_exec_t;
+	')
+
+	can_exec($1,netutils_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute ping in the ping domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`netutils_domtrans_ping',`
+	gen_require(`
+		type ping_t, ping_exec_t;
+	')
+
+	domain_auto_trans($1,ping_exec_t,ping_t)
+
+	allow $1 ping_t:fd use;
+	allow ping_t $1:fd use;
+	allow ping_t $1:fifo_file rw_file_perms;
+	allow ping_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a kill (SIGKILL) signal to ping.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`netutils_kill_ping',`
+	gen_require(`
+		type ping_t;
+	')
+
+	allow $1 ping_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Send generic signals to ping.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`netutils_signal_ping',`
+	gen_require(`
+		type ping_t;
+	')
+
+	allow $1 ping_t:process signal;
+')
+
+########################################
+## <summary>
+##	Execute ping in the ping domain, and
+##	allow the specified role the ping domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the ping domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ping domain to use.
+##	</summary>
+## </param>
+#
+interface(`netutils_run_ping',`
+	gen_require(`
+		type ping_t;
+	')
+
+	netutils_domtrans_ping($1)
+	role $2 types ping_t;
+	allow ping_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Conditionally execute ping in the ping domain, and
+##	allow the specified role the ping domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the ping domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ping domain to use.
+##	</summary>
+## </param>
+#
+interface(`netutils_run_ping_cond',`
+	gen_require(`
+		type ping_t;
+		bool user_ping;
+	')
+
+	role $2 types ping_t;
+
+	if ( user_ping ) {
+		netutils_domtrans_ping($1)
+		allow ping_t $3:chr_file rw_term_perms;
+	}
+')
+
+########################################
+## <summary>
+##	Execute ping in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`netutils_exec_ping',`
+	gen_require(`
+		type ping_exec_t;
+	')
+
+	can_exec($1,ping_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute traceroute in the traceroute domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`netutils_domtrans_traceroute',`
+	gen_require(`
+		type traceroute_t, traceroute_exec_t;
+	')
+
+	domain_auto_trans($1,traceroute_exec_t,traceroute_t)
+
+	allow $1 traceroute_t:fd use;
+	allow traceroute_t $1:fd use;
+	allow traceroute_t $1:fifo_file rw_file_perms;
+	allow traceroute_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute traceroute in the traceroute domain, and
+##	allow the specified role the traceroute domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the traceroute domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the traceroute domain to use.
+##	</summary>
+## </param>
+#
+interface(`netutils_run_traceroute',`
+	gen_require(`
+		type traceroute_t;
+	')
+
+	netutils_domtrans_traceroute($1)
+	role $2 types traceroute_t;
+	allow traceroute_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Conditionally execute traceroute in the traceroute domain, and
+##	allow the specified role the traceroute domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the traceroute domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the traceroute domain to use.
+##	</summary>
+## </param>
+#
+interface(`netutils_run_traceroute_cond',`
+	gen_require(`
+		type traceroute_t;
+		bool user_ping;
+	')
+
+	role $2 types traceroute_t;
+
+	if( user_ping ) {
+		netutils_domtrans_traceroute($1)
+		allow traceroute_t $3:chr_file rw_term_perms;
+	}
+')
+
+########################################
+## <summary>
+##	Execute traceroute in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`netutils_exec_traceroute',`
+	gen_require(`
+		type traceroute_exec_t;
+	')
+
+	can_exec($1,traceroute_exec_t)
+')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
new file mode 100644
index 0000000..d5766aa
--- /dev/null
+++ b/policy/modules/admin/netutils.te
@@ -0,0 +1,227 @@
+
+policy_module(netutils,1.1.4)
+
+########################################
+#
+# Declarations
+#
+
+type netutils_t;
+type netutils_exec_t;
+init_system_domain(netutils_t,netutils_exec_t)
+role system_r types netutils_t;
+
+type netutils_tmp_t;
+files_tmp_file(netutils_tmp_t)
+
+type ping_t;
+type ping_exec_t;
+init_system_domain(ping_t,ping_exec_t)
+role system_r types ping_t;
+
+type traceroute_t;
+type traceroute_exec_t;
+init_system_domain(traceroute_t,traceroute_exec_t)
+role system_r types traceroute_t;
+
+########################################
+#
+# Netutils local policy
+#
+
+# Perform network administration operations and have raw access to the network.
+allow netutils_t self:capability { net_admin net_raw setuid setgid };
+allow netutils_t self:process { sigkill sigstop signull signal };
+allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow netutils_t self:packet_socket create_socket_perms;
+allow netutils_t self:udp_socket create_socket_perms;
+allow netutils_t self:tcp_socket create_stream_socket_perms;
+
+allow netutils_t netutils_tmp_t:dir create_dir_perms;
+allow netutils_t netutils_tmp_t:file create_file_perms;
+files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+
+kernel_search_proc(netutils_t)
+
+corenet_non_ipsec_sendrecv(netutils_t)
+corenet_tcp_sendrecv_all_if(netutils_t)
+corenet_raw_sendrecv_all_if(netutils_t)
+corenet_udp_sendrecv_all_if(netutils_t)
+corenet_tcp_sendrecv_all_nodes(netutils_t)
+corenet_raw_sendrecv_all_nodes(netutils_t)
+corenet_udp_sendrecv_all_nodes(netutils_t)
+corenet_tcp_sendrecv_all_ports(netutils_t)
+corenet_udp_sendrecv_all_ports(netutils_t)
+corenet_tcp_connect_all_ports(netutils_t)
+corenet_sendrecv_all_client_packets(netutils_t)
+corenet_udp_bind_generic_node(netutils_t)
+
+fs_getattr_xattr_fs(netutils_t)
+
+domain_use_interactive_fds(netutils_t)
+
+files_read_etc_files(netutils_t)
+# for nscd
+files_dontaudit_search_var(netutils_t)
+
+init_use_fds(netutils_t)
+init_use_script_ptys(netutils_t)
+
+libs_use_ld_so(netutils_t)
+libs_use_shared_libs(netutils_t)
+
+logging_send_syslog_msg(netutils_t)
+
+miscfiles_read_localization(netutils_t)
+
+sysnet_read_config(netutils_t)
+
+userdom_use_all_users_fds(netutils_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(netutils_t)
+	term_use_unallocated_ttys(netutils_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(netutils_t)
+')
+
+########################################
+#
+# Ping local policy
+#
+
+allow ping_t self:capability { setuid net_raw };
+dontaudit ping_t self:capability sys_tty_config;
+
+allow ping_t self:tcp_socket create_socket_perms;
+allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+
+corenet_non_ipsec_sendrecv(ping_t)
+corenet_tcp_sendrecv_all_if(ping_t)
+corenet_raw_sendrecv_all_if(ping_t)
+corenet_raw_sendrecv_all_nodes(ping_t)
+corenet_tcp_sendrecv_all_nodes(ping_t)
+corenet_tcp_sendrecv_all_ports(ping_t)
+
+fs_dontaudit_getattr_xattr_fs(ping_t)
+
+domain_use_interactive_fds(ping_t)
+
+files_read_etc_files(ping_t)
+files_dontaudit_search_var(ping_t)
+
+libs_use_ld_so(ping_t)
+libs_use_shared_libs(ping_t)
+
+sysnet_read_config(ping_t)
+sysnet_dns_name_resolve(ping_t)
+
+logging_send_syslog_msg(ping_t)
+
+ifdef(`hide_broken_symptoms',`
+	init_dontaudit_use_fds(ping_t)
+')
+
+ifdef(`targeted_policy',`
+	term_use_unallocated_ttys(ping_t)
+	term_use_generic_ptys(ping_t)
+	term_use_all_user_ttys(ping_t)
+	term_use_all_user_ptys(ping_t)
+',`
+	tunable_policy(`user_ping',`
+		term_use_all_user_ttys(ping_t)
+		term_use_all_user_ptys(ping_t)
+	')
+')
+
+optional_policy(`
+	nis_use_ypbind(ping_t)
+')
+
+optional_policy(`
+	nscd_socket_use(ping_t)
+')
+
+optional_policy(`
+	pcmcia_use_cardmgr_fds(ping_t)
+')
+
+optional_policy(`
+	hotplug_use_fds(ping_t)
+')
+
+########################################
+#
+# Traceroute local policy
+#
+
+allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+allow traceroute_t self:rawip_socket create_socket_perms;
+allow traceroute_t self:packet_socket create_socket_perms;
+allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow traceroute_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(traceroute_t)
+kernel_read_network_state(traceroute_t)
+
+corenet_non_ipsec_sendrecv(traceroute_t)
+corenet_tcp_sendrecv_all_if(traceroute_t)
+corenet_udp_sendrecv_all_if(traceroute_t)
+corenet_raw_sendrecv_all_if(traceroute_t)
+corenet_tcp_sendrecv_all_nodes(traceroute_t)
+corenet_udp_sendrecv_all_nodes(traceroute_t)
+corenet_raw_sendrecv_all_nodes(traceroute_t)
+corenet_tcp_sendrecv_all_ports(traceroute_t)
+corenet_udp_sendrecv_all_ports(traceroute_t)
+corenet_udp_bind_all_nodes(traceroute_t)
+corenet_tcp_bind_all_nodes(traceroute_t)
+# traceroute needs this but not tracepath
+corenet_raw_bind_all_nodes(traceroute_t)
+corenet_udp_bind_traceroute_port(traceroute_t)
+corenet_tcp_connect_all_ports(traceroute_t)
+corenet_sendrecv_all_client_packets(traceroute_t)
+corenet_sendrecv_traceroute_server_packets(traceroute_t)
+
+fs_dontaudit_getattr_xattr_fs(traceroute_t)
+
+domain_use_interactive_fds(traceroute_t)
+
+files_read_etc_files(traceroute_t)
+files_dontaudit_search_var(traceroute_t)
+
+init_use_fds(traceroute_t)
+
+libs_use_ld_so(traceroute_t)
+libs_use_shared_libs(traceroute_t)
+
+logging_send_syslog_msg(traceroute_t)
+
+miscfiles_read_localization(traceroute_t)
+
+#rules needed for nmap
+dev_read_rand(traceroute_t)
+dev_read_urand(traceroute_t)
+files_read_usr_files(traceroute_t)
+
+sysnet_read_config(traceroute_t)
+
+ifdef(`targeted_policy',`
+	term_use_unallocated_ttys(traceroute_t)
+	term_use_generic_ptys(traceroute_t)
+')
+
+tunable_policy(`user_ping',`
+	term_use_all_user_ttys(traceroute_t)
+	term_use_all_user_ptys(traceroute_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(traceroute_t)
+')
+
+optional_policy(`
+	nscd_socket_use(traceroute_t)
+')
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
new file mode 100644
index 0000000..76d3408
--- /dev/null
+++ b/policy/modules/admin/portage.fc
@@ -0,0 +1,22 @@
+/etc/make.conf			--	gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/make.globals		--	gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage(/.*)?			gen_context(system_u:object_r:portage_conf_t,s0)
+
+/usr/bin/gcc-config		--	gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/sandbox		--	gen_context(system_u:object_r:portage_exec_t,s0)
+
+/usr/lib(64)?/portage/bin/ebuild --	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge --	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/quickpkg --	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/ebuild.sh --	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/regenworld --	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/sandbox --	gen_context(system_u:object_r:portage_exec_t,s0)
+
+/usr/portage(/.*)?			gen_context(system_u:object_r:portage_ebuild_t,s0)
+
+/var/db/pkg(/.*)?			gen_context(system_u:object_r:portage_db_t,s0)
+/var/cache/edb(/.*)?			gen_context(system_u:object_r:portage_cache_t,s0)
+/var/log/emerge.log.*		--	gen_context(system_u:object_r:portage_log_t,s0)
+/var/lib/portage(/.*)?			gen_context(system_u:object_r:portage_cache_t,s0)
+/var/tmp/portage(/.*)?			gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/portage-pkg(/.*)?		gen_context(system_u:object_r:portage_tmp_t,s0)
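Review bot: File-context paths are regular expressions, and the `.` in `/etc/make.conf`, `/etc/make.globals`, `/usr/lib(64)?/portage/bin/ebuild.sh` and `/var/log/emerge.log.*` is left unescaped, so any single character in that position would match and receive the portage label; prelink.fc in this same change escapes it (`prelink\.cache`). The fix is to write `/etc/make\.conf` and `/etc/make\.globals`, and the same `\.` for the `ebuild.sh` and `emerge.log` entries. This is low impact today but it is the convention the rest of the policy follows, and it keeps `portage_conf_t` from being handed to an unrelated file by accident.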
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
new file mode 100644
index 0000000..39407bc
--- /dev/null
+++ b/policy/modules/admin/portage.if
@@ -0,0 +1,409 @@
+## <summary>
+##	Portage Package Management System. The primary package management and
+##	distribution system for Gentoo.
+## </summary>
+
+########################################
+## <summary>
+##	Execute emerge in the portage domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`portage_domtrans',`
+	gen_require(`
+		type portage_t, portage_t.merge, portage_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+
+	# constraining domain
+	domain_trans($1,portage_exec_t,portage_t)
+	allow portage_t $1:fd use;
+	allow portage_t $1:fifo_file rw_file_perms;
+	allow portage_t $1:process sigchld;
+
+	# transition to portage
+	domain_auto_trans($1,portage_exec_t,portage_t.merge)
+	allow portage_t.merge $1:fd use;
+	allow portage_t.merge $1:fifo_file rw_file_perms;
+	allow portage_t.merge $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute emerge in the portage domain, and
+##	allow the specified role the portage domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the portage domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow for portage to use.
+##	</summary>
+## </param>
+#
+interface(`portage_run',`
+	gen_require(`
+		type portage_t;
+		type portage_t.merge, portage_t.fetch, portage_t.sandbox;
+	')
+
+	portage_domtrans($1)
+
+	# constraining access
+	role $2 types portage_t;
+	allow portage_t $3:chr_file rw_term_perms;
+
+	# specific access
+	role $2 types { portage_t.merge portage_t.fetch portage_t.sandbox };
+	allow portage_t.merge $3:chr_file rw_term_perms;
+	allow portage_t.fetch $3:chr_file rw_term_perms;
+	allow portage_t.sandbox $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Template for portage sandbox.
+## </summary>
+## <desc>
+##	<p>
+##	Template for portage sandbox.  Portage
+##	does all compiling in the sandbox.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain Allowed Access
+##	</summary>
+## </param>
+#
+interface(`portage_compile_domain',`
+
+	gen_require(`
+		class dbus send_msg;
+	')
+
+	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+	dontaudit $1 self:capability sys_chroot;
+	allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
+	allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1 self:fd use;
+	allow $1 self:fifo_file rw_file_perms;
+	allow $1 self:shm create_shm_perms;
+	allow $1 self:sem create_sem_perms;
+	allow $1 self:msgq create_msgq_perms;
+	allow $1 self:msg { send receive };
+	allow $1 self:unix_dgram_socket create_socket_perms;
+	allow $1 self:unix_stream_socket create_stream_socket_perms;
+	allow $1 self:unix_dgram_socket sendto;
+	allow $1 self:unix_stream_socket connectto;
+	# really shouldnt need this
+	allow $1 self:tcp_socket create_stream_socket_perms;
+	allow $1 self:udp_socket create_socket_perms;
+	# misc networking stuff (esp needed for compiling perl):
+	allow $1 self:rawip_socket { create ioctl };
+	allow $1 self:udp_socket recvfrom;
+	# needed for merging dbus:
+	allow $1 self:netlink_selinux_socket { bind create read };
+	allow $1 self:dbus send_msg;
+
+	allow $1 portage_devpts_t:chr_file { rw_file_perms setattr };
+	term_create_pty($1,portage_devpts_t)
+
+	# write compile logs
+	allow $1 portage_log_t:dir setattr;
+	allow $1 portage_log_t:file { append write setattr };
+
+	# run scripts out of the build directory
+	can_exec(portage_sandbox_t,portage_tmp_t)
+
+	allow $1 portage_tmp_t:dir manage_dir_perms;
+	allow $1 portage_tmp_t:file manage_file_perms;
+	allow $1 portage_tmp_t:lnk_file create_lnk_perms;
+	allow $1 portage_tmp_t:fifo_file manage_file_perms;
+	allow $1 portage_tmp_t:sock_file manage_file_perms;
+	files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $1 portage_tmpfs_t:dir rw_dir_perms;
+	allow $1 portage_tmpfs_t:file manage_file_perms;
+	allow $1 portage_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1 portage_tmpfs_t:sock_file manage_file_perms;
+	allow $1 portage_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	kernel_read_system_state($1)
+	kernel_read_network_state($1)
+	kernel_read_software_raid_state($1)
+	kernel_getattr_core_if($1)
+	kernel_getattr_message_if($1)
+	kernel_read_kernel_sysctls($1)
+
+	corecmd_exec_all_executables($1)
+
+	# really shouldnt need this but some packages test
+	# network access, such as during configure
+	# also distcc--need to reinvestigate confining distcc client
+	corenet_non_ipsec_sendrecv($1)
+	corenet_tcp_sendrecv_generic_if($1)
+	corenet_udp_sendrecv_generic_if($1)
+	corenet_raw_sendrecv_generic_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_udp_sendrecv_all_nodes($1)
+	corenet_raw_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_all_ports($1)
+	corenet_udp_sendrecv_all_ports($1)
+	corenet_tcp_connect_all_reserved_ports($1)
+	corenet_tcp_connect_distccd_port($1)
+
+	dev_read_sysfs($1)
+	dev_read_rand($1)
+	dev_read_urand($1)
+
+	domain_use_interactive_fds($1)
+
+	files_exec_etc_files($1)
+	files_exec_usr_src_files($1)
+
+	fs_getattr_xattr_fs($1)
+	fs_list_noxattr_fs($1)
+	fs_read_noxattr_fs_files($1)
+	fs_read_noxattr_fs_symlinks($1)
+	fs_search_auto_mountpoints($1)
+
+	# needed for merging dbus:
+	selinux_compute_access_vector($1)
+
+	auth_read_all_dirs_except_shadow($1)
+	auth_read_all_files_except_shadow($1)
+	auth_read_all_symlinks_except_shadow($1)
+
+	libs_use_ld_so($1)
+	libs_use_shared_libs($1)
+	libs_exec_lib_files($1)
+	# some config scripts use ldd
+	libs_exec_ld_so($1)
+	# this violates the idea of sandbox, but
+	# regular sandbox allows it
+	libs_domtrans_ldconfig($1)
+
+	logging_send_syslog_msg($1)
+
+	ifdef(`TODO',`
+	# some gui ebuilds want to interact with X server, like xawtv
+	optional_policy(`
+		allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
+		allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
+	')
+	') dnl end TODO
+')
+
+########################################
+## <summary>
+##	Template for portage fetch.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain Allowed Access
+##	</summary>
+## </param>
+#
+interface(`portage_fetch_domain',`
+
+	allow $1 self:capability dac_override;
+	dontaudit $1 self:capability { fowner fsetid };
+	allow $1 self:process signal;
+	allow $1 self:unix_stream_socket create_socket_perms;
+	allow $1 self:tcp_socket create_stream_socket_perms;
+
+	allow $1 portage_conf_t:dir list_dir_perms;
+	allow $1 portage_conf_t:file read_file_perms;
+
+	allow $1 portage_ebuild_t:dir manage_dir_perms;
+	allow $1 portage_ebuild_t:file manage_file_perms;
+
+	allow $1 portage_fetch_tmp_t:dir manage_dir_perms;
+	allow $1 portage_fetch_tmp_t:file manage_file_perms;
+
+	# portage makes home dir the portage tmp dir, so
+	# wget looks for .wgetrc there
+	dontaudit $1 portage_tmp_t:dir search_dir_perms;
+
+	kernel_read_system_state($1)
+	kernel_read_kernel_sysctls($1)
+
+	corecmd_exec_bin($1)
+	corecmd_exec_sbin($1)
+
+	corenet_non_ipsec_sendrecv($1)
+	corenet_tcp_sendrecv_generic_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_all_ports($1)
+	# would rather not connect to unspecified ports, but
+	# it occasionally comes up
+	corenet_tcp_connect_all_reserved_ports($1)
+	corenet_tcp_connect_generic_port($1)
+
+	dev_dontaudit_read_rand($1)
+
+	domain_use_interactive_fds($1)
+
+	files_read_etc_files($1)
+	files_read_etc_runtime_files($1)
+	files_search_var($1)
+	files_dontaudit_search_pids($1)
+
+	term_search_ptys($1)
+
+	libs_use_ld_so($1)
+	libs_use_shared_libs($1)
+
+	miscfiles_read_localization($1)
+
+	sysnet_read_config($1)
+	sysnet_dns_name_resolve($1)
+
+	userdom_dontaudit_read_sysadm_home_content_files($1)
+
+	ifdef(`hide_broken_symptoms',`
+		dontaudit $1 portage_cache_t:file read;
+	')
+')
+
+########################################
+## <summary>
+##	Template for portage main.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain Allowed Access
+##	</summary>
+## </param>
+#
+interface(`portage_main_domain',`
+
+	# - setfscreate for merging to live fs
+	# - setexec to run portage fetch
+	allow $1 self:process { setfscreate setexec };
+
+	# if sesandbox is disabled, compiles are
+	# performed in the main domain
+	portage_compile_domain($1)
+
+	allow $1 portage_log_t:file create_file_perms;
+	logging_log_filetrans($1,portage_log_t,file)
+
+	# run scripts out of the build directory
+	can_exec($1,portage_tmp_t)
+
+	# merging baselayout will need this:
+	kernel_write_proc_files($1)
+
+	domain_dontaudit_read_all_domains_state($1)
+
+	# modify any files in the system
+	files_manage_all_files($1)
+
+	selinux_get_fs_mount($1)
+
+	auth_manage_shadow($1)
+
+	# merging baselayout will need this:
+	init_exec($1)
+
+	# run setfiles -r
+	seutil_domtrans_setfiles($1)
+
+	portage_domtrans_gcc_config($1)
+
+	optional_policy(`
+		bootloader_domtrans($1)
+	')
+
+	optional_policy(`
+		modutils_domtrans_depmod($1)
+		modutils_domtrans_update_mods($1)
+		#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+	')
+
+	optional_policy(`
+		usermanage_domtrans_groupadd($1)
+		usermanage_domtrans_useradd($1)
+	')
+
+	ifdef(`TODO',`
+	# seems to work ok without these
+	dontaudit portage_t device_t:{ blk_file chr_file } getattr;
+	dontaudit portage_t proc_t:dir setattr;
+	dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Execute gcc-config in the gcc_config domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`portage_domtrans_gcc_config',`
+	gen_require(`
+		type gcc_config_t, gcc_config_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+
+	domain_auto_trans($1,gcc_config_exec_t,gcc_config_t)
+	allow gcc_config_t $1:fd use;
+	allow gcc_config_t $1:fifo_file rw_file_perms;
+	allow gcc_config_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute gcc-config in the gcc_config domain, and
+##	allow the specified role the gcc_config domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the gcc_config domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow for gcc_config to use.
+##	</summary>
+## </param>
+#
+interface(`portage_run_gcc_config',`
+	gen_require(`
+		type gcc_config_t;
+	')
+
+	portage_domtrans_gcc_config($1)
+
+	# constraining access
+	role $2 types gcc_config_t;
+	allow gcc_config_t $3:chr_file rw_term_perms;
+')
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
new file mode 100644
index 0000000..00351d1
--- /dev/null
+++ b/policy/modules/admin/portage.te
@@ -0,0 +1,194 @@
+
+policy_module(portage,1.0.4)
+
+########################################
+#
+# Declarations
+#
+
+type gcc_config_t;
+type gcc_config_exec_t;
+domain_type(gcc_config_t)
+domain_entry_file(gcc_config_t,gcc_config_exec_t)
+
+# constraining type
+type portage_t;
+type portage_exec_t;
+domain_type(portage_t)
+domain_entry_file(portage_t,portage_exec_t)
+rsync_entry_type(portage_t)
+corecmd_shell_entry_type(portage_t)
+domain_entry_file(portage_t,portage_exec_t)
+
+# portage domain for merging packages to the live fs
+type portage_t.merge;
+domain_type(portage_t.merge)
+domain_entry_file(portage_t.merge,portage_exec_t)
+domain_obj_id_change_exemption(portage_t.merge)
+
+# portage compile sandbox domain
+type portage_t.sandbox alias portage_sandbox_t;
+domain_type(portage_t.sandbox)
+# the shell is the entrypoint if regular sandbox is disabled
+# portage_exec_t is the entrypoint if regular sandbox is enabled
+corecmd_shell_entry_type(portage_t.sandbox)
+domain_entry_file(portage_t.sandbox,portage_exec_t)
+
+# portage package fetching domain
+type portage_t.fetch alias portage_fetch_t;
+domain_type(portage_t.fetch)
+corecmd_shell_entry_type(portage_t.fetch)
+rsync_entry_type(portage_t.fetch)
+
+type portage_devpts_t;
+term_pty(portage_devpts_t)
+
+type portage_ebuild_t;
+files_type(portage_ebuild_t)
+
+type portage_fetch_tmp_t;
+files_tmp_file(portage_fetch_tmp_t)
+
+type portage_db_t;
+files_type(portage_db_t)
+
+type portage_conf_t;
+files_type(portage_conf_t)
+
+type portage_cache_t;
+files_type(portage_cache_t)
+
+type portage_log_t;
+logging_log_file(portage_log_t)
+
+type portage_tmp_t;
+files_tmp_file(portage_tmp_t)
+
+type portage_tmpfs_t;
+files_tmpfs_file(portage_tmpfs_t)
+
+########################################
+#
+# gcc-config policy
+#
+
+allow gcc_config_t self:capability { chown fsetid };
+allow gcc_config_t self:fifo_file rw_file_perms;
+
+allow gcc_config_t portage_cache_t:dir rw_dir_perms;
+allow gcc_config_t portage_cache_t:file create_file_perms;
+
+allow gcc_config_t portage_conf_t:dir search_dir_perms;
+allow gcc_config_t portage_conf_t:file read_file_perms;
+
+allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
+allow gcc_config_t portage_ebuild_t:file read_file_perms;
+
+allow gcc_config_t portage_exec_t:file { execute getattr };
+
+kernel_read_system_state(gcc_config_t)
+kernel_read_kernel_sysctls(gcc_config_t)
+
+corecmd_exec_shell(gcc_config_t)
+corecmd_exec_ls(gcc_config_t)
+corecmd_exec_bin(gcc_config_t)
+corecmd_exec_sbin(gcc_config_t)
+corecmd_manage_bin_files(gcc_config_t)
+corecmd_read_sbin_symlinks(gcc_config_t)
+
+files_manage_etc_files(gcc_config_t)
+files_rw_etc_runtime_files(gcc_config_t)
+files_search_var_lib(gcc_config_t)
+files_search_pids(gcc_config_t)
+# complains loudly about not being able to list
+# the directory it is being run from
+files_list_all(gcc_config_t)
+
+term_search_ptys(gcc_config_t)
+
+# seems to be ok without this
+init_dontaudit_read_script_status_files(gcc_config_t)
+
+libs_use_ld_so(gcc_config_t)
+libs_use_shared_libs(gcc_config_t)
+libs_read_lib_files(gcc_config_t)
+libs_domtrans_ldconfig(gcc_config_t)
+libs_manage_shared_libs(gcc_config_t)
+files_lib_filetrans_shared_lib(gcc_config_t,file)
+# gcc-config creates a temp dir for the libs
+libs_manage_lib_dirs(gcc_config_t)
+
+logging_send_syslog_msg(gcc_config_t)
+
+miscfiles_read_localization(gcc_config_t)
+
+consoletype_exec(gcc_config_t)
+
+optional_policy(`
+	seutil_use_newrole_fds(gcc_config_t)
+')
+
+########################################
+#
+# Portage Constraining Rules
+#
+
+portage_main_domain(portage_t)
+portage_compile_domain(portage_t)
+portage_fetch_domain(portage_t)
+
+# transition between child domains on shells and rsync
+corecmd_shell_spec_domtrans(portage_t,portage_t)
+rsync_entry_spec_domtrans(portage_t,portage_t)
+
+########################################
+#
+# Portage Merging Rules
+#
+
+portage_main_domain(portage_t.merge)
+
+# if sesandbox is disabled, compiling is performed in this domain
+portage_compile_domain(portage_t.merge)
+
+allow portage_t.merge portage_t.fetch:process signal;
+
+# transition for rsync and wget
+corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)
+rsync_entry_domtrans(portage_t.merge,portage_t.fetch)
+allow portage_t.fetch portage_t.merge:fd use;
+allow portage_t.fetch portage_t.merge:fifo_file rw_file_perms;
+allow portage_t.fetch portage_t.merge:process sigchld;
+
+# transition to sandbox for compiling
+domain_trans(portage_t.merge,portage_exec_t,portage_t.sandbox)
+corecmd_shell_spec_domtrans(portage_t.merge,portage_t.sandbox)
+allow portage_t.sandbox portage_t.merge:fd use;
+allow portage_t.sandbox portage_t.merge:fifo_file rw_file_perms;
+allow portage_t.sandbox portage_t.merge:process sigchld;
+
+##########################################
+#
+# Portage fetch domain
+# - for rsync and distfile fetching
+#
+
+portage_fetch_domain(portage_t.fetch)
+
+# this rule is outside of the above macro to fix conflicting type
+# transitions seen in the rules for the constraining type (portage_t)
+files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir })
+
+##########################################
+#
+# Portage sandbox domain
+# - SELinux-enforced sandbox
+#
+
+portage_compile_domain(portage_t.sandbox)
+
+ifdef(`hide_broken_symptoms',`
+	# leaked descriptors
+	dontaudit portage_t.sandbox portage_cache_t:dir { setattr };
+	dontaudit portage_t.sandbox portage_cache_t:file { setattr write };
+')
diff --git a/policy/modules/admin/prelink.fc b/policy/modules/admin/prelink.fc
new file mode 100644
index 0000000..7d2b81b
--- /dev/null
+++ b/policy/modules/admin/prelink.fc
@@ -0,0 +1,7 @@
+
+/etc/prelink\.cache		--	gen_context(system_u:object_r:prelink_cache_t,s0)
+
+/usr/sbin/prelink(\.bin)?	--	gen_context(system_u:object_r:prelink_exec_t,s0)
+
+/var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)?			gen_context(system_u:object_r:prelink_log_t,s0)
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
new file mode 100644
index 0000000..899fc9d
--- /dev/null
+++ b/policy/modules/admin/prelink.if
@@ -0,0 +1,102 @@
+## <summary>Prelink ELF shared library mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the prelink program in the prelink domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prelink_domtrans',`
+	gen_require(`
+		type prelink_t, prelink_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, prelink_exec_t, prelink_t)
+
+	allow $1 prelink_t:fd use;
+	allow prelink_t $1:fd use;
+	allow prelink_t $1:fifo_file rw_file_perms;
+	allow prelink_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Make the specified file type prelinkable.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	File type to be prelinked.
+##	</summary>
+## </param>
+#
+# cjp: added for misc non-entrypoint objects
+interface(`prelink_object_file',`
+	gen_require(`
+		attribute prelink_object;
+	')
+
+	typeattribute $1 prelink_object;
+')
+
+########################################
+## <summary>
+##	Read the prelink cache.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prelink_read_cache',`
+	gen_require(`
+		type prelink_cache_t;
+	')
+
+	files_search_etc($1)
+	allow $1 prelink_cache_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Delete the prelink cache.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prelink_delete_cache',`
+	gen_require(`
+		type prelink_cache_t;
+	')
+
+	allow $1 prelink_cache_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	prelink log files.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prelink_manage_log',`
+	gen_require(`
+		type prelink_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 prelink_log_t:dir rw_dir_perms;
+	allow $1 prelink_log_t:file create_file_perms;
+')
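Review bot: The three file-access interfaces at the end (`prelink_read_cache`, `prelink_delete_cache`, `prelink_manage_log`) document their parameter as `<param name="file_type">` with the summary "Domain allowed access." — the argument is the calling domain, so the name should be `domain`, as in `prelink_domtrans`; otherwise the generated interface documentation advertises a file-type parameter. `prelink_delete_cache` also grants only `prelink_cache_t:file unlink` and no directory access: unlike `prelink_read_cache` it does not call `files_search_etc($1)`, and removing /etc/prelink.cache additionally needs write/remove_name on the containing etc directory, which presumably must come from the caller — either add the search call for consistency or note in the summary that the caller must already be able to write the /etc directory.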
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
new file mode 100644
index 0000000..506215a
--- /dev/null
+++ b/policy/modules/admin/prelink.te
@@ -0,0 +1,78 @@
+
+policy_module(prelink,1.1.4)
+
+########################################
+#
+# Declarations
+
+attribute prelink_object;
+
+type prelink_t;
+type prelink_exec_t;
+init_system_domain(prelink_t,prelink_exec_t)
+domain_obj_id_change_exemption(prelink_t)
+
+type prelink_cache_t;
+files_type(prelink_cache_t)
+
+type prelink_log_t;
+logging_log_file(prelink_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow prelink_t self:capability { chown dac_override fowner fsetid };
+allow prelink_t self:process { execheap execmem execstack };
+allow prelink_t self:fifo_file rw_file_perms;
+
+allow prelink_t prelink_cache_t:file manage_file_perms;
+files_etc_filetrans(prelink_t, prelink_cache_t, file)
+files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
+
+allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
+allow prelink_t prelink_log_t:file { create ra_file_perms };
+allow prelink_t prelink_log_t:lnk_file read;
+logging_log_filetrans(prelink_t, prelink_log_t, file)
+
+# prelink misc objects that are not system
+# libraries or entrypoints
+allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };
+
+kernel_read_system_state(prelink_t)
+kernel_dontaudit_search_kernel_sysctl(prelink_t)
+kernel_dontaudit_search_sysctl(prelink_t)
+
+corecmd_manage_all_executables(prelink_t)
+corecmd_relabel_all_executables(prelink_t)
+corecmd_mmap_all_executables(prelink_t)
+corecmd_read_sbin_symlinks(prelink_t)
+
+dev_read_urand(prelink_t)
+
+files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dirs(prelink_t)
+files_read_etc_files(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+
+fs_getattr_xattr_fs(prelink_t)
+
+libs_use_ld_so(prelink_t)
+libs_exec_ld_so(prelink_t)
+libs_manage_ld_so(prelink_t)
+libs_relabel_ld_so(prelink_t)
+libs_use_shared_libs(prelink_t)
+libs_manage_shared_libs(prelink_t)
+libs_relabel_shared_libs(prelink_t)
+libs_use_lib_files(prelink_t)
+libs_manage_lib_files(prelink_t)
+libs_relabel_lib_files(prelink_t)
+libs_delete_lib_symlinks(prelink_t)
+
+miscfiles_read_localization(prelink_t)
+
+optional_policy(`
+	cron_system_entry(prelink_t, prelink_exec_t)
+')
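Review bot: The grant set for prelink_t (corecmd_manage_all_executables and relabel, the libs_manage_* and libs_relabel_* calls, `prelink_object:file { ... relabelto relabelfrom }`, plus `fsetid` and `execheap execmem execstack`) lets this domain rewrite and relabel every executable and shared library on the system, setuid ones included, and nothing in the hunk says why; a one-line comment above the capability rule would help the next maintainer judge future additions, e.g. `# prelink rewrites ELF executables and libraries in place; fsetid presumably keeps setuid/setgid bits across the rewrite -- confirm`. `files_write_non_security_dirs(prelink_t)` is also broader than the library and executable directories the rest of the policy targets; if it is only needed for the temporary file prelink writes next to each object, say so in a comment, otherwise consider narrowing it. Note also that `files_var_lib_filetrans(prelink_t, prelink_cache_t, file)` has no matching entry in prelink.fc, so a cache created under /var/lib would not survive a relabel.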
diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc
new file mode 100644
index 0000000..b760aa3
--- /dev/null
+++ b/policy/modules/admin/quota.fc
@@ -0,0 +1,14 @@
+
+/sbin/quota(check|on)		--	gen_context(system_u:object_r:quota_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/sbin/convertquota		--	gen_context(system_u:object_r:quota_exec_t,s0)
+',`
+/sbin/convertquota		--	gen_context(system_u:object_r:quota_exec_t,s0)
+')
+
+HOME_ROOT/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
+
+/var/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
+
+/var/lib/quota(/.*)?			gen_context(system_u:object_r:quota_flag_t,s0)
diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
new file mode 100644
index 0000000..8d3bac7
--- /dev/null
+++ b/policy/modules/admin/quota.if
@@ -0,0 +1,95 @@
+## <summary>File system quota management</summary>
+
+########################################
+## <summary>
+##	Execute quota management tools in the quota domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`quota_domtrans',`
+	gen_require(`
+		type quota_t, quota_exec_t;
+	')
+
+	domain_auto_trans($1,quota_exec_t,quota_t)
+
+	allow $1 quota_t:fd use;
+	allow quota_t $1:fd use;
+	allow quota_t $1:fifo_file rw_file_perms;
+	allow quota_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute quota management tools in the quota domain, and
+##	allow the specified role the quota domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the quota domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the quota domain to use.
+##	</summary>
+## </param>
+#
+interface(`quota_run',`
+	gen_require(`
+		type quota_t;
+	')
+
+	quota_domtrans($1)
+	role $2 types quota_t;
+	allow quota_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of filesystem quota data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`quota_dontaudit_getattr_db',`
+	gen_require(`
+		type quota_db_t;
+	')
+
+	dontaudit $1 quota_db_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete quota
+##	flag files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`quota_manage_flags',`
+	gen_require(`
+		type quota_flag_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 quota_flag_t:dir rw_dir_perms;
+	allow $1 quota_flag_t:file create_file_perms;
+')
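Review bot: `quota_manage_flags` documents its parameter as "Domain to not audit." although it is an allow interface (`allow $1 quota_flag_t:dir rw_dir_perms;`), a copy-paste from `quota_dontaudit_getattr_db` just above; change the summary to `Domain allowed access.`. `quota_domtrans` also gives the caller no search access to the directory holding quota_exec_t, unlike `prelink_domtrans` in this same series, which calls `corecmd_search_sbin($1)` before its `domain_auto_trans`; since quota.fc places the tools in /sbin, callers that cannot already search sbin will be denied before the transition, so adding `corecmd_search_sbin($1)` here keeps the two interfaces consistent.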
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
new file mode 100644
index 0000000..4f188d2
--- /dev/null
+++ b/policy/modules/admin/quota.te
@@ -0,0 +1,85 @@
+
+policy_module(quota,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type quota_t;
+type quota_exec_t;
+init_system_domain(quota_t,quota_exec_t)
+
+type quota_db_t;
+files_type(quota_db_t)
+
+type quota_flag_t;
+files_type(quota_flag_t)
+
+allow quota_t self:capability { sys_admin dac_override };
+dontaudit quota_t self:capability sys_tty_config;
+allow quota_t self:process signal_perms;
+
+# for /quota.*
+allow quota_t quota_db_t:file { read write quotaon };
+
+kernel_list_proc(quota_t)
+kernel_read_proc_symlinks(quota_t)
+kernel_read_kernel_sysctls(quota_t)
+
+dev_read_sysfs(quota_t)
+dev_getattr_all_blk_files(quota_t)
+dev_getattr_all_chr_files(quota_t)
+
+fs_get_xattr_fs_quotas(quota_t)
+fs_set_xattr_fs_quotas(quota_t)
+fs_getattr_xattr_fs(quota_t)
+fs_remount_xattr_fs(quota_t)
+fs_search_auto_mountpoints(quota_t)
+
+storage_raw_read_fixed_disk(quota_t)
+
+term_dontaudit_use_console(quota_t)
+
+domain_use_interactive_fds(quota_t)
+
+files_list_all(quota_t)
+files_read_all_files(quota_t)
+files_read_all_symlinks(quota_t)
+files_getattr_all_pipes(quota_t)
+files_getattr_all_sockets(quota_t)
+# Read /etc/mtab.
+files_read_etc_runtime_files(quota_t)
+
+init_use_fds(quota_t)
+init_use_script_ptys(quota_t)
+
+libs_use_ld_so(quota_t)
+libs_use_shared_libs(quota_t)
+
+logging_send_syslog_msg(quota_t)
+
+userdom_dontaudit_use_unpriv_user_fds(quota_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(quota_t)
+	term_dontaudit_use_generic_ptys(quota_t)
+	files_dontaudit_read_root_files(quota_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(quota_t)
+')
+
+optional_policy(`
+	udev_read_db(quota_t)
+')
+
+ifdef(`TODO',`
+# quotacheck creates new quota_db_t files
+file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
+
+allow quota_t file_t:file quotaon;
+
+allow quota_t proc_t:file getattr;
+') dnl end TODO
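Review bot: quota_t has no type transition for the quota database files it creates, so an `aquota.user`/`quota.group` written by quotacheck into /, a home root or /var inherits the directory's type and the rule `allow quota_t quota_db_t:file { read write quotaon };` will not apply until the file is relabeled — the disabled `ifdef(`TODO'...)` block at the end records exactly this with a legacy `file_type_auto_trans`. The files module already offers per-directory filetrans interfaces (prelink.te in this patch uses `files_etc_filetrans`/`files_var_lib_filetrans`), so the equivalents for the root, home-root and var directories, if present in this tree, would close the gap and let the TODO block be dropped. Separately, `files_read_all_files(quota_t)` together with `storage_raw_read_fixed_disk(quota_t)` means a compromised quotacheck can read every file and the raw disk; if the raw read is what quotacheck needs and the all-files access is only for listing mountpoints, a comment saying which is required would help, and `files_read_non_security_files` may suffice in its place — confirm before narrowing.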
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
new file mode 100644
index 0000000..26c1128
--- /dev/null
+++ b/policy/modules/admin/readahead.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/readahead	--	gen_context(system_u:object_r:readahead_exec_t,s0)
diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
new file mode 100644
index 0000000..47c4723
--- /dev/null
+++ b/policy/modules/admin/readahead.if
@@ -0,0 +1 @@
+## <summary>Readahead, read files into page cache for improved performance</summary>
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
new file mode 100644
index 0000000..7f91460
--- /dev/null
+++ b/policy/modules/admin/readahead.te
@@ -0,0 +1,81 @@
+
+policy_module(readahead,1.2.1)
+
+########################################
+#
+# Declarations
+#
+
+type readahead_t;
+type readahead_exec_t;
+init_daemon_domain(readahead_t,readahead_exec_t)
+
+type readahead_var_run_t;
+files_pid_file(readahead_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
+allow readahead_t self:process signal_perms;
+
+allow readahead_t readahead_var_run_t:file create_file_perms;
+allow readahead_t readahead_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(readahead_t,readahead_var_run_t,file)
+
+kernel_read_kernel_sysctls(readahead_t)
+kernel_read_system_state(readahead_t)
+kernel_dontaudit_getattr_core_if(readahead_t)
+
+dev_read_sysfs(readahead_t)
+dev_getattr_generic_chr_files(readahead_t)
+dev_getattr_generic_blk_files(readahead_t)
+dev_getattr_all_chr_files(readahead_t)
+dev_getattr_all_blk_files(readahead_t)
+dev_dontaudit_read_all_blk_files(readahead_t)
+dev_dontaudit_getattr_memory_dev(readahead_t)
+
+domain_use_interactive_fds(readahead_t)
+
+files_dontaudit_getattr_all_sockets(readahead_t)
+files_list_non_security(readahead_t)
+files_read_non_security_files(readahead_t)
+
+fs_getattr_all_fs(readahead_t)
+fs_search_auto_mountpoints(readahead_t)
+fs_getattr_all_pipes(readahead_t)
+fs_getattr_all_files(readahead_t)
+fs_dontaudit_search_ramfs(readahead_t)
+fs_dontaudit_read_ramfs_pipes(readahead_t)
+fs_dontaudit_read_ramfs_files(readahead_t)
+fs_read_tmpfs_symlinks(readahead_t)
+
+term_dontaudit_use_console(readahead_t)
+
+auth_dontaudit_read_shadow(readahead_t)
+
+init_use_fds(readahead_t)
+init_use_script_ptys(readahead_t)
+init_getattr_initctl(readahead_t)
+
+libs_use_ld_so(readahead_t)
+libs_use_shared_libs(readahead_t)
+
+logging_send_syslog_msg(readahead_t)
+
+miscfiles_read_localization(readahead_t)
+
+userdom_dontaudit_use_unpriv_user_fds(readahead_t)
+userdom_dontaudit_search_sysadm_home_dirs(readahead_t)
+
+ifdef(`targeted_policy',`
+	files_dontaudit_read_root_files(readahead_t)
+	term_dontaudit_use_unallocated_ttys(readahead_t)
+	term_dontaudit_use_generic_ptys(readahead_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(readahead_t)
+')
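Review bot: Style point at the device rules: `dev_getattr_generic_chr_files`/`dev_getattr_generic_blk_files` are immediately followed by `dev_getattr_all_chr_files`/`dev_getattr_all_blk_files`, and if the generic device type belongs to the device-node attribute in this tree the `all` forms already cover the `generic` pair, leaving two redundant calls. If that is the case, drop the two `generic` lines; if the generic type is deliberately kept out of the attribute here, a short comment saying so would stop the next reader from removing them.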
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
new file mode 100644
index 0000000..384715c
--- /dev/null
+++ b/policy/modules/admin/rpm.fc
@@ -0,0 +1,41 @@
+
+/bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/lib(64)?/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
+
+/usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ifdef(`distro_redhat', `
+/usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+')
+
+/var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+
+/var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
+
+/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+/var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+
+# SuSE
+ifdef(`distro_suse', `
+/usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/sbin/yast2			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/lib/YaST2(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/log/YaST2(/.*)?			gen_context(system_u:object_r:rpm_log_t,s0)
+')
+
+ifdef(`enable_mls',`
+/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+')
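Review bot: Under `ifdef(`enable_mls',...)` `/sbin/cpio` is relabeled to rpm_exec_t, which has two consequences not visible from the line itself: any domain given `rpm_domtrans`/`rpm_run` now transitions into rpm_t — an `unconfined_domain` on Red Hat and targeted builds according to rpm.te — simply by running cpio, and domains that only have generic bin execution can no longer run cpio at all in MLS builds. If this is required (presumably because rpm invokes cpio during install and the MLS build needs it to stay inside rpm_t), say so in a comment above the ifdef, e.g. `# MLS: cpio runs as rpm_t (see rpm.te); plain cpio from any rpm_domtrans caller also enters rpm_t`; otherwise consider a dedicated type for cpio rather than reusing the rpm entrypoint.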
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
new file mode 100644
index 0000000..00f1b98
--- /dev/null
+++ b/policy/modules/admin/rpm.if
@@ -0,0 +1,258 @@
+## <summary>Policy for the RPM package manager.</summary>
+
+########################################
+## <summary>
+##	Execute rpm programs in the rpm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_domtrans',`
+	gen_require(`
+		type rpm_t, rpm_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,rpm_exec_t,rpm_t)
+
+	allow $1 rpm_t:fd use;
+	allow rpm_t $1:fd use;
+	allow rpm_t $1:fifo_file rw_file_perms;
+	allow rpm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute rpm_script programs in the rpm_script domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_domtrans_script',`
+	gen_require(`
+		type rpm_script_t;
+	')
+
+	# transition to rpm script:
+	corecmd_shell_domtrans($1,rpm_script_t)
+
+	allow $1 rpm_script_t:fd use;
+	allow rpm_script_t $1:fd use;
+	allow rpm_script_t $1:fifo_file rw_file_perms;
+	allow rpm_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute RPM programs in the RPM domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the RPM domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the RPM domain to use.
+##	</summary>
+## </param>
+#
+interface(`rpm_run',`
+	gen_require(`
+		type rpm_t, rpm_script_t;
+	')
+
+	rpm_domtrans($1)
+	role $2 types rpm_t;
+	role $2 types rpm_script_t;
+	seutil_run_loadpolicy(rpm_script_t,$2,$3)
+	seutil_run_semanage(rpm_script_t,$2,$3)
+	seutil_run_setfiles(rpm_script_t,$2,$3)
+	seutil_run_restorecon(rpm_script_t,$2,$3)
+	allow rpm_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute the rpm client in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_exec',`
+	gen_require(`
+		type rpm_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1,rpm_exec_t)
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from RPM.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_use_fds',`
+	gen_require(`
+		type rpm_t;
+	')
+
+	allow $1 rpm_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read from an unnamed RPM pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_read_pipes',`
+	gen_require(`
+		type rpm_t;
+	')
+
+	allow $1 rpm_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write an unnamed RPM pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_rw_pipes',`
+	gen_require(`
+		type rpm_t;
+	')
+
+	allow $1 rpm_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the RPM log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_manage_log',`
+	gen_require(`
+		type rpm_log_t;
+	')
+
+	logging_rw_generic_log_dirs($1)
+	allow $1 rpm_log_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from RPM scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_use_script_fds',`
+	gen_require(`
+		type rpm_script_t;
+	')
+
+	allow $1 rpm_script_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read the RPM package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_read_db',`
+	gen_require(`
+		type rpm_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 rpm_var_lib_t:dir r_dir_perms;
+	allow $1 rpm_var_lib_t:file { getattr read };
+	allow $1 rpm_var_lib_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_manage_db',`
+	gen_require(`
+		type rpm_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 rpm_var_lib_t:dir rw_dir_perms;
+	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
+	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read, 
+##	write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_manage_db',`
+	gen_require(`
+		type rpm_var_lib_t;
+	')
+
+	dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
+	dontaudit $1 rpm_var_lib_t:file create_file_perms;
+	dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
+')
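Review bot: `rpm_domtrans_script` is documented as "Execute rpm_script programs in the rpm_script domain", but its body is `corecmd_shell_domtrans($1, rpm_script_t)`: the caller is moved into rpm_script_t whenever it executes the system shell, not an rpm-specific program, because the domain's entrypoint is the shell (rpm.te: `corecmd_shell_entry_type(rpm_script_t)`). Since rpm_script_t is made an `unconfined_domain` on Red Hat and targeted builds and `rpm_run` hands it loadpolicy/semanage/setfiles/restorecon, any future caller of this interface effectively gets an unconfined shell, so the summary should say that plainly, e.g. `Transition to the rpm_script domain when executing a shell; every shell the caller execs then runs as rpm_script_t, so grant this only to rpm_t.`. A smaller consistency nit: `rpm_manage_db` allows `lnk_file { getattr read write unlink }` with no `create`, while `rpm_dontaudit_manage_db` uses `create_lnk_perms` for the same object.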
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
new file mode 100644
index 0000000..a12a0d4
--- /dev/null
+++ b/policy/modules/admin/rpm.te
@@ -0,0 +1,396 @@
+
+policy_module(rpm,1.3.9)
+
+########################################
+#
+# Declarations
+#
+
+type rpm_t;
+type rpm_exec_t;
+init_system_domain(rpm_t,rpm_exec_t)
+domain_obj_id_change_exemption(rpm_t)
+domain_role_change_exemption(rpm_t)
+domain_system_change_exemption(rpm_t)
+domain_interactive_fd(rpm_t)
+role system_r types rpm_t;
+
+type rpm_file_t;
+files_type(rpm_file_t)
+
+type rpm_tmp_t;
+files_tmp_file(rpm_tmp_t)
+
+type rpm_tmpfs_t;
+files_tmpfs_file(rpm_tmpfs_t)
+
+type rpm_log_t;
+logging_log_file(rpm_log_t)
+
+type rpm_var_lib_t;
+files_type(rpm_var_lib_t)
+typealias rpm_var_lib_t alias var_lib_rpm_t;
+
+type rpm_script_t;
+type rpm_script_exec_t;
+domain_obj_id_change_exemption(rpm_script_t)
+domain_system_change_exemption(rpm_script_t)
+corecmd_shell_entry_type(rpm_script_t)
+domain_type(rpm_script_t)
+domain_entry_file(rpm_t,rpm_script_exec_t)
+domain_interactive_fd(rpm_script_t)
+role system_r types rpm_script_t;
+
+type rpm_script_tmp_t;
+files_tmp_file(rpm_script_tmp_t)
+
+type rpm_script_tmpfs_t;
+files_tmpfs_file(rpm_script_tmpfs_t)
+
+########################################
+#
+# rpm Local policy
+#
+
+allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
+allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_t self:process { getattr setexec setfscreate setrlimit };
+allow rpm_t self:fd use;
+allow rpm_t self:fifo_file rw_file_perms;
+allow rpm_t self:unix_dgram_socket create_socket_perms;
+allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
+allow rpm_t self:unix_dgram_socket sendto;
+allow rpm_t self:unix_stream_socket connectto;
+allow rpm_t self:udp_socket { connect };
+allow rpm_t self:udp_socket create_socket_perms;
+allow rpm_t self:tcp_socket create_stream_socket_perms;
+allow rpm_t self:shm create_shm_perms;
+allow rpm_t self:sem create_sem_perms;
+allow rpm_t self:msgq create_msgq_perms;
+allow rpm_t self:msg { send receive };
+allow rpm_t self:dir search;
+allow rpm_t self:file rw_file_perms;;
+
+allow rpm_t rpm_tmp_t:dir create_dir_perms;
+allow rpm_t rpm_tmp_t:file create_file_perms;
+files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
+
+allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
+allow rpm_t rpm_tmpfs_t:file create_file_perms;
+allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
+allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
+allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
+fs_tmpfs_filetrans(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Access /var/lib/rpm files
+allow rpm_t rpm_var_lib_t:file create_file_perms;
+allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)
+
+kernel_read_system_state(rpm_t)
+kernel_read_kernel_sysctls(rpm_t)
+
+corecmd_exec_all_executables(rpm_t)
+
+corenet_non_ipsec_sendrecv(rpm_t)
+corenet_tcp_sendrecv_all_if(rpm_t)
+corenet_raw_sendrecv_all_if(rpm_t)
+corenet_udp_sendrecv_all_if(rpm_t)
+corenet_tcp_sendrecv_all_nodes(rpm_t)
+corenet_raw_sendrecv_all_nodes(rpm_t)
+corenet_udp_sendrecv_all_nodes(rpm_t)
+corenet_tcp_sendrecv_all_ports(rpm_t)
+corenet_udp_sendrecv_all_ports(rpm_t)
+corenet_tcp_connect_all_ports(rpm_t)
+corenet_sendrecv_all_client_packets(rpm_t)
+
+dev_list_sysfs(rpm_t)
+dev_list_usbfs(rpm_t)
+dev_read_urand(rpm_t)
+#devices_manage_all_device_types(rpm_t)
+
+fs_manage_nfs_dirs(rpm_t)
+fs_manage_nfs_files(rpm_t)
+fs_manage_nfs_symlinks(rpm_t)
+fs_getattr_all_fs(rpm_t)
+fs_search_auto_mountpoints(rpm_t)
+
+mls_file_read_up(rpm_t)
+mls_file_write_down(rpm_t)
+mls_file_upgrade(rpm_t)
+mls_file_downgrade(rpm_t)
+
+selinux_get_fs_mount(rpm_t)
+selinux_validate_context(rpm_t)
+selinux_compute_access_vector(rpm_t)
+selinux_compute_create_context(rpm_t)
+selinux_compute_relabel_context(rpm_t)
+selinux_compute_user_contexts(rpm_t)
+
+storage_raw_write_fixed_disk(rpm_t)
+# for installing kernel packages
+storage_raw_read_fixed_disk(rpm_t)
+
+term_list_ptys(rpm_t)
+
+auth_relabel_all_files_except_shadow(rpm_t)
+auth_manage_all_files_except_shadow(rpm_t)
+auth_dontaudit_read_shadow(rpm_t)
+
+# transition to rpm script:
+rpm_domtrans_script(rpm_t)
+
+domain_read_all_domains_state(rpm_t)
+domain_getattr_all_domains(rpm_t)
+domain_dontaudit_ptrace_all_domains(rpm_t)
+domain_use_interactive_fds(rpm_t)
+domain_dontaudit_getattr_all_pipes(rpm_t)
+domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+domain_dontaudit_getattr_all_udp_sockets(rpm_t)
+domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
+
+files_exec_etc_files(rpm_t)
+
+init_domtrans_script(rpm_t)
+
+libs_use_ld_so(rpm_t)
+libs_use_shared_libs(rpm_t)
+libs_exec_ld_so(rpm_t)
+libs_exec_lib_files(rpm_t)
+libs_domtrans_ldconfig(rpm_t)
+
+logging_send_syslog_msg(rpm_t)
+
+# allow compiling and loading new policy
+seutil_manage_src_policy(rpm_t)
+seutil_manage_bin_policy(rpm_t)
+
+sysnet_read_config(rpm_t)
+
+userdom_use_unpriv_users_fds(rpm_t)
+
+ifdef(`distro_redhat',`
+	unconfined_domain(rpm_t)
+')
+
+ifdef(`targeted_policy',`
+	unconfined_domain(rpm_t)
+',`
+	# cjp: these are here to stop type_transition
+	# conflicts since rpm_t is an alias of
+	# unconfined in the targeted policy
+	allow rpm_t rpm_log_t:file create_file_perms;
+	logging_log_filetrans(rpm_t,rpm_log_t,file)
+')
+
+optional_policy(`
+	cron_system_entry(rpm_t,rpm_exec_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(rpm_t)
+')
+
+ifdef(`TODO',`
+# read/write/create any files in the system
+dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
+allow rpm_t ttyfile:chr_file unlink;
+
+# needs rw permission to the directory for an rpm package that includes a mount
+# point
+allow rpm_t fs_type:dir { setattr rw_dir_perms };
+
+allow rpm_t mount_t:tcp_socket write;
+
+allow rpm_t rpc_pipefs_t:dir search;
+
+optional_policy(`
+allow rpm_t sysadm_gph_t:fd use;
+')
+') dnl endif TODO
+
+########################################
+#
+# rpm-script Local policy
+#
+
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_script_t self:fd use;
+allow rpm_script_t self:fifo_file rw_file_perms;
+allow rpm_script_t self:unix_dgram_socket create_socket_perms;
+allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
+allow rpm_script_t self:unix_dgram_socket sendto;
+allow rpm_script_t self:unix_stream_socket connectto;
+allow rpm_script_t self:shm create_shm_perms;
+allow rpm_script_t self:sem create_sem_perms;
+allow rpm_script_t self:msgq create_msgq_perms;
+allow rpm_script_t self:msg { send receive };
+
+allow rpm_script_t rpm_tmp_t:file r_file_perms;
+
+allow rpm_script_t rpm_script_tmp_t:dir mounton;
+allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
+allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
+files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
+
+allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
+allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
+allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
+allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
+allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
+fs_tmpfs_filetrans(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+allow rpm_t rpm_script_t:fd use;
+allow rpm_script_t rpm_t:fd use;
+allow rpm_script_t rpm_t:fifo_file rw_file_perms;
+allow rpm_script_t rpm_t:process sigchld;
+
+kernel_read_kernel_sysctls(rpm_script_t)
+kernel_read_system_state(rpm_script_t)
+
+dev_list_sysfs(rpm_script_t)
+
+# ideally we would not need this
+dev_manage_generic_blk_files(rpm_script_t)
+dev_manage_generic_chr_files(rpm_script_t)
+dev_manage_all_blk_files(rpm_script_t)
+dev_manage_all_chr_files(rpm_script_t)
+
+fs_manage_nfs_files(rpm_script_t)
+fs_getattr_nfs(rpm_script_t)
+# why is this not using mount?
+fs_getattr_xattr_fs(rpm_script_t)
+fs_mount_xattr_fs(rpm_script_t)
+fs_unmount_xattr_fs(rpm_script_t)
+fs_search_auto_mountpoints(rpm_script_t)
+
+mls_file_read_up(rpm_script_t)
+mls_file_write_down(rpm_script_t)
+
+selinux_get_fs_mount(rpm_script_t)
+selinux_validate_context(rpm_script_t)
+selinux_compute_access_vector(rpm_script_t)
+selinux_compute_create_context(rpm_script_t)
+selinux_compute_relabel_context(rpm_script_t)
+selinux_compute_user_contexts(rpm_script_t)
+
+storage_raw_read_fixed_disk(rpm_script_t)
+storage_raw_write_fixed_disk(rpm_script_t)
+
+term_getattr_unallocated_ttys(rpm_script_t)
+term_list_ptys(rpm_script_t)
+term_use_all_terms(rpm_script_t)
+
+auth_dontaudit_getattr_shadow(rpm_script_t)
+# ideally we would not need this
+auth_manage_all_files_except_shadow(rpm_script_t)
+
+corecmd_exec_all_executables(rpm_script_t)
+
+domain_read_all_domains_state(rpm_script_t)
+domain_getattr_all_domains(rpm_script_t)
+domain_dontaudit_ptrace_all_domains(rpm_script_t)
+domain_use_interactive_fds(rpm_script_t)
+domain_signal_all_domains(rpm_script_t)
+domain_signull_all_domains(rpm_script_t)
+
+files_exec_etc_files(rpm_script_t)
+files_read_etc_runtime_files(rpm_script_t)
+files_exec_usr_files(rpm_script_t)
+
+init_domtrans_script(rpm_script_t)
+
+libs_use_ld_so(rpm_script_t)
+libs_use_shared_libs(rpm_script_t)
+libs_exec_ld_so(rpm_script_t)
+libs_exec_lib_files(rpm_script_t)
+libs_domtrans_ldconfig(rpm_script_t)
+
+logging_send_syslog_msg(rpm_script_t)
+
+miscfiles_read_localization(rpm_script_t)
+
+modutils_domtrans_depmod(rpm_script_t)
+modutils_domtrans_insmod(rpm_script_t)
+
+seutil_domtrans_loadpolicy(rpm_script_t)
+seutil_domtrans_restorecon(rpm_script_t)
+seutil_domtrans_semanage(rpm_script_t)
+
+userdom_use_all_users_fds(rpm_script_t)
+
+ifdef(`distro_redhat',`
+	unconfined_domain(rpm_script_t)
+')
+
+ifdef(`targeted_policy',`
+	unconfined_domain(rpm_script_t)
+
+	optional_policy(`
+		java_domtrans(rpm_script_t)
+	')
+
+	optional_policy(`
+		mono_domtrans(rpm_script_t)
+	')
+
+	optional_policy(`
+		unconfined_domtrans(rpm_script_t)
+	')
+')
+
+ifdef(`distro_redhat',`
+	optional_policy(`
+		mta_send_mail(rpm_script_t)
+	')
+')
+
+tunable_policy(`allow_execmem',`
+	allow rpm_script_t self:process execmem;
+')
+
+optional_policy(`
+	bootloader_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(rpm_script_t)
+')
+
+optional_policy(`
+	usermanage_domtrans_groupadd(rpm_script_t)
+	usermanage_domtrans_useradd(rpm_script_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`
+can_exec(rpm_script_t,printconf_t)
+')
+
+optional_policy(`
+allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
+allow cupsd_t rpm_var_lib_t:file r_file_perms;
+allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
+allow cupsd_t initrc_exec_t:file r_file_perms;
+domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
+')
+
+optional_policy(`
+domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
+')
+
+optional_policy(`
+domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
+')
+
+ifdef(`hide_broken_symptoms', `
+	optional_policy(`
+		domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
+	')
+')
+
+') dnl end TODO
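Review bot: `domain_entry_file(rpm_t,rpm_script_exec_t)` in the declarations makes rpm_script_exec_t an entrypoint for rpm_t rather than for rpm_script_t, and no file in rpm.fc is labeled rpm_script_exec_t, so the type is dead as written; this reads like a typo for `domain_entry_file(rpm_script_t,rpm_script_exec_t)` — please confirm the intent, or drop the unused type. The self:process rules are also harder to audit than they need to be: `allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes setexec/setfscreate/setrlimit only for the very next line to grant them again, so the net rule is `allow rpm_t self:process ~{ ptrace setcurrent execmem execstack execheap };` and that is what should be written (the same pattern, with the `allow_execmem` tunable re-adding execmem, appears for rpm_script_t). The stray double semicolon at `allow rpm_t self:file rw_file_perms;;` should go too. Finally, `storage_raw_write_fixed_disk(rpm_t)` — the more dangerous of the two raw-disk grants — sits above the `# for installing kernel packages` comment that annotates only the read; move the comment so it covers both, or explain the write separately.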
diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
new file mode 100644
index 0000000..688abc2
--- /dev/null
+++ b/policy/modules/admin/su.fc
@@ -0,0 +1,5 @@
+
+/bin/su			--	gen_context(system_u:object_r:su_exec_t,s0)
+
+/usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
new file mode 100644
index 0000000..5fb85ce
--- /dev/null
+++ b/policy/modules/admin/su.if
@@ -0,0 +1,342 @@
+## <summary>Run shells with substitute user and group</summary>
+
+#######################################
+## <summary>
+##	Restricted su domain template.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is allowed
+##	to change the linux user id, to run shells as a different
+##	user.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`su_restricted_domain_template', `
+	gen_require(`
+		type su_exec_t;
+	')
+
+	type $1_su_t;
+	domain_entry_file($1_su_t,su_exec_t)
+	domain_type($1_su_t)
+	domain_interactive_fd($1_su_t)
+	role $3 types $1_su_t;
+
+	allow $2 $1_su_t:process signal;
+
+	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+	dontaudit $1_su_t self:capability sys_tty_config;
+	allow $1_su_t self:process { setexec setsched setrlimit };
+	allow $1_su_t self:fifo_file rw_file_perms;
+	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+	allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
+
+	# Transition from the user domain to this domain.
+	domain_auto_trans($2, su_exec_t, $1_su_t)
+	allow $1_su_t $2:fd use;
+	allow $1_su_t $2:fifo_file rw_file_perms;
+	allow $1_su_t $2:process sigchld;
+
+	# By default, revert to the calling domain when a shell is executed.
+	corecmd_shell_domtrans($1_su_t,$2)
+	allow $2 $1_su_t:fd use;
+	allow $2 $1_su_t:fifo_file rw_file_perms;
+	allow $2 $1_su_t:process sigchld;
+
+	kernel_read_system_state($1_su_t)
+	kernel_read_kernel_sysctls($1_su_t)
+
+	# for SSP
+	dev_read_urand($1_su_t)
+
+	files_read_etc_files($1_su_t)
+	files_read_etc_runtime_files($1_su_t)
+	files_search_var_lib($1_su_t)
+	files_dontaudit_getattr_tmp_dirs($1_su_t)
+
+	# for the rootok check
+	selinux_compute_access_vector($1_su_t)
+
+	auth_domtrans_chk_passwd($1_su_t)
+	auth_dontaudit_read_shadow($1_su_t)
+	auth_use_nsswitch($1_su_t)
+
+	domain_use_interactive_fds($1_su_t)
+
+	init_dontaudit_use_fds($1_su_t)
+	init_dontaudit_use_script_ptys($1_su_t)
+	# Write to utmp.
+	init_rw_utmp($1_su_t)
+
+	libs_use_ld_so($1_su_t)
+	libs_use_shared_libs($1_su_t)
+
+	logging_send_syslog_msg($1_su_t)
+
+	miscfiles_read_localization($1_su_t)
+
+	ifdef(`distro_rhel4',`
+		domain_role_change_exemption($1_su_t)
+		domain_subj_id_change_exemption($1_su_t)
+		domain_obj_id_change_exemption($1_su_t)
+
+		selinux_get_fs_mount($1_su_t)
+		selinux_validate_context($1_su_t)
+		selinux_compute_access_vector($1_su_t)
+		selinux_compute_create_context($1_su_t)
+		selinux_compute_relabel_context($1_su_t)
+		selinux_compute_user_contexts($1_su_t)
+
+		seutil_read_config($1_su_t)
+		seutil_read_default_contexts($1_su_t)
+
+		# Only allow transitions to unprivileged user domains.
+		userdom_spec_domtrans_unpriv_users($1_su_t)
+	')
+
+	optional_policy(`
+		cron_read_pipes($1_su_t)
+	')
+
+	optional_policy(`
+		kerberos_use($1_su_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_su_t)
+	')
+
+	ifdef(`TODO',`
+	# Caused by su - init scripts
+	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+	') dnl end TODO
+')
+
+#######################################
+## <summary>
+##	The per user domain template for the su module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is allowed
+##	to change the linux user id, to run shells as a different
+##	user.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`su_per_userdomain_template',`
+	gen_require(`
+		type su_exec_t;
+		bool secure_mode;
+	')
+
+	type $1_su_t;
+	domain_entry_file($1_su_t,su_exec_t)
+	domain_type($1_su_t)
+	domain_interactive_fd($1_su_t)
+	role $3 types $1_su_t;
+
+	allow $2 $1_su_t:process signal;
+
+	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+	dontaudit $1_su_t self:capability sys_tty_config;
+	allow $1_su_t self:process { setexec setsched setrlimit };
+	allow $1_su_t self:fifo_file rw_file_perms;
+	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+
+	# Transition from the user domain to this domain.
+	domain_auto_trans($2, su_exec_t, $1_su_t)
+	allow $1_su_t $2:fd use;
+	allow $1_su_t $2:fifo_file rw_file_perms;
+	allow $1_su_t $2:process sigchld;
+
+	# By default, revert to the calling domain when a shell is executed.
+	corecmd_shell_domtrans($1_su_t,$2)
+	allow $2 $1_su_t:fd use;
+	allow $2 $1_su_t:fifo_file rw_file_perms;
+	allow $2 $1_su_t:process sigchld;
+
+	kernel_read_system_state($1_su_t)
+	kernel_read_kernel_sysctls($1_su_t)
+
+	# for SSP
+	dev_read_urand($1_su_t)
+
+	fs_search_auto_mountpoints($1_su_t)
+
+	auth_domtrans_user_chk_passwd($1,$1_su_t)
+	auth_dontaudit_read_shadow($1_su_t)
+	auth_use_nsswitch($1_su_t)
+
+	corecmd_search_bin($1_su_t)
+	corecmd_search_sbin($1_su_t)
+
+	domain_use_interactive_fds($1_su_t)
+
+	files_read_etc_files($1_su_t)
+	files_read_etc_runtime_files($1_su_t)
+	files_search_var_lib($1_su_t)
+	files_dontaudit_getattr_tmp_dirs($1_su_t)
+
+	init_dontaudit_use_fds($1_su_t)
+	# Write to utmp.
+	init_rw_utmp($1_su_t)
+
+	libs_use_ld_so($1_su_t)
+	libs_use_shared_libs($1_su_t)
+
+	logging_send_syslog_msg($1_su_t)
+
+	miscfiles_read_localization($1_su_t)
+
+	userdom_use_user_terminals($1,$1_su_t)
+	userdom_search_user_home_dirs($1,$1_su_t)
+
+	ifdef(`distro_rhel4',`
+		domain_role_change_exemption($1_su_t)
+		domain_subj_id_change_exemption($1_su_t)
+		domain_obj_id_change_exemption($1_su_t)
+
+		selinux_get_fs_mount($1_su_t)
+		selinux_validate_context($1_su_t)
+		selinux_compute_access_vector($1_su_t)
+		selinux_compute_create_context($1_su_t)
+		selinux_compute_relabel_context($1_su_t)
+		selinux_compute_user_contexts($1_su_t)
+
+		# Relabel ttys and ptys.
+		term_relabel_all_user_ttys($1_su_t)
+		term_relabel_all_user_ptys($1_su_t)
+		# Close and re-open ttys and ptys to get the fd into the correct domain.
+		term_use_all_user_ttys($1_su_t)
+		term_use_all_user_ptys($1_su_t)
+
+		seutil_read_config($1_su_t)
+		seutil_read_default_contexts($1_su_t)
+
+		ifdef(`strict_policy',`
+			if(secure_mode) {
+				# Only allow transitions to unprivileged user domains.
+				userdom_spec_domtrans_unpriv_users($1_su_t)
+			} else {
+				# Allow transitions to all user domains
+				userdom_spec_domtrans_all_users($1_su_t)
+			}
+		')
+
+		ifdef(`targeted_policy',`
+			unconfined_domtrans($1_su_t)
+			unconfined_signal($1_su_t)
+		')
+	')
+
+	ifdef(`enable_polyinstantiation',`
+		fs_mount_xattr_fs($1_su_t)
+		fs_unmount_xattr_fs($1_su_t)
+	')
+
+	ifdef(`targeted_policy',`
+		# allow user to suspend terminal.
+		# does not work in strict since the
+		# parent may not be able to use
+		# the terminal if we newrole,
+		# which relabels the terminal.
+		allow $1_su_t self:process sigstop;
+
+		corecmd_exec_bin($1_su_t)
+		userdom_manage_all_users_home_content_files($1_su_t)
+		userdom_manage_all_users_home_content_symlinks($1_su_t)
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_search_nfs($1_su_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_search_cifs($1_su_t)
+	')
+
+	optional_policy(`
+		cron_read_pipes($1_su_t)
+	')
+
+	optional_policy(`
+		kerberos_use($1_su_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_su_t)
+	')
+
+	# Modify .Xauthority file (via xauth program).
+	optional_policy(`
+#		file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+#		file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+#		file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+		xserver_domtrans_user_xauth($1, $1_su_t)
+	')
+
+	ifdef(`TODO',`
+	allow $1_su_t $1_home_t:file create_file_perms;
+
+	# Access sshd cookie files.
+	allow $1_su_t sshd_tmp_t:file rw_file_perms;
+	file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
+	') dnl end TODO
+')
+
+#######################################
+## <summary>
+##	Execute su in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`su_exec',`
+	gen_require(`
+		type su_exec_t;
+	')
+
+	can_exec($1,su_exec_t)
+')
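Review bot: `selinux_compute_access_vector($1_su_t)` is granted twice in su_restricted_domain_template, once unconditionally under the `# for the rootok check` comment and again inside the `distro_rhel4` block, so the second copy can go. That template and su_per_userdomain_template also carry some fifty identical lines (the capability set, the `domain_auto_trans`/`corecmd_shell_domtrans` pair, the kernel/dev/files/init/libs/logging/miscfiles calls), which is exactly how such drift starts; a shared core template with the per-user additions on top would keep them aligned. The `# By default, revert to the calling domain when a shell is executed.` comment is the one security property a reader needs and deserves a line more, e.g. `# su changes only the Linux uid: the shell it spawns transitions back to the caller's SELinux domain ($2), so su by itself grants no SELinux privilege; only the rhel4/strict userdom_spec_domtrans_* rules below permit any other target domain.` Lastly, `bool secure_mode` is required by su_per_userdomain_template but only read under `distro_rhel4` + `strict_policy`; harmless, but a short comment on the gen_require would stop someone removing it as unused.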
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
new file mode 100644
index 0000000..d9ef86a
--- /dev/null
+++ b/policy/modules/admin/su.te
@@ -0,0 +1,10 @@
+
+policy_module(su,1.3.3)
+
+########################################
+#
+# Declarations
+#
+
+type su_exec_t;
+corecmd_executable_file(su_exec_t)
diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
new file mode 100644
index 0000000..7bddc02
--- /dev/null
+++ b/policy/modules/admin/sudo.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/sudo(edit)?	--	gen_context(system_u:object_r:sudo_exec_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
new file mode 100644
index 0000000..e0ff588
--- /dev/null
+++ b/policy/modules/admin/sudo.if
@@ -0,0 +1,153 @@
+## <summary>Execute a command with a substitute user</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the sudo module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is allowed
+##	to change the linux user id, to run commands as a different
+##	user.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`sudo_per_userdomain_template',`
+
+	gen_require(`
+		type sudo_exec_t;
+		bool secure_mode;
+	')
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type $1_sudo_t; 
+	domain_type($1_sudo_t)
+	domain_entry_file($1_sudo_t,sudo_exec_t)
+	domain_interactive_fd($1_sudo_t)
+	role $3 types $1_sudo_t;
+
+	##############################
+	#
+	# Local Policy
+	#
+
+	# Use capabilities.
+	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
+	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_sudo_t self:process { setexec setrlimit };
+	allow $1_sudo_t self:fd use;
+	allow $1_sudo_t self:fifo_file rw_file_perms;
+	allow $1_sudo_t self:shm create_shm_perms;
+	allow $1_sudo_t self:sem create_sem_perms;
+	allow $1_sudo_t self:msgq create_msgq_perms;
+	allow $1_sudo_t self:msg { send receive };
+	allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
+	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_sudo_t self:unix_dgram_socket sendto;
+	allow $1_sudo_t self:unix_stream_socket connectto;
+	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
+
+	# Enter this derived domain from the user domain
+	domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
+	allow $1_sudo_t $2:fd use;
+	allow $2 $1_sudo_t:fd use;
+	allow $2 $1_sudo_t:fifo_file rw_file_perms;
+	allow $2 $1_sudo_t:process sigchld;
+
+	# By default, revert to the calling domain when a shell is executed.
+	corecmd_shell_domtrans($1_sudo_t,$2)
+	allow $2 $1_sudo_t:fd use;
+	allow $1_sudo_t $2:fd use;
+	allow $1_sudo_t $2:fifo_file rw_file_perms;
+	allow $1_sudo_t $2:process sigchld;
+
+	kernel_read_kernel_sysctls($1_sudo_t)
+	kernel_read_system_state($1_sudo_t)
+
+	dev_read_urand($1_sudo_t)
+
+	fs_search_auto_mountpoints($1_sudo_t)
+	fs_getattr_xattr_fs($1_sudo_t)
+
+	auth_domtrans_chk_passwd($1_sudo_t)
+
+	corecmd_getattr_bin_files($1_sudo_t)
+	corecmd_read_sbin_symlinks($1_sudo_t)
+	corecmd_getattr_sbin_files($1_sudo_t)
+
+	domain_use_interactive_fds($1_sudo_t)
+	domain_sigchld_interactive_fds($1_sudo_t)
+	domain_getattr_all_entry_files($1_sudo_t)
+
+	files_read_etc_files($1_sudo_t)
+	files_read_var_files($1_sudo_t)
+	files_read_usr_symlinks($1_sudo_t)
+	files_getattr_usr_files($1_sudo_t)
+	# for some PAM modules and for cwd
+	files_dontaudit_search_home($1_sudo_t)
+
+	init_rw_utmp($1_sudo_t)
+
+	libs_use_ld_so($1_sudo_t)
+	libs_use_shared_libs($1_sudo_t)
+
+	logging_send_syslog_msg($1_sudo_t)
+
+	miscfiles_read_localization($1_sudo_t)
+
+	userdom_manage_user_home_content_files($1,$1_sudo_t)
+	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
+	userdom_manage_user_tmp_files($1,$1_sudo_t)
+	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
+	userdom_use_user_terminals($1,$1_sudo_t)
+	userdom_use_unpriv_users_fds($1_sudo_t)
+	# for some PAM modules and for cwd
+	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
+
+	optional_policy(`
+		nis_use_ypbind($1_sudo_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_sudo_t)
+	')
+
+	ifdef(`TODO',`
+	# for when the network connection is killed
+	dontaudit unpriv_userdomain $1_sudo_t:process signal;
+
+	ifdef(`mta.te', `
+	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
+	')
+
+	ifdef(`pam.te', `
+	allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
+	allow $1_sudo_t pam_var_run_t:file create_file_perms;
+	')
+	') dnl end TODO
+')
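Review bot: The two `self:process` rules in sudo_per_userdomain_template contradict each other: the first allows everything except `{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }`, and the very next line grants `setexec setrlimit` back, so the exclusion list overstates what is actually denied. Either remove `setexec setrlimit` from the complement and delete the second rule, or keep the second rule and say why those two are wanted, e.g. `# setexec/setrlimit: set the context and limits of the command sudo runs -- confirm`. The audit rule also looks incomplete next to su's: it grants `netlink_audit_socket { create bind write nlmsg_read read }` with no `audit_write`/`audit_control` capability and no `nlmsg_relay`, whereas the su templates pair `nlmsg_relay` with `audit_write`; if sudo is expected to emit audit user messages this would presumably be denied, so confirm which permissions it needs. Note too that `auth_domtrans_chk_passwd($1_sudo_t)` is used here while su uses the per-user `auth_domtrans_user_chk_passwd($1, ...)`; pick one deliberately.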
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
new file mode 100644
index 0000000..54c1f3c
--- /dev/null
+++ b/policy/modules/admin/sudo.te
@@ -0,0 +1,11 @@
+
+policy_module(sudo,1.0.0)
+
+########################################
+#
+# Declarations
+
+type sudo_exec_t;
+files_type(sudo_exec_t)
+
+# Remaining policy in per user domain template.
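Review bot: `sudo_exec_t` is declared with `files_type(sudo_exec_t)`, whereas su.te in this same commit declares its counterpart with `corecmd_executable_file(su_exec_t)`; as written sudo's entry point is a plain file type rather than an executable type, so any interface keyed on executable types (corecmd's exec-all style rules, presumably) would not cover /usr/bin/sudo. Unless that is intended, change it to `corecmd_executable_file(sudo_exec_t)` for consistency with su. The `# Remaining policy in per user domain template.` comment is welcome; naming the template (`sudo_per_userdomain_template` in sudo.if) would let the reader find it.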
diff --git a/policy/modules/admin/sxid.fc b/policy/modules/admin/sxid.fc
new file mode 100644
index 0000000..bc3797b
--- /dev/null
+++ b/policy/modules/admin/sxid.fc
@@ -0,0 +1,6 @@
+/usr/bin/sxid		--	gen_context(system_u:object_r:sxid_exec_t,s0)
+/usr/sbin/checksecurity\.se --	gen_context(system_u:object_r:sxid_exec_t,s0)
+
+/var/log/setuid.*	--	gen_context(system_u:object_r:sxid_log_t,s0)
+/var/log/setuid\.today.* --	gen_context(system_u:object_r:sxid_log_t,s0)
+/var/log/sxid\.log.*	--	gen_context(system_u:object_r:sxid_log_t,s0)
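Review bot: The dot in `/var/log/setuid.*` is unescaped, unlike `setuid\.today.*` and `sxid\.log.*` on the following lines, so as a regex it matches `/var/log/setuid` followed by anything -- it already subsumes the `setuid\.today.*` entry and would also label any unrelated `/var/log/setuid<anything>` file as sxid_log_t. If the intended names are `setuid.today` and similar, write `/var/log/setuid\..*` (or list the exact names) and drop the redundant line; if the bare `/var/log/setuid` file is also meant, say so in a comment.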
diff --git a/policy/modules/admin/sxid.if b/policy/modules/admin/sxid.if
new file mode 100644
index 0000000..36c3a48
--- /dev/null
+++ b/policy/modules/admin/sxid.if
@@ -0,0 +1,21 @@
+## <summary>SUID/SGID program monitoring</summary>
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	sxid log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sxid_read_log',`
+	gen_require(`
+		type sxid_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 sxid_log_t:file r_file_perms;
+')
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
new file mode 100644
index 0000000..bf3ef84
--- /dev/null
+++ b/policy/modules/admin/sxid.te
@@ -0,0 +1,107 @@
+
+policy_module(sxid,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type sxid_t;
+type sxid_exec_t;
+domain_type(sxid_t)
+domain_entry_file(sxid_t,sxid_exec_t)
+
+type sxid_log_t;
+logging_log_file(sxid_log_t)
+
+type sxid_tmp_t;
+files_tmp_file(sxid_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sxid_t self:capability { dac_override dac_read_search fsetid };
+dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
+allow sxid_t self:process signal_perms;
+allow sxid_t self:fifo_file rw_file_perms;
+allow sxid_t self:tcp_socket create_stream_socket_perms;
+allow sxid_t self:udp_socket create_socket_perms;
+
+allow sxid_t sxid_log_t:file create_file_perms;
+logging_log_filetrans(sxid_t,sxid_log_t,file)
+
+allow sxid_t sxid_tmp_t:dir create_dir_perms;
+allow sxid_t sxid_tmp_t:file create_file_perms;
+files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir })
+
+kernel_read_system_state(sxid_t)
+kernel_read_kernel_sysctls(sxid_t)
+
+corecmd_exec_bin(sxid_t)
+corecmd_exec_sbin(sxid_t)
+corecmd_exec_shell(sxid_t)
+
+corenet_non_ipsec_sendrecv(sxid_t)
+corenet_tcp_sendrecv_generic_if(sxid_t)
+corenet_udp_sendrecv_generic_if(sxid_t)
+corenet_tcp_sendrecv_all_nodes(sxid_t)
+corenet_udp_sendrecv_all_nodes(sxid_t)
+corenet_tcp_sendrecv_all_ports(sxid_t)
+corenet_udp_sendrecv_all_ports(sxid_t)
+
+dev_read_sysfs(sxid_t)
+dev_getattr_all_blk_files(sxid_t)
+dev_getattr_all_blk_files(sxid_t)
+
+domain_use_interactive_fds(sxid_t)
+
+files_list_all(sxid_t)
+files_getattr_all_symlinks(sxid_t)
+files_getattr_all_pipes(sxid_t)
+files_getattr_all_sockets(sxid_t)
+
+fs_getattr_xattr_fs(sxid_t)
+fs_search_auto_mountpoints(sxid_t)
+fs_list_all(sxid_t)
+
+term_dontaudit_use_console(sxid_t)
+
+auth_read_all_files_except_shadow(sxid_t)
+
+init_use_fds(sxid_t)
+init_use_script_ptys(sxid_t)
+
+libs_use_ld_so(sxid_t)
+libs_use_shared_libs(sxid_t)
+
+logging_send_syslog_msg(sxid_t)
+
+miscfiles_read_localization(sxid_t)
+
+mount_exec(sxid_t)
+
+sysnet_read_config(sxid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(sxid_t)
+
+cron_system_entry(sxid_t,sxid_exec_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(sxid_t)
+	term_dontaudit_use_generic_ptys(sxid_t)
+	files_dontaudit_read_root_files(sxid_t)
+')
+
+optional_policy(`
+	mta_send_mail(sxid_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(sxid_t)
+')
+
+optional_policy(`
+	udev_read_db(sxid_t)
+')
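Review bot: `dev_getattr_all_blk_files(sxid_t)` appears twice in a row; drop one. More substantively, a cron-run SUID/SGID scanner is given tcp/udp socket creation plus `corenet_*_sendrecv_all_nodes`/`all_ports` on generic interfaces, i.e. network access to anything, and nothing in the hunk shows why; mail already goes through `mta_send_mail` and resolver config through `sysnet_read_config`, so if the corenet rules were added only for name resolution they can presumably be narrowed -- confirm against the denials that motivated them. At minimum a comment above the corenet block recording the purpose, e.g. `# network: resolver lookups when mailing the report -- confirm`, would keep the assumption visible.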
diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc
new file mode 100644
index 0000000..81077db
--- /dev/null
+++ b/policy/modules/admin/tmpreaper.fc
@@ -0,0 +1,2 @@
+/usr/sbin/tmpreaper		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/sbin/tmpwatch		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/policy/modules/admin/tmpreaper.if b/policy/modules/admin/tmpreaper.if
new file mode 100644
index 0000000..d43b117
--- /dev/null
+++ b/policy/modules/admin/tmpreaper.if
@@ -0,0 +1,21 @@
+## <summary>Manage temporary directory sizes and file ages</summary>
+
+########################################
+## <summary>
+##	Execute tmpreaper in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`tmpreaper_exec',`
+	gen_require(`
+		type tmpreaper_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_sbin($1)
+	can_exec($1,tmpreaper_exec_t)
+')
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
new file mode 100644
index 0000000..8809daf
--- /dev/null
+++ b/policy/modules/admin/tmpreaper.te
@@ -0,0 +1,49 @@
+
+policy_module(tmpreaper,1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type tmpreaper_t;
+role system_r types tmpreaper_t;
+domain_type(tmpreaper_t)
+
+type tmpreaper_exec_t;
+domain_entry_file(tmpreaper_t,tmpreaper_exec_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow tmpreaper_t self:process { fork sigchld };
+allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+
+dev_read_urand(tmpreaper_t)
+
+fs_getattr_xattr_fs(tmpreaper_t)
+
+files_read_etc_files(tmpreaper_t)
+files_read_var_lib_files(tmpreaper_t)
+files_purge_tmp(tmpreaper_t)
+# why does it need setattr?
+files_setattr_all_tmp_dirs(tmpreaper_t)
+
+mls_file_read_up(tmpreaper_t)
+mls_file_write_down(tmpreaper_t)
+
+libs_use_ld_so(tmpreaper_t)
+libs_use_shared_libs(tmpreaper_t)
+
+logging_send_syslog_msg(tmpreaper_t)
+
+miscfiles_read_localization(tmpreaper_t)
+miscfiles_delete_man_pages(tmpreaper_t)
+
+cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
+
+optional_policy(`
+	lpd_manage_spool(tmpreaper_t)
+')
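Review bot: `# why does it need setattr?` above `files_setattr_all_tmp_dirs(tmpreaper_t)` ships an unanswered question next to a rule that lets the domain change attributes on every tmp directory type; either record the denial or behaviour that required it, or mark it provisional, e.g. `# setattr on tmp dirs: added for an observed denial -- TODO confirm need, drop if it does not recur`. The MLS pair `mls_file_read_up`/`mls_file_write_down` together with `files_purge_tmp` means tmpreaper_t can delete tmp files at any sensitivity level; presumably the point of a reaper, but worth stating, e.g. `# must remove stale tmp files of every level, hence the MLS overrides`. `lpd_manage_spool(tmpreaper_t)` is full manage over the print spool rather than delete-only; if tmpwatch only removes stale spool files, a narrower lpd interface (if one exists) would be preferable.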
diff --git a/policy/modules/admin/tripwire.fc b/policy/modules/admin/tripwire.fc
new file mode 100644
index 0000000..962662f
--- /dev/null
+++ b/policy/modules/admin/tripwire.fc
@@ -0,0 +1,10 @@
+
+/etc/tripwire(/.*)?			gen_context(system_u:object_r:tripwire_etc_t,s0)
+
+/usr/sbin/siggen		--	gen_context(system_u:object_r:siggen_exec_t,s0)
+/usr/sbin/tripwire		--	gen_context(system_u:object_r:tripwire_exec_t,s0)
+/usr/sbin/twadmin		--	gen_context(system_u:object_r:twadmin_exec_t,s0)
+/usr/sbin/twprint		--	gen_context(system_u:object_r:twprint_exec_t,s0)
+
+/var/lib/tripwire(/.*)?			gen_context(system_u:object_r:tripwire_var_lib_t,s0)
+/var/lib/tripwire/report(/.*)?		gen_context(system_u:object_r:tripwire_report_t,s0)
diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if
new file mode 100644
index 0000000..a8b38c0
--- /dev/null
+++ b/policy/modules/admin/tripwire.if
@@ -0,0 +1,222 @@
+## <summary>Tripwire file integrity checker.</summary>
+## <desc>
+##	<p>
+##	Tripwire file integrity checker.
+##	</p>
+##	<p>
+##	NOTE: Tripwire creates temp file in its current working directory.
+##	This policy does not allow write access to home directories, so
+##	users will need to either cd to a directory where they have write
+##	permission, or set the TEMPDIRECTORY variable in the tripwire config
+##	file.  The latter is preferable, as then the file_type_auto_trans
+##	rules will kick in and label the files as private to tripwire.
+##	</p>
+## </desc>
+
+########################################
+## <summary>
+##	Execute tripwire in the tripwire domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tripwire_domtrans_tripwire',`
+	gen_require(`
+		type tripwire_t, tripwire_exec_t;
+	')
+
+	domain_auto_trans($1,tripwire_exec_t,tripwire_t)
+	allow tripwire_t $1:fd use;
+	allow tripwire_t $1:fifo_file rw_file_perms;
+	allow tripwire_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute tripwire in the tripwire domain, and
+##	allow the specified role the tripwire domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the tripwire domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the tripwire domain to use.
+##	</summary>
+## </param>
+#
+interface(`tripwire_run_tripwire',`
+	gen_require(`
+		type tripwire_t;
+	')
+
+	tripwire_domtrans_tripwire($1)
+	role $2 types tripwire_t;
+	allow tripwire_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute twadmin in the twadmin domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tripwire_domtrans_twadmin',`
+	gen_require(`
+		type twadmin_t, twadmin_exec_t;
+	')
+
+	domain_auto_trans($1,twadmin_exec_t,twadmin_t)
+	allow twadmin_t $1:fd use;
+	allow twadmin_t $1:fifo_file rw_file_perms;
+	allow twadmin_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute twadmin in the twadmin domain, and
+##	allow the specified role the twadmin domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the twadmin domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the twadmin domain to use.
+##	</summary>
+## </param>
+#
+interface(`tripwire_run_twadmin',`
+	gen_require(`
+		type twadmin_t;
+	')
+
+	tripwire_domtrans_twadmin($1)
+	role $2 types twadmin_t;
+	allow twadmin_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute twprint in the twprint domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tripwire_domtrans_twprint',`
+	gen_require(`
+		type twprint_t, twprint_exec_t;
+	')
+
+	domain_auto_trans($1,twprint_exec_t,twprint_t)
+	allow twprint_t $1:fd use;
+	allow twprint_t $1:fifo_file rw_file_perms;
+	allow twprint_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute twprint in the twprint domain, and
+##	allow the specified role the twprint domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the twprint domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the twprint domain to use.
+##	</summary>
+## </param>
+#
+interface(`tripwire_run_twprint',`
+	gen_require(`
+		type twprint_t;
+	')
+
+	tripwire_domtrans_twprint($1)
+	role $2 types twprint_t;
+	allow twprint_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute siggen in the siggen domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tripwire_domtrans_siggen',`
+	gen_require(`
+		type siggen_t, siggen_exec_t;
+	')
+
+	domain_auto_trans($1,siggen_exec_t,siggen_t)
+	allow siggen_t $1:fd use;
+	allow siggen_t $1:fifo_file rw_file_perms;
+	allow siggen_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute siggen in the siggen domain, and
+##	allow the specified role the siggen domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the siggen domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the siggen domain to use.
+##	</summary>
+## </param>
+#
+interface(`tripwire_run_siggen',`
+	gen_require(`
+		type siggen_t;
+	')
+
+	tripwire_domtrans_siggen($1)
+	role $2 types siggen_t;
+	allow siggen_t $3:chr_file rw_term_perms;
+')
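Review bot: The module description says the `file_type_auto_trans` rules label tripwire's temp files, but tripwire.te in this commit uses `files_tmp_filetrans(tripwire_t, tripwire_tmp_t, ...)`; reword to `the tmp file transition rules` so the doc matches the macros actually in use. The same paragraph could add the caveat a reader needs: with TEMPDIRECTORY set, the files are labelled tripwire_tmp_t only when that directory is one the tmp transition covers (a generic tmp directory, presumably), otherwise they inherit the directory's label.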
diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te
new file mode 100644
index 0000000..cb6a7c5
--- /dev/null
+++ b/policy/modules/admin/tripwire.te
@@ -0,0 +1,160 @@
+
+policy_module(tripwire,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type siggen_t;
+type siggen_exec_t;
+domain_type(siggen_t)
+domain_entry_file(siggen_t,siggen_exec_t)
+
+type tripwire_t;
+type tripwire_exec_t;
+domain_type(tripwire_t)
+domain_entry_file(tripwire_t,tripwire_exec_t)
+role system_r types tripwire_t;
+
+type tripwire_etc_t;
+files_config_file(tripwire_etc_t)
+
+type tripwire_report_t;
+files_type(tripwire_report_t)
+
+type tripwire_tmp_t;
+files_tmp_file(tripwire_tmp_t)
+
+type tripwire_var_lib_t;
+files_type(tripwire_var_lib_t)
+
+type twadmin_t;
+type twadmin_exec_t;
+domain_type(twadmin_t)
+domain_entry_file(twadmin_t,twadmin_exec_t)
+
+type twprint_t;
+type twprint_exec_t;
+domain_type(twprint_t)
+domain_entry_file(twprint_t,twprint_exec_t)
+
+########################################
+#
+# Tripwire local policy
+#
+
+allow tripwire_t self:capability { setgid setuid dac_override };
+
+allow tripwire_t tripwire_etc_t:file r_file_perms;
+allow tripwire_t tripwire_etc_t:dir r_dir_perms;
+allow tripwire_t tripwire_etc_t:lnk_file { getattr read };
+files_search_etc(tripwire_t)
+
+allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
+allow tripwire_t tripwire_tmp_t:file manage_file_perms;
+files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { file dir })
+
+# Tripwire report files
+allow tripwire_t tripwire_report_t:dir manage_dir_perms;
+allow tripwire_t tripwire_report_t:file manage_file_perms;
+allow tripwire_t tripwire_report_t:lnk_file create_lnk_perms;
+
+allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
+allow tripwire_t tripwire_tmp_t:file manage_file_perms;
+allow tripwire_t tripwire_tmp_t:lnk_file create_lnk_perms;
+allow tripwire_t tripwire_tmp_t:sock_file manage_file_perms;
+allow tripwire_t tripwire_tmp_t:fifo_file manage_file_perms;
+files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ file lnk_file sock_file fifo_file })
+
+allow tripwire_t tripwire_var_lib_t:file manage_file_perms;
+allow tripwire_t tripwire_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(tripwire_t,tripwire_var_lib_t,file)
+
+kernel_read_system_state(tripwire_t)
+kernel_read_network_state(tripwire_t)
+kernel_read_software_raid_state(tripwire_t)
+kernel_getattr_core_if(tripwire_t)
+kernel_getattr_message_if(tripwire_t)
+kernel_read_kernel_sysctls(tripwire_t)
+
+corecmd_exec_shell(tripwire_t)
+corecmd_exec_sbin(tripwire_t)
+
+domain_use_interactive_fds(tripwire_t)
+
+files_read_all_files(tripwire_t)
+files_read_all_symlinks(tripwire_t)
+files_getattr_all_pipes(tripwire_t)
+files_getattr_all_sockets(tripwire_t)
+
+libs_use_ld_so(tripwire_t)
+libs_use_shared_libs(tripwire_t)
+
+logging_send_syslog_msg(tripwire_t)
+
+optional_policy(`
+	cron_system_entry(tripwire_t,tripwire_exec_t)
+')
+
+########################################
+#
+# Twadmin local policy
+#
+
+allow twadmin_t tripwire_etc_t:dir manage_dir_perms;
+allow twadmin_t tripwire_etc_t:file manage_file_perms;
+allow twadmin_t tripwire_etc_t:lnk_file create_lnk_perms;
+
+domain_use_interactive_fds(twadmin_t)
+
+libs_use_ld_so(twadmin_t)
+libs_use_shared_libs(twadmin_t)
+
+logging_send_syslog_msg(twadmin_t)
+
+miscfiles_read_localization(twadmin_t)
+
+########################################
+#
+# Twprint local policy
+#
+
+allow twprint_t tripwire_etc_t:dir r_dir_perms;
+allow twprint_t tripwire_etc_t:file r_file_perms;
+allow twprint_t tripwire_etc_t:lnk_file { getattr read };
+
+allow twprint_t tripwire_report_t:dir r_dir_perms;
+allow twprint_t tripwire_report_t:file r_file_perms;
+allow twprint_t tripwire_report_t:lnk_file { getattr read };
+
+allow twprint_t tripwire_var_lib_t:dir r_dir_perms;
+allow twprint_t tripwire_var_lib_t:file r_file_perms;
+allow twprint_t tripwire_var_lib_t:lnk_file { getattr read };
+files_search_var_lib(twprint_t)
+
+domain_use_interactive_fds(twprint_t)
+
+libs_use_ld_so(twprint_t)
+libs_use_shared_libs(twprint_t)
+
+logging_send_syslog_msg(twprint_t)
+
+miscfiles_read_localization(twprint_t)
+
+########################################
+#
+# Siggen local policy
+#
+
+domain_use_interactive_fds(siggen_t)
+
+# Need permission to read files
+files_read_all_files(siggen_t)
+
+libs_use_ld_so(siggen_t)
+libs_use_shared_libs(siggen_t)
+
+logging_send_syslog_msg(siggen_t)
+
+miscfiles_read_localization(siggen_t)
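Review bot: The tripwire_tmp_t rules are given twice: `manage_dir_perms`/`manage_file_perms` plus `files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { file dir })` right after the etc rules, then again with lnk/sock/fifo classes and a second filetrans for `{ file lnk_file sock_file fifo_file }`. Keep one block and one transition, `files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { dir file lnk_file sock_file fifo_file })`, so the two cannot diverge again. Separately, both tripwire_t and siggen_t get `files_read_all_files`, whereas sxid.te in this commit uses `auth_read_all_files_except_shadow`; for tripwire_t reading shadow may well be intended (baseline of /etc/shadow), but siggen_t is a user-invoked hashing tool entered through the `tripwire_run_siggen` role interface, so confirm it should read shadow and record the decision in a comment either way. `twadmin_t` gets full manage over tripwire_etc_t with no capability rules, which looks fine, but a comment naming what lives there (config and, presumably, the site/local keys) would help reviewers judge that grant.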
diff --git a/policy/modules/admin/updfstab.fc b/policy/modules/admin/updfstab.fc
new file mode 100644
index 0000000..e534c88
--- /dev/null
+++ b/policy/modules/admin/updfstab.fc
@@ -0,0 +1,3 @@
+
+/usr/sbin/fstab-sync	--	gen_context(system_u:object_r:updfstab_exec_t,s0)
+/usr/sbin/updfstab	--	gen_context(system_u:object_r:updfstab_exec_t,s0)
diff --git a/policy/modules/admin/updfstab.if b/policy/modules/admin/updfstab.if
new file mode 100644
index 0000000..dad4bef
--- /dev/null
+++ b/policy/modules/admin/updfstab.if
@@ -0,0 +1,26 @@
+## <summary>Red Hat utility to change /etc/fstab.</summary>
+
+########################################
+## <summary>
+##	Execute updfstab in the updfstab domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`updfstab_domtrans',`
+	gen_require(`
+		type updfstab_t, updfstab_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,updfstab_exec_t,updfstab_t)
+
+	allow $1 updfstab_t:fd use;
+	allow updfstab_t $1:fd use;
+	allow updfstab_t $1:fifo_file rw_file_perms;
+	allow updfstab_t $1:process sigchld;
+')
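Review bot: The four `allow` lines after `domain_auto_trans($1,updfstab_exec_t,updfstab_t)` hand-roll the fd/fifo/sigchld exchange that is repeated verbatim in usbmodules_domtrans, the usermanage_domtrans_* family and vbetool_domtrans further down this series; if this tree provides a shared domain-transition pattern macro, each of those bodies should be that single call so the exchange cannot drift between modules. Separately, the `<param name="domain">` summary here is `The type of the process performing this action.` while usbmodules_domtrans documents the same parameter as `Domain allowed access.`; pick one wording for the series.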
diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te
new file mode 100644
index 0000000..9bc2278
--- /dev/null
+++ b/policy/modules/admin/updfstab.te
@@ -0,0 +1,130 @@
+
+policy_module(updfstab,1.2.1)
+
+########################################
+#
+# Declarations
+#
+
+type updfstab_t;
+type updfstab_exec_t;
+init_system_domain(updfstab_t,updfstab_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow updfstab_t self:capability dac_override;
+dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
+allow updfstab_t self:process signal_perms;
+allow updfstab_t self:fifo_file { getattr read write ioctl };
+
+kernel_use_fds(updfstab_t)
+kernel_read_kernel_sysctls(updfstab_t)
+kernel_dontaudit_write_kernel_sysctl(updfstab_t)
+# for /proc/partitions
+kernel_read_system_state(updfstab_t)
+# cjp: why is this required
+kernel_change_ring_buffer_level(updfstab_t)
+
+dev_read_sysfs(updfstab_t)
+dev_manage_generic_symlinks(updfstab_t)
+
+fs_getattr_xattr_fs(updfstab_t)
+fs_getattr_tmpfs(updfstab_t)
+fs_getattr_tmpfs_dirs(updfstab_t)
+fs_search_auto_mountpoints(updfstab_t)
+
+selinux_get_fs_mount(updfstab_t)
+selinux_validate_context(updfstab_t)
+selinux_compute_access_vector(updfstab_t)
+selinux_compute_create_context(updfstab_t)
+selinux_compute_relabel_context(updfstab_t)
+selinux_compute_user_contexts(updfstab_t)
+
+storage_raw_read_fixed_disk(updfstab_t)
+storage_raw_write_fixed_disk(updfstab_t)
+storage_raw_read_removable_device(updfstab_t)
+storage_raw_write_removable_device(updfstab_t)
+storage_read_scsi_generic(updfstab_t)
+storage_write_scsi_generic(updfstab_t)
+
+term_dontaudit_use_console(updfstab_t)
+
+corecmd_exec_bin(updfstab_t)
+corecmd_exec_sbin(updfstab_t)
+corecmd_exec_ls(updfstab_t)
+
+domain_use_interactive_fds(updfstab_t)
+
+files_manage_mnt_files(updfstab_t)
+files_manage_mnt_dirs(updfstab_t)
+files_manage_mnt_symlinks(updfstab_t)
+files_manage_etc_files(updfstab_t)
+files_dontaudit_search_home(updfstab_t)
+# for /etc/mtab
+files_read_etc_runtime_files(updfstab_t)
+
+init_use_fds(updfstab_t)
+init_use_script_ptys(updfstab_t)
+
+libs_use_ld_so(updfstab_t)
+libs_use_shared_libs(updfstab_t)
+
+logging_send_syslog_msg(updfstab_t)
+logging_search_logs(updfstab_t)
+
+miscfiles_read_localization(updfstab_t)
+
+seutil_read_config(updfstab_t)
+seutil_read_default_contexts(updfstab_t)
+seutil_read_file_contexts(updfstab_t)
+
+userdom_use_sysadm_ttys(updfstab_t)
+userdom_dontaudit_search_all_users_home_content(updfstab_t)
+userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(updfstab_t)
+	term_dontaudit_use_generic_ptys(updfstab_t)
+	files_dontaudit_read_root_files(updfstab_t)
+')
+
+optional_policy(`
+	auth_domtrans_pam_console(updfstab_t)
+')
+
+optional_policy(`
+	init_dbus_chat_script(updfstab_t)
+
+	dbus_system_bus_client_template(updfstab,updfstab_t)
+	dbus_send_system_bus(updfstab_t)
+')
+
+optional_policy(`
+	fstools_getattr_swap_files(updfstab_t)
+')
+
+optional_policy(`
+	hal_stream_connect(updfstab_t)
+	hal_dbus_chat(updfstab_t)
+')
+
+optional_policy(`
+	modutils_read_module_config(updfstab_t)
+	modutils_exec_insmod(updfstab_t)
+	modutils_read_module_deps(updfstab_t)
+')
+
+optional_policy(`
+	nscd_socket_use(updfstab_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(updfstab_t)
+')
+
+optional_policy(`
+	udev_read_db(updfstab_t)
+')
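Review bot: `kernel_change_ring_buffer_level(updfstab_t)` is merged with the open question `# cjp: why is this required` still above it, so a grant nobody can justify (presumably the syslog console log level) lands in a domain that also receives `storage_raw_write_fixed_disk`, `storage_raw_write_removable_device`, `modutils_exec_insmod` and `dac_override`. Either resolve the question before merging or turn the line into a dontaudit until the denial is reproduced, with a comment such as `# TODO: confirm updfstab changes the console log level; drop if the denial does not reproduce`. The raw block-device write and insmod grants also deserve a one-line justification each, since nothing in the hunk says why an /etc/fstab updater writes to disks.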
diff --git a/policy/modules/admin/usbmodules.fc b/policy/modules/admin/usbmodules.fc
new file mode 100644
index 0000000..a008efb
--- /dev/null
+++ b/policy/modules/admin/usbmodules.fc
@@ -0,0 +1,9 @@
+#
+# /sbin
+#
+/sbin/usbmodules		--	gen_context(system_u:object_r:usbmodules_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/usbmodules	--	gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if
new file mode 100644
index 0000000..b27fb16
--- /dev/null
+++ b/policy/modules/admin/usbmodules.if
@@ -0,0 +1,57 @@
+## <summary>List kernel modules of USB devices</summary>
+
+########################################
+## <summary>
+##	Execute usbmodules in the usbmodules domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usbmodules_domtrans',`
+	gen_require(`
+		type usbmodules_t, usbmodules_exec_t;
+	')
+
+	domain_auto_trans($1, usbmodules_exec_t, usbmodules_t)
+
+	allow $1 usbmodules_t:fd use;
+	allow usbmodules_t $1:fd use;
+	allow usbmodules_t $1:fifo_file rw_file_perms;
+	allow usbmodules_t $1:process sigchld;
+
+')
+
+########################################
+## <summary>
+##	Execute usbmodules in the usbmodules domain, and
+##	allow the specified role the usbmodules domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the usbmodules domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the usbmodules domain to use.
+##	</summary>
+## </param>
+#
+interface(`usbmodules_run',`
+	gen_require(`
+		type usbmodules_t;
+	')
+
+	usbmodules_domtrans($1)
+	role $2 types usbmodules_t;
+	allow usbmodules_t $3:chr_file rw_term_perms;
+')
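Review bot: `usbmodules_domtrans` omits the `files_search_usr($1)` / `corecmd_search_sbin($1)` calls that updfstab_domtrans and the usermanage_domtrans_* interfaces make before `domain_auto_trans`, yet usbmodules.fc labels the binary under /sbin and /usr/sbin, so a caller that cannot already search those directories is denied before the transition fires. Add `corecmd_search_sbin($1)` and `files_search_usr($1)` ahead of `domain_auto_trans($1, usbmodules_exec_t, usbmodules_t)`. The blank line before the closing `')` of usbmodules_domtrans is also out of step with the rest of the series.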
diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te
new file mode 100644
index 0000000..76d5c5b
--- /dev/null
+++ b/policy/modules/admin/usbmodules.te
@@ -0,0 +1,48 @@
+
+policy_module(usbmodules,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmodules_t;
+type usbmodules_exec_t;
+init_system_domain(usbmodules_t,usbmodules_exec_t)
+role system_r types usbmodules_t;
+
+########################################
+#
+# Local policy
+#
+
+
+kernel_list_proc(usbmodules_t)
+
+files_list_kernel_modules(usbmodules_t)
+
+dev_list_usbfs(usbmodules_t)
+# allow usb device access
+dev_rw_usbfs(usbmodules_t)
+
+files_list_etc(usbmodules_t)
+# needs etc_t read access for the hotplug config, maybe should have a new type
+files_read_etc_files(usbmodules_t)
+
+term_read_console(usbmodules_t)
+term_write_console(usbmodules_t)
+
+init_use_fds(usbmodules_t)
+
+libs_use_ld_so(usbmodules_t)
+libs_use_shared_libs(usbmodules_t)
+
+modutils_read_module_deps(usbmodules_t)
+
+optional_policy(`
+	hotplug_read_config(usbmodules_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(usbmodules_t)
+')
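Review bot: `modutils_read_module_deps(usbmodules_t)` is called unconditionally while updfstab.te wraps the same modutils interfaces in `optional_policy`, so this module hard-depends on modutils being loaded; conversely `logging_send_syslog_msg(usbmodules_t)` is the only call in the file placed inside an `optional_policy` block, although every other module in this series that logs calls it directly. Presumably the two were swapped: move the modutils call into the optional block and take the logging call out. The double blank line under the Local policy banner is a nit.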
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
new file mode 100644
index 0000000..c467144
--- /dev/null
+++ b/policy/modules/admin/usermanage.fc
@@ -0,0 +1,33 @@
+ifdef(`distro_gentoo',`
+/bin/passwd		--	gen_context(system_u:object_r:passwd_exec_t,s0)
+')
+
+/usr/bin/chage		--	gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/chfn		--	gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chsh		--	gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/gpasswd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/bin/passwd		--	gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/vigr		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/bin/vipw		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+
+/usr/lib(64)?/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
+
+/usr/sbin/crack_[a-z]*	--	gen_context(system_u:object_r:crack_exec_t,s0)
+/usr/sbin/cracklib-[a-z]* --	gen_context(system_u:object_r:crack_exec_t,s0)
+/usr/sbin/gpasswd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/groupadd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/groupdel	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/groupmod	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/grpconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/grpunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/pwconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/pwunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/useradd	--	gen_context(system_u:object_r:useradd_exec_t,s0)
+/usr/sbin/userdel	--	gen_context(system_u:object_r:useradd_exec_t,s0)
+/usr/sbin/usermod	--	gen_context(system_u:object_r:useradd_exec_t,s0)
+/usr/sbin/vigr		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/vipw		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+
+/usr/share/cracklib(/.*)?	gen_context(system_u:object_r:crack_db_t,s0)
+
+/var/cache/cracklib(/.*)?	gen_context(system_u:object_r:crack_db_t,s0)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
new file mode 100644
index 0000000..9a1c41e
--- /dev/null
+++ b/policy/modules/admin/usermanage.if
@@ -0,0 +1,301 @@
+## <summary>Policy for managing user accounts.</summary>
+
+########################################
+## <summary>
+##	Execute chfn in the chfn domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`usermanage_domtrans_chfn',`
+	gen_require(`
+		type chfn_t, chfn_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,chfn_exec_t,chfn_t)
+
+	allow $1 chfn_t:fd use;
+	allow chfn_t $1:fd use;
+	allow chfn_t $1:fifo_file rw_file_perms;
+	allow chfn_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute chfn in the chfn domain, and
+##	allow the specified role the chfn domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the chfn domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the chfn domain to use.
+##	</summary>
+## </param>
+#
+interface(`usermanage_run_chfn',`
+	gen_require(`
+		type chfn_t;
+	')
+
+	usermanage_domtrans_chfn($1)
+	role $2 types chfn_t;
+	allow chfn_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute groupadd in the groupadd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`usermanage_domtrans_groupadd',`
+	gen_require(`
+		type groupadd_t, groupadd_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,groupadd_exec_t,groupadd_t)
+
+	allow $1 groupadd_t:fd use;
+	allow groupadd_t $1:fd use;
+	allow groupadd_t $1:fifo_file rw_file_perms;
+	allow groupadd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute groupadd in the groupadd domain, and
+##	allow the specified role the groupadd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the groupadd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the groupadd domain to use.
+##	</summary>
+## </param>
+#
+interface(`usermanage_run_groupadd',`
+	gen_require(`
+		type groupadd_t;
+	')
+
+	usermanage_domtrans_groupadd($1)
+	role $2 types groupadd_t;
+	allow groupadd_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute passwd in the passwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`usermanage_domtrans_passwd',`
+	gen_require(`
+		type passwd_t, passwd_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,passwd_exec_t,passwd_t)
+
+	allow $1 passwd_t:fd use;
+	allow passwd_t $1:fd use;
+	allow passwd_t $1:fifo_file rw_file_perms;
+	allow passwd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute passwd in the passwd domain, and
+##	allow the specified role the passwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the passwd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the passwd domain to use.
+##	</summary>
+## </param>
+#
+interface(`usermanage_run_passwd',`
+	gen_require(`
+		type passwd_t;
+	')
+
+	usermanage_domtrans_passwd($1)
+	role $2 types passwd_t;
+	allow passwd_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute password admin functions in
+##	the admin passwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_domtrans_admin_passwd',`
+	gen_require(`
+		type sysadm_passwd_t, admin_passwd_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,admin_passwd_exec_t,sysadm_passwd_t)
+
+	allow $1 sysadm_passwd_t:fd use;
+	allow sysadm_passwd_t $1:fd use;
+	allow sysadm_passwd_t $1:fifo_file rw_file_perms;
+	allow sysadm_passwd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute passwd admin functions in the admin
+##	passwd domain, and allow the specified role
+##	the admin passwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the admin passwd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the admin passwd domain to use.
+##	</summary>
+## </param>
+#
+interface(`usermanage_run_admin_passwd',`
+	gen_require(`
+		type sysadm_passwd_t;
+	')
+
+	usermanage_domtrans_admin_passwd($1)
+	role $2 types sysadm_passwd_t;
+	allow sysadm_passwd_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute useradd in the useradd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`usermanage_domtrans_useradd',`
+	gen_require(`
+		type useradd_t, useradd_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,useradd_exec_t,useradd_t)
+
+	allow $1 useradd_t:fd use;
+	allow useradd_t $1:fd use;
+	allow useradd_t $1:fifo_file rw_file_perms;
+	allow useradd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute useradd in the useradd domain, and
+##	allow the specified role the useradd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the useradd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the useradd domain to use.
+##	</summary>
+## </param>
+#
+interface(`usermanage_run_useradd',`
+	gen_require(`
+		type useradd_t;
+	')
+
+	usermanage_domtrans_useradd($1)
+	role $2 types useradd_t;
+	allow useradd_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Read the crack database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`usermanage_read_crack_db',`
+	gen_require(`
+		type crack_db_t;
+	')
+
+	allow $1 crack_db_t:file r_file_perms;
+')
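Review bot: `usermanage_read_crack_db` grants only `allow $1 crack_db_t:file r_file_perms;`, but usermanage.fc labels whole directories (`/usr/share/cracklib(/.*)?`, `/var/cache/cracklib(/.*)?`) as crack_db_t, so a caller still cannot traverse into them to open the dictionary files; usermanage.te gives passwd_t both `crack_db_t:dir r_dir_perms` and the file rule for exactly this reason. Add `allow $1 crack_db_t:dir r_dir_perms;` alongside the file rule. The `<param name="domain">` summary in usermanage_domtrans_admin_passwd reads `Domain allowed access.` while its siblings use `The type of the process performing this action.`; align the wording.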
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
new file mode 100644
index 0000000..446197e
--- /dev/null
+++ b/policy/modules/admin/usermanage.te
@@ -0,0 +1,543 @@
+
+policy_module(usermanage,1.3.6)
+
+########################################
+#
+# Declarations
+#
+
+type admin_passwd_exec_t;
+files_type(admin_passwd_exec_t)
+
+type chfn_t;
+domain_obj_id_change_exemption(chfn_t)
+domain_type(chfn_t)
+role system_r types chfn_t;
+
+type chfn_exec_t;
+domain_entry_file(chfn_t,chfn_exec_t)
+
+type crack_t;
+domain_type(crack_t)
+role system_r types crack_t;
+
+type crack_exec_t;
+domain_entry_file(crack_t,crack_exec_t)
+
+type crack_db_t;
+files_type(crack_db_t)
+
+type crack_tmp_t;
+files_tmp_file(crack_tmp_t)
+
+type groupadd_t;
+type groupadd_exec_t;
+domain_obj_id_change_exemption(groupadd_t)
+init_system_domain(groupadd_t,groupadd_exec_t)
+role system_r types groupadd_t;
+
+type passwd_t;
+domain_obj_id_change_exemption(passwd_t)
+domain_type(passwd_t)
+role system_r types passwd_t;
+
+type passwd_exec_t;
+domain_entry_file(passwd_t,passwd_exec_t)
+
+type sysadm_passwd_t;
+domain_obj_id_change_exemption(sysadm_passwd_t)
+domain_type(sysadm_passwd_t)
+domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
+role system_r types sysadm_passwd_t;
+
+type sysadm_passwd_tmp_t;
+files_tmp_file(sysadm_passwd_tmp_t)
+
+type useradd_t;
+type useradd_exec_t;
+domain_obj_id_change_exemption(useradd_t)
+init_system_domain(useradd_t,useradd_exec_t)
+role system_r types useradd_t;
+
+########################################
+#
+# Chfn local policy
+#
+
+allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+allow chfn_t self:process { setrlimit setfscreate };
+allow chfn_t self:fd use;
+allow chfn_t self:fifo_file rw_file_perms;
+allow chfn_t self:sock_file r_file_perms;
+allow chfn_t self:shm create_shm_perms;
+allow chfn_t self:sem create_sem_perms;
+allow chfn_t self:msgq create_msgq_perms;
+allow chfn_t self:msg { send receive };
+allow chfn_t self:unix_dgram_socket create_socket_perms;
+allow chfn_t self:unix_stream_socket create_stream_socket_perms;
+allow chfn_t self:unix_dgram_socket sendto;
+allow chfn_t self:unix_stream_socket connectto;
+
+kernel_read_system_state(chfn_t)
+kernel_read_kernel_sysctls(chfn_t)
+
+selinux_get_fs_mount(chfn_t)
+selinux_validate_context(chfn_t)
+selinux_compute_access_vector(chfn_t)
+selinux_compute_create_context(chfn_t)
+selinux_compute_relabel_context(chfn_t)
+selinux_compute_user_contexts(chfn_t)
+
+term_use_all_user_ttys(chfn_t)
+term_use_all_user_ptys(chfn_t)
+
+fs_getattr_xattr_fs(chfn_t)
+fs_search_auto_mountpoints(chfn_t)
+
+# for SSP
+dev_read_urand(chfn_t)
+
+auth_domtrans_chk_passwd(chfn_t)
+auth_dontaudit_read_shadow(chfn_t)
+
+# can exec /sbin/unix_chkpwd
+corecmd_search_bin(chfn_t)
+corecmd_search_sbin(chfn_t)
+# allow checking if a shell is executable
+corecmd_check_exec_shell(chfn_t)
+
+domain_use_interactive_fds(chfn_t)
+
+files_manage_etc_files(chfn_t)
+files_read_etc_runtime_files(chfn_t)
+files_dontaudit_search_var(chfn_t)
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it.  Do not audit write denials to utmp.
+init_dontaudit_rw_utmp(chfn_t)
+
+libs_use_ld_so(chfn_t)
+libs_use_shared_libs(chfn_t)
+
+miscfiles_read_localization(chfn_t)
+
+logging_send_syslog_msg(chfn_t)
+
+# uses unix_chkpwd for checking passwords
+seutil_dontaudit_search_config(chfn_t)
+
+userdom_use_unpriv_users_fds(chfn_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_all_users_home_content(chfn_t)
+
+optional_policy(`
+	nis_use_ypbind(chfn_t)
+')
+
+optional_policy(`
+	nscd_socket_use(chfn_t)
+')
+
+########################################
+#
+# Crack local policy
+#
+
+allow crack_t self:process { sigkill sigstop signull signal };
+allow crack_t self:fifo_file rw_file_perms;
+
+allow crack_t crack_db_t:dir rw_dir_perms;
+allow crack_t crack_db_t:file create_file_perms;
+allow crack_t crack_db_t:lnk_file create_file_perms;
+files_search_var(crack_t)
+
+allow crack_t crack_tmp_t:dir create_dir_perms;
+allow crack_t crack_tmp_t:file create_file_perms;
+files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
+
+kernel_read_system_state(crack_t)
+
+# for SSP
+dev_read_urand(crack_t)
+
+fs_getattr_xattr_fs(crack_t)
+
+files_read_etc_files(crack_t)
+files_read_etc_runtime_files(crack_t)
+# for dictionaries
+files_read_usr_files(crack_t)
+
+corecmd_exec_bin(crack_t)
+
+libs_use_ld_so(crack_t)
+libs_use_shared_libs(crack_t)
+
+logging_send_syslog_msg(crack_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(crack_t)
+
+optional_policy(`
+	cron_system_entry(crack_t,crack_exec_t)
+')
+
+########################################
+#
+# Groupadd local policy
+#
+
+allow groupadd_t self:capability { dac_override chown kill setuid sys_resource };
+dontaudit groupadd_t self:capability fsetid;
+allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+allow groupadd_t self:process { setrlimit setfscreate };
+allow groupadd_t self:fd use;
+allow groupadd_t self:fifo_file rw_file_perms;
+allow groupadd_t self:shm create_shm_perms;
+allow groupadd_t self:sem create_sem_perms;
+allow groupadd_t self:msgq create_msgq_perms;
+allow groupadd_t self:msg { send receive };
+allow groupadd_t self:unix_dgram_socket create_socket_perms;
+allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
+allow groupadd_t self:unix_dgram_socket sendto;
+allow groupadd_t self:unix_stream_socket connectto;
+allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+fs_getattr_xattr_fs(groupadd_t)
+fs_search_auto_mountpoints(groupadd_t)
+
+# Allow access to context for shadow file
+selinux_get_fs_mount(groupadd_t)
+selinux_validate_context(groupadd_t)
+selinux_compute_access_vector(groupadd_t)
+selinux_compute_create_context(groupadd_t)
+selinux_compute_relabel_context(groupadd_t)
+selinux_compute_user_contexts(groupadd_t)
+
+term_use_all_user_ttys(groupadd_t)
+term_use_all_user_ptys(groupadd_t)
+
+init_use_fds(groupadd_t)
+init_read_utmp(groupadd_t)
+init_dontaudit_write_utmp(groupadd_t)
+
+domain_use_interactive_fds(groupadd_t)
+
+files_manage_etc_files(groupadd_t)
+files_relabel_etc_files(groupadd_t)
+files_read_etc_runtime_files(groupadd_t)
+
+libs_use_ld_so(groupadd_t)
+libs_use_shared_libs(groupadd_t)
+
+# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
+corecmd_exec_bin(groupadd_t)
+corecmd_exec_sbin(groupadd_t)
+
+logging_send_syslog_msg(groupadd_t)
+
+miscfiles_read_localization(groupadd_t)
+
+auth_manage_shadow(groupadd_t)
+auth_relabel_shadow(groupadd_t)
+auth_etc_filetrans_shadow(groupadd_t)
+auth_rw_lastlog(groupadd_t)
+auth_use_nsswitch(groupadd_t)
+
+seutil_read_config(groupadd_t)
+
+userdom_use_unpriv_users_fds(groupadd_t)
+# for when /root is the cwd
+userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
+
+optional_policy(`
+	dpkg_use_fds(groupadd_t)
+	dpkg_rw_pipes(groupadd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(groupadd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(groupadd_t)
+')
+
+optional_policy(`
+	rpm_use_fds(groupadd_t)
+	rpm_rw_pipes(groupadd_t)
+')
+
+########################################
+#
+# Passwd local policy
+#
+
+allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
+allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow passwd_t self:process { setrlimit setfscreate };
+allow passwd_t self:fd use;
+allow passwd_t self:fifo_file rw_file_perms;
+allow passwd_t self:sock_file r_file_perms;
+allow passwd_t self:unix_dgram_socket create_socket_perms;
+allow passwd_t self:unix_stream_socket create_stream_socket_perms;
+allow passwd_t self:unix_dgram_socket sendto;
+allow passwd_t self:unix_stream_socket connectto;
+allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow passwd_t self:shm create_shm_perms;
+allow passwd_t self:sem create_sem_perms;
+allow passwd_t self:msgq create_msgq_perms;
+allow passwd_t self:msg { send receive };
+
+allow passwd_t crack_db_t:dir r_dir_perms;
+allow passwd_t crack_db_t:file r_file_perms;
+
+kernel_read_kernel_sysctls(passwd_t)
+
+# for SSP
+dev_read_urand(passwd_t)
+
+fs_getattr_xattr_fs(passwd_t)
+fs_search_auto_mountpoints(passwd_t)
+
+mls_file_write_down(passwd_t)
+mls_file_downgrade(passwd_t)
+
+selinux_get_fs_mount(passwd_t)
+selinux_validate_context(passwd_t)
+selinux_compute_access_vector(passwd_t)
+selinux_compute_create_context(passwd_t)
+selinux_compute_relabel_context(passwd_t)
+selinux_compute_user_contexts(passwd_t)
+
+term_use_all_user_ttys(passwd_t)
+term_use_all_user_ptys(passwd_t)
+
+auth_manage_shadow(passwd_t)
+auth_relabel_shadow(passwd_t)
+auth_etc_filetrans_shadow(passwd_t)
+
+# allow checking if a shell is executable
+corecmd_check_exec_shell(passwd_t)
+
+domain_use_interactive_fds(passwd_t)
+
+files_read_etc_runtime_files(passwd_t)
+files_manage_etc_files(passwd_t)
+files_search_var(passwd_t)
+files_dontaudit_search_pids(passwd_t)
+files_relabel_etc_files(passwd_t)
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it.  Do not audit write denials to utmp.
+init_dontaudit_rw_utmp(passwd_t)
+
+libs_use_ld_so(passwd_t)
+libs_use_shared_libs(passwd_t)
+
+logging_send_syslog_msg(passwd_t)
+
+miscfiles_read_localization(passwd_t)
+
+seutil_dontaudit_search_config(passwd_t)
+
+userdom_use_unpriv_users_fds(passwd_t)
+# make sure that getcon succeeds
+userdom_getattr_all_users(passwd_t)
+userdom_read_all_users_state(passwd_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_all_users_home_content(passwd_t)
+
+optional_policy(`
+	nis_use_ypbind(passwd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(passwd_t)
+')
+
+########################################
+#
+# Password admin local policy
+#
+
+allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow sysadm_passwd_t self:process { setrlimit setfscreate };
+allow sysadm_passwd_t self:fd use;
+allow sysadm_passwd_t self:fifo_file rw_file_perms;
+allow sysadm_passwd_t self:sock_file r_file_perms;
+allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
+allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
+allow sysadm_passwd_t self:unix_dgram_socket sendto;
+allow sysadm_passwd_t self:unix_stream_socket connectto;
+allow sysadm_passwd_t self:shm create_shm_perms;
+allow sysadm_passwd_t self:sem create_sem_perms;
+allow sysadm_passwd_t self:msgq create_msgq_perms;
+allow sysadm_passwd_t self:msg { send receive };
+
+# allow vipw to create temporary files under /var/tmp/vi.recover
+allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
+allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
+files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
+files_search_var(sysadm_passwd_t)
+
+kernel_read_kernel_sysctls(sysadm_passwd_t)
+# for /proc/meminfo
+kernel_read_system_state(sysadm_passwd_t)
+
+selinux_get_fs_mount(sysadm_passwd_t)
+selinux_validate_context(sysadm_passwd_t)
+selinux_compute_access_vector(sysadm_passwd_t)
+selinux_compute_create_context(sysadm_passwd_t)
+selinux_compute_relabel_context(sysadm_passwd_t)
+selinux_compute_user_contexts(sysadm_passwd_t)
+
+# for SSP
+dev_read_urand(sysadm_passwd_t)
+
+fs_getattr_xattr_fs(sysadm_passwd_t)
+fs_search_auto_mountpoints(sysadm_passwd_t)
+
+term_use_all_user_ttys(sysadm_passwd_t)
+term_use_all_user_ptys(sysadm_passwd_t)
+
+auth_manage_shadow(sysadm_passwd_t)
+auth_relabel_shadow(sysadm_passwd_t)
+auth_etc_filetrans_shadow(sysadm_passwd_t)
+
+# allow checking if a shell is executable
+corecmd_check_exec_shell(sysadm_passwd_t)
+# allow vipw to exec the editor
+corecmd_search_sbin(sysadm_passwd_t)
+corecmd_exec_bin(sysadm_passwd_t)
+corecmd_exec_shell(sysadm_passwd_t)
+files_read_usr_files(sysadm_passwd_t)
+
+domain_use_interactive_fds(sysadm_passwd_t)
+
+files_manage_etc_files(sysadm_passwd_t)
+files_relabel_etc_files(sysadm_passwd_t)
+files_read_etc_runtime_files(sysadm_passwd_t)
+# for nscd lookups
+files_dontaudit_search_pids(sysadm_passwd_t)
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it.  Do not audit write denials to utmp.
+init_dontaudit_rw_utmp(sysadm_passwd_t)
+
+libs_use_ld_so(sysadm_passwd_t)
+libs_use_shared_libs(sysadm_passwd_t)
+
+miscfiles_read_localization(sysadm_passwd_t)
+
+logging_send_syslog_msg(sysadm_passwd_t)
+
+seutil_dontaudit_search_config(sysadm_passwd_t)
+
+userdom_use_unpriv_users_fds(sysadm_passwd_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
+
+optional_policy(`
+	nis_use_ypbind(sysadm_passwd_t)
+')
+
+########################################
+#
+# Useradd local policy
+#
+
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow useradd_t self:process setfscreate;
+allow useradd_t self:fd use;
+allow useradd_t self:fifo_file rw_file_perms;
+allow useradd_t self:shm create_shm_perms;
+allow useradd_t self:sem create_sem_perms;
+allow useradd_t self:msgq create_msgq_perms;
+allow useradd_t self:msg { send receive };
+allow useradd_t self:unix_dgram_socket create_socket_perms;
+allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+allow useradd_t self:unix_dgram_socket sendto;
+allow useradd_t self:unix_stream_socket connectto;
+allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+# Allow access to context for shadow file
+selinux_get_fs_mount(useradd_t)
+selinux_validate_context(useradd_t)
+selinux_compute_access_vector(useradd_t)
+selinux_compute_create_context(useradd_t)
+selinux_compute_relabel_context(useradd_t)
+selinux_compute_user_contexts(useradd_t)
+# for getting the number of groups
+kernel_read_kernel_sysctls(useradd_t)
+
+fs_search_auto_mountpoints(useradd_t)
+fs_getattr_xattr_fs(useradd_t)
+
+term_use_all_user_ttys(useradd_t)
+term_use_all_user_ptys(useradd_t)
+
+auth_manage_shadow(useradd_t)
+auth_relabel_shadow(useradd_t)
+auth_etc_filetrans_shadow(useradd_t)
+auth_rw_lastlog(useradd_t)
+auth_use_nsswitch(useradd_t)
+
+corecmd_exec_shell(useradd_t)
+# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
+corecmd_exec_bin(useradd_t)
+corecmd_exec_sbin(useradd_t)
+
+domain_use_interactive_fds(useradd_t)
+
+files_manage_etc_files(useradd_t)
+files_search_var_lib(useradd_t)
+files_relabel_etc_files(useradd_t)
+files_read_etc_runtime_files(useradd_t)
+
+init_use_fds(useradd_t)
+init_rw_utmp(useradd_t)
+
+libs_use_ld_so(useradd_t)
+libs_use_shared_libs(useradd_t)
+
+logging_send_syslog_msg(useradd_t)
+
+miscfiles_read_localization(useradd_t)
+
+seutil_read_config(useradd_t)
+seutil_read_file_contexts(useradd_t)
+
+userdom_use_unpriv_users_fds(useradd_t)
+# for when /root is the cwd
+userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
+# Add/remove user home directories
+userdom_home_filetrans_generic_user_home_dir(useradd_t)
+userdom_manage_generic_user_home_content_dirs(useradd_t)
+userdom_manage_generic_user_home_content_files(useradd_t)
+userdom_manage_staff_home_dirs(useradd_t)
+userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
+
+mta_manage_spool(useradd_t)
+
+optional_policy(`
+	dpkg_use_fds(useradd_t)
+	dpkg_rw_pipes(useradd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(useradd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(useradd_t)
+')
+
+optional_policy(`
+	rpm_use_fds(useradd_t)
+	rpm_rw_pipes(useradd_t)
+')
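Review bot: groupadd_t and useradd_t are granted `self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` but their `self:capability` sets lack `audit_write`, which the kernel requires before accepting user audit records on that socket, so the audit messages these tools emit will presumably be refused on the capability check rather than the socket. passwd_t, by contrast, gets both `audit_write` and `audit_control`; the latter permits changing audit configuration, which a password tool should not need, so confirm it is not just a leftover. `mta_manage_spool(useradd_t)` is the only cross-module call in this file not wrapped in `optional_policy`, unlike the dpkg/nis/nscd/rpm blocks directly below it, making usermanage hard-depend on mta. Finally, each domain's `allow ... self:process ~{ ... setfscreate setrlimit ... }` is immediately followed by `allow ... self:process { setrlimit setfscreate };`, so the exclusion is undone on the next line; an explicit allowlist would be clearer and would not silently pick up process permissions added in later policy versions.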
diff --git a/policy/modules/admin/vbetool.fc b/policy/modules/admin/vbetool.fc
new file mode 100644
index 0000000..d00970f
--- /dev/null
+++ b/policy/modules/admin/vbetool.fc
@@ -0,0 +1 @@
+/usr/sbin/vbetool	--	gen_context(system_u:object_r:vbetool_exec_t,s0)
diff --git a/policy/modules/admin/vbetool.if b/policy/modules/admin/vbetool.if
new file mode 100644
index 0000000..729e9a0
--- /dev/null
+++ b/policy/modules/admin/vbetool.if
@@ -0,0 +1,26 @@
+## <summary>run real-mode video BIOS code to alter hardware state</summary>
+
+########################################
+## <summary>
+##	Execute vbetool application in the vbetool domain.
+## </summary>
+## <param name="domain" optional="true">
+##	<summary>
+##	N/A
+##	</summary>
+## </param>
+#
+interface(`vbetool_domtrans',`
+	gen_require(`
+		type vbetool_t, vbetool_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,vbetool_exec_t,vbetool_t)
+
+	allow $1 vbetool_t:fd use;
+	allow vbetool_t $1:fd use;
+	allow vbetool_t $1:fifo_file rw_file_perms;
+	allow vbetool_t $1:process sigchld;
+
+')
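Review bot: The `domain` parameter is documented as optional with the summary `N/A` at the top of the hunk, yet the interface body uses `$1` unconditionally in every rule, so a caller that omitted it would produce rules with an empty source. Drop `optional="true"` and use `Domain allowed access.` as the summary, matching the other domtrans interfaces added in this commit (vpn_domtrans, ada_domtrans, authbind_domtrans). The blank line before the closing `')` is also inconsistent with those interfaces.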
diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
new file mode 100644
index 0000000..bdeef88
--- /dev/null
+++ b/policy/modules/admin/vbetool.te
@@ -0,0 +1,35 @@
+
+policy_module(vbetool,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type vbetool_t;
+type vbetool_exec_t;
+init_system_domain(vbetool_t,vbetool_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vbetool_t self:capability { sys_tty_config sys_admin };
+allow vbetool_t self:process execmem;
+
+dev_wx_raw_memory(vbetool_t)
+dev_read_raw_memory(vbetool_t)
+dev_rwx_zero(vbetool_t)
+dev_read_sysfs(vbetool_t)
+
+term_use_unallocated_ttys(vbetool_t)
+
+libs_use_ld_so(vbetool_t)
+libs_use_shared_libs(vbetool_t)
+
+miscfiles_read_localization(vbetool_t)
+
+optional_policy(`
+	hal_rw_pid_files(vbetool_t)
+')
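Review bot: The rules from `allow vbetool_t self:capability { sys_tty_config sys_admin };` through `dev_rwx_zero(vbetool_t)` grant sys_admin, anonymous executable memory and write access to raw memory with no comment saying why, and that is the most privileged combination in this commit. A one-line justification makes later policy audits far cheaper; suggest `# vbetool loads the video BIOS image from raw memory and runs its real-mode code in-process, hence sys_admin, execmem and raw memory write` above the capability line. I am inferring the reason from the module summary in vbetool.if, so confirm it against the tool's actual access pattern before committing the wording.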
diff --git a/policy/modules/admin/vpn.fc b/policy/modules/admin/vpn.fc
new file mode 100644
index 0000000..e323978
--- /dev/null
+++ b/policy/modules/admin/vpn.fc
@@ -0,0 +1,9 @@
+#
+# /usr
+#
+/usr/sbin/vpnc		--	gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+#
+# sbin
+#
+/sbin/vpnc		--	gen_context(system_u:object_r:vpnc_exec_t,s0)
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
new file mode 100644
index 0000000..eb9b4eb
--- /dev/null
+++ b/policy/modules/admin/vpn.if
@@ -0,0 +1,73 @@
+## <summary>Virtual Private Networking client</summary>
+
+########################################
+## <summary>
+##	Execute VPN clients in the vpnc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vpn_domtrans',`
+	gen_require(`
+		type vpnc_t, vpnc_exec_t;
+	')
+
+	domain_auto_trans($1,vpnc_exec_t,vpnc_t)
+
+	allow $1 vpnc_t:fd use;
+	allow vpnc_t $1:fd use;
+	allow vpnc_t $1:fifo_file rw_file_perms;
+	allow vpnc_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute VPN clients in the vpnc domain, and
+##	allow the specified role the vpnc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the vpnc domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the vpnc domain to use.
+##	</summary>
+## </param>
+#
+interface(`vpn_run',`
+	gen_require(`
+		type vpnc_t;
+	')
+
+	vpn_domtrans($1)
+	role $2 types vpnc_t;
+	allow vpnc_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Send generic signals to VPN clients.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vpn_signal',`
+	gen_require(`
+		type vpnc_t;
+	')
+
+	allow $1 vpnc_t:process signal;
+')
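Review bot: `vpn_domtrans` calls `domain_auto_trans($1,vpnc_exec_t,vpnc_t)` without first granting the caller search access to the directory holding the executable, whereas `vbetool_domtrans` and `ada_domtrans` in this same commit call `corecmd_search_sbin`/`corecmd_search_bin` before their transition. vpn.fc labels both /usr/sbin/vpnc and /sbin/vpnc, so a caller that does not already hold sbin search rights from elsewhere would be denied before the transition is evaluated; adding `corecmd_search_sbin($1)` before the `domain_auto_trans` line keeps the interface self-contained. Whether any current caller actually hits this depends on policy outside the diff.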
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
new file mode 100644
index 0000000..0c6b877
--- /dev/null
+++ b/policy/modules/admin/vpn.te
@@ -0,0 +1,121 @@
+
+policy_module(vpn,1.2.3)
+
+########################################
+#
+# Declarations
+#
+
+type vpnc_t;
+domain_type(vpnc_t)
+
+type vpnc_exec_t;
+domain_entry_file(vpnc_t,vpnc_exec_t)
+role system_r types vpnc_t;
+
+type vpnc_tmp_t;
+files_tmp_file(vpnc_tmp_t)
+
+type vpnc_var_run_t;
+files_pid_file(vpnc_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vpnc_t self:capability { net_admin ipc_lock net_raw };
+allow vpnc_t self:process getsched;
+allow vpnc_t self:fifo_file { getattr ioctl read write };
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow vpnc_t self:tcp_socket create_stream_socket_perms;
+allow vpnc_t self:udp_socket create_socket_perms;
+allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
+# cjp: this needs to be fixed
+allow vpnc_t self:socket create_socket_perms;
+
+allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
+allow vpnc_t vpnc_tmp_t:file create_file_perms;
+files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
+
+allow vpnc_t vpnc_var_run_t:file create_file_perms;
+allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
+
+kernel_read_system_state(vpnc_t)
+kernel_read_network_state(vpnc_t)
+kernel_read_kernel_sysctls(vpnc_t)
+kernel_rw_net_sysctls(vpnc_t)
+
+corenet_non_ipsec_sendrecv(vpnc_t)
+corenet_tcp_sendrecv_all_if(vpnc_t)
+corenet_udp_sendrecv_all_if(vpnc_t)
+corenet_raw_sendrecv_all_if(vpnc_t)
+corenet_tcp_sendrecv_all_nodes(vpnc_t)
+corenet_udp_sendrecv_all_nodes(vpnc_t)
+corenet_raw_sendrecv_all_nodes(vpnc_t)
+corenet_tcp_sendrecv_all_ports(vpnc_t)
+corenet_udp_sendrecv_all_ports(vpnc_t)
+corenet_udp_bind_all_nodes(vpnc_t)
+corenet_udp_bind_generic_port(vpnc_t)
+corenet_udp_bind_isakmp_port(vpnc_t)
+corenet_tcp_connect_all_ports(vpnc_t)
+corenet_sendrecv_all_client_packets(vpnc_t)
+corenet_sendrecv_isakmp_server_packets(vpnc_t)
+corenet_sendrecv_generic_server_packets(vpnc_t)
+corenet_rw_tun_tap_dev(vpnc_t)
+
+dev_read_rand(vpnc_t)
+dev_read_urand(vpnc_t)
+dev_read_sysfs(vpnc_t)
+
+fs_getattr_xattr_fs(vpnc_t)
+fs_getattr_tmpfs(vpnc_t)
+
+term_use_all_user_ptys(vpnc_t)
+term_use_all_user_ttys(vpnc_t)
+
+corecmd_exec_all_executables(vpnc_t)
+
+files_exec_etc_files(vpnc_t)
+files_read_etc_runtime_files(vpnc_t)
+files_read_etc_files(vpnc_t)
+files_dontaudit_search_home(vpnc_t)
+
+libs_exec_ld_so(vpnc_t)
+libs_exec_lib_files(vpnc_t)
+libs_use_ld_so(vpnc_t)
+libs_use_shared_libs(vpnc_t)
+
+locallogin_use_fds(vpnc_t)
+
+logging_send_syslog_msg(vpnc_t)
+
+miscfiles_read_localization(vpnc_t)
+
+seutil_dontaudit_search_config(vpnc_t)
+
+sysnet_exec_ifconfig(vpnc_t)
+sysnet_etc_filetrans_config(vpnc_t)
+sysnet_manage_config(vpnc_t)
+
+userdom_use_all_users_fds(vpnc_t)
+userdom_dontaudit_search_all_users_home_content(vpnc_t)
+
+optional_policy(`
+	dbus_system_bus_client_template(vpnc,vpnc_t)
+	dbus_send_system_bus(vpnc_t)
+	optional_policy(`
+		networkmanager_dbus_chat(vpnc_t)
+	')
+')
+
+optional_policy(`
+        nis_use_ypbind(vpnc_t)
+')
+
+optional_policy(`
+	nscd_socket_use(vpnc_t)
+')
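Review bot: The rule `allow vpnc_t self:socket create_socket_perms;` is annotated only with `# cjp: this needs to be fixed`, which tells a future reader neither which socket family produced the denial nor what the intended narrower class is, so the TODO cannot be closed without re-deriving it. Replace the comment with one that records the observation, e.g. `# TODO: generic socket class; replace with the specific class from the AVC denial (<class to confirm>)`. Separately, the `nis_use_ypbind(vpnc_t)` line in the second-to-last optional_policy block is indented with spaces while every other block in this file uses a tab.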
diff --git a/policy/modules/apps/ada.fc b/policy/modules/apps/ada.fc
new file mode 100644
index 0000000..01a8572
--- /dev/null
+++ b/policy/modules/apps/ada.fc
@@ -0,0 +1,9 @@
+#
+# /usr
+#
+ifdef(`targeted_policy',`
+/usr/bin/gnatbind	--	gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatls		--	gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatmake	--	gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
+')
diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if
new file mode 100644
index 0000000..6d8950f
--- /dev/null
+++ b/policy/modules/apps/ada.if
@@ -0,0 +1,29 @@
+## <summary>GNAT Ada95 compiler</summary>
+
+########################################
+## <summary>
+##	Execute the ada program in the ada domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ada_domtrans',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type ada_t, ada_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domain_auto_trans($1, ada_exec_t, ada_t)
+
+		allow $1 ada_t:fd use;
+		allow ada_t $1:fd use;
+		allow ada_t $1:fifo_file rw_file_perms;
+		allow ada_t $1:process sigchld;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')
diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te
new file mode 100644
index 0000000..f8167b8
--- /dev/null
+++ b/policy/modules/apps/ada.te
@@ -0,0 +1,23 @@
+
+policy_module(ada,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ada_t;
+type ada_exec_t;
+domain_type(ada_t)
+domain_entry_file(ada_t,ada_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow ada_t self:process { execstack execmem };
+	unconfined_domain_noaudit(ada_t)
+	role system_r types ada_t;
+')
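Review bot: `ada_t` is declared and given `domain_type`/`domain_entry_file` unconditionally, but all of its rules, including `role system_r types ada_t;`, sit inside the targeted_policy ifdef, so in strict policy the module ships a domain with no role and no permissions. Since ada.if already warns that the transition has no effect in strict policy, either move the declarations inside the same ifdef or add a comment above the Local policy block stating the domain's purpose, e.g. `# ada_t exists only so the GNAT binaries can get execstack/execmem in targeted policy without granting them to unconfined_t; it is inert in strict policy`. That purpose is inferred from the `unconfined_domain_noaudit(ada_t)` call and should be confirmed.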
diff --git a/policy/modules/apps/authbind.fc b/policy/modules/apps/authbind.fc
new file mode 100644
index 0000000..48cf11b
--- /dev/null
+++ b/policy/modules/apps/authbind.fc
@@ -0,0 +1,3 @@
+/etc/authbind(/.*)?			gen_context(system_u:object_r:authbind_etc_t,s0)
+
+/usr/lib(64)?/authbind/helper	--	gen_context(system_u:object_r:authbind_exec_t,s0)
diff --git a/policy/modules/apps/authbind.if b/policy/modules/apps/authbind.if
new file mode 100644
index 0000000..84134d0
--- /dev/null
+++ b/policy/modules/apps/authbind.if
@@ -0,0 +1,23 @@
+## <summary>Tool for non-root processes to bind to reserved ports</summary>
+
+########################################
+## <summary>
+##	Use authbind to bind to a reserved port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authbind_domtrans',`
+	gen_require(`
+		type authbind_t, authbind_exec_t;
+	')
+
+	domain_auto_trans($1,authbind_exec_t,authbind_t)
+	allow authbind_t $1:fd use;
+	allow authbind_t $1:fifo_file rw_file_perms;
+	allow authbind_t $1:process sigchld;
+	allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
+')
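Review bot: `authbind_domtrans` grants `authbind_t $1:fd use` but not the reverse `allow $1 authbind_t:fd use;` that every other domtrans interface in this commit (vbetool_domtrans, vpn_domtrans, ada_domtrans) includes after `domain_auto_trans`. If the omission is deliberate because the caller never needs the helper's descriptors, a short comment saying so will stop the next reader from "fixing" it; otherwise add the line for consistency. The `rw_socket_perms` grant on the caller's `tcp_socket`/`udp_socket` is the rule that actually lets the helper bind the caller's socket, which is worth stating in a comment on that line, e.g. `# the helper binds the caller's own socket to the reserved port`.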
diff --git a/policy/modules/apps/authbind.te b/policy/modules/apps/authbind.te
new file mode 100644
index 0000000..292dda2
--- /dev/null
+++ b/policy/modules/apps/authbind.te
@@ -0,0 +1,36 @@
+
+policy_module(authbind,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type authbind_t;
+type authbind_exec_t;
+domain_type(authbind_t)
+domain_entry_file(authbind_t,authbind_exec_t)
+role system_r types authbind_t;
+
+type authbind_etc_t;
+files_config_file(authbind_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow authbind_t self:capability net_bind_service;
+
+can_exec(authbind_t, authbind_etc_t)
+allow authbind_t authbind_etc_t:file r_file_perms;
+allow authbind_t authbind_etc_t:dir r_dir_perms;
+allow authbind_t authbind_etc_t:lnk_file { getattr read };
+files_list_etc(authbind_t)
+
+term_use_console(authbind_t)
+
+logging_send_syslog_msg(authbind_t)
+
+libs_use_ld_so(authbind_t)
+libs_use_shared_libs(authbind_t)
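Review bot: `can_exec(authbind_t, authbind_etc_t)` lets the helper execute files labelled as configuration under /etc/authbind, which reads as a mistake unless the reader knows the tool's semantics. A comment tying the rule to the tool's behaviour would keep it from being removed as a cleanup, e.g. `# per-port entries under /etc/authbind may be executable programs that the helper runs instead of reading`. I am stating this from general knowledge of authbind rather than from anything in the diff, so confirm it against the packaged helper before committing the wording.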
diff --git a/policy/modules/apps/calamaris.fc b/policy/modules/apps/calamaris.fc
new file mode 100644
index 0000000..9cbd0a0
--- /dev/null
+++ b/policy/modules/apps/calamaris.fc
@@ -0,0 +1,10 @@
+#
+# /etc
+#
+/etc/cron\.daily/calamaris --	gen_context(system_u:object_r:calamaris_exec_t,s0)
+
+#
+# /var
+#
+/var/log/calamaris(/.*)?	gen_context(system_u:object_r:calamaris_log_t,s0)
+/var/www/calamaris(/.*)?	gen_context(system_u:object_r:calamaris_www_t,s0)
diff --git a/policy/modules/apps/calamaris.if b/policy/modules/apps/calamaris.if
new file mode 100644
index 0000000..e180a59
--- /dev/null
+++ b/policy/modules/apps/calamaris.if
@@ -0,0 +1,21 @@
+## <summary>Squid log analysis</summary>
+
+#######################################
+## <summary>
+##	Allow domain to read calamaris www files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`calamaris_read_www_files',`
+	gen_require(`
+		type calamaris_www_t;
+	')
+
+	allow $1 calamaris_www_t:dir r_dir_perms;
+	allow $1 calamaris_www_t:file r_file_perms;
+	allow $1 calamaris_www_t:lnk_file { getattr read };
+')
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
new file mode 100644
index 0000000..a680581
--- /dev/null
+++ b/policy/modules/apps/calamaris.te
@@ -0,0 +1,93 @@
+
+policy_module(calamaris,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type calamaris_t;
+type calamaris_exec_t;
+init_system_domain(calamaris_t,calamaris_exec_t)
+
+type calamaris_www_t;
+files_type(calamaris_www_t)
+
+type calamaris_log_t;
+logging_log_file(calamaris_log_t)
+
+########################################
+#
+# Local policy
+#
+
+# for when squid has a different UID
+allow calamaris_t self:capability dac_override;
+allow calamaris_t self:process { fork signal_perms setsched };
+allow calamaris_t self:fifo_file { getattr read write ioctl };
+allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
+allow calamaris_t self:tcp_socket create_stream_socket_perms;
+allow calamaris_t self:udp_socket create_socket_perms;
+
+allow calamaris_t calamaris_www_t:dir rw_dir_perms;
+allow calamaris_t calamaris_www_t:file manage_file_perms;
+allow calamaris_t calamaris_www_t:lnk_file create_lnk_perms;
+
+allow calamaris_t calamaris_log_t:file create_file_perms;
+allow calamaris_t calamaris_log_t:dir rw_dir_perms;
+logging_log_filetrans(calamaris_t,calamaris_log_t,{ file dir })
+
+kernel_read_all_sysctls(calamaris_t)
+kernel_read_system_state(calamaris_t)
+
+corecmd_exec_bin(calamaris_t)
+
+corenet_non_ipsec_sendrecv(calamaris_t)
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_all_nodes(calamaris_t)
+corenet_udp_sendrecv_all_nodes(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+
+dev_read_urand(calamaris_t)
+
+files_search_pids(calamaris_t)
+files_read_etc_files(calamaris_t)
+files_read_usr_files(calamaris_t)
+files_read_var_files(calamaris_t)
+files_read_etc_runtime_files(calamaris_t)
+
+libs_read_lib_files(calamaris_t)
+libs_use_ld_so(calamaris_t)
+libs_use_shared_libs(calamaris_t)
+
+logging_send_syslog_msg(calamaris_t)
+
+miscfiles_read_localization(calamaris_t)
+
+sysnet_read_config(calamaris_t)
+
+userdom_dontaudit_list_sysadm_home_dirs(calamaris_t)
+
+squid_read_log(calamaris_t)
+
+optional_policy(`
+	apache_search_sys_content(calamaris_t)
+')
+
+optional_policy(`
+	bind_udp_chat_named(calamaris_t)
+')
+
+optional_policy(`
+	cron_system_entry(calamaris_t,calamaris_exec_t)
+')
+
+optional_policy(`
+	mta_send_mail(calamaris_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(calamaris_t)
+')
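Review bot: `squid_read_log(calamaris_t)` is called unconditionally while every other cross-module interface in the Local policy section (apache, bind, cron, mta, nis) is wrapped in `optional_policy`, so this module fails to link when the squid module is not loaded. Either wrap it the same way, `optional_policy(` / `squid_read_log(calamaris_t)` / `')`, or, if the dependency is meant to be hard, say so in a comment such as `# squid module is required: calamaris exists only to analyse squid logs`. A hard dependency would be unusual for an apps module in this tree, so the optional form is probably what was intended.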
diff --git a/policy/modules/apps/cdrecord.fc b/policy/modules/apps/cdrecord.fc
new file mode 100644
index 0000000..12deb68
--- /dev/null
+++ b/policy/modules/apps/cdrecord.fc
@@ -0,0 +1,5 @@
+#
+# /usr
+#
+/usr/bin/cdrecord	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
+
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
new file mode 100644
index 0000000..f756bc4
--- /dev/null
+++ b/policy/modules/apps/cdrecord.if
@@ -0,0 +1,203 @@
+## <summary>Policy for cdrecord</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the cdrecord module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates derived domains which are used
+##	for cdrecord.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`cdrecord_per_userdomain_template', `
+
+	gen_require(`
+		type cdrecord_exec_t;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_cdrecord_t;
+	domain_type($1_cdrecord_t)
+	domain_entry_file($1_cdrecord_t,cdrecord_exec_t)
+	role $3 types $1_cdrecord_t;
+
+	########################################
+	#
+	# Local policy
+	#
+
+	allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+	allow $1_cdrecord_t self:process { getsched setsched sigkill };
+	allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
+	allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+	allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
+
+	# allow ps to show cdrecord and allow the user to kill it 
+	allow $2 $1_cdrecord_t:dir { search getattr read };
+	allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
+	allow $2 $1_cdrecord_t:process getattr;
+	#We need to suppress this denial because procps
+	#tries to access /proc/pid/environ and this now
+	#triggers a ptrace check in recent kernels
+	# (2.4 and 2.6). Might want to change procps
+	#to not do this, or only if running in a privileged domain.
+	dontaudit $2 $1_cdrecord_t:process ptrace;
+	allow $2 $1_cdrecord_t:process signal;
+
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($2, cdrecord_exec_t, $1_cdrecord_t)
+	allow $2 $1_cdrecord_t:fd use;
+	allow $1_cdrecord_t $2:fd use;
+	allow $1_cdrecord_t $2:fifo_file rw_file_perms;
+	allow $1_cdrecord_t $2:process sigchld;
+
+	# allow searching for cdrom-drive
+	dev_list_all_dev_nodes($1_cdrecord_t) 
+	
+	domain_interactive_fd($1_cdrecord_t)
+	domain_use_interactive_fds($1_cdrecord_t)
+
+	files_read_etc_files($1_cdrecord_t)
+
+	term_use_controlling_term($1_cdrecord_t)
+	term_list_ptys($1_cdrecord_t)
+
+	# allow cdrecord to write the CD
+	storage_raw_write_removable_device($1_cdrecord_t)
+	storage_write_scsi_generic($1_cdrecord_t)
+	
+	libs_use_ld_so($1_cdrecord_t)
+	libs_use_shared_libs($1_cdrecord_t)
+
+	logging_send_syslog_msg($1_cdrecord_t)
+
+	miscfiles_read_localization($1_cdrecord_t)
+
+	# write to the user domain tty.
+	userdom_use_user_terminals($1,$1_cdrecord_t)
+	userdom_use_user_terminals($1,$2)
+
+	userdom_read_user_home_content_files($1,$1_cdrecord_t)
+
+	# Handle nfs home dirs
+	tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+		fs_list_auto_mountpoints($1_cdrecord_t)
+		files_list_home($1_cdrecord_t)
+		fs_read_nfs_files($1_cdrecord_t)
+		fs_read_nfs_symlinks($1_cdrecord_t)
+	
+	',`
+		files_dontaudit_list_home($1_cdrecord_t)
+		fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
+		fs_dontaudit_read_nfs_files($1_cdrecord_t)
+		fs_dontaudit_list_nfs($1_cdrecord_t)
+	')
+	# Handle samba home dirs
+	tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
+		fs_list_auto_mountpoints($1_cdrecord_t)
+		files_list_home($1_cdrecord_t)
+		fs_read_cifs_files($1_cdrecord_t)
+		fs_read_cifs_symlinks($1_cdrecord_t)
+	',`
+		files_dontaudit_list_home($1_cdrecord_t)
+		fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
+		fs_dontaudit_read_cifs_files($1_cdrecord_t)
+		fs_dontaudit_list_cifs($1_cdrecord_t)
+	')
+	
+	# Handle removable media, /tmp, and /home
+	tunable_policy(`cdrecord_read_content',`
+		userdom_list_user_tmp($1,$1_cdrecord_t)
+		userdom_read_user_tmp_files($1,$1_cdrecord_t)
+		userdom_read_user_tmp_symlinks($1,$1_cdrecord_t)
+		userdom_search_user_home_dirs($1,$1_cdrecord_t)
+		userdom_read_user_home_content_files($1,$1_cdrecord_t)
+		userdom_read_user_home_content_symlinks($1,$1_cdrecord_t)
+		
+		ifdef(`enable_mls',`
+		',`
+			fs_search_removable($1_cdrecord_t)
+			fs_read_removable_files($1_cdrecord_t)
+			fs_read_removable_symlinks($1_cdrecord_t)
+		')
+	',`
+		files_dontaudit_list_tmp($1_cdrecord_t)
+		files_dontaudit_list_home($1_cdrecord_t)
+		fs_dontaudit_list_removable($1_cdrecord_t)
+		fs_dontaudit_read_removable_files($1_cdrecord_t)
+		userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
+		userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
+		userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
+		userdom_dontaudit_read_user_home_content_files($1,$1_cdrecord_t)
+	')
+	
+	# Handle default_t content
+	tunable_policy(`cdrecord_read_content && read_default_t',`
+		files_list_default($1_cdrecord_t)
+		files_read_default_files($1_cdrecord_t)
+		files_read_default_symlinks($1_cdrecord_t)
+	',`
+		files_dontaudit_read_default_files($1_cdrecord_t)
+		files_dontaudit_list_default($1_cdrecord_t)
+	')
+	
+	# Handle untrusted content
+	tunable_policy(`cdrecord_read_content && read_untrusted_content',`
+		files_list_tmp($1_cdrecord_t)
+		files_list_home($1_cdrecord_t)
+		userdom_search_user_home_dirs($1,$1_cdrecord_t)
+
+		userdom_list_user_untrusted_content($1,$1_cdrecord_t)
+		userdom_read_user_untrusted_content_files($1,$1_cdrecord_t)
+		userdom_read_user_untrusted_content_symlinks($1,$1_cdrecord_t)
+		userdom_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
+		userdom_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
+		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_cdrecord_t)
+	',`
+		files_dontaudit_list_tmp($1_cdrecord_t)
+		files_dontaudit_list_home($1_cdrecord_t)
+		userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
+		userdom_dontaudit_list_user_untrusted_content($1,$1_cdrecord_t)
+		userdom_dontaudit_read_user_untrusted_content_files($1,$1_cdrecord_t)
+		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
+		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		files_search_mnt($1_cdrecord_t)
+		fs_read_nfs_files($1_cdrecord_t)
+		fs_read_nfs_symlinks($1_cdrecord_t)
+	')
+	
+	optional_policy(`
+		resmgr_stream_connect($1_cdrecord_t)
+	')
+')
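Review bot: The unconditional `userdom_read_user_home_content_files($1,$1_cdrecord_t)` placed just after the `userdom_use_user_terminals` pair grants the same home-content read access that the `cdrecord_read_content` tunable later gates, so switching the boolean off still leaves the derived domain able to read every file in the user's home and the dontaudit branch of that tunable never has anything to suppress. The same applies to the trailing `tunable_policy(use_nfs_home_dirs)` block, which reads NFS files regardless of `cdrecord_read_content` even though the earlier `cdrecord_read_content && use_nfs_home_dirs` block exists precisely to condition that access. Dropping the unconditional line and the trailing use_nfs_home_dirs block, or folding them into the gated blocks, makes the tunable mean what its name says. Separately, `userdom_use_user_terminals($1,$2)` grants the user domain its own terminals from inside the cdrecord template, which looks like a stray line rather than cdrecord policy.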
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
new file mode 100644
index 0000000..8785b3c
--- /dev/null
+++ b/policy/modules/apps/cdrecord.te
@@ -0,0 +1,10 @@
+
+policy_module(cdrecord,1.0.3)
+
+########################################
+#
+# Declarations
+#
+
+type cdrecord_exec_t;
+corecmd_executable_file(cdrecord_exec_t)
diff --git a/policy/modules/apps/ethereal.fc b/policy/modules/apps/ethereal.fc
new file mode 100644
index 0000000..12ae276
--- /dev/null
+++ b/policy/modules/apps/ethereal.fc
@@ -0,0 +1,7 @@
+
+/usr/sbin/ethereal.*		--	gen_context(system_u:object_r:ethereal_exec_t,s0)
+/usr/sbin/tethereal.*		--	gen_context(system_u:object_r:tethereal_exec_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.ethereal(/.*)? 		gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
+')
diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if
new file mode 100644
index 0000000..6215059
--- /dev/null
+++ b/policy/modules/apps/ethereal.if
@@ -0,0 +1,303 @@
+## <summary>Ethereal packet capture tool.</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the ethereal module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for ethereal packet capture tool.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`ethereal_per_userdomain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	# Type for program
+	type $1_ethereal_t;
+	domain_type($1_ethereal_t)
+	domain_entry_file($1_ethereal_t,ethereal_exec_t)
+	role $3 types $1_ethereal_t;
+
+	type $1_ethereal_home_t alias $1_ethereal_rw_t;
+	files_poly_member($1_ethereal_home_t)
+	userdom_user_home_content($1,$1_ethereal_home_t)
+
+	type $1_ethereal_tmp_t;
+	files_tmp_file($1_ethereal_tmp_t)
+
+	type $1_ethereal_tmpfs_t;
+	files_tmpfs_file($1_ethereal_tmpfs_t)
+
+	##############################
+	#
+	# Local Policy
+	#
+
+	allow $1_ethereal_t self:capability { net_admin net_raw setgid };
+	allow $1_ethereal_t self:process { signal getsched };
+	allow $1_ethereal_t self:fifo_file { getattr read write };
+	allow $1_ethereal_t self:shm destroy;
+	allow $1_ethereal_t self:shm create_shm_perms;
+	allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+	allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
+	allow $1_ethereal_t self:tcp_socket create_socket_perms;
+	allow $1_ethereal_t self:udp_socket create_socket_perms;
+
+	# Store temporary files
+	allow $1_ethereal_t $1_ethereal_tmp_t:dir create_dir_perms;
+	allow $1_ethereal_t $1_ethereal_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
+
+	# Re-execute itself (why?)
+	can_exec($1_ethereal_t, ethereal_exec_t)
+	corecmd_search_sbin($1_ethereal_t)
+
+	# /home/.ethereal
+	allow $1_ethereal_t $1_ethereal_home_t:dir manage_dir_perms;
+	allow $1_ethereal_t $1_ethereal_home_t:file manage_file_perms;
+	allow $1_ethereal_t $1_ethereal_home_t:lnk_file create_lnk_perms;
+	userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir)
+
+	allow $1_ethereal_t $1_ethereal_tmpfs_t:dir manage_dir_perms;
+	allow $1_ethereal_t $1_ethereal_tmpfs_t:file manage_file_perms;
+	allow $1_ethereal_t $1_ethereal_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_ethereal_t $1_ethereal_tmpfs_t:sock_file manage_file_perms;
+	allow $1_ethereal_t $1_ethereal_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
+	allow $1_ethereal_t $2:fd use;
+	allow $1_ethereal_t $2:process sigchld;
+
+	allow $2 $1_ethereal_home_t:dir manage_dir_perms;
+	allow $2 $1_ethereal_home_t:file manage_file_perms;
+	allow $2 $1_ethereal_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_ethereal_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+	kernel_read_kernel_sysctls($1_ethereal_t)
+	kernel_read_system_state($1_ethereal_t)
+	kernel_read_sysctl($1_ethereal_t)
+
+	corecmd_search_bin($1_ethereal_t)
+
+	corenet_tcp_connect_generic_port($1_ethereal_t)
+	corenet_tcp_sendrecv_generic_if($1_ethereal_t)
+	
+	dev_read_urand($1_ethereal_t)
+
+	files_read_etc_files($1_ethereal_t)
+	files_read_usr_files($1_ethereal_t)
+
+	fs_list_inotifyfs($1_ethereal_t)
+	fs_search_auto_mountpoints($1_ethereal_t)
+
+	libs_read_lib_files($1_ethereal_t)
+	libs_use_ld_so($1_ethereal_t)
+	libs_use_shared_libs($1_ethereal_t)
+
+	miscfiles_read_fonts($1_ethereal_t)
+	miscfiles_read_localization($1_ethereal_t)
+
+	seutil_use_newrole_fds($1_ethereal_t)
+
+	sysnet_read_config($1_ethereal_t)
+
+	userdom_manage_user_home_content_files($1,$1_ethereal_t)
+	
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_ethereal_t)
+		fs_manage_nfs_files($1_ethereal_t)
+		fs_manage_nfs_symlinks($1_ethereal_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_ethereal_t)
+		fs_manage_cifs_files($1_ethereal_t)
+		fs_manage_cifs_symlinks($1_ethereal_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_ethereal_t)
+	')
+
+	# Manual transition from userhelper 
+	optional_policy(`
+		userhelper_use_user_fd($1,$1_ethereal_t)
+		userhelper_sigchld_user($1,$1_ethereal_t)
+	')
+
+	optional_policy(`
+		xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t)
+		xserver_create_xdm_tmp_sockets($1_ethereal_t)
+	')
+	
+	ifdef(`TODO',`
+		# Why does it write this?
+		optional_policy(`
+			dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
+		')
+		#TODO
+		gnome_application($1_ethereal, $1)
+		gnome_file_dialog($1_ethereal, $1)
+		# FIXME: policy is incomplete
+	')
+	
+')
+
+#######################################
+## <summary>
+##	The administrative functions template for the ethereal module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates rules for administrating ethereal,
+##	allowing the specified user to manage ethereal files.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`ethereal_admin_template',`
+	gen_require(`
+		type $1_ethereal_t;
+	')
+
+	# Create various types of sockets
+	allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms;
+	allow $1_ethereal_t self:udp_socket create_socket_perms;
+	allow $1_ethereal_t self:packet_socket create_socket_perms;
+	allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_ethereal_t self:tcp_socket create_socket_perms;
+	
+	userdom_use_user_terminals($1,$1_ethereal_t)
+	# Ethereal tries to write to user terminal
+	userdom_dontaudit_use_user_terminals($1,$1_ethereal_t)
+')
+
+########################################
+## <summary>
+##	Run ethereal in ethereal domain.
+## </summary>
+## <desc>
+##	<p>
+##	Run ethereal in ethereal domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`ethereal_domtrans_user_ethereal',`
+	gen_require(`
+		type $1_ethereal_t, ethereal_exec_t;
+	')
+
+	domain_auto_trans($2,ethereal_exec_t,$1_ethereal_t)
+
+	allow $2 $1_ethereal_t:fd use;
+	allow $1_ethereal_t $2:fd use;
+	allow $1_ethereal_t $2:fifo_file rw_file_perms;
+	allow $1_ethereal_t $2:process sigchld;
+')
+
+########################################
+## <summary>
+##	Run tethereal in the tethereal domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`ethereal_domtrans_tethereal',`
+	gen_require(`
+		type tethereal_t, tethereal_exec_t;
+	')
+
+	domain_auto_trans($1,tethereal_exec_t,tethereal_t)
+
+	allow $1 tethereal_t:fd use;
+	allow tethereal_t $1:fd use;
+	allow tethereal_t $1:fifo_file rw_file_perms;
+	allow tethereal_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute tethereal in the tethereal domain, and
+##	allow the specified role the tethereal domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the tethereal domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the tethereal domain to use.
+##	</summary>
+## </param>
+#
+interface(`ethereal_run_tethereal',`
+	gen_require(`
+		type tethereal_t;
+	')
+
+	ethereal_domtrans_tethereal($1)
+	role $2 types tethereal_t;
+	allow tethereal_t $3:chr_file rw_term_perms;
+')
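Review bot: `ethereal_per_userdomain_template` uses `ethereal_exec_t` in `domain_entry_file`, `can_exec` and `domain_auto_trans` without declaring it in a `gen_require`, unlike the sibling `cdrecord_per_userdomain_template`, so the template only builds when the caller happens to have that type in scope. Add `gen_require(` / `type ethereal_exec_t;` / `')` at the top of the template body. The `ifdef(TODO)` block at the end names `sysadm_ethereal_t` and `snmpd_var_lib_t` literally rather than through `$1`, so even if it were ever enabled it would be wrong for every prefix except sysadm; replace it with a plain comment listing the open items, or drop it. Also `allow $1_ethereal_t self:shm destroy;` is redundant with the `create_shm_perms` rule on the following line if that permission set includes destroy, which I believe it does — confirm and remove the narrower rule.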
diff --git a/policy/modules/apps/ethereal.te b/policy/modules/apps/ethereal.te
new file mode 100644
index 0000000..6b8b6dd
--- /dev/null
+++ b/policy/modules/apps/ethereal.te
@@ -0,0 +1,57 @@
+
+policy_module(ethereal,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type ethereal_exec_t;
+corecmd_executable_file(ethereal_exec_t)
+
+type tethereal_t;
+type tethereal_exec_t;
+domain_type(tethereal_t)
+domain_entry_file(tethereal_t,tethereal_exec_t)
+
+type tethereal_tmp_t;
+files_tmp_file(tethereal_tmp_t)
+
+########################################
+#
+# Tethereal policy
+#
+
+allow tethereal_t tethereal_t : capability { dac_override dac_read_search setgid setuid net_raw };
+allow tethereal_t self:unix_stream_socket create_stream_socket_perms;
+allow tethereal_t self:netlink_route_socket create_netlink_socket_perms;
+allow tethereal_t self:packet_socket create_socket_perms;
+allow tethereal_t self:tcp_socket create_socket_perms;
+allow tethereal_t self:udp_socket create_socket_perms;
+
+# Store temporary files
+allow tethereal_t tethereal_tmp_t:dir create_dir_perms;
+allow tethereal_t tethereal_tmp_t:file create_file_perms;
+files_tmp_filetrans(tethereal_t, tethereal_tmp_t, { dir file })
+
+# /proc
+kernel_read_all_sysctls(tethereal_t)
+kernel_read_system_state(tethereal_t)
+
+# Read ethereal files in /usr
+files_read_usr_files(tethereal_t)
+# /etc/nsswitch.conf
+files_read_etc_files(tethereal_t)
+
+libs_use_ld_so(tethereal_t)
+libs_use_shared_libs(tethereal_t)
+
+miscfiles_read_localization(tethereal_t)
+
+seutil_use_newrole_fds(tethereal_t)
+
+sysnet_dns_name_resolve(tethereal_t)
+
+optional_policy(`
+	nscd_socket_use(tethereal_t)
+')
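Review bot: The capability rule `allow tethereal_t tethereal_t : capability { dac_override dac_read_search setgid setuid net_raw };` names the domain twice while every rule that follows it in this block uses `self`; write it as `allow tethereal_t self:capability { dac_override dac_read_search setgid setuid net_raw };` so the block reads consistently. net_raw together with the packet_socket rule is what a capture tool needs, but dac_override and dac_read_search bypass file permission checks altogether and nothing in the hunk records which access requires them; a one-line comment above the rule naming that access (or dropping the two if they turn out to be unneeded) would make the grant reviewable later. The same applies to setuid/setgid, which presumably cover privilege dropping after the capture socket is opened — worth stating in a comment.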
diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc
new file mode 100644
index 0000000..c3ded67
--- /dev/null
+++ b/policy/modules/apps/evolution.fc
@@ -0,0 +1,20 @@
+
+#
+# /tmp
+#
+/tmp/\.exchange-USER(/.*)?					gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0)
+
+#
+# /usr
+#
+/usr/bin/evolution.*					--	gen_context(system_u:object_r:evolution_exec_t,s0)
+
+/usr/libexec/evolution/.*evolution-alarm-notify.*	--	gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
+/usr/libexec/evolution/.*evolution-exchange-storage.*	--	gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
+/usr/libexec/evolution-data-server.*			--	gen_context(system_u:object_r:evolution_server_exec_t,s0)
+/usr/libexec/evolution-webcal.*				--	gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.evolution(/.*)?					gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
+HOME_DIR/\.camel_certs(/.*)?					gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
+')
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
new file mode 100644
index 0000000..946a9fb
--- /dev/null
+++ b/policy/modules/apps/evolution.if
@@ -0,0 +1,820 @@
+## <summary>Evolution email client</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the evolution module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for evolution email client and other related evolution applications such as webcal and alarm
+##	type is also created to protect the user evolution keys.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`evolution_per_userdomain_template',`
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_evolution_t;
+	domain_type($1_evolution_t)
+	domain_entry_file($1_evolution_t,evolution_exec_t)
+	role $3 types $1_evolution_t;
+
+	type $1_evolution_tmpfs_t;
+	files_tmpfs_file($1_evolution_tmpfs_t)
+
+	type $1_evolution_home_t alias $1_evolution_rw_t;
+	files_poly_member($1_evolution_home_t)
+	userdom_user_home_content($1,$1_evolution_home_t)
+
+	type $1_evolution_orbit_tmp_t;
+	files_type($1_evolution_orbit_tmp_t)
+	
+	type $1_evolution_alarm_t;
+	domain_type($1_evolution_alarm_t)
+	domain_entry_file($1_evolution_alarm_t,evolution_alarm_exec_t)
+	role $3 types $1_evolution_alarm_t;
+
+	type $1_evolution_alarm_tmpfs_t;
+	files_tmpfs_file($1_evolution_alarm_tmpfs_t)
+
+	type $1_evolution_alarm_orbit_tmp_t;
+	files_type($1_evolution_alarm_orbit_tmp_t)
+
+	type $1_evolution_exchange_t;
+	domain_type($1_evolution_exchange_t)
+	domain_entry_file($1_evolution_exchange_t,evolution_exchange_exec_t)
+	role $3 types $1_evolution_exchange_t;
+
+	type $1_evolution_exchange_tmpfs_t;
+	files_tmpfs_file($1_evolution_exchange_tmpfs_t)
+
+	type $1_evolution_exchange_tmp_t;
+	files_tmp_file($1_evolution_exchange_tmp_t)
+
+	type $1_evolution_exchange_orbit_tmp_t;
+	files_type($1_evolution_exchange_orbit_tmp_t)
+
+	type $1_evolution_server_t;
+	domain_type($1_evolution_server_t)
+	domain_entry_file($1_evolution_server_t,evolution_server_exec_t)
+	role $3 types $1_evolution_server_t;
+
+	type $1_evolution_server_orbit_tmp_t;
+	files_type($1_evolution_server_orbit_tmp_t)
+
+	type $1_evolution_webcal_t;
+	domain_type($1_evolution_webcal_t)
+	domain_entry_file($1_evolution_webcal_t,evolution_webcal_exec_t)
+	role $3 types $1_evolution_webcal_t;
+
+	type $1_evolution_webcal_tmpfs_t;
+	files_tmpfs_file($1_evolution_webcal_tmpfs_t)
+
+	type $1_orbit_tmp_t;
+	files_type($1_orbit_tmp_t)
+
+	########################################
+	#
+	# Evolution local policy
+	#
+
+	allow $1_evolution_t self:capability { setuid setgid sys_nice };
+	allow $1_evolution_t self:process { signal getsched setsched };
+	allow $1_evolution_t self:fifo_file rw_file_perms;
+	allow $1_evolution_t self:tcp_socket create_socket_perms;
+	allow $1_evolution_t self:udp_socket create_socket_perms;
+
+	allow $1_evolution_t $1_evolution_alarm_t:dir search_dir_perms;
+	allow $1_evolution_t $1_evolution_alarm_t:file read;
+
+	allow $1_evolution_t $1_evolution_alarm_t:unix_stream_socket connectto;
+	allow $1_evolution_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
+
+	can_exec($1_evolution_t,evolution_alarm_exec_t)
+
+	allow $1_evolution_t $1_evolution_exchange_t:unix_stream_socket connectto;
+	allow $1_evolution_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
+
+	allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms;
+	allow $1_evolution_t $1_evolution_home_t:file manage_file_perms;
+	allow $1_evolution_t $1_evolution_home_t:lnk_file create_lnk_perms;
+
+	allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
+	allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
+	files_tmp_filetrans($1_evolution_t,$1_evolution_orbit_tmp_t,{ dir file })
+
+	allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms;
+	allow $1_evolution_t $1_evolution_server_t:file read;
+
+	allow $1_evolution_t $1_evolution_server_t:unix_stream_socket connectto;
+	allow $1_evolution_t $1_evolution_server_orbit_tmp_t:sock_file write;
+
+	can_exec($1_evolution_t,evolution_server_exec_t)
+
+	allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms;
+	allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms;
+	allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_file_perms;
+	allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_evolution_t,$1_evolution_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $1_evolution_t $2:dir search;
+	allow $1_evolution_t $2:fd use;
+	allow $1_evolution_t $2:file read;
+	allow $1_evolution_t $2:lnk_file read;
+	allow $1_evolution_t $2:process sigchld;
+	allow $1_evolution_t $2:unix_stream_socket connectto;
+	allow $1_evolution_t $2:dir search;
+	allow $1_evolution_t $2:file read;
+
+	domain_auto_trans($2, evolution_exec_t, $1_evolution_t)
+	
+	allow $2 $1_evolution_t:unix_stream_socket connectto;
+	allow $2 $1_evolution_t:process noatsecure;
+	allow $2 $1_evolution_t:process signal_perms;
+
+	# Access .evolution
+	allow $2 $1_evolution_home_t:dir manage_dir_perms;
+	allow $2 $1_evolution_home_t:file manage_file_perms;
+	allow $2 $1_evolution_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+	userdom_search_user_home_dirs($1,$1_evolution_t)
+
+	# Allow the user domain to signal/ps.
+	allow $2 $1_evolution_t:dir { search getattr read };
+	allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
+	allow $2 $1_evolution_t:process getattr;
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $2 $1_evolution_t:process ptrace;
+
+	#FIXME check to see if really needed
+	kernel_read_kernel_sysctls($1_evolution_t)
+	kernel_read_system_state($1_evolution_t)
+	# Allow netstat
+	kernel_read_network_state($1_evolution_t)
+	kernel_read_net_sysctls($1_evolution_t)
+
+	corecmd_exec_shell($1_evolution_t)
+	# Run various programs
+	corecmd_exec_bin($1_evolution_t)
+	corecmd_exec_sbin($1_evolution_t)
+
+	corenet_non_ipsec_sendrecv($1_evolution_t)
+	corenet_tcp_sendrecv_generic_if($1_evolution_t)
+	corenet_udp_sendrecv_generic_if($1_evolution_t)
+	corenet_raw_sendrecv_generic_if($1_evolution_t)
+	corenet_tcp_sendrecv_all_nodes($1_evolution_t)
+	corenet_udp_sendrecv_all_nodes($1_evolution_t)
+	corenet_tcp_sendrecv_pop_port($1_evolution_t)
+	corenet_udp_sendrecv_pop_port($1_evolution_t)
+	corenet_tcp_sendrecv_smtp_port($1_evolution_t)
+	corenet_udp_sendrecv_smtp_port($1_evolution_t)
+	corenet_tcp_sendrecv_innd_port($1_evolution_t)
+	corenet_udp_sendrecv_innd_port($1_evolution_t)
+	corenet_tcp_sendrecv_ldap_port($1_evolution_t)
+	corenet_udp_sendrecv_ldap_port($1_evolution_t)
+	corenet_tcp_sendrecv_ipp_port($1_evolution_t)
+	corenet_udp_sendrecv_ipp_port($1_evolution_t)
+	corenet_tcp_connect_pop_port($1_evolution_t)
+	corenet_tcp_connect_smtp_port($1_evolution_t)
+	corenet_tcp_connect_innd_port($1_evolution_t)
+	corenet_tcp_connect_ldap_port($1_evolution_t)
+	corenet_tcp_connect_ipp_port($1_evolution_t)
+	corenet_sendrecv_pop_client_packets($1_evolution_t)
+	corenet_sendrecv_smtp_client_packets($1_evolution_t)
+	corenet_sendrecv_innd_client_packets($1_evolution_t)
+	corenet_sendrecv_ldap_client_packets($1_evolution_t)
+	corenet_sendrecv_ipp_client_packets($1_evolution_t)
+	# not sure about this bind
+	corenet_udp_bind_all_nodes($1_evolution_t)
+	corenet_udp_bind_generic_port($1_evolution_t)
+
+	dev_read_urand($1_evolution_t)
+
+	files_read_etc_files($1_evolution_t)
+	files_read_usr_files($1_evolution_t)
+	files_read_usr_symlinks($1_evolution_t)
+	files_read_var_files($1_evolution_t)
+
+	fs_search_auto_mountpoints($1_evolution_t)
+
+	libs_use_ld_so($1_evolution_t)
+	libs_use_shared_libs($1_evolution_t)
+
+	logging_send_syslog_msg($1_evolution_t)
+
+	miscfiles_read_localization($1_evolution_t)
+
+	sysnet_read_config($1_evolution_t)
+	sysnet_dns_name_resolve($1_evolution_t)
+
+	udev_read_state($1_evolution_t)
+
+	userdom_rw_user_tmp_files($1,$1_evolution_t)
+	userdom_manage_user_tmp_dirs($1,$1_evolution_t)
+	userdom_manage_user_tmp_sockets($1,$1_evolution_t)
+	userdom_manage_user_tmp_files($1,$1_evolution_t)
+	# FIXME: suppress access to .local/.icons/.themes until properly implemented
+	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+	# until properly implemented
+	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
+
+	mta_read_config($1_evolution_t)
+
+	xserver_user_client_template($1,$1_evolution_t,$1_evolution_tmpfs_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_evolution_t)
+		fs_manage_nfs_files($1_evolution_t)
+		fs_manage_nfs_symlinks($1_evolution_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_evolution_t)
+		fs_manage_cifs_files($1_evolution_t)
+		fs_manage_cifs_symlinks($1_evolution_t)
+	')
+
+	tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+		fs_list_auto_mountpoints($1_evolution_t)
+		files_list_home($1_evolution_t)
+		fs_read_nfs_files($1_evolution_t)
+		fs_read_nfs_symlinks($1_evolution_t)
+	
+	',`
+		files_dontaudit_list_home($1_evolution_t)
+		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
+		fs_dontaudit_read_nfs_files($1_evolution_t)
+		fs_dontaudit_list_nfs($1_evolution_t)
+	')
+
+	tunable_policy(`mail_read_content && use_samba_home_dirs',`
+		fs_list_auto_mountpoints($1_evolution_t)
+		files_list_home($1_evolution_t)
+		fs_read_cifs_files($1_evolution_t)
+		fs_read_cifs_symlinks($1_evolution_t)
+	',`
+		files_dontaudit_list_home($1_evolution_t)
+		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
+		fs_dontaudit_read_cifs_files($1_evolution_t)
+		fs_dontaudit_list_cifs($1_evolution_t)
+	')
+
+	tunable_policy(`mail_read_content',`
+		userdom_list_user_tmp($1,$1_evolution_t)
+		userdom_read_user_tmp_files($1,$1_evolution_t)
+		userdom_read_user_tmp_symlinks($1,$1_evolution_t)
+		userdom_search_user_home_dirs($1,$1_evolution_t)
+		userdom_read_user_home_content_files($1,$1_evolution_t)
+		userdom_read_user_home_content_symlinks($1,$1_evolution_t)
+		
+		ifndef(`enable_mls',`
+			fs_search_removable($1_evolution_t)
+			fs_read_removable_files($1_evolution_t)
+			fs_read_removable_symlinks($1_evolution_t)
+		')
+	',`
+		files_dontaudit_list_tmp($1_evolution_t)
+		files_dontaudit_list_home($1_evolution_t)
+		fs_dontaudit_list_removable($1_evolution_t)
+		fs_dontaudit_read_removable_files($1_evolution_t)
+		userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
+		userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
+		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
+		userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
+	')
+
+	tunable_policy(`mail_read_content && read_default_t',`
+		files_list_default($1_evolution_t)
+		files_read_default_files($1_evolution_t)
+		files_read_default_symlinks($1_evolution_t)
+	',`
+		files_dontaudit_read_default_files($1_evolution_t)
+		files_dontaudit_list_default($1_evolution_t)
+	')
+
+	tunable_policy(`mail_read_content && read_untrusted_content',`
+		files_list_tmp($1_evolution_t)
+		files_list_home($1_evolution_t)
+		userdom_search_user_home_dirs($1,$1_evolution_t)
+	
+		userdom_list_user_untrusted_content($1,$1_evolution_t)
+		userdom_read_user_untrusted_content_files($1,$1_evolution_t)
+		userdom_read_user_untrusted_content_symlinks($1,$1_evolution_t)
+		userdom_list_user_tmp_untrusted_content($1,$1_evolution_t)
+		userdom_read_user_tmp_untrusted_content_files($1,$1_evolution_t)
+		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_evolution_t)
+	',`
+		files_dontaudit_list_tmp($1_evolution_t)
+		files_dontaudit_list_home($1_evolution_t)
+		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
+		userdom_dontaudit_list_user_untrusted_content($1,$1_evolution_t)
+		userdom_dontaudit_read_user_untrusted_content_files($1,$1_evolution_t)
+		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_evolution_t)
+		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_evolution_t)
+	')
+
+	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
+		files_search_home($1_evolution_t)
+	
+		fs_search_auto_mountpoints($1_evolution_t)
+		fs_manage_nfs_dirs($1_evolution_t)
+		fs_manage_nfs_files($1_evolution_t)
+		fs_manage_nfs_symlinks($1_evolution_t)
+	',`
+		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
+		fs_dontaudit_manage_nfs_dirs($1_evolution_t)
+		fs_dontaudit_manage_nfs_files($1_evolution_t)
+	')
+
+	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
+		files_search_home($1_evolution_t)
+	
+		fs_search_auto_mountpoints($1_evolution_t)
+		fs_manage_cifs_dirs($1_evolution_t)
+		fs_manage_cifs_files($1_evolution_t)
+		fs_manage_cifs_symlinks($1_evolution_t)
+	',`
+		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
+		fs_dontaudit_manage_cifs_dirs($1_evolution_t)
+		fs_dontaudit_manage_cifs_files($1_evolution_t)
+	')
+
+	tunable_policy(`write_untrusted_content',`
+		files_search_home($1_evolution_t)
+	
+		userdom_manage_user_untrusted_content_files($1,$1_evolution_t,{ dir file })
+	',`
+		files_dontaudit_list_home($1_evolution_t)
+		files_dontaudit_list_tmp($1_evolution_t)
+	
+		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
+		#userdom_dontaudit_manage_user_tmp($1,$1_evolution_t)
+		#userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t)
+		#userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
+	')
+
+	optional_policy(`
+		automount_read_state($1_evolution_t)
+	')
+
+	# Allow printing the mail
+	optional_policy(`
+		cups_read_rw_config($1_evolution_t)
+	')
+
+	optional_policy(`
+		dbus_system_bus_client_template($1_evolution,$1_evolution_t)
+		dbus_send_system_bus($1_evolution_t)
+		dbus_user_bus_client_template($1,$1_evolution,$1_evolution_t)
+		dbus_send_user_bus($1,$1_evolution_t)
+	')
+
+	# Encrypt mail
+	optional_policy(`
+		gpg_domtrans_user_gpg($1,$1_evolution_t)
+		gpg_signal_user_gpg($1,$1_evolution_t)
+	')
+
+	optional_policy(`
+		lpd_domtrans_user_lpr($1,$1_evolution_t)
+	')
+
+	# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
+	optional_policy(`
+		nis_use_ypbind($1_evolution_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_evolution_exchange_t)
+	')
+
+	### Junk mail filtering (start spamd)
+	optional_policy(`
+		spamassassin_exec_spamd($1_evolution_t)
+		spamassassin_domtrans_user_client($1,$1_evolution_t)
+		spamassassin_domtrans_user_local_client($1,$1_evolution_t)
+		# Allow evolution to signal the daemon
+		# FIXME: Now evolution can read spamd temp files
+		spamassassin_read_spamd_tmp_files($1_evolution_t)
+		spamassassin_signal_spamd($1_evolution_t)
+		spamassassin_dontaudit_getattr_spamd_tmp_sockets($1_evolution_t)
+	')
+
+	ifdef(`TODO',`
+
+		#dbus connect to
+		allow $1_evolution_t $1_dbusd_t:unix_stream_socket connectto;
+
+		# Gnome common stuff
+		gnome_application($1_evolution, $1)
+
+		#TODO gnome stuff
+		# Store passwords in .gnome2_private
+		# Type for storing secret data
+		# (different from home, not directly accessible from ROLE_t)
+		type $1_evolutioin_secret_t;
+		userdom_user_home_content($1,$1_evolutioin_secret_t)
+	
+		# Put secret files in .gnome2_private
+		allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
+		allow $1_evolution_t $1_evolutioin_secret_t:file create_file_perms;
+		type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
+	
+		allow $2 $1_evolution_secret_t:file unlink;
+
+		ifdef(`TODO',`
+			gnome_file_dialog($1_evolution, $1)
+		')
+		# Start links in web browser
+		ifdef(`mozilla', `
+			corecmd_exec_shell($1_evolution_t)
+			domain_auto_trans($1_evolution_t, mozilla_exec_t, $1_mozilla_t)
+		')
+
+	')
+
+	########################################
+	#
+	# Evolution alarm local policy
+	#
+
+	allow $1_evolution_alarm_t self:fifo_file { read write };
+
+	allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
+	allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
+
+	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:dir rw_dir_perms;
+	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:file manage_file_perms;
+	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_file_perms;
+	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $1_evolution_alarm_t $1_evolution_exchange_t:unix_stream_socket connectto;
+	allow $1_evolution_alarm_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
+
+	# Access evolution home
+	allow $1_evolution_alarm_t $1_evolution_home_t:dir manage_dir_perms;
+	allow $1_evolution_alarm_t $1_evolution_home_t:file manage_file_perms;
+	allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file create_lnk_perms;
+
+	allow $1_evolution_alarm_t $1_evolution_server_t:unix_stream_socket connectto;
+	allow $1_evolution_alarm_t $1_evolution_server_orbit_tmp_t:sock_file write;
+
+	domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
+	allow $1_evolution_alarm_t $2:fd use;
+
+	fs_search_auto_mountpoints($1_evolution_alarm_t)
+	
+	miscfiles_read_localization($1_evolution_alarm_t)
+
+	# Access evolution home
+	userdom_search_user_home_dirs($1,$1_evolution_alarm_t)
+	# FIXME: suppress access to .local/.icons/.themes until properly implemented
+	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+	# until properly implemented
+	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_alarm_t)
+
+	xserver_user_client_template($1,$1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t)
+
+	# Access evolution home
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_evolution_alarm_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_evolution_alarm_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_evolution_alarm_t)
+	')
+
+	ifdef(`TODO',`
+		# Gnome common stuff
+		gnome_application($1_evolution_alarm,$1)
+	')
+
+	########################################
+	#
+	# Evolution exchange connector local policy
+	#
+
+	allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
+	allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
+
+	allow $1_evolution_exchange_t $1_evolution_t:unix_stream_socket connectto;
+	allow $1_evolution_exchange_t $1_evolution_orbit_tmp_t:sock_file write;
+
+	allow $1_evolution_exchange_t $1_evolution_alarm_t:unix_stream_socket connectto;
+	allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
+
+	# Access evolution home
+	allow $1_evolution_exchange_t $1_evolution_home_t:dir create_dir_perms;
+	allow $1_evolution_exchange_t $1_evolution_home_t:file create_file_perms;
+	allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file create_lnk_perms;
+
+	allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
+	allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
+
+	# /tmp/.exchange-$USER
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir create_dir_perms;
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
+
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:file manage_file_perms;
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_file_perms;
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $1_evolution_exchange_t $2:unix_stream_socket connectto;
+	#FIXME, who should own this. I dont think this module should
+	allow $1_evolution_exchange_t $1_orbit_tmp_t:sock_file write;
+
+	# Clock applet talks to exchange (FIXME: Needs policy)
+	allow $2 $1_evolution_exchange_t:unix_stream_socket connectto;
+	allow $2 $1_evolution_exchange_orbit_tmp_t:sock_file write;
+
+	# Transition from user domain
+	domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t)
+	
+	kernel_read_network_state($1_evolution_exchange_t)
+	kernel_read_net_sysctls($1_evolution_exchange_t)
+
+	# Allow netstat
+	corecmd_exec_bin($1_evolution_exchange_t)
+
+	# Access evolution home
+	fs_search_auto_mountpoints($1_evolution_exchange_t)
+	 
+	# Access evolution home
+	userdom_search_user_home_dirs($1,$1_evolution_exchange_t)
+	# FIXME: suppress access to .local/.icons/.themes until properly implemented
+	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+	# until properly implemented
+	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_exchange_t)
+
+	xserver_user_client_template($1,$1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t)
+
+	# Access evolution home
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_evolution_exchange_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_evolution_exchange_t)
+	')
+	
+	optional_policy(`
+		nscd_socket_use($1_evolution_exchange_t)
+	')
+
+	ifdef(`TODO',`
+	# Gnome common stuff
+	gnome_application($1_evolution_exchange, $1)
+	')
+
+	########################################
+	#
+	# Evolution data server local policy
+	#
+
+	allow $1_evolution_server_t self:fifo_file { read write };
+	allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
+	# Talk to ldap (address book),
+	# Obtain weather data via http (read server name from xml file in /usr)
+	allow $1_evolution_server_t self:tcp_socket create_socket_perms;
+
+	allow $1_evolution_server_t $1_evolution_t:unix_stream_socket connectto;
+	allow $1_evolution_server_t $1_evolution_orbit_tmp_t:sock_file write;
+
+	allow $1_evolution_server_t $1_evolution_exchange_t:unix_stream_socket connectto;
+	allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
+
+	# Access evolution home
+	allow $1_evolution_server_t $1_evolution_home_t:dir create_dir_perms;
+	allow $1_evolution_server_t $1_evolution_home_t:file create_file_perms;
+	allow $1_evolution_server_t $1_evolution_home_t:lnk_file create_lnk_perms;
+
+	allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
+	allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
+
+	allow $1_evolution_server_t $2:fd use;
+
+	kernel_read_system_state($1_evolution_server_t)
+
+	corecmd_exec_shell($1_evolution_server_t)
+
+	# Obtain weather data via http (read server name from xml file in /usr)
+	corenet_non_ipsec_sendrecv($1_evolution_server_t)
+	corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
+	corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
+	corenet_tcp_sendrecv_http_port($1_evolution_server_t)
+	corenet_tcp_sendrecv_http_cache_port($1_evolution_server_t)
+	corenet_tcp_connect_http_cache_port($1_evolution_server_t)
+	corenet_tcp_connect_http_port($1_evolution_server_t)
+	corenet_sendrecv_http_client_packets($1_evolution_server_t)
+	corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
+
+	files_read_etc_files($1_evolution_server_t)
+	# Obtain weather data via http (read server name from xml file in /usr)
+	files_read_usr_files($1_evolution_server_t)
+
+	fs_search_auto_mountpoints($1_evolution_server_t)
+
+	libs_use_ld_so($1_evolution_server_t)
+	libs_use_shared_libs($1_evolution_server_t)
+
+	# Look in /etc/pki
+	miscfiles_read_certs($1_evolution_server_t)
+
+	# Talk to ldap (address book)
+	sysnet_read_config($1_evolution_server_t)
+	sysnet_dns_name_resolve($1_evolution_server_t)
+	sysnet_use_ldap($1_evolution_server_t)
+
+	# Access evolution home
+	userdom_search_user_home_dirs($1,$1_evolution_server_t)
+	# FIXME: suppress access to .local/.icons/.themes until properly implemented
+	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+	# until properly implemented
+	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t)
+
+	# Transition from user type
+	tunable_policy(`!disable_evolution_trans',`
+		domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
+	')
+
+	# Access evolution home
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_evolution_server_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_evolution_server_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_evolution_server_t)
+	')
+
+	ifdef(`TODO',`
+	# Gnome common stuff
+	gnome_application($1_evolution_server, $1)
+	')
+
+	########################################
+	#
+	# Evolution webcal local policy
+	#
+
+	allow $1_evolution_webcal_t self:tcp_socket create_socket_perms;
+	
+	# X/evolution common stuff
+	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms;
+	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms;
+	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_file_perms;
+	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	# Transition from user type
+	domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
+
+	corenet_non_ipsec_sendrecv($1_evolution_webcal_t)
+	corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
+	corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
+	corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
+	corenet_raw_sendrecv_all_nodes($1_evolution_webcal_t)
+	corenet_tcp_sendrecv_http_port($1_evolution_webcal_t)
+	corenet_tcp_sendrecv_http_cache_port($1_evolution_webcal_t)
+	corenet_tcp_connect_http_cache_port($1_evolution_webcal_t)
+	corenet_tcp_connect_http_port($1_evolution_webcal_t)
+	corenet_sendrecv_http_client_packets($1_evolution_webcal_t)
+	corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
+
+	# Networking capability - connect to website and handle ics link
+	sysnet_read_config($1_evolution_webcal_t)
+	sysnet_dns_name_resolve($1_evolution_webcal_t)
+
+	# Search home directory (?)
+	userdom_search_user_home_dirs($1,$1_evolution_webcal_t)
+	# FIXME: suppress access to .local/.icons/.themes until properly implemented
+	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+	# until properly implemented
+	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_webcal_t)
+
+	xserver_user_client_template($1,$1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t)
+
+	optional_policy(`
+		nscd_socket_use($1_evolution_webcal_t)
+	')
+
+	ifdef(`TODO',`
+	# Gnome common stuff
+	gnome_application($1_evolution_webcal, $1)
+	')
+')
+
+########################################
+## <summary>
+##	Create objects in users evolution home folders.
+## </summary>
+## <desc>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.  If
+##	no class is specified, dir will be used.
+##	</summary>
+## </param>
+#
+template(`evolution_home_filetrans',`
+	gen_require(`
+		type $1_evolution_home_t;
+	')
+
+	allow $2 $1_evolution_home_t:dir rw_dir_perms;
+	type_transition $2 $1_evolution_home_t:$4 $3;
+')
+
+########################################
+## <summary>
+##	Connect to user evolution unix stream socket.
+## </summary>
+## <desc>
+##	<p>
+##	Connect to user evolution unix stream socket.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`evolution_stream_connect',`
+	gen_require(`
+		type $1_evolution_t, $1_evolution_home_t;
+	')
+
+	allow $2 $1_evolution_t:unix_stream_socket connectto;
+	allow $2 $1_evolution_home_t:dir search;
+')
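Review bot: `tunable_policy(`!disable_evolution_trans',` wraps only the `domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)` rule, while the transitions into $1_evolution_t, $1_evolution_alarm_t, $1_evolution_exchange_t and $1_evolution_webcal_t are unconditional, so enabling the tunable switches off just one of the five derived domains; either gate all five transitions the same way or add a comment explaining why only the data server is switchable. The tunable is not declared in the evolution.te hunk of this commit, so it presumably lives in a global tunables file — worth confirming it exists. `allow $2 $1_evolution_t:process noatsecure;` suppresses AT_SECURE on the user-to-evolution transition, so the libc secure-mode environment sanitising is skipped for the new process; a comment such as `# user starts its own mail client; skip AT_SECURE so the user environment survives the transition` would record that this is intended rather than accidental. Finally, `allow $1_evolution_t $2:dir search;` and `allow $1_evolution_t $2:file read;` each appear twice in the evolution local policy block, and the second pair can be dropped.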
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
new file mode 100644
index 0000000..727b694
--- /dev/null
+++ b/policy/modules/apps/evolution.te
@@ -0,0 +1,22 @@
+
+policy_module(evolution,1.0.3)
+
+########################################
+#
+# Declarations
+#
+
+type evolution_exec_t;
+corecmd_executable_file(evolution_exec_t)
+
+type evolution_alarm_exec_t;
+corecmd_executable_file(evolution_alarm_exec_t)
+
+type evolution_exchange_exec_t;
+corecmd_executable_file(evolution_exchange_exec_t)
+
+type evolution_server_exec_t;
+corecmd_executable_file(evolution_server_exec_t)
+
+type evolution_webcal_exec_t;
+corecmd_executable_file(evolution_webcal_exec_t)
diff --git a/policy/modules/apps/games.fc b/policy/modules/apps/games.fc
new file mode 100644
index 0000000..e35e2b5
--- /dev/null
+++ b/policy/modules/apps/games.fc
@@ -0,0 +1,67 @@
+#
+# /usr
+#
+/usr/lib/games(/.*)? 		gen_context(system_u:object_r:games_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/games(/.*)? 		gen_context(system_u:object_r:games_data_t,s0)
+
+ifdef(`distro_debian', `
+/usr/games/.*		--	gen_context(system_u:object_r:games_exec_t,s0)
+/var/games(/.*)?		gen_context(system_u:object_r:games_data_t,s0)
+', `
+/usr/bin/micq		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/blackjack	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gataxx		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/glines		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnect		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnibbles	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnobots2	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnome-stones	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnomine	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotravex	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotski	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gtali		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/iagno		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/mahjongg	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/same-gnome	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/sol		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/atlantik	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kasteroids	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/katomic	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbackgammon	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbattleship	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kblackbox	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbounce	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kenolaba	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kfouleggs	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kgoldrunner	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kjumpingcube	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klickety	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klines		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmahjongg	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmines		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kolf		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/konquest	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpat		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpoker		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kreversi	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksame		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kshisen	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksirtet	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksmiletris	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksnake		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksokoban	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kspaceduel	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktron		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktuberling	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4proc	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskat		--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskatproc	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/Maelstrom	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civclient.*	--	gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civserver.*	--	gen_context(system_u:object_r:games_exec_t,s0)
+')dnl end non-Debian section
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
new file mode 100644
index 0000000..6270276
--- /dev/null
+++ b/policy/modules/apps/games.if
@@ -0,0 +1,174 @@
+## <summary>Games</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the games module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for games.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`games_per_userdomain_template',`
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_games_t;
+	domain_type($1_games_t)
+	domain_entry_file($1_games_t,games_exec_t)
+	role $3 types $1_games_t;
+
+	type $1_games_devpts_t;
+	term_pty($1_games_devpts_t)
+
+	type $1_games_tmpfs_t;
+	files_tmpfs_file($1_games_tmpfs_t)
+
+	type $1_games_tmp_t;
+	files_tmp_file($1_games_tmp_t)
+	
+	########################################
+	#
+	# Local policy
+	#
+
+	allow $1_games_t self:sem create_sem_perms;
+	allow $1_games_t self:tcp_socket create_stream_socket_perms;
+	allow $1_games_t self:udp_socket create_socket_perms;
+	allow $1_games_t self:tcp_socket { connectto sendto recvfrom };
+	allow $1_games_t self:tcp_socket { acceptfrom recvfrom };
+
+	allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
+	allow $1_games_t $1_games_tmpfs_t:file manage_file_perms;
+	allow $1_games_t $1_games_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_games_t $1_games_tmpfs_t:sock_file manage_file_perms;
+	allow $1_games_t $1_games_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $1_games_t $1_games_tmp_t:dir manage_dir_perms;
+	allow $1_games_t $1_games_tmp_t:file manage_file_perms;
+	files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
+
+	allow $1_games_t $1_games_devpts_t:chr_file { rw_file_perms setattr };
+	term_create_pty($1_games_t,$1_games_devpts_t)
+
+	allow $1_games_t games_data_t:dir rw_dir_perms;
+	allow $1_games_t games_data_t:file manage_file_perms;
+	allow $1_games_t games_data_t:lnk_file create_lnk_perms;
+
+	can_exec($1_games_t, games_exec_t)
+
+	allow $2 $1_games_t:unix_stream_socket connectto;
+	allow $1_games_t $2:unix_stream_socket connectto;
+
+	kernel_tcp_recvfrom($1_games_t)
+	kernel_tcp_recvfrom($1_games_t)
+	kernel_read_system_state($1_games_t)
+
+	corecmd_exec_bin($1_games_t)
+	corecmd_exec_sbin($1_games_t)
+
+	corenet_non_ipsec_sendrecv($1_games_t)
+	corenet_tcp_sendrecv_generic_if($1_games_t)
+	corenet_udp_sendrecv_generic_if($1_games_t)
+	corenet_tcp_sendrecv_all_nodes($1_games_t)
+	corenet_udp_sendrecv_all_nodes($1_games_t)
+	corenet_tcp_sendrecv_all_ports($1_games_t)
+	corenet_udp_sendrecv_all_ports($1_games_t)
+	corenet_tcp_bind_all_nodes($1_games_t)
+	corenet_tcp_bind_generic_port($1_games_t)
+	corenet_tcp_connect_generic_port($1_games_t)
+	corenet_sendrecv_generic_client_packets($1_games_t)
+	corenet_sendrecv_generic_server_packets($1_games_t)
+
+	dev_read_sound($1_games_t)
+	dev_write_sound($1_games_t)
+	dev_read_input($1_games_t)
+	dev_read_mouse($1_games_t)
+	dev_read_urand($1_games_t)
+
+	files_list_var($1_games_t)
+	files_search_var_lib($1_games_t)
+	files_dontaudit_search_var($1_games_t)
+	files_read_etc_files($1_games_t)
+	files_read_usr_files($1_games_t)
+	files_read_var_files($1_games_t)
+
+	init_dontaudit_rw_utmp($1_games_t)
+
+	logging_dontaudit_search_logs($1_games_t)
+
+	libs_use_shared_libs($1_games_t)
+	libs_use_ld_so($1_games_t)
+
+	miscfiles_read_man_pages($1_games_t)
+	miscfiles_read_localization($1_games_t)
+
+	sysnet_read_config($1_games_t)
+
+	userdom_manage_user_tmp_dirs($1,$1_games_t)
+	userdom_manage_user_tmp_files($1,$1_games_t)
+	userdom_manage_user_tmp_symlinks($1,$1_games_t)
+	userdom_manage_user_tmp_sockets($1,$1_games_t)
+	# Suppress .icons denial until properly implemented
+	userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
+	
+	# Type transition
+	tunable_policy(`!disable_games_trans',`
+		domain_auto_trans($2, games_exec_t, $1_games_t)
+	')
+
+	tunable_policy(`allow_execmem',`
+		allow $1_games_t self:process execmem;
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_games_t)
+	')
+
+	optional_policy(`
+		xserver_user_client_template($1,$1_games_t,$1_games_tmpfs_t)
+		xserver_create_xdm_tmp_sockets($1_games_t)
+		xserver_read_xdm_lib_files($1_games_t)
+	')
+
+	ifdef(`TODO',`
+		gnome_application($1_games, $1)
+		gnome_file_dialog($1_games, $1)
+		# Access /home/user/.gnome2
+		# FIXME: Change to use per app types
+		allow $1_games_t $1_gnome_settings_t:dir create_dir_perms;
+		allow $1_games_t $1_gnome_settings_t:file create_file_perms;
+		allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
+		#missing policy
+		optional_policy(`
+			dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
+		')
+	')
+')
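Review bot: In games_per_userdomain_template the call `kernel_tcp_recvfrom($1_games_t)` appears twice on consecutive lines; the second is redundant and should be dropped. The `self:tcp_socket` permissions for `$1_games_t` are spread over three `allow` rules (`create_stream_socket_perms`, `{ connectto sendto recvfrom }`, `{ acceptfrom recvfrom }`); at least the last two could be folded into `allow $1_games_t self:tcp_socket { connectto sendto recvfrom acceptfrom };` so the socket rights this domain holds are visible in one place. Two lines in the body (after `files_tmp_file($1_games_tmp_t)` and after the `.icons` dontaudit) contain only a tab. The domain is also granted send/receive on all TCP and UDP ports plus `corenet_tcp_bind_all_nodes`; if networked games use a bounded set of ports, narrowing these would limit what a compromised game process can reach, and a short comment stating why all-ports access is needed would help the next reviewer either way.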
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
new file mode 100644
index 0000000..e0b6974
--- /dev/null
+++ b/policy/modules/apps/games.te
@@ -0,0 +1,77 @@
+
+policy_module(games,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type games_data_t;
+files_type(games_data_t)
+
+# games_t is for system operation of games, generic games daemons and
+# games recovery scripts
+type games_t;
+type games_exec_t;
+init_system_domain(games_t,games_exec_t)
+
+type games_var_run_t;
+files_pid_file(games_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit games_t self:capability sys_tty_config;
+allow games_t self:process signal_perms;
+
+allow games_t games_data_t:dir rw_dir_perms;
+allow games_t games_data_t:file manage_file_perms;
+allow games_t games_data_t:lnk_file create_lnk_perms;
+
+allow games_t games_var_run_t:file manage_file_perms;
+allow games_t games_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(games_t,games_var_run_t,file)
+
+can_exec(games_t,games_exec_t)
+
+kernel_read_kernel_sysctls(games_t)
+kernel_list_proc(games_t)
+kernel_read_proc_symlinks(games_t)
+
+dev_read_sysfs(games_t)
+
+fs_getattr_all_fs(games_t)
+fs_search_auto_mountpoints(games_t)
+
+term_dontaudit_use_console(games_t)
+
+domain_use_interactive_fds(games_t)
+
+init_use_fds(games_t)
+init_use_script_ptys(games_t)
+
+libs_use_ld_so(games_t)
+libs_use_shared_libs(games_t)
+
+logging_send_syslog_msg(games_t)
+
+miscfiles_read_localization(games_t)
+
+userdom_dontaudit_use_unpriv_user_fds(games_t)
+userdom_dontaudit_search_sysadm_home_dirs(games_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(games_t)
+	term_dontaudit_use_generic_ptys(games_t)
+	files_dontaudit_read_root_files(games_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(games_t)
+')
+
+optional_policy(`
+	udev_read_db(games_t)
+')
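Review bot: `games_data_t` is fully managed both by the init-started system domain `games_t` here (`allow games_t games_data_t:file manage_file_perms`) and by every per-user `$1_games_t` derived domain in games.if, so an unprivileged user session can rewrite files that a system process later reads. That may be intended for score and save files, but the declaration should say so, e.g. `# shared writable with per-user $1_games_t domains (games.if); contents are user-controlled`. Anything in the system games daemon that parses those files then has to be treated as consuming untrusted input, which is worth stating where the type is declared rather than leaving it implicit.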
diff --git a/policy/modules/apps/gift.fc b/policy/modules/apps/gift.fc
new file mode 100644
index 0000000..09d6a60
--- /dev/null
+++ b/policy/modules/apps/gift.fc
@@ -0,0 +1,8 @@
+/usr/(local/)?bin/apollon	-- 	gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/(local/)?bin/giftd		--	gen_context(system_u:object_r:giftd_exec_t,s0)
+/usr/(local/)?bin/giftui	-- 	gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/(local/)?bin/giFToxic	--	gen_context(system_u:object_r:gift_exec_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.giFT(/.*)?			gen_context(system_u:object_r:ROLE_gift_home_t,s0)
+')
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
new file mode 100644
index 0000000..8ddc30c
--- /dev/null
+++ b/policy/modules/apps/gift.if
@@ -0,0 +1,205 @@
+## <summary>giFT peer to peer file sharing tool</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the gift module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for gift client sessions and gift daemons.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`gift_per_userdomain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type $1_gift_t;
+	domain_type($1_gift_t)
+	domain_entry_file($1_gift_t,gift_exec_t)
+	role $3 types $1_gift_t;
+
+	type $1_gift_home_t alias $1_gift_rw_t;
+	files_poly_member($1_gift_home_t)
+	userdom_user_home_content($1,$1_gift_home_t)
+
+	type $1_gift_tmpfs_t;
+	files_tmpfs_file($1_gift_tmpfs_t)
+
+	type $1_giftd_t;
+	domain_type($1_giftd_t)
+	domain_entry_file($1_giftd_t,giftd_exec_t)
+	role $3 types $1_giftd_t;
+
+	##############################
+	#
+	# giFT user interface local policy
+	#
+
+	allow $1_gift_t self:tcp_socket create_socket_perms;
+
+	allow $1_gift_t $1_gift_tmpfs_t:dir rw_dir_perms;
+	allow $1_gift_t $1_gift_tmpfs_t:file manage_file_perms;
+	allow $1_gift_t $1_gift_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_gift_t $1_gift_tmpfs_t:sock_file manage_file_perms;
+	allow $1_gift_t $1_gift_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $1_gift_t $1_gift_home_t:dir manage_dir_perms;
+	allow $1_gift_t $1_gift_home_t:file manage_file_perms;
+	allow $1_gift_t $1_gift_home_t:lnk_file create_lnk_perms;
+	userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir)
+
+	# Launch gift daemon
+	domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
+	allow $1_giftd_t $1_gift_t:fd use;
+	allow $1_giftd_t $1_gift_t:fifo_file rw_file_perms;
+	allow $1_giftd_t $1_gift_t:process sigchld;
+
+	# transition from user domain
+	domain_auto_trans($2, gift_exec_t, $1_gift_t)
+	allow $1_gift_t $2:fd use;
+	allow $1_gift_t $2:fifo_file rw_file_perms;
+	allow $1_gift_t $2:process sigchld;
+
+	# user managed content
+	allow $2 $1_gift_home_t:dir manage_dir_perms;
+	allow $2 $1_gift_home_t:file manage_file_perms;
+	allow $2 $1_gift_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_gift_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+	# Allow the user domain to signal/ps.
+	allow $2 $1_gift_t:dir { search getattr read };
+	allow $2 $1_gift_t:{ file lnk_file } { read getattr };
+	allow $2 $1_gift_t:process { getattr signal_perms };
+
+	# Read /proc/meminfo
+	kernel_read_system_state($1_giftd_t)
+
+	# Connect to gift daemon
+	corenet_non_ipsec_sendrecv($1_gift_t)
+	corenet_tcp_sendrecv_generic_if($1_gift_t)
+	corenet_tcp_sendrecv_all_nodes($1_gift_t)
+	corenet_tcp_sendrecv_giftd_port($1_gift_t)
+	corenet_tcp_connect_giftd_port($1_gift_t)
+	corenet_sendrecv_giftd_client_packets($1_gift_t)
+
+	fs_search_auto_mountpoints($1_gift_t)
+
+	sysnet_read_config($1_gift_t)
+
+	# giftui looks in .icons, .themes.
+	userdom_dontaudit_read_user_home_content_files($1,$1_gift_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_gift_t)
+		fs_manage_nfs_files($1_gift_t)
+		fs_manage_nfs_symlinks($1_gift_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_gift_t)
+		fs_manage_cifs_files($1_gift_t)
+		fs_manage_cifs_symlinks($1_gift_t)
+	')
+
+#	optional_policy(`
+#		gnome_user_application($1,$1_gift,$1_gift_t)
+#	')
+
+	optional_policy(`
+		nscd_socket_use($1_gift_t)
+	')
+
+	optional_policy(`
+		xserver_user_client_template($1,$1_gift_t,$1_gift_tmpfs_t)
+	')
+
+	##############################
+	#
+	# giFT server local policy
+	#
+
+	allow $1_giftd_t self:process { signal setsched };
+	allow $1_giftd_t self:unix_stream_socket create_socket_perms;
+	allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
+	allow $1_giftd_t self:udp_socket create_socket_perms;
+
+	allow $1_giftd_t $1_gift_home_t:dir manage_dir_perms;
+	allow $1_giftd_t $1_gift_home_t:file manage_file_perms;
+	allow $1_giftd_t $1_gift_home_t:lnk_file create_lnk_perms;
+	userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir)
+
+	domain_auto_trans($2, giftd_exec_t, $1_giftd_t)
+	allow $1_giftd_t $2:fd use;
+	allow $1_giftd_t $2:fifo_file rw_file_perms;
+	allow $1_giftd_t $2:process sigchld;
+
+	kernel_read_system_state($1_giftd_t)
+	kernel_read_kernel_sysctls($1_giftd_t)
+
+	# Serve content on various p2p networks. Ports can be random.
+	corenet_non_ipsec_sendrecv($1_giftd_t)
+	corenet_tcp_sendrecv_generic_if($1_giftd_t)
+	corenet_udp_sendrecv_generic_if($1_giftd_t)
+	corenet_tcp_sendrecv_all_nodes($1_giftd_t)
+	corenet_udp_sendrecv_all_nodes($1_giftd_t)
+	corenet_tcp_sendrecv_all_ports($1_giftd_t)
+	corenet_udp_sendrecv_all_ports($1_giftd_t)
+	corenet_tcp_bind_all_nodes($1_giftd_t)
+	corenet_udp_bind_all_nodes($1_giftd_t)
+	corenet_tcp_bind_all_ports($1_giftd_t)
+	corenet_udp_bind_all_ports($1_giftd_t)
+	corenet_tcp_connect_all_ports($1_giftd_t)
+	corenet_sendrecv_all_client_packets($1_giftd_t)
+
+	files_read_usr_files($1_giftd_t)
+	# Read /etc/mtab
+	files_read_etc_runtime_files($1_giftd_t)
+
+	libs_use_ld_so($1_giftd_t)
+	libs_use_shared_libs($1_giftd_t)
+
+	miscfiles_read_localization($1_giftd_t)
+
+	sysnet_read_config($1_giftd_t)
+
+	userdom_use_user_terminals($1,$1_giftd_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_giftd_t)
+		fs_manage_nfs_files($1_giftd_t)
+		fs_manage_nfs_symlinks($1_giftd_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_giftd_t)
+		fs_manage_cifs_files($1_giftd_t)
+		fs_manage_cifs_symlinks($1_giftd_t)
+	')
+')
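Review bot: In gift_per_userdomain_template the `kernel_read_system_state($1_giftd_t)` call under the `# Read /proc/meminfo` comment sits in the "giFT user interface local policy" section yet targets the daemon type, and the identical call is repeated in the "giFT server local policy" section; either the first occurrence should be `kernel_read_system_state($1_gift_t)` if the UI actually needs /proc access, or it should be removed as a duplicate. The server section also grants `corenet_tcp_bind_all_ports`, `corenet_udp_bind_all_ports` and `corenet_tcp_connect_all_ports` to a user-launched daemon; the comment says ports can be random, but a user process rarely needs to bind reserved port types, so using the unreserved-port interfaces where this policy version provides them would keep a compromised giftd from occupying well-known service ports. The commented-out gnome `optional_policy` block is written with `#` at column 0 inside the template body, unlike every other line of the template.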
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
new file mode 100644
index 0000000..55e3bca
--- /dev/null
+++ b/policy/modules/apps/gift.te
@@ -0,0 +1,13 @@
+
+policy_module(gift,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gift_exec_t;
+corecmd_executable_file(gift_exec_t)
+
+type giftd_exec_t;
+corecmd_executable_file(giftd_exec_t)
diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
new file mode 100644
index 0000000..78f8a10
--- /dev/null
+++ b/policy/modules/apps/gpg.fc
@@ -0,0 +1,12 @@
+
+/usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+/usr/bin/kgpg		--	gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/pinentry.*	--	gen_context(system_u:object_r:pinentry_exec_t,s0)
+
+/usr/lib/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+ifdef(`targeted_policy',`',`
+HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
+')
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
new file mode 100644
index 0000000..9d49603
--- /dev/null
+++ b/policy/modules/apps/gpg.if
@@ -0,0 +1,404 @@
+## <summary>Policy for GNU Privacy Guard and related programs.</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the gpg module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates the types and rules for GPG,
+##	GPG-agent, and GPG helper programs.  This protects
+##	the user keys and secrets, and runs the programs
+##	in domains specific to the user type.
+##	</p>
+##	<p>
+##	This is invoked automatically for each user and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="userdomain">
+##	<summary>
+##	The user domain.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role associated with the user.
+##	</summary>
+## </param>
+#
+template(`gpg_per_userdomain_template',`
+	gen_require(`
+		type gpg_exec_t, gpg_helper_exec_t;
+		type gpg_agent_exec_t, pinentry_exec_t;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_gpg_t;
+	domain_type($1_gpg_t)
+	domain_entry_file($1_gpg_t,gpg_exec_t)
+	role $3 types $1_gpg_t;
+
+	type $1_gpg_agent_t;
+	domain_type($1_gpg_agent_t)
+	domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t)
+	role $3 types $1_gpg_agent_t;
+
+	type $1_gpg_agent_tmp_t;
+	files_tmp_file($1_gpg_agent_tmp_t)
+
+	type $1_gpg_secret_t;
+	userdom_user_home_content($1,$1_gpg_secret_t)
+
+	type $1_gpg_helper_t;
+	domain_type($1_gpg_helper_t)
+	domain_entry_file($1_gpg_helper_t,gpg_helper_exec_t)
+	role $3 types $1_gpg_helper_t;
+
+	type $1_gpg_pinentry_t;
+	domain_type($1_gpg_pinentry_t)
+	domain_entry_file($1_gpg_pinentry_t,pinentry_exec_t)
+	role $3 types $1_gpg_pinentry_t;
+
+	########################################
+	#
+	# GPG local policy
+	#
+
+	allow $1_gpg_t self:capability { ipc_lock setuid };
+	allow { $2 $1_gpg_t } $1_gpg_t:process signal;
+	# setrlimit is for ulimit -c 0
+	allow $1_gpg_t self:process { setrlimit setcap setpgid };
+
+	allow $1_gpg_t self:fifo_file rw_file_perms;
+	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
+
+	allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
+	allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
+	allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+
+	# transition from the userdomain to the derived domain
+	domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
+	allow $1_gpg_t $2:fd use;
+	allow $1_gpg_t $2:fifo_file rw_file_perms;
+	allow $1_gpg_t $2:process sigchld;
+
+	# allow ps to show gpg
+	allow $2 $1_gpg_t:dir { search getattr read };
+	allow $2 $1_gpg_t:{ file lnk_file } { read getattr };
+	allow $2 $1_gpg_t:process getattr;
+
+	corenet_non_ipsec_sendrecv($1_gpg_t)
+	corenet_tcp_sendrecv_all_if($1_gpg_t)
+	corenet_udp_sendrecv_all_if($1_gpg_t)
+	corenet_tcp_sendrecv_all_nodes($1_gpg_t)
+	corenet_udp_sendrecv_all_nodes($1_gpg_t)
+	corenet_tcp_sendrecv_all_ports($1_gpg_t)
+	corenet_udp_sendrecv_all_ports($1_gpg_t)
+	corenet_tcp_connect_all_ports($1_gpg_t)
+	corenet_sendrecv_all_client_packets($1_gpg_t)
+
+	dev_read_rand($1_gpg_t)
+	dev_read_urand($1_gpg_t)
+
+	fs_getattr_xattr_fs($1_gpg_t)
+
+	domain_use_interactive_fds($1_gpg_t)
+
+	files_read_etc_files($1_gpg_t)
+	files_read_usr_files($1_gpg_t)
+	files_dontaudit_search_var($1_gpg_t)
+
+	libs_use_shared_libs($1_gpg_t)
+	libs_use_ld_so($1_gpg_t)
+
+	miscfiles_read_localization($1_gpg_t)
+
+	logging_send_syslog_msg($1_gpg_t)
+
+	sysnet_read_config($1_gpg_t)
+
+	userdom_use_user_terminals($1,$1_gpg_t)
+
+	optional_policy(`
+		nis_use_ypbind($1_gpg_t)
+	')
+
+	ifdef(`TODO',`
+	# Read content to encrypt/decrypt/sign
+	read_content($1_gpg_t, $1)
+
+	# Write content to encrypt/decrypt/sign
+	write_trusted($1_gpg_t, $1)
+	') dnl end TODO
+
+	########################################
+	#
+	# GPG helper local policy
+	#
+
+	# for helper programs (which automatically fetch keys)
+	# Note: this is only tested with the hkp interface. If you use eg the 
+	# mail interface you will likely need additional permissions.
+
+	# communicate with the user 
+	allow $1_gpg_helper_t $2:fd use;
+	allow $1_gpg_helper_t $2:fifo_file write;
+
+	# transition from the gpg domain to the helper domain
+	domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
+	allow $1_gpg_helper_t $1_gpg_t:fd use;
+	allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
+	allow $1_gpg_helper_t $1_gpg_t:process sigchld;
+
+	allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+	allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+	allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
+	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+
+	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
+	corenet_raw_sendrecv_all_if($1_gpg_helper_t)
+	corenet_udp_sendrecv_all_if($1_gpg_helper_t)
+	corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
+	corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
+	corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
+	corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
+	corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
+	corenet_non_ipsec_sendrecv($1_gpg_helper_t)
+	corenet_tcp_bind_all_nodes($1_gpg_helper_t)
+	corenet_udp_bind_all_nodes($1_gpg_helper_t)
+	corenet_tcp_connect_all_ports($1_gpg_helper_t)
+
+	dev_read_urand($1_gpg_helper_t)
+
+	files_read_etc_files($1_gpg_helper_t)
+	# for nscd
+	files_dontaudit_search_var($1_gpg_helper_t)
+
+	libs_use_ld_so($1_gpg_helper_t)
+	libs_use_shared_libs($1_gpg_helper_t)
+
+	sysnet_read_config($1_gpg_helper_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
+	')
+
+	optional_policy(`
+		xserver_use_xdm_fds($1_gpg_t)
+		xserver_rw_xdm_pipes($1_gpg_t)
+	')
+
+	########################################
+	#
+	# GPG agent local policy
+	#
+
+	# rlimit: gpg-agent wants to prevent coredumps
+	allow $1_gpg_agent_t self:process setrlimit;
+
+	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+	allow $1_gpg_agent_t self:fifo_file rw_file_perms;
+
+	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+	allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms;
+	allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms;
+	allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+
+	# allow gpg to connect to the gpg agent
+	allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
+	allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
+	allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
+
+	# allow ps to show gpg-agent
+	allow $2 $1_gpg_agent_t:dir { search getattr read };
+	allow $2 $1_gpg_agent_t:{ file lnk_file } { read getattr };
+	allow $2 $1_gpg_agent_t:process getattr;
+
+	# Allow the user shell to signal the gpg-agent program.
+	allow $2 $1_gpg_agent_t:process { signal sigkill };
+
+	allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms;
+	allow $2 $1_gpg_agent_tmp_t:file create_file_perms;
+	allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
+	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
+
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t)
+	allow $1_gpg_agent_t $2:fd use;
+	allow $1_gpg_agent_t $2:fifo_file rw_file_perms;
+	allow $1_gpg_agent_t $2:process sigchld;
+
+	corecmd_search_bin($1_gpg_agent_t)
+
+	domain_use_interactive_fds($1_gpg_agent_t)
+
+	libs_use_ld_so($1_gpg_agent_t)
+	libs_use_shared_libs($1_gpg_agent_t)
+
+	miscfiles_read_localization($1_gpg_agent_t)
+
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_gpg_agent_t)
+	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+	userdom_search_user_home_dirs($1,$1_gpg_agent_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_gpg_agent_t)
+		fs_manage_nfs_files($1_gpg_agent_t)
+		fs_manage_nfs_symlinks($1_gpg_agent_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_gpg_agent_t)
+		fs_manage_cifs_files($1_gpg_agent_t)
+		fs_manage_cifs_symlinks($1_gpg_agent_t)
+	')
+
+	##############################
+	#
+	# Pinentry local policy
+	#
+
+	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
+	# from the user.
+	domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
+	allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
+	allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
+	allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
+
+	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+	allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;
+
+	# read /proc/meminfo
+	kernel_read_system_state($1_gpg_pinentry_t)
+
+	files_read_usr_files($1_gpg_pinentry_t)
+	# read /etc/X11/qtrc
+	files_read_etc_files($1_gpg_pinentry_t)
+
+	libs_use_ld_so($1_gpg_pinentry_t)
+	libs_use_shared_libs($1_gpg_pinentry_t)
+
+	miscfiles_read_fonts($1_gpg_pinentry_t)
+	miscfiles_read_localization($1_gpg_pinentry_t)
+
+	# for .Xauthority
+	userdom_read_user_home_content_files($1,$1_gpg_pinentry_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_read_nfs_files($1_gpg_pinentry_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_read_cifs_files($1_gpg_pinentry_t)
+	')
+
+	optional_policy(`
+		xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
+	')
+
+	ifdef(`TODO',`
+	allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
+
+	# wants to put some lock files into the user home dir, seems to work fine without
+	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
+	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
+
+	tunable_policy(`use_nfs_home_dirs',`
+		dontaudit $1_gpg_pinentry_t nfs_t:dir write;
+		dontaudit $1_gpg_pinentry_t nfs_t:file write;
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		dontaudit $1_gpg_pinentry_t cifs_t:dir write;
+		dontaudit $1_gpg_pinentry_t cifs_t:file write;
+	')
+
+	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
+	') dnl end TODO
+')
+
+########################################
+## <summary>
+##      Transition to a user gpg domain.
+## </summary>
+## <desc>
+##      <p>
+##      Transition to a user gpg domain.
+##      </p>
+##      <p>
+##      This is a templated interface, and should only
+##      be called from a per-userdomain template.
+##      </p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`gpg_domtrans_user_gpg',`
+	gen_require(`
+		type $1_gpg_t, gpg_exec_t;
+	')
+
+	domain_auto_trans($2, gpg_exec_t, $1_gpg_t)
+	allow $2 $1_gpg_t:fd use;
+	allow $1_gpg_t $2:fd use;
+	allow $1_gpg_t $2:fifo_file rw_file_perms;
+	allow $1_gpg_t $2:process sigchld;
+')
+
+########################################
+## <summary>
+##      Send generic signals to user gpg processes.
+## </summary>
+## <desc>
+##      <p>
+##      This is a templated interface, and should only
+##      be called from a per-userdomain template.
+##      </p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`gpg_signal_user_gpg',`
+	gen_require(`
+		type $1_gpg_t;
+	')
+
+	allow $2 $1_gpg_t:process signal;
+')
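Review bot: `$1_gpg_t` in gpg_per_userdomain_template is granted `corenet_tcp_connect_all_ports`, `corenet_sendrecv_all_client_packets` and send/receive on all interfaces, nodes and ports, although the template creates `$1_gpg_helper_t` specifically for network-facing key fetching (per the "helper programs (which automatically fetch keys)" comment) and withholds secret-file reads from it; if gpg itself only talks to the helper over the pipe rules shown, the corenet rules on `$1_gpg_t` could be dropped so the domain that holds the private keys has no network reach. The `optional_policy` block containing `xserver_use_xdm_fds($1_gpg_t)` and `xserver_rw_xdm_pipes($1_gpg_t)` sits under the "GPG helper local policy" heading but targets the gpg domain, so it belongs in the GPG section above. `userdom_read_user_home_content_files($1,$1_gpg_pinentry_t)` "for .Xauthority" lets pinentry read every user home content file, and since `$1_gpg_secret_t` is registered via `userdom_user_home_content`, this presumably covers the keyring too if the interface resolves to the home-content attribute — worth confirming and, if so, narrowing to what pinentry needs. The line `allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;` has a stray space before the semicolon, and the XML doc blocks for gpg_domtrans_user_gpg and gpg_signal_user_gpg indent with spaces where the rest of the file uses tabs.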
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
new file mode 100644
index 0000000..07760d0
--- /dev/null
+++ b/policy/modules/apps/gpg.te
@@ -0,0 +1,21 @@
+
+policy_module(gpg, 1.0.4)
+
+########################################
+#
+# Declarations
+#
+
+# Type for gpg or pgp executables.
+type gpg_exec_t;
+type gpg_helper_exec_t;
+corecmd_executable_file(gpg_exec_t)
+corecmd_executable_file(gpg_helper_exec_t)
+
+# Type for the gpg-agent executable.
+type gpg_agent_exec_t;
+corecmd_executable_file(gpg_agent_exec_t)
+
+# type for the pinentry executable
+type pinentry_exec_t;
+corecmd_executable_file(pinentry_exec_t)
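Review bot: `pinentry_exec_t` is the only type in this module that drops the `gpg_` prefix used by `gpg_exec_t`, `gpg_helper_exec_t` and `gpg_agent_exec_t`, so a reader scanning type names cannot tell which module owns it. If the name is kept for compatibility, the comment above it should say so, e.g. `# Type for the pinentry executable (no gpg_ prefix: kept for compatibility).`; a rename would also have to be carried into gpg.fc and the `$1_gpg_pinentry_t` rules in gpg.if, which are only partly visible here.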
diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
new file mode 100644
index 0000000..4a2c7c7
--- /dev/null
+++ b/policy/modules/apps/irc.fc
@@ -0,0 +1,13 @@
+#
+# /home
+#
+ifdef(`strict_policy',`
+HOME_DIR/\.ircmotd	--	gen_context(system_u:object_r:ROLE_irc_home_t,s0)
+')
+
+#
+# /usr
+#
+/usr/bin/[st]irc		--	gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII		--	gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc		--	gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
new file mode 100644
index 0000000..1cd0fbf
--- /dev/null
+++ b/policy/modules/apps/irc.if
@@ -0,0 +1,173 @@
+## <summary>IRC client policy</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the irc module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for an irc client sessions.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`irc_per_userdomain_template',`
+	gen_require(`
+		type irc_exec_t;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_irc_t;
+	domain_type($1_irc_t)
+	domain_entry_file($1_irc_t,irc_exec_t)
+	role $3 types $1_irc_t;
+
+	type $1_irc_exec_t;
+	userdom_user_home_content($1,$1_irc_exec_t)
+	domain_entry_file($1_irc_t,$1_irc_exec_t)
+
+	type $1_irc_home_t;
+	userdom_user_home_content($1,$1_irc_home_t)
+
+	type $1_irc_tmp_t;
+	userdom_user_home_content($1,$1_irc_tmp_t)
+	
+	########################################
+	#
+	# Local policy
+	#
+
+	allow $1_irc_t self:dir search;
+	allow $1_irc_t self:lnk_file read;
+	allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_irc_t self:tcp_socket create_socket_perms;
+	allow $1_irc_t self:udp_socket create_socket_perms;
+
+	allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
+	allow $1_irc_t $1_irc_home_t:file create_file_perms;
+	allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
+	userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
+
+	# access files under /tmp
+	allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
+	allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
+	allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
+	allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
+	allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
+	files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
+
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($2,irc_exec_t,$1_irc_t)
+	allow $2 $1_irc_t:fd use;
+	allow $1_irc_t $2:fd use;
+	allow $1_irc_t $2:fifo_file rw_file_perms;
+	allow $1_irc_t $2:process sigchld;
+	
+	allow $2 $1_irc_t:process signal;
+
+	allow $2 $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
+
+	# allow ps to show irc
+	allow $2 $1_irc_t:dir { search getattr read };
+	allow $2 $1_irc_t:{ file lnk_file } { read getattr };
+	allow $2 $1_irc_t:process getattr;
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $2 $1_irc_t:process ptrace;
+	
+	kernel_read_proc_symlinks($1_irc_t)
+
+	corenet_non_ipsec_sendrecv($1_irc_t)
+	corenet_tcp_sendrecv_generic_if($1_irc_t)
+	corenet_udp_sendrecv_generic_if($1_irc_t)
+	corenet_tcp_sendrecv_all_nodes($1_irc_t)
+	corenet_udp_sendrecv_all_nodes($1_irc_t)
+	corenet_tcp_sendrecv_all_ports($1_irc_t)
+	corenet_udp_sendrecv_all_ports($1_irc_t)
+	corenet_sendrecv_ircd_client_packets($1_irc_t)
+	# cjp: this seems excessive:
+	corenet_tcp_connect_all_ports($1_irc_t)
+	corenet_sendrecv_all_client_packets($1_irc_t)
+
+	domain_use_interactive_fds($1_irc_t)
+
+	files_dontaudit_search_pids($1_irc_t)
+	files_search_var($1_irc_t)
+	files_read_etc_files($1_irc_t)
+	files_read_usr_files($1_irc_t)
+
+	fs_getattr_xattr_fs($1_irc_t)
+	fs_search_auto_mountpoints($1_irc_t)
+
+	term_use_controlling_term($1_irc_t)
+	term_list_ptys($1_irc_t)
+
+	# allow utmp access
+	init_read_utmp($1_irc_t)
+	init_dontaudit_lock_utmp($1_irc_t)
+
+	libs_use_ld_so($1_irc_t)
+	libs_use_shared_libs($1_irc_t)
+
+	miscfiles_read_localization($1_irc_t)
+
+	# Inherit and use descriptors from newrole.
+	seutil_use_newrole_fds($1_irc_t)
+
+	sysnet_read_config($1_irc_t)
+
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_irc_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_irc_t)
+		fs_manage_nfs_files($1_irc_t)
+		fs_manage_nfs_symlinks($1_irc_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_irc_t)
+		fs_manage_cifs_files($1_irc_t)
+		fs_manage_cifs_symlinks($1_irc_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_irc_t)
+	')
+	
+	ifdef(`TODO',`
+		optional_policy(`
+			allow $1_irc_t ircd_t:tcp_socket { connectto recvfrom };
+			allow ircd_t $1_irc_t:tcp_socket { acceptfrom recvfrom };
+			kernel_tcp_recvfrom($1_irc_t)
+			kernel_tcp_recvfrom(ircd_t)
+		')
+	')
+')
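Review bot: `$1_irc_tmp_t` is declared with `userdom_user_home_content($1,$1_irc_tmp_t)` but is then used as the /tmp type through `files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,...)` in the "access files under /tmp" block, so the type is labelled as home content while living under /tmp. The java template in this same commit declares its tmp type with `files_tmp_file($1_javaplugin_tmp_t)`; the irc declaration should presumably read `files_tmp_file($1_irc_tmp_t)`, otherwise the type likely misses the tmp-file attribute that the generic tmp interfaces key on (inferred from the helper names, not visible here). The `corenet_tcp_connect_all_ports` grant already carries the author's "seems excessive" remark; since `corenet_sendrecv_ircd_client_packets` is used next to it, a port-scoped connect interface would be the natural tightening if one exists.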
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
new file mode 100644
index 0000000..90753c0
--- /dev/null
+++ b/policy/modules/apps/irc.te
@@ -0,0 +1,10 @@
+
+policy_module(irc,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type irc_exec_t;
+corecmd_executable_file(irc_exec_t)
diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
new file mode 100644
index 0000000..918774e
--- /dev/null
+++ b/policy/modules/apps/java.fc
@@ -0,0 +1,12 @@
+#
+# /opt
+#
+/opt/(.*/)?bin/java([^/]*)? --	gen_context(system_u:object_r:java_exec_t,s0)
+
+#
+# /usr
+#
+/usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gij		--	gen_context(system_u:object_r:java_exec_t,s0)
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
new file mode 100644
index 0000000..c35bff5
--- /dev/null
+++ b/policy/modules/apps/java.if
@@ -0,0 +1,201 @@
+## <summary>Java virtual machine</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the java module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for java plugins that are executed by a browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`java_per_userdomain_template',`
+	gen_require(`
+		type java_exec_t;
+	')
+	
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_javaplugin_t;
+	domain_type($1_javaplugin_t)
+	domain_entry_file($1_javaplugin_t,java_exec_t)
+	role $3 types $1_javaplugin_t;
+	
+	type $1_javaplugin_tmp_t;
+	files_tmp_file($1_javaplugin_tmp_t)
+
+	type $1_javaplugin_tmpfs_t;
+	files_tmpfs_file($1_javaplugin_tmpfs_t)
+	
+	########################################
+	#
+	# Local policy
+	#
+
+	allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
+	allow $1_javaplugin_t self:fifo_file rw_file_perms;
+	allow $1_javaplugin_t self:tcp_socket create_socket_perms;
+	allow $1_javaplugin_t self:udp_socket create_socket_perms;
+	
+	allow $1_javaplugin_t $2:unix_stream_socket connectto;
+	allow $1_javaplugin_t $2:unix_stream_socket { read write };
+	userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
+
+	allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms;
+	allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
+
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	# cjp: rw_dir_perms here doesnt make sense
+	allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
+	allow $1_javaplugin_t $1_home_t:file rw_file_perms;
+	allow $1_javaplugin_t $1_home_t:lnk_file { getattr read };
+
+	can_exec($1_javaplugin_t, java_exec_t)
+	
+	# The user role is authorized for this domain.
+	domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
+	allow $1_javaplugin_t $2:fd use;
+	# Unrestricted inheritance from the caller.
+	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
+	allow $1_javaplugin_t $2:process signull;
+	
+	kernel_read_all_sysctls($1_javaplugin_t)
+	kernel_search_vm_sysctl($1_javaplugin_t)
+	kernel_read_network_state($1_javaplugin_t)
+	kernel_read_system_state($1_javaplugin_t)
+
+	# Search bin directory under javaplugin for javaplugin executable
+	corecmd_search_bin($1_javaplugin_t)
+
+	corenet_non_ipsec_sendrecv($1_javaplugin_t)
+	corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
+	corenet_udp_sendrecv_generic_if($1_javaplugin_t)
+	corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
+	corenet_udp_sendrecv_all_nodes($1_javaplugin_t)
+	corenet_tcp_sendrecv_all_ports($1_javaplugin_t)
+	corenet_udp_sendrecv_all_ports($1_javaplugin_t)
+	corenet_tcp_connect_all_ports($1_javaplugin_t)
+	corenet_sendrecv_all_client_packets($1_javaplugin_t)
+
+	dev_read_sound($1_javaplugin_t)
+	dev_write_sound($1_javaplugin_t)
+	dev_read_urand($1_javaplugin_t)
+	dev_read_rand($1_javaplugin_t)
+
+	files_read_etc_files($1_javaplugin_t)
+	files_read_usr_files($1_javaplugin_t)
+	files_search_home($1_javaplugin_t)
+	files_search_var_lib($1_javaplugin_t)
+	files_read_etc_runtime_files($1_javaplugin_t)
+	# Read global fonts and font config
+	files_read_etc_files($1_javaplugin_t)
+
+	fs_getattr_xattr_fs($1_javaplugin_t)
+	fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
+
+	libs_use_ld_so($1_javaplugin_t)
+	libs_use_shared_libs($1_javaplugin_t)
+
+	logging_send_syslog_msg($1_javaplugin_t)
+
+	miscfiles_read_localization($1_javaplugin_t)
+	# Read global fonts and font config
+	miscfiles_read_fonts($1_javaplugin_t)
+
+	sysnet_read_config($1_javaplugin_t)
+
+	userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
+	userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
+	userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
+	userdom_manage_user_home_content_dirs($1,$1_javaplugin_t)
+	userdom_manage_user_home_content_files($1,$1_javaplugin_t)
+	userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t)
+	userdom_manage_user_home_content_pipes($1,$1_javaplugin_t)
+	userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
+	userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
+
+	tunable_policy(`allow_java_execstack',`
+		allow $1_javaplugin_t self:process execstack;
+
+		allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
+
+		libs_legacy_use_shared_libs($1_javaplugin_t)
+		libs_legacy_use_ld_so($1_javaplugin_t)
+		libs_use_lib_files($1_javaplugin_t)
+
+		miscfiles_legacy_read_localization($1_javaplugin_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_javaplugin_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_javaplugin_t)
+	')
+
+	optional_policy(`
+		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
+	')
+')
+
+########################################
+## <summary>
+##	Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`java_domtrans',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type java_t, java_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domain_auto_trans($1, java_exec_t, java_t)
+
+		allow $1 java_t:fd use;
+		allow java_t $1:fd use;
+		allow java_t $1:fifo_file rw_file_perms;
+		allow java_t $1:process sigchld;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')
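Review bot: `domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)` hard-codes the source domain as `$1_t`, although the template receives the user domain as `$2` and the surrounding fd/process rules use `$2`; the irc and lockdev templates in this commit transition from `$2`. It should be `domain_auto_trans($2, java_exec_t, $1_javaplugin_t)`, otherwise a caller whose domain is not literally `<prefix>_t` gets no transition. The three `$1_home_t` rules likewise reach into another module's type without a `gen_require` and without the userdom interfaces used a few lines below, which the "cjp: rw_dir_perms here doesnt make sense" remark already questions. `files_read_etc_files($1_javaplugin_t)` appears twice, the second copy sitting under a "Read global fonts and font config" comment that belongs to the `miscfiles_read_fonts` call; the duplicate and its comment should go.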
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
new file mode 100644
index 0000000..0c6045d
--- /dev/null
+++ b/policy/modules/apps/java.te
@@ -0,0 +1,22 @@
+
+policy_module(java,1.1.2)
+
+########################################
+#
+# Declarations
+#
+
+type java_t;
+type java_exec_t;
+init_system_domain(java_t,java_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow java_t self:process { execstack execmem };
+	unconfined_domain_noaudit(java_t)
+	role system_r types java_t;
+')
diff --git a/policy/modules/apps/loadkeys.fc b/policy/modules/apps/loadkeys.fc
new file mode 100644
index 0000000..8549f9f
--- /dev/null
+++ b/policy/modules/apps/loadkeys.fc
@@ -0,0 +1,3 @@
+
+/bin/loadkeys		--	gen_context(system_u:object_r:loadkeys_exec_t,s0)
+/bin/unikeys		--	gen_context(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
new file mode 100644
index 0000000..3d96369
--- /dev/null
+++ b/policy/modules/apps/loadkeys.if
@@ -0,0 +1,89 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the loadkeys program in the loadkeys domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`loadkeys_domtrans',`
+	ifdef(`targeted_policy',`
+		# $0(): disabled in targeted policy as there
+		# is no loadkeys domain.
+	',`
+		gen_require(`
+			type loadkeys_t, loadkeys_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
+
+		allow $1 loadkeys_t:fd use;
+		allow loadkeys_t $1:fd use;
+		allow loadkeys_t $1:fifo_file rw_file_perms;
+		allow loadkeys_t $1:process sigchld;
+	')
+')
+
+########################################
+## <summary>
+##	Execute the loadkeys program in the loadkeys domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the loadkeys domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the loadkeys domain to use.
+##	</summary>
+## </param>
+#
+interface(`loadkeys_run',`
+	ifdef(`targeted_policy',`
+		# $0(): disabled in targeted policy as there
+		# is no loadkeys domain.
+	',`
+		gen_require(`
+			type loadkeys_t;
+		')
+
+		loadkeys_domtrans($1)
+		role $2 types loadkeys_t;
+		allow loadkeys_t $3:chr_file rw_term_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Execute the loadkeys program in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`loadkeys_exec',`
+	ifdef(`targeted_policy',`
+		# $0(): the loadkeys program is an alias
+		# of generic bin programs.
+		corecmd_exec_bin($1)
+	',`
+		gen_require(`
+			type loadkeys_exec_t;
+		')
+
+		can_exec($1,loadkeys_exec_t)
+	')
+')
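Review bot: The `loadkeys_run` header reuses the `loadkeys_domtrans` summary "Execute the loadkeys program in the loadkeys domain." verbatim, so the generated interface documentation shows two interfaces with identical summaries although `loadkeys_run` additionally authorizes the role and grants the terminal. A summary such as `## Execute the loadkeys program in the loadkeys domain, allow the specified role the loadkeys domain, and allow the loadkeys domain to use the specified terminal.` would distinguish them. The three `ifdef(\`targeted_policy'` branches in this file each carry a `# $0(): ...` comment explaining the no-op, which is good practice worth keeping consistent across the module.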
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
new file mode 100644
index 0000000..8e7daf3
--- /dev/null
+++ b/policy/modules/apps/loadkeys.te
@@ -0,0 +1,48 @@
+
+policy_module(loadkeys,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+ifdef(`targeted_policy',`
+	# for compatibility with strict:
+	corecmd_bin_alias(loadkeys_exec_t)
+',`
+	# cjp: this should probably be rewritten
+	# per user domain, since it can rw
+	# all user domain ttys
+
+	type loadkeys_t;
+	domain_type(loadkeys_t)
+
+	type loadkeys_exec_t;
+	domain_entry_file(loadkeys_t,loadkeys_exec_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	# loadkeys domain disabled in targeted policy
+',`
+	allow loadkeys_t self:capability { setuid sys_tty_config };
+	allow loadkeys_t self:fifo_file rw_file_perms;
+
+	kernel_read_system_state(loadkeys_t)
+
+	corecmd_exec_bin(loadkeys_t)
+	corecmd_exec_shell(loadkeys_t)
+
+	files_dontaudit_read_etc_runtime_files(loadkeys_t)
+
+	libs_use_ld_so(loadkeys_t)
+	libs_use_shared_libs(loadkeys_t)
+
+	locallogin_use_fds(loadkeys_t)
+
+	miscfiles_read_localization(loadkeys_t)
+')
diff --git a/policy/modules/apps/lockdev.fc b/policy/modules/apps/lockdev.fc
new file mode 100644
index 0000000..8b5ce03
--- /dev/null
+++ b/policy/modules/apps/lockdev.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/lockdev	--	gen_context(system_u:object_r:lockdev_exec_t,s0)
diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if
new file mode 100644
index 0000000..ddf08c4
--- /dev/null
+++ b/policy/modules/apps/lockdev.if
@@ -0,0 +1,87 @@
+## <summary>device locking policy for lockdev</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the lockdev module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates derived domains which are used
+##	for lockdev. A derived type is also created to protect
+##	the user's device locks.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`lockdev_per_userdomain_template',`
+	gen_require(`
+		type lockdev_exec_t;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_lockdev_t;
+	domain_type($1_lockdev_t)
+	domain_entry_file($1_lockdev_t,lockdev_exec_t)
+	role $3 types $1_lockdev_t;
+
+	type $1_lockdev_lock_t;
+	files_lock_file($1_lockdev_lock_t)
+
+	########################################
+	#
+	# Local policy
+	#
+
+	# Use capabilities.
+	allow $1_lockdev_t self:capability setgid;
+	allow $1_lockdev_t $2:process signull;
+
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($2, lockdev_exec_t, $1_lockdev_t)
+	allow $2 $1_lockdev_t:fd use;
+	allow $1_lockdev_t $2:fd use;
+	allow $1_lockdev_t $2:fifo_file rw_file_perms;
+	allow $1_lockdev_t $2:process sigchld;
+
+	allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
+	files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file)
+
+	files_read_all_locks($1_lockdev_t)
+
+	fs_getattr_xattr_fs($1_lockdev_t)
+	
+	libs_use_ld_so($1_lockdev_t)
+	libs_use_shared_libs($1_lockdev_t)
+
+	logging_send_syslog_msg($1_lockdev_t)
+
+	userdom_use_user_terminals($1, $1_lockdev_t)
+	
+	optional_policy(`
+		logging_send_syslog_msg($1_t)
+	')
+')
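Review bot: The trailing `optional_policy(\` logging_send_syslog_msg($1_t) ')` grants syslog access to the user domain spelled as `$1_t`, not to the lockdev domain, and `logging_send_syslog_msg($1_lockdev_t)` is already granted unconditionally a few lines above, so this looks like a copy-paste remnant. It should either be removed or, if the user domain really needs it, use the `$2` parameter the rest of the template uses for the user domain. The `## <desc>` text says a derived type protects the user's device locks, but `$1_lockdev_lock_t` is a plain `files_lock_file` type with no per-user binding visible here; the description could be softened to "a derived lock type is also created" unless such a binding exists elsewhere.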
diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te
new file mode 100644
index 0000000..7c08bba
--- /dev/null
+++ b/policy/modules/apps/lockdev.te
@@ -0,0 +1,10 @@
+
+policy_module(lockdev,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type lockdev_exec_t;
+corecmd_executable_file(lockdev_exec_t)
diff --git a/policy/modules/apps/metadata.xml b/policy/modules/apps/metadata.xml
new file mode 100644
index 0000000..a5ad4c0
--- /dev/null
+++ b/policy/modules/apps/metadata.xml
@@ -0,0 +1 @@
+<summary>Policy modules for applications</summary>
diff --git a/policy/modules/apps/mono.fc b/policy/modules/apps/mono.fc
new file mode 100644
index 0000000..bc1c679
--- /dev/null
+++ b/policy/modules/apps/mono.fc
@@ -0,0 +1 @@
+/usr/bin/mono	--	gen_context(system_u:object_r:mono_exec_t,s0)
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
new file mode 100644
index 0000000..257fa43
--- /dev/null
+++ b/policy/modules/apps/mono.if
@@ -0,0 +1,25 @@
+## <summary>Run .NET server and client applications on Linux.</summary>
+
+########################################
+## <summary>
+##	Execute the mono program in the mono domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mono_domtrans',`
+	gen_require(`
+		type mono_t, mono_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, mono_exec_t, mono_t)
+
+	allow $1 mono_t:fd use;
+	allow mono_t $1:fd use;
+	allow mono_t $1:fifo_file rw_file_perms;
+	allow mono_t $1:process sigchld;
+')
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
new file mode 100644
index 0000000..5769ceb
--- /dev/null
+++ b/policy/modules/apps/mono.te
@@ -0,0 +1,42 @@
+
+policy_module(mono,1.1.3)
+
+########################################
+#
+# Declarations
+#
+
+type mono_t;
+domain_type(mono_t)
+
+type mono_exec_t;
+domain_entry_file(mono_t,mono_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow mono_t self:process { execheap execmem };
+	unconfined_domain_noaudit(mono_t)
+	unconfined_dbus_chat(mono_t)
+
+	init_dbus_chat_script(mono_t)
+
+	optional_policy(`
+		avahi_dbus_chat(mono_t)
+	')
+
+	optional_policy(`
+		hal_dbus_chat(mono_t)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(mono_t)
+	')
+
+	optional_policy(`
+		unconfined_dbus_connect(mono_t)
+	')
+')
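Review bot: All local policy for `mono_t` sits inside `ifdef(\`targeted_policy'`, yet the type, its entry point and the unconditional `mono_domtrans` interface in mono.if are declared for both policy flavours, so under strict policy a caller of `mono_domtrans` would transition into a domain with no rules at all (not even the ld.so and shared-library access every other domain in this commit grants). Either guard the interface the way `java_domtrans` does with an `errprint` in the strict branch, or add a minimal strict branch; at least a comment such as `# mono_t is unconfined in targeted policy and has no strict policy yet` above the `ifdef` would make the gap explicit.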
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
new file mode 100644
index 0000000..7218f9f
--- /dev/null
+++ b/policy/modules/apps/mozilla.fc
@@ -0,0 +1,34 @@
+#
+# /bin
+#
+/usr/bin/netscape		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-snapshot	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany-bin		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+#
+# /etc
+#
+/etc/mozpluggerrc 		--	gen_context(system_u:object_r:mozilla_conf_t,s0)
+
+#
+# /lib
+#
+/usr/lib(64)?/galeon/galeon 	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/mozilla[^/]*/reg.+ --	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+#  netscape/mozilla
+ifdef(`strict_policy',`
+HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
new file mode 100644
index 0000000..26e7bad
--- /dev/null
+++ b/policy/modules/apps/mozilla.if
@@ -0,0 +1,416 @@
+## <summary>Policy for Mozilla and related web browsers</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the mozilla module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for mozilla web browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`mozilla_per_userdomain_template',`
+	
+	########################################
+	#
+	# Declarations
+	#
+	type $1_mozilla_t;
+	domain_type($1_mozilla_t)
+	domain_entry_file($1_mozilla_t,mozilla_exec_t)
+	role $3 types $1_mozilla_t;
+
+	type $1_mozilla_home_t alias $1_mozilla_rw_t;
+	files_poly_member($1_mozilla_home_t)
+	userdom_user_home_content($1,$1_mozilla_home_t)
+
+	type $1_mozilla_tmpfs_t;
+	files_tmpfs_file($1_mozilla_tmpfs_t)
+
+	########################################
+	#
+	# Local policy
+	#
+	allow $1_mozilla_t self:capability { sys_nice setgid setuid };
+	allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+	allow $1_mozilla_t self:fifo_file { getattr read write };
+	allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
+	allow $1_mozilla_t self:sem create_sem_perms;
+	allow $1_mozilla_t self:socket create_socket_perms;
+	allow $1_mozilla_t self:unix_stream_socket { listen accept };
+	# Browse the web, connect to printer
+	allow $1_mozilla_t self:tcp_socket create_socket_perms;
+
+	# for bash - old mozilla binary
+	can_exec($1_mozilla_t, mozilla_exec_t)
+
+	# X access, Home files
+	allow $1_mozilla_t $1_mozilla_home_t:dir manage_dir_perms;
+	allow $1_mozilla_t $1_mozilla_home_t:file manage_file_perms;
+	allow $1_mozilla_t $1_mozilla_home_t:lnk_file create_lnk_perms;
+	fs_search_auto_mountpoints($1_mozilla_t)
+
+	# Mozpluggerrc
+	allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
+
+	allow $1_mozilla_t $2:fd use;
+	allow $1_mozilla_t $2:process sigchld;
+	allow $1_mozilla_t $2:unix_stream_socket connectto;
+	allow $2 $1_mozilla_t:fd use;
+	allow $2 $1_mozilla_t:shm { associate getattr };
+	allow $2 $1_mozilla_t:shm { unix_read unix_write };
+	allow $2 $1_mozilla_t:unix_stream_socket connectto;
+
+	# X access, Home files
+	allow $2 $1_mozilla_home_t:dir manage_dir_perms;
+	allow $2 $1_mozilla_home_t:file manage_file_perms;
+	allow $2 $1_mozilla_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_mozilla_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+	userdom_search_user_home_dirs($1,$1_mozilla_t)
+
+	allow $1_mozilla_t $1_mozilla_tmpfs_t:dir rw_dir_perms;
+	allow $1_mozilla_t $1_mozilla_tmpfs_t:file manage_file_perms;
+	allow $1_mozilla_t $1_mozilla_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_mozilla_t $1_mozilla_tmpfs_t:sock_file manage_file_perms;
+	allow $1_mozilla_t $1_mozilla_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	# Unrestricted inheritance from the caller.
+	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
+	allow $1_mozilla_t $2:process signull;
+
+	# Allow the user domain to signal/ps.
+	allow $2 $1_mozilla_t:dir { search getattr read };
+	allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
+	allow $2 $1_mozilla_t:process getattr;
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $2 $1_mozilla_t:process ptrace;
+
+	allow $2 $1_mozilla_t:process signal_perms;
+	
+	kernel_read_kernel_sysctls($1_mozilla_t)
+	kernel_read_network_state($1_mozilla_t)
+	# Access /proc, sysctl
+	kernel_read_system_state($1_mozilla_t)
+	kernel_read_net_sysctls($1_mozilla_t)
+
+	corecmd_search_sbin($1_mozilla_t)
+	# Look for plugins 
+	corecmd_list_bin($1_mozilla_t)
+	# for bash - old mozilla binary
+	corecmd_exec_shell($1_mozilla_t)
+	corecmd_exec_bin($1_mozilla_t)
+
+	# Browse the web, connect to printer
+	corenet_non_ipsec_sendrecv($1_mozilla_t)
+	corenet_tcp_sendrecv_generic_if($1_mozilla_t)
+	corenet_raw_sendrecv_generic_if($1_mozilla_t)
+	corenet_tcp_sendrecv_all_nodes($1_mozilla_t)
+	corenet_raw_sendrecv_all_nodes($1_mozilla_t)
+	corenet_tcp_sendrecv_http_port($1_mozilla_t)
+	corenet_tcp_sendrecv_http_cache_port($1_mozilla_t)
+	corenet_tcp_sendrecv_ftp_port($1_mozilla_t)
+	corenet_tcp_sendrecv_ipp_port($1_mozilla_t)
+	corenet_tcp_connect_http_port($1_mozilla_t)
+	corenet_tcp_connect_http_cache_port($1_mozilla_t)
+	corenet_tcp_connect_ftp_port($1_mozilla_t)
+	corenet_tcp_connect_ipp_port($1_mozilla_t)
+	corenet_tcp_connect_generic_port($1_mozilla_t)
+	corenet_sendrecv_http_client_packets($1_mozilla_t)
+	corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
+	corenet_sendrecv_ftp_client_packets($1_mozilla_t)
+	corenet_sendrecv_ipp_client_packets($1_mozilla_t)
+	corenet_sendrecv_generic_client_packets($1_mozilla_t)
+	# Should not need other ports
+	corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t)
+	corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
+
+	dev_read_urand($1_mozilla_t)
+	dev_write_sound($1_mozilla_t)
+	dev_read_sound($1_mozilla_t)
+	dev_dontaudit_rw_dri($1_mozilla_t)
+
+	files_read_etc_runtime_files($1_mozilla_t)
+	files_read_usr_files($1_mozilla_t)
+	files_read_etc_files($1_mozilla_t)
+	# /var/lib
+	files_read_var_lib_files($1_mozilla_t)
+	# interacting with gstreamer
+	files_read_var_files($1_mozilla_t)
+	files_read_var_symlinks($1_mozilla_t)
+
+	fs_search_inotifyfs($1_mozilla_t)
+	fs_rw_tmpfs_files($1_mozilla_t)
+	
+	libs_use_ld_so($1_mozilla_t)
+	libs_use_lib_files($1_mozilla_t)
+	libs_use_shared_libs($1_mozilla_t)
+
+	logging_send_syslog_msg($1_mozilla_t)
+
+	miscfiles_read_fonts($1_mozilla_t)
+
+	# Browse the web, connect to printer
+	sysnet_dns_name_resolve($1_mozilla_t)
+	sysnet_read_config($1_mozilla_t)
+	
+	userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
+	userdom_manage_user_home_content_files($1,$1_mozilla_t)
+	userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
+	userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
+	userdom_manage_user_tmp_files($1,$1_mozilla_t)
+	userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
+	
+	xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
+	
+	tunable_policy(`allow_execmem',`
+		allow $1_mozilla_t self:process { execmem execstack };
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_mozilla_t)
+		fs_manage_nfs_files($1_mozilla_t)
+		fs_manage_nfs_symlinks($1_mozilla_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_mozilla_t)
+		fs_manage_cifs_files($1_mozilla_t)
+		fs_manage_cifs_symlinks($1_mozilla_t)
+	')
+
+	# Type transition
+	tunable_policy(`! disable_mozilla_trans',`
+		domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+	')
+
+	# Uploads, local html
+	tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+		fs_list_auto_mountpoints($1_mozilla_t)
+		files_list_home($1_mozilla_t)
+		fs_read_nfs_files($1_mozilla_t)
+		fs_read_nfs_symlinks($1_mozilla_t)
+	
+	',`
+		files_dontaudit_list_home($1_mozilla_t)
+		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
+		fs_dontaudit_read_nfs_files($1_mozilla_t)
+		fs_dontaudit_list_nfs($1_mozilla_t)
+	')
+
+	tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
+		fs_list_auto_mountpoints($1_mozilla_t)
+		files_list_home($1_mozilla_t)
+		fs_read_cifs_files($1_mozilla_t)
+		fs_read_cifs_symlinks($1_mozilla_t)
+	',`
+		files_dontaudit_list_home($1_mozilla_t)
+		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
+		fs_dontaudit_read_cifs_files($1_mozilla_t)
+		fs_dontaudit_list_cifs($1_mozilla_t)
+	')
+
+	tunable_policy(`mozilla_read_content',`
+		userdom_list_user_tmp($1,$1_mozilla_t)
+		userdom_read_user_tmp_files($1,$1_mozilla_t)
+		userdom_read_user_tmp_symlinks($1,$1_mozilla_t)
+		userdom_search_user_home_dirs($1,$1_mozilla_t)
+		userdom_read_user_home_content_files($1,$1_mozilla_t)
+		userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
+		
+		ifdef(`enable_mls',`',`
+			fs_search_removable($1_mozilla_t)
+			fs_read_removable_files($1_mozilla_t)
+			fs_read_removable_symlinks($1_mozilla_t)
+		')
+	',`
+		files_dontaudit_list_tmp($1_mozilla_t)
+		files_dontaudit_list_home($1_mozilla_t)
+		fs_dontaudit_list_removable($1_mozilla_t)
+		fs_dontaudit_read_removable_files($1_mozilla_t)
+		userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
+		userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
+		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
+		userdom_dontaudit_read_user_home_content_files($1,$1_mozilla_t)
+	')
+
+	tunable_policy(`mozilla_read_content && read_default_t',`
+		files_list_default($1_mozilla_t)
+		files_read_default_files($1_mozilla_t)
+		files_read_default_symlinks($1_mozilla_t)
+	',`
+		files_dontaudit_read_default_files($1_mozilla_t)
+		files_dontaudit_list_default($1_mozilla_t)
+	')
+
+	tunable_policy(`mozilla_read_content && read_untrusted_content',`
+		files_list_tmp($1_mozilla_t)
+		files_list_home($1_mozilla_t)
+		userdom_search_user_home_dirs($1,$1_mozilla_t)
+	
+		userdom_list_user_untrusted_content($1,$1_mozilla_t)
+		userdom_read_user_untrusted_content_files($1,$1_mozilla_t)
+		userdom_read_user_untrusted_content_symlinks($1,$1_mozilla_t)
+		userdom_list_user_tmp_untrusted_content($1,$1_mozilla_t)
+		userdom_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
+		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mozilla_t)
+	',`
+		files_dontaudit_list_tmp($1_mozilla_t)
+		files_dontaudit_list_home($1_mozilla_t)
+		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
+		userdom_dontaudit_list_user_untrusted_content($1,$1_mozilla_t)
+		userdom_dontaudit_read_user_untrusted_content_files($1,$1_mozilla_t)
+		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mozilla_t)
+		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
+	')
+
+	# Save web pages
+	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
+		files_search_home($1_mozilla_t)
+
+		fs_search_auto_mountpoints($1_mozilla_t)
+		fs_manage_nfs_dirs($1_mozilla_t)
+		fs_manage_nfs_files($1_mozilla_t)
+		fs_manage_nfs_symlinks($1_mozilla_t)
+	',`
+		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
+		fs_dontaudit_manage_nfs_dirs($1_mozilla_t)
+		fs_dontaudit_manage_nfs_files($1_mozilla_t)
+	')
+
+	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
+		files_search_home($1_mozilla_t)
+
+		fs_search_auto_mountpoints($1_mozilla_t)
+		fs_manage_cifs_dirs($1_mozilla_t)
+		fs_manage_cifs_files($1_mozilla_t)
+		fs_manage_cifs_symlinks($1_mozilla_t)
+	',`
+		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
+		fs_dontaudit_manage_cifs_dirs($1_mozilla_t)
+		fs_dontaudit_manage_cifs_files($1_mozilla_t)
+	')
+
+	tunable_policy(`write_untrusted_content',`
+		files_search_home($1_mozilla_t)
+		files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file)
+		files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir)
+
+		userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,file)
+		userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,dir)
+	',`
+		files_dontaudit_list_home($1_mozilla_t)
+		files_dontaudit_list_tmp($1_mozilla_t)
+
+		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
+		userdom_dontaudit_manage_user_tmp_dirs($1,$1_mozilla_t)
+		userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t)
+		userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t)
+
+	')
+
+	optional_policy(`
+		apache_read_user_scripts($1,$1_mozilla_t)
+		apache_read_user_content($1,$1_mozilla_t)
+	')
+
+	optional_policy(`
+		cups_read_rw_config($1_mozilla_t)
+	')
+
+	optional_policy(`
+		dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
+		dbus_send_system_bus($1_mozilla_t)
+		ifdef(`TODO',`
+			optional_policy(`
+				allow cupsd_t $1_mozilla_t:dbus send_msg;
+			')
+		')
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_mozilla_t)
+	')
+
+	optional_policy(`
+		squid_use($1_mozilla_t)
+	')
+
+	optional_policy(`
+		lpd_domtrans_user_lpr($1,$1_mozilla_t)
+	')
+
+	ifdef(`TODO',`
+		# Java plugin
+		optional_policy(`
+			#reh, these are hacked in types due to the use of the java_per_userdomain_template
+			type $1_mozilla_tmp_t;
+			files_tmp_file($1_mozilla_tmp_t)
+
+			#this looks even more ugly.
+			type $1_mozilla_tty_device_t;
+			term_tty($1_mozilla_t,$1_mozilla_tty_device_t)
+			type $1_mozilla_devpts_t;
+			term_pty($1_mozilla_devpts_t)
+			type $1_mozilla_home_dir_t;
+			userdom_user_home_content($1,$1_mozilla_home_dir_t)
+
+			java_per_userdomain_template($1_mozilla,$2,$3)
+		')
+
+		######### Launch mplayer
+		optional_policy(`
+			domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
+			dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
+			dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
+			dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
+		')
+		#NOTE commented out in strict.
+		######### Launch email client, and make webcal links work
+		#ifdef(`evolution.te', `
+		#domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
+		#domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
+		#')
+		#NOTE commented out in strict
+		#ifdef(`thunderbird.te', `
+		#domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
+		#')
+	
+		# Macros for mozilla/mozilla (or other browser) domains.
+		# FIXME: Rules were removed to centralize policy in a gnome_app macro
+		# A similar thing might be necessary for mozilla compiled without GNOME
+		# support (is this possible?). 
+
+		# GNOME integration
+		optional_policy(`
+			gnome_application($1_mozilla, $1)
+			gnome_file_dialog($1_mozilla, $1)
+		')
+	')
+')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
new file mode 100644
index 0000000..7565167
--- /dev/null
+++ b/policy/modules/apps/mozilla.te
@@ -0,0 +1,13 @@
+
+policy_module(mozilla,1.0.3)
+
+########################################
+#
+# Declarations
+#
+
+type mozilla_conf_t;
+files_config_file(mozilla_conf_t)
+
+type mozilla_exec_t;
+corecmd_executable_file(mozilla_exec_t)
diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc
new file mode 100644
index 0000000..60db2e9
--- /dev/null
+++ b/policy/modules/apps/mplayer.fc
@@ -0,0 +1,14 @@
+#
+# /etc
+#
+/etc/mplayer(/.*)?		gen_context(system_u:object_r:mplayer_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/mplayer	--	   	gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mencoder	--	   	gen_context(system_u:object_r:mencoder_exec_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
+')
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
new file mode 100644
index 0000000..12e9260
--- /dev/null
+++ b/policy/modules/apps/mplayer.if
@@ -0,0 +1,458 @@
+## <summary>Mplayer media player and encoder</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the mplayer module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for mplayer media player.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`mplayer_per_userdomain_template',`
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_mencoder_t;
+	domain_type($1_mencoder_t)
+	domain_entry_file($1_mencoder_t,mencoder_exec_t)
+	role $3 types $1_mencoder_t;
+
+	type $1_mplayer_t;
+	domain_type($1_mplayer_t)
+	domain_entry_file($1_mplayer_t,mplayer_exec_t)
+	role $3 types $1_mplayer_t;
+
+	type $1_mplayer_home_t alias $1_mplayer_rw_t;
+	files_poly_member($1_mplayer_home_t)
+	userdom_user_home_content($1,$1_mplayer_home_t)
+
+	type $1_mplayer_tmpfs_t;
+	files_tmpfs_file($1_mplayer_tmpfs_t)
+
+	########################################
+	#
+	# mencoder local policy
+	#
+
+	allow $1_mencoder_t $1_mplayer_home_t:dir create_dir_perms;
+	allow $1_mencoder_t $1_mplayer_home_t:file create_file_perms;
+	allow $1_mencoder_t $1_mplayer_home_t:lnk_file create_lnk_perms;
+
+	# Read global config
+	allow $1_mencoder_t mplayer_etc_t:dir r_dir_perms;
+	allow $1_mencoder_t mplayer_etc_t:file r_file_perms;
+	allow $1_mencoder_t mplayer_etc_t:lnk_file { getattr read };
+	
+	# domain transition
+	domain_auto_trans($2, mencoder_exec_t, $1_mencoder_t)
+	allow $2 $1_mencoder_t:fd use;
+	allow $1_mencoder_t $2:fd use;
+	allow $1_mencoder_t $2:fifo_file rw_file_perms;
+	allow $1_mencoder_t $2:process sigchld;
+
+	# Allow the user domain to signal/ps.
+	allow $2 $1_mencoder_t:dir { search getattr read };
+	allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
+	allow $2 $1_mencoder_t:process getattr;
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $2 $1_mencoder_t:process ptrace;
+	allow $2 $1_mencoder_t:process signal_perms;
+
+	# Read /proc files and directories
+	# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+	kernel_read_system_state($1_mencoder_t)
+	# Sysctl on kernel version 
+	kernel_read_kernel_sysctls($1_mencoder_t)
+
+	# Required for win32 binary loader 
+	dev_rwx_zero($1_mencoder_t)
+	# Access to DVD/CD/V4L
+	dev_read_video_dev($1_mencoder_t)
+
+	# Read data in /usr/share (fonts, icons..)
+	files_read_usr_files($1_mencoder_t)
+	files_read_usr_symlinks($1_mencoder_t)
+
+	fs_search_auto_mountpoints($1_mencoder_t)
+
+	# Access to DVD/CD/V4L
+	storage_raw_read_removable_device($1_mencoder_t)
+
+	libs_use_ld_so($1_mencoder_t)
+	libs_use_shared_libs($1_mencoder_t)
+
+	miscfiles_read_localization($1_mencoder_t)
+
+	userdom_use_user_terminals($1,$1_mencoder_t)
+	# Handle removable media, /tmp, and /home
+	userdom_list_user_tmp($1,$1_mencoder_t)
+	userdom_read_user_tmp_files($1,$1_mencoder_t)
+	userdom_read_user_tmp_symlinks($1,$1_mencoder_t)
+	userdom_read_user_home_content_files($1,$1_mencoder_t)
+	userdom_read_user_home_content_symlinks($1,$1_mencoder_t)
+
+	# Read content to encode
+	ifdef(`enable_mls',`',`
+		fs_search_removable($1_mencoder_t)
+		fs_read_removable_files($1_mencoder_t)
+		fs_read_removable_symlinks($1_mencoder_t)
+	')
+
+	tunable_policy(`allow_execmem',`
+		allow $1_mencoder_t self:process execmem;
+	')
+
+	tunable_policy(`allow_execmod',`
+		dev_execmod_zero($1_mencoder_t)
+	')
+
+	tunable_policy(`allow_mplayer_execstack',`
+		allow $1_mencoder_t self:process { execmem execstack };
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_mencoder_t)
+		fs_manage_nfs_files($1_mencoder_t)
+		fs_manage_nfs_symlinks($1_mencoder_t)
+
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_mencoder_t)
+		fs_manage_cifs_files($1_mencoder_t)
+		fs_manage_cifs_symlinks($1_mencoder_t)
+
+	')
+
+	# Read content to encode
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_list_auto_mountpoints($1_mencoder_t)
+		files_list_home($1_mencoder_t)
+		fs_read_nfs_files($1_mencoder_t)
+		fs_read_nfs_symlinks($1_mencoder_t)
+	
+	',`
+		files_dontaudit_list_home($1_mencoder_t)
+		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
+		fs_dontaudit_read_nfs_files($1_mencoder_t)
+		fs_dontaudit_list_nfs($1_mencoder_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_list_auto_mountpoints($1_mencoder_t)
+		files_list_home($1_mencoder_t)
+		fs_read_cifs_files($1_mencoder_t)
+		fs_read_cifs_symlinks($1_mencoder_t)
+	',`
+		files_dontaudit_list_home($1_mencoder_t)
+		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
+		fs_dontaudit_read_cifs_files($1_mencoder_t)
+		fs_dontaudit_list_cifs($1_mencoder_t)
+	')
+
+	tunable_policy(`read_default_t',`
+		files_list_default($1_mencoder_t)
+		files_read_default_files($1_mencoder_t)
+		files_read_default_symlinks($1_mencoder_t)
+	',`
+		files_dontaudit_read_default_files($1_mencoder_t)
+		files_dontaudit_list_default($1_mencoder_t)
+	')
+
+	tunable_policy(`read_untrusted_content',`
+		files_list_tmp($1_mencoder_t)
+		files_list_home($1_mencoder_t)
+	
+		userdom_list_user_untrusted_content($1,$1_mencoder_t)
+		userdom_read_user_untrusted_content_files($1,$1_mencoder_t)
+		userdom_read_user_untrusted_content_symlinks($1,$1_mencoder_t)
+		userdom_list_user_tmp_untrusted_content($1,$1_mencoder_t)
+		userdom_read_user_tmp_untrusted_content_files($1,$1_mencoder_t)
+		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mencoder_t)
+	',`
+		files_dontaudit_list_tmp($1_mencoder_t)
+		files_dontaudit_list_home($1_mencoder_t)
+		userdom_dontaudit_list_user_home_dirs($1,$1_mencoder_t)
+		userdom_dontaudit_list_user_untrusted_content($1,$1_mencoder_t)
+		userdom_dontaudit_read_user_untrusted_content_files($1,$1_mencoder_t)
+		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mencoder_t)
+		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mencoder_t)
+	')
+
+	# Save encoded files
+	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
+		files_search_home($1_mencoder_t)
+
+		fs_search_auto_mountpoints($1_mencoder_t)
+		fs_manage_nfs_dirs($1_mencoder_t)
+		fs_manage_nfs_files($1_mencoder_t)
+		fs_manage_nfs_symlinks($1_mencoder_t)
+	',`
+		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
+		fs_dontaudit_manage_nfs_dirs($1_mencoder_t)
+		fs_dontaudit_manage_nfs_files($1_mencoder_t)
+	')
+
+	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
+		files_search_home($1_mencoder_t)
+
+		fs_search_auto_mountpoints($1_mencoder_t)
+		fs_manage_cifs_dirs($1_mencoder_t)
+		fs_manage_cifs_files($1_mencoder_t)
+		fs_manage_cifs_symlinks($1_mencoder_t)
+	',`
+		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
+		fs_dontaudit_manage_cifs_dirs($1_mencoder_t)
+		fs_dontaudit_manage_cifs_files($1_mencoder_t)
+	')
+
+	tunable_policy(`write_untrusted_content',`
+		files_search_home($1_mencoder_t)
+		files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,file)
+		files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,dir)
+
+		userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,file)
+		userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,dir)
+
+	',`
+		files_dontaudit_list_home($1_mencoder_t)
+		files_dontaudit_list_tmp($1_mencoder_t)
+
+		userdom_dontaudit_list_user_home_dirs($1,$1_mencoder_t)
+		userdom_dontaudit_manage_user_tmp_files($1,$1_mencoder_t)
+		userdom_dontaudit_manage_user_home_content_dirs($1,$1_mencoder_t)
+	')
+
+	########################################
+	#
+	# mplayer local policy
+	#
+
+	allow $1_mplayer_t self:process { signal_perms getsched };
+	allow $1_mplayer_t self:fifo_file rw_file_perms;
+
+	allow $1_mplayer_t $1_mplayer_home_t:dir manage_dir_perms;
+	allow $1_mplayer_t $1_mplayer_home_t:file manage_file_perms;
+	allow $1_mplayer_t $1_mplayer_home_t:lnk_file create_lnk_perms;
+	userdom_search_user_home_dirs($1,$1_mplayer_t)
+
+	allow $1_mplayer_t $1_mplayer_tmpfs_t:dir rw_dir_perms;
+	allow $1_mplayer_t $1_mplayer_tmpfs_t:file manage_file_perms;
+	allow $1_mplayer_t $1_mplayer_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_mplayer_t $1_mplayer_tmpfs_t:sock_file manage_file_perms;
+	allow $1_mplayer_t $1_mplayer_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_mplayer_t,$1_mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	# Read global config
+	allow $1_mplayer_t mplayer_etc_t:dir r_dir_perms;
+	allow $1_mplayer_t mplayer_etc_t:file r_file_perms;
+	allow $1_mplayer_t mplayer_etc_t:lnk_file { getattr read };
+
+	# Home access
+	allow $2 $1_mplayer_home_t:dir manage_dir_perms;
+	allow $2 $1_mplayer_home_t:file manage_file_perms;
+	allow $2 $1_mplayer_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_mplayer_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+	# domain transition
+	domain_auto_trans($2, mplayer_exec_t, $1_mplayer_t)
+	allow $2 $1_mplayer_t:fd use;
+	allow $1_mplayer_t $2:fd use;
+	allow $1_mplayer_t $2:fifo_file rw_file_perms;
+	allow $1_mplayer_t $2:process sigchld;
+
+	# Allow the user domain to signal/ps.
+	allow $2 $1_mplayer_t:dir { search getattr read };
+	allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
+	allow $2 $1_mplayer_t:process getattr;
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $2 $1_mplayer_t:process ptrace;
+	allow $2 $1_mplayer_t:process signal_perms;
+
+	kernel_dontaudit_list_unlabeled($1_mplayer_t)
+	kernel_dontaudit_getattr_unlabeled_files($1_mplayer_t)
+	kernel_dontaudit_read_unlabeled_files($1_mplayer_t)
+	# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+	kernel_read_system_state($1_mplayer_t)
+	# Sysctl on kernel version 
+	kernel_read_kernel_sysctls($1_mplayer_t)
+
+	# Run bash/sed (??) 
+	corecmd_exec_bin($1_mplayer_t)
+	corecmd_exec_shell($1_mplayer_t)
+
+	# Required for win32 binary loader 
+	dev_rwx_zero($1_mplayer_t)
+	# Access to DVD/CD/V4L
+	dev_read_video_dev($1_mplayer_t)
+	# Audio, alsa.conf
+	dev_read_sound_mixer($1_mplayer_t)
+	dev_write_sound_mixer($1_mplayer_t)
+	# RTC clock 
+	dev_read_realtime_clock($1_mplayer_t)
+
+	# Access to DVD/CD/V4L
+	storage_raw_read_removable_device($1_mplayer_t)
+
+	files_read_etc_files($1_mplayer_t)
+	files_dontaudit_list_non_security($1_mplayer_t)
+	files_dontaudit_getattr_non_security_files($1_mplayer_t)
+	files_read_non_security_files($1_mplayer_t)
+	# Unfortunately the ancient file dialog starts in /
+	files_list_home($1_mplayer_t)
+	# Read /etc/mtab
+	files_read_etc_runtime_files($1_mplayer_t)
+	# Read data in /usr/share (fonts, icons..)
+	files_read_usr_files($1_mplayer_t)
+	files_read_usr_symlinks($1_mplayer_t)
+
+	fs_dontaudit_getattr_all_fs($1_mplayer_t)
+	fs_search_auto_mountpoints($1_mplayer_t)
+
+	libs_use_ld_so($1_mplayer_t)
+	libs_use_shared_libs($1_mplayer_t)
+
+	miscfiles_read_localization($1_mplayer_t)
+	miscfiles_read_fonts($1_mplayer_t)
+
+	userdom_use_user_terminals($1,$1_mplayer_t)
+	# Read media files
+	userdom_list_user_tmp($1,$1_mplayer_t)
+	userdom_read_user_tmp_files($1,$1_mplayer_t)
+	userdom_read_user_tmp_symlinks($1,$1_mplayer_t)
+	userdom_read_user_home_content_files($1,$1_mplayer_t)
+	userdom_read_user_home_content_symlinks($1,$1_mplayer_t)
+
+	xserver_user_client_template($1,$1_mplayer_t,$1_mplayer_tmpfs_t)
+	
+	# Read songs
+	ifdef(`enable_mls',`',`
+		fs_search_removable($1_mplayer_t)
+		fs_read_removable_files($1_mplayer_t)
+		fs_read_removable_symlinks($1_mplayer_t)
+	')
+
+	tunable_policy(`allow_execmem',`
+		allow $1_mplayer_t self:process execmem;
+	')
+
+	tunable_policy(`allow_execmod',`
+		dev_execmod_zero($1_mplayer_t)
+	')
+
+	tunable_policy(`allow_mplayer_execstack',`
+		allow $1_mplayer_t self:process { execmem execstack };
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_mplayer_t)
+		fs_manage_nfs_files($1_mplayer_t)
+		fs_manage_nfs_symlinks($1_mplayer_t)
+	')
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_mplayer_t)
+		fs_manage_cifs_files($1_mplayer_t)
+		fs_manage_cifs_symlinks($1_mplayer_t)
+	')
+
+	# Legacy domain issues
+	tunable_policy(`allow_mplayer_execstack',`
+		allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
+	')
+
+	# Read songs
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_list_auto_mountpoints($1_mplayer_t)
+		files_list_home($1_mplayer_t)
+		fs_read_nfs_files($1_mplayer_t)
+		fs_read_nfs_symlinks($1_mplayer_t)
+	
+	',`
+		files_dontaudit_list_home($1_mplayer_t)
+		fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
+		fs_dontaudit_read_nfs_files($1_mplayer_t)
+		fs_dontaudit_list_nfs($1_mplayer_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_list_auto_mountpoints($1_mplayer_t)
+		files_list_home($1_mplayer_t)
+		fs_read_cifs_files($1_mplayer_t)
+		fs_read_cifs_symlinks($1_mplayer_t)
+	',`
+		files_dontaudit_list_home($1_mplayer_t)
+		fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
+		fs_dontaudit_read_cifs_files($1_mplayer_t)
+		fs_dontaudit_list_cifs($1_mplayer_t)
+	')
+
+	tunable_policy(`read_default_t',`
+		files_list_default($1_mplayer_t)
+		files_read_default_files($1_mplayer_t)
+		files_read_default_symlinks($1_mplayer_t)
+	',`
+		files_dontaudit_read_default_files($1_mplayer_t)
+		files_dontaudit_list_default($1_mplayer_t)
+	')
+
+	tunable_policy(`read_untrusted_content',`
+		files_list_tmp($1_mplayer_t)
+		files_list_home($1_mplayer_t)
+	
+		userdom_list_user_untrusted_content($1,$1_mplayer_t)
+		userdom_read_user_untrusted_content_files($1,$1_mplayer_t)
+		userdom_read_user_untrusted_content_symlinks($1,$1_mplayer_t)
+		userdom_list_user_tmp_untrusted_content($1,$1_mplayer_t)
+		userdom_read_user_tmp_untrusted_content_files($1,$1_mplayer_t)
+		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mplayer_t)
+	',`
+		files_dontaudit_list_tmp($1_mplayer_t)
+		files_dontaudit_list_home($1_mplayer_t)
+		userdom_dontaudit_list_user_home_dirs($1,$1_mplayer_t)
+		userdom_dontaudit_list_user_untrusted_content($1,$1_mplayer_t)
+		userdom_dontaudit_read_user_untrusted_content_files($1,$1_mplayer_t)
+		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mplayer_t)
+		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mplayer_t)
+	')
+
+	optional_policy(`
+		alsa_read_rw_config($1_mplayer_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_mplayer_t)
+	')
+')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
new file mode 100644
index 0000000..adbb176
--- /dev/null
+++ b/policy/modules/apps/mplayer.te
@@ -0,0 +1,16 @@
+
+policy_module(mplayer,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type mplayer_exec_t;
+corecmd_executable_file(mplayer_exec_t)
+
+type mencoder_exec_t;
+corecmd_executable_file(mencoder_exec_t)
+
+type mplayer_etc_t;
+files_config_file(mplayer_etc_t)
diff --git a/policy/modules/apps/rssh.fc b/policy/modules/apps/rssh.fc
new file mode 100644
index 0000000..4c091ca
--- /dev/null
+++ b/policy/modules/apps/rssh.fc
@@ -0,0 +1 @@
+/usr/bin/rssh	--	gen_context(system_u:object_r:rssh_exec_t,s0)
diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
new file mode 100644
index 0000000..2a84766
--- /dev/null
+++ b/policy/modules/apps/rssh.if
@@ -0,0 +1,143 @@
+## <summary>Restricted (scp/sftp) only shell</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the rssh module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for rssh client sessions.  Derived types are also created
+##	for read-only and read-write file access.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`rssh_per_userdomain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type $1_rssh_t alias rssh_$1_t, rssh_domain_type;
+	domain_type($1_rssh_t)
+	domain_entry_file($1_rssh_t,rssh_exec_t)
+	domain_user_exemption_target($1_t)
+	domain_interactive_fd($1_rssh_t)
+	role system_r types $1_rssh_t;
+
+	type $1_rssh_devpts_t alias rssh_$1_devpts_t;
+	term_user_pty($1_rssh_t,$1_rssh_devpts_t)
+
+	type $1_rssh_ro_t alias rssh_$1_ro_t, rssh_ro_content_type;
+	userdom_user_home_content($1,$1_rssh_ro_t)
+
+	type $1_rssh_rw_t alias rssh_$1_rw_t;
+	userdom_user_home_content($1,$1_rssh_rw_t)
+
+	##############################
+	#
+	# Local policy
+	#
+
+	allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_rssh_t self:fd use;
+	allow $1_rssh_t self:fifo_file rw_file_perms;
+	allow $1_rssh_t self:unix_dgram_socket create_socket_perms;
+	allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_rssh_t self:unix_dgram_socket sendto;
+	allow $1_rssh_t self:unix_stream_socket connectto;
+	allow $1_rssh_t self:shm create_shm_perms;
+	allow $1_rssh_t self:sem create_sem_perms;
+	allow $1_rssh_t self:msgq create_msgq_perms;
+	allow $1_rssh_t self:msg { send receive };
+
+	allow $1_rssh_t $1_rssh_devpts_t:chr_file { rw_file_perms setattr };
+	term_create_pty($1_rssh_t,$1_rssh_devpts_t)
+
+	allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms;
+	allow $1_rssh_t $1_rssh_ro_t:file read_file_perms;
+
+	allow $1_rssh_t $1_rssh_rw_t:dir manage_dir_perms;
+	allow $1_rssh_t $1_rssh_rw_t:file manage_file_perms;
+
+	kernel_read_system_state($1_rssh_t)
+	kernel_read_kernel_sysctls($1_rssh_t)
+
+	files_read_etc_files($1_rssh_t)
+	files_read_etc_runtime_files($1_rssh_t)
+	files_list_home($1_rssh_t)
+	files_read_usr_files($1_rssh_t)
+	files_list_var($1_rssh_t)
+
+	fs_search_auto_mountpoints($1_rssh_t)
+
+	libs_use_ld_so($1_rssh_t)
+	libs_use_shared_libs($1_rssh_t)
+
+	logging_send_syslog_msg($1_rssh_t)
+
+	miscfiles_read_localization($1_rssh_t)
+
+	userdom_use_unpriv_users_fds($1_rssh_t)
+
+	ssh_rw_tcp_sockets($1_rssh_t)
+	ssh_rw_stream_sockets($1_rssh_t)
+
+	optional_policy(`
+		nis_use_ypbind($1_rssh_t)
+	')
+')
+
+########################################
+## <summary>
+##	Transition to all user rssh domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rssh_spec_domtrans_all_users',`
+	gen_require(`
+		attribute rssh_domain_type;
+		type rssh_exec_t;
+	')
+
+	domain_trans($1,rssh_exec_t,rssh_domain_type)
+	allow rssh_domain_type $1:fd use;
+	allow rssh_domain_type $1:fifo_file rw_file_perms;
+	allow rssh_domain_type $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read all users rssh read-only content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rssh_read_all_users_ro_content',`
+	gen_require(`
+		attribute rssh_ro_content_type;
+	')
+
+	allow $1 rssh_ro_content_type:dir r_dir_perms;
+	allow $1 rssh_ro_content_type:file r_file_perms;
+	allow $1 rssh_ro_content_type:lnk_file { getattr read };
+')
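Review bot: rssh_per_userdomain_template attaches its derived types to rssh_exec_t, rssh_domain_type and rssh_ro_content_type (L21045, L21047, L21055) without a gen_require block, unlike screen_per_userdomain_template at L21239-L21241 and the two interfaces below it; if the template is expanded from another module, as the "invoked automatically for each user" description suggests, those names are undeclared in that module and a modular build fails. A gen_require at the top naming attribute rssh_domain_type, attribute rssh_ro_content_type and type rssh_exec_t would mirror the rest of the file. Separately, `domain_user_exemption_target($1_t)` at L21048 targets the user domain rather than `$1_rssh_t` while every other rule in the template targets the derived domain; if that is intended, a one-line comment saying why would stop a later cleanup from "fixing" it. The description's "creates a derived domains" should read "creates derived domains".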
diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te
new file mode 100644
index 0000000..8419801
--- /dev/null
+++ b/policy/modules/apps/rssh.te
@@ -0,0 +1,13 @@
+
+policy_module(rssh,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute rssh_domain_type;
+attribute rssh_ro_content_type;
+
+type rssh_exec_t;
+corecmd_executable_file(rssh_exec_t)
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
new file mode 100644
index 0000000..fa622bc
--- /dev/null
+++ b/policy/modules/apps/screen.fc
@@ -0,0 +1,17 @@
+#
+# /home
+#
+ifdef(`strict_policy',`
+HOME_DIR/\.screenrc		--	gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
+')
+
+#
+# /usr
+#
+/usr/bin/screen			--	gen_context(system_u:object_r:screen_exec_t,s0)
+
+#
+# /var
+#
+/var/run/screens?/S-[^/]+	-d	gen_context(system_u:object_r:screen_dir_t,s0)
+/var/run/screens?/S-[^/]+/.*		<<none>>
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
new file mode 100644
index 0000000..fa61d05
--- /dev/null
+++ b/policy/modules/apps/screen.if
@@ -0,0 +1,200 @@
+## <summary>GNU terminal multiplexer</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the screen module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for screen sessions.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`screen_per_userdomain_template',`
+	gen_require(`
+		type screen_dir_t, screen_exec_t;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_screen_t;
+	domain_type($1_screen_t)
+	domain_entry_file($1_screen_t,screen_exec_t)
+	domain_interactive_fd($1_screen_t)
+	role $3 types $1_screen_t;
+
+	type $1_screen_tmp_t;
+	files_tmp_file($1_screen_tmp_t)
+
+	type $1_screen_ro_home_t;
+	files_type($1_screen_ro_home_t)
+
+	type $1_screen_var_run_t;;
+	files_pid_file($1_screen_var_run_t)
+	
+	########################################
+	#
+	# Local policy
+	#
+
+	allow $1_screen_t self:capability { setuid setgid fsetid };
+	allow $1_screen_t self:process signal_perms;
+	allow $1_screen_t self:tcp_socket create_stream_socket_perms;
+	allow $1_screen_t self:udp_socket create_socket_perms;
+	# Internal screen networking
+	allow $1_screen_t self:fd use;
+	allow $1_screen_t self:unix_stream_socket create_socket_perms;
+	allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+
+	allow $1_screen_t $1_screen_tmp_t:dir create_dir_perms;
+	allow $1_screen_t $1_screen_tmp_t:file create_file_perms;
+	allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms;
+	files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir })
+
+	# Create fifo
+	allow $1_screen_t screen_dir_t:dir rw_dir_perms;
+	allow $1_screen_t screen_dir_t:dir create_dir_perms;
+	allow $1_screen_t $1_screen_var_run_t:fifo_file create_file_perms;
+	type_transition $1_screen_t screen_dir_t:fifo_file $1_screen_var_run_t;
+	files_pid_filetrans($1_screen_t,screen_dir_t,dir)
+
+	allow $1_screen_t $1_screen_ro_home_t:dir r_dir_perms;
+	allow $1_screen_t $1_screen_ro_home_t:file r_file_perms;
+	allow $1_screen_t $1_screen_ro_home_t:lnk_file { read getattr };
+
+	domain_auto_trans($2, screen_exec_t, $1_screen_t)
+	allow $2 $1_screen_t:process signal;
+	allow $1_screen_t $2:process { signal sigchld };
+	allow $1_screen_t $2:fd use;
+	allow $1_screen_t $2:fifo_file rw_file_perms;
+	allow $1_screen_t $1_home_dir_t:dir { search getattr };
+
+	allow $2 $1_screen_ro_home_t:dir create_dir_perms;
+	allow $2 $1_screen_ro_home_t:file create_file_perms;
+	allow $2 $1_screen_ro_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_screen_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+	
+	kernel_read_system_state($1_screen_t)
+	kernel_read_kernel_sysctls($1_screen_t)
+
+	corecmd_list_bin($1_screen_t)
+	corecmd_read_bin_files($1_screen_t)
+	corecmd_read_bin_symlinks($1_screen_t)
+	corecmd_read_bin_pipes($1_screen_t)
+	corecmd_read_bin_sockets($1_screen_t)
+	corecmd_list_sbin($1_screen_t)
+	corecmd_read_sbin_symlinks($1_screen_t)
+	corecmd_read_sbin_files($1_screen_t)
+	corecmd_read_sbin_pipes($1_screen_t)
+	corecmd_read_sbin_sockets($1_screen_t)
+	# Revert to the user domain when a shell is executed.
+	corecmd_shell_domtrans($1_screen_t,$2)
+	corecmd_bin_domtrans($1_screen_t,$2)
+
+	corenet_non_ipsec_sendrecv($1_screen_t)
+	corenet_tcp_sendrecv_generic_if($1_screen_t)
+	corenet_udp_sendrecv_generic_if($1_screen_t)
+	corenet_tcp_sendrecv_all_nodes($1_screen_t)
+	corenet_udp_sendrecv_all_nodes($1_screen_t)
+	corenet_tcp_sendrecv_all_ports($1_screen_t)
+	corenet_udp_sendrecv_all_ports($1_screen_t)
+	corenet_tcp_connect_all_ports($1_screen_t)
+
+	dev_dontaudit_getattr_all_chr_files($1_screen_t)
+	dev_dontaudit_getattr_all_blk_files($1_screen_t)
+	# for SSP
+	dev_read_urand($1_screen_t)
+
+	domain_use_interactive_fds($1_screen_t)
+
+	files_search_tmp($1_screen_t)
+	files_search_home($1_screen_t)
+	files_list_home($1_screen_t)
+	files_read_usr_files($1_screen_t)
+	files_read_etc_files($1_screen_t)
+
+	fs_search_auto_mountpoints($1_screen_t)
+	fs_getattr_xattr_fs($1_screen_t)
+
+	auth_dontaudit_read_shadow($1_screen_t)
+	auth_dontaudit_exec_utempter($1_screen_t)
+
+	# Write to utmp.
+	init_rw_utmp($1_screen_t)
+
+	libs_use_ld_so($1_screen_t)
+	libs_use_shared_libs($1_screen_t)
+
+	logging_send_syslog_msg($1_screen_t)
+
+	miscfiles_read_localization($1_screen_t)
+
+	seutil_read_config($1_screen_t)
+
+	sysnet_read_config($1_screen_t)
+
+	userdom_use_user_terminals($1,$1_screen_t)
+	userdom_create_user_pty($1,$1_screen_t)
+	userdom_user_home_domtrans($1,$1_screen_t,$2)
+	userdom_setattr_user_ptys($1,$1_screen_t)
+
+	tunable_policy(`read_default_t',`
+		files_list_default($1_screen_t)
+		files_read_default_files($1_screen_t)
+		files_read_default_symlinks($1_screen_t)
+		files_read_default_sockets($1_screen_t)
+		files_read_default_pipes($1_screen_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_cifs_domtrans($1_screen_t,$2)
+		fs_read_cifs_symlinks($1_screen_t)
+		fs_list_cifs($1_screen_t)
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_nfs_domtrans($1_screen_t,$2)
+		fs_list_nfs($1_screen_t)
+		fs_read_nfs_symlinks($1_screen_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_screen_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_screen_t)
+	')
+
+	ifdef(`TODO',`
+	# Inherit and use descriptors from gnome-pty-helper.
+	optional_policy(`
+		allow $1_screen_t $1_gph_t:fd use;
+	')
+	') dnl TODO
+')
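Review bot: `type $1_screen_var_run_t;;` at L21260 has a doubled semicolon; the intended statement is `type $1_screen_var_run_t;`. L21298 also reaches into the userdomain module's `$1_home_dir_t` directly with no gen_require, while the rest of the template goes through userdom_* interfaces (L21364-L21367); `userdom_search_user_home_dirs($1,$1_screen_t)`, as thunderbird.if uses, expresses the same access without the cross-module dependency. The `ifdef(`TODO',...)` block at L21397-L21402 is never expanded and references an undeclared `$1_gph_t`, so it should be dropped or reduced to a comment. Lastly, `corenet_tcp_connect_all_ports` at L21329 gives every user's screen session outbound TCP to any port; if this exists only for screen's built-in telnet, a comment saying so (or a tunable gating it) would document the width of the grant.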
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
new file mode 100644
index 0000000..ffec7ab
--- /dev/null
+++ b/policy/modules/apps/screen.te
@@ -0,0 +1,13 @@
+
+policy_module(screen,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type screen_dir_t;
+files_pid_file(screen_dir_t)
+
+type screen_exec_t;
+corecmd_executable_file(screen_exec_t)
diff --git a/policy/modules/apps/slocate.fc b/policy/modules/apps/slocate.fc
new file mode 100644
index 0000000..1951c4b
--- /dev/null
+++ b/policy/modules/apps/slocate.fc
@@ -0,0 +1,2 @@
+/usr/bin/updatedb		--	gen_context(system_u:object_r:locate_exec_t, s0)
+/var/lib/[sm]locate(/.*)?		gen_context(system_u:object_r:locate_var_lib_t,s0)
diff --git a/policy/modules/apps/slocate.if b/policy/modules/apps/slocate.if
new file mode 100644
index 0000000..4abc8b2
--- /dev/null
+++ b/policy/modules/apps/slocate.if
@@ -0,0 +1,21 @@
+## <summary>Update database for mlocate</summary>
+
+########################################
+## <summary>
+##	Create the locate log with append mode.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`slocate_create_append_log',`
+	gen_require(`
+		type locate_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 locate_log_t:dir ra_dir_perms;
+	allow $1 locate_log_t:file { create append getattr };
+')
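Review bot: The interface grants `create` on locate_log_t files (L21456) but adds no type transition, so a log file a caller creates under /var/log inherits the directory's type instead of locate_log_t and the `append` permission granted on the same line never applies to it; slocate.fc (L21429-L21430) labels no locate_log_t directory either. Unless callers are already inside a locate_log_t directory, the interface needs a file transition for $1 to locate_log_t next to the allow rules (the logging module's log-file transition interface, if this policy version provides one). Also the file summary at L21437 says "mlocate" while the module and fc entries cover slocate and mlocate; "Update database for slocate/mlocate" avoids the mismatch.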
diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
new file mode 100644
index 0000000..f5f337d
--- /dev/null
+++ b/policy/modules/apps/slocate.te
@@ -0,0 +1,56 @@
+
+policy_module(slocate,1.1.0)
+
+#################################
+#
+# Declarations
+#
+
+type locate_t;
+type locate_exec_t;
+init_system_domain(locate_t,locate_exec_t)
+
+type locate_log_t;
+logging_log_file(locate_log_t)
+
+type locate_var_lib_t;
+files_type(locate_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow locate_t self:process { execmem execheap execstack };
+allow locate_t self:fifo_file rw_file_perms;
+allow locate_t self:unix_stream_socket create_socket_perms;
+
+allow locate_t locate_var_lib_t:dir create_dir_perms;
+allow locate_t locate_var_lib_t:file create_file_perms;
+
+kernel_read_system_state(locate_t)
+kernel_dontaudit_search_sysctl(locate_t)
+
+corecmd_exec_bin(locate_t)
+
+dev_getattr_all_blk_files(locate_t)
+dev_getattr_all_chr_files(locate_t)
+
+files_list_all(locate_t)
+files_getattr_all_files(locate_t)
+files_read_etc_runtime_files(locate_t)
+files_read_etc_files(locate_t)
+# mls Higher level directories will be refused, so dontaudit
+files_dontaudit_getattr_all_dirs(locate_t)
+
+fs_getattr_xattr_fs(locate_t)
+
+libs_use_shared_libs(locate_t)
+libs_use_ld_so(locate_t)
+
+miscfiles_read_localization(locate_t)
+
+optional_policy(`
+	cron_system_entry(locate_t, locate_exec_t)
+')
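Review bot: `allow locate_t self:process { execmem execheap execstack }` at L21488 lets the updatedb process map writable and executable memory, which removes the W^X protection that limits what a memory-corruption bug in the process can do; for a file-indexing cron job this should be justified by a comment naming the build or library that needs it, or removed until a denial shows it is required. locate_log_t is declared at L21476 but locate_t gets no rule on it anywhere in this file, so unless the log is only ever written by a caller of slocate_create_append_log the type is dead in this module; either add the allow and file transition for locate_t or drop the declaration. The capability set at L21487 together with files_list_all/files_getattr_all_files (L21503-L21504) is expected for a filesystem crawler, but a comment on why chown, fowner and fsetid are needed (presumably for ownership and mode of the generated database) would help the next reviewer.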
diff --git a/policy/modules/apps/thunderbird.fc b/policy/modules/apps/thunderbird.fc
new file mode 100644
index 0000000..cd80a95
--- /dev/null
+++ b/policy/modules/apps/thunderbird.fc
@@ -0,0 +1,8 @@
+#
+# /usr
+#
+/usr/bin/thunderbird.*			--	gen_context(system_u:object_r:thunderbird_exec_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.thunderbird(/.*)?			gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0)
+')
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
new file mode 100644
index 0000000..2e197eb
--- /dev/null
+++ b/policy/modules/apps/thunderbird.if
@@ -0,0 +1,361 @@
+## <summary>Thunderbird email client</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the thunderbird module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is used
+##	for the thunderbird email client.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`thunderbird_per_userdomain_template',`
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_thunderbird_t;
+	domain_type($1_thunderbird_t)
+	domain_entry_file($1_thunderbird_t,thunderbird_exec_t)
+	role $3 types $1_thunderbird_t;
+
+	type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
+	files_poly_member($1_thunderbird_home_t)
+
+	type $1_thunderbird_tmpfs_t;
+	files_tmpfs_file($1_thunderbird_tmpfs_t)
+	
+	########################################
+	#
+	# Local policy
+	#
+
+	allow $1_thunderbird_t self:capability sys_nice;
+	allow $1_thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
+	allow $1_thunderbird_t self:fifo_file { ioctl read write getattr };
+	allow $1_thunderbird_t self:unix_dgram_socket { create connect };
+	allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
+	allow $1_thunderbird_t self:tcp_socket create_socket_perms;
+	allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
+
+	# Access ~/.thunderbird
+	allow $1_thunderbird_t $1_thunderbird_home_t:dir manage_dir_perms;
+	allow $1_thunderbird_t $1_thunderbird_home_t:file manage_file_perms;
+	allow $1_thunderbird_t $1_thunderbird_home_t:lnk_file create_lnk_perms;
+	userdom_search_user_home_dirs($1,$1_thunderbird_t)
+
+	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:dir rw_dir_perms;
+	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:file manage_file_perms;
+	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:sock_file manage_file_perms;
+	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $2 $1_thunderbird_t:fd use;
+	allow $2 $1_thunderbird_t:shm { associate getattr };
+	allow $2 $1_thunderbird_t:unix_stream_socket connectto;
+	allow $1_thunderbird_t $2:fd use;
+	allow $1_thunderbird_t $2:process sigchld;
+	allow $1_thunderbird_t $2:unix_stream_socket connectto;
+
+	# Allow the user domain to signal/ps.
+	allow $2 $1_thunderbird_t:dir { search getattr read };
+	allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
+	allow $2 $1_thunderbird_t:process getattr;
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $2 $1_thunderbird_t:process ptrace;
+
+	# Access ~/.thunderbird
+	allow $2 $1_thunderbird_home_t:dir manage_dir_perms;
+	allow $2 $1_thunderbird_home_t:file manage_file_perms;
+	allow $2 $1_thunderbird_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_thunderbird_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+	
+	# Allow netstat
+	kernel_read_network_state($1_thunderbird_t)
+	
+	corecmd_exec_shell($1_thunderbird_t)
+	# Startup shellscript
+	corecmd_exec_bin($1_thunderbird_t)
+
+	corenet_non_ipsec_sendrecv($1_thunderbird_t)
+	corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
+	corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
+	corenet_tcp_sendrecv_ipp_port($1_thunderbird_t)
+	corenet_tcp_sendrecv_ldap_port($1_thunderbird_t)
+	corenet_tcp_sendrecv_innd_port($1_thunderbird_t)
+	corenet_tcp_sendrecv_smtp_port($1_thunderbird_t)
+	corenet_tcp_sendrecv_pop_port($1_thunderbird_t)
+	corenet_tcp_sendrecv_http_port($1_thunderbird_t)
+	corenet_tcp_connect_ipp_port($1_thunderbird_t)
+	corenet_tcp_connect_ldap_port($1_thunderbird_t)
+	corenet_tcp_connect_innd_port($1_thunderbird_t)
+	corenet_tcp_connect_smtp_port($1_thunderbird_t)
+	corenet_tcp_connect_pop_port($1_thunderbird_t)
+	corenet_tcp_connect_http_port($1_thunderbird_t)
+	corenet_sendrecv_ipp_client_packets($1_thunderbird_t)
+	corenet_sendrecv_ldap_client_packets($1_thunderbird_t)
+	corenet_sendrecv_innd_client_packets($1_thunderbird_t)
+	corenet_sendrecv_smtp_client_packets($1_thunderbird_t)
+	corenet_sendrecv_pop_client_packets($1_thunderbird_t)
+	corenet_sendrecv_http_client_packets($1_thunderbird_t)
+
+	files_list_tmp($1_thunderbird_t)
+	files_read_usr_files($1_thunderbird_t)
+	files_read_etc_files($1_thunderbird_t)
+
+	fs_getattr_xattr_fs($1_thunderbird_t)
+	# Access ~/.thunderbird
+	fs_search_auto_mountpoints($1_thunderbird_t)
+	
+	libs_use_shared_libs($1_thunderbird_t)
+	libs_use_ld_so($1_thunderbird_t)
+
+	miscfiles_read_fonts($1_thunderbird_t)
+
+	sysnet_read_config($1_thunderbird_t)
+	# Allow DNS
+	sysnet_dns_name_resolve($1_thunderbird_t)
+
+	userdom_manage_user_tmp_dirs($1,$1_thunderbird_t)
+	userdom_read_user_tmp_files($1,$1_thunderbird_t)
+	userdom_write_user_tmp_sockets($1,$1_thunderbird_t)
+	userdom_manage_user_tmp_sockets($1,$1_thunderbird_t)
+	# .kde/....gtkrc
+	userdom_read_user_home_content_files($1,$1_thunderbird_t)
+
+	xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t)
+	
+	# Transition from user type
+	tunable_policy(`! disable_thunderbird_trans',`
+		domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
+	')
+
+	# Access ~/.thunderbird
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_thunderbird_t)
+		fs_manage_nfs_files($1_thunderbird_t)
+		fs_manage_nfs_symlinks($1_thunderbird_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_thunderbird_t)
+		fs_manage_cifs_files($1_thunderbird_t)
+		fs_manage_cifs_symlinks($1_thunderbird_t)
+	')
+
+	tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+		files_list_home($1_thunderbird_t)
+
+		fs_list_auto_mountpoints($1_thunderbird_t)
+		fs_read_nfs_files($1_thunderbird_t)
+		fs_read_nfs_symlinks($1_thunderbird_t)
+	',`
+		files_dontaudit_list_home($1_thunderbird_t)
+
+		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
+		fs_dontaudit_list_nfs($1_thunderbird_t)
+		fs_dontaudit_read_nfs_files($1_thunderbird_t)
+	')
+
+	tunable_policy(`mail_read_content && use_samba_home_dirs',`
+		files_list_home($1_thunderbird_t)
+
+		fs_list_auto_mountpoints($1_thunderbird_t)
+		fs_read_cifs_files($1_thunderbird_t)
+		fs_read_cifs_symlinks($1_thunderbird_t)
+	',`
+		files_dontaudit_list_home($1_thunderbird_t)
+
+		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
+		fs_dontaudit_read_cifs_files($1_thunderbird_t)
+		fs_dontaudit_list_cifs($1_thunderbird_t)
+	')
+	
+	tunable_policy(`mail_read_content',`
+		userdom_list_user_tmp($1,$1_thunderbird_t)
+		userdom_read_user_tmp_files($1,$1_thunderbird_t)
+		userdom_read_user_tmp_symlinks($1,$1_thunderbird_t)
+		userdom_search_user_home_dirs($1,$1_thunderbird_t)
+		userdom_read_user_home_content_files($1,$1_thunderbird_t)
+		userdom_read_user_home_content_symlinks($1,$1_thunderbird_t)
+		
+		ifndef(`enable_mls',`
+			fs_search_removable($1_thunderbird_t)
+			fs_read_removable_files($1_thunderbird_t)
+			fs_read_removable_symlinks($1_thunderbird_t)
+		')
+	',`
+		files_dontaudit_list_tmp($1_thunderbird_t)
+		files_dontaudit_list_home($1_thunderbird_t)
+
+		fs_dontaudit_list_removable($1_thunderbird_t)
+		fs_dontaudit_read_removable_files($1_thunderbird_t)
+
+		userdom_dontaudit_list_user_tmp($1,$1_thunderbird_t)
+		userdom_dontaudit_read_user_tmp_files($1,$1_thunderbird_t)
+		userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t)
+		userdom_dontaudit_read_user_home_content_files($1,$1_thunderbird_t)
+	')
+	
+	tunable_policy(`mail_read_content && read_default_t',`
+		files_list_default($1_thunderbird_t)
+		files_read_default_files($1_thunderbird_t)
+		files_read_default_symlinks($1_thunderbird_t)
+	',`
+		files_dontaudit_read_default_files($1_thunderbird_t)
+		files_dontaudit_list_default($1_thunderbird_t)
+	')
+	
+	tunable_policy(`mail_read_content && read_untrusted_content',`
+		files_list_tmp($1_thunderbird_t)
+		files_list_home($1_thunderbird_t)
+
+		userdom_search_user_home_dirs($1,$1_thunderbird_t)
+		userdom_list_user_untrusted_content($1,$1_thunderbird_t)
+		userdom_read_user_untrusted_content_files($1,$1_thunderbird_t)
+		userdom_read_user_untrusted_content_symlinks($1,$1_thunderbird_t)
+		userdom_list_user_tmp_untrusted_content($1,$1_thunderbird_t)
+		userdom_read_user_tmp_untrusted_content_files($1,$1_thunderbird_t)
+		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_thunderbird_t)
+	',`
+		files_dontaudit_list_tmp($1_thunderbird_t)
+		files_dontaudit_list_home($1_thunderbird_t)
+
+		userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t)
+		userdom_dontaudit_list_user_untrusted_content($1,$1_thunderbird_t)
+		userdom_dontaudit_read_user_untrusted_content_files($1,$1_thunderbird_t)
+		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_thunderbird_t)
+		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_thunderbird_t)
+	')
+
+	# Manage nfs homedirs
+	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
+		files_search_home($1_thunderbird_t)
+
+		fs_search_auto_mountpoints($1_thunderbird_t)
+		fs_manage_nfs_dirs($1_thunderbird_t)
+		fs_manage_nfs_files($1_thunderbird_t)
+		fs_manage_nfs_symlinks($1_thunderbird_t)
+	',`
+		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
+		fs_dontaudit_manage_nfs_dirs($1_thunderbird_t)
+		fs_dontaudit_manage_nfs_files($1_thunderbird_t)
+	')
+	
+	# Manage samba homedirs
+	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
+		files_search_home($1_thunderbird_t)
+
+		fs_search_auto_mountpoints($1_thunderbird_t)
+		fs_manage_cifs_dirs($1_thunderbird_t)
+		fs_manage_cifs_files($1_thunderbird_t)
+		fs_manage_cifs_symlinks($1_thunderbird_t)
+	',`
+		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
+		fs_dontaudit_manage_cifs_dirs($1_thunderbird_t)
+		fs_dontaudit_manage_cifs_files($1_thunderbird_t)
+	')
+	
+	# Manage /tmp and /home
+	tunable_policy(`write_untrusted_content',`
+		files_search_home($1_thunderbird_t)
+		files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,file)
+		files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,dir)
+
+		userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,file)
+		userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,dir)
+	',`
+		files_dontaudit_list_home($1_thunderbird_t)
+		files_dontaudit_list_tmp($1_thunderbird_t)
+
+		userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t)
+		userdom_dontaudit_manage_user_tmp_dirs($1,$1_thunderbird_t)
+		userdom_dontaudit_manage_user_tmp_files($1,$1_thunderbird_t)
+		userdom_dontaudit_manage_user_home_content_dirs($1,$1_thunderbird_t)
+	')
+
+	optional_policy(`
+		dbus_system_bus_client_template($1_thunderbird,$1_thunderbird_t)
+		dbus_user_bus_client_template($1,$1_thunderbird,$1_thunderbird_t)
+		dbus_send_system_bus($1_thunderbird_t)
+		dbus_send_user_bus($1,$1_thunderbird_t)
+	')
+
+	optional_policy(`
+		lpd_domtrans_user_lpr($1,$1_thunderbird_t)
+	')
+
+	optional_policy(`
+		cups_read_rw_config($1_thunderbird_t)
+	')
+
+	optional_policy(`
+		gpg_domtrans_user_gpg($1,$1_thunderbird_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_thunderbird_t)
+	')
+
+	ifdef(`TODO',`
+		# FIXME: Rules were removed to centralize policy in a gnome_app macro
+		# A similar thing might be necessary for mozilla compiled without GNOME
+		# support (is this possible?).
+
+		# FIXME: Why does it try to do that?
+		#dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
+
+		# Why is thunderbird looking in .mozilla ?
+		# FIXME: there are legitimate uses of invoking the browser - about -> release notes
+		dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search;
+
+		# Start links in web browser
+		ifdef(`mozilla.te', `
+			can_exec($1_thunderbird_t, shell_exec_t)
+			domain_auto_trans($1_thunderbird_t, mozilla_exec_t, $1_mozilla_t)
+		')
+
+		# GNOME support
+		optional_policy(`
+			gnome_application($1_thunderbird, $1)
+			gnome_file_dialog($1_thunderbird, $1)
+			allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
+		')
+		optinal_policy(`dbus',`
+			allow $1_t $2_dbusd_t:dbus send_msg;
+			ifdef(`cups.te', `
+				allow cupsd_t $1_t:dbus send_msg;
+			')
+		')
+
+	')
+')
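Review bot: The `mail_read_content` gate is ineffective for user tmp files and user home content: `userdom_read_user_tmp_files` (L21688) and `userdom_read_user_home_content_files` (L21692) are granted unconditionally, so the same calls inside the tunable at L21744 and L21747 add nothing and the dontaudit rules in the else branch (L21763, L21765) can never have an effect because an allow already exists. If the ".kde/....gtkrc" read at L21692 is needed regardless of the tunable, it should be narrowed to that specific content type; otherwise L21688 and L21692 belong inside the `mail_read_content` branch. L21830-L21831 also use the userdomain module's `$1_untrusted_content_tmp_t` directly without gen_require, while the comparable rssh and screen templates go through userdom_* interfaces. The `ifdef(`TODO',...)` block at L21868-L21899 is never expanded and contains an `optinal_policy` typo (L21892) plus references to undeclared types; dropping it keeps the template free of dead rules.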
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
new file mode 100644
index 0000000..d224cd8
--- /dev/null
+++ b/policy/modules/apps/thunderbird.te
@@ -0,0 +1,10 @@
+
+policy_module(thunderbird,1.0.3)
+
+########################################
+#
+# Declarations
+#
+
+type thunderbird_exec_t;
+corecmd_executable_file(thunderbird_exec_t)
diff --git a/policy/modules/apps/tvtime.fc b/policy/modules/apps/tvtime.fc
new file mode 100644
index 0000000..8698a61
--- /dev/null
+++ b/policy/modules/apps/tvtime.fc
@@ -0,0 +1,5 @@
+#
+# /usr
+#
+/usr/bin/tvtime		--	gen_context(system_u:object_r:tvtime_exec_t,s0)
+
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
new file mode 100644
index 0000000..4a6899b
--- /dev/null
+++ b/policy/modules/apps/tvtime.if
@@ -0,0 +1,148 @@
+## <summary> tvtime - a high quality television application </summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the tvtime module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for tvtime.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`tvtime_per_userdomain_template',`
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_tvtime_t;
+	domain_type($1_tvtime_t)
+	domain_entry_file($1_tvtime_t,tvtime_exec_t)
+	role $3 types $1_tvtime_t;
+
+	type $1_tvtime_home_t alias $1_tvtime_rw_t;
+	userdom_user_home_content($1,$1_tvtime_home_t)
+	files_poly_member($1_tvtime_home_t)
+
+	type $1_tvtime_tmp_t;
+	files_tmp_file($1_tvtime_tmp_t)
+
+	type $1_tvtime_tmpfs_t;
+	files_tmpfs_file($1_tvtime_tmpfs_t)
+	
+	########################################
+	#
+	# Local policy
+	#
+
+	allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
+	allow $1_tvtime_t self:process setsched;
+	allow $1_tvtime_t self:unix_dgram_socket rw_socket_perms;
+	allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+
+	# X access, Home files
+	allow $1_tvtime_t $1_tvtime_home_t:dir manage_dir_perms;
+	allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms;
+	allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms;
+	type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t;
+	userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir)
+
+	allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
+	allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
+
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	# Type transition
+	domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
+	allow $2 $1_tvtime_t:fd use;
+	allow $1_tvtime_t $2:fd use;
+	allow $1_tvtime_t $2:fifo_file rw_file_perms;
+	allow $1_tvtime_t $2:process sigchld;
+
+	# X access, Home files
+	allow $2 $1_tvtime_home_t:dir manage_dir_perms;
+	allow $2 $1_tvtime_home_t:file manage_file_perms;
+	allow $2 $1_tvtime_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_tvtime_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+	# Allow the user domain to signal/ps.
+	allow $2 $1_tvtime_t:dir { search getattr read };
+	allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
+	allow $2 $1_tvtime_t:process getattr;
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $2 $1_tvtime_t:process ptrace;
+	allow $2 $1_tvtime_t:process signal_perms;
+	
+	kernel_read_all_sysctls($1_tvtime_t)
+	kernel_get_sysvipc_info($1_tvtime_t)
+
+	dev_read_urand($1_tvtime_t)
+	dev_read_realtime_clock($1_tvtime_t)
+	dev_read_sound($1_tvtime_t)
+
+	files_read_usr_files($1_tvtime_t)
+	files_search_pids($1_tvtime_t)
+	# Read /etc/tvtime
+	files_read_etc_files($1_tvtime_t)
+
+	# X access, Home files
+	fs_search_auto_mountpoints($1_tvtime_t)
+	
+	libs_use_ld_so($1_tvtime_t)
+	libs_use_shared_libs($1_tvtime_t)
+
+	miscfiles_read_localization($1_tvtime_t)
+	miscfiles_read_fonts($1_tvtime_t)
+
+	userdom_use_user_terminals($1,$1_tvtime_t)
+	userdom_read_user_home_content_files($1,$1_tvtime_t)
+	
+	# X access, Home files
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_tvtime_t)
+		fs_manage_nfs_files($1_tvtime_t)
+		fs_manage_nfs_symlinks($1_tvtime_t)
+	')
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_tvtime_t)
+		fs_manage_cifs_files($1_tvtime_t)
+		fs_manage_cifs_symlinks($1_tvtime_t)
+	')
+
+	optional_policy(`
+		xserver_user_client_template($1,$1_tvtime_t,$1_tvtime_tmpfs_t)
+	')
+')
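Review bot: `type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t;` at L22004 duplicates the `userdom_user_home_dir_filetrans` call on the next line and reaches into the userdomain module's `$1_home_dir_t` without a gen_require; the raw rule should be dropped. The tmpfs rules at L22011-L22015 spell out permission sets by hand where thunderbird.if (L21611-L21615) uses `rw_dir_perms`, `manage_file_perms` and `create_lnk_perms` for the same pattern; using the macros keeps the two templates consistent and makes the width of the grant easy to read. `capability { setuid sys_nice sys_resource }` at L21995 together with `setsched` at L21996 is presumably for tvtime's setuid-root realtime scheduling setup; a comment saying so would keep a later maintainer from dropping or widening it blindly.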
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
new file mode 100644
index 0000000..407a6a5
--- /dev/null
+++ b/policy/modules/apps/tvtime.te
@@ -0,0 +1,13 @@
+
+policy_module(tvtime,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type tvtime_exec_t;
+corecmd_executable_file(tvtime_exec_t)
+
+type tvtime_dir_t;
+files_pid_file(tvtime_dir_t)
diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc
new file mode 100644
index 0000000..2a4afa0
--- /dev/null
+++ b/policy/modules/apps/uml.fc
@@ -0,0 +1,13 @@
+#
+# /usr
+#
+/usr/bin/uml_switch	--	gen_context(system_u:object_r:uml_switch_exec_t,s0)
+
+#
+# /var
+#
+/var/run/uml-utilities(/.*)?	gen_context(system_u:object_r:uml_switch_var_run_t,s0)
+
+ifdef(`strict_policy',`
+	HOME_DIR/\.uml(/.*)?		gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
+')
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
new file mode 100644
index 0000000..abc568f
--- /dev/null
+++ b/policy/modules/apps/uml.if
@@ -0,0 +1,260 @@
+## <summary>Policy for UML</summary>
+	
+#######################################
+## <summary>
+##	The per user domain template for the uml module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for uml program.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`uml_per_userdomain_template',`
+	
+	########################################
+	#
+	# Declarations
+	#
+	type $1_uml_t;
+	domain_type($1_uml_t)
+	role $3 types $1_uml_t;
+
+	type $1_uml_exec_t;
+	domain_entry_file($1_uml_t,$1_uml_exec_t)
+
+	type $1_uml_ro_t;
+	files_type($1_uml_ro_t)
+
+	type $1_uml_rw_t;
+	files_type($1_uml_rw_t)
+
+	type $1_uml_tmp_t;
+	files_tmp_file($1_uml_tmp_t)
+
+	type $1_uml_tmpfs_t;
+	files_tmpfs_file($1_uml_tmpfs_t)
+
+	type $1_uml_devpts_t;
+	term_pty($1_uml_devpts_t)
+
+	########################################
+	#
+	# Local policy
+	#
+	allow $1_uml_t self:fifo_file rw_file_perms;
+	allow $1_uml_t self:process { signal_perms ptrace };
+	allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_uml_t self:unix_dgram_socket create_socket_perms;
+	# Use the network.
+	allow $1_uml_t self:tcp_socket create_stream_socket_perms;
+	allow $1_uml_t self:udp_socket create_socket_perms;
+
+	allow $1_uml_t $2:process sigchld;
+	allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append };
+
+	# allow the UML thing to happen
+	allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
+	term_create_pty($1_uml_t,$1_uml_devpts_t)
+
+	allow $1_uml_t $1_uml_tmp_t:dir create_dir_perms;
+	allow $1_uml_t $1_uml_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir })
+	can_exec($1_uml_t, $1_uml_tmp_t)
+
+	allow $1_uml_t $1_uml_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_uml_t $1_uml_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_uml_t $1_uml_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_uml_t $1_uml_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_uml_t $1_uml_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+	can_exec($1_uml_t, $1_uml_tmpfs_t)
+
+	# access config files
+	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir r_dir_perms;
+	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:file r_file_perms;
+	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:lnk_file { getattr read };
+
+	allow $1_uml_t $1_uml_rw_t:dir create_dir_perms;
+	allow $1_uml_t $1_uml_rw_t:file create_file_perms;
+	allow $1_uml_t $1_uml_rw_t:lnk_file create_lnk_perms;
+	allow $1_uml_t $1_uml_rw_t:sock_file create_file_perms;
+	allow $1_uml_t $1_uml_rw_t:fifo_file create_file_perms;
+	userdom_user_home_dir_filetrans($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file })
+
+	allow $2 uml_ro_t:dir r_dir_perms;
+	allow $2 uml_ro_t:file r_file_perms;
+	allow $2 uml_ro_t:lnk_file { getattr read };
+
+	allow $2 { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
+	allow $2 { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
+	allow $2 { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
+	allow $2 $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
+
+	allow $2 $1_uml_t:process ptrace;
+	allow $2 $1_uml_t:process signal_perms;
+
+	# allow ps, ptrace, signal
+	allow $2 $1_uml_t:dir { search getattr read };
+	allow $2 $1_uml_t:{ file lnk_file } { read getattr };
+	allow $2 $1_uml_t:process getattr;
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $2 $1_uml_t:process ptrace;
+
+	allow $2 $1_uml_tmp_t:dir create_dir_perms;
+	allow $2 $1_uml_tmp_t:file create_file_perms;
+	allow $2 $1_uml_tmp_t:lnk_file create_lnk_perms;
+	allow $2 $1_uml_tmp_t:sock_file create_file_perms;
+
+	# Transition from the user domain to this domain.
+	domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
+	can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
+
+	# for mconsole
+	allow { $2 $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
+	allow $1_uml_t $2:unix_dgram_socket sendto;
+	
+	kernel_read_system_state($1_uml_t)
+	# for SKAS - need something better
+	kernel_write_proc_files($1_uml_t)
+
+	# for xterm
+	corecmd_exec_bin($1_uml_t)
+	corecmd_exec_sbin($1_uml_t)
+
+	corenet_non_ipsec_sendrecv($1_uml_t)
+	corenet_tcp_sendrecv_generic_if($1_uml_t)
+	corenet_udp_sendrecv_generic_if($1_uml_t)
+	corenet_tcp_sendrecv_all_nodes($1_uml_t)
+	corenet_udp_sendrecv_all_nodes($1_uml_t)
+	corenet_tcp_sendrecv_all_ports($1_uml_t)
+	corenet_udp_sendrecv_all_ports($1_uml_t)
+	corenet_tcp_connect_all_ports($1_uml_t)
+	corenet_sendrecv_all_client_packets($1_uml_t)
+	corenet_rw_tun_tap_dev($1_uml_t)
+	
+	domain_use_interactive_fds($1_uml_t)
+
+	# for xterm
+	files_read_etc_files($1_uml_t)
+	files_dontaudit_read_etc_runtime_files($1_uml_t)
+	# putting uml data under /var is usual...
+	files_search_var($1_uml_t)
+
+	fs_getattr_xattr_fs($1_uml_t)
+
+	init_read_utmp($1_uml_t)
+	init_dontaudit_write_utmp($1_uml_t)
+
+	# for xterm
+	libs_use_ld_so($1_uml_t)
+	libs_use_shared_libs($1_uml_t)
+	libs_exec_lib_files($1_uml_t)
+
+	# Inherit and use descriptors from newrole.
+	seutil_use_newrole_fds($1_uml_t)
+
+	# Use the network.
+	sysnet_read_config($1_uml_t)
+
+	userdom_use_user_terminals($1,$1_uml_t)
+
+	optional_policy(`
+		nis_use_ypbind($1_uml_t)
+	')
+
+	optional_policy(`
+		ssh_tcp_connect($1_uml_t)
+	')
+	
+	ifdef(`TODO',`
+		# for X
+		optional_policy(`
+			ifelse($1, sysadm,`
+			',`
+				optional_policy(`
+					allow $1_uml_t xdm_xserver_tmp_t:dir search;
+				')
+				allow $1_uml_t $1_xserver_tmp_t:sock_file write;
+				allow $1_uml_t $1_xserver_t:unix_stream_socket connectto;
+			')
+		')
+
+		optional_policy(`
+			# for uml_net
+			domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
+			allow uml_net_t $1_uml_t:unix_stream_socket { read write };
+			allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
+			dontaudit uml_net_t privfd:fd use;
+			can_access_pty(uml_net_t, $1_uml)
+			dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
+		')
+		#TODO
+		optional_policy(`
+			allow $1_uml_t $1_xauth_home_t:file { getattr read };
+		')
+	')
+')
+
+########################################
+## <summary>
+##	Set attributes on uml utility socket files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uml_setattr_util_sockets',`
+	gen_require(`
+		type uml_switch_var_run_t;
+	')
+
+	allow $1 uml_switch_var_run_t:sock_file setattr;
+')
+
+########################################
+## <summary>
+##	Manage uml utility files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uml_manage_util_files',`
+	gen_require(`
+		type uml_switch_var_run_t;
+	')
+
+	allow $1 uml_switch_var_run_t:dir rw_dir_perms;
+	allow $1 uml_switch_var_run_t:file create_file_perms;
+	allow $1 uml_switch_var_run_t:lnk_file create_lnk_perms;
+')
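Review bot: `allow $2 $1_uml_t:process ptrace;` at L22241 makes the `dontaudit $2 $1_uml_t:process ptrace;` at L22252 dead — the comment above L22252 says the procps denial on /proc/pid/environ is meant to be silently suppressed, but an allow of the same permission means there is no denial to suppress and the user domain can actually trace its UML process. The tvtime template earlier in this commit only dontaudits the same check, so unless tracing UML from the user domain is intended, drop L22241 and keep the dontaudit, with a comment stating which behaviour is wanted. Separately, `kernel_write_proc_files($1_uml_t)` at L22269 is tagged "need something better"; the comment should name the /proc file SKAS mode writes so a narrower interface can replace the blanket write later.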
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
new file mode 100644
index 0000000..4b63b59
--- /dev/null
+++ b/policy/modules/apps/uml.te
@@ -0,0 +1,76 @@
+
+policy_module(uml,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type uml_exec_t;
+corecmd_executable_file(uml_exec_t)
+
+type uml_ro_t;
+files_type(uml_ro_t)
+
+type uml_switch_t;
+type uml_switch_exec_t;
+init_daemon_domain(uml_switch_t,uml_switch_exec_t)
+
+type uml_switch_var_run_t;
+files_pid_file(uml_switch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit uml_switch_t self:capability sys_tty_config;
+allow uml_switch_t self:process signal_perms;
+allow uml_switch_t self:unix_dgram_socket create_socket_perms;
+allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
+
+allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
+allow uml_switch_t uml_switch_var_run_t:file create_file_perms;
+allow uml_switch_t uml_switch_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(uml_switch_t,uml_switch_var_run_t,file)
+
+kernel_read_kernel_sysctls(uml_switch_t)
+kernel_list_proc(uml_switch_t)
+kernel_read_proc_symlinks(uml_switch_t)
+
+dev_read_sysfs(uml_switch_t)
+
+domain_use_interactive_fds(uml_switch_t)
+
+fs_getattr_all_fs(uml_switch_t)
+fs_search_auto_mountpoints(uml_switch_t)
+
+term_dontaudit_use_console(uml_switch_t)
+
+init_use_fds(uml_switch_t)
+init_use_script_ptys(uml_switch_t)
+
+libs_use_ld_so(uml_switch_t)
+libs_use_shared_libs(uml_switch_t)
+
+logging_send_syslog_msg(uml_switch_t)
+
+miscfiles_read_localization(uml_switch_t)
+
+userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
+userdom_dontaudit_search_sysadm_home_dirs(uml_switch_t)
+
+ifdef(`targeted_policy',`
+	files_dontaudit_read_root_files(uml_switch_t)
+
+	term_dontaudit_use_unallocated_ttys(uml_switch_t)
+	term_dontaudit_use_generic_ptys(uml_switch_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(uml_switch_t)
+')
+
+optional_policy(`
+	udev_read_db(uml_switch_t)
+')
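Review bot: `files_pid_filetrans(uml_switch_t,uml_switch_var_run_t,file)` at L22426 covers only the `file` class, while L22423 and L22425 also allow the daemon to create `sock_file` and `dir` objects of that type and uml.fc labels `/var/run/uml-utilities(/.*)?` as `uml_switch_var_run_t`. If uml_switch creates its socket or directory directly under /var/run rather than inside an already-labelled directory, the object would get the generic pid type instead; presumably the directory comes from packaging, but if not, the call should read `files_pid_filetrans(uml_switch_t,uml_switch_var_run_t,{ file sock_file dir })`.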
diff --git a/policy/modules/apps/userhelper.fc b/policy/modules/apps/userhelper.fc
new file mode 100644
index 0000000..0cd9dc4
--- /dev/null
+++ b/policy/modules/apps/userhelper.fc
@@ -0,0 +1,9 @@
+#
+# /etc
+#
+/etc/security/console.apps(/.*)?		gen_context(system_u:object_r:userhelper_conf_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
new file mode 100644
index 0000000..7447019
--- /dev/null
+++ b/policy/modules/apps/userhelper.if
@@ -0,0 +1,293 @@
+## <summary>SELinux utility to run a shell with a new role</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the userhelper module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for userhelper.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`userhelper_per_userdomain_template',`
+	gen_require(`
+		type userhelper_exec_t, userhelper_conf_t;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_userhelper_t;
+	domain_type($1_userhelper_t)
+	domain_entry_file($1_userhelper_t,userhelper_exec_t)
+	domain_role_change_exemption($1_userhelper_t)
+	domain_obj_id_change_exemption($1_userhelper_t)
+	domain_interactive_fd($1_userhelper_t)
+	domain_subj_id_change_exemption($1_userhelper_t)
+	role system_r types $1_userhelper_t;
+	
+	########################################
+	#
+	# Local policy
+	#
+	allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+	allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_userhelper_t self:fd use;
+	allow $1_userhelper_t self:fifo_file rw_file_perms;
+	allow $1_userhelper_t self:shm create_shm_perms;
+	allow $1_userhelper_t self:sem create_sem_perms;
+	allow $1_userhelper_t self:msgq create_msgq_perms;
+	allow $1_userhelper_t self:msg { send receive };
+	allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
+	allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_userhelper_t self:unix_dgram_socket sendto;
+	allow $1_userhelper_t self:unix_stream_socket connectto;
+	allow $1_userhelper_t self:sock_file r_file_perms;
+
+	#Transition to the derived domain.
+	domain_auto_trans($2,userhelper_exec_t,$1_userhelper_t)
+	allow $2 $1_userhelper_t:fd use;
+	allow $1_userhelper_t $2:fd use;
+	allow $1_userhelper_t $2:fifo_file rw_file_perms;
+	allow $1_userhelper_t $2:process sigchld;
+
+	allow $1_userhelper_t self:process setexec;
+
+	allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
+	allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+
+	can_exec($1_userhelper_t, userhelper_exec_t)
+
+	dontaudit $2 $1_userhelper_t:process signal;
+	
+	kernel_read_all_sysctls($1_userhelper_t)
+	kernel_getattr_debugfs($1_userhelper_t)
+	kernel_read_system_state($1_userhelper_t)
+
+	# Execute shells
+	corecmd_exec_shell($1_userhelper_t)
+	# By default, revert to the calling domain when a program is executed
+	corecmd_bin_domtrans($1_userhelper_t,$2)
+	corecmd_sbin_domtrans($1_userhelper_t,$2)
+
+	# Inherit descriptors from the current session.
+	domain_use_interactive_fds($1_userhelper_t)
+	# for when the user types "exec userhelper" at the command line
+	domain_sigchld_interactive_fds($1_userhelper_t)
+
+	dev_read_urand($1_userhelper_t)
+	# Read /dev directories and any symbolic links.
+	dev_list_all_dev_nodes($1_userhelper_t)
+
+	files_list_var_lib($1_userhelper_t)
+	# Write to utmp.
+	files_pid_filetrans($1_userhelper_t,initrc_var_run_t,file)
+	# Read the /etc/security/default_type file
+	files_read_etc_files($1_userhelper_t)
+	# Read /var.
+	files_read_var_files($1_userhelper_t)
+	files_read_var_symlinks($1_userhelper_t)
+	# for some PAM modules and for cwd
+	files_search_home($1_userhelper_t)
+
+	fs_search_auto_mountpoints($1_userhelper_t)
+	fs_read_nfs_files($1_userhelper_t)
+	fs_read_nfs_symlinks($1_userhelper_t)
+
+	# Allow $1_userhelper to obtain contexts to relabel TTYs
+	selinux_get_fs_mount($1_userhelper_t)
+	selinux_validate_context($1_userhelper_t)
+	selinux_compute_access_vector($1_userhelper_t)
+	selinux_compute_create_context($1_userhelper_t)
+	selinux_compute_relabel_context($1_userhelper_t)
+	selinux_compute_user_contexts($1_userhelper_t)
+
+	# Read the devpts root directory.
+	term_list_ptys($1_userhelper_t)
+	# Relabel terminals.
+	term_relabel_all_user_ttys($1_userhelper_t)
+	term_relabel_all_user_ptys($1_userhelper_t)
+	# Access terminals.
+	term_use_all_user_ttys($1_userhelper_t)
+	term_use_all_user_ptys($1_userhelper_t)
+
+	auth_domtrans_chk_passwd($1_userhelper_t)
+	auth_manage_pam_pid($1_userhelper_t)
+	auth_manage_var_auth($1_userhelper_t)
+	auth_search_pam_console_data($1_userhelper_t)
+
+	# Inherit descriptors from the current session.
+	init_use_fds($1_userhelper_t)
+	# Write to utmp.
+	init_manage_utmp($1_userhelper_t)
+
+	libs_use_ld_so($1_userhelper_t)
+	libs_use_shared_libs($1_userhelper_t)
+
+	miscfiles_read_localization($1_userhelper_t)
+
+	seutil_read_config($1_userhelper_t)
+	seutil_read_default_contexts($1_userhelper_t)
+
+	userdom_use_unpriv_users_fds($1_userhelper_t)
+	# Allow $1_userhelper_t to transition to user domains.
+	userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
+	userdom_sbin_spec_domtrans_unpriv_users($1_userhelper_t)
+	userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
+
+	ifdef(`distro_redhat',`
+		optional_policy(`
+			# Allow transitioning to rpm_t, for up2date
+			rpm_domtrans($1_userhelper_t)
+		')
+	')
+
+	tunable_policy(`! secure_mode',`
+		#if we are not in secure mode then we can transition to sysadm_t
+		userdom_bin_spec_domtrans_sysadm($1_userhelper_t)
+		userdom_sbin_spec_domtrans_sysadm($1_userhelper_t)
+		userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
+	')
+	
+	optional_policy(`
+		ethereal_domtrans_user_ethereal($1,$1_userhelper_t)
+	')
+
+	optional_policy(`
+		logging_send_syslog_msg($1_userhelper_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_userhelper_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_userhelper_t)
+	')
+
+	ifdef(`TODO',`
+		allow $1_userhelper_t xdm_t:fd use;
+		allow $1_userhelper_t xdm_var_run_t:dir search;
+		allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl };
+
+		optional_policy(`
+			allow $1_userhelper_t gphdomain:fd use;
+		')
+		optional_policy(`
+			domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
+			allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
+		')
+		optional_policy(`
+			domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+		')
+		# for when the network connection is killed
+		dontaudit unpriv_userdomain $1_userhelper_t:process signal;
+	')
+')
+
+########################################
+## <summary>
+##	Search the userhelper configuration directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userhelper_search_config',`
+	gen_require(`
+		type userhelper_conf_t;
+	')
+
+	allow $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search 
+##	the userhelper configuration directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userhelper_dontaudit_search_config',`
+	gen_require(`
+		type userhelper_conf_t;
+	')
+
+	dontaudit $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow domain to use userhelper file descriptor.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain, example user is the prefix of user_t.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userhelper_use_user_fd',`
+	gen_require(`
+		type $1_userhelper_t;
+	')
+
+	allow $2 $1_userhelper_t:fd use;
+')
+########################################
+## <summary>
+##	Allow domain to send sigchld to userhelper.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain, example user is the prefix of user_t.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userhelper_sigchld_user',`
+	gen_require(`
+		type $1_userhelper_t;
+	')
+
+	allow $2 $1_userhelper_t:process sigchld;
+')
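Review bot: `files_pid_filetrans($1_userhelper_t,initrc_var_run_t,file)` at L22597 names `initrc_var_run_t`, a type owned by the init module that the template's `gen_require` at L22524–L22526 does not declare, so the template reaches across the module boundary without an interface; the "Write to utmp." comment is also repeated at L22635 for `init_manage_utmp`, which appears to cover the utmp case already. If the filetrans is still needed it belongs behind an init interface (or at least in the `gen_require`), with a comment naming the file actually created under /var/run. Also, `allow $1_userhelper_t self:process setexec;` at L22567 re-grants a permission the `~{ ... setexec ... }` set at L22547 deliberately excludes; a one-line comment at L22567 stating why setexec is needed here would stop a later reader from "fixing" either line.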
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
new file mode 100644
index 0000000..140e6f1
--- /dev/null
+++ b/policy/modules/apps/userhelper.te
@@ -0,0 +1,13 @@
+
+policy_module(userhelper,1.0.3)
+
+########################################
+#
+# Declarations
+#
+
+type userhelper_conf_t;
+files_type(userhelper_conf_t)
+
+type userhelper_exec_t;
+corecmd_executable_file(userhelper_exec_t)
diff --git a/policy/modules/apps/usernetctl.fc b/policy/modules/apps/usernetctl.fc
new file mode 100644
index 0000000..aa07e1e
--- /dev/null
+++ b/policy/modules/apps/usernetctl.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/usernetctl	--	gen_context(system_u:object_r:usernetctl_exec_t,s0)
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
new file mode 100644
index 0000000..06d73e3
--- /dev/null
+++ b/policy/modules/apps/usernetctl.if
@@ -0,0 +1,74 @@
+## <summary>User network interface configuration helper</summary>
+
+########################################
+## <summary>
+##	Execute usernetctl in the usernetctl domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usernetctl_domtrans',`
+	gen_require(`
+		type usernetctl_t, usernetctl_exec_t;
+	')
+
+	tunable_policy(`user_net_control',`
+		domain_auto_trans($1,usernetctl_exec_t,usernetctl_t)
+
+		allow $1 usernetctl_t:fd use;
+		allow usernetctl_t $1:fd use;
+		allow usernetctl_t $1:fifo_file rw_file_perms;
+		allow usernetctl_t $1:process sigchld;
+	',`
+		can_exec($1,usernetctl_exec_t)
+	')
+')
+
+########################################
+## <summary>
+##	Execute usernetctl in the usernetctl domain, and
+##	allow the specified role the usernetctl domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the usernetctl domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the usernetctl domain to use.
+##	</summary>
+## </param>
+#
+interface(`usernetctl_run',`
+	gen_require(`
+		type usernetctl_t;
+	')
+
+	usernetctl_domtrans($1)
+	role $2 types usernetctl_t;
+	allow usernetctl_t $3:chr_file rw_term_perms;
+
+	sysnet_run_ifconfig(usernetctl_t,$2,$3)
+	sysnet_run_dhcpc(usernetctl_t,$2,$3)
+
+	optional_policy(`
+		consoletype_run(usernetctl_t,$2,$3)
+	')
+
+	optional_policy(`
+		iptables_run(usernetctl_t,$2,$3)
+	')
+
+	optional_policy(`
+		modutils_run_insmod(usernetctl_t,$2,$3)
+	')
+')
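Review bot: The `terminal` parameter summary at L22861 is ungrammatical — "The type of the terminal allow the usernetctl domain to use." should read `The type of the terminal the usernetctl domain is allowed to use.`. It would also help to state in the `usernetctl_domtrans` summary (L22819) that when `user_net_control` is off the caller is still allowed to run the binary in its own domain via the `can_exec` branch at L22840 rather than being denied outright, since that is what a policy writer toggling the boolean will want to know.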
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
new file mode 100644
index 0000000..8a51e3f
--- /dev/null
+++ b/policy/modules/apps/usernetctl.te
@@ -0,0 +1,70 @@
+
+policy_module(usernetctl,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type usernetctl_t;
+type usernetctl_exec_t;
+domain_type(usernetctl_t)
+domain_entry_file(usernetctl_t,usernetctl_exec_t)
+domain_interactive_fd(usernetctl_t)
+
+########################################
+#
+# Local policy
+#
+
+allow usernetctl_t self:capability { setuid setgid dac_override };
+allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow usernetctl_t self:fd use;
+allow usernetctl_t self:fifo_file rw_file_perms;
+allow usernetctl_t self:shm create_shm_perms;
+allow usernetctl_t self:sem create_sem_perms;
+allow usernetctl_t self:msgq create_msgq_perms;
+allow usernetctl_t self:msg { send receive };
+allow usernetctl_t self:unix_dgram_socket create_socket_perms;
+allow usernetctl_t self:unix_stream_socket create_stream_socket_perms;
+allow usernetctl_t self:unix_dgram_socket sendto;
+allow usernetctl_t self:unix_stream_socket connectto;
+
+can_exec(usernetctl_t,usernetctl_exec_t)
+
+kernel_read_system_state(usernetctl_t)
+kernel_read_kernel_sysctls(usernetctl_t)
+
+corecmd_list_bin(usernetctl_t)
+corecmd_exec_bin(usernetctl_t)
+corecmd_list_sbin(usernetctl_t)
+corecmd_exec_sbin(usernetctl_t)
+corecmd_exec_shell(usernetctl_t)
+
+domain_dontaudit_read_all_domains_state(usernetctl_t)
+
+files_read_etc_files(usernetctl_t)
+files_exec_etc_files(usernetctl_t)
+files_read_etc_runtime_files(usernetctl_t)
+files_list_pids(usernetctl_t)
+files_list_home(usernetctl_t)
+files_read_usr_files(usernetctl_t)
+
+fs_search_auto_mountpoints(usernetctl_t)
+
+libs_use_ld_so(usernetctl_t)
+libs_use_shared_libs(usernetctl_t)
+
+miscfiles_read_localization(usernetctl_t)
+
+seutil_read_config(usernetctl_t)
+
+sysnet_read_config(usernetctl_t)
+
+optional_policy(`
+	hostname_exec(usernetctl_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(usernetctl_t)
+')
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
new file mode 100644
index 0000000..ab5d266
--- /dev/null
+++ b/policy/modules/apps/vmware.fc
@@ -0,0 +1,52 @@
+#
+# HOME_DIR/
+#
+ifdef(`strict_policy',`
+HOME_DIR/\.vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg	--	gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
+')
+
+#
+# /etc
+#
+/etc/vmware.*(/.*)?			gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+
+#
+# /usr
+#
+/usr/bin/vmnet-bridg		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-dhcpd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-natd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-netifup		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-sniffer		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd\.bin	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-wizard		--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware			--	gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/usr/lib/vmware/config		--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib/vmware/bin/vmware-mks	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-ui	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/usr/lib64/vmware/config	--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib64/vmware/bin/vmware-mks --	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-ui --	gen_context(system_u:object_r:vmware_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/opt/vmware/workstation/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-dhcpd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-natd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-netifup --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-sniffer --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-nmbd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-ping	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-smbd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-wizard --	gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/workstation/bin/vmware	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+')
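Review bot: `/usr/bin/vmnet-bridg` at L22988 looks like a truncated name; the Gentoo section labels `/opt/vmware/workstation/bin/vmnet-bridge` at L23010, and every other entry in the two lists matches pairwise. With the misspelling the bridge helper under /usr/bin would keep the default executable label and never transition into vmware_host_t, running instead in whatever domain launched it. Suggested line: `/usr/bin/vmnet-bridge		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)`.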
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
new file mode 100644
index 0000000..1f63d96
--- /dev/null
+++ b/policy/modules/apps/vmware.if
@@ -0,0 +1,205 @@
+## <summary>VMWare Workstation virtual machines</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the vmware module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is used
+##	for vmware sessions.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`vmware_per_userdomain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type $1_vmware_t;
+	domain_type($1_vmware_t)
+	domain_entry_file($1_vmware_t,vmware_exec_t)
+	role $3 types $1_vmware_t;
+
+	type $1_vmware_conf_t;
+	userdom_user_home_content($1,$1_vmware_conf_t)
+
+	type $1_vmware_file_t;
+	userdom_user_home_content($1,$1_vmware_file_t)
+
+	type $1_vmware_tmp_t;
+	files_tmp_file($1_vmware_tmp_t)
+
+	type $1_vmware_tmpfs_t;
+	files_tmpfs_file($1_vmware_tmpfs_t)
+
+	type $1_vmware_var_run_t;
+	files_pid_file($1_vmware_var_run_t)
+
+	##############################
+	#
+	# Local policy
+	#
+
+	domain_auto_trans($2, vmware_exec_t, $1_vmware_t)
+	allow $1_vmware_t $2:fd use;
+	allow $1_vmware_t $2:fifo_file rw_file_perms;
+	allow $1_vmware_t $2:process sigchld;
+
+	allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+	dontaudit $1_vmware_t self:capability sys_tty_config;
+	allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_vmware_t self:process { execmem execstack };
+	allow $1_vmware_t self:fd use;
+	allow $1_vmware_t self:fifo_file rw_file_perms;
+	allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
+	allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_vmware_t self:unix_dgram_socket sendto;
+	allow $1_vmware_t self:unix_stream_socket connectto;
+	allow $1_vmware_t self:shm create_shm_perms;
+	allow $1_vmware_t self:sem create_sem_perms;
+	allow $1_vmware_t self:msgq create_msgq_perms;
+	allow $1_vmware_t self:msg { send receive };
+
+	can_exec($1_vmware_t, vmware_exec_t)
+
+	# User configuration files
+	allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
+
+	# VMWare disks
+	allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
+	allow $1_vmware_t $1_vmware_file_t:file manage_file_perms;
+	allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
+
+	allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
+	allow $1_vmware_t $1_vmware_tmp_t:file { manage_file_perms execute };
+	allow $1_vmware_t $1_vmware_tmp_t:sock_file manage_file_perms;
+	files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
+
+	allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:file manage_file_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:sock_file manage_file_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	# Read clobal configuration files
+	allow $1_vmware_t vmware_sys_conf_t:dir r_dir_perms;
+	allow $1_vmware_t vmware_sys_conf_t:file r_file_perms;
+	allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
+
+	allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
+	allow $1_vmware_t $1_vmware_var_run_t:sock_file manage_file_perms;
+	allow $1_vmware_t $1_vmware_var_run_t:lnk_file create_lnk_perms;
+	allow $1_vmware_t $1_vmware_var_run_t:dir manage_dir_perms;
+	files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,{ dir file lnk_file })
+
+	kernel_read_system_state($1_vmware_t)
+	kernel_read_network_state($1_vmware_t)
+	kernel_read_kernel_sysctls($1_vmware_t)
+
+	# startup scripts
+	corecmd_exec_bin($1_vmware_t)
+	corecmd_exec_shell($1_vmware_t)
+
+	dev_read_raw_memory($1_vmware_t)
+	dev_write_raw_memory($1_vmware_t)
+	dev_read_mouse($1_vmware_t)
+	dev_write_sound($1_vmware_t)
+	dev_read_realtime_clock($1_vmware_t)
+	dev_rwx_vmware($1_vmware_t)
+	dev_rw_usbfs($1_vmware_t)
+	dev_search_sysfs($1_vmware_t)
+
+	domain_use_interactive_fds($1_vmware_t)
+
+	files_read_etc_files($1_vmware_t)
+	files_read_etc_runtime_files($1_vmware_t)
+	files_read_usr_files($1_vmware_t)
+	files_list_home($1_vmware_t)
+
+	fs_getattr_xattr_fs($1_vmware_t)
+	fs_search_auto_mountpoints($1_vmware_t)
+
+	storage_raw_read_removable_device($1_vmware_t)
+	storage_raw_write_removable_device($1_vmware_t)
+
+	libs_use_ld_so($1_vmware_t)
+	libs_use_shared_libs($1_vmware_t)
+	# startup scripts run ldd
+	libs_exec_ld_so($1_vmware_t)
+	# Access X11 config files
+	libs_read_lib_files($1_vmware_t)
+
+	miscfiles_read_localization($1_vmware_t)
+
+	userdom_use_user_terminals($1,$1_vmware_t)
+	userdom_use_unpriv_users_fds($1_vmware_t)
+	userdom_list_user_home_dirs($1,$1_vmware_t)
+	# cjp: why?
+	userdom_read_user_home_content_files($1,$1_vmware_t)
+
+	sysnet_dns_name_resolve($1_vmware_t)
+	sysnet_read_config($1_vmware_t)
+
+	xserver_user_client_template($1,$1_vmware_t,$1_vmware_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Read VMWare system configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_read_system_config',`
+	gen_require(`
+		type vmware_sys_conf_t;
+	')
+
+	allow $1 vmware_sys_conf_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Append to VMWare system configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_append_system_config',`
+	gen_require(`
+		type vmware_sys_conf_t;
+	')
+
+	allow $1 vmware_sys_conf_t:file append;
+')
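Review bot: `dev_read_raw_memory`/`dev_write_raw_memory` at L23156–L23157, together with `sys_rawio` and `sys_admin` in the capability set at L23100 and the raw removable-device writes at L23175–L23176, give a per-user session domain access that amounts to kernel- and disk-level control, and nothing in the hunk says which vmware component needs it. A comment above L23156 naming the consumer and reason (e.g. `# raw memory access needed by <component> for <reason> — TODO confirm`) would let a later audit narrow it; the same applies to the re-grant of `{ execmem execstack }` at L23103 immediately after the `~{ ... execmem execstack ... }` exclusion at L23102. Minor: the comment at L23137 reads "Read clobal configuration files" (global), and the template uses `vmware_exec_t` and `vmware_sys_conf_t` without a `gen_require` block, unlike `userhelper_per_userdomain_template` in this same commit.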
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
new file mode 100644
index 0000000..e41d16c
--- /dev/null
+++ b/policy/modules/apps/vmware.te
@@ -0,0 +1,117 @@
+
+policy_module(vmware,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# VMWare user program
+type vmware_exec_t;
+corecmd_executable_file(vmware_exec_t)
+
+# VMWare host programs
+type vmware_host_t;
+type vmware_host_exec_t;
+init_daemon_domain(vmware_host_t,vmware_host_exec_t)
+
+# Systemwide configuration files
+type vmware_sys_conf_t;
+files_type(vmware_sys_conf_t)
+
+type vmware_var_run_t;
+files_pid_file(vmware_var_run_t)
+
+########################################
+#
+# VMWare host local policy
+#
+
+allow vmware_host_t self:capability { setuid net_raw };
+dontaudit vmware_host_t self:capability sys_tty_config;
+allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:fifo_file rw_file_perms;
+allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
+allow vmware_host_t self:rawip_socket create_socket_perms;
+
+# cjp: the ro and rw files should be split up
+allow vmware_host_t vmware_sys_conf_t:dir rw_dir_perms;
+allow vmware_host_t vmware_sys_conf_t:file manage_file_perms;
+
+allow vmware_host_t vmware_var_run_t:file manage_file_perms;
+allow vmware_host_t vmware_var_run_t:sock_file manage_file_perms;
+allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
+
+kernel_read_kernel_sysctls(vmware_host_t)
+kernel_list_proc(vmware_host_t)
+kernel_read_proc_symlinks(vmware_host_t)
+
+corenet_non_ipsec_sendrecv(vmware_host_t)
+corenet_tcp_sendrecv_generic_if(vmware_host_t)
+corenet_udp_sendrecv_generic_if(vmware_host_t)
+corenet_raw_sendrecv_generic_if(vmware_host_t)
+corenet_tcp_sendrecv_all_nodes(vmware_host_t)
+corenet_udp_sendrecv_all_nodes(vmware_host_t)
+corenet_raw_sendrecv_all_nodes(vmware_host_t)
+corenet_tcp_sendrecv_all_ports(vmware_host_t)
+corenet_udp_sendrecv_all_ports(vmware_host_t)
+corenet_raw_bind_all_nodes(vmware_host_t)
+corenet_tcp_connect_all_ports(vmware_host_t)
+corenet_sendrecv_all_client_packets(vmware_host_t)
+corenet_sendrecv_all_server_packets(vmware_host_t)
+
+dev_read_sysfs(vmware_host_t)
+dev_rw_vmware(vmware_host_t)
+
+domain_use_interactive_fds(vmware_host_t)
+
+files_read_etc_files(vmware_host_t)
+
+fs_getattr_all_fs(vmware_host_t)
+fs_search_auto_mountpoints(vmware_host_t)
+
+term_dontaudit_use_console(vmware_host_t)
+
+init_use_fds(vmware_host_t)
+init_use_script_ptys(vmware_host_t)
+
+libs_use_ld_so(vmware_host_t)
+libs_use_shared_libs(vmware_host_t)
+
+logging_send_syslog_msg(vmware_host_t)
+
+miscfiles_read_localization(vmware_host_t)
+
+sysnet_dns_name_resolve(vmware_host_t)
+
+userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
+userdom_dontaudit_search_sysadm_home_dirs(vmware_host_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(vmware_host_t)
+	term_dontaudit_use_generic_ptys(vmware_host_t)
+	files_dontaudit_read_root_files(vmware_host_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(vmware_host_t)
+
+')
+
+optional_policy(`
+	udev_read_db(vmware_host_t)
+')
+netutils_domtrans_ping(vmware_host_t)
+
+ifdef(`TODO',`
+# VMWare need access to pcmcia devices for network
+optional_policy(`
+allow kernel_t cardmgr_var_lib_t:dir { getattr search };
+allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
+')
+# Vmware create network devices
+allow kernel_t self:capability net_admin;
+allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow kernel_t self:socket create;
+')
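Review bot: `netutils_domtrans_ping(vmware_host_t)` directly after the udev `optional_policy` block is called unconditionally, while the other non-base module interfaces in this file (seutil, udev) are wrapped in `optional_policy`; if the netutils module is absent the vmware module would presumably fail to build, so wrap that call the same way as the udev one above it. The same pattern applies to the unconditional `apache_read_log`/`apache_manage_sys_content` calls in webalizer.te and `apache_search_sys_content` in yam.te. The `ifdef(`TODO',` block at the end carries kernel_t rules that never compile; a plain `# TODO: vmware needs pcmcia/cardmgr access and net_admin for its network devices — not yet written` comment would be clearer than dead policy. The seutil `optional_policy` block also has a stray blank line before its closing `')`.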
diff --git a/policy/modules/apps/webalizer.fc b/policy/modules/apps/webalizer.fc
new file mode 100644
index 0000000..e4f7d30
--- /dev/null
+++ b/policy/modules/apps/webalizer.fc
@@ -0,0 +1,10 @@
+
+#
+# /usr
+#
+/usr/bin/webalizer	--	gen_context(system_u:object_r:webalizer_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/webalizer(/.*)?	gen_context(system_u:object_r:webalizer_var_lib_t,s0)
diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if
new file mode 100644
index 0000000..642ba83
--- /dev/null
+++ b/policy/modules/apps/webalizer.if
@@ -0,0 +1,55 @@
+## <summary>Web server log analysis</summary>
+
+########################################
+## <summary>
+##	Execute webalizer in the webalizer domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`webalizer_domtrans',`
+	gen_require(`
+		type webalizer_t, webalizer_exec_t;
+	')
+
+	domain_auto_trans($1,webalizer_exec_t,webalizer_t)
+
+	allow $1 webalizer_t:fd use;
+	allow webalizer_t $1:fd use;
+	allow webalizer_t $1:fifo_file rw_file_perms;
+	allow webalizer_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute webalizer in the webalizer domain, and
+##	allow the specified role the webalizer domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the webalizer domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the webalizer domain to use.
+##	</summary>
+## </param>
+#
+interface(`webalizer_run',`
+	gen_require(`
+		type webalizer_t;
+	')
+
+	webalizer_domtrans($1)
+	role $2 types webalizer_t;
+	allow webalizer_t $3:chr_file rw_term_perms;
+')
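Review bot: `webalizer_domtrans` does not grant `$1` search on the bin directory before the transition, unlike `wine_domtrans` and `yam_domtrans` in this same commit, which call `corecmd_search_bin($1)`; a caller that cannot already search bin_t will not reach /usr/bin/webalizer (labelled webalizer_exec_t in webalizer.fc). Add `corecmd_search_bin($1)` before the `domain_auto_trans` line. The `terminal` parameter summary in `webalizer_run` reads `The type of the terminal allow the webalizer domain to use.`; `The type of the terminal the webalizer domain is allowed to use.` is clearer.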
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
new file mode 100644
index 0000000..4b309ea
--- /dev/null
+++ b/policy/modules/apps/webalizer.te
@@ -0,0 +1,109 @@
+
+policy_module(webalizer,1.2.2)
+
+########################################
+#
+# Declarations
+#
+type webalizer_t;
+type webalizer_exec_t;
+domain_type(webalizer_t)
+domain_entry_file(webalizer_t,webalizer_exec_t)
+role system_r types webalizer_t;
+
+type webalizer_etc_t;
+files_config_file(webalizer_etc_t)
+
+type webalizer_usage_t;
+files_type(webalizer_usage_t)
+
+type webalizer_tmp_t;
+files_tmp_file(webalizer_tmp_t)
+
+type webalizer_var_lib_t;
+files_type(webalizer_var_lib_t)
+
+type webalizer_write_t;
+files_type(webalizer_write_t)
+
+########################################
+#
+# Local policy
+#
+allow webalizer_t self:capability dac_override;
+allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow webalizer_t self:fd use;
+allow webalizer_t self:fifo_file rw_file_perms;
+allow webalizer_t self:sock_file r_file_perms;
+allow webalizer_t self:shm create_shm_perms;
+allow webalizer_t self:sem create_sem_perms;
+allow webalizer_t self:msgq create_msgq_perms;
+allow webalizer_t self:msg { send receive };
+allow webalizer_t self:unix_dgram_socket create_socket_perms;
+allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
+allow webalizer_t self:unix_dgram_socket sendto;
+allow webalizer_t self:unix_stream_socket connectto;
+allow webalizer_t self:tcp_socket connected_stream_socket_perms;
+allow webalizer_t self:udp_socket { connect connected_socket_perms };
+allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow webalizer_t webalizer_etc_t:file { getattr read };
+
+allow webalizer_t webalizer_tmp_t:dir create_dir_perms;
+allow webalizer_t webalizer_tmp_t:file create_file_perms;
+files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
+
+allow webalizer_t webalizer_var_lib_t:file create_file_perms;
+allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
+
+kernel_read_kernel_sysctls(webalizer_t)
+kernel_read_system_state(webalizer_t)
+
+corenet_non_ipsec_sendrecv(webalizer_t)
+corenet_tcp_sendrecv_all_if(webalizer_t)
+corenet_tcp_sendrecv_all_nodes(webalizer_t)
+corenet_tcp_sendrecv_all_ports(webalizer_t)
+
+fs_search_auto_mountpoints(webalizer_t)
+
+files_read_etc_files(webalizer_t)
+files_read_etc_runtime_files(webalizer_t)
+
+libs_use_ld_so(webalizer_t)
+libs_use_shared_libs(webalizer_t)
+
+logging_list_logs(webalizer_t)
+logging_send_syslog_msg(webalizer_t)
+
+miscfiles_read_localization(webalizer_t)
+
+sysnet_dns_name_resolve(webalizer_t)
+sysnet_read_config(webalizer_t)
+
+userdom_use_unpriv_users_fds(webalizer_t)
+userdom_dontaudit_search_all_users_home_content(webalizer_t)
+
+apache_read_log(webalizer_t)
+apache_manage_sys_content(webalizer_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(webalizer_t)
+	term_use_unallocated_ttys(webalizer_t)
+')
+
+optional_policy(`
+	ftp_read_log(webalizer_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(webalizer_t)
+')
+
+optional_policy(`
+	nscd_socket_use(webalizer_t)
+')
+
+optional_policy(`
+	cron_system_entry(webalizer_t,webalizer_exec_t)
+')
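Review bot: `webalizer_usage_t` and `webalizer_write_t` are declared in the Declarations section but no rule in the file references them and webalizer.fc labels no path with them, so they are dead types; either drop them or add the rules and file contexts that use them. `webalizer_etc_t` has a read rule but also no entry in webalizer.fc, so as far as this commit shows nothing on disk will carry that label. Separately, the `self:process ~{ ... }` rule grants every process permission not in the braces, so any permission later added to the class is granted silently; listing the permissions the program actually needs is the safer form.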
diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
new file mode 100644
index 0000000..aa0daf7
--- /dev/null
+++ b/policy/modules/apps/wine.fc
@@ -0,0 +1,2 @@
+/usr/bin/wine			--	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
new file mode 100644
index 0000000..00b468e
--- /dev/null
+++ b/policy/modules/apps/wine.if
@@ -0,0 +1,25 @@
+## <summary>Wine Is Not an Emulator.  Run Windows programs in Linux.</summary>
+
+########################################
+## <summary>
+##	Execute the wine program in the wine domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wine_domtrans',`
+	gen_require(`
+		type wine_t, wine_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, wine_exec_t, wine_t)
+
+	allow $1 wine_t:fd use;
+	allow wine_t $1:fd use;
+	allow wine_t $1:fifo_file rw_file_perms;
+	allow wine_t $1:process sigchld;
+')
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
new file mode 100644
index 0000000..60aa4cf
--- /dev/null
+++ b/policy/modules/apps/wine.te
@@ -0,0 +1,28 @@
+
+policy_module(wine,1.1.2)
+
+########################################
+#
+# Declarations
+#
+
+type wine_t;
+domain_type(wine_t)
+
+type wine_exec_t;
+domain_entry_file(wine_t,wine_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow wine_t self:process { execstack execmem };
+	unconfined_domain_noaudit(wine_t)
+	files_execmod_all_files(wine_t)
+
+ 	optional_policy(`
+ 		hal_dbus_chat(wine_t)
+ 	')
+')
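Review bot: every rule for `wine_t` sits inside `ifdef(`targeted_policy',`, but the type and its entry file are declared unconditionally, so under a non-targeted build `wine_domtrans` transitions into a domain that has nothing beyond what `domain_type` provides (not even `libs_use_ld_so`); either make the declarations conditional as well or give the domain a minimal ruleset outside the ifdef. In the targeted branch `unconfined_domain_noaudit` plus `files_execmod_all_files` makes wine_t effectively unconfined, which deserves a comment such as `# wine is unconfined in targeted policy; it only exists to give Windows binaries execmem/execstack` so the intent is recorded. The three `optional_policy` lines for hal_dbus_chat are indented with a space before the tab, unlike the rest of the file.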
diff --git a/policy/modules/apps/yam.fc b/policy/modules/apps/yam.fc
new file mode 100644
index 0000000..2875fb6
--- /dev/null
+++ b/policy/modules/apps/yam.fc
@@ -0,0 +1,6 @@
+/etc/yam.conf		--	gen_context(system_u:object_r:yam_etc_t,s0)
+
+/usr/bin/yam		--	gen_context(system_u:object_r:yam_exec_t,s0)
+
+/var/yam(/.*)?			gen_context(system_u:object_r:yam_content_t,s0)
+/var/www/yam(/.*)?		gen_context(system_u:object_r:yam_content_t,s0)
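Review bot: the `.` in `/etc/yam.conf` is a regex metacharacter and is not escaped, whereas the other file-context entries in this commit escape literal dots (e.g. `hotplug\.functions`, `init\.d` in corecommands.fc); change it to `/etc/yam\.conf`. As written it also matches any single character in that position, which is harmless here but inconsistent with the rest of the fc files.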
diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if
new file mode 100644
index 0000000..450fb4e
--- /dev/null
+++ b/policy/modules/apps/yam.if
@@ -0,0 +1,76 @@
+## <summary>Yum/Apt Mirroring</summary>
+
+########################################
+## <summary>
+##	Execute yam in the yam domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`yam_domtrans',`
+	gen_require(`
+		type yam_t, yam_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,yam_exec_t,yam_t)
+
+	allow $1 yam_t:fd use;
+	allow yam_t $1:fd use;
+	allow yam_t $1:fifo_file rw_file_perms;
+	allow yam_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute yam in the yam domain, and
+##	allow the specified role the yam domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the yam domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the yam domain to use.
+##	</summary>
+## </param>
+#
+interface(`yam_run',`
+	gen_require(`
+		type yam_t;
+	')
+
+	yam_domtrans($1)
+	role $2 types yam_t;
+	allow yam_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Read yam content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`yam_read_content',`
+	gen_require(`
+		type yam_content_t;
+	')
+
+	allow $1 yam_content_t:dir list_dir_perms;
+	allow $1 yam_content_t:file read_file_perms;
+	allow $1 yam_content_t:lnk_file { getattr read };
+')
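Review bot: `yam_domtrans` calls `corecmd_search_sbin($1)`, but yam.fc labels the binary at `/usr/bin/yam`, which is under the bin_t tree, so the caller is granted search on the wrong directory type; change that line to `corecmd_search_bin($1)` as `wine_domtrans` does. The `terminal` parameter summary in `yam_run` reads `The type of the terminal allow the yam domain to use.`; `The type of the terminal the yam domain is allowed to use.` is clearer.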
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
new file mode 100644
index 0000000..9181eba
--- /dev/null
+++ b/policy/modules/apps/yam.te
@@ -0,0 +1,129 @@
+
+policy_module(yam,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type yam_t alias yam_crond_t;
+type yam_exec_t;
+domain_type(yam_t)
+domain_entry_file(yam_t,yam_exec_t)
+
+type yam_content_t;
+files_mountpoint(yam_content_t)
+
+type yam_etc_t;
+files_config_file(yam_etc_t)
+
+type yam_tmp_t;
+files_tmp_file(yam_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow yam_t self:capability { chown fowner fsetid dac_override };
+allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow yam_t self:process execmem;
+allow yam_t self:fd use;
+allow yam_t self:fifo_file rw_file_perms;
+allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
+allow yam_t self:shm create_shm_perms;
+allow yam_t self:sem create_sem_perms;
+allow yam_t self:msgq create_msgq_perms;
+allow yam_t self:msg { send receive };
+allow yam_t self:tcp_socket create_socket_perms;
+
+# Update the content being managed by yam.
+allow yam_t yam_content_t:dir create_dir_perms;
+allow yam_t yam_content_t:file create_file_perms;
+allow yam_t yam_content_t:lnk_file create_lnk_perms;
+
+allow yam_t yam_etc_t:file { getattr read };
+files_search_etc(yam_t)
+
+allow yam_t yam_tmp_t:dir create_dir_perms;
+allow yam_t yam_tmp_t:file create_file_perms;
+files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(yam_t)
+kernel_read_proc_symlinks(yam_t)
+# Python works fine without reading /proc/meminfo
+kernel_dontaudit_read_system_state(yam_t)
+
+corecmd_exec_shell(yam_t)
+corecmd_exec_bin(yam_t)
+
+# Rsync and lftp need to network.  They also set files attributes to
+# match whats on the remote server.
+corenet_non_ipsec_sendrecv(yam_t)
+corenet_tcp_sendrecv_generic_if(yam_t)
+corenet_tcp_sendrecv_all_nodes(yam_t)
+corenet_tcp_sendrecv_all_ports(yam_t)
+corenet_tcp_connect_http_port(yam_t)
+corenet_tcp_connect_rsync_port(yam_t)
+corenet_sendrecv_http_client_packets(yam_t)
+corenet_sendrecv_rsync_client_packets(yam_t)
+
+# mktemp
+dev_read_urand(yam_t)
+
+files_read_etc_files(yam_t)
+files_read_etc_runtime_files(yam_t)
+# /usr/share/createrepo/genpkgmetadata.py:
+files_exec_usr_files(yam_t)
+# Programs invoked to build package lists need various permissions.
+# genpkglist creates tmp files in /var/cache/apt/genpkglist
+files_rw_var_files(yam_t)
+
+fs_search_auto_mountpoints(yam_t)
+# Content can also be on ISO image files.
+fs_read_iso9660_files(yam_t)
+
+term_search_ptys(yam_t)
+
+libs_use_ld_so(yam_t)
+libs_use_shared_libs(yam_t)
+
+logging_send_syslog_msg(yam_t)
+
+miscfiles_read_localization(yam_t)
+
+seutil_read_config(yam_t)
+
+sysnet_dns_name_resolve(yam_t)
+sysnet_read_config(yam_t)
+
+userdom_use_unpriv_users_fds(yam_t)
+# Reading dotfiles...
+# cjp: ?
+userdom_search_all_users_home_dirs(yam_t)
+
+# The whole point of this program is to make updates available on a
+# local web server.  Need to go through /var to get to /var/yam
+# Go through /var/www to get to /var/www/yam
+apache_search_sys_content(yam_t)
+
+optional_policy(`
+	cron_system_entry(yam_t,yam_exec_t)
+')
+
+optional_policy(`
+	mount_domtrans(yam_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(yam_t)
+')
+
+optional_policy(`
+	nscd_socket_use(yam_t)
+')
+
+optional_policy(`
+	rsync_exec(yam_t)
+')
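Review bot: the `self:process ~{ ... execmem ... }` rule excludes execmem and the very next line `allow yam_t self:process execmem;` grants it back, so the exclusion in the negated set is dead and a reader has to diff two lines to see that execmem is in fact allowed. Either drop execmem from the negated set or keep the explicit grant with a comment such as `# execmem is deliberately allowed here — TODO confirm which component (python? rsync?) needs it`. Since execmem permits writable-and-executable anonymous memory in this domain, the reason it is needed should be recorded rather than left implicit.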
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
new file mode 100644
index 0000000..e1308e2
--- /dev/null
+++ b/policy/modules/kernel/corecommands.fc
@@ -0,0 +1,242 @@
+
+#
+# /bin
+#
+/bin				-d	gen_context(system_u:object_r:bin_t,s0)
+/bin/.*					gen_context(system_u:object_r:bin_t,s0)
+/bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/ls				--	gen_context(system_u:object_r:ls_exec_t,s0)
+/bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+
+#
+# /dev
+#
+/dev/MAKEDEV			--	gen_context(system_u:object_r:sbin_t,s0)
+
+#
+# /emul
+#
+ifdef(`distro_redhat',`
+/emul/ia32-linux/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
+/emul/ia32-linux/usr(/.*)?/bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)?	gen_context(system_u:object_r:sbin_t,s0)
+/emul/ia32-linux/usr/libexec(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /etc
+#
+
+/etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
+
+/etc/hotplug/.*agent		--	gen_context(system_u:object_r:sbin_t,s0)
+/etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:sbin_t,s0)
+/etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:sbin_t,s0)
+/etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:sbin_t,s0)
+
+/etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
+
+/etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:sbin_t,s0)
+
+/etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
+
+/etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
+
+/etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xinit(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+/etc/xen/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_debian',`
+/etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`targeted_policy',`
+/etc/X11/prefdm			--	gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /lib
+#
+
+/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
+/lib/udev/scsi_id		--	gen_context(system_u:object_r:sbin_t,s0)
+
+ifdef(`distro_gentoo',`
+/lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/lib/rcscripts/net.modules.d/helpers.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/rcscripts/net.modules.d/helpers.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /sbin
+#
+/sbin				-d	gen_context(system_u:object_r:sbin_t,s0)
+/sbin/.*				gen_context(system_u:object_r:sbin_t,s0)
+/sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:sbin_t,s0)
+/sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:sbin_t,s0)
+
+#
+# /opt
+#
+/opt/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+/opt/(.*/)?libexec(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
+/opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
+
+ifdef(`distro_gentoo',`
+/opt/vmware/workstation/lib/lib/wrapper-gtk24.sh -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /usr
+#
+/usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+/usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+/usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
+
+/usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/filter/.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ipsec/.*		--	gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/mailman/mail(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/nagios/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/netsaint/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/news/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/debug/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/debug/sbin(/.*)? --	gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/debug/usr/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/debug/usr/sbin(/.*)? --	gen_context(system_u:object_r:sbin_t,s0)
+
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
+/usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
+
+/usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:sbin_t,s0)
+
+/usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+
+/usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hal/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+
+/usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_gentoo', `
+/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/.*-.*-linux-gnu/binutils-bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`distro_redhat', `
+/usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/rhn/rhn_applet/needed-packages\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-language/system-config-language -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-lvm/system-config-lvm.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-mouse/system-config-mouse -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/system-config-netboot\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/pxeos\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/pxeboot\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-users/system-config-users -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-logviewer/system-logviewer\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`distro_suse', `
+/usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ssh/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /var
+#
+/var/mailman/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+/var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/var/ftp/bin/ls			--	gen_context(system_u:object_r:ls_exec_t,s0)
+
+/usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
+
+/var/qmail/bin                  -d      gen_context(system_u:object_r:bin_t,s0)
+/var/qmail/bin(/.*)?                    gen_context(system_u:object_r:bin_t,s0)
+/var/qmail/rc                   --      gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
+')
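Review bot: `/usr/lib/yp/.+` is placed under the `# /var` heading between the /var/ftp and /var/qmail entries; it belongs in the `# /usr` section with the other /usr/lib entries. The three /var/qmail lines use runs of spaces rather than the tab-aligned columns used everywhere else in the file, and the `/emul/ia32-linux/usr(/.*)?/Bin(/.*)?` line has a trailing space before its tab. Style only; no labelling change is implied.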
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
new file mode 100644
index 0000000..58d5983
--- /dev/null
+++ b/policy/modules/kernel/corecommands.if
@@ -0,0 +1,989 @@
+## <summary>
+## Core policy for shells, and generic programs
+## in /bin, /sbin, /usr/bin, and /usr/sbin.
+## </summary>
+## <required val="true">
+##	Contains the base bin and sbin directory types
+##	which need to be searched for the kernel to
+##	run init.
+## </required>
+
+########################################
+## <summary>
+##	Make the specified type usable for files
+##	that are exectuables, such as binary programs.
+##	This does not include shared libraries.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+#
+interface(`corecmd_executable_file',`
+	gen_require(`
+		attribute exec_type;
+	')
+
+	typeattribute $1 exec_type;
+
+	files_type($1)
+')
+
+########################################
+## <summary>
+##	Create a aliased type to generic bin files.
+## </summary>
+## <desc>
+##	<p>
+##	Create a aliased type to generic bin files.
+##	</p>
+##	<p>
+##	This is added to support targeted policy.  Its
+##	use should be limited.  It has no effect
+##	on the strict policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Alias type for bin_t.
+##	</summary>
+## </param>
+#
+interface(`corecmd_bin_alias',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type bin_t;
+		')
+
+		typealias bin_t alias $1;
+	',`
+		errprint(__file__:__line__:` $0($*) has no effect in strict policy.'__endline__)
+	')
+')
+
+########################################
+## <summary>
+##	Make general progams in bin an entrypoint for
+##	the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which bin_t is an entrypoint.
+##	</summary>
+## </param>
+#
+interface(`corecmd_bin_entry_type',`
+	gen_require(`
+		type bin_t;
+	')
+
+	domain_entry_file($1,bin_t)
+')
+
+########################################
+## <summary>
+##	Make general progams in sbin an entrypoint for
+##	the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which sbin programs are an entrypoint.
+##	</summary>
+## </param>
+#
+interface(`corecmd_sbin_entry_type',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	domain_entry_file($1,sbin_t)
+')
+
+########################################
+## <summary>
+##	Make the shell an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which the shell is an entrypoint.
+##	</summary>
+## </param>
+#
+interface(`corecmd_shell_entry_type',`
+	gen_require(`
+		type shell_exec_t;
+	')
+
+	domain_entry_file($1,shell_exec_t)
+')
+
+########################################
+## <summary>
+##	Search the contents of bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_search_bin',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_list_bin',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of files in bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_getattr_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read files in bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_read_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_read_bin_symlinks',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read pipes in bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_read_bin_pipes',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read named sockets in bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_read_bin_sockets',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:sock_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute generic programs in bin directories,
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_exec_bin',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file r_file_perms;
+	can_exec($1,bin_t)
+
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete bin files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_manage_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir rw_dir_perms;
+	allow $1 bin_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the bin type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_relabel_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search_dir_perms;
+	allow $1 bin_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Mmap a bin file as executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_mmap_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search_dir_perms;
+	allow $1 bin_t:file { getattr read execute };
+')
+
+########################################
+## <summary>
+##	Execute a file in a bin directory
+##	in the specified domain but do not
+##	do it automatically. This is an explicit
+##	transition, requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file in a bin directory
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	the userhelper policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`corecmd_bin_spec_domtrans',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:lnk_file { getattr read };
+
+	domain_trans($1,bin_t,$2)
+')
+
+########################################
+## <summary>
+##      Execute a file in a bin directory
+##      in the specified domain.
+## </summary>
+## <desc>
+##      <p>
+##      Execute a file in a bin directory
+##      in the specified domain.  This allows
+##      the specified domain to execute any file
+##      on these filesystems in the specified
+##      domain.  This is not suggested.
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+##      <p>
+##      This interface was added to handle
+##      the ssh-agent policy.
+##      </p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##      The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`corecmd_bin_domtrans',`
+	gen_require(`
+		type bin_t;
+	')
+
+	corecmd_bin_spec_domtrans($1,$2)
+	type_transition $1 bin_t:process $2;
+')
+
+########################################
+## <summary>
+##	Search the contents of sbin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_search_sbin',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	sbin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corecmd_dontaudit_search_sbin',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	dontaudit $1 sbin_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of sbin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_list_sbin',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of sbin files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_getattr_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attibutes
+##	of sbin files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corecmd_dontaudit_getattr_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	dontaudit $1 sbin_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read files in sbin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_read_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in sbin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_read_sbin_symlinks',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read named pipes in sbin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_read_sbin_pipes',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read named sockets in sbin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_read_sbin_sockets',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:sock_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute generic programs in sbin directories,
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_exec_sbin',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir r_dir_perms;
+	allow $1 sbin_t:lnk_file r_file_perms;
+	can_exec($1,sbin_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete sbin files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_manage_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir rw_dir_perms;
+	allow $1 sbin_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the sbin type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_relabel_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search_dir_perms;
+	allow $1 sbin_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Mmap a sbin file as executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`corecmd_mmap_sbin_files',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search_dir_perms;
+	allow $1 sbin_t:file { getattr read execute };
+')
+
+########################################
+## <summary>
+##	Execute a file in a sbin directory
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file in a sbin directory
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	the ssh-agent policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`corecmd_sbin_domtrans',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:lnk_file { getattr read };
+
+	domain_auto_trans($1,sbin_t,$2)
+')
+
+########################################
+## <summary>
+##	Execute a file in a sbin directory
+##	in the specified domain but do not
+##	do it automatically. This is an explicit
+##	transition, requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file in a sbin directory
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	the userhelper policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`corecmd_sbin_spec_domtrans',`
+	gen_require(`
+		type sbin_t;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:lnk_file { getattr read };
+
+	domain_trans($1,sbin_t,$2)
+')
+
+########################################
+## <summary>
+##	Check if a shell is executable (DAC-wise).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_check_exec_shell',`
+	gen_require(`
+		type bin_t, shell_exec_t;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file r_file_perms;
+	allow $1 shell_exec_t:file execute;
+')
+
+########################################
+## <summary>
+##	Execute a shell in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_exec_shell',`
+	gen_require(`
+		type bin_t, shell_exec_t;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file r_file_perms;
+	can_exec($1,shell_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute ls in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_exec_ls',`
+	gen_require(`
+		type bin_t, ls_exec_t;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file r_file_perms;
+	can_exec($1,ls_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a shell in the target domain.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Execute a shell in the target domain.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the shell process.
+##	</summary>
+## </param>
+#
+interface(`corecmd_shell_spec_domtrans',`
+	gen_require(`
+		type bin_t, shell_exec_t;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file r_file_perms;
+
+	domain_trans($1,shell_exec_t,$2)
+')
+
+########################################
+## <summary>
+##	Execute a shell in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a shell in the specified domain.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the shell process.
+##	</summary>
+## </param>
+#
+interface(`corecmd_shell_domtrans',`
+	gen_require(`
+		type shell_exec_t;
+	')
+
+	corecmd_shell_spec_domtrans($1,$2)
+	type_transition $1 shell_exec_t:process $2;
+')
+
+########################################
+## <summary>
+##	Execute chroot in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_exec_chroot',`
+	gen_require(`
+		type chroot_exec_t;
+	')
+
+	can_exec($1,chroot_exec_t)
+	allow $1 self:capability sys_chroot;
+')
+
+########################################
+## <summary>
+##	Execute all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_exec_all_executables',`
+	gen_require(`
+		attribute exec_type;
+		type bin_t, sbin_t;
+	')
+
+	can_exec($1,exec_type)
+	allow $1 { bin_t sbin_t }:dir list_dir_perms;
+	allow $1 { bin_t sbin_t }:lnk_file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_manage_all_executables',`
+	gen_require(`
+		attribute exec_type;
+		type bin_t, sbin_t;
+	')
+
+	allow $1 exec_type:file manage_file_perms;
+	allow $1 { bin_t sbin_t }:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the bin type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_relabel_all_executables',`
+	gen_require(`
+		attribute exec_type;
+	')
+
+	allow $1 exec_type:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Mmap all executables as executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_mmap_all_executables',`
+	gen_require(`
+		attribute exec_type;
+	')
+
+	allow $1 exec_type:file { getattr read execute };
+')
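Review bot: The summary of `corecmd_relabel_all_executables` near the end of the hunk says "Relabel to and from the bin type", but the rule it contains grants `relabelfrom relabelto` on the whole `exec_type` attribute, so a caller can relabel every executable type in the policy (shell_exec_t, sbin_t, ls_exec_t and anything other modules add), not just bin_t. Because relabelto onto an executable type is how a domain could turn an arbitrary file into an entrypoint, the doc should state the real scope: `##	Relabel to and from all executable file types (exec_type attribute).`. Likewise `corecmd_manage_all_executables` is summarized as "Create, read, write, and all executable files", which drops the word "delete" that manage_file_perms implies. Separately, `corecmd_sbin_domtrans` uses `domain_auto_trans` while `corecmd_bin_domtrans` builds the same transition from the spec_domtrans interface plus an explicit `type_transition`; using one form for both would make the two easier to audit side by side.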
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
new file mode 100644
index 0000000..854ca0e
--- /dev/null
+++ b/policy/modules/kernel/corecommands.te
@@ -0,0 +1,39 @@
+
+policy_module(corecommands,1.3.11)
+
+########################################
+#
+# Declarations
+#
+
+#
+# Types with the exec_type attribute are executable files.
+#
+attribute exec_type;
+
+#
+# bin_t is the type of files in the system bin directories.
+#
+type bin_t;
+corecmd_executable_file(bin_t)
+
+#
+# sbin_t is the type of files in the system sbin directories.
+#
+type sbin_t;
+corecmd_executable_file(sbin_t)
+
+#
+# ls_exec_t is the type of the ls program.
+#
+type ls_exec_t;
+corecmd_executable_file(ls_exec_t)
+
+#
+# shell_exec_t is the type of user shells such as /bin/bash.
+#
+type shell_exec_t;
+corecmd_executable_file(shell_exec_t)
+
+type chroot_exec_t;
+corecmd_executable_file(chroot_exec_t)
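Review bot: `chroot_exec_t` at the bottom of the hunk is the only type declared without a purpose comment, while bin_t, sbin_t, ls_exec_t and shell_exec_t each get one; the name suggests it labels the chroot binary, and corecommands.if pairs it with the sys_chroot capability in corecmd_exec_chroot, so I would add `# chroot_exec_t is the type of the chroot program.` above its declaration. The comment on `exec_type` could also note that the "all executables" interfaces in corecommands.if (exec, manage, relabel, mmap) operate on this attribute, so they cover every type declared here plus any type another module attaches via corecmd_executable_file, which is worth knowing before granting them.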
diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc
new file mode 100644
index 0000000..9e5c83e
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.fc
@@ -0,0 +1,7 @@
+
+/dev/ippp.*	-c	gen_context(system_u:object_r:ppp_device_t,s0)
+/dev/ppp	-c	gen_context(system_u:object_r:ppp_device_t,s0)
+/dev/pppox.*	-c	gen_context(system_u:object_r:ppp_device_t,s0)
+/dev/tap.*	-c	gen_context(system_u:object_r:tun_tap_device_t,s0)
+
+/dev/net/.*	-c	gen_context(system_u:object_r:tun_tap_device_t,s0)
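Review bot: The last entry `/dev/net/.*` labels every character device that ever appears under /dev/net as tun_tap_device_t, whereas the ppp entries above are matched by explicit name; if only the tun clone device is expected there, the narrower `/dev/net/tun	-c	gen_context(system_u:object_r:tun_tap_device_t,s0)` keeps an unrelated node dropped into that directory from inheriting access meant for tun/tap users. I cannot tell from this file whether other /dev/net nodes are anticipated, so treat this as a question rather than a defect.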
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
new file mode 100644
index 0000000..65fbe15
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -0,0 +1,1695 @@
+## <summary>Policy controlling access to network objects</summary>
+## <required val="true">
+##	Contains the initial SIDs for network objects.
+## </required>
+
+########################################
+## <summary>
+##	Send and receive TCP network traffic on the generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_generic_if',`
+	gen_require(`
+		type netif_t;
+	')
+
+	allow $1 netif_t:netif { tcp_send tcp_recv };
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_send_generic_if',`
+	gen_require(`
+		type netif_t;
+	')
+
+	allow $1 netif_t:netif udp_send;
+')
+
+########################################
+## <summary>
+##	Receive UDP network traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_receive_generic_if',`
+	gen_require(`
+		type netif_t;
+	')
+
+	allow $1 netif_t:netif udp_recv;
+')
+
+########################################
+## <summary>
+##	Send and Receive UDP network traffic on generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_generic_if',`
+	corenet_udp_send_generic_if($1)
+	corenet_udp_receive_generic_if($1)
+')
+
+########################################
+## <summary>
+##	Send raw IP packets on generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_send_generic_if',`
+	gen_require(`
+		type netif_t;
+	')
+
+	allow $1 netif_t:netif rawip_send;
+')
+
+########################################
+## <summary>
+##	Receive raw IP packets on generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_receive_generic_if',`
+	gen_require(`
+		type netif_t;
+	')
+
+	allow $1 netif_t:netif rawip_recv;
+')
+
+########################################
+## <summary>
+##	Send and receive raw IP packets on generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_generic_if',`
+	corenet_raw_send_generic_if($1)
+	corenet_raw_receive_generic_if($1)
+')
+
+########################################
+## <summary>
+##	Send and receive TCP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_all_if',`
+	gen_require(`
+		attribute netif_type;
+	')
+
+	allow $1 netif_type:netif { tcp_send tcp_recv };
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_send_all_if',`
+	gen_require(`
+		attribute netif_type;
+	')
+
+	allow $1 netif_type:netif udp_send;
+')
+
+########################################
+## <summary>
+##	Receive UDP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_if',`
+	gen_require(`
+		attribute netif_type;
+	')
+
+	allow $1 netif_type:netif udp_recv;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_all_if',`
+	corenet_udp_send_all_if($1)
+	corenet_udp_receive_all_if($1)
+')
+
+########################################
+## <summary>
+##	Send raw IP packets on all interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_send_all_if',`
+	gen_require(`
+		attribute netif_type;
+	')
+
+	allow $1 netif_type:netif rawip_send;
+')
+
+########################################
+## <summary>
+##	Receive raw IP packets on all interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_receive_all_if',`
+	gen_require(`
+		attribute netif_type;
+	')
+
+	allow $1 netif_type:netif rawip_recv;
+')
+
+########################################
+## <summary>
+##	Send and receive raw IP packets on all interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_all_if',`
+	corenet_raw_send_all_if($1)
+	corenet_raw_receive_all_if($1)
+')
+
+########################################
+## <summary>
+##	Send and receive TCP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:node { tcp_send tcp_recv };
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_send_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:node udp_send;
+')
+
+########################################
+## <summary>
+##	Receive UDP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_receive_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:node udp_recv;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_generic_node',`
+	corenet_udp_send_generic_node($1)
+	corenet_udp_receive_generic_node($1)
+')
+
+########################################
+## <summary>
+##	Send raw IP packets on generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_send_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:node rawip_send;
+')
+
+########################################
+## <summary>
+##	Receive raw IP packets on generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_receive_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:node rawip_recv;
+')
+
+########################################
+## <summary>
+##	Send and receive raw IP packets on generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_generic_node',`
+	corenet_raw_send_generic_node($1)
+	corenet_raw_receive_generic_node($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:tcp_socket node_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:udp_socket node_bind;
+')
+
+########################################
+## <summary>
+##	Send and receive TCP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:node { tcp_send tcp_recv };
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_send_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:node udp_send;
+')
+
+########################################
+## <summary>
+##	Receive UDP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:node udp_recv;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_all_nodes',`
+	corenet_udp_send_all_nodes($1)
+	corenet_udp_receive_all_nodes($1)
+')
+
+########################################
+## <summary>
+##	Send raw IP packets on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_send_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:node rawip_send;
+')
+
+########################################
+## <summary>
+##	Receive raw IP packets on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_receive_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:node rawip_recv;
+')
+
+########################################
+## <summary>
+##	Send and receive raw IP packets on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_sendrecv_all_nodes',`
+	corenet_raw_send_all_nodes($1)
+	corenet_raw_receive_all_nodes($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:tcp_socket node_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:udp_socket node_bind;
+')
+
+########################################
+## <summary>
+##	Bind raw sockets to all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+# rawip_socket node_bind does not make much sense.
+# cjp: vmware hits this too
+interface(`corenet_raw_bind_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:rawip_socket node_bind;
+')
+
+########################################
+## <summary>
+##	Send and receive TCP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_generic_port',`
+	gen_require(`
+		type port_t;
+	')
+
+	allow $1 port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Do not audit send and receive TCP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+	gen_require(`
+		type port_t;
+	')
+
+	allow $1 port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_send_generic_port',`
+	gen_require(`
+		type port_t;
+	')
+
+	allow $1 port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_receive_generic_port',`
+	gen_require(`
+		type port_t;
+	')
+
+	allow $1 port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_generic_port',`
+	corenet_udp_send_generic_port($1)
+	corenet_udp_receive_generic_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_generic_port',`
+	gen_require(`
+		type port_t;
+	')
+
+	allow $1 port_t:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Do not audit bind TCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_generic_port',`
+	gen_require(`
+		type port_t;
+	')
+
+	dontaudit $1 port_t:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_generic_port',`
+	gen_require(`
+		type port_t;
+	')
+
+	allow $1 port_t:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Connect TCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_generic_port',`
+	gen_require(`
+		type port_t;
+	')
+
+	allow $1 port_t:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+##	Send and receive TCP network traffic on all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic on all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_send_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP network traffic on all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP network traffic on all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_all_ports',`
+	corenet_udp_send_all_ports($1)
+	corenet_udp_receive_all_ports($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:tcp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attepts to bind TCP sockets to any ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	dontaudit $1 port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Connect TCP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+##	Send and receive TCP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_send_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_receive_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_reserved_port',`
+	corenet_udp_send_reserved_port($1)
+	corenet_udp_receive_reserved_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:tcp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Connect TCP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+##	Send and receive TCP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_sendrecv_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_send_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_receive_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_sendrecv_all_reserved_ports',`
+	corenet_udp_send_all_reserved_ports($1)
+	corenet_udp_receive_all_reserved_ports($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:tcp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to bind TCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to bind UDP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+##      Connect TCP sockets to reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to connect TCP sockets
+##	all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+##	Read and write the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_rw_tun_tap_dev',`
+	gen_require(`
+		type tun_tap_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tun_tap_device_t:chr_file { getattr read write ioctl  lock append };
+')
+
+########################################
+## <summary>
+##	Read and write the point-to-point device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_rw_ppp_dev',`
+	gen_require(`
+		type ppp_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 ppp_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	allow $1 rpc_port_type:tcp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to bind TCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	dontaudit $1 rpc_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	allow $1 rpc_port_type:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to bind UDP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	dontaudit $1 rpc_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Send and receive messages on a
+##	non-encrypted (no IPSEC) network
+##	session.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_non_ipsec_sendrecv',`
+	kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##	Send generic client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_send_generic_client_packets',`
+	gen_require(`
+		type client_packet_t;
+	')
+
+	allow $1 client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive generic client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_receive_generic_client_packets',`
+	gen_require(`
+		type client_packet_t;
+	')
+
+	allow $1 client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive generic client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sendrecv_generic_client_packets',`
+	corenet_send_generic_client_packets($1)
+	corenet_receive_generic_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to the generic client packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_generic_client_packets',`
+	gen_require(`
+		type client_packet_t;
+	')
+
+	allow $1 client_packet_t:packet relabelto;
+')
+
+########################################
+## <summary>
+##	Send generic server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_send_generic_server_packets',`
+	gen_require(`
+		type server_packet_t;
+	')
+
+	allow $1 server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive generic server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_receive_generic_server_packets',`
+	gen_require(`
+		type server_packet_t;
+	')
+
+	allow $1 server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive generic server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sendrecv_generic_server_packets',`
+	corenet_send_generic_server_packets($1)
+	corenet_receive_generic_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to the generic server packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_generic_server_packets',`
+	gen_require(`
+		type server_packet_t;
+	')
+
+	allow $1 server_packet_t:packet relabelto;
+')
+
+########################################
+## <summary>
+##	Send and receive unlabeled packets.
+## </summary>
+## <desc>
+##	<p>
+##	Send and receive unlabeled packets.
+##	These packets do not match any netfilter
+##	SECMARK rules.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sendrecv_unlabeled_packets',`
+	kernel_sendrecv_unlabeled_packets($1)
+')
+
+########################################
+## <summary>
+##	Send all client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_send_all_client_packets',`
+	gen_require(`
+		attribute client_packet_type;
+	')
+
+	allow $1 client_packet_type:packet send;
+')
+
+########################################
+## <summary>
+##	Receive all client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_receive_all_client_packets',`
+	gen_require(`
+		attribute client_packet_type;
+	')
+
+	allow $1 client_packet_type:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive all client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sendrecv_all_client_packets',`
+	corenet_send_all_client_packets($1)
+	corenet_receive_all_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to any client packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_all_client_packets',`
+	gen_require(`
+		attribute client_packet_type;
+	')
+
+	allow $1 client_packet_type:packet relabelto;
+')
+
+########################################
+## <summary>
+##	Send all server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_send_all_server_packets',`
+	gen_require(`
+		attribute server_packet_type;
+	')
+
+	allow $1 server_packet_type:packet send;
+')
+
+########################################
+## <summary>
+##	Receive all server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_receive_all_server_packets',`
+	gen_require(`
+		attribute server_packet_type;
+	')
+
+	allow $1 server_packet_type:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive all server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sendrecv_all_server_packets',`
+	corenet_send_all_server_packets($1)
+	corenet_receive_all_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to any server packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_all_server_packets',`
+	gen_require(`
+		attribute server_packet_type;
+	')
+
+	allow $1 server_packet_type:packet relabelto;
+')
+
+########################################
+## <summary>
+##	Send all packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_send_all_packets',`
+	gen_require(`
+		attribute packet_type;
+	')
+
+	allow $1 packet_type:packet send;
+')
+
+########################################
+## <summary>
+##	Receive all packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_receive_all_packets',`
+	gen_require(`
+		attribute packet_type;
+	')
+
+	allow $1 packet_type:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive all packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sendrecv_all_packets',`
+	corenet_send_all_packets($1)
+	corenet_receive_all_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to any packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_all_packets',`
+	gen_require(`
+		attribute packet_type;
+	')
+
+	allow $1 packet_type:packet relabelto;
+')
+
+########################################
+## <summary>
+##	Unconfined access to network objects.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_unconfined',`
+	gen_require(`
+		attribute corenet_unconfined_type;
+	')
+
+	typeattribute $1 corenet_unconfined_type;
+')
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
new file mode 100644
index 0000000..51908e2
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -0,0 +1,593 @@
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+########################################
+#
+# Network Interface generated macros 
+#
+########################################
+
+define(`create_netif_interfaces',``
+########################################
+## <summary>
+##	Send and receive TCP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_$1_if',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:netif { tcp_send tcp_recv };
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_$1_if',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:netif udp_send;
+')
+
+########################################
+## <summary>
+##	Receive UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_$1_if',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:netif udp_recv;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_$1_if',`
+	corenet_udp_send_$1_if(dollarsone)
+	corenet_udp_receive_$1_if(dollarsone)
+')
+
+########################################
+## <summary>
+##	Send raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_raw_send_$1_if',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:netif rawip_send;
+')
+
+########################################
+## <summary>
+##	Receive raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_raw_receive_$1_if',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:netif rawip_recv;
+')
+
+########################################
+## <summary>
+##	Send and receive raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_raw_sendrecv_$1_if',`
+	corenet_raw_send_$1_if(dollarsone)
+	corenet_raw_receive_$1_if(dollarsone)
+')
+'') dnl end create_netif_interfaces
+
+########################################
+#
+# Network node generated macros 
+#
+########################################
+
+define(`create_node_interfaces',``
+########################################
+## <summary>
+##	Send and receive TCP traffic on the $1 node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_$1_node',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:node { tcp_send tcp_recv };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the $1 node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_$1_node',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:node udp_send;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the $1 node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_$1_node',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:node udp_recv;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the $1 node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_$1_node',`
+	corenet_udp_send_$1_node(dollarsone)
+	corenet_udp_receive_$1_node(dollarsone)
+')
+
+########################################
+## <summary>
+##	Send raw IP packets on the $1 node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_raw_send_$1_node',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:node rawip_send;
+')
+
+########################################
+## <summary>
+##	Receive raw IP packets on the $1 node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_raw_receive_$1_node',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:node rawip_recv;
+')
+
+########################################
+## <summary>
+##	Send and receive raw IP packets on the $1 node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_raw_sendrecv_$1_node',`
+	corenet_raw_send_$1_node(dollarsone)
+	corenet_raw_receive_$1_node(dollarsone)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to node $1.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_$1_node',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:tcp_socket node_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the $1 node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_$1_node',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:udp_socket node_bind;
+')
+'') dnl end create_node_interfaces
+
+########################################
+#
+# Network port generated macros 
+#
+########################################
+
+define(`create_port_interfaces',``
+########################################
+## <summary>
+##	Send and receive TCP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_$1_port',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_$1_port',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_$1_port',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_$1_port',`
+	corenet_udp_send_$1_port(dollarsone)
+	corenet_udp_receive_$1_port(dollarsone)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to the $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_$1_port',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:tcp_socket name_bind;
+	$4
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_$1_port',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:udp_socket name_bind;
+	$4
+')
+
+########################################
+## <summary>
+##	Make a TCP connection to the $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_$1_port',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:tcp_socket name_connect;
+')
+'') dnl end create_port_interfaces
+
+define(`create_packet_interfaces',``
+########################################
+## <summary>
+##	Send $1 packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_$1_packets',`
+	gen_require(`
+		type $1_packet_t;
+	')
+
+	allow dollarsone $1_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive $1 packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_$1_packets',`
+	gen_require(`
+		type $1_packet_t;
+	')
+
+	allow dollarsone $1_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive $1 packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_$1_packets',`
+	corenet_send_$1_packets(dollarsone)
+	corenet_receive_$1_packets(dollarsone)
+')
+
+########################################
+## <summary>
+##	Relabel packets to $1 the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_$1_packets',`
+	gen_require(`
+		type $1_packet_t;
+	')
+
+	allow dollarsone $1_packet_t:packet relabelto;
+')
+'') dnl end create_port_interfaces
+
+#
+# create_netif_*_interfaces(linux_interfacename)
+#
+define(`create_netif_type_interfaces',`
+create_netif_interfaces($1,netif_t,type)
+')
+define(`create_netif_attrib_interfaces',`
+create_netif_interfaces($1,netif,attribute)
+')
+
+#
+# network_interface(linux_interfacename,mls_sensitivity)
+#
+define(`network_interface',`
+create_netif_type_interfaces($1)
+')
+
+#
+# create_node_*_interfaces(node_name)
+#
+define(`create_node_type_interfaces',`
+create_node_interfaces($1,node_t,type)
+')
+define(`create_node_attrib_interfaces',`
+create_node_interfaces($1,node,attribute)
+')
+
+#
+# network_node(node_name,mls_sensitivity,address,netmask)
+#
+define(`network_node',`
+create_node_type_interfaces($1)
+')
+
+# These next three macros have formatting, and should not me indented
+define(`determine_reserved_capability',`dnl
+ifelse($2,`',`',`dnl
+ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
+determine_reserved_capability(shiftn(3,$*))dnl
+')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability
+
+#
+# create_port_*_interfaces(port_name, protocol,portnum,mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_port_type_interfaces',`create_port_interfaces($1,port_t,type,determine_reserved_capability(shift($*)))')
+define(`create_port_attrib_interfaces',`create_port_interfaces($1,port,attribute,determine_reserved_capability(shift($*)))')
+
+#
+# network_port(port_name,protocol portnum mls_sensitivity [,protocol,portnum,mls_sensitivity[,...]])
+#
+define(`network_port',`
+create_port_type_interfaces($*)
+create_packet_interfaces($1_client)
+create_packet_interfaces($1_server)
+')
+
+#
+# network_packet(packet_name)
+#
+define(`network_packet',`
+create_packet_interfaces($1_client)
+create_packet_interfaces($1_server)
+')
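Review bot: The `<infoflow>` on `corenet_raw_receive_$1_node` is `type="write"`, while the receive interfaces for netif and port in the same file use `type="read"`; it should read `## <infoflow type="read" weight="10"/>`. The closing trailer of `create_packet_interfaces` says `'') dnl end create_port_interfaces` and should say `'') dnl end create_packet_interfaces`. The summary `Relabel packets to $1 the packet type.` reads better as `Relabel packets to the $1 packet type.`. The header comment `network_interface(linux_interfacename,mls_sensitivity)` above the `network_interface` definition omits the middle argument that corenetwork.te.m4 declares as `network_interface(if_name,linux_interface,mls_sensitivity)` and that corenetwork.te.in passes; the body here only uses `$1`, so expansion is unaffected, but the two comments should agree.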
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
new file mode 100644
index 0000000..e809365
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -0,0 +1,207 @@
+
+policy_module(corenetwork,1.1.12)
+
+########################################
+#
+# Declarations
+#
+
+attribute client_packet_type;
+attribute netif_type;
+attribute node_type;
+attribute packet_type;
+attribute port_type;
+attribute reserved_port_type;
+attribute rpc_port_type;
+attribute server_packet_type;
+
+attribute corenet_unconfined_type;
+
+type ppp_device_t;
+dev_node(ppp_device_t)
+
+#
+# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
+#
+type tun_tap_device_t;
+dev_node(tun_tap_device_t)
+
+########################################
+#
+# Ports and packets
+#
+
+#
+# client_packet_t is the default type of IPv4 and IPv6 client packets.
+#
+type client_packet_t, packet_type, client_packet_type;
+
+#
+# port_t is the default type of INET port numbers.
+#
+type port_t, port_type;
+sid port gen_context(system_u:object_r:port_t,s0)
+
+#
+# reserved_port_t is the type of INET port numbers below 1024.
+#
+type reserved_port_t, port_type, reserved_port_type;
+
+#
+# server_packet_t is the default type of IPv4 and IPv6 server packets.
+#
+type server_packet_t, packet_type, server_packet_type;
+
+network_port(afs_bos, udp,7007,s0)
+network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
+network_port(afs_ka, udp,7004,s0)
+network_port(afs_pt, udp,7002,s0)
+network_port(afs_vl, udp,7003,s0)
+network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
+network_port(amavisd_recv, tcp,10024,s0)
+network_port(amavisd_send, tcp,10025,s0)
+network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
+network_port(auth, tcp,113,s0)
+network_port(bgp, tcp,179,s0, udp,179,s0)
+type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
+network_port(clamd, tcp,3310,s0)
+network_port(clockspeed, udp,4041,s0)
+network_port(comsat, udp,512,s0)
+network_port(cvs, tcp,2401,s0, udp,2401,s0)
+network_port(dcc, udp,6276,s0, udp,6277,s0)
+network_port(dbskkd, tcp,1178,s0)
+network_port(dhcpc, udp,68,s0)
+network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
+network_port(dict, tcp,2628,s0)
+network_port(distccd, tcp,3632,s0)
+network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(fingerd, tcp,79,s0)
+network_port(ftp_data, tcp,20,s0)
+network_port(ftp, tcp,21,s0)
+network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
+network_port(giftd, tcp,1213,s0)
+network_port(gopher, tcp,70,s0, udp,70,s0)
+network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
+network_port(howl, tcp,5335,s0, udp,5353,s0)
+network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+network_port(i18n_input, tcp,9010,s0)
+network_port(imaze, tcp,5323,s0, udp,5323,s0)
+network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(innd, tcp,119,s0)
+network_port(ipp, tcp,631,s0, udp,631,s0)
+network_port(ircd, tcp,6667,s0)
+network_port(isakmp, udp,500,s0)
+network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
+network_port(jabber_interserver, tcp,5269,s0)
+network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
+network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+network_port(ktalkd, udp,517,s0, udp,518,s0)
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
+type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
+network_port(mail, tcp,2000,s0)
+network_port(monopd, tcp,1234,s0)
+network_port(mysqld, tcp,3306,s0)
+network_port(nessus, tcp,1241,s0)
+network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
+network_port(ntp, udp,123,s0)
+network_port(openvpn, udp,1194,s0)
+network_port(pegasus_http, tcp,5988,s0)
+network_port(pegasus_https, tcp,5989,s0)
+network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
+network_port(portmap, udp,111,s0, tcp,111,s0)
+network_port(postgresql, tcp,5432,s0)
+network_port(postgrey, tcp,60000,s0)
+network_port(printer, tcp,515,s0)
+network_port(ptal, tcp,5703,s0)
+network_port(pxe, udp,4011,s0)
+network_port(pyzor, udp,24441,s0)
+network_port(radacct, udp,1646,s0, udp,1813,s0)
+network_port(radius, udp,1645,s0, udp,1812,s0)
+network_port(razor, tcp,2703,s0)
+network_port(rlogind, tcp,513,s0)
+network_port(rndc, tcp,953,s0)
+network_port(router, udp,520,s0)
+network_port(rsh, tcp,514,s0)
+network_port(rsync, tcp,873,s0, udp,873,s0)
+network_port(smbd, tcp,137-139,s0, tcp,445,s0)
+network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+network_port(spamd, tcp,783,s0)
+network_port(ssh, tcp,22,s0)
+network_port(soundd, tcp,8000,s0, tcp,9433,s0)
+type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
+type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
+network_port(swat, tcp,901,s0)
+network_port(syslogd, udp,514,s0)
+network_port(telnetd, tcp,23,s0)
+network_port(tftp, udp,69,s0)
+network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
+network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
+network_port(transproxy, tcp,8081,s0)
+type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
+network_port(uucpd, tcp,540,s0)
+network_port(vnc, tcp,5900,s0)
+network_port(xen, tcp,8002,s0)
+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
+network_port(zebra, tcp,2601,s0)
+network_port(zope, tcp,8021,s0)
+
+# Defaults for reserved ports.  Earlier portcon entries take precedence;
+# these entries just cover any remaining reserved ports not otherwise declared.
+portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
+
+########################################
+#
+# Network nodes
+#
+
+#
+# node_t is the default type of network nodes.
+# The node_*_t types are used for specific network
+# nodes in net_contexts or net_contexts.mls.
+#
+type node_t, node_type;
+sid node gen_context(system_u:object_r:node_t,s0 - s15:c0.c255)
+
+network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
+network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
+type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
+network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
+network_node(lo, s0 - s15:c0.c255, 127.0.0.1, 255.255.255.255)
+network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
+network_node(multicast, s0 - s15:c0.c255, ff00::, ff00::)
+network_node(site_local, s0, fec0::, ffc0::)
+network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
+
+########################################
+#
+# Network Interfaces
+#
+
+#
+# netif_t is the default type of network interfaces.
+#
+type netif_t, netif_type;
+sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
+
+ifdef(`enable_mls',`
+network_interface(lo, lo,s0 - s15:c0.c255)
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow corenet_unconfined_type node_type:node *;
+allow corenet_unconfined_type netif_type:netif *;
+allow corenet_unconfined_type packet_type:packet *;
+allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+
+# Bind to any network address.
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
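Review bot: `network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )` carries a trailing empty argument that no other node declaration has; `declare_nodes` stops recursing when `$5` is empty, so it is harmless, but it reads like a dropped entry and should be `network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::)`. The xserver line writes `tcp, 6000, s0` with spaces where every other entry uses the `tcp,6000,s0` form; m4 discards leading whitespace in arguments so it expands the same, but the inconsistency invites copy errors. The smbd entry `tcp,137-139` is the only port argument given as a range, and the port macros in corenetwork.te.m4 and corenetwork.if.m4 apply `eval` arithmetic to that argument, so it deserves either a comment or splitting into single ports.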
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
new file mode 100644
index 0000000..ecae862
--- /dev/null
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -0,0 +1,74 @@
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+define(`declare_netifs',`dnl
+netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3)
+ifelse(`$4',`',`',`declare_netifs($1,shiftn(3,$*))')dnl
+')
+
+#
+# network_interface(if_name,linux_interface,mls_sensitivity)
+#
+define(`network_interface',`
+gen_require(`type unlabeled_t')
+type $1_netif_t alias netif_$1_t, netif_type;
+declare_netifs($1_netif_t,shift($*))
+')
+
+define(`declare_nodes',`dnl
+nodecon $3 $4 gen_context(system_u:object_r:$1,$2)
+ifelse(`$5',`',`',`declare_nodes($1,shiftn(4,$*))')dnl
+')
+
+#
+# network_node(node_name,mls_sensitivity,address,netmask[, mls_sensitivity,address,netmask, [...]])
+#
+define(`network_node',`
+type $1_node_t alias node_$1_t, node_type;
+declare_nodes($1_node_t,shift($*))
+')
+
+# These next three macros have formatting, and should not me indented
+define(`determine_reserved_capability',`dnl
+ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
+ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability
+
+define(`determine_reserved_capability_depend',`dnl
+ifelse(eval($2 < 1024),1,`class capability net_bind_service;',`dnl
+ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability depend
+
+define(`declare_ports',`dnl
+ifelse(eval($3 < 1024),1,`
+typeattribute $1 reserved_port_type;
+#bindresvport in glibc starts searching for reserved ports at 600
+ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
+',`dnl')
+portcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+')
+
+#
+# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
+#
+define(`network_port',`
+type $1_port_t, port_type;
+type $1_client_packet_t, packet_type, client_packet_type;
+type $1_server_packet_t, packet_type, server_packet_type;
+declare_ports($1_port_t,shift($*))
+')
+
+#
+# network_packet(packet_name)
+#
+define(`network_packet',`
+type $1_client_packet_t, packet_type, client_packet_type;
+type $1_server_packet_t, packet_type, server_packet_type;
+')
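Review bot: `declare_ports` classifies a port with `eval($3 < 1024)` and `eval($3 >= 600)`, and `determine_reserved_capability` uses `eval($2 < 1024)`, but corenetwork.te.in passes a range for smbd (`tcp,137-139`); m4 `eval` reads `137-139` as subtraction, giving -2, which lands below 1024 only by coincidence, and a range wholly above 1023 would be wrongly tagged `reserved_port_type` and never `rpc_port_type`. The same arithmetic is in `determine_reserved_capability` in corenetwork.if.m4. Either compare the low end of the range (GNU m4's `regexp` builtin can extract the leading digits before the `eval`) or state in the `network_port` header comment that portnum must be a single number. As far as this file shows, `determine_reserved_capability` and `determine_reserved_capability_depend` are defined but not referenced by `network_port` here; if nothing outside this hunk consumes them they are dead definitions. The comment `should not me indented`, here and in corenetwork.if.m4, should read `should not be indented`.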
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
new file mode 100644
index 0000000..f83f36f
--- /dev/null
+++ b/policy/modules/kernel/devices.fc
@@ -0,0 +1,104 @@
+
+/dev			-d	gen_context(system_u:object_r:device_t,s0)
+/dev/.*				gen_context(system_u:object_r:device_t,s0)
+
+/dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/adsp		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/(misc/)?agpgart	-c	gen_context(system_u:object_r:agp_device_t,s0)
+/dev/aload.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/amidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/amixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/apm_bios		-c	gen_context(system_u:object_r:apm_bios_t,s0)
+/dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/console		-c	gen_context(system_u:object_r:console_device_t,s0)
+/dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
+/dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
+/dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
+/dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
+/dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
+/dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
+/dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+/dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+/dev/mem		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+/dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
+/dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/nvram		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+/dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+/dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
+/dev/port		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+/dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
+/dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
+/dev/(misc/)?rtc	-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/smpte.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/smu		-c	gen_context(system_u:object_r:power_device_t,s0)
+/dev/srnd[0-7]		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
+/dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+ifdef(`distro_suse', `
+/dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
+')
+/dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
+/dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
+/dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/watchdog		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
+/dev/winradio.		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/z90crypt		-c	gen_context(system_u:object_r:crypt_device_t,s0)
+/dev/zero		-c	gen_context(system_u:object_r:zero_device_t,s0)
+
+/dev/bus/usb/.*/[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
+
+/dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)
+
+/dev/dri/.+		-c	gen_context(system_u:object_r:dri_device_t,s0)
+
+/dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+
+/dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+
+/dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
+
+/dev/pts(/.*)?			<<none>>
+
+/dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
+
+/dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+/dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+
+/dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
+
+ifdef(`distro_redhat',`
+# originally from named.fc
+/var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
+/var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
+/var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
+')
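Review bot: `/dev/winradio.` uses a bare `.` that matches exactly one character, so `/dev/winradio0` matches but `/dev/winradio10` does not; every neighbouring pattern uses `.*`, so this is most likely meant to be `/dev/winradio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)`. A node that misses this pattern falls back to the catch-all `/dev/.*` rule and is labeled `device_t` rather than the intended `v4l_device_t`.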
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
new file mode 100644
index 0000000..5449c4d
--- /dev/null
+++ b/policy/modules/kernel/devices.if
@@ -0,0 +1,2971 @@
+## <summary>
+## Device nodes and interfaces for many basic system devices.
+## </summary>
+## <desc>
+## <p>
+## This module creates the device node concept and provides
+## the policy for many of the device files. Notable exceptions are
+## the mass storage and terminal devices that are covered by other
+## modules.
+## </p>
+## <p>
+## This module creates the concept of a device node. That is a
+## char or block device file, usually in /dev. All types that
+## are used to label device nodes should use the dev_node macro.
+## </p>
+## <p>
+## Additionally, this module controls access to three things:
+##	<ul>
+##		<li>the device directories containing device nodes</li>
+##		<li>device nodes as a group</li>
+##		<li>individual access to specific device nodes covered by
+##		this module.</li>
+##	</ul>
+## </p>
+## </desc>
+## <required val="true">
+##	Depended on by other required modules.
+## </required>
+
+########################################
+## <summary>
+##	Make the passed in type a type appropriate for
+##	use on device nodes (usually files in /dev).
+## </summary>
+## <param name="object_type">
+##	<summary>
+##	The object type that will be used on device nodes.
+##	</summary>
+## </param>
+#
+interface(`dev_node',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	typeattribute $1 device_node;
+')
+
+########################################
+## <summary>
+##	Allow full relabeling (to and from) of all device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to relabel.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_all_dev_nodes',`
+	gen_require(`
+		attribute device_node;
+		type device_t;
+	')
+
+	allow $1 device_node:dir { getattr relabelfrom };
+	allow $1 device_node:file { getattr relabelfrom };
+	allow $1 device_node:lnk_file { getattr relabelfrom };
+	allow $1 device_node:fifo_file { getattr relabelfrom };
+	allow $1 device_node:sock_file { getattr relabelfrom };
+	allow $1 { device_t device_node }:blk_file { getattr relabelfrom relabelto };
+	allow $1 { device_t device_node }:chr_file { getattr relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	List all of the device nodes in a device directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to list device nodes.
+##	</summary>
+## </param>
+#
+interface(`dev_list_all_dev_nodes',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Set the attributes of /dev directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_dirs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Dontaudit attempts to list all device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit listing of device nodes.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_list_all_dev_nodes',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create a directory in the device directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to create the directory.
+##	</summary>
+## </param>
+#
+interface(`dev_create_generic_dirs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir { ra_dir_perms create };
+')
+
+########################################
+## <summary>
+##	Allow full relabeling (to and from) of directories in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to relabel.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_generic_dev_dirs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Read and write generic files in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_generic_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir search;
+	allow $1 device_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete generic files in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_generic_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir { search write remove_name };
+	allow $1 device_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Create a file in the device directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to create the files.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_generic_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit getattr on generic pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_generic_pipes',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Allow getattr on generic block devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Dontaudit getattr on generic block devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Dontaudit setattr on generic block devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
+##	Allow read, write, and create for generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir ra_dir_perms;
+	allow $1 device_t:chr_file create;
+
+	allow $1 self:capability mknod;
+')
+
+########################################
+## <summary>
+##	Allow getattr for generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Dontaudit getattr for generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Dontaudit setattr for generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes
+##	of symbolic links in device directories (/dev).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_generic_symlinks',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:lnk_file setattr;
+')
+
+########################################
+## <summary>
+##	Delete symbolic links in device directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_generic_symlinks',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir { getattr read write remove_name };
+	allow $1 device_t:lnk_file unlink;
+')
+
+########################################
+## <summary>
+##	Create, delete, read, and write symbolic links in device directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_generic_symlinks',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Relabel symbolic links in device directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_generic_symlinks',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_t:lnk_file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Create, delete, read, and write device nodes in device directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_all_dev_nodes',`
+	gen_require(`
+		attribute device_node, memory_raw_read, memory_raw_write;
+		type device_t;
+	')
+
+	allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+	allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+	allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+
+	# these next rules are to satisfy assertions broken by the above lines.
+	# the permissions hopefully can be cut back a lot
+	storage_raw_read_fixed_disk($1)
+	storage_raw_write_fixed_disk($1)
+	storage_read_scsi_generic($1)
+	storage_write_scsi_generic($1)
+
+	typeattribute $1 memory_raw_read;
+	typeattribute $1 memory_raw_write;
+')
+
+########################################
+## <summary>
+##	Dontaudit getattr for generic device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_generic_dev_nodes',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+##	Create, delete, read, and write block device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_t:blk_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, delete, read, and write character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_t:chr_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, and write device nodes. The node
+##	will be transitioned to the type provided.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file">
+##	<summary>
+##	Type to which the created node will be transitioned.
+##	</summary>
+## </param>
+## <param name="objectclass(es)">
+##	<summary>
+##	Object class(es) (single or set including {}) for which this
+##	the transition will occur.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	type_transition $1 device_t:$3 $2;
+
+	fs_associate_tmpfs($2)
+	files_associate_tmp($2)
+')
+
+########################################
+## <summary>
+##	Getattr on all block file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_node:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Dontaudit getattr on all block file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Getattr on all character file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_node:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Dontaudit getattr on all character file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Setattr on all block file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_node:blk_file setattr;
+')
+
+########################################
+## <summary>
+##	Setattr on all character file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_node:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Dontaudit read on all block file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_read_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:blk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Dontaudit read on all character file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_read_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read, write, create, and delete all block device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_node:blk_file create_file_perms;
+
+	# these next rules are to satisfy assertions broken by the above lines.
+	storage_raw_read_fixed_disk($1)
+	storage_raw_write_fixed_disk($1)
+	storage_read_scsi_generic($1)
+	storage_write_scsi_generic($1)
+')
+
+########################################
+## <summary>
+##	Read, write, create, and delete all character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_all_chr_files',`
+	gen_require(`
+		attribute device_node, memory_raw_read, memory_raw_write;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_node:chr_file create_file_perms;
+
+	typeattribute $1 memory_raw_read, memory_raw_write;
+')
+
+########################################
+## <summary>
+##	Getattr the agp devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_agp_dev',`
+	gen_require(`
+		type device_t, agp_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 agp_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Read and write the agp devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_agp',`
+	gen_require(`
+		type device_t, agp_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 agp_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the apm bios device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_apm_bios_dev',`
+	gen_require(`
+		type device_t, apm_bios_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 apm_bios_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	the apm bios device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_apm_bios_dev',`
+	gen_require(`
+		type apm_bios_t;
+	')
+
+	dontaudit $1 apm_bios_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the apm bios device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_apm_bios_dev',`
+	gen_require(`
+		type device_t, apm_bios_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 apm_bios_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes of
+##	the apm bios device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_apm_bios_dev',`
+	gen_require(`
+		type apm_bios_t;
+	')
+
+	dontaudit $1 apm_bios_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write the apm bios.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_apm_bios',`
+	gen_require(`
+		type device_t, apm_bios_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 apm_bios_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the PCMCIA card manager device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_cardmgr',`
+	gen_require(`
+		type cardmgr_dev_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 cardmgr_dev_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write the PCMCIA card manager device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_cardmgr',`
+	gen_require(`
+		type cardmgr_dev_t;
+	')
+
+	dontaudit $1 cardmgr_dev_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	the PCMCIA card manager device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_cardmgr_dev',`
+	gen_require(`
+		type device_t, cardmgr_dev_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	the PCMCIA card manager device
+##	with the correct type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_cardmgr_dev',`
+	gen_require(`
+		type device_t, cardmgr_dev_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
+	type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the CPU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_cpu_dev',`
+	gen_require(`
+		type device_t, cpu_device_t;
+	')
+
+	allow $1 device_t:dir search;
+	allow $1 cpu_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Read the CPU identity.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_cpuid',`
+	gen_require(`
+		type device_t, cpu_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 cpu_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the the CPU microcode device. This
+##	is required to load CPU microcode.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_cpu_microcode',`
+	gen_require(`
+		type device_t, cpu_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 cpu_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the the hardware SSL accelerator.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_crypto',`
+	gen_require(`
+		type device_t, crypt_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 crypt_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	getattr the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_dri_dev',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 dri_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Setattr the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_dri_dev',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 dri_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_dri',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 dri_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit read and write on the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_dri',`
+	gen_require(`
+		type dri_device_t;
+	')
+
+	dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_dri_dev',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 dri_device_t:chr_file manage_file_perms;
+	type_transition $1 device_t:chr_file dri_device_t;
+')
+
+########################################
+## <summary>
+##	Read input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_input',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 event_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_input_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 event_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the framebuffer device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_framebuffer_dev',`
+	gen_require(`
+		type device_t, framebuf_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 framebuf_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the framebuffer device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_framebuffer_dev',`
+	gen_require(`
+		type device_t, framebuf_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 framebuf_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Dot not audit attempts to set the attributes
+##	of the framebuffer device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_framebuffer_dev',`
+	gen_require(`
+		type framebuf_device_t;
+	')
+
+	dontaudit $1 framebuf_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read the framebuffer.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_framebuffer',`
+	gen_require(`
+		type framebuf_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 framebuf_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read the framebuffer.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_read_framebuffer',`
+	gen_require(`
+		type framebuf_device_t;
+	')
+
+	dontaudit $1 framebuf_device_t:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Write the framebuffer.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_framebuffer',`
+	gen_require(`
+		type device_t, framebuf_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 framebuf_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+## <summary>
+##	Read and write the framebuffer.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_framebuffer',`
+	gen_require(`
+		type device_t, framebuf_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 framebuf_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read the lvm comtrol device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_lvm_control',`
+	gen_require(`
+		type device_t, lvm_control_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 lvm_control_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the lvm control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_lvm_control',`
+	gen_require(`
+		type device_t, lvm_control_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 lvm_control_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete the lvm control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_lvm_control_dev',`
+	gen_require(`
+		type device_t, lvm_control_t;
+	')
+
+	allow $1 device_t:dir { getattr search read write remove_name };
+	allow $1 lvm_control_t:chr_file unlink;
+')
+
+########################################
+## <summary>
+##	dontaudit getattr raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_memory_dev',`
+	gen_require(`
+		type memory_device_t;
+	')
+
+	dontaudit $1 memory_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Read raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_raw_memory',`
+	gen_require(`
+		type device_t, memory_device_t;
+		attribute memory_raw_read;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 memory_device_t:chr_file r_file_perms;
+
+	allow $1 self:capability sys_rawio;
+	typeattribute $1 memory_raw_read;
+')
+
+########################################
+## <summary>
+##	Write raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_raw_memory',`
+	gen_require(`
+		type device_t, memory_device_t;
+		attribute memory_raw_write;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 memory_device_t:chr_file write;
+
+	allow $1 self:capability sys_rawio;
+	typeattribute $1 memory_raw_write;
+')
+
+########################################
+## <summary>
+##	Read and execute raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rx_raw_memory',`
+	gen_require(`
+		type device_t, memory_device_t;
+	')
+
+	dev_read_raw_memory($1)
+	allow $1 memory_device_t:chr_file execute;
+')
+
+########################################
+## <summary>
+##	Write and execute raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_wx_raw_memory',`
+	gen_require(`
+		type device_t, memory_device_t;
+	')
+
+	dev_write_raw_memory($1)
+	allow $1 memory_device_t:chr_file execute;
+')
+
+########################################
+## <summary>
+##	Get the attributes of miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_misc_dev',`
+	gen_require(`
+		type device_t, misc_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 misc_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_misc_dev',`
+	gen_require(`
+		type misc_device_t;
+	')
+
+	dontaudit $1 misc_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_misc_dev',`
+	gen_require(`
+		type device_t, misc_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 misc_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes
+##	of miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_misc_dev',`
+	gen_require(`
+		type misc_device_t;
+	')
+
+	dontaudit $1 misc_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_misc',`
+	gen_require(`
+		type device_t, misc_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 misc_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Write miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_misc',`
+	gen_require(`
+		type device_t, misc_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 misc_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_misc',`
+	gen_require(`
+		type misc_device_t;
+	')
+
+	dontaudit $1 misc_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the mouse devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_mouse_dev',`
+	gen_require(`
+		type device_t, mouse_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mouse_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the mouse devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_mouse_dev',`
+	gen_require(`
+		type device_t, mouse_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mouse_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read the mouse devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_mouse',`
+	gen_require(`
+		type device_t, mouse_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mouse_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##      Read and write to mouse devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_mouse',`
+	gen_require(`
+		type device_t, mouse_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mouse_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the mtrr device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_mtrr_dev',`
+	gen_require(`
+		type device_t, mtrr_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+
+	# proc entry is a file.  added for nmbd_t
+	allow $1 mtrr_device_t:{ file chr_file } getattr;
+')
+
+########################################
+## <summary>
+##	Read the mtrr device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_mtrr',`
+	gen_require(`
+		type device_t, mtrr_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mtrr_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Write the mtrr device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_mtrr',`
+	gen_require(`
+		type device_t, mtrr_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mtrr_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+## <summary>
+##	Read and write the mtrr device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_mtrr',`
+	dev_read_mtrr($1)
+	dev_write_mtrr($1)
+')
+
+########################################
+## <summary>
+##	Read and write to the null device (/dev/null).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_null',`
+	gen_require(`
+		type device_t, null_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 null_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the printer device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_printer_dev',`
+	gen_require(`
+		type device_t, printer_device_t;
+	')
+
+	allow $1 device_t:dir search_dir_perms;
+	allow $1 printer_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the printer device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_printer_dev',`
+	gen_require(`
+		type device_t, printer_device_t;
+	')
+
+	allow $1 device_t:dir search_dir_perms;
+	allow $1 printer_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Append the printer device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for lpd/checkpc_t
+interface(`dev_append_printer',`
+	gen_require(`
+		type device_t, printer_device_t;
+	')
+
+	allow $1 device_t:dir search;
+	allow $1 printer_device_t:chr_file { getattr append };
+')
+
+########################################
+## <summary>
+##	Read and write the printer device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_printer',`
+	gen_require(`
+		type device_t, printer_device_t;
+	')
+
+	allow $1 device_t:dir search;
+	allow $1 printer_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read from random number generator
+##	devices (e.g., /dev/random)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_rand',`
+	gen_require(`
+		type device_t, random_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 random_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read from random
+##	number generator devices (e.g., /dev/random)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_read_rand',`
+	gen_require(`
+		type random_device_t;
+	')
+
+	dontaudit $1 random_device_t:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Write to the random device (e.g., /dev/random). This adds
+##	entropy used to generate the random data read from the
+##	random device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_rand',`
+	gen_require(`
+		type device_t, random_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 random_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+## <summary>
+##	Read the realtime clock (/dev/rtc).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_realtime_clock',`
+	gen_require(`
+		type device_t, clock_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 clock_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Set the realtime clock (/dev/rtc).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_realtime_clock',`
+	gen_require(`
+		type device_t, clock_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
+')
+
+########################################
+## <summary>
+##	Read and set the realtime clock (/dev/rtc).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_realtime_clock',`
+	dev_read_realtime_clock($1)
+	dev_write_realtime_clock($1)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the scanner device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_scanner_dev',`
+	gen_require(`
+		type device_t, scanner_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 scanner_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	the scanner device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_scanner_dev',`
+	gen_require(`
+		type scanner_device_t;
+	')
+
+	dontaudit $1 scanner_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the scanner device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_scanner_dev',`
+	gen_require(`
+		type device_t, scanner_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 scanner_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes of
+##	the scanner device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_scanner_dev',`
+	gen_require(`
+		type scanner_device_t;
+	')
+
+	dontaudit $1 scanner_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write the scanner device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_scanner',`
+	gen_require(`
+		type device_t, scanner_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 scanner_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the sound devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_sound_dev',`
+	gen_require(`
+		type device_t, sound_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the sound devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_sound_dev',`
+	gen_require(`
+		type device_t, sound_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read the sound devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_sound',`
+	gen_require(`
+		type device_t, sound_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Write the sound devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_sound',`
+	gen_require(`
+		type device_t, sound_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+## <summary>
+##	Read the sound mixer devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_sound_mixer',`
+	gen_require(`
+		type device_t, sound_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file { getattr read ioctl };
+')
+
+########################################
+## <summary>
+##	Write the sound mixer devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_sound_mixer',`
+	gen_require(`
+		type device_t, sound_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 sound_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+## <summary>
+##	Get the attributes of the the power management device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_power_mgmt_dev',`
+	gen_require(`
+		type device_t, power_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 power_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the the power management device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_power_mgmt_dev',`
+	gen_require(`
+		type device_t, power_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 power_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write the the power management device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_power_management',`
+	gen_require(`
+		type device_t, power_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 power_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of sysfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the sysfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dev_search_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search sysfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_search_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	dontaudit $1 sysfs_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of the sysfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dev_list_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow caller to read hardware state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading hardware state information.
+##	</summary>
+## </param>
+#
+interface(`dev_read_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:dir r_dir_perms;
+	allow $1 sysfs_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type modifying hardware state information.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:dir r_dir_perms;
+	allow $1 sysfs_t:lnk_file r_file_perms;
+	allow $1 sysfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read from pseudo random devices (e.g., /dev/urandom)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_urand',`
+	gen_require(`
+		type device_t, urandom_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 urandom_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read from pseudo
+##	random devices (e.g., /dev/urandom)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_read_urand',`
+	gen_require(`
+		type urandom_device_t;
+	')
+
+	dontaudit $1 urandom_device_t:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Write to the pseudo random device (e.g., /dev/urandom). This
+##	sets the random number generator seed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_urand',`
+	gen_require(`
+		type device_t, urandom_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 urandom_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+## <summary>
+##	Getattr generic the USB devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_generic_usb_dev',`
+	gen_require(`
+		type usb_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 usb_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Setattr generic the USB devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_usb_dev',`
+	gen_require(`
+		type usb_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 usb_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write generic the USB devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_generic_usb_dev',`
+	gen_require(`
+		type usb_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 usb_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Mount a usbfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dev_mount_usbfs',`
+	gen_require(`
+		type usbfs_t;
+	')
+
+	allow $1 usbfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Associate a file to a usbfs filesystem.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	The type of the file to be associated to usbfs.
+##	</summary>
+## </param>
+#
+interface(`dev_associate_usbfs',`
+	gen_require(`
+		type usbfs_t;
+	')
+
+	allow $1 usbfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a directory in the usb filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_usbfs_dirs',`
+	gen_require(`
+		type usbfs_t;
+	')
+
+	allow $1 usbfs_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of a directory in the usb filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_usbfs_dirs',`
+	gen_require(`
+		type usbfs_t;
+	')
+
+	dontaudit $1 usbfs_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the directory containing USB hardware information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dev_search_usbfs',`
+	gen_require(`
+		type usbfs_t;
+	')
+
+	allow $1 usbfs_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow caller to get a list of usb hardware.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type getting the list.
+##	</summary>
+## </param>
+#
+interface(`dev_list_usbfs',`
+	gen_require(`
+		type usbfs_t;
+	')
+
+	allow $1 usbfs_t:dir r_dir_perms;
+	allow $1 usbfs_t:lnk_file r_file_perms;
+	allow $1 usbfs_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of usbfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_usbfs_files',`
+	gen_require(`
+		type usbfs_t;
+	')
+
+	allow $1 usbfs_t:dir r_dir_perms;
+	allow $1 usbfs_t:file setattr;
+')
+
+########################################
+## <summary>
+##	Read USB hardware information using
+##	the usbfs filesystem interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dev_read_usbfs',`
+	gen_require(`
+		type usbfs_t;
+	')
+
+	allow $1 usbfs_t:dir r_dir_perms;
+	allow $1 usbfs_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow caller to modify usb hardware configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type modifying the options.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_usbfs',`
+	gen_require(`
+		type usbfs_t;
+	')
+
+	allow $1 usbfs_t:dir r_dir_perms;
+	allow $1 usbfs_t:lnk_file r_file_perms;
+	allow $1 usbfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of video4linux devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_video_dev',`
+	gen_require(`
+		type device_t, v4l_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 v4l_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of video4linux device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_video_dev',`
+	gen_require(`
+		type v4l_device_t;
+	')
+
+	dontaudit $1 v4l_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of video4linux device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_video_dev',`
+	gen_require(`
+		type device_t, v4l_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 v4l_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes
+##	of video4linux device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_video_dev',`
+	gen_require(`
+		type v4l_device_t;
+	')
+
+	dontaudit $1 v4l_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read the video4linux devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_video_dev',`
+	gen_require(`
+		type device_t, v4l_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 device_t:lnk_file { getattr read };
+	allow $1 v4l_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write VMWare devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_vmware',`
+	gen_require(`
+		type device_t, vmware_device_t;
+	')
+
+	allow $1 device_t:dir list_dir_perms;
+	allow $1 vmware_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read, write, and mmap VMWare devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rwx_vmware',`
+	gen_require(`
+		type device_t, vmware_device_t;
+	')
+
+	allow $1 device_t:dir list_dir_perms;
+	allow $1 vmware_device_t:chr_file { rw_file_perms execute };
+')
+
+########################################
+## <summary>
+##	Write to watchdog devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_watchdog',`
+	gen_require(`
+		type device_t, watchdog_device_t;
+	')
+
+	allow $1 device_t:dir list_dir_perms;
+	allow $1 watchdog_device_t:chr_file { getattr write };
+')
+
+########################################
+## <summary>
+##	Read and write Xen devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_xen',`
+	gen_require(`
+		type device_t, xen_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xen_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete Xen devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_xen',`
+	gen_require(`
+		type device_t, xen_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xen_device_t:chr_file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Automatic type transition to the type
+##	for xen device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_xen',`
+	gen_require(`
+		type device_t, xen_device_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	type_transition $1 device_t:chr_file xen_device_t;
+')
+
+########################################
+## <summary>
+##	Get the attributes of X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_xserver_misc_dev',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xserver_misc_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_xserver_misc_dev',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xserver_misc_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_xserver_misc',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xserver_misc_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write to the zero device (/dev/zero).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_zero',`
+	gen_require(`
+		type device_t, zero_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 zero_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read, write, and execute the zero device (/dev/zero).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rwx_zero',`
+	gen_require(`
+		type zero_device_t;
+	')
+
+	dev_rw_zero($1)
+	allow $1 zero_device_t:chr_file execute;
+')
+
+########################################
+## <summary>
+##	Execmod the zero device (/dev/zero).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_execmod_zero',`
+	gen_require(`
+		type zero_device_t;
+	')
+
+	dev_rw_zero($1)
+	allow $1 zero_device_t:chr_file execmod;
+')
+
+########################################
+## <summary>
+##	Unconfined access to devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_unconfined',`
+	gen_require(`
+		attribute devices_unconfined_type;
+	')
+
+	typeattribute $1 devices_unconfined_type;
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
new file mode 100644
index 0000000..8edb0f5
--- /dev/null
+++ b/policy/modules/kernel/devices.te
@@ -0,0 +1,209 @@
+
+policy_module(devices,1.1.14)
+
+########################################
+#
+# Declarations
+#
+
+attribute device_node;
+attribute memory_raw_read;
+attribute memory_raw_write;
+attribute devices_unconfined_type;
+
+#
+# device_t is the type of /dev.
+#
+type device_t;
+fs_associate_tmpfs(device_t)
+files_type(device_t)
+files_mountpoint(device_t)
+files_associate_tmp(device_t)
+
+# Only directories and symlinks should be labeled device_t.
+# If there are other files with this type, it is wrong.
+# Relabelto is allowed for setfiles to function, in case
+# a device node has no specific type yet, but is for some
+# reason labeled with a specific type
+#cjp: want this, but udev policy breaks this
+#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
+
+#
+# Type for /dev/agpgart
+#
+type agp_device_t;
+dev_node(agp_device_t)
+
+#
+# Type for /dev/apm_bios
+#
+type apm_bios_t;
+dev_node(apm_bios_t)
+
+type cardmgr_dev_t;
+dev_node(cardmgr_dev_t)
+files_tmp_file(cardmgr_dev_t)
+
+#
+# clock_device_t is the type of
+# /dev/rtc.
+#
+type clock_device_t;
+dev_node(clock_device_t)
+
+#
+# cpu control devices /dev/cpu/0/*
+#
+type cpu_device_t;
+dev_node(cpu_device_t)
+
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t;
+dev_node(crypt_device_t)
+
+type dri_device_t;
+dev_node(dri_device_t)
+
+type event_device_t;
+dev_node(event_device_t)
+
+#
+# Type for framebuffer /dev/fb/*
+#
+type framebuf_device_t;
+dev_node(framebuf_device_t)
+
+#
+# Type for /dev/mapper/control
+#
+type lvm_control_t;
+dev_node(lvm_control_t)
+
+#
+# memory_device_t is the type of /dev/kmem,
+# /dev/mem and /dev/port.
+#
+type memory_device_t;
+dev_node(memory_device_t)
+
+neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read;
+neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write };
+
+type misc_device_t;
+dev_node(misc_device_t)
+
+#
+# A more general type for mouse devices.
+#
+type mouse_device_t;
+dev_node(mouse_device_t)
+
+#
+# Type for /dev/cpu/mtrr and /proc/mtrr
+#
+type mtrr_device_t;
+dev_node(mtrr_device_t)
+genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
+
+#
+# null_device_t is the type of /dev/null.
+#
+type null_device_t;
+dev_node(null_device_t)
+mls_trusted_object(null_device_t)
+sid devnull gen_context(system_u:object_r:null_device_t,s0)
+
+#
+# Type for /dev/pmu 
+#
+type power_device_t;
+dev_node(power_device_t)
+
+type printer_device_t;
+dev_node(printer_device_t)
+
+#
+# random_device_t is the type of /dev/random
+#
+type random_device_t;
+dev_node(random_device_t)
+
+type scanner_device_t;
+dev_node(scanner_device_t)
+
+#
+# Type for sound devices and mixers
+#
+type sound_device_t;
+dev_node(sound_device_t)
+
+#
+# sysfs_t is the type for the /sys pseudofs
+#
+type sysfs_t;
+files_mountpoint(sysfs_t)
+fs_type(sysfs_t)
+genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+
+#
+# urandom_device_t is the type of /dev/urandom
+#
+type urandom_device_t;
+dev_node(urandom_device_t)
+
+#
+# usbfs_t is the type for the /proc/bus/usb pseudofs
+#
+type usbfs_t alias usbdevfs_t;
+files_mountpoint(usbfs_t)
+fs_noxattr_type(usbfs_t)
+genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
+genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
+
+#
+# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
+#
+type usb_device_t;
+dev_node(usb_device_t)
+
+type v4l_device_t;
+dev_node(v4l_device_t)
+
+# Type for vmware devices.
+type vmware_device_t;
+dev_node(vmware_device_t)
+
+type watchdog_device_t;
+dev_node(vmware_device_t)
+
+type xen_device_t;
+dev_node(xen_device_t)
+
+type xserver_misc_device_t;
+dev_node(xserver_misc_device_t)
+
+#
+# zero_device_t is the type of /dev/zero.
+#
+type zero_device_t;
+dev_node(zero_device_t)
+mls_trusted_object(zero_device_t)
+
+########################################
+#
+# Rules for all device nodes
+#
+
+fs_associate(device_node)
+fs_associate_tmpfs(device_node)
+
+files_associate_tmp(device_node)
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow devices_unconfined_type self:capability sys_rawio;
+allow devices_unconfined_type device_node:{ blk_file chr_file } *;
+allow devices_unconfined_type mtrr_device_t:{ dir file } *;
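Review bot: The `dev_node(vmware_device_t)` line directly under `type watchdog_device_t;` looks like a copy-paste slip: watchdog_device_t is declared but never given the device_node attribute, while vmware_device_t is passed to dev_node() twice. Every other device type in this file is declared as a `type X;` / `dev_node(X)` pair, and the rules at the bottom of the hunk (`fs_associate(device_node)`, `files_associate_tmp(device_node)`, and the `devices_unconfined_type device_node:{ blk_file chr_file } *` allow) are keyed on that attribute, so the watchdog node would silently fall outside them. The line should read `dev_node(watchdog_device_t)`. Any devices.if interface that requires watchdog_device_t is outside this hunk, so I cannot see whether it also depends on the attribute.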
diff --git a/policy/modules/kernel/domain.fc b/policy/modules/kernel/domain.fc
new file mode 100644
index 0000000..7be4ddf
--- /dev/null
+++ b/policy/modules/kernel/domain.fc
@@ -0,0 +1 @@
+# This module currently does not have any file contexts.
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
new file mode 100644
index 0000000..3de6530
--- /dev/null
+++ b/policy/modules/kernel/domain.if
@@ -0,0 +1,1265 @@
+## <summary>Core policy for domains.</summary>
+## <required val="true">
+##	Contains the concept of a domain.
+## </required>
+
+########################################
+## <summary>
+##	Make the specified type usable as a basic domain.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable as a basic domain.
+##	</p>
+##	<p>
+##	This is primarily used for kernel threads;
+##	generally the domain_type() interface is
+##	more appropriate for userland processes.
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type to be used as a basic domain type.
+##	</summary>
+## </param>
+#
+interface(`domain_base_type',`
+	gen_require(`
+		attribute domain;
+	')
+
+	typeattribute $1 domain;
+')
+
+########################################
+## <summary>
+##	Make the specified type usable as a domain.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a domain type.
+##	</summary>
+## </param>
+#
+interface(`domain_type',`
+	# start with basic domain
+	domain_base_type($1)
+
+	ifdef(`targeted_policy',`
+		unconfined_use_fds($1)
+		unconfined_sigchld($1)
+	')
+
+	# send init a sigchld and signull
+	optional_policy(`
+		init_sigchld($1)
+		init_signull($1)
+	')
+
+	# these seem questionable:
+
+	optional_policy(`
+		rpm_use_fds($1)
+		rpm_read_pipes($1)
+	')
+
+	optional_policy(`
+		selinux_dontaudit_read_fs($1)
+	')
+
+	optional_policy(`
+		seutil_dontaudit_read_config($1)
+	')
+')
+
+########################################
+## <summary>
+##	Make the specified type usable as
+##	an entry point for the domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to be entered.
+##	</summary>
+## </param>
+## <param name="type">
+##	<summary>
+##	Type of program used for entering
+##	the domain.
+##	</summary>
+## </param>
+#
+interface(`domain_entry_file',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 $2:file entrypoint;
+	allow $1 $2:file rx_file_perms;
+
+	typeattribute $2 entry_type;
+
+	corecmd_executable_file($2)
+')
+
+########################################
+## <summary>
+##	Make the file descriptors of the specified
+##	domain for interactive use (widely inheritable)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_interactive_fd',`
+	gen_require(`
+		attribute privfd;
+	')
+
+	typeattribute $1 privfd;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to perform
+##	dynamic transitions.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to perform
+##	dynamic transitions.
+##	</p>
+##	<p>
+##	This violates process tranquility, and it
+##	is strongly suggested that this not be used.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dyntrans_type',`
+	gen_require(`
+		attribute set_curr_context;
+	')
+
+	typeattribute $1 set_curr_context;
+')
+
+########################################
+## <summary>
+##	Makes caller and execption to the constraint
+##	preventing changing to the system user
+##	identity and system role.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_system_change_exemption',`
+	gen_require(`
+		attribute can_system_change;
+	')
+
+	typeattribute $1 can_system_change;
+')
+
+########################################
+## <summary>
+##	Makes caller an exception to the constraint preventing
+##	changing of user identity.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type to make an exception to the constraint.
+##	</summary>
+## </param>
+#
+interface(`domain_subj_id_change_exemption',`
+	gen_require(`
+		attribute can_change_process_identity;
+	')
+
+	typeattribute $1 can_change_process_identity;
+')
+
+########################################
+## <summary>
+##	Makes caller an exception to the constraint preventing
+##	changing of role.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type to make an exception to the constraint.
+##	</summary>
+## </param>
+#
+interface(`domain_role_change_exemption',`
+	gen_require(`
+		attribute can_change_process_role;
+	')
+
+	typeattribute $1 can_change_process_role;
+')
+
+########################################
+## <summary>
+##	Makes caller an exception to the constraint preventing
+##	changing the user identity in object contexts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type to make an exception to the constraint.
+##	</summary>
+## </param>
+#
+interface(`domain_obj_id_change_exemption',`
+	gen_require(`
+		attribute can_change_object_identity;
+	')
+
+	typeattribute $1 can_change_object_identity;
+')
+
+########################################
+## <summary>
+##	Make the specified domain the target of
+##	the user domain exception of the
+##	SELinux role and identity change
+##	constraints.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified domain the target of
+##	the user domain exception of the
+##	SELinux role and identity change
+##	constraints.
+##	</p>
+##	<p>
+##	This interface is needed to decouple
+##	the user domains from the base module.
+##	It should not be used other than on
+##	user domains.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain target for user exemption.
+##	</summary>
+## </param>
+#
+interface(`domain_user_exemption_target',`
+	gen_require(`
+		attribute process_user_target;
+	')
+
+	typeattribute $1 process_user_target;
+')
+
+########################################
+## <summary>
+##	Make the specified domain the source of
+##	the cron domain exception of the
+##	SELinux role and identity change
+##	constraints.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified domain the source of
+##	the cron domain exception of the
+##	SELinux role and identity change
+##	constraints.
+##	</p>
+##	<p>
+##	This interface is needed to decouple
+##	the cron domains from the base module.
+##	It should not be used other than on
+##	cron domains.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain target for user exemption.
+##	</summary>
+## </param>
+#
+interface(`domain_cron_exemption_source',`
+	gen_require(`
+		attribute cron_source_domain;
+	')
+
+	typeattribute $1 cron_source_domain;
+')
+
+########################################
+## <summary>
+##	Make the specified domain the target of
+##	the cron domain exception of the
+##	SELinux role and identity change
+##	constraints.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified domain the target of
+##	the cron domain exception of the
+##	SELinux role and identity change
+##	constraints.
+##	</p>
+##	<p>
+##	This interface is needed to decouple
+##	the cron domains from the base module.
+##	It should not be used other than on
+##	user cron jobs.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain target for user exemption.
+##	</summary>
+## </param>
+#
+interface(`domain_cron_exemption_target',`
+	gen_require(`
+		attribute cron_job_domain;
+	')
+
+	typeattribute $1 cron_job_domain;
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from
+##	domains with interactive programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_use_interactive_fds',`
+	gen_require(`
+		attribute privfd;
+	')
+
+	allow $1 privfd:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit file
+##	descriptors from domains with interactive
+##	programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_use_interactive_fds',`
+	gen_require(`
+		attribute privfd;
+	')
+
+	dontaudit $1 privfd:fd use;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to domains whose file
+##	discriptors are widely inheritable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: this was added because of newrole
+interface(`domain_sigchld_interactive_fds',`
+	gen_require(`
+		attribute privfd;
+	')
+
+	allow $1 privfd:process sigchld;
+')
+
+########################################
+## <summary>
+##	Set the nice level of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_setpriority_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process setsched;
+')
+
+########################################
+## <summary>
+##	Send general signals to all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_signal_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process signal;
+')
+
+########################################
+## <summary>
+##	Send a null signal to all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_signull_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process signull;
+')
+
+########################################
+## <summary>
+##	Send a stop signal to all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_sigstop_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process sigstop;
+')
+
+########################################
+## <summary>
+##	Send a child terminated signal to all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_sigchld_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a kill signal to all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_kill_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process sigkill;
+	allow $1 self:capability kill;
+')
+
+########################################
+## <summary>
+##	Search the process state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_search_all_domains_state',`
+	gen_require(`
+		attribute domain;
+	')
+
+	kernel_search_proc($1)
+	allow $1 domain:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the process
+##	state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_search_all_domains_state',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_read_all_domains_state',`
+	gen_require(`
+		attribute domain;
+	')
+
+	kernel_search_proc($1)
+	allow $1 domain:dir r_dir_perms;
+	allow $1 domain:lnk_file r_file_perms;
+	allow $1 domain:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all domains of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_getattr_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all domains of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:process getattr;
+')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of all confined domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_read_confined_domains_state',`
+	gen_require(`
+		attribute domain, unconfined_domain_type;
+	')
+
+	kernel_search_proc($1)
+	allow $1 { domain -unconfined_domain_type }:dir r_dir_perms;
+	allow $1 { domain -unconfined_domain_type }:lnk_file r_file_perms;
+	allow $1 { domain -unconfined_domain_type }:file r_file_perms;
+
+	dontaudit $1 unconfined_domain_type:dir search;
+	dontaudit $1 unconfined_domain_type:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Get the attributes of all confined domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_getattr_confined_domains',`
+	gen_require(`
+		attribute domain, unconfined_domain_type;
+	')
+
+	allow $1 { domain -unconfined_domain_type }:process getattr;
+')
+
+########################################
+## <summary>
+##	Ptrace all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_ptrace_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process ptrace;
+	allow domain $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to ptrace all domains.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to ptrace all domains.
+##	</p>
+##	<p>
+##	Generally this needs to be suppressed because procps tries to access
+##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
+##	(2.4 and 2.6).
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_ptrace_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:process ptrace;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to ptrace confined domains.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to ptrace confined domains.
+##	</p>
+##	<p>
+##	Generally this needs to be suppressed because procps tries to access
+##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
+##	(2.4 and 2.6).
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_ptrace_confined_domains',`
+	gen_require(`
+		attribute domain, unconfined_domain_type;
+	')
+
+	dontaudit $1 { domain -unconfined_domain_type }:process ptrace;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read the process
+##	state (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_read_all_domains_state',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:dir r_dir_perms;
+	dontaudit $1 domain:lnk_file r_file_perms;
+	dontaudit $1 domain:file r_file_perms;
+
+	# cjp: these should be removed:
+	dontaudit $1 domain:sock_file r_file_perms;
+	dontaudit $1 domain:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read the process state
+##	directories of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_list_all_domains_state',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the session ID of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_getsession_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process getsession;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	session ID of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getsession_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:process getsession;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all domains
+##	sockets, for all socket types.
+## </summary>
+## <desc>
+##	<p>
+##	Get the attributes of all domains
+##	sockets, for all socket types.
+##	</p>
+##	<p>
+##	This is commonly used for domains
+##	that can use lsof on all domains.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_getattr_all_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:socket_class_set getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains sockets, for all socket types.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to get the attributes
+##	of all domains sockets, for all socket types.
+##	</p>
+##	<p>
+##	This interface was added for PCMCIA cardmgr
+##	and is probably excessive.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:socket_class_set getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_tcp_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:tcp_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains UDP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_udp_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:udp_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	all domains UDP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_rw_all_udp_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:udp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get attribues of
+##	all domains IPSEC key management sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_key_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:key_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get attribues of
+##	all domains packet sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_packet_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:packet_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get attribues of
+##	all domains raw sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_raw_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:rawip_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	all domains key sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_rw_all_key_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:key_socket { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_dgram_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:unix_dgram_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_stream_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:unix_stream_socket getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_pipes',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of entry point
+##	files for all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_getattr_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 entry_type:lnk_file getattr;
+	allow $1 entry_type:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read the entry point files for all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_read_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 entry_type:lnk_file r_file_perms;
+	allow $1 entry_type:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute the entry point files for all
+##	domains in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_exec_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	can_exec($1,entry_type)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete all
+##	entrypoint files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_manage_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 entry_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from all entry point
+##	file types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_relabel_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 entry_type:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Mmap all entry point files as executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`domain_mmap_all_entry_files',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	allow $1 entry_type:file { getattr read execute };
+')
+
+########################################
+## <summary>
+##	Execute an entry_type in the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for userhelper
+interface(`domain_entry_file_spec_domtrans',`
+	gen_require(`
+		attribute entry_type;
+	')
+
+	domain_trans($1,entry_type,$2)
+')
+
+########################################
+## <summary>
+##	Unconfined access to domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_unconfined',`
+	gen_require(`
+		attribute set_curr_context;
+		attribute can_change_process_identity;
+		attribute can_change_process_role;
+		attribute can_change_object_identity;
+		attribute unconfined_domain_type;
+	')
+
+	typeattribute $1 unconfined_domain_type;
+
+	# pass constraints
+	typeattribute $1 can_change_process_identity;
+	typeattribute $1 can_change_process_role;
+	typeattribute $1 can_change_object_identity;
+	typeattribute $1 set_curr_context;
+')
+
+#
+# These next macros are not templates, but actually are 
+# support macros.  Due to the domain_ prefix, they 
+# are placed in this module, to try to prevent confusion.
+# They are called templates since regular m4 defines
+# wont work here.
+#
+
+########################################
+## <summary>
+##	Specified domain transition requiring setexeccon.
+## </summary>
+## <param name="source_domain">
+##	<summary>
+##	Domain to transition from.
+##	</summary>
+## </param>
+## <param name="entry_file">
+##	<summary>
+##	Type of program to execute.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
+#
+template(`domain_trans',`
+	allow $1 $2:file { getattr read execute };
+	allow $1 $3:process transition;
+	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+')
+
+########################################
+## <summary>
+##	Automatic domain transition by type_transition.
+## </summary>
+## <param name="source_domain">
+##	<summary>
+##	Domain to transition from.
+##	</summary>
+## </param>
+## <param name="entry_file">
+##	<summary>
+##	Type of program to execute.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
+#
+template(`domain_auto_trans',`
+	domain_trans($1,$2,$3)
+	type_transition $1 $2:process $3;
+')
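Review bot: `domain_entry_file_spec_domtrans` expands `$2` in `domain_trans($1,entry_type,$2)` but its XML header documents only the `domain` parameter, so the generated interface documentation will not show that a target domain is required; a second block `## <param name="target_domain"> <summary> Domain to transition to. </summary> </param>` should be added in the same style as the `domain_trans` template header below it. Two other headers in this hunk are mislabeled: `domain_dontaudit_getattr_all_domains` repeats the summary of `domain_getattr_all_domains` (both read "Get the attributes of all domains of all domains."), and should say `Do not audit attempts to get the attributes of all domains.`; `domain_dontaudit_getattr_all_stream_sockets` still says "unix datagram sockets" although its rule is on `unix_stream_socket`, so that summary should read `of all domains unix stream sockets.`. Smaller typos in the same headers ("execption", "discriptors", "attribues") could be fixed in the same pass.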
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
new file mode 100644
index 0000000..f0e07f2
--- /dev/null
+++ b/policy/modules/kernel/domain.te
@@ -0,0 +1,143 @@
+
+policy_module(domain,1.1.3)
+
+########################################
+#
+# Declarations
+#
+
+# Mark process types as domains
+attribute domain;
+
+# Transitions only allowed from domains to other domains
+neverallow domain ~domain:process { transition dyntransition };
+
+# Domains that are unconfined
+attribute unconfined_domain_type;
+
+# Domains that can set their current context
+# (perform dynamic transitions)
+attribute set_curr_context;
+
+# enabling setcurrent breaks process tranquility.  If you do not
+# know what this means or do not understand the implications of a
+# dynamic transition, you should not be using it!!!
+neverallow { domain -set_curr_context } self:process setcurrent;
+
+# entrypoint executables
+attribute entry_type;
+
+# widely-inheritable file descriptors
+attribute privfd;
+
+#
+# constraint related attributes
+#
+
+# [1] types that can change SELinux identity on transition
+attribute can_change_process_identity;
+
+# [2] types that can change SELinux role on transition
+attribute can_change_process_role;
+
+# [3] types that can change the SELinux identity on a filesystem
+# object or a socket object on a create or relabel
+attribute can_change_object_identity;
+
+# [3] types that can change to system_u:system_r
+attribute can_system_change;
+
+# [4] types that have attribute 1 can change the SELinux
+# identity only if the target domain has this attribute.
+# Types that have attribute 2 can change the SELinux role
+# only if the target domain has this attribute.
+attribute process_user_target;
+
+# For cron jobs
+# [5] types used for cron daemons
+attribute cron_source_domain;
+# [6] types used for cron jobs
+attribute cron_job_domain;
+
+# [7] types that are unconditionally exempt from
+# SELinux identity and role change constraints
+attribute process_uncond_exempt;	# add userhelperdomain to this one
+
+neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
+neverallow ~{ domain unlabeled_t } *:process *;
+
+########################################
+#
+# Rules applied to all domains
+#
+
+# read /proc/(pid|self) entries
+allow domain self:dir r_dir_perms;
+allow domain self:lnk_file r_file_perms;
+allow domain self:file rw_file_perms;
+kernel_read_proc_symlinks(domain)
+
+# create child processes in the domain
+allow domain self:process { fork sigchld };
+
+# Use trusted objects in /dev
+dev_rw_null(domain)
+dev_rw_zero(domain)
+term_use_controlling_term(domain)
+
+# list the root directory
+files_list_root(domain)
+
+ifdef(`targeted_policy',`
+	# RBAC is disabled in the targeted policy,
+	# as only one role is used, system_r.
+	role system_r types domain;
+
+	# FIXME:
+	# workaround until role dominance is fixed in
+	# the module compiler
+	role secadm_r types domain;
+	role sysadm_r types domain;
+	role user_r types domain;
+	role staff_r types domain;
+')
+
+tunable_policy(`global_ssp',`
+	# enable reading of urandom for all domains:
+	# this should be enabled when all programs
+	# are compiled with ProPolice/SSP
+	# stack smashing protection.
+	dev_read_urand(domain)
+')
+
+optional_policy(`
+	setrans_translate_context(domain)
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+# unconfined access also allows constraints, but this
+# is handled in the interface as typeattribute cannot
+# be used on an attribute.
+
+# Use/sendto/connectto sockets created by any domain.
+allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+
+# Use descriptors and pipes created by any domain.
+allow unconfined_domain_type domain:fd use;
+allow unconfined_domain_type domain:fifo_file rw_file_perms;
+
+# Act upon any other process.
+allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
+
+# Create/access any System V IPC objects.
+allow unconfined_domain_type domain:{ sem msgq shm } *;
+allow unconfined_domain_type domain:msg { send receive };
+
+# For /proc/pid
+allow unconfined_domain_type domain:dir r_dir_perms;
+allow unconfined_domain_type domain:file r_file_perms;
+allow unconfined_domain_type domain:lnk_file r_file_perms;
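Review bot: The index comments on the constraint attributes are out of step — `can_change_object_identity` and `can_system_change` are both labelled `[3]`, so the `[4]`..`[7]` labels that follow presumably no longer match whatever constraint definitions use these numbers; renumber so `can_system_change` becomes `[4]` (shifting the rest) or drop the indices altogether. The trailing `# add userhelperdomain to this one` on `process_uncond_exempt` reads as an unfinished task left in a declaration; make it an explicit `# TODO:` with the reason, or do the `typeattribute` in the module that owns userhelperdomain. The comment over `allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };` should also spell out that the complement covers `ptrace`, signal and `setcurrent` permissions against every domain, since that is what a policy auditor will ask about, e.g. `# Includes ptrace, signals and setcurrent on all domains; only transition/dyntransition and exec* are withheld.`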
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
new file mode 100644
index 0000000..b3a21ea
--- /dev/null
+++ b/policy/modules/kernel/files.fc
@@ -0,0 +1,246 @@
+
+#
+# /
+#
+/.*				gen_context(system_u:object_r:default_t,s0)
+/			-d	gen_context(system_u:object_r:root_t,s0)
+/\.journal			<<none>>
+/initrd\.img.*		-l	gen_context(system_u:object_r:boot_t,s0)
+/vmlinuz.*		-l	gen_context(system_u:object_r:boot_t,s0)
+
+ifdef(`distro_redhat',`
+/\.autofsck		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/\.autorelabel		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/fastboot 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/forcefsck 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/poweroff		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+ifdef(`distro_suse',`
+/success			--	gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+#
+# /boot
+#
+/boot			-d	gen_context(system_u:object_r:boot_t,s0)
+/boot/.*			gen_context(system_u:object_r:boot_t,s0)
+/boot/\.journal			<<none>>
+/boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/boot/lost\+found/.*		<<none>>
+/boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
+
+#
+# /emul
+#
+/emul			-d	gen_context(system_u:object_r:usr_t,s0)
+/emul/.*			gen_context(system_u:object_r:usr_t,s0)
+
+#
+# /etc
+#
+/etc			-d	gen_context(system_u:object_r:etc_t,s0)
+/etc/.*				gen_context(system_u:object_r:etc_t,s0)
+/etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/asound\.state	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/HOSTNAME		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/ioctl\.save		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/issue		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/issue\.net		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
+/etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/smartd\.conf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
+
+
+/etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
+
+/etc/network/ifstate	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/ptal/ptal-printd-like -- 	gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
+
+ifdef(`distro_gentoo', `
+/etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/csh\.env		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/etc/rhgb(/.*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
+')
+
+ifdef(`distro_suse',`
+/etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/init\.d/\.depend.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+#
+# HOME_ROOT
+# expanded by genhomedircon
+#
+HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s0-s15:c0.c255)
+HOME_ROOT/\.journal		<<none>>
+HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+HOME_ROOT/lost\+found/.*		<<none>>
+
+#
+# /initrd
+#
+# initrd mount point, only used during boot
+/initrd			-d	gen_context(system_u:object_r:root_t,s0)
+
+#
+# /lib(64)?
+#
+/lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
+/lib64/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
+
+#
+# /lost+found
+#
+/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/lost\+found/.*			<<none>>
+
+#
+# /media
+#
+# Mount points; do not relabel subdirectories, since
+# we don't want to change any removable media by default.
+/media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
+/media/[^/]*/.*			<<none>>
+
+#
+# /misc
+#
+/misc			-d	gen_context(system_u:object_r:mnt_t,s0)
+
+#
+# /mnt
+#
+/mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
+/mnt/[^/]*/.*			<<none>>
+
+#
+# /net
+#
+/net			-d	gen_context(system_u:object_r:mnt_t,s0)
+
+#
+# /opt
+#
+/opt			-d	gen_context(system_u:object_r:usr_t,s0)
+/opt/.*				gen_context(system_u:object_r:usr_t,s0)
+
+/opt/(.*/)?var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
+
+#
+# /proc
+#
+/proc			-d	<<none>>
+/proc/.*			<<none>>
+
+#
+# /selinux
+#
+/selinux		-d	<<none>>
+/selinux/.*			<<none>>
+
+#
+# /srv
+#
+/srv			-d	gen_context(system_u:object_r:var_t,s0)
+/srv/.*				gen_context(system_u:object_r:var_t,s0)
+
+#
+# /sys
+#
+/sys			-d	<<none>>
+/sys/.*				<<none>>
+
+#
+# /tmp
+#
+/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
+/tmp/.*				<<none>>
+/tmp/\.journal			<<none>>
+
+/tmp/lost\+found	-d		gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/tmp/lost\+found/.*		<<none>>
+
+#
+# /usr
+#
+/usr			-d	gen_context(system_u:object_r:usr_t,s0)
+/usr/.*				gen_context(system_u:object_r:usr_t,s0)
+/usr/\.journal			<<none>>
+
+/usr/doc(/.*)?/lib(/.*)?		gen_context(system_u:object_r:usr_t,s0)
+
+/usr/etc(/.*)?			gen_context(system_u:object_r:etc_t,s0)
+
+/usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
+
+/usr/local/\.journal		<<none>>
+
+/usr/local/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
+
+/usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/usr/local/lost\+found/.*	<<none>>
+
+/usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
+
+/usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/usr/lost\+found/.*		<<none>>
+
+/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+
+/usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
+/usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+
+/usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
+/usr/tmp/.*			<<none>>
+
+#
+# /var
+#
+/var			-d	gen_context(system_u:object_r:var_t,s0)
+/var/.*				gen_context(system_u:object_r:var_t,s0)
+/var/\.journal			<<none>>
+
+/var/db/.*\.db		--	gen_context(system_u:object_r:etc_t,s0)
+
+/var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
+
+/var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
+
+/var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
+
+/var/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
+
+/var/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/var/lost\+found/.*		<<none>>
+
+/var/run			-d	gen_context(system_u:object_r:var_run_t,s0-s15:c0.c255)
+/var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
+/var/run/.*\.*pid		<<none>>
+
+/var/spool(/.*)?			gen_context(system_u:object_r:var_spool_t,s0)
+/var/spool/postfix/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
+
+/var/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
+/var/tmp/.*			<<none>>
+/var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/var/tmp/lost\+found/.*		<<none>>
+/var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
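Review bot: In `/var/run/.*\.*pid		<<none>>` the `\.*` quantifier makes the escaped dot optional, so the pattern is equivalent to `/var/run/.*pid` and exempts from relabelling any entry under /var/run whose name merely ends in `pid`, not only `*.pid` files. If PID files are the intent, `/var/run/.*\.pid		<<none>>` is the tighter form; if bare `...pid` names are meant as well, a one-line comment saying so will keep the next reader from "fixing" it. A few entries (`/fastboot`, `/forcefsck`, `/fsckoptions`) carry a stray space before the tab separator, which the tokenizer ignores but which is inconsistent with the rest of the file.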
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
new file mode 100644
index 0000000..4ee35d7
--- /dev/null
+++ b/policy/modules/kernel/files.if
@@ -0,0 +1,4401 @@
+## <summary>
+## Basic filesystem types and interfaces.
+## </summary>
+## <desc>
+## <p>
+## This module contains basic filesystem types and interfaces. This
+## includes:
+## <ul>
+##	<li>The concept of different file types including basic
+##	files, mount points, tmp files, etc.</li>
+##	<li>Access to groups of files and all files.</li>
+##	<li>Types and interfaces for the basic filesystem layout
+##	(/, /etc, /tmp, /usr, etc.).</li>
+## </ul>
+## </p>
+## </desc>
+## <required val="true">
+##	Contains the concept of a file.
+##	Comains the file initial SID.
+## </required>
+
+########################################
+## <summary>
+##	Make the specified type usable for files
+##	in a filesystem.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+#
+interface(`files_type',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	typeattribute $1 file_type;
+')
+
+########################################
+## <summary>
+##	Make the specified type usable for
+##	lock files.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for lock files.
+##	</summary>
+## </param>
+#
+interface(`files_lock_file',`
+	gen_require(`
+		attribute lockfile;
+	')
+
+	files_type($1)
+	typeattribute $1 lockfile;
+')
+
+########################################
+## <summary>
+##	Make the specified type usable for
+##	filesystem mount points.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for mount points.
+##	</summary>
+## </param>
+#
+interface(`files_mountpoint',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	files_type($1)
+	typeattribute $1 mountpoint;
+')
+
+########################################
+## <summary>
+##	Make the specified type usable for
+##	runtime process ID files.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for PID files.
+##	</summary>
+## </param>
+#
+interface(`files_pid_file',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	files_type($1)
+	typeattribute $1 pidfile;
+')
+
+########################################
+## <summary>
+##	Make the specified type a 
+##	configuration file.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Type to be used as a configuration file.
+##	</summary>
+## </param>
+#
+interface(`files_config_file',`
+	gen_require(`
+		attribute usercanread;
+	')
+
+	files_type($1)
+
+	# this is a hack and should be removed.
+	typeattribute $1 usercanread;
+')
+
+########################################
+## <summary>
+##	Make the specified type a 
+##	polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Type of the file to be used as a
+##	polyinstantiated directory.
+##	</summary>
+## </param>
+#
+interface(`files_poly',`
+	gen_require(`
+		attribute polydir;
+	')
+
+	files_type($1)
+	typeattribute $1 polydir;
+')
+
+########################################
+## <summary>
+##	Make the specified type a parent
+##	of a polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Type of the file to be used as a
+##	parent directory.
+##	</summary>
+## </param>
+#
+interface(`files_poly_parent',`
+	gen_require(`
+		attribute polyparent;
+	')
+
+	files_type($1)
+	typeattribute $1 polyparent;
+')
+
+########################################
+## <summary>
+##	Make the specified type a
+##	polyinstantiation member directory.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Type of the file to be used as a
+##	member directory.
+##	</summary>
+## </param>
+#
+interface(`files_poly_member',`
+	gen_require(`
+		attribute polymember;
+	')
+
+	files_type($1)
+	typeattribute $1 polymember;
+')
+
+########################################
+## <summary>
+##	Make the domain use the specified
+##	type of polyinstantiated directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain using the polyinstantiated
+##	directory.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Type of the file to be used as a
+##	member directory.
+##	</summary>
+## </param>
+#
+interface(`files_poly_member_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	type_member $1 tmp_t:dir $2;
+')
+
+########################################
+## <summary>
+##	Make the specified type a file that
+##	should not be dontaudited from
+##	browsing from user domains.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Type of the file to be used as a
+##	member directory.
+##	</summary>
+## </param>
+#
+interface(`files_security_file',`
+	gen_require(`
+		attribute security_file_type;
+	')
+
+	files_type($1)
+	typeattribute $1 security_file_type;
+')
+
+########################################
+## <summary>
+##	Make the specified type a file
+##	used for temporary files.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Type of the file to be used as a
+##	temporary file.
+##	</summary>
+## </param>
+#
+interface(`files_tmp_file',`
+	gen_require(`
+		attribute tmpfile;
+		type tmp_t;
+	')
+
+	files_type($1)
+	files_poly_member($1)
+	typeattribute $1 tmpfile;
+')
+
+########################################
+## <summary>
+##	Transform the type into a file, for use on a
+##	virtual memory filesystem (tmpfs).
+## </summary>
+## <param name="type">
+##	<summary>
+##	The type to be transformed.
+##	</summary>
+## </param>
+#
+interface(`files_tmpfs_file',`
+	gen_require(`
+		attribute tmpfsfile;
+	')
+
+	files_type($1)
+	typeattribute $1 tmpfsfile;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: this is an odd interface, because to getattr
+# all dirs, you need to search all the parent directories
+#
+interface(`files_getattr_all_dirs',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir { getattr search };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_dirs',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	dontaudit $1 file_type:dir getattr;
+')
+
+########################################
+## <summary>
+##	List all non-security directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_non_security',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	allow $1 { file_type -security_file_type }:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list all
+##	non-security directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_list_non_security',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on all non-security
+##	directories and files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_non_security',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	allow $1 { file_type -security_file_type }:dir mounton;
+	allow $1 { file_type -security_file_type }:file mounton;
+')
+
+########################################
+## <summary>
+##	Allow attempts to modify any directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`files_write_non_security_dirs',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	allow $1 file_type:dir write;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:file getattr;
+	allow $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	dontaudit $1 file_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_files',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:file getattr;
+')
+
+########################################
+## <summary>
+##	Read all files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir list_dir_perms;
+	allow $1 file_type:file read_file_perms;
+
+	optional_policy(`
+		auth_read_shadow($1)
+	')
+')
+
+########################################
+## <summary>
+##	Allow shared library text relocations in all files.
+## </summary>
+## <desc>
+##	<p>
+##	Allow shared library text relocations in all files.
+##	</p>
+##	<p>
+##	This is added to support WINE in the targeted
+##	policy.  It has no effect on the strict policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_execmod_all_files',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			attribute file_type;
+		')
+
+		allow $1 file_type:file execmod;
+	',`
+		errprint(__file__:__line__:` $0($1) has no effect in strict policy.'__endline__)
+	')
+')
+
+########################################
+## <summary>
+##	Read all non-security files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_non_security_files',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	allow $1 { file_type -security_file_type }:dir search_dir_perms;
+	allow $1 { file_type -security_file_type }:file r_file_perms;
+	allow $1 { file_type -security_file_type }:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read all directories on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_dirs_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read all files on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_files_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir search;
+	allow $1 { file_type $2 }:file r_file_perms;
+
+')
+
+########################################
+## <summary>
+##	Read all symbolic links on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_symlinks_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir search;
+	allow $1 { file_type $2 }:lnk_file r_file_perms;
+
+')
+
+########################################
+## <summary>
+##	Get the attributes of all symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	dontaudit $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_symlinks',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security block devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_blk_files',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security character devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_chr_files',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Read all symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir list_dir_perms;
+	allow $1 file_type:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_pipes',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir list_dir_perms;
+	allow $1 file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_pipes',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	dontaudit $1 file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_pipes',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_sockets',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir list_dir_perms;
+	allow $1 file_type:sock_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_sockets',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	dontaudit $1 file_type:sock_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_sockets',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:sock_file getattr;
+')
+
+########################################
+## <summary>
+##	Read all block nodes with file types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_blk_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:blk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read all character nodes with file types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_chr_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Relabel all files on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
+	allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
+	allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
+
+	# satisfy the assertions:
+	seutil_relabelto_bin_policy($1)
+')
+
+########################################
+## <summary>
+##	Manage all files on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`files_manage_all_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir create_dir_perms;
+	allow $1 { file_type $2 }:file create_file_perms;
+	allow $1 { file_type $2 }:lnk_file create_lnk_perms;
+	allow $1 { file_type $2 }:fifo_file create_file_perms;
+	allow $1 { file_type $2 }:sock_file create_file_perms;
+
+	# satisfy the assertions:
+	seutil_create_bin_policy($1)
+	files_manage_kernel_modules($1)
+')
+
+########################################
+## <summary>
+##	Search the contents of all directories on
+##	extended attribute filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_all',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of all directories on
+##	extended attribute filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_all',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the
+##	contents of any directories on extended
+##	attribute filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_all_dirs',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	dontaudit $1 file_type:dir search;
+')
+
+########################################
+## <summary>
+##	Relabel a filesystem to the type of a file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelto_all_file_type_fs',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:filesystem relabelto;
+')
+
+########################################
+## <summary>
+##	Mount all filesystems with the type of a file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mount_all_file_type_fs',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Unmount all filesystems with the type of a file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_unmount_all_file_type_fs',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir { getattr search mounton };
+	allow $1 mountpoint:file { getattr mounton };
+')
+
+########################################
+## <summary>
+##	Get the attributes of all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir getattr;
+')
+
+########################################
+## <summary>
+##	List the contents of the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_root',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir r_dir_perms;
+	allow $1 root_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create an object in the root directory, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_root_filetrans',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir rw_dir_perms;
+	type_transition $1 root_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read files in
+##	the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_read_root_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	files in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_rw_root_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:file { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	character device nodes in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_rw_root_chr_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+##	Remove entries from the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_root_dir_entry',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Unmount a rootfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_unmount_rootfs',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get attributes of the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_boot_dirs',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get attributes
+##	of the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_boot_dirs',`
+	gen_require(`
+		type boot_t;
+	')
+
+	dontaudit $1 boot_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_boot',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_boot',`
+	gen_require(`
+		type boot_t;
+	')
+
+	dontaudit $1 boot_t:dir search;
+')
+
+########################################
+## <summary>
+##	Create directories in /boot
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_boot_dirs',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir { create rw_dir_perms };
+')
+
+########################################
+## <summary>
+##	Create a private type object in boot
+##	with an automatic type transition
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_boot_filetrans',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir rw_dir_perms;
+	type_transition $1 boot_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_boot_files',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir rw_dir_perms;
+	allow $1 boot_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel from files in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelfrom_boot_files',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:file relabelfrom;
+')
+
+########################################
+## <summary>
+##	Read and write symbolic links
+##	in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_boot_symlinks',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir r_dir_perms;
+	allow $1 boot_t:lnk_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic links
+##	in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_boot_symlinks',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir rw_dir_perms;
+	allow $1 boot_t:lnk_file manage_file_perms;
+')
+
+########################################
+## <summary>
+##     Read kernel files in the /boot directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_read_kernel_img',`
+       gen_require(`
+               type boot_t;
+       ')
+
+       allow $1 boot_t:dir list_dir_perms;
+       allow $1 boot_t:file { getattr read };
+       allow $1 boot_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Install a kernel into the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_kernel_img',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir ra_dir_perms;
+	allow $1 boot_t:file { getattr read write create };
+	allow $1 boot_t:lnk_file { getattr read create unlink };
+')
+
+########################################
+## <summary>
+##	Delete a kernel from /boot.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_kernel',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir { r_dir_perms write remove_name };
+	allow $1 boot_t:file { getattr unlink };
+')
+
+########################################
+## <summary>
+##	Getattr of directories with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_default_dirs',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	directories with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_default_dirs',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the contents of directories with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_default',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:dir search;
+')
+
+########################################
+## <summary>
+##	List contents of directories with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_default',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list contents of
+##	directories with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_list_default',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on a directory with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_default',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:dir { getattr search mounton };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	files with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_default_files',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read files with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_default_files',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read files
+##	with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_read_default_files',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_default_symlinks',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read sockets with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_default_sockets',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:sock_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read named pipes with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_default_pipes',`
+	gen_require(`
+		type default_t;
+	')
+
+	allow $1 default_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Search the contents of /etc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_etc',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir search;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the /etc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_setattr_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	List the contents of /etc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_etc',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read generic files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_t:file r_file_perms;
+	allow $1 etc_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write generic files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	dontaudit $1 etc_t:file write;
+')
+
+########################################
+## <summary>
+##	Read and write generic files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_t:file rw_file_perms;
+	allow $1 etc_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete generic
+##	files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	allow $1 etc_t:file create_file_perms;
+	allow $1 etc_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete system configuration files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	allow $1 etc_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Execute generic files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_exec_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_t:lnk_file r_file_perms;
+	can_exec($1,etc_t)
+
+')
+
+#######################################
+## <summary>
+##	Relabel from and to generic files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir list_dir_perms;
+	allow $1 etc_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Create objects in /etc with a private
+##	type using a type_transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Object classes to be created.
+##	</summary>
+## </param>
+#
+interface(`files_etc_filetrans',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	type_transition $1 etc_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Create a boot flag.
+## </summary>
+## <desc>
+##	<p>
+##	Create a boot flag, such as
+##	/.autorelabel and /.autofsck.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_boot_flag',`
+	gen_require(`
+		type root_t, etc_runtime_t;
+	')
+
+	allow $1 root_t:dir rw_dir_perms;
+	allow $1 etc_runtime_t:file { create read write setattr unlink };
+	type_transition $1 root_t:file etc_runtime_t;
+')
+
+########################################
+## <summary>
+##	Read files in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_etc_runtime_files',`
+	gen_require(`
+		type etc_t, etc_runtime_t;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_runtime_t:file r_file_perms;
+	allow $1 etc_runtime_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read files
+##	in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_runtime_files',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	dontaudit $1 etc_runtime_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read and write files in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_etc_runtime_files',`
+	gen_require(`
+		type etc_t, etc_runtime_t;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_runtime_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files in
+##	/etc that are dynamically created on boot,
+##	such as mtab.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_etc_runtime_files',`
+	gen_require(`
+		type etc_t, etc_runtime_t;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	allow $1 etc_runtime_t:dir rw_dir_perms;
+	allow $1 etc_runtime_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, etc runtime objects with an automatic
+##	type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_etc_filetrans_etc_runtime',`
+	gen_require(`
+		type etc_t, etc_runtime_t;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	type_transition $1 etc_t:$2 etc_runtime_t;
+')
+
+########################################
+## <summary>
+##	Getattr of directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_isid_type_dirs',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_isid_type_dirs',`
+	gen_require(`
+		type file_t;
+	')
+
+	dontaudit $1 file_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_isid_type_dirs',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read and write directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_isid_type_dirs',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_isid_type_dirs',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on a directory on new filesystems
+##	that has not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_isid_type_dirs',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir { getattr search mounton };
+')
+
+########################################
+## <summary>
+##	Read files on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_isid_type_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir search;
+	allow $1 file_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_isid_type_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic links
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_isid_type_symlinks',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Read and write block device nodes on new filesystems 
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_isid_type_blk_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir search;
+	allow $1 file_t:blk_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete block device nodes
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_isid_type_blk_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:blk_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete character device nodes
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_isid_type_chr_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:chr_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the home directories root
+##	(/home).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_home_dir',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	allow $1 home_root_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the home directories root
+##	(/home).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_home_dir',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	dontaudit $1 home_root_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search home directories root (/home).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_home',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	allow $1 home_root_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	home directories root (/home).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_home',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	dontaudit $1 home_root_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list
+##	home directories root (/home).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_list_home',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	dontaudit $1 home_root_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get listing of home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_home',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	allow $1 home_root_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in /home.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="home_type">
+##	<summary>
+##	The private type.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_home_filetrans',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	allow $1 home_root_t:dir rw_dir_perms;
+	type_transition $1 home_root_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete objects in
+##	lost+found directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_lost_found',`
+	gen_require(`
+		type lost_found_t;
+	')
+
+	allow $1 lost_found_t:dir create_dir_perms;
+	allow $1 lost_found_t:file create_file_perms;
+	allow $1 lost_found_t:sock_file create_file_perms;
+	allow $1 lost_found_t:fifo_file create_file_perms;
+	allow $1 lost_found_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Search the contents of /mnt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_mnt',`
+	gen_require(`
+		type mnt_t;
+	')
+
+	allow $1 mnt_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search /mnt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_mnt',`
+	gen_require(`
+		type mnt_t;
+	')
+
+	dontaudit $1 mnt_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of /mnt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_mnt',`
+	gen_require(`
+		type mnt_t;
+	')
+
+	allow $1 mnt_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on /mnt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_mnt',`
+	gen_require(`
+		type mnt_t;
+	')
+
+	allow $1 mnt_t:dir { search mounton };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories in /mnt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_mnt_dirs',`
+	gen_require(`
+		type mnt_t;
+	')
+
+	allow $1 mnt_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files in /mnt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_mnt_files',`
+	gen_require(`
+		type mnt_t;
+	')
+
+	allow $1 mnt_t:dir rw_dir_perms;
+	allow $1 mnt_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic links in /mnt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_mnt_symlinks',`
+	gen_require(`
+		type mnt_t;
+	')
+
+	allow $1 mnt_t:dir rw_dir_perms;
+	allow $1 mnt_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Search the contents of the kernel module directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of the kernel module directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir search;
+	allow $1 modules_object_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Read kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir r_dir_perms;
+	allow $1 modules_object_t:lnk_file r_file_perms;
+	allow $1 modules_object_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Write kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_write_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir r_dir_perms;
+	allow $1 modules_object_t:file { write append };
+')
+
+########################################
+## <summary>
+##	Delete kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir { list_dir_perms write remove_name };
+	allow $1 modules_object_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
+	allow $1 modules_object_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel from and to kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:file { relabelfrom relabelto };
+	allow $1 modules_object_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in the kernel module directories
+##	with a private type via an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_kernel_modules_filetrans',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir rw_dir_perms;
+	type_transition $1 modules_object_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	List world-readable directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_world_readable',`
+	gen_require(`
+		type readable_t;
+	')
+
+	allow $1 readable_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_world_readable_files',`
+	gen_require(`
+		type readable_t;
+	')
+
+	allow $1 readable_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_world_readable_symlinks',`
+	gen_require(`
+		type readable_t;
+	')
+
+	allow $1 readable_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_world_readable_pipes',`
+	gen_require(`
+		type readable_t;
+	')
+
+	allow $1 readable_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_world_readable_sockets',`
+	gen_require(`
+		type readable_t;
+	')
+
+	allow $1 readable_t:sock_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified type to associate
+##	to a filesystem with the type of the
+##	temporary directory (/tmp).
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Type of the file to associate.
+##	</summary>
+## </param>
+#
+interface(`files_associate_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:filesystem associate;
+')
+
+########################################
+## <summary>
+##	Get the	attributes of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_tmp_dirs',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_tmp_dirs',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	dontaudit $1 tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit listing of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_list_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	dontaudit $1 tmp_t:dir { read getattr search };
+')
+
+########################################
+## <summary>
+##	Read files in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_generic_tmp_files',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir search_dir_perms;
+	allow $1 tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage temporary files and directories in /tmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`files_manage_generic_tmp_files',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir rw_dir_perms;
+	allow $1 tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_generic_tmp_symlinks',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir search_dir_perms;
+	allow $1 tmp_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write generic named sockets in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_generic_tmp_sockets',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir search_dir_perms;
+	allow $1 tmp_t:sock_file { read write };
+')
+
+########################################
+## <summary>
+##	Set the attributes of all tmp directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_setattr_all_tmp_dirs',`
+	gen_require(`
+		attribute tmpfile;
+	')
+
+	allow $1 tmpfile:dir { search setattr };
+')
+
+########################################
+## <summary>
+##	Create an object in the tmp directories, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_tmp_filetrans',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir rw_dir_perms;
+	type_transition $1 tmp_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Delete the contents of /tmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_purge_tmp',`
+	gen_require(`
+		attribute tmpfile;
+	')
+
+	allow $1 tmpfile:dir { rw_dir_perms rmdir };
+	allow $1 tmpfile:notdevfile_class_set { getattr unlink };
+')
+
+########################################
+## <summary>
+##	Search the content of /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_usr',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of generic
+##	directories in /usr.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_usr',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of files in /usr.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir search;
+	allow $1 usr_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read generic files in /usr.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir r_dir_perms;
+	allow $1 usr_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute generic programs in /usr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_exec_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir r_dir_perms;
+	allow $1 usr_t:lnk_file r_file_perms;
+	can_exec($1,usr_t)
+
+')
+
+########################################
+## <summary>
+##	Relabel a file to the type used in /usr.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelto_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:file relabelto;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in /usr.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_usr_symlinks',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir search;
+	allow $1 usr_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in the /usr directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+#
+interface(`files_usr_filetrans',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir rw_dir_perms;
+	type_transition $1 usr_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Execute programs in /usr/src in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_exec_usr_src_files',`
+	gen_require(`
+		type usr_t, src_t;
+	')
+
+	allow $1 usr_t:dir search;
+	allow $1 src_t:dir r_dir_perms;
+	allow $1 src_t:lnk_file r_file_perms;
+	can_exec($1,src_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search /usr/src.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_src',`
+	gen_require(`
+		type src_t;
+	')
+
+	dontaudit $1 src_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read files in /usr/src.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_usr_src_files',`
+	gen_require(`
+		type usr_t, src_t;
+	')
+
+	allow $1 usr_t:dir search;
+	allow $1 src_t:dir r_dir_perms;
+	allow $1 src_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Install a system.map into the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_kernel_symbol_table',`
+	gen_require(`
+		type boot_t, system_map_t;
+	')
+
+	allow $1 boot_t:dir ra_dir_perms;
+	allow $1 system_map_t:file { rw_file_perms create };
+')
+
+########################################
+## <summary>
+##	Read system.map in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_kernel_symbol_table',`
+	gen_require(`
+		type boot_t, system_map_t;
+	')
+
+	allow $1 boot_t:dir r_dir_perms;
+	allow $1 system_map_t:file r_file_perms;
+
+	# cjp: this should be dropped:
+	allow $1 boot_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Delete a system.map in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_kernel_symbol_table',`
+	gen_require(`
+		type boot_t, system_map_t;
+	')
+
+	allow $1 boot_t:dir { r_dir_perms write remove_name };
+	allow $1 system_map_t:file { getattr unlink };
+')
+
+########################################
+## <summary>
+##	Search the contents of /var.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_var',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write to /var.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_var_dirs',`
+	gen_require(`
+		type var_t;
+	')
+
+	dontaudit $1 var_t:dir write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	the contents of /var.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_var',`
+	gen_require(`
+		type var_t;
+	')
+
+	dontaudit $1 var_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of /var.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_var',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	in the /var directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_var_dirs',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read files in the /var directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_var_files',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write files in the /var directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_var_files',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+	allow $1 var_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files in the /var directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_var_files',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+	allow $1 var_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in the /var directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_var_symlinks',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic
+##	links in the /var directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_var_symlinks',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+	allow $1 var_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in the /var directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+#
+interface(`files_var_filetrans',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir rw_dir_perms;
+	type_transition $1 var_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the /var/lib directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_var_lib_dirs',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lib_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the /var/lib directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_var_lib',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 { var_t var_lib_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of the /var/lib directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_var_lib',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lib_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in the /var/lib directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+#
+interface(`files_var_lib_filetrans',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lib_t:dir rw_dir_perms;
+	type_transition $1 var_lib_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Read generic files in /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_var_lib_files',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 { var_t var_lib_t }:dir search_dir_perms;
+	allow $1 var_lib_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read generic symbolic links in /var/lib
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_var_lib_symlinks',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 { var_t var_lib_t }:dir search_dir_perms;
+	allow $1 var_lib_t:lnk_file { getattr read };
+')
+
+# cjp: the next two interfaces really need to be fixed
+# in some way.  They really neeed their own types.
+
+########################################
+## <summary>
+##	Create, read, write, and delete the
+##	pseudorandom number generator seed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_urandom_seed',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lib_t:dir rw_dir_perms;
+	allow $1 var_lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow domain to manage mount tables
+##	necessary for rpcd, nfsd, etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_mounttab',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lib_t:dir rw_dir_perms;
+	allow $1 var_lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Search the locks directory (/var/lock).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_locks',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the
+##	locks directory (/var/lock).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_locks',`
+	gen_require(`
+		type var_lock_t;
+	')
+
+	dontaudit $1 var_lock_t:dir search;
+')
+
+########################################
+## <summary>
+##	Add and remove entries in the /var/lock
+##	directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lock_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of generic lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_generic_locks',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lock_t:dir r_dir_perms;
+	allow $1 var_lock_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete generic
+##	lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_generic_locks',`
+	gen_require(`
+		type var_lock_t;
+	')
+
+	allow $1 var_lock_t:dir rw_dir_perms;
+	allow $1 var_lock_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete all lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_all_locks',`
+	gen_require(`
+		attribute lockfile;
+	')
+
+	allow $1 lockfile:dir rw_dir_perms;
+	allow $1 lockfile:file { getattr unlink };
+')
+
+########################################
+## <summary>
+##	Read all lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_locks',`
+	gen_require(`
+		attribute lockfile;
+		type var_t, var_lock_t;
+	')
+
+	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+	allow $1 lockfile:dir r_dir_perms;
+	allow $1 lockfile:file r_file_perms;
+	allow $1 lockfile:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Create an object in the locks directory, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_lock_filetrans',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_lock_t:dir rw_dir_perms;
+	type_transition $1 var_lock_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of the /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_pid_dirs',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	dontaudit $1 var_run_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the contents of runtime process
+##	ID directories (/var/run).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	the /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_pids',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	dontaudit $1 var_run_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of the runtime process
+##	ID directories (/var/run).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_run_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create an object in the process ID directory, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_pid_filetrans',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_run_t:dir rw_dir_perms;
+	type_transition $1 var_run_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Read and write generic process ID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_generic_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_run_t:dir r_dir_perms;
+	allow $1 var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write to daemon runtime data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	dontaudit $1 pidfile:file write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to ioctl daemon runtime data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_ioctl_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	dontaudit $1 pidfile:file ioctl;
+')
+
+########################################
+## <summary>
+##	Read all process ID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_pids',`
+	gen_require(`
+		attribute pidfile;
+		type var_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 pidfile:dir r_dir_perms;
+	allow $1 pidfile:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Mount filesystems on all polyinstantiation
+##	member directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_all_poly_members',`
+	gen_require(`
+		attribute polymember;
+	')
+
+	allow $1 polymember:dir mounton;
+')
+
+########################################
+## <summary>
+##	Delete all process IDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_all_pids',`
+	gen_require(`
+		attribute pidfile;
+		type var_t, var_run_t;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
+	allow $1 var_run_t:dir rmdir;
+	allow $1 pidfile:dir rw_dir_perms;
+	allow $1 pidfile:file { getattr unlink };
+	allow $1 pidfile:sock_file { getattr unlink };
+	allow $1 pidfile:fifo_file { getattr unlink };
+')
+
+########################################
+## <summary>
+##	Delete all process ID directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+		type var_t;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 pidfile:dir { rw_dir_perms rmdir };
+')
+
+########################################
+## <summary>
+##	Search the contents of generic spool
+##	directories (/var/spool).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_spool',`
+	gen_require(`
+		type var_t, var_spool_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search generic
+##	spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_spool',`
+	gen_require(`
+		type var_spool_t;
+	')
+
+	dontaudit $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of generic spool
+##	(/var/spool) directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_spool',`
+	gen_require(`
+		type var_t, var_spool_t;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete generic
+##	spool directories (/var/spool).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_generic_spool_dirs',`
+	gen_require(`
+		type var_t, var_spool_t;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read generic spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_generic_spool',`
+	gen_require(`
+		type var_t, var_spool_t;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir r_dir_perms;
+	allow $1 var_spool_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete generic
+##	spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_generic_spool',`
+	gen_require(`
+		type var_t, var_spool_t;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir rw_dir_perms;
+	allow $1 var_spool_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in the spool directory
+##	with a private type with a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_spool_filetrans',`
+	gen_require(`
+		type var_t, var_spool_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_spool_t:dir rw_dir_perms;
+	type_transition $1 var_spool_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Allow access to manage all polyinstantiated
+##	directories on the system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_polyinstantiate_all',`
+	gen_require(`
+		attribute polydir, polymember, polyparent;
+		type poly_t;
+	')
+
+	# Need to give access to /selinux/member
+	selinux_compute_member($1)
+
+	# Need sys_admin capability for mounting
+	allow $1 self:capability sys_admin;
+
+	# Need to give access to the directories to be polyinstantiated
+	allow $1 polydir:dir { create getattr search write add_name setattr mounton };
+
+	# Need to give access to the polyinstantiated subdirectories
+	allow $1 polymember:dir search_dir_perms;
+
+	# Need to give access to parent directories where original
+	# is remounted for polyinstantiation aware programs (like gdm)
+	allow $1 polyparent:dir { getattr mounton };
+
+	# Need to give permission to create directories where applicable
+	allow $1 self:process setfscreate;
+	allow $1 polymember: dir { create setattr relabelto };
+	allow $1 polydir: dir { write add_name };
+	allow $1 polyparent:dir { write add_name relabelfrom relabelto };
+
+	# Default type for mountpoints
+	allow $1 poly_t:dir { create mounton };
+	fs_unmount_xattr_fs($1)
+')
+
+########################################
+## <summary>
+##	Unconfined access to files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_unconfined',`
+	gen_require(`
+		attribute files_unconfined_type;
+	')
+
+	typeattribute $1 files_unconfined_type;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
new file mode 100644
index 0000000..e3f7b8f
--- /dev/null
+++ b/policy/modules/kernel/files.te
@@ -0,0 +1,220 @@
+
+policy_module(files,1.2.12)
+
+########################################
+#
+# Declarations
+#
+
+attribute file_type;
+attribute files_unconfined_type;
+attribute lockfile;
+attribute mountpoint;
+attribute pidfile;
+
+# For labeling types that are to be polyinstantiated
+attribute polydir;
+
+# And for labeling the parent directories of those polyinstantiated directories
+# This is necessary for remounting the original in the parent to give
+# security aware apps access
+attribute polyparent;
+
+# And labeling for the member directories
+attribute polymember;
+
+# sensitive security files whose accesses should
+# not be dontaudited for uses
+attribute security_file_type;
+
+attribute tmpfile;
+attribute tmpfsfile;
+
+# this is a hack and should be changed
+attribute usercanread;
+
+#
+# boot_t is the type for files in /boot
+#
+type boot_t;
+files_mountpoint(boot_t)
+
+# default_t is the default type for files that do not
+# match any specification in the file_contexts configuration
+# other than the generic /.* specification.
+type default_t;
+files_mountpoint(default_t)
+
+#
+# etc_t is the type of the system etc directories.
+#
+type etc_t;
+files_type(etc_t)
+
+#
+# etc_runtime_t is the type of various
+# files in /etc that are automatically
+# generated during initialization.
+#
+type etc_runtime_t;
+files_type(etc_runtime_t)
+
+#
+# file_t is the default type of a file that has not yet been
+# assigned an extended attribute (EA) value (when using a filesystem
+# that supports EAs).
+#
+type file_t;
+files_mountpoint(file_t)
+kernel_rootfs_mountpoint(file_t)
+sid file gen_context(system_u:object_r:file_t,s0)
+
+#
+# home_root_t is the type for the directory where user home directories
+# are created
+#
+type home_root_t;
+files_mountpoint(home_root_t)
+files_poly_parent(home_root_t)
+
+#
+# lost_found_t is the type for the lost+found directories.
+#
+type lost_found_t;
+files_type(lost_found_t)
+
+#
+# mnt_t is the type for mount points such as /mnt/cdrom
+#
+type mnt_t;
+files_mountpoint(mnt_t)
+
+#
+# modules_object_t is the type for kernel modules
+#
+type modules_object_t;
+files_type(modules_object_t)
+
+type no_access_t;
+files_type(no_access_t)
+
+type poly_t;
+files_type(poly_t)
+
+type readable_t;
+files_type(readable_t)
+
+#
+# root_t is the type for rootfs and the root directory.
+#
+type root_t;
+files_mountpoint(root_t)
+files_poly_parent(root_t)
+kernel_rootfs_mountpoint(root_t)
+genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+
+#
+# src_t is the type of files in the system src directories.
+#
+type src_t;
+files_mountpoint(src_t)
+
+#
+# system_map_t is for the system.map files in /boot
+#
+type system_map_t;
+files_type(system_map_t)
+
+#
+# tmp_t is the type of the temporary directories
+#
+type tmp_t;
+files_tmp_file(tmp_t)
+files_mountpoint(tmp_t)
+files_poly(tmp_t)
+files_poly_parent(tmp_t)
+
+#
+# usr_t is the type for /usr.
+#
+type usr_t;
+files_mountpoint(usr_t)
+
+#
+# var_t is the type of /var
+#
+type var_t;
+files_mountpoint(var_t)
+
+#
+# var_lib_t is the type of /var/lib
+#
+type var_lib_t;
+files_mountpoint(var_lib_t)
+
+#
+# var_lock_t is tye type of /var/lock
+#
+type var_lock_t;
+files_lock_file(var_lock_t)
+
+#
+# var_run_t is the type of /var/run, usually
+# used for pid and other runtime files.
+#
+type var_run_t;
+files_pid_file(var_run_t)
+
+#
+# var_spool_t is the type of /var/spool
+#
+type var_spool_t;
+files_tmp_file(var_spool_t)
+
+########################################
+#
+# Rules for all file types
+#
+
+allow file_type self:filesystem associate;
+
+fs_associate(file_type)
+fs_associate_noxattr(file_type)
+
+ifdef(`targeted_policy', `
+	fs_associate_tmpfs(file_type)
+')
+
+########################################
+#
+# Rules for all tmp file types
+#
+
+allow tmpfile tmp_t:filesystem associate;
+
+fs_associate_tmpfs(tmpfile)
+
+########################################
+#
+# Rules for all tmpfs file types
+#
+
+fs_associate_tmpfs(tmpfsfile)
+
+########################################
+#
+# Unconfined access to this module
+#
+
+# Create/access any file in a labeled filesystem;
+allow files_unconfined_type file_type:{ file chr_file } ~execmod;
+allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+
+# Mount/unmount any filesystem with the context= option. 
+allow files_unconfined_type file_type:filesystem *;
+
+ifdef(`targeted_policy',`
+	tunable_policy(`allow_execmod',`
+		allow files_unconfined_type file_type:file execmod;
+	')
+')
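Review bot: The unconfined rules near the end of the hunk, `allow files_unconfined_type file_type:{ file chr_file } ~execmod;` and the `*` rule on the next line, use complement and wildcard permission sets, so any permission added to these object classes in a later policy or kernel is granted to unconfined domains implicitly; that is presumably intended for an unconfined attribute, but the single `execmod` carve-out is unexplained and deserves a comment such as `# execmod (executing a modified, writable file mapping) is withheld here; the allow_execmod tunable below grants it back for plain files in targeted policy`. Note that the `allow_execmod` tunable re-grants execmod only on `file`, not on `chr_file`, which the comment should state if that asymmetry is deliberate. Separately, `no_access_t`, `poly_t` and `readable_t` are the only types declared without a purpose comment while every other type in this section has one, so a one-line comment each (what the label is meant for, and in the case of `no_access_t` that no interface is expected to grant access to it) would match the file's style. The trailing space on the `# Mount/unmount any filesystem with the context= option.` line and the typo `tye type` in the var_lock_t comment are minor.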
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
new file mode 100644
index 0000000..7be4ddf
--- /dev/null
+++ b/policy/modules/kernel/filesystem.fc
@@ -0,0 +1 @@
+# This module currently does not have any file contexts.
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
new file mode 100644
index 0000000..6fea2a1
--- /dev/null
+++ b/policy/modules/kernel/filesystem.if
@@ -0,0 +1,3266 @@
+## <summary>Policy for filesystems.</summary>
+## <required val="true">
+##	Contains the initial SID for the filesystems.
+## </required>
+
+########################################
+## <summary>
+##	Transform specified type into a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_type',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	typeattribute $1 filesystem_type;
+')
+
+########################################
+## <summary>
+##	Transform specified type into a filesystem
+##	type which does not have extended attribute
+##	support.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_noxattr_type',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	fs_type($1)
+
+	typeattribute $1 noxattrfs;
+')
+
+########################################
+## <summary>
+##	Associate the specified file type to persistent
+##	filesystems with extended attributes.  This
+##	allows a file of this type to be created on
+##	a filesystem such as ext3, JFS, and XFS.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	The type of the to be associated.
+##	</summary>
+## </param>
+#
+interface(`fs_associate',`
+	gen_require(`
+		type fs_t;
+	')
+
+	allow $1 fs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+##	Associate the specified file type to
+##	filesystems which lack extended attributes
+##	support.  This allows a file of this type
+##	to be created on a filesystem such as
+##	FAT32, and NFS.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	The type of the to be associated.
+##	</summary>
+## </param>
+#
+interface(`fs_associate_noxattr',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:filesystem associate;
+')
+
+########################################
+## <summary>
+##	Execute files on a filesystem that does
+##	not support extended attributes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_exec_noxattr',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	can_exec($1,noxattrfs)
+')
+
+########################################
+## <summary>
+##	Mount a persistent filesystem which
+##	has extended attributes, such as
+##	ext3, JFS, or XFS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_xattr_fs',`
+	gen_require(`
+		type fs_t;
+	')
+
+	allow $1 fs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount a persistent filesystem which
+##	has extended attributes, such as
+##	ext3, JFS, or XFS.  This allows
+##	some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_xattr_fs',`
+	gen_require(`
+		type fs_t;
+	')
+
+	allow $1 fs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a persistent filesystem which
+##	has extended attributes, such as
+##	ext3, JFS, or XFS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_xattr_fs',`
+	gen_require(`
+		type fs_t;
+	')
+
+	allow $1 fs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a persistent
+##	filesystem which has extended
+##	attributes, such as ext3, JFS, or XFS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_xattr_fs',`
+	gen_require(`
+		type fs_t;
+	')
+
+	allow $1 fs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to
+##	get the attributes of a persistent
+##	filesystem which has extended
+##	attributes, such as ext3, JFS, or XFS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_xattr_fs',`
+	gen_require(`
+		type fs_t;
+	')
+
+	dontaudit $1 fs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Allow changing of the label of a
+##	filesystem with extended attributes
+##	using the context= mount option.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_xattr_fs',`
+	gen_require(`
+		type fs_t;
+	')
+
+	allow $1 fs_t:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
+##	Get the filesystem quotas of a filesystem
+##	with extended attributes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_get_xattr_fs_quotas',`
+	gen_require(`
+		type fs_t;
+	')
+
+	allow $1 fs_t:filesystem quotaget;
+')
+
+########################################
+## <summary>
+##	Set the filesystem quotas of a filesystem
+##	with extended attributes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_set_xattr_fs_quotas',`
+	gen_require(`
+		type fs_t;
+	')
+
+	allow $1 fs_t:filesystem quotamod;
+')
+
+########################################
+## <summary>
+##	Mount an automount pseudo filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_autofs',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	allow $1 autofs_t:filesystem mount;
+')
+
+
+########################################
+## <summary>
+##	Remount an automount pseudo filesystem
+##	This allows some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_autofs',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	allow $1 autofs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount an automount pseudo filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_autofs',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	allow $1 autofs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of an automount
+##	pseudo filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_autofs',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	allow $1 autofs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Search automount filesystem to use automatically
+##	mounted filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_auto_mountpoints',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	allow $1 autofs_t:dir { getattr search };
+')
+
+########################################
+## <summary>
+##	Read directories of automatically
+##	mounted filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_auto_mountpoints',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	allow $1 autofs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list directories of automatically
+##	mounted filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_auto_mountpoints',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	dontaudit $1 autofs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of directories on
+##	binfmt_misc filesystems. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_binfmt_misc_dirs',`
+	gen_require(`
+		type binfmt_misc_t;
+	')
+
+	allow $1 binfmt_misc_t:dir getattr;
+
+')
+
+########################################
+## <summary>
+##	Register an interpreter for new binary
+##	file types, using the kernel binfmt_misc
+##	support.
+## </summary>
+## <desc>
+##	<p>
+##	Register an interpreter for new binary
+##	file types, using the kernel binfmt_misc
+##	support.
+##	</p>
+##	<p>
+##	A common use for this is to
+##	register a JVM as an interpreter for
+##	Java byte code.  Registered binaries
+##	can be directly executed on a command line
+##	without specifying the interpreter.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_register_binary_executable_type',`
+	gen_require(`
+		type binfmt_misc_fs_t;
+	')
+
+	allow $1 binfmt_misc_fs_t:dir { getattr search };
+	allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
+')
+
+########################################
+## <summary>
+##	Mount a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_cifs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount a CIFS or SMB network filesystem.
+##	This allows some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_cifs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_cifs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a CIFS or
+##	SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_cifs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Search directories on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_cifs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of directories on a
+##	CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_cifs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list the contents
+##	of directories on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir r_dir_perms;
+	allow $1 cifs_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read all noxattrfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_noxattr_fs',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir r_dir_perms;
+
+')
+
+########################################
+## <summary>
+##	Read all noxattrfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_noxattr_fs_files',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir search_dir_perms;
+	allow $1 noxattrfs:file r_file_perms;
+
+')
+
+########################################
+## <summary>
+##	Read all noxattrfs symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_noxattr_fs_symlinks',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir search_dir_perms;
+	allow $1 noxattrfs:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_read_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or
+##	write files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:file { read write };
+')
+
+########################################
+## <summary>
+##	Read symbolic links on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_cifs_symlinks',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir r_dir_perms;
+	allow $1 cifs_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute files on a CIFS or SMB
+##	network filesystem, in the caller
+##	domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_exec_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir r_dir_perms;
+	can_exec($1, cifs_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_cifs_dirs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_cifs_dirs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir rw_dir_perms;
+	allow $1 cifs_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete files
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic links
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_cifs_symlinks',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir rw_dir_perms;
+	allow $1 cifs_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named pipes
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_cifs_named_pipes',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir rw_dir_perms;
+	allow $1 cifs_t:fifo_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named sockets
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_cifs_named_sockets',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir rw_file_perms;
+	allow $1 cifs_t:sock_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute a file on a CIFS or SMB filesystem
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file on a CIFS or SMB filesystem
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	home directories on CIFS/SMB filesystems,
+##	in particular used by the ssh-agent policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`fs_cifs_domtrans',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir search;
+
+	domain_auto_trans($1,cifs_t,$2)
+')
+
+########################################
+## <summary>
+##	Mount a DOS filesystem, such as
+##	FAT32 or NTFS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_dos_fs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount a DOS filesystem, such as
+##	FAT32 or NTFS.  This allows
+##	some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_dos_fs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a DOS filesystem, such as
+##	FAT32 or NTFS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_dos_fs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a DOS
+##	filesystem, such as FAT32 or NTFS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_dos_fs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Allow changing of the label of a
+##	DOS filesystem using the context= mount option.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_dos_fs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
+##	Read eventpollfs files.
+## </summary>
+## <desc>
+##	<p>
+##	Read eventpollfs files
+##	</p>
+##	<p>
+##	This interface has been deprecated, and will
+##	be removed in the future.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_eventpollfs',`
+	errprint(__file__:__line__:` $0($*) has been deprecated.'__endline__)
+')
+
+########################################
+## <summary>
+##	Search inotifyfs filesystem. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_inotifyfs',`
+	gen_require(`
+		type inotifyfs_t;
+	')
+
+	allow $1 inotifyfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List inotifyfs filesystem. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_inotifyfs',`
+	gen_require(`
+		type inotifyfs_t;
+	')
+
+	allow $1 inotifyfs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Mount an iso9660 filesystem, which
+##	is usually used on CDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_iso9660_fs',`
+	gen_require(`
+		type iso9660_t;
+	')
+
+	allow $1 iso9660_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount an iso9660 filesystem, which
+##	is usually used on CDs.  This allows
+##	some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_iso9660_fs',`
+	gen_require(`
+		type iso9660_t;
+	')
+
+	allow $1 iso9660_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount an iso9660 filesystem, which
+##	is usually used on CDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_iso9660_fs',`
+	gen_require(`
+		type iso9660_t;
+	')
+
+	allow $1 iso9660_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of an iso9660
+##	filesystem, which is usually used on CDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_iso9660_fs',`
+	gen_require(`
+		type iso9660_t;
+	')
+
+	allow $1 iso9660_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Read files on an iso9660 filesystem, which
+##	is usually used on CDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_iso9660_files',`
+	gen_require(`
+		type iso9660_t;
+	')
+
+	allow $1 iso9660_t:dir list_dir_perms;
+	allow $1 iso9660_t:file read_file_perms;
+	allow $1 iso9660_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Mount a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_nfs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount a NFS filesystem.  This allows
+##	some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_nfs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_nfs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_nfs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Search directories on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_nfs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir search;
+')
+
+########################################
+## <summary>
+##	List NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_nfs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list the contents
+##	of directories on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_nfs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_read_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_write_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:file write;
+')
+
+########################################
+## <summary>
+##	Execute files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_exec_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir r_dir_perms;
+	can_exec($1, nfs_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or
+##	write files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:file { read write };
+')
+
+########################################
+## <summary>
+##	Read symbolic links on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_nfs_symlinks',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_rpc_dirs',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:dir getattr;
+
+')
+
+########################################
+## <summary>
+##	Search directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_rpc',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Search removable storage directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_removable',`
+	gen_require(`
+		type removable_t;
+	')
+
+	allow $1 removable_t:dir { getattr read search };
+
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list removable storage directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_removable',`
+	gen_require(`
+		type removable_t;
+	')
+	dontaudit $1 removable_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read removable storage files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_removable_files',`
+	gen_require(`
+		type removable_t;
+	')
+
+	allow $1 removable_t:file { read getattr };
+
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read removable storage files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_read_removable_files',`
+	gen_require(`
+		type removable_t;
+	')
+	dontaudit $1 removable_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read removable storage symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_removable_symlinks',`
+	gen_require(`
+		type removable_t;
+	')
+
+	allow $1 removable_t:lnk_file { getattr read };
+
+')
+
+########################################
+## <summary>
+##	Read directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_rpc',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:dir { getattr read search };
+
+')
+
+########################################
+## <summary>
+##	Read files of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_rpc_files',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:file { read getattr };
+
+')
+
+########################################
+## <summary>
+##	Read symbolic links of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_rpc_symlinks',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:lnk_file { getattr read };
+
+')
+
+########################################
+## <summary>
+##	Read sockets of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_rpc_sockets',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:sock_file { read write };
+
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_nfs_dirs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_nfs_dirs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir rw_dir_perms;
+	allow $1 nfs_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create,
+##	read, write, and delete files
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:file create_file_perms;
+')
+
+#########################################
+## <summary>
+##	Create, read, write, and delete symbolic links
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_nfs_symlinks',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir rw_dir_perms;
+	allow $1 nfs_t:lnk_file create_lnk_perms;
+')
+
+#########################################
+## <summary>
+##	Create, read, write, and delete named pipes
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_nfs_named_pipes',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir rw_dir_perms;
+	allow $1 nfs_t:fifo_file create_file_perms;
+')
+
+#########################################
+## <summary>
+##	Create, read, write, and delete named sockets
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_nfs_named_sockets',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir rw_dir_perms;
+	allow $1 nfs_t:sock_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute a file on a NFS filesystem
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file on a NFS filesystem
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on a NFS filesystem in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	home directories on NFS filesystems,
+##	in particular used by the ssh-agent policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`fs_nfs_domtrans',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir search;
+
+	domain_auto_trans($1,nfs_t,$2)
+')
+
+########################################
+## <summary>
+##	Mount a NFS server pseudo filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Mount a NFS server pseudo filesystem.
+##	This allows some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a NFS server pseudo filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a NFS server
+##	pseudo filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Search NFS server directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read and write NFS server files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Mount a RAM filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_ramfs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount a RAM filesystem.  This allows
+##	some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_ramfs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a RAM filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_ramfs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a RAM filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_ramfs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Search directories on a ramfs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_ramfs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit Search directories on a ramfs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_search_ramfs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	dontaudit $1 ramfs_t:dir search;
+')
+
+########################################
+## <summary>
+##	Dontaudit read on a ramfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_read_ramfs_files',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	dontaudit $1 ramfs_t:file read;
+')
+
+########################################
+## <summary>
+##	Dontaudit read on a ramfs fifo_files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_read_ramfs_pipes',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	dontaudit $1 ramfs_t:fifo_file read;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	files on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_ramfs_files',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:dir rw_dir_perms;
+	allow $1 ramfs_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Write to named pipe on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_write_ramfs_pipes',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:dir search_dir_perms;
+	allow $1 ramfs_t:fifo_file write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write to named 
+##	pipes on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_write_ramfs_pipes',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	dontaudit $1 ramfs_t:fifo_file write;
+')
+
+########################################
+## <summary>
+##	Read and write a named pipe on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_ramfs_pipes',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:dir search_dir_perms;
+	allow $1 ramfs_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete 
+##	named pipes on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_ramfs_pipes',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:dir rw_dir_perms;
+	allow $1 ramfs_t:fifo_file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Write to named socket on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_write_ramfs_sockets',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	named sockets on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_ramfs_sockets',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:dir rw_dir_perms;
+	allow $1 ramfs_t:sock_file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Mount a ROM filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_romfs',`
+	gen_require(`
+		type romfs_t;
+	')
+
+	allow $1 romfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount a ROM filesystem.  This allows
+##	some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_romfs',`
+	gen_require(`
+		type romfs_t;
+	')
+
+	allow $1 romfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a ROM filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_romfs',`
+	gen_require(`
+		type romfs_t;
+	')
+
+	allow $1 romfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a ROM
+##	filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_romfs',`
+	gen_require(`
+		type romfs_t;
+	')
+
+	allow $1 romfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Mount a RPC pipe filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_rpc_pipefs',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount a RPC pipe filesystem.  This
+##	allows some mount option to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_rpc_pipefs',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a RPC pipe filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_rpc_pipefs',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a RPC pipe
+##	filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_rpc_pipefs',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Mount a tmpfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount a tmpfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a tmpfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a tmpfs
+##	filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Allow the type to associate to tmpfs filesystems.
+## </summary>
+## <param name="type">
+##	<summary>
+##	The type of the object to be associated.
+##	</summary>
+## </param>
+#
+interface(`fs_associate_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+##	Get the attributes of tmpfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of tmpfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of tmpfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_setattr_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Search tmpfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of generic tmpfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list the
+##	contents of generic tmpfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	tmpfs directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create an object in a tmpfs filesystem, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`fs_tmpfs_filetrans',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $2 tmpfs_t:filesystem associate;
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	type_transition $1 tmpfs_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	generic tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:file { read write };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	auto moutpoints.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_auto_mountpoints',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	allow $1 autofs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read and write generic tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read tmpfs link files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 tmpfs_t:lnk_file read;
+')
+
+########################################
+## <summary>
+##	Read and write character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_tmpfs_chr_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	dontaudit Read and write character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:dir r_dir_perms;
+	dontaudit $1 tmpfs_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_chr_file',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Read and write block nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_tmpfs_blk_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:blk_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel block nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_blk_file',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Read and write, create and delete generic
+##	files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	allow $1 tmpfs_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write, create and delete symbolic
+##	links on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	allow $1 tmpfs_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Read and write, create and delete socket
+##	files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_sockets',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	allow $1 tmpfs_t:sock_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write, create and delete character
+##	nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_chr_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	allow $1 tmpfs_t:chr_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write, create and delete block nodes
+##	on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_tmpfs_blk_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	allow $1 tmpfs_t:blk_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Mount all filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_all_fs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount all filesystems.  This
+##	allows some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_all_fs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount all filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_all_fs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all persistent
+##	filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_all_fs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	all filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_fs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Get the quotas of all filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain getting quotas.
+##	</summary>
+## </param>
+#
+interface(`fs_get_all_fs_quotas',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:filesystem quotaget;
+')
+
+########################################
+## <summary>
+##	Set the quotas of all filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain setting quotas.
+##	</summary>
+## </param>
+#
+interface(`fs_set_all_quotas',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:filesystem quotamod;
+')
+
+########################################
+## <summary>
+##	Relabelfrom all filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_all_fs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all directories
+##	with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_all_dirs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search all directories with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_all',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List all directories with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_all',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all files with
+##	a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_all_files',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir { search getattr };
+	allow $1 filesystem_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all symbolic links with
+##	a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_all_symlinks',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir { search getattr };
+	allow $1 filesystem_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named pipes with
+##	a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_all_pipes',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir { search getattr };
+	allow $1 filesystem_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named sockets with
+##	a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_all_sockets',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir { search getattr };
+	allow $1 filesystem_type:sock_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all files with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_files',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all symbolic links with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_symlinks',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named pipes with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_pipes',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named sockets with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_sockets',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:sock_file getattr;
+')
+
+########################################
+## <summary>
+##	Unconfined access to filesystems
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unconfined',`
+	gen_require(`
+		attribute filesystem_unconfined_type;
+	')
+
+	typeattribute $1 filesystem_unconfined_type;
+')
+
+########################################
+## <summary>
+##	Relabel all objets from filesystems that
+##	do not support extended attributes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_noxattr_fs',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir { list_dir_perms relabelfrom };
+	allow $1 noxattrfs:file { getattr relabelfrom };
+	allow $1 noxattrfs:lnk_file { getattr relabelfrom };
+	allow $1 noxattrfs:fifo_file { getattr relabelfrom };
+	allow $1 noxattrfs:sock_file { getattr relabelfrom };
+	allow $1 noxattrfs:blk_file { getattr relabelfrom };
+	allow $1 noxattrfs:chr_file { getattr relabelfrom };
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
new file mode 100644
index 0000000..104b56b
--- /dev/null
+++ b/policy/modules/kernel/filesystem.te
@@ -0,0 +1,203 @@
+
+policy_module(filesystem,1.3.12)
+
+########################################
+#
+# Declarations
+#
+
+attribute filesystem_type;
+attribute filesystem_unconfined_type;
+attribute noxattrfs;
+
+##############################
+#
+# fs_t is the default type for persistent
+# filesystems with extended attributes
+#
+type fs_t;
+fs_type(fs_t)
+sid fs gen_context(system_u:object_r:fs_t,s0)
+
+# Use xattrs for the following filesystem types.
+# Requires that a security xattr handler exist for the filesystem.
+fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+
+# Use the allocating task SID to label inodes in the following filesystem
+# types, and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems that represent objects
+# like pipes and sockets, so that these objects are labeled with the same
+# type as the creating task.  
+fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
+fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
+
+##############################
+#
+# Non-persistent/pseudo filesystems
+#
+type bdev_t;
+fs_type(bdev_t)
+genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
+
+type binfmt_misc_fs_t;
+fs_type(binfmt_misc_fs_t)
+files_mountpoint(binfmt_misc_fs_t)
+genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
+
+type capifs_t;
+fs_type(capifs_t)
+genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+
+type configfs_t;
+fs_type(configfs_t)
+genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
+
+type eventpollfs_t;
+fs_type(eventpollfs_t)
+# change to task SID 20060628
+#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
+
+type futexfs_t;
+fs_type(futexfs_t)
+genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
+
+type hugetlbfs_t;
+fs_type(hugetlbfs_t)
+files_mountpoint(hugetlbfs_t)
+genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
+
+type ibmasmfs_t;
+fs_type(ibmasmfs_t)
+allow ibmasmfs_t self:filesystem associate;
+genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
+
+type inotifyfs_t;
+fs_type(inotifyfs_t)
+genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
+
+type nfsd_fs_t;
+fs_type(nfsd_fs_t)
+genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+
+type oprofilefs_t;
+fs_type(oprofilefs_t)
+genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
+
+type ramfs_t;
+fs_type(ramfs_t)
+genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
+
+type romfs_t;
+fs_type(romfs_t)
+genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
+genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
+
+type rpc_pipefs_t;
+fs_type(rpc_pipefs_t)
+genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
+
+#
+# tmpfs_t is the type for tmpfs filesystems
+#
+type tmpfs_t;
+fs_type(tmpfs_t)
+files_type(tmpfs_t)
+files_mountpoint(tmpfs_t)
+
+# Use a transition SID based on the allocating task SID and the
+# filesystem SID to label inodes in the following filesystem types,
+# and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems like devpts and tmpfs
+# where we want to label objects with a derived type.
+fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
+fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
+fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
+
+allow tmpfs_t noxattrfs:filesystem associate;
+
+##############################
+#
+# Filesystems without extended attribute support
+#
+type autofs_t;
+fs_noxattr_type(autofs_t)
+files_mountpoint(autofs_t)
+genfscon autofs / gen_context(system_u:object_r:autofs_t,s0)
+genfscon automount / gen_context(system_u:object_r:autofs_t,s0)
+
+#
+# cifs_t is the type for filesystems and their
+# files shared from Windows servers
+#
+type cifs_t alias sambafs_t;
+fs_noxattr_type(cifs_t)
+genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)
+genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
+
+#
+# dosfs_t is the type for fat and vfat
+# filesystems and their files.
+#
+type dosfs_t;
+fs_noxattr_type(dosfs_t)
+allow dosfs_t fs_t:filesystem associate;
+genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
+
+#
+# iso9660_t is the type for CD filesystems
+# and their files.
+#
+type iso9660_t;
+fs_noxattr_type(iso9660_t)
+genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
+genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+
+#
+# removable_t is the default type of all removable media
+#
+type removable_t;
+allow removable_t noxattrfs:filesystem associate;
+fs_noxattr_type(removable_t)
+files_type(removable_t)
+
+#
+# nfs_t is the default type for NFS file systems
+# and their files.
+#
+type nfs_t;
+fs_noxattr_type(nfs_t)
+files_mountpoint(nfs_t)
+genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
+genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
+genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
+
+########################################
+#
+# Rules for all filesystem types
+#
+
+allow filesystem_type self:filesystem associate;
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow filesystem_unconfined_type filesystem_type:filesystem *;
+
+# Create/access other files.  fs_type is to pick up various
+# pseudo filesystem types that are applied to both the filesystem
+# and its files.
+allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
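Review bot: The block comment above `type nfs_t;` says it is "the default type for NFS file systems", but the genfscon lines that follow also map afs, hfs, hfsplus, reiserfs and gfs onto nfs_t, so a reader who finds local reiserfs or hfsplus files labelled nfs_t gets no explanation here; the same applies to the dosfs_t comment, which names fat and vfat while ntfs is mapped too. I would widen both comments, e.g. `# nfs_t is the default type for NFS and other filesystems that are mounted without xattr support (afs, hfs, hfsplus, reiserfs, gfs).` and `# dosfs_t is the type for fat, vfat and ntfs filesystems and their files.` Note that reiserfs does support security xattrs on kernels of this era, so a `fs_use_xattr reiserfs` entry would give per-file labels instead of the single coarse noxattr type — worth confirming against the target kernel rather than assuming the genfscon fallback is intended. Separately, `allow ibmasmfs_t self:filesystem associate;` looks redundant with the generic `allow filesystem_type self:filesystem associate;` later in the file, assuming fs_type() (defined outside this hunk) adds the filesystem_type attribute; if so the per-type rule can be dropped to keep the unconfined/generic section the single place such rules live.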
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
new file mode 100644
index 0000000..7be4ddf
--- /dev/null
+++ b/policy/modules/kernel/kernel.fc
@@ -0,0 +1 @@
+# This module currently does not have any file contexts.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
new file mode 100644
index 0000000..230b601
--- /dev/null
+++ b/policy/modules/kernel/kernel.if
@@ -0,0 +1,2101 @@
+## <summary>
+##	Policy for kernel threads, proc filesystem, 
+##	and unlabeled processes and objects.
+## </summary>
+## <required val="true">
+##	This module has initial SIDs.
+## </required>
+
+########################################
+## <summary>
+##	Allows to start userland processes
+##	by transitioning to the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type entered by kernel.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The executable type for the entrypoint.
+##	</summary>
+## </param>
+#
+interface(`kernel_domtrans_to',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	domain_auto_trans(kernel_t, $2, $1)
+
+	allow kernel_t $1:fd use;
+	allow $1 kernel_t:fd use;
+	allow $1 kernel_t:fifo_file rw_file_perms;
+	allow $1 kernel_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allows the kernel to mount filesystems on
+##	the specified directory type.
+## </summary>
+## <param name="directory_type">
+##	<summary>
+##	The type of the directory to use as a mountpoint.
+##	</summary>
+## </param>
+#
+interface(`kernel_rootfs_mountpoint',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow kernel_t $1:dir mounton;
+')
+
+########################################
+## <summary>
+##	Set the process group of kernel threads.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_setpgid',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:process setpgid;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to kernel threads.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process sending the signal.
+##	</summary>
+## </param>
+#
+interface(`kernel_sigchld',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a generic signal to kernel threads.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process sending the signal.
+##	</summary>
+## </param>
+#
+interface(`kernel_signal',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow kernel_t $1:process signal;
+')
+
+########################################
+## <summary>
+##	Allows the kernel to share state information with
+##	the caller.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process with which to share state information.
+##	</summary>
+## </param>
+#
+interface(`kernel_share_state',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow kernel_t $1:process share;
+')
+
+########################################
+## <summary>
+##	Permits caller to use kernel file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process using the descriptors.
+##	</summary>
+## </param>
+#
+interface(`kernel_use_fds',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use
+##	kernel file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of process not to audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_use_fds',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read and write kernel unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_pipes',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+##	Read and write kernel unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_unix_dgram_sockets',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:unix_dgram_socket { read write ioctl };
+')
+
+########################################
+## <summary>
+##	Send messages to kernel unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dgram_send',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+##	Receive messages from kernel TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_tcp_recvfrom',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic to the kernel.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_udp_send',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:udp_socket sendto;
+	allow kernel_t $1:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Receive messages from kernel UDP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_udp_recvfrom',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Allows caller to load kernel modules
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type to allow to load kernel modules.
+##	</summary>
+## </param>
+#
+interface(`kernel_load_module',`
+	gen_require(`
+		attribute can_load_kernmodule;
+	')
+
+	allow $1 self:capability sys_module;
+	typeattribute $1 can_load_kernmodule;
+')
+
+########################################
+## <summary>
+##	Allows caller to read the ring buffer.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type allowed to read the ring buffer.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_ring_buffer',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:system syslog_read;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read the ring buffer.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_ring_buffer',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:system syslog_read;
+')
+
+########################################
+## <summary>
+##	Change the level of kernel messages logged to the console.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_change_ring_buffer_level',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:system syslog_console;
+')
+
+########################################
+## <summary>
+##	Allows the caller to clear the ring buffer.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type clearing the buffer.
+##	</summary>
+## </param>
+#
+interface(`kernel_clear_ring_buffer',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:system syslog_mod;
+')
+
+########################################
+## <summary>
+##	Get information on all System V IPC objects.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	
+##	</summary>
+## </param>
+#
+interface(`kernel_get_sysvipc_info',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:system ipc_info;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_getattr_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Mount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain mounting the filesystem.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Unmount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain unmounting the filesystem.
+##	</summary>
+## </param>
+#
+interface(`kernel_unmount_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Remount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain remounting the filesystem.
+##	</summary>
+## </param>
+#
+interface(`kernel_remount_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Search the contents of a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_search_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read information from the debugging filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:dir r_dir_perms;
+	allow $1 debugfs_t:file r_file_perms;
+	allow $1 debugfs_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Unmount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain unmounting the filesystem.
+##	</summary>
+## </param>
+#
+interface(`kernel_unmount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_getattr_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Search directories in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_search_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of directories in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_list_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list the
+##	contents of directories in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	dontaudit $1 proc_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_getattr_proc_files',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_proc_symlinks',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allows caller to read system state information in proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the system state information.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_system_state',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir r_dir_perms;
+	allow $1 proc_t:lnk_file { getattr read };
+	allow $1 proc_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Write to generic proc entries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: this should probably go away.  any
+# file thats writable in proc should really
+# have its own label.
+#
+interface(`kernel_write_proc_files',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_t:file { append write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to
+##	read system state information in proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type not to audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_system_state',`
+	gen_require(`
+		type proc_t;
+	')
+
+	dontaudit $1 proc_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to
+##	read system state information in proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type not to audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_proc_symlinks',`
+	gen_require(`
+		type proc_t;
+	')
+
+	dontaudit $1 proc_t:lnk_file read;
+')
+
+#######################################
+## <summary>
+##	Allow caller to read the state information for software raid.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading software raid state.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_software_raid_state',`
+	gen_require(`
+		type proc_t, proc_mdstat_t;
+	')
+
+	allow $1 proc_t:dir r_dir_perms;
+	allow $1 proc_mdstat_t:file r_file_perms;
+')
+
+#######################################
+## <summary>
+##	Allow caller to read and set the state information for software raid.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading software raid state.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_software_raid_state',`
+	gen_require(`
+		type proc_t, proc_mdstat_t;
+	')
+
+	allow $1 proc_t:dir r_dir_perms;
+	allow $1 proc_mdstat_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Allows caller to get attribues of core kernel interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type getting the attibutes.
+##	</summary>
+## </param>
+#
+interface(`kernel_getattr_core_if',`
+	gen_require(`
+		type proc_t, proc_kcore_t;
+	')
+
+	allow $1 proc_t:dir r_dir_perms;
+	allow $1 proc_kcore_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	core kernel interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_core_if',`
+	gen_require(`
+		type proc_kcore_t;
+	')
+
+	dontaudit $1 proc_kcore_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Allow caller to read kernel messages
+##	using the /proc/kmsg interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the messages.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_messages',`
+	gen_require(`
+		attribute can_receive_kernel_messages;
+		type proc_kmsg_t, proc_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_kmsg_t:file r_file_perms;
+	typeattribute $1 can_receive_kernel_messages;
+')
+
+########################################
+## <summary>
+##	Allow caller to get the attributes of kernel message
+##	interface (/proc/kmsg).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type getting the attributes.
+##	</summary>
+## </param>
+#
+interface(`kernel_getattr_message_if',`
+	gen_require(`
+		type proc_kmsg_t, proc_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_kmsg_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get the attributes of kernel
+##	message interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type not to audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_message_if',`
+	gen_require(`
+		type proc_kmsg_t, proc_t;
+	')
+
+	dontaudit $1 proc_kmsg_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the network
+##	state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_network_state',`
+	gen_require(`
+		type proc_net_t;
+	')
+
+	dontaudit $1 proc_net_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow searching of network state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_search_network_state',`
+	gen_require(`
+		type proc_net_t;
+	')
+
+	allow $1 proc_net_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow caller to read the network state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_network_state',`
+	gen_require(`
+		type proc_t, proc_net_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_net_t:dir r_dir_perms;
+	allow $1 proc_net_t:file r_file_perms;
+	allow $1 proc_net_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow caller to read the network state symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_network_state_symlinks',`
+	gen_require(`
+		type proc_t, proc_net_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_net_t:dir r_dir_perms;
+	allow $1 proc_net_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow searching of xen state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_search_xen_state',`
+	gen_require(`
+		type proc_t, proc_xen_t;
+	')
+
+	allow $1 proc_t:dir search_dir_perms;
+	allow $1 proc_xen_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the xen
+##	state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_xen_state',`
+	gen_require(`
+		type proc_xen_t;
+	')
+
+	dontaudit $1 proc_xen_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow caller to read the xen state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_xen_state',`
+	gen_require(`
+		type proc_t, proc_xen_t;
+	')
+
+	allow $1 proc_t:dir search_dir_perms;
+	allow $1 proc_xen_t:dir r_dir_perms;
+	allow $1 proc_xen_t:file r_file_perms;
+	allow $1 proc_xen_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow caller to read the xen state symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_xen_state_symlinks',`
+	gen_require(`
+		type proc_t, proc_xen_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_xen_t:dir r_dir_perms;
+	allow $1 proc_xen_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow caller to write xen state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type writing the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_write_xen_state',`
+	gen_require(`
+		type proc_t, proc_xen_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_xen_t:dir r_dir_perms;
+	allow $1 proc_xen_t:file write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to search
+##	the base directory of sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type not to audit.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_sysctl',`
+	gen_require(`
+		type sysctl_t;
+	')
+
+	dontaudit $1 sysctl_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow access to read sysctl directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type to allow to read sysctl directories.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_sysctl',`
+	gen_require(`
+		type sysctl_t;
+	')
+
+	allow $1 sysctl_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow caller to read the device sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type to allow to read the device sysctls.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_device_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_dev_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_dev_t:dir r_dir_perms;
+	allow $1 sysctl_dev_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write device sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_device_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_dev_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_dev_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow caller to search virtual memory sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_search_vm_sysctl',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_vm_t;
+	')
+
+	allow $1 { proc_t sysctl_t sysctl_vm_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow caller to read virtual memory sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_vm_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_vm_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_vm_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write virtual memory sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_vm_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_vm_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_vm_t:dir list_dir_perms;
+	allow $1 sysctl_vm_t:file rw_file_perms;
+
+	# hal needs this
+	allow $1 sysctl_vm_t:dir write;
+')
+
+########################################
+## <summary>
+##	Search network sysctl directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_search_network_sysctl',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_net_t;
+	')
+
+	allow $1 { proc_t sysctl_t sysctl_net_t }:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to search network sysctl directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type not to audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_network_sysctl',`
+	gen_require(`
+		type sysctl_net_t;
+	')
+
+	dontaudit $1 sysctl_net_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow caller to read network sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_net_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_net_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_net_t:dir r_dir_perms;
+	allow $1 sysctl_net_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow caller to modiry contents of sysctl network files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_net_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_net_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_net_t:dir r_dir_perms;
+	allow $1 sysctl_net_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow caller to read unix domain
+##	socket sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_unix_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_net_t:dir r_dir_perms;
+	allow $1 sysctl_net_unix_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write unix domain
+##	socket sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_unix_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_net_t:dir r_dir_perms;
+	allow $1 sysctl_net_unix_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read the hotplug sysctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_hotplug_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	allow $1 sysctl_hotplug_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the hotplug sysctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_hotplug_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	allow $1 sysctl_hotplug_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read the modprobe sysctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_modprobe_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	allow $1 sysctl_modprobe_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the modprobe sysctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_modprobe_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	allow $1 sysctl_modprobe_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search generic kernel sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_kernel_sysctl',`
+	gen_require(`
+		type sysctl_kernel_t;
+	')
+
+	dontaudit $1 sysctl_kernel_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read generic kernel sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_kernel_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_t;
+	')
+
+	allow $1 proc_t:dir search_dir_perms;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	allow $1 sysctl_kernel_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write generic kernel sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_kernel_sysctl',`
+	gen_require(`
+		type sysctl_kernel_t;
+	')
+
+	dontaudit $1 sysctl_kernel_t:file write;
+')
+
+########################################
+## <summary>
+##	Read and write generic kernel sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_kernel_sysctl',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	allow $1 sysctl_kernel_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read filesystem sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_fs_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_fs_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_fs_t:dir r_dir_perms;
+	allow $1 sysctl_fs_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write fileystem sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_fs_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_fs_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_fs_t:dir r_dir_perms;
+	allow $1 sysctl_fs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read IRQ sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_irq_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_irq_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_irq_t:dir r_dir_perms;
+	allow $1 sysctl_irq_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write IRQ sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_rw_irq_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_irq_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 sysctl_irq_t:dir r_dir_perms;
+	allow $1 sysctl_irq_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read RPC sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_rpc_sysctls',`
+	gen_require(`
+		type proc_t, proc_net_t, sysctl_rpc_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_net_t:dir search;
+	allow $1 sysctl_rpc_t:dir r_dir_perms;
+	allow $1 sysctl_rpc_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write RPC sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_rw_rpc_sysctls',`
+	gen_require(`
+		type proc_t, proc_net_t, sysctl_rpc_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_net_t:dir search;
+	allow $1 sysctl_rpc_t:dir r_dir_perms;
+	allow $1 sysctl_rpc_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow caller to read all sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_all_sysctls',`
+	gen_require(`
+		attribute sysctl_type;
+		type proc_t, proc_net_t;
+	')
+
+	# proc_net_t for /proc/net/rpc sysctls
+	allow $1 { proc_t proc_net_t }:dir search;
+
+	allow $1 sysctl_type:dir r_dir_perms;
+	allow $1 sysctl_type:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write all sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_all_sysctls',`
+	gen_require(`
+		attribute sysctl_type;
+		type proc_t, proc_net_t;
+	')
+
+	# proc_net_t for /proc/net/rpc sysctls
+	allow $1 { proc_t proc_net_t }:dir search;
+
+	allow $1 sysctl_type:dir r_dir_perms;
+	allow $1 sysctl_type:file { rw_file_perms setattr };
+')
+
+########################################
+## <summary>
+##	Send a kill signal to unlabeled processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_kill_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Send general signals to unlabeled processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_signal_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send a null signal to unlabeled processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_signull_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send a stop signal to unlabeled processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_sigstop_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:process sigstop;
+')
+
+########################################
+## <summary>
+##	Send a child terminated signal to unlabeled processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_sigchld_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	List unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_list_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read and write unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get the
+##	attributes of an unlabeled file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type not to audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to
+##	read an unlabeled file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_unlabeled_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get the
+##	attributes of unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type not to audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_symlinks',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get the
+##	attributes of unlabeled named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type not to audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_pipes',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get the
+##	attributes of unlabeled named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type not to audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:sock_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get attributes for
+##	unlabeled block devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type not to audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Read and write unlabeled block device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_blk_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get attributes for
+##	unlabeled character devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type not to audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Allow caller to relabel unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir { getattr search read relabelfrom };
+')
+
+########################################
+## <summary>
+##	Allow caller to relabel unlabeled files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	kernel_list_unlabeled($1)
+	allow $1 unlabeled_t:file { getattr relabelfrom };
+')
+
+########################################
+## <summary>
+##	Allow caller to relabel unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_symlinks',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	kernel_list_unlabeled($1)
+	allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
+')
+
+########################################
+## <summary>
+##	Allow caller to relabel unlabeled named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_pipes',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	kernel_list_unlabeled($1)
+	allow $1 unlabeled_t:fifo_file { getattr relabelfrom };
+')
+
+########################################
+## <summary>
+##	Allow caller to relabel unlabeled named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_sockets',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	kernel_list_unlabeled($1)
+	allow $1 unlabeled_t:sock_file { getattr relabelfrom };
+')
+
+########################################
+## <summary>
+##	Send and receive messages from an
+##	unlabeled IPSEC association.
+## </summary>
+## <desc>
+##	<p>
+##	Send and receive messages from an
+##	unlabeled IPSEC association.  Network
+##	connections that are not protected
+##	by IPSEC have use an unlabeled
+##	assocation.
+##	</p>
+##	<p>
+##	The corenetwork interface
+##	corenet_non_ipsec_sendrecv() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_sendrecv_unlabeled_association',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:association { sendto recvfrom };
+
+	# temporary hack until labeling on packets is supported
+	allow $1 unlabeled_t:packet { send recv };
+')
+
+########################################
+## <summary>
+##	Send and receive unlabeled packets.
+## </summary>
+## <desc>
+##	<p>
+##	Send and receive unlabeled packets.
+##	These packets do not match any netfilter
+##	SECMARK rules.
+##	</p>
+##	<p>
+##	The corenetwork interface
+##	corenet_sendrecv_unlabeled_packets() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_sendrecv_unlabeled_packets',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:packet { send recv };
+')
+
+########################################
+## <summary>
+##	Unconfined access to kernel module resources.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_unconfined',`
+	gen_require(`
+		attribute kern_unconfined;
+	')
+
+	typeattribute $1 kern_unconfined;
+')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
new file mode 100644
index 0000000..43a5333
--- /dev/null
+++ b/policy/modules/kernel/kernel.te
@@ -0,0 +1,360 @@
+
+policy_module(kernel,1.3.13)
+
+########################################
+#
+# Declarations
+#
+
+# assertion related attributes
+attribute can_load_kernmodule;
+attribute can_receive_kernel_messages;
+
+neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
+
+# domains with unconfined access to kernel resources
+attribute kern_unconfined;
+
+# regular entries in proc
+attribute proc_type;
+
+# sysctls
+attribute sysctl_type;
+
+role system_r;
+role sysadm_r;
+role staff_r;
+role user_r;
+
+ifdef(`enable_mls',`
+	role secadm_r;
+	role auditadm_r;
+')
+
+#
+# kernel_t is the domain of kernel threads.
+# It is also the target type when checking permissions in the system class.
+# 
+type kernel_t, can_load_kernmodule;
+domain_base_type(kernel_t)
+mls_rangetrans_source(kernel_t)
+role system_r types kernel_t;
+sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c255)
+
+#
+# DebugFS
+#
+
+type debugfs_t;
+fs_type(debugfs_t)
+allow debugfs_t self:filesystem associate;
+genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
+
+#
+# Procfs types
+#
+
+type proc_t, proc_type;
+files_mountpoint(proc_t)
+fs_type(proc_t)
+genfscon proc / gen_context(system_u:object_r:proc_t,s0)
+genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
+
+# kernel message interface
+type proc_kmsg_t, proc_type;
+genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255)
+neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
+
+# /proc kcore: inaccessible
+type proc_kcore_t, proc_type;
+neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
+genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255)
+
+type proc_mdstat_t, proc_type;
+genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
+
+type proc_net_t, proc_type;
+genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
+
+type proc_xen_t, proc_type;
+genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
+
+#
+# Sysctl types
+#
+
+# /proc/sys directory, base directory of sysctls
+type sysctl_t, sysctl_type;
+files_mountpoint(sysctl_t)
+sid sysctl gen_context(system_u:object_r:sysctl_t,s0)
+genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
+
+# /proc/irq directory and files
+type sysctl_irq_t, sysctl_type;
+genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
+
+# /proc/net/rpc directory and files
+type sysctl_rpc_t, sysctl_type;
+genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
+
+# /proc/sys/fs directory and files
+type sysctl_fs_t, sysctl_type;
+files_mountpoint(sysctl_fs_t)
+genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
+
+# /proc/sys/kernel directory and files
+type sysctl_kernel_t, sysctl_type;
+genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
+
+# /proc/sys/kernel/modprobe file
+type sysctl_modprobe_t, sysctl_type;
+genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
+
+# /proc/sys/kernel/hotplug file
+type sysctl_hotplug_t, sysctl_type;
+genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)
+
+# /proc/sys/net directory and files
+type sysctl_net_t, sysctl_type;
+genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
+
+# /proc/sys/net/unix directory and files
+type sysctl_net_unix_t, sysctl_type;
+genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+
+# /proc/sys/vm directory and files
+type sysctl_vm_t, sysctl_type;
+genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
+
+# /proc/sys/dev directory and files
+type sysctl_dev_t, sysctl_type;
+genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+
+#
+# unlabeled_t is the type of unlabeled objects.
+# Objects that have no known labeling information or that
+# have labels that are no longer valid are treated as having this type.
+#
+type unlabeled_t;
+sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+
+# These initial sids are no longer used, and can be removed:
+sid any_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid file_labels		gen_context(system_u:object_r:unlabeled_t,s0)
+sid icmp_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid igmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid init		gen_context(system_u:object_r:unlabeled_t,s0)
+sid kmod		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid netmsg		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid policy		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid sysctl_modprobe 	gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_fs		gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_kernel	gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_net		gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_net_unix	gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_vm		gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_dev		gen_context(system_u:object_r:unlabeled_t,s0)
+sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+
+########################################
+#
+# kernel local policy
+#
+
+allow kernel_t self:capability *;
+allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow kernel_t self:shm create_shm_perms;
+allow kernel_t self:sem create_sem_perms;
+allow kernel_t self:msg { send receive };
+allow kernel_t self:msgq create_msgq_perms;
+allow kernel_t self:unix_dgram_socket create_socket_perms;
+allow kernel_t self:unix_stream_socket create_stream_socket_perms;
+allow kernel_t self:unix_dgram_socket sendto;
+allow kernel_t self:unix_stream_socket connectto;
+allow kernel_t self:fifo_file rw_file_perms;
+allow kernel_t self:sock_file r_file_perms;
+allow kernel_t self:fd use;
+
+allow kernel_t proc_t:dir r_dir_perms;
+allow kernel_t proc_t:{ lnk_file file } r_file_perms;
+
+allow kernel_t proc_net_t:dir r_dir_perms;
+allow kernel_t proc_net_t:file r_file_perms;
+
+allow kernel_t proc_mdstat_t:file r_file_perms;
+
+allow kernel_t proc_kcore_t:file getattr;
+
+allow kernel_t proc_kmsg_t:file getattr;
+
+allow kernel_t sysctl_kernel_t:dir r_dir_perms;
+allow kernel_t sysctl_kernel_t:file r_file_perms;
+allow kernel_t sysctl_t:dir r_dir_perms;
+
+# Other possible mount points for the root fs are in files
+allow kernel_t unlabeled_t:dir mounton;
+# Kernel-generated traffic e.g., TCP resets on
+# connections with invalidated labels:
+allow kernel_t unlabeled_t:packet send;
+
+corenet_non_ipsec_sendrecv(kernel_t)
+# Kernel-generated traffic e.g., ICMP replies:
+corenet_raw_sendrecv_all_if(kernel_t)
+corenet_raw_sendrecv_all_nodes(kernel_t)
+corenet_raw_send_generic_if(kernel_t)
+# Kernel-generated traffic e.g., TCP resets:
+corenet_tcp_sendrecv_all_if(kernel_t)
+corenet_tcp_sendrecv_all_nodes(kernel_t)
+corenet_raw_send_generic_node(kernel_t)
+corenet_raw_send_multicast_node(kernel_t)
+corenet_send_all_packets(kernel_t)
+
+dev_read_sysfs(kernel_t)
+dev_search_usbfs(kernel_t)
+
+# Mount root file system.  Used when loading a policy
+# from initrd, then mounting the root filesystem
+fs_mount_all_fs(kernel_t)
+
+selinux_load_policy(kernel_t)
+
+term_use_console(kernel_t)
+
+corecmd_exec_shell(kernel_t)
+corecmd_list_sbin(kernel_t)
+# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
+corecmd_exec_bin(kernel_t)
+
+domain_signal_all_domains(kernel_t)
+domain_search_all_domains_state(kernel_t)
+
+files_list_root(kernel_t)
+files_list_etc(kernel_t)
+files_list_home(kernel_t)
+files_read_usr_files(kernel_t)
+
+mcs_process_set_categories(kernel_t)
+
+mls_process_read_up(kernel_t)
+mls_process_write_down(kernel_t)
+
+ifdef(`targeted_policy',`
+	unconfined_domain(kernel_t)
+')
+
+tunable_policy(`read_default_t',`
+	files_list_default(kernel_t)
+	files_read_default_files(kernel_t)
+	files_read_default_symlinks(kernel_t)
+	files_read_default_sockets(kernel_t)
+	files_read_default_pipes(kernel_t)
+')
+
+optional_policy(`
+	hotplug_search_config(kernel_t)
+')
+
+optional_policy(`
+	init_sigchld(kernel_t)
+')
+
+optional_policy(`
+	libs_use_ld_so(kernel_t)
+	libs_use_shared_libs(kernel_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(kernel_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(kernel_t)
+')
+
+optional_policy(`
+	portmap_udp_chat(kernel_t)
+')
+
+optional_policy(`
+	# nfs kernel server needs kernel UDP access.  It is less risky and painful
+	# to just give it everything.
+	allow kernel_t self:tcp_socket create_stream_socket_perms;
+	allow kernel_t self:udp_socket create_socket_perms;
+
+	# nfs kernel server needs kernel UDP access.  It is less risky and painful
+	# to just give it everything.
+	corenet_udp_sendrecv_all_if(kernel_t)
+	corenet_udp_sendrecv_all_nodes(kernel_t)
+	corenet_udp_sendrecv_all_ports(kernel_t)
+	corenet_udp_bind_all_nodes(kernel_t)
+	corenet_sendrecv_portmap_client_packets(kernel_t)
+	corenet_sendrecv_generic_server_packets(kernel_t)
+
+	auth_dontaudit_getattr_shadow(kernel_t)
+
+	sysnet_read_config(kernel_t)
+
+	rpc_manage_nfs_ro_content(kernel_t)
+	rpc_manage_nfs_rw_content(kernel_t)
+	rpc_udp_rw_nfs_sockets(kernel_t) 
+	rpc_udp_send_nfs(kernel_t)
+
+	tunable_policy(`nfs_export_all_ro',`
+		fs_list_noxattr_fs(kernel_t) 
+		fs_read_noxattr_fs_files(kernel_t) 
+		fs_read_noxattr_fs_symlinks(kernel_t) 
+
+		auth_read_all_dirs_except_shadow(kernel_t) 
+		auth_read_all_files_except_shadow(kernel_t) 
+		auth_read_all_symlinks_except_shadow(kernel_t) 
+	')
+
+	tunable_policy(`nfs_export_all_rw',`
+		fs_list_noxattr_fs(kernel_t) 
+		fs_read_noxattr_fs_files(kernel_t) 
+		fs_read_noxattr_fs_symlinks(kernel_t) 
+
+		auth_manage_all_files_except_shadow(kernel_t)
+	')
+')
+
+optional_policy(`
+	seutil_read_config(kernel_t)
+	seutil_read_bin_policy(kernel_t)
+')
+
+########################################
+#
+# Unlabeled process local policy
+#
+
+ifdef(`targeted_policy',`
+	allow unlabeled_t self:filesystem associate;
+')
+
+optional_policy(`
+	# If you load a new policy that removes active domains, processes can
+	# get stuck if you do not allow unlabeled processes to signal init.
+	# If you load an incompatible policy, you should probably reboot,
+	# since you may have compromised system security.
+	init_sigchld(unlabeled_t)
+')
+
+########################################
+#
+# Rules for unconfined acccess to this module
+#
+
+allow kern_unconfined proc_type:{ dir file } *;
+
+allow kern_unconfined sysctl_t:{ dir file } *;
+
+allow kern_unconfined kernel_t:system *;
+
+allow kern_unconfined unlabeled_t:dir_file_class_set *;
+allow kern_unconfined unlabeled_t:filesystem *;
+allow kern_unconfined unlabeled_t:association *;
+allow kern_unconfined unlabeled_t:packet *;
+
+kernel_rw_all_sysctls(kern_unconfined)
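Review bot: The exec rights granted to kernel_t at L43190–L43193 (`corecmd_exec_shell`, `corecmd_exec_bin`) come with no domain transition anywhere in this hunk, so a usermode helper the kernel launches through the `sysctl_modprobe_t` / `sysctl_hotplug_t` paths declared above appears to keep running as kernel_t, which holds `self:capability *` (L43131) and, under `targeted_policy`, `unconfined_domain` (L43209). If the transition out of kernel_t is meant to be supplied by the modutils or hotplug modules, a comment beside `corecmd_exec_bin(kernel_t)` should say so, e.g. `# helpers spawned via the modprobe/hotplug sysctls must transition out of kernel_t; the owning module provides the domtrans`. The NFS block repeats its justification comment verbatim (L43246–L43247 and L43251–L43252); one copy above the socket rules is enough. The `kern_unconfined` attribute is used in the assertion at L42979 before it is declared at L42982; checkpolicy's multi-pass parse presumably accepts this, but moving the declaration above the `neverallow` reads better and avoids relying on it.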
diff --git a/policy/modules/kernel/mcs.fc b/policy/modules/kernel/mcs.fc
new file mode 100644
index 0000000..fa8a4b1
--- /dev/null
+++ b/policy/modules/kernel/mcs.fc
@@ -0,0 +1 @@
+# no MCS file contexts
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
new file mode 100644
index 0000000..3caa6f7
--- /dev/null
+++ b/policy/modules/kernel/mcs.if
@@ -0,0 +1,43 @@
+## <summary>Multicategory security policy</summary>
+## <required val="true">
+##	Contains attributes used in MCS policy.
+## </required>
+
+########################################
+## <summary>
+##	This domain is allowed to sigkill and sigstop 
+##	all domains regardless of their MCS level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain target for user exemption.
+##	</summary>
+## </param>
+#
+interface(`mcs_killall',`
+	gen_require(`
+		attribute mcskillall;
+	')
+
+	typeattribute $1 mcskillall;
+')
+
+########################################
+## <summary>
+##	Make specified domain MCS trusted
+##	for setting any category set for
+##	the processes it executes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain target for user exemption.
+##	</summary>
+## </param>
+#
+interface(`mcs_process_set_categories',`
+	gen_require(`
+		attribute mcssetcats;
+	')
+
+	typeattribute $1 mcssetcats;
+')
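Review bot: The parameter summaries at L43352 and L43372 read "Domain target for user exemption." for both interfaces, which describes neither what the caller passes nor what is being waived; `Domain exempted from MCS category checks when signalling processes.` and `Domain exempted from MCS category checks when setting the categories of processes it executes.` would match the interface summaries. Both interfaces only attach an attribute, so the actual exemption is defined by MCS constraints that are not in this hunk; the `mcs_process_set_categories` description should still warn that `mcssetcats` lets the domain start children with any category set, i.e. a complete bypass of MCS separation for everything it launches, and should be granted sparingly (kernel_t takes it at L43203).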
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
new file mode 100644
index 0000000..88a6e98
--- /dev/null
+++ b/policy/modules/kernel/mcs.te
@@ -0,0 +1,50 @@
+
+policy_module(mcs,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+attribute mcskillall;
+attribute mcssetcats;
+
+########################################
+#
+# THIS IS A HACK
+#
+# Only the base module can have range_transitions, so we
+# temporarily have to break encapsulation to work around this.
+#
+
+type auditd_exec_t;
+type crond_exec_t;
+type cupsd_exec_t;
+type getty_t;
+type init_t;
+type init_exec_t;
+type initrc_t;
+type initrc_exec_t;
+type login_exec_t;
+type sshd_exec_t;
+type udev_exec_t;
+type unconfined_t;
+type xdm_exec_t;
+
+ifdef(`enable_mcs',`
+# The eventual plan is to have a range_transition to s0 for the daemon by
+# default and have the daemons which need to run with all categories be
+# exceptions.  But while range_transitions have to be in the base module
+# this is not possible.
+range_transition getty_t login_exec_t s0 - s0:c0.c255;
+range_transition init_t xdm_exec_t s0 - s0:c0.c255;
+range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
+
+# these might be targeted_policy only
+range_transition unconfined_t initrc_exec_t s0;
+')
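Review bot: Each `range_transition` at L43427–L43434 is a deliberate MCS exemption that lets the daemon see every category, yet none carries a per-line reason; a short comment per entry, e.g. `# sshd must be able to reach sessions at any category set`, would let the s0-by-default cleanup described at L43423–L43426 drop the ones that no longer need it. The `unconfined_t` rule at L43437 sits under a comment that only guesses it "might be targeted_policy only"; since `unconfined_t` and `initrc_exec_t` are declared here unconditionally (L43415, L43419) the rule builds in every configuration, so the guess should be resolved by either wrapping it in the `targeted_policy` ifdef or stating why strict builds want it too. The stand-in `type` declarations at L43408–L43420 duplicate types owned by other modules, as the HACK comment admits; naming the owning module next to each declaration would let them be removed together once range_transitions are permitted outside the base module.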
diff --git a/policy/modules/kernel/metadata.xml b/policy/modules/kernel/metadata.xml
new file mode 100644
index 0000000..d1da3a2
--- /dev/null
+++ b/policy/modules/kernel/metadata.xml
@@ -0,0 +1 @@
+<summary>Policy modules for kernel resources.</summary>
diff --git a/policy/modules/kernel/mls.fc b/policy/modules/kernel/mls.fc
new file mode 100644
index 0000000..13df19e
--- /dev/null
+++ b/policy/modules/kernel/mls.fc
@@ -0,0 +1 @@
+# No MLS file contexts.
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
new file mode 100644
index 0000000..3b38c83
--- /dev/null
+++ b/policy/modules/kernel/mls.if
@@ -0,0 +1,409 @@
+## <summary>Multilevel security policy</summary>
+## <desc>
+##	<p>
+##	This module contains interfaces for handling multilevel
+##	security.  The interfaces allow the specified subjects
+##	and objects to be allowed certain privileges in the
+##	MLS rules.
+##	</p>
+## </desc>
+## <required val="true">
+##	Contains attributes used in MLS policy.
+## </required>
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from files at higher levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_file_read_up',`
+	gen_require(`
+		attribute mlsfileread;
+	')
+
+	typeattribute $1 mlsfileread;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to files at lower levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_file_write_down',`
+	gen_require(`
+		attribute mlsfilewrite;
+	')
+
+	typeattribute $1 mlsfilewrite;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for raising the level of files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_file_upgrade',`
+	gen_require(`
+		attribute mlsfileupgrade;
+	')
+
+	typeattribute $1 mlsfileupgrade;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for lowering the level of files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_file_downgrade',`
+	gen_require(`
+		attribute mlsfiledowngrade;
+	')
+
+	typeattribute $1 mlsfiledowngrade;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from sockets at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_socket_read_all_levels',`
+	gen_require(`
+		attribute mlsnetread;
+	')
+
+	typeattribute $1 mlsnetread;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from sockets at any level
+##	that is dominated by the process clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_socket_read_to_clearance',`
+	gen_require(`
+		attribute mlsnetreadtoclr;
+	')
+
+	typeattribute $1 mlsnetreadtoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to sockets at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_socket_write_all_levels',`
+	gen_require(`
+		attribute mlsnetwrite;
+	')
+
+	typeattribute $1 mlsnetwrite;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for receiving network data from 
+##	network interfaces or hosts at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_net_receive_all_levels',`
+	gen_require(`
+		attribute mlsnetrecvall;
+	')
+
+	typeattribute $1 mlsnetrecvall;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from System V IPC objects
+##	at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_sysvipc_read_all_levels',`
+	gen_require(`
+		attribute mlsipcread;
+	')
+
+	typeattribute $1 mlsipcread;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to System V IPC objects
+##	at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_sysvipc_write_all_levels',`
+	gen_require(`
+		attribute mlsipcwrite;
+	')
+
+	typeattribute $1 mlsipcwrite;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to do a MLS
+##	range transition that changes
+##	the current level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_rangetrans_source',`
+	gen_require(`
+		attribute privrangetrans;
+	')
+
+	typeattribute $1 privrangetrans;
+')
+
+########################################
+## <summary>
+##	Make specified domain a target domain
+##	for MLS range transitions that change
+##	the current level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_rangetrans_target',`
+	gen_require(`
+		attribute mlsrangetrans;
+	')
+
+	typeattribute $1 mlsrangetrans;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from processes at higher levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_process_read_up',`
+	gen_require(`
+		attribute mlsprocread;
+	')
+
+	typeattribute $1 mlsprocread;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to processes at lower levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_process_write_down',`
+	gen_require(`
+		attribute mlsprocwrite;
+	')
+
+	typeattribute $1 mlsprocwrite;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for setting the level of processes
+##	it executes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_process_set_level',`
+	gen_require(`
+		attribute mlsprocsetsl;
+	')
+
+	typeattribute $1 mlsprocsetsl;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from X objects at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_xwin_read_all_levels',`
+	gen_require(`
+		attribute mlsxwinread;
+	')
+
+	typeattribute $1 mlsxwinread;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to X objects at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_xwin_write_all_levels',`
+	gen_require(`
+		attribute mlsxwinwrite;
+	')
+
+	typeattribute $1 mlsxwinwrite;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from X colormaps at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_colormap_read_all_levels',`
+	gen_require(`
+		attribute mlsxwinreadcolormap;
+	')
+
+	typeattribute $1 mlsxwinreadcolormap;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to X colormaps at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_colormap_write_all_levels',`
+	gen_require(`
+		attribute mlsxwinwritecolormap;
+	')
+
+	typeattribute $1 mlsxwinwritecolormap;
+')
+
+########################################
+## <summary>
+##	Make specified object MLS trusted.
+## </summary>
+## <desc>
+##	<p>
+##	Make specified object MLS trusted.  This
+##	allows all levels to read and write the
+##	object.
+##	</p>
+##	<p>
+##	This currently only applies to filesystem
+##	objects, for example, files and directories.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The type of the object.
+##	</summary>
+## </param>
+#
+interface(`mls_trusted_object',`
+	gen_require(`
+		attribute mlstrustedobject;
+	')
+
+	typeattribute $1 mlstrustedobject;
+')
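Review bot: `mls_trusted_object` at L43861 takes an object type, but its `<param>` is still named `domain` (L43855) with the summary "The type of the object."; renaming it `object_type` in the doc block would stop readers assuming a process type is expected. Every other interface here is a bare `typeattribute` that exempts the caller from an MLS constraint, and the summaries say only "MLS trusted"; a one-line `<desc>` on the read-up/write-down interfaces stating that they defeat the no-read-up or no-write-down rule for that domain, and that callers should justify the exemption at the call site, would make the privilege visible where it is granted. `mls_socket_read_to_clearance` (L43579) is the only clearance-bounded interface; the `*toclr` attributes declared in mls.te for files, IPC, processes and X have no interface in this file, so modules cannot reach them through the interface layer.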
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
new file mode 100644
index 0000000..819a2df
--- /dev/null
+++ b/policy/modules/kernel/mls.te
@@ -0,0 +1,69 @@
+
+policy_module(mls,1.3.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute mlsfileread;
+attribute mlsfilereadtoclr;
+attribute mlsfilewrite;
+attribute mlsfilewritetoclr;
+attribute mlsfileupgrade;
+attribute mlsfiledowngrade;
+
+attribute mlsnetread;
+attribute mlsnetreadtoclr;
+attribute mlsnetwrite;
+attribute mlsnetwritetoclr;
+attribute mlsnetupgrade;
+attribute mlsnetdowngrade;
+attribute mlsnetrecvall;
+
+attribute mlsipcread;
+attribute mlsipcreadtoclr;
+attribute mlsipcwrite;
+attribute mlsipcwritetoclr;
+
+attribute mlsprocread;
+attribute mlsprocreadtoclr;
+attribute mlsprocwrite;
+attribute mlsprocwritetoclr;
+attribute mlsprocsetsl;
+
+attribute mlsxwinread;
+attribute mlsxwinreadtoclr;
+attribute mlsxwinwrite;
+attribute mlsxwinwritetoclr;
+attribute mlsxwinreadproperty;
+attribute mlsxwinwriteproperty;
+attribute mlsxwinreadcolormap;
+attribute mlsxwinwritecolormap;
+attribute mlsxwinwritexinput;
+
+attribute mlstrustedobject;
+
+attribute privrangetrans;
+attribute mlsrangetrans;
+
+########################################
+#
+# THIS IS A HACK
+#
+# Only the base module can have range_transitions, so we
+# temporarily have to break encapsulation to work around this.
+# Other types are declared in the mcs module.
+#
+
+type lvm_exec_t;
+type run_init_t;
+type setrans_exec_t;
+
+ifdef(`enable_mls',`
+range_transition initrc_t auditd_exec_t s15:c0.c255;
+range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
+range_transition initrc_t setrans_exec_t s15:c0.c255;
+range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
+')
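Review bot: Fourteen of the attributes declared at L43882–L43921 have no interface in mls.if (`mlsfilereadtoclr`, `mlsfilewritetoclr`, `mlsnetwritetoclr`, `mlsnetupgrade`, `mlsnetdowngrade`, the IPC, proc and xwin `*toclr` variants, `mlsxwinreadproperty`, `mlsxwinwriteproperty`, `mlsxwinwritexinput`), so they are either reached by direct `gen_require` from other modules or are dead declarations; a comment saying which, or matching interfaces, would keep the set of MLS-trusted attributes auditable. The `range_transition` rules at L43937–L43941 raise auditd and setrans to SystemHigh and give init, lvm and initrc the full range; each is an MLS exemption and deserves a per-line reason, e.g. `# auditd runs at SystemHigh so it can record events from every level` (presumably the intent, it is not stated here). These rules also reference `initrc_t`, `auditd_exec_t`, `init_exec_t`, `initrc_exec_t` and `kernel_t`, declared in mcs.te and kernel.te rather than here, which the comment at L43929 acknowledges; keeping all stand-in declarations in one place would let them be removed together when the base-module restriction is lifted.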
diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
new file mode 100644
index 0000000..7be4ddf
--- /dev/null
+++ b/policy/modules/kernel/selinux.fc
@@ -0,0 +1 @@
+# This module currently does not have any file contexts.
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
new file mode 100644
index 0000000..08c2907
--- /dev/null
+++ b/policy/modules/kernel/selinux.if
@@ -0,0 +1,401 @@
+## <summary>
+##	Policy for kernel security interface, in particular, selinuxfs.
+## </summary>
+## <required val="true">
+##	Contains the policy for the kernel SELinux security interface.
+## </required>
+
+########################################
+## <summary>
+##	Gets the caller the mountpoint of the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type requesting the selinuxfs mountpoint.
+##	</summary>
+## </param>
+#
+interface(`selinux_get_fs_mount',`
+	# read /proc/filesystems to see if selinuxfs is supported
+	# then read /proc/self/mount to see where selinuxfs is mounted
+	kernel_read_system_state($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the selinuxfs directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`selinux_dontaudit_getattr_dir',`
+	gen_require(`
+		type security_t;
+	')
+
+	dontaudit $1 security_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search selinuxfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_search_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search selinuxfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`selinux_dontaudit_search_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	dontaudit $1 security_t:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	generic selinuxfs entries
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`selinux_dontaudit_read_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	dontaudit $1 security_t:dir search;
+	dontaudit $1 security_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allows the caller to get the mode of policy enforcement
+##	(enforcing or permissive mode).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type to allow to get the enforcing mode.
+##	</summary>
+## </param>
+#
+interface(`selinux_get_enforce_mode',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow caller to set the mode of policy enforcement
+##	(enforcing or permissive mode).
+## </summary>
+## <desc>
+##	<p>
+##	Allow caller to set the mode of policy enforcement
+##	(enforcing or permissive mode).
+##	</p>
+##	<p>
+##	Since this is a security event, this action is
+##	always audited.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The process type to allow to set the enforcement mode.
+##	</summary>
+## </param>
+#
+interface(`selinux_set_enforce_mode',`
+	gen_require(`
+		type security_t;
+		attribute can_setenforce;
+		bool secure_mode_policyload;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	typeattribute $1 can_setenforce;
+
+	if(!secure_mode_policyload) {
+		allow $1 security_t:security setenforce;
+		auditallow $1 security_t:security setenforce;
+	}
+')
+
+########################################
+## <summary>
+##	Allow caller to load the policy into the kernel.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type that will load the policy.
+##	</summary>
+## </param>
+#
+interface(`selinux_load_policy',`
+	gen_require(`
+		type security_t;
+		attribute can_load_policy;
+		bool secure_mode_policyload;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	typeattribute $1 can_load_policy;
+
+	if(!secure_mode_policyload) {
+		allow $1 security_t:security load_policy;
+		auditallow $1 security_t:security load_policy;
+	}
+')
+
+########################################
+## <summary>
+##	Allow caller to set the state of Booleans to
+##	enable or disable conditional portions of the policy.
+## </summary>
+## <desc>
+##	<p>
+##	Allow caller to set the state of Booleans to
+##	enable or disable conditional portions of the policy.
+##	</p>
+##	<p>
+##	Since this is a security event, this action is
+##	always audited.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The process type allowed to set the Boolean.
+##	</summary>
+## </param>
+#
+interface(`selinux_set_boolean',`
+	gen_require(`
+		type security_t;
+		bool secure_mode_policyload;
+	')
+
+	allow $1 security_t:dir search;
+	allow $1 security_t:dir { getattr search read };
+	allow $1 security_t:file { getattr read write };
+
+	if(!secure_mode_policyload) {
+		allow $1 security_t:security setbool;
+		auditallow $1 security_t:security setbool;
+	}
+')
+
+########################################
+## <summary>
+##	Allow caller to set SELinux access vector cache parameters.
+## </summary>
+## <desc>
+##	<p>
+##	Allow caller to set SELinux access vector cache parameters.
+##	The allows the domain to set performance related parameters
+##	of the AVC, such as cache threshold.
+##	</p>
+##	<p>
+##	Since this is a security event, this action is
+##	always audited.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The process type to allow to set security parameters.
+##	</summary>
+## </param>
+#
+interface(`selinux_set_parameters',`
+	gen_require(`
+		type security_t;
+		attribute can_setsecparam;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security setsecparam;
+	auditallow $1 security_t:security setsecparam;
+	typeattribute $1 can_setsecparam;
+')
+
+########################################
+## <summary>
+##	Allows caller to validate security contexts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type permitted to validate contexts.
+##	</summary>
+## </param>
+#
+interface(`selinux_validate_context',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security check_context;
+')
+
+########################################
+## <summary>
+##	Allows caller to compute an access vector.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type allowed to compute an access vector.
+##	</summary>
+## </param>
+#
+interface(`selinux_compute_access_vector',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security compute_av;
+')
+
+########################################
+## <summary>
+##	Calculate the default type for object creation.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_compute_create_context',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security compute_create;
+')
+
+########################################
+## <summary>
+##	Allows caller to compute polyinstatntiated
+##	directory members.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_compute_member',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security compute_member;
+')
+
+########################################
+## <summary>
+##	Calculate the context for relabeling objects.
+## </summary>
+## <desc>
+##	<p>
+##	Calculate the context for relabeling objects.
+##	This is determined by using the type_change
+##	rules in the policy, and is generally used
+##	for determining the context for relabeling
+##	a terminal when a user logs in.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_compute_relabel_context',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security compute_relabel;
+')
+
+########################################
+## <summary>
+##	Allows caller to compute possible contexts for a user.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type allowed to compute user contexts.
+##	</summary>
+## </param>
+#
+interface(`selinux_compute_user_contexts',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security compute_user;
+')
+
+########################################
+## <summary>
+##	Unconfined access to the SELinux kernel security server.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_unconfined',`
+	gen_require(`
+		attribute selinux_unconfined_type;
+	')
+
+	typeattribute $1 selinux_unconfined_type;
+')
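Review bot: `selinux_set_boolean` (L44160–L44174) grants `security_t:dir search` twice, once alone at L44166 and again inside the set at L44167; drop the first line. Unlike `selinux_set_enforce_mode` and `selinux_load_policy`, this interface attaches no `can_*` attribute for a build-time `neverallow`, so nothing in the policy fences which domains may flip booleans at all; if that is intentional the `<desc>` should say so, otherwise a `can_setbool` attribute here plus a matching assertion in selinux.te would align it with the other security-server permissions. The "always audited" claim in the `<desc>` of `selinux_set_enforce_mode` (L44084–L44087) and `selinux_set_boolean` (L44149–L44152) holds only because the `auditallow` sits in the same `if(!secure_mode_policyload)` block as the `allow`; adding `when secure_mode_policyload is on, the permission is not granted at all` would make the two-mode behaviour explicit.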
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
new file mode 100644
index 0000000..5d60938
--- /dev/null
+++ b/policy/modules/kernel/selinux.te
@@ -0,0 +1,44 @@
+
+policy_module(selinux,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute can_load_policy;
+attribute can_setenforce;
+attribute can_setsecparam;
+attribute selinux_unconfined_type;
+
+# 
+# security_t is the target type when checking
+# the permissions in the security class.  It is also
+# applied to selinuxfs inodes.
+#
+type security_t;
+fs_type(security_t)
+mls_trusted_object(security_t)
+sid security gen_context(system_u:object_r:security_t,s15:c0.c255)
+genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
+
+neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
+neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
+neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
+
+########################################
+#
+# Unconfined access to this module
+#
+
+# use SELinuxfs
+allow selinux_unconfined_type security_t:dir { getattr search read };
+allow selinux_unconfined_type security_t:file { getattr read write };
+
+# Access the security API.
+allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
+
+if(!secure_mode_policyload) {
+	allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
+	auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
+}
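Review bot: The three neverallow rules near the top of the hunk restrict load_policy, setenforce and setsecparam to holders of a dedicated attribute, but the `if(!secure_mode_policyload)` block at the bottom gates load_policy, setenforce and setbool — so setbool can be granted to any domain without tripping a neverallow, while setsecparam is handed to selinux_unconfined_type unconditionally through the `~{ load_policy setenforce setbool }` complement even when secure_mode_policyload is on. If the asymmetry is deliberate (presumably setsecparam is considered low-impact, whereas toggling a boolean can switch confinement off at runtime much like a policy load), a comment above the `if` block should say so; otherwise a `can_setbool` attribute with a matching neverallow, mirroring the three above, would close the gap. Suggested comment: `# setbool is gated with load_policy/setenforce because flipping a boolean can disable confinement at runtime; setsecparam is intentionally left outside the gate.` The secure_mode_policyload boolean is not declared in this hunk, so I assume it comes from the global boolean declarations.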
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
new file mode 100644
index 0000000..30d7868
--- /dev/null
+++ b/policy/modules/kernel/storage.fc
@@ -0,0 +1,65 @@
+
+/dev/n?(raw)?[qr]ft[0-3] -c	gen_context(system_u:object_r:tape_device_t,s0)
+/dev/n?[hs]t[0-9].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
+/dev/n?z?qft[0-3]	-c	gen_context(system_u:object_r:tape_device_t,s0)
+/dev/n?osst[0-3].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
+/dev/n?pt[0-9]+		-c	gen_context(system_u:object_r:tape_device_t,s0)
+/dev/n?tpqic[12].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
+/dev/[shmx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/cdu.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/dm-[0-9]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/fd[^/]+		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/hitcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/ht[0-1]		-b	gen_context(system_u:object_r:tape_device_t,s0)
+/dev/initrd		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/jsfd		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/jsflash		-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/lvm			-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/pcd[0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/pd[a-d][^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/pg[0-3]		-c	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/ram.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/rawctl		-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/rd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+ifdef(`distro_redhat', `
+/dev/root		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+')
+/dev/s(cd|r)[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/sbpcd.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/sg[0-9]+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
+/dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
+/dev/ub[a-z]		-b	gen_context(system_u:object_r:removable_device_t,s15:c0.c255)
+/dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/xvd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+/dev/ataraid/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+/dev/cciss/[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+/dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
+
+/dev/i2o/hd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+/dev/ida/[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+/dev/md/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s0)
+/dev/mapper/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+/dev/raw/raw[0-9]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+/dev/scramdisk/.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+/dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
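Review bot: The `/dev/md/.*` entry is labeled fixed_disk_device_t at `s0`, while every other fixed_disk_device_t entry in this file — including `/dev/mapper/.*` directly below it and the `/dev/[shmx]d[^/]*` entry that catches `/dev/md0` — carries `s15:c0.c255`. Under the usual MLS read-down rule that makes a RAID array reached through `/dev/md/` readable from a far lower level than the member disks it is assembled from, which looks like a copy-paste slip rather than a design choice; `/dev/md/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)` would make it consistent. The reverse inconsistency appears at `/dev/ub[a-z]`, the only removable_device_t entry at `s15:c0.c255` rather than `s0`. If either is intentional, a trailing comment saying why would stop the next reviewer flagging it again.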
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
new file mode 100644
index 0000000..2fac4d0
--- /dev/null
+++ b/policy/modules/kernel/storage.if
@@ -0,0 +1,671 @@
+## <summary>Policy controlling access to storage devices</summary>
+
+########################################
+## <summary>
+##	Allow the caller to get the attributes of fixed disk
+##	device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_getattr_fixed_disk_dev',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to get
+##	the attributes of fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_getattr_fixed_disk_dev',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dontaudit $1 fixed_disk_device_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Allow the caller to set the attributes of fixed disk
+##	device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_setattr_fixed_disk_dev',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to set
+##	the attributes of fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_setattr_fixed_disk_dev',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dontaudit $1 fixed_disk_device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
+##	Allow the caller to directly read from a fixed disk.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_raw_read_fixed_disk',`
+	gen_require(`
+		attribute fixed_disk_raw_read;
+		type fixed_disk_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file r_file_perms;
+	typeattribute $1 fixed_disk_raw_read;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to read
+##	fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_read_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+		
+	')
+
+	dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
+')
+
+########################################
+## <summary>
+##	Allow the caller to directly write to a fixed disk.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_raw_write_fixed_disk',`
+	gen_require(`
+		attribute fixed_disk_raw_write;
+		type fixed_disk_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl };
+	typeattribute $1 fixed_disk_raw_write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to write
+##	fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_write_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+		
+	')
+
+	dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_manage_fixed_disk',`
+	gen_require(`
+		attribute fixed_disk_raw_read, fixed_disk_raw_write;
+		type fixed_disk_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file create_file_perms;
+	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
+')
+
+########################################
+## <summary>
+##	Create block devices in /dev with the fixed disk type
+##	via an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_dev_filetrans_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dev_filetrans($1,fixed_disk_device_t,blk_file)
+')
+
+########################################
+## <summary>
+##	Create block devices in on a tmpfs filesystem with the
+##	fixed disk type via an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_tmpfs_filetrans_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file)
+')
+
+########################################
+## <summary>
+##	Relabel fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_relabel_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Enable a fixed disk device as swap space
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_swapon_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file { getattr swapon };
+')
+
+########################################
+## <summary>
+##	Allow the caller to get the attributes of
+##	the generic SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_getattr_scsi_generic_dev',`
+	gen_require(`
+		type scsi_generic_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Allow the caller to set the attributes of
+##	the generic SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_setattr_scsi_generic_dev',`
+	gen_require(`
+		type scsi_generic_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Allow the caller to directly read, in a
+##	generic fashion, from any SCSI device.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_read_scsi_generic',`
+	gen_require(`
+		attribute scsi_generic_read;
+		type scsi_generic_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device_t:chr_file r_file_perms;
+	typeattribute $1 scsi_generic_read;
+')
+
+########################################
+## <summary>
+##	Allow the caller to directly write, in a
+##	generic fashion, from any SCSI device.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_write_scsi_generic',`
+	gen_require(`
+		attribute scsi_generic_write;
+		type scsi_generic_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device_t:chr_file { getattr write ioctl };
+	typeattribute $1 scsi_generic_write;
+')
+
+########################################
+## <summary>
+##	Set attributes of the device nodes
+##	for the SCSI generic inerface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_setattr_scsi_generic_dev_dev',`
+	gen_require(`
+		type scsi_generic_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	SCSI generic device interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_rw_scsi_generic',`
+	gen_require(`
+		type scsi_generic_device_t;
+	')
+
+	dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the caller to get the attributes of removable
+##	devices device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_getattr_removable_dev',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 removable_device_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to get
+##	the attributes of removable devices device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_getattr_removable_dev',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	dontaudit $1 removable_device_t:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to read
+##	removable devices device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_read_removable_device',`
+	gen_require(`
+		type removable_device_t;
+		
+	')
+
+	dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
+')
+
+########################################
+## <summary>
+##	Allow the caller to set the attributes of removable
+##	devices device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_setattr_removable_dev',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 removable_device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to set
+##	the attributes of removable devices device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_setattr_removable_dev',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	dontaudit $1 removable_device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
+##	Allow the caller to directly read from
+##	a removable device.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_raw_read_removable_device',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 removable_device_t:blk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to directly read removable devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_raw_read_removable_device',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	dontaudit $1 removable_device_t:blk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the caller to directly write to
+##	a removable device.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_raw_write_removable_device',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 removable_device_t:blk_file { getattr write ioctl };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to directly write removable devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_raw_write_removable_device',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	dontaudit $1 removable_device_t:blk_file { write append ioctl };
+')
+
+########################################
+## <summary>
+##	Allow the caller to directly read
+##	a tape device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_read_tape',`
+	gen_require(`
+		type tape_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tape_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the caller to directly read
+##	a tape device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_write_tape',`
+	gen_require(`
+		type tape_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tape_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+## <summary>
+##	Allow the caller to get the attributes
+##	of device nodes of tape devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_getattr_tape_dev',`
+	gen_require(`
+		type tape_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tape_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Allow the caller to set the attributes
+##	of device nodes of tape devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_setattr_tape_dev',`
+	gen_require(`
+		type tape_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tape_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Unconfined access to storage devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_unconfined',`
+	gen_require(`
+		attribute storage_unconfined_type;
+	')
+
+	typeattribute $1 storage_unconfined_type;
+')
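Review bot: The summary for `storage_write_tape` (the block just before `storage_getattr_tape_dev`) says "Allow the caller to directly read a tape device", copied from `storage_read_tape` above it, while the rule it contains grants `{ getattr write ioctl }`; it should read `##	Allow the caller to directly write to a tape device.` so that anyone auditing which domains can write tapes is not misled by the interface documentation. The same hunk also defines `storage_setattr_scsi_generic_dev_dev`, whose body is identical to `storage_setattr_scsi_generic_dev` earlier in the hunk; the doubled `_dev` looks accidental and, if nothing outside this patch calls it, the duplicate should be dropped so there is a single interface to audit. Lastly, `storage_raw_read_removable_device` and `storage_raw_write_removable_device` carry the same "extremely dangerous" warning as the fixed-disk variants but, unlike them, do not tag the caller with an attribute, so no neverallow can back the warning; either note that in their summaries or add the attribute/neverallow pair in storage.te.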
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
new file mode 100644
index 0000000..e78c43c
--- /dev/null
+++ b/policy/modules/kernel/storage.te
@@ -0,0 +1,54 @@
+
+policy_module(storage,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute fixed_disk_raw_read;
+attribute fixed_disk_raw_write;
+attribute scsi_generic_read;
+attribute scsi_generic_write;
+attribute storage_unconfined_type;
+
+#
+# fixed_disk_device_t is the type of 
+# /dev/hd* and /dev/sd*.
+#
+type fixed_disk_device_t;
+dev_node(fixed_disk_device_t)
+
+neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
+neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
+
+#
+# scsi_generic_device_t is the type of /dev/sg*
+# it gives access to ALL SCSI devices (both fixed and removable)
+#
+type scsi_generic_device_t;
+dev_node(scsi_generic_device_t)
+
+neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
+neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
+
+#
+# removable_device_t is the type of
+# /dev/scd* and /dev/fd*.
+#
+type removable_device_t;
+dev_node(removable_device_t)
+
+#
+# tape_device_t is the type of
+#
+type tape_device_t;
+dev_node(tape_device_t)
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
+allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
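Review bot: The header comment for tape_device_t stops mid-sentence (`# tape_device_t is the type of` followed by nothing), leaving the one type in this file with no documented device pattern; taking the patterns from storage.fc in the same patch it would be `# tape_device_t is the type of tape devices, e.g. /dev/st*, /dev/nst* and /dev/tape*.` Separately, fixed_disk_device_t and scsi_generic_device_t are protected by neverallow rules tying raw read and write to the *_raw_read/*_raw_write attributes, but removable_device_t and tape_device_t have no such guard even though storage.if describes raw removable access as "extremely dangerous". If that is deliberate (removable media treated as lower sensitivity), a comment next to the removable_device_t declaration saying so would make the gap read as intentional rather than as an oversight; otherwise mirroring the fixed-disk attribute/neverallow pair for removable_device_t is a three-line change in this file plus the typeattribute lines in storage.if.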
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
new file mode 100644
index 0000000..df0d76c
--- /dev/null
+++ b/policy/modules/kernel/terminal.fc
@@ -0,0 +1,32 @@
+
+/dev/.*tty[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c gen_context(system_u:object_r:bsdpty_device_t,s0)
+/dev/adb.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/capi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/cu.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/dcbri[0-9]+		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/hvc.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/hvsi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/ircomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
+/dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/tty			-c	gen_context(system_u:object_r:devtty_t,s0)
+/dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+
+/dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
+
+/dev/pts			-d	gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255)
+
+/dev/tts/[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+
+/dev/vcc?/.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+
+/dev/vcs[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+
+/dev/usb/tty.*		-c	gen_context(system_u:object_r:usbtty_device_t,s0)
+
+ifdef(`distro_gentoo',`
+/dev/tts/[0-9]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+')
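Review bot: The distro_gentoo block at the end adds `/dev/tts/[0-9]*` with exactly the context that the unconditional `/dev/tts/[^/]*` entry earlier in the hunk already assigns, so the conditional entry can never change a label and should be removed, or a comment should say what it is meant to catch that the general entry misses. More importantly, the first entry `/dev/.*tty[^/]*` has an unanchored `.*` that also matches `/dev/tty`, the BSD pty names and `/dev/usb/tty*`, so correct labeling of devtty_t, bsdpty_device_t and usbtty_device_t depends on those more specific entries winning the match; a comment such as `# generic catch-all for tty nodes; the more specific entries below must take precedence` above it would record that dependency for anyone reordering or pruning the file.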
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
new file mode 100644
index 0000000..04b2dc2
--- /dev/null
+++ b/policy/modules/kernel/terminal.if
@@ -0,0 +1,951 @@
+## <summary>Policy for terminals.</summary>
+## <required val="true">
+##	Depended on by other required modules.
+## </required>
+
+########################################
+## <summary>
+##	Transform specified type into a pty type.
+## </summary>
+## <param name="pty_type">
+##	<summary>
+##	An object type that will applied to a pty.
+##	</summary>
+## </param>
+#
+interface(`term_pty',`
+	gen_require(`
+		attribute ptynode;
+		type devpts_t;
+	')
+
+	files_type($1)
+	allow $1 devpts_t:filesystem associate;
+	typeattribute $1 ptynode;
+')
+
+########################################
+## <summary>
+##	Transform specified type into an user
+##	pty type. This allows it to be relabeled via
+##	type change by login programs such as ssh.
+## </summary>
+## <param name="userdomain">
+##	<summary>
+##	The type of the user domain associated with
+##	this pty.
+##	</summary>
+## </param>
+## <param name="object_type">
+##	<summary>
+##	An object type that will applied to a pty.
+##	</summary>
+## </param>
+#
+interface(`term_user_pty',`
+	gen_require(`
+		attribute server_ptynode;
+	')
+
+	term_pty($2)
+	type_change $1 server_ptynode:chr_file $2;
+')
+
+########################################
+## <summary>
+##	Transform specified type into a pty type
+##	used by login programs, such as sshd.
+## </summary>
+## <param name="pty_type">
+##	<summary>
+##	An object type that will applied to a pty.
+##	</summary>
+## </param>
+#
+interface(`term_login_pty',`
+	gen_require(`
+		attribute server_ptynode;
+	')
+
+	term_pty($1)
+	typeattribute $1 server_ptynode;
+')
+
+########################################
+## <summary>
+##	Transform specified type into a tty type.
+## </summary>
+## <param name="tty_type">
+##	<summary>
+##	An object type that will applied to a tty.
+##	</summary>
+## </param>
+#
+interface(`term_tty',`
+	gen_require(`
+		attribute ttynode, serial_device;
+		type tty_device_t;
+	')
+
+	typeattribute $2 ttynode, serial_device;
+	type_change $1 tty_device_t:chr_file $2;
+
+	files_associate_tmp($1)
+
+	# Debian login is from shadow utils and does not allow resetting the perms.
+	# have to fix this!
+	ifdef(`distro_debian',`
+		type_change $1 ttynode:chr_file $2;
+	')
+
+	ifdef(`distro_gentoo',`
+		fs_associate_tmpfs($2)
+	')
+
+	ifdef(`distro_redhat',`
+		fs_associate_tmpfs($2)
+	')
+')
+
+########################################
+## <summary>
+##	Create a pty in the /dev/pts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process creating the pty.
+##	</summary>
+## </param>
+## <param name="pty_type">
+##	<summary>
+##	The type of the pty.
+##	</summary>
+## </param>
+#
+interface(`term_create_pty',`
+	gen_require(`
+		type bsdpty_device_t, devpts_t, ptmx_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 ptmx_t:chr_file rw_file_perms;
+
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 devpts_t:filesystem getattr;
+	dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
+	type_transition $1 devpts_t:chr_file $2;
+')
+
+########################################
+## <summary>
+##	Read and write the console, all
+##	ttys and all ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_use_all_terms',`
+	gen_require(`
+		attribute ttynode, ptynode;
+		type console_device_t, devpts_t, tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Write to the console.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_write_console',`
+	gen_require(`
+		type console_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 console_device_t:chr_file { getattr write append };
+')
+
+########################################
+## <summary>
+##	Read from the console.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_read_console',`
+	gen_require(`
+		type console_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 console_device_t:chr_file read;
+')
+
+########################################
+## <summary>
+##	Read from and write to the console.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_use_console',`
+	gen_require(`
+		type console_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 console_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attemtps to read from
+##	or write to the console.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_use_console',`
+	gen_require(`
+		type console_device_t;
+	')
+
+	dontaudit $1 console_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the console
+##	device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_setattr_console',`
+	gen_require(`
+		type console_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 console_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the /dev/pts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_pty_dirs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dontaudit $1 devpts_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the contents of the /dev/pts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_search_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the
+##	contents of the /dev/pts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_search_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dev_dontaudit_list_all_dev_nodes($1)
+	dontaudit $1 devpts_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read the /dev/pts directory to
+##	list all ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_list_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read the
+##	/dev/pts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_list_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dontaudit $1 devpts_t:dir { getattr search read };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, or delete the /dev/pts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_manage_pty_dirs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dontaudit $1 devpts_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	ioctl of generic pty types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for ppp
+interface(`term_ioctl_generic_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir search;
+	allow $1 devpts_t:chr_file ioctl;
+')
+
+########################################
+## <summary>
+##	Read and write the generic pty
+##	type.  This is generally only used in
+##	the targeted policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_use_generic_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir list_dir_perms;
+	allow $1 devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+##	Dot not audit attempts to read and
+##	write the generic pty type.  This is
+##	generally only used in the targeted policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_use_generic_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+##	Read and write the controlling
+##	terminal (/dev/tty).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_use_controlling_term',`
+	gen_require(`
+		type devtty_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devtty_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+##	Read and write the pty multiplexor (/dev/ptmx).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to allow access.
+##	</summary>
+## </param>
+#
+interface(`term_use_ptmx',`
+	gen_require(`
+		type ptmx_t;
+	')
+
+	allow $1 ptmx_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write the pty multiplexor (/dev/ptmx).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_use_ptmx',`
+	gen_require(`
+		type ptmx_t;
+	')
+
+	dontaudit $1 ptmx_t:chr_file { getattr read write };
+')
+
+########################################
+## <summary>
+##	Get the attributes of all user
+##	pty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_getattr_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 ptynode:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of any user pty
+##	device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	dontaudit $1 ptynode:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of all user
+##	pty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_setattr_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 ptynode:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Relabel to all user ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_relabelto_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+	')
+
+	allow $1 ptynode:chr_file relabelto;
+')
+
+########################################
+## <summary>
+##	Read and write all user ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_use_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+		type devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 ptynode:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read any
+##	user ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_use_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+	')
+
+	dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+##	Relabel from and to all user
+##	user pty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_relabel_all_user_ptys',`
+	gen_require(`
+		attribute ptynode;
+		type devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir search;
+	allow $1 ptynode:chr_file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Get the attributes of all unallocated
+##	tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_getattr_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tty_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dontaudit $1 tty_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of all unallocated
+##	tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_setattr_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tty_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to ioctl
+##	unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_ioctl_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dontaudit $1 tty_device_t:chr_file ioctl;
+')
+
+########################################
+## <summary>
+##	Relabel from and to the unallocated
+##	tty type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_relabel_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tty_device_t:chr_file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Relabel from all user tty types to
+##	the unallocated tty type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_reset_tty_labels',`
+	gen_require(`
+		attribute ttynode;
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 ttynode:chr_file relabelfrom;
+	allow $1 tty_device_t:chr_file relabelto;
+')
+
+########################################
+## <summary>
+##	Write to unallocated ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_write_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tty_device_t:chr_file { getattr write };
+')
+
+########################################
+## <summary>
+##	Read and write unallocated ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_use_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tty_device_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or
+##	write unallocated ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_use_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dontaudit $1 tty_device_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+##	Get the attributes of all user tty
+##	device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_getattr_all_user_ttys',`
+	gen_require(`
+		attribute ttynode;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 ttynode:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of any user tty
+##	device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_all_user_ttys',`
+	gen_require(`
+		attribute ttynode;
+	')
+
+	dev_list_all_dev_nodes($1)
+	dontaudit $1 ttynode:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of all user tty
+##	device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_setattr_all_user_ttys',`
+	gen_require(`
+		attribute ttynode;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 ttynode:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Relabel from and to all user
+##	user tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_relabel_all_user_ttys',`
+	gen_require(`
+		attribute ttynode;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 ttynode:chr_file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Write to all user ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_write_all_user_ttys',`
+	gen_require(`
+		attribute ttynode;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 ttynode:chr_file { getattr write };
+')
+
+########################################
+## <summary>
+##	Read and write all user to all user ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_use_all_user_ttys',`
+	gen_require(`
+		attribute ttynode;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 ttynode:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	any user ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_use_all_user_ttys',`
+	gen_require(`
+		attribute ttynode;
+	')
+
+	dontaudit $1 ttynode:chr_file { read write };
+')
+
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
new file mode 100644
index 0000000..9fa8156
--- /dev/null
+++ b/policy/modules/kernel/terminal.te
@@ -0,0 +1,68 @@
+
+policy_module(terminal,1.1.2)
+
+########################################
+#
+# Declarations
+#
+attribute ttynode;
+attribute ptynode;
+attribute server_ptynode;
+attribute serial_device;
+
+#
+# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
+type bsdpty_device_t;
+dev_node(bsdpty_device_t)
+
+#
+# console_device_t is the type of /dev/console.
+#
+type console_device_t;
+dev_node(console_device_t)
+
+#
+# devpts_t is the type of the devpts file system and 
+# the type of the root directory of the file system.
+#
+type devpts_t;
+files_mountpoint(devpts_t)
+fs_associate_tmpfs(devpts_t)
+files_associate_tmp(devpts_t)
+fs_type(devpts_t)
+fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+
+ifdef(`targeted_policy',`
+	# cjp: the ttynode should probably be removed.
+	typeattribute devpts_t ttynode, ptynode;
+')
+
+#
+# devtty_t is the type of /dev/tty.
+#
+type devtty_t;
+dev_node(devtty_t)
+mls_trusted_object(devtty_t)
+
+#
+# ptmx_t is the type for /dev/ptmx.
+#
+type ptmx_t;
+dev_node(ptmx_t)
+mls_trusted_object(ptmx_t)
+
+#
+# tty_device_t is the type of /dev/*tty*
+#
+type tty_device_t, serial_device;
+dev_node(tty_device_t)
+
+ifdef(`targeted_policy',`
+	typeattribute tty_device_t ttynode;
+')
+
+#
+# usbtty_device_t is the type of /dev/usr/tty*
+#
+type usbtty_device_t, serial_device;
+dev_node(usbtty_device_t)
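Review bot: The comment above the last declaration says usbtty_device_t labels `/dev/usr/tty*`, which is presumably a typo for `/dev/usb/tty*`; since the type name and the serial_device attribute both point at USB serial consoles, the path in the comment should be corrected so the file_contexts entry is checked against the right tree. Both `mls_trusted_object(devtty_t)` and `mls_trusted_object(ptmx_t)` carry an MLS exemption with no justification; a one-line comment such as `# opened by processes at every level, so exempt from MLS read/write constraints` (hedged: confirm that is the reason) would save the next reviewer from re-deriving it. The `cjp:` note in the targeted_policy block says ttynode should probably be removed from devpts_t but not why it is there; as written, every `term_*_all_user_ttys` interface in the preceding .if hunk also reaches the generic pty type in targeted policy, which is worth stating explicitly next to the typeattribute.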
diff --git a/policy/modules/services/afs.fc b/policy/modules/services/afs.fc
new file mode 100644
index 0000000..1689223
--- /dev/null
+++ b/policy/modules/services/afs.fc
@@ -0,0 +1,22 @@
+/usr/afs/bin/bosserver	--	gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+/usr/afs/bin/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
+/usr/afs/bin/ptserver	--	gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
+/usr/afs/bin/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+
+/usr/afs/db		-d	gen_context(system_u:object_r:afs_dbdir_t,s0)
+/usr/afs/db/pr.*	--	gen_context(system_u:object_r:afs_pt_db_t,s0)
+/usr/afs/db/ka.*	--	gen_context(system_u:object_r:afs_ka_db_t,s0)
+/usr/afs/db/vl.*	--	gen_context(system_u:object_r:afs_vl_db_t,s0)
+
+/usr/afs/etc(/.*)?		gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/local(/.*)?		gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/logs(/.*)?		gen_context(system_u:object_r:afs_logfile_t,s0)
+
+/vicepa				gen_context(system_u:object_r:afs_files_t,s0)
+/vicepb				gen_context(system_u:object_r:afs_files_t,s0)
+/vicepc				gen_context(system_u:object_r:afs_files_t,s0)
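Review bot: Only the three mountpoints `/vicepa`, `/vicepb` and `/vicepc` are labeled, and none of them carries a `(/.*)?` suffix, so a relabel with setfiles/restorecon labels the partition directories themselves but nothing beneath them, and any further partition (AFS allows more than three, named /vicepX or /vicepXX) gets whatever the default root labeling gives. A single pattern covers the whole family and its contents: `/vicep[a-z][a-z]?(/.*)?	gen_context(system_u:object_r:afs_files_t,s0)`. If the intent really is that only these three exist on this system, a comment saying so would stop the next reader from "fixing" it.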
diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
new file mode 100644
index 0000000..e84153f
--- /dev/null
+++ b/policy/modules/services/afs.if
@@ -0,0 +1 @@
+## <summary>Andrew Filesystem server</summary>
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
new file mode 100644
index 0000000..1e748b0
--- /dev/null
+++ b/policy/modules/services/afs.te
@@ -0,0 +1,343 @@
+
+policy_module(afs,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type afs_bosserver_t;
+type afs_bosserver_exec_t;
+init_daemon_domain(afs_bosserver_t,afs_bosserver_exec_t)
+
+type afs_config_t;
+files_type(afs_config_t)
+
+type afs_dbdir_t;
+files_type(afs_dbdir_t)
+
+# exported files
+type afs_files_t;
+files_type(afs_files_t)
+
+type afs_fsserver_t;
+type afs_fsserver_exec_t;
+domain_type(afs_fsserver_t)
+domain_entry_file(afs_fsserver_t,afs_fsserver_exec_t)
+role system_r types afs_fsserver_t;
+
+type afs_ka_db_t;
+files_type(afs_ka_db_t)
+
+type afs_kaserver_t;
+type afs_kaserver_exec_t;
+domain_type(afs_kaserver_t)
+domain_entry_file(afs_kaserver_t,afs_kaserver_exec_t)
+role system_r types afs_kaserver_t;
+
+type afs_logfile_t;
+logging_log_file(afs_logfile_t)
+
+type afs_pt_db_t;
+files_type(afs_pt_db_t)
+
+type afs_ptserver_t;
+type afs_ptserver_exec_t;
+domain_type(afs_ptserver_t)
+domain_entry_file(afs_ptserver_t,afs_ptserver_exec_t)
+role system_r types afs_ptserver_t;
+
+type afs_vl_db_t;
+files_type(afs_vl_db_t)
+
+type afs_vlserver_t;
+type afs_vlserver_exec_t;
+domain_type(afs_vlserver_t)
+domain_entry_file(afs_vlserver_t,afs_vlserver_exec_t)
+role system_r types afs_vlserver_t;
+
+########################################
+#
+# AFS bossserver local policy
+#
+
+allow afs_bosserver_t self:process { setsched signal_perms };
+allow afs_bosserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_bosserver_t self:udp_socket create_socket_perms;
+
+can_exec(afs_bosserver_t,afs_bosserver_exec_t)
+
+allow afs_bosserver_t afs_config_t:file manage_file_perms;
+allow afs_bosserver_t afs_config_t:dir manage_dir_perms;
+
+allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
+
+allow afs_bosserver_t afs_fsserver_t:process signal_perms;
+domain_auto_trans(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
+allow afs_fsserver_t afs_bosserver_t:fd use;
+allow afs_fsserver_t afs_bosserver_t:fifo_file rw_file_perms;
+allow afs_fsserver_t afs_bosserver_t:process sigchld;
+
+allow afs_bosserver_t afs_kaserver_t:process signal_perms;
+domain_auto_trans(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)
+allow afs_kaserver_t afs_bosserver_t:fd use;
+allow afs_kaserver_t afs_bosserver_t:fifo_file rw_file_perms;
+allow afs_kaserver_t afs_bosserver_t:process sigchld;
+
+allow afs_bosserver_t afs_logfile_t:file create_file_perms;
+allow afs_bosserver_t afs_logfile_t:dir create_dir_perms;
+
+allow afs_bosserver_t afs_ptserver_t:process signal_perms;
+domain_auto_trans(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)
+allow afs_ptserver_t afs_bosserver_t:fd use;
+allow afs_ptserver_t afs_bosserver_t:fifo_file rw_file_perms;
+allow afs_ptserver_t afs_bosserver_t:process sigchld;
+
+allow afs_bosserver_t afs_vlserver_t:process signal_perms;
+domain_auto_trans(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
+allow afs_vlserver_t afs_bosserver_t:fd use;
+allow afs_vlserver_t afs_bosserver_t:fifo_file rw_file_perms;
+allow afs_vlserver_t afs_bosserver_t:process sigchld;
+
+kernel_read_kernel_sysctls(afs_bosserver_t)
+
+corenet_non_ipsec_sendrecv(afs_bosserver_t)
+corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
+corenet_udp_sendrecv_generic_if(afs_bosserver_t)
+corenet_tcp_sendrecv_all_nodes(afs_bosserver_t)
+corenet_udp_sendrecv_all_nodes(afs_bosserver_t)
+corenet_tcp_sendrecv_all_ports(afs_bosserver_t)
+corenet_udp_sendrecv_all_ports(afs_bosserver_t)
+corenet_udp_bind_all_nodes(afs_bosserver_t)
+corenet_udp_bind_afs_bos_port(afs_bosserver_t)
+corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
+
+files_read_etc_files(afs_bosserver_t)
+files_list_home(afs_bosserver_t)
+files_read_usr_files(afs_bosserver_t)
+
+libs_use_ld_so(afs_bosserver_t)
+libs_use_shared_libs(afs_bosserver_t)
+
+miscfiles_read_localization(afs_bosserver_t)
+
+seutil_read_config(afs_bosserver_t)
+
+sysnet_read_config(afs_bosserver_t)
+
+########################################
+#
+# fileserver local policy
+#
+
+allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+dontaudit afs_fsserver_t self:capability fsetid;
+allow afs_fsserver_t self:process { setsched signal_perms };
+allow afs_fsserver_t self:fifo_file rw_file_perms;
+allow afs_fsserver_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
+allow afs_fsserver_t self:udp_socket { create_socket_perms sendto recvfrom };
+
+allow afs_fsserver_t afs_config_t:file r_file_perms;
+allow afs_fsserver_t afs_config_t:dir r_dir_perms;
+
+allow afs_fsserver_t afs_config_t:file manage_file_perms;
+allow afs_fsserver_t afs_config_t:dir manage_dir_perms;
+
+allow afs_fsserver_t afs_files_t:filesystem getattr;
+allow afs_fsserver_t afs_files_t:dir manage_dir_perms;
+allow afs_fsserver_t afs_files_t:file manage_file_perms;
+allow afs_fsserver_t afs_files_t:lnk_file create_lnk_perms;
+allow afs_fsserver_t afs_files_t:sock_file manage_file_perms;
+allow afs_fsserver_t afs_files_t:fifo_file manage_file_perms;
+type_transition afs_fsserver_t afs_config_t:{ file lnk_file sock_file fifo_file } afs_files_t;
+allow afs_fsserver_t afs_config_t:dir rw_dir_perms;
+
+can_exec(afs_fsserver_t, afs_fsserver_exec_t)
+
+allow afs_fsserver_t afs_logfile_t:file create_file_perms;
+allow afs_fsserver_t afs_logfile_t:dir create_dir_perms;
+
+allow afs_fsserver_t afs_ptserver_t:udp_socket recvfrom;
+
+allow afs_fsserver_t afs_vlserver_t:udp_socket recvfrom;
+
+kernel_read_system_state(afs_fsserver_t)
+kernel_read_kernel_sysctls(afs_fsserver_t)
+
+corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
+corenet_udp_sendrecv_generic_if(afs_fsserver_t)
+corenet_tcp_sendrecv_all_nodes(afs_fsserver_t)
+corenet_udp_sendrecv_all_nodes(afs_fsserver_t)
+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
+corenet_non_ipsec_sendrecv(afs_fsserver_t)
+corenet_tcp_bind_all_nodes(afs_fsserver_t)
+corenet_udp_bind_all_nodes(afs_fsserver_t)
+corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
+corenet_udp_bind_afs_fs_port(afs_fsserver_t)
+corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
+
+files_read_etc_files(afs_fsserver_t)
+files_read_etc_runtime_files(afs_fsserver_t)
+files_list_home(afs_fsserver_t)
+files_read_usr_files(afs_fsserver_t)
+files_list_pids(afs_fsserver_t)
+files_dontaudit_search_mnt(afs_fsserver_t)
+
+fs_getattr_xattr_fs(afs_fsserver_t)
+
+term_dontaudit_use_console(afs_fsserver_t)
+
+init_dontaudit_use_script_fds(afs_fsserver_t)
+
+libs_use_ld_so(afs_fsserver_t)
+libs_use_shared_libs(afs_fsserver_t)
+
+logging_send_syslog_msg(afs_fsserver_t)
+
+miscfiles_read_localization(afs_fsserver_t)
+
+seutil_read_config(afs_fsserver_t)
+
+sysnet_read_config(afs_fsserver_t)
+
+userdom_dontaudit_use_sysadm_ttys(afs_fsserver_t)
+userdom_dontaudit_use_sysadm_ptys(afs_fsserver_t)
+
+########################################
+#
+# kaserver local policy
+#
+
+allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_kaserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_kaserver_t self:udp_socket create_socket_perms;
+
+allow afs_kaserver_t afs_config_t:file manage_file_perms;
+allow afs_kaserver_t afs_config_t:dir rw_dir_perms;
+
+allow afs_kaserver_t afs_ka_db_t:file manage_file_perms;
+allow afs_kaserver_t afs_dbdir_t:dir rw_dir_perms;
+type_transition afs_kaserver_t afs_dbdir_t:file afs_ka_db_t;
+
+allow afs_kaserver_t afs_logfile_t:file manage_file_perms;
+allow afs_kaserver_t afs_logfile_t:dir manage_dir_perms;
+
+kernel_read_kernel_sysctls(afs_kaserver_t)
+
+corenet_non_ipsec_sendrecv(afs_kaserver_t)
+corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
+corenet_udp_sendrecv_generic_if(afs_kaserver_t)
+corenet_tcp_sendrecv_all_nodes(afs_kaserver_t)
+corenet_udp_sendrecv_all_nodes(afs_kaserver_t)
+corenet_tcp_sendrecv_all_ports(afs_kaserver_t)
+corenet_udp_sendrecv_all_ports(afs_kaserver_t)
+corenet_udp_bind_all_nodes(afs_kaserver_t)
+corenet_udp_bind_afs_ka_port(afs_kaserver_t)
+corenet_udp_bind_kerberos_port(afs_kaserver_t)
+corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
+corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)
+
+files_read_etc_files(afs_kaserver_t)
+files_list_home(afs_kaserver_t)
+files_read_usr_files(afs_kaserver_t)
+
+libs_use_ld_so(afs_kaserver_t)
+libs_use_shared_libs(afs_kaserver_t)
+
+miscfiles_read_localization(afs_kaserver_t)
+
+seutil_read_config(afs_kaserver_t)
+
+sysnet_read_config(afs_kaserver_t)
+
+userdom_dontaudit_use_sysadm_ttys(afs_kaserver_t)
+userdom_dontaudit_use_sysadm_ptys(afs_kaserver_t)
+
+########################################
+#
+# ptserver local policy
+#
+
+allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_ptserver_t self:udp_socket create_socket_perms;
+
+allow afs_ptserver_t afs_config_t:file r_file_perms;
+allow afs_ptserver_t afs_config_t:dir r_dir_perms;
+
+allow afs_ptserver_t afs_logfile_t:file create_file_perms;
+allow afs_ptserver_t afs_logfile_t:dir create_dir_perms;
+
+allow afs_ptserver_t afs_fsserver_t:udp_socket recvfrom;
+
+allow afs_ptserver_t afs_pt_db_t:file manage_file_perms;
+allow afs_ptserver_t afs_dbdir_t:dir rw_dir_perms;
+type_transition afs_ptserver_t afs_dbdir_t:file afs_pt_db_t;
+
+corenet_non_ipsec_sendrecv(afs_ptserver_t)
+corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
+corenet_udp_sendrecv_generic_if(afs_ptserver_t)
+corenet_tcp_sendrecv_all_nodes(afs_ptserver_t)
+corenet_udp_sendrecv_all_nodes(afs_ptserver_t)
+corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
+corenet_udp_sendrecv_all_ports(afs_ptserver_t)
+corenet_udp_bind_all_nodes(afs_ptserver_t)
+corenet_udp_bind_afs_pt_port(afs_ptserver_t)
+corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
+
+files_read_etc_files(afs_ptserver_t)
+
+libs_use_ld_so(afs_ptserver_t)
+libs_use_shared_libs(afs_ptserver_t)
+
+miscfiles_read_localization(afs_ptserver_t)
+
+sysnet_read_config(afs_ptserver_t)
+
+userdom_dontaudit_use_sysadm_ttys(afs_ptserver_t)
+userdom_dontaudit_use_sysadm_ptys(afs_ptserver_t)
+
+########################################
+#
+# vlserver local policy
+#
+
+allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_vlserver_t self:udp_socket create_socket_perms;
+
+allow afs_vlserver_t afs_config_t:file r_file_perms;
+allow afs_vlserver_t afs_config_t:dir r_dir_perms;
+
+allow afs_vlserver_t afs_fsserver_t:udp_socket recvfrom;
+
+allow afs_vlserver_t afs_logfile_t:file create_file_perms;
+allow afs_vlserver_t afs_logfile_t:dir create_dir_perms;
+
+allow afs_vlserver_t afs_vl_db_t:file manage_file_perms;
+allow afs_vlserver_t afs_dbdir_t:dir rw_dir_perms;
+type_transition afs_vlserver_t afs_dbdir_t:file afs_vl_db_t;
+
+corenet_non_ipsec_sendrecv(afs_vlserver_t)
+corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
+corenet_udp_sendrecv_generic_if(afs_vlserver_t)
+corenet_tcp_sendrecv_all_nodes(afs_vlserver_t)
+corenet_udp_sendrecv_all_nodes(afs_vlserver_t)
+corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
+corenet_udp_sendrecv_all_ports(afs_vlserver_t)
+corenet_udp_bind_all_nodes(afs_vlserver_t)
+corenet_udp_bind_afs_vl_port(afs_vlserver_t)
+corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
+
+files_read_etc_files(afs_vlserver_t)
+
+libs_use_ld_so(afs_vlserver_t)
+libs_use_shared_libs(afs_vlserver_t)
+
+miscfiles_read_localization(afs_vlserver_t)
+
+sysnet_read_config(afs_vlserver_t)
+
+userdom_dontaudit_use_sysadm_ttys(afs_vlserver_t)
+userdom_dontaudit_use_sysadm_ptys(afs_vlserver_t)
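Review bot: In the fileserver section, afs_fsserver_t is granted `r_file_perms`/`r_dir_perms` on afs_config_t and, two lines later, `manage_file_perms`/`manage_dir_perms` on the same type, so the read-only pair is dead and the network-facing fileserver ends up with full write access to the configuration tree. The matching afs.fc hunk labels both /usr/afs/etc (where the cell KeyFile lives in a standard OpenAFS layout) and /usr/afs/local as afs_config_t, so this also lets the fileserver rewrite the cell key; only bosserver (and possibly kaserver, which is given the same manage access) should need that. I would drop `allow afs_fsserver_t afs_config_t:file manage_file_perms;` and `allow afs_fsserver_t afs_config_t:dir manage_dir_perms;`, keep the read rules, and if the fileserver must write under /usr/afs/local give that tree its own type rather than the config type. The `type_transition afs_fsserver_t afs_config_t:{ file lnk_file sock_file fifo_file } afs_files_t;` that follows would then also disappear; as written it labels anything the fileserver creates inside a config directory as exported volume data, which mixes two very different trust classes.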
diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
new file mode 100644
index 0000000..31b1ab7
--- /dev/null
+++ b/policy/modules/services/amavis.fc
@@ -0,0 +1,12 @@
+
+/etc/amavis\.conf		--	gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/amavisd(/.*)?		--	gen_context(system_u:object_r:amavis_etc_t,s0)
+
+/usr/sbin/amavisd.*		--	gen_context(system_u:object_r:amavis_exec_t,s0)
+
+/var/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
+/var/lib/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
+/var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
+/var/run/amavis(d)?(/.*)?		gen_context(system_u:object_r:amavis_var_run_t,s0)
+/var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
+/var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)
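Review bot: The `/etc/amavisd(/.*)?` entry carries the `--` regular-file specifier, so it labels files inside the directory but never the directory `/etc/amavisd` itself, which falls back to the generic /etc labeling; amavis_t, which is only given `r_dir_perms` on amavis_etc_t in the .te hunk, would then depend on whatever etc access it has elsewhere to traverse it. Dropping the specifier, `/etc/amavisd(/.*)?			gen_context(system_u:object_r:amavis_etc_t,s0)`, labels both the directory and its contents. The `/var/log/amavisd\.log --` entry similarly matches only the live log and not rotated copies such as amavisd.log.1; `/var/log/amavisd\.log.*` would cover them if rotation is expected.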
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
new file mode 100644
index 0000000..f236899
--- /dev/null
+++ b/policy/modules/services/amavis.if
@@ -0,0 +1,176 @@
+## <summary>
+##	Daemon that interfaces mail transfer agents and content
+##	checkers, such as virus scanners.
+## </summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run amavis.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`amavis_domtrans',`
+	gen_require(`
+		type amavis_t, amavis_exec_t;
+	')
+
+	domain_auto_trans($1,amavis_exec_t,amavis_t)
+
+	allow $1 amavis_t:fd use;
+	allow amavis_t $1:fd use;
+	allow amavis_t $1:fifo_file rw_file_perms;
+	allow amavis_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read amavis spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_read_spool_files',`
+	gen_require(`
+		type amavis_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 amavis_spool_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Manage amavis spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_manage_spool_files',`
+	gen_require(`
+		type amavis_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 amavis_spool_t:dir manage_dir_perms;
+	allow $1 amavis_spool_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in the amavis spool directories
+##	with a private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`amavis_spool_filetrans',`
+	gen_require(`
+		type amavis_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 amavis_spool_t:dir rw_dir_perms;
+	type_transition $1 amavis_spool_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Search amavis lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_search_lib',`
+	gen_require(`
+		type amavis_var_lib_t;
+	')
+
+	allow $1 amavis_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read amavis lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_read_lib_files',`
+	gen_require(`
+		type amavis_var_lib_t;
+	')
+
+	allow $1 amavis_var_lib_t:file r_file_perms;
+	allow $1 amavis_var_lib_t:dir list_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	amavis lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_manage_lib_files',`
+	gen_require(`
+		type amavis_var_lib_t;
+	')
+
+	allow $1 amavis_var_lib_t:file manage_file_perms;
+	allow $1 amavis_var_lib_t:dir rw_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Set the attributes of amavis pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_setattr_pid_files',`
+	gen_require(`
+		type amavis_var_run_t;
+	')
+
+	allow $1 amavis_var_run_t:file setattr;
+	files_search_pids($1)
+')
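Review bot: `amavis_read_spool_files` grants `{ getattr read }` on amavis_spool_t files but no search on amavis_spool_t directories, so a caller that has only `files_search_spool()` can reach /var/spool yet cannot traverse into the amavis spool directory to open a file by path; the sibling `amavis_read_lib_files` does include `list_dir_perms` on its directory type, which shows the intended shape. Add `allow $1 amavis_spool_t:dir search_dir_perms;` next to the file rule. In `amavis_domtrans`, the `allow $1 amavis_t:fd use;` line lets the calling domain use descriptors belonging to the amavis domain, which a fork/exec transition does not need (the child using the parent's descriptors, the next line, is the normal direction); unless something relies on it, I would drop it so the interface stays least-privilege.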
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
new file mode 100644
index 0000000..55b4b6b
--- /dev/null
+++ b/policy/modules/services/amavis.te
@@ -0,0 +1,182 @@
+
+policy_module(amavis,1.0.5)
+
+########################################
+#
+# Declarations
+#
+
+type amavis_t;
+type amavis_exec_t;
+domain_type(amavis_t)
+init_daemon_domain(amavis_t, amavis_exec_t)
+
+# configuration files
+type amavis_etc_t;
+files_type(amavis_etc_t)
+
+# pid files
+type amavis_var_run_t;
+files_pid_file(amavis_var_run_t)
+
+# var/lib files
+type amavis_var_lib_t;
+files_type(amavis_var_lib_t)
+
+# log files
+type amavis_var_log_t;
+logging_log_file(amavis_var_log_t)
+
+# tmp files
+type amavis_tmp_t;
+files_tmp_file(amavis_tmp_t)
+
+# virus quarantine
+type amavis_quarantine_t;
+files_type(amavis_quarantine_t)
+
+type amavis_spool_t;
+files_type(amavis_spool_t)
+
+########################################
+#
+# amavis local policy
+#
+
+allow amavis_t self:capability { kill chown dac_override setgid setuid };
+dontaudit amavis_t self:capability sys_tty_config;
+allow amavis_t self:process { signal sigchld signull };
+allow amavis_t self:fifo_file rw_file_perms;
+allow amavis_t self:unix_stream_socket create_stream_socket_perms;
+allow amavis_t self:unix_dgram_socket create_socket_perms;
+allow amavis_t self:tcp_socket { listen accept };
+
+# configuration files
+allow amavis_t amavis_etc_t:dir r_dir_perms;
+allow amavis_t amavis_etc_t:file r_file_perms;
+allow amavis_t amavis_etc_t:lnk_file { getattr read };
+
+# mail quarantine
+allow amavis_t amavis_quarantine_t:file create_file_perms;
+allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
+allow amavis_t amavis_quarantine_t:dir create_dir_perms;
+
+# Spool Files
+allow amavis_t amavis_spool_t:dir manage_dir_perms;
+allow amavis_t amavis_spool_t:file manage_file_perms;
+allow amavis_t amavis_spool_t:sock_file manage_file_perms;
+files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
+
+# tmp files
+allow amavis_t amavis_tmp_t:file create_file_perms;
+allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
+files_tmp_filetrans(amavis_t,amavis_tmp_t,file)
+
+# var/lib files for amavis
+allow amavis_t amavis_var_lib_t:file create_file_perms;
+allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
+allow amavis_t amavis_var_lib_t:dir create_dir_perms;
+files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
+
+# log files
+allow amavis_t amavis_var_log_t:file create_file_perms;
+allow amavis_t amavis_var_log_t:sock_file create_file_perms;
+allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir })
+
+# pid file
+allow amavis_t amavis_var_run_t:file manage_file_perms;
+allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
+allow amavis_t amavis_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(amavis_t)
+# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
+kernel_dontaudit_list_proc(amavis_t)
+kernel_dontaudit_read_proc_symlinks(amavis_t)
+kernel_dontaudit_read_system_state(amavis_t)
+
+# find perl
+corecmd_exec_bin(amavis_t)
+corecmd_search_sbin(amavis_t)
+
+corenet_non_ipsec_sendrecv(amavis_t)
+corenet_tcp_sendrecv_all_if(amavis_t)
+corenet_tcp_sendrecv_all_nodes(amavis_t)
+corenet_tcp_bind_all_nodes(amavis_t)
+corenet_udp_bind_all_nodes(amavis_t)
+# amavis uses well-defined ports
+corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
+corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
+# just the other side not. ;-)
+corenet_tcp_sendrecv_all_ports(amavis_t)
+# connect to backchannel port
+corenet_tcp_connect_amavisd_send_port(amavis_t)
+# bind to incoming port
+corenet_tcp_bind_amavisd_recv_port(amavis_t)
+corenet_udp_bind_generic_port(amavis_t)
+
+dev_read_rand(amavis_t)
+dev_read_urand(amavis_t)
+
+domain_use_interactive_fds(amavis_t)
+
+files_read_etc_files(amavis_t)
+files_read_etc_runtime_files(amavis_t)
+files_read_usr_files(amavis_t)
+
+auth_dontaudit_read_shadow(amavis_t)
+
+init_use_fds(amavis_t)
+init_use_script_ptys(amavis_t)
+init_stream_connect_script(amavis_t)
+
+libs_use_ld_so(amavis_t)
+libs_use_shared_libs(amavis_t)
+
+logging_send_syslog_msg(amavis_t)
+
+miscfiles_read_localization(amavis_t)
+
+sysnet_dns_name_resolve(amavis_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(amavis_t)
+
+# Cron handling
+cron_use_fds(amavis_t)
+cron_use_system_job_fds(amavis_t)
+cron_rw_pipes(amavis_t)
+
+mta_read_config(amavis_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(amavis_t)
+')
+
+optional_policy(`
+	clamav_stream_connect(amavis_t)
+	clamav_domtrans_clamscan(amavis_t)
+')
+
+optional_policy(`
+	dcc_domtrans_client(amavis_t)
+	dcc_stream_connect_dccifd(amavis_t)
+')
+
+optional_policy(`
+	ldap_use(amavis_t)
+')
+
+optional_policy(`
+	pyzor_domtrans(amavis_t)
+')
+
+optional_policy(`
+	razor_domtrans(amavis_t)
+')
+
+optional_policy(`
+	spamassassin_exec(amavis_t)
+	spamassassin_exec_client(amavis_t)
+')
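Review bot: `corenet_tcp_sendrecv_all_ports(amavis_t)` under the `# just the other side not. ;-)` comment makes the two port-specific sendrecv rules just above it redundant and contradicts the `# amavis uses well-defined ports` comment, so a reader cannot tell whether the broad rule is intentional. If it is needed because the peer ports are not fixed, say so in place of the current comment, e.g. `# peer ports are not fixed, so sendrecv is broad; bind/connect stay on the amavisd ports`, otherwise drop it and keep only the two amavisd port rules. Separately, `allow amavis_t self:tcp_socket { listen accept };` grants neither create nor bind on the daemon's own socket, which the `corenet_tcp_bind_amavisd_recv_port` rule presumably needs; if the listening socket is created by amavis_t itself rather than inherited from init, `create_stream_socket_perms` is the set the other socket classes in this file already use.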
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
new file mode 100644
index 0000000..f6277c5
--- /dev/null
+++ b/policy/modules/services/apache.fc
@@ -0,0 +1,82 @@
+# temporary hack till genhomedircon is fixed
+ifdef(`targeted_policy',`
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+',`
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
+')
+
+/etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd			-d	gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf.*			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
+
+/srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+
+/usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/squid/cachemgr.cgi	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+
+/usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+')
+
+/usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-mmcache(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt3(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+
+/var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+')
+
+/var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+/var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+ifdef(`strict_policy',`
+/var/spool/cron/apache		-- 	gen_context(system_u:object_r:user_cron_spool_t,s0)
+')
+
+/var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
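Review bot: `/var/lib/php/session(/.*)?` is labelled `httpd_var_run_t`, the same type as the httpd pid files under `/var/run`, so every domain that is granted access to the pid-file type also gets access to whatever lives under that path. If, as the path suggests, it holds PHP session data, that is server-side user state and deserves its own type (declared in the .te file, outside this hunk) or at least a comment stating why the pid-file type is reused, e.g. `# php session store shares the pid type: any domain with httpd_var_run_t access can read sessions`. The `httpd_squirrelmail_t` and `squirrelmail_spool_t` types used on the `/var/lib/squirrelmail/prefs` and `/var/spool/squirrelmail` lines are not declared anywhere visible here; worth confirming they exist in the .te file so the context does not fail to resolve at relabel time.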
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
new file mode 100644
index 0000000..d263fc3
--- /dev/null
+++ b/policy/modules/services/apache.if
@@ -0,0 +1,1028 @@
+## <summary>Apache web server</summary>
+
+########################################
+## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`apache_content_template',`
+	gen_require(`
+		attribute httpdcontent;
+		attribute httpd_exec_scripts;
+		attribute httpd_script_exec_type;
+		type httpd_t, httpd_suexec_t, httpd_log_t;
+	')
+	# allow write access to public file transfer
+	# services files.
+	gen_tunable(allow_httpd_$1_script_anon_write,false)
+
+	#This type is for webpages
+	type httpd_$1_content_t, httpdcontent; # customizable
+	files_type(httpd_$1_content_t)
+
+	# This type is used for .htaccess files
+	type httpd_$1_htaccess_t; # customizable;
+	files_type(httpd_$1_htaccess_t)
+
+	# Type that CGI scripts run as
+	type httpd_$1_script_t;
+	domain_type(httpd_$1_script_t)
+	role system_r types httpd_$1_script_t;
+
+	# This type is used for executable scripts files
+	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+	corecmd_shell_entry_type(httpd_$1_script_t)
+	domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
+
+	# The following three are the only areas that 
+	# scripts can read, read/write, or append to
+	type httpd_$1_script_ro_t, httpdcontent; # customizable
+	files_type(httpd_$1_script_ro_t)
+
+	type httpd_$1_script_rw_t, httpdcontent; # customizable
+	files_type(httpd_$1_script_rw_t)
+
+	type httpd_$1_script_ra_t, httpdcontent; # customizable
+	files_type(httpd_$1_script_ra_t)
+
+	allow httpd_t httpd_$1_htaccess_t:file r_file_perms;
+
+	domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+	allow httpd_suexec_t httpd_$1_script_t:fd use;
+	allow httpd_$1_script_t httpd_suexec_t:fd use;
+	allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
+	allow httpd_$1_script_t httpd_suexec_t:process sigchld;
+
+	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
+
+	allow httpd_$1_script_t self:fifo_file rw_file_perms;
+	allow httpd_$1_script_t self:unix_stream_socket connectto;
+
+	allow httpd_$1_script_t httpd_t:fifo_file write;
+	# apache should set close-on-exec
+	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+	# Allow the script process to search the cgi directory, and users directory
+	allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
+
+	allow httpd_$1_script_t httpd_log_t:file { getattr append };
+	allow httpd_$1_script_t httpd_log_t:dir search;
+	logging_search_logs(httpd_$1_script_t)
+
+	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+	allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
+
+	allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
+	allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
+	allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };
+
+	allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
+	allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
+	allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };
+
+	allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
+	allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
+	allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
+	allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
+	allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
+	files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
+
+	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
+	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
+
+	dev_read_rand(httpd_$1_script_t)
+	dev_read_urand(httpd_$1_script_t)
+
+	corecmd_exec_all_executables(httpd_$1_script_t)
+
+	files_exec_etc_files(httpd_$1_script_t)
+	files_read_etc_files(httpd_$1_script_t)
+	files_search_home(httpd_$1_script_t)
+
+	libs_use_ld_so(httpd_$1_script_t)
+	libs_use_shared_libs(httpd_$1_script_t)
+	libs_exec_ld_so(httpd_$1_script_t)
+	libs_exec_lib_files(httpd_$1_script_t)
+
+	miscfiles_read_fonts(httpd_$1_script_t)
+	miscfiles_read_public_files(httpd_$1_script_t)
+
+	seutil_dontaudit_search_config(httpd_$1_script_t)
+
+	tunable_policy(`httpd_enable_cgi && httpd_unified',`
+		allow httpd_$1_script_t httpdcontent:file entrypoint;
+		allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
+		allow httpd_$1_script_t httpdcontent:file create_file_perms;
+		allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
+		can_exec(httpd_$1_script_t, httpdcontent)
+	')
+
+	tunable_policy(`allow_httpd_$1_script_anon_write',`
+		miscfiles_manage_public_files(httpd_$1_script_t)
+	') 
+
+	# Allow the web server to run scripts and serve pages
+	tunable_policy(`httpd_builtin_scripting',`
+		allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
+		allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
+		allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
+		allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
+
+		allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
+		allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
+		allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };
+
+		allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
+		allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
+		allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };
+
+		allow httpd_t httpd_$1_content_t:dir r_dir_perms;
+		allow httpd_t httpd_$1_content_t:file r_file_perms;
+		allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
+	')
+
+	tunable_policy(`httpd_enable_cgi',`
+		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+
+		# privileged users run the script:
+		domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+		allow httpd_exec_scripts httpd_$1_script_t:fd use;
+		allow httpd_$1_script_t httpd_exec_scripts:fd use;
+		allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms;
+		allow httpd_$1_script_t httpd_exec_scripts:process sigchld;
+
+		# apache runs the script:
+		domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+		allow httpd_t httpd_$1_script_t:fd use;
+		allow httpd_$1_script_t httpd_t:fd use;
+		allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
+		allow httpd_$1_script_t httpd_t:process sigchld;
+
+		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+		allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
+		allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
+
+		allow httpd_$1_script_t self:process signal_perms;
+		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+
+		allow httpd_$1_script_t httpd_t:fd use;
+		allow httpd_$1_script_t httpd_t:process sigchld;
+
+		kernel_read_system_state(httpd_$1_script_t)
+
+		dev_read_urand(httpd_$1_script_t)
+
+		fs_getattr_xattr_fs(httpd_$1_script_t)
+
+		files_read_etc_runtime_files(httpd_$1_script_t)
+		files_read_usr_files(httpd_$1_script_t)
+
+		libs_read_lib_files(httpd_$1_script_t)
+
+		miscfiles_read_localization(httpd_$1_script_t)
+	')
+
+	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
+		allow httpd_$1_script_t self:udp_socket create_socket_perms;
+
+		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
+		corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
+		corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
+		corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
+		corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
+
+		sysnet_read_config(httpd_$1_script_t)
+	')
+
+	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
+		allow httpd_$1_script_t self:udp_socket create_socket_perms;
+
+		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
+		corenet_tcp_connect_all_ports(httpd_$1_script_t)
+		corenet_sendrecv_all_client_packets(httpd_$1_script_t)
+
+		sysnet_read_config(httpd_$1_script_t)
+	')
+
+	optional_policy(`
+		mta_send_mail(httpd_$1_script_t)
+	')
+
+	optional_policy(`
+		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+			nis_use_ypbind_uncond(httpd_$1_script_t)
+		')
+	')
+
+	optional_policy(`
+		nscd_socket_use(httpd_$1_script_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The per user domain template for the apache module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates types used for web pages
+##	and web cgi to be used from the user home directory.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`apache_per_userdomain_template', `
+	gen_require(`
+		attribute httpdcontent, httpd_script_domains;
+		attribute httpd_exec_scripts;
+		type httpd_t, httpd_suexec_t, httpd_log_t;
+	')
+
+	apache_content_template($1)
+
+	typeattribute httpd_$1_content_t httpd_script_domains;
+	userdom_user_home_content($1,httpd_$1_content_t)
+
+	role $3 types httpd_$1_script_t;
+
+	allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
+
+	allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
+
+	allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };
+
+	allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };
+
+	allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };
+
+	allow $2 httpd_$1_script_exec_t:dir create_dir_perms;
+	allow $2 httpd_$1_script_exec_t:file create_file_perms;
+	allow $2 httpd_$1_script_exec_t:lnk_file create_lnk_perms;
+
+	allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+
+	tunable_policy(`httpd_enable_cgi',`
+		# If a user starts a script by hand it gets the proper context
+		domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
+		allow $2 httpd_$1_script_t:fd use;
+		allow httpd_$1_script_t $2:fd use;
+		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+		allow httpd_$1_script_t $2:process sigchld;
+	')
+
+	tunable_policy(`httpd_enable_cgi && httpd_unified',`
+		allow httpd_$1_script_t httpdcontent:file entrypoint;
+
+		domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
+		allow $2 httpd_$1_script_t:fd use;
+		allow httpd_$1_script_t $2:fd use;
+		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+		allow httpd_$1_script_t $2:process sigchld;
+	')
+
+	# allow accessing files/dirs below the users home dir
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_user_home_dirs($1,httpd_t)
+		userdom_search_user_home_dirs($1,httpd_suexec_t)
+		userdom_search_user_home_dirs($1,httpd_$1_script_t)
+	')
+')
+
+########################################
+## <summary>
+##	Read httpd user scripts executables.
+## </summary>
+## <param name="domain_prefix">
+##	<summary>
+##	Prefix of the domain. Example, user would be
+##	the prefix for the uder_t domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`apache_read_user_scripts',`
+	gen_require(`
+		type httpd_$1_script_exec_t;
+	')
+
+	allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
+	allow $2 httpd_$1_script_exec_t:file r_file_perms;
+	allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read user web content.
+## </summary>
+## <param name="domain_prefix">
+##	<summary>
+##	Prefix of the domain. Example, user would be
+##	the prefix for the uder_t domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`apache_read_user_content',`
+	gen_require(`
+		type httpd_$1_content_t;
+	')
+
+	allow $2 httpd_$1_content_t:dir r_dir_perms;
+	allow $2 httpd_$1_content_t:file r_file_perms;
+	allow $2 httpd_$1_content_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Transition to apache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_domtrans',`
+	gen_require(`
+		type httpd_t, httpd_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,httpd_exec_t,httpd_t)
+
+	allow $1 httpd_t:fd use;
+	allow httpd_t $1:fd use;
+	allow httpd_t $1:fifo_file rw_file_perms;
+	allow httpd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a null signal to apache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_signull',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to apache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_sigchld',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from Apache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_use_fds',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write Apache
+##	unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_stream_sockets',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	dontaudit $1 httpd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write Apache
+##	TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_tcp_sockets',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	dontaudit $1 httpd_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete all web content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_manage_all_content',`
+	gen_require(`
+		attribute httpdcontent, httpd_script_exec_type;
+	')
+
+	allow $1 httpdcontent:dir manage_dir_perms;
+	allow $1 httpdcontent:file manage_file_perms;
+	allow $1 httpdcontent:lnk_file create_lnk_perms;
+
+	allow $1 httpd_script_exec_type:dir manage_dir_perms;
+	allow $1 httpd_script_exec_type:file manage_file_perms;
+	allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
+
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	and write Apache cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_rw_cache_files',`
+	gen_require(`
+		type httpd_cache_t;
+	')
+
+	allow $1 httpd_cache_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	apache configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_config',`
+	gen_require(`
+		type httpd_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 httpd_config_t:dir r_dir_perms;
+	allow $1 httpd_config_t:file r_file_perms;
+	allow $1 httpd_config_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	apache configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_manage_config',`
+	gen_require(`
+		type httpd_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 httpd_config_t:dir manage_dir_perms;
+	allow $1 httpd_config_t:file manage_file_perms;
+	allow $1 httpd_config_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Execute the Apache helper program with
+##	a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_domtrans_helper',`
+	gen_require(`
+		type httpd_helper_t, httpd_helper_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t)
+
+	allow $1 httpd_helper_t:fd use;
+	allow httpd_helper_t $1:fd use;
+	allow httpd_helper_t $1:fifo_file rw_file_perms;
+	allow httpd_helper_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute the Apache helper program with
+##	a domain transition, and allow the
+##	specified role the dmidecode domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the dmidecode domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the dmidecode domain to use.
+##	</summary>
+## </param>
+#
+interface(`apache_run_helper',`
+	gen_require(`
+		type httpd_helper_t;
+	')
+
+	apache_domtrans_helper($1)
+	role $2 types httpd_helper_t;
+	allow httpd_helper_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	apache log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_log',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 httpd_log_t:dir r_dir_perms;
+	allow $1 httpd_log_t:file r_file_perms;
+	allow $1 httpd_log_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	to apache log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_append_log',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 httpd_log_t:dir r_dir_perms;
+	allow $1 httpd_log_t:file append;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to append to the
+##	Apache logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_append_log',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	dontaudit $1 httpd_log_t:file { getattr append };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	to apache log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_manage_log',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 httpd_log_t:dir manage_dir_perms;
+	allow $1 httpd_log_t:file manage_file_perms;
+	allow $1 httpd_log_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search Apache
+##	module directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_search_modules',`
+	gen_require(`
+		type httpd_modules_t;
+	')
+
+	allow $1 httpd_modules_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to list
+##	the contents of the apache modules
+##	directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_list_modules',`
+	gen_require(`
+		type httpd_modules_t;
+	')
+
+	allow $1 httpd_modules_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to execute
+##	apache modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_exec_modules',`
+	gen_require(`
+		type httpd_modules_t;
+	')
+
+	allow $1 httpd_modules_t:dir r_dir_perms;
+	allow $1 httpd_modules_t:lnk_file r_file_perms;
+	can_exec($1,httpd_modules_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run httpd_rotatelogs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_domtrans_rotatelogs',`
+	gen_require(`
+		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+	')
+
+	domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
+
+	allow httpd_rotatelogs_t $1:fd use;
+	allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
+	allow httpd_rotatelogs_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	apache system content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
+interface(`apache_manage_sys_content',`
+	gen_require(`
+		type httpd_sys_content_t;
+	')
+
+	files_search_var($1)
+	allow $1 httpd_sys_content_t:dir create_dir_perms;
+	allow $1 httpd_sys_content_t:file create_file_perms;
+	allow $1 httpd_sys_content_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Execute all web scripts in the system
+##	script domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
+interface(`apache_domtrans_sys_script',`
+	gen_require(`
+		attribute httpdcontent;
+		type httpd_sys_script_t;
+	')
+
+	tunable_policy(`httpd_enable_cgi && httpd_unified',`
+		domain_auto_trans($1, httpdcontent, httpd_sys_script_t)
+
+		allow $1 httpd_sys_script_t:fd use;
+		allow httpd_sys_script_t $1:fd use;
+		allow httpd_sys_script_t $1:fifo_file rw_file_perms;
+		allow httpd_sys_script_t $1:process sigchld;
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write Apache
+##	system script unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
+	gen_require(`
+		type httpd_sys_script_t;
+	')
+
+	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Execute all user scripts in the user
+##	script domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_domtrans_all_scripts',`
+	gen_require(`
+		attribute httpd_exec_scripts;
+	')
+
+	typeattribute $1 httpd_exec_scripts;
+')
+
+########################################
+## <summary>
+##	Execute all user scripts in the user
+##	script domain.  Add user script domains
+##	to the specified role.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the script domains.
+##	</summary>
+## </param>
+#
+# cjp: this is missing the terminal since scripts
+# do not output to the terminal
+interface(`apache_run_all_scripts',`
+	gen_require(`
+		attribute httpd_exec_scripts, httpd_script_domains;
+	')
+
+	role $2 types httpd_script_domains;
+	apache_domtrans_all_scripts($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	apache squirrelmail data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_squirrelmail_data',`
+	gen_require(`
+		type httpd_squirrelmail_t;
+	')
+
+	allow $1 httpd_squirrelmail_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	apache squirrelmail data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_append_squirrelmail_data',`
+	gen_require(`
+		type httpd_squirrelmail_t;
+	')
+
+	allow $1 httpd_squirrelmail_t:file { getattr append };
+')
+
+########################################
+## <summary>
+##	Search apache system content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_search_sys_content',`
+	gen_require(`
+		type httpd_sys_content_t;
+	')
+
+	allow $1 httpd_sys_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read apache system content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_read_sys_content',`
+	gen_require(`
+		type httpd_sys_content_t;
+	')
+
+	allow $1 httpd_sys_content_t:dir r_dir_perms;
+	allow $1 httpd_sys_content_t:file { getattr read };
+	allow $1 httpd_sys_content_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Search system script state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_search_sys_script_state',`
+	gen_require(`
+		type httpd_sys_script_t;
+	')
+
+	allow $1 httpd_sys_script_t:dir search;
+')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
new file mode 100644
index 0000000..e92d29d
--- /dev/null
+++ b/policy/modules/services/apache.te
@@ -0,0 +1,723 @@
+
+policy_module(apache,1.3.15)
+
+#
+# NOTES: 
+#  This policy will work with SUEXEC enabled as part of the Apache
+#  configuration. However, the user CGI scripts will run under the
+#  system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
+#  of the creating user.
+#
+#  The user CGI scripts must be labeled with the httpd_$1_script_exec_t
+#  type, and the directory containing the scripts should also be labeled
+#  with these types. This policy allows user_r role to perform that 
+#  relabeling. If it is desired that only sysadm_r should be able to relabel
+#  the user CGI scripts, then relabel rule for user_r should be removed.
+#
+
+########################################
+#
+# Declarations
+#
+
+attribute httpdcontent;
+
+# domains that can exec all users scripts
+attribute httpd_exec_scripts;
+
+attribute httpd_script_exec_type;
+
+# user script domains
+attribute httpd_script_domains;
+
+type httpd_t;
+type httpd_exec_t;
+init_daemon_domain(httpd_t,httpd_exec_t)
+role system_r types httpd_t;
+
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
+type httpd_cache_t;
+files_type(httpd_cache_t)
+
+# httpd_config_t is the type given to the configuration files
+type httpd_config_t;
+files_type(httpd_config_t)
+
+type httpd_helper_t;
+type httpd_helper_exec_t;
+domain_type(httpd_helper_t)
+domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
+role system_r types httpd_helper_t;
+
+type httpd_lock_t;
+files_lock_file(httpd_lock_t)
+
+type httpd_log_t;
+logging_log_file(httpd_log_t)
+
+# httpd_modules_t is the type given to module files (libraries) 
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
+type httpd_modules_t;
+files_type(httpd_modules_t)
+
+type httpd_php_t;
+type httpd_php_exec_t;
+domain_type(httpd_php_t)
+domain_entry_file(httpd_php_t,httpd_php_exec_t)
+role system_r types httpd_php_t;
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
+type httpd_rotatelogs_t;
+type httpd_rotatelogs_exec_t;
+init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+
+type httpd_squirrelmail_t;
+files_type(httpd_squirrelmail_t)
+
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
+type httpd_suexec_exec_t;
+domain_type(httpd_suexec_t)
+domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
+role system_r types httpd_suexec_t;
+
+type httpd_suexec_tmp_t;
+files_tmp_file(httpd_suexec_tmp_t)
+
+# setup the system domain for system CGI scripts
+apache_content_template(sys)
+
+type httpd_tmp_t;
+files_tmp_file(httpd_tmp_t)
+
+type httpd_tmpfs_t;
+files_tmpfs_file(httpd_tmpfs_t)
+
+# Unconfined domain for apache scripts.
+# Only to be used as a last resort
+type httpd_unconfined_script_t;
+type httpd_unconfined_script_exec_t; # customizable
+domain_type(httpd_unconfined_script_t)
+domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
+role system_r types httpd_unconfined_script_t;
+
+# for apache2 memory mapped files
+type httpd_var_lib_t;
+files_type(httpd_var_lib_t)
+
+type httpd_var_run_t;
+files_pid_file(httpd_var_run_t)
+
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+
+ifdef(`targeted_policy',`
+	typealias httpd_sys_content_t alias httpd_user_content_t;
+	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
+')
+
+optional_policy(`
+	prelink_object_file(httpd_modules_t)
+')
+
+########################################
+#
+# Apache server local policy
+#
+
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
+allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_t self:fd use;
+allow httpd_t self:sock_file r_file_perms;
+allow httpd_t self:fifo_file rw_file_perms;
+allow httpd_t self:shm create_shm_perms;
+allow httpd_t self:sem create_sem_perms;
+allow httpd_t self:msgq create_msgq_perms;
+allow httpd_t self:msg { send receive };
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow httpd_t self:tcp_socket { create_stream_socket_perms acceptfrom connectto recvfrom };
+allow httpd_t self:udp_socket create_socket_perms;
+
+# Allow httpd_t to put files in /var/cache/httpd etc
+allow httpd_t httpd_cache_t:dir create_dir_perms;
+allow httpd_t httpd_cache_t:file create_file_perms;
+allow httpd_t httpd_cache_t:lnk_file create_lnk_perms;
+
+# Allow the httpd_t to read the web servers config files
+allow httpd_t httpd_config_t:dir r_dir_perms;
+allow httpd_t httpd_config_t:file r_file_perms;
+allow httpd_t httpd_config_t:lnk_file { getattr read };
+
+can_exec(httpd_t, httpd_exec_t)
+
+allow httpd_t httpd_lock_t:file create_file_perms;
+files_lock_filetrans(httpd_t,httpd_lock_t,file)
+
+allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
+allow httpd_t httpd_log_t:file { create ra_file_perms };
+allow httpd_t httpd_log_t:lnk_file read;
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
+logging_log_filetrans(httpd_t,httpd_log_t,file)
+
+allow httpd_t httpd_modules_t:file rx_file_perms;
+allow httpd_t httpd_modules_t:dir r_dir_perms;
+allow httpd_t httpd_modules_t:lnk_file r_file_perms;
+
+allow httpd_t httpd_squirrelmail_t:dir create_dir_perms;
+allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms;
+allow httpd_t httpd_squirrelmail_t:file create_file_perms;
+
+allow httpd_t httpd_suexec_exec_t:file { getattr read };
+
+allow httpd_t httpd_sys_content_t:dir r_dir_perms;
+allow httpd_t httpd_sys_content_t:file r_file_perms;
+allow httpd_t httpd_sys_content_t:lnk_file r_file_perms;
+
+allow httpd_t httpd_tmp_t:dir create_dir_perms;
+allow httpd_t httpd_tmp_t:file create_file_perms;
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
+
+allow httpd_t httpd_tmpfs_t:dir create_dir_perms;
+allow httpd_t httpd_tmpfs_t:file create_file_perms;
+allow httpd_t httpd_tmpfs_t:lnk_file create_lnk_perms;
+allow httpd_t httpd_tmpfs_t:sock_file create_file_perms;
+allow httpd_t httpd_tmpfs_t:fifo_file create_file_perms;
+fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+allow httpd_t httpd_var_lib_t:file create_file_perms;
+allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(httpd_t,httpd_var_lib_t,file)
+
+allow httpd_t httpd_var_run_t:file create_file_perms;
+allow httpd_t httpd_var_run_t:sock_file create_file_perms;
+allow httpd_t httpd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(httpd_t,httpd_var_run_t, { file sock_file })
+
+allow httpd_t squirrelmail_spool_t:dir create_dir_perms;
+allow httpd_t squirrelmail_spool_t:file create_file_perms;
+allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
+
+kernel_read_kernel_sysctls(httpd_t)
+kernel_tcp_recvfrom(httpd_t)
+# for modules that want to access /proc/meminfo
+kernel_read_system_state(httpd_t)
+
+corenet_non_ipsec_sendrecv(httpd_t)
+corenet_tcp_sendrecv_all_if(httpd_t)
+corenet_udp_sendrecv_all_if(httpd_t)
+corenet_tcp_sendrecv_all_nodes(httpd_t)
+corenet_udp_sendrecv_all_nodes(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
+corenet_tcp_bind_all_nodes(httpd_t)
+corenet_tcp_bind_http_port(httpd_t)
+corenet_tcp_bind_http_cache_port(httpd_t)
+corenet_sendrecv_http_server_packets(httpd_t)
+
+dev_read_sysfs(httpd_t)
+dev_read_rand(httpd_t)
+dev_read_urand(httpd_t)
+dev_rw_crypto(httpd_t)
+
+fs_getattr_all_fs(httpd_t)
+fs_search_auto_mountpoints(httpd_t)
+
+term_dontaudit_use_console(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_sbin(httpd_t)
+
+domain_use_interactive_fds(httpd_t)
+
+files_read_usr_files(httpd_t)
+files_list_mnt(httpd_t)
+files_search_spool(httpd_t)
+files_read_var_lib_files(httpd_t)
+files_search_home(httpd_t)
+files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
+files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+files_read_etc_files(httpd_t)
+# for tomcat
+files_read_var_lib_symlinks(httpd_t)
+
+init_use_fds(httpd_t)
+init_use_script_ptys(httpd_t)
+
+libs_use_ld_so(httpd_t)
+libs_use_shared_libs(httpd_t)
+libs_read_lib_files(httpd_t)
+
+logging_send_syslog_msg(httpd_t)
+
+miscfiles_read_localization(httpd_t)
+miscfiles_read_fonts(httpd_t)
+miscfiles_read_public_files(httpd_t)
+miscfiles_read_certs(httpd_t)
+
+seutil_dontaudit_search_config(httpd_t)
+
+sysnet_use_ldap(httpd_t)
+sysnet_read_config(httpd_t)
+
+userdom_use_unpriv_users_fds(httpd_t)
+userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
+
+mta_send_mail(httpd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(httpd_t)
+	term_dontaudit_use_generic_ptys(httpd_t)
+	files_dontaudit_read_root_files(httpd_t)
+
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_generic_user_home_dirs(httpd_t)
+	')
+')
+
+tunable_policy(`allow_httpd_anon_write',`
+	miscfiles_manage_public_files(httpd_t)
+') 
+
+ifdef(`TODO', `
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`allow_httpd_mod_auth_pam',`
+	auth_domtrans_chk_passwd(httpd_t)
+')
+')
+
+tunable_policy(`httpd_can_network_connect',`
+	corenet_tcp_connect_all_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_connect_db',`
+	# allow httpd to connect to mysql/posgresql
+	corenet_tcp_connect_postgresql_port(httpd_t)
+	corenet_tcp_connect_mysqld_port(httpd_t)
+	corenet_sendrecv_postgresql_client_packets(httpd_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_relay',`
+	# allow httpd to work as a relay
+	corenet_tcp_connect_gopher_port(httpd_t)
+	corenet_tcp_connect_ftp_port(httpd_t)
+	corenet_tcp_connect_http_port(httpd_t)
+	corenet_tcp_connect_http_cache_port(httpd_t)
+	corenet_sendrecv_gopher_client_packets(httpd_t)
+	corenet_sendrecv_ftp_client_packets(httpd_t)
+	corenet_sendrecv_http_client_packets(httpd_t)
+	corenet_sendrecv_http_cache_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_enable_cgi',`
+	domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+	allow httpd_t httpd_unconfined_script_t:fd use;
+	allow httpd_unconfined_script_t httpd_t:fd use;
+	allow httpd_unconfined_script_t httpd_t:fifo_file rw_file_perms;
+	allow httpd_unconfined_script_t httpd_t:process sigchld;
+
+	allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
+	allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+	domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+	allow httpd_t httpd_sys_script_t:fd use;
+	allow httpd_sys_script_t httpd_t:fd use;
+	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+	allow httpd_sys_script_t httpd_t:process sigchld;
+
+	allow httpd_t httpdcontent:dir create_dir_perms;
+	allow httpd_t httpdcontent:file create_file_perms;
+	allow httpd_t httpdcontent:lnk_file create_lnk_perms;
+')
+
+tunable_policy(`httpd_enable_ftp_server',`
+	corenet_tcp_bind_ftp_port(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(httpd_t)
+	fs_read_nfs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_t)
+	fs_read_cifs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_ssi_exec',`
+	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
+	allow httpd_t httpd_sys_script_t:fd use;
+	allow httpd_sys_script_t httpd_t:fd use;
+	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+	allow httpd_sys_script_t httpd_t:process sigchld;
+')
+
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here. 
+tunable_policy(`httpd_tty_comm',`
+	# cjp: this is redundant:
+	term_use_controlling_term(httpd_t)
+
+	userdom_use_sysadm_terms(httpd_t)
+',`
+	userdom_dontaudit_use_sysadm_terms(httpd_t)
+')
+
+optional_policy(`
+	calamaris_read_www_files(httpd_t)
+')
+
+optional_policy(`
+	daemontools_service_domain(httpd_t, httpd_exec_t)
+')
+
+optional_policy(`
+	kerberos_use(httpd_t)
+')
+
+optional_policy(`
+	mailman_signal_cgi(httpd_t)
+	mailman_domtrans_cgi(httpd_t)
+	# should have separate types for public and private archives
+	mailman_search_data(httpd_t)
+	mailman_read_archive(httpd_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(httpd_t)
+	mysql_rw_db_sockets(httpd_t)
+')
+
+optional_policy(`
+	nagios_read_config(httpd_t)
+	nagios_domtrans_cgi(httpd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(httpd_t)
+')
+
+optional_policy(`
+	openca_domtrans(httpd_t)
+	openca_signal(httpd_t)
+	openca_sigstop(httpd_t)
+	openca_kill(httpd_t)
+')
+
+optional_policy(`
+	# Allow httpd to work with postgresql
+	postgresql_stream_connect(httpd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(httpd_t)
+')
+
+optional_policy(`
+	udev_read_db(httpd_t)
+')
+
+optional_policy(`
+	yam_read_content(httpd_t)
+')
+
+########################################
+#
+# Apache helper local policy
+#
+
+domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+allow httpd_t httpd_helper_t:fd use;
+allow httpd_helper_t httpd_t:fd use;
+allow httpd_helper_t httpd_t:fifo_file rw_file_perms;
+allow httpd_helper_t httpd_t:process sigchld;
+
+allow httpd_helper_t httpd_config_t:file { getattr read };
+
+allow httpd_helper_t httpd_log_t:file append;
+
+libs_use_ld_so(httpd_helper_t)
+libs_use_shared_libs(httpd_helper_t)
+
+logging_send_syslog_msg(httpd_helper_t)
+
+tunable_policy(`httpd_tty_comm',`
+	# cjp: this is redundant:
+	term_use_controlling_term(httpd_helper_t)
+
+	userdom_use_sysadm_terms(httpd_helper_t)
+')
+
+########################################
+#
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_file_perms;
+allow httpd_php_t self:sock_file r_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
+allow httpd_t httpd_php_t:fd use;
+allow httpd_php_t httpd_t:fd use;
+allow httpd_php_t httpd_t:fifo_file rw_file_perms;
+allow httpd_php_t httpd_t:process sigchld;
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file ra_file_perms;
+
+allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms;
+allow httpd_php_t httpd_php_tmp_t:file create_file_perms;
+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+libs_use_ld_so(httpd_php_t)
+libs_use_shared_libs(httpd_php_t)
+
+userdom_use_unpriv_users_fds(httpd_php_t)
+
+optional_policy(`
+	mysql_stream_connect(httpd_php_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(httpd_php_t)
+')
+
+########################################
+#
+# Apache suexec local policy
+#
+
+allow httpd_suexec_t self:capability { setuid setgid };
+allow httpd_suexec_t self:process signal_perms;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+ifdef(`targeted_policy',`
+	gen_tunable(httpd_suexec_disable_trans,false)
+
+	tunable_policy(`httpd_suexec_disable_trans',`',`
+		domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+		allow httpd_t httpd_suexec_t:fd use;
+		allow httpd_suexec_t httpd_t:fd use;
+		allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
+		allow httpd_suexec_t httpd_t:process sigchld;
+	')
+')
+
+allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
+allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
+allow httpd_suexec_t httpd_t:fifo_file getattr;
+
+allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms;
+allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
+files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(httpd_suexec_t)
+kernel_list_proc(httpd_suexec_t)
+kernel_read_proc_symlinks(httpd_suexec_t)
+
+dev_read_urand(httpd_suexec_t)
+
+fs_search_auto_mountpoints(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
+files_read_etc_files(httpd_suexec_t)
+files_read_usr_files(httpd_suexec_t)
+files_dontaudit_search_pids(httpd_suexec_t)
+files_search_home(httpd_suexec_t)
+
+libs_use_ld_so(httpd_suexec_t)
+libs_use_shared_libs(httpd_suexec_t)
+
+logging_search_logs(httpd_suexec_t)
+logging_send_syslog_msg(httpd_suexec_t)
+
+miscfiles_read_localization(httpd_suexec_t)
+
+ifdef(`targeted_policy',`
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_generic_user_home_dirs(httpd_suexec_t)
+	')
+')
+
+tunable_policy(`httpd_can_network_connect',`
+	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+	corenet_non_ipsec_sendrecv(httpd_suexec_t)
+	corenet_tcp_sendrecv_all_if(httpd_suexec_t)
+	corenet_udp_sendrecv_all_if(httpd_suexec_t)
+	corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
+	corenet_udp_sendrecv_all_nodes(httpd_suexec_t)
+	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
+	corenet_tcp_connect_all_ports(httpd_suexec_t)
+	corenet_sendrecv_all_client_packets(httpd_suexec_t)
+
+	sysnet_read_config(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_cgi',`
+	domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+	allow httpd_suexec_t httpd_unconfined_script_t:fd use;
+	allow httpd_unconfined_script_t httpd_suexec_t:fd use;
+	allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
+	allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+	allow httpd_suexec_t httpd_sys_script_t:fd use;
+	allow httpd_sys_script_t httpd_suexec_t:fd use;
+	allow httpd_sys_script_t httpd_suexec_t:fifo_file rw_file_perms;
+	allow httpd_sys_script_t httpd_suexec_t:process sigchld;
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(httpd_suexec_t)
+	fs_read_nfs_symlinks(httpd_suexec_t)
+	fs_exec_nfs_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_suexec_t)
+	fs_read_cifs_symlinks(httpd_suexec_t)
+	fs_exec_cifs_files(httpd_suexec_t)
+')
+
+optional_policy(`
+	mailman_domtrans_cgi(httpd_suexec_t)
+')
+
+optional_policy(`
+	mta_stub(httpd_suexec_t)
+
+	# apache should set close-on-exec
+	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+')
+
+optional_policy(`
+	nagios_domtrans_cgi(httpd_suexec_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(httpd_suexec_t)
+')
+
+optional_policy(`
+	nscd_socket_use(httpd_suexec_t)
+')
+
+########################################
+#
+# Apache system script local policy
+#
+
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+
+allow httpd_sys_script_t squirrelmail_spool_t:dir r_dir_perms;
+allow httpd_sys_script_t squirrelmail_spool_t:file r_file_perms;
+allow httpd_sys_script_t squirrelmail_spool_t:lnk_file { getattr read };
+
+kernel_read_kernel_sysctls(httpd_sys_script_t)
+
+files_search_var_lib(httpd_sys_script_t)
+files_search_spool(httpd_sys_script_t)
+
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_sys_script_t)
+
+ifdef(`distro_redhat',`
+	allow httpd_sys_script_t httpd_log_t:file { getattr append };
+')
+
+ifdef(`targeted_policy',`
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_generic_user_home_dirs(httpd_sys_script_t)
+	')
+')
+
+optional_policy(`
+	clamav_domtrans_clamscan(httpd_sys_script_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(httpd_sys_script_t)
+	mysql_rw_db_sockets(httpd_sys_script_t)
+')
+
+########################################
+#
+# Apache unconfined script local policy
+#
+
+unconfined_domain(httpd_unconfined_script_t)
+
+optional_policy(`
+	cron_system_entry(httpd_t, httpd_exec_t)
+')
+
+optional_policy(`
+	nscd_socket_use(httpd_unconfined_script_t)
+')
+
+########################################
+#
+# httpd_rotatelogs local policy
+#
+
+allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
+allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms;
+
+kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
+
+files_read_etc_files(httpd_rotatelogs_t)
+
+libs_use_ld_so(httpd_rotatelogs_t)
+libs_use_shared_libs(httpd_rotatelogs_t)
+
+miscfiles_read_localization(httpd_rotatelogs_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
+')
diff --git a/policy/modules/services/apm.fc b/policy/modules/services/apm.fc
new file mode 100644
index 0000000..0123777
--- /dev/null
+++ b/policy/modules/services/apm.fc
@@ -0,0 +1,23 @@
+
+#
+# /usr
+#
+/usr/bin/apm		--	gen_context(system_u:object_r:apm_exec_t,s0)
+
+/usr/sbin/acpid		--	gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/apmd		--	gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/powersaved	--	gen_context(system_u:object_r:apmd_exec_t,s0)
+
+#
+# /var
+#
+/var/log/acpid.*	--	gen_context(system_u:object_r:apmd_log_t,s0)
+
+/var/run/\.?acpid\.socket -s	gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/apmd\.pid	--	gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersaved\.pid --	gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersave_socket -s	gen_context(system_u:object_r:apmd_var_run_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/acpi(/.*)?		gen_context(system_u:object_r:apmd_var_lib_t,s0)
+')
diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if
new file mode 100644
index 0000000..8fd6d54
--- /dev/null
+++ b/policy/modules/services/apm.if
@@ -0,0 +1,118 @@
+## <summary>Advanced power management daemon</summary>
+
+########################################
+## <summary>
+##	Execute APM in the apm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apm_domtrans_client',`
+	gen_require(`
+		type apm_t, apm_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,apm_exec_t,apm_t)
+
+	allow $1 apm_t:fd use;
+	allow apm_t $1:fd use;
+	allow apm_t $1:fifo_file rw_file_perms;
+	allow apm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Use file descriptors for apmd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apm_use_fds',`
+	gen_require(`
+		type apmd_t;
+	')
+
+	allow $1 apmd_t:fd use; 
+')
+
+########################################
+## <summary>
+##	Write to apmd unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apm_write_pipes',`
+	gen_require(`
+		type apmd_t;
+	')
+
+	allow $1 apmd_t:fifo_file write; 
+')
+
+########################################
+## <summary>
+##	Read and write to an apm unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apm_rw_stream_sockets',`
+	gen_require(`
+		type apmd_t;
+	')
+
+	allow $1 apmd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Append to apm's log file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apm_append_log',`
+	gen_require(`
+		type apmd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 apmd_log_t:file append;
+')
+
+########################################
+## <summary>
+##	Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apm_stream_connect',`
+	gen_require(`
+		type apmd_t, apmd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 apmd_var_run_t:sock_file write;
+	allow $1 apmd_t:unix_stream_socket connectto;
+')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
new file mode 100644
index 0000000..5f47a78
--- /dev/null
+++ b/policy/modules/services/apm.te
@@ -0,0 +1,238 @@
+
+policy_module(apm,1.2.4)
+
+########################################
+#
+# Declarations
+#
+type apmd_t;
+type apmd_exec_t;
+init_daemon_domain(apmd_t,apmd_exec_t)
+
+type apm_t;
+domain_type(apm_t)
+role system_r types apm_t;
+
+type apm_exec_t;
+domain_entry_file(apm_t,apm_exec_t)
+
+type apmd_log_t;
+logging_log_file(apmd_log_t)
+
+type apmd_tmp_t;
+files_tmp_file(apmd_tmp_t)
+
+type apmd_var_run_t;
+files_pid_file(apmd_var_run_t)
+
+ifdef(`distro_redhat',`
+	type apmd_lock_t;
+	files_lock_file(apmd_lock_t)
+')
+
+ifdef(`distro_suse',`
+	type apmd_var_lib_t;
+	files_type(apmd_var_lib_t)
+')
+
+########################################
+#
+# apm client Local policy
+#
+
+allow apm_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(apm_t)
+
+dev_rw_apm_bios(apm_t)
+
+fs_getattr_xattr_fs(apm_t)
+
+term_use_all_terms(apm_t)
+
+domain_use_interactive_fds(apm_t)
+
+libs_use_ld_so(apm_t)
+libs_use_shared_libs(apm_t)
+
+logging_send_syslog_msg(apm_t)
+
+########################################
+#
+# apm daemon Local policy
+#
+
+# mknod: controlling an orderly resume of PCMCIA requires creating device
+# nodes 254,{0,1,2} for some reason.
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
+allow apmd_t self:process { signal_perms getsession };
+allow apmd_t self:fifo_file rw_file_perms;
+allow apmd_t self:unix_dgram_socket create_socket_perms;
+allow apmd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow apmd_t apmd_log_t:file create_file_perms;
+logging_log_filetrans(apmd_t,apmd_log_t,file)
+
+allow apmd_t apmd_tmp_t:dir create_dir_perms;
+allow apmd_t apmd_tmp_t:file create_file_perms;
+files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
+
+allow apmd_t apmd_var_run_t:dir rw_dir_perms;
+allow apmd_t apmd_var_run_t:file create_file_perms;
+allow apmd_t apmd_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(apmd_t)
+kernel_rw_all_sysctls(apmd_t)
+kernel_read_system_state(apmd_t)
+kernel_write_proc_files(apmd_t)
+
+dev_read_realtime_clock(apmd_t)
+dev_read_urand(apmd_t)
+dev_rw_apm_bios(apmd_t)
+dev_rw_sysfs(apmd_t)
+dev_dontaudit_getattr_all_chr_files(apmd_t) # Excessive?
+dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive?
+
+fs_dontaudit_list_tmpfs(apmd_t)
+fs_getattr_all_fs(apmd_t)
+fs_search_auto_mountpoints(apmd_t)
+fs_dontaudit_getattr_all_files(apmd_t); # Excessive?
+fs_dontaudit_getattr_all_symlinks(apmd_t); # Excessive?
+fs_dontaudit_getattr_all_pipes(apmd_t); # Excessive?
+fs_dontaudit_getattr_all_sockets(apmd_t); # Excessive?
+
+selinux_search_fs(apmd_t)
+
+term_dontaudit_use_console(apmd_t)
+
+corecmd_exec_all_executables(apmd_t)
+
+domain_read_all_domains_state(apmd_t)
+domain_use_interactive_fds(apmd_t)
+domain_dontaudit_getattr_all_sockets(apmd_t)
+domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
+domain_dontaudit_list_all_domains_state(apmd_t) # Excessive?
+
+files_exec_etc_files(apmd_t)
+files_read_etc_runtime_files(apmd_t)
+files_dontaudit_getattr_all_files(apmd_t) # Excessive?
+files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
+init_domtrans_script(apmd_t)
+init_use_fds(apmd_t)
+init_use_script_ptys(apmd_t)
+init_rw_utmp(apmd_t)
+init_write_initctl(apmd_t)
+
+libs_exec_ld_so(apmd_t)
+libs_use_ld_so(apmd_t)
+libs_exec_lib_files(apmd_t)
+libs_use_shared_libs(apmd_t)
+
+logging_send_syslog_msg(apmd_t)
+
+miscfiles_read_localization(apmd_t)
+miscfiles_read_hwdata(apmd_t)
+
+modutils_domtrans_insmod(apmd_t)
+modutils_read_module_config(apmd_t)
+
+seutil_dontaudit_read_config(apmd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(apmd_t)
+userdom_dontaudit_search_sysadm_home_dirs(apmd_t)
+userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
+
+ifdef(`distro_redhat',`
+	allow apmd_t apmd_lock_t:file create_file_perms;
+	files_lock_filetrans(apmd_t,apmd_lock_t,file)
+
+	can_exec(apmd_t, apmd_var_run_t)
+
+	# ifconfig_exec_t needs to be run in its own domain for Red Hat
+	optional_policy(`
+		sysnet_domtrans_ifconfig(apmd_t)
+	')
+
+	optional_policy(`
+		iptables_domtrans(apmd_t)
+	')
+
+	optional_policy(`
+		netutils_domtrans(apmd_t)
+	')
+
+',`
+	# for ifconfig which is run all the time
+	kernel_dontaudit_search_sysctl(apmd_t)
+')
+
+ifdef(`distro_suse',`
+	allow apmd_t apmd_var_lib_t:file create_file_perms;
+	allow apmd_t apmd_var_lib_t:dir create_dir_perms;
+	files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file)
+')
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(apmd_t)
+	term_dontaudit_use_generic_ptys(apmd_t)
+	files_dontaudit_read_root_files(apmd_t)
+	unconfined_domain(apmd_t)
+')
+
+optional_policy(`
+	automount_domtrans(apmd_t)
+')
+
+optional_policy(`
+	clock_domtrans(apmd_t)
+	clock_rw_adjtime(apmd_t)
+')
+
+optional_policy(`
+	cron_system_entry(apmd_t, apmd_exec_t)
+	cron_anacron_domtrans_system_job(apmd_t)
+')
+
+optional_policy(`
+	dbus_stub(apmd_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(apmd_t)
+	')
+')
+
+optional_policy(`
+	logrotate_use_fds(apmd_t)
+')
+
+optional_policy(`
+	mta_send_mail(apmd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(apmd_t)
+')
+
+optional_policy(`
+	pcmcia_domtrans_cardmgr(apmd_t)
+	pcmcia_domtrans_cardctl(apmd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(apmd_t)
+')
+
+optional_policy(`
+	udev_read_db(apmd_t)
+	udev_read_state(apmd_t) #necessary?
+')
+
+# cjp: related to sleep/resume (?)
+optional_policy(`
+	xserver_domtrans_xdm_xserver(apmd_t)
+')
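Review bot: Under distro_redhat, `can_exec(apmd_t, apmd_var_run_t)` lets apmd execute files it can itself create (`allow apmd_t apmd_var_run_t:file create_file_perms;` plus the pid filetrans earlier in the hunk), so the domain has a write-then-execute path on its own runtime directory; combined with `corecmd_exec_all_executables(apmd_t)`, `kernel_rw_all_sysctls(apmd_t)` and the targeted-policy `unconfined_domain(apmd_t)`, whatever it runs keeps the daemon's full capability set. Unlike the `mknod` rule, the can_exec carries no justification, so add one above it, e.g. `# can_exec on apmd_var_run_t: apmd executes a file it writes under /var/run -- TODO record which file and why it cannot get its own exec type`, and consider a dedicated exec type if it is a single known file. The four `fs_dontaudit_getattr_all_*(apmd_t);` calls also end in a stray `;` that no other interface call in the file has; drop it for consistency.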
diff --git a/policy/modules/services/arpwatch.fc b/policy/modules/services/arpwatch.fc
new file mode 100644
index 0000000..6318f23
--- /dev/null
+++ b/policy/modules/services/arpwatch.fc
@@ -0,0 +1,11 @@
+
+#
+# /usr
+#
+/usr/sbin/arpwatch	--	gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+#
+# /var
+#
+/var/arpwatch(/.*)?		gen_context(system_u:object_r:arpwatch_data_t,s0)
+/var/lib/arpwatch(/.*)?		gen_context(system_u:object_r:arpwatch_data_t,s0)
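Review bot: No file context is given for arpwatch's pid file, although arpwatch.te in this same change declares `arpwatch_var_run_t` and relies on `files_pid_filetrans(arpwatch_t,arpwatch_var_run_t,file)` to label it at creation time. A pid file that is relabelled later (restorecon, a policy reload) will fall back to the generic /var/run label, and the domain's only write rules under /var/run are on `arpwatch_var_run_t`, so a subsequent start may be unable to replace it. Add the daemon's pid-file path (pattern to be confirmed against the package) with `gen_context(system_u:object_r:arpwatch_var_run_t,s0)` under a `/var/run` section here.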
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
new file mode 100644
index 0000000..f354902
--- /dev/null
+++ b/policy/modules/services/arpwatch.if
@@ -0,0 +1,93 @@
+## <summary>Ethernet activity monitor.</summary>
+
+########################################
+## <summary>
+##	Search arpwatch's data file directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_search_data',`
+	gen_require(`
+		type arpwatch_data_t;
+	')
+
+	allow $1 arpwatch_data_t:dir search;
+')
+
+########################################
+## <summary>
+##	Create arpwatch data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_manage_data_files',`
+	gen_require(`
+		type arpwatch_data_t;
+	')
+
+	allow $1 arpwatch_data_t:dir rw_dir_perms;
+	allow $1 arpwatch_data_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write arpwatch temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_rw_tmp_files',`
+	gen_require(`
+		type arpwatch_tmp_t;
+	')
+
+	allow $1 arpwatch_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write arpwatch temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_manage_tmp_files',`
+	gen_require(`
+		type arpwatch_tmp_t;
+	')
+
+	allow $1 arpwatch_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	arpwatch packet sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_dontaudit_rw_packet_sockets',`
+	gen_require(`
+		type arpwatch_t;
+	')
+
+	dontaudit $1 arpwatch_t:packet_socket { read write };
+')
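Review bot: The summaries on the two manage interfaces understate what they grant: `arpwatch_manage_data_files` is documented as "Create arpwatch data files" but allows `rw_dir_perms` on the directory plus `create_file_perms` on files, and `arpwatch_manage_tmp_files` simply repeats the rw interface's "Read and write arpwatch temporary files" although it grants `manage_file_perms`. Policy authors choose interfaces by these summaries, so an understated one invites over-granting. Change them to `##	Create, read, write, and delete arpwatch data files.` and `##	Create, read, write, and delete arpwatch temporary files.` respectively.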
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
new file mode 100644
index 0000000..b4173a2
--- /dev/null
+++ b/policy/modules/services/arpwatch.te
@@ -0,0 +1,115 @@
+
+policy_module(arpwatch,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type arpwatch_t;
+type arpwatch_exec_t;
+init_daemon_domain(arpwatch_t,arpwatch_exec_t)
+
+type arpwatch_data_t;
+files_type(arpwatch_data_t)
+
+type arpwatch_tmp_t;
+files_tmp_file(arpwatch_tmp_t)
+
+type arpwatch_var_run_t;
+files_pid_file(arpwatch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
+dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:process signal_perms;
+allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
+allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
+allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+allow arpwatch_t self:udp_socket create_socket_perms;
+allow arpwatch_t self:packet_socket create_socket_perms;
+
+allow arpwatch_t arpwatch_data_t:dir create_dir_perms;
+allow arpwatch_t arpwatch_data_t:file create_file_perms;
+allow arpwatch_t arpwatch_data_t:lnk_file create_lnk_perms;
+
+allow arpwatch_t arpwatch_tmp_t:dir create_dir_perms;
+allow arpwatch_t arpwatch_tmp_t:file create_file_perms;
+files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
+
+allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
+allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(arpwatch_t,arpwatch_var_run_t,file)
+
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_list_proc(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
+
+corenet_non_ipsec_sendrecv(arpwatch_t)
+corenet_tcp_sendrecv_all_if(arpwatch_t)
+corenet_udp_sendrecv_all_if(arpwatch_t)
+corenet_raw_sendrecv_all_if(arpwatch_t)
+corenet_tcp_sendrecv_all_nodes(arpwatch_t)
+corenet_udp_sendrecv_all_nodes(arpwatch_t)
+corenet_raw_sendrecv_all_nodes(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+
+dev_read_sysfs(arpwatch_t)
+
+fs_getattr_all_fs(arpwatch_t)
+fs_search_auto_mountpoints(arpwatch_t)
+
+term_dontaudit_use_console(arpwatch_t)
+
+corecmd_read_sbin_symlinks(arpwatch_t)
+
+domain_use_interactive_fds(arpwatch_t)
+
+files_read_etc_files(arpwatch_t)
+files_read_usr_files(arpwatch_t)
+files_search_var_lib(arpwatch_t)
+
+init_use_fds(arpwatch_t)
+init_use_script_ptys(arpwatch_t)
+
+libs_use_ld_so(arpwatch_t)
+libs_use_shared_libs(arpwatch_t)
+
+logging_send_syslog_msg(arpwatch_t)
+
+miscfiles_read_localization(arpwatch_t)
+
+sysnet_read_config(arpwatch_t)
+
+userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
+userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
+
+mta_send_mail(arpwatch_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(arpwatch_t)
+	term_dontaudit_use_generic_ptys(arpwatch_t)
+	files_dontaudit_read_root_files(arpwatch_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(arpwatch_t)
+')
+
+optional_policy(`
+	corecmd_search_bin(arpwatch_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(arpwatch_t)
+')
+
+optional_policy(`
+	udev_read_db(arpwatch_t)
+')
+
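Review bot: `corecmd_search_bin(arpwatch_t)` is wrapped in `optional_policy()` near the end of the file, but the other new modules in this change (apm.te, asterisk.te, automount.te) call corecmd interfaces unconditionally, so the wrapper advertises a dependency that the rest of the policy does not treat as optional; move the call up beside `corecmd_read_sbin_symlinks(arpwatch_t)` and drop the block. The capability line `allow arpwatch_t self:capability { net_admin net_raw setgid setuid };` would also benefit from a why-comment, since `net_admin` is the broadest of the four; something like `# net_raw for the packet socket; net_admin presumably for promiscuous mode; setuid/setgid to drop privileges -- TODO confirm` would let a later reviewer trim it when it is no longer needed.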
diff --git a/policy/modules/services/asterisk.fc b/policy/modules/services/asterisk.fc
new file mode 100644
index 0000000..fabece5
--- /dev/null
+++ b/policy/modules/services/asterisk.fc
@@ -0,0 +1,8 @@
+/etc/asterisk(/.*)?		gen_context(system_u:object_r:asterisk_etc_t,s0)
+
+/usr/sbin/asterisk	--	gen_context(system_u:object_r:asterisk_exec_t,s0)
+
+/var/lib/asterisk(/.*)?		gen_context(system_u:object_r:asterisk_var_lib_t,s0)
+/var/log/asterisk(/.*)?		gen_context(system_u:object_r:asterisk_log_t,s0)
+/var/run/asterisk(/.*)?		gen_context(system_u:object_r:asterisk_var_run_t,s0)
+/var/spool/asterisk(/.*)?	gen_context(system_u:object_r:asterisk_spool_t,s0)
diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
new file mode 100644
index 0000000..3ff41f2
--- /dev/null
+++ b/policy/modules/services/asterisk.if
@@ -0,0 +1 @@
+## <summary>Asterisk IP telephony server</summary>
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
new file mode 100644
index 0000000..7c32504
--- /dev/null
+++ b/policy/modules/services/asterisk.te
@@ -0,0 +1,160 @@
+
+policy_module(asterisk,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type asterisk_t;
+type asterisk_exec_t;
+init_daemon_domain(asterisk_t,asterisk_exec_t)
+
+type asterisk_etc_t;
+files_config_file(asterisk_etc_t)
+
+type asterisk_log_t;
+logging_log_file(asterisk_log_t)
+
+type asterisk_spool_t;
+files_type(asterisk_spool_t)
+
+type asterisk_tmp_t;
+files_tmp_file(asterisk_tmp_t)
+
+type asterisk_tmpfs_t;
+files_tmpfs_file(asterisk_tmpfs_t)
+
+type asterisk_var_lib_t;
+files_type(asterisk_var_lib_t)
+
+type asterisk_var_run_t;
+files_pid_file(asterisk_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# dac_override for /var/run/asterisk
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
+dontaudit asterisk_t self:capability sys_tty_config;
+allow asterisk_t self:process { setsched signal_perms };
+allow asterisk_t self:fifo_file rw_file_perms;
+allow asterisk_t self:sem create_sem_perms;
+allow asterisk_t self:shm create_shm_perms;
+allow asterisk_t self:tcp_socket create_stream_socket_perms;
+allow asterisk_t self:udp_socket create_socket_perms;
+
+allow asterisk_t asterisk_etc_t:file r_file_perms;
+allow asterisk_t asterisk_etc_t:dir r_dir_perms;
+allow asterisk_t asterisk_etc_t:lnk_file { getattr read };
+files_search_etc(asterisk_t)
+
+allow asterisk_t asterisk_log_t:file manage_file_perms;
+allow asterisk_t asterisk_log_t:dir rw_dir_perms;
+logging_log_filetrans(asterisk_t,asterisk_log_t,{ file dir })
+
+allow asterisk_t asterisk_spool_t:dir manage_dir_perms;
+allow asterisk_t asterisk_spool_t:file manage_file_perms;
+allow asterisk_t asterisk_spool_t:lnk_file create_lnk_perms;
+
+allow asterisk_t asterisk_tmp_t:dir create_dir_perms;
+allow asterisk_t asterisk_tmp_t:file create_file_perms;
+files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir })
+
+allow asterisk_t asterisk_tmpfs_t:dir rw_dir_perms;
+allow asterisk_t asterisk_tmpfs_t:file manage_file_perms;
+allow asterisk_t asterisk_tmpfs_t:lnk_file create_lnk_perms;
+allow asterisk_t asterisk_tmpfs_t:sock_file manage_file_perms;
+allow asterisk_t asterisk_tmpfs_t:fifo_file manage_file_perms;
+fs_tmpfs_filetrans(asterisk_t,asterisk_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+allow asterisk_t asterisk_var_lib_t:file manage_file_perms;
+allow asterisk_t asterisk_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(asterisk_t,asterisk_var_lib_t,file)
+
+allow asterisk_t asterisk_var_run_t:sock_file manage_file_perms;
+allow asterisk_t asterisk_var_run_t:fifo_file manage_file_perms;
+allow asterisk_t asterisk_var_run_t:file manage_file_perms;
+allow asterisk_t asterisk_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(asterisk_t,asterisk_var_run_t,file)
+
+kernel_read_system_state(asterisk_t)
+kernel_read_kernel_sysctls(asterisk_t)
+
+corecmd_exec_bin(asterisk_t)
+corecmd_search_sbin(asterisk_t)
+
+corenet_non_ipsec_sendrecv(asterisk_t)
+corenet_tcp_sendrecv_generic_if(asterisk_t)
+corenet_udp_sendrecv_generic_if(asterisk_t)
+corenet_tcp_sendrecv_all_nodes(asterisk_t)
+corenet_udp_sendrecv_all_nodes(asterisk_t)
+corenet_tcp_sendrecv_all_ports(asterisk_t)
+corenet_udp_sendrecv_all_ports(asterisk_t)
+corenet_tcp_bind_all_nodes(asterisk_t)
+corenet_udp_bind_all_nodes(asterisk_t)
+corenet_tcp_bind_asterisk_port(asterisk_t)
+corenet_udp_bind_asterisk_port(asterisk_t)
+corenet_sendrecv_asterisk_server_packets(asterisk_t)
+# for VOIP voice channels.
+corenet_tcp_bind_generic_port(asterisk_t)
+corenet_udp_bind_generic_port(asterisk_t)
+corenet_sendrecv_generic_server_packets(asterisk_t)
+
+dev_read_sysfs(asterisk_t)
+dev_read_sound(asterisk_t)
+dev_write_sound(asterisk_t)
+
+domain_use_interactive_fds(asterisk_t)
+
+files_read_etc_files(asterisk_t)
+files_search_spool(asterisk_t)
+# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
+# are labeled usr_t
+files_read_usr_files(asterisk_t)
+
+fs_getattr_all_fs(asterisk_t)
+fs_search_auto_mountpoints(asterisk_t)
+
+term_dontaudit_use_console(asterisk_t)
+
+init_use_fds(asterisk_t)
+init_use_script_ptys(asterisk_t)
+
+libs_use_ld_so(asterisk_t)
+libs_use_shared_libs(asterisk_t)
+
+logging_send_syslog_msg(asterisk_t)
+
+miscfiles_read_localization(asterisk_t)
+
+sysnet_read_config(asterisk_t)
+
+userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+userdom_dontaudit_search_sysadm_home_dirs(asterisk_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(asterisk_t)
+	term_dontaudit_use_generic_ptys(asterisk_t)
+	files_dontaudit_read_root_files(asterisk_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(asterisk_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(asterisk_t)
+')
+
+optional_policy(`
+	udev_read_db(asterisk_t)
+')
+
+ifdef(`TODO',`
+allow initrc_t asterisk_var_run_t:fifo_file unlink;
+allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
+')
+
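Review bot: `dac_override` in `allow asterisk_t self:capability { dac_override setgid setuid sys_nice };` is justified only by `# dac_override for /var/run/asterisk`, i.e. it works around directory ownership, yet the capability bypasses DAC on every object the domain is otherwise allowed to touch (the manage rules on asterisk_log_t, asterisk_spool_t, asterisk_var_lib_t and asterisk_var_run_t). The cleaner fix is to have whatever creates /var/run/asterisk (presumably the init script or packaging) give it to the user asterisk drops to via setuid/setgid and then remove `dac_override`; if that is not feasible, expand the comment to say why, e.g. `# dac_override: /var/run/asterisk is created root-owned while asterisk runs unprivileged; fix ownership upstream, then drop this`. The trailing `ifdef(`TODO',` block is dead policy that never compiles in; either express it through proper interfaces (the initrc unlink and the sysadm connectto should not reference initrc_t/sysadm_t directly) or delete it.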
diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc
new file mode 100644
index 0000000..bcf3e1c
--- /dev/null
+++ b/policy/modules/services/audioentropy.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/audio-entropyd	--	gen_context(system_u:object_r:entropyd_exec_t,s0)
diff --git a/policy/modules/services/audioentropy.if b/policy/modules/services/audioentropy.if
new file mode 100644
index 0000000..67906f0
--- /dev/null
+++ b/policy/modules/services/audioentropy.if
@@ -0,0 +1 @@
+## <summary>Generate entropy from audio input</summary>
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
new file mode 100644
index 0000000..17e3572
--- /dev/null
+++ b/policy/modules/services/audioentropy.te
@@ -0,0 +1,72 @@
+
+policy_module(audio_entropy,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type entropyd_t;
+type entropyd_exec_t;
+init_daemon_domain(entropyd_t,entropyd_exec_t)
+
+type entropyd_var_run_t;
+files_pid_file(entropyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow entropyd_t self:capability { ipc_lock sys_admin };
+dontaudit entropyd_t self:capability sys_tty_config;
+allow entropyd_t self:process signal_perms;
+
+allow entropyd_t entropyd_var_run_t:file manage_file_perms;
+allow entropyd_t entropyd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(entropyd_t,entropyd_var_run_t,file)
+
+kernel_read_kernel_sysctls(entropyd_t)
+kernel_list_proc(entropyd_t)
+kernel_read_proc_symlinks(entropyd_t)
+
+dev_read_sysfs(entropyd_t)
+dev_read_urand(entropyd_t)
+dev_write_urand(entropyd_t)
+dev_read_sound(entropyd_t)
+
+fs_getattr_all_fs(entropyd_t)
+fs_search_auto_mountpoints(entropyd_t)
+
+term_dontaudit_use_console(entropyd_t)
+
+domain_use_interactive_fds(entropyd_t)
+
+init_use_fds(entropyd_t)
+init_use_script_ptys(entropyd_t)
+
+libs_use_ld_so(entropyd_t)
+libs_use_shared_libs(entropyd_t)
+
+logging_send_syslog_msg(entropyd_t)
+
+miscfiles_read_localization(entropyd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
+userdom_dontaudit_search_sysadm_home_dirs(entropyd_t)
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_files(entropyd_t)
+
+	term_dontaudit_use_unallocated_ttys(entropyd_t)
+	term_dontaudit_use_generic_ptys(entropyd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(entropyd_t)
+')
+
+optional_policy(`
+	udev_read_db(entropyd_t)
+')
+
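Review bot: `allow entropyd_t self:capability { ipc_lock sys_admin };` grants sys_admin, the broadest capability in the policy, with no comment naming the operation that needs it; the only privileged device access visible in the hunk is `dev_write_urand(entropyd_t)` alongside `dev_read_sound(entropyd_t)`. If the need is the ioctl that credits entropy to the kernel pool (an inference from the module's purpose -- please confirm), record it on the line, e.g. `# sys_admin: presumably for the entropy-crediting ioctl on the random device; ipc_lock for locking buffers -- TODO confirm`, so the grant can be reviewed and dropped if the daemon stops needing it.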
diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc
new file mode 100644
index 0000000..746c120
--- /dev/null
+++ b/policy/modules/services/automount.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/apm/event\.d/autofs --	gen_context(system_u:object_r:automount_exec_t,s0)
+/etc/auto\..+		--	gen_context(system_u:object_r:automount_etc_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/automount	--	gen_context(system_u:object_r:automount_exec_t,s0)
+
+#
+# /var
+#
+
+/var/run/autofs(/.*)?		gen_context(system_u:object_r:automount_var_run_t,s0)
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
new file mode 100644
index 0000000..5f97e34
--- /dev/null
+++ b/policy/modules/services/automount.if
@@ -0,0 +1,83 @@
+## <summary>Filesystem automounter service.</summary>
+
+########################################
+## <summary>
+##	Execute automount in the automount domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`automount_domtrans',`
+	gen_require(`
+		type automount_t, automount_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, automount_exec_t, automount_t)
+
+	allow $1 automount_t:fd use;
+	allow automount_t $1:fd use;
+	allow automount_t $1:fifo_file rw_file_perms;
+	allow automount_t $1:process sigchld;
+
+')
+
+########################################
+## <summary>
+##	Execute automount in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`automount_exec_config',`
+	gen_require(`
+		type automount_etc_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,automount_etc_t)
+')
+
+########################################
+## <summary>
+##	Allow the domain to read state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow access.
+##	</summary>
+## </param>
+#
+interface(`automount_read_state',`
+	gen_require(`
+		type automount_t;
+	')
+
+	allow $1 automount_t:dir search_dir_perms;
+	allow $1 automount_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of automount temporary directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`automount_dontaudit_getattr_tmp_dirs',`
+	gen_require(`
+		type automount_tmp_t;
+	')
+
+	dontaudit $1 automount_tmp_t:dir getattr;
+')
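Review bot: The summary on `automount_exec_config` reads "Execute automount in the caller domain.", but its body grants `can_exec($1,automount_etc_t)`, i.e. execution of automount's configuration files (which automount.te notes can be shell scripts), not of the automount binary, so a caller choosing it by its summary is misled. Its `corecmd_search_sbin($1)` also points at the wrong tree for /etc files; `files_search_etc($1)`, as used in asterisk.te, is what a caller needs to reach them. Change the summary to `##	Execute automount configuration files in the caller domain.` and replace the search call with `files_search_etc($1)`.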
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
new file mode 100644
index 0000000..67020c0
--- /dev/null
+++ b/policy/modules/services/automount.te
@@ -0,0 +1,185 @@
+
+policy_module(automount,1.2.7)
+
+########################################
+#
+# Declarations
+#
+
+type automount_t;
+type automount_exec_t;
+init_daemon_domain(automount_t,automount_exec_t)
+
+type automount_var_run_t;
+files_pid_file(automount_var_run_t)
+
+type automount_etc_t;
+files_config_file(automount_etc_t)
+
+type automount_lock_t;
+files_lock_file(automount_lock_t)
+
+type automount_tmp_t;
+files_tmp_file(automount_tmp_t)
+files_mountpoint(automount_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };
+dontaudit automount_t self:capability sys_tty_config;
+allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+allow automount_t self:fifo_file rw_file_perms;
+allow automount_t self:unix_stream_socket create_socket_perms;
+allow automount_t self:unix_dgram_socket create_socket_perms;
+allow automount_t self:tcp_socket create_stream_socket_perms;
+allow automount_t self:udp_socket create_socket_perms;
+
+allow automount_t automount_etc_t:file { getattr read };
+# because config files can be shell scripts
+can_exec(automount_t, automount_etc_t)
+
+allow automount_t automount_lock_t:file create_file_perms;
+files_lock_filetrans(automount_t,automount_lock_t,file)
+
+allow automount_t automount_tmp_t:dir create_dir_perms;
+allow automount_t automount_tmp_t:file create_file_perms;
+files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
+
+# Allow automount to create and delete directories in / and /home
+allow automount_t automount_tmp_t:dir create_dir_perms;
+files_home_filetrans(automount_t,automount_tmp_t,dir)
+files_root_filetrans(automount_t,automount_tmp_t,dir)
+
+allow automount_t automount_var_run_t:file create_file_perms;
+allow automount_t automount_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(automount_t,automount_var_run_t,file)
+
+kernel_read_kernel_sysctls(automount_t)
+kernel_read_irq_sysctls(automount_t)
+kernel_read_fs_sysctls(automount_t)
+kernel_read_proc_symlinks(automount_t)
+kernel_read_system_state(automount_t)
+kernel_read_network_state(automount_t)
+kernel_list_proc(automount_t)
+kernel_dontaudit_search_xen_state(automount_t)
+
+files_search_boot(automount_t)
+# Automount is slowly adding all mount functionality internally
+files_search_all(automount_t)
+files_mounton_all_mountpoints(automount_t)
+files_mount_all_file_type_fs(automount_t)
+files_unmount_all_file_type_fs(automount_t)
+
+fs_mount_all_fs(automount_t)
+fs_unmount_all_fs(automount_t)
+
+corecmd_exec_sbin(automount_t)
+corecmd_exec_bin(automount_t)
+corecmd_exec_shell(automount_t)
+
+corenet_non_ipsec_sendrecv(automount_t)
+corenet_tcp_sendrecv_generic_if(automount_t)
+corenet_udp_sendrecv_generic_if(automount_t)
+corenet_tcp_sendrecv_all_nodes(automount_t)
+corenet_udp_sendrecv_all_nodes(automount_t)
+corenet_tcp_sendrecv_all_ports(automount_t)
+corenet_udp_sendrecv_all_ports(automount_t)
+corenet_tcp_bind_all_nodes(automount_t)
+corenet_udp_bind_all_nodes(automount_t)
+corenet_tcp_connect_portmap_port(automount_t)
+corenet_tcp_connect_all_ports(automount_t)
+corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
+corenet_sendrecv_all_client_packets(automount_t)
+# Automount execs showmount when you browse /net.  This is required until
+# Someone writes a showmount policy
+corenet_tcp_bind_reserved_port(automount_t)
+corenet_tcp_bind_all_rpc_ports(automount_t)
+
+dev_read_sysfs(automount_t)
+# for SSP
+dev_read_urand(automount_t)
+
+domain_use_interactive_fds(automount_t)
+domain_dontaudit_read_all_domains_state(automount_t)
+
+files_dontaudit_write_var_dirs(automount_t)
+files_getattr_all_dirs(automount_t)
+files_list_mnt(automount_t)
+files_getattr_home_dir(automount_t)
+files_read_etc_files(automount_t)
+files_read_etc_runtime_files(automount_t)
+# for if the mount point is not labelled
+files_getattr_isid_type_dirs(automount_t)
+files_getattr_default_dirs(automount_t)
+# because config files can be shell scripts
+files_exec_etc_files(automount_t)
+files_mounton_mnt(automount_t)
+
+fs_getattr_all_fs(automount_t)
+fs_getattr_all_dirs(automount_t)
+fs_search_auto_mountpoints(automount_t)
+fs_manage_auto_mountpoints(automount_t)
+fs_unmount_autofs(automount_t)
+fs_mount_autofs(automount_t)
+
+term_dontaudit_use_console(automount_t)
+term_dontaudit_getattr_pty_dirs(automount_t)
+
+init_use_fds(automount_t)
+init_use_script_ptys(automount_t)
+
+libs_use_ld_so(automount_t)
+libs_use_shared_libs(automount_t)
+
+logging_send_syslog_msg(automount_t)
+logging_search_logs(automount_t)
+
+miscfiles_read_localization(automount_t)
+miscfiles_read_certs(automount_t)
+
+# Run mount in the mount_t domain.
+mount_domtrans(automount_t)
+
+sysnet_dns_name_resolve(automount_t)
+sysnet_use_ldap(automount_t)
+sysnet_read_config(automount_t)
+
+userdom_dontaudit_use_unpriv_user_fds(automount_t)
+userdom_dontaudit_search_sysadm_home_dirs(automount_t)
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_files(automount_t)
+	term_dontaudit_use_unallocated_ttys(automount_t)
+	term_dontaudit_use_generic_ptys(automount_t)
+')
+
+optional_policy(`
+	corecmd_exec_bin(automount_t)
+')
+
+optional_policy(`
+	bind_search_cache(automount_t)
+')
+
+optional_policy(`
+	fstools_domtrans(automount_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(automount_t)
+')
+
+optional_policy(`
+	rpc_search_nfs_state_data(automount_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(automount_t)
+')
+
+optional_policy(`
+	udev_read_db(automount_t)
+')
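Review bot: `allow automount_t automount_tmp_t:dir create_dir_perms;` appears twice, once in the tmp block and again under the "/ and /home" comment, and `corecmd_exec_bin(automount_t)` is granted unconditionally and then again inside an `optional_policy()` block near the end; duplicates are harmless to the compiler but make the rule set harder to audit, so drop the second copy of each. While here, `can_exec(automount_t, automount_etc_t)` together with `files_exec_etc_files(automount_t)` means anything that can write a map file runs code with this domain's `fs_mount_all_fs`/`files_mounton_all_mountpoints` rights; the existing "# because config files can be shell scripts" states the mechanism but not the trust boundary it creates, so add `# NOTE: map files execute in this domain, so write access to automount_etc_t is equivalent to mount privilege` beside it.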
diff --git a/policy/modules/services/avahi.fc b/policy/modules/services/avahi.fc
new file mode 100644
index 0000000..49dcc5f
--- /dev/null
+++ b/policy/modules/services/avahi.fc
@@ -0,0 +1,5 @@
+
+/usr/sbin/avahi-daemon		--	gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-dnsconfd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
+
+/var/run/avahi-daemon(/.*)? 		gen_context(system_u:object_r:avahi_var_run_t,s0)
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
new file mode 100644
index 0000000..c82289b
--- /dev/null
+++ b/policy/modules/services/avahi.if
@@ -0,0 +1,22 @@
+## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	avahi over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_dbus_chat',`
+	gen_require(`
+		type avahi_t;
+		class dbus send_msg;
+	')
+
+	allow $1 avahi_t:dbus send_msg;
+	allow avahi_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
new file mode 100644
index 0000000..86a2b04
--- /dev/null
+++ b/policy/modules/services/avahi.te
@@ -0,0 +1,108 @@
+
+policy_module(avahi,1.2.3)
+
+########################################
+#
+# Declarations
+#
+
+type avahi_t;
+type avahi_exec_t;
+init_daemon_domain(avahi_t,avahi_exec_t)
+
+type avahi_var_run_t;
+files_pid_file(avahi_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow avahi_t self:capability { dac_override setgid chown kill setuid sys_chroot };
+dontaudit avahi_t self:capability sys_tty_config;
+allow avahi_t self:process { setrlimit signal_perms setcap };
+allow avahi_t self:fifo_file { read write };
+allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow avahi_t self:unix_dgram_socket create_socket_perms;
+allow avahi_t self:netlink_route_socket r_netlink_socket_perms;
+allow avahi_t self:tcp_socket create_stream_socket_perms;
+allow avahi_t self:udp_socket create_socket_perms;
+
+allow avahi_t avahi_var_run_t:sock_file create_file_perms;
+allow avahi_t avahi_var_run_t:file create_file_perms;
+allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr };
+files_pid_filetrans(avahi_t,avahi_var_run_t,file)
+
+kernel_read_kernel_sysctls(avahi_t)
+kernel_list_proc(avahi_t)
+kernel_read_proc_symlinks(avahi_t)
+kernel_read_network_state(avahi_t)
+
+corenet_non_ipsec_sendrecv(avahi_t)
+corenet_tcp_sendrecv_all_if(avahi_t)
+corenet_udp_sendrecv_all_if(avahi_t)
+corenet_tcp_sendrecv_all_nodes(avahi_t)
+corenet_udp_sendrecv_all_nodes(avahi_t)
+corenet_tcp_sendrecv_all_ports(avahi_t)
+corenet_udp_sendrecv_all_ports(avahi_t)
+corenet_tcp_bind_all_nodes(avahi_t)
+corenet_udp_bind_all_nodes(avahi_t)
+corenet_tcp_bind_howl_port(avahi_t)
+corenet_udp_bind_howl_port(avahi_t)
+corenet_send_howl_client_packets(avahi_t)
+corenet_receive_howl_server_packets(avahi_t)
+
+dev_read_sysfs(avahi_t)
+dev_read_urand(avahi_t)
+
+fs_getattr_all_fs(avahi_t)
+fs_search_auto_mountpoints(avahi_t)
+
+term_dontaudit_use_console(avahi_t)
+
+domain_use_interactive_fds(avahi_t)
+
+files_read_etc_files(avahi_t)
+files_read_etc_runtime_files(avahi_t)
+
+init_use_fds(avahi_t)
+init_use_script_ptys(avahi_t)
+init_signal_script(avahi_t)
+init_signull_script(avahi_t)
+
+libs_use_ld_so(avahi_t)
+libs_use_shared_libs(avahi_t)
+
+logging_send_syslog_msg(avahi_t)
+
+miscfiles_read_localization(avahi_t)
+
+sysnet_read_config(avahi_t)
+
+userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(avahi_t)
+	term_dontaudit_use_generic_ptys(avahi_t)
+	files_dontaudit_read_root_files(avahi_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client_template(avahi,avahi_t)
+	dbus_connect_system_bus(avahi_t)
+	dbus_send_system_bus(avahi_t)
+	init_dbus_chat_script(avahi_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(avahi_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(avahi_t)
+')
+
+optional_policy(`
+	udev_read_db(avahi_t)
+')
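Review bot: `files_pid_filetrans(avahi_t,avahi_var_run_t,file)` only transitions plain files, while the domain is also granted `sock_file create_file_perms` on `avahi_var_run_t`; a socket created directly under /var/run would receive the generic pid-file type and that sock_file rule would never match. This only matters if the daemon creates its socket outside the `/var/run/avahi-daemon` directory labelled in avahi.fc (inside it the socket inherits the directory's type), which I cannot tell from the hunk. apm.te in the same change uses `files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })`; matching that with `files_pid_filetrans(avahi_t,avahi_var_run_t,{ file sock_file })` is cheap and removes the ambiguity. The capability line would also read better with a comment tying `sys_chroot`, `setuid`/`setgid` and `setcap` to a chroot-and-drop-privileges sequence, if that is indeed what they serve.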
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
new file mode 100644
index 0000000..3a1ba68
--- /dev/null
+++ b/policy/modules/services/bind.fc
@@ -0,0 +1,46 @@
+/etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
+
+/usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
+
+/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
+
+/var/run/ndc		-s	gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/bind(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/named(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
+
+ifdef(`distro_debian',`
+/etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/var/cache/bind(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/var/bind(/.*)?			gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/named\.ca	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc(/.*)? 	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+')
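Review bot: The DNSSEC key file contexts are written inconsistently — `/etc/rndc\.key` on L50285 escapes the dot while `/var/named/chroot/etc/rndc.key` on L50322 does not, and the catch-all `/etc/rndc.*` on L50284 is unescaped too, so it also matches names like `/etc/rndcfoo` rather than just `rndc.conf`/`rndc.key`. As I read the file_contexts matching rules, the key only ends up labeled dnssec_t because the more specific entry is listed after the catch-all; `/etc/rndc\..*` and `/var/named/chroot/etc/rndc\.key` would make the patterns say what they mean instead of relying on ordering. The same unescaped dot appears in `/var/log/named.*` (L50292) and `/var/named/chroot/var/run/named.*` (L50323).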
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
new file mode 100644
index 0000000..6797a13
--- /dev/null
+++ b/policy/modules/services/bind.if
@@ -0,0 +1,273 @@
+## <summary>Berkeley internet name domain DNS server.</summary>
+
+########################################
+## <summary>
+##	Execute ndc in the ndc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_domtrans_ndc',`
+	gen_require(`
+		type ndc_t, ndc_exec_t;
+	')
+
+	domain_auto_trans($1,ndc_exec_t,ndc_t)
+
+	allow $1 ndc_t:fd use;
+	allow ndc_t $1:fd use;
+	allow ndc_t $1:fifo_file rw_file_perms;
+	allow ndc_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send generic signals to BIND.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_signal',`
+	gen_require(`
+		type named_t;
+	')
+
+	allow $1 named_t:process signal;
+')
+
+########################################
+## <summary>
+##	Execute ndc in the ndc domain, and
+##	allow the specified role the ndc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the bind domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the bind domain to use.
+##	</summary>
+## </param>
+#
+interface(`bind_run_ndc',`
+	gen_require(`
+		type ndc_t;
+	')
+
+	bind_domtrans_ndc($1)
+	role $2 types ndc_t;
+	allow ndc_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute bind in the named domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_domtrans',`
+	gen_require(`
+		type named_t, named_exec_t;
+	')
+
+	domain_auto_trans($1,named_exec_t,named_t)
+
+	allow $1 named_t:fd use;
+	allow named_t $1:fd use;
+	allow named_t $1:fifo_file rw_file_perms;
+	allow named_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read DNSSEC keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_dnssec_keys',`
+	gen_require(`
+		type named_conf_t, named_zone_t, dnssec_t;
+	')
+
+	allow $1 { named_conf_t named_zone_t }:dir search;
+	allow $1 dnssec_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read BIND named configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_config',`
+	gen_require(`
+		type named_conf_t;
+	')
+
+	allow $1 named_conf_t:dir search;
+	allow $1 named_conf_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Write BIND named configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_write_config',`
+	gen_require(`
+		type named_conf_t;
+	')
+
+	allow $1 named_conf_t:dir search;
+	allow $1 named_conf_t:file { write setattr };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	BIND configuration directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_manage_config_dirs',`
+	gen_require(`
+		type named_conf_t;
+	')
+
+	allow $1 named_conf_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Search the BIND cache directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_search_cache',`
+	gen_require(`
+		type named_conf_t, named_cache_t, named_zone_t;
+	')
+
+	files_search_var($1)
+	allow $1 named_conf_t:dir search_dir_perms;
+	allow $1 named_zone_t:dir search_dir_perms;
+	allow $1 named_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	BIND cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_manage_cache',`
+	gen_require(`
+		type named_cache_t, named_zone_t;
+	')
+
+	files_search_var($1)
+	allow $1 named_zone_t:dir search_dir_perms;
+	allow $1 named_cache_t:dir rw_dir_perms;
+	allow $1 named_cache_t:file create_file_perms;
+	allow $1 named_cache_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes
+##	of the BIND pid directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_setattr_pid_dirs',`
+	gen_require(`
+		type named_var_run_t;
+	')
+
+	allow $1 named_var_run_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Read BIND zone files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_zone',`
+	gen_require(`
+		type named_zone_t;
+	')
+
+	files_search_var($1)
+	allow $1 named_zone_t:dir search_dir_perms;
+	allow $1 named_zone_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Send and receive datagrams to and from named.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_udp_chat_named',`
+	gen_require(`
+		type named_t;
+	')
+	allow $1 named_t:udp_socket sendto;
+	allow named_t $1:udp_socket recvfrom;
+')
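Review bot: The summary of `bind_setattr_pid_dirs` (L50555) says "Do not audit attempts to set the attributes of the BIND pid directory", but the body on L50569 is an `allow` rule, so the documentation promises a dontaudit while the interface grants the access; either the summary should read `## Set the attributes of the BIND pid directory.` or the rule should become `dontaudit $1 named_var_run_t:dir setattr;`, depending on what callers need. The parameter text of `bind_run_ndc` (L50391, L50396) also refers to "the bind domain" where the role and terminal are actually granted for ndc_t, so `The role to be allowed the ndc domain.` would be accurate. `bind_udp_chat_named` (L50602) is the only interface here without a blank line after its gen_require block.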
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
new file mode 100644
index 0000000..e284ddf
--- /dev/null
+++ b/policy/modules/services/bind.te
@@ -0,0 +1,291 @@
+
+policy_module(bind,1.1.6)
+
+########################################
+#
+# Declarations
+#
+
+# for DNSSEC key files
+type dnssec_t;
+files_security_file(dnssec_t)
+
+type named_t;
+type named_exec_t;
+init_daemon_domain(named_t,named_exec_t)
+role system_r types named_t;
+
+type named_checkconf_exec_t;
+init_system_domain(named_t,named_checkconf_exec_t)
+
+# A type for configuration files of named.
+type named_conf_t;
+files_type(named_conf_t)
+files_mountpoint(named_conf_t)
+
+# for secondary zone files
+type named_cache_t;
+files_type(named_cache_t)
+
+type named_log_t;
+logging_log_file(named_log_t)
+
+type named_tmp_t;
+files_tmp_file(named_tmp_t)
+
+type named_var_run_t;
+files_pid_file(named_var_run_t)
+
+# for primary zone files
+type named_zone_t;
+files_type(named_zone_t)
+
+type ndc_t;
+type ndc_exec_t;
+init_system_domain(ndc_t,ndc_exec_t)
+role system_r types ndc_t;
+
+########################################
+#
+# Named local policy
+#
+
+allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+dontaudit named_t self:capability sys_tty_config;
+allow named_t self:process { setsched setcap setrlimit signal_perms };
+allow named_t self:fifo_file rw_file_perms;
+allow named_t self:unix_stream_socket create_stream_socket_perms;
+allow named_t self:unix_dgram_socket create_socket_perms;
+allow named_t self:tcp_socket create_stream_socket_perms;
+allow named_t self:udp_socket create_socket_perms;
+allow named_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow named_t dnssec_t:file { getattr read };
+
+# read configuration
+allow named_t named_conf_t:dir r_dir_perms;
+allow named_t named_conf_t:file r_file_perms;
+allow named_t named_conf_t:lnk_file r_file_perms;
+
+# write cache for secondary zones
+allow named_t named_cache_t:dir rw_dir_perms;
+allow named_t named_cache_t:file create_file_perms;
+allow named_t named_cache_t:lnk_file create_lnk_perms;
+
+can_exec(named_t, named_exec_t)
+
+allow named_t named_log_t:file create_file_perms;
+allow named_t named_log_t:dir rw_dir_perms;
+logging_log_filetrans(named_t,named_log_t,{ file dir })
+
+allow named_t named_tmp_t:dir create_dir_perms;
+allow named_t named_tmp_t:file create_file_perms;
+files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+
+allow named_t named_var_run_t:dir rw_dir_perms;
+allow named_t named_var_run_t:file create_file_perms;
+allow named_t named_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(named_t,named_var_run_t,{ file sock_file })
+
+# read zone files
+allow named_t named_zone_t:dir r_dir_perms;
+allow named_t named_zone_t:file r_file_perms;
+allow named_t named_zone_t:lnk_file r_file_perms;
+
+allow named_t ndc_t:tcp_socket { acceptfrom recvfrom };
+
+kernel_read_kernel_sysctls(named_t)
+kernel_read_system_state(named_t)
+kernel_read_network_state(named_t)
+kernel_tcp_recvfrom(named_t)
+
+corenet_non_ipsec_sendrecv(named_t)
+corenet_tcp_sendrecv_all_if(named_t)
+corenet_udp_sendrecv_all_if(named_t)
+corenet_tcp_sendrecv_all_nodes(named_t)
+corenet_udp_sendrecv_all_nodes(named_t)
+corenet_tcp_sendrecv_all_ports(named_t)
+corenet_udp_sendrecv_all_ports(named_t)
+corenet_tcp_bind_all_nodes(named_t)
+corenet_udp_bind_all_nodes(named_t)
+corenet_tcp_bind_dns_port(named_t)
+corenet_udp_bind_dns_port(named_t)
+corenet_tcp_bind_rndc_port(named_t)
+corenet_tcp_connect_all_ports(named_t)
+corenet_sendrecv_dns_server_packets(named_t)
+corenet_sendrecv_dns_client_packets(named_t)
+corenet_sendrecv_rndc_server_packets(named_t)
+corenet_sendrecv_rndc_client_packets(named_t)
+
+dev_read_sysfs(named_t)
+dev_read_rand(named_t)
+
+fs_getattr_all_fs(named_t)
+fs_search_auto_mountpoints(named_t)
+
+term_dontaudit_use_console(named_t)
+
+corecmd_search_sbin(named_t)
+
+dev_read_urand(named_t)
+
+domain_use_interactive_fds(named_t)
+
+files_read_etc_files(named_t)
+files_read_etc_runtime_files(named_t)
+
+init_use_fds(named_t)
+init_use_script_ptys(named_t)
+
+libs_use_ld_so(named_t)
+libs_use_shared_libs(named_t)
+
+logging_send_syslog_msg(named_t)
+
+miscfiles_read_localization(named_t)
+miscfiles_read_certs(named_t)
+
+sysnet_read_config(named_t)
+
+userdom_dontaudit_use_unpriv_user_fds(named_t)
+userdom_dontaudit_search_sysadm_home_dirs(named_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(named_t)
+	term_dontaudit_use_generic_ptys(named_t)
+	files_dontaudit_read_root_files(named_t)
+')
+
+tunable_policy(`named_write_master_zones',`
+	allow named_t named_zone_t:dir create_dir_perms;
+	allow named_t named_zone_t:file create_file_perms;
+	allow named_t named_zone_t:lnk_file create_lnk_perms;
+')
+
+optional_policy(`
+	gen_require(`
+		class dbus send_msg;
+	')
+
+	allow named_t self:dbus send_msg;
+
+	init_dbus_chat_script(named_t)
+
+	sysnet_dbus_chat_dhcpc(named_t)
+
+	dbus_system_bus_client_template(named,named_t)
+	dbus_connect_system_bus(named_t)
+	dbus_send_system_bus(named_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(named_t)
+	')
+')
+
+optional_policy(`
+	# this seems like fds that arent being
+	# closed.  these should probably be
+	# dontaudits instead.
+	networkmanager_rw_udp_sockets(named_t)
+	networkmanager_rw_packet_sockets(named_t)
+	networkmanager_rw_routing_sockets(named_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(named_t)
+')
+
+optional_policy(`
+	nscd_socket_use(named_t)
+')
+
+optional_policy(`
+	nsd_tcp_connect(named_t)
+	nsd_udp_chat(named_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(named_t)
+')
+
+optional_policy(`
+	udev_read_db(named_t)
+')
+
+########################################
+#
+# NDC local policy
+#
+
+# cjp: why net_admin?!
+allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:process { fork signal_perms };
+allow ndc_t self:fifo_file { read write getattr ioctl };
+allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
+allow ndc_t self:tcp_socket create_socket_perms;
+allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow ndc_t dnssec_t:file { getattr read };
+
+allow ndc_t named_t:tcp_socket { connectto recvfrom };
+allow ndc_t named_t:unix_stream_socket connectto;
+
+allow ndc_t named_conf_t:file { getattr read };
+
+allow ndc_t named_var_run_t:sock_file rw_file_perms;
+
+allow ndc_t named_zone_t:dir search;
+
+kernel_read_kernel_sysctls(ndc_t)
+kernel_tcp_recvfrom(ndc_t)
+
+corenet_non_ipsec_sendrecv(ndc_t)
+corenet_tcp_sendrecv_all_if(ndc_t)
+corenet_tcp_sendrecv_all_nodes(ndc_t)
+corenet_tcp_sendrecv_all_ports(ndc_t)
+corenet_tcp_connect_rndc_port(ndc_t)
+corenet_sendrecv_rndc_client_packets(ndc_t)
+
+fs_getattr_xattr_fs(ndc_t)
+
+domain_use_interactive_fds(ndc_t)
+
+files_read_etc_files(ndc_t)
+files_search_pids(ndc_t)
+
+init_use_fds(ndc_t)
+init_use_script_ptys(ndc_t)
+
+libs_use_ld_so(ndc_t)
+libs_use_shared_libs(ndc_t)
+
+logging_send_syslog_msg(ndc_t)
+
+miscfiles_read_localization(ndc_t)
+
+sysnet_read_config(ndc_t)
+sysnet_dns_name_resolve(ndc_t)
+
+# for /etc/rndc.key
+ifdef(`distro_redhat',`
+	allow ndc_t named_conf_t:dir search;
+')
+
+ifdef(`targeted_policy',`
+	kernel_dontaudit_read_unlabeled_files(ndc_t)
+
+	term_use_unallocated_ttys(ndc_t)
+	term_use_generic_ptys(ndc_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(ndc_t)
+')
+
+optional_policy(`
+	nscd_socket_use(ndc_t)
+')
+
+optional_policy(`
+	ppp_dontaudit_use_fds(ndc_t)
+')
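Review bot: `corenet_tcp_connect_all_ports(named_t)` on L50728 lets the name server open TCP connections to every labeled port, which is broader than the rest of this block, where bind/listen is limited to the dns and rndc ports; outbound TCP for zone transfers and truncated-response fallback goes to port 53, so the generated per-port interface (`corenet_tcp_connect_dns_port`, the same pattern as `corenet_tcp_connect_rndc_port` on L50860) would express the intended access unless something in the deployment relies on the wider rule. The `named_write_master_zones` tunable used on L50773 is not declared anywhere in this module; if it lives in a global tunables file that is fine, otherwise a `gen_tunable` with its description belongs in the Declarations section. `dev_read_urand(named_t)` on L50744 sits apart from `dev_read_rand(named_t)` on L50735 and would read better grouped with it.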
diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
new file mode 100644
index 0000000..ad82661
--- /dev/null
+++ b/policy/modules/services/bluetooth.fc
@@ -0,0 +1,23 @@
+#
+# /etc
+#
+/etc/bluetooth(/.*)?		gen_context(system_u:object_r:bluetooth_conf_t,s0)
+/etc/bluetooth/link_key		gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
+
+#
+# /usr
+#
+/usr/bin/blue.*pin	--	gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+/usr/bin/hidd		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/rfcomm		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+/usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hcid		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hid2hci	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/sdpd		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bluetooth(/.*)?	gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
+/var/run/sdp		-s	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
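Review bot: `/etc/bluetooth/link_key` on L50916 is the only regular-file entry in this file without the `--` object-class field, so the spec also applies to a directory or symlink of that name, unlike the `--` entries in the `/usr` section; `/etc/bluetooth/link_key		--	gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)` keeps it consistent. Since this is the stored link-key file, being precise about what receives the writable bluetooth_conf_rw_t label is worthwhile.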
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
new file mode 100644
index 0000000..0b67fac
--- /dev/null
+++ b/policy/modules/services/bluetooth.if
@@ -0,0 +1,113 @@
+## <summary>Bluetooth tools and system services.</summary>
+
+########################################
+## <summary>
+##	Read bluetooth daemon configuration.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_read_config',`
+	gen_require(`
+		type bluetooth_conf_t;
+	')
+
+	allow $1 bluetooth_conf_t:file { getattr read ioctl };
+')
+
+########################################
+## <summary>
+##	Execute bluetooth_helper in the bluetooth_helper domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_domtrans_helper',`
+	gen_require(`
+		type bluetooth_helper_t, bluetooth_helper_exec_t;
+	')
+
+	domain_auto_trans($1,bluetooth_helper_exec_t,bluetooth_helper_t)
+
+	allow $1 bluetooth_helper_t:fd use;
+	allow bluetooth_helper_t $1:fd use;
+	allow bluetooth_helper_t $1:fifo_file rw_file_perms;
+	allow bluetooth_helper_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	bluetooth over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_dbus_chat',`
+	gen_require(`
+		type bluetooth_t;
+		class dbus send_msg;
+	')
+
+	allow $1 bluetooth_t:dbus send_msg;
+	allow bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Execute bluetooth_helper in the bluetooth_helper domain, and
+##	allow the specified role the bluetooth_helper domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the bluetooth_helper domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the bluetooth_helper domain to use.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_run_helper',`
+	gen_require(`
+		type bluetooth_helper_t;
+	')
+
+	bluetooth_domtrans_helper($1)
+	role $2 types bluetooth_helper_t;
+	allow bluetooth_helper_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Read bluetooth helper files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_dontaudit_read_helper_files',`
+	gen_require(`
+		type bluetooth_helper_t;
+	')
+
+	dontaudit $1 bluetooth_helper_t:dir search;
+	dontaudit $1 bluetooth_helper_t:file { read getattr };
+')
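Review bot: `bluetooth_read_config` (L50958) grants file read on bluetooth_conf_t but no `dir search` on it, while bluetooth.fc labels the whole `/etc/bluetooth(/.*)?` tree bluetooth_conf_t, so a caller that is not otherwise allowed to search that directory cannot reach the files; `bind_read_config` on L50467 is the pattern to follow: `allow $1 bluetooth_conf_t:dir search;`. The summary of `bluetooth_dontaudit_read_helper_files` (L51038) says "Read bluetooth helper files" but the rules are dontaudits, and their target is the helper domain type rather than a file type, which suggests this is about the helper's /proc process entries; `## Do not audit attempts to read bluetooth helper process state.` would match the body, worth confirming against the denial that prompted it.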
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
new file mode 100644
index 0000000..3a78044
--- /dev/null
+++ b/policy/modules/services/bluetooth.te
@@ -0,0 +1,246 @@
+
+policy_module(bluetooth,1.2.8)
+
+########################################
+#
+# Declarations
+#
+type bluetooth_t;
+type bluetooth_exec_t;
+init_daemon_domain(bluetooth_t,bluetooth_exec_t)
+
+type bluetooth_conf_t;
+files_type(bluetooth_conf_t)
+
+type bluetooth_conf_rw_t;
+files_type(bluetooth_conf_rw_t)
+
+type bluetooth_helper_t;
+type bluetooth_helper_exec_t;
+domain_type(bluetooth_helper_t)
+domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
+role system_r types bluetooth_helper_t;
+
+type bluetooth_helper_tmp_t;
+files_tmp_file(bluetooth_helper_tmp_t)
+
+type bluetooth_lock_t;
+files_lock_file(bluetooth_lock_t)
+
+type bluetooth_tmp_t;
+files_tmp_file(bluetooth_tmp_t)
+
+type bluetooth_var_lib_t;
+files_type(bluetooth_var_lib_t)
+
+type bluetooth_var_run_t;
+files_pid_file(bluetooth_var_run_t)
+
+########################################
+#
+# Bluetooth services local policy
+#
+
+allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock };
+dontaudit bluetooth_t self:capability sys_tty_config;
+allow bluetooth_t self:process { getsched signal_perms };
+allow bluetooth_t self:fifo_file rw_file_perms;
+allow bluetooth_t self:shm create_shm_perms;
+allow bluetooth_t self:socket create_stream_socket_perms;
+allow bluetooth_t self:unix_dgram_socket create_socket_perms;
+allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_t self:tcp_socket create_stream_socket_perms;
+allow bluetooth_t self:udp_socket create_socket_perms;
+
+allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
+allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
+
+allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms;
+allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
+allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
+allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
+allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
+type_transition bluetooth_t bluetooth_conf_t:{ dir file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
+
+domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
+allow bluetooth_t bluetooth_helper_t:fd use;
+allow bluetooth_helper_t bluetooth_t:fd use;
+allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
+allow bluetooth_helper_t bluetooth_t:process sigchld;
+
+allow bluetooth_t bluetooth_lock_t:file create_file_perms;
+files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)
+
+allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
+allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
+
+allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
+allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,file)
+
+allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
+allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
+allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(bluetooth_t)
+kernel_read_system_state(bluetooth_t)
+
+corenet_non_ipsec_sendrecv(bluetooth_t)
+corenet_tcp_sendrecv_all_if(bluetooth_t)
+corenet_udp_sendrecv_all_if(bluetooth_t)
+corenet_raw_sendrecv_all_if(bluetooth_t)
+corenet_tcp_sendrecv_all_nodes(bluetooth_t)
+corenet_udp_sendrecv_all_nodes(bluetooth_t)
+corenet_raw_sendrecv_all_nodes(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
+
+dev_read_sysfs(bluetooth_t)
+dev_rw_usbfs(bluetooth_t)
+dev_rw_generic_usb_dev(bluetooth_t)
+dev_read_urand(bluetooth_t)
+
+fs_getattr_all_fs(bluetooth_t)
+fs_search_auto_mountpoints(bluetooth_t)
+
+term_dontaudit_use_console(bluetooth_t)
+#Handle bluetooth serial devices
+term_use_unallocated_ttys(bluetooth_t)
+
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
+domain_use_interactive_fds(bluetooth_t)
+domain_dontaudit_search_all_domains_state(bluetooth_t)
+
+files_read_etc_files(bluetooth_t)
+files_read_etc_runtime_files(bluetooth_t)
+files_read_usr_files(bluetooth_t)
+
+init_use_fds(bluetooth_t)
+init_use_script_ptys(bluetooth_t)
+
+libs_use_ld_so(bluetooth_t)
+libs_use_shared_libs(bluetooth_t)
+
+locallogin_dontaudit_use_fds(bluetooth_helper_t)
+
+logging_send_syslog_msg(bluetooth_t)
+
+miscfiles_read_localization(bluetooth_t)
+miscfiles_read_fonts(bluetooth_t)
+
+sysnet_read_config(bluetooth_t)
+
+userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
+userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(bluetooth_t)
+	term_dontaudit_use_generic_ptys(bluetooth_t)
+	files_dontaudit_read_root_files(bluetooth_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client_template(bluetooth,bluetooth_t)
+	dbus_connect_system_bus(bluetooth_t)
+	dbus_send_system_bus(bluetooth_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(bluetooth_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(bluetooth_t)
+')
+
+optional_policy(`
+	udev_read_db(bluetooth_t)
+')
+
+########################################
+#
+# Bluetooth helper local policy
+#
+
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:process getsched;
+allow bluetooth_helper_t self:fifo_file rw_file_perms;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+allow bluetooth_helper_t bluetooth_helper_tmp_t:dir manage_dir_perms;
+allow bluetooth_helper_t bluetooth_helper_tmp_t:file manage_file_perms;
+allow bluetooth_helper_t bluetooth_helper_tmp_t:sock_file manage_file_perms;
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
+
+kernel_read_system_state(bluetooth_helper_t)
+kernel_read_kernel_sysctls(bluetooth_helper_t)
+
+dev_read_urand(bluetooth_helper_t)
+
+term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
+
+corecmd_exec_bin(bluetooth_helper_t)
+corecmd_exec_shell(bluetooth_helper_t)
+
+domain_read_all_domains_state(bluetooth_helper_t)
+
+files_read_etc_files(bluetooth_helper_t)
+files_read_etc_runtime_files(bluetooth_helper_t)
+files_read_usr_files(bluetooth_helper_t)
+files_search_tmp(bluetooth_helper_t)
+files_dontaudit_list_default(bluetooth_helper_t)
+
+libs_use_ld_so(bluetooth_helper_t)
+libs_use_shared_libs(bluetooth_helper_t)
+
+logging_send_syslog_msg(bluetooth_helper_t)
+
+miscfiles_read_localization(bluetooth_helper_t) 
+miscfiles_read_fonts(bluetooth_helper_t)
+
+sysnet_read_config(bluetooth_helper_t)
+
+ifdef(`targeted_policy',`
+	files_rw_generic_tmp_sockets(bluetooth_helper_t)
+	files_manage_generic_tmp_files(bluetooth_helper_t)
+
+	fs_rw_tmpfs_files(bluetooth_helper_t)
+
+	term_dontaudit_use_generic_ptys(bluetooth_helper_t)
+
+	unconfined_stream_connect(bluetooth_helper_t)
+
+	userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
+
+	optional_policy(`
+		xserver_stream_connect_xdm(bluetooth_helper_t)
+		xserver_use_xdm_fds(bluetooth_helper_t)
+		xserver_rw_xdm_pipes(bluetooth_helper_t)
+		# when started via startx 
+		xserver_stream_connect_xdm_xserver(bluetooth_helper_t)
+	')
+')
+
+optional_policy(`
+	bluetooth_dbus_chat(bluetooth_helper_t)
+	dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
+	dbus_connect_system_bus(bluetooth_helper_t)
+	dbus_send_system_bus(bluetooth_helper_t)
+')
+
+optional_policy(`
+	nscd_socket_use(bluetooth_helper_t)
+')
+
+optional_policy(`
+       	xserver_stream_connect_xdm(bluetooth_helper_t)
+')	
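Review bot: `sys_tty_config` is both allowed on L51103 and dontaudited on L51104 for the same subject, so the dontaudit never takes effect; the other daemons in this commit (L50667–L50668, L51394–L51395) keep it out of the allow set, and `allow bluetooth_t self:capability { net_admin net_raw ipc_lock };` brings bluetooth_t in line with them, assuming the daemon does not actually need it. `xserver_stream_connect_xdm(bluetooth_helper_t)` is granted inside the targeted block at L51284 and again unconditionally at L51304, making the second redundant under targeted policy; that block also has mixed space/tab indentation and a trailing tab after its closing `')`. `userdom_manage_generic_user_home_content_files(bluetooth_helper_t)` on L51281 gives the PIN helper full management of user home content under targeted policy, which is broad for its job and deserves a comment on why it is needed.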
diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc
new file mode 100644
index 0000000..14c323c
--- /dev/null
+++ b/policy/modules/services/canna.fc
@@ -0,0 +1,22 @@
+
+#
+# /usr
+#
+/usr/bin/cannaping	--	gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/catdic		--	gen_context(system_u:object_r:canna_exec_t,s0)
+
+/usr/sbin/cannaserver	--	gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/sbin/jserver	--	gen_context(system_u:object_r:canna_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/canna/dic(/.*)?	gen_context(system_u:object_r:canna_var_lib_t,s0)
+/var/lib/wnn/dic(/.*)?		gen_context(system_u:object_r:canna_var_lib_t,s0)
+
+/var/log/canna(/.*)?		gen_context(system_u:object_r:canna_log_t,s0)
+/var/log/wnn(/.*)?		gen_context(system_u:object_r:canna_log_t,s0)
+
+/var/run/\.iroha_unix	-d	gen_context(system_u:object_r:canna_var_run_t,s0)
+/var/run/\.iroha_unix/.* -s	gen_context(system_u:object_r:canna_var_run_t,s0)
+/var/run/wnn-unix(/.*)		gen_context(system_u:object_r:canna_var_run_t,s0)
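Review bot: `/var/run/wnn-unix(/.*)` on L51333 lacks the trailing `?`, so the pattern matches only entries below the directory and never the directory itself, leaving `/var/run/wnn-unix` with whatever label `/var/run` falls back to; every other recursive entry in this file uses `(/.*)?`. `/var/run/wnn-unix(/.*)?		gen_context(system_u:object_r:canna_var_run_t,s0)` fixes it. Without it, `canna_stream_connect` callers get `dir search` on canna_var_run_t but the directory they traverse is not labeled that way.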
diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if
new file mode 100644
index 0000000..c3f5b1d
--- /dev/null
+++ b/policy/modules/services/canna.if
@@ -0,0 +1,22 @@
+## <summary>Canna - kana-kanji conversion server</summary>
+
+########################################
+## <summary>
+##	Connect to Canna using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`canna_stream_connect',`
+	gen_require(`
+		type canna_t, canna_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 canna_var_run_t:dir search;
+	allow $1 canna_var_run_t:sock_file write;
+	allow $1 canna_t:unix_stream_socket connectto;
+')
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
new file mode 100644
index 0000000..a7724ca
--- /dev/null
+++ b/policy/modules/services/canna.te
@@ -0,0 +1,104 @@
+
+policy_module(canna,1.2.2)
+
+########################################
+#
+# Declarations
+#
+
+type canna_t;
+type canna_exec_t;
+init_daemon_domain(canna_t,canna_exec_t)
+
+type canna_log_t;
+logging_log_file(canna_log_t)
+
+type canna_var_lib_t;
+files_type(canna_var_lib_t)
+
+type canna_var_run_t;
+files_pid_file(canna_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow canna_t self:capability { setgid setuid net_bind_service };
+dontaudit canna_t self:capability sys_tty_config;
+allow canna_t self:process signal_perms;
+allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
+allow canna_t self:unix_dgram_socket create_stream_socket_perms;
+allow canna_t self:tcp_socket create_stream_socket_perms;
+
+allow canna_t canna_log_t:file create_file_perms;
+allow canna_t canna_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(canna_t,canna_log_t,{ file dir })
+
+allow canna_t canna_var_lib_t:dir create_dir_perms;
+allow canna_t canna_var_lib_t:file create_file_perms;
+allow canna_t canna_var_lib_t:lnk_file create_lnk_perms;
+files_var_lib_filetrans(canna_t,canna_var_lib_t,file)
+
+allow canna_t canna_var_run_t:dir rw_dir_perms;
+allow canna_t canna_var_run_t:file create_file_perms;
+allow canna_t canna_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(canna_t)
+kernel_read_system_state(canna_t)
+
+corenet_non_ipsec_sendrecv(canna_t)
+corenet_tcp_sendrecv_all_if(canna_t)
+corenet_tcp_sendrecv_all_nodes(canna_t)
+corenet_tcp_sendrecv_all_ports(canna_t)
+corenet_tcp_connect_all_ports(canna_t)
+corenet_sendrecv_all_client_packets(canna_t)
+
+dev_read_sysfs(canna_t)
+
+fs_getattr_all_fs(canna_t)
+fs_search_auto_mountpoints(canna_t)
+
+term_dontaudit_use_console(canna_t)
+
+domain_use_interactive_fds(canna_t)
+
+files_read_etc_files(canna_t)
+files_read_etc_runtime_files(canna_t)
+files_read_usr_files(canna_t)
+files_search_tmp(canna_t)
+files_dontaudit_read_root_files(canna_t)
+
+init_use_fds(canna_t)
+init_use_script_ptys(canna_t)
+
+libs_use_ld_so(canna_t)
+libs_use_shared_libs(canna_t)
+
+logging_send_syslog_msg(canna_t)
+
+miscfiles_read_localization(canna_t)
+
+sysnet_read_config(canna_t)
+
+userdom_dontaudit_use_unpriv_user_fds(canna_t)
+userdom_dontaudit_search_sysadm_home_dirs(canna_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(canna_t)
+	term_dontaudit_use_generic_ptys(canna_t)
+	files_dontaudit_read_root_files(canna_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(canna_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(canna_t)
+')
+
+optional_policy(`
+	udev_read_db(canna_t)
+')
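Review bot: `allow canna_t self:unix_dgram_socket create_stream_socket_perms;` on L51398 grants listen/accept-style permissions to a datagram socket; the other modules in this commit use `create_socket_perms` for unix_dgram_socket (L50672, L51109, L51516), and `allow canna_t self:unix_dgram_socket create_socket_perms;` is the matching rule. `files_dontaudit_read_root_files(canna_t)` appears unconditionally on L51438 and again inside the targeted_policy block on L51458, so the second is redundant. The permission set on L51397 is missing a space before its closing brace.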
diff --git a/policy/modules/services/cipe.fc b/policy/modules/services/cipe.fc
new file mode 100644
index 0000000..afcdf02
--- /dev/null
+++ b/policy/modules/services/cipe.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/ciped.*	--	gen_context(system_u:object_r:ciped_exec_t,s0)
diff --git a/policy/modules/services/cipe.if b/policy/modules/services/cipe.if
new file mode 100644
index 0000000..b5fd668
--- /dev/null
+++ b/policy/modules/services/cipe.if
@@ -0,0 +1 @@
+## <summary>Encrypted tunnel daemon</summary>
diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te
new file mode 100644
index 0000000..4c43de5
--- /dev/null
+++ b/policy/modules/services/cipe.te
@@ -0,0 +1,87 @@
+
+policy_module(cipe,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type ciped_t;
+type ciped_exec_t;
+init_daemon_domain(ciped_t,ciped_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
+dontaudit ciped_t self:capability sys_tty_config;
+allow ciped_t self:process signal_perms;
+allow ciped_t self:fifo_file rw_file_perms;
+allow ciped_t self:unix_dgram_socket create_socket_perms;
+allow ciped_t self:unix_stream_socket create_socket_perms;
+allow ciped_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(ciped_t)
+kernel_read_system_state(ciped_t)
+
+corecmd_exec_shell(ciped_t)
+corecmd_exec_bin(ciped_t)
+corecmd_exec_sbin(ciped_t)
+
+corenet_non_ipsec_sendrecv(ciped_t)
+corenet_udp_sendrecv_generic_if(ciped_t)
+corenet_udp_sendrecv_all_nodes(ciped_t)
+corenet_udp_sendrecv_all_ports(ciped_t)
+corenet_udp_bind_all_nodes(ciped_t)
+# cipe uses the afs3-bos port (udp 7007)
+corenet_udp_bind_afs_bos_port(ciped_t)
+corenet_sendrecv_afs_bos_server_packets(ciped_t)
+
+dev_read_sysfs(ciped_t)
+dev_read_rand(ciped_t)
+# for SSP
+dev_read_urand(ciped_t)
+
+domain_use_interactive_fds(ciped_t)
+
+files_read_etc_files(ciped_t)
+files_read_etc_runtime_files(ciped_t)
+files_dontaudit_search_var(ciped_t)
+
+fs_search_auto_mountpoints(ciped_t)
+
+term_dontaudit_use_console(ciped_t)
+
+init_use_fds(ciped_t)
+init_use_script_ptys(ciped_t)
+
+libs_use_ld_so(ciped_t)
+libs_use_shared_libs(ciped_t)
+
+logging_send_syslog_msg(ciped_t)
+
+miscfiles_read_localization(ciped_t)
+
+sysnet_read_config(ciped_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ciped_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(ciped_t)
+	term_dontaudit_use_generic_ptys(ciped_t)
+	files_dontaudit_read_root_files(ciped_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(ciped_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(ciped_t)
+')
+
+optional_policy(`
+	udev_read_db(ciped_t)
+')
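Review bot: `allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };` grants sys_tty_config while the very next line dontaudits the same capability, so the dontaudit is dead and the daemon keeps a capability the author evidently meant only to silence. The other daemons in this series (cpucontrol_t, the courier domain template) only dontaudit sys_tty_config, so the allow line should drop it: `allow ciped_t self:capability { net_admin ipc_lock };`. The corecmd_exec_shell/bin/sbin trio gives ciped_t a broad execution surface with no stated reason; a one-line comment naming what it runs (presumably the tunnel's up/down scripts — confirm) would make that grant reviewable later.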
diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
new file mode 100644
index 0000000..4640ac6
--- /dev/null
+++ b/policy/modules/services/clamav.fc
@@ -0,0 +1,15 @@
+/etc/clamav(/.*)?			gen_context(system_u:object_r:clamd_etc_t,s0)
+
+
+/usr/bin/clamscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/clamdscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
+
+/usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
+
+/var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav/clamd.ctl	-s	gen_context(system_u:object_r:clamd_sock_t,s0)
+/var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
new file mode 100644
index 0000000..3263dbb
--- /dev/null
+++ b/policy/modules/services/clamav.if
@@ -0,0 +1,104 @@
+## <summary>ClamAV Virus Scanner</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run clamd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`clamav_domtrans',`
+	gen_require(`
+		type clamd_t, clamd_exec_t;
+	')
+
+	domain_auto_trans($1,clamd_exec_t,clamd_t)
+
+	allow $1 clamd_t:fd use;
+	allow clamd_t $1:fd use;
+	allow clamd_t $1:fifo_file rw_file_perms;
+	allow clamd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Connect to run clamd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to connect.
+##	</summary>
+## </param>
+#
+interface(`clamav_stream_connect',`
+	gen_require(`
+		type clamd_t, clamd_sock_t, clamd_var_run_t;
+	')
+
+	allow $1 clamd_var_run_t:dir search;
+	allow $1 clamd_sock_t:sock_file write;
+	allow $1 clamd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Read clamav configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_read_config',`
+	gen_require(`
+		type clamd_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 clamd_etc_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Search clamav libraries directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_search_lib',`
+	gen_require(`
+		type clamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 clamd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run clamscan.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_domtrans_clamscan',`
+	gen_require(`
+		type clamscan_t, clamscan_exec_t;
+	')
+
+	domain_auto_trans($1,clamscan_exec_t,clamscan_t)
+
+	allow clamscan_t $1:fd use;
+	allow clamscan_t $1:fifo_file rw_file_perms;
+	allow clamscan_t $1:process sigchld;
+')
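Review bot: `clamav_domtrans` contains `allow $1 clamd_t:fd use;`, which lets the caller use descriptors owned by clamd — the reverse of the usual domtrans direction and not mirrored by `clamav_domtrans_clamscan`, `courier_domtrans_pop` or the other domtrans interfaces in this series; unless a caller genuinely inherits fds from clamd, that line should be removed. The summary of `clamav_stream_connect` ("Connect to run clamd.") does not describe what the interface does; `##	Connect to clamd over its unix stream socket.` would, and the interface probably also needs `files_search_pids($1)` so the caller can reach the clamd_var_run_t directory under /var/run. Similarly `clamav_read_config` allows only file reads; a caller still needs `allow $1 clamd_etc_t:dir search_dir_perms;` to traverse /etc/clamav.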
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
new file mode 100644
index 0000000..14f06d6
--- /dev/null
+++ b/policy/modules/services/clamav.te
@@ -0,0 +1,256 @@
+
+policy_module(clamav,1.0.4)
+
+########################################
+#
+# Declarations
+#
+
+# Main clamd domain
+type clamd_t;
+type clamd_exec_t;
+init_daemon_domain(clamd_t, clamd_exec_t)
+
+# configuration files
+type clamd_etc_t;
+files_type(clamd_etc_t)
+
+# named socket type
+type clamd_sock_t;
+files_type(clamd_sock_t)
+
+# tmp files
+type clamd_tmp_t;
+files_tmp_file(clamd_tmp_t)
+
+# log files
+type clamd_var_log_t;
+logging_log_file(clamd_var_log_t)
+
+# var/lib files
+type clamd_var_lib_t;
+files_type(clamd_var_lib_t)
+
+# pid files
+type clamd_var_run_t;
+files_pid_file(clamd_var_run_t)
+
+type clamscan_t;
+type clamscan_exec_t;
+init_daemon_domain(clamscan_t, clamscan_exec_t)
+
+# tmp files
+type clamscan_tmp_t;
+files_tmp_file(clamscan_tmp_t)
+
+type freshclam_t;
+type freshclam_exec_t;
+init_daemon_domain(freshclam_t, freshclam_exec_t)
+
+# log files
+type freshclam_var_log_t;
+logging_log_file(freshclam_var_log_t)
+
+########################################
+#
+# clamd local policy
+#
+
+allow clamd_t self:capability { kill setgid setuid dac_override };
+allow clamd_t self:fifo_file rw_file_perms;
+allow clamd_t self:unix_stream_socket create_stream_socket_perms;
+allow clamd_t self:unix_dgram_socket create_socket_perms;
+allow clamd_t self:tcp_socket { listen accept };
+
+# configuration files
+allow clamd_t clamd_etc_t:dir r_dir_perms;
+allow clamd_t clamd_etc_t:file r_file_perms;
+allow clamd_t clamd_etc_t:lnk_file { getattr read };
+
+# socket file
+allow clamd_t clamd_sock_t:file manage_file_perms;
+allow clamd_t clamd_sock_t:sock_file manage_file_perms;
+allow clamd_t clamd_sock_t:dir rw_dir_perms;
+files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)
+
+# tmp files
+allow clamd_t clamd_tmp_t:file create_file_perms;
+allow clamd_t clamd_tmp_t:dir create_dir_perms;
+files_tmp_filetrans(clamd_t,clamd_tmp_t,{ file dir })
+
+# var/lib files for clamd
+allow clamd_t clamd_var_lib_t:file create_file_perms;
+allow clamd_t clamd_var_lib_t:sock_file create_file_perms;
+allow clamd_t clamd_var_lib_t:dir create_dir_perms;
+files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file)
+
+# log files
+allow clamd_t clamd_var_log_t:file create_file_perms;
+allow clamd_t clamd_var_log_t:sock_file create_file_perms;
+allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(clamd_t,clamd_var_log_t,file)
+
+# pid file
+allow clamd_t clamd_var_run_t:file manage_file_perms;
+allow clamd_t clamd_var_run_t:sock_file manage_file_perms;
+allow clamd_t clamd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(clamd_t,clamd_var_run_t,file)
+
+kernel_dontaudit_list_proc(clamd_t)
+
+corenet_non_ipsec_sendrecv(clamd_t)
+corenet_tcp_sendrecv_all_if(clamd_t)
+corenet_tcp_sendrecv_all_nodes(clamd_t)
+corenet_tcp_sendrecv_all_ports(clamd_t)
+corenet_tcp_sendrecv_clamd_port(clamd_t)
+corenet_tcp_bind_all_nodes(clamd_t)
+corenet_tcp_bind_clamd_port(clamd_t)
+corenet_sendrecv_clamd_server_packets(clamd_t)
+
+dev_read_rand(clamd_t)
+dev_read_urand(clamd_t)
+
+domain_use_interactive_fds(clamd_t)
+
+files_read_etc_files(clamd_t)
+files_read_etc_runtime_files(clamd_t)
+files_search_spool(clamd_t)
+
+init_use_fds(clamd_t)
+init_use_script_ptys(clamd_t)
+
+libs_use_ld_so(clamd_t)
+libs_use_shared_libs(clamd_t)
+
+logging_send_syslog_msg(clamd_t)
+
+miscfiles_read_localization(clamd_t)
+
+sysnet_dns_name_resolve(clamd_t)
+
+cron_use_fds(clamd_t)
+cron_use_system_job_fds(clamd_t)
+cron_rw_pipes(clamd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(clamd_t)
+')
+
+optional_policy(`
+	amavis_read_lib_files(clamd_t)
+	amavis_read_spool_files(clamd_t)
+	amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file)
+')
+
+########################################
+#
+# Freshclam local policy
+#
+
+allow freshclam_t self:capability { setgid setuid dac_override };
+allow freshclam_t self:fifo_file rw_file_perms;
+allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
+allow freshclam_t self:unix_dgram_socket create_socket_perms;
+allow freshclam_t self:tcp_socket { listen accept };
+
+# configuration files
+allow freshclam_t clamd_etc_t:dir r_dir_perms;
+allow freshclam_t clamd_etc_t:file r_file_perms;
+allow freshclam_t clamd_etc_t:lnk_file { getattr read };
+
+# var/lib files together with clamd
+allow freshclam_t clamd_var_lib_t:file create_file_perms;
+allow freshclam_t clamd_var_lib_t:sock_file create_file_perms;
+allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
+files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file)
+
+# pidfiles- var/run together with clamd
+allow freshclam_t clamd_var_run_t:file manage_file_perms;
+allow freshclam_t clamd_var_run_t:sock_file manage_file_perms;
+allow freshclam_t clamd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(freshclam_t,clamd_var_run_t,file)
+
+# log files (own logfiles only)
+allow freshclam_t freshclam_var_log_t:file create_file_perms;
+allow freshclam_t freshclam_var_log_t:sock_file create_file_perms;
+allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
+allow freshclam_t clamd_var_log_t:dir search;
+logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
+
+corenet_non_ipsec_sendrecv(freshclam_t)
+corenet_tcp_sendrecv_all_if(freshclam_t)
+corenet_tcp_sendrecv_all_nodes(freshclam_t)
+corenet_tcp_sendrecv_all_ports(freshclam_t)
+corenet_tcp_sendrecv_clamd_port(freshclam_t)
+corenet_tcp_connect_http_port(freshclam_t)
+corenet_sendrecv_http_client_packets(freshclam_t)
+
+dev_read_rand(freshclam_t)
+dev_read_urand(freshclam_t)
+
+domain_use_interactive_fds(freshclam_t)
+
+files_read_etc_files(freshclam_t)
+files_read_etc_runtime_files(freshclam_t)
+
+init_use_fds(freshclam_t)
+init_use_script_ptys(freshclam_t)
+
+libs_use_ld_so(freshclam_t)
+libs_use_shared_libs(freshclam_t)
+
+miscfiles_read_localization(freshclam_t)
+
+sysnet_dns_name_resolve(freshclam_t)
+
+clamav_stream_connect(freshclam_t)
+
+cron_use_fds(freshclam_t)
+cron_use_system_job_fds(freshclam_t)
+cron_rw_pipes(freshclam_t)
+
+########################################
+#
+# clamscam local policy
+#
+
+allow clamscan_t self:capability { setgid setuid dac_override };
+allow clamscan_t self:fifo_file rw_file_perms;
+allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
+allow clamscan_t self:unix_dgram_socket create_socket_perms;
+allow clamscan_t self:tcp_socket { listen accept };
+
+# configuration files
+allow clamscan_t clamd_etc_t:dir r_dir_perms;
+allow clamscan_t clamd_etc_t:file r_file_perms;
+allow clamscan_t clamd_etc_t:lnk_file { getattr read };
+
+# tmp files
+allow clamscan_t clamscan_tmp_t:file manage_file_perms;
+allow clamscan_t clamscan_tmp_t:dir manage_dir_perms;
+files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
+
+# var/lib files together with clamd
+allow clamscan_t clamd_var_lib_t:file r_file_perms;
+allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
+allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
+
+kernel_read_kernel_sysctls(clamscan_t)
+
+files_read_etc_files(clamscan_t)
+files_read_etc_runtime_files(clamscan_t)
+files_search_var_lib(clamscan_t)
+
+libs_use_ld_so(clamscan_t)
+libs_use_shared_libs(clamscan_t)
+
+miscfiles_read_localization(clamscan_t)
+miscfiles_read_public_files(clamscan_t)
+
+clamav_stream_connect(clamscan_t)
+
+optional_policy(`
+	apache_read_sys_content(clamscan_t)
+')
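Review bot: `allow clamd_t self:tcp_socket { listen accept };` (and the identical lines for freshclam_t and clamscan_t) omit create, bind and connect, yet clamd_t binds the clamd port via corenet_tcp_bind_clamd_port and freshclam_t connects to the http port; unless those permissions come from an interface outside this hunk, neither domain can open the socket it is allowed to bind or connect, and `allow clamd_t self:tcp_socket create_stream_socket_perms;` is the usual form. For clamscan_t the same line looks copy-pasted: nothing in its section gives it any corenet interface, so its tcp_socket rule should go rather than be widened. The section banner `# clamscam local policy` is a typo for clamscan. The `cron_*` calls on clamd_t and freshclam_t sit outside optional_policy while every other cross-module call in this series is wrapped; if cron is an optional module in this tree they should be wrapped the same way.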
diff --git a/policy/modules/services/clockspeed.fc b/policy/modules/services/clockspeed.fc
new file mode 100644
index 0000000..a7aa385
--- /dev/null
+++ b/policy/modules/services/clockspeed.fc
@@ -0,0 +1,14 @@
+
+#
+# /usr
+#
+/usr/bin/clockadd	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/clockspeed	--	gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+/usr/bin/sntpclock	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclock	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclockd	--	gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/clockspeed(/.*)?	gen_context(system_u:object_r:clockspeed_var_lib_t,s0)
diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if
new file mode 100644
index 0000000..9d4c892
--- /dev/null
+++ b/policy/modules/services/clockspeed.if
@@ -0,0 +1,53 @@
+## <summary>Clockspeed simple network time protocol client</summary>
+
+########################################
+## <summary>
+##      Execute clockspeed utilities in the clockspeed_cli domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`clockspeed_domtrans_cli',`
+        gen_require(`
+                type clockspeed_cli_t, clockspeed_cli_exec_t;
+        ')
+
+	domain_auto_trans($1, clockspeed_cli_exec_t, clockspeed_cli_t)
+	allow clockspeed_cli_t $1:fd use;
+	allow clockspeed_cli_t $1:fifo_file { read write };
+	allow clockspeed_cli_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the specified role the clockspeed_cli domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the clockspeed_cli domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the clockspeed_cli domain to use.
+##	</summary>
+## </param>
+#
+template(`clockspeed_run_cli',`
+	gen_require(`
+		type clockspeed_cli_t;
+	')
+
+	role $2 types clockspeed_cli_t;
+	clockspeed_domtrans_cli($1)
+	allow clockspeed_cli_t $3:chr_file { getattr read write ioctl };
+
+')
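Review bot: `clockspeed_domtrans_cli` indents its gen_require block with spaces while the rest of the interface, and every other file in this series, uses tabs; the block should be re-indented with tabs. `clockspeed_run_cli` is declared as a `template` although it derives no types from its arguments, whereas the comparable helpers here (the courier and clamav domtrans interfaces) use `interface`; unless the template form is deliberate it should be `interface(`clockspeed_run_cli',`` and the stray blank line before its closing `')` dropped. The `chr_file { getattr read write ioctl }` grant on `$3` is the terminal-access idiom and would read better with a short comment, `# let the cli domain use the caller's terminal`.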
diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
new file mode 100644
index 0000000..7866470
--- /dev/null
+++ b/policy/modules/services/clockspeed.te
@@ -0,0 +1,77 @@
+
+policy_module(clockspeed,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type clockspeed_cli_t;
+type clockspeed_cli_exec_t;
+domain_type(clockspeed_cli_t)
+domain_entry_file(clockspeed_cli_t,clockspeed_cli_exec_t)
+
+type clockspeed_srv_t;
+type clockspeed_srv_exec_t;
+init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+
+type clockspeed_var_lib_t;
+files_type(clockspeed_var_lib_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow clockspeed_cli_t self:capability sys_time;
+allow clockspeed_cli_t self:udp_socket create_socket_perms;
+allow clockspeed_cli_t clockspeed_var_lib_t:dir search;
+allow clockspeed_cli_t clockspeed_var_lib_t:file { getattr read };
+
+corenet_non_ipsec_sendrecv(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
+corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
+
+files_list_var_lib(clockspeed_cli_t)
+files_read_etc_files(clockspeed_cli_t)
+
+libs_use_ld_so(clockspeed_cli_t)
+libs_use_shared_libs(clockspeed_cli_t)
+
+miscfiles_read_localization(clockspeed_cli_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow clockspeed_srv_t self:capability { sys_time net_bind_service };
+allow clockspeed_srv_t self:udp_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
+
+allow clockspeed_srv_t clockspeed_var_lib_t:dir rw_dir_perms;
+allow clockspeed_srv_t clockspeed_var_lib_t:file create_file_perms;
+allow clockspeed_srv_t clockspeed_var_lib_t:fifo_file create_file_perms;
+
+corenet_non_ipsec_sendrecv(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
+corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
+corenet_udp_bind_all_nodes(clockspeed_srv_t)
+corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
+corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
+
+files_read_etc_files(clockspeed_srv_t)
+files_list_var_lib(clockspeed_srv_t)
+
+libs_use_ld_so(clockspeed_srv_t)
+libs_use_shared_libs(clockspeed_srv_t)
+
+miscfiles_read_localization(clockspeed_srv_t)
+
+optional_policy(`
+	daemontools_service_domain(clockspeed_srv_t,clockspeed_srv_exec_t)
+')
diff --git a/policy/modules/services/comsat.fc b/policy/modules/services/comsat.fc
new file mode 100644
index 0000000..e7633fa
--- /dev/null
+++ b/policy/modules/services/comsat.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/in\.comsat	--	gen_context(system_u:object_r:comsat_exec_t,s0)
diff --git a/policy/modules/services/comsat.if b/policy/modules/services/comsat.if
new file mode 100644
index 0000000..afc4dfe
--- /dev/null
+++ b/policy/modules/services/comsat.if
@@ -0,0 +1 @@
+## <summary>Comsat, a biff server.</summary>
diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te
new file mode 100644
index 0000000..9e2e9cb
--- /dev/null
+++ b/policy/modules/services/comsat.te
@@ -0,0 +1,88 @@
+
+policy_module(comsat,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type comsat_t;
+type comsat_exec_t;
+inetd_udp_service_domain(comsat_t,comsat_exec_t)
+role system_r types comsat_t;
+
+type comsat_tmp_t;
+files_tmp_file(comsat_tmp_t)
+
+type comsat_var_run_t;
+files_pid_file(comsat_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow comsat_t self:capability { setuid setgid };
+allow comsat_t self:process signal_perms;
+allow comsat_t self:dir search;
+allow comsat_t self:fifo_file rw_file_perms;
+allow comsat_t self:{ lnk_file file } { getattr read };
+allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow comsat_t self:tcp_socket connected_stream_socket_perms;
+allow comsat_t self:udp_socket create_socket_perms;
+
+allow comsat_t comsat_tmp_t:dir create_dir_perms;
+allow comsat_t comsat_tmp_t:file create_file_perms;
+files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
+
+allow comsat_t comsat_var_run_t:file create_file_perms;
+allow comsat_t comsat_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(comsat_t,comsat_var_run_t,file)
+
+kernel_read_kernel_sysctls(comsat_t)
+kernel_read_network_state(comsat_t)
+kernel_read_system_state(comsat_t)
+
+corenet_non_ipsec_sendrecv(comsat_t)
+corenet_tcp_sendrecv_all_if(comsat_t)
+corenet_udp_sendrecv_all_if(comsat_t)
+corenet_tcp_sendrecv_all_nodes(comsat_t)
+corenet_udp_sendrecv_all_nodes(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
+
+dev_read_urand(comsat_t)
+
+fs_getattr_xattr_fs(comsat_t)
+
+files_read_etc_files(comsat_t)
+files_list_usr(comsat_t)
+files_search_spool(comsat_t)
+files_search_home(comsat_t)
+
+init_read_utmp(comsat_t)
+init_dontaudit_write_utmp(comsat_t)
+
+libs_use_ld_so(comsat_t)
+libs_use_shared_libs(comsat_t)
+
+logging_send_syslog_msg(comsat_t)
+
+miscfiles_read_localization(comsat_t)
+
+sysnet_read_config(comsat_t)
+
+userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
+
+mta_getattr_spool(comsat_t)
+
+optional_policy(`
+	kerberos_use(comsat_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(comsat_t)
+')
+
+optional_policy(`
+	nscd_socket_use(comsat_t)
+')
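Review bot: `mta_getattr_spool(comsat_t)` is called unconditionally while the kerberos, nis and nscd calls right below it are wrapped in optional_policy; if mta is an optional module in this tree the bare call will break linking when mta is absent, and it should be wrapped the same way. `role system_r types comsat_t;` right after `inetd_udp_service_domain(comsat_t,comsat_exec_t)` may duplicate what that interface already does for an inetd child — worth confirming and dropping if so. The `netlink_tcpdiag_socket` and `tcp_socket connected_stream_socket_perms` rules are unexplained for a UDP biff server; a comment stating why comsat needs them would save the next reviewer from guessing.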
diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
new file mode 100644
index 0000000..3009c73
--- /dev/null
+++ b/policy/modules/services/courier.fc
@@ -0,0 +1,21 @@
+/etc/courier(/.*)?				gen_context(system_u:object_r:courier_etc_t,s0)
+
+/usr/bin/imapd				--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+
+/usr/sbin/courierlogger			--	gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/sbin/courierldapaliasd		--	gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/sbin/couriertcpd			--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+
+/usr/lib(64)?/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/lib(64)?/courier/courier/.*	--	gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/lib(64)?/courier/courier/courierpop.* --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/courier/imaplogin --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/courier/pcpd	--	gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+/usr/lib(64)?/courier/imapd		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/pop3d		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/rootcerts(/.*)?		gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+
+/var/lib/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_lib_t,s0)
+
+/var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
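Review bot: `/var/lib/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_lib_t,s0)` and the `/var/run/courier(/.*)?` line below it carry the `--` file-type field, which restricts the match to regular files, so the directories themselves and any sockets or symlinks beneath them keep their parent's label; courier.te grants courier_tcpd_t dir and lnk_file access on courier_var_lib_t and the domain template creates sock_files in courier_var_run_t, none of which these specs can label. Drop the type field, as the other directory patterns in this series do: `/var/lib/courier(/.*)?			gen_context(system_u:object_r:courier_var_lib_t,s0)` and likewise for /var/run/courier.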
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
new file mode 100644
index 0000000..d5866bb
--- /dev/null
+++ b/policy/modules/services/courier.if
@@ -0,0 +1,142 @@
+## <summary>Courier IMAP and POP3 email servers</summary>
+
+########################################
+## <summary>
+##	Template for creating courier server processes.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix name of the server process.
+##	</summary>
+## </param>
+#
+template(`courier_domain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type courier_$1_t;
+	type courier_$1_exec_t;
+	init_daemon_domain(courier_$1_t,courier_$1_exec_t)
+
+	##############################
+	#
+	# Declarations
+	#
+
+	allow courier_$1_t self:capability dac_override;
+	dontaudit courier_$1_t self:capability sys_tty_config;
+	allow courier_$1_t self:process { setpgid signal_perms };
+	allow courier_$1_t self:fifo_file { read write getattr };
+	allow courier_$1_t self:tcp_socket create_stream_socket_perms;
+	allow courier_$1_t self:udp_socket create_socket_perms;
+
+	can_exec(courier_$1_t, courier_$1_exec_t)
+
+	allow courier_$1_t courier_etc_t:file r_file_perms;
+	allow courier_$1_t courier_etc_t:dir r_dir_perms;
+
+	allow courier_$1_t courier_var_run_t:dir rw_dir_perms;
+	allow courier_$1_t courier_var_run_t:file create_file_perms;
+	allow courier_$1_t courier_var_run_t:lnk_file create_lnk_perms;
+	allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
+	files_search_pids(courier_$1_t)
+
+	kernel_read_system_state(courier_$1_t)
+	kernel_read_kernel_sysctls(courier_$1_t)
+
+	corecmd_exec_bin(courier_$1_t)
+
+	corenet_non_ipsec_sendrecv(courier_$1_t)
+	corenet_tcp_sendrecv_generic_if(courier_$1_t)
+	corenet_udp_sendrecv_generic_if(courier_$1_t)
+	corenet_tcp_sendrecv_all_nodes(courier_$1_t)
+	corenet_udp_sendrecv_all_nodes(courier_$1_t)
+	corenet_tcp_sendrecv_all_ports(courier_$1_t)
+	corenet_udp_sendrecv_all_ports(courier_$1_t)
+
+	dev_read_sysfs(courier_$1_t)
+
+	domain_use_interactive_fds(courier_$1_t)
+
+	files_read_etc_files(courier_$1_t)
+	files_read_etc_runtime_files(courier_$1_t)
+	files_read_usr_files(courier_$1_t)
+
+	fs_getattr_xattr_fs(courier_$1_t)
+	fs_search_auto_mountpoints(courier_$1_t)
+
+	term_dontaudit_use_console(courier_$1_t)
+
+	init_use_fds(courier_$1_t)
+	init_use_script_ptys(courier_$1_t)
+
+	libs_use_ld_so(courier_$1_t)
+	libs_use_shared_libs(courier_$1_t)
+
+	logging_send_syslog_msg(courier_$1_t)
+
+	sysnet_read_config(courier_$1_t)
+
+	userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
+
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_unallocated_ttys(courier_$1_t)
+		term_dontaudit_use_generic_ptys(courier_$1_t)
+		files_dontaudit_read_root_files(courier_$1_t)
+	')
+
+	optional_policy(`
+		seutil_sigchld_newrole(courier_$1_t)
+	')
+
+	optional_policy(`
+		udev_read_db(courier_$1_t)
+	')
+')
+
+########################################
+## <summary>
+##	Execute the courier authentication daemon with
+##	a domain transition.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_domtrans_authdaemon',`
+	gen_require(`
+		type courier_authdaemon_t, courier_authdaemon_exec_t;
+	')
+
+	domain_auto_trans($1, courier_authdaemon_exec_t, courier_authdaemon_t)
+	allow courier_authdaemon_t $1:fd use;
+	allow courier_authdaemon_t $1:fifo_file rw_file_perms;
+	allow courier_authdaemon_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute the courier POP3 and IMAP server with
+##	a domain transition.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_domtrans_pop',`
+	gen_require(`
+		type courier_pop_t, courier_pop_exec_t;
+	')
+
+	domain_auto_trans($1, courier_pop_exec_t, courier_pop_t)
+	allow courier_pop_t $1:fd use;
+	allow courier_pop_t $1:fifo_file rw_file_perms;
+	allow courier_pop_t $1:process sigchld;
+')
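Review bot: The parameter docs of `courier_domtrans_authdaemon` and `courier_domtrans_pop` read `<param name="prefix">`, but both interfaces take a domain (`$1` is the source of domain_auto_trans), so the tag should be `## <param name="domain">` in both; as written the generated documentation describes a parameter that does not exist. Inside `courier_domain_template` the second banner, just before `allow courier_$1_t self:capability dac_override;`, repeats "Declarations" where the rules begin; it should read `# Local policy`. The template uses courier_etc_t and courier_var_run_t from the enclosing module without a gen_require, which only works while it is expanded from courier.te; a comment stating that expectation would prevent an out-of-module use from failing obscurely.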
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
new file mode 100644
index 0000000..0c41a0f
--- /dev/null
+++ b/policy/modules/services/courier.te
@@ -0,0 +1,143 @@
+
+policy_module(courier,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+courier_domain_template(authdaemon)
+
+type courier_etc_t;
+files_type(courier_etc_t)
+
+courier_domain_template(pcp)
+
+courier_domain_template(pop)
+
+courier_domain_template(tcpd)
+
+type courier_var_lib_t;
+files_type(courier_var_lib_t)
+
+type courier_var_run_t;
+files_pid_file(courier_var_run_t)
+
+type courier_exec_t;
+files_type(courier_exec_t)
+
+courier_domain_template(sqwebmail)
+typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
+
+########################################
+#
+# Authdaemon local policy
+#
+
+allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+allow courier_authdaemon_t self:unix_stream_socket connectto;
+
+can_exec(courier_authdaemon_t, courier_exec_t)
+
+allow courier_authdaemon_t courier_tcpd_t:fd use;
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:process sigchld;
+allow courier_authdaemon_t courier_tcpd_t:fd use;
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+
+corecmd_search_sbin(courier_authdaemon_t)
+
+# for SSP
+dev_read_urand(courier_authdaemon_t)
+
+files_getattr_tmp_dirs(courier_authdaemon_t)
+
+auth_domtrans_chk_passwd(courier_authdaemon_t)
+
+libs_read_lib_files(courier_authdaemon_t)
+
+miscfiles_read_localization(courier_authdaemon_t)
+
+# should not be needed!
+userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)
+userdom_dontaudit_search_sysadm_home_dirs(courier_authdaemon_t)
+
+courier_domtrans_pop(courier_authdaemon_t)
+
+########################################
+#
+# Calendar (PCP) local policy
+#
+
+allow courier_pcp_t self:capability { setuid setgid };
+
+dev_read_rand(courier_pcp_t)
+
+########################################
+#
+# POP3/IMAP local policy
+#
+
+allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+allow courier_pop_t courier_authdaemon_t:process sigchld;
+
+allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+
+# inherits file handle - should it?
+allow courier_pop_t courier_var_lib_t:file { read write };
+
+miscfiles_read_localization(courier_pop_t)
+
+courier_domtrans_authdaemon(courier_pop_t)
+
+# do the actual work (read the Maildir)
+userdom_manage_unpriv_users_home_content_files(courier_pop_t)
+# cjp: the fact that this is different for pop vs imap means that
+# there should probably be a courier_pop_t and courier_imap_t
+# this should also probably be a separate type too instead of
+# the regular home dir
+userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
+
+########################################
+#
+# TCPd local policy
+#
+
+allow courier_tcpd_t self:capability kill;
+
+can_exec(courier_tcpd_t, courier_exec_t)
+
+allow courier_tcpd_t courier_var_lib_t:dir rw_dir_perms;
+allow courier_tcpd_t courier_var_lib_t:file manage_file_perms;
+allow courier_tcpd_t courier_var_lib_t:lnk_file create_lnk_perms;
+files_search_var_lib(courier_tcpd_t)
+
+corecmd_search_sbin(courier_tcpd_t)
+
+corenet_tcp_bind_all_nodes(courier_tcpd_t)
+corenet_tcp_bind_pop_port(courier_tcpd_t)
+corenet_sendrecv_pop_server_packets(courier_tcpd_t)
+
+# for TLS
+dev_read_rand(courier_tcpd_t)
+dev_read_urand(courier_tcpd_t)
+
+miscfiles_read_localization(courier_tcpd_t)
+
+courier_domtrans_pop(courier_tcpd_t)
+
+########################################
+#
+# Webmail local policy
+#
+
+kernel_read_kernel_sysctls(courier_sqwebmail_t)
+
+optional_policy(`
+	cron_system_entry(courier_sqwebmail_t,courier_sqwebmail_exec_t)
+')
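Review bot: The authdaemon section repeats itself: `allow courier_authdaemon_t courier_tcpd_t:fd use;` appears twice, the `tcp_socket rw_stream_socket_perms` rule three times and the `fifo_file rw_file_perms` rule twice between the can_exec line and corecmd_search_sbin. Keep one copy of each (fd use, tcp_socket, unix_stream_socket, fifo_file, process sigchld) and delete the rest; the duplicates do not change the compiled policy but obscure whether the set is complete. The `courier_var_lib_t:file { read write }` rule is committed with the question "inherits file handle - should it?" still attached; that should be answered — either justified in the comment or dropped — before merging, in the same spirit as the author's own note on `userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)`.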
diff --git a/policy/modules/services/cpucontrol.fc b/policy/modules/services/cpucontrol.fc
new file mode 100644
index 0000000..6905f77
--- /dev/null
+++ b/policy/modules/services/cpucontrol.fc
@@ -0,0 +1,10 @@
+
+/etc/firmware/.*	--	gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+
+/sbin/microcode_ctl	--	gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+
+/usr/sbin/cpufreqd	--	gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/cpuspeed	--	gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/powernowd	--	gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+
+/var/run/cpufreqd.pid	--	gen_context(system_u:object_r:cpuspeed_var_run_t,s0)
diff --git a/policy/modules/services/cpucontrol.if b/policy/modules/services/cpucontrol.if
new file mode 100644
index 0000000..a827592
--- /dev/null
+++ b/policy/modules/services/cpucontrol.if
@@ -0,0 +1,17 @@
+## <summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
+
+########################################
+## <summary>
+##	CPUcontrol stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	<summary>
+##	N/A
+##	</summary>
+## </param>
+#
+interface(`cpucontrol_stub',`
+	gen_require(`
+		type cpucontrol_t;
+	')
+')
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
new file mode 100644
index 0000000..256df78
--- /dev/null
+++ b/policy/modules/services/cpucontrol.te
@@ -0,0 +1,136 @@
+
+policy_module(cpucontrol,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type cpucontrol_t;
+type cpucontrol_exec_t;
+init_system_domain(cpucontrol_t,cpucontrol_exec_t)
+
+type cpucontrol_conf_t;
+files_type(cpucontrol_conf_t)
+
+type cpuspeed_t;
+type cpuspeed_exec_t;
+init_system_domain(cpuspeed_t,cpuspeed_exec_t)
+
+type cpuspeed_var_run_t;
+files_pid_file(cpuspeed_var_run_t)
+
+########################################
+#
+# CPU microcode loader local policy
+#
+
+allow cpucontrol_t self:capability sys_rawio;
+dontaudit cpucontrol_t self:capability sys_tty_config;
+allow cpucontrol_t self:process signal_perms;
+
+allow cpucontrol_t cpucontrol_conf_t:dir r_dir_perms;
+allow cpucontrol_t cpucontrol_conf_t:file r_file_perms;
+allow cpucontrol_t cpucontrol_conf_t:lnk_file { getattr read };
+
+kernel_list_proc(cpucontrol_t)
+kernel_read_proc_symlinks(cpucontrol_t)
+kernel_read_kernel_sysctls(cpucontrol_t)
+
+dev_read_sysfs(cpucontrol_t)
+dev_rw_cpu_microcode(cpucontrol_t)
+
+fs_search_auto_mountpoints(cpucontrol_t)
+
+term_dontaudit_use_console(cpucontrol_t)
+
+domain_use_interactive_fds(cpucontrol_t)
+
+files_list_usr(cpucontrol_t)
+
+init_use_fds(cpucontrol_t)
+init_use_script_ptys(cpucontrol_t)
+
+libs_use_ld_so(cpucontrol_t)
+libs_use_shared_libs(cpucontrol_t)
+
+logging_send_syslog_msg(cpucontrol_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(cpucontrol_t)
+	term_dontaudit_use_generic_ptys(cpucontrol_t)
+	files_dontaudit_read_root_files(cpucontrol_t)
+')
+
+optional_policy(`
+	nscd_socket_use(cpucontrol_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(cpucontrol_t)
+')
+
+optional_policy(`
+	udev_read_db(cpucontrol_t)
+')
+
+########################################
+#
+# CPU frequency scaling daemons
+#
+
+dontaudit cpuspeed_t self:capability sys_tty_config;
+allow cpuspeed_t self:process { signal_perms setsched };
+allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
+
+allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms;
+files_pid_filetrans(cpuspeed_t,cpuspeed_var_run_t,file)
+
+kernel_read_system_state(cpuspeed_t)
+kernel_read_kernel_sysctls(cpuspeed_t)
+
+dev_rw_sysfs(cpuspeed_t)
+
+domain_use_interactive_fds(cpuspeed_t)
+# for demand/load-based scaling:
+domain_read_all_domains_state(cpuspeed_t)
+
+files_read_etc_files(cpuspeed_t)
+files_read_etc_runtime_files(cpuspeed_t)
+files_list_usr(cpuspeed_t)
+
+fs_search_auto_mountpoints(cpuspeed_t)
+
+term_dontaudit_use_console(cpuspeed_t)
+
+init_use_fds(cpuspeed_t)
+init_use_script_ptys(cpuspeed_t)
+
+libs_use_ld_so(cpuspeed_t)
+libs_use_shared_libs(cpuspeed_t)
+
+logging_send_syslog_msg(cpuspeed_t)
+
+miscfiles_read_localization(cpuspeed_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(cpuspeed_t)
+	term_dontaudit_use_generic_ptys(cpuspeed_t)
+	files_dontaudit_read_root_files(cpuspeed_t)
+')
+
+optional_policy(`
+	nscd_socket_use(cpuspeed_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(cpuspeed_t)
+')
+
+optional_policy(`
+	udev_read_db(cpuspeed_t)
+')
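Review bot: The `sys_rawio` capability granted on line 42 of cpucontrol.te (`allow cpucontrol_t self:capability sys_rawio;`) is the only privileged capability in this module and carries no comment explaining why a microcode loader needs it; the kernel's microcode device checks CAP_SYS_RAWIO on the write path, so a line such as `# sys_rawio: the kernel microcode update device requires CAP_SYS_RAWIO for writes` above that rule would keep the next reviewer from trimming it as excess. In the cpuspeed section, `dev_rw_sysfs(cpuspeed_t)` gives the frequency daemons write access to all of sysfs rather than only the cpufreq nodes they tune; if no narrower sysfs type exists yet in this policy, a comment noting that this is broader than required would record the least-privilege gap. The `domain_read_all_domains_state(cpuspeed_t)` rule already has such a why-comment, which is the style to follow.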
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
new file mode 100644
index 0000000..00f919a
--- /dev/null
+++ b/policy/modules/services/cron.fc
@@ -0,0 +1,40 @@
+
+/etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
+
+/usr/sbin/anacron		--	gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/atd			--	gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/cron(d)?		--	gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
+
+/var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond\.reboot		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+
+/var/spool/at			-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/at/spool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/at/[^/]*		--	<<none>>
+
+/var/spool/cron			-d	gen_context(system_u:object_r:cron_spool_t,s0)
+#/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/[^/]*		--	<<none>>
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]*	--	<<none>>
+/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
+')
+
+/var/spool/cron/crontabs 	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/crontabs/.*	--	<<none>>
+#/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+
+/var/spool/fcron		-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.*			<<none>>
+/var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
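Review bot: The `/var/spool/fcron/.*` entry in this hunk omits the `--` object-class field that every neighbouring `<<none>>` entry carries (compare `/var/spool/cron/crontabs/.*	--	<<none>>`), so it matches directories and other object types as well as regular files; if that is intended it deserves a comment, otherwise it should read `/var/spool/fcron/.*		--	<<none>>`. Separately, the `/var/spool/cron/crontabs` line has a stray space before its tab separator, which is harmless to the parser but inconsistent with the rest of the file.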
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
new file mode 100644
index 0000000..fb6b883
--- /dev/null
+++ b/policy/modules/services/cron.if
@@ -0,0 +1,578 @@
+## <summary>Periodic execution of scheduled commands.</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the cron module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for running programs on behalf of the user, from cron.
+##	A type for the user crontab is also created.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`cron_per_userdomain_template',`
+	gen_require(`
+		attribute cron_spool_type;
+		type crond_t, cron_spool_t, crontab_exec_t;
+	')
+
+	# Type of user crontabs once moved to cron spool.
+	type $1_cron_spool_t, cron_spool_type;
+	files_type($1_cron_spool_t)
+
+	type $1_crond_t;
+	domain_type($1_crond_t)
+	domain_cron_exemption_target($1_crond_t)
+	corecmd_shell_entry_type($1_crond_t)
+	role $3 types $1_crond_t;
+
+	type $1_crontab_t;
+	domain_type($1_crontab_t)
+	domain_entry_file($1_crontab_t,crontab_exec_t)
+	role $3 types $1_crontab_t;
+
+	##############################
+	#
+	# $1_crond_t local policy
+	#
+
+	allow $1_crond_t self:capability dac_override;
+	allow $1_crond_t self:process { signal_perms setsched };
+	allow $1_crond_t self:fifo_file rw_file_perms;
+	allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_crond_t self:unix_dgram_socket create_socket_perms;
+
+	# The entrypoint interface is not used as this is not
+	# a regular entrypoint.  Since crontab files are
+	# not directly executed, crond must ensure that
+	# the crontab file has a type that is appropriate
+	# for the domain of the user cron job.  It
+	# performs an entrypoint permission check
+	# for this purpose.
+	allow $1_crond_t $1_cron_spool_t:file entrypoint;
+
+	# Permit a transition from the crond_t domain to this domain.
+	# The transition is requested explicitly by the modified crond 
+	# via setexeccon.  There is no way to set up an automatic
+	# transition, since crontabs are configuration files, not executables.
+	allow crond_t $1_crond_t:process transition;
+	dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
+	allow crond_t $1_crond_t:fd use;
+	allow $1_crond_t crond_t:fd use;
+	allow $1_crond_t crond_t:fifo_file rw_file_perms;
+	allow $1_crond_t crond_t:process sigchld;
+
+	kernel_read_system_state($1_crond_t)
+	kernel_read_kernel_sysctls($1_crond_t)
+
+	# ps does not need to access /boot when run from cron
+	files_dontaudit_search_boot($1_crond_t)
+
+	corenet_non_ipsec_sendrecv($1_crond_t)
+	corenet_tcp_sendrecv_all_if($1_crond_t)
+	corenet_udp_sendrecv_all_if($1_crond_t)
+	corenet_tcp_sendrecv_all_nodes($1_crond_t)
+	corenet_udp_sendrecv_all_nodes($1_crond_t)
+	corenet_tcp_sendrecv_all_ports($1_crond_t)
+	corenet_udp_sendrecv_all_ports($1_crond_t)
+	corenet_tcp_connect_all_ports($1_crond_t)
+	corenet_sendrecv_all_client_packets($1_crond_t)
+
+	dev_read_urand($1_crond_t)
+
+	fs_getattr_all_fs($1_crond_t)
+
+	corecmd_exec_all_executables($1_crond_t)
+
+	# quiet other ps operations
+	domain_dontaudit_read_all_domains_state($1_crond_t)
+	domain_dontaudit_getattr_all_domains($1_crond_t)
+
+	files_read_usr_files($1_crond_t)
+	files_exec_etc_files($1_crond_t)
+	# for nscd:
+	files_dontaudit_search_pids($1_crond_t)
+
+	libs_use_ld_so($1_crond_t)
+	libs_use_shared_libs($1_crond_t)
+	libs_exec_lib_files($1_crond_t)
+	libs_exec_ld_so($1_crond_t)
+
+	files_read_etc_runtime_files($1_crond_t)
+	files_read_var_files($1_crond_t)
+	files_search_spool($1_crond_t)
+
+	logging_search_logs($1_crond_t)
+
+	seutil_read_config($1_crond_t)
+
+	miscfiles_read_localization($1_crond_t)
+
+	userdom_manage_user_tmp_files($1,$1_crond_t)
+	userdom_manage_user_tmp_symlinks($1,$1_crond_t)
+	userdom_manage_user_tmp_pipes($1,$1_crond_t)
+	userdom_manage_user_tmp_sockets($1,$1_crond_t)
+	# Run scripts in user home directory and access shared libs.
+	userdom_exec_user_home_content_files($1,$1_crond_t)
+	# Access user files and dirs.
+#	userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
+	userdom_manage_user_home_content_files($1,$1_crond_t)
+	userdom_manage_user_home_content_symlinks($1,$1_crond_t)
+	userdom_manage_user_home_content_pipes($1,$1_crond_t)
+	userdom_manage_user_home_content_sockets($1,$1_crond_t)
+#	userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
+
+	tunable_policy(`fcron_crond', `
+		allow crond_t $1_cron_spool_t:file create_file_perms;
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_crond_t)
+	')
+
+	ifdef(`TODO',`
+	optional_policy(`
+		create_dir_file($1_crond_t, httpd_$1_content_t)
+	')
+	allow $1_crond_t tmp_t:dir rw_dir_perms;
+	type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
+
+	ifdef(`mta.te', `
+		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
+		allow $1_crond_t sendmail_exec_t:lnk_file r_file_perms;
+
+		# $1_mail_t should only be reading from the cron fifo not needing to write
+		dontaudit $1_mail_t crond_t:fifo_file write;
+		allow mta_user_agent $1_crond_t:fd use;
+	')
+	') dnl endif TODO
+
+	##############################
+	#
+	# $1_crontab_t local policy
+	#
+
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
+	allow $2 $1_crontab_t:fd use;
+	allow $1_crontab_t $2:fd use;
+	allow $1_crontab_t $2:fifo_file rw_file_perms;
+	allow $1_crontab_t $2:process sigchld;
+
+	# crontab shows up in user ps
+	allow $2 $1_crontab_t:dir { search getattr read };
+	allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
+	allow $2 $1_crontab_t:process getattr;
+	dontaudit $2 $1_crontab_t:process ptrace;
+
+	# for ^Z
+	allow $2 $1_crontab_t:process signal;
+
+	# Allow crond to read those crontabs in cron spool.
+	allow crond_t $1_cron_spool_t:file create_file_perms;
+
+	# dac_override is to create the file in the directory under /tmp
+	allow $1_crontab_t self:capability { setuid setgid chown dac_override };
+	allow $1_crontab_t self:process signal_perms;
+
+	# create files in /var/spool/cron
+	allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
+	allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
+	type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t;
+
+	# crontab signals crond by updating the mtime on the spooldir
+	allow $1_crontab_t cron_spool_t:dir setattr;
+
+	kernel_read_system_state($1_crontab_t)
+
+	# for the checks used by crontab -u
+	selinux_dontaudit_search_fs($1_crontab_t)
+
+	fs_getattr_xattr_fs($1_crontab_t)
+
+	# Run helper programs as the user domain
+	corecmd_bin_domtrans($1_crontab_t,$2)
+	corecmd_sbin_domtrans($1_crontab_t,$2)
+	corecmd_shell_domtrans($1_crontab_t,$2)
+
+	domain_use_interactive_fds($1_crontab_t)
+
+	files_read_etc_files($1_crontab_t)
+	files_dontaudit_search_pids($1_crontab_t)
+
+	libs_use_ld_so($1_crontab_t)
+	libs_use_shared_libs($1_crontab_t)
+
+	logging_send_syslog_msg($1_crontab_t)
+
+	miscfiles_read_localization($1_crontab_t)
+
+	seutil_read_config($1_crontab_t)
+
+	userdom_manage_user_tmp_dirs($1,$1_crontab_t)
+	userdom_manage_user_tmp_files($1,$1_crontab_t)
+	# Access terminals.
+	userdom_use_user_terminals($1,$1_crontab_t)
+	# Read user crontabs
+	userdom_read_user_home_content_files($1,$1_crontab_t)
+
+	tunable_policy(`fcron_crond', `
+		# fcron wants an instant update of a crontab change for the administrator
+		# also crontab does a security check for crontab -u
+		dontaudit $1_crontab_t crond_t:process signal;
+	')
+
+	ifdef(`TODO',`
+	allow $1_crond_t tmp_t:dir rw_dir_perms;
+	type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
+
+	# Read user crontabs
+	dontaudit $1_crontab_t $1_home_dir_t:dir write;
+	') dnl endif TODO
+')
+
+#######################################
+## <summary>
+##	The administrative functions template for the cron module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates rules for administrating the cron service,
+##	allowing the specified user to manage other user crontabs.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`cron_admin_template',`
+	gen_require(`
+		attribute cron_spool_type;
+		type $1_crontab_t, $1_crond_t;
+	')
+
+	# Allow our crontab domain to unlink a user cron spool file.
+	allow $1_crontab_t cron_spool_type:file { getattr read unlink };
+
+	logging_read_generic_logs($1_crond_t)
+
+	# Manipulate other users crontab.
+	selinux_get_fs_mount($1_crontab_t)
+	selinux_validate_context($1_crontab_t)
+	selinux_compute_access_vector($1_crontab_t)
+	selinux_compute_create_context($1_crontab_t)
+	selinux_compute_relabel_context($1_crontab_t)
+	selinux_compute_user_contexts($1_crontab_t)
+
+	tunable_policy(`fcron_crond', `
+		# fcron wants an instant update of a crontab change for the administrator
+		# also crontab does a security check for crontab -u
+		allow $1_crontab_t self:process setfscreate;
+		selinux_get_fs_mount($1_crontab_t)
+	')
+')
+
+########################################
+## <summary>
+##	Make the specified program domain accessable
+##	from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to transition to.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type of the file used as an entrypoint to this domain.
+##	</summary>
+## </param>
+#
+interface(`cron_system_entry',`
+	gen_require(`
+		type crond_t, system_crond_t;
+	')
+
+	domain_auto_trans(system_crond_t, $2, $1)
+
+	# cjp: perhaps these four rules from the old
+	# domain_auto_trans are not needed?
+	allow system_crond_t $1:fd use;
+	allow $1 system_crond_t:fd use;
+	allow $1 system_crond_t:fifo_file rw_file_perms;
+	allow $1 system_crond_t:process sigchld;
+
+	allow $1 crond_t:fifo_file rw_file_perms;
+	allow $1 crond_t:fd use;
+	allow $1 crond_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit and use a file descriptor
+##	from the cron daemon.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_use_fds',`
+	gen_require(`
+		type crond_t;
+	')
+
+	allow $1 crond_t:fd use;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to the cron daemon.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_sigchld',`
+	gen_require(`
+		type crond_t;
+	')
+
+	allow $1 crond_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read a cron daemon unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_read_pipes',`
+	gen_require(`
+		type crond_t;
+	')
+
+	allow $1 crond_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write cron daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_dontaudit_write_pipes',`
+	gen_require(`
+		type crond_t;
+	')
+
+	dontaudit $1 crond_t:fifo_file write;
+')
+
+########################################
+## <summary>
+##	Read and write a cron daemon unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_rw_pipes',`
+	gen_require(`
+		type crond_t;
+	')
+
+	allow $1 crond_t:fifo_file { getattr read write };
+')
+
+########################################
+## <summary>
+##	Read, and write cron daemon TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_rw_tcp_sockets',`
+	gen_require(`
+		type crond_t;
+	')
+
+	allow $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Search the directory containing user cron tables.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to performing this action.
+##	</summary>
+## </param>
+#
+interface(`cron_search_spool',`
+	gen_require(`
+		type cron_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 cron_spool_t:dir search;
+')
+
+########################################
+## <summary>
+##	Execute APM in the apm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_anacron_domtrans_system_job',`
+	gen_require(`
+		type system_crond_t, anacron_exec_t;
+	')
+
+	domain_auto_trans($1,anacron_exec_t,system_crond_t)
+
+	allow $1 system_crond_t:fd use;
+	allow system_crond_t $1:fd use;
+	allow system_crond_t $1:fifo_file rw_file_perms;
+	allow system_crond_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit and use a file descriptor
+##	from system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_use_system_job_fds',`
+	gen_require(`
+		type system_crond_t;
+	')
+
+	allow $1 system_crond_t:fd use;
+')
+
+########################################
+## <summary>
+##	Write a system cron job unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_write_system_job_pipes',`
+	gen_require(`
+		type system_crond_t;
+	')
+
+	allow $1 system_crond_t:file write;
+')
+
+########################################
+## <summary>
+##	Read and write a system cron job unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_rw_system_job_pipes',`
+	gen_require(`
+		type system_crond_t;
+	')
+
+	allow $1 system_crond_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_read_system_job_tmp_files',`
+	gen_require(`
+		type system_crond_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 system_crond_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to append temporary
+##	files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`cron_dontaudit_append_system_job_tmp_files',`
+	gen_require(`
+		type system_crond_tmp_t;
+	')
+
+	dontaudit $1 system_crond_tmp_t:file append;
+')
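Review bot: `cron_write_system_job_pipes` grants `allow $1 system_crond_t:file write;` although its summary says it writes an unnamed pipe and its sibling `cron_rw_system_job_pipes` uses the `fifo_file` class; as written the interface does not permit the pipe write it documents, so the rule should be `allow $1 system_crond_t:fifo_file write;`. The summary of `cron_anacron_domtrans_system_job` reads "Execute APM in the apm domain.", which looks copied from another module and should describe this interface, e.g. "Execute anacron in the system cron job domain."; the `cron_search_spool` parameter text "The type of the process to performing this action." also needs the stray "to" removed. In `cron_per_userdomain_template`, the `$1_crond_t` domain receives send/receive on all interfaces, nodes and ports plus `corenet_tcp_connect_all_ports`, a very wide network grant for user cron jobs that would benefit from a one-line comment stating it is intentional.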
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
new file mode 100644
index 0000000..3b48afb
--- /dev/null
+++ b/policy/modules/services/cron.te
@@ -0,0 +1,446 @@
+
+policy_module(cron,1.3.9)
+
+gen_require(`
+	class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+attribute cron_spool_type;
+
+type anacron_exec_t;
+corecmd_executable_file(anacron_exec_t)
+
+type cron_spool_t;
+files_type(cron_spool_t)
+
+type crond_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type crond_exec_t;
+')
+init_daemon_domain(crond_t,crond_exec_t)
+domain_interactive_fd(crond_t)
+domain_cron_exemption_source(crond_t)
+
+type crond_tmp_t;
+files_tmp_file(crond_tmp_t)
+
+type crond_var_run_t;
+files_pid_file(crond_var_run_t)
+
+type crontab_exec_t;
+corecmd_executable_file(crontab_exec_t)
+
+type system_cron_spool_t, cron_spool_type;
+files_type(system_cron_spool_t)
+
+ifdef(`targeted_policy',`
+	typealias crond_t alias system_crond_t;
+',`
+	type system_crond_t;
+')
+init_daemon_domain(system_crond_t,anacron_exec_t)
+corecmd_shell_entry_type(system_crond_t)
+role system_r types system_crond_t;
+
+type system_crond_lock_t;
+files_lock_file(system_crond_lock_t)
+
+type system_crond_tmp_t;
+files_tmp_file(system_crond_tmp_t)
+
+ifdef(`targeted_policy',`
+	type sysadm_cron_spool_t;
+	files_type(sysadm_cron_spool_t)
+')
+
+########################################
+#
+# Cron Local policy
+#
+
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow crond_t self:process { setexec setfscreate };
+allow crond_t self:fd use;
+allow crond_t self:fifo_file rw_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
+allow crond_t self:unix_dgram_socket sendto;
+allow crond_t self:unix_stream_socket connectto;
+allow crond_t self:shm create_shm_perms;
+allow crond_t self:sem create_sem_perms;
+allow crond_t self:msgq create_msgq_perms;
+allow crond_t self:msg { send receive };
+
+allow crond_t crond_var_run_t:file create_file_perms;
+files_pid_filetrans(crond_t,crond_var_run_t,file)
+
+allow crond_t cron_spool_t:dir rw_dir_perms;
+allow crond_t cron_spool_t:file r_file_perms;
+allow crond_t system_cron_spool_t:dir r_dir_perms;
+allow crond_t system_cron_spool_t:file r_file_perms;
+
+kernel_read_kernel_sysctls(crond_t)
+dev_read_sysfs(crond_t)
+selinux_get_fs_mount(crond_t)
+selinux_validate_context(crond_t)
+selinux_compute_access_vector(crond_t)
+selinux_compute_create_context(crond_t)
+selinux_compute_relabel_context(crond_t)
+selinux_compute_user_contexts(crond_t)
+
+dev_read_urand(crond_t)
+
+fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
+
+term_dontaudit_use_console(crond_t)
+
+# need auth_chkpwd to check for locked accounts.
+auth_domtrans_chk_passwd(crond_t)
+
+corecmd_exec_shell(crond_t)
+corecmd_list_sbin(crond_t)
+corecmd_read_sbin_symlinks(crond_t)
+
+domain_use_interactive_fds(crond_t)
+
+files_read_etc_files(crond_t)
+files_read_generic_spool(crond_t)
+files_list_usr(crond_t)
+# Read from /var/spool/cron.
+files_search_var_lib(crond_t)
+files_search_default(crond_t)
+
+init_use_fds(crond_t)
+init_use_script_ptys(crond_t)
+init_rw_utmp(crond_t)
+
+libs_use_ld_so(crond_t)
+libs_use_shared_libs(crond_t)
+
+logging_send_syslog_msg(crond_t)
+
+seutil_read_config(crond_t)
+seutil_read_default_contexts(crond_t)
+seutil_sigchld_newrole(crond_t)
+
+miscfiles_read_localization(crond_t)
+
+userdom_use_unpriv_users_fds(crond_t)
+# Not sure why this is needed
+userdom_list_all_users_home_dirs(crond_t)
+
+ifdef(`distro_redhat', `
+	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+	# via redirection of standard out.
+	optional_policy(`
+		rpm_manage_log(crond_t)
+	')
+')
+
+ifdef(`targeted_policy',`
+	allow crond_t system_crond_tmp_t:dir create_dir_perms;
+	allow crond_t system_crond_tmp_t:file create_file_perms;
+	allow crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
+	allow crond_t system_crond_tmp_t:sock_file create_file_perms;
+	allow crond_t system_crond_tmp_t:fifo_file create_file_perms;
+	files_tmp_filetrans(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
+	unconfined_domain(crond_t)
+
+	userdom_manage_generic_user_home_content_dirs(crond_t)
+	userdom_manage_generic_user_home_content_files(crond_t)
+	userdom_manage_generic_user_home_content_symlinks(crond_t)
+	userdom_manage_generic_user_home_content_sockets(crond_t)
+	userdom_manage_generic_user_home_content_pipes(crond_t)
+	userdom_generic_user_home_dir_filetrans_generic_user_home_content(crond_t,{ dir file lnk_file fifo_file sock_file })
+
+	allow crond_t unconfined_t:dbus send_msg;
+	allow crond_t initrc_t:dbus send_msg;
+
+	optional_policy(`
+		mono_domtrans(crond_t)
+	')
+',`
+	allow crond_t crond_tmp_t:dir create_dir_perms;
+	allow crond_t crond_tmp_t:file create_file_perms;
+	files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
+
+	mta_send_mail(crond_t)
+')
+
+tunable_policy(`fcron_crond', `
+	allow crond_t system_cron_spool_t:file create_file_perms;
+')
+
+optional_policy(`
+	amavis_search_lib(crond_t)
+')
+
+optional_policy(`
+	hal_dbus_send(crond_t)
+')
+
+optional_policy(`
+	# cjp: why?
+	munin_search_lib(crond_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(crond_t)
+')
+
+optional_policy(`
+	nscd_socket_use(crond_t)
+')
+
+optional_policy(`
+	# Commonly used from postinst scripts
+	rpm_read_pipes(crond_t)
+')
+
+optional_policy(`
+	# allow crond to find /usr/lib/postgresql/bin/do.maintenance
+	postgresql_search_db(crond_t)
+')
+
+optional_policy(`
+	udev_read_db(crond_t)
+')
+
+########################################
+#
+# System cron process domain
+#
+
+optional_policy(`
+	# cjp: why?
+	squid_domtrans(system_crond_t)
+')
+
+ifdef(`targeted_policy',`
+	# cjp: FIXME
+	allow crond_t unconfined_t:process transition;
+',`
+	allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
+	allow system_crond_t self:process { signal_perms setsched };
+	allow system_crond_t self:fifo_file rw_file_perms;
+	allow system_crond_t self:passwd rootok;
+
+	# The entrypoint interface is not used as this is not
+	# a regular entrypoint.  Since crontab files are
+	# not directly executed, crond must ensure that
+	# the crontab file has a type that is appropriate
+	# for the domain of the user cron job.  It
+	# performs an entrypoint permission check
+	# for this purpose.
+	allow system_crond_t system_cron_spool_t:file entrypoint;
+
+	allow system_crond_t system_cron_spool_t:file r_file_perms;
+
+	# Permit a transition from the crond_t domain to this domain.
+	# The transition is requested explicitly by the modified crond 
+	# via setexeccon.  There is no way to set up an automatic
+	# transition, since crontabs are configuration files, not executables.
+	allow crond_t system_crond_t:process transition;
+	dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
+	allow crond_t system_crond_t:fd use;
+	allow system_crond_t crond_t:fd use;
+	allow system_crond_t crond_t:fifo_file rw_file_perms;
+	allow system_crond_t crond_t:process sigchld;
+
+	# Write /var/lock/makewhatis.lock.
+	allow system_crond_t system_crond_lock_t:file create_file_perms;
+	files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
+
+	# write temporary files
+	allow system_crond_t system_crond_tmp_t:file create_file_perms;
+	files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
+
+	# write temporary files in crond tmp dir:
+	allow system_crond_t crond_tmp_t:dir rw_dir_perms;
+	type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
+
+	# Read from /var/spool/cron.
+	allow system_crond_t cron_spool_t:dir r_dir_perms;
+	allow system_crond_t cron_spool_t:file r_file_perms;
+
+	kernel_read_kernel_sysctls(system_crond_t)
+	kernel_read_system_state(system_crond_t)
+	kernel_read_software_raid_state(system_crond_t)
+
+	# ps does not need to access /boot when run from cron
+	files_dontaudit_search_boot(system_crond_t)
+
+	corecmd_exec_all_executables(system_crond_t)
+
+	corenet_non_ipsec_sendrecv(system_crond_t)
+	corenet_tcp_sendrecv_all_if(system_crond_t)
+	corenet_udp_sendrecv_all_if(system_crond_t)
+	corenet_tcp_sendrecv_all_nodes(system_crond_t)
+	corenet_udp_sendrecv_all_nodes(system_crond_t)
+	corenet_tcp_sendrecv_all_ports(system_crond_t)
+	corenet_udp_sendrecv_all_ports(system_crond_t)
+
+	dev_getattr_all_blk_files(system_crond_t)
+	dev_getattr_all_chr_files(system_crond_t)
+	dev_read_urand(system_crond_t)
+
+	fs_getattr_all_fs(system_crond_t)
+	fs_getattr_all_files(system_crond_t)
+	fs_getattr_all_symlinks(system_crond_t)
+	fs_getattr_all_pipes(system_crond_t)
+	fs_getattr_all_sockets(system_crond_t)
+
+	# quiet other ps operations
+	domain_dontaudit_read_all_domains_state(system_crond_t)
+
+	files_exec_etc_files(system_crond_t)
+	files_read_etc_files(system_crond_t)
+	files_read_etc_runtime_files(system_crond_t)
+	files_list_all(system_crond_t)
+	files_getattr_all_dirs(system_crond_t)
+	files_getattr_all_files(system_crond_t)
+	files_getattr_all_symlinks(system_crond_t)
+	files_getattr_all_pipes(system_crond_t)
+	files_getattr_all_sockets(system_crond_t)
+	files_read_usr_files(system_crond_t)
+	files_read_var_files(system_crond_t)
+	# for nscd:
+	files_dontaudit_search_pids(system_crond_t)
+	# Access other spool directories like
+	# /var/spool/anacron and /var/spool/slrnpull.
+	files_manage_generic_spool(system_crond_t)
+
+	init_use_fds(system_crond_t)
+	init_use_script_fds(system_crond_t)
+	init_use_script_ptys(system_crond_t)
+	init_read_utmp(system_crond_t)
+	init_dontaudit_rw_utmp(system_crond_t)
+	# prelink tells init to restart it self, we either need to allow or dontaudit
+	init_write_initctl(system_crond_t)
+
+	libs_use_ld_so(system_crond_t)
+	libs_use_shared_libs(system_crond_t)
+	libs_exec_lib_files(system_crond_t)
+	libs_exec_ld_so(system_crond_t)
+
+	logging_read_generic_logs(system_crond_t)
+	logging_send_syslog_msg(system_crond_t)
+
+	miscfiles_read_localization(system_crond_t)
+	miscfiles_manage_man_pages(system_crond_t)
+
+	seutil_read_config(system_crond_t)
+
+	mta_send_mail(system_crond_t)
+
+	ifdef(`distro_redhat', `
+		# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+		# via redirection of standard out.
+		optional_policy(`
+			rpm_manage_log(system_crond_t)
+		')
+	')
+
+	tunable_policy(`cron_can_relabel',`
+		seutil_domtrans_setfiles(system_crond_t)
+		seutil_domtrans_restorecon(system_crond_t)
+	',`
+		selinux_get_fs_mount(system_crond_t)
+		selinux_validate_context(system_crond_t)
+		selinux_compute_access_vector(system_crond_t)
+		selinux_compute_create_context(system_crond_t)
+		selinux_compute_relabel_context(system_crond_t)
+		selinux_compute_user_contexts(system_crond_t)
+		seutil_read_file_contexts(system_crond_t)
+	')
+
+	optional_policy(`
+		# Needed	 for certwatch
+		apache_exec_modules(system_crond_t)
+		apache_read_config(system_crond_t)
+		apache_read_log(system_crond_t)
+		apache_read_sys_content(system_crond_t)
+	')
+
+	optional_policy(`
+		cyrus_manage_data(system_crond_t)
+	')
+
+	optional_policy(`
+		ftp_read_log(system_crond_t)
+	')
+
+	optional_policy(`
+		inn_manage_log(system_crond_t)
+		inn_manage_pid(system_crond_t)
+		inn_read_config(system_crond_t)
+	')
+
+	optional_policy(`
+		mrtg_append_create_logs(system_crond_t)
+	')
+
+	optional_policy(`
+		mta_send_mail(system_crond_t)
+	')
+
+	optional_policy(`
+		mysql_read_config(system_crond_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind(system_crond_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use(system_crond_t)
+	')
+
+	optional_policy(`
+		postfix_read_config(system_crond_t)
+	')	
+
+	optional_policy(`
+		prelink_read_cache(system_crond_t)
+		prelink_manage_log(system_crond_t)
+		prelink_delete_cache(system_crond_t)
+	')
+
+	optional_policy(`
+		samba_read_config(system_crond_t)
+		samba_read_log(system_crond_t)
+		#samba_read_secrets(system_crond_t)
+	')
+
+	optional_policy(`
+		slocate_create_append_log(system_crond_t)
+	')
+
+	optional_policy(`
+		sysstat_manage_log(system_crond_t)
+	')
+
+	ifdef(`TODO',`
+	dontaudit userdomain system_crond_t:fd use;
+
+	allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
+
+	# for if /var/mail is a symlink
+	allow system_crond_t mail_spool_t:lnk_file read;
+
+	ifdef(`mta.te', `
+	allow mta_user_agent system_crond_t:fd use;
+	r_dir_file(system_mail_t, crond_tmp_t)
+	')
+	') dnl end TODO
+')
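Review bot: The negated permission set `allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes setexec and setfscreate, and the very next rule `allow crond_t self:process { setexec setfscreate };` grants both back, so a reader of the first rule is misled about what crond_t may do; either remove the two names from the `~{ … }` list and drop the second rule, or keep the exclusion and delete the second rule if it is a leftover. The `audit_control` capability in `allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };` is the only one in that set without an evident cron use and has no comment; a note such as `# audit_control: presumably for setting the audit loginuid of job sessions via PAM — confirm` would document the intent. In the targeted branch, `unconfined_domain(crond_t)` together with the `# cjp: FIXME` transition to unconfined_t means none of the crond_t restrictions above apply on that policy type, which the "Cron Local policy" header comment could state so the scope of the rules is not overestimated.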
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
new file mode 100644
index 0000000..44831b1
--- /dev/null
+++ b/policy/modules/services/cups.fc
@@ -0,0 +1,54 @@
+
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)?			gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/hp(/.*)?			gen_context(system_u:object_r:hplip_etc_t,s0)
+
+/etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+
+/usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+/usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod		--	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-photod	--	gen_context(system_u:object_r:ptal_exec_t,s0)
+
+/usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/hpssd.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
+
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
+/var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
+
+/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
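Review bot: `/etc/cups/certs` and `/var/lib/cups/certs` are given the same `cupsd_rw_etc_t` type as printers.conf, the PPD cache and `/var/cache/cups`, so any domain handed the rw-config read interface from cups.if (`cups_read_config` / `cups_read_rw_config`) can also read whatever lives under the certs directories. If those are the certificate files CUPS uses for local authentication (presumably — confirm against the shipped CUPS version), they are secrets rather than configuration and should carry a dedicated type, e.g. `/etc/cups/certs(/.*)? gen_context(system_u:object_r:cupsd_certs_t,s0)` (declared in cups.te and granted to cupsd_t only), so that read-config interfaces do not hand them out. Separately, `/usr/share/foomatic/db/oldprinterids` is labeled with the cupsd-writable type under `/usr/share`; worth a comment stating which cupsd path actually rewrites it, since a writable object under /usr is otherwise surprising.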
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
new file mode 100644
index 0000000..5f3a5cb
--- /dev/null
+++ b/policy/modules/services/cups.if
@@ -0,0 +1,249 @@
+## <summary>Common UNIX printing system</summary>
+
+########################################
+## <summary>
+##	Execute cups in the cups domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`cups_domtrans',`
+	gen_require(`
+		type cupsd_t, cupsd_exec_t;
+	')
+
+	domain_auto_trans($1,cupsd_exec_t,cupsd_t)
+
+	allow $1 cupsd_t:fd use;
+	allow cupsd_t $1:fd use;
+	allow cupsd_t $1:fifo_file rw_file_perms;
+	allow cupsd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Connect to cupsd over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_stream_connect',`
+	gen_require(`
+		type cupsd_t, cupsd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 cupsd_var_run_t:dir search;
+	allow $1 cupsd_var_run_t:sock_file { getattr write };
+	allow $1 cupsd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Connect to cups over TCP.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_tcp_connect',`
+	gen_require(`
+		type cupsd_t;
+	')
+
+	allow $1 cupsd_t:tcp_socket { connectto recvfrom };
+	allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	cups over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_dbus_chat',`
+	gen_require(`
+		type cupsd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 cupsd_t:dbus send_msg;
+	allow cupsd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Execute cups_config in the cups_config domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`cups_domtrans_config',`
+	gen_require(`
+		type cupsd_config_t, cupsd_config_exec_t;
+	')
+
+	domain_auto_trans($1,cupsd_config_exec_t,cupsd_config_t)
+
+	allow $1 cupsd_config_t:fd use;
+	allow cupsd_config_t $1:fd use;
+	allow cupsd_config_t $1:fifo_file rw_file_perms;
+	allow cupsd_config_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send generic signals to the cups
+##	configuration daemon.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_signal_config',`
+	gen_require(`
+		type cupsd_config_t;
+	')
+
+	allow $1 cupsd_config_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	cupsd_config over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_dbus_chat_config',`
+	gen_require(`
+		type cupsd_config_t;
+		class dbus send_msg;
+	')
+
+	allow $1 cupsd_config_t:dbus send_msg;
+	allow cupsd_config_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Read cups configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_read_config',`
+	gen_require(`
+		type cupsd_etc_t, cupsd_rw_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 cupsd_etc_t:dir search_dir_perms;
+	allow $1 cupsd_etc_t:file { getattr read };
+	allow $1 cupsd_rw_etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read cups-writable configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_read_rw_config',`
+	gen_require(`
+		type cupsd_etc_t, cupsd_rw_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 cupsd_etc_t:dir search_dir_perms;
+	allow $1 cupsd_rw_etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read cups log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_read_log',`
+	gen_require(`
+		type cupsd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 cupsd_log_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Write cups log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_write_log',`
+	gen_require(`
+		type cupsd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 cupsd_log_t:file write;
+')
+
+########################################
+## <summary>
+##	Connect to ptal over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_stream_connect_ptal',`
+	gen_require(`
+		type ptal_t, ptal_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 ptal_var_run_t:dir search;
+	allow $1 ptal_var_run_t:sock_file write;
+	allow $1 ptal_t:unix_stream_socket connectto;
+')
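Review bot: `cups_write_log` grants `cupsd_log_t:file write` rather than `append`, so a caller can overwrite or truncate existing log content instead of only adding records; unless a consumer is known to rewrite the log, the least-privilege form is `allow $1 cupsd_log_t:file { getattr append };`, with `getattr` added because the interface otherwise cannot even stat the file it writes. The two stream-connect interfaces are also inconsistent: `cups_stream_connect` allows `sock_file { getattr write }` while `cups_stream_connect_ptal` allows only `write`; aligning them avoids a spurious getattr denial for ptal clients that stat the socket before connecting.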
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
new file mode 100644
index 0000000..48ed810
--- /dev/null
+++ b/policy/modules/services/cups.te
@@ -0,0 +1,738 @@
+
+policy_module(cups,1.3.10)
+
+########################################
+#
+# Declarations
+#
+
+type cupsd_config_t;
+type cupsd_config_exec_t;
+init_daemon_domain(cupsd_config_t,cupsd_config_exec_t)
+
+type cupsd_config_var_run_t;
+files_pid_file(cupsd_config_var_run_t)
+
+type cupsd_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type cupsd_exec_t;
+')
+init_daemon_domain(cupsd_t,cupsd_exec_t)
+
+type cupsd_etc_t;
+files_config_file(cupsd_etc_t)
+
+type cupsd_rw_etc_t;
+files_config_file(cupsd_rw_etc_t)
+
+type cupsd_log_t;
+logging_log_file(cupsd_log_t)
+
+type cupsd_lpd_t;
+type cupsd_lpd_exec_t;
+domain_type(cupsd_lpd_t)
+domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t)
+role system_r types cupsd_lpd_t;
+
+type cupsd_lpd_tmp_t;
+files_tmp_file(cupsd_lpd_tmp_t)
+
+type cupsd_lpd_var_run_t;
+files_pid_file(cupsd_lpd_var_run_t)
+
+type cupsd_tmp_t;
+files_tmp_file(cupsd_tmp_t)
+
+type cupsd_var_run_t;
+files_pid_file(cupsd_var_run_t)
+
+type hplip_t;
+type hplip_exec_t;
+init_daemon_domain(hplip_t,hplip_exec_t)
+
+type hplip_etc_t;
+files_config_file(hplip_etc_t)
+
+type hplip_var_run_t;
+files_pid_file(hplip_var_run_t)
+
+type ptal_t;
+type ptal_exec_t;
+init_daemon_domain(ptal_t,ptal_exec_t)
+
+type ptal_etc_t;
+files_config_file(ptal_etc_t)
+
+type ptal_var_run_t;
+files_pid_file(ptal_var_run_t)
+
+########################################
+#
+# Cups local policy
+#
+
+# /usr/lib/cups/backend/serial needs sys_admin(?!)
+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
+dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+allow cupsd_t self:process { setsched signal_perms };
+allow cupsd_t self:fifo_file rw_file_perms;
+allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow cupsd_t self:unix_dgram_socket create_socket_perms;
+allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
+allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
+allow cupsd_t self:udp_socket create_socket_perms;
+allow cupsd_t self:appletalk_socket create_socket_perms;
+# generic socket here until appletalk socket is available in kernels
+allow cupsd_t self:socket create_socket_perms;
+
+allow cupsd_t cupsd_etc_t:file { r_file_perms setattr };
+allow cupsd_t cupsd_etc_t:dir { rw_dir_perms setattr };
+allow cupsd_t cupsd_etc_t:lnk_file { getattr read };
+files_search_etc(cupsd_t)
+
+allow cupsd_t cupsd_rw_etc_t:file manage_file_perms;
+allow cupsd_t cupsd_rw_etc_t:dir manage_dir_perms;
+type_transition cupsd_t cupsd_etc_t:file cupsd_rw_etc_t;
+files_var_filetrans(cupsd_t,cupsd_rw_etc_t,{ dir file })
+
+# allow cups to execute its backend scripts
+can_exec(cupsd_t, cupsd_exec_t)
+allow cupsd_t cupsd_exec_t:dir search;
+allow cupsd_t cupsd_exec_t:lnk_file read;
+
+allow cupsd_t cupsd_log_t:file create_file_perms;
+allow cupsd_t cupsd_log_t:dir { setattr rw_dir_perms };
+logging_log_filetrans(cupsd_t,cupsd_log_t,{ file dir })
+
+allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
+allow cupsd_t cupsd_tmp_t:file create_file_perms;
+allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
+files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+
+allow cupsd_t cupsd_var_run_t:file create_file_perms;
+allow cupsd_t cupsd_var_run_t:dir { setattr rw_dir_perms };
+allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
+
+allow cupsd_t hplip_var_run_t:file { read getattr };
+
+allow cupsd_t ptal_var_run_t:dir search;
+allow cupsd_t ptal_var_run_t:sock_file { write setattr };
+allow cupsd_t ptal_t:unix_stream_socket connectto;
+
+kernel_read_system_state(cupsd_t)
+kernel_read_network_state(cupsd_t)
+kernel_read_all_sysctls(cupsd_t)
+kernel_tcp_recvfrom(cupsd_t)
+
+corenet_non_ipsec_sendrecv(cupsd_t)
+corenet_tcp_sendrecv_all_if(cupsd_t)
+corenet_udp_sendrecv_all_if(cupsd_t)
+corenet_raw_sendrecv_all_if(cupsd_t)
+corenet_tcp_sendrecv_all_nodes(cupsd_t)
+corenet_udp_sendrecv_all_nodes(cupsd_t)
+corenet_raw_sendrecv_all_nodes(cupsd_t)
+corenet_tcp_sendrecv_all_ports(cupsd_t)
+corenet_udp_sendrecv_all_ports(cupsd_t)
+corenet_tcp_bind_all_nodes(cupsd_t)
+corenet_udp_bind_all_nodes(cupsd_t)
+corenet_tcp_bind_ipp_port(cupsd_t)
+corenet_udp_bind_ipp_port(cupsd_t)
+corenet_tcp_bind_reserved_port(cupsd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+corenet_tcp_connect_all_ports(cupsd_t)
+corenet_sendrecv_hplip_client_packets(cupsd_t)
+corenet_sendrecv_ipp_client_packets(cupsd_t)
+corenet_sendrecv_ipp_server_packets(cupsd_t)
+
+dev_rw_printer(cupsd_t)
+dev_read_urand(cupsd_t)
+dev_read_sysfs(cupsd_t)
+dev_read_usbfs(cupsd_t)
+
+fs_getattr_all_fs(cupsd_t)
+fs_search_auto_mountpoints(cupsd_t)
+# from old usercanread attrib:
+fs_read_removable_files(cupsd_t)
+
+term_dontaudit_use_console(cupsd_t)
+term_write_unallocated_ttys(cupsd_t)
+term_search_ptys(cupsd_t)
+
+auth_domtrans_chk_passwd(cupsd_t)
+auth_dontaudit_read_pam_pid(cupsd_t)
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+corecmd_exec_shell(cupsd_t)
+corecmd_exec_bin(cupsd_t)
+corecmd_exec_sbin(cupsd_t)
+
+domain_use_interactive_fds(cupsd_t)
+
+files_read_etc_files(cupsd_t)
+files_read_etc_runtime_files(cupsd_t)
+# read python modules
+files_read_usr_files(cupsd_t)
+# for /var/lib/defoma
+files_search_var_lib(cupsd_t)
+files_list_world_readable(cupsd_t)
+files_read_world_readable_files(cupsd_t)
+files_read_world_readable_symlinks(cupsd_t)
+# Satisfy readahead
+files_read_var_files(cupsd_t)
+files_read_var_symlinks(cupsd_t)
+# for /etc/printcap
+files_dontaudit_write_etc_files(cupsd_t)
+
+init_use_fds(cupsd_t)
+init_use_script_ptys(cupsd_t)
+init_exec_script_files(cupsd_t)
+
+libs_use_ld_so(cupsd_t)
+libs_use_shared_libs(cupsd_t)
+# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
+libs_read_lib_files(cupsd_t)
+
+logging_send_syslog_msg(cupsd_t)
+
+miscfiles_read_localization(cupsd_t)
+# invoking ghostscript needs to read fonts
+miscfiles_read_fonts(cupsd_t)
+
+seutil_dontaudit_read_config(cupsd_t)
+
+sysnet_read_config(cupsd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_all_users_home_content(cupsd_t)
+
+# Write to /var/spool/cups.
+lpd_manage_spool(cupsd_t)
+
+ifdef(`targeted_policy',`
+	files_dontaudit_read_root_files(cupsd_t)
+
+	term_dontaudit_use_unallocated_ttys(cupsd_t)
+	term_dontaudit_use_generic_ptys(cupsd_t)
+
+	init_stream_connect_script(cupsd_t)
+
+	unconfined_read_pipes(cupsd_t)
+
+	optional_policy(`
+		init_dbus_chat_script(cupsd_t)
+
+		unconfined_dbus_send(cupsd_t)
+
+		dbus_stub(cupsd_t)
+	')
+')
+
+optional_policy(`
+	cron_system_entry(cupsd_t, cupsd_exec_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client_template(cupsd,cupsd_t)
+	dbus_send_system_bus(cupsd_t)
+
+	userdom_dbus_send_all_users(cupsd_t)
+
+	optional_policy(`
+		hal_dbus_chat(cupsd_t)
+	')
+')
+
+optional_policy(`
+	hostname_exec(cupsd_t)
+')
+
+optional_policy(`
+	inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(cupsd_t)
+')
+
+optional_policy(`
+	portmap_udp_chat(cupsd_t)
+')
+
+optional_policy(`
+	# from old usercanread attrib:
+	rpc_read_nfs_content(cupsd_t)
+	rpc_read_nfs_state_data(cupsd_t)
+')
+
+optional_policy(`
+	samba_rw_var_files(cupsd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(cupsd_t)
+')
+
+optional_policy(`
+	udev_read_db(cupsd_t)
+')
+
+optional_policy(`
+	# from old usercanread attrib:
+	usermanage_read_crack_db(cupsd_t)
+')
+
+optional_policy(`
+	# from old usercanread attrib:
+	xserver_read_xkb_libs(cupsd_t)
+')
+
+ifdef(`TODO',`
+allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
+allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
+allow cupsd_t kernel_t:tcp_socket recvfrom;
+allow web_client_domain kernel_t:tcp_socket recvfrom;
+') dnl end TODO
+
+allow cupsd_t usercanread:dir r_dir_perms;
+allow cupsd_t usercanread:file r_file_perms;
+allow cupsd_t usercanread:lnk_file { getattr read };
+
+########################################
+#
+# Cups configuration daemon local policy
+#
+
+allow cupsd_config_t self:capability { chown sys_tty_config };
+dontaudit cupsd_config_t self:capability sys_tty_config;
+allow cupsd_config_t self:process signal_perms;
+allow cupsd_config_t self:fifo_file rw_file_perms;
+allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
+allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
+allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
+
+# old can_ps() on cupsd_t:
+allow cupsd_config_t cupsd_t:process { signal };
+allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
+allow cupsd_config_t cupsd_t:dir { search getattr read };
+allow cupsd_config_t cupsd_t:{ file lnk_file } { read getattr };
+allow cupsd_config_t cupsd_t:process getattr;
+
+allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
+allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
+
+can_exec(cupsd_config_t, cupsd_config_exec_t) 
+
+allow cupsd_config_t cupsd_etc_t:dir rw_dir_perms;
+allow cupsd_config_t cupsd_etc_t:file create_file_perms;
+allow cupsd_config_t cupsd_etc_t:lnk_file create_lnk_perms;
+type_transition cupsd_config_t cupsd_etc_t:file cupsd_rw_etc_t;
+
+allow cupsd_config_t cupsd_log_t:file rw_file_perms;
+
+allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
+allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
+allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
+files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
+
+allow cupsd_config_t cupsd_tmp_t:file create_file_perms;
+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
+
+allow cupsd_config_t cupsd_var_run_t:file { getattr read };
+
+kernel_read_system_state(cupsd_config_t)
+kernel_read_kernel_sysctls(cupsd_config_t)
+kernel_tcp_recvfrom(cupsd_config_t)
+
+corenet_non_ipsec_sendrecv(cupsd_config_t)
+corenet_tcp_sendrecv_all_if(cupsd_config_t)
+corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
+corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+corenet_tcp_connect_all_ports(cupsd_config_t)
+corenet_sendrecv_all_client_packets(cupsd_config_t)
+
+dev_read_sysfs(cupsd_config_t)
+dev_read_urand(cupsd_config_t)
+dev_read_rand(cupsd_config_t)
+
+fs_getattr_all_fs(cupsd_config_t)
+fs_search_auto_mountpoints(cupsd_config_t)
+
+term_dontaudit_use_console(cupsd_config_t)
+
+corecmd_exec_bin(cupsd_config_t)
+corecmd_exec_sbin(cupsd_config_t)
+corecmd_exec_shell(cupsd_config_t)
+
+domain_use_interactive_fds(cupsd_config_t)
+# killall causes the following
+domain_dontaudit_search_all_domains_state(cupsd_config_t)
+
+files_read_usr_files(cupsd_config_t)
+files_read_etc_files(cupsd_config_t)
+files_read_etc_runtime_files(cupsd_config_t)
+files_read_var_symlinks(cupsd_config_t)
+
+init_use_fds(cupsd_config_t)
+init_use_script_ptys(cupsd_config_t)
+# Alternatives asks for this
+init_getattr_script_files(cupsd_config_t)
+
+libs_use_ld_so(cupsd_config_t)
+libs_use_shared_libs(cupsd_config_t)
+
+logging_send_syslog_msg(cupsd_config_t)
+
+miscfiles_read_localization(cupsd_config_t)
+
+seutil_dontaudit_search_config(cupsd_config_t)
+
+sysnet_read_config(cupsd_config_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
+
+lpd_read_config(cupsd_config_t)
+
+cups_stream_connect(cupsd_config_t)
+
+ifdef(`distro_redhat',`
+	init_getattr_script_files(cupsd_config_t)
+
+	optional_policy(`
+		rpm_read_db(cupsd_config_t)
+	')
+')
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_files(cupsd_config_t)
+
+	term_dontaudit_use_unallocated_ttys(cupsd_config_t)
+	term_use_generic_ptys(cupsd_config_t)
+
+	unconfined_rw_pipes(cupsd_config_t)
+')
+
+optional_policy(`
+	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
+	dbus_connect_system_bus(cupsd_config_t)
+	dbus_send_system_bus(cupsd_config_t)
+
+	optional_policy(`
+		hal_dbus_chat(cupsd_config_t)
+	')
+')
+
+optional_policy(`
+	hal_domtrans(cupsd_config_t)
+	hal_read_tmp_files(cupsd_config_t)
+')
+
+optional_policy(`
+	hostname_exec(cupsd_config_t)
+')
+
+optional_policy(`
+	logrotate_use_fds(cupsd_config_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(cupsd_config_t)
+')
+
+optional_policy(`
+	nscd_socket_use(cupsd_config_t)
+')
+
+optional_policy(`
+	rpm_read_db(cupsd_config_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(cupsd_config_t)
+')
+
+optional_policy(`
+	udev_read_db(cupsd_config_t)
+')
+
+########################################
+#
+# Cups lpd support
+#
+
+allow cupsd_lpd_t self:process signal_perms;
+allow cupsd_lpd_t self:fifo_file rw_file_perms;
+allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
+allow cupsd_lpd_t self:udp_socket create_socket_perms;
+allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow cupsd_lpd_t self:capability { setuid setgid };
+files_search_home(cupsd_lpd_t)
+optional_policy(`
+	kerberos_use(cupsd_lpd_t)
+')
+#end for identd
+
+allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
+allow cupsd_lpd_t cupsd_etc_t:file r_file_perms;
+allow cupsd_lpd_t cupsd_etc_t:lnk_file { getattr read };
+
+allow cupsd_lpd_t cupsd_lpd_tmp_t:dir create_dir_perms;
+allow cupsd_lpd_t cupsd_lpd_tmp_t:file create_file_perms;
+files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
+
+allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
+allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file)
+
+allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
+allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
+allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read };
+
+kernel_read_kernel_sysctls(cupsd_lpd_t)
+kernel_read_system_state(cupsd_lpd_t)
+kernel_read_network_state(cupsd_lpd_t)
+
+corenet_non_ipsec_sendrecv(cupsd_lpd_t)
+corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
+corenet_udp_sendrecv_all_if(cupsd_lpd_t)
+corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
+corenet_udp_sendrecv_all_nodes(cupsd_lpd_t)
+corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
+corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+corenet_tcp_bind_all_nodes(cupsd_lpd_t)
+corenet_udp_bind_all_nodes(cupsd_lpd_t)
+corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+
+dev_read_urand(cupsd_lpd_t)
+
+fs_getattr_xattr_fs(cupsd_lpd_t)
+
+files_read_etc_files(cupsd_lpd_t)
+
+libs_use_ld_so(cupsd_lpd_t)
+libs_use_shared_libs(cupsd_lpd_t)
+
+logging_send_syslog_msg(cupsd_lpd_t)
+
+miscfiles_read_localization(cupsd_lpd_t)
+
+sysnet_read_config(cupsd_lpd_t)
+
+cups_stream_connect(cupsd_lpd_t)
+
+optional_policy(`
+	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(cupsd_lpd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(cupsd_lpd_t)
+')
+
+########################################
+#
+# HPLIP local policy
+#
+
+allow hplip_t self:capability net_raw;
+dontaudit hplip_t self:capability sys_tty_config;
+allow hplip_t self:fifo_file rw_file_perms;
+allow hplip_t self:process signal_perms;
+allow hplip_t self:unix_dgram_socket create_socket_perms;
+allow hplip_t self:unix_stream_socket create_socket_perms;
+allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
+allow hplip_t self:tcp_socket create_stream_socket_perms;
+allow hplip_t self:udp_socket create_socket_perms;
+allow hplip_t self:rawip_socket create_socket_perms;
+
+allow hplip_t cupsd_etc_t:dir search;
+
+cups_stream_connect(hplip_t)
+
+allow hplip_t hplip_etc_t:file r_file_perms;
+allow hplip_t hplip_etc_t:dir r_dir_perms;
+allow hplip_t hplip_etc_t:lnk_file { getattr read };
+files_search_etc(hplip_t)
+
+allow hplip_t hplip_var_run_t:file create_file_perms;
+allow hplip_t hplip_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(hplip_t,hplip_var_run_t,file)
+
+kernel_read_system_state(hplip_t)
+kernel_read_kernel_sysctls(hplip_t)
+
+corenet_non_ipsec_sendrecv(hplip_t)
+corenet_tcp_sendrecv_all_if(hplip_t)
+corenet_udp_sendrecv_all_if(hplip_t)
+corenet_raw_sendrecv_all_if(hplip_t)
+corenet_tcp_sendrecv_all_nodes(hplip_t)
+corenet_udp_sendrecv_all_nodes(hplip_t)
+corenet_raw_sendrecv_all_nodes(hplip_t)
+corenet_tcp_sendrecv_all_ports(hplip_t)
+corenet_udp_sendrecv_all_ports(hplip_t)
+corenet_tcp_bind_all_nodes(hplip_t)
+corenet_udp_bind_all_nodes(hplip_t)
+corenet_tcp_bind_hplip_port(hplip_t)
+corenet_tcp_connect_hplip_port(hplip_t)
+corenet_tcp_connect_ipp_port(hplip_t)
+corenet_sendrecv_hplip_client_packets(hplip_t)
+corenet_receive_hplip_server_packets(hplip_t)
+
+dev_read_sysfs(hplip_t)
+dev_rw_printer(hplip_t)
+dev_read_urand(hplip_t)
+dev_read_rand(hplip_t)
+dev_rw_generic_usb_dev(hplip_t)
+
+fs_getattr_all_fs(hplip_t)
+fs_search_auto_mountpoints(hplip_t)
+
+term_dontaudit_use_console(hplip_t)
+
+# for python
+corecmd_exec_bin(hplip_t)
+corecmd_search_sbin(hplip_t)
+
+domain_use_interactive_fds(hplip_t)
+
+files_read_etc_files(hplip_t)
+files_read_etc_runtime_files(hplip_t)
+files_read_usr_files(hplip_t)
+
+init_use_fds(hplip_t)
+init_use_script_ptys(hplip_t)
+
+libs_use_ld_so(hplip_t)
+libs_use_shared_libs(hplip_t)
+
+logging_send_syslog_msg(hplip_t)
+
+miscfiles_read_localization(hplip_t)
+
+sysnet_read_config(hplip_t)
+
+userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
+userdom_dontaudit_search_all_users_home_content(hplip_t)
+
+lpd_read_config(cupsd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(hplip_t)
+	term_dontaudit_use_generic_ptys(hplip_t)
+	files_dontaudit_read_root_files(hplip_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(hplip_t)
+')
+
+optional_policy(`
+	snmp_read_snmp_var_lib_files(hplip_t)
+')
+
+optional_policy(`
+	udev_read_db(hplip_t)
+')
+
+########################################
+#
+# PTAL local policy
+#
+
+allow ptal_t self:capability { chown sys_rawio };
+dontaudit ptal_t self:capability sys_tty_config;
+allow ptal_t self:fifo_file rw_file_perms;
+allow ptal_t self:unix_dgram_socket create_socket_perms;
+allow ptal_t self:unix_stream_socket create_stream_socket_perms;
+allow ptal_t self:tcp_socket create_stream_socket_perms;
+
+allow ptal_t ptal_etc_t:file r_file_perms;
+allow ptal_t ptal_etc_t:dir r_dir_perms;
+allow ptal_t ptal_etc_t:lnk_file { getattr read };
+files_search_etc(ptal_t)
+
+allow ptal_t ptal_var_run_t:dir create_dir_perms;
+allow ptal_t ptal_var_run_t:file create_file_perms;
+allow ptal_t ptal_var_run_t:lnk_file create_lnk_perms;
+allow ptal_t ptal_var_run_t:sock_file create_file_perms;
+allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
+files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
+
+allow ptal_t ptal_var_run_t:file create_file_perms;
+allow ptal_t ptal_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ptal_t,ptal_var_run_t,file)
+
+kernel_read_kernel_sysctls(ptal_t)
+kernel_list_proc(ptal_t)
+kernel_read_proc_symlinks(ptal_t)
+
+corenet_non_ipsec_sendrecv(ptal_t)
+corenet_tcp_sendrecv_all_if(ptal_t)
+corenet_tcp_sendrecv_all_nodes(ptal_t)
+corenet_tcp_sendrecv_all_ports(ptal_t)
+corenet_tcp_bind_all_nodes(ptal_t)
+corenet_tcp_bind_ptal_port(ptal_t)
+
+dev_read_sysfs(ptal_t)
+dev_read_usbfs(ptal_t)
+dev_rw_printer(ptal_t)
+
+fs_getattr_all_fs(ptal_t)
+fs_search_auto_mountpoints(ptal_t)
+
+term_dontaudit_use_console(ptal_t)
+
+domain_use_interactive_fds(ptal_t)
+
+files_read_etc_files(ptal_t)
+files_read_etc_runtime_files(ptal_t)
+
+init_use_fds(ptal_t)
+init_use_script_ptys(ptal_t)
+
+libs_use_ld_so(ptal_t)
+libs_use_shared_libs(ptal_t)
+
+logging_send_syslog_msg(ptal_t)
+
+miscfiles_read_localization(ptal_t)
+
+sysnet_read_config(ptal_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ptal_t)
+userdom_dontaudit_search_all_users_home_content(ptal_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(ptal_t)
+	term_dontaudit_use_generic_ptys(ptal_t)
+	files_dontaudit_read_root_files(ptal_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(ptal_t)
+')
+
+optional_policy(`
+	udev_read_db(ptal_t)
+')
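Review bot: The cupsd_t capability rule (`allow cupsd_t self:capability { sys_admin dac_override ... }`) lists `dac_override` twice and allows `sys_tty_config`, yet the very next line `dontaudit cupsd_t self:capability { sys_tty_config net_admin };` silently denies the same capability — a dontaudit on an already-allowed permission is dead, so one of the two lines is wrong, and the same allow-then-dontaudit pattern repeats for cupsd_config_t (`{ chown sys_tty_config }` followed by `dontaudit ... sys_tty_config`). I would drop the duplicate and keep `sys_tty_config` on the dontaudit side only; the `(?!)` comment already signals doubt about `sys_admin`, and if only the serial backend needs it that is a candidate for a separate backend domain rather than a capability on the whole daemon. The trailing `allow cupsd_t usercanread:...` rules reference an attribute this module neither declares nor pulls in via `gen_require`, and `lpd_read_config(cupsd_t)` sits in the HPLIP section where every other rule targets hplip_t — presumably the intended subject. Several rules are duplicated verbatim (cupsd_config_t on cupsd_t `{ file lnk_file }`, `init_getattr_script_files`, `rpm_read_db`, the second ptal_var_run_t block), which is harmless to the compiled policy but hides the real access set from reviewers.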
diff --git a/policy/modules/services/cvs.fc b/policy/modules/services/cvs.fc
new file mode 100644
index 0000000..689a960
--- /dev/null
+++ b/policy/modules/services/cvs.fc
@@ -0,0 +1,7 @@
+
+/opt/cvs(/.*)?		gen_context(system_u:object_r:cvs_data_t,s0)
+
+/usr/bin/cvs	--	gen_context(system_u:object_r:cvs_exec_t,s0)
+
+/var/cvs(/.*)?		gen_context(system_u:object_r:cvs_data_t,s0)
+
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
new file mode 100644
index 0000000..380a139
--- /dev/null
+++ b/policy/modules/services/cvs.if
@@ -0,0 +1,39 @@
+## <summary>Concurrent versions system</summary>
+
+########################################
+## <summary>
+##	Read the CVS data and metadata.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cvs_read_data',`
+	gen_require(`
+		type cvs_data_t;
+	')
+
+	allow $1 cvs_data_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to execute cvs
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cvs_exec',`
+	gen_require(`
+		type cvs_exec_t;
+	')
+
+	can_exec($1,cvs_exec_t)
+')
+
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
new file mode 100644
index 0000000..fe2e4b0
--- /dev/null
+++ b/policy/modules/services/cvs.te
@@ -0,0 +1,104 @@
+
+policy_module(cvs,1.2.1)
+
+########################################
+#
+# Declarations
+#
+
+type cvs_t;
+type cvs_exec_t;
+inetd_tcp_service_domain(cvs_t,cvs_exec_t)
+role system_r types cvs_t;
+
+type cvs_data_t; # customizable
+files_type(cvs_data_t)
+
+type cvs_tmp_t;
+files_tmp_file(cvs_tmp_t)
+
+type cvs_var_run_t;
+files_pid_file(cvs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cvs_t self:process signal_perms;
+allow cvs_t self:fifo_file rw_file_perms;
+allow cvs_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow cvs_t self:capability { setuid setgid };
+
+allow cvs_t cvs_data_t:dir create_dir_perms;
+allow cvs_t cvs_data_t:file create_file_perms;
+allow cvs_t cvs_data_t:lnk_file create_lnk_perms;
+
+allow cvs_t cvs_tmp_t:dir create_dir_perms;
+allow cvs_t cvs_tmp_t:file create_file_perms;
+files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
+
+allow cvs_t cvs_var_run_t:file create_file_perms;
+allow cvs_t cvs_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(cvs_t,cvs_var_run_t,file)
+
+kernel_read_kernel_sysctls(cvs_t)
+kernel_read_system_state(cvs_t)
+kernel_read_network_state(cvs_t)
+
+corenet_non_ipsec_sendrecv(cvs_t)
+corenet_tcp_sendrecv_all_if(cvs_t)
+corenet_udp_sendrecv_all_if(cvs_t)
+corenet_tcp_sendrecv_all_nodes(cvs_t)
+corenet_udp_sendrecv_all_nodes(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+
+dev_read_urand(cvs_t)
+
+fs_getattr_xattr_fs(cvs_t)
+
+auth_domtrans_chk_passwd(cvs_t)
+
+corecmd_exec_bin(cvs_t)
+corecmd_exec_sbin(cvs_t)
+corecmd_exec_shell(cvs_t)
+
+files_read_etc_files(cvs_t)
+files_read_etc_runtime_files(cvs_t)
+# for identd; cjp: this should probably only be inetd_child rules?
+files_search_home(cvs_t)
+
+libs_use_ld_so(cvs_t)
+libs_use_shared_libs(cvs_t)
+
+logging_send_syslog_msg(cvs_t)
+
+miscfiles_read_localization(cvs_t)
+
+sysnet_read_config(cvs_t)
+
+mta_send_mail(cvs_t)
+
+# cjp: typeattribute doesnt work in conditionals yet
+auth_can_read_shadow_passwords(cvs_t)
+tunable_policy(`allow_cvs_read_shadow',`
+	auth_tunable_read_shadow(cvs_t)
+')
+
+optional_policy(`
+	kerberos_use(cvs_t)
+	kerberos_read_keytab(cvs_t)
+	kerberos_read_config(cvs_t)
+	kerberos_dontaudit_write_config(cvs_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(cvs_t)
+')
+
+optional_policy(`
+	nscd_socket_use(cvs_t)
+')
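Review bot: `auth_can_read_shadow_passwords(cvs_t)` at L55041 is applied unconditionally while the actual read permission is gated by the `allow_cvs_read_shadow` tunable at L55042, and the comment at L55040 only says why this is split, not what it means. A reader auditing shadow access will otherwise assume cvs_t can read shadow regardless of the tunable; a comment like `# attribute is unconditional (typeattribute not allowed in conditionals); the read rules below are still gated by allow_cvs_read_shadow` would make the intent explicit. The two "for identd; cjp: this should probably only be inetd_child rules?" comments at L54986 and L55026 mark a known open question; if it is tracked elsewhere, a pointer would help, otherwise consider resolving it before the module is widely used, since cvs_t already carries setuid/setgid and corecmd_exec_shell.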
diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc
new file mode 100644
index 0000000..86a9d7e
--- /dev/null
+++ b/policy/modules/services/cyrus.fc
@@ -0,0 +1,4 @@
+
+/usr/lib(64)?/cyrus-imapd/cyrus-master	--	gen_context(system_u:object_r:cyrus_exec_t,s0)
+
+/var/lib/imap(/.*)?				gen_context(system_u:object_r:cyrus_var_lib_t,s0)
diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if
new file mode 100644
index 0000000..30d552e
--- /dev/null
+++ b/policy/modules/services/cyrus.if
@@ -0,0 +1,44 @@
+## <summary>Cyrus is an IMAP service intended to be run on sealed servers</summary>
+
+########################################
+## <summary>
+##	Allow caller to create, read, write,
+##	and delete cyrus data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cyrus_manage_data',`
+	gen_require(`
+		type cyrus_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 cyrus_var_lib_t:dir rw_dir_perms;
+	allow $1 cyrus_var_lib_t:file manage_file_perms;
+')
+
+
+########################################
+## <summary>
+##	Connect to Cyrus using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cyrus_stream_connect',`
+	gen_require(`
+		type cyrus_t, cyrus_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 cyrus_var_lib_t:dir search;
+	allow $1 cyrus_var_lib_t:sock_file write;
+	allow $1 cyrus_t:unix_stream_socket connectto;
+')
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
new file mode 100644
index 0000000..21dc5da
--- /dev/null
+++ b/policy/modules/services/cyrus.te
@@ -0,0 +1,139 @@
+
+policy_module(cyrus,1.1.3)
+
+########################################
+#
+# Declarations
+#
+
+type cyrus_t;
+type cyrus_exec_t;
+init_daemon_domain(cyrus_t,cyrus_exec_t)
+
+type cyrus_tmp_t;
+files_tmp_file(cyrus_tmp_t)
+
+type cyrus_var_lib_t;
+files_type(cyrus_var_lib_t)
+
+type cyrus_var_run_t;
+files_pid_file(cyrus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+dontaudit cyrus_t self:capability sys_tty_config;
+allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow cyrus_t self:process setrlimit;
+allow cyrus_t self:fd use;
+allow cyrus_t self:fifo_file rw_file_perms;
+allow cyrus_t self:sock_file r_file_perms;
+allow cyrus_t self:shm create_shm_perms;
+allow cyrus_t self:sem create_sem_perms;
+allow cyrus_t self:msgq create_msgq_perms;
+allow cyrus_t self:msg { send receive };
+allow cyrus_t self:unix_dgram_socket create_socket_perms;
+allow cyrus_t self:unix_stream_socket create_stream_socket_perms;
+allow cyrus_t self:unix_dgram_socket sendto;
+allow cyrus_t self:unix_stream_socket connectto;
+allow cyrus_t self:tcp_socket create_stream_socket_perms;
+allow cyrus_t self:udp_socket create_socket_perms;
+
+allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
+allow cyrus_t cyrus_tmp_t:file create_file_perms;
+files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
+
+allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
+allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
+files_pid_filetrans(cyrus_t,cyrus_var_run_t,file)
+
+allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
+allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
+allow cyrus_t cyrus_var_run_t:file create_file_perms;
+files_pid_filetrans(cyrus_t,cyrus_var_run_t,{ file sock_file })
+
+kernel_read_kernel_sysctls(cyrus_t)
+kernel_read_system_state(cyrus_t)
+kernel_read_all_sysctls(cyrus_t)
+
+corenet_non_ipsec_sendrecv(cyrus_t)
+corenet_tcp_sendrecv_all_if(cyrus_t)
+corenet_udp_sendrecv_all_if(cyrus_t)
+corenet_tcp_sendrecv_all_nodes(cyrus_t)
+corenet_udp_sendrecv_all_nodes(cyrus_t)
+corenet_tcp_sendrecv_all_ports(cyrus_t)
+corenet_udp_sendrecv_all_ports(cyrus_t)
+corenet_tcp_bind_all_nodes(cyrus_t)
+corenet_tcp_bind_mail_port(cyrus_t)
+corenet_tcp_bind_pop_port(cyrus_t)
+corenet_tcp_connect_all_ports(cyrus_t)
+corenet_sendrecv_mail_server_packets(cyrus_t)
+corenet_sendrecv_pop_server_packets(cyrus_t)
+corenet_sendrecv_all_client_packets(cyrus_t)
+
+dev_read_rand(cyrus_t)
+dev_read_urand(cyrus_t)
+dev_read_sysfs(cyrus_t)
+
+fs_getattr_all_fs(cyrus_t)
+fs_search_auto_mountpoints(cyrus_t)
+
+term_dontaudit_use_console(cyrus_t)
+
+corecmd_exec_bin(cyrus_t)
+
+domain_use_interactive_fds(cyrus_t)
+
+files_list_var_lib(cyrus_t)
+files_read_etc_files(cyrus_t)
+files_read_etc_runtime_files(cyrus_t)
+
+init_use_fds(cyrus_t)
+init_use_script_ptys(cyrus_t)
+
+libs_use_ld_so(cyrus_t)
+libs_use_shared_libs(cyrus_t)
+libs_exec_lib_files(cyrus_t)
+
+logging_send_syslog_msg(cyrus_t)
+
+miscfiles_read_localization(cyrus_t)
+miscfiles_read_certs(cyrus_t)
+
+sysnet_read_config(cyrus_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
+userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
+userdom_use_unpriv_users_fds(cyrus_t)
+userdom_use_sysadm_ptys(cyrus_t)
+
+mta_manage_spool(cyrus_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(cyrus_t)
+	term_dontaudit_use_generic_ptys(cyrus_t)
+	files_dontaudit_read_root_files(cyrus_t)
+')
+
+optional_policy(`
+	cron_system_entry(cyrus_t,cyrus_exec_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(cyrus_t)
+')
+
+optional_policy(`
+	sasl_connect(cyrus_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(cyrus_t)
+')
+
+optional_policy(`
+	udev_read_db(cyrus_t)
+')
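Review bot: `files_pid_filetrans(cyrus_t,cyrus_var_run_t,file)` at L55176 sits in the cyrus_var_lib_t block and is fully subsumed by L55181, which declares the same transition for `{ file sock_file }`; the L55176 line should be dropped. Similarly L55154 excludes setrlimit from the `~{ ... }` complement and L55155 immediately grants it back, so the two lines net out to everything except the other seven permissions; removing setrlimit from the negated set and deleting L55155 expresses the same policy without the contradiction. Since the complement form also silently admits any process permission added to the class in the future, an explicit positive list would be the safer least-privilege style, though that is a larger change than this commit needs.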
diff --git a/policy/modules/services/dante.fc b/policy/modules/services/dante.fc
new file mode 100644
index 0000000..5071bae
--- /dev/null
+++ b/policy/modules/services/dante.fc
@@ -0,0 +1,6 @@
+
+/etc/socks(/.*)?		gen_context(system_u:object_r:dante_conf_t,s0)
+
+/usr/sbin/sockd		--	gen_context(system_u:object_r:dante_exec_t,s0)
+
+/var/run/sockd.pid	--	gen_context(system_u:object_r:dante_var_run_t,s0)
diff --git a/policy/modules/services/dante.if b/policy/modules/services/dante.if
new file mode 100644
index 0000000..704661c
--- /dev/null
+++ b/policy/modules/services/dante.if
@@ -0,0 +1 @@
+## <summary>Dante msproxy and socks4/5 proxy server</summary>
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
new file mode 100644
index 0000000..149677d
--- /dev/null
+++ b/policy/modules/services/dante.te
@@ -0,0 +1,93 @@
+
+policy_module(dante,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type dante_t;
+type dante_exec_t;
+init_daemon_domain(dante_t,dante_exec_t)
+
+type dante_conf_t;
+files_type(dante_conf_t)
+
+type dante_var_run_t;
+files_pid_file(dante_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dante_t self:capability { setuid setgid };
+dontaudit dante_t self:capability sys_tty_config;
+allow dante_t self:process signal_perms;
+allow dante_t self:fifo_file { read write };
+allow dante_t self:tcp_socket create_stream_socket_perms;
+allow dante_t self:udp_socket create_socket_perms;
+
+allow dante_t dante_conf_t:dir r_dir_perms;
+allow dante_t dante_conf_t:file r_file_perms;
+
+allow dante_t dante_var_run_t:file create_file_perms;
+allow dante_t dante_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dante_t,dante_var_run_t,file)
+
+kernel_read_kernel_sysctls(dante_t)
+kernel_list_proc(dante_t)
+kernel_read_proc_symlinks(dante_t)
+
+corenet_non_ipsec_sendrecv(dante_t)
+corenet_tcp_sendrecv_generic_if(dante_t)
+corenet_udp_sendrecv_generic_if(dante_t)
+corenet_tcp_sendrecv_all_nodes(dante_t)
+corenet_udp_sendrecv_all_nodes(dante_t)
+corenet_tcp_sendrecv_all_ports(dante_t)
+corenet_udp_sendrecv_all_ports(dante_t)
+corenet_tcp_bind_all_nodes(dante_t)
+#TODO: no portcons for this type
+#allow dante_t socks_port_t:tcp_socket name_bind;
+
+dev_read_sysfs(dante_t)
+
+domain_use_interactive_fds(dante_t)
+
+files_read_etc_files(dante_t)
+files_read_etc_runtime_files(dante_t)
+
+fs_getattr_all_fs(dante_t)
+fs_search_auto_mountpoints(dante_t)
+
+term_dontaudit_use_console(dante_t)
+
+init_use_fds(dante_t)
+init_use_script_ptys(dante_t)
+init_write_utmp(dante_t)
+
+libs_use_ld_so(dante_t)
+libs_use_shared_libs(dante_t)
+
+logging_send_syslog_msg(dante_t)
+
+miscfiles_read_localization(dante_t)
+
+sysnet_read_config(dante_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dante_t)
+userdom_dontaudit_search_sysadm_home_dirs(dante_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(dante_t)
+	term_dontaudit_use_generic_ptys(dante_t)
+	files_dontaudit_read_root_files(dante_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dante_t)
+')
+
+optional_policy(`
+	udev_read_db(dante_t)
+')
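Review bot: the TODO at L55339–L55340 leaves dante_t with `corenet_tcp_bind_all_nodes` but no tcp_socket name_bind on any port, so as written the daemon cannot listen on its socks port under this policy and every start will produce a denial. The comment should say so rather than only noting the missing portcon, e.g. `# TODO: no socks port type declared yet; until one is added sockd cannot name_bind its listening port`, so the gap is not mistaken for a deliberate hardening choice. The identd-style tcpdiag rule is absent here (unlike cvs.te and dbskk.te), which looks intentional given this is an init daemon rather than an inetd child.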
diff --git a/policy/modules/services/dbskk.fc b/policy/modules/services/dbskk.fc
new file mode 100644
index 0000000..7af2590
--- /dev/null
+++ b/policy/modules/services/dbskk.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/dbskkd-cdb	--	gen_context(system_u:object_r:dbskkd_exec_t,s0)
diff --git a/policy/modules/services/dbskk.if b/policy/modules/services/dbskk.if
new file mode 100644
index 0000000..9e71004
--- /dev/null
+++ b/policy/modules/services/dbskk.if
@@ -0,0 +1 @@
+## <summary>Dictionary server for the SKK Japanese input method system.</summary>
diff --git a/policy/modules/services/dbskk.te b/policy/modules/services/dbskk.te
new file mode 100644
index 0000000..914627c
--- /dev/null
+++ b/policy/modules/services/dbskk.te
@@ -0,0 +1,81 @@
+
+policy_module(dbskk,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type dbskkd_t;
+type dbskkd_exec_t;
+inetd_service_domain(dbskkd_t,dbskkd_exec_t)
+role system_r types dbskkd_t;
+
+type dbskkd_tmp_t;
+files_tmp_file(dbskkd_tmp_t)
+
+type dbskkd_var_run_t;
+files_pid_file(dbskkd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dbskkd_t self:process signal_perms;
+allow dbskkd_t self:fifo_file rw_file_perms;
+allow dbskkd_t self:tcp_socket connected_stream_socket_perms;
+allow dbskkd_t self:udp_socket create_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow dbskkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow dbskkd_t self:capability { setuid setgid };
+files_search_home(dbskkd_t)
+optional_policy(`
+	kerberos_use(dbskkd_t)
+')
+#end for identd
+
+allow dbskkd_t dbskkd_tmp_t:dir create_dir_perms;
+allow dbskkd_t dbskkd_tmp_t:file create_file_perms;
+files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
+
+allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
+allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dbskkd_t,dbskkd_var_run_t,file)
+
+kernel_read_kernel_sysctls(dbskkd_t)
+kernel_read_system_state(dbskkd_t)
+kernel_read_network_state(dbskkd_t)
+
+corenet_non_ipsec_sendrecv(dbskkd_t)
+corenet_tcp_sendrecv_all_if(dbskkd_t)
+corenet_udp_sendrecv_all_if(dbskkd_t)
+corenet_tcp_sendrecv_all_nodes(dbskkd_t)
+corenet_udp_sendrecv_all_nodes(dbskkd_t)
+corenet_tcp_sendrecv_all_ports(dbskkd_t)
+corenet_udp_sendrecv_all_ports(dbskkd_t)
+
+dev_read_urand(dbskkd_t)
+
+fs_getattr_xattr_fs(dbskkd_t)
+
+files_read_etc_files(dbskkd_t)
+
+libs_use_ld_so(dbskkd_t)
+libs_use_shared_libs(dbskkd_t)
+
+logging_send_syslog_msg(dbskkd_t)
+
+miscfiles_read_localization(dbskkd_t)
+
+sysnet_read_config(dbskkd_t)
+
+optional_policy(`
+	nis_use_ypbind(dbskkd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(dbskkd_t)
+')
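Review bot: the "for identd" block at L55433–L55441 groups `capability { setuid setgid }`, `files_search_home`, and the kerberos optional_policy under one comment, but only the netlink_tcpdiag rule at L55435 is evidently identd-related; the other three are not explained by that comment. Either move the unrelated rules out of the block or extend the comment to say why each is needed, e.g. `# identd lookup: tcpdiag; setuid/setgid and home search for the inetd child dropping privileges (verify)`. The same open question ("cjp: this should probably only be inetd_child rules?") appears in cvs.te at L54986 and L55026, so resolving it once for the inetd child template would cover both modules.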
diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc
new file mode 100644
index 0000000..8004713
--- /dev/null
+++ b/policy/modules/services/dbus.fc
@@ -0,0 +1,6 @@
+/etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
+
+# Sorting does not work correctly if I combine these next two roles
+/usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+/bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+/var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
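Review bot: the comment at L55493 refers to the two following lines as "roles", but they are file context entries, not SELinux roles, which is confusing in a policy tree where role has a precise meaning. Rewording it to `# Sorting does not work correctly if these next two entries are combined` keeps the explanation and removes the ambiguity.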
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
new file mode 100644
index 0000000..dd77cfc
--- /dev/null
+++ b/policy/modules/services/dbus.if
@@ -0,0 +1,351 @@
+## <summary>Desktop messaging bus</summary>
+
+########################################
+## <summary>
+##	DBUS stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	<summary>
+##	N/A
+##	</summary>
+## </param>
+#
+interface(`dbus_stub',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+')
+
+#######################################
+## <summary>
+##	The per user domain template for the dbus module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is
+##	used for the user dbus.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`dbus_per_userdomain_template',`
+
+	##############################
+	#
+	# Delcarations
+	#
+	type $1_dbusd_t;
+	domain_type($1_dbusd_t)
+	domain_entry_file($1_dbusd_t,system_dbusd_exec_t)
+	role $3 types $1_dbusd_t;
+
+	type $1_dbusd_$1_t;
+
+	type $1_dbusd_tmp_t;
+	files_tmp_file($1_dbusd_tmp_t)
+
+	##############################
+	#
+	# Local policy
+	#
+
+	allow $1_dbusd_t self:process { getattr sigkill signal };
+	allow $1_dbusd_t self:file { getattr read write };
+	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+	allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
+	allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+
+	# For connecting to the bus
+	allow $2 $1_dbusd_t:unix_stream_socket connectto;
+	type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
+
+	# SE-DBus specific permissions
+	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+	allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+
+	allow $1_dbusd_t dbusd_etc_t:dir r_dir_perms;
+	allow $1_dbusd_t dbusd_etc_t:file r_file_perms;
+	allow $1_dbusd_t dbusd_etc_t:lnk_file { getattr read };
+
+	allow $1_dbusd_t $1_dbusd_tmp_t:dir create_dir_perms;
+	allow $1_dbusd_t $1_dbusd_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
+
+	domain_auto_trans($2, system_dbusd_exec_t, $1_dbusd_t)
+	allow $2 $1_dbusd_t:fd use;
+	allow $1_dbusd_t $2:fd use;
+	allow $1_dbusd_t $2:fifo_file rw_file_perms;
+	allow $1_dbusd_t $2:process sigchld;
+
+	allow $2 $1_dbusd_t:process { sigkill signal };
+
+	kernel_read_system_state($1_dbusd_t)
+	kernel_read_kernel_sysctls($1_dbusd_t)
+
+	corenet_non_ipsec_sendrecv($1_dbusd_t)
+	corenet_tcp_sendrecv_all_if($1_dbusd_t)
+	corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
+	corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+	corenet_tcp_bind_all_nodes($1_dbusd_t)
+	corenet_tcp_bind_reserved_port($1_dbusd_t)
+
+	dev_read_urand($1_dbusd_t)
+
+	selinux_get_fs_mount($1_dbusd_t)
+	selinux_validate_context($1_dbusd_t)
+	selinux_compute_access_vector($1_dbusd_t)
+	selinux_compute_create_context($1_dbusd_t)
+	selinux_compute_relabel_context($1_dbusd_t)
+	selinux_compute_user_contexts($1_dbusd_t)
+
+	corecmd_list_bin($1_dbusd_t)
+	corecmd_read_bin_symlinks($1_dbusd_t)
+	corecmd_read_bin_files($1_dbusd_t)
+	corecmd_read_bin_pipes($1_dbusd_t)
+	corecmd_read_bin_sockets($1_dbusd_t)
+	corecmd_list_sbin($1_dbusd_t)
+	corecmd_read_sbin_symlinks($1_dbusd_t)
+	corecmd_read_sbin_files($1_dbusd_t)
+	corecmd_read_sbin_pipes($1_dbusd_t)
+	corecmd_read_sbin_sockets($1_dbusd_t)
+
+	files_read_etc_files($1_dbusd_t)
+	files_list_home($1_dbusd_t)
+	files_read_usr_files($1_dbusd_t)
+	files_dontaudit_search_var($1_dbusd_t)
+
+	libs_use_ld_so($1_dbusd_t)
+	libs_use_shared_libs($1_dbusd_t)
+
+	logging_send_syslog_msg($1_dbusd_t)
+
+	miscfiles_read_localization($1_dbusd_t)
+
+	seutil_read_config($1_dbusd_t)
+	seutil_read_default_contexts($1_dbusd_t)
+
+	sysnet_read_config($1_dbusd_t)
+
+	tunable_policy(`read_default_t',`
+		files_list_default($1_dbusd_t)
+		files_read_default_files($1_dbusd_t)
+		files_read_default_symlinks($1_dbusd_t)
+		files_read_default_sockets($1_dbusd_t)
+		files_read_default_pipes($1_dbusd_t)
+	')
+
+	optional_policy(`
+		auth_read_pam_console_data($1_dbusd_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_dbusd_t)
+	')
+
+	optional_policy(`
+		xserver_use_xdm_fds($1_dbusd_t)
+		xserver_rw_xdm_pipes($1_dbusd_t)
+	')
+')
+
+#######################################
+## <summary>
+##	Template for creating connections to
+##	the system DBUS.
+## </summary>
+## <param name="domain_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	The type of the domain.
+##	</summary>
+## </param>
+#
+template(`dbus_system_bus_client_template',`
+	gen_require(`
+		type system_dbusd_t, system_dbusd_t;
+		type system_dbusd_var_run_t;
+		class dbus send_msg;
+	')
+
+	type $1_dbusd_system_t;
+	type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
+
+	# SE-DBus specific permissions
+	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
+
+	# For connecting to the bus
+	files_search_pids($2)
+	allow $2 system_dbusd_var_run_t:dir search;
+	allow $2 system_dbusd_var_run_t:sock_file write;
+	allow $2 system_dbusd_t:unix_stream_socket connectto;
+')
+
+#######################################
+## <summary>
+##	Template for creating connections to
+##	a user DBUS.
+## </summary>
+## <param name="user_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	The type of the domain.
+##	</summary>
+## </param>
+#
+template(`dbus_user_bus_client_template',`
+	gen_require(`
+		type $1_dbusd_t;
+		class dbus send_msg;
+	')
+
+	type $2_dbusd_$1_t;
+	type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t;
+
+	# SE-DBus specific permissions
+	allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+
+	# For connecting to the bus
+	allow $3 $1_dbusd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Send a message on user/application specific DBUS.
+## </summary>
+## <param name="domain_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`dbus_send_user_bus',`
+	gen_require(`
+		type $1_dbusd_t;
+		class dbus send_msg;
+	')
+
+	allow $2 $1_dbusd_t:dbus send_msg;
+')
+
+
+########################################
+## <summary>
+##	Read dbus configuration.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_read_config',`
+	gen_require(`
+		type dbusd_etc_t;
+	')
+
+	allow $1 dbusd_etc_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect to the the system DBUS
+##	for service (acquire_svc).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_connect_system_bus',`
+	gen_require(`
+		type system_dbusd_t;
+		class dbus acquire_svc;
+	')
+
+	allow $1 system_dbusd_t:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+##	Send a message on the system DBUS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_send_system_bus',`
+	gen_require(`
+		type system_dbusd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 system_dbusd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_system_bus_unconfined',`
+	gen_require(`
+		type system_dbusd_t;
+		class dbus all_dbus_perms;
+	')
+
+	allow $1 system_dbusd_t:dbus *;
+')
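Review bot: `allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };` at L55590 uses `$1_t` where every other rule in dbus_per_userdomain_template uses `$2` for the user domain (L55584, L55589, L55600), so the rule only works when the domain happens to be named prefix_t and should read `allow $2 system_dbusd_t:dbus { send_msg acquire_svc };`. That template (L55553) also references system_dbusd_exec_t, system_dbusd_t and dbusd_etc_t with no gen_require block, unlike dbus_system_bus_client_template at L55695, which does declare its requirements; if the template is expanded from another module's policy this will fail to link, so the types and `class dbus { send_msg acquire_svc }` should be required the same way. Smaller items in the same hunk: the gen_require at L55696 lists system_dbusd_t twice, L55557 has "Delcarations", and L55799 has "the the".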
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
new file mode 100644
index 0000000..6fd0076
--- /dev/null
+++ b/policy/modules/services/dbus.te
@@ -0,0 +1,143 @@
+
+policy_module(dbus,1.2.6)
+
+gen_require(`
+	class dbus { send_msg acquire_svc };
+')
+
+##############################
+#
+# Delcarations
+#
+
+type dbusd_etc_t alias etc_dbusd_t;
+files_type(dbusd_etc_t)
+
+type system_dbusd_t alias dbusd_t;
+type system_dbusd_exec_t;
+init_system_domain(system_dbusd_t,system_dbusd_exec_t)
+
+type system_dbusd_tmp_t;
+files_tmp_file(system_dbusd_tmp_t)
+
+type system_dbusd_var_run_t;
+files_pid_file(system_dbusd_var_run_t)
+
+##############################
+#
+# Local policy
+#
+
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+# cjp: dac_override should probably go in a distro_debian
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+dontaudit system_dbusd_t self:capability sys_tty_config;
+allow system_dbusd_t self:process { getattr signal_perms setcap };
+allow system_dbusd_t self:fifo_file { read write };
+allow system_dbusd_t self:dbus { send_msg acquire_svc };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
+allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
+# Receive notifications of policy reloads and enforcing status changes.
+allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+
+allow system_dbusd_t dbusd_etc_t:dir r_dir_perms;
+allow system_dbusd_t dbusd_etc_t:file r_file_perms;
+allow system_dbusd_t dbusd_etc_t:lnk_file { getattr read };
+
+allow system_dbusd_t system_dbusd_tmp_t:dir create_dir_perms;
+allow system_dbusd_t system_dbusd_tmp_t:file create_file_perms;
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+
+allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms;
+allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
+allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
+
+kernel_read_system_state(system_dbusd_t)
+kernel_read_kernel_sysctls(system_dbusd_t)
+
+dev_read_urand(system_dbusd_t)
+dev_read_sysfs(system_dbusd_t)
+
+fs_getattr_all_fs(system_dbusd_t)
+fs_search_auto_mountpoints(system_dbusd_t)
+
+selinux_get_fs_mount(system_dbusd_t)
+selinux_validate_context(system_dbusd_t)
+selinux_compute_access_vector(system_dbusd_t)
+selinux_compute_create_context(system_dbusd_t)
+selinux_compute_relabel_context(system_dbusd_t)
+selinux_compute_user_contexts(system_dbusd_t)
+
+term_dontaudit_use_console(system_dbusd_t)
+
+auth_use_nsswitch(system_dbusd_t)
+auth_read_pam_console_data(system_dbusd_t)
+
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_symlinks(system_dbusd_t)
+corecmd_read_bin_files(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+corecmd_list_sbin(system_dbusd_t)
+corecmd_read_sbin_symlinks(system_dbusd_t)
+corecmd_read_sbin_files(system_dbusd_t)
+corecmd_read_sbin_pipes(system_dbusd_t)
+corecmd_read_sbin_sockets(system_dbusd_t)
+corecmd_exec_sbin(system_dbusd_t)
+
+domain_use_interactive_fds(system_dbusd_t)
+
+files_read_etc_files(system_dbusd_t)
+files_list_home(system_dbusd_t)
+files_read_usr_files(system_dbusd_t)
+
+init_use_fds(system_dbusd_t)
+init_use_script_ptys(system_dbusd_t)
+
+libs_use_ld_so(system_dbusd_t)
+libs_use_shared_libs(system_dbusd_t)
+
+logging_send_syslog_msg(system_dbusd_t)
+
+miscfiles_read_localization(system_dbusd_t)
+miscfiles_read_certs(system_dbusd_t)
+
+seutil_read_config(system_dbusd_t)
+seutil_read_default_contexts(system_dbusd_t)
+seutil_sigchld_newrole(system_dbusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
+userdom_dontaudit_search_sysadm_home_dirs(system_dbusd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(system_dbusd_t)
+	term_dontaudit_use_generic_ptys(system_dbusd_t)
+	files_dontaudit_read_root_files(system_dbusd_t)
+')
+
+tunable_policy(`read_default_t',`
+	files_list_default(system_dbusd_t)
+	files_read_default_files(system_dbusd_t)
+	files_read_default_symlinks(system_dbusd_t)
+	files_read_default_sockets(system_dbusd_t)
+	files_read_default_pipes(system_dbusd_t)
+')
+
+optional_policy(`
+	bind_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(system_dbusd_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_dhcpc(system_dbusd_t)
+')
+
+optional_policy(`
+	udev_read_db(system_dbusd_t)
+')
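Review bot: `connectto` appears twice in the unix_stream_socket rule at L55897 (`{ connectto create_stream_socket_perms connectto }`); the rule should be `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms };`. The comment at L55891 already says dac_override is only needed for Debian's /var/run/dbus ownership, so the capability could be granted in an `ifdef(`distro_debian',` block rather than unconditionally to every build, which is the least-privilege reading of the author's own note. The heading at L55869 has the same "Delcarations" typo as dbus.if.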
diff --git a/policy/modules/services/dcc.fc b/policy/modules/services/dcc.fc
new file mode 100644
index 0000000..45efbf1
--- /dev/null
+++ b/policy/modules/services/dcc.fc
@@ -0,0 +1,18 @@
+/etc/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
+/etc/dcc/dccifd			-s	gen_context(system_u:object_r:dccifd_var_run_t,s0)
+/etc/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/usr/bin/cdcc			--	gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/dccproc		--	gen_context(system_u:object_r:dcc_client_exec_t,s0)
+
+/usr/libexec/dcc/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/libexec/dcc/dccd		--	gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/libexec/dcc/dccifd		--	gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/libexec/dcc/dccm		--	gen_context(system_u:object_r:dccm_exec_t,s0)
+
+/var/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
+/var/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/var/run/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_run_t,s0)
+/var/run/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/run/dcc/dccifd		-s	gen_context(system_u:object_r:dccifd_var_run_t,s0)
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
new file mode 100644
index 0000000..ea9083f
--- /dev/null
+++ b/policy/modules/services/dcc.if
@@ -0,0 +1,181 @@
+## <summary>Distributed checksum clearinghouse spam filtering</summary>
+
+########################################
+## <summary>
+##	Execute cdcc in the cdcc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dcc_domtrans_cdcc',`
+	gen_require(`
+		type cdcc_t, cdcc_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,cdcc_exec_t,cdcc_t)
+	allow cdcc_t $1:fd use;
+	allow cdcc_t $1:fifo_file rw_file_perms;
+	allow cdcc_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute cdcc in the cdcc domain, and
+##	allow the specified role the cdcc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the cdcc domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the cdcc domain to use.
+##	</summary>
+## </param>
+#
+interface(`dcc_run_cdcc',`
+	gen_require(`
+		type cdcc_t;
+	')
+
+	dcc_domtrans_cdcc($1)
+	role $2 types cdcc_t;
+	allow cdcc_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute dcc_client in the dcc_client domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dcc_domtrans_client',`
+	gen_require(`
+		type dcc_client_t, dcc_client_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,dcc_client_exec_t,dcc_client_t)
+	allow dcc_client_t $1:fd use;
+	allow dcc_client_t $1:fifo_file rw_file_perms;
+	allow dcc_client_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute dcc_client in the dcc_client domain, and
+##	allow the specified role the dcc_client domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the dcc_client domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the dcc_client domain to use.
+##	</summary>
+## </param>
+#
+interface(`dcc_run_client',`
+	gen_require(`
+		type dcc_client_t;
+	')
+
+	dcc_domtrans_client($1)
+	role $2 types dcc_client_t;
+	allow dcc_client_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute dbclean in the dcc_dbclean domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dcc_domtrans_dbclean',`
+	gen_require(`
+		type dcc_dbclean_t, dcc_dbclean_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,dcc_dbclean_exec_t,dcc_dbclean_t)
+	allow dcc_dbclean_t $1:fd use;
+	allow dcc_dbclean_t $1:fifo_file rw_file_perms;
+	allow dcc_dbclean_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute dbclean in the dcc_dbclean domain, and
+##	allow the specified role the dcc_dbclean domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the dcc_dbclean domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the dcc_dbclean domain to use.
+##	</summary>
+## </param>
+#
+interface(`dcc_run_dbclean',`
+	gen_require(`
+		type dcc_dbclean_t;
+	')
+
+	dcc_domtrans_dbclean($1)
+	role $2 types dcc_dbclean_t;
+	allow dcc_dbclean_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Connect to dccifd over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dcc_stream_connect_dccifd',`
+	gen_require(`
+		type dcc_var_t, dccifd_var_run_t, dccifd_t;
+	')
+
+	files_search_var($1)
+	allow $1 dcc_var_t:dir search;
+	allow $1 dccifd_var_run_t:sock_file { getattr write };
+	allow $1 dccifd_t:unix_stream_socket connectto;
+')
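Review bot: dcc_domtrans_cdcc (L56050) and dcc_domtrans_client (L56103) call `corecmd_search_sbin($1)`, but dcc.fc places cdcc and dccproc in /usr/bin (L56013–L56014), so the search permission granted does not cover the directory the executables actually live in and callers will be denied on the path lookup; these should be `corecmd_search_bin($1)`. dcc_domtrans_dbclean (L56156) has the same mismatch for /usr/libexec/dcc/dbclean (L56016), though which search interface fits that path depends on how /usr/libexec is labelled in this tree. dcc_stream_connect_dccifd (L56204) only allows search on dcc_var_t, yet dcc.fc also labels a socket at /var/run/dcc/dccifd (L56026) under dcc_var_run_t, so a client using that path needs `files_search_pids($1)` and `allow $1 dcc_var_run_t:dir search;` as well.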
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
new file mode 100644
index 0000000..0214b5d
--- /dev/null
+++ b/policy/modules/services/dcc.te
@@ -0,0 +1,471 @@
+
+policy_module(dcc,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type cdcc_t;
+type cdcc_exec_t;
+domain_type(cdcc_t)
+domain_entry_file(cdcc_t,cdcc_exec_t)
+role system_r types cdcc_t;
+
+type cdcc_tmp_t;
+files_tmp_file(cdcc_tmp_t)
+
+type dcc_client_t;
+type dcc_client_exec_t;
+domain_type(dcc_client_t)
+domain_entry_file(dcc_client_t,dcc_client_exec_t)
+role system_r types dcc_client_t;
+
+type dcc_client_map_t;
+files_type(dcc_client_map_t)
+
+type dcc_client_tmp_t;
+files_tmp_file(dcc_client_tmp_t)
+
+type dcc_dbclean_t;
+type dcc_dbclean_exec_t;
+domain_type(dcc_dbclean_t)
+domain_entry_file(dcc_dbclean_t,dcc_dbclean_exec_t)
+role system_r types dcc_dbclean_t;
+
+type dcc_dbclean_tmp_t;
+files_tmp_file(dcc_dbclean_tmp_t)
+
+type dcc_var_t;
+files_type(dcc_var_t)
+
+type dcc_var_run_t;
+files_type(dcc_var_run_t)
+
+type dccd_t;
+type dccd_exec_t;
+init_daemon_domain(dccd_t,dccd_exec_t)
+
+type dccd_tmp_t;
+files_tmp_file(dccd_tmp_t)
+
+type dccd_var_run_t;
+files_pid_file(dccd_var_run_t)
+
+type dccifd_t;
+type dccifd_exec_t;
+init_daemon_domain(dccifd_t,dccifd_exec_t)
+
+type dccifd_tmp_t;
+files_tmp_file(dccifd_tmp_t)
+
+type dccifd_var_run_t;
+files_pid_file(dccifd_var_run_t)
+
+type dccm_t;
+type dccm_exec_t;
+init_daemon_domain(dccm_t,dccm_exec_t)
+
+type dccm_tmp_t;
+files_tmp_file(dccm_tmp_t)
+
+type dccm_var_run_t;
+files_pid_file(dccm_var_run_t)
+
+# NOTE: DCC has writeable files in /etc/dcc that should probably be in
+# /var/lib/dcc.  For now this policy supports both directories being
+# writable.
+
+# cjp: dccifd and dccm should be merged, as
+# they have the same rules.
+
+########################################
+#
+# dcc daemon controller local policy
+#
+
+allow cdcc_t self:capability setuid;
+allow cdcc_t self:unix_dgram_socket create_socket_perms;
+allow cdcc_t self:udp_socket create_socket_perms;
+
+allow cdcc_t cdcc_tmp_t:dir manage_dir_perms;
+allow cdcc_t cdcc_tmp_t:file create_file_perms;
+files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
+
+allow cdcc_t dcc_client_map_t:file rw_file_perms;
+
+# Access files in /var/dcc. The map file can be updated
+allow cdcc_t dcc_var_t:dir r_dir_perms;
+allow cdcc_t dcc_var_t:file r_file_perms;
+allow cdcc_t dcc_var_t:lnk_file { getattr read };
+
+corenet_non_ipsec_sendrecv(cdcc_t)
+corenet_udp_sendrecv_generic_if(cdcc_t)
+corenet_udp_sendrecv_all_nodes(cdcc_t)
+corenet_udp_sendrecv_all_ports(cdcc_t)
+
+files_read_etc_files(cdcc_t)
+files_read_etc_runtime_files(cdcc_t)
+
+libs_use_ld_so(cdcc_t)
+libs_use_shared_libs(cdcc_t)
+
+logging_send_syslog_msg(cdcc_t)
+
+miscfiles_read_localization(cdcc_t)
+
+sysnet_read_config(cdcc_t)
+sysnet_dns_name_resolve(cdcc_t)
+
+optional_policy(`
+	nscd_socket_use(cdcc_t)
+')
+
+########################################
+#
+# dcc procmail interface local policy
+#
+
+allow dcc_client_t self:capability setuid;
+allow dcc_client_t self:unix_dgram_socket create_socket_perms;
+allow dcc_client_t self:udp_socket create_socket_perms;
+
+allow dcc_client_t dcc_client_map_t:file rw_file_perms;
+
+allow dcc_client_t dcc_client_tmp_t:dir manage_dir_perms;
+allow dcc_client_t dcc_client_tmp_t:file create_file_perms;
+files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
+
+# Access files in /var/dcc. The map file can be updated
+allow dcc_client_t dcc_var_t:dir r_dir_perms;
+allow dcc_client_t dcc_var_t:file r_file_perms;
+allow dcc_client_t dcc_var_t:lnk_file { getattr read };
+
+corenet_non_ipsec_sendrecv(dcc_client_t)
+corenet_udp_sendrecv_generic_if(dcc_client_t)
+corenet_udp_sendrecv_all_nodes(dcc_client_t)
+corenet_udp_sendrecv_all_ports(dcc_client_t)
+
+files_read_etc_files(dcc_client_t)
+files_read_etc_runtime_files(dcc_client_t)
+
+libs_use_ld_so(dcc_client_t)
+libs_use_shared_libs(dcc_client_t)
+
+logging_send_syslog_msg(dcc_client_t)
+
+miscfiles_read_localization(dcc_client_t)
+
+sysnet_read_config(dcc_client_t)
+sysnet_dns_name_resolve(dcc_client_t)
+
+optional_policy(`
+	nscd_socket_use(dcc_client_t)
+')
+
+########################################
+#
+# Database cleanup tool local policy
+#
+
+allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms;
+allow dcc_dbclean_t self:udp_socket create_socket_perms;
+
+allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
+
+allow dcc_dbclean_t dcc_dbclean_tmp_t:dir manage_dir_perms;
+allow dcc_dbclean_t dcc_dbclean_tmp_t:file create_file_perms;
+files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
+
+allow dcc_dbclean_t dcc_var_t:dir manage_dir_perms;
+allow dcc_dbclean_t dcc_var_t:file manage_file_perms;
+allow dcc_dbclean_t dcc_var_t:lnk_file create_lnk_perms;
+
+kernel_read_system_state(dcc_dbclean_t)
+
+corenet_non_ipsec_sendrecv(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
+files_read_etc_files(dcc_dbclean_t)
+files_read_etc_runtime_files(dcc_dbclean_t)
+
+libs_use_ld_so(dcc_dbclean_t)
+libs_use_shared_libs(dcc_dbclean_t)
+
+logging_send_syslog_msg(dcc_dbclean_t)
+
+miscfiles_read_localization(dcc_dbclean_t)
+
+sysnet_read_config(dcc_dbclean_t)
+sysnet_dns_name_resolve(dcc_dbclean_t)
+
+optional_policy(`
+	nscd_socket_use(dcc_dbclean_t)
+')
+
+########################################
+#
+# Server daemon local policy
+#
+
+allow dccd_t self:capability net_admin;
+dontaudit dccd_t self:capability sys_tty_config;
+allow dccd_t self:process signal_perms;
+allow dccd_t self:unix_stream_socket create_socket_perms;
+allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow dccd_t self:udp_socket create_socket_perms;
+
+allow dccd_t dcc_client_map_t:file rw_file_perms;
+
+# Access files in /var/dcc. The map file can be updated
+allow dccd_t dcc_var_t:dir r_dir_perms;
+allow dccd_t dcc_var_t:file r_file_perms;
+allow dccd_t dcc_var_t:lnk_file { getattr read };
+
+# Runs the dbclean program
+domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
+corecmd_search_bin(dccd_t)
+allow dcc_dbclean_t dccd_t:fd use;
+allow dcc_dbclean_t dccd_t:fifo_file rw_file_perms;
+allow dcc_dbclean_t dccd_t:process sigchld;
+
+# Updating dcc_db, flod, ...
+allow dccd_t dcc_var_t:dir manage_dir_perms;
+allow dccd_t dcc_var_t:file manage_file_perms;
+allow dccd_t dcc_var_t:lnk_file create_lnk_perms;
+
+allow dccd_t dccd_tmp_t:dir manage_dir_perms;
+allow dccd_t dccd_tmp_t:file create_file_perms;
+files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
+
+allow dccd_t dccd_var_run_t:file create_file_perms;
+allow dccd_t dccd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dccd_t,dccd_var_run_t,file)
+
+kernel_read_system_state(dccd_t)
+kernel_read_kernel_sysctls(dccd_t)
+
+corenet_non_ipsec_sendrecv(dccd_t)
+corenet_udp_sendrecv_generic_if(dccd_t)
+corenet_udp_sendrecv_all_nodes(dccd_t)
+corenet_udp_sendrecv_all_ports(dccd_t)
+corenet_udp_bind_all_nodes(dccd_t)
+corenet_udp_bind_dcc_port(dccd_t)
+corenet_sendrecv_dcc_server_packets(dccd_t)
+
+dev_read_sysfs(dccd_t)
+
+domain_use_interactive_fds(dccd_t)
+
+files_read_etc_files(dccd_t)
+files_read_etc_runtime_files(dccd_t)
+
+fs_getattr_all_fs(dccd_t)
+fs_search_auto_mountpoints(dccd_t)
+
+term_dontaudit_use_console(dccd_t)
+
+init_use_fds(dccd_t)
+init_use_script_ptys(dccd_t)
+
+libs_use_ld_so(dccd_t)
+libs_use_shared_libs(dccd_t)
+
+logging_send_syslog_msg(dccd_t)
+
+miscfiles_read_localization(dccd_t)
+
+sysnet_read_config(dccd_t)
+sysnet_dns_name_resolve(dccd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccd_t)
+userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(dccd_t)
+	term_dontaudit_use_generic_ptys(dccd_t)
+	files_dontaudit_read_root_files(dccd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(dccd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dccd_t)
+')
+
+optional_policy(`
+	udev_read_db(dccd_t)
+')
+
+########################################
+#
+# Spamassassin and general MTA persistent client local policy
+#
+
+dontaudit dccifd_t self:capability sys_tty_config;
+allow dccifd_t self:process signal_perms;
+allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
+allow dccifd_t self:unix_dgram_socket create_socket_perms;
+allow dccifd_t self:udp_socket create_socket_perms;
+
+allow dccifd_t dcc_client_map_t:file rw_file_perms;
+
+# Updating dcc_db, flod, ...
+allow dccifd_t dcc_var_t:dir manage_dir_perms;
+allow dccifd_t dcc_var_t:{ file sock_file fifo_file } manage_file_perms;
+allow dccifd_t dcc_var_t:lnk_file create_lnk_perms;
+
+allow dccifd_t dccifd_tmp_t:dir manage_dir_perms;
+allow dccifd_t dccifd_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
+
+allow dccifd_t dccifd_var_run_t:file manage_file_perms;
+allow dccifd_t dccifd_var_run_t:sock_file manage_file_perms;
+allow dccifd_t dcc_var_t:dir rw_dir_perms;
+type_transition dccifd_t dcc_var_t:{ file sock_file } dccifd_var_run_t;
+
+allow dccifd_t dccifd_var_run_t:file manage_file_perms;
+allow dccifd_t dccifd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dccifd_t,dccifd_var_run_t,file)
+
+kernel_read_system_state(dccifd_t)
+kernel_read_kernel_sysctls(dccifd_t)
+
+corenet_non_ipsec_sendrecv(dccifd_t)
+corenet_udp_sendrecv_generic_if(dccifd_t)
+corenet_udp_sendrecv_all_nodes(dccifd_t)
+corenet_udp_sendrecv_all_ports(dccifd_t)
+
+dev_read_sysfs(dccifd_t)
+
+domain_use_interactive_fds(dccifd_t)
+
+files_read_etc_files(dccifd_t)
+files_read_etc_runtime_files(dccifd_t)
+
+fs_getattr_all_fs(dccifd_t)
+fs_search_auto_mountpoints(dccifd_t)
+
+term_dontaudit_use_console(dccifd_t)
+
+init_use_fds(dccifd_t)
+init_use_script_ptys(dccifd_t)
+
+libs_use_ld_so(dccifd_t)
+libs_use_shared_libs(dccifd_t)
+
+logging_send_syslog_msg(dccifd_t)
+
+miscfiles_read_localization(dccifd_t)
+
+sysnet_read_config(dccifd_t)
+sysnet_dns_name_resolve(dccifd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
+userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(dccifd_t)
+	term_dontaudit_use_generic_ptys(dccifd_t)
+	files_dontaudit_read_root_files(dccifd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(dccifd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dccifd_t)
+')
+
+optional_policy(`
+	udev_read_db(dccifd_t)
+')
+
+########################################
+#
+# sendmail milter client local policy
+#
+
+dontaudit dccm_t self:capability sys_tty_config;
+allow dccm_t self:process signal_perms;
+allow dccm_t self:unix_stream_socket create_stream_socket_perms;
+allow dccm_t self:unix_dgram_socket create_socket_perms;
+allow dccm_t self:udp_socket create_socket_perms;
+
+allow dccm_t dcc_client_map_t:file rw_file_perms;
+
+allow dccm_t dcc_var_t:dir manage_dir_perms;
+allow dccm_t dcc_var_t:{ file sock_file fifo_file } create_file_perms;
+allow dccm_t dcc_var_t:lnk_file create_lnk_perms;
+
+allow dccm_t dccm_tmp_t:dir manage_dir_perms;
+allow dccm_t dccm_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
+
+allow dccm_t dccm_var_run_t:file manage_file_perms;
+allow dccm_t dccm_var_run_t:sock_file manage_file_perms;
+allow dccm_t dcc_var_run_t:dir rw_dir_perms;
+type_transition dccm_t dcc_var_run_t:{ file sock_file } dccm_var_run_t;
+
+allow dccm_t dccm_var_run_t:file manage_file_perms;
+allow dccm_t dccm_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dccm_t,dccm_var_run_t,file)
+
+kernel_read_system_state(dccm_t)
+kernel_read_kernel_sysctls(dccm_t)
+
+corenet_non_ipsec_sendrecv(dccm_t)
+corenet_udp_sendrecv_generic_if(dccm_t)
+corenet_udp_sendrecv_all_nodes(dccm_t)
+corenet_udp_sendrecv_all_ports(dccm_t)
+
+dev_read_sysfs(dccm_t)
+
+domain_use_interactive_fds(dccm_t)
+
+files_read_etc_files(dccm_t)
+files_read_etc_runtime_files(dccm_t)
+
+fs_getattr_all_fs(dccm_t)
+fs_search_auto_mountpoints(dccm_t)
+
+term_dontaudit_use_console(dccm_t)
+
+init_use_fds(dccm_t)
+init_use_script_ptys(dccm_t)
+
+libs_use_ld_so(dccm_t)
+libs_use_shared_libs(dccm_t)
+
+logging_send_syslog_msg(dccm_t)
+
+miscfiles_read_localization(dccm_t)
+
+sysnet_read_config(dccm_t)
+sysnet_dns_name_resolve(dccm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccm_t)
+userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(dccm_t)
+	term_dontaudit_use_generic_ptys(dccm_t)
+	files_dontaudit_read_root_files(dccm_t)
+')
+
+optional_policy(`
+	nscd_socket_use(dccm_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dccm_t)
+')
+
+optional_policy(`
+	udev_read_db(dccm_t)
+')
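Review bot: The `type_transition dccifd_t dcc_var_t:{ file sock_file } dccifd_var_run_t;` at the end of the dccifd block relabels every plain file dccifd_t creates under dcc_var_t, not just its socket, so the database and flood files the comment above it says dccifd updates would come out as dccifd_var_run_t, a type dccd_t and dcc_client_t have no rules for. dccm does the same transition against dcc_var_run_t instead, and the header note already says the two domains should share rules, so the asymmetry looks accidental rather than intended. If the socket is the only object dccifd creates in that directory, narrowing it to `type_transition dccifd_t dcc_var_t:sock_file dccifd_var_run_t;` keeps dcc_stream_connect_dccifd working while new database files stay dcc_var_t. The dccd block also hand-expands the dbclean transition that dcc_domtrans_dbclean earlier in this patch already provides, with a different search interface (corecmd_search_bin here, corecmd_search_sbin in the interface), which is worth collapsing to one definition so the two cannot drift.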
diff --git a/policy/modules/services/ddclient.fc b/policy/modules/services/ddclient.fc
new file mode 100644
index 0000000..606d2d2
--- /dev/null
+++ b/policy/modules/services/ddclient.fc
@@ -0,0 +1,11 @@
+/etc/ddclient\.conf	--	gen_context(system_u:object_r:ddclient_etc_t,s0)
+/etc/ddtcd\.conf	--	gen_context(system_u:object_r:ddclient_etc_t,s0)
+
+/usr/sbin/ddclient	--	gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/sbin/ddtcd		--	gen_context(system_u:object_r:ddclient_exec_t,s0)
+
+/var/cache/ddclient(/.*)?	gen_context(system_u:object_r:ddclient_var_t,s0)
+/var/lib/ddt-client(/.*)?	gen_context(system_u:object_r:ddclient_var_lib_t,s0)
+/var/log/ddtcd\.log.*	--	gen_context(system_u:object_r:ddclient_log_t,s0)
+/var/run/ddclient\.pid	--	gen_context(system_u:object_r:ddclient_var_run_t,s0)
+/var/run/ddtcd\.pid	--	gen_context(system_u:object_r:ddclient_var_run_t,s0)
diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
new file mode 100644
index 0000000..c1ddf99
--- /dev/null
+++ b/policy/modules/services/ddclient.if
@@ -0,0 +1,25 @@
+## <summary>Update dynamic IP address at DynDNS.org</summary>
+
+#######################################
+## <summary>
+##	Execute ddclient in the ddclient domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ddclient_domtrans',`
+	gen_require(`
+		type ddclient_t, ddclient_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, ddclient_exec_t, ddclient_t)
+
+	allow $1 ddclient_t:fd use;
+	allow ddclient_t $1:fd use;
+	allow ddclient_t $1:fifo_file rw_file_perms;
+	allow ddclient_t $1:process sigchld;
+')
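Review bot: `allow $1 ddclient_t:fd use;` on the line after the domain transition grants the caller use of descriptors owned by ddclient_t, which is the reverse direction from the usual domtrans pattern (compare dcc_domtrans_dbclean earlier in this patch, which only lets the child use the parent's descriptors). Unless the calling domain really needs to inherit descriptors from ddclient, dropping that line keeps the interface at least privilege. If it is needed, a one-line comment such as `# caller inherits descriptors opened by ddclient` above it would record why, since nothing in the hunk explains the extra direction.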
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
new file mode 100644
index 0000000..633e49f
--- /dev/null
+++ b/policy/modules/services/ddclient.te
@@ -0,0 +1,121 @@
+
+policy_module(ddclient,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type ddclient_t;
+type ddclient_exec_t;
+init_daemon_domain(ddclient_t,ddclient_exec_t)
+
+type ddclient_etc_t;
+files_type(ddclient_etc_t)
+
+type ddclient_log_t;
+logging_log_file(ddclient_log_t)
+
+type ddclient_var_t;
+files_type(ddclient_var_t)
+
+type ddclient_var_lib_t;
+files_type(ddclient_var_lib_t)
+
+type ddclient_var_run_t;
+files_pid_file(ddclient_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+dontaudit ddclient_t self:capability sys_tty_config;
+allow ddclient_t self:process signal_perms;
+allow ddclient_t self:fifo_file rw_file_perms;
+allow ddclient_t self:tcp_socket create_socket_perms;
+allow ddclient_t self:udp_socket create_socket_perms;
+
+allow ddclient_t ddclient_etc_t:file r_file_perms;
+
+allow ddclient_t ddclient_log_t:file manage_file_perms;
+logging_log_filetrans(ddclient_t,ddclient_log_t,file)
+
+allow ddclient_t ddclient_var_t:dir manage_dir_perms;
+allow ddclient_t ddclient_var_t:file manage_file_perms;
+allow ddclient_t ddclient_var_t:lnk_file create_lnk_perms;
+allow ddclient_t ddclient_var_t:sock_file manage_file_perms;
+allow ddclient_t ddclient_var_t:fifo_file manage_file_perms;
+files_var_filetrans(ddclient_t,ddclient_var_t,{ file lnk_file sock_file fifo_file })
+
+allow ddclient_t ddclient_var_lib_t:file manage_file_perms;
+allow ddclient_t ddclient_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(ddclient_t,ddclient_var_lib_t,file)
+
+allow ddclient_t ddclient_var_run_t:file manage_file_perms;
+allow ddclient_t ddclient_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ddclient_t,ddclient_var_run_t,file)
+
+kernel_read_system_state(ddclient_t)
+kernel_read_network_state(ddclient_t)
+kernel_read_software_raid_state(ddclient_t)
+kernel_getattr_core_if(ddclient_t)
+kernel_getattr_message_if(ddclient_t)
+kernel_read_kernel_sysctls(ddclient_t)
+
+corecmd_exec_shell(ddclient_t)
+corecmd_exec_bin(ddclient_t)
+
+corenet_non_ipsec_sendrecv(ddclient_t)
+corenet_tcp_sendrecv_generic_if(ddclient_t)
+corenet_udp_sendrecv_generic_if(ddclient_t)
+corenet_tcp_sendrecv_all_nodes(ddclient_t)
+corenet_udp_sendrecv_all_nodes(ddclient_t)
+corenet_tcp_sendrecv_all_ports(ddclient_t)
+corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_connect_all_ports(ddclient_t)
+corenet_sendrecv_all_client_packets(ddclient_t)
+
+dev_read_sysfs(ddclient_t)
+dev_read_urand(ddclient_t)
+
+domain_use_interactive_fds(ddclient_t)
+
+files_read_etc_files(ddclient_t)
+files_read_etc_runtime_files(ddclient_t)
+files_read_usr_files(ddclient_t)
+
+fs_getattr_all_fs(ddclient_t)
+fs_search_auto_mountpoints(ddclient_t)
+
+term_dontaudit_use_console(ddclient_t)
+
+init_use_fds(ddclient_t)
+init_use_script_ptys(ddclient_t)
+
+libs_use_ld_so(ddclient_t)
+libs_use_shared_libs(ddclient_t)
+
+logging_send_syslog_msg(ddclient_t)
+
+miscfiles_read_localization(ddclient_t)
+
+sysnet_exec_ifconfig(ddclient_t)
+sysnet_read_config(ddclient_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
+userdom_dontaudit_search_sysadm_home_dirs(ddclient_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(ddclient_t)
+	term_dontaudit_use_generic_ptys(ddclient_t)
+	files_dontaudit_read_root_files(ddclient_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(ddclient_t)
+')
+
+optional_policy(`
+	udev_read_db(ddclient_t)
+')
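Review bot: The second section banner reads `# Declarations` again at the point where the rules begin, while every sibling module in this patch labels that section `# Local policy`; it should read `# Local policy` here too. Separately, ddclient_etc_t is declared with `files_type(ddclient_etc_t)` while dictd_etc_t in this same patch uses `files_config_file(dictd_etc_t)` for the equivalent /etc configuration file; using the config-file interface here keeps the two modules consistent. Both look like copy-paste drift and are cheap to fix before the file gets reused as a template for other daemons.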
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
new file mode 100644
index 0000000..4d40b6b
--- /dev/null
+++ b/policy/modules/services/dhcp.fc
@@ -0,0 +1,7 @@
+
+/usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
+/var/lib/dhcpd(/.*)?			gen_context(system_u:object_r:dhcpd_state_t,s0)
+/var/lib/dhcp(3)?/dhcpd\.leases.* --	gen_context(system_u:object_r:dhcpd_state_t,s0)
+
+/var/run/dhcpd\.pid		--	gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
new file mode 100644
index 0000000..349b35d
--- /dev/null
+++ b/policy/modules/services/dhcp.if
@@ -0,0 +1,21 @@
+## <summary>Dynamic host configuration protocol (DHCP) server</summary>
+
+########################################
+## <summary>
+##	Set the attributes of the DCHP
+##	server state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dhcpd_setattr_state_files',`
+	gen_require(`
+		type dhcpd_state_t;
+	')
+
+	sysnet_search_dhcp_state($1)
+	allow $1 dhcpd_state_t:file setattr;
+')
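Review bot: The summary of dhcpd_setattr_state_files misspells the protocol as `DCHP`; it should read `Set the attributes of the DHCP server state files.` The interface body itself is fine, this is the only wording issue in the hunk.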
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
new file mode 100644
index 0000000..eff134a
--- /dev/null
+++ b/policy/modules/services/dhcp.te
@@ -0,0 +1,140 @@
+
+policy_module(dhcp,1.1.2)
+
+########################################
+#
+# Declarations
+#
+
+type dhcpd_t;
+type dhcpd_exec_t;
+init_daemon_domain(dhcpd_t,dhcpd_exec_t)
+
+type dhcpd_state_t;
+files_type(dhcpd_state_t)
+
+type dhcpd_tmp_t;
+files_tmp_file(dhcpd_tmp_t)
+
+type dhcpd_var_run_t;
+files_pid_file(dhcpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dhcpd_t self:capability net_raw;
+dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+allow dhcpd_t self:process signal_perms;
+allow dhcpd_t self:fifo_file { read write getattr };
+allow dhcpd_t self:unix_dgram_socket create_socket_perms;
+allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
+allow dhcpd_t self:tcp_socket create_stream_socket_perms;
+allow dhcpd_t self:udp_socket create_socket_perms;
+# Allow dhcpd_t to use packet sockets
+allow dhcpd_t self:packet_socket create_socket_perms;
+allow dhcpd_t self:rawip_socket create_socket_perms;
+
+can_exec(dhcpd_t,dhcpd_exec_t)
+
+allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
+allow dhcpd_t dhcpd_state_t:file create_file_perms;
+sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t,file)
+
+allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
+allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
+files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
+
+allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
+allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
+
+kernel_read_system_state(dhcpd_t)
+kernel_read_kernel_sysctls(dhcpd_t)
+
+corenet_non_ipsec_sendrecv(dhcpd_t)
+corenet_tcp_sendrecv_all_if(dhcpd_t)
+corenet_udp_sendrecv_all_if(dhcpd_t)
+corenet_raw_sendrecv_all_if(dhcpd_t)
+corenet_tcp_sendrecv_all_nodes(dhcpd_t)
+corenet_udp_sendrecv_all_nodes(dhcpd_t)
+corenet_raw_sendrecv_all_nodes(dhcpd_t)
+corenet_tcp_sendrecv_all_ports(dhcpd_t)
+corenet_udp_sendrecv_all_ports(dhcpd_t)
+corenet_tcp_bind_all_nodes(dhcpd_t)
+corenet_udp_bind_all_nodes(dhcpd_t)
+corenet_tcp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_pxe_port(dhcpd_t)
+corenet_tcp_connect_all_ports(dhcpd_t)
+corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+corenet_sendrecv_pxe_server_packets(dhcpd_t)
+corenet_sendrecv_all_client_packets(dhcpd_t)
+
+dev_read_sysfs(dhcpd_t)
+dev_read_rand(dhcpd_t)
+dev_read_urand(dhcpd_t)
+
+fs_getattr_all_fs(dhcpd_t)
+fs_search_auto_mountpoints(dhcpd_t)
+
+term_dontaudit_use_console(dhcpd_t)
+
+corecmd_exec_bin(dhcpd_t)
+corecmd_exec_sbin(dhcpd_t)
+
+domain_use_interactive_fds(dhcpd_t)
+
+files_read_etc_files(dhcpd_t)
+files_read_usr_files(dhcpd_t)
+files_read_etc_runtime_files(dhcpd_t)
+files_search_var_lib(dhcpd_t)
+
+init_use_fds(dhcpd_t)
+init_use_script_ptys(dhcpd_t)
+
+libs_use_ld_so(dhcpd_t)
+libs_use_shared_libs(dhcpd_t)
+
+logging_send_syslog_msg(dhcpd_t)
+
+miscfiles_read_localization(dhcpd_t)
+
+sysnet_read_config(dhcpd_t)
+sysnet_read_dhcp_config(dhcpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
+userdom_dontaudit_search_sysadm_home_dirs(dhcpd_t)
+
+ifdef(`distro_gentoo',`
+	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+')
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(dhcpd_t)
+	term_dontaudit_use_generic_ptys(dhcpd_t)
+	files_dontaudit_read_root_files(dhcpd_t)
+')
+
+optional_policy(`
+	# used for dynamic DNS
+	bind_read_dnssec_keys(dhcpd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(dhcpd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(dhcpd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dhcpd_t)
+')
+
+optional_policy(`
+	udev_read_db(dhcpd_t)
+')
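Review bot: `corenet_tcp_connect_all_ports(dhcpd_t)` in the corenet block lets the DHCP server open an outbound TCP connection to any port, which is much wider than anything else in the file accounts for; the only outbound use the file itself mentions is dynamic DNS (the bind_read_dnssec_keys optional block). If that is the only case, the rule can be narrowed to `corenet_tcp_connect_dns_port(dhcpd_t)`, and if the broader rule is needed for something like failover peers a comment above it should say so. The distro_gentoo block likewise adds `dac_override` and `sys_chroot` to the capability set without a note on which Gentoo-specific behaviour requires them; a short why-comment there would help the next reviewer judge whether the grant is still needed.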
diff --git a/policy/modules/services/dictd.fc b/policy/modules/services/dictd.fc
new file mode 100644
index 0000000..1907af7
--- /dev/null
+++ b/policy/modules/services/dictd.fc
@@ -0,0 +1,6 @@
+
+/etc/dictd\.conf	--	gen_context(system_u:object_r:dictd_etc_t,s0)
+
+/usr/sbin/dictd		--	gen_context(system_u:object_r:dictd_exec_t,s0)
+
+/var/lib/dictd(/.*)?		gen_context(system_u:object_r:dictd_var_lib_t,s0)
diff --git a/policy/modules/services/dictd.if b/policy/modules/services/dictd.if
new file mode 100644
index 0000000..5addaa1
--- /dev/null
+++ b/policy/modules/services/dictd.if
@@ -0,0 +1,22 @@
+## <summary>Dictionary daemon</summary>
+
+########################################
+## <summary>
+##	Use dictionary services by connecting
+##	over TCP.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dictd_tcp_connect',`
+	gen_require(`
+		type dictd_t;
+	')
+
+	allow $1 dictd_t:tcp_socket { connectto recvfrom };
+	allow dictd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
new file mode 100644
index 0000000..1a8ae10
--- /dev/null
+++ b/policy/modules/services/dictd.te
@@ -0,0 +1,104 @@
+
+policy_module(dictd,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type dictd_t;
+type dictd_exec_t;
+init_system_domain(dictd_t,dictd_exec_t)
+
+type dictd_etc_t;
+files_config_file(dictd_etc_t)
+
+type dictd_var_lib_t alias var_lib_dictd_t;
+files_type(dictd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dictd_t self:capability { setuid setgid };
+dontaudit dictd_t self:capability sys_tty_config;
+allow dictd_t self:process { signal_perms setpgid };
+allow dictd_t self:unix_stream_socket create_stream_socket_perms;
+allow dictd_t self:tcp_socket create_stream_socket_perms;
+allow dictd_t self:udp_socket create_socket_perms;
+
+allow dictd_t dictd_etc_t:file r_file_perms;
+files_search_etc(dictd_t)
+
+allow dictd_t dictd_var_lib_t:dir r_dir_perms;
+allow dictd_t dictd_var_lib_t:file r_file_perms;
+
+kernel_read_system_state(dictd_t)
+kernel_read_kernel_sysctls(dictd_t)
+kernel_tcp_recvfrom(dictd_t)
+
+corenet_non_ipsec_sendrecv(dictd_t)
+corenet_tcp_sendrecv_all_if(dictd_t)
+corenet_raw_sendrecv_all_if(dictd_t)
+corenet_udp_sendrecv_all_if(dictd_t)
+corenet_tcp_sendrecv_all_nodes(dictd_t)
+corenet_udp_sendrecv_all_nodes(dictd_t)
+corenet_raw_sendrecv_all_nodes(dictd_t)
+corenet_tcp_sendrecv_all_ports(dictd_t)
+corenet_udp_sendrecv_all_ports(dictd_t)
+corenet_tcp_bind_all_nodes(dictd_t)
+corenet_tcp_bind_dict_port(dictd_t)
+corenet_sendrecv_dict_server_packets(dictd_t)
+
+dev_read_sysfs(dictd_t)
+
+fs_getattr_xattr_fs(dictd_t)
+fs_search_auto_mountpoints(dictd_t)
+
+term_dontaudit_use_console(dictd_t)
+
+domain_use_interactive_fds(dictd_t)
+
+files_read_etc_files(dictd_t)
+files_read_etc_runtime_files(dictd_t)
+files_read_usr_files(dictd_t)
+files_search_var_lib(dictd_t)
+# for checking for nscd
+files_dontaudit_search_pids(dictd_t)
+
+init_use_fds(dictd_t)
+init_use_script_ptys(dictd_t)
+
+libs_use_ld_so(dictd_t)
+libs_use_shared_libs(dictd_t)
+
+logging_send_syslog_msg(dictd_t)
+
+miscfiles_read_localization(dictd_t)
+
+sysnet_read_config(dictd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dictd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(dictd_t)
+	term_dontaudit_use_generic_ptys(dictd_t)
+	files_dontaudit_read_root_files(dictd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(dictd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(dictd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dictd_t)
+')
+
+optional_policy(`
+	udev_read_db(dictd_t)
+')
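Review bot: `corenet_raw_sendrecv_all_if(dictd_t)` and `corenet_raw_sendrecv_all_nodes(dictd_t)` grant raw-IP traffic rules, but dictd_t is never allowed `self:rawip_socket`, so those two lines are dead (compare dhcpd_t in this patch, which pairs its raw sendrecv rules with `allow dhcpd_t self:rawip_socket create_socket_perms;`). Either drop the two raw lines or, if dictd really uses raw sockets, add the self rule and a comment saying why. The `files_dontaudit_search_pids` rule already carries a helpful why-comment; the `self:capability { setuid setgid }` line would benefit from the same treatment, presumably something like `# drop privileges after binding the dict port`, if that is indeed the reason.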
diff --git a/policy/modules/services/distcc.fc b/policy/modules/services/distcc.fc
new file mode 100644
index 0000000..6ce6b00
--- /dev/null
+++ b/policy/modules/services/distcc.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/distccd	--	gen_context(system_u:object_r:distccd_exec_t,s0)
diff --git a/policy/modules/services/distcc.if b/policy/modules/services/distcc.if
new file mode 100644
index 0000000..926e959
--- /dev/null
+++ b/policy/modules/services/distcc.if
@@ -0,0 +1 @@
+## <summary>Distributed compiler daemon</summary>
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
new file mode 100644
index 0000000..69a89ff
--- /dev/null
+++ b/policy/modules/services/distcc.te
@@ -0,0 +1,106 @@
+
+policy_module(distcc,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type distccd_t;
+type distccd_exec_t;
+init_daemon_domain(distccd_t,distccd_exec_t)
+
+type distccd_log_t;
+logging_log_file(distccd_log_t)
+
+type distccd_tmp_t;
+files_tmp_file(distccd_tmp_t)
+
+type distccd_var_run_t;
+files_pid_file(distccd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow distccd_t self:capability { setgid setuid };
+dontaudit distccd_t self:capability sys_tty_config;
+allow distccd_t self:process { signal_perms setsched };
+allow distccd_t self:fifo_file { read write getattr };
+allow distccd_t self:tcp_socket create_stream_socket_perms;
+allow distccd_t self:udp_socket create_socket_perms;
+
+allow distccd_t distccd_log_t:file create_file_perms;
+logging_log_filetrans(distccd_t,distccd_log_t,file)
+
+allow distccd_t distccd_tmp_t:dir create_dir_perms;
+allow distccd_t distccd_tmp_t:file create_file_perms;
+files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
+
+allow distccd_t distccd_var_run_t:file create_file_perms;
+allow distccd_t distccd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(distccd_t,distccd_var_run_t,file)
+
+kernel_read_system_state(distccd_t)
+kernel_read_kernel_sysctls(distccd_t)
+
+corenet_non_ipsec_sendrecv(distccd_t)
+corenet_tcp_sendrecv_all_if(distccd_t)
+corenet_udp_sendrecv_all_if(distccd_t)
+corenet_tcp_sendrecv_all_nodes(distccd_t)
+corenet_udp_sendrecv_all_nodes(distccd_t)
+corenet_tcp_sendrecv_all_ports(distccd_t)
+corenet_udp_sendrecv_all_ports(distccd_t)
+corenet_tcp_bind_all_nodes(distccd_t)
+corenet_tcp_bind_distccd_port(distccd_t)
+corenet_sendrecv_distccd_server_packets(distccd_t)
+
+dev_read_sysfs(distccd_t)
+
+fs_getattr_all_fs(distccd_t)
+fs_search_auto_mountpoints(distccd_t)
+
+term_dontaudit_use_console(distccd_t)
+
+corecmd_exec_bin(distccd_t)
+corecmd_read_sbin_symlinks(distccd_t)
+
+domain_use_interactive_fds(distccd_t)
+
+files_read_etc_files(distccd_t)
+files_read_etc_runtime_files(distccd_t)
+
+init_use_fds(distccd_t)
+init_use_script_ptys(distccd_t)
+
+libs_use_ld_so(distccd_t)
+libs_use_shared_libs(distccd_t)
+libs_exec_lib_files(distccd_t)
+
+logging_send_syslog_msg(distccd_t)
+
+miscfiles_read_localization(distccd_t)
+
+sysnet_read_config(distccd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(distccd_t)
+userdom_dontaudit_search_sysadm_home_dirs(distccd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(distccd_t)
+	term_dontaudit_use_generic_ptys(distccd_t)
+	files_dontaudit_read_root_files(distccd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(distccd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(distccd_t)
+')
+
+optional_policy(`
+	udev_read_db(distccd_t)
+')
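Review bot: `corecmd_exec_bin(distccd_t)` and `libs_exec_lib_files(distccd_t)` are the widest rules in the file and carry no comment explaining that they are presumably what lets the daemon run the compiler on jobs received from the network; a comment such as `# run the compiler toolchain on jobs received from remote clients` above the corecmd line would make the intent and the risk clear to a reader. The log rule uses `create_file_perms` where ddclient in the same patch uses `manage_file_perms` for its log type; either is defensible, but the patch should settle on one convention for log files.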
diff --git a/policy/modules/services/djbdns.fc b/policy/modules/services/djbdns.fc
new file mode 100644
index 0000000..fdb6652
--- /dev/null
+++ b/policy/modules/services/djbdns.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/axfrdns		--	gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
+/usr/bin/dnscache	--	gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0)
+/usr/bin/tinydns		--	gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
+
+/var/axfrdns/root(/.*)?		gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
+/var/dnscache/root(/.*)?		gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
+/var/tinydns/root(/.*)?		gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)
+
diff --git a/policy/modules/services/djbdns.if b/policy/modules/services/djbdns.if
new file mode 100644
index 0000000..e8baf77
--- /dev/null
+++ b/policy/modules/services/djbdns.if
@@ -0,0 +1,54 @@
+## <summary>small and secure DNS daemon</summary>
+
+########################################
+## <summary>
+##      Create a set of derived types for djbdns 
+##	components that are directly supervised by daemontools.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##      The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`djbdns_daemontools_domain_template',`
+
+	type djbdns_$1_t;
+	type djbdns_$1_exec_t;
+	type djbdns_$1_conf_t;
+	files_config_file(djbdns_$1_conf_t)
+
+	domain_type(djbdns_$1_t)
+	domain_entry_file(djbdns_$1_t,djbdns_$1_exec_t)
+	role system_r types djbdns_$1_t;
+
+	daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
+	daemontools_read_svc(djbdns_$1_t)
+
+	allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
+	allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
+	allow djbdns_$1_t self:udp_socket create_socket_perms;
+
+	allow djbdns_$1_t djbdns_$1_conf_t:dir r_dir_perms;
+	allow djbdns_$1_t djbdns_$1_conf_t:file r_file_perms;
+
+	corenet_non_ipsec_sendrecv(djbdns_$1_t)
+	corenet_tcp_sendrecv_all_if(djbdns_$1_t)
+	corenet_udp_sendrecv_all_if(djbdns_$1_t)
+	corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
+	corenet_udp_sendrecv_all_nodes(djbdns_$1_t)
+	corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+	corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+	corenet_tcp_bind_all_nodes(djbdns_$1_t)
+	corenet_udp_bind_all_nodes(djbdns_$1_t)
+	corenet_tcp_bind_dns_port(djbdns_$1_t)
+	corenet_udp_bind_dns_port(djbdns_$1_t)
+	corenet_udp_bind_generic_port(djbdns_$1_t)
+	corenet_sendrecv_dns_server_packets(djbdns_$1_t)
+	corenet_sendrecv_generic_server_packets(djbdns_$1_t)
+
+	files_search_var(djbdns_$1_t)
+
+	libs_use_ld_so(djbdns_$1_t)
+	libs_use_shared_libs(djbdns_$1_t)
+')
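Review bot: Two doc lines in the template header (`##      Create a set of derived types for djbdns` and `##      The prefix to be used for deriving type names.`) are indented with spaces while every other interface header in this patch uses a tab, and the first also carries trailing whitespace; they should be retabbed to match. `corenet_udp_bind_generic_port(djbdns_$1_t)` is the one rule in the template that reaches beyond the DNS port and has no comment; a line such as `# outgoing queries bind an unprivileged source port` (if that is the reason) would help. Since the template is also instantiated for tinydns, which presumably only serves on the DNS port, it may be worth moving that rule next to the dnscache instantiation in djbdns.te rather than granting it to every derived domain.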
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
new file mode 100644
index 0000000..0ca3670
--- /dev/null
+++ b/policy/modules/services/djbdns.te
@@ -0,0 +1,47 @@
+
+policy_module(djbdns,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type djbdns_axfrdns_t;
+type djbdns_axfrdns_exec_t;
+type djbdns_axfrdns_conf_t;
+domain_type(djbdns_axfrdns_t)
+domain_entry_file(djbdns_axfrdns_t,djbdns_axfrdns_exec_t)
+role system_r types djbdns_axfrdns_t;
+files_config_file(djbdns_axfrdns_conf_t)
+
+djbdns_daemontools_domain_template(dnscache)
+
+djbdns_daemontools_domain_template(tinydns)
+
+########################################
+#
+# Local policy for axfrdns component
+#
+
+files_config_file(djbdns_axfrdns_conf_t)
+
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir r_dir_perms;
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file r_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_t:dir r_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_t:file r_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir r_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file r_file_perms;
+
+files_search_var(djbdns_axfrdns_t)
+
+libs_use_ld_so(djbdns_axfrdns_t)
+libs_use_shared_libs(djbdns_axfrdns_t)
+
+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
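Review bot: The rules at L57445–L57446 target `djbdns_tinydns_t`, which the template declares as a process domain via `domain_type`, not a file type, so they only reach objects that happen to carry that label (the daemon's own /proc entries, presumably) and not the tinydns data axfrdns is meant to serve; the tinydns configuration is already covered by the `djbdns_tinydns_conf_t` rules just below, so these two lines look like a mislabel and should be dropped or retargeted at the intended data type. Also `files_config_file(djbdns_axfrdns_conf_t)` is called twice (L57424 and L57435); keep the one in the Declarations section.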
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
new file mode 100644
index 0000000..aa52c2c
--- /dev/null
+++ b/policy/modules/services/dnsmasq.fc
@@ -0,0 +1,4 @@
+/usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
+/var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
new file mode 100644
index 0000000..e5b0998
--- /dev/null
+++ b/policy/modules/services/dnsmasq.if
@@ -0,0 +1 @@
+## <summary>dnsmasq DNS forwarder and DHCP server</summary>
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
new file mode 100644
index 0000000..79063d1
--- /dev/null
+++ b/policy/modules/services/dnsmasq.te
@@ -0,0 +1,105 @@
+
+policy_module(dnsmasq,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type dnsmasq_t;
+type dnsmasq_exec_t;
+init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)
+
+type dnsmasq_lease_t;
+files_type(dnsmasq_lease_t)
+
+type dnsmasq_var_run_t;
+files_pid_file(dnsmasq_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
+dontaudit dnsmasq_t self:capability sys_tty_config;
+allow dnsmasq_t self:process signal_perms;
+allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
+allow dnsmasq_t self:udp_socket create_socket_perms;
+allow dnsmasq_t self:packet_socket create_socket_perms;
+allow dnsmasq_t self:rawip_socket create_socket_perms;
+
+# dhcp leases
+allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
+files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
+
+allow dnsmasq_t dnsmasq_var_run_t:file create_file_perms;
+allow dnsmasq_t dnsmasq_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file)
+
+kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_list_proc(dnsmasq_t)
+kernel_read_proc_symlinks(dnsmasq_t)
+
+corenet_non_ipsec_sendrecv(dnsmasq_t)
+corenet_tcp_sendrecv_generic_if(dnsmasq_t)
+corenet_udp_sendrecv_generic_if(dnsmasq_t)
+corenet_raw_sendrecv_generic_if(dnsmasq_t)
+corenet_tcp_sendrecv_all_nodes(dnsmasq_t)
+corenet_udp_sendrecv_all_nodes(dnsmasq_t)
+corenet_raw_sendrecv_all_nodes(dnsmasq_t)
+corenet_tcp_sendrecv_all_ports(dnsmasq_t)
+corenet_udp_sendrecv_all_ports(dnsmasq_t)
+corenet_tcp_bind_all_nodes(dnsmasq_t)
+corenet_udp_bind_all_nodes(dnsmasq_t)
+corenet_tcp_bind_dns_port(dnsmasq_t)
+corenet_udp_bind_dns_port(dnsmasq_t)
+corenet_udp_bind_dhcpd_port(dnsmasq_t)
+corenet_sendrecv_dns_server_packets(dnsmasq_t)
+corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
+
+dev_read_sysfs(dnsmasq_t)
+dev_read_urand(dnsmasq_t)
+
+domain_use_interactive_fds(dnsmasq_t)
+
+# allow access to dnsmasq.conf
+files_read_etc_files(dnsmasq_t)
+
+fs_getattr_all_fs(dnsmasq_t)
+fs_search_auto_mountpoints(dnsmasq_t)
+
+term_dontaudit_use_console(dnsmasq_t)
+
+init_use_fds(dnsmasq_t)
+init_use_script_ptys(dnsmasq_t)
+
+libs_use_ld_so(dnsmasq_t)
+libs_use_shared_libs(dnsmasq_t)
+
+logging_send_syslog_msg(dnsmasq_t)
+
+miscfiles_read_localization(dnsmasq_t)
+
+sysnet_read_config(dnsmasq_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
+userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(dnsmasq_t)
+	term_dontaudit_use_generic_ptys(dnsmasq_t)
+	files_dontaudit_read_root_files(dnsmasq_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(dnsmasq_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dnsmasq_t)
+')
+
+optional_policy(`
+	udev_read_db(dnsmasq_t)
+')
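Review bot: The comment `# allow access to dnsmasq.conf` above `files_read_etc_files(dnsmasq_t)` (L57545–L57546) undersells what the rule grants: read access to every generic `etc_t` file, not just the daemon's own configuration. The other new modules in this series (dovecot, fetchmail, finger, ftp, gatekeeper) declare a dedicated config type; a `dnsmasq_etc_t` marked with `files_config_file`, a matching `.fc` entry and `allow dnsmasq_t dnsmasq_etc_t:file r_file_perms;` would scope the daemon's own config, with `files_read_etc_files` retained only if it is still needed for other generic /etc files. If the broad read is intentional, the comment should say so.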
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
new file mode 100644
index 0000000..0b5a513
--- /dev/null
+++ b/policy/modules/services/dovecot.fc
@@ -0,0 +1,35 @@
+
+#
+# /etc
+#
+/etc/dovecot.conf.*			gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot.passwd.*			gen_context(system_u:object_r:dovecot_passwd_t,s0)
+
+/etc/pki/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_cert_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/dovecot		--	gen_context(system_u:object_r:dovecot_exec_t,s0)
+
+/usr/share/ssl/certs/dovecot\.pem --	gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem --	gen_context(system_u:object_r:dovecot_cert_t,s0)
+
+ifdef(`distro_debian', `
+/usr/lib/dovecot/dovecot-auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
+
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
+
+#
+# /var
+#
+/var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
+
+/var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
+
+
+
+
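Review bot: The `/etc/dovecot.conf.*` and `/etc/dovecot.passwd.*` patterns at L57595–L57596 leave the dot unescaped, so `.` matches any character, while the other entries in this file escape it (`dovecot\.pem`); write `/etc/dovecot\.conf.*` and `/etc/dovecot\.passwd.*` for consistency and to keep the `dovecot_passwd_t` label, which only the auth domain may read, from matching more than intended. The four trailing blank lines at L57622–L57625 can be dropped.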
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
new file mode 100644
index 0000000..ba714cc
--- /dev/null
+++ b/policy/modules/services/dovecot.if
@@ -0,0 +1,21 @@
+## <summary>Dovecot POP and IMAP mail server</summary>
+
+########################################
+## <summary>
+##	Create, read, write, and delete the dovecot spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dovecot_manage_spool',`
+	gen_require(`
+		type dovecot_spool_t;
+	')
+
+	allow $1 dovecot_spool_t:dir rw_dir_perms;
+	allow $1 dovecot_spool_t:file create_file_perms;
+	allow $1 dovecot_spool_t:lnk_file create_lnk_perms;
+')
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
new file mode 100644
index 0000000..166d4dc
--- /dev/null
+++ b/policy/modules/services/dovecot.te
@@ -0,0 +1,203 @@
+
+policy_module(dovecot,1.2.4)
+
+########################################
+#
+# Declarations
+#
+type dovecot_t;
+type dovecot_exec_t;
+init_daemon_domain(dovecot_t,dovecot_exec_t)
+
+type dovecot_cert_t;
+files_type(dovecot_cert_t)
+
+type dovecot_etc_t;
+files_config_file(dovecot_etc_t)
+
+type dovecot_passwd_t;
+files_type(dovecot_passwd_t)
+
+type dovecot_spool_t;
+files_type(dovecot_spool_t)
+
+type dovecot_var_run_t;
+files_pid_file(dovecot_var_run_t)
+
+type dovecot_auth_t;
+type dovecot_auth_exec_t;
+domain_type(dovecot_auth_t)
+domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
+role system_r types dovecot_auth_t;
+
+########################################
+#
+# dovecot local policy
+#
+
+allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
+dontaudit dovecot_t self:capability sys_tty_config;
+allow dovecot_t self:process { setrlimit signal_perms };
+allow dovecot_t self:fifo_file rw_file_perms;
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
+allow dovecot_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
+
+domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+allow dovecot_t dovecot_auth_t:fd use;
+allow dovecot_auth_t dovecot_t:process sigchld;
+allow dovecot_auth_t dovecot_t:fd use;
+allow dovecot_auth_t dovecot_t:fifo_file { ioctl read write getattr lock append };
+
+allow dovecot_t dovecot_cert_t:dir r_dir_perms;
+allow dovecot_t dovecot_cert_t:file r_file_perms;
+allow dovecot_t dovecot_cert_t:lnk_file { getattr read };
+
+allow dovecot_t dovecot_etc_t:file r_file_perms;
+files_search_etc(dovecot_t)
+
+can_exec(dovecot_t, dovecot_exec_t)
+
+allow dovecot_t dovecot_spool_t:dir create_dir_perms;
+allow dovecot_t dovecot_spool_t:file create_file_perms;
+allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms;
+
+allow dovecot_t dovecot_var_run_t:file create_file_perms;
+allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
+allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
+
+kernel_read_kernel_sysctls(dovecot_t)
+kernel_read_system_state(dovecot_t)
+
+corenet_non_ipsec_sendrecv(dovecot_t)
+corenet_tcp_sendrecv_all_if(dovecot_t)
+corenet_tcp_sendrecv_all_nodes(dovecot_t)
+corenet_tcp_sendrecv_all_ports(dovecot_t)
+corenet_tcp_bind_all_nodes(dovecot_t)
+corenet_tcp_bind_pop_port(dovecot_t)
+corenet_tcp_connect_all_ports(dovecot_t)
+corenet_tcp_connect_postgresql_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_sendrecv_all_client_packets(dovecot_t)
+
+dev_read_sysfs(dovecot_t)
+dev_read_urand(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
+
+term_dontaudit_use_console(dovecot_t)
+
+corecmd_exec_bin(dovecot_t)
+
+domain_use_interactive_fds(dovecot_t)
+
+files_read_etc_files(dovecot_t)
+files_search_spool(dovecot_t)
+files_search_tmp(dovecot_t)
+files_dontaudit_list_default(dovecot_t)
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+files_read_etc_runtime_files(dovecot_t)
+files_getattr_all_mountpoints(dovecot_t)
+
+init_use_fds(dovecot_t)
+init_use_script_ptys(dovecot_t)
+init_getattr_utmp(dovecot_t)
+
+libs_use_ld_so(dovecot_t)
+libs_use_shared_libs(dovecot_t)
+
+logging_send_syslog_msg(dovecot_t)
+
+miscfiles_read_certs(dovecot_t)
+miscfiles_read_localization(dovecot_t)
+
+sysnet_read_config(dovecot_t)
+sysnet_use_ldap(dovecot_auth_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
+userdom_priveleged_home_dir_manager(dovecot_t)
+
+mta_manage_spool(dovecot_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(dovecot_t)
+	term_dontaudit_use_generic_ptys(dovecot_t)
+	files_dontaudit_read_root_files(dovecot_t)
+')
+
+optional_policy(`
+	kerberos_use(dovecot_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(dovecot_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dovecot_t)
+')
+
+optional_policy(`
+	udev_read_db(dovecot_t)
+')
+
+########################################
+#
+# dovecot auth local policy
+#
+
+allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t self:process signal_perms;
+allow dovecot_auth_t self:fifo_file rw_file_perms;
+allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+
+allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+
+allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
+
+kernel_read_all_sysctls(dovecot_auth_t)
+kernel_read_system_state(dovecot_auth_t)
+
+dev_read_urand(dovecot_auth_t)
+
+auth_domtrans_chk_passwd(dovecot_auth_t)
+auth_use_nsswitch(dovecot_auth_t)
+
+files_read_etc_files(dovecot_auth_t)
+files_read_etc_runtime_files(dovecot_auth_t)
+files_search_pids(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
+
+libs_use_ld_so(dovecot_auth_t)
+libs_use_shared_libs(dovecot_auth_t)
+
+miscfiles_read_localization(dovecot_auth_t)
+
+seutil_dontaudit_search_config(dovecot_auth_t)
+
+sysnet_dns_name_resolve(dovecot_auth_t)
+
+optional_policy(`
+	kerberos_use(dovecot_auth_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(dovecot_auth_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(dovecot_auth_t)
+')
+
+optional_policy(`
+	nscd_socket_use(dovecot_auth_t)
+')
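Review bot: `corenet_tcp_connect_all_ports(dovecot_t)` at L57738 makes the `corenet_tcp_connect_postgresql_port` rule on the next line redundant and lets the mail server open outbound TCP connections to any port; if the database is the only outbound need, keep the postgresql-port rule and drop the all-ports one. `sysnet_use_ldap(dovecot_auth_t)` at L57777 sits in the `dovecot_t` section while every other `dovecot_auth_t` rule is under the `dovecot auth local policy` header at L57807; move it there so the auth domain's grants can be reviewed in one place.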
diff --git a/policy/modules/services/fetchmail.fc b/policy/modules/services/fetchmail.fc
new file mode 100644
index 0000000..455c620
--- /dev/null
+++ b/policy/modules/services/fetchmail.fc
@@ -0,0 +1,19 @@
+
+#
+# /etc
+#
+
+/etc/fetchmailrc		--	gen_context(system_u:object_r:fetchmail_etc_t,s0)
+
+#
+# /usr
+#
+
+/usr/bin/fetchmail		--	gen_context(system_u:object_r:fetchmail_exec_t,s0)
+
+#
+# /var
+#
+
+/var/run/fetchmail/.*		--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+/var/mail/\.fetchmail-UIDL-cache --	gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
new file mode 100644
index 0000000..fde49b7
--- /dev/null
+++ b/policy/modules/services/fetchmail.if
@@ -0,0 +1 @@
+## <summary>Remote-mail retrieval and forwarding utility</summary>
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
new file mode 100644
index 0000000..bac61a5
--- /dev/null
+++ b/policy/modules/services/fetchmail.te
@@ -0,0 +1,105 @@
+
+policy_module(fetchmail,1.1.2)
+
+########################################
+#
+# Declarations
+#
+
+type fetchmail_t;
+type fetchmail_exec_t;
+init_daemon_domain(fetchmail_t,fetchmail_exec_t)
+
+type fetchmail_var_run_t;
+files_pid_file(fetchmail_var_run_t)
+
+type fetchmail_etc_t;
+files_type(fetchmail_etc_t)
+
+type fetchmail_uidl_cache_t;
+files_type(fetchmail_uidl_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit fetchmail_t self:capability sys_tty_config;
+allow fetchmail_t self:process { signal_perms setrlimit };
+allow fetchmail_t self:unix_dgram_socket create_socket_perms;
+allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
+allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
+allow fetchmail_t self:tcp_socket create_socket_perms;
+allow fetchmail_t self:udp_socket create_socket_perms;
+
+allow fetchmail_t fetchmail_etc_t:file r_file_perms;
+
+allow fetchmail_t fetchmail_uidl_cache_t:file create_file_perms;
+mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t,file)
+
+allow fetchmail_t fetchmail_var_run_t:file create_file_perms;
+allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(fetchmail_t,fetchmail_var_run_t,file)
+
+kernel_read_kernel_sysctls(fetchmail_t)
+kernel_list_proc(fetchmail_t)
+kernel_getattr_proc_files(fetchmail_t)
+kernel_read_proc_symlinks(fetchmail_t)
+kernel_dontaudit_read_system_state(fetchmail_t)
+
+corenet_non_ipsec_sendrecv(fetchmail_t)
+corenet_tcp_sendrecv_generic_if(fetchmail_t)
+corenet_udp_sendrecv_generic_if(fetchmail_t)
+corenet_tcp_sendrecv_all_nodes(fetchmail_t)
+corenet_udp_sendrecv_all_nodes(fetchmail_t)
+corenet_tcp_sendrecv_dns_port(fetchmail_t)
+corenet_udp_sendrecv_dns_port(fetchmail_t)
+corenet_tcp_sendrecv_pop_port(fetchmail_t)
+corenet_tcp_sendrecv_smtp_port(fetchmail_t)
+corenet_tcp_connect_all_ports(fetchmail_t)
+corenet_sendrecv_all_client_packets(fetchmail_t)
+
+dev_read_sysfs(fetchmail_t)
+dev_read_rand(fetchmail_t)
+dev_read_urand(fetchmail_t)
+
+files_read_etc_files(fetchmail_t)
+files_read_etc_runtime_files(fetchmail_t)
+files_dontaudit_search_home(fetchmail_t)
+
+fs_getattr_all_fs(fetchmail_t)
+fs_search_auto_mountpoints(fetchmail_t)
+
+term_dontaudit_use_console(fetchmail_t)
+
+domain_use_interactive_fds(fetchmail_t)
+
+init_use_fds(fetchmail_t)
+init_use_script_ptys(fetchmail_t)
+
+libs_use_ld_so(fetchmail_t)
+libs_use_shared_libs(fetchmail_t)
+
+logging_send_syslog_msg(fetchmail_t)
+
+miscfiles_read_localization(fetchmail_t)
+miscfiles_read_certs(fetchmail_t)
+
+sysnet_read_config(fetchmail_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(fetchmail_t)
+	term_dontaudit_use_generic_ptys(fetchmail_t)
+	files_dontaudit_read_root_files(fetchmail_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(fetchmail_t)
+')
+
+optional_policy(`
+	udev_read_db(fetchmail_t)
+')
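Review bot: `fetchmail_etc_t` is declared with `files_type` (L57915–L57916) whereas the other configuration types added in this series (`dovecot_etc_t`, `fingerd_etc_t`, `ftpd_etc_t`, `gatekeeper_etc_t`) use `files_config_file`; use `files_config_file(fetchmail_etc_t)` so the type is recognised by the generic config-file interfaces. Keeping /etc/fetchmailrc, which typically carries mailbox credentials, under its own type rather than generic `etc_t` is the right call; the daemon only needs the `r_file_perms` granted at L57934.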
diff --git a/policy/modules/services/finger.fc b/policy/modules/services/finger.fc
new file mode 100644
index 0000000..c861192
--- /dev/null
+++ b/policy/modules/services/finger.fc
@@ -0,0 +1,19 @@
+# fingerd
+
+#
+# /etc
+#
+/etc/cfingerd(/.*)?		gen_context(system_u:object_r:fingerd_etc_t,s0)
+
+/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/in\.fingerd	--	gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/sbin/[cef]fingerd	--	gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+#
+# /var
+#
+/var/log/cfingerd\.log.* --	gen_context(system_u:object_r:fingerd_log_t,s0)
diff --git a/policy/modules/services/finger.if b/policy/modules/services/finger.if
new file mode 100644
index 0000000..22d4824
--- /dev/null
+++ b/policy/modules/services/finger.if
@@ -0,0 +1,44 @@
+## <summary>Finger user information service.</summary>
+
+########################################
+## <summary>
+##	Execute fingerd in the fingerd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`finger_domtrans',`
+	gen_require(`
+		type fingerd_t, fingerd_exec_t;
+	')
+
+	domain_auto_trans($1,fingerd_exec_t,fingerd_t)
+
+	allow $1 fingerd_t:fd use;
+	allow fingerd_t $1:fd use;
+	allow fingerd_t $1:fifo_file rw_file_perms;
+	allow fingerd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to fingerd with a tcp socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`finger_tcp_connect',`
+	gen_require(`
+		type fingerd_t;
+	')
+
+	kernel_tcp_recvfrom($1)
+	allow $1 fingerd_t:tcp_socket { connectto recvfrom };
+	allow fingerd_t $1:tcp_socket { acceptfrom recvfrom };
+')
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
new file mode 100644
index 0000000..1647e64
--- /dev/null
+++ b/policy/modules/services/finger.te
@@ -0,0 +1,134 @@
+
+policy_module(finger,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type fingerd_t;
+type fingerd_exec_t;
+init_daemon_domain(fingerd_t,fingerd_exec_t)
+inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
+
+type fingerd_etc_t;
+files_config_file(fingerd_etc_t)
+
+type fingerd_log_t;
+logging_log_file(fingerd_log_t)
+
+type fingerd_var_run_t;
+files_pid_file(fingerd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow fingerd_t self:capability { setgid setuid };
+dontaudit fingerd_t self:capability { sys_tty_config fsetid };
+allow fingerd_t self:process signal_perms;
+allow fingerd_t self:fifo_file { read write getattr };
+allow fingerd_t self:tcp_socket connected_stream_socket_perms;
+allow fingerd_t self:udp_socket create_socket_perms;
+allow fingerd_t self:unix_dgram_socket create_socket_perms;
+allow fingerd_t self:unix_stream_socket create_socket_perms;
+
+allow fingerd_t fingerd_var_run_t:file create_file_perms;
+allow fingerd_t fingerd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(fingerd_t,fingerd_var_run_t,file)
+
+allow fingerd_t fingerd_etc_t:file r_file_perms;
+allow fingerd_t fingerd_etc_t:dir r_dir_perms;
+allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
+
+allow fingerd_t fingerd_log_t:file create_file_perms;
+logging_log_filetrans(fingerd_t,fingerd_log_t,file)
+
+kernel_read_kernel_sysctls(fingerd_t)
+kernel_read_system_state(fingerd_t)
+kernel_tcp_recvfrom(fingerd_t)
+
+corenet_non_ipsec_sendrecv(fingerd_t)
+corenet_tcp_sendrecv_all_if(fingerd_t)
+corenet_udp_sendrecv_all_if(fingerd_t)
+corenet_tcp_sendrecv_all_nodes(fingerd_t)
+corenet_udp_sendrecv_all_nodes(fingerd_t)
+corenet_tcp_sendrecv_all_ports(fingerd_t)
+corenet_udp_sendrecv_all_ports(fingerd_t)
+corenet_tcp_bind_all_nodes(fingerd_t)
+corenet_tcp_bind_fingerd_port(fingerd_t)
+
+dev_read_sysfs(fingerd_t)
+
+fs_getattr_all_fs(fingerd_t)
+fs_search_auto_mountpoints(fingerd_t)
+
+term_dontaudit_use_console(fingerd_t)
+term_getattr_all_user_ttys(fingerd_t)
+term_getattr_all_user_ptys(fingerd_t)
+
+auth_read_lastlog(fingerd_t)
+
+corecmd_exec_bin(fingerd_t)
+corecmd_exec_sbin(fingerd_t)
+corecmd_exec_shell(fingerd_t)
+
+domain_use_interactive_fds(fingerd_t)
+
+files_search_home(fingerd_t)
+files_read_etc_files(fingerd_t)
+files_read_etc_runtime_files(fingerd_t)
+
+init_read_utmp(fingerd_t)
+init_dontaudit_write_utmp(fingerd_t)
+init_use_fds(fingerd_t)
+init_use_script_ptys(fingerd_t)
+
+libs_use_ld_so(fingerd_t)
+libs_use_shared_libs(fingerd_t)
+
+logging_send_syslog_msg(fingerd_t)
+
+mta_getattr_spool(fingerd_t)
+
+sysnet_read_config(fingerd_t)
+
+miscfiles_read_localization(fingerd_t)
+
+userdom_read_unpriv_users_home_content_files(fingerd_t)
+userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
+userdom_dontaudit_search_sysadm_home_dirs(fingerd_t)
+# stop it accessing sub-directories, prevents checking a Maildir for new mail,
+# have to change this when we create a type for Maildir
+userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(fingerd_t)
+	term_dontaudit_use_generic_ptys(fingerd_t)
+	files_dontaudit_read_root_files(fingerd_t)
+')
+
+optional_policy(`
+	cron_system_entry(fingerd_t,fingerd_exec_t)
+')
+
+optional_policy(`
+	logrotate_exec(fingerd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(fingerd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(fingerd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(fingerd_t)
+')
+
+optional_policy(`
+	udev_read_db(fingerd_t)
+')
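Review bot: `fingerd_var_run_t` is declared at L58105–L58106 and `files_pid_filetrans` grants the transition at L58124, but the finger.fc hunk (L58010–L58029) has no `/var/run` entry for it, so a pid file the daemon creates would carry the right label at runtime yet presumably fall back to the generic pid label on a relabel; add a matching `.fc` line such as `/var/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)` (path to be confirmed against the packaged daemon). The comment at L58187–L58188 reads as a note-to-self; rephrasing it as `# dontaudit subdirectory searches so Maildir checks do not generate denials; revisit once a Maildir type exists` keeps the intent.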
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
new file mode 100644
index 0000000..5ea69a0
--- /dev/null
+++ b/policy/modules/services/ftp.fc
@@ -0,0 +1,29 @@
+#
+# /etc
+#
+/etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/cron\.monthly/proftpd --	gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/ftpdctl	--	gen_context(system_u:object_r:ftpdctl_exec_t,s0)
+
+/usr/kerberos/sbin/ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+/usr/sbin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/in\.ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/vsftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/proftpd(/.*)? 		gen_context(system_u:object_r:ftpd_var_run_t,s0)
+
+/var/log/muddleftpd\.log.* --	gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/proftpd(/.*)?          gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
new file mode 100644
index 0000000..113e56c
--- /dev/null
+++ b/policy/modules/services/ftp.if
@@ -0,0 +1,134 @@
+## <summary>File transfer protocol service</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the ftp module.
+## </summary>
+## <desc>
+##	<p>
+##	This template allows ftpd to manage files in
+##	a user home directory, creating files with the
+##	correct type.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`ftp_per_userdomain_template',`
+	tunable_policy(`ftpd_is_daemon',`
+		userdom_manage_user_home_content_files($1,ftpd_t)
+		userdom_manage_user_home_content_symlinks($1,ftpd_t)
+		userdom_manage_user_home_content_sockets($1,ftpd_t)
+		userdom_manage_user_home_content_pipes($1,ftpd_t)
+		userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+	')
+')
+
+########################################
+## <summary>
+##      Use ftp by connecting over TCP.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ftp_tcp_connect',`
+	gen_require(`
+		type ftpd_t;
+	')
+
+	allow $1 ftpd_t:tcp_socket { connectto recvfrom };
+	allow ftpd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
+########################################
+## <summary>
+##      Read ftpd etc files
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ftp_read_config',`
+	gen_require(`
+		type ftpd_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 ftpd_etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##      Execute FTP daemon entry point programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ftp_check_exec',`
+	gen_require(`
+		type ftpd_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	allow $1 ftpd_exec_t:file x_file_perms;
+')
+
+########################################
+## <summary>
+##      Read FTP transfer logs
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ftp_read_log',`
+	gen_require(`
+		type xferlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 xferlog_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##      Execute the ftpdctl program in the ftpdctl domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ftp_domtrans_ftpdctl',`
+	gen_require(`
+		type ftpdctl_t, ftpdctl_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, ftpdctl_exec_t, ftpdctl_t)
+
+	allow ftpdctl_t $1:fd use;
+	allow ftpdctl_t $1:fifo_file rw_file_perms;
+	allow ftpdctl_t $1:process sigchld;
+')
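Review bot: `ftp_per_userdomain_template` (L58286–L58294) references `ftpd_t` without a `gen_require` block, unlike every other interface in this file; when the template is expanded from another module the type is not in scope, so add a `gen_require` block declaring `type ftpd_t;` at the top of the template. The summary of `ftp_check_exec` (L58337) says "Execute FTP daemon entry point programs", but the interface grants only `x_file_perms` with no domain transition and no `execute_no_trans`, which matches the refpolicy `*_check_exec` convention; a summary like `Check whether the FTP daemon entry point programs are executable.` would describe what callers actually get.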
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
new file mode 100644
index 0000000..fb09648
--- /dev/null
+++ b/policy/modules/services/ftp.te
@@ -0,0 +1,274 @@
+
+policy_module(ftp,1.2.6)
+
+########################################
+#
+# Declarations
+#
+
+type ftpd_t;
+type ftpd_exec_t;
+init_daemon_domain(ftpd_t,ftpd_exec_t)
+
+type ftpd_etc_t;
+files_config_file(ftpd_etc_t)
+
+# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
+type ftpd_lock_t;
+files_lock_file(ftpd_lock_t)
+
+type ftpd_tmp_t;
+files_tmp_file(ftpd_tmp_t)
+
+type ftpd_tmpfs_t;
+files_tmpfs_file(ftpd_tmpfs_t)
+
+type ftpd_var_run_t;
+files_pid_file(ftpd_var_run_t)
+
+type ftpdctl_t;
+type ftpdctl_exec_t;
+init_system_domain(ftpdctl_t,ftpdctl_exec_t)
+
+type ftpdctl_tmp_t;
+files_tmp_file(ftpdctl_tmp_t)
+
+type xferlog_t;
+logging_log_file(xferlog_t)
+
+########################################
+#
+# ftpd local policy
+#
+
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+dontaudit ftpd_t self:capability sys_tty_config;
+allow ftpd_t self:process signal_perms;
+allow ftpd_t self:process { getcap setcap setsched setrlimit };
+allow ftpd_t self:fifo_file rw_file_perms;
+allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
+allow ftpd_t self:tcp_socket create_stream_socket_perms;
+allow ftpd_t self:udp_socket create_socket_perms;
+
+allow ftpd_t ftpd_etc_t:file r_file_perms;
+
+allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
+allow ftpd_t ftpd_tmp_t:file create_file_perms;
+files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+
+allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
+allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
+allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
+allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
+allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
+fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+allow ftpd_t ftpd_var_run_t:file manage_file_perms;
+allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
+allow ftpd_t ftpd_var_run_t:sock_file manage_file_perms;
+files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
+
+# proftpd requires the client side to bind a socket so that
+# it can stat the socket to perform access control decisions,
+# since getsockopt with SO_PEERCRED is not available on all
+# proftpd-supported OSs
+allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+
+# Create and modify /var/log/xferlog.
+allow ftpd_t xferlog_t:dir search_dir_perms;
+allow ftpd_t xferlog_t:file create_file_perms;
+logging_log_filetrans(ftpd_t,xferlog_t,file)
+
+kernel_read_kernel_sysctls(ftpd_t)
+kernel_read_system_state(ftpd_t)
+
+dev_read_sysfs(ftpd_t)
+dev_read_urand(ftpd_t)
+
+corecmd_exec_bin(ftpd_t)
+corecmd_exec_sbin(ftpd_t)
+# Execute /bin/ls (can comment this out for proftpd)
+# also may need rules to allow tar etc...
+corecmd_exec_ls(ftpd_t)
+
+corenet_non_ipsec_sendrecv(ftpd_t)
+corenet_tcp_sendrecv_all_if(ftpd_t)
+corenet_udp_sendrecv_all_if(ftpd_t)
+corenet_tcp_sendrecv_all_nodes(ftpd_t)
+corenet_udp_sendrecv_all_nodes(ftpd_t)
+corenet_tcp_sendrecv_all_ports(ftpd_t)
+corenet_udp_sendrecv_all_ports(ftpd_t)
+corenet_tcp_bind_all_nodes(ftpd_t)
+corenet_tcp_bind_ftp_port(ftpd_t)
+corenet_tcp_bind_ftp_data_port(ftpd_t)
+corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_connect_all_ports(ftpd_t)
+corenet_sendrecv_ftp_server_packets(ftpd_t)
+
+domain_use_interactive_fds(ftpd_t)
+
+files_search_etc(ftpd_t)
+files_read_etc_files(ftpd_t)
+files_read_etc_runtime_files(ftpd_t)
+files_search_var_lib(ftpd_t)
+
+fs_search_auto_mountpoints(ftpd_t)
+fs_getattr_all_fs(ftpd_t)
+
+term_dontaudit_use_console(ftpd_t)
+
+auth_use_nsswitch(ftpd_t)
+auth_domtrans_chk_passwd(ftpd_t)
+# Append to /var/log/wtmp.
+auth_append_login_records(ftpd_t)
+#kerberized ftp requires the following
+auth_write_login_records(ftpd_t)
+
+init_use_fds(ftpd_t)
+init_use_script_ptys(ftpd_t)
+
+libs_use_ld_so(ftpd_t)
+libs_use_shared_libs(ftpd_t)
+
+logging_send_syslog_msg(ftpd_t)
+
+miscfiles_read_localization(ftpd_t)
+miscfiles_read_public_files(ftpd_t)
+
+seutil_dontaudit_search_config(ftpd_t)
+
+sysnet_read_config(ftpd_t)
+sysnet_use_ldap(ftpd_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
+userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
+
+ifdef(`targeted_policy',`
+	files_dontaudit_read_root_files(ftpd_t)
+
+	term_dontaudit_use_generic_ptys(ftpd_t)
+	term_dontaudit_use_unallocated_ttys(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_anon_write',`
+	miscfiles_manage_public_files(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_cifs',`
+	fs_read_cifs_files(ftpd_t)
+	fs_read_cifs_symlinks(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
+	fs_manage_cifs_files(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_nfs',`
+	fs_read_nfs_files(ftpd_t)
+	fs_read_nfs_symlinks(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+	fs_manage_nfs_files(ftpd_t)
+')
+
+tunable_policy(`ftp_home_dir',`
+	allow ftpd_t self:capability { dac_override dac_read_search };
+
+	# allow access to /home
+	files_list_home(ftpd_t)
+	userdom_read_all_users_home_content_files(ftpd_t)
+	userdom_manage_all_users_home_content_dirs(ftpd_t)
+	userdom_manage_all_users_home_content_files(ftpd_t)
+	userdom_manage_all_users_home_content_symlinks(ftpd_t)
+
+	ifdef(`targeted_policy',`
+		userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
+	')
+')
+
+tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+	fs_manage_nfs_files(ftpd_t)
+	fs_read_nfs_symlinks(ftpd_t)
+')
+
+tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
+	fs_manage_cifs_files(ftpd_t)
+	fs_read_cifs_symlinks(ftpd_t)
+')
+
+tunable_policy(`ftpd_is_daemon',`
+	allow ftpd_t ftpd_lock_t:file create_file_perms;
+	files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
+
+	corenet_tcp_bind_ftp_port(ftpd_t)
+')
+
+optional_policy(`
+	corecmd_exec_shell(ftpd_t)
+
+	files_read_usr_files(ftpd_t)
+
+       	cron_system_entry(ftpd_t, ftpd_exec_t)
+
+	optional_policy(`
+		logrotate_exec(ftpd_t)
+	')
+')
+
+optional_policy(`
+	daemontools_service_domain(ftpd_t, ftpd_exec_t)
+')
+
+optional_policy(`
+	#reh: typeattributes not allowed in conditionals yet.
+	#tunable_policy(`! ftpd_is_daemon',`
+	#	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
+	#')
+
+	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
+
+	optional_policy(`
+		tunable_policy(`! ftpd_is_daemon',`
+			tcpd_domtrans(tcpd_t)
+		')
+	')
+')
+
+optional_policy(`
+	nscd_socket_use(ftpd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(ftpd_t)
+')
+
+optional_policy(`
+	udev_read_db(ftpd_t)
+')
+
+########################################
+#
+# ftpdctl local policy
+#
+
+# Allow ftpdctl to talk to ftpd over a socket connection
+allow ftpdctl_t ftpd_t:unix_stream_socket connectto;
+allow ftpdctl_t ftpd_var_run_t:dir search;
+allow ftpdctl_t ftpd_var_run_t:sock_file write;
+
+# ftpdctl creates a socket so that the daemon can perform
+# access control decisions (see comments in ftpd_t rules above)
+allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
+files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
+
+# Allow ftpdctl to read config files
+files_read_etc_files(ftpdctl_t)
+
+libs_use_ld_so(ftpdctl_t)
+libs_use_shared_libs(ftpdctl_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(ftpdctl_t)
+')
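Review bot: `corenet_tcp_bind_ftp_port(ftpd_t)` is granted unconditionally at L58503 and again inside the `ftpd_is_daemon` tunable block at L58605, so the conditional copy has no effect; drop one of them (the unconditional one, if the control port should only be bound when running as a standalone daemon). `tcpd_domtrans(tcpd_t)` at L58634 passes the tcpd domain as its own caller, which looks like a copy-paste slip; the domain that should transition to tcpd in the inetd flow is presumably the inetd one, to be confirmed against the tcpd interface documentation. Line L58613 is indented with spaces followed by a tab where the rest of the file uses a single tab.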
diff --git a/policy/modules/services/gatekeeper.fc b/policy/modules/services/gatekeeper.fc
new file mode 100644
index 0000000..d6ef025
--- /dev/null
+++ b/policy/modules/services/gatekeeper.fc
@@ -0,0 +1,8 @@
+/etc/gatekeeper\.ini	--	gen_context(system_u:object_r:gatekeeper_etc_t,s0)
+
+/usr/sbin/gk		--	gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+/usr/sbin/gnugk		--	gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+
+/var/log/gnugk(/.*)?		gen_context(system_u:object_r:gatekeeper_log_t,s0)
+/var/run/gk\.pid	--	gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+/var/run/gnugk(/.*)?		gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
diff --git a/policy/modules/services/gatekeeper.if b/policy/modules/services/gatekeeper.if
new file mode 100644
index 0000000..311cb06
--- /dev/null
+++ b/policy/modules/services/gatekeeper.if
@@ -0,0 +1 @@
+## <summary>OpenH.323 Voice-Over-IP Gatekeeper</summary>
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
new file mode 100644
index 0000000..c33041d
--- /dev/null
+++ b/policy/modules/services/gatekeeper.te
@@ -0,0 +1,128 @@
+
+policy_module(gatekeeper,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type gatekeeper_t;
+type gatekeeper_exec_t;
+init_daemon_domain(gatekeeper_t,gatekeeper_exec_t)
+
+type gatekeeper_etc_t;
+files_config_file(gatekeeper_etc_t)
+
+type gatekeeper_log_t;
+logging_log_file(gatekeeper_log_t)
+
+# for stupid symlinks
+type gatekeeper_tmp_t;
+files_tmp_file(gatekeeper_tmp_t)
+
+type gatekeeper_var_run_t;
+files_pid_file(gatekeeper_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit gatekeeper_t self:capability sys_tty_config;
+allow gatekeeper_t self:process { setsched signal_perms };
+allow gatekeeper_t self:fifo_file rw_file_perms;
+allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
+allow gatekeeper_t self:udp_socket create_socket_perms;
+
+allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
+allow gatekeeper_t gatekeeper_etc_t:file { getattr read };
+files_search_etc(gatekeeper_t)
+
+allow gatekeeper_t gatekeeper_log_t:file create_file_perms;
+allow gatekeeper_t gatekeeper_log_t:dir rw_dir_perms;
+logging_log_filetrans(gatekeeper_t,gatekeeper_log_t,{ file dir })
+
+allow gatekeeper_t gatekeeper_tmp_t:dir create_dir_perms;
+allow gatekeeper_t gatekeeper_tmp_t:file create_file_perms;
+files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir })
+
+allow gatekeeper_t gatekeeper_var_run_t:file create_file_perms;
+allow gatekeeper_t gatekeeper_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(gatekeeper_t,gatekeeper_var_run_t,file)
+
+kernel_read_system_state(gatekeeper_t)
+kernel_read_kernel_sysctls(gatekeeper_t)
+
+corecmd_list_sbin(gatekeeper_t)
+
+corenet_non_ipsec_sendrecv(gatekeeper_t)
+corenet_tcp_sendrecv_generic_if(gatekeeper_t)
+corenet_udp_sendrecv_generic_if(gatekeeper_t)
+corenet_tcp_sendrecv_all_nodes(gatekeeper_t)
+corenet_udp_sendrecv_all_nodes(gatekeeper_t)
+corenet_tcp_sendrecv_all_ports(gatekeeper_t)
+corenet_udp_sendrecv_all_ports(gatekeeper_t)
+corenet_tcp_bind_all_nodes(gatekeeper_t)
+corenet_udp_bind_all_nodes(gatekeeper_t)
+corenet_tcp_bind_gatekeeper_port(gatekeeper_t)
+corenet_udp_bind_gatekeeper_port(gatekeeper_t)
+corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t)
+
+dev_read_sysfs(gatekeeper_t)
+# for SSP
+dev_read_urand(gatekeeper_t)
+
+domain_use_interactive_fds(gatekeeper_t)
+
+files_read_etc_files(gatekeeper_t)
+
+fs_getattr_all_fs(gatekeeper_t)
+fs_search_auto_mountpoints(gatekeeper_t)
+
+term_dontaudit_use_console(gatekeeper_t)
+
+init_use_fds(gatekeeper_t)
+init_use_script_ptys(gatekeeper_t)
+
+libs_use_ld_so(gatekeeper_t)
+libs_use_shared_libs(gatekeeper_t)
+
+logging_send_syslog_msg(gatekeeper_t)
+
+miscfiles_read_localization(gatekeeper_t)
+
+sysnet_read_config(gatekeeper_t)
+
+userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+userdom_dontaudit_search_sysadm_home_dirs(gatekeeper_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(gatekeeper_t)
+	term_dontaudit_use_generic_ptys(gatekeeper_t)
+	files_dontaudit_read_root_files(gatekeeper_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(gatekeeper_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(gatekeeper_t)
+')
+
+optional_policy(`
+	udev_read_db(gatekeeper_t)
+')
+
+ifdef(`TODO',`
+# for local users to run VOIP software
+allow userdomain gatekeeper_t:udp_socket sendto;
+allow gatekeeper_t userdomain:udp_socket recvfrom;
+allow gatekeeper_t userdomain:udp_socket sendto;
+allow userdomain gatekeeper_t:udp_socket recvfrom;
+
+allow gatekeeper_t userdomain:tcp_socket { connectto recvfrom };
+allow userdomain gatekeeper_t:tcp_socket { acceptfrom recvfrom };
+kernel_tcp_recvfrom(gatekeeper_t)
+kernel_tcp_recvfrom(userdomain)
+')
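Review bot: The `ifdef(`TODO',` block closing this hunk keeps eight rules against the `userdomain` attribute that are compiled out, so they can silently rot and nobody can tell from the file whether they are still wanted. Either drop them or replace the bare `TODO` with a comment stating what blocks enabling them, e.g. `# TODO: expose this through an interface in gatekeeper.if instead of rules against userdomain here`. Separately, the `# for stupid symlinks` comment on `gatekeeper_tmp_t` does not say which symlinks, and no `lnk_file` rule on that type appears in the hunk; a one-line explanation (or the missing rule) would help the next maintainer.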
diff --git a/policy/modules/services/gpm.fc b/policy/modules/services/gpm.fc
new file mode 100644
index 0000000..6fc9661
--- /dev/null
+++ b/policy/modules/services/gpm.fc
@@ -0,0 +1,7 @@
+
+/dev/gpmctl		-s	gen_context(system_u:object_r:gpmctl_t,s0)
+/dev/gpmdata		-p	gen_context(system_u:object_r:gpmctl_t,s0)
+
+/etc/gpm(/.*)?			gen_context(system_u:object_r:gpm_conf_t,s0)
+
+/usr/sbin/gpm		--	gen_context(system_u:object_r:gpm_exec_t,s0)
diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
new file mode 100644
index 0000000..2890beb
--- /dev/null
+++ b/policy/modules/services/gpm.if
@@ -0,0 +1,81 @@
+## <summary>General Purpose Mouse driver</summary>
+
+########################################
+## <summary>
+##	Connect to GPM over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpm_stream_connect',`
+	gen_require(`
+		type gpmctl_t, gpm_t;
+	')
+
+	allow $1 gpmctl_t:sock_file { getattr write };
+	allow $1 gpm_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the GPM
+##	control channel named socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpm_getattr_gpmctl',`
+	gen_require(`
+		type gpmctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 gpmctl_t:sock_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the 
+##	attributes of the GPM control channel
+##	named socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpm_dontaudit_getattr_gpmctl',`
+	gen_require(`
+		type gpmctl_t;
+	')
+
+	dontaudit $1 gpmctl_t:sock_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the GPM
+##	control channel named socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpm_setattr_gpmctl',`
+	gen_require(`
+		type gpmctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 gpmctl_t:sock_file setattr;
+')
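Review bot: `gpm_stream_connect` grants `{ getattr write }` on `gpmctl_t:sock_file` but, unlike `gpm_getattr_gpmctl` and `gpm_setattr_gpmctl` in the same file, does not include `dev_list_all_dev_nodes($1)`, so a caller that only uses this interface may still be denied search on /dev before it reaches the socket. Either add the same call for consistency, or state in the interface's summary that the caller must provide /dev search itself.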
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
new file mode 100644
index 0000000..c2b800a
--- /dev/null
+++ b/policy/modules/services/gpm.te
@@ -0,0 +1,93 @@
+
+policy_module(gpm,1.1.2)
+
+########################################
+#
+# Declarations
+#
+
+type gpm_t;
+type gpm_exec_t;
+init_daemon_domain(gpm_t,gpm_exec_t)
+
+type gpm_conf_t;
+files_type(gpm_conf_t)
+
+type gpm_tmp_t;
+files_tmp_file(gpm_tmp_t)
+
+type gpm_var_run_t;
+files_pid_file(gpm_var_run_t)
+
+type gpmctl_t;
+files_type(gpmctl_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
+allow gpm_t self:unix_stream_socket create_stream_socket_perms;
+
+allow gpm_t gpm_conf_t:dir r_dir_perms;
+allow gpm_t gpm_conf_t:file r_file_perms;
+allow gpm_t gpm_conf_t:lnk_file { getattr read };
+
+allow gpm_t gpm_tmp_t:dir create_dir_perms;
+allow gpm_t gpm_tmp_t:file create_file_perms;
+files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
+
+allow gpm_t gpm_var_run_t:file create_file_perms;
+files_pid_filetrans(gpm_t,gpm_var_run_t,file)
+
+allow gpm_t gpmctl_t:sock_file create_file_perms;
+allow gpm_t gpmctl_t:fifo_file create_file_perms;
+dev_filetrans(gpm_t,gpmctl_t,{ sock_file fifo_file })
+
+# cjp: this has no effect
+allow gpm_t gpmctl_t:unix_stream_socket name_bind;
+
+kernel_read_kernel_sysctls(gpm_t)
+kernel_list_proc(gpm_t)
+kernel_read_proc_symlinks(gpm_t)
+
+dev_read_sysfs(gpm_t)
+# Access the mouse.
+dev_rw_input_dev(gpm_t)
+dev_rw_mouse(gpm_t)
+
+fs_getattr_all_fs(gpm_t)
+fs_search_auto_mountpoints(gpm_t)
+
+term_use_unallocated_ttys(gpm_t)
+term_dontaudit_use_console(gpm_t)
+
+domain_use_interactive_fds(gpm_t)
+
+init_use_fds(gpm_t)
+init_use_script_ptys(gpm_t)
+
+libs_use_ld_so(gpm_t)
+libs_use_shared_libs(gpm_t)
+
+logging_send_syslog_msg(gpm_t)
+
+miscfiles_read_localization(gpm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(gpm_t)
+userdom_dontaudit_search_sysadm_home_dirs(gpm_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(gpm_t)
+	term_dontaudit_use_generic_ptys(gpm_t)
+	files_dontaudit_read_root_files(gpm_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(gpm_t)
+')
+
+optional_policy(`
+	udev_read_db(gpm_t)
+')
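Review bot: The capability line `allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };` carries no justification, and `sys_admin` and `dac_override` are the two most consequential grants in this module. A why-comment naming what gpm needs each of them for (the `# Access the mouse.` comment further down shows the file's style) would let a later reviewer decide whether they can be narrowed. The rule under `# cjp: this has no effect` is also kept as live policy; if it really has no effect it should be removed rather than carried as comment plus rule.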
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
new file mode 100644
index 0000000..93f50cb
--- /dev/null
+++ b/policy/modules/services/hal.fc
@@ -0,0 +1,9 @@
+
+/etc/hal/device\.d/printer_remove\.hal -- 	gen_context(system_u:object_r:hald_exec_t,s0)
+/etc/hal/capability\.d/printer_update\.hal --	gen_context(system_u:object_r:hald_exec_t,s0)
+
+/usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
+
+/usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
+
+/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
new file mode 100644
index 0000000..97e7830
--- /dev/null
+++ b/policy/modules/services/hal.if
@@ -0,0 +1,159 @@
+## <summary>Hardware abstraction layer</summary>
+
+########################################
+## <summary>
+##	Execute hal in the hal domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_domtrans',`
+	gen_require(`
+		type hald_t, hald_exec_t;
+	')
+
+	domain_auto_trans($1,hald_exec_t,hald_t)
+
+	allow $1 hald_t:fd use;
+	allow hald_t $1:fd use;
+	allow hald_t $1:fifo_file rw_file_perms;
+	allow hald_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send to hal over a unix domain
+##	datagram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_dgram_send',`
+	gen_require(`
+		type hald_t;
+	')
+
+	allow $1 hald_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+##	Send to hal over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_stream_connect',`
+	gen_require(`
+		type hald_t;
+	')
+
+	allow $1 hald_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Send a dbus message to hal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_dbus_send',`
+	gen_require(`
+		type hald_t;
+		class dbus send_msg;
+	')
+
+	allow $1 hald_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	hal over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_dbus_chat',`
+	gen_require(`
+		type hald_t;
+		class dbus send_msg;
+	')
+
+	allow $1 hald_t:dbus send_msg;
+	allow hald_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Read hald tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_read_tmp_files',`
+	gen_require(`
+		type hald_tmp_t;
+	')
+
+	allow $1 hald_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read hald PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_read_pid_files',`
+	gen_require(`
+		type hald_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 hald_var_run_t:file r_file_perms;
+')
+
+
+########################################
+## <summary>
+##	Read/Write hald PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_rw_pid_files',`
+	gen_require(`
+		type hald_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 hald_var_run_t:file rw_file_perms;
+')
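Review bot: `hal_read_tmp_files` grants `r_file_perms` on `hald_tmp_t:file` without a `files_search_tmp($1)` call, whereas `hal_read_pid_files` and `hal_rw_pid_files` in the same file pair their file rule with `files_search_pids($1)`. Unless the caller is expected to bring /tmp search itself, the interface is incomplete; add `files_search_tmp($1)` before the allow for consistency with its siblings.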
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
new file mode 100644
index 0000000..47786ad
--- /dev/null
+++ b/policy/modules/services/hal.te
@@ -0,0 +1,240 @@
+
+policy_module(hal,1.3.10)
+
+########################################
+#
+# Declarations
+#
+
+type hald_t;
+type hald_exec_t;
+init_daemon_domain(hald_t,hald_exec_t)
+
+type hald_tmp_t;
+files_tmp_file(hald_tmp_t)
+
+type hald_var_run_t;
+files_pid_file(hald_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# execute openvt which needs setuid
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+dontaudit hald_t self:capability sys_tty_config;
+allow hald_t self:process signal_perms;
+allow hald_t self:fifo_file rw_file_perms;
+allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow hald_t self:unix_dgram_socket create_socket_perms;
+allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow hald_t self:tcp_socket create_stream_socket_perms;
+allow hald_t self:udp_socket create_socket_perms;
+# For backwards compatibility with older kernels
+allow hald_t self:netlink_socket create_socket_perms;
+
+allow hald_t hald_tmp_t:dir create_dir_perms;
+allow hald_t hald_tmp_t:file create_file_perms;
+files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
+
+allow hald_t hald_var_run_t:file create_file_perms;
+allow hald_t hald_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(hald_t,hald_var_run_t,file)
+
+kernel_read_system_state(hald_t)
+kernel_read_network_state(hald_t)
+kernel_read_kernel_sysctls(hald_t)
+kernel_read_fs_sysctls(hald_t)
+kernel_rw_vm_sysctls(hald_t)
+kernel_write_proc_files(hald_t)
+
+auth_read_pam_console_data(hald_t)
+
+corecmd_exec_all_executables(hald_t)
+
+corenet_non_ipsec_sendrecv(hald_t)
+corenet_tcp_sendrecv_all_if(hald_t)
+corenet_udp_sendrecv_all_if(hald_t)
+corenet_tcp_sendrecv_all_nodes(hald_t)
+corenet_udp_sendrecv_all_nodes(hald_t)
+corenet_tcp_sendrecv_all_ports(hald_t)
+corenet_udp_sendrecv_all_ports(hald_t)
+
+dev_rw_usbfs(hald_t)
+dev_read_urand(hald_t)
+dev_read_input(hald_t)
+dev_read_mouse(hald_t)
+dev_rw_printer(hald_t)
+dev_read_lvm_control(hald_t)
+dev_getattr_all_chr_files(hald_t)
+dev_manage_generic_chr_files(hald_t)
+dev_rw_generic_usb_dev(hald_t)
+dev_setattr_generic_usb_dev(hald_t)
+dev_setattr_usbfs_files(hald_t)
+# hal is now execing pm-suspend
+dev_rw_sysfs(hald_t)
+
+domain_use_interactive_fds(hald_t)
+
+files_exec_etc_files(hald_t)
+files_read_etc_files(hald_t)
+files_rw_etc_runtime_files(hald_t)
+files_manage_mnt_dirs(hald_t)
+files_manage_mnt_files(hald_t)
+files_search_var_lib(hald_t)
+files_read_usr_files(hald_t)
+# hal is now execing pm-suspend
+files_create_boot_flag(hald_t)
+files_getattr_all_dirs(hald_t)
+files_read_kernel_img(hald_t)
+
+fs_getattr_all_fs(hald_t)
+fs_search_all(hald_t)
+fs_list_auto_mountpoints(hald_t)
+files_getattr_all_mountpoints(hald_t)
+
+mls_file_read_up(hald_t)
+
+selinux_get_fs_mount(hald_t)
+selinux_validate_context(hald_t)
+selinux_compute_access_vector(hald_t)
+selinux_compute_create_context(hald_t)
+selinux_compute_relabel_context(hald_t)
+selinux_compute_user_contexts(hald_t)
+
+storage_raw_read_removable_device(hald_t)
+storage_raw_write_removable_device(hald_t)
+storage_raw_read_fixed_disk(hald_t)
+storage_raw_write_fixed_disk(hald_t)
+
+term_dontaudit_use_console(hald_t)
+term_dontaudit_use_generic_ptys(hald_t)
+term_use_unallocated_ttys(hald_t)
+
+auth_use_nsswitch(hald_t)
+
+init_use_fds(hald_t)
+init_use_script_ptys(hald_t)
+init_domtrans_script(hald_t)
+init_write_initctl(hald_t)
+init_read_utmp(hald_t)
+#hal runs shutdown, probably need a shutdown domain
+init_rw_utmp(hald_t)
+
+libs_use_ld_so(hald_t)
+libs_use_shared_libs(hald_t)
+libs_exec_ld_so(hald_t)
+libs_exec_lib_files(hald_t)
+
+logging_send_syslog_msg(hald_t)
+logging_search_logs(hald_t)
+
+miscfiles_read_localization(hald_t)
+miscfiles_read_hwdata(hald_t)
+
+modutils_domtrans_insmod(hald_t)
+
+seutil_read_config(hald_t)
+seutil_read_default_contexts(hald_t)
+
+sysnet_read_config(hald_t)
+
+userdom_dontaudit_use_unpriv_user_fds(hald_t)
+userdom_dontaudit_search_sysadm_home_dirs(hald_t)
+
+ifdef(`targeted_policy', `
+	term_setattr_unallocated_ttys(hald_t)
+	term_dontaudit_use_unallocated_ttys(hald_t)
+	term_dontaudit_use_generic_ptys(hald_t)
+	files_dontaudit_read_root_files(hald_t)
+')
+
+optional_policy(`
+	# For /usr/libexec/hald-addon-acpi
+	# writes to /var/run/acpid.socket
+	apm_stream_connect(hald_t)
+')
+
+optional_policy(`
+	bind_search_cache(hald_t)
+')
+
+optional_policy(`
+	clock_domtrans(hald_t)
+')
+
+optional_policy(`
+	cups_domtrans_config(hald_t)
+	cups_signal_config(hald_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client_template(hald,hald_t)
+	dbus_send_system_bus(hald_t)
+	dbus_connect_system_bus(hald_t)
+	allow hald_t self:dbus send_msg;
+
+	init_dbus_chat_script(hald_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(hald_t)
+	')
+')
+
+optional_policy(`
+	# For /usr/libexec/hald-probe-smbios
+	dmidecode_domtrans(hald_t)
+')
+
+optional_policy(`
+	hotplug_read_config(hald_t)
+')
+
+optional_policy(`
+	lvm_domtrans(hald_t)
+')
+
+optional_policy(`
+	mount_domtrans(hald_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(hald_t)
+')
+
+optional_policy(`
+	nscd_socket_use(hald_t)
+')
+
+optional_policy(`
+        ntp_domtrans(hald_t)
+')
+
+optional_policy(`
+	pcmcia_manage_pid(hald_t)
+	pcmcia_manage_pid_chr_files(hald_t)
+')
+
+optional_policy(`
+	rpc_search_nfs_state_data(hald_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(hald_t)
+')
+
+optional_policy(`
+	udev_domtrans(hald_t)
+	udev_read_db(hald_t)
+')
+
+optional_policy(`
+	updfstab_domtrans(hald_t)
+')
+
+optional_policy(`
+	vbetool_domtrans(hald_t)
+')
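Review bot: `sys_tty_config` appears both in the `allow hald_t self:capability { ... }` line and in the `dontaudit hald_t self:capability sys_tty_config;` directly below it; a dontaudit on an already-allowed permission is dead, so one of the two is a leftover and should go. Likewise `term_dontaudit_use_generic_ptys(hald_t)` is called unconditionally and again inside the `ifdef(`targeted_policy',` block. The capability set is also the widest in this batch (`sys_rawio`, `mknod`, `net_admin`, `sys_admin`, ...) and is explained only by `# execute openvt which needs setuid`; a per-capability why-comment would make later tightening possible.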
diff --git a/policy/modules/services/howl.fc b/policy/modules/services/howl.fc
new file mode 100644
index 0000000..faf9146
--- /dev/null
+++ b/policy/modules/services/howl.fc
@@ -0,0 +1,5 @@
+
+/usr/bin/mDNSResponder	--	gen_context(system_u:object_r:howl_exec_t,s0)
+/usr/bin/nifd		--	gen_context(system_u:object_r:howl_exec_t,s0)
+
+/var/run/nifd\.pid	--	gen_context(system_u:object_r:howl_var_run_t,s0)
diff --git a/policy/modules/services/howl.if b/policy/modules/services/howl.if
new file mode 100644
index 0000000..9164dd2
--- /dev/null
+++ b/policy/modules/services/howl.if
@@ -0,0 +1,19 @@
+## <summary>Port of Apple Rendezvous multicast DNS</summary>
+
+########################################
+## <summary>
+##	Send generic signals to howl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`howl_signal',`
+	gen_require(`
+		type howl_t;
+	')
+
+	allow $1 howl_t:process signal;
+')
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
new file mode 100644
index 0000000..061a23d
--- /dev/null
+++ b/policy/modules/services/howl.te
@@ -0,0 +1,94 @@
+
+policy_module(howl,1.1.2)
+
+########################################
+#
+# Declarations
+#
+
+type howl_t;
+type howl_exec_t;
+init_daemon_domain(howl_t,howl_exec_t)
+
+type howl_var_run_t;
+files_pid_file(howl_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow howl_t self:capability { kill net_admin };
+dontaudit howl_t self:capability sys_tty_config;
+allow howl_t self:process signal_perms;
+allow howl_t self:fifo_file rw_file_perms;
+allow howl_t self:tcp_socket create_stream_socket_perms;
+allow howl_t self:udp_socket create_socket_perms;
+
+allow howl_t howl_var_run_t:file create_file_perms;
+allow howl_t howl_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(howl_t,howl_var_run_t,file)
+
+kernel_read_network_state(howl_t)
+kernel_read_kernel_sysctls(howl_t)
+kernel_load_module(howl_t)
+kernel_list_proc(howl_t)
+kernel_read_proc_symlinks(howl_t)
+
+corenet_non_ipsec_sendrecv(howl_t)
+corenet_tcp_sendrecv_all_if(howl_t)
+corenet_udp_sendrecv_all_if(howl_t)
+corenet_tcp_sendrecv_all_nodes(howl_t)
+corenet_udp_sendrecv_all_nodes(howl_t)
+corenet_tcp_sendrecv_all_ports(howl_t)
+corenet_udp_sendrecv_all_ports(howl_t)
+corenet_tcp_bind_all_nodes(howl_t)
+corenet_udp_bind_all_nodes(howl_t)
+corenet_tcp_bind_howl_port(howl_t)
+corenet_udp_bind_howl_port(howl_t)
+corenet_sendrecv_howl_server_packets(howl_t)
+
+dev_read_sysfs(howl_t)
+
+fs_getattr_all_fs(howl_t)
+fs_search_auto_mountpoints(howl_t)
+
+term_dontaudit_use_console(howl_t)
+
+domain_use_interactive_fds(howl_t)
+
+files_read_etc_files(howl_t)
+
+init_use_fds(howl_t)
+init_use_script_ptys(howl_t)
+init_rw_utmp(howl_t)
+
+libs_use_ld_so(howl_t)
+libs_use_shared_libs(howl_t)
+
+logging_send_syslog_msg(howl_t)
+
+miscfiles_read_localization(howl_t)
+
+sysnet_read_config(howl_t)
+
+userdom_dontaudit_use_unpriv_user_fds(howl_t)
+userdom_dontaudit_search_sysadm_home_dirs(howl_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(howl_t)
+	term_dontaudit_use_generic_ptys(howl_t)
+	files_dontaudit_read_root_files(howl_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(howl_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(howl_t)
+')
+
+optional_policy(`
+	udev_read_db(howl_t)
+')
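Review bot: `kernel_load_module(howl_t)` and the `net_admin` capability are granted without a comment explaining what a multicast-DNS responder uses them for, and module loading is a notably powerful permission for a network-facing daemon. If they are needed, say so next to the call, e.g. `# howl needs net_admin/module load for: <reason>`; otherwise drop the grant.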
diff --git a/policy/modules/services/i18n_input.fc b/policy/modules/services/i18n_input.fc
new file mode 100644
index 0000000..024eb18
--- /dev/null
+++ b/policy/modules/services/i18n_input.fc
@@ -0,0 +1,19 @@
+#
+# /usr
+#
+
+/usr/bin/iiimd\.bin	--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/httx		--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt_xbe	--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/iiimx		--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+/usr/lib/iiim/iiim-xbe	--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+/usr/sbin/htt		--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/sbin/htt_server	--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+#
+# /var
+#
+
+/var/run/iiim(/.*)?		 gen_context(system_u:object_r:i18n_input_var_run_t,s0)
diff --git a/policy/modules/services/i18n_input.if b/policy/modules/services/i18n_input.if
new file mode 100644
index 0000000..9a9f0f7
--- /dev/null
+++ b/policy/modules/services/i18n_input.if
@@ -0,0 +1,21 @@
+## <summary>IIIMF htt server</summary>
+
+########################################
+## <summary>
+##	Use i18n_input over a TCP connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`i18n_use',`
+	gen_require(`
+		type i18n_input_t;
+	')
+
+	allow $1 i18n_input_t:tcp_socket { connectto recvfrom };
+	allow i18n_input_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
new file mode 100644
index 0000000..9cabd74
--- /dev/null
+++ b/policy/modules/services/i18n_input.te
@@ -0,0 +1,118 @@
+
+policy_module(i18n_input,1.1.3)
+
+########################################
+#
+# Declarations
+#
+
+type i18n_input_t;
+type i18n_input_exec_t;
+init_daemon_domain(i18n_input_t,i18n_input_exec_t)
+
+type i18n_input_var_run_t;
+files_pid_file(i18n_input_var_run_t)
+
+########################################
+#
+# i18n_input local policy
+#
+
+allow i18n_input_t self:capability { kill setgid setuid };
+dontaudit i18n_input_t self:capability sys_tty_config;
+allow i18n_input_t self:process { signal_perms setsched setpgid };
+allow i18n_input_t self:fifo_file rw_file_perms;
+allow i18n_input_t self:unix_dgram_socket create_socket_perms;
+allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
+allow i18n_input_t self:tcp_socket create_stream_socket_perms;
+allow i18n_input_t self:udp_socket create_socket_perms;
+
+allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
+allow i18n_input_t i18n_input_var_run_t:file create_file_perms;
+allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(i18n_input_t,i18n_input_var_run_t,file)
+
+can_exec(i18n_input_t, i18n_input_exec_t)
+
+kernel_read_kernel_sysctls(i18n_input_t)
+kernel_read_system_state(i18n_input_t)
+kernel_tcp_recvfrom(i18n_input_t)
+
+corenet_non_ipsec_sendrecv(i18n_input_t)
+corenet_tcp_sendrecv_generic_if(i18n_input_t)
+corenet_udp_sendrecv_generic_if(i18n_input_t)
+corenet_tcp_sendrecv_all_nodes(i18n_input_t)
+corenet_udp_sendrecv_all_nodes(i18n_input_t)
+corenet_tcp_sendrecv_all_ports(i18n_input_t)
+corenet_udp_sendrecv_all_ports(i18n_input_t)
+corenet_tcp_bind_all_nodes(i18n_input_t)
+corenet_tcp_bind_i18n_input_port(i18n_input_t)
+corenet_tcp_connect_all_ports(i18n_input_t)
+corenet_sendrecv_i18n_input_server_packets(i18n_input_t)
+corenet_sendrecv_all_client_packets(i18n_input_t)
+
+dev_read_sysfs(i18n_input_t)
+
+fs_getattr_all_fs(i18n_input_t)
+fs_search_auto_mountpoints(i18n_input_t)
+
+term_dontaudit_use_console(i18n_input_t)
+
+corecmd_search_sbin(i18n_input_t)
+corecmd_search_bin(i18n_input_t)
+corecmd_exec_bin(i18n_input_t)
+
+domain_use_interactive_fds(i18n_input_t)
+
+files_read_etc_files(i18n_input_t)
+files_read_etc_runtime_files(i18n_input_t)
+files_read_usr_files(i18n_input_t)
+
+init_use_fds(i18n_input_t)
+init_use_script_ptys(i18n_input_t)
+init_stream_connect_script(i18n_input_t)
+
+libs_use_ld_so(i18n_input_t)
+libs_use_shared_libs(i18n_input_t)
+
+logging_send_syslog_msg(i18n_input_t)
+
+miscfiles_read_localization(i18n_input_t)
+
+sysnet_read_config(i18n_input_t)
+
+userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
+userdom_dontaudit_search_sysadm_home_dirs(i18n_input_t)
+userdom_read_unpriv_users_home_content_files(i18n_input_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(i18n_input_t)
+	term_dontaudit_use_generic_ptys(i18n_input_t)
+	files_dontaudit_read_root_files(i18n_input_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(i18n_input_t)
+	fs_read_nfs_symlinks(i18n_input_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(i18n_input_t)
+	fs_read_cifs_symlinks(i18n_input_t)
+')
+
+optional_policy(`
+	canna_stream_connect(i18n_input_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(i18n_input_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(i18n_input_t)
+')
+
+optional_policy(`
+	udev_read_db(i18n_input_t)
+')
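Review bot: `files_pid_filetrans(i18n_input_t,i18n_input_var_run_t,file)` only transitions plain files, yet the rules above grant `create_dir_perms` and `sock_file create_file_perms` on `i18n_input_var_run_t`, and `i18n_input.fc` labels `/var/run/iiim(/.*)?` as a directory tree. If the daemon creates that directory or its socket itself, they will get the generic pid type and the dir/sock_file rules never match; `files_pid_filetrans(i18n_input_t,i18n_input_var_run_t,{ file dir sock_file })` would line up with the granted permissions, the way `gatekeeper.te` uses `{ file dir }` for its tmp and log transitions.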
diff --git a/policy/modules/services/imaze.fc b/policy/modules/services/imaze.fc
new file mode 100644
index 0000000..8d455ba
--- /dev/null
+++ b/policy/modules/services/imaze.fc
@@ -0,0 +1,4 @@
+/usr/games/imazesrv		 --	gen_context(system_u:object_r:imazesrv_exec_t,s0)
+/usr/share/games/imaze(/.*)?		gen_context(system_u:object_r:imazesrv_data_t,s0)
+
+/var/log/imaze\.log		 --	gen_context(system_u:object_r:imazesrv_log_t,s0)
diff --git a/policy/modules/services/imaze.if b/policy/modules/services/imaze.if
new file mode 100644
index 0000000..8eb9ec3
--- /dev/null
+++ b/policy/modules/services/imaze.if
@@ -0,0 +1 @@
+## <summary>iMaze game server</summary>
diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
new file mode 100644
index 0000000..97ddd5f
--- /dev/null
+++ b/policy/modules/services/imaze.te
@@ -0,0 +1,114 @@
+
+policy_module(imaze,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type imazesrv_t;
+type imazesrv_exec_t;
+init_daemon_domain(imazesrv_t,imazesrv_exec_t)
+
+type imazesrv_data_t;
+files_type(imazesrv_data_t)
+
+type imazesrv_data_labs_t;
+files_type(imazesrv_data_labs_t)
+
+type imazesrv_log_t;
+logging_log_file(imazesrv_log_t)
+
+type imazesrv_var_run_t;
+files_pid_file(imazesrv_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit imazesrv_t self:capability sys_tty_config;
+allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow imazesrv_t self:fd use;
+allow imazesrv_t self:fifo_file rw_file_perms;
+allow imazesrv_t self:unix_dgram_socket { create_socket_perms sendto };
+allow imazesrv_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow imazesrv_t self:shm create_shm_perms;
+allow imazesrv_t self:sem create_sem_perms;
+allow imazesrv_t self:msgq create_msgq_perms;
+allow imazesrv_t self:msg { send receive };
+allow imazesrv_t self:tcp_socket create_stream_socket_perms;
+allow imazesrv_t self:udp_socket create_socket_perms;
+
+allow imazesrv_t imazesrv_data_t:dir list_dir_perms;
+allow imazesrv_t imazesrv_data_t:file read_file_perms;
+allow imazesrv_t imazesrv_data_t:lnk_file { getattr read };
+
+allow imazesrv_t imazesrv_log_t:file manage_file_perms;
+allow imazesrv_t imazesrv_log_t:dir ra_dir_perms;
+logging_log_filetrans(imazesrv_t,imazesrv_log_t,file)
+
+allow imazesrv_t imazesrv_var_run_t:file manage_file_perms;
+allow imazesrv_t imazesrv_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(imazesrv_t,imazesrv_var_run_t,file)
+
+kernel_read_kernel_sysctls(imazesrv_t)
+kernel_list_proc(imazesrv_t)
+kernel_read_proc_symlinks(imazesrv_t)
+
+corenet_non_ipsec_sendrecv(imazesrv_t)
+corenet_tcp_sendrecv_generic_if(imazesrv_t)
+corenet_udp_sendrecv_generic_if(imazesrv_t)
+corenet_tcp_sendrecv_all_nodes(imazesrv_t)
+corenet_udp_sendrecv_all_nodes(imazesrv_t)
+corenet_tcp_sendrecv_all_ports(imazesrv_t)
+corenet_udp_sendrecv_all_ports(imazesrv_t)
+corenet_tcp_bind_all_nodes(imazesrv_t)
+corenet_udp_bind_all_nodes(imazesrv_t)
+corenet_tcp_bind_imaze_port(imazesrv_t)
+corenet_udp_bind_imaze_port(imazesrv_t)
+corenet_sendrecv_imaze_server_packets(imazesrv_t)
+
+dev_read_sysfs(imazesrv_t)
+
+domain_use_interactive_fds(imazesrv_t)
+
+files_read_etc_files(imazesrv_t)
+
+fs_getattr_all_fs(imazesrv_t)
+fs_search_auto_mountpoints(imazesrv_t)
+
+term_dontaudit_use_console(imazesrv_t)
+
+init_use_fds(imazesrv_t)
+init_use_script_ptys(imazesrv_t)
+
+libs_use_ld_so(imazesrv_t)
+libs_use_shared_libs(imazesrv_t)
+
+logging_send_syslog_msg(imazesrv_t)
+
+miscfiles_read_localization(imazesrv_t)
+
+sysnet_read_config(imazesrv_t)
+
+userdom_use_unpriv_users_fds(imazesrv_t)
+userdom_dontaudit_search_sysadm_home_dirs(imazesrv_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(imazesrv_t)
+	term_dontaudit_use_generic_ptys(imazesrv_t)
+	files_dontaudit_read_root_files(imazesrv_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(imazesrv_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(imazesrv_t)
+')
+
+optional_policy(`
+	udev_read_db(imazesrv_t)
+')
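Review bot: `allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is a negated set, so it grants every process permission not listed, including any added to the class in future policy versions, and it is the only module in this batch written that way (the others list `signal_perms`, `setsched` etc. positively). Replacing it with the explicit set the server needs would be consistent with its siblings and fail closed. `imazesrv_data_labs_t` is also declared with `files_type` but never referenced by any rule here or by `imaze.fc`; either add the rules and file context or drop the type.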
diff --git a/policy/modules/services/inetd.fc b/policy/modules/services/inetd.fc
new file mode 100644
index 0000000..b460519
--- /dev/null
+++ b/policy/modules/services/inetd.fc
@@ -0,0 +1,10 @@
+
+/usr/sbin/identd	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/sbin/in\..*d	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/sbin/inetd		--	gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/rlinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/xinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
+
+/var/log/(x)?inetd\.log	--	gen_context(system_u:object_r:inetd_log_t,s0)
+
+/var/run/inetd\.pid	--	gen_context(system_u:object_r:inetd_var_run_t,s0)
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
new file mode 100644
index 0000000..eded403
--- /dev/null
+++ b/policy/modules/services/inetd.if
@@ -0,0 +1,249 @@
+## <summary>Internet services daemon.</summary>
+
+########################################
+## <summary>
+##	Define the specified domain as a inetd service.
+## </summary>
+## <desc>
+##	<p>
+##	Define the specified domain as a inetd service.  The
+##	inetd_service_domain(), inetd_tcp_service_domain(),
+##	or inetd_udp_service_domain() interfaces should be used
+##	instead of this interface, as this interface only provides
+##	the common rules to these three interfaces.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The type associated with the inetd service process.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type associated with the process program.
+##	</summary>
+## </param>
+#
+interface(`inetd_core_service_domain',`
+	gen_require(`
+		type inetd_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1,$2)
+
+	role system_r types $1;
+
+	ifdef(`targeted_policy',`
+		# this regex is a hack, since it assumes there is a
+		# _t at the end of the domain type.  If there is no _t
+		# at the end of the type, it returns empty!
+		ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
+			bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+			define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
+		')
+		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
+#			can_exec(inetd_t,$2)
+			# cjp: this must be wrong
+			gen_require(`
+				type initrc_t, unconfined_t;
+			')
+			can_exec({ unconfined_t initrc_t },$2)
+		} else {
+			domain_auto_trans(inetd_t,$2,$1)
+			allow inetd_t $1:fd use;
+			allow $1 inetd_t:fd use;
+			allow $1 inetd_t:fifo_file rw_file_perms;
+			allow $1 inetd_t:process sigchld;
+			dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
+
+			allow inetd_t $1:process sigkill;
+		}
+	',`
+		domain_auto_trans(inetd_t,$2,$1)
+		allow inetd_t $1:fd use;
+		allow $1 inetd_t:fd use;
+		allow $1 inetd_t:fifo_file rw_file_perms;
+		allow $1 inetd_t:process sigchld;
+		dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
+
+		allow inetd_t $1:process sigkill;
+	')
+')
+
+########################################
+## <summary>
+##	Define the specified domain as a TCP inetd service.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type associated with the inetd service process.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type associated with the process program.
+##	</summary>
+## </param>
+#
+interface(`inetd_tcp_service_domain',`
+
+	gen_require(`
+		type inetd_t;
+	')
+
+	inetd_core_service_domain($1,$2)
+
+	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+##	Define the specified domain as a UDP inetd service.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type associated with the inetd service process.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type associated with the process program.
+##	</summary>
+## </param>
+#
+interface(`inetd_udp_service_domain',`
+	gen_require(`
+		type inetd_t;
+	')
+
+	inetd_core_service_domain($1,$2)
+
+	allow $1 inetd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Define the specified domain as a TCP and UDP inetd service.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type associated with the inetd service process.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type associated with the process program.
+##	</summary>
+## </param>
+#
+interface(`inetd_service_domain',`
+	gen_require(`
+		type inetd_t;
+	')
+
+	inetd_core_service_domain($1,$2)
+
+	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+	allow $1 inetd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from inetd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inetd_use_fds',`
+	gen_require(`
+		type inetd_t;
+	')
+
+	allow $1 inetd_t:fd use;
+')
+
+########################################
+## <summary>
+##	Connect to the inetd service using a TCP connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inetd_tcp_connect',`
+	gen_require(`
+		type inetd_t;
+	')
+
+	allow $1 inetd_t:tcp_socket { connectto recvfrom };
+	allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
+########################################
+## <summary>
+##	Run inetd child process in the inet child domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inetd_domtrans_child',`
+	gen_require(`
+		type inetd_child_t, inetd_child_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,inetd_child_exec_t,inetd_child_t)
+
+	allow $1 inetd_child_t:fd use;
+	allow inetd_child_t $1:fd use;
+	allow inetd_child_t $1:fifo_file rw_file_perms;
+	allow inetd_child_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic to inetd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`inetd_udp_send',`
+	gen_require(`
+		type inetd_t;
+	')
+
+	allow $1 inetd_t:udp_socket sendto;
+	allow inetd_t $1:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Read and write inetd TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`inetd_rw_tcp_sockets',`
+	gen_require(`
+		type inetd_t;
+	')
+
+	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
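Review bot: The `# cjp: this must be wrong` comment in inetd_core_service_domain leaves an unresolved doubt on a rule that grants exec rights: when the per-service `_disable_trans` boolean is on, the visible lines grant `can_exec({ unconfined_t initrc_t },$2)` while the `can_exec(inetd_t,$2)` line that would let inetd itself run the program stays commented out. inetd.te makes inetd_t unconfined in targeted policy, which is probably why this works in practice, so the interface should state that rather than carry the doubt; I would replace the two comment lines with `# transitions disabled: inetd_t is unconfined in targeted policy (see inetd.te), so only` / `# unconfined_t/initrc_t need an explicit exec grant on the entry point -- confirm`. Separately, the `domain_auto_trans`/fd/fifo_file/sigchld/dontaudit/sigkill block appears twice (once in the targeted `else` branch, once in the non-targeted branch); a small helper interface holding those seven rules would keep the two copies from drifting. Also note the regex hack above it silently yields an empty boolean name for any domain not ending in `_t`, as its own comment admits.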
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
new file mode 100644
index 0000000..d4c0050
--- /dev/null
+++ b/policy/modules/services/inetd.te
@@ -0,0 +1,242 @@
+
+policy_module(inetd,1.1.4)
+
+########################################
+#
+# Declarations
+#
+
+type inetd_t;
+type inetd_exec_t;
+init_daemon_domain(inetd_t,inetd_exec_t)
+
+type inetd_log_t;
+logging_log_file(inetd_log_t)
+
+type inetd_tmp_t;
+files_tmp_file(inetd_tmp_t)
+
+type inetd_var_run_t;
+files_pid_file(inetd_var_run_t)
+
+type inetd_child_t;
+type inetd_child_exec_t;
+inetd_service_domain(inetd_child_t,inetd_child_exec_t)
+role system_r types inetd_child_t;
+
+type inetd_child_tmp_t;
+files_tmp_file(inetd_child_tmp_t)
+
+type inetd_child_var_run_t;
+files_pid_file(inetd_child_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow inetd_t self:capability { setuid setgid };
+dontaudit inetd_t self:capability sys_tty_config;
+allow inetd_t self:process setsched;
+allow inetd_t self:fifo_file rw_file_perms;
+allow inetd_t self:tcp_socket create_stream_socket_perms;
+allow inetd_t self:udp_socket create_socket_perms;
+
+allow inetd_t inetd_log_t:file create_file_perms;
+logging_log_filetrans(inetd_t,inetd_log_t,file)
+
+allow inetd_t inetd_tmp_t:dir create_dir_perms;
+allow inetd_t inetd_tmp_t:file create_file_perms;
+files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
+
+allow inetd_t inetd_var_run_t:file create_file_perms;
+files_pid_filetrans(inetd_t,inetd_var_run_t,file)
+
+kernel_read_kernel_sysctls(inetd_t)
+kernel_list_proc(inetd_t)
+kernel_read_proc_symlinks(inetd_t)
+kernel_tcp_recvfrom(inetd_t)
+
+# base networking:
+corenet_non_ipsec_sendrecv(inetd_t)
+corenet_tcp_sendrecv_all_if(inetd_t)
+corenet_udp_sendrecv_all_if(inetd_t)
+corenet_tcp_sendrecv_all_nodes(inetd_t)
+corenet_udp_sendrecv_all_nodes(inetd_t)
+corenet_tcp_sendrecv_all_ports(inetd_t)
+corenet_udp_sendrecv_all_ports(inetd_t)
+corenet_tcp_bind_all_nodes(inetd_t)
+corenet_udp_bind_all_nodes(inetd_t)
+corenet_tcp_connect_all_ports(inetd_t)
+corenet_sendrecv_all_client_packets(inetd_t)
+
+# listen on service ports:
+corenet_tcp_bind_amanda_port(inetd_t)
+corenet_udp_bind_amanda_port(inetd_t)
+corenet_tcp_bind_auth_port(inetd_t)
+corenet_udp_bind_comsat_port(inetd_t)
+corenet_tcp_bind_dbskkd_port(inetd_t)
+corenet_udp_bind_dbskkd_port(inetd_t)
+corenet_udp_bind_ftp_port(inetd_t)
+corenet_tcp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_inetd_child_port(inetd_t)
+corenet_udp_bind_ktalkd_port(inetd_t)
+corenet_tcp_bind_printer_port(inetd_t)
+corenet_udp_bind_rsh_port(inetd_t)
+corenet_tcp_bind_rsync_port(inetd_t)
+corenet_udp_bind_rsync_port(inetd_t)
+#corenet_tcp_bind_stunnel_port(inetd_t)
+corenet_tcp_bind_swat_port(inetd_t)
+corenet_udp_bind_swat_port(inetd_t)
+corenet_udp_bind_tftp_port(inetd_t)
+
+# service port packets:
+corenet_sendrecv_amanda_server_packets(inetd_t)
+corenet_sendrecv_auth_server_packets(inetd_t)
+corenet_sendrecv_comsat_server_packets(inetd_t)
+corenet_sendrecv_dbskkd_server_packets(inetd_t)
+corenet_sendrecv_ftp_server_packets(inetd_t)
+corenet_sendrecv_inetd_child_server_packets(inetd_t)
+corenet_sendrecv_ktalkd_server_packets(inetd_t)
+corenet_sendrecv_printer_server_packets(inetd_t)
+corenet_sendrecv_rsh_server_packets(inetd_t)
+corenet_sendrecv_rsync_server_packets(inetd_t)
+#corenet_sendrecv_stunnel_server_packets(inetd_t)
+corenet_sendrecv_swat_server_packets(inetd_t)
+corenet_sendrecv_tftp_server_packets(inetd_t)
+
+dev_read_sysfs(inetd_t)
+
+fs_getattr_all_fs(inetd_t)
+fs_search_auto_mountpoints(inetd_t)
+
+term_dontaudit_use_console(inetd_t)
+
+# Run other daemons in the inetd_child_t domain.
+corecmd_search_bin(inetd_t)
+corecmd_read_sbin_symlinks(inetd_t)
+
+domain_use_interactive_fds(inetd_t)
+
+files_read_etc_files(inetd_t)
+
+init_use_fds(inetd_t)
+init_use_script_ptys(inetd_t)
+
+libs_use_ld_so(inetd_t)
+libs_use_shared_libs(inetd_t)
+
+logging_send_syslog_msg(inetd_t)
+
+miscfiles_read_localization(inetd_t)
+
+sysnet_read_config(inetd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(inetd_t)
+userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(inetd_t)
+	term_dontaudit_use_generic_ptys(inetd_t)
+	files_dontaudit_read_root_files(inetd_t)
+')
+
+optional_policy(`
+	amanda_search_lib(inetd_t)
+')
+
+# Communicate with the portmapper.
+optional_policy(`
+	portmap_udp_send(inetd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(inetd_t)
+')
+
+optional_policy(`
+	udev_read_db(inetd_t)
+')
+
+ifdef(`targeted_policy',`
+	unconfined_domain(inetd_t)
+',`
+	optional_policy(`
+		unconfined_domtrans(inetd_t)
+	')
+')
+
+########################################
+#
+# inetd child local_policy
+#
+
+allow inetd_child_t self:process signal_perms;
+allow inetd_child_t self:fifo_file rw_file_perms;
+allow inetd_child_t self:tcp_socket connected_stream_socket_perms;
+allow inetd_child_t self:udp_socket create_socket_perms;
+
+# for identd
+allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow inetd_child_t self:capability { setuid setgid };
+allow inetd_child_t self:dir search;
+allow inetd_child_t self:{ lnk_file file } { getattr read };
+files_search_home(inetd_child_t)
+
+allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
+allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
+files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
+
+allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
+allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(inetd_child_t,inetd_child_var_run_t,file)
+
+kernel_read_kernel_sysctls(inetd_child_t)
+kernel_read_system_state(inetd_child_t)
+kernel_read_network_state(inetd_child_t)
+
+corenet_non_ipsec_sendrecv(inetd_child_t)
+corenet_tcp_sendrecv_all_if(inetd_child_t)
+corenet_udp_sendrecv_all_if(inetd_child_t)
+corenet_tcp_sendrecv_all_nodes(inetd_child_t)
+corenet_udp_sendrecv_all_nodes(inetd_child_t)
+corenet_tcp_sendrecv_all_ports(inetd_child_t)
+corenet_udp_sendrecv_all_ports(inetd_child_t)
+
+dev_read_urand(inetd_child_t)
+
+fs_getattr_xattr_fs(inetd_child_t)
+
+files_read_etc_files(inetd_child_t)
+
+libs_use_ld_so(inetd_child_t)
+libs_use_shared_libs(inetd_child_t)
+
+logging_send_syslog_msg(inetd_child_t)
+
+miscfiles_read_localization(inetd_child_t)
+
+sysnet_read_config(inetd_child_t)
+
+tunable_policy(`run_ssh_inetd',`
+	corenet_tcp_bind_ssh_port(inetd_t)
+')
+
+optional_policy(`
+	tunable_policy(`ftpd_is_daemon',`
+		# Allows it to check exec privs on daemon
+		ftp_check_exec(inetd_t)
+	')
+')
+
+optional_policy(`
+	kerberos_use(inetd_child_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(inetd_child_t)
+')
+
+optional_policy(`
+	nscd_socket_use(inetd_child_t)
+')
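Review bot: `corenet_tcp_bind_inetd_child_port(inetd_t)` appears twice in a row under `# listen on service ports:`; since every other service in that list pairs a tcp and a udp bind, the second line is probably meant to be the udp variant, so either drop the duplicate or change it to the udp bind interface if corenet defines one. The `tunable_policy(`run_ssh_inetd'` and `ftpd_is_daemon` blocks grant rights to inetd_t but sit under the `# inetd child local_policy` heading; moving them up beside the other inetd_t rules (or renaming the heading) would keep the file's sections accurate. A one-line comment on `corenet_tcp_connect_all_ports(inetd_t)` naming which service needs outbound connections from the listener would also help, since a pure listener normally only binds.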
diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc
new file mode 100644
index 0000000..85dc7b3
--- /dev/null
+++ b/policy/modules/services/inn.fc
@@ -0,0 +1,66 @@
+
+#
+# /etc
+#
+/etc/news(/.*)?				gen_context(system_u:object_r:innd_etc_t,s0)
+/etc/news/boot		--		gen_context(system_u:object_r:innd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/inews		--		gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rnews		--		gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rpost          --      	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/suck           --      	gen_context(system_u:object_r:innd_exec_t,s0)
+
+/usr/sbin/in\.nnrpd	--		gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/sbin/innd.*	--		gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/lib/news(/.*)?			gen_context(system_u:object_r:innd_var_lib_t,s0)
+
+/usr/lib(64)?/news/bin/actsync	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/archive	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/batcher	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/buffchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/convdate	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/ctlinnd	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/cvtbatch	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/expire	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/expireover --	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/fastrm	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/filechan	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/getlist	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/grephistory --	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inews	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innconfval --	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inndf	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inndstart --	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innfeed	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innxbatch --	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innxmit	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/makedbz	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/makehistory --	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/newsrequeue --	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/nnrpd	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/nntpget	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/ovdb_recover --	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/overchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/prunehistory --	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/rnews	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/shlock	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/shrinkfile --	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/startinnfeed --	gen_context(system_u:object_r:innd_exec_t,s0)
+
+# cjp: split these to fix an ordering
+# problem with a match in corecommands
+/usr/lib/news/bin/innd 		--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/sm		--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib64/news/bin/innd 	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib64/news/bin/sm		--	gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/log/news(/.*)?			gen_context(system_u:object_r:innd_log_t,s0)
+
+/var/run/innd(/.*)?			gen_context(system_u:object_r:innd_var_run_t,s0)
+/var/run/news(/.*)?	 		gen_context(system_u:object_r:innd_var_run_t,s0)
+
+/var/spool/news(/.*)?			gen_context(system_u:object_r:news_spool_t,s0)
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
new file mode 100644
index 0000000..39ce526
--- /dev/null
+++ b/policy/modules/services/inn.if
@@ -0,0 +1,183 @@
+## <summary>Internet News NNTP server</summary>
+
+########################################
+## <summary>
+##	Allow the specified domain to execute innd
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inn_exec',`
+	gen_require(`
+		type innd_t;
+	')
+
+	can_exec($1,innd_exec_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to execute
+##	inn configuration files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inn_exec_config',`
+	gen_require(`
+		type innd_etc_t;
+	')
+
+	can_exec($1,innd_etc_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the innd log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inn_manage_log',`
+	gen_require(`
+		type innd_log_t;
+	')
+
+	logging_rw_generic_log_dirs($1)
+	allow $1 innd_log_t:dir search;
+	allow $1 innd_log_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the innd pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inn_manage_pid',`
+	gen_require(`
+		type innd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 innd_var_run_t:dir rw_dir_perms;
+	allow $1 innd_var_run_t:file create_file_perms;
+	allow $1 innd_var_run_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Read innd configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inn_read_config',`
+	gen_require(`
+		type innd_etc_t;
+	')
+
+	allow $1 innd_etc_t:dir { getattr read search };
+	allow $1 innd_etc_t:file { read getattr };
+	allow $1 innd_etc_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read innd news library files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inn_read_news_lib',`
+	gen_require(`
+		type innd_var_lib_t;
+	')
+
+	allow $1 innd_var_lib_t:dir { getattr read search };
+	allow $1 innd_var_lib_t:file { read getattr };
+	allow $1 innd_var_lib_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read innd news library files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inn_read_news_spool',`
+	gen_require(`
+		type news_spool_t;
+	')
+
+	allow $1 news_spool_t:dir { getattr read search };
+	allow $1 news_spool_t:file { read getattr };
+	allow $1 news_spool_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Send to a innd unix dgram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inn_dgram_send',`
+	gen_require(`
+		type innd_t;
+	')
+
+	allow $1 innd_t:unix_dgram_socket sendto;
+')
+
+
+########################################
+## <summary>
+##	Execute inn in the inn domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inn_domtrans',`
+	gen_require(`
+		type innd_t, innd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,innd_exec_t,innd_t)
+
+	allow innd_t $1:fd use;
+	allow innd_t $1:fifo_file rw_file_perms;
+	allow innd_t $1:process sigchld;
+')
+
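Review bot: `inn_exec` requires `type innd_t;` but the rule it emits is `can_exec($1,innd_exec_t)`, so the gen_require names the wrong type and innd_t is never used in that interface; it should read `type innd_exec_t;`. The summary of `inn_read_news_spool` is a copy of `inn_read_news_lib`'s ("Read innd news library files.") and should describe the spool, e.g. `##	Read the news spool.`. `inn_exec_config` grants exec on innd_etc_t, i.e. on configuration files under /etc/news, yet the one executable visible under /etc/news in inn.fc (`/etc/news/boot`) is labelled innd_exec_t rather than innd_etc_t, so the reason for this grant is not evident from the page; a `<desc>` naming which config file has to be executed would justify it and tell callers what they are opening up.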
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
new file mode 100644
index 0000000..d531219
--- /dev/null
+++ b/policy/modules/services/inn.te
@@ -0,0 +1,142 @@
+
+policy_module(inn,1.1.3)
+
+########################################
+#
+# Declarations
+#
+type innd_t;
+type innd_exec_t;
+init_daemon_domain(innd_t,innd_exec_t)
+
+type innd_etc_t;
+files_config_file(innd_etc_t)
+
+type innd_log_t;
+logging_log_file(innd_log_t)
+
+type innd_var_lib_t;
+files_type(innd_var_lib_t)
+
+type innd_var_run_t;
+files_pid_file(innd_var_run_t)
+
+type news_spool_t;
+files_type(news_spool_t)
+
+########################################
+#
+# Local policy
+#
+allow innd_t self:capability { dac_override kill setgid setuid };
+dontaudit innd_t self:capability sys_tty_config;
+allow innd_t self:process { setsched signal_perms };
+allow innd_t self:fifo_file rw_file_perms;
+allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow innd_t self:tcp_socket create_stream_socket_perms;
+allow innd_t self:udp_socket create_socket_perms;
+
+allow innd_t innd_etc_t:file r_file_perms;
+allow innd_t innd_etc_t:dir r_dir_perms;
+allow innd_t innd_etc_t:lnk_file { getattr read };
+
+can_exec(innd_t, innd_exec_t)
+
+allow innd_t innd_log_t:file manage_file_perms;
+allow innd_t innd_log_t:dir { setattr rw_dir_perms };
+logging_log_filetrans(innd_t,innd_log_t,file)
+
+allow innd_t innd_var_lib_t:dir create_dir_perms;
+allow innd_t innd_var_lib_t:file create_file_perms;
+files_var_lib_filetrans(innd_t,innd_var_lib_t,file)
+
+allow innd_t innd_var_run_t:dir create_dir_perms;
+allow innd_t innd_var_run_t:file create_file_perms;
+allow innd_t innd_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(innd_t,innd_var_run_t,file)
+
+allow innd_t news_spool_t:dir create_dir_perms;
+allow innd_t news_spool_t:file create_file_perms;
+allow innd_t news_spool_t:lnk_file create_lnk_perms;
+
+kernel_read_kernel_sysctls(innd_t)
+kernel_read_system_state(innd_t)
+
+corenet_non_ipsec_sendrecv(innd_t)
+corenet_tcp_sendrecv_all_if(innd_t)
+corenet_udp_sendrecv_all_if(innd_t)
+corenet_tcp_sendrecv_all_nodes(innd_t)
+corenet_udp_sendrecv_all_nodes(innd_t)
+corenet_tcp_sendrecv_all_ports(innd_t)
+corenet_udp_sendrecv_all_ports(innd_t)
+corenet_tcp_bind_all_nodes(innd_t)
+corenet_tcp_bind_innd_port(innd_t)
+corenet_tcp_connect_all_ports(innd_t)
+corenet_sendrecv_innd_server_packets(innd_t)
+corenet_sendrecv_all_client_packets(innd_t)
+
+dev_read_sysfs(innd_t)
+dev_read_urand(innd_t)
+
+fs_getattr_all_fs(innd_t)
+fs_search_auto_mountpoints(innd_t)
+
+term_dontaudit_use_console(innd_t)
+
+corecmd_exec_bin(innd_t)
+corecmd_exec_shell(innd_t)
+corecmd_search_sbin(innd_t)
+corecmd_read_sbin_symlinks(innd_t)
+
+domain_use_interactive_fds(innd_t)
+
+files_list_spool(innd_t)
+files_read_etc_files(innd_t)
+files_read_etc_runtime_files(innd_t)
+files_read_usr_files(innd_t)
+
+init_use_fds(innd_t)
+init_use_script_ptys(innd_t)
+
+libs_use_ld_so(innd_t)
+libs_use_shared_libs(innd_t)
+
+logging_send_syslog_msg(innd_t)
+
+miscfiles_read_localization(innd_t)
+
+seutil_dontaudit_search_config(innd_t)
+
+sysnet_read_config(innd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(innd_t)
+userdom_dontaudit_search_sysadm_home_dirs(innd_t)
+
+mta_send_mail(innd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(innd_t)
+	term_dontaudit_use_generic_ptys(innd_t)
+	files_dontaudit_read_root_files(innd_t)
+')
+
+optional_policy(`
+	cron_system_entry(innd_t, innd_exec_t)
+')
+
+optional_policy(`
+	hostname_exec(innd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(innd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(innd_t)
+')
+
+optional_policy(`
+	udev_read_db(innd_t)
+')
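Review bot: `mta_send_mail(innd_t)` is the only cross-module call in the file not wrapped in `optional_policy(...)`, unlike the cron, hostname, nis, seutil and udev calls just below it; unless mta is a hard requirement of this module, wrapping it the same way keeps the module loadable when mta is absent. The `kill` and `dac_override` capabilities together with `corecmd_exec_shell(innd_t)` and `corecmd_exec_bin(innd_t)` are broader than what the neighbouring daemons on this page receive; a short comment on each naming which of the inn programs listed in inn.fc needs it would make later tightening possible.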
diff --git a/policy/modules/services/ircd.fc b/policy/modules/services/ircd.fc
new file mode 100644
index 0000000..d733fa8
--- /dev/null
+++ b/policy/modules/services/ircd.fc
@@ -0,0 +1,7 @@
+/etc/(dancer-)?ircd(/.*)?	gen_context(system_u:object_r:ircd_etc_t,s0)
+
+/usr/sbin/(dancer-)?ircd --	gen_context(system_u:object_r:ircd_exec_t,s0)
+
+/var/lib/dancer-ircd(/.*)?	gen_context(system_u:object_r:ircd_var_lib_t,s0)
+/var/log/(dancer-)?ircd(/.*)?	gen_context(system_u:object_r:ircd_log_t,s0)
+/var/run/dancer-ircd(/.*)?	gen_context(system_u:object_r:ircd_var_run_t,s0)
diff --git a/policy/modules/services/ircd.if b/policy/modules/services/ircd.if
new file mode 100644
index 0000000..3f4de83
--- /dev/null
+++ b/policy/modules/services/ircd.if
@@ -0,0 +1 @@
+## <summary>IRC server</summary>
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
new file mode 100644
index 0000000..fb4c356
--- /dev/null
+++ b/policy/modules/services/ircd.te
@@ -0,0 +1,111 @@
+
+policy_module(ircd,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type ircd_t;
+type ircd_exec_t;
+init_daemon_domain(ircd_t,ircd_exec_t)
+
+type ircd_etc_t;
+files_config_file(ircd_etc_t)
+
+type ircd_log_t;
+logging_log_file(ircd_log_t)
+
+type ircd_var_lib_t;
+files_type(ircd_var_lib_t)
+
+type ircd_var_run_t;
+files_pid_file(ircd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit ircd_t self:capability sys_tty_config;
+allow ircd_t self:process signal_perms;
+allow ircd_t self:tcp_socket create_stream_socket_perms;
+allow ircd_t self:udp_socket create_socket_perms;
+
+allow ircd_t ircd_etc_t:file r_file_perms;
+allow ircd_t ircd_etc_t:dir r_dir_perms;
+allow ircd_t ircd_etc_t:lnk_file { getattr read };
+files_search_etc(ircd_t)
+
+allow ircd_t ircd_log_t:file create_file_perms;
+allow ircd_t ircd_log_t:dir rw_dir_perms;
+logging_log_filetrans(ircd_t,ircd_log_t,{ file dir })
+
+allow ircd_t ircd_var_lib_t:file create_file_perms;
+allow ircd_t ircd_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(ircd_t,ircd_var_lib_t,file)
+
+allow ircd_t ircd_var_run_t:file create_file_perms;
+allow ircd_t ircd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ircd_t,ircd_var_run_t,file)
+
+kernel_read_system_state(ircd_t)
+kernel_read_kernel_sysctls(ircd_t)
+
+corecmd_search_sbin(ircd_t)
+
+corenet_non_ipsec_sendrecv(ircd_t)
+corenet_tcp_sendrecv_generic_if(ircd_t)
+corenet_udp_sendrecv_generic_if(ircd_t)
+corenet_tcp_sendrecv_all_nodes(ircd_t)
+corenet_udp_sendrecv_all_nodes(ircd_t)
+corenet_tcp_sendrecv_all_ports(ircd_t)
+corenet_udp_sendrecv_all_ports(ircd_t)
+corenet_tcp_bind_all_nodes(ircd_t)
+corenet_tcp_bind_ircd_port(ircd_t)
+corenet_sendrecv_ircd_server_packets(ircd_t)
+
+dev_read_sysfs(ircd_t)
+
+domain_use_interactive_fds(ircd_t)
+
+files_read_etc_files(ircd_t)
+files_read_etc_runtime_files(ircd_t)
+
+fs_getattr_all_fs(ircd_t)
+fs_search_auto_mountpoints(ircd_t)
+
+term_dontaudit_use_console(ircd_t)
+
+init_use_fds(ircd_t)
+init_use_script_ptys(ircd_t)
+
+libs_use_ld_so(ircd_t)
+libs_use_shared_libs(ircd_t)
+
+logging_send_syslog_msg(ircd_t)
+
+miscfiles_read_localization(ircd_t)
+
+sysnet_read_config(ircd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ircd_t)
+userdom_dontaudit_search_sysadm_home_dirs(ircd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(ircd_t)
+	term_dontaudit_use_generic_ptys(ircd_t)
+	files_dontaudit_read_root_files(ircd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(ircd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(ircd_t)
+')
+
+optional_policy(`
+	udev_read_db(ircd_t)
+')
diff --git a/policy/modules/services/irqbalance.fc b/policy/modules/services/irqbalance.fc
new file mode 100644
index 0000000..3831075
--- /dev/null
+++ b/policy/modules/services/irqbalance.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/irqbalance	-- gen_context(system_u:object_r:irqbalance_exec_t,s0)
diff --git a/policy/modules/services/irqbalance.if b/policy/modules/services/irqbalance.if
new file mode 100644
index 0000000..058fb75
--- /dev/null
+++ b/policy/modules/services/irqbalance.if
@@ -0,0 +1 @@
+## <summary>IRQ balancing daemon</summary>
diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
new file mode 100644
index 0000000..25368c0
--- /dev/null
+++ b/policy/modules/services/irqbalance.te
@@ -0,0 +1,69 @@
+
+policy_module(irqbalance,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type irqbalance_t;
+type irqbalance_exec_t;
+init_daemon_domain(irqbalance_t,irqbalance_exec_t)
+
+type irqbalance_var_run_t;
+files_pid_file(irqbalance_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit irqbalance_t self:capability sys_tty_config;
+allow irqbalance_t self:process signal_perms;
+
+allow irqbalance_t irqbalance_var_run_t:file create_file_perms;
+allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file)
+
+kernel_read_system_state(irqbalance_t)
+kernel_read_kernel_sysctls(irqbalance_t)
+kernel_rw_irq_sysctls(irqbalance_t)
+
+dev_read_sysfs(irqbalance_t)
+
+files_read_etc_files(irqbalance_t)
+files_read_etc_runtime_files(irqbalance_t)
+
+fs_getattr_all_fs(irqbalance_t)
+fs_search_auto_mountpoints(irqbalance_t)
+
+term_dontaudit_use_console(irqbalance_t)
+
+domain_use_interactive_fds(irqbalance_t)
+
+init_use_fds(irqbalance_t)
+init_use_script_ptys(irqbalance_t)
+
+libs_use_ld_so(irqbalance_t)
+libs_use_shared_libs(irqbalance_t)
+
+logging_send_syslog_msg(irqbalance_t)
+
+miscfiles_read_localization(irqbalance_t)
+
+userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
+userdom_dontaudit_search_sysadm_home_dirs(irqbalance_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(irqbalance_t)
+	term_dontaudit_use_generic_ptys(irqbalance_t)
+	files_dontaudit_read_root_files(irqbalance_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(irqbalance_t)
+')
+
+optional_policy(`
+	udev_read_db(irqbalance_t)
+')
diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
new file mode 100644
index 0000000..06ea746
--- /dev/null
+++ b/policy/modules/services/jabber.fc
@@ -0,0 +1,4 @@
+/usr/sbin/jabberd	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
+
+/var/lib/jabber(/.*)?		gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/log/jabber(/.*)?		gen_context(system_u:object_r:jabberd_log_t,s0)
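Review bot: No /var/run path is labelled here even though jabber.te declares `jabberd_var_run_t` via `files_pid_file` and allows `files_pid_filetrans(jabberd_t,jabberd_var_run_t,file)`; a pid file created at runtime gets its type from the transition, but a relabel (restorecon or autorelabel) would reset it to the generic pid type. If jabberd writes a pid file, add the matching entry, e.g. `/var/run/jabber(/.*)?		gen_context(system_u:object_r:jabberd_var_run_t,s0)` with the path confirmed against the package.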
diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
new file mode 100644
index 0000000..ac0db06
--- /dev/null
+++ b/policy/modules/services/jabber.if
@@ -0,0 +1,21 @@
+## <summary>Jabber instant messaging server</summary>
+
+########################################
+## <summary>
+##	Connect to jabber over a TCP socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jabber_tcp_connect',`
+	gen_require(`
+		type jabberd_t;
+	')
+
+	allow $1 jabberd_t:tcp_socket { connectto recvfrom };
+	allow jabberd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
new file mode 100644
index 0000000..01f85a7
--- /dev/null
+++ b/policy/modules/services/jabber.te
@@ -0,0 +1,109 @@
+
+policy_module(jabber,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type jabberd_t;
+type jabberd_exec_t;
+init_daemon_domain(jabberd_t,jabberd_exec_t)
+
+type jabberd_log_t;
+logging_log_file(jabberd_log_t)
+
+type jabberd_var_lib_t;
+files_type(jabberd_var_lib_t)
+
+type jabberd_var_run_t;
+files_pid_file(jabberd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow jabberd_t self:capability dac_override;
+dontaudit jabberd_t self:capability sys_tty_config;
+allow jabberd_t self:process signal_perms;
+allow jabberd_t self:fifo_file { read write getattr };
+allow jabberd_t self:tcp_socket create_stream_socket_perms;
+allow jabberd_t self:udp_socket create_socket_perms;
+
+allow jabberd_t jabberd_var_lib_t:file create_file_perms;
+allow jabberd_t jabberd_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(jabberd_t,jabberd_var_lib_t,file)
+
+allow jabberd_t jabberd_log_t:file create_file_perms;
+allow jabberd_t jabberd_log_t:dir rw_dir_perms;
+logging_log_filetrans(jabberd_t,jabberd_log_t,{ file dir })
+
+allow jabberd_t jabberd_var_run_t:file create_file_perms;
+allow jabberd_t jabberd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(jabberd_t,jabberd_var_run_t,file)
+
+kernel_read_kernel_sysctls(jabberd_t)
+kernel_list_proc(jabberd_t)
+kernel_read_proc_symlinks(jabberd_t)
+kernel_tcp_recvfrom(jabberd_t)
+
+corenet_non_ipsec_sendrecv(jabberd_t)
+corenet_tcp_sendrecv_generic_if(jabberd_t)
+corenet_udp_sendrecv_generic_if(jabberd_t)
+corenet_tcp_sendrecv_all_nodes(jabberd_t)
+corenet_udp_sendrecv_all_nodes(jabberd_t)
+corenet_tcp_sendrecv_all_ports(jabberd_t)
+corenet_udp_sendrecv_all_ports(jabberd_t)
+corenet_tcp_bind_all_nodes(jabberd_t)
+corenet_tcp_bind_jabber_client_port(jabberd_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+
+dev_read_sysfs(jabberd_t)
+# For SSL
+dev_read_rand(jabberd_t)
+
+domain_use_interactive_fds(jabberd_t)
+
+files_read_etc_files(jabberd_t)
+files_read_etc_runtime_files(jabberd_t)
+
+fs_getattr_all_fs(jabberd_t)
+fs_search_auto_mountpoints(jabberd_t)
+
+term_dontaudit_use_console(jabberd_t)
+
+init_use_fds(jabberd_t)
+init_use_script_ptys(jabberd_t)
+
+libs_use_ld_so(jabberd_t)
+libs_use_shared_libs(jabberd_t)
+
+logging_send_syslog_msg(jabberd_t)
+
+miscfiles_read_localization(jabberd_t)
+
+sysnet_read_config(jabberd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+userdom_dontaudit_search_sysadm_home_dirs(jabberd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(jabberd_t)
+	term_dontaudit_use_generic_ptys(jabberd_t)
+	files_dontaudit_read_root_files(jabberd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(jabberd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(jabberd_t)
+')
+
+optional_policy(`
+	udev_read_db(jabberd_t)
+')
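Review bot: `allow jabberd_t self:capability dac_override;` at the top of the local policy carries no justification, while the other modules in this series annotate their capability sets (kerberos: "Surplus capabilities may be allowed", ldap: "should not need kill"). dac_override bypasses every DAC permission check the daemon would otherwise hit, so it hides ownership mistakes on jabberd_var_lib_t and jabberd_log_t files rather than fixing them; if it is only needed while still root before privileges are dropped, say so. Suggested comment above that line: `# dac_override: TODO confirm which jabberd_var_lib_t/log paths need it; drop if ownership is correct`. Separately, `dev_read_rand(jabberd_t)` (marked "For SSL") grants /dev/random only; presumably the TLS library also reads /dev/urandom, so `dev_read_urand(jabberd_t)` may be the one actually needed — verify against the audit log.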
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
new file mode 100644
index 0000000..1990ad0
--- /dev/null
+++ b/policy/modules/services/kerberos.fc
@@ -0,0 +1,18 @@
+/etc/krb5\.conf			--	gen_context(system_u:object_r:krb5_conf_t,s0)
+/etc/krb5\.keytab			gen_context(system_u:object_r:krb5_keytab_t,s0)
+
+/etc/krb5kdc(/.*)?			gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/etc/krb5kdc/kadm5.keytab 	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+
+/usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
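Review bot: The keytab entry `/etc/krb5kdc/kadm5.keytab 	--` leaves the dot unescaped and has a stray space before the tab, unlike `/etc/krb5\.conf` and `/etc/krb5\.keytab` above it. In file-context regexes an unescaped `.` matches any character, so the pattern is looser than the path it is meant to label, and because it overlaps `/etc/krb5kdc(/.*)?` the label that wins depends on the matching precedence rules rather than on an exact spelling. Change it to `/etc/krb5kdc/kadm5\.keytab	--	gen_context(system_u:object_r:krb5_keytab_t,s0)`.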
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
new file mode 100644
index 0000000..b700f65
--- /dev/null
+++ b/policy/modules/services/kerberos.if
@@ -0,0 +1,138 @@
+## <summary>MIT Kerberos admin and KDC</summary>
+## <desc>
+##	<p>
+##	This policy supports:
+##	</p>
+##	<p>
+##	Servers:
+##	<ul>
+##		<li>kadmind</li>
+##		<li>krb5kdc</li>
+##	</ul>
+##	</p>
+##	<p>
+##	Clients:
+##	<ul>
+##		<li>kinit</li>
+##		<li>kdestroy</li>
+##		<li>klist</li>
+##		<li>ksu (incomplete)</li>
+##	</ul>
+##	</p>
+## </desc>
+
+########################################
+## <summary>
+##	Use kerberos services
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kerberos_use',`
+	gen_require(`
+		type krb5_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 krb5_conf_t:file { getattr read };
+	dontaudit $1 krb5_conf_t:file write;
+
+	tunable_policy(`allow_kerberos',`
+		allow $1 self:tcp_socket create_socket_perms;
+		allow $1 self:udp_socket create_socket_perms;
+
+		corenet_non_ipsec_sendrecv($1)
+		corenet_tcp_sendrecv_all_if($1)
+		corenet_udp_sendrecv_all_if($1)
+		corenet_tcp_sendrecv_all_nodes($1)
+		corenet_udp_sendrecv_all_nodes($1)
+		corenet_tcp_sendrecv_kerberos_port($1)
+		corenet_udp_sendrecv_kerberos_port($1)
+		corenet_tcp_bind_all_nodes($1)
+		corenet_udp_bind_all_nodes($1)
+		corenet_tcp_connect_kerberos_port($1)
+		corenet_sendrecv_kerberos_client_packets($1)
+
+		sysnet_read_config($1)
+		sysnet_dns_name_resolve($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read the kerberos configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kerberos_read_config',`
+	gen_require(`
+		type krb5_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 krb5_conf_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write the kerberos
+##	configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kerberos_dontaudit_write_config',`
+	gen_require(`
+		type krb5_conf_t;
+	')
+
+	dontaudit $1 krb5_conf_t:file write;
+')
+
+########################################
+## <summary>
+##	Read and write the kerberos configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kerberos_rw_config',`
+	gen_require(`
+		type krb5_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 krb5_conf_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read the kerberos key table.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kerberos_read_keytab',`
+	gen_require(`
+		type krb5_keytab_t;
+	')
+
+	files_search_etc($1)
+	allow $1 krb5_keytab_t:file r_file_perms;
+')
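Review bot: `kerberos_use` is documented only as "Use kerberos services", but most of what it grants — all-interface/all-node TCP and UDP send/receive, bind on all nodes, connect to the kerberos port and DNS resolution — sits inside the `tunable_policy(\`allow_kerberos'` block, and a caller reading the summary cannot tell that. Add to the summary: `##	Network access is granted only when the allow_kerberos tunable is enabled.` The tunable is referenced here but not declared with gen_tunable in the kerberos.te hunk below; presumably it lives in the global tunables, which is worth confirming. As a style point, `files_search_etc($1)` / `allow $1 krb5_conf_t:file { getattr read };` / `dontaudit $1 krb5_conf_t:file write;` duplicate `kerberos_read_config` and `kerberos_dontaudit_write_config` defined lower in the same hunk, except that `kerberos_read_config` uses `r_file_perms`; calling those two interfaces would keep the permission sets from drifting.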
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
new file mode 100644
index 0000000..2a9c1dd
--- /dev/null
+++ b/policy/modules/services/kerberos.te
@@ -0,0 +1,249 @@
+
+policy_module(kerberos,1.1.3)
+
+########################################
+#
+# Declarations
+#
+
+type kadmind_t;
+type kadmind_exec_t;
+init_daemon_domain(kadmind_t,kadmind_exec_t)
+
+type kadmind_log_t;
+logging_log_file(kadmind_log_t)
+
+type kadmind_tmp_t;
+files_tmp_file(kadmind_tmp_t)
+
+type kadmind_var_run_t;
+files_pid_file(kadmind_var_run_t)
+
+type krb5_conf_t;
+files_type(krb5_conf_t)
+
+# types for general configuration files in /etc
+type krb5_keytab_t;
+files_security_file(krb5_keytab_t)
+
+# types for KDC configs and principal file(s)
+type krb5kdc_conf_t;
+files_type(krb5kdc_conf_t)
+
+# types for KDC principal file(s)
+type krb5kdc_principal_t;
+files_type(krb5kdc_principal_t)
+
+type krb5kdc_t;
+type krb5kdc_exec_t;
+init_daemon_domain(krb5kdc_t,krb5kdc_exec_t)
+
+type krb5kdc_log_t;
+logging_log_file(krb5kdc_log_t)
+
+type krb5kdc_tmp_t;
+files_tmp_file(krb5kdc_tmp_t)
+
+type krb5kdc_var_run_t;
+files_pid_file(krb5kdc_var_run_t)
+
+########################################
+#
+# kadmind local policy
+#
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+dontaudit kadmind_t self:capability sys_tty_config;
+allow kadmind_t self:process signal_perms;
+allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+allow kadmind_t self:unix_dgram_socket { connect create write };
+allow kadmind_t self:tcp_socket connected_stream_socket_perms;
+allow kadmind_t self:udp_socket create_socket_perms;
+
+allow kadmind_t kadmind_log_t:file create_file_perms;
+logging_log_filetrans(kadmind_t,kadmind_log_t,file)
+
+allow kadmind_t krb5_conf_t:file r_file_perms;
+dontaudit kadmind_t krb5_conf_t:file write;
+
+allow kadmind_t krb5kdc_conf_t:dir search;
+allow kadmind_t krb5kdc_conf_t:file r_file_perms;
+dontaudit kadmind_t krb5kdc_conf_t:file write;
+
+allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
+
+can_exec(kadmind_t, kadmind_exec_t)
+
+allow kadmind_t kadmind_tmp_t:dir create_dir_perms;
+allow kadmind_t kadmind_tmp_t:file create_file_perms;
+files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
+
+allow kadmind_t kadmind_var_run_t:file create_file_perms;
+allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(kadmind_t,kadmind_var_run_t,file)
+
+kernel_read_kernel_sysctls(kadmind_t)
+kernel_list_proc(kadmind_t)
+kernel_read_proc_symlinks(kadmind_t)
+
+corenet_non_ipsec_sendrecv(kadmind_t)
+corenet_tcp_sendrecv_all_if(kadmind_t)
+corenet_udp_sendrecv_all_if(kadmind_t)
+corenet_tcp_sendrecv_all_nodes(kadmind_t)
+corenet_udp_sendrecv_all_nodes(kadmind_t)
+corenet_tcp_sendrecv_all_ports(kadmind_t)
+corenet_udp_sendrecv_all_ports(kadmind_t)
+corenet_tcp_bind_all_nodes(kadmind_t)
+corenet_udp_bind_all_nodes(kadmind_t)
+corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_reserved_port(kadmind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+
+dev_read_sysfs(kadmind_t)
+dev_read_rand(kadmind_t)
+dev_read_urand(kadmind_t)
+
+fs_getattr_all_fs(kadmind_t)
+fs_search_auto_mountpoints(kadmind_t)
+
+term_dontaudit_use_console(kadmind_t)
+
+domain_use_interactive_fds(kadmind_t)
+
+files_read_etc_files(kadmind_t)
+
+init_use_fds(kadmind_t)
+init_use_script_ptys(kadmind_t)
+
+libs_use_ld_so(kadmind_t)
+libs_use_shared_libs(kadmind_t)
+
+logging_send_syslog_msg(kadmind_t)
+
+miscfiles_read_localization(kadmind_t)
+
+sysnet_read_config(kadmind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
+userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(kadmind_t)
+	term_dontaudit_use_generic_ptys(kadmind_t)
+	files_dontaudit_read_root_files(kadmind_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(kadmind_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(kadmind_t)
+')
+
+optional_policy(`
+	udev_read_db(kadmind_t)
+')
+
+########################################
+#
+# Krb5kdc local policy
+#
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+dontaudit krb5kdc_t self:capability sys_tty_config;
+allow krb5kdc_t self:process signal_perms;
+allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
+allow krb5kdc_t self:udp_socket create_socket_perms;
+
+allow krb5kdc_t krb5_conf_t:file r_file_perms;
+dontaudit krb5kdc_t krb5_conf_t:file write;
+
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+
+allow krb5kdc_t krb5kdc_conf_t:dir search;
+allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
+
+allow krb5kdc_t krb5kdc_log_t:file create_file_perms;
+logging_log_filetrans(krb5kdc_t,krb5kdc_log_t,file)
+
+allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
+dontaudit krb5kdc_t krb5kdc_principal_t:file write;
+
+allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
+allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
+files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+
+allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
+allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t,file)
+
+kernel_read_system_state(krb5kdc_t)
+kernel_read_kernel_sysctls(krb5kdc_t)
+kernel_list_proc(krb5kdc_t)
+kernel_read_proc_symlinks(krb5kdc_t)
+kernel_read_network_state(krb5kdc_t)
+
+corenet_non_ipsec_sendrecv(krb5kdc_t)
+corenet_tcp_sendrecv_all_if(krb5kdc_t)
+corenet_udp_sendrecv_all_if(krb5kdc_t)
+corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
+corenet_udp_sendrecv_all_nodes(krb5kdc_t)
+corenet_tcp_sendrecv_all_ports(krb5kdc_t)
+corenet_udp_sendrecv_all_ports(krb5kdc_t)
+corenet_tcp_bind_all_nodes(krb5kdc_t)
+corenet_udp_bind_all_nodes(krb5kdc_t)
+corenet_tcp_bind_kerberos_port(krb5kdc_t)
+corenet_udp_bind_kerberos_port(krb5kdc_t)
+corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
+
+dev_read_sysfs(krb5kdc_t)
+dev_read_urand(krb5kdc_t)
+
+fs_getattr_all_fs(krb5kdc_t)
+fs_search_auto_mountpoints(krb5kdc_t)
+
+term_dontaudit_use_console(krb5kdc_t)
+
+domain_use_interactive_fds(krb5kdc_t)
+
+files_read_etc_files(krb5kdc_t)
+
+init_use_fds(krb5kdc_t)
+init_use_script_ptys(krb5kdc_t)
+
+libs_use_ld_so(krb5kdc_t)
+libs_use_shared_libs(krb5kdc_t)
+
+logging_send_syslog_msg(krb5kdc_t)
+
+miscfiles_read_localization(krb5kdc_t)
+
+sysnet_read_config(krb5kdc_t)
+
+userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
+userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(krb5kdc_t)
+	term_dontaudit_use_generic_ptys(krb5kdc_t)
+	files_dontaudit_read_root_files(krb5kdc_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(krb5kdc_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(krb5kdc_t)
+')
+
+optional_policy(`
+	udev_read_db(krb5kdc_t)
+')
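Review bot: kadmind_t has no rule on krb5_keytab_t, yet the kerberos.fc hunk above labels `/etc/krb5kdc/kadm5.keytab` with that type and kadmind presumably reads that keytab to authenticate its admin clients; if so, the daemon will hit an AVC denial on a files_security_file type at startup. An `allow kadmind_t krb5_keytab_t:file r_file_perms;` next to the krb5_conf_t rules (after `dontaudit kadmind_t krb5_conf_t:file write;`) would close the gap — confirm against the audit log. Separately, `allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };` hands the KDC net_admin under a comment that already admits surplus capabilities; net_admin is broad (interface and routing configuration, privileged socket options) and is not something a listening UDP/TCP service normally needs, so either record why the KDC needs it or drop it and re-add only against a concrete denial.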
diff --git a/policy/modules/services/ktalk.fc b/policy/modules/services/ktalk.fc
new file mode 100644
index 0000000..6b30e26
--- /dev/null
+++ b/policy/modules/services/ktalk.fc
@@ -0,0 +1,4 @@
+
+/usr/bin/in.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/ktalkd		--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/var/log/talkd.*	--	gen_context(system_u:object_r:ktalkd_log_t,s0)
diff --git a/policy/modules/services/ktalk.if b/policy/modules/services/ktalk.if
new file mode 100644
index 0000000..5ba36db
--- /dev/null
+++ b/policy/modules/services/ktalk.if
@@ -0,0 +1 @@
+## <summary>KDE Talk daemon</summary>
diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
new file mode 100644
index 0000000..d4139c9
--- /dev/null
+++ b/policy/modules/services/ktalk.te
@@ -0,0 +1,89 @@
+
+policy_module(ktalk,1.2.2)
+
+########################################
+#
+# Declarations
+#
+
+type ktalkd_t;
+type ktalkd_exec_t;
+inetd_udp_service_domain(ktalkd_t,ktalkd_exec_t)
+role system_r types ktalkd_t;
+
+type ktalkd_log_t;
+logging_log_file(ktalkd_log_t)
+
+type ktalkd_tmp_t;
+files_tmp_file(ktalkd_tmp_t)
+
+type ktalkd_var_run_t;
+files_pid_file(ktalkd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ktalkd_t self:process signal_perms;
+allow ktalkd_t self:fifo_file rw_file_perms;
+allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
+allow ktalkd_t self:udp_socket create_socket_perms;
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow ktalkd_t self:capability { setuid setgid };
+allow ktalkd_t self:dir search;
+allow ktalkd_t self:{ lnk_file file } { getattr read };
+files_search_home(ktalkd_t)
+optional_policy(`
+	kerberos_use(ktalkd_t)
+')
+#end for identd
+
+allow ktalkd_t ktalkd_log_t:file manage_file_perms;
+logging_log_filetrans(ktalkd_t,ktalkd_log_t,file)
+
+allow ktalkd_t ktalkd_tmp_t:dir create_dir_perms;
+allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
+files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
+
+allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
+allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file)
+
+kernel_read_kernel_sysctls(ktalkd_t)
+kernel_read_system_state(ktalkd_t)
+kernel_read_network_state(ktalkd_t)
+
+corenet_non_ipsec_sendrecv(ktalkd_t)
+corenet_tcp_sendrecv_all_if(ktalkd_t)
+corenet_udp_sendrecv_all_if(ktalkd_t)
+corenet_tcp_sendrecv_all_nodes(ktalkd_t)
+corenet_udp_sendrecv_all_nodes(ktalkd_t)
+corenet_tcp_sendrecv_all_ports(ktalkd_t)
+corenet_udp_sendrecv_all_ports(ktalkd_t)
+
+dev_read_urand(ktalkd_t)
+
+fs_getattr_xattr_fs(ktalkd_t)
+
+files_read_etc_files(ktalkd_t)
+
+init_read_utmp(ktalkd_t)
+
+libs_use_ld_so(ktalkd_t)
+libs_use_shared_libs(ktalkd_t)
+logging_send_syslog_msg(ktalkd_t)
+
+miscfiles_read_localization(ktalkd_t)
+
+sysnet_read_config(ktalkd_t)
+
+optional_policy(`
+	nis_use_ypbind(ktalkd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(ktalkd_t)
+')
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
new file mode 100644
index 0000000..8ee84ac
--- /dev/null
+++ b/policy/modules/services/ldap.fc
@@ -0,0 +1,11 @@
+
+/etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
+
+/usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
+
+/var/lib/ldap(/.*)?		gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/ldap/replog(/.*)?	gen_context(system_u:object_r:slapd_replog_t,s0)
+
+/var/run/openldap(/.*)?		gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.args	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
new file mode 100644
index 0000000..45b3bd9
--- /dev/null
+++ b/policy/modules/services/ldap.if
@@ -0,0 +1,59 @@
+## <summary>OpenLDAP directory server</summary>
+
+########################################
+## <summary>
+##	Read the contents of the OpenLDAP
+##	database directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ldap_list_db',`
+	gen_require(`
+		type slapd_db_t;
+	')
+
+	allow $1 slapd_db_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read the OpenLDAP configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ldap_read_config',`
+	gen_require(`
+		type slapd_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 slapd_etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Use LDAP over TCP connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ldap_use',`
+	gen_require(`
+		type slapd_t;
+	')
+
+	allow $1 slapd_t:tcp_socket { connectto recvfrom };
+	allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
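Review bot: `ldap_list_db` grants only `allow $1 slapd_db_t:dir r_dir_perms;`, i.e. directory listing, but its summary says "Read the contents of the OpenLDAP database directories", which a policy writer would take to include the database files themselves. Change the summary to `##	List the contents of the OpenLDAP database directories.` so the documentation matches the interface name and the access actually granted; a caller that needs to read the database files would need a separate interface.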
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
new file mode 100644
index 0000000..315dffb
--- /dev/null
+++ b/policy/modules/services/ldap.te
@@ -0,0 +1,154 @@
+
+policy_module(ldap,1.2.3)
+
+########################################
+#
+# Declarations
+#
+
+type slapd_t;
+type slapd_exec_t;
+init_daemon_domain(slapd_t,slapd_exec_t)
+
+type slapd_cert_t;
+files_type(slapd_cert_t)
+
+type slapd_db_t;
+files_type(slapd_db_t)
+
+type slapd_etc_t;
+files_config_file(slapd_etc_t)
+
+type slapd_lock_t;
+files_lock_file(slapd_lock_t)
+
+type slapd_replog_t;
+files_type(slapd_replog_t)
+
+type slapd_tmp_t;
+files_tmp_file(slapd_tmp_t)
+
+type slapd_var_run_t;
+files_pid_file(slapd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# should not need kill
+# cjp: why net_raw?
+allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
+dontaudit slapd_t self:capability sys_tty_config;
+allow slapd_t self:process setsched;
+allow slapd_t self:fifo_file { read write };
+allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+allow slapd_t self:udp_socket create_socket_perms;
+#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
+allow slapd_t self:tcp_socket create_stream_socket_perms;
+
+allow slapd_t slapd_cert_t:dir r_dir_perms;
+allow slapd_t slapd_cert_t:file r_file_perms;
+allow slapd_t slapd_cert_t:lnk_file { getattr read };
+
+# Allow access to the slapd databases
+allow slapd_t slapd_db_t:dir create_dir_perms;
+allow slapd_t slapd_db_t:file create_file_perms;
+allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
+
+allow slapd_t slapd_etc_t:file { getattr read };
+
+allow slapd_t slapd_lock_t:file create_file_perms;
+files_lock_filetrans(slapd_t,slapd_lock_t,file)
+
+# Allow access to write the replication log (should tighten this)
+allow slapd_t slapd_replog_t:dir create_dir_perms;
+allow slapd_t slapd_replog_t:file create_file_perms;
+allow slapd_t slapd_replog_t:lnk_file create_lnk_perms;
+
+allow slapd_t slapd_tmp_t:dir create_dir_perms;
+allow slapd_t slapd_tmp_t:file create_file_perms;
+files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+
+allow slapd_t slapd_var_run_t:file create_file_perms;
+allow slapd_t slapd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(slapd_t,slapd_var_run_t,file)
+
+kernel_read_system_state(slapd_t)
+kernel_read_kernel_sysctls(slapd_t)
+kernel_tcp_recvfrom(slapd_t)
+
+corenet_non_ipsec_sendrecv(slapd_t)
+corenet_tcp_sendrecv_all_if(slapd_t)
+corenet_udp_sendrecv_all_if(slapd_t)
+corenet_tcp_sendrecv_all_nodes(slapd_t)
+corenet_udp_sendrecv_all_nodes(slapd_t)
+corenet_tcp_sendrecv_all_ports(slapd_t)
+corenet_udp_sendrecv_all_ports(slapd_t)
+corenet_tcp_bind_all_nodes(slapd_t)
+corenet_tcp_bind_ldap_port(slapd_t)
+corenet_tcp_connect_all_ports(slapd_t)
+corenet_sendrecv_ldap_server_packets(slapd_t)
+corenet_sendrecv_all_client_packets(slapd_t)
+
+dev_read_urand(slapd_t)
+dev_read_sysfs(slapd_t)
+
+fs_getattr_all_fs(slapd_t)
+fs_search_auto_mountpoints(slapd_t)
+
+term_dontaudit_use_console(slapd_t)
+
+domain_use_interactive_fds(slapd_t)
+
+files_read_etc_files(slapd_t)
+files_read_etc_runtime_files(slapd_t)
+files_read_usr_files(slapd_t)
+files_list_var_lib(slapd_t)
+
+init_use_fds(slapd_t)
+init_use_script_ptys(slapd_t)
+
+libs_use_ld_so(slapd_t)
+libs_use_shared_libs(slapd_t)
+
+logging_send_syslog_msg(slapd_t)
+
+miscfiles_read_certs(slapd_t)
+miscfiles_read_localization(slapd_t)
+
+sysnet_read_config(slapd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(slapd_t)
+userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
+
+ifdef(`targeted_policy',`
+	#reh slapcat will want to talk to the terminal
+	term_use_generic_ptys(slapd_t)
+	term_use_unallocated_ttys(slapd_t)
+
+	userdom_search_generic_user_home_dirs(slapd_t)
+	#need to be able to read ldif files created by root
+	# cjp: fix to not use templated interface:
+	userdom_read_user_home_content_files(user,slapd_t)
+
+	term_dontaudit_use_unallocated_ttys(slapd_t)
+	term_dontaudit_use_generic_ptys(slapd_t)
+	files_dontaudit_read_root_files(slapd_t)
+')
+
+optional_policy(`
+	kerberos_use(slapd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(slapd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(slapd_t)
+')
+
+optional_policy(`
+	udev_read_db(slapd_t)
+')
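Review bot: `slapd_cert_t` is declared and given read rules (`allow slapd_t slapd_cert_t:dir r_dir_perms;` and the two lines after it), but the ldap.fc hunk above assigns that label to no path, and unlike slapd_lock_t, slapd_tmp_t and slapd_var_run_t there is no type transition that could create files of that type. Unless another module assigns the label, nothing on disk will ever be slapd_cert_t and the only certificate access slapd actually gets is `miscfiles_read_certs(slapd_t)`; either add a file-context line for the slapd certificate directory to ldap.fc or drop the type. The capability line `allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };` is committed under the author's own notes "should not need kill" and "cjp: why net_raw?" — known-surplus capabilities landed with a question mark tend to become permanent, so remove the two and re-add only with a denial to justify them. In the `targeted_policy` block, `term_dontaudit_use_unallocated_ttys(slapd_t)` and `term_dontaudit_use_generic_ptys(slapd_t)` are redundant with the `term_use_*` calls a few lines above, which already allow that access.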
diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc
new file mode 100644
index 0000000..e97eb7a
--- /dev/null
+++ b/policy/modules/services/lpd.fc
@@ -0,0 +1,20 @@
+#
+# /dev
+#
+/dev/printer		-s	gen_context(system_u:object_r:printer_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/checkpc	--	gen_context(system_u:object_r:checkpc_exec_t,s0)
+/usr/sbin/lpd		--	gen_context(system_u:object_r:lpd_exec_t,s0)
+/usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
+/usr/bin/lpr(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpq(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lprm(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+
+#
+# /var
+#
+/var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
+/var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
new file mode 100644
index 0000000..fd149e4
--- /dev/null
+++ b/policy/modules/services/lpd.if
@@ -0,0 +1,393 @@
+## <summary>Line printer daemon</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the lpd module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for lpr printing client.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`lpd_per_userdomain_template',`
+	gen_require(`
+		type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t;
+	')
+
+	##############################
+	#
+	# Declarations
+	#
+	# Derived domain based on the calling user domain and the program
+	type $1_lpr_t;
+	domain_type($1_lpr_t)
+	domain_entry_file($1_lpr_t,lpr_exec_t)
+	role $3 types $1_lpr_t;
+
+	type $1_lpr_tmp_t;
+	files_tmp_file($1_lpr_tmp_t)
+
+	# Type for spool files.
+	type $1_print_spool_t;
+	files_type($1_print_spool_t)
+
+	##############################
+	#
+	# Local policy
+	#
+	allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
+	allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_lpr_t self:tcp_socket create_socket_perms;
+	allow $1_lpr_t self:udp_socket create_socket_perms;
+	
+	# lpr can run in lightweight mode, without a local print spooler.
+	allow $1_lpr_t lpd_var_run_t:dir search;
+	allow $1_lpr_t lpd_var_run_t:sock_file write;
+	files_read_var_files($1_lpr_t)
+
+	# Connect to lpd via a Unix domain socket.
+	allow $1_lpr_t printer_t:sock_file rw_file_perms;
+	allow $1_lpr_t lpd_t:unix_stream_socket connectto;
+	# connecto to a network lpd
+	allow $1_lpr_t lpd_t:tcp_socket { connectto recvfrom };
+	allow lpd_t $1_lpr_t:tcp_socket { acceptfrom recvfrom };
+	# Send SIGHUP to lpd.
+	allow $1_lpr_t lpd_t:process signal;
+
+	can_exec($1_lpr_t,lpr_exec_t)
+
+	allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
+	allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
+
+	allow $1_lpr_t $1_print_spool_t:file create_file_perms;
+	allow $1_lpr_t print_spool_t:dir rw_dir_perms;
+	type_transition $1_lpr_t print_spool_t:file $1_print_spool_t;
+	# Read and write shared files in the spool directory.
+	allow $1_lpr_t print_spool_t:file rw_file_perms;
+
+	allow $1_lpr_t printconf_t:dir r_dir_perms;
+	allow $1_lpr_t printconf_t:file r_file_perms;
+	allow $1_lpr_t printconf_t:lnk_file { getattr read };
+
+	dontaudit $1_lpr_t $2:unix_stream_socket { read write };
+
+	# Transition from the user domain to the derived domain.
+	allow $2 $1_lpr_t:fd use;
+	allow $1_lpr_t $2:fd use;
+	allow $1_lpr_t $2:fifo_file rw_file_perms;
+	allow $1_lpr_t $2:process sigchld;
+	domain_auto_trans($2,lpr_exec_t,$1_lpr_t)
+
+	allow $2 $1_lpr_t:process signull;
+
+	# Allow lpd to read, rename, and unlink spool files.
+	allow lpd_t $1_print_spool_t:file r_file_perms;
+	allow lpd_t $1_print_spool_t:file link_file_perms;
+
+	kernel_tcp_recvfrom($1_lpr_t)
+
+	corenet_tcp_sendrecv_generic_if($1_lpr_t)
+	corenet_udp_sendrecv_generic_if($1_lpr_t)
+	corenet_tcp_sendrecv_all_nodes($1_lpr_t)
+	corenet_udp_sendrecv_all_nodes($1_lpr_t)
+	corenet_tcp_sendrecv_all_ports($1_lpr_t)
+	corenet_udp_sendrecv_all_ports($1_lpr_t)
+	corenet_tcp_connect_all_ports($1_lpr_t)
+	corenet_sendrecv_all_client_packets($1_lpr_t)
+
+	# for /dev/null
+	dev_list_all_dev_nodes($1_lpr_t)
+
+	domain_use_interactive_fds($1_lpr_t)
+
+	files_search_spool($1_lpr_t)
+	# for lpd config files (should have a new type)
+	files_read_etc_files($1_lpr_t)
+	# for test print
+	files_read_usr_files($1_lpr_t)
+	#Added to cover read_content macro
+	files_list_home($1_lpr_t)
+	files_read_generic_tmp_files($1_lpr_t)
+
+	fs_getattr_xattr_fs($1_lpr_t)
+
+	# Access the terminal.
+	term_use_controlling_term($1_lpr_t)
+	term_use_generic_ptys($1_lpr_t)
+	
+	libs_use_ld_so($1_lpr_t)
+	libs_use_shared_libs($1_lpr_t)
+
+	miscfiles_read_localization($1_lpr_t)
+
+	sysnet_read_config($1_lpr_t)
+
+	userdom_read_user_tmp_symlinks($1,$1_lpr_t)
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_lpr_t)
+
+	tunable_policy(`read_default_t',`
+		files_list_default($1_lpr_t)
+		files_read_default_symlinks($1_lpr_t)
+		files_read_default_files($1_lpr_t)
+	')
+
+	tunable_policy(`read_untrusted_content',`
+		#list and read user specific untrusted content
+		files_list_home($1_lpr_t)
+		userdom_list_user_home_dirs($1,$1_lpr_t)
+		userdom_read_user_untrusted_content_files($1,$1_lpr_t)
+
+		#list and read user specific temporary untrusted content
+		files_list_tmp($1_lpr_t)
+		userdom_read_user_tmp_untrusted_content_files($1,$1_lpr_t)
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		files_list_home($1_lpr_t)
+		fs_list_auto_mountpoints($1_lpr_t)
+		fs_read_nfs_files($1_lpr_t)
+		fs_read_nfs_symlinks($1_lpr_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		files_list_home($1_lpr_t)
+		fs_list_auto_mountpoints($1_lpr_t)
+		fs_read_cifs_files($1_lpr_t)
+		fs_read_cifs_symlinks($1_lpr_t)
+	')
+
+	optional_policy(`
+		cups_read_config($1_lpr_t)
+		cups_tcp_connect($1_lpr_t)
+		cups_read_config($2)
+		cups_tcp_connect($2)
+	')
+
+	optional_policy(`
+		logging_send_syslog_msg($1_lpr_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_lpr_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_lpr_t)
+	')
+
+	ifdef(`TODO',`
+	optional_policy(`
+		allow $1_lpr_t xdm_t:fd use;
+		allow $1_lpr_t xdm_var_run_t:dir search;
+		allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };
+	')
+	') dnl end TODO
+')
+
+#######################################
+## <summary>
+##	The administrative functions template for the lpd module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates rules for administrating the ldp service,
+##	allowing the specified user to manage lpr files.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`lpr_admin_template',`
+	gen_require(`
+		type $1_lpr_t;
+	')
+
+	userdom_read_all_users_home_content_files($1_lpr_t)
+
+	# Allow per user lpr domain read acces for specific user.
+	tunable_policy(`read_untrusted_content',`
+		userdom_read_all_untrusted_content($1_lpr_t)
+		userdom_read_all_tmp_untrusted_content($1_lpr_t)
+	')
+')
+
+########################################
+## <summary>
+##	Execute lpd in the lpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lpd_domtrans_checkpc',`
+	gen_require(`
+		type checkpc_t, checkpc_exec_t;
+	')
+
+	domain_auto_trans($1,checkpc_exec_t,checkpc_t)
+
+	allow $1 checkpc_t:fd use;
+	allow checkpc_t $1:fd use;
+	allow checkpc_t $1:fifo_file rw_file_perms;
+	allow checkpc_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute amrecover in the lpd domain, and
+##	allow the specified role the lpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the lpd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the lpd domain to use.
+##	</summary>
+## </param>
+#
+interface(`lpd_run_checkpc',`
+	gen_require(`
+		type checkpc_t;
+	')
+
+	lpd_domtrans_checkpc($1)
+	role $2 types checkpc_t;
+	allow checkpc_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of the printer spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lpd_list_spool',`
+	gen_require(`
+		type print_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 print_spool_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete printer spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lpd_manage_spool',`
+	gen_require(`
+		type print_spool_t;
+	')
+
+	files_search_spool($1)
+
+	# cjp: cups wants setattr
+	allow $1 print_spool_t:dir { rw_dir_perms setattr };
+	allow $1 print_spool_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of the printer spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lpd_read_config',`
+	gen_require(`
+		type printconf_t;
+	')
+
+	allow $1 printconf_t:dir list_dir_perms;
+	allow $1 printconf_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##      Transition to a user lpr domain.
+## </summary>
+## <desc>
+##      <p>
+##      Transition to a user lpr domain.
+##      </p>
+##      <p>
+##      This is a templated interface, and should only
+##      be called from a per-userdomain template.
+##      </p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`lpd_domtrans_user_lpr',`
+	gen_require(`
+		type $1_lpr_t, lpr_exec_t;
+	')
+
+	domain_auto_trans($2, lpr_exec_t, $1_lpr_t)
+	allow $2 $1_lpr_t:fd use;
+	allow $1_lpr_t $2:fd use;
+	allow $1_lpr_t $2:fifo_file rw_file_perms;
+	allow $1_lpr_t $2:process sigchld;
+')
+
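Review bot: Several interface summaries in this hunk are copy-paste leftovers and document the wrong thing: `lpd_domtrans_checkpc` says "Execute lpd in the lpd domain" but transitions to checkpc_t, `lpd_run_checkpc` says "Execute amrecover in the lpd domain" (amrecover belongs to the amanda module), and `lpd_read_config` repeats `lpd_list_spool`'s "List the contents of the printer spool directories." although it grants read on printconf_t. Replace them with `##	Execute checkpc in the checkpc domain.`, `##	Execute checkpc in the checkpc domain, and allow the specified role the checkpc domain.` (the `<param name="terminal">` text should likewise say checkpc rather than lpd), and `##	Read the printer configuration files.` Minor: "acces" in lpr_admin_template's comment. The `ifdef(\`TODO'` block at the end of lpd_per_userdomain_template ships dead xdm rules inside the template — either finish them through the proper xserver interface or remove them before merging.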
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
new file mode 100644
index 0000000..c2eedbd
--- /dev/null
+++ b/policy/modules/services/lpd.te
@@ -0,0 +1,236 @@
+
+policy_module(lpd,1.2.4)
+
+########################################
+#
+# Declarations
+#
+
+type checkpc_t;
+type checkpc_exec_t;
+init_system_domain(checkpc_t,checkpc_exec_t)
+role system_r types checkpc_t;
+
+type checkpc_log_t;
+logging_log_file(checkpc_log_t)
+
+type lpd_t;
+type lpd_exec_t;
+init_daemon_domain(lpd_t,lpd_exec_t)
+
+type lpd_tmp_t;
+files_tmp_file(lpd_tmp_t)
+
+type lpd_var_run_t;
+files_pid_file(lpd_var_run_t)
+
+type lpr_exec_t;
+corecmd_executable_file(lpr_exec_t)
+
+type print_spool_t;
+files_tmp_file(print_spool_t)
+
+type printer_t;
+files_type(printer_t)
+
+type printconf_t;
+files_type(printconf_t)
+
+########################################
+#
+# Checkpc local policy
+#
+
+# Allow checkpc to access the lpd spool so it can check & fix it.
+# This requires that /usr/sbin/checkpc have type checkpc_t.
+
+allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:process signal_perms;
+allow checkpc_t self:unix_stream_socket create_socket_perms;
+allow checkpc_t self:tcp_socket create_socket_perms;
+allow checkpc_t self:udp_socket create_socket_perms;
+
+allow checkpc_t checkpc_log_t:file create_file_perms;
+logging_log_filetrans(checkpc_t,checkpc_log_t,file)
+
+allow checkpc_t lpd_var_run_t:dir { search getattr };
+files_search_pids(checkpc_t)
+
+allow checkpc_t print_spool_t:file { rw_file_perms unlink };
+allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
+files_search_spool(checkpc_t)
+
+allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:dir { getattr search read };
+
+kernel_read_system_state(checkpc_t)
+
+corenet_non_ipsec_sendrecv(checkpc_t)
+corenet_tcp_sendrecv_all_if(checkpc_t)
+corenet_udp_sendrecv_all_if(checkpc_t)
+corenet_tcp_sendrecv_all_nodes(checkpc_t)
+corenet_udp_sendrecv_all_nodes(checkpc_t)
+corenet_tcp_sendrecv_all_ports(checkpc_t)
+corenet_udp_sendrecv_all_ports(checkpc_t)
+corenet_tcp_connect_all_ports(checkpc_t)
+corenet_sendrecv_all_client_packets(checkpc_t)
+
+dev_append_printer(checkpc_t)
+
+# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
+corecmd_exec_shell(checkpc_t)
+corecmd_exec_bin(checkpc_t)
+corecmd_search_sbin(checkpc_t)
+
+domain_use_interactive_fds(checkpc_t)
+
+files_read_etc_files(checkpc_t)
+files_read_etc_runtime_files(checkpc_t)
+
+init_use_script_ptys(checkpc_t)
+# Allow access to /dev/console through the fd:
+init_use_fds(checkpc_t)
+
+libs_use_ld_so(checkpc_t)
+libs_use_shared_libs(checkpc_t)
+
+sysnet_read_config(checkpc_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(checkpc_t)
+	term_use_unallocated_ttys(checkpc_t)
+')
+
+optional_policy(`
+	cron_system_entry(checkpc_t,checkpc_exec_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(checkpc_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(checkpc_t)
+')
+
+########################################
+#
+# Lpd local policy
+#
+
+allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
+dontaudit lpd_t self:capability sys_tty_config;
+allow lpd_t self:process signal_perms;
+allow lpd_t self:fifo_file rw_file_perms;
+allow lpd_t self:unix_stream_socket create_stream_socket_perms;
+allow lpd_t self:unix_dgram_socket create_socket_perms;
+allow lpd_t self:tcp_socket create_stream_socket_perms;
+allow lpd_t self:udp_socket create_stream_socket_perms;
+
+allow lpd_t lpd_tmp_t:dir create_dir_perms;
+allow lpd_t lpd_tmp_t:file create_file_perms;
+files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
+
+allow lpd_t lpd_var_run_t:dir rw_dir_perms;
+allow lpd_t lpd_var_run_t:file create_file_perms;
+allow lpd_t lpd_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(lpd_t,lpd_var_run_t,file)
+
+# Write to /var/spool/lpd.
+allow lpd_t print_spool_t:dir rw_dir_perms;
+allow lpd_t print_spool_t:file create_file_perms;
+allow lpd_t print_spool_t:file rw_file_perms;
+files_search_spool(lpd_t)
+
+# lpd must be able to execute the filter utilities in /usr/share/printconf.
+allow lpd_t printconf_t:dir { getattr search read };
+can_exec(lpd_t, printconf_t)
+
+# Create and bind to /dev/printer.
+allow lpd_t printer_t:lnk_file create_lnk_perms;
+dev_filetrans(lpd_t,printer_t,lnk_file)
+# cjp: I believe these have no effect:
+allow lpd_t printer_t:unix_stream_socket name_bind;
+allow lpd_t printer_t:unix_dgram_socket name_bind;
+
+kernel_read_kernel_sysctls(lpd_t)
+kernel_tcp_recvfrom(lpd_t)
+# bash wants access to /proc/meminfo
+kernel_read_system_state(lpd_t)
+
+corenet_non_ipsec_sendrecv(lpd_t)
+corenet_tcp_sendrecv_all_if(lpd_t)
+corenet_udp_sendrecv_all_if(lpd_t)
+corenet_tcp_sendrecv_all_nodes(lpd_t)
+corenet_udp_sendrecv_all_nodes(lpd_t)
+corenet_tcp_sendrecv_all_ports(lpd_t)
+corenet_udp_sendrecv_all_ports(lpd_t)
+corenet_tcp_bind_all_nodes(lpd_t)
+corenet_tcp_bind_printer_port(lpd_t)
+corenet_sendrecv_printer_server_packets(lpd_t)
+
+dev_read_sysfs(lpd_t)
+dev_rw_printer(lpd_t)
+
+fs_getattr_all_fs(lpd_t)
+fs_search_auto_mountpoints(lpd_t)
+
+term_dontaudit_use_console(lpd_t)
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+corecmd_exec_bin(lpd_t)
+corecmd_exec_sbin(lpd_t)
+corecmd_exec_shell(lpd_t)
+
+domain_use_interactive_fds(lpd_t)
+
+files_read_etc_runtime_files(lpd_t)
+files_read_usr_files(lpd_t)
+# for defoma
+files_list_world_readable(lpd_t)
+files_read_world_readable_files(lpd_t)
+files_read_world_readable_symlinks(lpd_t)
+files_list_var_lib(lpd_t)
+files_read_var_lib_files(lpd_t)
+files_read_var_lib_symlinks(lpd_t)
+# config files for lpd are of type etc_t, probably should change this
+files_read_etc_files(lpd_t)
+
+init_use_fds(lpd_t)
+init_use_script_ptys(lpd_t)
+
+libs_use_ld_so(lpd_t)
+libs_use_shared_libs(lpd_t)
+
+logging_send_syslog_msg(lpd_t)
+
+miscfiles_read_fonts(lpd_t)
+miscfiles_read_localization(lpd_t)
+
+sysnet_read_config(lpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(lpd_t)
+userdom_dontaudit_search_sysadm_home_dirs(lpd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(lpd_t)
+	term_dontaudit_use_generic_ptys(lpd_t)
+	files_dontaudit_read_root_files(lpd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(lpd_t)
+	nis_tcp_connect_ypbind(lpd_t)
+')
+
+optional_policy(`
+	portmap_udp_send(lpd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(lpd_t)
+')
+
+optional_policy(`
+	udev_read_db(lpd_t)
+')
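Review bot: `allow lpd_t print_spool_t:file rw_file_perms;` directly after `allow lpd_t print_spool_t:file create_file_perms;` is redundant, because in refpolicy's permission-set macros create_file_perms is a superset of rw_file_perms; drop the rw_file_perms line. The two `name_bind` rules on printer_t unix sockets already carry an author note saying they are believed to have no effect; if that is confirmed they should be removed rather than left as live rules a future reader has to reason about. checkpc_t is also granted `corenet_tcp_connect_all_ports` with no comment explaining why a spool consistency checker needs outbound connections to every port; either narrow it or add a one-line justification as the other non-obvious checkpc rules have.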
diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
new file mode 100644
index 0000000..839017f
--- /dev/null
+++ b/policy/modules/services/mailman.fc
@@ -0,0 +1,33 @@
+/usr/lib/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/var/lib/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman/archives(/.*)?		gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/log/mailman(/.*)?			gen_context(system_u:object_r:mailman_log_t,s0)
+/var/run/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
+
+#
+# distro_debian
+#
+ifdef(`distro_debian', `
+/etc/cron\.daily/mailman 	-- 	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/etc/cron\.monthly/mailman 	-- 	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/usr/lib/cgi-bin/mailman/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/wrapper 	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+')
+
+#
+# distro_redhat
+#
+ifdef(`distro_redhat', `
+/etc/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
+
+/usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/scripts/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
+/var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
+')
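Review bot: `/var/run/mailman(/.*)?` is labelled mailman_lock_t, the same type as `/var/lock/mailman(/.*)?`, so anything mailman keeps under its /var/run directory is indistinguishable in policy from its lock files, and every rule that grants mailman_lock_t access grants both. If the daemon writes runtime state there, a dedicated pid type declared with files_pid_file and labelled on this line would keep the two separable; if the directory only ever holds locks, a comment on this line saying so would explain the choice. The two Debian cron entries also mix spaces and tabs between the path and the `--` field, unlike the rest of the file.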
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
new file mode 100644
index 0000000..68a2588
--- /dev/null
+++ b/policy/modules/services/mailman.if
@@ -0,0 +1,335 @@
+## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
+
+#######################################
+## <summary>
+##	The template to define a mailmain domain.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a domain to be used for
+##	a new mailman daemon.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The type of daemon to be used eg, cgi would give mailman_cgi_
+##	</summary>
+## </param>
+#
+template(`mailman_domain_template', `
+	type mailman_$1_t;
+	domain_type(mailman_$1_t)
+	role system_r types mailman_$1_t;
+
+	type mailman_$1_exec_t;
+	domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
+
+	type mailman_$1_tmp_t;
+	files_tmp_file(mailman_$1_tmp_t)
+
+	allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
+	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
+	allow mailman_$1_t self:udp_socket create_socket_perms;
+
+	allow mailman_$1_t mailman_data_t:dir create_dir_perms;
+	allow mailman_$1_t mailman_data_t:file create_file_perms;
+	allow mailman_$1_t mailman_data_t:lnk_file create_lnk_perms;
+
+	allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
+	allow mailman_$1_t mailman_lock_t:file create_file_perms;
+	files_lock_filetrans(mailman_$1_t,mailman_lock_t,file)
+
+	allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
+	allow mailman_$1_t mailman_log_t:file create_file_perms;
+	logging_log_filetrans(mailman_$1_t,mailman_log_t,file)
+
+	allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
+	allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
+	files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+
+	kernel_read_kernel_sysctls(mailman_$1_t)
+	kernel_read_system_state(mailman_$1_t)
+
+	corenet_non_ipsec_sendrecv(mailman_$1_t)
+	corenet_tcp_sendrecv_all_if(mailman_$1_t)
+	corenet_udp_sendrecv_all_if(mailman_$1_t)
+	corenet_raw_sendrecv_all_if(mailman_$1_t)
+	corenet_tcp_sendrecv_all_nodes(mailman_$1_t)
+	corenet_udp_sendrecv_all_nodes(mailman_$1_t)
+	corenet_raw_sendrecv_all_nodes(mailman_$1_t)
+	corenet_tcp_sendrecv_all_ports(mailman_$1_t)
+	corenet_udp_sendrecv_all_ports(mailman_$1_t)
+	corenet_tcp_bind_all_nodes(mailman_$1_t)
+	corenet_udp_bind_all_nodes(mailman_$1_t)
+	corenet_tcp_connect_smtp_port(mailman_$1_t)
+	corenet_sendrecv_smtp_client_packets(mailman_$1_t)
+
+	fs_getattr_xattr_fs(mailman_$1_t)
+
+	corecmd_exec_all_executables(mailman_$1_t)
+
+	files_exec_etc_files(mailman_$1_t)
+	files_list_usr(mailman_$1_t)
+	files_list_var(mailman_$1_t)
+	files_list_var_lib(mailman_$1_t)
+	files_read_var_lib_symlinks(mailman_$1_t)
+	files_read_etc_runtime_files(mailman_$1_t)
+
+	libs_use_ld_so(mailman_$1_t)
+	libs_use_shared_libs(mailman_$1_t)
+	libs_exec_ld_so(mailman_$1_t)
+	libs_exec_lib_files(mailman_$1_t)
+
+	logging_send_syslog_msg(mailman_$1_t)
+
+	miscfiles_read_localization(mailman_$1_t)
+
+	sysnet_read_config(mailman_$1_t)
+
+	optional_policy(`
+		nis_use_ypbind(mailman_$1_t)
+	')
+')
+
+#######################################
+## <summary>
+##	Execute mailman in the mailman domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_domtrans',`
+	gen_require(`
+		type mailman_mail_exec_t, mailman_mail_t;
+	')
+
+	domain_auto_trans($1, mailman_mail_exec_t, mailman_mail_t)
+
+	allow $1 mailman_mail_t:fd use;
+	allow mailman_mail_t $1:fd use;
+	allow mailman_mail_t $1:fifo_file rw_file_perms;
+	allow mailman_mail_t $1:process sigchld;
+')
+
+#######################################
+## <summary>
+##	Execute mailman CGI scripts in the 
+##	mailman CGI domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_domtrans_cgi',`
+	gen_require(`
+		type mailman_cgi_exec_t, mailman_cgi_t;
+	')
+
+	domain_auto_trans($1, mailman_cgi_exec_t, mailman_cgi_t)
+
+	allow $1 mailman_cgi_t:fd use;
+	allow mailman_cgi_t $1:fd use;
+	allow mailman_cgi_t $1:fifo_file rw_file_perms;
+	allow mailman_cgi_t $1:process sigchld;
+')
+
+#######################################
+## <summary>
+##	Execute mailman in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowd access.
+##	</summary>
+## </param>
+#
+interface(`mailman_exec',`
+	gen_require(`
+		type mailman_mail_exec_t;
+	')
+
+	can_exec($1,mailman_mail_exec_t)
+')
+
+#######################################
+## <summary>
+##	Send generic signals to the mailman cgi domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_signal_cgi',`
+	gen_require(`
+		type mailman_cgi_t;
+	')
+
+	allow $1 mailman_cgi_t:process signal;
+')
+
+#######################################
+## <summary>
+##	Allow domain to search data directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_search_data',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+##	Allow domain to to read mailman data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_read_data_files',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir search_dir_perms;
+	allow $1 mailman_data_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##	Allow domain to to create mailman data files
+##	and write the directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_manage_data_files',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir rw_dir_perms;
+	allow $1 mailman_data_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##	List the contents of mailman data directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_list_data',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir r_dir_perms;
+')
+
+#######################################
+## <summary>
+##	Allow read acces to mailman data symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_read_data_symlinks',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir search;
+	allow $1 mailman_data_t:lnk_file read;
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete
+##	mailman logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_manage_log',`
+	gen_require(`
+		type mailman_log_t;
+	')
+
+	allow $1 mailman_log_t:dir rw_dir_perms;
+	allow $1 mailman_log_t:file create_file_perms;
+	allow $1 mailman_log_t:lnk_file create_lnk_perms;
+')
+
+#######################################
+## <summary>
+##	Allow domain to read mailman archive files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_read_archive',`
+	gen_require(`
+		type mailman_archive_t;
+	')
+
+	allow $1 mailman_archive_t:dir list_dir_perms;
+	allow $1 mailman_archive_t:file r_file_perms;
+	allow $1 mailman_archive_t:lnk_file { getattr read };
+')
+
+
+#######################################
+## <summary>
+##	Execute mailman_queue in the mailman_queue domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_domtrans_queue',`
+	gen_require(`
+		type mailman_queue_exec_t, mailman_queue_t;
+	')
+
+	domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)
+
+	allow $1 mailman_queue_t:fd use;
+	allow mailman_queue_t $1:fd use;
+	allow mailman_queue_t $1:fifo_file rw_file_perms;
+	allow mailman_queue_t $1:process sigchld;
+')
+
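Review bot: `corecmd_exec_all_executables(mailman_$1_t)` in mailman_domain_template, together with `files_exec_etc_files`, `libs_exec_ld_so` and `libs_exec_lib_files`, gives every domain built from the template — including mailman_cgi_t, which is entered from the web server — permission to execute essentially any executable, library and /etc file on the system. For a CGI-reachable domain that is a wide surface if the scripts are ever compromised; if mailman only needs its own scripts and an interpreter, the narrower corecmd_exec_bin and corecmd_exec_shell calls used elsewhere in this series would fit better, and anything broader deserves a comment naming the helper that requires it. The `<param name="userdomain_prefix">` in the template's header does not describe the argument, which is the daemon suffix (cgi, mail, queue) rather than a user domain prefix. Spelling in the interface comments: "mailmain", "allowd", "to to", "acces".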
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
new file mode 100644
index 0000000..f5ccc55
--- /dev/null
+++ b/policy/modules/services/mailman.te
@@ -0,0 +1,114 @@
+
+policy_module(mailman,1.1.5)
+
+########################################
+#
+# Declarations
+#
+
+mailman_domain_template(cgi)
+
+type mailman_data_t;
+files_type(mailman_data_t)
+
+type mailman_archive_t;
+files_type(mailman_archive_t)
+
+type mailman_log_t;
+logging_log_file(mailman_log_t)
+
+type mailman_lock_t;
+files_lock_file(mailman_lock_t)
+
+mailman_domain_template(mail)
+init_daemon_domain(mailman_mail_t,mailman_mail_exec_t)
+
+mailman_domain_template(queue)
+
+########################################
+#
+# Mailman CGI local policy
+#
+
+# cjp: the template invocation for queue should be
+# in the below optional policy; however, there are no
+# optionals for file contexts yet, so it is promoted
+# to global scope until such facilities exist.
+
+optional_policy(`
+	allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
+	allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
+	allow mailman_cgi_t mailman_archive_t:file create_file_perms;
+
+	kernel_tcp_recvfrom(mailman_cgi_t)
+
+	term_use_controlling_term(mailman_cgi_t)
+
+	files_search_spool(mailman_cgi_t)
+
+	mta_tcp_connect_all_mailservers(mailman_cgi_t)
+
+	apache_sigchld(mailman_cgi_t)
+	apache_use_fds(mailman_cgi_t)
+	apache_dontaudit_append_log(mailman_cgi_t)
+	apache_search_sys_script_state(mailman_cgi_t)
+')
+
+########################################
+#
+# Mailman mail local policy
+#
+
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+
+mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+
+ifdef(`TODO',`
+optional_policy(`
+	allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
+	# do we really need this?
+	allow mailman_mail_t qmail_lspawn_t:fifo_file write;
+')
+')
+
+########################################
+#
+# Mailman queue local policy
+#
+
+allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:process signal;
+allow mailman_queue_t self:fifo_file rw_file_perms;
+allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
+allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow mailman_queue_t mailman_archive_t:dir create_dir_perms;
+allow mailman_queue_t mailman_archive_t:file create_file_perms;
+allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms;
+
+kernel_read_proc_symlinks(mailman_queue_t)
+kernel_tcp_recvfrom(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+files_dontaudit_search_pids(mailman_queue_t)
+
+# for su
+seutil_dontaudit_search_config(mailman_queue_t)
+
+# some of the following could probably be changed to dontaudit, someone who
+# knows mailman well should test this out and send the changes
+userdom_search_sysadm_home_dirs(mailman_queue_t)
+userdom_getattr_sysadm_home_dirs(mailman_queue_t)
+
+mta_tcp_connect_all_mailservers(mailman_queue_t)
+
+su_exec(mailman_queue_t)
+
+optional_policy(`
+	cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
+')
+
+optional_policy(`
+	nscd_socket_use(mailman_queue_t)
+')
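Review bot: `su_exec(mailman_queue_t)` is called at top level while the other calls into separately packaged modules (cron_system_entry, nscd_socket_use) are wrapped in optional_policy; if su is an optional module in this tree, a build without it fails on this line, so wrapping it as `optional_policy(` su_exec(mailman_queue_t) ')` would match the file's own convention. The same question applies to `mta_tcp_connect_all_mailservers` and `auth_domtrans_chk_passwd` if those modules are not in the base set. The comment above the CGI optional block says the template invocation for queue should live inside it, but the block that follows is the CGI policy and the queue template call is up in Declarations; the comment should say cgi, or move to the queue section. The `ifdef(`TODO',` block referencing qmail types is dead text with no way to be enabled; either make it an optional_policy on qmail or drop it.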
diff --git a/policy/modules/services/metadata.xml b/policy/modules/services/metadata.xml
new file mode 100644
index 0000000..4e6ec17
--- /dev/null
+++ b/policy/modules/services/metadata.xml
@@ -0,0 +1,4 @@
+<summary>
+	Policy modules for system services, like cron, and network services,
+	like sshd.
+</summary>
diff --git a/policy/modules/services/monop.fc b/policy/modules/services/monop.fc
new file mode 100644
index 0000000..9ee4028
--- /dev/null
+++ b/policy/modules/services/monop.fc
@@ -0,0 +1,4 @@
+/etc/monopd\.conf	--	gen_context(system_u:object_r:monopd_etc_t,s0)
+
+/usr/sbin/monopd	--	gen_context(system_u:object_r:monopd_exec_t,s0)
+/usr/share/monopd/games(/.*)?	gen_context(system_u:object_r:monopd_share_t,s0)
diff --git a/policy/modules/services/monop.if b/policy/modules/services/monop.if
new file mode 100644
index 0000000..2611351
--- /dev/null
+++ b/policy/modules/services/monop.if
@@ -0,0 +1 @@
+## <summary>Monopoly daemon</summary>
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
new file mode 100644
index 0000000..dc24c3c
--- /dev/null
+++ b/policy/modules/services/monop.te
@@ -0,0 +1,100 @@
+
+policy_module(monop,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type monopd_t;
+type monopd_exec_t;
+init_daemon_domain(monopd_t,monopd_exec_t)
+
+type monopd_etc_t;
+files_config_file(monopd_etc_t)
+
+type monopd_share_t;
+files_type(monopd_share_t)
+
+type monopd_var_run_t;
+files_pid_file(monopd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit monopd_t self:capability sys_tty_config;
+allow monopd_t self:process signal_perms;
+allow monopd_t self:tcp_socket create_stream_socket_perms;
+allow monopd_t self:udp_socket create_socket_perms;
+
+allow monopd_t monopd_etc_t:file { getattr read };
+files_search_etc(monopd_t)
+
+allow monopd_t monopd_share_t:dir r_dir_perms;
+allow monopd_t monopd_share_t:file r_file_perms;
+allow monopd_t monopd_share_t:lnk_file { getattr read };
+
+allow monopd_t monopd_var_run_t:file create_file_perms;
+allow monopd_t monopd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(monopd_t,monopd_var_run_t,file)
+
+kernel_read_kernel_sysctls(monopd_t)
+kernel_list_proc(monopd_t)
+kernel_read_proc_symlinks(monopd_t)
+
+corenet_non_ipsec_sendrecv(monopd_t)
+corenet_tcp_sendrecv_generic_if(monopd_t)
+corenet_udp_sendrecv_generic_if(monopd_t)
+corenet_tcp_sendrecv_all_nodes(monopd_t)
+corenet_udp_sendrecv_all_nodes(monopd_t)
+corenet_tcp_sendrecv_all_ports(monopd_t)
+corenet_udp_sendrecv_all_ports(monopd_t)
+corenet_tcp_bind_all_nodes(monopd_t)
+corenet_tcp_bind_monopd_port(monopd_t)
+corenet_sendrecv_monopd_server_packets(monopd_t)
+
+dev_read_sysfs(monopd_t)
+
+domain_use_interactive_fds(monopd_t)
+
+files_read_etc_files(monopd_t)
+
+fs_getattr_all_fs(monopd_t)
+fs_search_auto_mountpoints(monopd_t)
+
+term_dontaudit_use_console(monopd_t)
+
+init_use_fds(monopd_t)
+init_use_script_ptys(monopd_t)
+
+libs_use_ld_so(monopd_t)
+libs_use_shared_libs(monopd_t)
+
+logging_send_syslog_msg(monopd_t)
+
+miscfiles_read_localization(monopd_t)
+
+sysnet_read_config(monopd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(monopd_t)
+userdom_dontaudit_search_sysadm_home_dirs(monopd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(monopd_t)
+	term_dontaudit_use_generic_ptys(monopd_t)
+	files_dontaudit_read_root_files(monopd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(monopd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(monopd_t)
+')
+
+optional_policy(`
+	udev_read_db(monopd_t)
+')
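Review bot: `allow monopd_t monopd_etc_t:file { getattr read };` spells the permission set by hand while the monopd_share_t rules a few lines down use `r_file_perms`; that macro also carries lock and ioctl, whose absence on the config file will surface as denials if the daemon opens it with those operations. Writing `allow monopd_t monopd_etc_t:file r_file_perms;` keeps the two consistent. The monopd_var_run_t file rule is also listed before the dir rule, the reverse of the dir-then-file order used for the other types in this file.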
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
new file mode 100644
index 0000000..14ff65c
--- /dev/null
+++ b/policy/modules/services/mta.fc
@@ -0,0 +1,25 @@
+
+/etc/aliases		--	gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail(/.*)?			gen_context(system_u:object_r:etc_mail_t,s0)
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
+')
+
+/usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail(.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/var/mail(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
+
+/var/qmail/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
+
+#ifdef(`postfix.te', `', `
+#/var/spool/postfix(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
+#')
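Review bot: The `.` in `/usr/sbin/sendmail.postfix` and in `(.sendmail)?` on the following line is unescaped, so in a file-context regex it matches any character rather than a literal dot, whereas `/etc/aliases\.db` above escapes it correctly; write `/usr/sbin/sendmail\.postfix` and `/usr/sbin/sendmail(\.sendmail)?`. The practical effect is small because both patterns stay anchored, but a hypothetical stray file in /usr/sbin whose name differs from sendmail.postfix only at that character would receive sendmail_exec_t, which is a domain entry-point type. The commented-out postfix spool block at the end is dead text; if the postfix module now labels /var/spool/postfix it can be deleted.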
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
new file mode 100644
index 0000000..0aeaf6e
--- /dev/null
+++ b/policy/modules/services/mta.if
@@ -0,0 +1,898 @@
+## <summary>Policy common to all email tranfer agents.</summary>
+
+########################################
+## <summary>
+##	MTA stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	<summary>
+##	N/A
+##	</summary>
+## </param>
+#
+interface(`mta_stub',`
+	gen_require(`
+		type sendmail_exec_t;
+	')
+')
+
+#######################################
+## <summary>
+##	Basic mail transfer agent domain template.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is
+##	a email transfer agent, which sends mail on
+##	behalf of the user.
+##	</p>
+##	<p>
+##	This is the basic types and rules, common
+##	to the system agent and user agents.
+##	</p>
+## </desc>
+## <param name="domain_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`mta_base_mail_template',`
+
+	##############################
+	#
+	# $1_mail_t declarations
+	#
+
+	type $1_mail_t, user_mail_domain;
+	domain_type($1_mail_t)
+	domain_entry_file($1_mail_t,sendmail_exec_t)
+
+	type $1_mail_tmp_t;
+	files_tmp_file($1_mail_tmp_t)
+
+	##############################
+	#
+	# $1_mail_t local policy
+	#
+
+	allow $1_mail_t self:capability { setuid setgid chown };
+	allow $1_mail_t self:process { signal_perms setrlimit };
+	allow $1_mail_t self:tcp_socket create_socket_perms;
+
+	# re-exec itself
+	can_exec($1_mail_t, sendmail_exec_t)
+	allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
+
+	kernel_read_kernel_sysctls($1_mail_t)
+
+	corenet_non_ipsec_sendrecv($1_mail_t)
+	corenet_tcp_sendrecv_all_if($1_mail_t)
+	corenet_tcp_sendrecv_all_nodes($1_mail_t)
+	corenet_tcp_sendrecv_all_ports($1_mail_t)
+	corenet_tcp_connect_all_ports($1_mail_t)
+	corenet_tcp_connect_smtp_port($1_mail_t)
+	corenet_sendrecv_smtp_client_packets($1_mail_t)
+
+	corecmd_exec_bin($1_mail_t)
+	corecmd_search_sbin($1_mail_t)
+
+	files_read_etc_files($1_mail_t)
+	files_search_spool($1_mail_t)
+	# It wants to check for nscd
+	files_dontaudit_search_pids($1_mail_t)
+
+	libs_use_ld_so($1_mail_t)
+	libs_use_shared_libs($1_mail_t)
+
+	logging_send_syslog_msg($1_mail_t)
+
+	miscfiles_read_localization($1_mail_t)
+
+	sysnet_read_config($1_mail_t)
+	sysnet_dns_name_resolve($1_mail_t)
+
+	optional_policy(`
+		nis_use_ypbind($1_mail_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_mail_t)
+	')
+
+	optional_policy(`
+		postfix_domtrans_user_mail_handler($1_mail_t)
+	')
+
+	optional_policy(`
+		procmail_exec($1_mail_t)
+	')
+
+	optional_policy(`
+		qmail_domtrans_inject($1_mail_t)
+	')
+
+	optional_policy(`
+		gen_require(`
+			type etc_mail_t, mail_spool_t, mqueue_spool_t;
+		')
+
+		allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
+		allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
+		files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
+
+		allow $1_mail_t etc_mail_t:dir { getattr search };
+
+		# Write to /var/spool/mail and /var/spool/mqueue.
+		allow $1_mail_t mail_spool_t:dir rw_dir_perms;
+		allow $1_mail_t mail_spool_t:file create_file_perms;
+		allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
+		allow $1_mail_t mqueue_spool_t:file create_file_perms;
+
+		# Check available space.
+		fs_getattr_xattr_fs($1_mail_t)
+
+		files_read_etc_runtime_files($1_mail_t)
+
+		# Write to /var/log/sendmail.st
+		sendmail_manage_log($1_mail_t)
+		sendmail_create_log($1_mail_t)
+	')
+
+')
+
+#######################################
+## <summary>
+##	The per user domain template for the mta module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is
+##	a email transfer agent, which sends mail on
+##	behalf of the user.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`mta_per_userdomain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	mta_base_mail_template($1)
+	role $3 types $1_mail_t;
+
+	##############################
+	#
+	# $1_mail_t local policy
+	#
+
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
+	allow $2 sendmail_exec_t:lnk_file { getattr read };
+
+	allow $2 $1_mail_t:fd use;
+	allow $1_mail_t $2:fd use;
+	allow $1_mail_t $2:fifo_file rw_file_perms;
+	allow $1_mail_t $2:process sigchld;
+
+	# For when the user wants to send mail via port 25 localhost
+	kernel_tcp_recvfrom($2)
+	allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
+	allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
+
+	domain_use_interactive_fds($1_mail_t)
+
+	userdom_use_user_terminals($1,$1_mail_t)
+	# Write to the user domain tty. cjp: why?
+	userdom_use_user_terminals($1,mta_user_agent)
+	# Create dead.letter in user home directories.
+	userdom_manage_user_home_content_files($1,$1_mail_t)
+	userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file)
+	# for reading .forward - maybe we need a new type for it?
+	# also for delivering mail to maildir
+	userdom_manage_user_home_content_dirs($1,mailserver_delivery)
+	userdom_manage_user_home_content_files($1,mailserver_delivery)
+	userdom_manage_user_home_content_symlinks($1,mailserver_delivery)
+	userdom_manage_user_home_content_pipes($1,mailserver_delivery)
+	userdom_manage_user_home_content_sockets($1,mailserver_delivery)
+	userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
+	# Read user temporary files.
+	userdom_read_user_tmp_files($1,$1_mail_t)
+	userdom_dontaudit_append_user_tmp_files($1,$1_mail_t)
+	# cjp: this should probably be read all user tmp
+	# files in an appropriate place for mta_user_agent
+	userdom_read_user_tmp_files($1,mta_user_agent)
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_mail_t)
+		fs_manage_cifs_symlinks($1_mail_t)
+	')
+
+	optional_policy(`
+		allow $1_mail_t self:capability dac_override;
+
+		# Read user temporary files.
+		# postfix seems to need write access if the file handle is opened read/write
+		userdom_rw_user_tmp_files($1,$1_mail_t)
+
+		postfix_read_config($1_mail_t)
+		postfix_list_spool($1_mail_t)
+	')
+')
+
+########################################
+## <summary>
+##	Provide extra permissions for admin users
+##	mail domain.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`mta_admin_template',`
+	gen_require(`
+		type $1_mail_t;
+	')
+
+	ifdef(`strict_policy',`
+		# allow the sysadmin to do "mail someone < /home/user/whatever"
+		userdom_read_unpriv_users_home_content_files($1_mail_t)
+	')
+
+	optional_policy(`
+		gen_require(`
+			attribute mta_user_agent;
+			type etc_aliases_t;
+		')
+
+		allow mta_user_agent $2:fifo_file { read write };
+
+		allow $1_mail_t etc_aliases_t:dir create_dir_perms;
+		allow $1_mail_t etc_aliases_t:file create_file_perms;
+		allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms;
+		allow $1_mail_t etc_aliases_t:sock_file create_file_perms;
+		allow $1_mail_t etc_aliases_t:fifo_file create_file_perms;
+		files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
+
+		# postfix needs this for newaliases
+		files_getattr_tmp_dirs($1_mail_t)
+
+		postfix_exec_master($1_mail_t)
+
+		ifdef(`distro_redhat',`
+			# compatability for old default main.cf
+			postfix_config_filetrans($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
+		')
+	')
+')
+
+########################################
+## <summary>
+##	Make the specified domain usable for a mail server.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a mail server domain.
+##	</summary>
+## </param>
+#
+interface(`mta_mailserver',`
+	gen_require(`
+		attribute mailserver_domain;
+	')
+
+	# For when the user wants to send mail via port 25 localhost
+	kernel_tcp_recvfrom($1)
+
+	init_daemon_domain($1,$2)
+	typeattribute $1 mailserver_domain;
+')
+
+########################################
+## <summary>
+##	Modified mailserver interface for
+##	sendmail daemon use.
+## </summary>
+## <desc>
+##	<p>
+##	A modified MTA mail server interface for
+##	the sendmail program.  It's design does
+##	not fit well with policy, and using the
+##	regular interface causes a type_transition
+##	conflict if direct running of init scripts
+##	is enabled.
+##	</p>
+##	<p>
+##	This interface should most likely only be used
+##	by the sendmail policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The type to be used for the mail server.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	The type to be used for the domain entry point program.
+##	</summary>
+## </param>
+interface(`mta_sendmail_mailserver',`
+	gen_require(`
+		attribute mailserver_domain;
+		type sendmail_exec_t;
+	')
+
+	# For when the user wants to send mail via port 25 localhost
+	kernel_tcp_recvfrom($1)
+
+	init_system_domain($1,sendmail_exec_t)
+	typeattribute $1 mailserver_domain;
+')
+
+#######################################
+## <summary>
+##	Make a type a mailserver type used
+##	for sending mail.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Mail server domain type used for sending mail.
+##	</summary>
+## </param>
+#
+interface(`mta_mailserver_sender',`
+	gen_require(`
+		attribute mailserver_sender;
+	')
+
+	typeattribute $1 mailserver_sender;
+')
+
+#######################################
+## <summary>
+##	Make a type a mailserver type used
+##	for delivering mail to local users.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Mail server domain type used for delivering mail.
+##	</summary>
+## </param>
+#
+interface(`mta_mailserver_delivery',`
+	gen_require(`
+		attribute mailserver_delivery;
+		type mail_spool_t;
+	')
+
+	typeattribute $1 mailserver_delivery;
+
+	allow $1 mail_spool_t:dir ra_dir_perms;
+	allow $1 mail_spool_t:file { create ioctl read getattr lock append };
+	allow $1 mail_spool_t:lnk_file { create read getattr };
+
+	optional_policy(`
+		dovecot_manage_spool($1)
+	')
+
+	optional_policy(`
+		# so MTA can access /var/lib/mailman/mail/wrapper
+		files_search_var_lib($1)
+
+		mailman_domtrans($1)
+		mailman_read_data_symlinks($1)
+	')
+')
+
+#######################################
+## <summary>
+##	Make a type a mailserver type used
+##	for sending mail on behalf of local
+##	users to the local mail spool.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Mail server domain type used for sending local mail.
+##	</summary>
+## </param>
+#
+interface(`mta_mailserver_user_agent',`
+	gen_require(`
+		attribute mta_user_agent;
+	')
+
+	typeattribute $1 mta_user_agent;
+
+	optional_policy(`
+		# apache should set close-on-exec
+		apache_dontaudit_rw_stream_sockets($1)
+		apache_dontaudit_rw_sys_script_stream_sockets($1)
+	')
+')
+
+########################################
+## <summary>
+##	Send mail from the system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_send_mail',`
+	gen_require(`
+		attribute mta_user_agent;
+		type system_mail_t, sendmail_exec_t;
+	')
+
+	allow $1 sendmail_exec_t:lnk_file r_file_perms;
+	domain_auto_trans($1, sendmail_exec_t, system_mail_t)
+
+	allow $1 system_mail_t:fd use;
+	allow system_mail_t $1:fd use;
+	allow system_mail_t $1:fifo_file rw_file_perms;
+	allow system_mail_t $1:process sigchld;
+
+	allow mta_user_agent $1:fd use;
+	allow mta_user_agent $1:process sigchld;
+	allow mta_user_agent $1:fifo_file { read write };
+')
+
+########################################
+## <summary>
+##	Execute send mail in a specified domain.
+## </summary>
+## <desc>
+##      <p>
+##	Execute send mail in a specified domain.
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+## </desc>
+## <param name="source_domain">
+##	<summary>
+##	Domain to transition from.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
+#
+interface(`mta_sendmail_domtrans',`
+	gen_require(`
+		type sendmail_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_read_sbin_symlinks($1)
+	domain_auto_trans($1,sendmail_exec_t,$2)
+')
+
+########################################
+## <summary>
+##	Execute sendmail in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_sendmail_exec',`
+	gen_require(`
+		type sendmail_exec_t;
+	')
+
+	can_exec($1, sendmail_exec_t)
+	errprint(`bah $1'__endline__)
+')
+
+########################################
+## <summary>
+##	Read mail server configuration.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_read_config',`
+	gen_require(`
+		type etc_mail_t;
+	')
+
+	files_search_etc($1)
+	allow $1 etc_mail_t:dir list_dir_perms;
+	allow $1 etc_mail_t:file r_file_perms;
+	allow $1 etc_mail_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read mail address aliases.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_read_aliases',`
+	gen_require(`
+		type etc_aliases_t;
+	')
+
+	files_search_etc($1)
+	allow $1 etc_aliases_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Type transition files created in /etc
+##	to the mail address aliases type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_etc_filetrans_aliases',`
+	gen_require(`
+		type etc_aliases_t;
+	')
+
+	files_etc_filetrans($1,etc_aliases_t, file)
+')
+
+########################################
+## <summary>
+##	Read and write mail aliases.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_rw_aliases',`
+	gen_require(`
+		type etc_aliases_t;
+	')
+
+	files_search_etc($1)
+	allow $1 etc_aliases_t:file { rw_file_perms setattr };
+')
+
+#######################################
+## <summary>
+##	Do not audit attempts to read and write TCP
+##	sockets of mail delivery domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Mail server domain.
+##	</summary>
+## </param>
+#
+interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+	gen_require(`
+		attribute mailserver_delivery;
+	')
+
+	dontaudit $1 mailserver_delivery:tcp_socket { read write };
+')
+
+#######################################
+## <summary>
+##	Connect to all mail servers over TCP.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Mail server domain.
+##	</summary>
+## </param>
+#
+interface(`mta_tcp_connect_all_mailservers',`
+	gen_require(`
+		attribute mailserver_domain;
+	')
+
+	allow $1 mailserver_domain:tcp_socket { connectto recvfrom };
+	allow mailserver_domain $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
+#######################################
+## <summary>
+##	Do not audit attempts to read a symlink
+##	in the mail spool.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_dontaudit_read_spool_symlinks',`
+	gen_require(`
+		type mail_spool_t;
+	')
+
+	dontaudit $1 mail_spool_t:lnk_file read;
+')
+
+########################################
+## <summary>
+##	Get the attributes of mail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_getattr_spool',`
+	gen_require(`
+		type mail_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_spool_t:dir r_dir_perms;
+	allow $1 mail_spool_t:lnk_file read;
+	allow $1 mail_spool_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of mail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`mta_dontaudit_getattr_spool_files',`
+	gen_require(`
+		type mail_spool_t;
+	')
+
+	files_dontaudit_search_spool($1)
+	dontaudit $1 mail_spool_t:dir search;
+	dontaudit $1 mail_spool_t:lnk_file read;
+	dontaudit $1 mail_spool_t:file getattr;
+')
+
+#######################################
+## <summary>
+##	Create private objects in the 
+##	mail spool directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`mta_spool_filetrans',`
+	gen_require(`
+		type mail_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_spool_t:dir rw_dir_perms;
+	type_transition $1 mail_spool_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Read and write the mail spool.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_rw_spool',`
+	gen_require(`
+		type mail_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_spool_t:dir r_dir_perms;
+	allow $1 mail_spool_t:lnk_file { getattr read };
+	allow $1 mail_spool_t:file { rw_file_perms setattr };
+')
+
+#######################################
+## <summary>
+##	Create, read, and write the mail spool.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_append_spool',`
+	gen_require(`
+		type mail_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_spool_t:dir ra_dir_perms;
+	allow $1 mail_spool_t:lnk_file { getattr read };
+	allow $1 mail_spool_t:file create_file_perms;
+')
+
+#######################################
+## <summary>
+##	Delete from the mail spool.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_delete_spool',`
+	gen_require(`
+		type mail_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_spool_t:dir { list_dir_perms write remove_name };
+	allow $1 mail_spool_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete mail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_manage_spool',`
+	gen_require(`
+		type mail_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_spool_t:dir manage_dir_perms;
+	allow $1 mail_spool_t:lnk_file create_lnk_perms;
+	allow $1 mail_spool_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##	Do not audit attempts to read and
+##	write the mail queue.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`mta_dontaudit_rw_queue',`
+	gen_require(`
+		type mqueue_spool_t;
+	')
+
+	dontaudit $1 mqueue_spool_t:file { getattr read write };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	mail queue files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_manage_queue',`
+	gen_require(`
+		type mqueue_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mqueue_spool_t:dir rw_dir_perms;
+	allow $1 mqueue_spool_t:file create_file_perms;
+')
+
+#######################################
+## <summary>
+##	Read sendmail binary.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for postfix
+interface(`mta_read_sendmail_bin',`
+	gen_require(`
+		type sendmail_exec_t;
+	')
+
+	allow $1 sendmail_exec_t:file r_file_perms;
+')
+
+#######################################
+## <summary>
+##	Read and write unix domain stream sockets
+##	of user mail domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_rw_user_mail_stream_sockets',`
+	gen_require(`
+		attribute user_mail_domain;
+	')
+
+	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
new file mode 100644
index 0000000..2e9d8a7
--- /dev/null
+++ b/policy/modules/services/mta.te
@@ -0,0 +1,194 @@
+
+policy_module(mta,1.3.7)
+
+########################################
+#
+# Declarations
+#
+
+attribute mta_user_agent;
+attribute mailserver_delivery;
+attribute mailserver_domain;
+attribute mailserver_sender;
+
+attribute user_mail_domain;
+
+type etc_aliases_t;
+files_type(etc_aliases_t)
+
+type etc_mail_t;
+files_config_file(etc_mail_t)
+
+type mqueue_spool_t;
+files_type(mqueue_spool_t)
+
+type mail_spool_t;
+files_type(mail_spool_t)
+
+type sendmail_exec_t;
+files_type(sendmail_exec_t)
+
+mta_base_mail_template(system)
+role system_r types system_mail_t;
+
+# cjp: need to resolve this, but require{}
+# does not work in the else part of the optional
+#ifdef(`strict_policy',`
+#	optional_policy(`',`
+#		init_system_domain(system_mail_t,sendmail_exec_t)
+#	')
+#')
+
+########################################
+#
+# System mail local policy
+#
+
+# newalias required this, not sure if it is needed in 'if' file
+allow system_mail_t self:capability { dac_override };
+
+allow system_mail_t etc_mail_t:dir { getattr search };
+allow system_mail_t etc_mail_t:file r_file_perms;
+
+kernel_read_system_state(system_mail_t)
+kernel_read_network_state(system_mail_t)
+
+dev_read_rand(system_mail_t)
+dev_read_urand(system_mail_t)
+
+init_use_script_ptys(system_mail_t)
+
+userdom_use_sysadm_terms(system_mail_t)
+
+ifdef(`targeted_policy',`
+	typealias system_mail_t alias sysadm_mail_t;
+
+	allow system_mail_t mail_spool_t:dir create_dir_perms;
+	allow system_mail_t mail_spool_t:file create_file_perms;
+	allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
+	allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
+
+	allow system_mail_t mqueue_spool_t:dir create_dir_perms;
+	allow system_mail_t mqueue_spool_t:file create_file_perms;
+	allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
+
+	# for reading .forward - maybe we need a new type for it?
+	# also for delivering mail to maildir
+	userdom_manage_generic_user_home_content_dirs(mailserver_delivery)
+	userdom_manage_generic_user_home_content_files(mailserver_delivery)
+	userdom_manage_generic_user_home_content_symlinks(mailserver_delivery)
+	userdom_manage_generic_user_home_content_sockets(mailserver_delivery)
+	userdom_manage_generic_user_home_content_pipes(mailserver_delivery)
+	userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
+
+# cjp: another require-in-else to resolve
+#	optional_policy(`',`
+		corecmd_exec_all_executables(system_mail_t)
+
+		files_exec_etc_files(system_mail_t)
+
+		libs_exec_ld_so(system_mail_t)
+		libs_exec_lib_files(system_mail_t)
+#	')
+')
+
+optional_policy(`
+	apache_read_squirrelmail_data(system_mail_t)
+	apache_append_squirrelmail_data(system_mail_t)
+
+	# apache should set close-on-exec
+	apache_dontaudit_append_log(system_mail_t)
+	apache_dontaudit_rw_stream_sockets(system_mail_t)
+	apache_dontaudit_rw_tcp_sockets(system_mail_t)
+	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+	arpwatch_manage_tmp_files(system_mail_t)
+
+	ifdef(`hide_broken_symptoms', `
+		arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+	')
+')
+
+optional_policy(`
+	cron_read_system_job_tmp_files(system_mail_t)
+	cron_dontaudit_write_pipes(system_mail_t)
+')
+
+optional_policy(`
+	cvs_read_data(system_mail_t)
+')
+
+optional_policy(`
+	logrotate_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+	logwatch_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+	nagios_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+	allow system_mail_t etc_aliases_t:dir create_dir_perms;
+	allow system_mail_t etc_aliases_t:file create_file_perms;
+	allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
+	allow system_mail_t etc_aliases_t:sock_file create_file_perms;
+	allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
+	files_etc_filetrans(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
+
+	domain_use_interactive_fds(system_mail_t)
+
+	# postfix needs this for newaliases
+	files_getattr_tmp_dirs(system_mail_t)
+
+	postfix_exec_master(system_mail_t)
+	postfix_read_config(system_mail_t)
+	postfix_search_spool(system_mail_t)
+
+	ifdef(`distro_redhat',`
+		# compatability for old default main.cf
+		postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
+	')
+
+	optional_policy(`
+		cron_rw_tcp_sockets(system_mail_t)
+	')
+')
+
+optional_policy(`
+	qmail_domtrans_inject(system_mail_t)
+')
+
+optional_policy(`
+	sxid_read_log(system_mail_t)
+')
+
+optional_policy(`
+	userdom_dontaudit_use_unpriv_users_ptys(system_mail_t)
+
+	optional_policy(`
+		cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+	')
+')
+
+optional_policy(`
+	smartmon_read_tmp_files(system_mail_t)
+')
+
+# should break this up among sections:
+
+optional_policy(`
+	# why is mail delivered to a directory of type arpwatch_data_t?
+	arpwatch_search_data(mailserver_delivery)
+	arpwatch_manage_tmp_files(mta_user_agent)
+	ifdef(`hide_broken_symptoms', `
+		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+	')
+	optional_policy(`
+		cron_read_system_job_tmp_files(mta_user_agent)
+	')
+')
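Review bot: `allow system_mail_t self:capability { dac_override };` in the "System mail local policy" section is granted unconditionally, while the identical grant in mta.if lives inside the postfix optional_policy block and the comment on this line itself admits it is only known to be needed by newaliases. Because every caller of mta_send_mail transitions into system_mail_t, this lets mail submission from any confined domain bypass DAC mode bits on whatever system_mail_t is otherwise allowed to touch; moving the line into the postfix optional_policy block that already holds the other newaliases rules (`files_getattr_tmp_dirs(system_mail_t)`, `files_etc_filetrans(...)`) would scope it to the one program that needs it. Relatedly, the commented-out optional_policy else-wrapper under targeted_policy leaves `corecmd_exec_all_executables(system_mail_t)` and the exec_etc/exec_ld_so/exec_lib rules unconditional, so a comment such as `# TODO: re-wrap once require-in-else works; until then system_mail_t may exec any executable in targeted policy` would keep this from being read as intended policy.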
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
new file mode 100644
index 0000000..54ca668
--- /dev/null
+++ b/policy/modules/services/munin.fc
@@ -0,0 +1,11 @@
+/etc/lrrd(/.*)?				gen_context(system_u:object_r:munin_etc_t,s0)
+
+/usr/bin/lrrd-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/sbin/lrrd-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/share/lrrd/lrrd-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/share/lrrd/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
+
+/var/lib/lrrd(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/log/lrrd.*			--	gen_context(system_u:object_r:munin_log_t,s0)
+/var/run/lrrd(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
+/var/www/lrrd(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
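Review bot: `/var/www/lrrd(/.*)?` receives the same munin_var_lib_t type as `/var/lib/lrrd(/.*)?`, so the web-served graph output and the daemon's private state directory are indistinguishable to policy. Any interface later added to let the web server read the published graphs would equally expose the contents of /var/lib/lrrd, and conversely nothing in this patch lets httpd read /var/www/lrrd at all (munin.te only gives munin_t `apache_search_sys_content` to reach the output directory). Labelling the output tree with a distinct type, or with a web-content type the httpd module already reads, would separate the two; at minimum a comment such as `# web output deliberately shares the var_lib type; httpd access is granted in munin.te` would record the choice.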
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
new file mode 100644
index 0000000..aca3c63
--- /dev/null
+++ b/policy/modules/services/munin.if
@@ -0,0 +1,62 @@
+## <summary>Munin network-wide load graphing (formerly LRRD)</summary>
+
+########################################
+## <summary>
+##	Connect to munin over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_stream_connect',`
+	gen_require(`
+		type munin_var_run_t, munin_t;
+	')
+
+	allow $1 munin_t:unix_stream_socket connectto;
+	allow $1 munin_var_run_t:sock_file { getattr write };
+	files_search_pids($1)
+')
+
+#######################################
+## <summary>
+##	Read munin configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_read_config',`
+	gen_require(`
+		type munin_etc_t;
+	')
+
+	allow $1 munin_etc_t:dir list_dir_perms;
+	allow $1 munin_etc_t:file read_file_perms;
+	allow $1 munin_etc_t:lnk_file { getattr read };
+	files_search_etc($1)
+')
+
+#######################################
+## <summary>
+##	Search munin library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_search_lib',`
+	gen_require(`
+		type munin_var_lib_t;
+	')
+
+	allow $1 munin_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
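Review bot: `munin_stream_connect` grants `write` on munin_var_run_t:sock_file and calls `files_search_pids($1)`, but never allows `search` on munin_var_run_t:dir, even though munin.fc labels `/var/run/lrrd(/.*)?` as munin_var_run_t, so a socket created inside that directory is unreachable for the caller. The sibling `mysql_stream_connect` in this same patch does include `allow $1 mysqld_var_run_t:dir search;`; adding `allow $1 munin_var_run_t:dir search;` here would make the two consistent. If the socket is only ever created directly under /var/run the missing rule is harmless, but that assumption is not visible from the policy and is worth a comment.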
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
new file mode 100644
index 0000000..c77591e
--- /dev/null
+++ b/policy/modules/services/munin.te
@@ -0,0 +1,131 @@
+
+policy_module(munin,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type munin_t alias lrrd_t;
+type munin_exec_t alias lrrd_exec_t;
+init_daemon_domain(munin_t,munin_exec_t)
+
+type munin_etc_t alias lrrd_etc_t;
+files_config_file(munin_etc_t)
+
+type munin_log_t alias lrrd_log_t;
+logging_log_file(munin_log_t)
+
+type munin_tmp_t alias lrrd_tmp_t;
+files_tmp_file(munin_tmp_t)
+
+type munin_var_lib_t alias lrrd_var_lib_t;
+files_type(munin_var_lib_t)
+
+type munin_var_run_t alias lrrd_var_run_t;
+files_pid_file(munin_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow munin_t self:capability { setgid setuid };
+dontaudit munin_t self:capability sys_tty_config;
+allow munin_t self:process { getsched setsched signal_perms };
+allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
+allow munin_t self:tcp_socket create_stream_socket_perms;
+allow munin_t self:udp_socket create_socket_perms;
+
+allow munin_t munin_etc_t:file r_file_perms;
+allow munin_t munin_etc_t:dir r_dir_perms;
+allow munin_t munin_etc_t:lnk_file { getattr read };
+files_search_etc(munin_t)
+
+allow munin_t munin_log_t:file create_file_perms;
+logging_log_filetrans(munin_t,munin_log_t,file)
+
+allow munin_t munin_tmp_t:dir create_dir_perms;
+allow munin_t munin_tmp_t:file create_file_perms;
+files_tmp_filetrans(munin_t, munin_tmp_t, { file dir })
+
+# Allow access to the munin databases
+allow munin_t munin_var_lib_t:dir create_dir_perms;
+allow munin_t munin_var_lib_t:file create_file_perms;
+allow munin_t munin_var_lib_t:lnk_file create_lnk_perms;
+files_search_var_lib(munin_t)
+
+allow munin_t munin_var_run_t:sock_file manage_file_perms;
+allow munin_t munin_var_run_t:file manage_file_perms;
+allow munin_t munin_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(munin_t,munin_var_run_t,file)
+
+kernel_read_system_state(munin_t)
+kernel_read_kernel_sysctls(munin_t)
+
+corecmd_exec_bin(munin_t)
+
+corenet_non_ipsec_sendrecv(munin_t)
+corenet_tcp_sendrecv_generic_if(munin_t)
+corenet_udp_sendrecv_generic_if(munin_t)
+corenet_tcp_sendrecv_all_nodes(munin_t)
+corenet_udp_sendrecv_all_nodes(munin_t)
+corenet_tcp_sendrecv_all_ports(munin_t)
+corenet_udp_sendrecv_all_ports(munin_t)
+
+dev_read_sysfs(munin_t)
+dev_read_urand(munin_t)
+
+domain_use_interactive_fds(munin_t)
+
+files_read_etc_files(munin_t)
+files_read_etc_runtime_files(munin_t)
+files_read_usr_files(munin_t)
+
+fs_getattr_all_fs(munin_t)
+fs_search_auto_mountpoints(munin_t)
+
+term_dontaudit_use_console(munin_t)
+
+init_use_fds(munin_t)
+init_use_script_ptys(munin_t)
+
+libs_use_ld_so(munin_t)
+libs_use_shared_libs(munin_t)
+
+logging_send_syslog_msg(munin_t)
+
+miscfiles_read_localization(munin_t)
+
+sysnet_read_config(munin_t)
+
+userdom_dontaudit_use_unpriv_user_fds(munin_t)
+userdom_dontaudit_search_sysadm_home_dirs(munin_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(munin_t)
+	term_dontaudit_use_generic_ptys(munin_t)
+	files_dontaudit_read_root_files(munin_t)
+')
+
+optional_policy(`
+	# for accessing the output directory
+	apache_search_sys_content(munin_t)
+')
+
+optional_policy(`
+	cron_system_entry(munin_t,munin_exec_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(munin_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(munin_t)
+')
+
+optional_policy(`
+	udev_read_db(munin_t)
+')
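Review bot: munin.fc labels `/usr/share/lrrd/plugins/.*` and the `lrrd-*` helpers as munin_exec_t, but nothing in this hunk lets munin_t execute munin_exec_t files without a domain transition: `init_daemon_domain` and `cron_system_entry` provide the entrypoint and the transitions from init and cron, not execute_no_trans for munin_t itself, and `corecmd_exec_bin` only covers bin_t. Unless an interface outside this view grants it, running a plugin from the daemon will be denied; `can_exec(munin_t, munin_exec_t)` next to the corecmd_exec_bin line would cover it. A comment stating that plugins are intended to run in the daemon's own domain — and therefore inherit its `setuid`/`setgid` capabilities and the sendrecv_all_ports rules — would make the trust boundary explicit, since every file under that path becomes part of the confined domain.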
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
new file mode 100644
index 0000000..5c05c08
--- /dev/null
+++ b/policy/modules/services/mysql.fc
@@ -0,0 +1,24 @@
+# mysql database server
+
+#
+# /etc
+#
+/etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/mysql(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)
+
+#
+# /usr
+#
+/usr/libexec/mysqld	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+/usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/mysql(/.*)?		gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s	gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
+
+/var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
new file mode 100644
index 0000000..9fe9237
--- /dev/null
+++ b/policy/modules/services/mysql.if
@@ -0,0 +1,159 @@
+## <summary>Policy for MySQL</summary>
+
+########################################
+## <summary>
+##	Send a generic signal to MySQL.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_signal',`
+	gen_require(`
+		type mysqld_t;
+	')
+
+	allow $1 mysqld_t:process signal;
+')
+
+########################################
+## <summary>
+##	Connect to MySQL using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_stream_connect',`
+	gen_require(`
+		type mysqld_t, mysqld_var_run_t;
+	')
+
+	allow $1 mysqld_var_run_t:dir search;
+	allow $1 mysqld_var_run_t:sock_file write;
+	allow $1 mysqld_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Read MySQL configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_read_config',`
+	gen_require(`
+		type mysqld_etc_t;
+	')
+
+	allow $1 mysqld_etc_t:dir { getattr read search };
+	allow $1 mysqld_etc_t:file { read getattr };
+	allow $1 mysqld_etc_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Search the directories that contain MySQL
+##	database storage.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: "_dir" in the name is added to clarify that this
+# is not searching the database itself.
+interface(`mysql_search_db',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 mysqld_db_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_rw_db_dirs',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 mysqld_db_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete MySQL database directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_manage_db_dirs',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 mysqld_db_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read and write to the MySQL database
+##	named socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_rw_db_sockets',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 mysqld_db_t:dir search;
+	allow $1 mysqld_db_t:sock_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Write to the MySQL log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_write_log',`
+	gen_require(`
+		type mysqld_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 mysqld_log_t:file { write append setattr ioctl };
+')
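Review bot: `mysql_stream_connect` allows `search` on mysqld_var_run_t:dir but never calls `files_search_pids($1)`, and `mysql_read_config` grants read on mysqld_etc_t without `files_search_etc($1)`, so a caller lacking its own search access to /var/run or /etc cannot reach `/var/run/mysqld/` or `/etc/mysql/` as labelled in mysql.fc. The munin interfaces added in the same patch (`munin_stream_connect`, `munin_read_config`) do include the parent-directory search calls, so this is an inconsistency rather than a stylistic choice; adding `files_search_pids($1)` and `files_search_etc($1)` to the two interfaces would align them. Note also that mysql.fc labels the default socket `/var/lib/mysql/mysql\.sock` as mysqld_var_run_t, so `mysql_stream_connect` would additionally need var_lib and mysqld_db_t:dir search for that path — `mysql_search_db($1)` already provides both.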
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
new file mode 100644
index 0000000..052381d
--- /dev/null
+++ b/policy/modules/services/mysql.te
@@ -0,0 +1,140 @@
+
+policy_module(mysql,1.2.5)
+
+########################################
+#
+# Declarations
+#
+
+type mysqld_t;
+type mysqld_exec_t;
+init_daemon_domain(mysqld_t,mysqld_exec_t)
+
+type mysqld_var_run_t;
+files_pid_file(mysqld_var_run_t)
+
+type mysqld_db_t;
+files_type(mysqld_db_t)
+
+type mysqld_etc_t alias etc_mysqld_t;
+files_config_file(mysqld_etc_t)
+
+type mysqld_log_t;
+logging_log_file(mysqld_log_t)
+
+type mysqld_tmp_t;
+files_tmp_file(mysqld_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
+dontaudit mysqld_t self:capability sys_tty_config;
+allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+allow mysqld_t self:fifo_file { read write };
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow mysqld_t self:tcp_socket create_stream_socket_perms;
+allow mysqld_t self:udp_socket create_socket_perms;
+
+allow mysqld_t mysqld_db_t:dir create_dir_perms;
+allow mysqld_t mysqld_db_t:file create_file_perms;
+allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
+files_var_lib_filetrans(mysqld_t,mysqld_db_t,{ dir file })
+
+allow mysqld_t mysqld_etc_t:file { getattr read };
+allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
+
+allow mysqld_t mysqld_log_t:file create_file_perms;
+logging_log_filetrans(mysqld_t,mysqld_log_t,file)
+
+allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
+allow mysqld_t mysqld_tmp_t:file create_file_perms;
+files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
+
+allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
+allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
+allow mysqld_t mysqld_var_run_t:file create_file_perms;
+files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)
+
+kernel_read_system_state(mysqld_t)
+kernel_read_kernel_sysctls(mysqld_t)
+
+corenet_non_ipsec_sendrecv(mysqld_t)
+corenet_tcp_sendrecv_all_if(mysqld_t)
+corenet_udp_sendrecv_all_if(mysqld_t)
+corenet_tcp_sendrecv_all_nodes(mysqld_t)
+corenet_udp_sendrecv_all_nodes(mysqld_t)
+corenet_tcp_sendrecv_all_ports(mysqld_t)
+corenet_udp_sendrecv_all_ports(mysqld_t)
+corenet_tcp_bind_all_nodes(mysqld_t)
+corenet_tcp_bind_mysqld_port(mysqld_t)
+corenet_tcp_connect_mysqld_port(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
+
+dev_read_sysfs(mysqld_t)
+
+fs_getattr_all_fs(mysqld_t)
+fs_search_auto_mountpoints(mysqld_t)
+
+term_dontaudit_use_console(mysqld_t)
+
+domain_use_interactive_fds(mysqld_t)
+
+files_getattr_var_lib_dirs(mysqld_t)
+files_read_etc_runtime_files(mysqld_t)
+files_read_etc_files(mysqld_t)
+files_read_usr_files(mysqld_t)
+files_search_var_lib(mysqld_t)
+
+auth_use_nsswitch(mysqld_t)
+
+init_use_fds(mysqld_t)
+init_use_script_ptys(mysqld_t)
+
+libs_use_ld_so(mysqld_t)
+libs_use_shared_libs(mysqld_t)
+
+logging_send_syslog_msg(mysqld_t)
+
+miscfiles_read_localization(mysqld_t)
+
+sysnet_read_config(mysqld_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+# for /root/.my.cnf - should not be needed:
+userdom_read_sysadm_home_content_files(mysqld_t)
+
+ifdef(`distro_redhat',`
+	# because Fedora has the sock_file in the database directory
+	type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
+')
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(mysqld_t)
+	term_dontaudit_use_generic_ptys(mysqld_t)
+	files_dontaudit_read_root_files(mysqld_t)
+')
+
+optional_policy(`
+	daemontools_service_domain(mysqld_t, mysqld_exec_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(mysqld_t)
+')
+
+optional_policy(`
+	nscd_socket_use(mysqld_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(mysqld_t)
+')
+
+optional_policy(`
+	udev_read_db(mysqld_t)
+')
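Review bot: `userdom_read_sysadm_home_content_files(mysqld_t)` near the end of the local policy block grants the daemon read access to all sysadm home content, yet the comment directly above it says the rule should not be needed; a rule that is known to be over-broad should either be dropped or carry a comment naming what breaks without it, so it can be removed deliberately later. Suggested wording: `# reads /root/.my.cnf on some installs; remove once confirmed unneeded`. The Fedora-only `type_transition` for sock_file in the `distro_redhat` block would likewise benefit from naming the socket path it is there for.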
diff --git a/policy/modules/services/nagios.fc b/policy/modules/services/nagios.fc
new file mode 100644
index 0000000..4f8477c
--- /dev/null
+++ b/policy/modules/services/nagios.fc
@@ -0,0 +1,16 @@
+/etc/nagios(/.*)?			gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
+
+/usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
+
+/usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+
+/var/log/nagios(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/nagios		--	gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/lib/cgi-bin/nagios/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+')
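Review bot: nothing under /var/run is labelled here even though nagios.te in the same commit declares nagios_var_run_t and nagios_tmp_t, so if the package ships a /var/run/nagios directory it will keep the generic pid label after a relabel (inferred from the type names; confirm against the package layout). A line such as `/var/run/nagios(/.*)?		gen_context(system_u:object_r:nagios_var_run_t,s0)` would cover that. The `/usr/lib(64)?/cgi-bin/netsaint/.+` entry also breaks the column alignment the other entries use.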
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
new file mode 100644
index 0000000..a8975bf
--- /dev/null
+++ b/policy/modules/services/nagios.if
@@ -0,0 +1,86 @@
+## <summary>Net Saint / NAGIOS - network monitoring server</summary>
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	nagios configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nagios_read_config',`
+	gen_require(`
+		type nagios_etc_t;
+	')
+
+	allow $1 nagios_etc_t:dir list_dir_perms;
+	allow $1 nagios_etc_t:file r_file_perms;
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	nagios temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nagios_read_tmp_files',`
+	gen_require(`
+		type nagios_tmp_t;
+	')
+
+	allow $1 nagios_tmp_t:file r_file_perms;
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Execute the nagios CGI with
+##	a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nagios_domtrans_cgi',`
+	gen_require(`
+		type nagios_cgi_t, nagios_cgi_exec_t;
+	')
+
+	domain_auto_trans($1,nagios_cgi_exec_t,nagios_cgi_t)
+	allow nagios_cgi_t $1:fd use;
+	allow nagios_cgi_t $1:fifo_file rw_file_perms;
+	allow nagios_cgi_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute the nagios NRPE with
+##	a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nagios_domtrans_nrpe',`
+	gen_require(`
+		type nrpe_t, nrpe_exec_t;
+	')
+
+	domain_auto_trans($1,nrpe_exec_t,nrpe_t)
+	allow nrpe_t $1:fd use;
+	allow nrpe_t $1:fifo_file rw_file_perms;
+	allow nrpe_t $1:process sigchld;
+')
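Review bot: nagios_domtrans_cgi and nagios_domtrans_nrpe omit the caller-side `allow $1 nrpe_t:fd use;` / `allow $1 nagios_cgi_t:fd use;` line and, for nrpe whose binary lives in /usr/bin per nagios.fc, the `corecmd_search_bin($1)` call that this commit's nis_domtrans_ypbind includes, so the domtrans interfaces across the set are not written to one pattern. Adding `corecmd_search_bin($1)` before the nrpe `domain_auto_trans` and the fd-use line to both would align them. The summaries could also name the executable type each transition is keyed on (nagios_cgi_exec_t, nrpe_exec_t) so callers know exactly what they grant.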
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
new file mode 100644
index 0000000..423c664
--- /dev/null
+++ b/policy/modules/services/nagios.te
@@ -0,0 +1,246 @@
+
+policy_module(nagios,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type nagios_t;
+type nagios_exec_t;
+init_daemon_domain(nagios_t,nagios_exec_t)
+
+type nagios_cgi_t;
+type nagios_cgi_exec_t;
+init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)
+
+type nagios_etc_t;
+files_config_file(nagios_etc_t)
+
+type nagios_log_t;
+logging_log_file(nagios_log_t)
+
+type nagios_tmp_t;
+files_tmp_file(nagios_tmp_t)
+
+type nagios_var_run_t;
+files_pid_file(nagios_var_run_t)
+
+type nrpe_t;
+type nrpe_exec_t;
+init_daemon_domain(nrpe_t,nrpe_exec_t)
+
+type nrpe_etc_t;
+files_config_file(nrpe_etc_t)
+
+########################################
+#
+# Nagios local policy
+#
+
+allow nagios_t self:capability { dac_override setgid setuid };
+dontaudit nagios_t self:capability sys_tty_config;
+allow nagios_t self:process { setpgid signal_perms };
+allow nagios_t self:fifo_file rw_file_perms;
+allow nagios_t self:tcp_socket create_stream_socket_perms;
+allow nagios_t self:udp_socket create_socket_perms;
+
+allow nagios_t nagios_etc_t:file r_file_perms;
+allow nagios_t nagios_etc_t:dir r_dir_perms;
+allow nagios_t nagios_etc_t:lnk_file { getattr read };
+
+allow nagios_t nagios_log_t:file manage_file_perms;
+allow nagios_t nagios_log_t:fifo_file manage_file_perms;
+allow nagios_t nagios_log_t:dir rw_dir_perms;
+logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })
+
+allow nagios_t nagios_tmp_t:dir create_dir_perms;
+allow nagios_t nagios_tmp_t:file create_file_perms;
+files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
+
+allow nagios_t nagios_var_run_t:file create_file_perms;
+allow nagios_t nagios_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(nagios_t,nagios_var_run_t,file)
+
+kernel_read_system_state(nagios_t)
+kernel_read_kernel_sysctls(nagios_t)
+
+corecmd_exec_bin(nagios_t)
+corecmd_exec_shell(nagios_t)
+
+corenet_non_ipsec_sendrecv(nagios_t)
+corenet_tcp_sendrecv_generic_if(nagios_t)
+corenet_udp_sendrecv_generic_if(nagios_t)
+corenet_tcp_sendrecv_all_nodes(nagios_t)
+corenet_udp_sendrecv_all_nodes(nagios_t)
+corenet_tcp_sendrecv_all_ports(nagios_t)
+corenet_udp_sendrecv_all_ports(nagios_t)
+
+dev_read_sysfs(nagios_t)
+
+domain_use_interactive_fds(nagios_t)
+# for ps
+domain_read_all_domains_state(nagios_t)
+
+files_read_etc_files(nagios_t)
+files_read_etc_runtime_files(nagios_t)
+files_read_kernel_symbol_table(nagios_t)
+
+fs_getattr_all_fs(nagios_t)
+fs_search_auto_mountpoints(nagios_t)
+
+term_dontaudit_use_console(nagios_t)
+
+init_use_fds(nagios_t)
+init_use_script_ptys(nagios_t)
+# for who
+init_read_utmp(nagios_t)
+
+libs_use_ld_so(nagios_t)
+libs_use_shared_libs(nagios_t)
+
+logging_send_syslog_msg(nagios_t)
+
+miscfiles_read_localization(nagios_t)
+
+sysnet_read_config(nagios_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
+
+mta_send_mail(nagios_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(nagios_t)
+	term_dontaudit_use_generic_ptys(nagios_t)
+	files_dontaudit_read_root_files(nagios_t)
+')
+
+optional_policy(`
+	netutils_domtrans_ping(nagios_t)
+	netutils_signal_ping(nagios_t)
+	netutils_kill_ping(nagios_t)
+
+	# cjp: leaked file descriptors:
+	#dontaudit ping_t nagios_etc_t:file read;
+	#dontaudit ping_t nagios_log_t:fifo_file read;
+')
+
+optional_policy(`
+	nis_use_ypbind(nagios_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(nagios_t)
+')
+
+optional_policy(`
+	udev_read_db(nagios_t)
+')
+
+# cjp: leaked file descriptors:
+# for open file handles
+#dontaudit system_mail_t nagios_etc_t:file read;
+#dontaudit system_mail_t nagios_log_t:fifo_file read;
+
+########################################
+#
+# Nagios CGI local policy
+#
+
+allow nagios_cgi_t self:process { fork signal_perms };
+allow nagios_cgi_t self:fifo_file rw_file_perms;
+
+allow nagios_cgi_t nagios_t:dir r_dir_perms;
+allow nagios_cgi_t nagios_t:file r_file_perms;
+allow nagios_cgi_t nagios_t:lnk_file { getattr read };
+
+allow nagios_cgi_t nagios_etc_t:dir r_dir_perms;
+allow nagios_cgi_t nagios_etc_t:file r_file_perms;
+allow nagios_cgi_t nagios_etc_t:lnk_file { getattr read };
+
+allow nagios_cgi_t nagios_log_t:dir r_dir_perms;
+allow nagios_cgi_t nagios_log_t:file r_file_perms;
+allow nagios_cgi_t nagios_log_t:lnk_file { getattr read };
+
+kernel_read_system_state(nagios_cgi_t)
+
+corecmd_exec_bin(nagios_cgi_t)
+
+domain_dontaudit_read_all_domains_state(nagios_cgi_t)
+
+files_read_etc_files(nagios_cgi_t)
+files_read_etc_runtime_files(nagios_cgi_t)
+files_read_kernel_symbol_table(nagios_cgi_t)
+
+libs_use_ld_so(nagios_cgi_t)
+libs_use_shared_libs(nagios_cgi_t)
+
+logging_send_syslog_msg(nagios_cgi_t)
+logging_search_logs(nagios_cgi_t)
+
+miscfiles_read_localization(nagios_cgi_t)
+
+optional_policy(`
+	apache_append_log(nagios_cgi_t)
+')
+
+########################################
+#
+# Nagios remote plugin executor local policy
+#
+
+dontaudit nrpe_t self:capability sys_tty_config;
+allow nrpe_t self:process { setpgid signal_perms };
+allow nrpe_t self:fifo_file rw_file_perms;
+
+allow nrpe_t nrpe_etc_t:file { getattr read };
+files_search_etc(nrpe_t)
+
+kernel_read_system_state(nrpe_t)
+kernel_read_kernel_sysctls(nrpe_t)
+
+corecmd_exec_bin(nrpe_t)
+corecmd_exec_shell(nrpe_t)
+corecmd_exec_ls(nrpe_t)
+
+dev_read_sysfs(nrpe_t)
+dev_read_urand(nrpe_t)
+
+domain_use_interactive_fds(nrpe_t)
+
+files_read_etc_runtime_files(nrpe_t)
+
+fs_search_auto_mountpoints(nrpe_t)
+
+term_dontaudit_use_console(nrpe_t)
+
+init_use_fds(nrpe_t)
+init_use_script_ptys(nrpe_t)
+
+libs_use_ld_so(nrpe_t)
+libs_use_shared_libs(nrpe_t)
+
+logging_send_syslog_msg(nrpe_t)
+
+miscfiles_read_localization(nrpe_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+
+ifdef(`targeted_policy',`
+        term_dontaudit_use_unallocated_ttys(nrpe_t)
+        term_dontaudit_use_generic_ptys(nrpe_t)
+        files_dontaudit_read_root_files(nrpe_t)
+')
+
+optional_policy(`
+	inetd_tcp_service_domain(nrpe_t,nrpe_exec_t)
+')
+
+optional_policy(`
+        seutil_sigchld_newrole(nrpe_t)
+')
+
+optional_policy(`
+        udev_read_db(nrpe_t)
+')
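Review bot: nrpe_t is declared with `init_daemon_domain` but its local policy block contains no `self:tcp_socket` or corenet rules, so a standalone (non-inetd) nrpe would be unable to listen; if only the inetd mode set up by the optional `inetd_tcp_service_domain` block is supported, a comment to that effect under the "Nagios remote plugin executor local policy" header would save the next reader from hunting for missing rules, and if not, the daemon needs the usual socket and corenet rules (hedged: I cannot see what `inetd_tcp_service_domain` grants from here). The `ifdef` and `optional_policy` bodies in the nrpe section are also indented with spaces while the rest of the file uses tabs.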
diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc
new file mode 100644
index 0000000..74da57f
--- /dev/null
+++ b/policy/modules/services/nessus.fc
@@ -0,0 +1,10 @@
+
+/etc/nessus/nessusd\.conf --	gen_context(system_u:object_r:nessusd_etc_t,s0)
+
+/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
+/usr/sbin/nessusd	--	gen_context(system_u:object_r:nessusd_exec_t,s0)
+
+/var/lib/nessus(/.*)?		gen_context(system_u:object_r:nessusd_db_t,s0)
+
+/var/log/nessus(/.*)?		gen_context(system_u:object_r:nessusd_log_t,s0)
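Review bot: every file under `/usr/lib(64)?/nessus/plugins/` is labelled nessusd_exec_t, the same type that is the entrypoint of nessusd_t, so any file placed in the plugin directory becomes a valid entrypoint into the daemon's domain; if plugins are only executed by nessusd itself, a separate plugin type with an exec rule rather than an entrypoint would narrow that (hedged: depends on how the scanner invokes plugins). No context is given for a pid location either, although nessus.te declares nessusd_var_run_t; confirm whether the package writes under /var/run/nessus.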
diff --git a/policy/modules/services/nessus.if b/policy/modules/services/nessus.if
new file mode 100644
index 0000000..425c29b
--- /dev/null
+++ b/policy/modules/services/nessus.if
@@ -0,0 +1,21 @@
+## <summary>Nessus network scanning daemon</summary>
+
+########################################
+## <summary>
+##	Connect to nessus over a TCP socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nessus_tcp_connect',`
+	gen_require(`
+		type nessusd_t;
+	')
+
+	allow $1 nessusd_t:tcp_socket { connectto recvfrom };
+	allow nessusd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
new file mode 100644
index 0000000..b049bf5
--- /dev/null
+++ b/policy/modules/services/nessus.te
@@ -0,0 +1,122 @@
+
+policy_module(nessus,1.0.1)
+
+########################################
+#
+# Local policy
+#
+
+type nessusd_t;
+type nessusd_exec_t;
+init_daemon_domain(nessusd_t,nessusd_exec_t)
+
+type nessusd_db_t;
+files_type(nessusd_db_t)
+
+type nessusd_etc_t;
+files_config_file(nessusd_etc_t)
+
+type nessusd_log_t;
+logging_log_file(nessusd_log_t)
+
+type nessusd_var_run_t;
+files_pid_file(nessusd_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow nessusd_t self:capability net_raw;
+dontaudit nessusd_t self:capability sys_tty_config;
+allow nessusd_t self:process { setsched signal_perms };
+allow nessusd_t self:fifo_file { getattr read write };
+allow nessusd_t self:tcp_socket create_stream_socket_perms;
+allow nessusd_t self:udp_socket create_socket_perms;
+allow nessusd_t self:rawip_socket create_socket_perms;
+allow nessusd_t self:packet_socket create_socket_perms;
+
+# Allow access to the nessusd authentication database
+allow nessusd_t nessusd_db_t:dir create_dir_perms;
+allow nessusd_t nessusd_db_t:file create_file_perms;
+allow nessusd_t nessusd_db_t:lnk_file create_lnk_perms;
+files_list_var_lib(nessusd_t)
+
+allow nessusd_t nessusd_etc_t:file { getattr read };
+files_search_etc(nessusd_t)
+
+allow nessusd_t nessusd_log_t:file create_file_perms;
+allow nessusd_t nessusd_log_t:dir rw_dir_perms;
+logging_log_filetrans(nessusd_t,nessusd_log_t,{ file dir })
+
+allow nessusd_t nessusd_var_run_t:file create_file_perms;
+allow nessusd_t nessusd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(nessusd_t,nessusd_var_run_t,file)
+
+kernel_read_system_state(nessusd_t)
+kernel_read_kernel_sysctls(nessusd_t)
+kernel_tcp_recvfrom(nessusd_t)
+
+# for nmap etc
+corecmd_exec_bin(nessusd_t)
+
+corenet_non_ipsec_sendrecv(nessusd_t)
+corenet_tcp_sendrecv_generic_if(nessusd_t)
+corenet_udp_sendrecv_generic_if(nessusd_t)
+corenet_raw_sendrecv_generic_if(nessusd_t)
+corenet_tcp_sendrecv_all_nodes(nessusd_t)
+corenet_udp_sendrecv_all_nodes(nessusd_t)
+corenet_raw_sendrecv_all_nodes(nessusd_t)
+corenet_tcp_sendrecv_all_ports(nessusd_t)
+corenet_udp_sendrecv_all_ports(nessusd_t)
+corenet_tcp_bind_all_nodes(nessusd_t)
+corenet_tcp_bind_nessus_port(nessusd_t)
+corenet_tcp_connect_all_ports(nessusd_t)
+corenet_sendrecv_all_client_packets(nessusd_t)
+corenet_sendrecv_nessus_server_packets(nessusd_t)
+
+dev_read_sysfs(nessusd_t)
+dev_read_urand(nessusd_t)
+
+domain_use_interactive_fds(nessusd_t)
+
+files_read_etc_files(nessusd_t)
+files_read_etc_runtime_files(nessusd_t)
+
+fs_getattr_all_fs(nessusd_t)
+fs_search_auto_mountpoints(nessusd_t)
+
+term_dontaudit_use_console(nessusd_t)
+
+init_use_fds(nessusd_t)
+init_use_script_ptys(nessusd_t)
+
+libs_use_ld_so(nessusd_t)
+libs_use_shared_libs(nessusd_t)
+
+logging_send_syslog_msg(nessusd_t)
+
+miscfiles_read_localization(nessusd_t)
+
+sysnet_read_config(nessusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
+userdom_dontaudit_search_sysadm_home_dirs(nessusd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(nessusd_t)
+	term_dontaudit_use_generic_ptys(nessusd_t)
+	files_dontaudit_read_root_files(nessusd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(nessusd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(nessusd_t)
+')
+
+optional_policy(`
+	udev_read_db(nessusd_t)
+')
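Review bot: the two section headers are swapped — the block that declares the types is headed `# Local policy` and the block of rules is headed `# Declarations`; every other module in this commit uses the opposite order, so the two comment lines should be exchanged. The `# Allow access to the nessusd authentication database` note above the nessusd_db_t rules is the kind of comment the file needs more of: a one-line note above the `net_raw` / `corenet_tcp_connect_all_ports` group saying these are accepted because the daemon must reach arbitrary hosts and ports would tell a reviewer why such a broad set is intentional here.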
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
new file mode 100644
index 0000000..e198e69
--- /dev/null
+++ b/policy/modules/services/networkmanager.fc
@@ -0,0 +1,5 @@
+
+/usr/(s)?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/var/run/NetworkManager.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
new file mode 100644
index 0000000..5aa9107
--- /dev/null
+++ b/policy/modules/services/networkmanager.if
@@ -0,0 +1,80 @@
+## <summary>Manager for dynamically switching between networks.</summary>
+
+########################################
+## <summary>
+##	Read and write NetworkManager UDP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_udp_sockets',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+	allow $1 NetworkManager_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Read and write NetworkManager packet sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_packet_sockets',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+	allow $1 NetworkManager_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+##	Read and write NetworkManager netlink
+##	routing sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_routing_sockets',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+	allow $1 NetworkManager_t:netlink_route_socket { read write };
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	NetworkManager over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_dbus_chat',`
+	gen_require(`
+		type NetworkManager_t;
+		class dbus send_msg;
+	')
+
+	allow $1 NetworkManager_t:dbus send_msg;
+	allow NetworkManager_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
new file mode 100644
index 0000000..418ba83
--- /dev/null
+++ b/policy/modules/services/networkmanager.te
@@ -0,0 +1,175 @@
+
+policy_module(networkmanager,1.3.6)
+
+########################################
+#
+# Declarations
+#
+
+type NetworkManager_t;
+type NetworkManager_exec_t;
+init_daemon_domain(NetworkManager_t,NetworkManager_exec_t)
+
+type NetworkManager_var_run_t;
+files_pid_file(NetworkManager_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
+dontaudit NetworkManager_t self:capability sys_tty_config;
+allow NetworkManager_t self:process { setcap getsched signal_perms };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
+allow NetworkManager_t self:udp_socket create_socket_perms;
+allow NetworkManager_t self:packet_socket create_socket_perms;
+
+allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
+allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;
+allow NetworkManager_t NetworkManager_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(NetworkManager_t)
+kernel_read_network_state(NetworkManager_t)
+kernel_read_kernel_sysctls(NetworkManager_t)
+kernel_load_module(NetworkManager_t)
+
+corenet_non_ipsec_sendrecv(NetworkManager_t)
+corenet_tcp_sendrecv_all_if(NetworkManager_t)
+corenet_udp_sendrecv_all_if(NetworkManager_t)
+corenet_raw_sendrecv_all_if(NetworkManager_t)
+corenet_tcp_sendrecv_all_nodes(NetworkManager_t)
+corenet_udp_sendrecv_all_nodes(NetworkManager_t)
+corenet_raw_sendrecv_all_nodes(NetworkManager_t)
+corenet_tcp_sendrecv_all_ports(NetworkManager_t)
+corenet_udp_sendrecv_all_ports(NetworkManager_t)
+corenet_udp_bind_all_nodes(NetworkManager_t)
+corenet_udp_bind_isakmp_port(NetworkManager_t)
+corenet_udp_bind_dhcpc_port(NetworkManager_t)
+corenet_tcp_connect_all_ports(NetworkManager_t)
+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+corenet_sendrecv_all_client_packets(NetworkManager_t)
+
+dev_read_sysfs(NetworkManager_t)
+dev_read_rand(NetworkManager_t)
+dev_read_urand(NetworkManager_t)
+
+fs_getattr_all_fs(NetworkManager_t)
+fs_search_auto_mountpoints(NetworkManager_t)
+
+mls_file_read_up(NetworkManager_t)
+
+selinux_dontaudit_search_fs(NetworkManager_t)
+
+term_dontaudit_use_console(NetworkManager_t)
+
+corecmd_exec_shell(NetworkManager_t)
+corecmd_exec_bin(NetworkManager_t)
+corecmd_exec_sbin(NetworkManager_t)
+corecmd_exec_ls(NetworkManager_t)
+
+domain_use_interactive_fds(NetworkManager_t)
+domain_read_confined_domains_state(NetworkManager_t)
+
+files_read_etc_files(NetworkManager_t)
+files_read_etc_runtime_files(NetworkManager_t)
+files_read_usr_files(NetworkManager_t)
+
+init_use_fds(NetworkManager_t)
+init_use_script_ptys(NetworkManager_t)
+init_read_utmp(NetworkManager_t)
+init_domtrans_script(NetworkManager_t)
+
+libs_use_ld_so(NetworkManager_t)
+libs_use_shared_libs(NetworkManager_t)
+
+logging_send_syslog_msg(NetworkManager_t)
+
+miscfiles_read_localization(NetworkManager_t)
+miscfiles_read_certs(NetworkManager_t)
+
+modutils_domtrans_insmod(NetworkManager_t)
+
+seutil_read_config(NetworkManager_t)
+
+sysnet_domtrans_ifconfig(NetworkManager_t)
+sysnet_domtrans_dhcpc(NetworkManager_t)
+sysnet_signal_dhcpc(NetworkManager_t)
+sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_delete_dhcpc_pid(NetworkManager_t)
+sysnet_search_dhcp_state(NetworkManager_t)
+# in /etc created by NetworkManager will be labelled net_conf_t.
+sysnet_manage_config(NetworkManager_t)
+sysnet_etc_filetrans_config(NetworkManager_t)
+
+userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
+userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
+userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(NetworkManager_t)
+	term_dontaudit_use_generic_ptys(NetworkManager_t)
+	files_dontaudit_read_root_files(NetworkManager_t)
+')
+
+optional_policy(`
+	bind_domtrans(NetworkManager_t)
+	bind_manage_cache(NetworkManager_t)
+	bind_signal(NetworkManager_t)
+')
+
+optional_policy(`
+	bluetooth_dontaudit_read_helper_files(NetworkManager_t)
+')
+
+optional_policy(`
+	consoletype_exec(NetworkManager_t)
+')
+
+optional_policy(`
+	gen_require(`
+		class dbus send_msg;
+	')
+
+	allow NetworkManager_t self:dbus send_msg;
+
+	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
+	dbus_connect_system_bus(NetworkManager_t)
+	dbus_send_system_bus(NetworkManager_t)
+')
+
+optional_policy(`
+	howl_signal(NetworkManager_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(NetworkManager_t)
+')
+
+optional_policy(`
+	nscd_socket_use(NetworkManager_t)
+	nscd_signal(NetworkManager_t)
+')
+
+optional_policy(`
+	ppp_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(NetworkManager_t)
+')
+
+optional_policy(`
+	udev_read_db(NetworkManager_t)
+')
+
+optional_policy(`
+	vpn_domtrans(NetworkManager_t)
+	vpn_signal(NetworkManager_t)
+')
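Review bot: the comment `# in /etc created by NetworkManager will be labelled net_conf_t.` above `sysnet_manage_config` is missing its subject; `# files NetworkManager creates in /etc are labelled net_conf_t` reads correctly. The first `allow NetworkManager_t self:capability` rule lacks the space before `}` that every other permission set on the page has. `kernel_load_module` and `modutils_domtrans_insmod` are both granted; if the transition to insmod is the intended path, the direct module-loading permission may be redundant, and a comment should say which one is relied on (hedged: I cannot see either interface's body from here).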
diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc
new file mode 100644
index 0000000..0128ee0
--- /dev/null
+++ b/policy/modules/services/nis.fc
@@ -0,0 +1,10 @@
+
+/etc/ypserv\.conf	--	gen_context(system_u:object_r:ypserv_conf_t,s0)
+
+/sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
+
+/usr/sbin/rpc.yppasswdd	--	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc.ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/sbin/ypserv	--	gen_context(system_u:object_r:ypserv_exec_t,s0)
+
+/var/yp(/.*)?			gen_context(system_u:object_r:var_yp_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
new file mode 100644
index 0000000..99ba6cb
--- /dev/null
+++ b/policy/modules/services/nis.if
@@ -0,0 +1,267 @@
+## <summary>Policy for NIS (YP) servers and clients</summary>
+
+########################################
+## <summary>
+##	Use the ypbind service to access NIS services
+##	unconditionally.
+## </summary>
+## <desc>
+##	<p>
+##	Use the ypbind service to access NIS services
+##	unconditionally.
+##	</p>
+##	<p>
+##	This interface was added because of apache and
+##	spamassassin, to fix a nested conditionals problem.
+##	When that support is added, this should be removed,
+##	and the regular	interface should be used.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nis_use_ypbind_uncond',`
+	gen_require(`
+		type var_yp_t;
+	')
+
+	dontaudit $1 self:capability net_bind_service;
+
+	allow $1 self:tcp_socket create_stream_socket_perms;
+	allow $1 self:udp_socket create_socket_perms;
+
+	allow $1 var_yp_t:dir r_dir_perms;
+	allow $1 var_yp_t:lnk_file { getattr read };
+	allow $1 var_yp_t:file r_file_perms;
+
+	corenet_non_ipsec_sendrecv($1)
+	corenet_tcp_sendrecv_all_if($1)
+	corenet_udp_sendrecv_all_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_udp_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_all_ports($1)
+	corenet_udp_sendrecv_all_ports($1)
+	corenet_tcp_bind_all_nodes($1)
+	corenet_udp_bind_all_nodes($1)
+	corenet_tcp_bind_generic_port($1)
+	corenet_udp_bind_generic_port($1)
+	corenet_tcp_bind_reserved_port($1)
+	corenet_udp_bind_reserved_port($1)
+	corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+	corenet_dontaudit_udp_bind_all_reserved_ports($1)
+	corenet_tcp_connect_portmap_port($1)
+	corenet_tcp_connect_reserved_port($1)
+	corenet_tcp_connect_generic_port($1)
+	corenet_dontaudit_tcp_connect_all_reserved_ports($1)
+	corenet_sendrecv_portmap_client_packets($1)
+	corenet_sendrecv_generic_client_packets($1)
+	corenet_sendrecv_generic_server_packets($1)
+
+	sysnet_read_config($1)
+')
+
+########################################
+## <summary>
+##	Use the ypbind service to access NIS services.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nis_use_ypbind',`
+	gen_require(`
+		type var_yp_t;
+	')
+
+	tunable_policy(`allow_ypbind',`
+		nis_use_ypbind_uncond($1)
+	',`
+		dontaudit $1 var_yp_t:dir search;
+	')
+')
+
+########################################
+## <summary>
+##	Execute ypbind in the ypbind domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nis_domtrans_ypbind',`
+	gen_require(`
+		type ypbind_t, ypbind_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,ypbind_exec_t,ypbind_t)
+
+	allow $1 ypbind_t:fd use;
+	allow ypbind_t $1:fd use;
+	allow ypbind_t $1:fifo_file rw_file_perms;
+	allow ypbind_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send generic signals to ypbind.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nis_signal_ypbind',`
+	gen_require(`
+		type ypbind_t;
+	')
+
+	allow $1 ypbind_t:process signal;
+')
+
+########################################
+## <summary>
+##	List the contents of the NIS data directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nis_list_var_yp',`
+	gen_require(`
+		type var_yp_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_yp_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic to NIS clients.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nis_udp_send_ypbind',`
+	gen_require(`
+		type ypbind_t;
+	')
+
+	allow $1 ypbind_t:udp_socket sendto;
+	allow ypbind_t $1:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Connect to ypbind over TCP.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nis_tcp_connect_ypbind',`
+	gen_require(`
+		type ypbind_t;
+	')
+
+	allow $1 ypbind_t:tcp_socket { connectto recvfrom };
+	allow ypbind_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
+########################################
+## <summary>
+##	Read ypbind pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nis_read_ypbind_pid',`
+	gen_require(`
+		type ypbind_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 ypbind_var_run_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete ypbind pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nis_delete_ypbind_pid',`
+	gen_require(`
+		type ypbind_t;
+	')
+
+	# TODO: add delete pid from dir call to files
+	allow $1 ypbind_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Read ypserv configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nis_read_ypserv_config',`
+	gen_require(`
+		type ypserv_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 ypserv_conf_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Execute ypxfr in the ypxfr domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nis_domtrans_ypxfr',`
+	gen_require(`
+		type ypxfr_t, ypxfr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,ypxfr_exec_t,ypxfr_t)
+
+	allow $1 ypxfr_t:fd use;
+	allow ypxfr_t $1:fd use;
+	allow ypxfr_t $1:fifo_file rw_file_perms;
+	allow ypxfr_t $1:process sigchld;
+')
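Review bot: nis_delete_ypbind_pid grants `unlink` on ypbind_t, the process domain type, rather than on the pid file type ypbind_var_run_t that nis_read_ypbind_pid two interfaces earlier uses, so the interface cannot actually remove the pid file. The fix is to require `type ypbind_var_run_t;` instead of `type ypbind_t;`, add `files_search_pids($1)`, and change the rule to `allow $1 ypbind_var_run_t:file unlink;`. The TODO about a files-layer delete helper can stay as a reminder.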
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
new file mode 100644
index 0000000..a5fd29b
--- /dev/null
+++ b/policy/modules/services/nis.te
@@ -0,0 +1,357 @@
+
+policy_module(nis,1.1.5)
+
+########################################
+#
+# Declarations
+#
+
+type var_yp_t;
+files_type(var_yp_t)
+
+type ypbind_t;
+type ypbind_exec_t;
+init_daemon_domain(ypbind_t,ypbind_exec_t)
+
+type ypbind_tmp_t;
+files_tmp_file(ypbind_tmp_t)
+
+type ypbind_var_run_t;
+files_pid_file(ypbind_var_run_t)
+
+type yppasswdd_t;
+type yppasswdd_exec_t;
+init_daemon_domain(yppasswdd_t,yppasswdd_exec_t)
+domain_obj_id_change_exemption(yppasswdd_t)
+
+type yppasswdd_var_run_t;
+files_pid_file(yppasswdd_var_run_t)
+
+type ypserv_t;
+type ypserv_exec_t;
+init_daemon_domain(ypserv_t,ypserv_exec_t)
+
+type ypserv_conf_t;
+files_type(ypserv_conf_t)
+
+type ypserv_tmp_t;
+files_tmp_file(ypserv_tmp_t)
+
+type ypserv_var_run_t;
+files_pid_file(ypserv_var_run_t)
+
+type ypxfr_t;
+type ypxfr_exec_t;
+init_daemon_domain(ypxfr_t,ypxfr_exec_t)
+
+########################################
+#
+# ypbind local policy
+
+dontaudit ypbind_t self:capability { net_admin sys_tty_config };
+allow ypbind_t self:fifo_file rw_file_perms;
+allow ypbind_t self:process signal_perms;
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypbind_t self:tcp_socket create_stream_socket_perms;
+allow ypbind_t self:udp_socket create_socket_perms;
+
+allow ypbind_t ypbind_tmp_t:dir create_dir_perms;
+allow ypbind_t ypbind_tmp_t:file create_file_perms;
+files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
+
+allow ypbind_t ypbind_var_run_t:file manage_file_perms;
+allow ypbind_t ypbind_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ypbind_t,ypbind_var_run_t,file)
+
+allow ypbind_t var_yp_t:dir rw_dir_perms;
+allow ypbind_t var_yp_t:file create_file_perms;
+
+kernel_read_kernel_sysctls(ypbind_t)
+kernel_list_proc(ypbind_t)
+kernel_read_proc_symlinks(ypbind_t)
+kernel_tcp_recvfrom(ypbind_t)
+
+corenet_non_ipsec_sendrecv(ypbind_t)
+corenet_tcp_sendrecv_all_if(ypbind_t)
+corenet_udp_sendrecv_all_if(ypbind_t)
+corenet_tcp_sendrecv_all_nodes(ypbind_t)
+corenet_udp_sendrecv_all_nodes(ypbind_t)
+corenet_tcp_sendrecv_all_ports(ypbind_t)
+corenet_udp_sendrecv_all_ports(ypbind_t)
+corenet_tcp_bind_all_nodes(ypbind_t)
+corenet_udp_bind_all_nodes(ypbind_t)
+corenet_tcp_bind_generic_port(ypbind_t)
+corenet_udp_bind_generic_port(ypbind_t)
+corenet_tcp_bind_reserved_port(ypbind_t)
+corenet_udp_bind_reserved_port(ypbind_t)
+corenet_tcp_bind_all_rpc_ports(ypbind_t)
+corenet_tcp_connect_all_ports(ypbind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
+corenet_sendrecv_all_client_packets(ypbind_t)
+corenet_sendrecv_generic_server_packets(ypbind_t)
+
+dev_read_sysfs(ypbind_t)
+
+fs_getattr_all_fs(ypbind_t)
+fs_search_auto_mountpoints(ypbind_t)
+
+term_dontaudit_use_console(ypbind_t)
+
+domain_use_interactive_fds(ypbind_t)
+
+files_read_etc_files(ypbind_t)
+files_list_var(ypbind_t)
+
+init_use_fds(ypbind_t)
+init_use_script_ptys(ypbind_t)
+init_udp_send_script(ypbind_t)
+
+libs_use_ld_so(ypbind_t)
+libs_use_shared_libs(ypbind_t)
+
+logging_send_syslog_msg(ypbind_t)
+
+miscfiles_read_localization(ypbind_t)
+
+sysnet_read_config(ypbind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
+userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
+
+portmap_udp_send(ypbind_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(ypbind_t)
+	term_dontaudit_use_generic_ptys(ypbind_t)
+	files_dontaudit_read_root_files(ypbind_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(ypbind_t)
+')
+
+optional_policy(`
+	udev_read_db(ypbind_t)
+')
+
+########################################
+#
+# yppasswdd local policy
+#
+
+dontaudit yppasswdd_t self:capability sys_tty_config;
+allow yppasswdd_t self:fifo_file rw_file_perms;
+allow yppasswdd_t self:process { setfscreate signal_perms };
+allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
+allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
+allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
+allow yppasswdd_t self:udp_socket create_socket_perms;
+
+allow yppasswdd_t yppasswdd_var_run_t:file create_file_perms;
+allow yppasswdd_t yppasswdd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t,file)
+
+allow yppasswdd_t var_yp_t:dir rw_dir_perms;
+allow yppasswdd_t var_yp_t:file create_file_perms;
+allow yppasswdd_t var_yp_t:lnk_file create_lnk_perms;
+
+kernel_list_proc(yppasswdd_t)
+kernel_read_proc_symlinks(yppasswdd_t)
+kernel_getattr_proc_files(yppasswdd_t)
+kernel_read_kernel_sysctls(yppasswdd_t)
+
+corenet_non_ipsec_sendrecv(yppasswdd_t)
+corenet_tcp_sendrecv_generic_if(yppasswdd_t)
+corenet_udp_sendrecv_generic_if(yppasswdd_t)
+corenet_tcp_sendrecv_all_nodes(yppasswdd_t)
+corenet_udp_sendrecv_all_nodes(yppasswdd_t)
+corenet_tcp_sendrecv_all_ports(yppasswdd_t)
+corenet_udp_sendrecv_all_ports(yppasswdd_t)
+corenet_tcp_bind_all_nodes(yppasswdd_t)
+corenet_udp_bind_all_nodes(yppasswdd_t)
+corenet_tcp_bind_reserved_port(yppasswdd_t)
+corenet_udp_bind_reserved_port(yppasswdd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
+corenet_sendrecv_generic_server_packets(yppasswdd_t)
+
+dev_read_sysfs(yppasswdd_t)
+
+fs_getattr_all_fs(yppasswdd_t)
+fs_search_auto_mountpoints(yppasswdd_t)
+
+selinux_get_fs_mount(yppasswdd_t)
+
+term_dontaudit_use_console(yppasswdd_t)
+
+auth_manage_shadow(yppasswdd_t)
+auth_relabel_shadow(yppasswdd_t)
+auth_etc_filetrans_shadow(yppasswdd_t)
+
+corecmd_exec_bin(yppasswdd_t)
+corecmd_exec_shell(yppasswdd_t)
+corecmd_search_sbin(yppasswdd_t)
+
+domain_use_interactive_fds(yppasswdd_t)
+
+files_read_etc_files(yppasswdd_t)
+files_read_etc_runtime_files(yppasswdd_t)
+files_relabel_etc_files(yppasswdd_t)
+
+init_use_fds(yppasswdd_t)
+init_use_script_ptys(yppasswdd_t)
+init_udp_send_script(yppasswdd_t)
+
+libs_use_ld_so(yppasswdd_t)
+libs_use_shared_libs(yppasswdd_t)
+
+logging_send_syslog_msg(yppasswdd_t)
+
+miscfiles_read_localization(yppasswdd_t)
+
+sysnet_read_config(yppasswdd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
+userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
+
+portmap_udp_send(yppasswdd_t)
+
+ifdef(`targeted_policy',`
+        term_dontaudit_use_unallocated_ttys(yppasswdd_t)
+        term_dontaudit_use_generic_ptys(yppasswdd_t)
+        files_dontaudit_read_root_files(yppasswdd_t)
+')
+
+optional_policy(`
+	hostname_exec(yppasswdd_t)
+')
+
+optional_policy(`
+        seutil_sigchld_newrole(yppasswdd_t)
+')
+
+optional_policy(`
+        udev_read_db(yppasswdd_t)
+')
+
+########################################
+#
+# ypserv local policy
+#
+
+dontaudit ypserv_t self:capability sys_tty_config;
+allow ypserv_t self:fifo_file rw_file_perms;
+allow ypserv_t self:process signal_perms;
+allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
+allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypserv_t self:tcp_socket connected_stream_socket_perms;
+allow ypserv_t self:udp_socket create_socket_perms;
+
+allow ypserv_t var_yp_t:dir rw_dir_perms;
+allow ypserv_t var_yp_t:file create_file_perms;
+
+allow ypserv_t ypserv_conf_t:file { getattr read };
+
+allow ypserv_t ypserv_tmp_t:dir create_dir_perms;
+allow ypserv_t ypserv_tmp_t:file create_file_perms;
+files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
+
+allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
+allow ypserv_t ypserv_var_run_t:file manage_file_perms;
+files_pid_filetrans(ypserv_t,ypserv_var_run_t,file)
+
+kernel_read_kernel_sysctls(ypserv_t)
+kernel_list_proc(ypserv_t)
+kernel_read_proc_symlinks(ypserv_t)
+
+corenet_non_ipsec_sendrecv(ypserv_t)
+corenet_tcp_sendrecv_all_if(ypserv_t)
+corenet_udp_sendrecv_all_if(ypserv_t)
+corenet_tcp_sendrecv_all_nodes(ypserv_t)
+corenet_udp_sendrecv_all_nodes(ypserv_t)
+corenet_tcp_sendrecv_all_ports(ypserv_t)
+corenet_udp_sendrecv_all_ports(ypserv_t)
+corenet_tcp_bind_all_nodes(ypserv_t)
+corenet_udp_bind_all_nodes(ypserv_t)
+corenet_tcp_bind_reserved_port(ypserv_t)
+corenet_udp_bind_reserved_port(ypserv_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
+corenet_sendrecv_generic_server_packets(ypserv_t)
+
+dev_read_sysfs(ypserv_t)
+
+fs_getattr_all_fs(ypserv_t)
+fs_search_auto_mountpoints(ypserv_t)
+
+term_dontaudit_use_console(ypserv_t)
+
+corecmd_exec_bin(ypserv_t)
+
+domain_use_interactive_fds(ypserv_t)
+
+files_read_var_files(ypserv_t)
+
+init_use_fds(ypserv_t)
+init_use_script_ptys(ypserv_t)
+init_udp_send_script(ypserv_t)
+
+libs_use_ld_so(ypserv_t)
+libs_use_shared_libs(ypserv_t)
+
+logging_send_syslog_msg(ypserv_t)
+
+miscfiles_read_localization(ypserv_t)
+
+nis_domtrans_ypxfr(ypserv_t)
+
+sysnet_read_config(ypserv_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
+userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
+
+portmap_udp_send(ypserv_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(ypserv_t)
+	term_dontaudit_use_generic_ptys(ypserv_t)
+	files_dontaudit_read_root_files(ypserv_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(ypserv_t)
+')
+
+optional_policy(`
+	udev_read_db(ypserv_t)
+')
+
+########################################
+#
+# ypxfr local policy
+#
+
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+
+corenet_non_ipsec_sendrecv(ypxfr_t)
+corenet_tcp_sendrecv_all_if(ypxfr_t)
+corenet_udp_sendrecv_all_if(ypxfr_t)
+corenet_tcp_sendrecv_all_nodes(ypxfr_t)
+corenet_udp_sendrecv_all_nodes(ypxfr_t)
+corenet_tcp_sendrecv_all_ports(ypxfr_t)
+corenet_udp_sendrecv_all_ports(ypxfr_t)
+corenet_tcp_bind_all_nodes(ypxfr_t)
+corenet_udp_bind_all_nodes(ypxfr_t)
+corenet_tcp_bind_reserved_port(ypxfr_t)
+corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
+corenet_tcp_connect_all_ports(ypxfr_t)
+corenet_sendrecv_generic_server_packets(ypxfr_t)
+corenet_sendrecv_all_client_packets(ypxfr_t)
+
+files_read_etc_files(ypxfr_t)
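Review bot: The ypxfr_t local policy at the end of the hunk omits `libs_use_ld_so(ypxfr_t)` and `libs_use_shared_libs(ypxfr_t)`, which every other domain in this file receives (ypbind_t, yppasswdd_t, ypserv_t), so a dynamically linked ypxfr entered through `nis_domtrans_ypxfr(ypserv_t)` would be denied loading the runtime linker. It also has no rule on var_yp_t, although ypxfr's presumable job is to write transferred maps there, and none of the `self:process` or `self:fifo_file` rules its siblings carry; this reads as an unfinished domain rather than a deliberately minimal one. I would add `libs_use_ld_so(ypxfr_t)`, `libs_use_shared_libs(ypxfr_t)` and `miscfiles_read_localization(ypxfr_t)` next to `files_read_etc_files(ypxfr_t)`, and confirm the var_yp_t access against an audit log before widening further. Separately, `corenet_tcp_connect_all_ports(ypxfr_t)` is broader than a map-transfer client obviously needs; a why-comment stating which peers and ports it must reach would let the next reviewer judge it.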
diff --git a/policy/modules/services/nscd.fc b/policy/modules/services/nscd.fc
new file mode 100644
index 0000000..1f8489b
--- /dev/null
+++ b/policy/modules/services/nscd.fc
@@ -0,0 +1,11 @@
+
+/usr/sbin/nscd		--	gen_context(system_u:object_r:nscd_exec_t,s0)
+
+/var/db/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/log/nscd\.log.*	--	gen_context(system_u:object_r:nscd_log_t,s0)
+
+/var/run/nscd\.pid	--	gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/run/\.nscd_socket	-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/run/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
new file mode 100644
index 0000000..0625b2d
--- /dev/null
+++ b/policy/modules/services/nscd.if
@@ -0,0 +1,146 @@
+## <summary>Name service cache daemon</summary>
+
+########################################
+## <summary>
+##	Send generic signals to NSCD.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nscd_signal',`
+	gen_require(`
+		type nscd_t;
+	')
+
+	allow $1 nscd_t:process signal;
+')
+
+########################################
+## <summary>
+##	Execute NSCD in the nscd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nscd_domtrans',`
+	gen_require(`
+		type nscd_t, nscd_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,nscd_exec_t,nscd_t)
+
+	allow $1 nscd_t:fd use;
+	allow nscd_t $1:fd use;
+	allow nscd_t $1:fifo_file rw_file_perms;
+	allow nscd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Use NSCD services by connecting using
+##	a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nscd_socket_use',`
+	gen_require(`
+		type nscd_t, nscd_var_run_t;
+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+	')
+
+	allow $1 self:unix_stream_socket create_socket_perms;
+
+	allow $1 nscd_t:unix_stream_socket connectto;
+	allow $1 nscd_t:nscd { getpwd getgrp gethost };
+	dontaudit $1 nscd_t:fd use;
+	dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+
+	files_search_pids($1)
+	allow $1 nscd_var_run_t:dir r_dir_perms;
+	allow $1 nscd_var_run_t:sock_file rw_file_perms;
+	dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Use NSCD services by mapping the database from
+##	an inherited NSCD file descriptor.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nscd_shm_use',`
+	gen_require(`
+		type nscd_t, nscd_var_run_t;
+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+	')
+
+	allow $1 nscd_var_run_t:dir r_dir_perms;
+	allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+
+	# Receive fd from nscd and map the backing file with read access.
+	allow $1 nscd_t:fd use;
+
+	# cjp: these were originally inherited from the
+	# nscd_socket_domain macro.  need to investigate
+	# if they are all actually required
+	allow $1 self:unix_stream_socket create_stream_socket_perms;
+	allow $1 nscd_t:unix_stream_socket connectto;
+	allow $1 nscd_var_run_t:sock_file rw_file_perms;
+	files_search_pids($1)
+	allow $1 nscd_t:nscd { getpwd getgrp gethost };
+	dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read NSCD pid file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nscd_read_pid',`
+	gen_require(`
+		type nscd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 nscd_var_run_t:dir search;
+	allow $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Unconfined access to NSCD services.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nscd_unconfined',`
+	gen_require(`
+		type nscd_t;
+		class nscd all_nscd_perms;
+	')
+
+	allow $1 nscd_t:nscd *;
+')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
new file mode 100644
index 0000000..1b44ce8
--- /dev/null
+++ b/policy/modules/services/nscd.te
@@ -0,0 +1,138 @@
+
+policy_module(nscd,1.2.5)
+
+gen_require(`
+	class nscd all_nscd_perms;
+')
+
+########################################
+#
+# Declarations
+#
+
+# cjp: this is out of order because of an
+# ordering problem with loadable modules
+type nscd_var_run_t;
+files_pid_file(nscd_var_run_t)
+
+# nscd is both the client program and the daemon.
+type nscd_t;
+type nscd_exec_t;
+init_daemon_domain(nscd_t,nscd_exec_t)
+
+type nscd_log_t;
+logging_log_file(nscd_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow nscd_t self:capability { kill setgid setuid };
+dontaudit nscd_t self:capability sys_tty_config;
+allow nscd_t self:process { getattr setsched signal_perms };
+allow nscd_t self:fifo_file { read write };
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+allow nscd_t self:unix_dgram_socket create_socket_perms;
+allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
+allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow nscd_t self:tcp_socket create_socket_perms;
+allow nscd_t self:udp_socket create_socket_perms;
+
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon. 
+allow nscd_t self:nscd { admin getstat };
+
+allow nscd_t nscd_log_t:file create_file_perms;
+logging_log_filetrans(nscd_t,nscd_log_t,file)
+
+allow nscd_t nscd_var_run_t:file create_file_perms;
+allow nscd_t nscd_var_run_t:sock_file create_file_perms;
+allow nscd_t nscd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
+
+kernel_read_kernel_sysctls(nscd_t)
+kernel_list_proc(nscd_t)
+kernel_read_proc_symlinks(nscd_t)
+
+dev_read_sysfs(nscd_t)
+dev_read_rand(nscd_t)
+dev_read_urand(nscd_t)
+
+fs_getattr_all_fs(nscd_t)
+fs_search_auto_mountpoints(nscd_t)
+
+term_dontaudit_use_console(nscd_t)
+
+# for when /etc/passwd has just been updated and has the wrong type
+auth_getattr_shadow(nscd_t)
+
+corenet_non_ipsec_sendrecv(nscd_t)
+corenet_tcp_sendrecv_all_if(nscd_t)
+corenet_udp_sendrecv_all_if(nscd_t)
+corenet_tcp_sendrecv_all_nodes(nscd_t)
+corenet_udp_sendrecv_all_nodes(nscd_t)
+corenet_tcp_sendrecv_all_ports(nscd_t)
+corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_tcp_connect_all_ports(nscd_t)
+corenet_sendrecv_all_client_packets(nscd_t)
+corenet_rw_tun_tap_dev(nscd_t)
+
+selinux_get_fs_mount(nscd_t)
+selinux_validate_context(nscd_t)
+selinux_compute_access_vector(nscd_t)
+selinux_compute_create_context(nscd_t)
+selinux_compute_relabel_context(nscd_t)
+selinux_compute_user_contexts(nscd_t)
+domain_use_interactive_fds(nscd_t)
+
+files_read_etc_files(nscd_t)
+files_read_generic_tmp_symlinks(nscd_t)
+
+init_use_fds(nscd_t)
+init_use_script_ptys(nscd_t)
+
+libs_use_ld_so(nscd_t)
+libs_use_shared_libs(nscd_t)
+
+logging_send_syslog_msg(nscd_t)
+
+miscfiles_read_certs(nscd_t)
+miscfiles_read_localization(nscd_t)
+
+seutil_read_config(nscd_t)
+seutil_read_default_contexts(nscd_t)
+seutil_sigchld_newrole(nscd_t)
+
+sysnet_dns_name_resolve(nscd_t)
+sysnet_read_config(nscd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+userdom_dontaudit_search_sysadm_home_dirs(nscd_t)
+
+ifdef(`targeted_policy',`
+	term_use_unallocated_ttys(nscd_t)
+	term_use_generic_ptys(nscd_t)
+
+	term_dontaudit_use_unallocated_ttys(nscd_t)
+	term_dontaudit_use_generic_ptys(nscd_t)
+	files_dontaudit_read_root_files(nscd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(nscd_t)
+')
+
+optional_policy(`
+	samba_stream_connect_winbind(nscd_t)
+')
+
+optional_policy(`
+	udev_read_db(nscd_t)
+')
+
+optional_policy(`
+	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
+	xen_append_log(nscd_t)
+')
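Review bot: `corenet_rw_tun_tap_dev(nscd_t)` at the end of the corenet block grants read/write on tun/tap devices to the name-service cache, and nothing else in the hunk explains why a lookup daemon would touch a virtual network device. The other network rules here (DNS resolution, outbound connects for lookups) follow from nscd's role; this one does not, and an unexplained device grant widens what a compromised nscd could reach. If it came from an audit2allow denial, the rule deserves a why-comment such as `# tun/tap rw: TODO confirm — observed in AVC denials when …`; otherwise I would drop it and re-test. Relatedly, `corenet_tcp_connect_all_ports(nscd_t)` is wider than `sysnet_dns_name_resolve(nscd_t)` already provides; a comment naming the extra backends it is meant to reach would make the breadth reviewable.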
diff --git a/policy/modules/services/nsd.fc b/policy/modules/services/nsd.fc
new file mode 100644
index 0000000..e18eae8
--- /dev/null
+++ b/policy/modules/services/nsd.fc
@@ -0,0 +1,14 @@
+
+/etc/nsd(/.*)?       		gen_context(system_u:object_r:nsd_conf_t,s0)
+/etc/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_db_t,s0)
+/etc/nsd/primary(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd/secondary(/.*)?	gen_context(system_u:object_r:nsd_zone_t,s0)
+
+/usr/sbin/nsd      	--	gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsdc      	--	gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-notify	--	gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/zonec		--	gen_context(system_u:object_r:nsd_exec_t,s0)
+
+/var/lib/nsd(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
+/var/lib/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_db_t,s0)
+/var/run/nsd\.pid	--	gen_context(system_u:object_r:nsd_var_run_t,s0)
diff --git a/policy/modules/services/nsd.if b/policy/modules/services/nsd.if
new file mode 100644
index 0000000..3004b55
--- /dev/null
+++ b/policy/modules/services/nsd.if
@@ -0,0 +1,39 @@
+## <summary>Authoritative only name server</summary>
+
+########################################
+## <summary>
+##	Send and receive datagrams from NSD.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsd_udp_chat',`
+	gen_require(`
+		type nsd_t;
+	')
+	allow $1 nsd_t:udp_socket sendto;
+	allow nsd_t $1:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Connect to NSD over a TCP socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsd_tcp_connect',`
+	gen_require(`
+		type nsd_t;
+	')
+
+	allow $1 nsd_t:tcp_socket { connectto recvfrom };
+	allow nsd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
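Review bot: `nsd_udp_chat` is documented as "Send and receive datagrams from NSD", but its two rules cover only one direction: `$1` may `sendto` nsd_t and nsd_t may `recvfrom` `$1`, with no `allow nsd_t $1:udp_socket sendto;` / `allow $1 nsd_t:udp_socket recvfrom;` for the reply path. Either the summary overstates the interface or a caller relying on it would be denied on the response; if one-way is intended, the summary should read `##	Send datagrams to NSD.`. As a point of style, the body also lacks the blank line after the `gen_require` block that `nsd_tcp_connect` below and every interface in nscd.if use.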
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
new file mode 100644
index 0000000..e3b56d8
--- /dev/null
+++ b/policy/modules/services/nsd.te
@@ -0,0 +1,203 @@
+
+policy_module(nsd,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type nsd_t;
+type nsd_exec_t;
+init_daemon_domain(nsd_t,nsd_exec_t)
+
+# A type for configuration files of nsd
+type nsd_conf_t;
+files_type(nsd_conf_t)
+
+type nsd_crond_t;
+domain_type(nsd_crond_t)
+domain_entry_file(nsd_crond_t,nsd_exec_t)
+role system_r types nsd_crond_t;
+
+# a type for nsd.db
+type nsd_db_t;
+files_type(nsd_db_t)
+
+type nsd_var_run_t;
+files_pid_file(nsd_var_run_t)
+
+# A type for zone files
+type nsd_zone_t;
+files_type(nsd_zone_t)
+
+########################################
+#
+# NSD Local policy
+#
+
+allow nsd_t self:capability { dac_override chown setuid setgid };
+dontaudit nsd_t self:capability sys_tty_config;
+allow nsd_t self:process signal_perms;
+allow nsd_t self:tcp_socket create_stream_socket_perms;
+allow nsd_t self:udp_socket create_socket_perms;
+
+allow nsd_t nsd_conf_t:dir r_dir_perms;
+allow nsd_t nsd_conf_t:file r_file_perms;
+allow nsd_t nsd_conf_t:lnk_file { getattr read };
+
+allow nsd_t nsd_db_t:file manage_file_perms;
+type_transition nsd_t nsd_zone_t:file nsd_db_t;
+allow nsd_t nsd_zone_t:dir rw_dir_perms;
+
+allow nsd_t nsd_var_run_t:file create_file_perms;
+allow nsd_t nsd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(nsd_t,nsd_var_run_t,file)
+
+allow nsd_t nsd_zone_t:dir r_dir_perms;
+allow nsd_t nsd_zone_t:file r_file_perms;
+allow nsd_t nsd_zone_t:lnk_file { getattr read };
+
+can_exec(nsd_t,nsd_exec_t)
+
+kernel_read_system_state(nsd_t)
+kernel_read_kernel_sysctls(nsd_t)
+
+corecmd_exec_bin(nsd_t)
+
+corenet_non_ipsec_sendrecv(nsd_t)
+corenet_tcp_sendrecv_generic_if(nsd_t)
+corenet_udp_sendrecv_generic_if(nsd_t)
+corenet_tcp_sendrecv_all_nodes(nsd_t)
+corenet_udp_sendrecv_all_nodes(nsd_t)
+corenet_tcp_sendrecv_all_ports(nsd_t)
+corenet_udp_sendrecv_all_ports(nsd_t)
+corenet_tcp_bind_all_nodes(nsd_t)
+corenet_udp_bind_all_nodes(nsd_t)
+corenet_tcp_bind_dns_port(nsd_t)
+corenet_udp_bind_dns_port(nsd_t)
+corenet_sendrecv_dns_server_packets(nsd_t)
+
+dev_read_sysfs(nsd_t)
+
+domain_use_interactive_fds(nsd_t)
+
+files_read_etc_files(nsd_t)
+files_read_etc_runtime_files(nsd_t)
+
+fs_getattr_all_fs(nsd_t)
+fs_search_auto_mountpoints(nsd_t)
+
+term_dontaudit_use_console(nsd_t)
+
+init_use_fds(nsd_t)
+init_use_script_ptys(nsd_t)
+
+libs_use_ld_so(nsd_t)
+libs_use_shared_libs(nsd_t)
+
+logging_send_syslog_msg(nsd_t)
+
+miscfiles_read_localization(nsd_t)
+
+sysnet_read_config(nsd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nsd_t)
+userdom_dontaudit_search_sysadm_home_dirs(nsd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(nsd_t)
+	term_dontaudit_use_generic_ptys(nsd_t)
+	files_dontaudit_read_root_files(nsd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(nsd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(nsd_t)
+')
+
+optional_policy(`
+	udev_read_db(nsd_t)
+')
+
+########################################
+#
+# Zone update cron job local policy
+#
+
+# kill capability for root cron job and non-root daemon
+allow nsd_crond_t self:capability { dac_override kill };
+dontaudit nsd_crond_t self:capability sys_nice;
+allow nsd_crond_t self:process { setsched signal_perms };
+allow nsd_crond_t self:fifo_file rw_file_perms;
+allow nsd_crond_t self:tcp_socket create_socket_perms;
+allow nsd_crond_t self:udp_socket create_socket_perms;
+
+allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
+
+allow nsd_crond_t nsd_db_t:file manage_file_perms;
+type_transition nsd_crond_t nsd_zone_t:file nsd_db_t;
+allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
+files_search_var_lib(nsd_crond_t)
+
+allow nsd_crond_t nsd_t:process signal;
+allow nsd_crond_t nsd_t:dir { search getattr read };
+allow nsd_crond_t nsd_t:{ file lnk_file } { read getattr };
+allow nsd_crond_t nsd_t:process getattr;
+
+allow nsd_crond_t nsd_zone_t:file manage_file_perms;
+allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
+type_transition nsd_crond_t nsd_conf_t:file nsd_zone_t;
+allow nsd_crond_t nsd_conf_t:dir rw_dir_perms;
+
+can_exec(nsd_crond_t,nsd_exec_t)
+
+kernel_read_system_state(nsd_crond_t)
+
+corecmd_exec_bin(nsd_crond_t)
+corecmd_exec_sbin(nsd_crond_t)
+corecmd_exec_shell(nsd_crond_t)
+
+corenet_non_ipsec_sendrecv(nsd_crond_t)
+corenet_tcp_sendrecv_generic_if(nsd_crond_t)
+corenet_udp_sendrecv_generic_if(nsd_crond_t)
+corenet_tcp_sendrecv_all_nodes(nsd_crond_t)
+corenet_udp_sendrecv_all_nodes(nsd_crond_t)
+corenet_tcp_sendrecv_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_all_ports(nsd_crond_t)
+corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_sendrecv_all_client_packets(nsd_crond_t)
+
+# for SSP
+dev_read_urand(nsd_crond_t)
+
+domain_dontaudit_read_all_domains_state(nsd_crond_t)
+
+files_read_etc_files(nsd_crond_t)
+files_read_etc_runtime_files(nsd_crond_t)
+files_search_var_lib(nsd_t)
+
+libs_use_ld_so(nsd_crond_t)
+libs_use_shared_libs(nsd_crond_t)
+
+logging_send_syslog_msg(nsd_crond_t)
+
+miscfiles_read_localization(nsd_crond_t)
+
+sysnet_read_config(nsd_crond_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(nsd_crond_t)
+
+optional_policy(`
+	cron_system_entry(nsd_crond_t,nsd_exec_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(nsd_crond_t)
+')
+
+optional_policy(`
+	nscd_read_pid(nsd_crond_t)
+')
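Review bot: `files_search_var_lib(nsd_t)` sits in the "Zone update cron job local policy" section, between the nsd_crond_t `files_*` rules, although it applies to nsd_t; it belongs in the NSD local policy block next to `files_read_etc_runtime_files(nsd_t)`. In the nsd_t block itself, `allow nsd_t nsd_zone_t:dir r_dir_perms;` is fully covered by the earlier `allow nsd_t nsd_zone_t:dir rw_dir_perms;`, so one of the two should go, and the `# a type for nsd.db` comment is the natural place to note that both nsd_t and nsd_crond_t create nsd_db_t files inside nsd_zone_t directories via `type_transition`. On the security side, `dac_override` for nsd_t and `corenet_tcp_connect_all_ports(nsd_crond_t)` for the zone-update job are both broader than an authoritative DNS server and its transfer job obviously need; a why-comment on each, or a DNS-port-specific connect interface for the cron job, would make those grants reviewable.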
diff --git a/policy/modules/services/ntop.fc b/policy/modules/services/ntop.fc
new file mode 100644
index 0000000..da88341
--- /dev/null
+++ b/policy/modules/services/ntop.fc
@@ -0,0 +1,7 @@
+/etc/ntop(/.*)?			gen_context(system_u:object_r:ntop_etc_t,s0)
+
+/usr/bin/ntop		--	gen_context(system_u:object_r:ntop_exec_t,s0)
+/usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:ntop_http_content_t,s0)
+
+/var/lib/ntop(/.*)?		gen_context(system_u:object_r:ntop_var_lib_t,s0)
+/var/run/ntop.pid	--	gen_context(system_u:object_r:ntop_var_run_t,s0)
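Review bot: `/var/run/ntop.pid` leaves the dot unescaped, unlike every other pid entry in this series (`nscd\.pid`, `nsd\.pid`, `ntpd\.pid`), so as a regex it also matches names such as `/var/run/ntopXpid`. It should read `/var/run/ntop\.pid	--	gen_context(system_u:object_r:ntop_var_run_t,s0)`. The effect is cosmetic today, but fc patterns are regexes and an unescaped `.` is the usual source of an unintended label landing on a neighbouring file.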
diff --git a/policy/modules/services/ntop.if b/policy/modules/services/ntop.if
new file mode 100644
index 0000000..4bf0a14
--- /dev/null
+++ b/policy/modules/services/ntop.if
@@ -0,0 +1 @@
+## <summary>Network Top</summary>
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
new file mode 100644
index 0000000..d4a2380
--- /dev/null
+++ b/policy/modules/services/ntop.te
@@ -0,0 +1,113 @@
+
+policy_module(ntop,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type ntop_t;
+type ntop_exec_t;
+init_daemon_domain(ntop_t,ntop_exec_t)
+
+type ntop_etc_t;
+files_config_file(ntop_etc_t)
+
+type ntop_http_content_t;
+files_type(ntop_http_content_t)
+
+type ntop_tmp_t;
+files_tmp_file(ntop_tmp_t)
+
+type ntop_var_lib_t;
+files_type(ntop_var_lib_t)
+
+type ntop_var_run_t;
+files_pid_file(ntop_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+dontaudit ntop_t self:capability sys_tty_config;
+allow ntop_t self:process signal_perms;
+allow ntop_t self:fifo_file { read write };
+allow ntop_t self:tcp_socket create_stream_socket_perms;
+allow ntop_t self:udp_socket create_socket_perms;
+allow ntop_t self:packet_socket create_socket_perms;
+
+allow ntop_t ntop_etc_t:file r_file_perms;
+allow ntop_t ntop_etc_t:dir r_dir_perms;
+allow ntop_t ntop_etc_t:lnk_file { getattr read };
+
+allow ntop_t ntop_http_content_t:file r_file_perms;
+allow ntop_t ntop_http_content_t:dir r_dir_perms;
+
+allow ntop_t ntop_tmp_t:dir create_dir_perms;
+allow ntop_t ntop_tmp_t:file create_file_perms;
+files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
+
+allow ntop_t ntop_var_lib_t:file create_file_perms;
+allow ntop_t ntop_var_lib_t:dir { create rw_dir_perms };
+files_var_lib_filetrans(ntop_t,ntop_var_lib_t,file)
+
+allow ntop_t ntop_var_run_t:file manage_file_perms;
+allow ntop_t ntop_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ntop_t,ntop_var_run_t,file)
+
+kernel_read_network_state(ntop_t)
+kernel_read_kernel_sysctls(ntop_t)
+kernel_list_proc(ntop_t)
+kernel_read_proc_symlinks(ntop_t)
+
+corenet_non_ipsec_sendrecv(ntop_t)
+corenet_tcp_sendrecv_generic_if(ntop_t)
+corenet_udp_sendrecv_generic_if(ntop_t)
+corenet_raw_sendrecv_generic_if(ntop_t)
+corenet_tcp_sendrecv_all_nodes(ntop_t)
+corenet_udp_sendrecv_all_nodes(ntop_t)
+corenet_raw_sendrecv_all_nodes(ntop_t)
+corenet_tcp_sendrecv_all_ports(ntop_t)
+corenet_udp_sendrecv_all_ports(ntop_t)
+
+dev_read_sysfs(ntop_t)
+
+domain_use_interactive_fds(ntop_t)
+
+files_read_etc_files(ntop_t)
+
+fs_getattr_all_fs(ntop_t)
+fs_search_auto_mountpoints(ntop_t)
+
+term_dontaudit_use_console(ntop_t)
+
+init_use_fds(ntop_t)
+init_use_script_ptys(ntop_t)
+
+libs_use_ld_so(ntop_t)
+libs_use_shared_libs(ntop_t)
+
+logging_send_syslog_msg(ntop_t)
+
+miscfiles_read_localization(ntop_t)
+
+sysnet_read_config(ntop_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ntop_t)
+userdom_dontaudit_search_sysadm_home_dirs(ntop_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(ntop_t)
+	term_dontaudit_use_generic_ptys(ntop_t)
+	files_dontaudit_read_root_files(ntop_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(ntop_t)
+')
+
+optional_policy(`
+	udev_read_db(ntop_t)
+')
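Review bot: `allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };` grants sys_admin with no comment, and sys_admin is the capability closest to unrestricted root; net_raw and net_admin are the ones a packet monitor visibly needs for promiscuous capture. Unless a specific ntop operation is known to require it, I would start with `dontaudit ntop_t self:capability sys_admin;` beside the existing `sys_tty_config` dontaudit and promote it to allow, with a why-comment, only once an AVC denial shows what it is for. A second gap worth confirming: the ntop_http_content_t read rules suggest ntop serves a web UI, yet there is no `corenet_tcp_bind_*` rule in the domain, so either the HTTP listener would be denied or the bind is expected to come from somewhere outside this hunk.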
diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
new file mode 100644
index 0000000..6719480
--- /dev/null
+++ b/policy/modules/services/ntp.fc
@@ -0,0 +1,19 @@
+
+/etc/ntp(d)?\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+
+/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+
+/etc/ntp/step-tickers.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp/data(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
+
+/usr/sbin/ntpd			--	gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+/var/lib/ntp(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
+
+/var/log/ntp.*			--	gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)?			gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
+
+/var/run/ntpd\.pid		--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
new file mode 100644
index 0000000..bbae8f8
--- /dev/null
+++ b/policy/modules/services/ntp.if
@@ -0,0 +1,65 @@
+## <summary>Network time protocol daemon</summary>
+
+########################################
+## <summary>
+##	NTP stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	<summary>
+##	N/A
+##	</summary>
+## </param>
+#
+interface(`ntp_stub',`
+	gen_require(`
+		type ntpd_t;
+	')
+')
+
+########################################
+## <summary>
+##	Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ntp_domtrans',`
+	gen_require(`
+		type ntpd_t, ntpd_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,ntpd_exec_t,ntpd_t)
+
+	allow $1 ntpd_t:fd use;
+	allow ntpd_t $1:fd use;
+	allow ntpd_t $1:fifo_file rw_file_perms;
+	allow ntpd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ntp_domtrans_ntpdate',`
+	gen_require(`
+		type ntpd_t, ntpdate_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,ntpdate_exec_t,ntpd_t)
+
+	allow $1 ntpd_t:fd use;
+	allow ntpd_t $1:fd use;
+	allow ntpd_t $1:fifo_file rw_file_perms;
+	allow ntpd_t $1:process sigchld;
+')
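Review bot: The summary of `ntp_domtrans_ntpdate` reads "Execute ntp server in the ntpd domain.", a copy of the `ntp_domtrans` summary above it, although this interface transitions on `ntpdate_exec_t`. It should read `##	Execute ntpdate in the ntpd domain.`. It would also help to say in that summary that both interfaces land in the single ntpd_t domain, since that is why a one-shot ntpdate run inherits the full daemon's permissions (the `init_system_domain(ntpd_t,ntpdate_exec_t)` declaration that does this is in ntp.te).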
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
new file mode 100644
index 0000000..859cf22
--- /dev/null
+++ b/policy/modules/services/ntp.te
@@ -0,0 +1,159 @@
+
+policy_module(ntp,1.1.4)
+
+########################################
+#
+# Declarations
+#
+
+type ntp_drift_t;
+files_type(ntp_drift_t)
+
+type ntpd_t;
+type ntpd_exec_t;
+init_daemon_domain(ntpd_t,ntpd_exec_t)
+
+type ntpd_log_t;
+logging_log_file(ntpd_log_t)
+
+type ntpd_tmp_t;
+files_tmp_file(ntpd_tmp_t)
+
+type ntpd_var_run_t;
+files_pid_file(ntpd_var_run_t)
+
+type ntpdate_exec_t;
+init_system_domain(ntpd_t,ntpdate_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# sys_resource and setrlimit is for locking memory
+# ntpdate wants sys_nice
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
+allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
+allow ntpd_t self:fifo_file { read write getattr };
+allow ntpd_t self:unix_dgram_socket create_socket_perms;
+allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
+allow ntpd_t self:tcp_socket create_stream_socket_perms;
+allow ntpd_t self:udp_socket { create_socket_perms sendto recvfrom };
+
+allow ntpd_t ntp_drift_t:dir rw_dir_perms;
+allow ntpd_t ntp_drift_t:file create_file_perms;
+
+can_exec(ntpd_t,ntpd_exec_t)
+
+allow ntpd_t ntpd_log_t:file create_file_perms;
+allow ntpd_t ntpd_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
+
+# for some reason it creates a file in /tmp
+allow ntpd_t ntpd_tmp_t:dir create_dir_perms;
+allow ntpd_t ntpd_tmp_t:file create_file_perms;
+files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
+
+allow ntpd_t ntpd_var_run_t:file create_file_perms;
+allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
+
+kernel_read_kernel_sysctls(ntpd_t)
+kernel_read_system_state(ntpd_t)
+kernel_read_network_state(ntpd_t)
+
+corenet_non_ipsec_sendrecv(ntpd_t)
+corenet_tcp_sendrecv_all_if(ntpd_t)
+corenet_udp_sendrecv_all_if(ntpd_t)
+corenet_tcp_sendrecv_all_nodes(ntpd_t)
+corenet_udp_sendrecv_all_nodes(ntpd_t)
+corenet_tcp_sendrecv_all_ports(ntpd_t)
+corenet_udp_sendrecv_all_ports(ntpd_t)
+corenet_tcp_bind_all_nodes(ntpd_t)
+corenet_udp_bind_all_nodes(ntpd_t)
+corenet_udp_bind_ntp_port(ntpd_t)
+corenet_tcp_connect_ntp_port(ntpd_t)
+corenet_sendrecv_ntp_server_packets(ntpd_t)
+corenet_sendrecv_ntp_client_packets(ntpd_t)
+
+dev_read_sysfs(ntpd_t)
+# for SSP
+dev_read_urand(ntpd_t)
+
+fs_getattr_all_fs(ntpd_t)
+fs_search_auto_mountpoints(ntpd_t)
+
+term_dontaudit_use_console(ntpd_t)
+
+auth_use_nsswitch(ntpd_t)
+
+corecmd_exec_bin(ntpd_t)
+corecmd_exec_sbin(ntpd_t)
+corecmd_exec_ls(ntpd_t)
+corecmd_exec_shell(ntpd_t)
+
+domain_use_interactive_fds(ntpd_t)
+domain_dontaudit_list_all_domains_state(ntpd_t)
+
+files_read_etc_files(ntpd_t)
+files_read_etc_runtime_files(ntpd_t)
+files_read_usr_files(ntpd_t)
+files_list_var_lib(ntpd_t)
+
+init_exec_script_files(ntpd_t)
+init_use_fds(ntpd_t)
+init_use_script_ptys(ntpd_t)
+
+libs_use_ld_so(ntpd_t)
+libs_use_shared_libs(ntpd_t)
+
+logging_send_syslog_msg(ntpd_t)
+
+miscfiles_read_localization(ntpd_t)
+
+sysnet_read_config(ntpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
+userdom_list_sysadm_home_dirs(ntpd_t)
+userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(ntpd_t)
+	term_dontaudit_use_generic_ptys(ntpd_t)
+	files_dontaudit_read_root_files(ntpd_t)
+')
+
+optional_policy(`
+	# for cron jobs
+	cron_system_entry(ntpd_t,ntpdate_exec_t)
+')
+
+optional_policy(`
+	firstboot_dontaudit_use_fds(ntpd_t)
+')
+
+optional_policy(`
+	logrotate_exec(ntpd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(ntpd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(ntpd_t)
+')
+
+optional_policy(`
+	samba_stream_connect_winbind(ntpd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(ntpd_t)
+')
+
+optional_policy(`
+	udev_read_db(ntpd_t)
+')
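Review bot: `sys_nice` is both allowed (`allow ntpd_t self:capability { ... sys_nice ... }`) and dontaudited on the next line; a dontaudit on a permission that is already allowed never fires, so the dontaudit set should be `dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid };`. The same pattern appears with `userdom_list_sysadm_home_dirs(ntpd_t)` immediately followed by `userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)` — one of the two is dead, and since the allow is the broader grant it is worth a comment stating why a time daemon needs to list sysadm home directories at all, or dropping it in favour of the dontaudit. The `# ntpdate wants sys_nice` comment above the capability line already explains the allow, so the dontaudit entry looks like a leftover.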
diff --git a/policy/modules/services/nx.fc b/policy/modules/services/nx.fc
new file mode 100644
index 0000000..3a294f3
--- /dev/null
+++ b/policy/modules/services/nx.fc
@@ -0,0 +1,5 @@
+/opt/NX/bin/nxserver		--	gen_context(system_u:object_r:nx_server_exec_t,s0)
+
+/opt/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
+/opt/NX/var(/.*)?			gen_context(system_u:object_r:nx_server_var_run_t,s0)
diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if
new file mode 100644
index 0000000..2287f85
--- /dev/null
+++ b/policy/modules/services/nx.if
@@ -0,0 +1,22 @@
+## <summary>NX remote desktop</summary>
+
+########################################
+## <summary>
+##	Transition to NX server.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nx_spec_domtrans_server',`
+	gen_require(`
+		type nx_server_t, nx_server_exec_t;
+	')
+
+	domain_trans($1,nx_server_exec_t,nx_server_t)
+	allow nx_server_t $1:fd use;
+	allow nx_server_t $1:fifo_file rw_file_perms;
+	allow nx_server_t $1:process sigchld;
+')
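Review bot: The summary "Transition to NX server." does not say that this is a manual transition: `domain_trans` only permits the transition and adds no `type_transition`, so a caller that expects an automatic domain change on exec of `nx_server_exec_t` will not get one (the `spec_` prefix hints at this, but the docs should state it). Suggested summary: `##	Allow the specified domain to transition to the NX server domain when executing nxserver. No type_transition is added; the caller must set up the transition itself.` The parameter summary "Domain allowed access." could then read "Domain allowed to transition."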
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
new file mode 100644
index 0000000..7c6d817
--- /dev/null
+++ b/policy/modules/services/nx.te
@@ -0,0 +1,94 @@
+
+policy_module(nx,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type nx_server_t;
+type nx_server_exec_t;
+domain_type(nx_server_t)
+domain_entry_file(nx_server_t,nx_server_exec_t)
+domain_user_exemption_target(nx_server_t)
+# we need an extra role because nxserver is called from sshd
+# cjp: do we really need this?
+role nx_server_r types nx_server_t;
+allow system_r nx_server_r;
+
+type nx_server_devpts_t;
+term_user_pty(nx_server_t,nx_server_devpts_t)
+
+type nx_server_tmp_t;
+files_tmp_file(nx_server_tmp_t)
+
+type nx_server_var_run_t;
+files_pid_file(nx_server_var_run_t)
+
+########################################
+#
+# NX server local policy
+#
+
+allow nx_server_t self:fifo_file { getattr ioctl read write };
+allow nx_server_t self:tcp_socket create_socket_perms;
+allow nx_server_t self:udp_socket create_socket_perms;
+
+allow nx_server_t nx_server_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(nx_server_t,nx_server_devpts_t)
+
+allow nx_server_t nx_server_tmp_t:dir manage_dir_perms;
+allow nx_server_t nx_server_tmp_t:file manage_file_perms;
+files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
+
+allow nx_server_t nx_server_var_run_t:file manage_file_perms;
+allow nx_server_t nx_server_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(nx_server_t,nx_server_var_run_t,file)
+
+kernel_read_system_state(nx_server_t)
+kernel_read_kernel_sysctls(nx_server_t)
+
+# nxserver is a shell script --> call other programs
+corecmd_exec_shell(nx_server_t)
+corecmd_exec_bin(nx_server_t)
+
+corenet_non_ipsec_sendrecv(nx_server_t)
+corenet_tcp_sendrecv_generic_if(nx_server_t)
+corenet_udp_sendrecv_generic_if(nx_server_t)
+corenet_tcp_sendrecv_all_nodes(nx_server_t)
+corenet_udp_sendrecv_all_nodes(nx_server_t)
+corenet_tcp_sendrecv_all_ports(nx_server_t)
+corenet_udp_sendrecv_all_ports(nx_server_t)
+corenet_tcp_connect_all_ports(nx_server_t)
+corenet_sendrecv_all_client_packets(nx_server_t)
+
+dev_read_urand(nx_server_t)
+
+files_read_etc_files(nx_server_t)
+files_read_etc_runtime_files(nx_server_t)
+# for reading the config files; maybe a separate type, 
+# but users need to be able to also read the config
+files_read_usr_files(nx_server_t)
+
+libs_use_ld_so(nx_server_t)
+libs_use_shared_libs(nx_server_t)
+
+miscfiles_read_localization(nx_server_t)
+
+seutil_dontaudit_search_config(nx_server_t)
+
+sysnet_read_config(nx_server_t)
+
+ifdef(`TODO',`
+# clients already have create permissions; the nxclient wants to also have unlink rights
+allow userdomain xdm_tmp_t:sock_file unlink;
+# for a lockfile created by the client process
+allow nx_server_t user_tmpfile:file getattr;
+')
+
+########################################
+#
+# SSH component local policy
+#
+
+ssh_basic_client_template(nx_server,nx_server_t,nx_server_r)
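Review bot: The `ifdef(`TODO',...)` block near the end of the hunk references `userdomain`, `xdm_tmp_t` and `user_tmpfile` with no `gen_require`, so it cannot be enabled by simply defining `TODO` without also breaking the module build; it should either be removed or turned into a proper `optional_policy` block with the required types declared. Separately, `corenet_tcp_connect_all_ports(nx_server_t)` combined with `corecmd_exec_shell`/`corecmd_exec_bin` is a wide grant for what the comment describes as a shell script that calls other programs; if the set of ports nxserver actually connects to is known (ssh is the obvious one, given the `ssh_basic_client_template` call), a port-specific `corenet_tcp_connect_*_port` interface would be the tighter choice — worth confirming against the audit log before merging.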
diff --git a/policy/modules/services/oav.fc b/policy/modules/services/oav.fc
new file mode 100644
index 0000000..0a66474
--- /dev/null
+++ b/policy/modules/services/oav.fc
@@ -0,0 +1,9 @@
+/etc/oav-update(/.*)?			gen_context(system_u:object_r:oav_update_etc_t,s0)
+/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0)
+
+/usr/sbin/oav-update		--	gen_context(system_u:object_r:oav_update_exec_t,s0)
+/usr/sbin/scannerdaemon		--	gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
+
+/var/lib/oav-virussignatures	--	gen_context(system_u:object_r:oav_update_var_lib_t,s0)
+/var/lib/oav-update(/.*)?		gen_context(system_u:object_r:oav_update_var_lib_t,s0)
+/var/log/scannerdaemon\.log 	--	gen_context(system_u:object_r:scannerdaemon_log_t,s0)
diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if
new file mode 100644
index 0000000..122b069
--- /dev/null
+++ b/policy/modules/services/oav.if
@@ -0,0 +1,56 @@
+## <summary>Open AntiVirus scannerdaemon and signature update</summary>
+
+########################################
+## <summary>
+##	Execute oav_update in the oav_update domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`oav_domtrans_update',`
+	gen_require(`
+		type oav_update_t, oav_update_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,oav_update_exec_t,oav_update_t)
+
+	allow $1 oav_update_t:fd use;
+	allow oav_update_t $1:fd use;
+	allow oav_update_t $1:fifo_file rw_file_perms;
+	allow oav_update_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute oav_update in the oav_update domain, and
+##	allow the specified role the oav_update domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the oav_update domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the oav_update domain to use.
+##	</summary>
+## </param>
+#
+interface(`oav_run_update',`
+	gen_require(`
+		type oav_update_t;
+	')
+
+	oav_domtrans_update($1)
+	role $2 types oav_update_t;
+	allow oav_update_t $3:chr_file rw_term_perms;
+')
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
new file mode 100644
index 0000000..736c67e
--- /dev/null
+++ b/policy/modules/services/oav.te
@@ -0,0 +1,164 @@
+
+policy_module(oav,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type oav_update_t;
+type oav_update_exec_t;
+domain_type(oav_update_t)
+domain_entry_file(oav_update_t,oav_update_exec_t)
+
+# cjp: may be collapsable to etc_t
+type oav_update_etc_t;
+files_type(oav_update_etc_t)
+
+type oav_update_var_lib_t;
+files_type(oav_update_var_lib_t)
+
+type scannerdaemon_t;
+type scannerdaemon_exec_t;
+init_daemon_domain(scannerdaemon_t,scannerdaemon_exec_t)
+
+type scannerdaemon_etc_t;
+files_type(scannerdaemon_etc_t)
+
+type scannerdaemon_log_t;
+logging_log_file(scannerdaemon_log_t)
+
+type scannerdaemon_var_run_t;
+files_pid_file(scannerdaemon_var_run_t)
+
+########################################
+#
+# OAV update local policy
+#
+
+allow oav_update_t self:tcp_socket create_stream_socket_perms;
+allow oav_update_t self:udp_socket create_socket_perms;
+
+# Can read /etc/oav-update/* files
+allow oav_update_t oav_update_etc_t:dir r_dir_perms;
+allow oav_update_t oav_update_etc_t:file r_file_perms;
+
+# Can read /var/lib/oav-update/current
+allow oav_update_t oav_update_var_lib_t:dir manage_dir_perms;
+allow oav_update_t oav_update_var_lib_t:file manage_file_perms;
+allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
+
+corecmd_exec_all_executables(oav_update_t)
+
+corenet_non_ipsec_sendrecv(oav_update_t)
+corenet_tcp_sendrecv_generic_if(oav_update_t)
+corenet_udp_sendrecv_generic_if(oav_update_t)
+corenet_tcp_sendrecv_all_nodes(oav_update_t)
+corenet_udp_sendrecv_all_nodes(oav_update_t)
+corenet_tcp_sendrecv_all_ports(oav_update_t)
+corenet_udp_sendrecv_all_ports(oav_update_t)
+
+files_exec_etc_files(oav_update_t)
+
+libs_use_ld_so(oav_update_t)
+libs_use_shared_libs(oav_update_t)
+libs_exec_ld_so(oav_update_t)
+libs_exec_lib_files(oav_update_t)
+libs_use_ld_so(oav_update_t)
+libs_use_shared_libs(oav_update_t)
+
+logging_send_syslog_msg(oav_update_t)
+
+sysnet_read_config(oav_update_t)
+
+optional_policy(`
+	cron_system_entry(oav_update_t,oav_update_exec_t)
+')
+
+########################################
+#
+# Scannerdaemon local policy
+#
+
+dontaudit scannerdaemon_t self:capability sys_tty_config;
+allow scannerdaemon_t self:process signal_perms;
+allow scannerdaemon_t self:fifo_file { read write };
+allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
+allow scannerdaemon_t self:udp_socket create_socket_perms;
+
+allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;
+allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;
+files_search_var_lib(scannerdaemon_t)
+
+allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;
+
+allow scannerdaemon_t scannerdaemon_log_t:file create_file_perms;
+logging_log_filetrans(scannerdaemon_t,scannerdaemon_log_t,file)
+
+allow scannerdaemon_t scannerdaemon_var_run_t:file create_file_perms;
+allow scannerdaemon_t scannerdaemon_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(scannerdaemon_t,scannerdaemon_var_run_t,file)
+
+kernel_read_system_state(scannerdaemon_t)
+kernel_read_kernel_sysctls(scannerdaemon_t)
+
+# Can run kaffe
+corecmd_exec_all_executables(scannerdaemon_t)
+
+corenet_non_ipsec_sendrecv(scannerdaemon_t)
+corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
+corenet_udp_sendrecv_generic_if(scannerdaemon_t)
+corenet_tcp_sendrecv_all_nodes(scannerdaemon_t)
+corenet_udp_sendrecv_all_nodes(scannerdaemon_t)
+corenet_tcp_sendrecv_all_ports(scannerdaemon_t)
+corenet_udp_sendrecv_all_ports(scannerdaemon_t)
+
+dev_read_sysfs(scannerdaemon_t)
+
+domain_use_interactive_fds(scannerdaemon_t)
+
+files_read_etc_files(scannerdaemon_t)
+files_read_etc_runtime_files(scannerdaemon_t)
+# Can run kaffe
+files_exec_etc_files(scannerdaemon_t)
+
+fs_getattr_all_fs(scannerdaemon_t)
+fs_search_auto_mountpoints(scannerdaemon_t)
+
+term_dontaudit_use_console(scannerdaemon_t)
+
+auth_dontaudit_read_shadow(scannerdaemon_t)
+
+init_use_fds(scannerdaemon_t)
+init_use_script_ptys(scannerdaemon_t)
+
+libs_use_ld_so(scannerdaemon_t)
+libs_use_shared_libs(scannerdaemon_t)
+# Can run kaffe
+libs_use_ld_so(scannerdaemon_t)
+libs_use_shared_libs(scannerdaemon_t)
+libs_exec_ld_so(scannerdaemon_t)
+libs_exec_lib_files(scannerdaemon_t)
+
+logging_send_syslog_msg(scannerdaemon_t)
+
+miscfiles_read_localization(scannerdaemon_t)
+
+sysnet_read_config(scannerdaemon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
+userdom_dontaudit_search_sysadm_home_dirs(scannerdaemon_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(scannerdaemon_t)
+	term_dontaudit_use_generic_ptys(scannerdaemon_t)
+	files_dontaudit_read_root_files(scannerdaemon_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(scannerdaemon_t)
+')
+
+optional_policy(`
+	udev_read_db(scannerdaemon_t)
+')
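Review bot: `libs_use_ld_so(oav_update_t)` / `libs_use_shared_libs(oav_update_t)` are called twice in the OAV update section, and the same two calls are duplicated for `scannerdaemon_t` in the Scannerdaemon section (once before and once after the `# Can run kaffe` comment); the second copies should be deleted. The comment `# Can read /var/lib/oav-update/current` does not match the rules beneath it, which grant `manage_dir_perms`/`manage_file_perms` on `oav_update_var_lib_t`; suggest `# Can create and update signature files under /var/lib/oav-update`. `corecmd_exec_all_executables` is used for both domains; for the daemon the comment says it is for running kaffe, so if the interpreter path is stable a narrower exec interface would reduce what a compromised scanner can launch — inferred, worth checking.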
diff --git a/policy/modules/services/openca.fc b/policy/modules/services/openca.fc
new file mode 100644
index 0000000..dc360b9
--- /dev/null
+++ b/policy/modules/services/openca.fc
@@ -0,0 +1,9 @@
+/etc/openca(/.*)?			gen_context(system_u:object_r:openca_etc_t,s0)
+/etc/openca/*.\.in(/.*)?		gen_context(system_u:object_r:openca_etc_in_t,s0)
+/etc/openca/rbac(/.*)?			gen_context(system_u:object_r:openca_etc_writeable_t,s0)
+
+/usr/share/openca(/.*)?			gen_context(system_u:object_r:openca_usr_share_t,s0)
+/usr/share/openca/cgi-bin/ca/.+ --	gen_context(system_u:object_r:openca_ca_exec_t,s0)
+
+/var/lib/openca(/.*)?			gen_context(system_u:object_r:openca_var_lib_t,s0)
+/var/lib/openca/crypto/keys(/.*)?	gen_context(system_u:object_r:openca_var_lib_keys_t,s0)
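Review bot: The pattern `/etc/openca/*.\.in(/.*)?` is almost certainly not what was intended: the `*` quantifies the preceding `/` and the following `.` then matches exactly one arbitrary character, so the entry only labels one-character names such as `/etc/openca/x.in` and never `/etc/openca/config.in`. It should read `/etc/openca/.*\.in(/.*)?	gen_context(system_u:object_r:openca_etc_in_t,s0)`. The other entries in this file escape their dots consistently, so this looks like a typo rather than a deliberate pattern.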
diff --git a/policy/modules/services/openca.if b/policy/modules/services/openca.if
new file mode 100644
index 0000000..d84d2ed
--- /dev/null
+++ b/policy/modules/services/openca.if
@@ -0,0 +1,80 @@
+## <summary>OpenCA - Open Certificate Authority</summary>
+
+########################################
+## <summary>
+##	Execute the OpenCA program with
+##	a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openca_domtrans',`
+	gen_require(`
+		type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
+	')
+
+	domain_auto_trans($1,openca_ca_exec_t,openca_ca_t)
+	allow httpd_t openca_usr_share_t:dir search_dir_perms;
+	files_search_usr(httpd_t)
+
+	allow openca_ca_t $1:fd use;
+	allow openca_ca_t $1:fifo_file rw_file_perms;
+	allow openca_ca_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send OpenCA generic signals.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openca_signal',`
+	gen_require(`
+		type openca_ca_t;
+	')
+
+	allow $1 openca_ca_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send OpenCA stop signals.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openca_sigstop',`
+	gen_require(`
+		type openca_ca_t;
+	')
+
+	allow $1 openca_ca_t:process sigstop;
+')
+
+########################################
+## <summary>
+##	Kill OpenCA.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openca_kill',`
+	gen_require(`
+		type openca_ca_t;
+	')
+
+	allow $1 openca_ca_t:process sigkill;
+')
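Review bot: `openca_domtrans` hardcodes `httpd_t` in `allow httpd_t openca_usr_share_t:dir search_dir_perms;` and `files_search_usr(httpd_t)` instead of using `$1`, and `httpd_t` is not listed in the interface's `gen_require`, so the interface silently ignores its parameter and will fail to compile in any module where the apache types are not already in scope. Both lines should use the parameter: `allow $1 openca_usr_share_t:dir search_dir_perms;` and `files_search_usr($1)`. If the intent really is that only apache may call this, that belongs in the interface summary rather than in a hidden type reference.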
diff --git a/policy/modules/services/openca.te b/policy/modules/services/openca.te
new file mode 100644
index 0000000..04fc293
--- /dev/null
+++ b/policy/modules/services/openca.te
@@ -0,0 +1,85 @@
+
+policy_module(openca,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openca_ca_t;
+type openca_ca_exec_t;
+domain_type(openca_ca_t)
+domain_entry_file(openca_ca_t,openca_ca_exec_t)
+role system_r types openca_ca_t;
+
+# cjp: seems like some of these types
+# can be removed and replaced with generic
+# etc or usr files.
+
+# /etc/openca standard files
+type openca_etc_t;
+files_type(openca_etc_t)
+
+# /etc/openca template files
+type openca_etc_in_t;
+files_type(openca_etc_in_t)
+
+# /etc/openca writeable (from CGI script) files
+type openca_etc_writeable_t;
+files_type(openca_etc_writeable_t)
+
+# /usr/share/openca/crypto/keys
+type openca_usr_share_t;
+files_type(openca_usr_share_t)
+
+# /var/lib/openca
+type openca_var_lib_t;
+files_type(openca_var_lib_t)
+
+# /var/lib/openca/crypto/keys
+type openca_var_lib_keys_t;
+files_type(openca_var_lib_keys_t)
+
+########################################
+#
+# Local policy
+#
+
+# Allow access to other files under /etc/openca
+allow openca_ca_t openca_etc_t:file r_file_perms;
+allow openca_ca_t openca_etc_t:dir r_dir_perms;
+
+# Allow access to writeable files under /etc/openca
+allow openca_ca_t openca_etc_writeable_t:file manage_file_perms;
+allow openca_ca_t openca_etc_writeable_t:dir manage_dir_perms;
+
+# Allow access to other /var/lib/openca files
+allow openca_ca_t openca_var_lib_t:file manage_file_perms;
+allow openca_ca_t openca_var_lib_t:dir manage_dir_perms;
+
+# Allow access to private CA key
+allow openca_ca_t openca_var_lib_keys_t:file manage_file_perms;
+allow openca_ca_t openca_var_lib_keys_t:dir manage_dir_perms;
+
+# Allow access to other /usr/share/openca files
+allow openca_ca_t openca_usr_share_t:file r_file_perms;
+allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
+allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
+
+# the perl executable will be able to run a perl script
+corecmd_exec_bin(openca_ca_t)
+
+dev_read_rand(openca_ca_t)
+
+files_list_default(openca_ca_t)
+
+init_use_fds(openca_ca_t)
+init_use_script_fds(openca_ca_t)
+
+libs_use_ld_so(openca_ca_t)
+libs_use_shared_libs(openca_ca_t)
+libs_exec_lib_files(openca_ca_t)
+
+apache_append_log(openca_ca_t)
+# Allow the script to return its output
+apache_rw_cache_files(openca_ca_t)
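Review bot: The comment `# /usr/share/openca/crypto/keys` above `type openca_usr_share_t;` contradicts openca.fc, which labels all of `/usr/share/openca(/.*)?` with this type and puts the keys under `/var/lib/openca/crypto/keys` as `openca_var_lib_keys_t` (whose own comment in this hunk is correct); it should read `# /usr/share/openca`. On the rule commented `# Allow access to private CA key`, `manage_file_perms` lets the CGI-facing `openca_ca_t` create, overwrite and delete the CA key material; if the running service only needs to use the key, `r_file_perms` on `openca_var_lib_keys_t` would be the least-privilege choice — inferred from the type name, so worth confirming against what the OpenCA scripts actually do.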
diff --git a/policy/modules/services/openct.fc b/policy/modules/services/openct.fc
new file mode 100644
index 0000000..8aaadc5
--- /dev/null
+++ b/policy/modules/services/openct.fc
@@ -0,0 +1,9 @@
+#
+# /usr
+#
+/usr/sbin/openct-control	 --	gen_context(system_u:object_r:openct_exec_t,s0)
+
+#
+# /var
+#
+/var/run/openct(/.*)?		gen_context(system_u:object_r:openct_var_run_t,s0)
diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
new file mode 100644
index 0000000..6df1a48
--- /dev/null
+++ b/policy/modules/services/openct.if
@@ -0,0 +1 @@
+## <summary>Service for handling smart card readers.</summary>
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
new file mode 100644
index 0000000..3e55f55
--- /dev/null
+++ b/policy/modules/services/openct.te
@@ -0,0 +1,71 @@
+
+policy_module(openct,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openct_t;
+type openct_exec_t;
+init_daemon_domain(openct_t,openct_exec_t)
+
+type openct_var_run_t;
+files_pid_file(openct_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit openct_t self:capability sys_tty_config;
+allow openct_t self:process signal_perms;
+
+allow openct_t openct_var_run_t:file create_file_perms;
+allow openct_t openct_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(openct_t,openct_var_run_t,file)
+
+kernel_read_kernel_sysctls(openct_t)
+kernel_list_proc(openct_t)
+kernel_read_proc_symlinks(openct_t)
+
+dev_read_sysfs(openct_t)
+# openct asks for this
+dev_rw_usbfs(openct_t)
+
+domain_use_interactive_fds(openct_t)
+
+# openct asks for this
+files_read_etc_files(openct_t)
+
+fs_getattr_all_fs(openct_t)
+fs_search_auto_mountpoints(openct_t)
+
+term_dontaudit_use_console(openct_t)
+
+init_use_fds(openct_t)
+init_use_script_ptys(openct_t)
+
+libs_use_ld_so(openct_t)
+libs_use_shared_libs(openct_t)
+
+logging_send_syslog_msg(openct_t)
+
+miscfiles_read_localization(openct_t)
+
+userdom_dontaudit_use_unpriv_user_fds(openct_t)
+userdom_dontaudit_search_sysadm_home_dirs(openct_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(openct_t)
+	term_dontaudit_use_generic_ptys(openct_t)
+	files_dontaudit_read_root_files(openct_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(openct_t)
+')
+
+optional_policy(`
+	udev_read_db(openct_t)
+')
diff --git a/policy/modules/services/openvpn.fc b/policy/modules/services/openvpn.fc
new file mode 100644
index 0000000..046d5d7
--- /dev/null
+++ b/policy/modules/services/openvpn.fc
@@ -0,0 +1,15 @@
+#
+# /etc
+#
+/etc/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_etc_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/openvpn	--	gen_context(system_u:object_r:openvpn_exec_t,s0)
+
+#
+# /var
+#
+/var/log/openvpn.*	--	gen_context(system_u:object_r:openvpn_var_log_t,s0)
+/var/run/openvpn.*	--	gen_context(system_u:object_r:openvpn_var_run_t,s0)
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
new file mode 100644
index 0000000..78bbc4b
--- /dev/null
+++ b/policy/modules/services/openvpn.if
@@ -0,0 +1,23 @@
+## <summary>full-featured SSL VPN solution</summary>
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	OpenVPN configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvpn_read_config',`
+	gen_require(`
+		type openvpn_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 openvpn_etc_t:dir r_dir_perms;
+	allow $1 openvpn_etc_t:file r_file_perms;
+	allow $1 openvpn_etc_t:lnk_file { getattr read };
+')
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
new file mode 100644
index 0000000..8277b36
--- /dev/null
+++ b/policy/modules/services/openvpn.te
@@ -0,0 +1,91 @@
+
+policy_module(openvpn,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+# main openvpn domain
+type openvpn_t;
+type openvpn_exec_t;
+init_daemon_domain(openvpn_t, openvpn_exec_t)
+
+# configuration files
+type openvpn_etc_t;
+files_type(openvpn_etc_t)
+
+# log files
+type openvpn_var_log_t;
+logging_log_file(openvpn_var_log_t)
+
+# pid files
+type openvpn_var_run_t;
+files_pid_file(openvpn_var_run_t)
+
+########################################
+#
+# openvpn local policy
+#
+
+allow openvpn_t self:capability { net_admin setgid setuid };
+allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
+allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvpn_t self:udp_socket create_socket_perms;
+allow openvpn_t self:tcp_socket create_socket_perms;
+
+allow openvpn_t openvpn_etc_t:dir r_dir_perms;
+allow openvpn_t openvpn_etc_t:file r_file_perms;
+allow openvpn_t openvpn_etc_t:lnk_file { getattr read };
+
+allow openvpn_t openvpn_var_log_t:file create_file_perms;
+logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
+
+allow openvpn_t openvpn_var_run_t:file create_file_perms;
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
+
+kernel_read_kernel_sysctls(openvpn_t)
+kernel_read_net_sysctls(openvpn_t)
+kernel_read_network_state(openvpn_t)
+kernel_read_system_state(openvpn_t)
+
+corecmd_exec_bin(openvpn_t)
+corecmd_exec_sbin(openvpn_t)
+corecmd_exec_shell(openvpn_t)
+
+corenet_non_ipsec_sendrecv(openvpn_t)
+corenet_tcp_sendrecv_all_if(openvpn_t)
+corenet_udp_sendrecv_all_if(openvpn_t)
+corenet_tcp_sendrecv_generic_node(openvpn_t)
+corenet_udp_sendrecv_generic_node(openvpn_t)
+corenet_tcp_sendrecv_all_ports(openvpn_t)
+corenet_udp_sendrecv_all_ports(openvpn_t)
+corenet_tcp_bind_all_nodes(openvpn_t)
+corenet_udp_bind_all_nodes(openvpn_t)
+corenet_tcp_bind_openvpn_port(openvpn_t)
+corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_sendrecv_openvpn_server_packets(openvpn_t)
+corenet_rw_tun_tap_dev(openvpn_t)
+
+dev_read_rand(openvpn_t)
+dev_read_urand(openvpn_t)
+
+files_read_etc_files(openvpn_t)
+files_read_etc_runtime_files(openvpn_t)
+
+libs_use_ld_so(openvpn_t)
+libs_use_shared_libs(openvpn_t)
+
+logging_send_syslog_msg(openvpn_t)
+
+miscfiles_read_localization(openvpn_t)
+
+sysnet_exec_ifconfig(openvpn_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(openvpn_t)
+')
+
+optional_policy(`
+	daemontools_service_domain(openvpn_t,openvpn_exec_t)
+')
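Review bot: `corenet_tcp_sendrecv_generic_node`/`corenet_udp_sendrecv_generic_node` are paired with `corenet_tcp_bind_all_nodes`/`corenet_udp_bind_all_nodes`; binding on every node type but only sending/receiving on the generic node means traffic on any specifically labeled node would be denied, so the two pairs should agree (either both `_all_nodes` or both `_generic_node`). The network rules also only cover the server side (`corenet_tcp_bind_openvpn_port`, `corenet_udp_bind_openvpn_port`, `corenet_sendrecv_openvpn_server_packets`); if client configurations, which connect out to a remote server, are meant to work under this domain, `corenet_tcp_connect_openvpn_port(openvpn_t)` and `corenet_sendrecv_openvpn_client_packets(openvpn_t)` are missing — inferred from the summary in openvpn.if, worth confirming. A short comment on the `corecmd_exec_shell` line stating that it is for the `up`/`down` hook scripts would also help the next reader.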
diff --git a/policy/modules/services/pegasus.fc b/policy/modules/services/pegasus.fc
new file mode 100644
index 0000000..601c91c
--- /dev/null
+++ b/policy/modules/services/pegasus.fc
@@ -0,0 +1,12 @@
+
+/etc/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_conf_t,s0)
+/etc/Pegasus/pegasus_current.conf	gen_context(system_u:object_r:pegasus_data_t,s0)
+
+/usr/sbin/cimserver		--	gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository	-- 	gen_context(system_u:object_r:pegasus_exec_t,s0)
+
+/var/lib/Pegasus(/.*)?	                gen_context(system_u:object_r:pegasus_data_t,s0)
+
+/var/run/tog-pegasus(/.*)?              gen_context(system_u:object_r:pegasus_var_run_t,s0)
+
+/usr/share/Pegasus/mof(/.*)?/.*\.mof    gen_context(system_u:object_r:pegasus_mof_t,s0)
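Review bot: The entry `/etc/Pegasus/pegasus_current.conf` leaves its dot unescaped, unlike every other entry in the file, and carries no file-class field, so it also matches directories and any single character in that position; it should read `/etc/Pegasus/pegasus_current\.conf	--	gen_context(system_u:object_r:pegasus_data_t,s0)`. The `/usr/share/Pegasus/mof` line is placed after the `/var` entries; the convention in the other fc files of this commit is to group by path prefix, so it belongs next to the `/usr/sbin` entries.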
diff --git a/policy/modules/services/pegasus.if b/policy/modules/services/pegasus.if
new file mode 100644
index 0000000..920b13f
--- /dev/null
+++ b/policy/modules/services/pegasus.if
@@ -0,0 +1 @@
+## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
new file mode 100644
index 0000000..7769803
--- /dev/null
+++ b/policy/modules/services/pegasus.te
@@ -0,0 +1,155 @@
+
+policy_module(pegasus,1.1.4)
+
+########################################
+#
+# Declarations
+#
+
+type pegasus_t;
+type pegasus_exec_t;
+init_daemon_domain(pegasus_t,pegasus_exec_t)
+
+type pegasus_data_t;
+files_type(pegasus_data_t)
+
+type pegasus_tmp_t;
+files_tmp_file(pegasus_tmp_t)
+
+type pegasus_conf_t;
+files_type(pegasus_conf_t)
+
+type pegasus_mof_t;
+files_type(pegasus_mof_t)
+
+type pegasus_var_run_t;
+files_pid_file(pegasus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service audit_write }; 
+dontaudit pegasus_t self:capability sys_tty_config;
+allow pegasus_t self:process signal;
+allow pegasus_t self:fifo_file rw_file_perms;
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
+allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow pegasus_t self:tcp_socket create_stream_socket_perms;
+
+allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
+allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink };
+allow pegasus_t pegasus_conf_t:lnk_file r_file_perms;
+
+allow pegasus_t pegasus_data_t:dir rw_dir_perms;
+allow pegasus_t pegasus_data_t:file create_file_perms;
+allow pegasus_t pegasus_data_t:lnk_file create_lnk_perms;
+type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;
+
+can_exec(pegasus_t,pegasus_exec_t)
+
+allow pegasus_t pegasus_mof_t:dir r_dir_perms;
+allow pegasus_t pegasus_mof_t:file r_file_perms;
+allow pegasus_t pegasus_mof_t:lnk_file { getattr read };
+
+allow pegasus_t pegasus_tmp_t:dir create_dir_perms;
+allow pegasus_t pegasus_tmp_t:file create_file_perms;
+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
+
+allow pegasus_t pegasus_var_run_t:file create_file_perms;
+allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
+allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(pegasus_t,pegasus_var_run_t,file)
+
+kernel_read_kernel_sysctls(pegasus_t)
+kernel_read_fs_sysctls(pegasus_t)
+kernel_read_system_state(pegasus_t)
+kernel_search_vm_sysctl(pegasus_t)
+kernel_read_net_sysctls(pegasus_t)
+
+corenet_non_ipsec_sendrecv(pegasus_t)
+corenet_tcp_sendrecv_all_if(pegasus_t)
+corenet_tcp_sendrecv_all_nodes(pegasus_t)
+corenet_tcp_sendrecv_all_ports(pegasus_t)
+corenet_tcp_bind_all_nodes(pegasus_t)
+corenet_tcp_bind_pegasus_http_port(pegasus_t)
+corenet_tcp_bind_pegasus_https_port(pegasus_t)
+corenet_tcp_connect_pegasus_http_port(pegasus_t)
+corenet_tcp_connect_pegasus_https_port(pegasus_t)
+corenet_tcp_connect_generic_port(pegasus_t)
+corenet_sendrecv_generic_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+
+corecmd_exec_sbin(pegasus_t)
+corecmd_exec_bin(pegasus_t)
+corecmd_exec_shell(pegasus_t)
+
+dev_read_sysfs(pegasus_t)
+dev_read_urand(pegasus_t)
+
+fs_getattr_all_fs(pegasus_t)
+fs_search_auto_mountpoints(pegasus_t)
+files_getattr_all_dirs(pegasus_t)
+
+term_dontaudit_use_console(pegasus_t)
+
+auth_use_nsswitch(pegasus_t)
+auth_domtrans_chk_passwd(pegasus_t)
+
+domain_use_interactive_fds(pegasus_t)
+domain_read_all_domains_state(pegasus_t)
+
+files_read_etc_files(pegasus_t)
+files_list_var_lib(pegasus_t)
+files_read_var_lib_files(pegasus_t)
+files_read_var_lib_symlinks(pegasus_t)
+
+hostname_exec(pegasus_t)
+
+init_use_fds(pegasus_t)
+init_use_script_ptys(pegasus_t)
+init_rw_utmp(pegasus_t)
+init_stream_connect_script(pegasus_t)
+
+libs_use_ld_so(pegasus_t)
+libs_use_shared_libs(pegasus_t)
+
+miscfiles_read_localization(pegasus_t)
+
+sysnet_read_config(pegasus_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(pegasus_t)
+	term_dontaudit_use_generic_ptys(pegasus_t)
+	files_dontaudit_read_root_files(pegasus_t)
+	unconfined_signull(pegasus_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(pegasus_t)
+')
+
+optional_policy(`
+	nscd_socket_use(pegasus_t)
+')
+
+optional_policy(`
+	rpm_exec(pegasus_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(pegasus_t)
+	seutil_dontaudit_read_config(pegasus_t)
+')
+
+optional_policy(`
+	udev_read_db(pegasus_t)
+')
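Review bot: `logging_send_syslog_msg(pegasus_t)` is wrapped in `optional_policy` while every other module in this commit (ntp, oav, openct, openvpn) calls it unconditionally; the logging module is a base module, so the wrapper is unnecessary and makes the modules inconsistent — call it directly alongside `libs_use_shared_libs(pegasus_t)`. The capability line ends with a trailing space after `audit_write };`. `domain_read_all_domains_state(pegasus_t)` lets the CIM server read the process state of every domain on the system; a one-line comment saying which provider needs this (presumably the OS/process providers) would justify the width of the grant for future reviewers.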
diff --git a/policy/modules/services/perdition.fc b/policy/modules/services/perdition.fc
new file mode 100644
index 0000000..bcdf89b
--- /dev/null
+++ b/policy/modules/services/perdition.fc
@@ -0,0 +1,3 @@
+/etc/perdition(/.*)?		gen_context(system_u:object_r:perdition_etc_t,s0)
+
+/usr/sbin/perdition	--	gen_context(system_u:object_r:perdition_exec_t,s0)
diff --git a/policy/modules/services/perdition.if b/policy/modules/services/perdition.if
new file mode 100644
index 0000000..949cc11
--- /dev/null
+++ b/policy/modules/services/perdition.if
@@ -0,0 +1,21 @@
+## <summary>Perdition POP and IMAP proxy</summary>
+
+########################################
+## <summary>
+##	Connect to perdition over a TCP socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`perdition_tcp_connect',`
+	gen_require(`
+		type perdition_t;
+	')
+
+	allow $1 perdition_t:tcp_socket { connectto recvfrom };
+	allow perdition_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
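Review bot: `perdition_tcp_connect` grants only the socket-to-socket peer permissions (the two `allow` rules on `tcp_socket` plus `kernel_tcp_recvfrom`) and nothing about the port, so a caller still cannot reach the listener without a separate `corenet_tcp_connect_pop_port($1)`, the port perdition_t binds in perdition.te. Either add that call inside the interface or state the requirement in the header: `##	Callers also need corenet_tcp_connect_pop_port() to reach the listener.` The `connectto`/`acceptfrom` socket rules look like the legacy peer-labelling checks that are only enforced under the old labelled-networking model; if so, on a kernel without it this interface grants nothing effective, which is worth a one-line comment so the next maintainer does not rely on it.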
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
new file mode 100644
index 0000000..d9c4037
--- /dev/null
+++ b/policy/modules/services/perdition.te
@@ -0,0 +1,91 @@
+
+policy_module(perdition,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type perdition_t;
+type perdition_exec_t;
+init_daemon_domain(perdition_t,perdition_exec_t)
+
+type perdition_etc_t;
+files_config_file(perdition_etc_t)
+
+type perdition_var_run_t;
+files_pid_file(perdition_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow perdition_t self:capability { setgid setuid };
+dontaudit perdition_t self:capability sys_tty_config;
+allow perdition_t self:process signal_perms;
+allow perdition_t self:tcp_socket create_stream_socket_perms;
+allow perdition_t self:udp_socket create_socket_perms;
+
+allow perdition_t perdition_etc_t:file { getattr read };
+files_search_etc(perdition_t)
+
+allow perdition_t perdition_var_run_t:file create_file_perms;
+allow perdition_t perdition_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(perdition_t,perdition_var_run_t,file)
+
+kernel_read_kernel_sysctls(perdition_t)
+kernel_list_proc(perdition_t)
+kernel_read_proc_symlinks(perdition_t)
+kernel_tcp_recvfrom(perdition_t)
+
+corenet_non_ipsec_sendrecv(perdition_t)
+corenet_tcp_sendrecv_generic_if(perdition_t)
+corenet_udp_sendrecv_generic_if(perdition_t)
+corenet_tcp_sendrecv_all_nodes(perdition_t)
+corenet_udp_sendrecv_all_nodes(perdition_t)
+corenet_tcp_sendrecv_all_ports(perdition_t)
+corenet_udp_sendrecv_all_ports(perdition_t)
+corenet_tcp_bind_all_nodes(perdition_t)
+corenet_tcp_bind_pop_port(perdition_t)
+corenet_sendrecv_pop_server_packets(perdition_t)
+
+dev_read_sysfs(perdition_t)
+
+domain_use_interactive_fds(perdition_t)
+
+fs_getattr_all_fs(perdition_t)
+fs_search_auto_mountpoints(perdition_t)
+
+files_read_etc_files(perdition_t)
+
+term_dontaudit_use_console(perdition_t)
+
+init_use_fds(perdition_t)
+init_use_script_ptys(perdition_t)
+
+libs_use_ld_so(perdition_t)
+libs_use_shared_libs(perdition_t)
+
+logging_send_syslog_msg(perdition_t)
+
+miscfiles_read_localization(perdition_t)
+
+sysnet_read_config(perdition_t)
+
+userdom_dontaudit_use_unpriv_user_fds(perdition_t)
+userdom_dontaudit_search_sysadm_home_dirs(perdition_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(perdition_t)
+	term_dontaudit_use_generic_ptys(perdition_t)
+	files_dontaudit_read_root_files(perdition_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(perdition_t)
+')
+
+optional_policy(`
+	udev_read_db(perdition_t)
+')
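Review bot: perdition_t has no outbound connect permission: it binds the pop port (`corenet_tcp_bind_pop_port`) and has `corenet_tcp_sendrecv_all_ports`, but those grant send/recv only, not `name_connect`, so a proxy that opens a connection to the real POP/IMAP backend will be denied. Add `corenet_tcp_connect_pop_port(perdition_t)` and `corenet_sendrecv_pop_client_packets(perdition_t)` next to the bind rule (both follow the corenet naming pattern used elsewhere in this diff), or comment why no connect is needed. The perdition.if summary says "POP and IMAP proxy"; if the IMAP ports are not part of the pop port type in this tree, an IMAP bind rule is missing too. `perdition_var_run_t` is declared and a `files_pid_filetrans` is given, but perdition.fc has no `/var/run` entry for it, so a pid file written by the daemon will lose that label on the next relabel — add a file-context line if the daemon writes one.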
diff --git a/policy/modules/services/portmap.fc b/policy/modules/services/portmap.fc
new file mode 100644
index 0000000..2c42dfd
--- /dev/null
+++ b/policy/modules/services/portmap.fc
@@ -0,0 +1,12 @@
+
+/sbin/portmap		--	gen_context(system_u:object_r:portmap_exec_t,s0)
+
+ifdef(`distro_debian',`
+/sbin/pmap_dump		--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/sbin/pmap_set		--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+', `
+/usr/sbin/pmap_dump	--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/sbin/pmap_set	--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+')
+
+/var/run/portmap.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
new file mode 100644
index 0000000..430138c
--- /dev/null
+++ b/policy/modules/services/portmap.if
@@ -0,0 +1,125 @@
+## <summary>RPC port mapping service.</summary>
+
+########################################
+## <summary>
+##	Execute portmap_helper in the helper domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`portmap_domtrans_helper',`
+	gen_require(`
+		type portmap_helper_t, portmap_helper_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,portmap_helper_exec_t,portmap_helper_t)
+
+	allow $1 portmap_helper_t:fd use;
+	allow portmap_helper_t $1:fd use;
+	allow portmap_helper_t $1:fifo_file rw_file_perms;
+	allow portmap_helper_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute portmap helper in the helper domain, and
+##	allow the specified role the helper domain.
+##	Communicate with portmap.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the portmap domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the portmap domain to use.
+##	</summary>
+## </param>
+#
+interface(`portmap_run_helper',`
+	gen_require(`
+		type portmap_t, portmap_helper_t;
+	')
+
+	portmap_domtrans_helper($1)
+	role $2 types portmap_helper_t;
+	allow portmap_helper_t $3:chr_file { getattr read write ioctl };
+
+	# send to portmap
+	allow $1 portmap_t:udp_socket sendto;
+	allow portmap_t $1:udp_socket recvfrom;
+
+	# receive from portmap
+	allow portmap_t $1:udp_socket sendto;
+	allow $1 portmap_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic to portmap.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`portmap_udp_send',`
+	gen_require(`
+		type portmap_t;
+	')
+
+	allow $1 portmap_t:udp_socket sendto;
+	allow portmap_t $1:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP network traffic from portmap.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`portmap_udp_chat',`
+	gen_require(`
+		type portmap_t;
+	')
+
+	allow $1 portmap_t:udp_socket sendto;
+	allow portmap_t $1:udp_socket recvfrom;
+	allow portmap_t $1:udp_socket sendto;
+	allow $1 portmap_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Connect to portmap over a TCP socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`portmap_tcp_connect',`
+	gen_require(`
+		type portmap_t;
+	')
+
+	allow $1 portmap_t:tcp_socket { connectto recvfrom };
+	allow portmap_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
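Review bot: `portmap_run_helper` repeats the four UDP rules that `portmap_udp_chat` already defines, and `portmap_udp_chat` itself repeats the two rules of `portmap_udp_send`, so three copies of the same permissions will drift independently the next time one is extended. Replace the four `allow` lines under `# send to portmap`/`# receive from portmap` with `portmap_udp_chat($1)`, and the first two lines of `portmap_udp_chat` with `portmap_udp_send($1)`. `portmap_tcp_connect` grants only the socket-level peer permissions; a caller still needs `corenet_tcp_connect_portmap_port($1)` to reach the port, and the summary should say so.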
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
new file mode 100644
index 0000000..06e0af5
--- /dev/null
+++ b/policy/modules/services/portmap.te
@@ -0,0 +1,184 @@
+
+policy_module(portmap,1.2.4)
+
+########################################
+#
+# Declarations
+#
+
+type portmap_t;
+type portmap_exec_t;
+init_daemon_domain(portmap_t,portmap_exec_t)
+
+type portmap_helper_t;
+type portmap_helper_exec_t;
+init_system_domain(portmap_helper_t,portmap_helper_exec_t)
+role system_r types portmap_helper_t;
+
+type portmap_tmp_t;
+files_tmp_file(portmap_tmp_t)
+
+type portmap_var_run_t;
+files_pid_file(portmap_var_run_t)
+
+########################################
+#
+# Portmap local policy
+#
+
+allow portmap_t self:capability { setuid setgid };
+dontaudit portmap_t self:capability sys_tty_config;
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_t self:unix_dgram_socket create_socket_perms;
+allow portmap_t self:unix_stream_socket create_stream_socket_perms;
+allow portmap_t self:tcp_socket create_stream_socket_perms;
+allow portmap_t self:udp_socket create_socket_perms;
+
+allow portmap_t portmap_tmp_t:dir create_dir_perms;
+allow portmap_t portmap_tmp_t:file create_file_perms;
+files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
+
+allow portmap_t portmap_var_run_t:file create_file_perms;
+allow portmap_t portmap_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(portmap_t,portmap_var_run_t,file)
+
+kernel_read_kernel_sysctls(portmap_t)
+kernel_list_proc(portmap_t)
+kernel_read_proc_symlinks(portmap_t)
+kernel_tcp_recvfrom(portmap_t) 
+
+corenet_non_ipsec_sendrecv(portmap_t)
+corenet_tcp_sendrecv_all_if(portmap_t)
+corenet_udp_sendrecv_all_if(portmap_t)
+corenet_tcp_sendrecv_all_nodes(portmap_t)
+corenet_udp_sendrecv_all_nodes(portmap_t)
+corenet_tcp_sendrecv_all_ports(portmap_t)
+corenet_udp_sendrecv_all_ports(portmap_t)
+corenet_tcp_bind_all_nodes(portmap_t)
+corenet_udp_bind_all_nodes(portmap_t)
+corenet_tcp_bind_portmap_port(portmap_t)
+corenet_udp_bind_portmap_port(portmap_t)
+corenet_tcp_connect_all_ports(portmap_t)
+corenet_sendrecv_portmap_client_packets(portmap_t)
+corenet_sendrecv_portmap_server_packets(portmap_t)
+# portmap binds to arbitary ports
+corenet_tcp_bind_generic_port(portmap_t)
+corenet_udp_bind_generic_port(portmap_t)
+corenet_tcp_bind_reserved_port(portmap_t)
+corenet_udp_bind_reserved_port(portmap_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)
+
+dev_read_sysfs(portmap_t)
+
+fs_getattr_all_fs(portmap_t)
+fs_search_auto_mountpoints(portmap_t)
+
+term_dontaudit_use_console(portmap_t)
+
+domain_use_interactive_fds(portmap_t)
+
+files_read_etc_files(portmap_t)
+
+init_use_fds(portmap_t)
+init_use_script_ptys(portmap_t)
+init_udp_send(portmap_t)
+init_udp_send_script(portmap_t)
+
+libs_use_ld_so(portmap_t)
+libs_use_shared_libs(portmap_t)
+
+logging_send_syslog_msg(portmap_t)
+
+miscfiles_read_localization(portmap_t)
+
+sysnet_read_config(portmap_t)
+
+userdom_dontaudit_use_unpriv_user_fds(portmap_t)
+userdom_dontaudit_search_sysadm_home_dirs(portmap_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(portmap_t)
+	term_dontaudit_use_generic_ptys(portmap_t)
+	files_dontaudit_read_root_files(portmap_t)
+')
+
+optional_policy(`
+	inetd_udp_send(portmap_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(portmap_t)
+	nis_udp_send_ypbind(portmap_t)
+')
+
+optional_policy(`
+	nscd_socket_use(portmap_t)
+')
+
+optional_policy(`
+	rpc_udp_send_nfs(portmap_t)
+') 
+
+optional_policy(`
+	seutil_sigchld_newrole(portmap_t)
+')
+
+optional_policy(`
+	udev_read_db(portmap_t)
+')
+
+########################################
+#
+# Portmap helper local policy
+#
+
+dontaudit portmap_helper_t self:capability net_admin;
+allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
+allow portmap_helper_t self:udp_socket create_socket_perms;
+
+allow portmap_helper_t portmap_var_run_t:file create_file_perms;
+files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
+
+corenet_tcp_sendrecv_all_if(portmap_helper_t)
+corenet_udp_sendrecv_all_if(portmap_helper_t)
+corenet_raw_sendrecv_all_if(portmap_helper_t)
+corenet_tcp_sendrecv_all_nodes(portmap_helper_t)
+corenet_udp_sendrecv_all_nodes(portmap_helper_t)
+corenet_raw_sendrecv_all_nodes(portmap_helper_t)
+corenet_tcp_sendrecv_all_ports(portmap_helper_t)
+corenet_udp_sendrecv_all_ports(portmap_helper_t)
+corenet_non_ipsec_sendrecv(portmap_helper_t)
+corenet_tcp_bind_all_nodes(portmap_helper_t)
+corenet_udp_bind_all_nodes(portmap_helper_t)
+corenet_tcp_bind_reserved_port(portmap_helper_t)
+corenet_udp_bind_reserved_port(portmap_helper_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
+corenet_tcp_connect_all_ports(portmap_helper_t)
+
+domain_dontaudit_use_interactive_fds(portmap_helper_t)
+
+files_read_etc_files(portmap_helper_t)
+files_rw_generic_pids(portmap_helper_t)
+
+init_rw_utmp(portmap_helper_t)
+
+libs_use_ld_so(portmap_helper_t)
+libs_use_shared_libs(portmap_helper_t)
+
+logging_send_syslog_msg(portmap_helper_t)
+
+sysnet_read_config(portmap_helper_t)
+
+userdom_dontaudit_use_all_users_fds(portmap_helper_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(portmap_helper_t)
+	term_dontaudit_use_generic_ptys(portmap_helper_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(portmap_helper_t)
+')
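Review bot: `corenet_tcp_connect_all_ports(portmap_t)` is the widest outbound grant in the module and the comment `# portmap binds to arbitary ports` only justifies binding, not connecting; as far as I know portmap serves lookups on its own port and forwards indirect calls over UDP, so a TCP connect-anywhere right looks unneeded. Either drop it or record the reason, e.g. `# portmap connects back to registered RPC services -- TODO confirm which ports`. The same grant is repeated for portmap_helper_t, which additionally gets `corenet_raw_sendrecv_all_if` and `corenet_raw_sendrecv_all_nodes` without any `self:rawip_socket` permission, so those two rules are either dead or half of a missing rawip rule. The comment typo `arbitary` should read `arbitrary`.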
diff --git a/policy/modules/services/portslave.fc b/policy/modules/services/portslave.fc
new file mode 100644
index 0000000..2dd7786
--- /dev/null
+++ b/policy/modules/services/portslave.fc
@@ -0,0 +1,4 @@
+/etc/portslave(/.*)?		gen_context(system_u:object_r:portslave_etc_t,s0)
+
+/usr/sbin/ctlportslave	--	gen_context(system_u:object_r:portslave_exec_t,s0)
+/usr/sbin/portslave	--	gen_context(system_u:object_r:portslave_exec_t,s0)
diff --git a/policy/modules/services/portslave.if b/policy/modules/services/portslave.if
new file mode 100644
index 0000000..410cdb1
--- /dev/null
+++ b/policy/modules/services/portslave.if
@@ -0,0 +1,24 @@
+## <summary>Portslave terminal server software</summary>
+
+########################################
+## <summary>
+##	Execute portslave with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`portslave_domtrans',`
+	gen_require(`
+		type portslave_t, portslave_exec_t;
+	')
+
+	domain_auto_trans($1,portslave_exec_t,portslave_t)
+
+	allow $1 portslave_t:fd use;
+	allow portslave_t $1:fd use;
+	allow portslave_t $1:fifo_file rw_file_perms;
+	allow portslave_t $1:process sigchld;
+')
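Review bot: `portslave_domtrans` grants the transition but not the directory search a caller needs to reach the entrypoint: portslave.fc puts both binaries under /usr/sbin, and unlike `portmap_domtrans_helper` in this same commit (which calls `corecmd_search_bin($1)`) nothing here lets `$1` search that directory, so a caller that does not already have it fails before the transition. Add `corecmd_search_sbin($1)` before the `domain_auto_trans` line (or whatever the sbin counterpart of `corecmd_search_bin` is named in this tree), mirroring the portmap interface.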
diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te
new file mode 100644
index 0000000..5ebc80d
--- /dev/null
+++ b/policy/modules/services/portslave.te
@@ -0,0 +1,140 @@
+
+policy_module(portslave,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type portslave_t;
+type portslave_exec_t;
+init_domain(portslave_t,portslave_exec_t)
+init_daemon_domain(portslave_t,portslave_exec_t)
+
+type portslave_etc_t;
+files_type(portslave_etc_t)
+
+type portslave_lock_t;
+files_lock_file(portslave_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+# setuid setgid net_admin fsetid for pppd
+# sys_admin for ctlportslave
+# net_bind_service for rlogin
+allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
+dontaudit portslave_t self:capability sys_admin;
+allow portslave_t self:process signal_perms;
+allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow portslave_t self:fd use;
+allow portslave_t self:fifo_file rw_file_perms;
+allow portslave_t self:unix_dgram_socket create_socket_perms;
+allow portslave_t self:unix_stream_socket create_stream_socket_perms;
+allow portslave_t self:unix_dgram_socket sendto;
+allow portslave_t self:unix_stream_socket connectto;
+allow portslave_t self:shm create_shm_perms;
+allow portslave_t self:sem create_sem_perms;
+allow portslave_t self:msgq create_msgq_perms;
+allow portslave_t self:msg { send receive };
+allow portslave_t self:tcp_socket create_stream_socket_perms;
+allow portslave_t self:udp_socket create_socket_perms;
+
+allow portslave_t portslave_etc_t:dir r_dir_perms;
+allow portslave_t portslave_etc_t:file r_file_perms;
+allow portslave_t portslave_etc_t:lnk_file { getattr read };
+
+allow portslave_t portslave_lock_t:file create_file_perms;
+files_lock_filetrans(portslave_t,portslave_lock_t,file)
+
+kernel_read_system_state(portslave_t)
+kernel_read_kernel_sysctls(portslave_t)
+
+corecmd_exec_bin(portslave_t)
+corecmd_exec_shell(portslave_t)
+
+corenet_non_ipsec_sendrecv(portslave_t)
+corenet_tcp_sendrecv_generic_if(portslave_t)
+corenet_udp_sendrecv_generic_if(portslave_t)
+corenet_tcp_sendrecv_all_nodes(portslave_t)
+corenet_udp_sendrecv_all_nodes(portslave_t)
+corenet_tcp_sendrecv_all_ports(portslave_t)
+corenet_udp_sendrecv_all_ports(portslave_t)
+corenet_rw_ppp_dev(portslave_t)
+
+dev_read_sysfs(portslave_t)
+# for ssh
+dev_read_urand(portslave_t)
+
+domain_use_interactive_fds(portslave_t)
+
+files_read_etc_files(portslave_t)
+files_read_etc_runtime_files(portslave_t)
+files_exec_etc_files(portslave_t)
+
+fs_search_auto_mountpoints(portslave_t)
+fs_getattr_xattr_fs(portslave_t)
+
+term_use_unallocated_ttys(portslave_t)
+term_setattr_unallocated_ttys(portslave_t)
+term_use_all_user_ttys(portslave_t)
+term_dontaudit_use_console(portslave_t)
+term_search_ptys(portslave_t)
+
+auth_rw_login_records(portslave_t)
+auth_domtrans_chk_passwd(portslave_t)
+init_use_fds(portslave_t)
+init_use_script_ptys(portslave_t)
+init_rw_utmp(portslave_t)
+
+libs_use_ld_so(portslave_t)
+libs_use_shared_libs(portslave_t)
+
+logging_send_syslog_msg(portslave_t)
+logging_search_logs(portslave_t)
+
+sysnet_read_config(portslave_t)
+
+userdom_use_unpriv_users_fds(portslave_t)
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+userdom_search_all_users_home_dirs(portslave_t)
+
+mta_send_mail(portslave_t)
+
+# this should probably be a domtrans to pppd
+# instead of exec.
+ppp_read_rw_config(portslave_t)
+ppp_exec(portslave_t)
+ppp_read_secrets(portslave_t)
+ppp_manage_pid_files(portslave_t)
+ppp_pid_filetrans(portslave_t)
+
+ssh_exec(portslave_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(portslave_t)
+	term_dontaudit_use_generic_ptys(portslave_t)
+	files_dontaudit_read_root_files(portslave_t)
+')
+
+optional_policy(`
+	inetd_tcp_service_domain(portslave_t,portslave_exec_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(portslave_t)
+')
+
+optional_policy(`
+	radius_use(portslave_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(portslave_t)
+')
+
+optional_policy(`
+	udev_read_db(portslave_t)
+')
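Review bot: `allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` grants every process permission not listed, including any permission added to the class by a later policy or kernel, so the domain's rights widen silently over time; the preceding line already grants `signal_perms`. Replace the negated set with the explicit permissions the daemon is observed to need, or until that list is known add `# NOTE(review): negated set -- every future process permission is implicitly allowed` above it. The capability line is similarly wide for one domain (`setuid setgid net_admin fsetid net_bind_service sys_tty_config`) and its own comments attribute parts of it to pppd and rlogin, which is a second argument for the per-program domain split the in-code `# this should probably be a domtrans to pppd` remark already anticipates.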
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
new file mode 100644
index 0000000..696b5c5
--- /dev/null
+++ b/policy/modules/services/postfix.fc
@@ -0,0 +1,48 @@
+# postfix
+/etc/postfix(/.*)?		gen_context(system_u:object_r:postfix_etc_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/libexec/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/libexec/postfix/local --	gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/libexec/postfix/master --	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/libexec/postfix/pickup --	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/libexec/postfix/showq --	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/libexec/postfix/smtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/scache --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/smtpd --	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/libexec/postfix/bounce --	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+', `
+/usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(n)?qmgr --	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+')
+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
+/usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postcat	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+/usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlock	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlog	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postmap	--	gen_context(system_u:object_r:postfix_map_exec_t,s0)
+/usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+/usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/var/spool/postfix(/.*)?		gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix/flush(/.*)?	gen_context(system_u:object_r:postfix_spool_flush_t,s0)
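Review bot: `scache` is labelled `postfix_smtp_exec_t` in both the Red Hat and generic branches, so the connection-cache server runs with the full network rights of the smtp client domain rather than in a domain of its own; if that is deliberate it deserves a comment, e.g. `# scache shares the smtp domain (no dedicated domain yet)`. `/var/spool/postfix/pid/.*` labels the pid files but not the `pid` directory itself, which the `/var/spool/postfix(/.*)?` rule leaves as `postfix_spool_t`, so new pid files created there need a type transition on that directory; the `files_pid_filetrans` in the domain template covers /var/run only, and whether postfix.te adds one for the spool pid directory is outside this hunk and worth confirming.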
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
new file mode 100644
index 0000000..b6c9bb1
--- /dev/null
+++ b/policy/modules/services/postfix.if
@@ -0,0 +1,484 @@
+## <summary>Postfix email server</summary>
+
+########################################
+## <summary>
+##	Postfix stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	<summary>
+##	N/A
+##	</summary>
+## </param>
+#
+interface(`postfix_stub',`
+	gen_require(`
+		type postfix_master_t;
+	')
+')
+
+########################################
+## <summary>
+##	Creates types and rules for a basic
+##	postfix process domain.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the domain.
+##	</summary>
+## </param>
+#
+template(`postfix_domain_template',`
+	type postfix_$1_t;
+	type postfix_$1_exec_t;
+	domain_type(postfix_$1_t)
+	domain_entry_file(postfix_$1_t,postfix_$1_exec_t)
+	role system_r types postfix_$1_t;
+
+	dontaudit postfix_$1_t self:capability sys_tty_config;
+	allow postfix_$1_t self:process { signal_perms setpgid };
+	allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+	allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+	allow postfix_$1_t self:unix_stream_socket connectto;
+
+	allow postfix_master_t postfix_$1_t:process signal;
+
+	allow postfix_$1_t postfix_etc_t:dir r_dir_perms;
+	allow postfix_$1_t postfix_etc_t:file r_file_perms;
+
+	can_exec(postfix_$1_t, postfix_$1_exec_t)
+
+	allow postfix_$1_t postfix_exec_t:file rx_file_perms;
+	# cjp: ???
+	allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
+
+	allow postfix_$1_t postfix_master_t:process sigchld;
+
+	allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
+
+	allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
+	files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file)
+
+	kernel_read_system_state(postfix_$1_t)
+	kernel_read_network_state(postfix_$1_t)
+	kernel_read_all_sysctls(postfix_$1_t)
+
+	dev_read_sysfs(postfix_$1_t)
+	dev_read_rand(postfix_$1_t)
+	dev_read_urand(postfix_$1_t)
+
+	fs_search_auto_mountpoints(postfix_$1_t)
+	fs_getattr_xattr_fs(postfix_$1_t)
+
+	term_dontaudit_use_console(postfix_$1_t)
+
+	corecmd_list_bin(postfix_$1_t)
+	corecmd_list_sbin(postfix_$1_t)
+	corecmd_read_bin_symlinks(postfix_$1_t)
+	corecmd_read_sbin_symlinks(postfix_$1_t)
+	corecmd_exec_shell(postfix_$1_t)
+
+	files_read_etc_files(postfix_$1_t)
+	files_read_etc_runtime_files(postfix_$1_t)
+	files_read_usr_symlinks(postfix_$1_t)
+	files_search_spool(postfix_$1_t)
+	files_getattr_tmp_dirs(postfix_$1_t)
+
+	init_use_fds(postfix_$1_t)
+	init_sigchld(postfix_$1_t)
+
+	libs_use_ld_so(postfix_$1_t)
+	libs_use_shared_libs(postfix_$1_t)
+
+	logging_send_syslog_msg(postfix_$1_t)
+
+	miscfiles_read_localization(postfix_$1_t)
+	miscfiles_read_certs(postfix_$1_t)
+
+	userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
+
+	ifdef(`targeted_policy', `
+		term_dontaudit_use_unallocated_ttys(postfix_$1_t)
+		term_dontaudit_use_generic_ptys(postfix_$1_t)
+		files_dontaudit_read_root_files(postfix_$1_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use(postfix_$1_t)
+	')
+
+	optional_policy(`
+		udev_read_db(postfix_$1_t)
+	')
+')
+
+########################################
+## <summary>
+##	Creates a postfix server process domain.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix of the domain.
+##	</summary>
+## </param>
+#
+template(`postfix_server_domain_template',`
+	postfix_domain_template($1)
+
+	allow postfix_$1_t self:capability { setuid setgid dac_override };
+	allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+	allow postfix_$1_t self:tcp_socket create_socket_perms;
+	allow postfix_$1_t self:udp_socket create_socket_perms;
+
+	domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+	allow postfix_master_t postfix_$1_t:fd use;
+	allow postfix_$1_t postfix_master_t:fd use;
+	allow postfix_$1_t postfix_master_t:fifo_file rw_file_perms;
+	allow postfix_$1_t postfix_master_t:process sigchld;
+
+	corenet_non_ipsec_sendrecv(postfix_$1_t)
+	corenet_tcp_sendrecv_all_if(postfix_$1_t)
+	corenet_udp_sendrecv_all_if(postfix_$1_t)
+	corenet_tcp_sendrecv_all_nodes(postfix_$1_t)
+	corenet_udp_sendrecv_all_nodes(postfix_$1_t)
+	corenet_tcp_sendrecv_all_ports(postfix_$1_t)
+	corenet_udp_sendrecv_all_ports(postfix_$1_t)
+	corenet_tcp_bind_all_nodes(postfix_$1_t)
+	corenet_udp_bind_all_nodes(postfix_$1_t)
+	corenet_tcp_connect_all_ports(postfix_$1_t)
+	corenet_sendrecv_all_client_packets(postfix_$1_t)
+
+	sysnet_read_config(postfix_$1_t)
+
+	optional_policy(`
+		nis_use_ypbind(postfix_$1_t)
+	')
+')
+
+########################################
+## <summary>
+##	Creates a process domain for programs
+##	that are ran by users.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix of the domain.
+##	</summary>
+## </param>
+#
+template(`postfix_user_domain_template',`
+	gen_require(`
+		attribute postfix_user_domains, postfix_user_domtrans;
+	')
+
+	postfix_domain_template($1)
+
+	typeattribute postfix_$1_t postfix_user_domains;
+
+	allow postfix_$1_t self:capability dac_override;
+
+	domain_auto_trans(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
+	allow postfix_user_domtrans postfix_$1_t:fd use;
+	allow postfix_$1_t postfix_user_domtrans:fd use;
+	allow postfix_$1_t postfix_user_domtrans:fifo_file rw_file_perms;
+	allow postfix_$1_t postfix_user_domtrans:process sigchld;
+
+	domain_use_interactive_fds(postfix_$1_t)
+')
+
+########################################
+## <summary>
+##	The per-userdomain template for the postfix module.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user domain.
+##	(e.g., user is the prefix of user_t)
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	User domain type.
+##	</summary>
+## </param>
+#
+template(`postfix_per_userdomain_template',`
+	gen_require(`
+		attribute postfix_user_domains;
+		type postfix_postdrop_t;
+	')
+
+	role $3 types postfix_postdrop_t;
+
+	allow postfix_user_domains $2:process sigchld;
+	allow postfix_user_domains $2:fifo_file { write getattr };
+	allow postfix_user_domains $2:fd use;
+')
+
+########################################
+## <summary>
+##	Read postfix configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_read_config',`
+	gen_require(`
+		type postfix_etc_t;
+	')
+
+	allow $1 postfix_etc_t:dir { getattr read search };
+	allow $1 postfix_etc_t:file { read getattr };
+	allow $1 postfix_etc_t:lnk_file { getattr read };
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Create files with the specified type in
+##	the postfix configuration directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`postfix_config_filetrans',`
+	gen_require(`
+		type postfix_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 postfix_etc_t:dir rw_dir_perms;
+	type_transition $1 postfix_etc_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write postfix local delivery
+##	TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`postfix_dontaudit_rw_local_tcp_sockets',`
+	gen_require(`
+		type postfix_local_t;
+	')
+
+	dontaudit $1 postfix_local_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use
+##	postfix master process file
+##	file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`postfix_dontaudit_use_fds',`
+	gen_require(`
+		type postfix_master_t;
+	')
+
+	dontaudit $1 postfix_master_t:fd use;
+')
+
+########################################
+## <summary>
+##	Execute postfix_map in the postfix_map domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_domtrans_map',`
+	gen_require(`
+		type postfix_map_t, postfix_map_exec_t;
+	')
+
+	domain_auto_trans($1,postfix_map_exec_t,postfix_map_t)
+
+	allow $1 postfix_map_t:fd use;
+	allow postfix_map_t $1:fd use;
+	allow postfix_map_t $1:fifo_file rw_file_perms;
+	allow postfix_map_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute postfix_map in the postfix_map domain, and
+##	allow the specified role the postfix_map domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the postfix_map domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the postfix_map domain to use.
+##	</summary>
+## </param>
+#
+interface(`postfix_run_map',`
+	gen_require(`
+		type postfix_map_t;
+	')
+
+	postfix_domtrans_map($1)
+	role $2 types postfix_map_t;
+	allow postfix_map_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute the master postfix program in the
+##	postfix_master domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_domtrans_master',`
+	gen_require(`
+		type postfix_master_t, postfix_master_exec_t;
+	')
+
+	domain_auto_trans($1,postfix_master_exec_t,postfix_master_t)
+
+	allow $1 postfix_master_t:fd use;
+	allow postfix_master_t $1:fd use;
+	allow postfix_master_t $1:fifo_file rw_file_perms;
+	allow postfix_master_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute the master postfix program in the
+##	caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_exec_master',`
+	gen_require(`
+		type postfix_master_exec_t;
+	')
+
+	can_exec($1,postfix_master_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute the master postfix program in the
+##	postfix_master domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_domtrans_smtp',`
+	gen_require(`
+		type postfix_smtp_t, postfix_smtp_exec_t;
+	')
+
+	domain_auto_trans($1,postfix_smtp_exec_t,postfix_smtp_t)
+
+	allow postfix_smtp_t $1:fd use;
+	allow postfix_smtp_t $1:fifo_file rw_file_perms;
+	allow postfix_smtp_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Search postfix mail spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_search_spool',`
+	gen_require(`
+		type postfix_spool_t;
+	')
+
+	allow $1 postfix_spool_t:dir search_dir_perms;
+	files_search_spool($1)
+')
+
+########################################
+## <summary>
+##	List postfix mail spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_list_spool',`
+	gen_require(`
+		type postfix_spool_t;
+	')
+
+	allow $1 postfix_spool_t:dir list_dir_perms;
+	files_search_spool($1)
+')
+
+########################################
+## <summary>
+##	Execute postfix user mail programs
+##	in their respective domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_domtrans_user_mail_handler',`
+	gen_require(`
+		attribute postfix_user_domtrans;
+	')
+
+	typeattribute $1 postfix_user_domtrans;
+')
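Review bot: `postfix_domtrans_smtp`'s summary is copied from `postfix_domtrans_master` ("Execute the master postfix program in the postfix_master domain") and should read `##	Execute the postfix smtp client in the postfix_smtp domain.`; the interface also lacks the `allow $1 postfix_smtp_t:fd use;` line that every other domtrans interface in this file has, so the caller cannot use descriptors inherited back from the child. `postfix_per_userdomain_template` documents two parameters but its body uses `$3` (`role $3 types postfix_postdrop_t`), so a third `<param name="role">` block is missing from the header, and a caller passing only two arguments most likely produces a malformed `role` statement at build time. The `# cjp: ???` left above `allow postfix_$1_t postfix_exec_t:dir r_dir_perms;` in `postfix_domain_template` marks a rule the author could not justify (directory read on an executable type); it should be explained or removed before merge.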
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
new file mode 100644
index 0000000..8a1dd9f
--- /dev/null
+++ b/policy/modules/services/postfix.te
@@ -0,0 +1,595 @@
+
+policy_module(postfix,1.2.9)
+
+########################################
+#
+# Declarations
+#
+
+attribute postfix_user_domains;
+# domains that transition to the
+# postfix user domains
+attribute postfix_user_domtrans;
+
+postfix_server_domain_template(bounce)
+
+type postfix_spool_bounce_t;
+files_type(postfix_spool_bounce_t)
+
+postfix_server_domain_template(cleanup)
+
+type postfix_etc_t;
+files_type(postfix_etc_t)
+
+type postfix_exec_t;
+corecmd_executable_file(postfix_exec_t)
+
+postfix_server_domain_template(local)
+mta_mailserver_delivery(postfix_local_t)
+
+type postfix_local_tmp_t;
+files_tmp_file(postfix_local_tmp_t)
+
+# Program for creating database files
+type postfix_map_t;
+type postfix_map_exec_t;
+domain_type(postfix_map_t)
+domain_entry_file(postfix_map_t,postfix_map_exec_t)
+
+type postfix_map_tmp_t;
+files_tmp_file(postfix_map_tmp_t)
+
+postfix_domain_template(master)
+typealias postfix_master_t alias postfix_t;
+# alias is a hack to make the disable trans bool
+# generation macro work
+mta_mailserver(postfix_t,postfix_master_exec_t)
+
+postfix_server_domain_template(pickup)
+
+postfix_server_domain_template(pipe)
+
+postfix_user_domain_template(postdrop)
+mta_mailserver_user_agent(postfix_postdrop_t)
+
+postfix_user_domain_template(postqueue)
+
+type postfix_private_t;
+files_type(postfix_private_t)
+
+type postfix_prng_t;
+files_type(postfix_prng_t)
+
+postfix_server_domain_template(qmgr)
+
+postfix_user_domain_template(showq)
+
+postfix_server_domain_template(smtp)
+mta_mailserver_sender(postfix_smtp_t)
+
+postfix_server_domain_template(smtpd)
+
+type postfix_spool_t;
+files_type(postfix_spool_t)
+
+type postfix_spool_maildrop_t;
+files_type(postfix_spool_maildrop_t)
+
+type postfix_spool_flush_t;
+files_type(postfix_spool_flush_t)
+
+type postfix_public_t;
+files_type(postfix_public_t)
+
+type postfix_var_run_t;
+files_pid_file(postfix_var_run_t)
+
+########################################
+#
+# Postfix master process local policy
+#
+
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t self:fifo_file rw_file_perms;
+allow postfix_master_t self:tcp_socket create_stream_socket_perms;
+allow postfix_master_t self:udp_socket create_socket_perms;
+
+allow postfix_master_t postfix_etc_t:file rw_file_perms;
+
+can_exec(postfix_master_t,postfix_exec_t)
+
+allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
+
+allow postfix_master_t postfix_postdrop_exec_t:file getattr;
+
+allow postfix_master_t postfix_postqueue_exec_t:file getattr;
+
+allow postfix_master_t postfix_private_t:dir rw_dir_perms;
+allow postfix_master_t postfix_private_t:sock_file create_file_perms;
+allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
+
+allow postfix_master_t postfix_prng_t:file rw_file_perms;
+
+allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
+allow postfix_master_t postfix_public_t:sock_file create_file_perms;
+allow postfix_master_t postfix_public_t:dir rw_dir_perms;
+
+# allow access to deferred queue and allow removing bogus incoming entries
+allow postfix_master_t postfix_spool_t:dir create_dir_perms;
+allow postfix_master_t postfix_spool_t:file create_file_perms;
+
+allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
+allow postfix_master_t postfix_spool_bounce_t:file getattr;
+
+allow postfix_master_t postfix_spool_flush_t:dir create_dir_perms;
+allow postfix_master_t postfix_spool_flush_t:file create_file_perms;
+allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms;
+
+allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
+
+kernel_read_all_sysctls(postfix_master_t)
+
+corenet_non_ipsec_sendrecv(postfix_master_t)
+corenet_tcp_sendrecv_all_if(postfix_master_t)
+corenet_udp_sendrecv_all_if(postfix_master_t)
+corenet_tcp_sendrecv_all_nodes(postfix_master_t)
+corenet_udp_sendrecv_all_nodes(postfix_master_t)
+corenet_tcp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_tcp_bind_all_nodes(postfix_master_t)
+corenet_tcp_bind_amavisd_send_port(postfix_master_t)
+corenet_tcp_bind_smtp_port(postfix_master_t)
+corenet_tcp_connect_all_ports(postfix_master_t)
+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+corenet_sendrecv_smtp_server_packets(postfix_master_t)
+corenet_sendrecv_all_client_packets(postfix_master_t)
+
+# for a find command
+selinux_dontaudit_search_fs(postfix_master_t)
+
+corecmd_exec_ls(postfix_master_t)
+corecmd_exec_sbin(postfix_master_t)
+corecmd_exec_shell(postfix_master_t)
+corecmd_exec_bin(postfix_master_t)
+
+domain_use_interactive_fds(postfix_master_t)
+
+files_read_usr_files(postfix_master_t)
+
+init_use_script_ptys(postfix_master_t)
+
+miscfiles_dontaudit_search_man_pages(postfix_master_t)
+
+seutil_sigchld_newrole(postfix_master_t)
+# postfix does a "find" on startup for some reason - keep it quiet
+seutil_dontaudit_search_config(postfix_master_t)
+
+sysnet_read_config(postfix_master_t)
+
+mta_rw_aliases(postfix_master_t)
+mta_read_sendmail_bin(postfix_master_t)
+
+optional_policy(`
+	cyrus_stream_connect(postfix_master_t)
+')
+
+optional_policy(`
+#	for postalias
+	mailman_manage_data_files(postfix_master_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(postfix_master_t)
+')
+
+###########################################################
+#
+# Partially converted rules.  THESE ARE ONLY TEMPORARY
+#
+
+ifdef(`distro_redhat',`
+	# for newer main.cf that uses /etc/aliases
+	allow postfix_master_t etc_t:dir rw_dir_perms;
+	allow postfix_master_t etc_aliases_t:dir create_dir_perms;
+	allow postfix_master_t etc_aliases_t:file create_file_perms;
+	allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
+	allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
+	allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
+	type_transition postfix_master_t etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
+
+	allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
+	allow postfix_master_t etc_aliases_t:dir create_dir_perms;
+	allow postfix_master_t etc_aliases_t:file create_file_perms;
+	allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
+	allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
+	allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
+	type_transition postfix_master_t postfix_etc_t:{ dir file lnk_file sock_file fifo_file } etc_aliases_t;
+')
+
+# end partially converted rules
+
+########################################
+#
+# Postfix bounce local policy
+#
+
+allow postfix_bounce_t self:capability dac_read_search;
+allow postfix_bounce_t self:tcp_socket create_socket_perms;
+
+allow postfix_bounce_t postfix_public_t:sock_file write;
+allow postfix_bounce_t postfix_public_t:dir search;
+
+allow postfix_bounce_t postfix_spool_t:dir create_dir_perms;
+allow postfix_bounce_t postfix_spool_t:file create_file_perms;
+allow postfix_bounce_t postfix_spool_t:lnk_file create_lnk_perms;
+
+allow postfix_bounce_t postfix_spool_bounce_t:dir create_dir_perms;
+allow postfix_bounce_t postfix_spool_bounce_t:file create_file_perms;
+allow postfix_bounce_t postfix_spool_bounce_t:lnk_file create_lnk_perms;
+
+########################################
+#
+# Postfix cleanup local policy
+#
+
+allow postfix_cleanup_t self:process setrlimit;
+
+# connect to master process
+allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_cleanup_t postfix_private_t:dir search;
+allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
+
+allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
+allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
+allow postfix_cleanup_t postfix_public_t:dir search;
+
+allow postfix_cleanup_t postfix_spool_t:dir create_dir_perms;
+allow postfix_cleanup_t postfix_spool_t:file create_file_perms;
+allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms;
+
+allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
+
+########################################
+#
+# Postfix local local policy
+#
+
+allow postfix_local_t self:fifo_file rw_file_perms;
+allow postfix_local_t self:process { setsched setrlimit };
+
+allow postfix_local_t postfix_local_tmp_t:dir create_dir_perms;
+allow postfix_local_t postfix_local_tmp_t:file create_file_perms;
+files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
+
+# connect to master process
+allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_local_t postfix_public_t:dir search;
+allow postfix_local_t postfix_public_t:sock_file write;
+
+# for .forward - maybe we need a new type for it?
+allow postfix_local_t postfix_private_t:dir search;
+allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
+
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
+
+corecmd_exec_shell(postfix_local_t)
+corecmd_exec_bin(postfix_local_t)
+
+files_read_etc_files(postfix_local_t)
+
+mta_read_aliases(postfix_local_t)
+mta_delete_spool(postfix_local_t)
+# For reading spamassasin
+mta_read_config(postfix_local_t)
+
+optional_policy(`
+#	for postalias
+	mailman_manage_data_files(postfix_local_t)
+')
+
+optional_policy(`
+	procmail_domtrans(postfix_local_t)
+')
+
+########################################
+#
+# Postfix map local policy
+#
+
+allow postfix_map_t self:capability setgid;
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+allow postfix_map_t self:tcp_socket create_stream_socket_perms;
+allow postfix_map_t self:udp_socket create_socket_perms;
+
+allow postfix_map_t postfix_etc_t:dir create_dir_perms;
+allow postfix_map_t postfix_etc_t:file create_file_perms;
+allow postfix_map_t postfix_etc_t:lnk_file create_lnk_perms;
+
+allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms;
+allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
+files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(postfix_map_t)
+kernel_dontaudit_list_proc(postfix_map_t)
+kernel_dontaudit_read_system_state(postfix_map_t)
+
+corenet_non_ipsec_sendrecv(postfix_map_t)
+corenet_tcp_sendrecv_all_if(postfix_map_t)
+corenet_udp_sendrecv_all_if(postfix_map_t)
+corenet_tcp_sendrecv_all_nodes(postfix_map_t)
+corenet_udp_sendrecv_all_nodes(postfix_map_t)
+corenet_tcp_sendrecv_all_ports(postfix_map_t)
+corenet_udp_sendrecv_all_ports(postfix_map_t)
+corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_sendrecv_all_client_packets(postfix_map_t)
+
+corecmd_list_bin(postfix_map_t)
+corecmd_read_bin_symlinks(postfix_map_t)
+corecmd_read_bin_files(postfix_map_t)
+corecmd_read_bin_pipes(postfix_map_t)
+corecmd_read_bin_sockets(postfix_map_t)
+corecmd_list_sbin(postfix_map_t)
+corecmd_read_sbin_symlinks(postfix_map_t)
+corecmd_read_sbin_files(postfix_map_t)
+corecmd_read_sbin_pipes(postfix_map_t)
+corecmd_read_sbin_sockets(postfix_map_t)
+
+files_list_home(postfix_map_t)
+files_read_usr_files(postfix_map_t)
+files_read_etc_files(postfix_map_t)
+files_read_etc_runtime_files(postfix_map_t)
+files_dontaudit_search_var(postfix_map_t)
+
+libs_use_ld_so(postfix_map_t)
+libs_use_shared_libs(postfix_map_t)
+
+logging_send_syslog_msg(postfix_map_t)
+
+miscfiles_read_localization(postfix_map_t)
+
+seutil_read_config(postfix_map_t)
+
+sysnet_read_config(postfix_map_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(postfix_map_t)
+')
+
+tunable_policy(`read_default_t',`
+	files_list_default(postfix_map_t)
+	files_read_default_files(postfix_map_t)
+	files_read_default_symlinks(postfix_map_t)
+	files_read_default_sockets(postfix_map_t)
+	files_read_default_pipes(postfix_map_t)
+')
+
+optional_policy(`
+	locallogin_dontaudit_use_fds(postfix_map_t)
+')
+
+# a "run" interface needs to be
+# added, and have sysadm_t use it
+# in a optional_policy block.
+
+########################################
+#
+# Postfix pickup local policy
+#
+
+allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
+allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
+
+allow postfix_pickup_t postfix_private_t:dir search;
+allow postfix_pickup_t postfix_private_t:sock_file write;
+
+allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
+allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
+allow postfix_pickup_t postfix_public_t:dir search;
+
+postfix_list_spool(postfix_pickup_t)
+allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
+allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
+
+########################################
+#
+# Postfix pipe local policy
+#
+
+allow postfix_pipe_t self:fifo_file { read write };
+
+allow postfix_pipe_t postfix_private_t:dir search;
+allow postfix_pipe_t postfix_private_t:sock_file write;
+
+allow postfix_pipe_t postfix_public_t:fifo_file { getattr write };
+allow postfix_pipe_t postfix_public_t:dir search;
+
+allow postfix_pipe_t postfix_spool_t:dir search;
+allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
+
+optional_policy(`
+	procmail_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
+	mailman_domtrans_queue(postfix_pipe_t)
+')
+
+########################################
+#
+# Postfix postdrop local policy
+#
+
+# usually it does not need a UDP socket
+allow postfix_postdrop_t self:capability sys_resource;
+allow postfix_postdrop_t self:tcp_socket create;
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
+allow postfix_postdrop_t postfix_public_t:dir search;
+allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
+
+postfix_list_spool(postfix_postdrop_t)
+allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
+
+corenet_udp_sendrecv_all_if(postfix_postdrop_t)
+corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)
+
+term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
+term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
+
+sysnet_dns_name_resolve(postfix_postdrop_t)
+
+mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
+
+ifdef(`targeted_policy', `
+	term_use_unallocated_ttys(postfix_postdrop_t)
+	term_use_generic_ptys(postfix_postdrop_t)
+')
+
+optional_policy(`
+	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
+')
+
+optional_policy(`
+	ppp_use_fds(postfix_postqueue_t)
+	ppp_sigchld(postfix_postqueue_t)
+')
+
+#######################################
+#
+# Postfix postqueue local policy
+#
+
+allow postfix_postqueue_t self:tcp_socket create;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+
+# wants to write to /var/spool/postfix/public/showq
+allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
+allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
+
+allow postfix_postqueue_t postfix_public_t:dir search;
+# write to /var/spool/postfix/public/qmgr
+allow postfix_postqueue_t postfix_public_t:fifo_file { getattr write };
+
+domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
+allow postfix_master_t postfix_postqueue_t:fd use;
+allow postfix_postqueue_t postfix_master_t:fd use;
+allow postfix_postqueue_t postfix_master_t:fifo_file rw_file_perms;
+allow postfix_postqueue_t postfix_master_t:process sigchld;
+
+domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
+allow postfix_postqueue_t postfix_showq_t:fd use;
+allow postfix_showq_t postfix_postqueue_t:fd use;
+allow postfix_showq_t postfix_postqueue_t:fifo_file rw_file_perms;
+allow postfix_showq_t postfix_postqueue_t:process sigchld;
+
+# to write the mailq output, it really should not need read access!
+term_use_all_user_ptys(postfix_postqueue_t)
+term_use_all_user_ttys(postfix_postqueue_t)
+
+init_sigchld_script(postfix_postqueue_t)
+init_use_script_fds(postfix_postqueue_t)
+
+sysnet_dontaudit_read_config(postfix_postqueue_t)
+
+########################################
+#
+# Postfix qmgr local policy
+#
+
+allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
+
+allow postfix_qmgr_t postfix_private_t:dir search;
+allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
+
+allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
+allow postfix_qmgr_t postfix_public_t:sock_file write;
+allow postfix_qmgr_t postfix_public_t:dir search;
+
+# for /var/spool/postfix/active
+allow postfix_qmgr_t postfix_spool_t:dir create_dir_perms;
+allow postfix_qmgr_t postfix_spool_t:file create_file_perms;
+allow postfix_qmgr_t postfix_spool_t:lnk_file create_lnk_perms;
+
+allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
+allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+
+########################################
+#
+# Postfix showq local policy
+#
+
+allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:tcp_socket create_socket_perms;
+
+# the following auto_trans is usually in postfix server domain
+domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+allow postfix_master_t postfix_showq_t:fd use;
+allow postfix_showq_t postfix_master_t:fd use;
+allow postfix_showq_t postfix_master_t:fifo_file rw_file_perms;
+allow postfix_showq_t postfix_master_t:process sigchld;
+
+allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+
+allow postfix_showq_t postfix_spool_t:file r_file_perms;
+
+postfix_list_spool(postfix_showq_t)
+
+allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
+allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
+
+# to write the mailq output, it really should not need read access!
+term_use_all_user_ptys(postfix_showq_t)
+term_use_all_user_ttys(postfix_showq_t)
+
+sysnet_dns_name_resolve(postfix_showq_t)
+
+########################################
+#
+# Postfix smtp delivery local policy
+#
+
+# connect to master process
+allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
+allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
+
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+
+kernel_tcp_recvfrom(postfix_smtp_t)
+
+# if you have two different mail servers on the same host let them talk via
+# SMTP, also if one mail server wants to talk to itself then allow it and let
+# the SMTP protocol sort it out (SE Linux is not to prevent mail server
+# misconfiguration)
+mta_tcp_connect_all_mailservers(postfix_smtp_t)
+
+########################################
+#
+# Postfix smtpd local policy
+#
+allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+
+# connect to master process
+allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
+allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
+
+# for prng_exch
+allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
+
+# for OpenSSL certificates
+files_read_usr_files(postfix_smtpd_t)
+mta_read_aliases(postfix_smtpd_t)
+
+optional_policy(`
+	sasl_connect(postfix_smtpd_t)
+')
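Review bot: The distro_redhat block at the end of the master section references etc_t and etc_aliases_t directly and grants `allow postfix_master_t etc_t:dir rw_dir_perms;` plus a type_transition on etc_t, so the master process can create files anywhere under /etc, not just the alias database; the five etc_aliases_t allow lines are also pasted twice verbatim (the second copy right after the postfix_etc_t dir rule). The section is marked temporary, but mta_rw_aliases(postfix_master_t) is already granted above, so what remains is only the directory write and the name transition, and those should come through files/mta interfaces rather than another module's raw types. At minimum drop the duplicated five lines and replace the etc_t dir write with the narrowest interface that covers creating the alias database. Separately, the ppp optional_policy block placed under the postdrop heading applies to postfix_postqueue_t and belongs in the postqueue section.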
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
new file mode 100644
index 0000000..a77d9eb
--- /dev/null
+++ b/policy/modules/services/postgresql.fc
@@ -0,0 +1,40 @@
+#
+# /etc
+#
+/etc/postgresql(/.*)?			gen_context(system_u:object_r:postgresql_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/initdb			--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib/pgsql/test/regres(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
+/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib(64)?/postgresql/bin/.* --	gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+ifdef(`distro_debian', `
+/usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
+
+ifdef(`distro_redhat', `
+/usr/share/jonas/pgsql(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
+')
+
+#
+# /var
+#
+/var/lib/postgres(ql)?(/.*)? 		gen_context(system_u:object_r:postgresql_db_t,s0)
+
+/var/lib/pgsql/data(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/pgsql/pgstartup.log		gen_context(system_u:object_r:postgresql_log_t,s0)
+
+/var/log/postgres\.log.* 	--	gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
+
+ifdef(`distro_redhat', `
+/var/log/rhdb/rhdb(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
+')
+
+/var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
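Review bot: `/usr/lib/pgsql/test/regres(/.*)?` looks like a typo for `regress`: the pattern only matches a component literally named `regres`, so the regression-test tree that the next line labels (`/usr/lib/pgsql/test/regress/pg_regress`) would not receive postgresql_db_t. Either correct it to `/usr/lib/pgsql/test/regress(/.*)?` or drop the line if the directory is not meant to be labeled. Labeling a test tree under /usr/lib as postgresql_db_t also gives the daemon the same full create/write access it has on its data directory (per the db_t rules in postgresql.te); if this exists only for running the regression suite, a comment saying so would let the next maintainer decide whether to keep it.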
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
new file mode 100644
index 0000000..818ba7c
--- /dev/null
+++ b/policy/modules/services/postgresql.if
@@ -0,0 +1,124 @@
+## <summary>PostgreSQL relational database</summary>
+
+########################################
+## <summary>
+##	Allow the specified domain to search postgresql's database directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postgresql_search_db',`
+	gen_require(`
+		type postgresql_db_t;
+	')
+
+	allow $1 postgresql_db_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage postgresql's database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+interface(`postgresql_manage_db',`
+	gen_require(`
+		type postgresql_db_t;
+	')
+
+	allow $1 postgresql_db_t:dir rw_dir_perms;
+	allow $1 postgresql_db_t:file rw_file_perms;
+	allow $1 postgresql_db_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Execute postgresql in the postgresql domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`postgresql_domtrans',`
+	gen_require(`
+		type postgresql_t, postgresql_exec_t;
+	')
+
+	domain_auto_trans($1,postgresql_exec_t,postgresql_t)
+
+	allow $1 postgresql_t:fd use;
+	allow postgresql_t $1:fd use;
+	allow postgresql_t $1:fifo_file rw_file_perms;
+	allow postgresql_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read postgresql's etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postgresql_read_config',`
+	gen_require(`
+		type postgresql_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 postgresql_etc_t:dir { getattr read search };
+	allow $1 postgresql_etc_t:file { read getattr };
+	allow $1 postgresql_etc_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to postgresql with a tcp socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postgresql_tcp_connect',`
+	gen_require(`
+		type postgresql_t;
+	')
+
+	kernel_tcp_recvfrom($1)
+	allow $1 postgresql_t:tcp_socket { connectto recvfrom };
+	allow postgresql_t $1:tcp_socket { acceptfrom recvfrom };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to postgresql with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postgresql_stream_connect',`
+	gen_require(`
+		type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
+	')
+
+	files_search_pids($1)
+	allow $1 postgresql_t:unix_stream_socket connectto;
+	allow $1 postgresql_var_run_t:sock_file write;
+        # Some versions of postgresql put the sock file in /tmp
+	allow $1 postgresql_tmp_t:sock_file write;
+')
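Review bot: `postgresql_manage_db` grants only `rw_dir_perms`, `rw_file_perms` and getattr/read on symlinks, which by this policy's naming is a `rw_` interface rather than `manage_` (no create, unlink or rename); a caller trusting the name would expect to create and delete database files and would get denials. Either rename it to match what it grants, or switch to the create/manage permission sets the module uses for postgresql_t itself in postgresql.te — renaming is the smaller change and does not widen access. The interface is also missing the `#` line between `</param>` and `interface(`, unlike every other interface in the file, and the comment in `postgresql_stream_connect` (`# Some versions of postgresql put the sock file in /tmp`) is indented with spaces where the rest of the file uses tabs.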
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
new file mode 100644
index 0000000..452f96c
--- /dev/null
+++ b/policy/modules/services/postgresql.te
@@ -0,0 +1,209 @@
+
+policy_module(postgresql,1.1.2)
+
+#################################
+#
+# Declarations
+#
+type postgresql_t;
+type postgresql_exec_t;
+init_daemon_domain(postgresql_t,postgresql_exec_t)
+
+type postgresql_db_t;
+files_type(postgresql_db_t)
+
+type postgresql_etc_t;
+files_config_file(postgresql_etc_t)
+
+type postgresql_lock_t;
+files_lock_file(postgresql_lock_t)
+
+type postgresql_log_t;
+logging_log_file(postgresql_log_t)
+
+type postgresql_tmp_t;
+files_tmp_file(postgresql_tmp_t)
+
+type postgresql_var_run_t;
+files_pid_file(postgresql_var_run_t)
+
+########################################
+#
+# postgresql Local policy
+#
+allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
+dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
+allow postgresql_t self:process signal_perms;
+allow postgresql_t self:fifo_file { getattr read write ioctl };
+allow postgresql_t self:file { getattr read };
+allow postgresql_t self:sem create_sem_perms;
+allow postgresql_t self:shm create_shm_perms;
+allow postgresql_t self:tcp_socket create_stream_socket_perms;
+allow postgresql_t self:udp_socket create_stream_socket_perms;
+allow postgresql_t self:unix_dgram_socket create_socket_perms;
+allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow postgresql_t postgresql_db_t:dir create_dir_perms;
+allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
+allow postgresql_t postgresql_db_t:file create_file_perms;
+allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
+allow postgresql_t postgresql_db_t:sock_file create_file_perms;
+files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
+
+allow postgresql_t postgresql_etc_t:dir r_dir_perms;
+allow postgresql_t postgresql_etc_t:file r_file_perms;
+allow postgresql_t postgresql_etc_t:lnk_file { getattr read };
+
+allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+can_exec(postgresql_t, postgresql_exec_t )
+
+allow postgresql_t postgresql_lock_t:file create_file_perms;
+files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
+
+allow postgresql_t postgresql_log_t:dir rw_dir_perms;
+allow postgresql_t postgresql_log_t:file create_file_perms;
+logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir })
+
+allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
+allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
+allow postgresql_t postgresql_tmp_t:file create_file_perms;
+allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
+allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
+files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
+allow postgresql_t postgresql_var_run_t:file create_file_perms;
+allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
+
+kernel_read_kernel_sysctls(postgresql_t)
+kernel_read_system_state(postgresql_t)
+kernel_list_proc(postgresql_t)
+kernel_read_all_sysctls(postgresql_t)
+kernel_read_proc_symlinks(postgresql_t)
+kernel_tcp_recvfrom(postgresql_t)
+
+corenet_non_ipsec_sendrecv(postgresql_t)
+corenet_tcp_sendrecv_all_if(postgresql_t)
+corenet_udp_sendrecv_all_if(postgresql_t)
+corenet_tcp_sendrecv_all_nodes(postgresql_t)
+corenet_udp_sendrecv_all_nodes(postgresql_t)
+corenet_tcp_sendrecv_all_ports(postgresql_t)
+corenet_udp_sendrecv_all_ports(postgresql_t)
+corenet_tcp_bind_all_nodes(postgresql_t)
+corenet_tcp_bind_postgresql_port(postgresql_t)
+corenet_tcp_connect_auth_port(postgresql_t)
+corenet_sendrecv_postgresql_server_packets(postgresql_t)
+corenet_sendrecv_auth_client_packets(postgresql_t)
+
+dev_read_sysfs(postgresql_t)
+dev_read_urand(postgresql_t)
+
+fs_getattr_all_fs(postgresql_t)
+fs_search_auto_mountpoints(postgresql_t)
+
+term_use_controlling_term(postgresql_t)
+term_dontaudit_use_console(postgresql_t)
+
+corecmd_exec_bin(postgresql_t)
+corecmd_exec_ls(postgresql_t)
+corecmd_exec_sbin(postgresql_t)
+corecmd_exec_shell(postgresql_t)
+
+domain_dontaudit_list_all_domains_state(postgresql_t)
+domain_use_interactive_fds(postgresql_t)
+
+files_dontaudit_search_home(postgresql_t)
+files_manage_etc_files(postgresql_t)
+files_search_etc(postgresql_t)
+files_read_etc_runtime_files(postgresql_t)
+files_read_usr_files(postgresql_t)
+
+init_read_utmp(postgresql_t)
+init_use_fds(postgresql_t)
+init_use_script_ptys(postgresql_t)
+
+libs_use_ld_so(postgresql_t)
+libs_use_shared_libs(postgresql_t)
+
+logging_send_syslog_msg(postgresql_t)
+
+miscfiles_read_localization(postgresql_t)
+
+seutil_dontaudit_search_config(postgresql_t)
+
+sysnet_read_config(postgresql_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
+userdom_dontaudit_use_sysadm_ttys(postgresql_t)
+userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+
+mta_getattr_spool(postgresql_t)
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_files(postgresql_t)
+	term_dontaudit_use_generic_ptys(postgresql_t)
+	term_dontaudit_use_unallocated_ttys(postgresql_t)
+')
+
+tunable_policy(`allow_execmem',`
+	allow postgresql_t self:process execmem;
+')
+
+optional_policy(`
+	consoletype_exec(postgresql_t)
+')
+
+optional_policy(`
+	cron_search_spool(postgresql_t)
+	cron_system_entry(postgresql_t,postgresql_exec_t)
+')
+
+optional_policy(`
+	hostname_exec(postgresql_t)
+')
+
+optional_policy(`
+	kerberos_use(postgresql_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(postgresql_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(postgresql_t)
+')
+
+optional_policy(`
+	udev_read_db(postgresql_t)
+')
+
+ifdef(`TODO',`
+ifdef(`targeted_policy', `', `
+bool allow_user_postgresql_connect false;
+
+if (allow_user_postgresql_connect) {
+# allow any user domain to connect to the database server
+can_tcp_connect(userdomain, postgresql_t)
+allow userdomain postgresql_t:unix_stream_socket connectto;
+allow userdomain postgresql_var_run_t:sock_file write;
+allow userdomain postgresql_tmp_t:sock_file write;
+}
+')
+ifdef(`distro_debian', `
+	init_exec_script_files(postgresql_t)
+	# gross hack
+	postgresql_domtrans(dpkg_t)
+	can_exec(postgresql_t, dpkg_exec_t)
+')
+
+ifdef(`distro_gentoo', `
+	allow postgresql_t initrc_su_t:process { sigchld };
+	# "su - postgres ..." is called from initrc_t
+	postgresql_search_db(initrc_su_t)
+	dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
+')
+')
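Review bot: `files_manage_etc_files(postgresql_t)` gives the database daemon create/write/delete on every etc_t file on the system, far more than a database server should hold; nothing in this hunk shows what it writes under /etc, so if it only reads configuration `files_read_etc_files(postgresql_t)` is the right call, and if it genuinely rewrites one specific file that file deserves its own type (postgresql_etc_t already exists for this). In the same section the capability line allows `sys_tty_config` and `sys_admin` while the very next line dontaudits the same two; a dontaudit of an already-allowed permission is dead, and sys_admin in particular should be removed from the allow (keeping only the dontaudit) unless a concrete need is documented. `allow postgresql_t self:udp_socket create_stream_socket_perms;` also applies the stream set (listen/accept) to a datagram socket; `create_socket_perms` matches what the other modules in this diff use.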
diff --git a/policy/modules/services/postgrey.fc b/policy/modules/services/postgrey.fc
new file mode 100644
index 0000000..74c88dc
--- /dev/null
+++ b/policy/modules/services/postgrey.fc
@@ -0,0 +1,8 @@
+
+/etc/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_etc_t,s0)
+
+/usr/sbin/postgrey	--	gen_context(system_u:object_r:postgrey_exec_t,s0)
+
+/var/run/postgrey\.pid	--	gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/var/lib/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_var_lib_t,s0)
diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if
new file mode 100644
index 0000000..f5cae30
--- /dev/null
+++ b/policy/modules/services/postgrey.if
@@ -0,0 +1 @@
+## <summary>Postfix grey-listing server</summary>
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
new file mode 100644
index 0000000..b794ca6
--- /dev/null
+++ b/policy/modules/services/postgrey.te
@@ -0,0 +1,105 @@
+
+policy_module(postgrey,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type postgrey_t;
+type postgrey_exec_t;
+init_daemon_domain(postgrey_t,postgrey_exec_t)
+
+type postgrey_etc_t;
+files_config_file(postgrey_etc_t)
+
+type postgrey_var_lib_t;
+files_type(postgrey_var_lib_t)
+
+type postgrey_var_run_t;
+files_pid_file(postgrey_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow postgrey_t self:capability { chown setgid setuid };
+dontaudit postgrey_t self:capability sys_tty_config;
+allow postgrey_t self:process signal_perms;
+allow postgrey_t self:tcp_socket create_stream_socket_perms;
+
+allow postgrey_t postgrey_etc_t:file r_file_perms;
+allow postgrey_t postgrey_etc_t:dir r_dir_perms;
+allow postgrey_t postgrey_etc_t:lnk_file { getattr read };
+
+allow postgrey_t postgrey_var_lib_t:file create_file_perms;
+allow postgrey_t postgrey_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
+
+allow postgrey_t postgrey_var_run_t:file create_file_perms;
+allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(postgrey_t,postgrey_var_run_t,file)
+
+kernel_read_system_state(postgrey_t)
+kernel_read_kernel_sysctls(postgrey_t)
+
+# for perl
+corecmd_search_bin(postgrey_t)
+corecmd_search_sbin(postgrey_t)
+
+corenet_non_ipsec_sendrecv(postgrey_t)
+corenet_tcp_sendrecv_generic_if(postgrey_t)
+corenet_tcp_sendrecv_all_nodes(postgrey_t)
+corenet_tcp_sendrecv_all_ports(postgrey_t)
+corenet_tcp_bind_all_nodes(postgrey_t)
+corenet_tcp_bind_postgrey_port(postgrey_t)
+corenet_sendrecv_postgrey_server_packets(postgrey_t)
+
+dev_read_urand(postgrey_t)
+dev_read_sysfs(postgrey_t)
+
+domain_use_interactive_fds(postgrey_t)
+
+files_read_etc_files(postgrey_t)
+files_read_etc_runtime_files(postgrey_t)
+files_read_usr_files(postgrey_t)
+files_getattr_tmp_dirs(postgrey_t)
+
+fs_getattr_all_fs(postgrey_t)
+fs_search_auto_mountpoints(postgrey_t)
+
+term_dontaudit_use_console(postgrey_t)
+
+init_use_fds(postgrey_t)
+init_use_script_ptys(postgrey_t)
+
+libs_use_ld_so(postgrey_t)
+libs_use_shared_libs(postgrey_t)
+
+logging_send_syslog_msg(postgrey_t)
+
+miscfiles_read_localization(postgrey_t)
+
+sysnet_read_config(postgrey_t)
+
+userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
+userdom_dontaudit_search_sysadm_home_dirs(postgrey_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(postgrey_t)
+	term_dontaudit_use_generic_ptys(postgrey_t)
+	files_dontaudit_read_root_files(postgrey_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(postgrey_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(postgrey_t)
+')
+
+optional_policy(`
+	udev_read_db(postgrey_t)
+')
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
new file mode 100644
index 0000000..3b2595c
--- /dev/null
+++ b/policy/modules/services/ppp.fc
@@ -0,0 +1,30 @@
+#
+# /etc
+#
+/etc/ppp				-d	gen_context(system_u:object_r:pppd_etc_t,s0)
+/etc/ppp/.*			--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/.*secrets		--	gen_context(system_u:object_r:pppd_secret_t,s0)
+/etc/ppp/resolv\.conf 		--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_script_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/pppd			--	gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pptp 			--	gen_context(system_u:object_r:pptp_exec_t,s0)
+/usr/sbin/ipppd			--	gen_context(system_u:object_r:pppd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/(i)?ppp.*pid		--	gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/pppd[0-9]*\.tdb		--	gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/ppp(/.*)?			gen_context(system_u:object_r:pppd_var_run_t,s0)
+# Fix pptp sockets
+/var/run/pptp(/.*)?			gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/var/log/ppp-connect-errors.*	--	gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp/.*			--	gen_context(system_u:object_r:pppd_log_t,s0)
+
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
new file mode 100644
index 0000000..afec620
--- /dev/null
+++ b/policy/modules/services/ppp.if
@@ -0,0 +1,237 @@
+## <summary>Point to Point Protocol daemon creates links in ppp networks</summary>
+
+########################################
+## <summary>
+##	Use PPP file discriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_use_fds',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	allow $1 pppd_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit
+##	and use PPP file discriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`ppp_dontaudit_use_fds',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	dontaudit $1 pppd_t:fd use;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to PPP.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_sigchld',`
+	gen_require(`
+		type pppd_t;
+
+	')
+
+	allow $1 pppd_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a generic signal to PPP.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_signal',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	allow $1 pppd_t:process signal;
+')
+
+########################################
+## <summary>
+##	 Execute domain in the ppp domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	 Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_domtrans',`
+	gen_require(`
+		type pppd_t, pppd_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, pppd_exec_t, pppd_t)
+
+	allow $1 pppd_t:fd use;
+	allow pppd_t $1:fd use;
+	allow pppd_t $1:fifo_file rw_file_perms;
+	allow pppd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	 Conditionally execute ppp daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	 Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_run_cond',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	role $2 types pppd_t;
+
+	tunable_policy(`pppd_for_user',`
+		ppp_domtrans($1)
+		allow pppd_t $3:chr_file rw_term_perms;
+	')
+')
+
+########################################
+## <summary>
+##	 Unconditionally execute ppp daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	 Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_run',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	ppp_domtrans($1)
+	role $2 types pppd_t;
+	allow pppd_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	 Execute domain in the ppp caller.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	 Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_exec',`
+	gen_require(`
+		type pppd_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1, pppd_exec_t)
+')
+
+########################################
+## <summary>
+##	Read PPP-writable configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_read_rw_config',`
+	gen_require(`
+		type pppd_etc_t, pppd_etc_rw_t;
+	')
+
+	allow $1 pppd_etc_t:dir list_dir_perms;
+	allow $1 pppd_etc_rw_t:file { getattr read };
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Read PPP secrets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_read_secrets',`
+	gen_require(`
+		type pppd_etc_t, pppd_secret_t;
+	')
+
+	allow $1 pppd_etc_t:dir list_dir_perms;
+	allow $1 pppd_secret_t:file { getattr read };
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete PPP pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_manage_pid_files',`
+	gen_require(`
+		type pppd_var_run_t;
+	')
+
+	allow $1 pppd_var_run_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete PPP pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_pid_filetrans',`
+	gen_require(`
+		type pppd_var_run_t;
+	')
+
+	files_pid_filetrans($1,pppd_var_run_t,file)
+')
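Review bot: ppp_run_cond and ppp_run take three arguments ($1 domain, $2 role, $3 terminal type, used in `role $2 types pppd_t;` and `allow pppd_t $3:chr_file rw_term_perms;`) but their headers document only `domain`; each needs a `<param name="role">` and a `<param name="terminal">` block describing the role allowed the pppd_t type and the terminal type pppd may read and write. The ppp_pid_filetrans summary repeats the one from ppp_manage_pid_files although the interface only grants the file type transition; something like `Create objects in the pid directory with the PPP pid file type.` describes what it actually does. "discriptors" in the ppp_use_fds and ppp_dontaudit_use_fds summaries should be "descriptors", and the stray blank line inside ppp_sigchld's gen_require can be dropped.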
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
new file mode 100644
index 0000000..4f48f9b
--- /dev/null
+++ b/policy/modules/services/ppp.te
@@ -0,0 +1,333 @@
+
+policy_module(ppp,1.2.4)
+
+########################################
+#
+# Declarations
+#
+
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
+type pppd_t;
+type pppd_exec_t;
+init_daemon_domain(pppd_t,pppd_exec_t)
+
+type pppd_devpts_t;
+term_pty(pppd_devpts_t)
+
+# Define a separate type for /etc/ppp
+type pppd_etc_t;
+files_config_file(pppd_etc_t)
+
+# Define a separate type for writable files under /etc/ppp
+type pppd_etc_rw_t;
+files_type(pppd_etc_rw_t)
+
+type pppd_script_exec_t;
+files_type(pppd_script_exec_t)
+
+# pppd_secret_t is the type of the pap and chap password files
+type pppd_secret_t;
+files_type(pppd_secret_t)
+
+type pppd_log_t;
+logging_log_file(pppd_log_t)
+
+type pppd_lock_t;
+files_lock_file(pppd_lock_t)
+
+type pppd_tmp_t;
+files_tmp_file(pppd_tmp_t)
+
+type pppd_var_run_t;
+files_pid_file(pppd_var_run_t)
+
+type pptp_t;
+type pptp_exec_t;
+init_daemon_domain(pptp_t,pptp_exec_t)
+
+type pptp_log_t;
+logging_log_file(pptp_log_t)
+
+type pptp_var_run_t;
+files_pid_file(pptp_var_run_t)
+
+########################################
+#
+# PPPD Local policy
+#
+
+allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+dontaudit pppd_t self:capability sys_tty_config;
+allow pppd_t self:process signal;
+allow pppd_t self:fifo_file rw_file_perms;
+allow pppd_t self:socket create_socket_perms;
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket create_socket_perms;
+allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
+allow pppd_t self:tcp_socket create_stream_socket_perms;
+allow pppd_t self:udp_socket { connect connected_socket_perms };
+allow pppd_t self:packet_socket create_socket_perms;
+
+domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
+allow pppd_t pptp_t:fd use;
+allow pptp_t pppd_t:fd use;
+allow pptp_t pppd_t:fifo_file rw_file_perms;
+allow pptp_t pppd_t:process sigchld;
+
+allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
+
+allow pppd_t pppd_etc_t:dir rw_dir_perms;
+allow pppd_t pppd_etc_t:file r_file_perms;
+allow pppd_t pppd_etc_t:lnk_file { getattr read };
+files_etc_filetrans(pppd_t,pppd_etc_t,file)
+
+allow pppd_t pppd_etc_rw_t:file create_file_perms;
+
+allow pppd_t pppd_lock_t:file create_file_perms;
+files_lock_filetrans(pppd_t,pppd_lock_t,file)
+
+allow pppd_t pppd_log_t:file create_file_perms;
+logging_log_filetrans(pppd_t,pppd_log_t,file)
+
+allow pppd_t pppd_tmp_t:dir create_dir_perms;
+allow pppd_t pppd_tmp_t:file create_file_perms;
+files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
+
+allow pppd_t pppd_var_run_t:dir rw_dir_perms;
+allow pppd_t pppd_var_run_t:file create_file_perms;
+files_pid_filetrans(pppd_t,pppd_var_run_t,file)
+
+allow pppd_t pptp_t:process signal;
+
+# for SSP
+# Access secret files
+allow pppd_t pppd_secret_t:file r_file_perms;
+
+# Automatically label newly created files under /etc/ppp with this type
+type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
+
+kernel_read_kernel_sysctls(pppd_t)
+kernel_read_system_state(pppd_t)
+kernel_read_net_sysctls(pppd_t)
+kernel_read_network_state(pppd_t)
+kernel_load_module(pppd_t)
+
+dev_read_urand(pppd_t)
+dev_search_sysfs(pppd_t)
+dev_read_sysfs(pppd_t)
+
+corenet_non_ipsec_sendrecv(pppd_t)
+corenet_tcp_sendrecv_all_if(pppd_t)
+corenet_raw_sendrecv_all_if(pppd_t)
+corenet_udp_sendrecv_all_if(pppd_t)
+corenet_tcp_sendrecv_all_nodes(pppd_t)
+corenet_raw_sendrecv_all_nodes(pppd_t)
+corenet_udp_sendrecv_all_nodes(pppd_t)
+corenet_tcp_sendrecv_all_ports(pppd_t)
+corenet_udp_sendrecv_all_ports(pppd_t)
+# Access /dev/ppp.
+corenet_rw_ppp_dev(pppd_t)
+
+fs_getattr_all_fs(pppd_t)
+fs_search_auto_mountpoints(pppd_t)
+
+term_use_unallocated_ttys(pppd_t)
+term_setattr_unallocated_ttys(pppd_t)
+term_ioctl_generic_ptys(pppd_t)
+# for pppoe
+term_create_pty(pppd_t,pppd_devpts_t)
+term_dontaudit_use_console(pppd_t)
+
+# allow running ip-up and ip-down scripts and running chat.
+corecmd_exec_bin(pppd_t)
+corecmd_exec_sbin(pppd_t)
+corecmd_exec_shell(pppd_t)
+
+domain_use_interactive_fds(pppd_t)
+
+files_exec_etc_files(pppd_t)
+files_read_etc_runtime_files(pppd_t)
+# for scripts
+files_read_etc_files(pppd_t)
+
+init_read_utmp(pppd_t)
+init_dontaudit_write_utmp(pppd_t)
+init_use_fds(pppd_t)
+init_use_script_ptys(pppd_t)
+
+libs_use_ld_so(pppd_t)
+libs_use_shared_libs(pppd_t)
+
+logging_send_syslog_msg(pppd_t)
+
+miscfiles_read_localization(pppd_t)
+
+sysnet_read_config(pppd_t)
+sysnet_exec_ifconfig(pppd_t)
+sysnet_manage_config(pppd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pppd_t)
+userdom_dontaudit_search_sysadm_home_dirs(pppd_t)
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
+userdom_search_sysadm_home_dirs(pppd_t)
+userdom_search_unpriv_users_home_dirs(pppd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(pppd_t)
+	term_dontaudit_use_generic_ptys(pppd_t)
+	files_dontaudit_read_root_files(pppd_t)
+
+	optional_policy(`
+		gen_require(`
+			bool postfix_disable_trans;
+		')
+
+		if(!postfix_disable_trans) {
+			postfix_domtrans_master(pppd_t)
+		}
+	')
+',`
+	optional_policy(`
+		postfix_domtrans_master(pppd_t)
+	')
+')
+
+optional_policy(`
+	ddclient_domtrans(pppd_t)
+')
+
+optional_policy(`
+	tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
+		modutils_domtrans_insmod_uncond(pppd_t)
+	')
+')
+
+optional_policy(`
+	mta_send_mail(pppd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(pppd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(pppd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(pppd_t)
+')
+
+optional_policy(`
+	udev_read_db(pppd_t)
+')
+
+########################################
+#
+# PPTP Local policy
+#
+
+dontaudit pptp_t self:capability sys_tty_config;
+allow pptp_t self:capability net_raw;
+allow pptp_t self:fifo_file { read write };
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pptp_t self:rawip_socket create_socket_perms;
+allow pptp_t self:tcp_socket create_socket_perms;
+
+allow pptp_t pppd_etc_t:dir { getattr read search };
+allow pptp_t pppd_etc_t:file { read getattr };
+allow pptp_t pppd_etc_t:lnk_file { getattr read };
+
+allow pptp_t pppd_etc_rw_t:dir { getattr read search };
+allow pptp_t pppd_etc_rw_t:file { read getattr };
+allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
+can_exec(pptp_t, pppd_etc_rw_t)
+
+# Allow pptp to append to pppd log files
+allow pptp_t pppd_log_t:file append;
+
+allow pptp_t pptp_log_t:file create_file_perms;
+logging_log_filetrans(pptp_t,pptp_log_t,file)
+
+allow pptp_t pptp_var_run_t:file create_file_perms;
+allow pptp_t pptp_var_run_t:dir rw_dir_perms;
+allow pptp_t pptp_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(pptp_t,pptp_var_run_t,file)
+
+kernel_list_proc(pptp_t)
+kernel_read_kernel_sysctls(pptp_t)
+kernel_read_proc_symlinks(pptp_t)
+
+dev_read_sysfs(pptp_t)
+
+corenet_non_ipsec_sendrecv(pptp_t)
+corenet_tcp_sendrecv_all_if(pptp_t)
+corenet_raw_sendrecv_all_if(pptp_t)
+corenet_tcp_sendrecv_all_nodes(pptp_t)
+corenet_raw_sendrecv_all_nodes(pptp_t)
+corenet_tcp_sendrecv_all_ports(pptp_t)
+corenet_tcp_bind_all_nodes(pptp_t)
+corenet_tcp_connect_generic_port(pptp_t)
+corenet_tcp_connect_all_reserved_ports(pptp_t)
+corenet_sendrecv_generic_client_packets(pptp_t)
+
+fs_getattr_all_fs(pptp_t)
+fs_search_auto_mountpoints(pptp_t)
+
+term_dontaudit_use_console(pptp_t)
+term_ioctl_generic_ptys(pptp_t)
+term_search_ptys(pptp_t)
+term_use_ptmx(pptp_t)
+
+domain_use_interactive_fds(pptp_t)
+
+init_use_fds(pptp_t)
+init_use_script_ptys(pptp_t)
+
+libs_use_ld_so(pptp_t)
+libs_use_shared_libs(pptp_t)
+
+logging_send_syslog_msg(pptp_t)
+
+miscfiles_read_localization(pptp_t)
+
+sysnet_read_config(pptp_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
+
+ifdef(`targeted_policy',`
+        term_dontaudit_use_unallocated_ttys(pptp_t)
+        term_dontaudit_use_generic_ptys(pptp_t)
+        files_dontaudit_read_root_files(pptp_t)
+')
+
+optional_policy(`
+	hostname_exec(pptp_t)
+')
+
+optional_policy(`
+	nscd_socket_use(pptp_t)
+')
+
+optional_policy(`
+        seutil_sigchld_newrole(pptp_t)
+')
+
+optional_policy(`
+        udev_read_db(pptp_t)
+')
+
+optional_policy(`
+	postfix_read_config(pppd_t)
+')
+
+# FIXME:
+domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
+allow pppd_t initrc_t:fd use;
+allow initrc_t pppd_t:fd use;
+allow initrc_t pppd_t:fifo_file rw_file_perms;
+allow initrc_t pppd_t:process sigchld;
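Review bot: The trailing block under `# FIXME:` (domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t) and the four allow rules after it) names initrc_t directly, while every other cross-module access in this file goes through an interface; without a gen_require of initrc_t this will not build as a separate module, and it sits after the PPTP section although it concerns pppd_t. Moving it into the PPPD local-policy section and expressing it through an init interface, or at least wrapping it in a gen_require with a comment explaining why the ip-up/ip-down scripts run in the init script domain, would make the dependency and its privilege implications explicit. Likewise `postfix_read_config(pppd_t)` at the end of the PPTP section belongs with the other pppd_t optional_policy blocks. The PPTP section's ifdef/optional_policy bodies are indented with spaces whereas the rest of the file uses tabs.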
diff --git a/policy/modules/services/privoxy.fc b/policy/modules/services/privoxy.fc
new file mode 100644
index 0000000..79e1e13
--- /dev/null
+++ b/policy/modules/services/privoxy.fc
@@ -0,0 +1,6 @@
+
+/etc/privoxy/user\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+
+/usr/sbin/privoxy	--	gen_context(system_u:object_r:privoxy_exec_t,s0)
+
+/var/log/privoxy(/.*)?		gen_context(system_u:object_r:privoxy_log_t,s0)
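Review bot: No file context is given for the privoxy pid file, although privoxy.te declares privoxy_var_run_t and calls files_pid_filetrans(privoxy_t,privoxy_var_run_t,file); the type transition labels the file correctly when the daemon creates it, but a relabel (restorecon/setfiles) would reset it to the generic pid type unless the path is covered by another fc file. Adding an entry for the pid path this privoxy build actually uses, e.g. `/var/run/privoxy\.pid	--	gen_context(system_u:object_r:privoxy_var_run_t,s0)` (path to be confirmed), keeps the on-disk label consistent with the policy.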
diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
new file mode 100644
index 0000000..26d15d7
--- /dev/null
+++ b/policy/modules/services/privoxy.if
@@ -0,0 +1 @@
+## <summary>Privacy enhancing web proxy.</summary>
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
new file mode 100644
index 0000000..866b3e3
--- /dev/null
+++ b/policy/modules/services/privoxy.te
@@ -0,0 +1,109 @@
+
+policy_module(privoxy,1.1.4)
+
+########################################
+#
+# Declarations
+#
+
+type privoxy_t; # web_client_domain
+type privoxy_exec_t;
+init_daemon_domain(privoxy_t,privoxy_exec_t)
+
+type privoxy_etc_rw_t;
+files_type(privoxy_etc_rw_t)
+
+type privoxy_log_t;
+logging_log_file(privoxy_log_t)
+
+type privoxy_var_run_t;
+files_pid_file(privoxy_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow privoxy_t self:capability { setgid setuid };
+dontaudit privoxy_t self:capability sys_tty_config;
+allow privoxy_t self:tcp_socket create_stream_socket_perms;
+
+allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
+
+allow privoxy_t privoxy_log_t:file create_file_perms;
+allow privoxy_t privoxy_log_t:dir rw_dir_perms;
+logging_log_filetrans(privoxy_t,privoxy_log_t,file)
+
+allow privoxy_t privoxy_var_run_t:file create_file_perms;
+allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(privoxy_t,privoxy_var_run_t,file)
+
+kernel_read_kernel_sysctls(privoxy_t)
+kernel_list_proc(privoxy_t)
+kernel_read_proc_symlinks(privoxy_t)
+
+corenet_non_ipsec_sendrecv(privoxy_t)
+corenet_tcp_sendrecv_all_if(privoxy_t)
+corenet_tcp_sendrecv_all_nodes(privoxy_t)
+corenet_tcp_sendrecv_all_ports(privoxy_t)
+corenet_tcp_bind_all_nodes(privoxy_t)
+corenet_tcp_bind_http_cache_port(privoxy_t)
+corenet_tcp_connect_http_port(privoxy_t)
+corenet_tcp_connect_http_cache_port(privoxy_t)
+corenet_tcp_connect_ftp_port(privoxy_t)
+corenet_tcp_connect_tor_port(privoxy_t)
+corenet_sendrecv_http_cache_client_packets(privoxy_t)
+corenet_sendrecv_http_cache_server_packets(privoxy_t)
+corenet_sendrecv_http_client_packets(privoxy_t)
+corenet_sendrecv_ftp_client_packets(privoxy_t)
+corenet_sendrecv_tor_client_packets(privoxy_t)
+
+dev_read_sysfs(privoxy_t)
+
+fs_getattr_all_fs(privoxy_t)
+fs_search_auto_mountpoints(privoxy_t)
+
+term_dontaudit_use_console(privoxy_t)
+
+domain_use_interactive_fds(privoxy_t)
+
+files_read_etc_files(privoxy_t)
+
+init_use_fds(privoxy_t)
+init_use_script_ptys(privoxy_t)
+
+libs_use_ld_so(privoxy_t)
+libs_use_shared_libs(privoxy_t)
+
+logging_send_syslog_msg(privoxy_t)
+
+miscfiles_read_localization(privoxy_t)
+
+sysnet_dns_name_resolve(privoxy_t)
+
+userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
+userdom_dontaudit_search_sysadm_home_dirs(privoxy_t)
+# cjp: this should really not be needed
+userdom_use_sysadm_terms(privoxy_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(privoxy_t)
+	term_dontaudit_use_generic_ptys(privoxy_t)
+	files_dontaudit_read_root_files(privoxy_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(privoxy_t)
+')
+
+optional_policy(`
+	nscd_socket_use(privoxy_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(privoxy_t)
+')
+
+optional_policy(`
+	udev_read_db(privoxy_t)
+')
diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc
new file mode 100644
index 0000000..5c335d4
--- /dev/null
+++ b/policy/modules/services/procmail.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/procmail	--	gen_context(system_u:object_r:procmail_exec_t,s0)
diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
new file mode 100644
index 0000000..078fca3
--- /dev/null
+++ b/policy/modules/services/procmail.if
@@ -0,0 +1,46 @@
+## <summary>Procmail mail delivery agent</summary>
+
+########################################
+## <summary>
+##	Execute procmail with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_domtrans',`
+	gen_require(`
+		type procmail_exec_t, procmail_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,procmail_exec_t,procmail_t)
+
+	allow $1 procmail_t:fd use;
+	allow procmail_t $1:fd use;
+	allow procmail_t $1:fifo_file rw_file_perms;
+	allow procmail_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute procmail in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_exec',`
+	gen_require(`
+		type procmail_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	can_exec($1,procmail_exec_t)
+')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
new file mode 100644
index 0000000..29eefae
--- /dev/null
+++ b/policy/modules/services/procmail.te
@@ -0,0 +1,116 @@
+
+policy_module(procmail,1.2.4)
+
+########################################
+#
+# Declarations
+#
+
+type procmail_t;
+type procmail_exec_t;
+domain_type(procmail_t)
+domain_entry_file(procmail_t,procmail_exec_t)
+role system_r types procmail_t;
+
+########################################
+#
+# Local policy
+#
+
+allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
+allow procmail_t self:process { setsched signal };
+allow procmail_t self:fifo_file rw_file_perms;
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+allow procmail_t self:tcp_socket create_stream_socket_perms;
+allow procmail_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(procmail_t)
+kernel_read_kernel_sysctls(procmail_t)
+
+corenet_non_ipsec_sendrecv(procmail_t)
+corenet_tcp_sendrecv_all_if(procmail_t)
+corenet_udp_sendrecv_all_if(procmail_t)
+corenet_tcp_sendrecv_all_nodes(procmail_t)
+corenet_udp_sendrecv_all_nodes(procmail_t)
+corenet_tcp_sendrecv_all_ports(procmail_t)
+corenet_udp_sendrecv_all_ports(procmail_t)
+corenet_tcp_connect_spamd_port(procmail_t)
+corenet_sendrecv_spamd_client_packets(procmail_t)
+
+dev_read_urand(procmail_t)
+
+fs_getattr_xattr_fs(procmail_t)
+
+auth_use_nsswitch(procmail_t)
+
+corecmd_exec_bin(procmail_t)
+corecmd_exec_shell(procmail_t)
+corecmd_dontaudit_search_sbin(procmail_t)
+
+files_read_etc_files(procmail_t)
+files_read_etc_runtime_files(procmail_t)
+files_search_pids(procmail_t)
+# for spamassasin
+files_read_usr_files(procmail_t)
+
+libs_use_ld_so(procmail_t)
+libs_use_shared_libs(procmail_t)
+
+miscfiles_read_localization(procmail_t)
+
+# only works until we define a different type for maildir
+userdom_priveleged_home_dir_manager(procmail_t)
+# Do not audit attempts to access /root.
+userdom_dontaudit_search_sysadm_home_dirs(procmail_t)
+userdom_dontaudit_search_staff_home_dirs(procmail_t)
+
+mta_manage_spool(procmail_t)
+
+ifdef(`hide_broken_symptoms',`
+	mta_dontaudit_rw_queue(procmail_t)
+')
+
+ifdef(`targeted_policy', `
+	corenet_udp_bind_generic_port(procmail_t)
+	files_getattr_tmp_dirs(procmail_t)
+')
+
+optional_policy(`
+	clamav_domtrans_clamscan(procmail_t)
+	clamav_search_lib(procmail_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(procmail_t)
+')
+
+optional_policy(`
+	nscd_socket_use(procmail_t)
+')
+
+optional_policy(`
+	# for a bug in the postfix local program
+	postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
+	postfix_dontaudit_use_fds(procmail_t)
+')
+
+optional_policy(`
+	pyzor_domtrans(procmail_t)
+')
+
+optional_policy(`
+	mta_read_config(procmail_t)
+	sendmail_domtrans(procmail_t)
+	sendmail_rw_tcp_sockets(procmail_t)
+	sendmail_rw_unix_stream_sockets(procmail_t)
+')
+
+optional_policy(`
+	corenet_udp_bind_generic_port(procmail_t)
+
+	files_getattr_tmp_dirs(procmail_t)
+
+	spamassassin_exec(procmail_t)
+	spamassassin_exec_client(procmail_t)
+')
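Review bot: `corenet_udp_bind_generic_port(procmail_t)` and `files_getattr_tmp_dirs(procmail_t)` appear twice, once in the ifdef(`targeted_policy') block and again in the last optional_policy block, so one copy is redundant on targeted builds; the second occurrence also has no comment saying why procmail needs to bind a UDP port, which from the neighbouring spamassassin_exec calls is presumably for the spamassassin path. A one-line comment naming what needs the port, or dropping the duplicates from the optional block, would make the intent clear. Separately, `# for spamassasin` above files_read_usr_files should read `# for spamassassin`.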
diff --git a/policy/modules/services/publicfile.fc b/policy/modules/services/publicfile.fc
new file mode 100644
index 0000000..5b20b68
--- /dev/null
+++ b/policy/modules/services/publicfile.fc
@@ -0,0 +1,7 @@
+
+/usr/bin/ftpd		--	gen_context(system_u:object_r:publicfile_exec_t,s0)
+/usr/bin/httpd		--	gen_context(system_u:object_r:publicfile_exec_t,s0)
+
+# this is the place where online content located
+# set this to suit your needs
+#/var/www(/.*)?			gen_context(system_u:object_r:publicfile_content_t,s0)
diff --git a/policy/modules/services/publicfile.if b/policy/modules/services/publicfile.if
new file mode 100644
index 0000000..5b07592
--- /dev/null
+++ b/policy/modules/services/publicfile.if
@@ -0,0 +1 @@
+## <summary>publicfile supplies files to the public through HTTP and FTP</summary>
diff --git a/policy/modules/services/publicfile.te b/policy/modules/services/publicfile.te
new file mode 100644
index 0000000..7b91ac9
--- /dev/null
+++ b/policy/modules/services/publicfile.te
@@ -0,0 +1,39 @@
+
+policy_module(publicfile,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type publicfile_t;
+type publicfile_exec_t;
+init_system_domain(publicfile_t,publicfile_exec_t)
+role system_r types publicfile_t;
+
+type publicfile_content_t;
+files_type(publicfile_content_t)
+
+########################################
+#
+# Local policy
+#
+
+allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+allow publicfile_t publicfile_content_t:dir r_dir_perms;
+allow publicfile_t publicfile_content_t:file r_file_perms;
+
+files_search_var(publicfile_t)
+
+libs_use_ld_so(publicfile_t)
+libs_use_shared_libs(publicfile_t)
+
+optional_policy(`
+	daemontools_ipc_domain(publicfile_t)
+')
+
+optional_policy(`
+	ucspitcp_service_domain(publicfile_t, publicfile_exec_t)
+')
+
+#allow publicfile_t initrc_t:tcp_socket { read write };
diff --git a/policy/modules/services/pxe.fc b/policy/modules/services/pxe.fc
new file mode 100644
index 0000000..44b3a0c
--- /dev/null
+++ b/policy/modules/services/pxe.fc
@@ -0,0 +1,6 @@
+
+/usr/sbin/pxe		--	gen_context(system_u:object_r:pxe_exec_t,s0)
+
+/var/log/pxe\.log	--	gen_context(system_u:object_r:pxe_log_t,s0)
+
+/var/run/pxe\.pid	--	gen_context(system_u:object_r:pxe_var_run_t,s0)
diff --git a/policy/modules/services/pxe.if b/policy/modules/services/pxe.if
new file mode 100644
index 0000000..d3d6a6b
--- /dev/null
+++ b/policy/modules/services/pxe.if
@@ -0,0 +1 @@
+## <summary>Server for the PXE network boot protocol</summary>
diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te
new file mode 100644
index 0000000..d992e7d
--- /dev/null
+++ b/policy/modules/services/pxe.te
@@ -0,0 +1,79 @@
+
+policy_module(pxe,1.0.0)
+
+# cjp: policy seems incomplete
+
+########################################
+#
+# Declarations
+#
+
+type pxe_t;
+type pxe_exec_t;
+init_daemon_domain(pxe_t,pxe_exec_t)
+
+type pxe_log_t;
+logging_log_file(pxe_log_t)
+
+type pxe_var_run_t;
+files_pid_file(pxe_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pxe_t self:capability { chown setgid setuid };
+dontaudit pxe_t self:capability sys_tty_config;
+allow pxe_t self:process signal_perms;
+
+allow pxe_t pxe_log_t:file create_file_perms;
+logging_log_filetrans(pxe_t,pxe_log_t,file)
+
+allow pxe_t pxe_var_run_t:file create_file_perms;
+allow pxe_t pxe_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(pxe_t,pxe_var_run_t,file)
+
+kernel_read_kernel_sysctls(pxe_t)
+kernel_list_proc(pxe_t)
+kernel_read_proc_symlinks(pxe_t)
+
+corenet_udp_bind_pxe_port(pxe_t)
+
+dev_read_sysfs(pxe_t)
+
+domain_use_interactive_fds(pxe_t)
+
+files_read_etc_files(pxe_t)
+
+fs_getattr_all_fs(pxe_t)
+fs_search_auto_mountpoints(pxe_t)
+
+term_dontaudit_use_console(pxe_t)
+
+init_use_fds(pxe_t)
+init_use_script_ptys(pxe_t)
+
+libs_use_ld_so(pxe_t)
+libs_use_shared_libs(pxe_t)
+
+logging_send_syslog_msg(pxe_t)
+
+miscfiles_read_localization(pxe_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pxe_t)
+userdom_dontaudit_search_sysadm_home_dirs(pxe_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(pxe_t)
+	term_dontaudit_use_generic_ptys(pxe_t)
+	files_dontaudit_read_root_files(pxe_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(pxe_t)
+')
+
+optional_policy(`
+	udev_read_db(pxe_t)
+')
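Review bot: pxe_t is granted corenet_udp_bind_pxe_port but the self rules at the top of the local policy only cover capability and process; there is no `allow pxe_t self:udp_socket create_socket_perms;`, so the daemon cannot create the socket it is meant to bind, and there are no corenet_udp_sendrecv_* or corenet_udp_bind_all_nodes calls to let traffic flow on it. Adding the udp_socket self rule together with the node/interface/port sendrecv interfaces the other network daemons in this series use would make the `# cjp: policy seems incomplete` note actionable.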
diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc
new file mode 100644
index 0000000..71e71c8
--- /dev/null
+++ b/policy/modules/services/pyzor.fc
@@ -0,0 +1,11 @@
+/etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
+
+/usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
+/usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
+
+/var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+/var/log/pyzord.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+')
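Review bot: The dot in `/var/log/pyzord.log` is an unescaped regex metacharacter, unlike the other entries in this series which write `\.`; it should be `/var/log/pyzord\.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)`. The first entry also has a space in `gen_context(system_u:object_r:pyzor_etc_t, s0)` while the rest of the file omits it; keeping one form is cleaner.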
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
new file mode 100644
index 0000000..ef23b07
--- /dev/null
+++ b/policy/modules/services/pyzor.if
@@ -0,0 +1,80 @@
+## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
+
+########################################
+## <summary>
+##	Execute pyzor with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pyzor_domtrans',`
+	gen_require(`
+		type pyzor_exec_t, pyzor_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,pyzor_exec_t,pyzor_t)
+
+	allow $1 pyzor_t:fd use;
+	allow pyzor_t $1:fd use;
+	allow pyzor_t $1:fifo_file rw_file_perms;
+	allow pyzor_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute pyzor in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pyzor_exec',`
+	gen_require(`
+		type pyzor_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	can_exec($1,pyzor_exec_t)
+')
+
+#######################################
+## <summary>
+##	The per user domain template for the pyzor module.
+## </summary>
+## <desc>
+##	<p>
+##	This template allows pyzor to manage files in
+##	a user home directory, creating files with the
+##	correct type.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`pyzor_per_userdomain_template',`
+	type $1_pyzor_home_t;
+	userdom_user_home_content($1,$1_pyzor_home_t)
+
+	allow pyzord_t $1_pyzor_home_t:dir create_dir_perms;
+	allow pyzord_t $1_pyzor_home_t:file create_file_perms;
+	allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms;
+	userdom_search_user_home_dirs($1,pyzord_t)
+	userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file })
+')
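Review bot: pyzor_per_userdomain_template references pyzord_t without a gen_require, unlike qmail_per_userdomain_template in this same series, so the template only expands cleanly when it happens to be instantiated where pyzord_t is already declared; add a `gen_require(` block with `type pyzord_t;` at the top of the template. It is also worth confirming that the daemon is the intended subject: the .fc labels HOME_DIR/.pyzor, which is the client's per-user state, yet the client domain pyzor_t gets no rule on $1_pyzor_home_t while the system daemon pyzord_t is allowed to create and manage files in every user's home directory. If only the client needs this, the rules should name pyzor_t, which keeps a network-facing daemon out of user homes entirely.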
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
new file mode 100644
index 0000000..547a1c7
--- /dev/null
+++ b/policy/modules/services/pyzor.te
@@ -0,0 +1,132 @@
+
+policy_module(pyzor,1.0.4)
+
+########################################
+#
+# Declarations
+#
+
+type pyzor_t;
+type pyzor_exec_t;
+domain_type(pyzor_t)
+domain_entry_file(pyzor_t,pyzor_exec_t)
+role system_r types pyzor_t;
+
+type pyzord_t;
+type pyzord_exec_t;
+domain_type(pyzord_t)
+init_daemon_domain(pyzord_t,pyzord_exec_t)
+
+type pyzor_etc_t;
+files_type(pyzor_etc_t)
+
+type pyzord_log_t;
+logging_log_file(pyzord_log_t)
+
+type pyzor_var_lib_t;
+files_type(pyzor_var_lib_t)
+
+########################################
+#
+# Pyzor local policy
+#
+
+allow pyzor_t self:udp_socket create_socket_perms;
+
+allow pyzor_t pyzor_var_lib_t:dir r_dir_perms;
+allow pyzor_t pyzor_var_lib_t:file r_file_perms;
+files_search_var_lib(pyzor_t)
+
+kernel_read_kernel_sysctls(pyzor_t)  
+kernel_read_system_state(pyzor_t)
+
+corecmd_list_bin(pyzor_t)
+corecmd_getattr_bin_files(pyzor_t)
+
+corenet_udp_sendrecv_all_if(pyzor_t)
+corenet_udp_sendrecv_all_nodes(pyzor_t)
+corenet_udp_sendrecv_all_ports(pyzor_t)
+
+dev_read_urand(pyzor_t)
+
+files_read_etc_files(pyzor_t)
+
+auth_use_nsswitch(pyzor_t)
+
+libs_use_ld_so(pyzor_t)
+libs_use_shared_libs(pyzor_t)
+
+miscfiles_read_localization(pyzor_t)
+
+optional_policy(`
+	amavis_manage_lib_files(pyzor_t)
+	amavis_manage_spool_files(pyzor_t)
+')
+
+optional_policy(`
+	spamassassin_read_spamd_tmp_files(pyzor_t)
+')
+
+########################################
+#
+# Pyzord local policy
+#
+
+allow pyzord_t self:udp_socket create_socket_perms;
+
+allow pyzord_t pyzor_var_lib_t:file create_file_perms;
+allow pyzord_t pyzor_var_lib_t:dir { rw_dir_perms setattr };
+files_var_lib_filetrans(pyzord_t,pyzor_var_lib_t,{ file dir })
+
+allow pyzord_t pyzor_etc_t:file create_file_perms;
+allow pyzord_t pyzor_etc_t:dir r_dir_perms;
+
+can_exec(pyzord_t,pyzor_exec_t)
+
+allow pyzord_t pyzord_log_t:file create_file_perms;
+allow pyzord_t pyzord_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(pyzord_t,pyzord_log_t, { file dir } )
+
+kernel_read_kernel_sysctls(pyzord_t)
+kernel_read_system_state(pyzord_t)
+
+dev_read_urand(pyzord_t)
+
+corecmd_exec_bin(pyzord_t)
+
+corenet_non_ipsec_sendrecv(pyzord_t)
+corenet_udp_sendrecv_all_if(pyzord_t)
+corenet_udp_sendrecv_all_nodes(pyzord_t)
+corenet_udp_sendrecv_all_ports(pyzord_t)
+corenet_udp_bind_all_nodes(pyzord_t)
+corenet_udp_bind_pyzor_port(pyzord_t)
+corenet_sendrecv_pyzor_server_packets(pyzord_t)
+
+files_read_etc_files(pyzord_t)
+
+term_dontaudit_use_generic_ptys(pyzord_t)
+
+auth_use_nsswitch(pyzord_t)
+
+libs_use_ld_so(pyzord_t)
+libs_use_shared_libs(pyzord_t)
+
+miscfiles_read_localization(pyzord_t)
+
+# Do not audit attempts to access /root.
+userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
+userdom_dontaudit_search_staff_home_dirs(pyzord_t)
+
+mta_manage_spool(pyzord_t)
+
+ifdef(`targeted_policy',`
+	userdom_read_generic_user_home_content_files(pyzord_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(pyzord_t)
+')
+
+optional_policy(`
+	nscd_socket_use(pyzord_t)
+')
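Review bot: pyzord_t is granted create_file_perms on pyzor_etc_t, its own /etc/pyzor configuration, which lets a compromised daemon rewrite the configuration it is started from; the client pyzor_t, by contrast, only gets read access to its data. Unless pyzord is known to write under /etc/pyzor at runtime, this should be `allow pyzord_t pyzor_etc_t:file r_file_perms;`. The same question applies to `mta_manage_spool(pyzord_t)`: a UDP signature server managing the system mail spool is a broad grant and deserves a comment naming the access that was actually observed to be needed.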
diff --git a/policy/modules/services/qmail.fc b/policy/modules/services/qmail.fc
new file mode 100644
index 0000000..0055e54
--- /dev/null
+++ b/policy/modules/services/qmail.fc
@@ -0,0 +1,47 @@
+
+/var/qmail/alias		-d	gen_context(system_u:object_r:qmail_alias_home_t,s0)
+/var/qmail/alias(/.*)?			gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+/var/qmail/bin/qmail-clean	--	gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/var/qmail/bin/qmail-getpw	--	gen_context(system_u:object_r:qmail_exec_t,s0)
+/var/qmail/bin/qmail-inject	--	gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/var/qmail/bin/qmail-local	--	gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/var/qmail/bin/qmail-lspawn	--	gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/var/qmail/bin/qmail-queue	--	gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/var/qmail/bin/qmail-remote	--	gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/var/qmail/bin/qmail-rspawn	--	gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/var/qmail/bin/qmail-send	--	gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/var/qmail/bin/qmail-smtpd	--	gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/var/qmail/bin/qmail-start	--	gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/var/qmail/bin/splogger		--	gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/var/qmail/bin/tcp-env		--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/var/qmail/control(/.*)?		gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/qmail/queue(/.*)?			gen_context(system_u:object_r:qmail_spool_t,s0)
+
+ifdef(`distro_debian', `
+/etc/qmail(/.*)?			gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/usr/bin/tcp-env		--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+#/usr/local/bin/serialmail/.*	--	gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
+
+/usr/sbin/qmail-clean		--	gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/sbin/qmail-getpw		--	gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/sbin/qmail-inject		--	gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/sbin/qmail-local		--	gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/sbin/qmail-lspawn		--	gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/sbin/qmail-queue		--	gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/sbin/qmail-remote		--	gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/sbin/qmail-rspawn		--	gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/sbin/qmail-send		--	gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/sbin/qmail-smtpd		--	gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/sbin/qmail-start		--	gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/sbin/splogger		--	gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+
+/var/qmail(/.*)?			gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/spool/qmail(/.*)?			gen_context(system_u:object_r:qmail_spool_t,s0)
+')
+
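Review bot: In the distro_debian branch the catch-all `/var/qmail(/.*)?` entry labels everything under /var/qmail as qmail_etc_t, so any binary in /var/qmail/bin that is not enumerated above (other qmail tools, if installed) becomes a read-only config file rather than an executable, and any data directory other than /var/qmail/queue or /var/qmail/alias gets config treatment as well. That is fail-safe but probably unintended; a comment such as `# everything else under /var/qmail is treated as read-only configuration` would at least make it deliberate, and a generic bin label for the rest of /var/qmail/bin would avoid the exec denials. The `-d` line and the `(/.*)?` line for /var/qmail/alias assign the same type, so one of them is redundant as written.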
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
new file mode 100644
index 0000000..a9ac709
--- /dev/null
+++ b/policy/modules/services/qmail.if
@@ -0,0 +1,209 @@
+## <summary>Qmail Mail Server</summary>
+
+#######################################
+## <summary>
+##      The per user domain template for qmail
+## </summary>
+## <desc>
+##      <p>
+##      This template is invoked automatically for each user, and
+##      generally does not need to be invoked directly
+##      by policy writers.
+##      </p>
+## </desc>
+## <param name="userdomain_prefix">
+##      <summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##      </summary>
+## </param>
+## <param name="user_domain">
+##      <summary>
+##      The type of the user domain.
+##      </summary>
+## </param>
+## <param name="user_role">
+##      <summary>
+##      The role associated with the user domain.
+##      </summary>
+## </param>
+#
+template(`qmail_per_userdomain_template',`
+	gen_require(`
+		attribute qmail_user_domains;
+	')
+
+	role $3 types qmail_user_domains;
+
+	qmail_domtrans_inject($2)
+
+	allow qmail_user_domains $2:process sigchld;
+	allow qmail_user_domains $2:fifo_file { write getattr };
+	allow qmail_user_domains $2:fd use;
+
+')
+
+########################################
+## <summary>
+##	Template for qmail parent/sub-domain pairs
+## </summary>
+## <param name="child_prefix">
+##	<summary>
+##	The prefix of the child domain
+##	</summary>
+## </param>
+## <param name="parent_domain">
+##	<summary>
+##	The name of the parent domain.
+##	</summary>
+## </param>
+#
+template(`qmail_child_domain_template',`
+	type $1_t;
+	domain_type($1_t)
+	type $1_exec_t;
+	domain_entry_file($1_t,$1_exec_t)
+	domain_auto_trans($2, $1_exec_t, $1_t)
+	role system_r types $1_t;
+
+	allow $1_t self:process signal_perms;
+
+	allow $1_t $2:fd use;
+	allow $1_t $2:fifo_file rw_file_perms;
+	allow $1_t $2:process sigchld;
+
+	allow $1_t qmail_etc_t:dir { getattr read search };
+	allow $1_t qmail_etc_t:file { getattr read };
+	allow $1_t qmail_etc_t:lnk_file { getattr read };
+
+	allow $1_t qmail_start_t:fd use;
+
+	kernel_list_proc($2)
+	kernel_read_proc_symlinks($2)
+
+	corecmd_search_bin($1_t)
+
+	files_search_var($1_t)
+
+	fs_getattr_xattr_fs($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+
+	miscfiles_read_localization($1_t)
+')
+
+########################################
+## <summary>
+##	Transition to qmail_inject_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`qmail_domtrans_inject',`
+	gen_require(`
+		type qmail_inject_t;
+		type qmail_inject_exec_t;
+	')
+
+	domain_auto_trans($1, qmail_inject_exec_t, qmail_inject_t)
+	allow qmail_inject_t $1:fd use;
+	allow qmail_inject_t $1:fifo_file { read write };
+	allow qmail_inject_t $1:process sigchld;
+
+	ifdef(`distro_debian',`
+		files_search_usr($1)
+		corecmd_search_sbin($1)
+	',`
+		files_search_var($1)
+		corecmd_search_bin($1)
+	')
+')
+
+########################################
+## <summary>
+##	Transition to qmail_queue_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##		Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`qmail_domtrans_queue',`
+	gen_require(`
+		type qmail_queue_t;
+		type qmail_queue_exec_t;
+	')
+
+	domain_auto_trans($1, qmail_queue_exec_t, qmail_queue_t)
+
+	allow qmail_queue_t $1:fd use;
+	allow qmail_queue_t $1:fifo_file { read write };
+	allow qmail_queue_t $1:process sigchld;
+
+	ifdef(`distro_debian',`
+		files_search_usr($1)
+		corecmd_search_sbin($1)
+	',`
+		files_search_var($1)
+		corecmd_search_bin($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read qmail configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qmail_read_config',`
+	gen_require(`
+		type qmail_etc_t;
+	')
+
+	allow $1 qmail_etc_t:dir { getattr read search };
+	allow $1 qmail_etc_t:file { getattr read };
+	allow $1 qmail_etc_t:lnk_file { getattr read };
+	files_search_var($1)
+
+	ifdef(`distro_debian',`
+		# handle /etc/qmail
+		files_search_etc($1)
+	')
+')
+
+########################################
+## <summary>
+##	Define the specified domain as a qmail-smtp service. 
+##	Needed by antivirus/antispam filters.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type associated with the process program.
+##	</summary>
+## </param>
+#
+interface(`qmail_smtpd_service_domain',`
+	gen_require(`
+		type qmail_smtpd_t;
+	')
+
+        domain_auto_trans(qmail_smtpd_t, $2, $1)
+
+	allow $1 qmail_smtpd_t:fd use;
+	allow $1 qmail_smtpd_t:fifo_file { read write };
+	allow $1 qmail_smtpd_t:process sigchld;
+')
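Review bot: qmail_child_domain_template grants `kernel_list_proc($2)` and `kernel_read_proc_symlinks($2)` to the parent domain $2 rather than to the child $1_t it is defining, so every instantiation (qmail_start_t is the parent five times in qmail.te) re-grants the same access to the parent while the child gets nothing; if the /proc access belongs to the child it should read `kernel_list_proc($1_t)` and `kernel_read_proc_symlinks($1_t)`, otherwise it belongs once in the parent's own local policy. The template also hard-codes `allow $1_t qmail_start_t:fd use;` for every child, including those whose parent is not qmail_start_t, which deserves a one-line comment explaining why all children inherit qmail-start's descriptors. Separately, the domain_auto_trans line in qmail_smtpd_service_domain is indented with spaces where the rest of the file uses tabs.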
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
new file mode 100644
index 0000000..3cd7e62
--- /dev/null
+++ b/policy/modules/services/qmail.te
@@ -0,0 +1,314 @@
+
+policy_module(qmail,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute qmail_user_domains;
+
+type qmail_alias_home_t;
+files_type(qmail_alias_home_t)
+
+qmail_child_domain_template(qmail_clean, qmail_start_t)
+
+type qmail_etc_t;
+files_type(qmail_etc_t)
+
+type qmail_exec_t;
+files_type(qmail_exec_t)
+
+type qmail_inject_t, qmail_user_domains;
+type qmail_inject_exec_t;
+domain_type(qmail_inject_t)
+domain_entry_file(qmail_inject_t,qmail_inject_exec_t)
+mta_mailserver_user_agent(qmail_inject_t)
+role system_r types qmail_inject_t;
+
+qmail_child_domain_template(qmail_local, qmail_lspawn_t)
+mta_mailserver_delivery(qmail_local_t)
+
+qmail_child_domain_template(qmail_lspawn, qmail_start_t)
+mta_mailserver_delivery(qmail_lspawn_t)
+
+qmail_child_domain_template(qmail_queue, qmail_inject_t)
+typeattribute qmail_queue_t qmail_user_domains;
+mta_mailserver_user_agent(qmail_queue_t)
+
+qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
+mta_mailserver_sender(qmail_remote_t)
+
+qmail_child_domain_template(qmail_rspawn, qmail_start_t)
+
+qmail_child_domain_template(qmail_send, qmail_start_t)
+
+qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+
+qmail_child_domain_template(qmail_splogger, qmail_start_t)
+
+type qmail_spool_t;
+files_type(qmail_spool_t)
+
+type qmail_start_t;
+type qmail_start_exec_t;
+init_daemon_domain(qmail_start_t,qmail_start_exec_t)
+
+type qmail_tcp_env_t;
+type qmail_tcp_env_exec_t;
+domain_type(qmail_tcp_env_t)
+domain_entry_file(qmail_tcp_env_t,qmail_tcp_env_exec_t)
+
+########################################
+#
+# qmail-clean local policy
+#   this component cleans up the queue directory
+#
+
+allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
+allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
+
+########################################
+#
+# qmail-inject local policy
+#   this component preprocesses mail from stdin and invokes qmail-queue
+#
+
+allow qmail_inject_t self:fifo_file write;
+allow qmail_inject_t self:process signal_perms;
+
+allow qmail_inject_t qmail_queue_exec_t:file read;
+
+corecmd_search_bin(qmail_inject_t)
+corecmd_search_sbin(qmail_inject_t)
+
+files_search_var(qmail_inject_t)
+
+libs_use_ld_so(qmail_inject_t)
+libs_use_shared_libs(qmail_inject_t)
+
+qmail_read_config(qmail_inject_t)
+
+########################################
+#
+# qmail-local local policy
+#   this component delivers a mail message
+#
+
+allow qmail_local_t self:fifo_file write;
+allow qmail_local_t self:process signal_perms;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
+
+allow qmail_local_t qmail_alias_home_t:dir create_dir_perms;
+allow qmail_local_t qmail_alias_home_t:file create_file_perms;
+
+allow qmail_local_t qmail_queue_exec_t:file read;
+
+allow qmail_local_t qmail_spool_t:file r_file_perms;
+
+kernel_read_system_state(qmail_local_t)
+
+corecmd_exec_shell(qmail_local_t)
+corecmd_search_sbin(qmail_local_t)
+
+files_read_etc_files(qmail_local_t)
+files_read_etc_runtime_files(qmail_local_t)
+
+mta_append_spool(qmail_local_t)
+
+qmail_domtrans_queue(qmail_local_t)
+
+########################################
+#
+# qmail-lspawn local policy
+#   this component schedules local deliveries
+#
+
+allow qmail_lspawn_t self:capability { setuid setgid };
+allow qmail_lspawn_t self:process signal_perms;
+allow qmail_lspawn_t self:fifo_file { read write };
+allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
+
+can_exec(qmail_lspawn_t, qmail_exec_t)
+
+allow qmail_lspawn_t qmail_local_exec_t:file read;
+
+allow qmail_lspawn_t qmail_spool_t:dir search;
+allow qmail_lspawn_t qmail_spool_t:file { read getattr };
+
+corecmd_search_sbin(qmail_lspawn_t)
+
+files_read_etc_files(qmail_lspawn_t)
+files_search_pids(qmail_lspawn_t)
+files_search_tmp(qmail_lspawn_t)
+
+########################################
+#
+# qmail-queue local policy
+#   this component places a mail in a delivery queue, later to be processed by qmail-send
+#
+
+allow qmail_queue_t qmail_lspawn_t:fd use;
+allow qmail_queue_t qmail_lspawn_t:fifo_file write;
+
+allow qmail_queue_t qmail_smtpd_t:fd use;
+allow qmail_queue_t qmail_smtpd_t:fifo_file read;
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
+
+allow qmail_queue_t qmail_spool_t:dir create_dir_perms;
+allow qmail_queue_t qmail_spool_t:fifo_file { read write };
+allow qmail_queue_t qmail_spool_t:file create_file_perms;
+
+optional_policy(`
+	daemontools_ipc_domain(qmail_queue_t)
+')
+
+########################################
+#
+# qmail-remote local policy
+#   this component sends mail via SMTP
+#
+
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
+allow qmail_remote_t qmail_spool_t:dir search;
+allow qmail_remote_t qmail_spool_t:file rw_file_perms;
+
+corenet_non_ipsec_sendrecv(qmail_remote_t)
+corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+corenet_udp_sendrecv_generic_if(qmail_remote_t)
+corenet_tcp_sendrecv_generic_node(qmail_remote_t)
+corenet_udp_sendrecv_generic_node(qmail_remote_t)
+corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_dns_port(qmail_remote_t)
+corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
+
+dev_read_rand(qmail_remote_t)
+dev_read_urand(qmail_remote_t)
+
+sysnet_read_config(qmail_remote_t)
+
+########################################
+#
+# qmail-rspawn local policy
+#   this component scedules remote deliveries
+#
+
+allow qmail_rspawn_t self:process signal_perms;
+allow qmail_rspawn_t self:fifo_file read;
+
+allow qmail_rspawn_t qmail_remote_exec_t:file read;
+
+allow qmail_rspawn_t qmail_spool_t:dir search;
+allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
+
+corecmd_search_bin(qmail_rspawn_t)
+corecmd_search_sbin(qmail_rspawn_t)
+
+########################################
+#
+# qmail-send local policy
+#   this component delivers mail messages from the queue
+#
+
+allow qmail_send_t self:process signal_perms;
+allow qmail_send_t self:fifo_file write;
+
+allow qmail_send_t qmail_spool_t:dir create_dir_perms;
+allow qmail_send_t qmail_spool_t:file create_file_perms;
+allow qmail_send_t qmail_spool_t:fifo_file read;
+
+qmail_domtrans_queue(qmail_send_t)
+
+optional_policy(`
+	daemontools_ipc_domain(qmail_send_t)
+')
+
+########################################
+#
+# qmail-smtpd local policy
+#   this component receives mails via SMTP
+#
+
+allow qmail_smtpd_t self:process signal_perms;
+allow qmail_smtpd_t self:fifo_file write;
+allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+
+allow qmail_smtpd_t qmail_queue_exec_t:file read;
+
+dev_read_rand(qmail_smtpd_t)
+dev_read_urand(qmail_smtpd_t)
+
+qmail_domtrans_queue(qmail_smtpd_t)
+
+optional_policy(`
+	daemontools_ipc_domain(qmail_smtpd_t)
+')
+
+optional_policy(`
+	ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
+')
+
+########################################
+#
+# splogger local policy
+#   this component creates entries in syslog
+#
+
+allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
+
+files_read_etc_files(qmail_splogger_t)
+
+init_dontaudit_use_script_fds(qmail_splogger_t)
+
+miscfiles_read_localization(qmail_splogger_t)
+
+########################################
+#
+# qmail-start local policy
+#   this component starts up the mail delivery component
+#
+
+allow qmail_start_t self:capability { setgid setuid };
+dontaudit qmail_start_t self:capability sys_tty_config;
+allow qmail_start_t self:fifo_file { getattr read write };
+allow qmail_start_t self:process signal_perms;
+
+can_exec(qmail_start_t, qmail_start_exec_t)
+
+corecmd_search_bin(qmail_start_t)
+corecmd_search_sbin(qmail_start_t)
+
+files_search_var(qmail_start_t)
+
+libs_use_ld_so(qmail_start_t)
+libs_use_shared_libs(qmail_start_t)
+
+qmail_read_config(qmail_start_t)
+
+optional_policy(`
+	daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
+	daemontools_ipc_domain(qmail_start_t)
+')
+
+########################################
+#
+# tcp-env local policy
+#   this component sets up TCP-related environment variables
+#
+
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
+
+corecmd_search_sbin(qmail_tcp_env_t)
+
+sysnet_read_config(qmail_tcp_env_t)
+
+optional_policy(`
+	inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
+
+optional_policy(`
+	ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
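Review bot: qmail_local_t gets `corecmd_exec_shell(qmail_local_t)` with no domain transition, so commands taken from user-controlled .qmail files run inside qmail_local_t and inherit its write access to qmail_alias_home_t, its spool append and its transition into qmail_queue_t; since that is the component processing untrusted per-user delivery instructions, it should carry at least a comment such as `# .qmail program deliveries run in this domain; no separate confinement` or a transition into a less-privileged delivery domain. Separately, qmail_tcp_env_t is declared with domain_type and domain_entry_file but, unlike qmail_inject_t and the template-generated children, has no `role system_r types qmail_tcp_env_t;`; if the inetd/ucspitcp service interfaces do not supply the role, the transition from those services will fail under system_r.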
diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc
new file mode 100644
index 0000000..576f54f
--- /dev/null
+++ b/policy/modules/services/radius.fc
@@ -0,0 +1,19 @@
+
+/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/etc/raddb(/.*)?                gen_context(system_u:object_r:radiusd_etc_t,s0)
+
+/usr/sbin/radiusd	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/sbin/freeradius	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/var/log/freeradius(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radacct(/.*)?		gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius(/.*)?		gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius\.log.*	--	gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radutmp	--	gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radwtmp.*	--	gen_context(system_u:object_r:radiusd_log_t,s0)
+
+/var/run/radiusd(/.*)?		gen_context(system_u:object_r:radiusd_var_run_t,s0)
+/var/run/radiusd\.pid	--	gen_context(system_u:object_r:radiusd_var_run_t,s0)
diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
new file mode 100644
index 0000000..59963cb
--- /dev/null
+++ b/policy/modules/services/radius.if
@@ -0,0 +1,23 @@
+## <summary>RADIUS authentication and accounting server.</summary>
+
+########################################
+## <summary>
+##	Use radius over a UDP connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`radius_use',`
+	gen_require(`
+		type radiusd_t;
+	')
+
+	allow $1 radiusd_t:udp_socket sendto;
+	allow radiusd_t $1:udp_socket recvfrom;
+
+	allow radiusd_t $1:udp_socket sendto;
+	allow $1 radiusd_t:udp_socket recvfrom;
+')
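Review bot: radius_use grants only socket-peer permissions (udp_socket sendto/recvfrom between $1 and radiusd_t) and nothing for the network path, so a caller that really talks to radiusd over UDP still needs its own corenet rules for the radius and radacct ports, while the summary "Use radius over a UDP connection" reads as if the interface were sufficient. Either add the port rules here or state the gap in the summary, e.g. `## Grants socket peer access only; callers must also allow the radius/radacct ports.`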
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
new file mode 100644
index 0000000..4f61a75
--- /dev/null
+++ b/policy/modules/services/radius.te
@@ -0,0 +1,134 @@
+
+policy_module(radius,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type radiusd_t;
+type radiusd_exec_t;
+init_daemon_domain(radiusd_t,radiusd_exec_t)
+
+type radiusd_etc_t;
+files_config_file(radiusd_etc_t)
+
+type radiusd_log_t;
+logging_log_file(radiusd_log_t)
+
+type radiusd_var_run_t;
+files_pid_file(radiusd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# fsetid is for gzip which needs it when run from scripts
+# gzip also needs chown access to preserve GID for radwtmp files
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+dontaudit radiusd_t self:capability sys_tty_config;
+allow radiusd_t self:process setsched;
+allow radiusd_t self:fifo_file rw_file_perms;
+allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
+allow radiusd_t self:tcp_socket create_stream_socket_perms;
+allow radiusd_t self:udp_socket create_socket_perms;
+
+allow radiusd_t radiusd_etc_t:file r_file_perms;
+allow radiusd_t radiusd_etc_t:dir r_dir_perms;
+allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
+files_search_etc(radiusd_t)
+
+allow radiusd_t radiusd_log_t:file create_file_perms;
+allow radiusd_t radiusd_log_t:dir create_dir_perms;
+logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
+
+allow radiusd_t radiusd_var_run_t:file create_file_perms;
+allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
+
+kernel_read_kernel_sysctls(radiusd_t)
+kernel_read_system_state(radiusd_t)
+
+corenet_non_ipsec_sendrecv(radiusd_t)
+corenet_tcp_sendrecv_all_if(radiusd_t)
+corenet_udp_sendrecv_all_if(radiusd_t)
+corenet_tcp_sendrecv_all_nodes(radiusd_t)
+corenet_udp_sendrecv_all_nodes(radiusd_t)
+corenet_tcp_sendrecv_all_ports(radiusd_t)
+corenet_udp_sendrecv_all_ports(radiusd_t)
+corenet_udp_bind_all_nodes(radiusd_t)
+corenet_udp_bind_radacct_port(radiusd_t)
+corenet_udp_bind_radius_port(radiusd_t)
+corenet_sendrecv_radius_server_packets(radiusd_t)
+corenet_sendrecv_radacct_server_packets(radiusd_t)
+# for RADIUS proxy port
+corenet_udp_bind_generic_port(radiusd_t)
+corenet_sendrecv_generic_server_packets(radiusd_t)
+
+dev_read_sysfs(radiusd_t)
+
+fs_getattr_all_fs(radiusd_t)
+fs_search_auto_mountpoints(radiusd_t)
+
+term_dontaudit_use_console(radiusd_t)
+
+auth_read_shadow(radiusd_t)
+auth_domtrans_chk_passwd(radiusd_t)
+
+corecmd_exec_bin(radiusd_t)
+corecmd_exec_shell(radiusd_t)
+corecmd_search_sbin(radiusd_t)
+
+domain_use_interactive_fds(radiusd_t)
+
+files_read_usr_files(radiusd_t)
+files_read_etc_files(radiusd_t)
+files_read_etc_runtime_files(radiusd_t)
+
+init_use_fds(radiusd_t)
+init_use_script_ptys(radiusd_t)
+
+libs_use_ld_so(radiusd_t)
+libs_use_shared_libs(radiusd_t)
+libs_exec_lib_files(radiusd_t)
+
+logging_send_syslog_msg(radiusd_t)
+
+miscfiles_read_localization(radiusd_t)
+
+sysnet_read_config(radiusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
+userdom_dontaudit_search_sysadm_home_dirs(radiusd_t)
+userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(radiusd_t)
+	term_dontaudit_use_generic_ptys(radiusd_t)
+	files_dontaudit_read_root_files(radiusd_t)
+')
+
+optional_policy(`
+	cron_system_entry(radiusd_t,radiusd_exec_t)
+')
+
+optional_policy(`
+	logrotate_exec(radiusd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(radiusd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(radiusd_t)
+')
+
+optional_policy(`
+	snmp_tcp_connect(radiusd_t)
+')
+
+optional_policy(`
+	udev_read_db(radiusd_t)
+')
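Review bot: The first capability rule allows sys_tty_config for radiusd_t and the very next line is `dontaudit radiusd_t self:capability sys_tty_config;`; a dontaudit on an already-allowed permission is dead, so either drop sys_tty_config from the allow (matching radvd and pxe, which only dontaudit it) or delete the dontaudit line. More importantly, radiusd_t is network-facing and parses untrusted RADIUS packets, yet it receives both `auth_read_shadow(radiusd_t)` and `auth_domtrans_chk_passwd(radiusd_t)`; if the unix_chkpwd transition covers the authentication path, direct /etc/shadow read hands a compromised daemon every password hash and should be removed or gated behind a tunable with a comment naming the module that needs it (presumably a local-password backend, to be confirmed). corecmd_exec_shell, corecmd_exec_bin, libs_exec_lib_files, dac_override and chown in the same domain compound that exposure and would benefit from per-rule justification.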
diff --git a/policy/modules/services/radvd.fc b/policy/modules/services/radvd.fc
new file mode 100644
index 0000000..c699ccd
--- /dev/null
+++ b/policy/modules/services/radvd.fc
@@ -0,0 +1,7 @@
+
+/etc/radvd\.conf	--	gen_context(system_u:object_r:radvd_etc_t,s0)
+
+/usr/sbin/radvd		--	gen_context(system_u:object_r:radvd_exec_t,s0)
+
+/var/run/radvd\.pid	--	gen_context(system_u:object_r:radvd_var_run_t,s0)
+/var/run/radvd(/.*)?		gen_context(system_u:object_r:radvd_var_run_t,s0)
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
new file mode 100644
index 0000000..6fe38b7
--- /dev/null
+++ b/policy/modules/services/radvd.if
@@ -0,0 +1 @@
+## <summary>IPv6 router advertisement daemon</summary>
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
new file mode 100644
index 0000000..a4c9bc8
--- /dev/null
+++ b/policy/modules/services/radvd.te
@@ -0,0 +1,95 @@
+
+policy_module(radvd,1.1.1)
+
+########################################
+#
+# Declarations
+#
+type radvd_t;
+type radvd_exec_t;
+init_daemon_domain(radvd_t,radvd_exec_t)
+
+type radvd_var_run_t;
+files_pid_file(radvd_var_run_t)
+
+type radvd_etc_t;
+files_config_file(radvd_etc_t)
+
+########################################
+#
+# Local policy
+#
+allow radvd_t self:capability { setgid setuid net_raw };
+dontaudit radvd_t self:capability sys_tty_config;
+allow radvd_t self:process signal_perms;
+allow radvd_t self:unix_dgram_socket create_socket_perms;
+allow radvd_t self:unix_stream_socket create_socket_perms;
+allow radvd_t self:rawip_socket create_socket_perms;
+allow radvd_t self:tcp_socket create_stream_socket_perms;
+allow radvd_t self:udp_socket create_socket_perms;
+
+allow radvd_t radvd_etc_t:file { getattr read };
+
+allow radvd_t radvd_var_run_t:file create_file_perms;
+allow radvd_t radvd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(radvd_t,radvd_var_run_t,file)
+
+kernel_read_kernel_sysctls(radvd_t)
+kernel_read_net_sysctls(radvd_t)
+kernel_read_network_state(radvd_t)
+kernel_read_system_state(radvd_t)
+
+corenet_non_ipsec_sendrecv(radvd_t)
+corenet_tcp_sendrecv_all_if(radvd_t)
+corenet_udp_sendrecv_all_if(radvd_t)
+corenet_raw_sendrecv_all_if(radvd_t)
+corenet_tcp_sendrecv_all_nodes(radvd_t)
+corenet_udp_sendrecv_all_nodes(radvd_t)
+corenet_raw_sendrecv_all_nodes(radvd_t)
+corenet_tcp_sendrecv_all_ports(radvd_t)
+corenet_udp_sendrecv_all_ports(radvd_t)
+
+dev_read_sysfs(radvd_t)
+
+fs_getattr_all_fs(radvd_t)
+fs_search_auto_mountpoints(radvd_t)
+
+term_dontaudit_use_console(radvd_t)
+
+domain_use_interactive_fds(radvd_t)
+
+files_read_etc_files(radvd_t)
+files_list_usr(radvd_t)
+
+init_use_fds(radvd_t)
+init_use_script_ptys(radvd_t)
+
+libs_use_ld_so(radvd_t)
+libs_use_shared_libs(radvd_t)
+
+logging_send_syslog_msg(radvd_t)
+
+miscfiles_read_localization(radvd_t)
+
+sysnet_read_config(radvd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(radvd_t)
+userdom_dontaudit_search_sysadm_home_dirs(radvd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(radvd_t)
+	term_dontaudit_use_generic_ptys(radvd_t)
+	files_dontaudit_read_root_files(radvd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(radvd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(radvd_t)
+')
+
+optional_policy(`
+	udev_read_db(radvd_t)
+')
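Review bot: radvd_t is given tcp_socket and udp_socket creation plus corenet_tcp_sendrecv_all_if/nodes/ports and corenet_udp_sendrecv_all_ports, while the daemon's own traffic is ICMPv6 router advertisements over the raw socket the policy already covers with rawip_socket, net_raw and the corenet_raw_sendrecv_* rules; the TCP/UDP grants look like copied daemon boilerplate. Unless the UDP path is known to be needed for name resolution or syslog, narrowing to what was observed, or a comment stating why TCP is required, would tighten a root-started network daemon. It is also worth checking whether `kernel_read_net_sysctls(radvd_t)` is enough: if radvd writes IPv6 forwarding or per-interface settings under /proc/sys/net at startup, those writes will surface as denials in testing.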
diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
new file mode 100644
index 0000000..82c87b4
--- /dev/null
+++ b/policy/modules/services/razor.fc
@@ -0,0 +1,10 @@
+ifdef(`strict_policy',`
+HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:ROLE_razor_home_t,s0)
+')
+
+/etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
+
+/usr/bin/razor.*	--	gen_context(system_u:object_r:razor_exec_t,s0)
+
+/var/lib/razor(/.*)?		gen_context(system_u:object_r:razor_var_lib_t,s0)
+/var/log/razor-agent.log --	gen_context(system_u:object_r:razor_log_t,s0)
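Review bot: `/usr/bin/razor.* --` matches regular files only, so the symlinks that razor.if describes ("Razor is one executable and several symlinks") will not receive razor_exec_t from this entry and fall through to the generic bin label, leaving the `razor_exec_t:{ file lnk_file }` rule in razor.if with no lnk_file objects to apply to. Either drop the `--` so the symlinks match too, or add an explicit `-l` entry for them. The unanchored `razor.*` also matches any future /usr/bin binary whose name merely starts with razor; a pattern such as `/usr/bin/razor(-[a-z]+)?` would be tighter if the installed names are known.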
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
new file mode 100644
index 0000000..26b3637
--- /dev/null
+++ b/policy/modules/services/razor.if
@@ -0,0 +1,217 @@
+## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
+## <desc>
+##	<p>
+##	A distributed, collaborative, spam detection and filtering network.
+##	</p>
+##	<p>
+##	This policy will work with either the ATrpms provided config
+##	file in /etc/razor, or with the default of dumping everything into
+##	$HOME/.razor.
+##	</p>
+## </desc>
+
+#######################################
+## <summary>
+##	Template to create types and rules common to
+##	all razor domains.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`razor_common_domain_template',`
+
+	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_t self:fd use;
+	allow $1_t self:fifo_file rw_file_perms;
+	allow $1_t self:unix_dgram_socket create_socket_perms;
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_t self:unix_dgram_socket sendto;
+	allow $1_t self:unix_stream_socket connectto;
+	allow $1_t self:shm create_shm_perms;
+	allow $1_t self:sem create_sem_perms;
+	allow $1_t self:msgq create_msgq_perms;
+	allow $1_t self:msg { send receive };
+	allow $1_t self:tcp_socket create_socket_perms;
+
+	# Read system config file
+	allow $1_t razor_etc_t:dir list_dir_perms;
+	allow $1_t razor_etc_t:file read_file_perms;
+	allow $1_t razor_etc_t:lnk_file { getattr read };
+
+	allow $1_t razor_log_t:dir manage_dir_perms;
+	allow $1_t razor_log_t:file manage_file_perms;
+	allow $1_t razor_log_t:lnk_file create_lnk_perms;
+	logging_log_filetrans($1_t,razor_log_t,file)
+
+	allow $1_t razor_var_lib_t:dir manage_dir_perms;
+	allow $1_t razor_var_lib_t:file manage_file_perms;
+	allow $1_t razor_var_lib_t:lnk_file create_lnk_perms;
+	files_search_var_lib($1_t)
+
+	# Razor is one executable and several symlinks
+	allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
+
+	kernel_read_system_state($1_t)
+	kernel_read_network_state($1_t)
+	kernel_read_software_raid_state($1_t)
+	kernel_getattr_core_if($1_t)
+	kernel_getattr_message_if($1_t)
+	kernel_read_kernel_sysctls($1_t)
+
+	corecmd_exec_bin($1_t)
+
+	corenet_non_ipsec_sendrecv($1_t)
+	corenet_tcp_sendrecv_generic_if($1_t)
+	corenet_raw_sendrecv_generic_if($1_t)
+	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_raw_sendrecv_all_nodes($1_t)
+	corenet_tcp_sendrecv_razor_port($1_t)
+
+	# mktemp and other randoms
+	dev_read_rand($1_t)
+	dev_read_urand($1_t)
+
+	files_search_pids($1_t)
+	# Allow access to various files in the /etc/directory including mtab
+	# and nsswitch
+	files_read_etc_files($1_t)
+	files_read_etc_runtime_files($1_t)
+
+	fs_search_auto_mountpoints($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+	libs_read_lib_files($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	sysnet_read_config($1_t)
+	sysnet_dns_name_resolve($1_t)
+
+	userdom_use_unpriv_users_fds($1_t)
+
+	optional_policy(`
+		nis_use_ypbind($1_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The per user domain template for the razor module.
+## </summary>
+## <desc>
+##	<p>
+##	The per user domain template for the razor module.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`razor_per_userdomain_template',`
+
+	type $1_razor_t;
+	domain_type($1_razor_t)
+	domain_entry_file($1_razor_t,razor_exec_t)
+	razor_common_domain_template($1_razor)
+	role $3 types $1_razor_t;
+
+	type $1_razor_home_t alias $1_razor_rw_t;
+	files_poly_member($1_razor_home_t)
+	userdom_user_home_content($1,$1_razor_home_t)
+
+	type $1_razor_tmp_t;
+	files_tmp_file($1_razor_tmp_t)
+
+	##############################
+	#
+	# Local policy
+	#
+
+	allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
+
+	allow $1_razor_t $1_razor_home_t:dir manage_dir_perms;
+	allow $1_razor_t $1_razor_home_t:file manage_file_perms;
+	allow $1_razor_t $1_razor_home_t:lnk_file create_lnk_perms;
+	userdom_user_home_dir_filetrans($1,$1_razor_t,$1_razor_home_t,dir)
+
+	allow $1_razor_t $1_razor_tmp_t:dir create_dir_perms;
+	allow $1_razor_t $1_razor_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir })
+
+	domain_auto_trans($2, razor_exec_t, $1_razor_t)
+	allow $1_razor_t $2:fd use;
+	allow $1_razor_t $2:fifo_file rw_file_perms;
+	allow $1_razor_t $2:process sigchld;	
+
+	allow $2 $1_razor_home_t:dir manage_dir_perms;
+	allow $2 $1_razor_home_t:file manage_file_perms;
+	allow $2 $1_razor_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_razor_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+	logging_send_syslog_msg($1_razor_t)
+
+	userdom_search_user_home_dirs($1,$1_razor_t)
+	# Allow razor to be run by hand.  Needed by any action other than
+	# invocation from a spam filter.
+	userdom_use_user_terminals($1,$1_razor_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_razor_t)
+		fs_manage_nfs_files($1_razor_t)
+		fs_manage_nfs_symlinks($1_razor_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_razor_t)
+		fs_manage_cifs_files($1_razor_t)
+		fs_manage_cifs_symlinks($1_razor_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_razor_t)
+	')
+')
+
+########################################
+## <summary>
+##	Execute razor in the system razor domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`razor_domtrans',`
+	gen_require(`
+		type razor_t, razor_exec_t;
+	')
+
+	domain_auto_trans($1, razor_exec_t, razor_t)
+	allow razor_t $1:fd use;
+	allow razor_t $1:fifo_file rw_file_perms;
+	allow razor_t $1:process sigchld;	
+')
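Review bot: razor_common_domain_template grants corenet_tcp_sendrecv_razor_port but no connect permission on that port, so the per-user `$1_razor_t` domains produced by razor_per_userdomain_template can exchange packets on the razor port but cannot initiate a connection to a razor server; only the system domain receives `corenet_tcp_connect_razor_port` and `corenet_sendrecv_razor_client_packets`, and those live in razor.te. If the per-user client is expected to check or report signatures over the network, those two calls presumably belong in the common template next to the existing sendrecv line, as `corenet_tcp_connect_razor_port($1_t)` and `corenet_sendrecv_razor_client_packets($1_t)`. The `allow ... $2:process sigchld;` lines in razor_per_userdomain_template and razor_domtrans also carry trailing whitespace after the semicolon.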
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
new file mode 100644
index 0000000..08e7b72
--- /dev/null
+++ b/policy/modules/services/razor.te
@@ -0,0 +1,61 @@
+
+policy_module(razor,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type razor_t;
+type razor_exec_t;
+domain_type(razor_t)
+domain_entry_file(razor_t,razor_exec_t)
+razor_common_domain_template(razor)
+role system_r types razor_t;
+
+type razor_etc_t;
+files_config_file(razor_etc_t)
+
+type razor_log_t;
+logging_log_file(razor_log_t)
+
+type razor_var_lib_t;
+files_type(razor_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow razor_t self:tcp_socket create_socket_perms;
+
+allow razor_t razor_etc_t:dir create_dir_perms;
+allow razor_t razor_etc_t:file create_file_perms;
+allow razor_t razor_etc_t:lnk_file create_lnk_perms;
+files_search_etc(razor_t)
+
+allow razor_t razor_log_t:file create_file_perms;
+logging_log_filetrans(razor_t,razor_log_t,file)
+
+allow razor_t razor_var_lib_t:file create_file_perms;
+allow razor_t razor_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(razor_t,razor_var_lib_t,file)
+
+corenet_non_ipsec_sendrecv(razor_t)
+corenet_tcp_sendrecv_generic_if(razor_t)
+corenet_raw_sendrecv_generic_if(razor_t)
+corenet_tcp_sendrecv_all_nodes(razor_t)
+corenet_raw_sendrecv_all_nodes(razor_t)
+corenet_tcp_sendrecv_razor_port(razor_t)
+corenet_tcp_connect_razor_port(razor_t)
+corenet_sendrecv_razor_client_packets(razor_t)
+
+sysnet_read_config(razor_t)
+
+optional_policy(`
+	logging_send_syslog_msg(razor_t)
+')
+
+optional_policy(`
+	nscd_socket_use(razor_t)
+')
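Review bot: razor_t is granted create_dir_perms and create_file_perms on razor_etc_t, so the system daemon can rewrite its own configuration under /etc/razor, while the shared template it already invokes only allows reading that type. A write path from a network-facing daemon into its own config is a persistence vector if the process is compromised, and the read access is already covered by razor_common_domain_template, so the two razor_etc_t allow lines look removable; if razor genuinely updates /etc/razor at runtime, a comment naming which file it rewrites would stop the next reviewer from tightening it. The lnk_file rule on razor_etc_t is likewise already provided by the template.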
diff --git a/policy/modules/services/rdisc.fc b/policy/modules/services/rdisc.fc
new file mode 100644
index 0000000..dee4adc
--- /dev/null
+++ b/policy/modules/services/rdisc.fc
@@ -0,0 +1,2 @@
+
+/sbin/rdisc	--	gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/policy/modules/services/rdisc.if b/policy/modules/services/rdisc.if
new file mode 100644
index 0000000..c163e27
--- /dev/null
+++ b/policy/modules/services/rdisc.if
@@ -0,0 +1 @@
+## <summary>Network router discovery daemon</summary>
diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te
new file mode 100644
index 0000000..72d587d
--- /dev/null
+++ b/policy/modules/services/rdisc.te
@@ -0,0 +1,70 @@
+
+policy_module(rdisc,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type rdisc_t;
+type rdisc_exec_t;
+init_daemon_domain(rdisc_t,rdisc_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rdisc_t self:capability net_raw;
+dontaudit rdisc_t self:capability sys_tty_config;
+allow rdisc_t self:process signal_perms;
+allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
+allow rdisc_t self:udp_socket create_socket_perms;
+allow rdisc_t self:rawip_socket create_socket_perms;
+
+kernel_list_proc(rdisc_t)
+kernel_read_proc_symlinks(rdisc_t)
+kernel_read_kernel_sysctls(rdisc_t)
+
+corenet_non_ipsec_sendrecv(rdisc_t)
+corenet_udp_sendrecv_generic_if(rdisc_t)
+corenet_raw_sendrecv_generic_if(rdisc_t)
+corenet_udp_sendrecv_all_nodes(rdisc_t)
+corenet_raw_sendrecv_all_nodes(rdisc_t)
+corenet_udp_sendrecv_all_ports(rdisc_t)
+
+dev_read_sysfs(rdisc_t)
+
+fs_search_auto_mountpoints(rdisc_t)
+
+term_dontaudit_use_console(rdisc_t)
+
+domain_use_interactive_fds(rdisc_t)
+
+files_read_etc_files(rdisc_t)
+
+init_use_fds(rdisc_t)
+init_use_script_ptys(rdisc_t)
+
+libs_use_ld_so(rdisc_t)
+libs_use_shared_libs(rdisc_t)
+
+logging_send_syslog_msg(rdisc_t)
+
+sysnet_read_config(rdisc_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(rdisc_t)
+	term_dontaudit_use_generic_ptys(rdisc_t)
+	files_dontaudit_read_root_files(rdisc_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(rdisc_t)
+')
+
+optional_policy(`
+	udev_read_db(rdisc_t)
+')
diff --git a/policy/modules/services/remotelogin.fc b/policy/modules/services/remotelogin.fc
new file mode 100644
index 0000000..d8691bd
--- /dev/null
+++ b/policy/modules/services/remotelogin.fc
@@ -0,0 +1,2 @@
+
+# Remote login currently has no file contexts.
diff --git a/policy/modules/services/remotelogin.if b/policy/modules/services/remotelogin.if
new file mode 100644
index 0000000..3b86750
--- /dev/null
+++ b/policy/modules/services/remotelogin.if
@@ -0,0 +1,20 @@
+## <summary>Policy for rshd, rlogind, and telnetd.</summary>
+
+########################################
+## <summary>
+##	Domain transition to the remote login domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`remotelogin_domtrans',`
+	gen_require(`
+		type remote_login_t;
+	')
+
+	auth_domtrans_login_program($1,remote_login_t)
+')
+
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
new file mode 100644
index 0000000..18d90dc
--- /dev/null
+++ b/policy/modules/services/remotelogin.te
@@ -0,0 +1,170 @@
+
+policy_module(remotelogin,1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type remote_login_t;
+domain_obj_id_change_exemption(remote_login_t)
+domain_subj_id_change_exemption(remote_login_t)
+domain_role_change_exemption(remote_login_t)
+domain_type(remote_login_t)
+domain_interactive_fd(remote_login_t)
+auth_login_entry_type(remote_login_t)
+role system_r types remote_login_t;
+
+type remote_login_tmp_t;
+files_tmp_file(remote_login_tmp_t)
+
+########################################
+#
+# Remote login remote policy
+#
+
+allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow remote_login_t self:process { setrlimit setexec };
+allow remote_login_t self:fd use;
+allow remote_login_t self:fifo_file rw_file_perms;
+allow remote_login_t self:sock_file r_file_perms;
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
+allow remote_login_t self:unix_dgram_socket sendto;
+allow remote_login_t self:unix_stream_socket connectto;
+allow remote_login_t self:shm create_shm_perms;
+allow remote_login_t self:sem create_sem_perms;
+allow remote_login_t self:msgq create_msgq_perms;
+allow remote_login_t self:msg { send receive };
+
+allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
+allow remote_login_t remote_login_tmp_t:file create_file_perms;
+files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+
+kernel_read_system_state(remote_login_t)
+kernel_read_kernel_sysctls(remote_login_t)
+
+dev_getattr_mouse_dev(remote_login_t)
+dev_setattr_mouse_dev(remote_login_t)
+dev_dontaudit_search_sysfs(remote_login_t)
+# for SSP/ProPolice
+dev_read_urand(remote_login_t)
+
+fs_getattr_xattr_fs(remote_login_t)
+fs_search_auto_mountpoints(remote_login_t)
+
+selinux_get_fs_mount(remote_login_t)
+selinux_validate_context(remote_login_t)
+selinux_compute_access_vector(remote_login_t)
+selinux_compute_create_context(remote_login_t)
+selinux_compute_relabel_context(remote_login_t)
+selinux_compute_user_contexts(remote_login_t)
+
+term_relabel_all_user_ptys(remote_login_t)
+
+auth_domtrans_chk_passwd(remote_login_t)
+auth_dontaudit_read_shadow(remote_login_t)
+auth_rw_login_records(remote_login_t)
+auth_rw_lastlog(remote_login_t)
+auth_rw_faillog(remote_login_t)
+auth_exec_pam(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
+auth_domtrans_pam_console(remote_login_t)
+
+corecmd_list_bin(remote_login_t)
+corecmd_list_sbin(remote_login_t)
+corecmd_read_bin_symlinks(remote_login_t)
+corecmd_read_sbin_symlinks(remote_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(remote_login_t)
+corecmd_read_bin_pipes(remote_login_t)
+corecmd_read_bin_sockets(remote_login_t)
+corecmd_read_sbin_files(remote_login_t)
+corecmd_read_sbin_pipes(remote_login_t)
+corecmd_read_sbin_sockets(remote_login_t)
+
+domain_read_all_entry_files(remote_login_t)
+
+files_read_etc_files(remote_login_t)
+files_read_etc_runtime_files(remote_login_t)
+files_list_home(remote_login_t)
+files_read_usr_files(remote_login_t)
+files_list_world_readable(remote_login_t)
+files_read_world_readable_files(remote_login_t)
+files_read_world_readable_symlinks(remote_login_t)
+files_read_world_readable_pipes(remote_login_t)
+files_read_world_readable_sockets(remote_login_t)
+files_list_mnt(remote_login_t)
+files_polyinstantiate_all(remote_login_t)
+# for when /var/mail is a sym-link
+files_read_var_symlinks(remote_login_t)
+
+init_rw_utmp(remote_login_t)
+
+libs_use_ld_so(remote_login_t)
+libs_use_shared_libs(remote_login_t)
+
+logging_send_syslog_msg(remote_login_t)
+
+mls_file_read_up(remote_login_t)
+mls_file_write_down(remote_login_t)
+mls_file_upgrade(remote_login_t)
+mls_file_downgrade(remote_login_t)
+mls_process_set_level(remote_login_t)
+
+seutil_read_config(remote_login_t)
+seutil_read_default_contexts(remote_login_t)
+
+sysnet_dns_name_resolve(remote_login_t)
+
+miscfiles_read_localization(remote_login_t)
+
+userdom_use_unpriv_users_fds(remote_login_t)
+userdom_search_all_users_home_content(remote_login_t)
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
+userdom_signal_unpriv_users(remote_login_t)
+userdom_spec_domtrans_unpriv_users(remote_login_t)
+
+# Search for mail spool file.
+mta_getattr_spool(remote_login_t)
+
+ifdef(`targeted_policy',`
+	unconfined_domain(remote_login_t)
+	unconfined_shell_domtrans(remote_login_t)
+')
+
+tunable_policy(`read_default_t',`
+	files_list_default(remote_login_t)
+	files_read_default_files(remote_login_t)
+	files_read_default_symlinks(remote_login_t)
+	files_read_default_sockets(remote_login_t)
+	files_read_default_pipes(remote_login_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(remote_login_t)
+	fs_read_nfs_symlinks(remote_login_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(remote_login_t)
+	fs_read_cifs_symlinks(remote_login_t)
+')
+
+optional_policy(`
+	alsa_domtrans(remote_login_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(remote_login_t)
+')
+
+optional_policy(`
+	nscd_socket_use(remote_login_t)
+')
+
+optional_policy(`
+	usermanage_read_crack_db(remote_login_t)
+')
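Review bot: The two self:process rules at the top of the local policy work against each other: the first excludes setrlimit and setexec through the negated set, and the line right after it allows `{ setrlimit setexec }` again, so the net grant is every process permission except ptrace, setcurrent, setfscreate, execmem, execstack and execheap. Removing those two from the negated set and deleting the second line expresses the same policy with the real exclusion list visible at a glance: `allow remote_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };`. The targeted_policy block makes the domain unconfined, which appears to make the "only unprivileged user domains ... since very weak authentication is used" restriction moot on that configuration; a comment next to that note saying so would be useful.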
diff --git a/policy/modules/services/resmgr.fc b/policy/modules/services/resmgr.fc
new file mode 100644
index 0000000..af810b9
--- /dev/null
+++ b/policy/modules/services/resmgr.fc
@@ -0,0 +1,7 @@
+
+/etc/resmgr\.conf	--	gen_context(system_u:object_r:resmgrd_etc_t,s0)
+
+/sbin/resmgrd		--	gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
+/var/run/\.resmgr_socket -s	gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+/var/run/resmgr\.pid	--	gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if
new file mode 100644
index 0000000..d457736
--- /dev/null
+++ b/policy/modules/services/resmgr.if
@@ -0,0 +1,22 @@
+## <summary>Resource management daemon</summary>
+
+########################################
+## <summary>
+##	Connect to resmgrd over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`resmgr_stream_connect',`
+	gen_require(`
+		type resmgrd_var_run_t, resmgrd_t;
+	')
+
+	allow $1 resmgrd_t:unix_stream_socket connectto;
+	allow $1 resmgrd_var_run_t:sock_file { getattr write };
+	files_search_pids($1)
+')
diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te
new file mode 100644
index 0000000..695d7c6
--- /dev/null
+++ b/policy/modules/services/resmgr.te
@@ -0,0 +1,81 @@
+
+policy_module(resmgr,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type resmgrd_t;
+type resmgrd_exec_t;
+init_daemon_domain(resmgrd_t,resmgrd_exec_t)
+
+type resmgrd_etc_t;
+files_config_file(resmgrd_etc_t)
+
+type resmgrd_var_run_t;
+files_pid_file(resmgrd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
+dontaudit resmgrd_t self:capability sys_tty_config;
+allow resmgrd_t self:process signal_perms;
+
+allow resmgrd_t resmgrd_etc_t:file { getattr read };
+files_search_etc(resmgrd_t)
+
+allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
+allow resmgrd_t resmgrd_var_run_t:sock_file manage_file_perms;
+files_pid_filetrans(resmgrd_t,resmgrd_var_run_t,{ file sock_file })
+
+kernel_list_proc(resmgrd_t)
+kernel_read_proc_symlinks(resmgrd_t)
+kernel_read_kernel_sysctls(resmgrd_t)
+
+dev_read_sysfs(resmgrd_t)
+dev_getattr_scanner_dev(resmgrd_t)
+
+domain_use_interactive_fds(resmgrd_t)
+
+files_read_etc_files(resmgrd_t)
+
+fs_search_auto_mountpoints(resmgrd_t)
+
+storage_dontaudit_read_fixed_disk(resmgrd_t)
+storage_read_scsi_generic(resmgrd_t)
+storage_raw_read_removable_device(resmgrd_t)
+# not sure if it needs write access, needs to be investigated further...
+storage_write_scsi_generic(resmgrd_t)
+storage_raw_write_removable_device(resmgrd_t)
+
+term_dontaudit_use_console(resmgrd_t)
+
+init_use_fds(resmgrd_t)
+init_use_script_ptys(resmgrd_t)
+
+libs_use_ld_so(resmgrd_t)
+libs_use_shared_libs(resmgrd_t)
+
+logging_send_syslog_msg(resmgrd_t)
+
+miscfiles_read_localization(resmgrd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(resmgrd_t)
+	term_dontaudit_use_generic_ptys(resmgrd_t)
+	files_dontaudit_read_root_files(resmgrd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(resmgrd_t)
+')
+
+optional_policy(`
+	udev_read_db(resmgrd_t)
+')
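Review bot: The "not sure if it needs write access" comment grants `storage_write_scsi_generic` and `storage_raw_write_removable_device` on suspicion rather than evidence, and together with the `sys_rawio` and `sys_admin` capabilities granted above it this gives resmgrd raw write access to removable block devices and SCSI generic nodes. Raw device writes are the rule that should need justification, not the reads; I would leave the two write lines out until a denial is observed for a concrete operation, or at minimum mark them with a TODO that names the operation they were added for so they can be revisited.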
diff --git a/policy/modules/services/rhgb.fc b/policy/modules/services/rhgb.fc
new file mode 100644
index 0000000..9e5d31b
--- /dev/null
+++ b/policy/modules/services/rhgb.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/bin/rhgb		--	gen_context(system_u:object_r:rhgb_exec_t,s0)
diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
new file mode 100644
index 0000000..639ece6
--- /dev/null
+++ b/policy/modules/services/rhgb.if
@@ -0,0 +1,126 @@
+## <summary> Red Hat Graphical Boot </summary>
+
+########################################
+## <summary>
+##	RHGB stub interface.  No access allowed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	N/A
+##	</summary>
+## </param>
+#
+interface(`rhgb_stub',`
+	gen_require(`
+		type rhgb_t;
+	')
+')
+
+########################################
+## <summary>
+##	Use a rhgb file descriptor.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rhgb_use_fds',`
+	gen_require(`
+		type rhgb_t;
+	')
+
+	allow $1 rhgb_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read and write to unix stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rhgb_rw_stream_sockets',`
+	gen_require(`
+		type rhgb_t;
+	')
+
+	allow $1 rhgb_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	rhgb unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rhgb_dontaudit_rw_stream_sockets',`
+	gen_require(`
+		type rhgb_t;
+	')
+
+	dontaudit $1 rhgb_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Connected to rhgb unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rhgb_stream_connect',`
+	gen_require(`
+		type rhgb_t;
+	')
+
+	allow $1 rhgb_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Read and write to rhgb shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rhgb_rw_shm',`
+	gen_require(`
+		type rhgb_t;
+	')
+
+	allow $1 rhgb_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Read and write to rhgb temporary file system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rhgb_rw_tmpfs_files',`
+	gen_require(`
+		type rhgb_tmpfs_t;
+	')
+
+	allow $1 rhgb_tmpfs_t:file { read write };
+')
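Review bot: rhgb_rw_tmpfs_files grants only `{ read write }` on rhgb_tmpfs_t files, without getattr, which a caller that stats the file before using it will be denied; rhgb_rw_shm in the same module uses the rw_shm_perms set, so `allow $1 rhgb_tmpfs_t:file rw_file_perms;` is presumably what was intended unless the narrower set is deliberate. Two documentation nits: the rhgb_stream_connect summary reads "Connected to rhgb unix stream socket" and should be "Connect to rhgb unix stream socket", and the rhgb_stub parameter summary "N/A" would read better as "Unused; no access is granted".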
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
new file mode 100644
index 0000000..c12d219
--- /dev/null
+++ b/policy/modules/services/rhgb.te
@@ -0,0 +1,146 @@
+
+policy_module(rhgb,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type rhgb_t;
+type rhgb_exec_t;
+init_daemon_domain(rhgb_t,rhgb_exec_t)
+
+type rhgb_devpts_t;
+term_pty(rhgb_devpts_t)
+
+type rhgb_tmpfs_t;
+files_tmpfs_file(rhgb_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rhgb_t self:capability { sys_admin sys_tty_config };
+dontaudit rhgb_t self:capability sys_tty_config;
+allow rhgb_t self:process signal_perms;
+allow rhgb_t self:shm create_shm_perms;
+allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
+allow rhgb_t self:fifo_file rw_file_perms;
+allow rhgb_t self:tcp_socket create_socket_perms;
+allow rhgb_t self:udp_socket create_socket_perms;
+
+allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(rhgb_t,rhgb_devpts_t)
+
+allow rhgb_t rhgb_tmpfs_t:dir manage_dir_perms;
+allow rhgb_t rhgb_tmpfs_t:file manage_file_perms;
+allow rhgb_t rhgb_tmpfs_t:lnk_file create_lnk_perms;
+allow rhgb_t rhgb_tmpfs_t:sock_file manage_file_perms;
+allow rhgb_t rhgb_tmpfs_t:fifo_file manage_file_perms;
+fs_tmpfs_filetrans(rhgb_t,rhgb_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(rhgb_t)
+kernel_read_system_state(rhgb_t)
+
+corecmd_exec_bin(rhgb_t)
+corecmd_exec_sbin(rhgb_t)
+
+corenet_non_ipsec_sendrecv(rhgb_t)
+corenet_tcp_sendrecv_generic_if(rhgb_t)
+corenet_udp_sendrecv_generic_if(rhgb_t)
+corenet_tcp_sendrecv_all_nodes(rhgb_t)
+corenet_udp_sendrecv_all_nodes(rhgb_t)
+corenet_tcp_sendrecv_all_ports(rhgb_t)
+corenet_udp_sendrecv_all_ports(rhgb_t)
+corenet_tcp_connect_all_ports(rhgb_t)
+corenet_sendrecv_all_client_packets(rhgb_t)
+
+dev_read_sysfs(rhgb_t)
+
+domain_use_interactive_fds(rhgb_t)
+
+files_read_etc_files(rhgb_t)
+files_read_etc_runtime_files(rhgb_t)
+files_search_tmp(rhgb_t)
+files_read_usr_files(rhgb_t)
+files_mounton_mnt(rhgb_t)
+files_dontaudit_read_default_files(rhgb_t)
+files_dontaudit_search_pids(rhgb_t)
+# for nscd
+files_dontaudit_search_var(rhgb_t)
+
+fs_search_auto_mountpoints(rhgb_t)
+fs_mount_ramfs(rhgb_t)
+fs_unmount_ramfs(rhgb_t)
+# for ramfs file systems
+fs_manage_ramfs_files(rhgb_t)
+fs_manage_ramfs_pipes(rhgb_t)
+fs_manage_ramfs_sockets(rhgb_t)
+
+term_dontaudit_use_console(rhgb_t)
+term_use_unallocated_ttys(rhgb_t)
+
+init_use_fds(rhgb_t)
+init_use_script_ptys(rhgb_t)
+init_write_initctl(rhgb_t)
+
+libs_use_ld_so(rhgb_t)
+libs_use_shared_libs(rhgb_t)
+# for localization
+libs_read_lib_files(rhgb_t)
+
+logging_send_syslog_msg(rhgb_t)
+
+miscfiles_read_localization(rhgb_t)
+miscfiles_read_fonts(rhgb_t)
+
+sysnet_read_config(rhgb_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
+
+xserver_read_xdm_xserver_tmp_files(rhgb_t)
+xserver_kill_xdm_xserver(rhgb_t)
+# for running setxkbmap
+xserver_read_xkb_libs(rhgb_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(rhgb_t)
+	files_dontaudit_read_root_files(rhgb_t)
+')
+
+optional_policy(`
+	firstboot_read_rw_files(rhgb_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(rhgb_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(rhgb_t)
+')
+
+optional_policy(`
+	udev_read_db(rhgb_t)
+')
+
+ifdef(`TODO',`
+	#TODO
+	ifdef(`hide_broken_symptoms', `
+		# for a bug in the X server
+		dontaudit mount_t rhgb_gph_t:fd use;
+	')
+	#TODO this seems a bit much
+	allow domain rhgb_devpts_t:chr_file { read write };
+	#TODO this (ie files_dontaudit_read_default_files(rhgb_t))doesn't make sense with the following
+	allow rhgb_t default_t:file { getattr read };
+	#TODO
+	# for gnome-pty-helper
+	gph_domain(rhgb, system)
+	allow initrc_t rhgb_gph_t:fd use;
+	ifdef(`hide_broken_symptoms', `
+		# it should not do this
+		dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+	')
+')
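Review bot: `dontaudit rhgb_t self:capability sys_tty_config;` is a no-op, because the allow directly above it already includes sys_tty_config and dontaudit only suppresses denials that the allow prevents from ever occurring. Either the capability is needed, in which case the dontaudit line should go, or it is not, in which case it should be removed from the allow set and the dontaudit kept, as the other daemons in this series do. The `corenet_tcp_connect_all_ports` grant is broad for a boot splash; if it exists only for the name-service traffic hinted at by the "for nscd" comment, saying so in a comment, or narrowing it once the needed port is known, would help. The ifdef(TODO) block at the end references types this module neither declares nor requires, so it should carry a note that it will not build as written if TODO is ever defined.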
diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc
new file mode 100644
index 0000000..b447800
--- /dev/null
+++ b/policy/modules/services/rlogin.fc
@@ -0,0 +1,6 @@
+
+/usr/kerberos/sbin/klogind	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/lib(64)?/telnetlogin	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/sbin/in\.rlogind		--	gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if
new file mode 100644
index 0000000..9326e5a
--- /dev/null
+++ b/policy/modules/services/rlogin.if
@@ -0,0 +1,25 @@
+## <summary>Remote login daemon</summary>
+
+########################################
+## <summary>
+##	Execute rlogind in the rlogin domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rlogin_domtrans',`
+	gen_require(`
+		type rlogind_t, rlogind_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,rlogind_exec_t,rlogind_t)
+
+	allow $1 rlogind_t:fd use;
+	allow rlogind_t $1:fd use;
+	allow rlogind_t $1:fifo_file rw_file_perms;
+	allow rlogind_t $1:process sigchld;
+')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
new file mode 100644
index 0000000..191ac11
--- /dev/null
+++ b/policy/modules/services/rlogin.te
@@ -0,0 +1,111 @@
+
+policy_module(rlogin,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type rlogind_t;
+type rlogind_exec_t;
+inetd_service_domain(rlogind_t,rlogind_exec_t)
+role system_r types rlogind_t;
+
+type rlogind_devpts_t; #, userpty_type;
+term_login_pty(rlogind_devpts_t)
+
+type rlogind_tmp_t;
+files_tmp_file(rlogind_tmp_t)
+
+type rlogind_var_run_t;
+files_pid_file(rlogind_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow rlogind_t self:process signal_perms;
+allow rlogind_t self:fifo_file rw_file_perms;
+allow rlogind_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow rlogind_t self:capability { setuid setgid };
+
+allow rlogind_t rlogind_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(rlogind_t,rlogind_devpts_t)
+
+# for /usr/lib/telnetlogin
+can_exec(rlogind_t, rlogind_exec_t)
+
+allow rlogind_t rlogind_tmp_t:dir create_dir_perms;
+allow rlogind_t rlogind_tmp_t:file create_file_perms;
+files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
+
+allow rlogind_t rlogind_var_run_t:file create_file_perms;
+allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)
+
+kernel_read_kernel_sysctls(rlogind_t)
+kernel_read_system_state(rlogind_t)
+kernel_read_network_state(rlogind_t)
+
+corenet_non_ipsec_sendrecv(rlogind_t)
+corenet_tcp_sendrecv_all_if(rlogind_t)
+corenet_udp_sendrecv_all_if(rlogind_t)
+corenet_tcp_sendrecv_all_nodes(rlogind_t)
+corenet_udp_sendrecv_all_nodes(rlogind_t)
+corenet_tcp_sendrecv_all_ports(rlogind_t)
+corenet_udp_sendrecv_all_ports(rlogind_t)
+
+dev_read_urand(rlogind_t)
+
+fs_getattr_xattr_fs(rlogind_t)
+
+auth_domtrans_chk_passwd(rlogind_t)
+auth_rw_login_records(rlogind_t)
+
+files_read_etc_files(rlogind_t)
+files_read_etc_runtime_files(rlogind_t)
+files_search_home(rlogind_t)
+files_search_default(rlogind_t)
+
+init_rw_utmp(rlogind_t)
+
+libs_use_ld_so(rlogind_t)
+libs_use_shared_libs(rlogind_t)
+
+logging_send_syslog_msg(rlogind_t)
+
+miscfiles_read_localization(rlogind_t)
+
+seutil_dontaudit_search_config(rlogind_t)
+
+sysnet_read_config(rlogind_t)
+
+userdom_setattr_unpriv_users_ptys(rlogind_t)
+# cjp: this is egregious
+userdom_read_all_users_home_content_files(rlogind_t)
+
+remotelogin_domtrans(rlogind_t)
+
+optional_policy(`
+	kerberos_read_keytab(rlogind_t)
+
+	# for identd; cjp: this should probably only be inetd_child rules?
+	kerberos_use(rlogind_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(rlogind_t)
+')
+
+optional_policy(`
+	nscd_socket_use(rlogind_t)
+')
+
+ifdef(`TODO',`
+# Allow krb5 rlogind to use fork and open /dev/tty for use
+allow rlogind_t userpty_type:chr_file setattr;
+')
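Review bot: `userdom_read_all_users_home_content_files(rlogind_t)` combined with the `dac_override` capability granted at the top of the local policy means neither MAC nor DAC bounds what this pre-authentication network daemon can read from any user's home directory; the "cjp: this is egregious" comment flags the rule but does not record why it exists. I would expand the comment to name the file rlogind actually needs (presumably the per-user rhosts trust file) so the rule can be replaced with a dedicated home-content type later. The self:capability allow is split across two statements; merging `{ setuid setgid }` into the first `allow rlogind_t self:capability` line keeps the full capability set visible in one place. The ifdef(TODO) block at the end refers to userpty_type, which is commented out of the declaration above, so it would not build if TODO were defined.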
diff --git a/policy/modules/services/roundup.fc b/policy/modules/services/roundup.fc
new file mode 100644
index 0000000..0b5ac58
--- /dev/null
+++ b/policy/modules/services/roundup.fc
@@ -0,0 +1,9 @@
+#
+# /usr
+#
+/usr/bin/roundup-server         --      gen_context(system_u:object_r:roundup_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/roundup(/.*)?          --      gen_context(system_u:object_r:roundup_var_lib_t,s0)
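Review bot: The `--` file-type field on the `/var/lib/roundup(/.*)?` entry restricts the context to regular files, so the /var/lib/roundup directory itself and any subdirectories will keep their default /var/lib label rather than becoming roundup_var_lib_t, and the `rw_dir_perms` granted on that type in roundup.te will presumably never apply to them. Directory-tree patterns take no type field; the line should read `/var/lib/roundup(/.*)?          gen_context(system_u:object_r:roundup_var_lib_t,s0)`. The roundup-server entry is fine as it names a single executable.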
diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if
new file mode 100644
index 0000000..f93997c
--- /dev/null
+++ b/policy/modules/services/roundup.if
@@ -0,0 +1 @@
+## <summary>Roundup Issue Tracking System policy</summary>
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
new file mode 100644
index 0000000..a4dd1ab
--- /dev/null
+++ b/policy/modules/services/roundup.te
@@ -0,0 +1,109 @@
+
+policy_module(roundup,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type roundup_t;
+type roundup_exec_t;
+init_daemon_domain(roundup_t,roundup_exec_t)
+
+type roundup_var_run_t;
+files_pid_file(roundup_var_run_t)
+
+type roundup_var_lib_t;
+files_type(roundup_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow roundup_t self:capability { setgid setuid };
+dontaudit roundup_t self:capability sys_tty_config;
+allow roundup_t self:process signal_perms;
+allow roundup_t self:unix_stream_socket create_stream_socket_perms;
+allow roundup_t self:tcp_socket create_stream_socket_perms;
+allow roundup_t self:udp_socket create_socket_perms;
+
+allow roundup_t roundup_var_run_t:file create_file_perms;
+allow roundup_t roundup_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(roundup_t,roundup_var_run_t,file)
+
+allow roundup_t roundup_var_lib_t:file create_file_perms;
+allow roundup_t roundup_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(roundup_t,roundup_var_lib_t,file)
+
+kernel_read_kernel_sysctls(roundup_t)
+kernel_list_proc(roundup_t)
+kernel_read_proc_symlinks(roundup_t)
+
+dev_read_sysfs(roundup_t)
+
+# execute python
+corecmd_exec_bin(roundup_t)
+
+corenet_non_ipsec_sendrecv(roundup_t)
+corenet_tcp_sendrecv_generic_if(roundup_t)
+corenet_udp_sendrecv_generic_if(roundup_t)
+corenet_raw_sendrecv_generic_if(roundup_t)
+corenet_tcp_sendrecv_all_nodes(roundup_t)
+corenet_udp_sendrecv_all_nodes(roundup_t)
+corenet_raw_sendrecv_all_nodes(roundup_t)
+corenet_tcp_sendrecv_all_ports(roundup_t)
+corenet_udp_sendrecv_all_ports(roundup_t)
+corenet_tcp_bind_all_nodes(roundup_t)
+corenet_tcp_bind_http_cache_port(roundup_t)
+corenet_tcp_connect_smtp_port(roundup_t)
+corenet_sendrecv_http_cache_server_packets(roundup_t)
+corenet_sendrecv_smtp_client_packets(roundup_t)
+
+# /usr/share/mysql/charsets/Index.xml
+dev_read_urand(roundup_t)
+
+domain_use_interactive_fds(roundup_t)
+
+# /usr/share/mysql/charsets/Index.xml
+files_read_usr_files(roundup_t)
+files_read_etc_files(roundup_t)
+
+fs_getattr_all_fs(roundup_t)
+fs_search_auto_mountpoints(roundup_t)
+
+term_dontaudit_use_console(roundup_t)
+
+init_use_fds(roundup_t)
+init_use_script_ptys(roundup_t)
+
+libs_use_ld_so(roundup_t)
+libs_use_shared_libs(roundup_t)
+
+logging_send_syslog_msg(roundup_t)
+
+miscfiles_read_localization(roundup_t)
+
+sysnet_read_config(roundup_t)
+
+userdom_dontaudit_use_unpriv_user_fds(roundup_t)
+userdom_dontaudit_search_sysadm_home_dirs(roundup_t)
+
+ifdef(`targeted_policy',`
+	files_dontaudit_read_root_files(roundup_t)
+	term_dontaudit_use_unallocated_ttys(roundup_t)
+	term_dontaudit_use_generic_ptys(roundup_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(roundup_t)
+	mysql_search_db(roundup_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(roundup_t)
+')
+
+optional_policy(`
+	udev_read_db(roundup_t)
+')
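Review bot: The comment `# /usr/share/mysql/charsets/Index.xml` at L74302 sits above `dev_read_urand(roundup_t)`, where it explains nothing; the same comment correctly annotates `files_read_usr_files(roundup_t)` five lines later. Drop the first copy, or replace it with the actual reason roundup-server reads urandom. Separately, `corenet_raw_sendrecv_generic_if(roundup_t)` and `corenet_raw_sendrecv_all_nodes(roundup_t)` (L74290, L74293) have no matching `self:rawip_socket` rule anywhere in this module, so they appear to be inert; unless roundup-server is known to open raw IP sockets, removing them keeps the domain closer to least privilege.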
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
new file mode 100644
index 0000000..dbe7c72
--- /dev/null
+++ b/policy/modules/services/rpc.fc
@@ -0,0 +1,27 @@
+#
+# /etc
+#
+/etc/exports		--	gen_context(system_u:object_r:exports_t,s0)
+
+#
+# /sbin
+#
+/sbin/rpc\..*		--	gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/exportfs	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/sbin/rpc\.mountd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.nfsd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/nfs(/.*)?		gen_context(system_u:object_r:var_lib_nfs_t,s0)
+
+/var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
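Review bot: `/usr/sbin/rpc.idmapd` at L74369 leaves the dot unescaped while every sibling entry in this file writes `rpc\.`; in a file_contexts regular expression a bare `.` matches any character, so the pattern is looser than intended and inconsistent with the rest of the file. Change it to `/usr/sbin/rpc\.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)`.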
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
new file mode 100644
index 0000000..831a1cb
--- /dev/null
+++ b/policy/modules/services/rpc.if
@@ -0,0 +1,351 @@
+## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
+
+#######################################
+## <summary>
+##	The template to define a rpc domain.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a domain to be used for
+##	a new rpc daemon.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The type of daemon to be used.
+##	</summary>
+## </param>
+#
+template(`rpc_domain_template', `
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_t;
+	type $1_exec_t;
+	init_daemon_domain($1_t,$1_exec_t)
+	domain_use_interactive_fds($1_t)
+
+	####################################
+	#
+	# Local Policy
+	#
+
+	dontaudit $1_t self:capability { net_admin sys_tty_config };
+	allow $1_t self:capability net_bind_service;
+	allow $1_t self:process signal_perms;
+	allow $1_t self:unix_dgram_socket create_socket_perms;
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_t self:netlink_route_socket r_netlink_socket_perms;
+	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:udp_socket create_socket_perms;
+
+	allow $1_t var_lib_nfs_t:dir create_dir_perms;
+	allow $1_t var_lib_nfs_t:file create_file_perms;
+
+	kernel_list_proc($1_t)
+	kernel_read_proc_symlinks($1_t)
+	kernel_read_kernel_sysctls($1_t)
+	# bind to arbitary unused ports
+	kernel_rw_rpc_sysctls($1_t)
+
+	dev_read_sysfs($1_t)
+
+	corenet_non_ipsec_sendrecv($1_t)
+	corenet_tcp_sendrecv_all_if($1_t)
+	corenet_udp_sendrecv_all_if($1_t)
+	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_udp_sendrecv_all_nodes($1_t)
+	corenet_tcp_sendrecv_all_ports($1_t)
+	corenet_udp_sendrecv_all_ports($1_t)
+	corenet_tcp_bind_all_nodes($1_t)
+	corenet_udp_bind_all_nodes($1_t)
+	corenet_tcp_bind_reserved_port($1_t)
+	corenet_tcp_bind_reserved_port($1_t)
+	corenet_tcp_connect_all_ports($1_t)
+	corenet_sendrecv_portmap_client_packets($1_t)
+	# do not log when it tries to bind to a port belonging to another domain
+	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+	corenet_dontaudit_udp_bind_all_reserved_ports($1_t)
+	# bind to arbitary unused ports
+	corenet_tcp_bind_generic_port($1_t)
+	corenet_udp_bind_generic_port($1_t)
+	corenet_udp_bind_reserved_port($1_t)
+	corenet_sendrecv_generic_server_packets($1_t)
+
+	fs_search_auto_mountpoints($1_t)
+
+	term_dontaudit_use_console($1_t)
+
+	files_read_etc_files($1_t)
+	files_read_etc_runtime_files($1_t)
+	files_search_var($1_t)
+	files_search_var_lib($1_t)
+
+	init_use_fds($1_t)
+	init_use_script_ptys($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+
+	logging_send_syslog_msg($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	sysnet_read_config($1_t)
+
+	userdom_dontaudit_use_unpriv_user_fds($1_t)
+
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_unallocated_ttys($1_t)
+		term_dontaudit_use_generic_ptys($1_t)
+		files_dontaudit_read_root_files($1_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_t)
+	')
+
+	optional_policy(`
+		seutil_sigchld_newrole($1_t)
+	')
+
+	optional_policy(`
+		udev_read_db($1_t)
+	')
+')
+
+########################################
+## <summary>
+##      Send UDP network traffic to rpc and recieve UDP traffic from rpc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpc_udp_send',`
+	gen_require(`
+		type rpc_t;
+	')
+
+	allow $1 rpc_t:udp_socket sendto;
+	allow rpc_t $1:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to get the attributes
+##	of the NFS export file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpc_dontaudit_getattr_exports',`
+	gen_require(`
+		type exports_t;
+	')
+
+	dontaudit $1 exports_t:file getattr;
+')
+
+########################################
+## <summary>
+##      Allow read access to exports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpc_read_exports',`
+	gen_require(`
+		type exports_t;
+	')
+
+	allow $1 exports_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##      Allow write access to exports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpc_write_exports',`
+	gen_require(`
+		type exports_t;
+	')
+
+	allow $1 exports_t:file write;
+')
+
+########################################
+## <summary>
+##      Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpc_domtrans_nfsd',`
+	gen_require(`
+		type nfsd_t, nfsd_exec_t;
+	')
+
+	domain_auto_trans($1,nfsd_exec_t,nfsd_t)
+
+	allow $1 nfsd_t:fd use;
+	allow nfsd_t $1:fd use;
+	allow nfsd_t $1:fifo_file rw_file_perms;
+	allow nfsd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##      Read NFS exported content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_read_nfs_content',`
+	gen_require(`
+		type nfsd_ro_t, nfsd_rw_t;	
+	')
+
+	allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
+	allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
+	allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##      Allow domain to create read and write NFS directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_manage_nfs_rw_content',`
+	gen_require(`
+		type nfsd_rw_t;	
+	')
+
+	allow $1 nfsd_rw_t:dir manage_dir_perms;
+	allow $1 nfsd_rw_t:file manage_file_perms;
+	allow $1 nfsd_rw_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##      Allow domain to create read and write NFS directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_manage_nfs_ro_content',`
+	gen_require(`
+		type nfsd_ro_t;	
+	')
+
+	allow $1 nfsd_ro_t:dir manage_dir_perms;
+	allow $1 nfsd_ro_t:file manage_file_perms;
+	allow $1 nfsd_ro_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##      Allow domain to read and write to an NFS UDP socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_udp_rw_nfs_sockets',`
+	gen_require(`
+		type nfsd_t;	
+	')
+
+	allow $1 nfsd_t:udp_socket rw_socket_perms;
+
+')
+
+########################################
+## <summary>
+##	Send UDP traffic to NFSd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_udp_send_nfs',`
+	gen_require(`
+		type nfsd_t;
+	')
+
+	allow $1 nfsd_t:udp_socket sendto;
+	allow nfsd_t $1:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Search NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_search_nfs_state_data',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 var_lib_nfs_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_read_nfs_state_data',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 var_lib_nfs_t:dir search_dir_perms;
+	allow $1 var_lib_nfs_t:file read_file_perms;
+')
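Review bot: `corenet_tcp_bind_reserved_port($1_t)` appears twice in a row (L74451–L74452) inside `rpc_domain_template`; the second copy is redundant and, given `corenet_udp_bind_reserved_port($1_t)` at L74461, looks like a leftover from an edit, so delete one. The interface documentation also needs attention: `rpc_manage_nfs_ro_content` (L74645) repeats the `rpc_manage_nfs_rw_content` summary "create read and write NFS directories" and should instead read `##	Allow domain to create, read, write, and delete nfsd_ro_t content.`, and the template's `<param name="userdomain_prefix">` (L74400) is misnamed for a daemon prefix — `<param name="prefix">` with summary `The prefix of the rpc daemon domain (e.g., nfsd for nfsd_t).` matches how rpc.te invokes it. Typos worth fixing while here: "managment" (L74388), "recieve" (L74508), "arbitary" (L74437, L74458).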
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
new file mode 100644
index 0000000..8536f77
--- /dev/null
+++ b/policy/modules/services/rpc.te
@@ -0,0 +1,162 @@
+
+policy_module(rpc,1.2.9)
+
+########################################
+#
+# Declarations
+#
+
+type exports_t;
+files_type(exports_t)
+
+rpc_domain_template(gssd)
+
+type gssd_tmp_t;
+files_tmp_file(gssd_tmp_t)
+
+type rpcd_var_run_t;
+files_pid_file(rpcd_var_run_t)
+
+# rpcd_t is the domain of rpc daemons.
+# rpc_exec_t is the type of rpc daemon programs.
+rpc_domain_template(rpcd)
+
+rpc_domain_template(nfsd)
+
+type nfsd_rw_t;
+files_type(nfsd_rw_t)
+
+type nfsd_ro_t;
+files_type(nfsd_ro_t)
+
+type var_lib_nfs_t;
+files_mountpoint(var_lib_nfs_t)
+
+########################################
+#
+# RPC local policy
+#
+
+allow rpcd_t self:fifo_file rw_file_perms;
+allow rpcd_t self:file { getattr read };
+
+allow rpcd_t rpcd_var_run_t:file manage_file_perms;
+allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
+files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
+
+kernel_search_network_state(rpcd_t) 
+# for rpc.rquotad
+kernel_read_sysctl(rpcd_t)  
+
+dev_read_urand(rpcd_t)
+dev_read_rand(rpcd_t)
+
+fs_list_rpc(rpcd_t)
+fs_read_rpc_files(rpcd_t)
+fs_read_rpc_symlinks(rpcd_t)
+fs_read_rpc_sockets(rpcd_t) 
+term_use_controlling_term(rpcd_t)
+
+# cjp: this should really have its own type
+files_manage_mounttab(rpcd_t)
+
+miscfiles_read_certs(rpcd_t)
+
+seutil_dontaudit_search_config(rpcd_t)
+
+portmap_udp_chat(rpcd_t) 
+
+ifdef(`distro_redhat',`
+	allow rpcd_t self:capability { chown dac_override setgid setuid };
+')
+
+optional_policy(`
+	nis_read_ypserv_config(rpcd_t)
+')
+
+########################################
+#
+# NFSD local policy
+#
+
+allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+
+allow nfsd_t exports_t:file { getattr read };
+allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
+
+# for /proc/fs/nfs/exports - should we have a new type?
+kernel_read_system_state(nfsd_t) 
+kernel_read_network_state(nfsd_t) 
+kernel_udp_send(nfsd_t)
+kernel_tcp_recvfrom(nfsd_t) 
+
+fs_mount_nfsd_fs(nfsd_t) 
+fs_search_nfsd_fs(nfsd_t) 
+fs_getattr_all_fs(nfsd_t) 
+fs_rw_nfsd_fs(nfsd_t) 
+
+term_use_controlling_term(nfsd_t) 
+
+# does not really need this, but it is easier to just allow it
+files_search_pids(nfsd_t) 
+# for exportfs and rpc.mountd
+files_getattr_tmp_dirs(nfsd_t) 
+# cjp: this should really have its own type
+files_manage_mounttab(rpcd_t)
+
+# Read access to public_content_t and public_content_rw_t
+miscfiles_read_public_files(nfsd_t)
+
+portmap_tcp_connect(nfsd_t) 
+portmap_udp_chat(nfsd_t)
+
+# Write access to public_content_t and public_content_rw_t
+tunable_policy(`allow_nfsd_anon_write',`
+	miscfiles_manage_public_files(nfsd_t)
+') 
+
+tunable_policy(`nfs_export_all_rw',`
+	fs_read_noxattr_fs_files(nfsd_t) 
+	auth_manage_all_files_except_shadow(nfsd_t)
+')
+
+tunable_policy(`nfs_export_all_ro',`
+	fs_read_noxattr_fs_files(nfsd_t) 
+	auth_read_all_files_except_shadow(nfsd_t)
+')
+
+########################################
+#
+# GSSD local policy
+#
+
+allow gssd_t self:capability { dac_override dac_read_search setuid };
+allow gssd_t self:fifo_file { read write };
+
+allow gssd_t gssd_tmp_t:dir create_dir_perms;
+allow gssd_t gssd_tmp_t:file create_file_perms;
+files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+
+kernel_read_network_state(gssd_t)
+kernel_read_network_state_symlinks(gssd_t)	
+
+dev_read_urand(gssd_t)
+
+fs_list_rpc(gssd_t) 
+fs_read_rpc_sockets(gssd_t) 
+fs_read_rpc_files(gssd_t) 
+
+files_list_tmp(gssd_t) 
+files_read_generic_tmp_files(gssd_t) 
+files_read_generic_tmp_symlinks(gssd_t) 
+
+tunable_policy(`allow_gssd_read_tmp',`
+	userdom_list_unpriv_users_tmp(gssd_t) 
+	userdom_read_unpriv_users_tmp_files(gssd_t) 
+	userdom_read_unpriv_users_tmp_symlinks(gssd_t) 
+')
+
+optional_policy(`
+	kerberos_use(gssd_t)
+	kerberos_read_keytab(gssd_t) 
+')
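Review bot: `files_manage_mounttab(rpcd_t)` at L74849 sits under the "NFSD local policy" heading but grants `rpcd_t`, exactly duplicating L74805 together with its `cjp` comment, so it adds nothing for `rpcd_t` while `nfsd_t` receives no mounttab access at all. It was most likely meant as `files_manage_mounttab(nfsd_t)`; if nfsd turns out not to need it, delete the duplicate instead of leaving a misleading rule under the wrong section. Several rule lines in this file also carry trailing whitespace (e.g. L74791, L74793, L74832–L74840, L74885), which should be stripped.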
diff --git a/policy/modules/services/rshd.fc b/policy/modules/services/rshd.fc
new file mode 100644
index 0000000..6a4db03
--- /dev/null
+++ b/policy/modules/services/rshd.fc
@@ -0,0 +1,5 @@
+
+/usr/kerberos/sbin/kshd	--	gen_context(system_u:object_r:rshd_exec_t,s0)
+
+/usr/sbin/in\.rexecd	--	gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/sbin/in\.rshd	--	gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/policy/modules/services/rshd.if b/policy/modules/services/rshd.if
new file mode 100644
index 0000000..eefcd30
--- /dev/null
+++ b/policy/modules/services/rshd.if
@@ -0,0 +1,26 @@
+## <summary>Remote shell service.</summary>
+
+########################################
+## <summary>
+##	Domain transition to rshd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rshd_domtrans',`
+	gen_require(`
+		type rshd_exec_t, rshd_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,rshd_exec_t,rshd_t)
+
+	allow $1 rshd_t:fd use;
+	allow rshd_t $1:fd use;
+	allow rshd_t $1:fifo_file rw_file_perms;
+	allow rshd_t $1:process sigchld;
+')
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
new file mode 100644
index 0000000..aaf4950
--- /dev/null
+++ b/policy/modules/services/rshd.te
@@ -0,0 +1,96 @@
+
+policy_module(rshd,1.1.1)
+
+########################################
+#
+# Declarations
+#
+type rshd_t;
+type rshd_exec_t;
+inetd_tcp_service_domain(rshd_t,rshd_exec_t)
+domain_subj_id_change_exemption(rshd_t)
+domain_role_change_exemption(rshd_t)
+role system_r types rshd_t;
+
+########################################
+#
+# Local policy
+#
+allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
+allow rshd_t self:fifo_file rw_file_perms;
+allow rshd_t self:tcp_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(rshd_t)
+
+corenet_non_ipsec_sendrecv(rshd_t)
+corenet_tcp_sendrecv_generic_if(rshd_t)
+corenet_udp_sendrecv_generic_if(rshd_t)
+corenet_tcp_sendrecv_all_nodes(rshd_t)
+corenet_udp_sendrecv_all_nodes(rshd_t)
+corenet_tcp_sendrecv_all_ports(rshd_t)
+corenet_udp_sendrecv_all_ports(rshd_t)
+corenet_tcp_bind_all_nodes(rshd_t)
+corenet_tcp_bind_rsh_port(rshd_t)
+corenet_sendrecv_rsh_server_packets(rshd_t)
+
+dev_read_urand(rshd_t)
+
+selinux_get_fs_mount(rshd_t)
+selinux_validate_context(rshd_t)
+selinux_compute_access_vector(rshd_t)
+selinux_compute_create_context(rshd_t)
+selinux_compute_relabel_context(rshd_t)
+selinux_compute_user_contexts(rshd_t)
+
+auth_domtrans_chk_passwd(rshd_t)
+
+corecmd_read_bin_symlinks(rshd_t)
+corecmd_read_sbin_symlinks(rshd_t)
+
+files_list_home(rshd_t)
+files_read_etc_files(rshd_t)
+files_search_tmp(rshd_t)
+
+libs_use_ld_so(rshd_t)
+libs_use_shared_libs(rshd_t)
+
+logging_send_syslog_msg(rshd_t)
+
+miscfiles_read_localization(rshd_t)
+
+seutil_read_config(rshd_t)
+seutil_read_default_contexts(rshd_t)
+
+sysnet_read_config(rshd_t)
+
+userdom_search_all_users_home_content(rshd_t)
+
+ifdef(`targeted_policy',`
+	unconfined_domain(rshd_t)
+	unconfined_shell_domtrans(rshd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(rshd_t)
+	fs_read_nfs_symlinks(rshd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(rshd_t)
+	fs_read_cifs_symlinks(rshd_t)
+')
+
+optional_policy(`
+	kerberos_use(rshd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(rshd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`
+	allow rshd_t rlogind_tmp_t:file rw_file_perms;
+')
+')
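Review bot: The UDP rules `corenet_udp_sendrecv_generic_if`, `corenet_udp_sendrecv_all_nodes` and `corenet_udp_sendrecv_all_ports` (L74983, L74985, L74987) have no matching `self:udp_socket` rule anywhere in this module — only `self:tcp_socket` at L74977 is allowed — so the domain cannot itself create the UDP socket these interfaces describe traffic for. Either rshd never uses UDP and the three lines are dead and should be dropped, or it does (name resolution would be the usual reason) and `allow rshd_t self:udp_socket create_socket_perms;` is missing; which case applies is better settled from audit records than guessed. The `ifdef(`TODO',...)` block at L75047–L75051 is also unreachable as written and references `rlogind_tmp_t` without a `gen_require`, so it should be either completed or removed.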
diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc
new file mode 100644
index 0000000..231149a
--- /dev/null
+++ b/policy/modules/services/rsync.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
new file mode 100644
index 0000000..9f1bdd8
--- /dev/null
+++ b/policy/modules/services/rsync.if
@@ -0,0 +1,104 @@
+## <summary>Fast incremental file transfer for synchronization</summary>
+
+########################################
+## <summary>
+##	Make rsync an entry point for
+##	the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which init scripts are an entrypoint.
+##	</summary>
+## </param>
+# cjp: added for portage
+interface(`rsync_entry_type',`
+	gen_require(`
+		type rsync_exec_t;
+	')
+
+	domain_entry_file($1,rsync_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a rsync in a specified domain.
+## </summary>
+## <desc>
+##      <p>
+##	Execute a rsync in a specified domain.
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+## </desc>
+## <param name="source_domain">
+##	<summary>
+##	Domain to transition from.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
+# cjp: added for portage
+interface(`rsync_entry_spec_domtrans',`
+	gen_require(`
+		type rsync_exec_t;
+	')
+
+	domain_trans($1,rsync_exec_t,$2)
+')
+
+########################################
+## <summary>
+##	Execute a rsync in a specified domain.
+## </summary>
+## <desc>
+##      <p>
+##	Execute a rsync in a specified domain.
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+## </desc>
+## <param name="source_domain">
+##	<summary>
+##	Domain to transition from.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
+# cjp: added for portage
+interface(`rsync_entry_domtrans',`
+	gen_require(`
+		type rsync_exec_t;
+	')
+
+	domain_auto_trans($1,rsync_exec_t,$2)
+')
+
+########################################
+## <summary>
+##	Execute rsync in the caller domain domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rsync_exec',`
+	gen_require(`
+		type rsync_exec_t;
+	')
+
+	can_exec($1,rsync_exec_t)
+')
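Review bot: The parameter summary for `rsync_entry_type` (L75075) reads "The domain for which init scripts are an entrypoint", copied from the init module; it should say `##	The domain for which rsync is an entrypoint.`. `rsync_entry_spec_domtrans` and `rsync_entry_domtrans` carry identical descriptions although the first calls `domain_trans` and the second `domain_auto_trans`, so the first should state that it grants the transition without an automatic `type_transition`, e.g. `##	Execute rsync in a specified domain, without an automatic domain transition.`. Finally, the `rsync_exec` summary (L75155) has the duplicated word "domain domain".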
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
new file mode 100644
index 0000000..5ba24bb
--- /dev/null
+++ b/policy/modules/services/rsync.te
@@ -0,0 +1,110 @@
+
+policy_module(rsync,1.2.4)
+
+########################################
+#
+# Declarations
+#
+
+type rsync_t;
+type rsync_exec_t;
+init_daemon_domain(rsync_t,rsync_exec_t)
+role system_r types rsync_t;
+
+type rsync_data_t;
+files_type(rsync_data_t)
+
+type rsync_tmp_t;
+files_tmp_file(rsync_tmp_t)
+
+type rsync_var_run_t;
+files_pid_file(rsync_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rsync_t self:capability sys_chroot;
+allow rsync_t self:process signal_perms;
+allow rsync_t self:fifo_file rw_file_perms;
+allow rsync_t self:tcp_socket create_stream_socket_perms;
+allow rsync_t self:udp_socket connected_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child_t rules?
+# search home and kerberos also.
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow rsync_t self:capability { setuid setgid };
+#end for identd
+
+allow rsync_t rsync_data_t:dir r_dir_perms;
+allow rsync_t rsync_data_t:file r_file_perms;
+allow rsync_t rsync_data_t:lnk_file r_file_perms;
+
+allow rsync_t rsync_tmp_t:dir create_dir_perms;
+allow rsync_t rsync_tmp_t:file create_file_perms;
+files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
+
+allow rsync_t rsync_var_run_t:file create_file_perms;
+allow rsync_t rsync_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(rsync_t,rsync_var_run_t,file)
+
+kernel_read_kernel_sysctls(rsync_t)
+kernel_read_system_state(rsync_t)
+kernel_read_network_state(rsync_t)
+
+corenet_non_ipsec_sendrecv(rsync_t)
+corenet_tcp_sendrecv_all_if(rsync_t)
+corenet_udp_sendrecv_all_if(rsync_t)
+corenet_tcp_sendrecv_all_nodes(rsync_t)
+corenet_udp_sendrecv_all_nodes(rsync_t)
+corenet_tcp_sendrecv_all_ports(rsync_t)
+corenet_udp_sendrecv_all_ports(rsync_t)
+corenet_tcp_bind_all_nodes(rsync_t)
+corenet_tcp_bind_rsync_port(rsync_t)
+corenet_sendrecv_rsync_server_packets(rsync_t)
+
+dev_read_urand(rsync_t)
+
+fs_getattr_xattr_fs(rsync_t)
+
+files_read_etc_files(rsync_t)
+files_search_home(rsync_t)
+
+init_dontaudit_use_fds(rsync_t)
+
+libs_use_ld_so(rsync_t)
+libs_use_shared_libs(rsync_t)
+
+logging_send_syslog_msg(rsync_t)
+logging_dontaudit_search_logs(rsync_t)
+
+miscfiles_read_localization(rsync_t)
+miscfiles_read_public_files(rsync_t)
+
+sysnet_read_config(rsync_t)
+
+tunable_policy(`allow_rsync_anon_write',`
+	miscfiles_manage_public_files(rsync_t)
+')
+
+optional_policy(`
+	daemontools_service_domain(rsync_t, rsync_exec_t)
+')
+
+optional_policy(`
+	kerberos_use(rsync_t)
+')
+
+optional_policy(`
+	inetd_service_domain(rsync_t,rsync_exec_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(rsync_t)
+')
+
+optional_policy(`
+	nscd_socket_use(rsync_t)
+')
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
new file mode 100644
index 0000000..d0e6b6d
--- /dev/null
+++ b/policy/modules/services/samba.fc
@@ -0,0 +1,45 @@
+
+#
+# /etc
+#
+/etc/samba/MACHINE\.SID		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/secrets\.tdb		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/smbpasswd		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba(/.*)?			gen_context(system_u:object_r:samba_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/net			--	gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+/usr/bin/smbmount		--	gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbmnt			--	gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/sbin/swat			--	gen_context(system_u:object_r:swat_exec_t,s0)
+
+/usr/sbin/nmbd			--	gen_context(system_u:object_r:nmbd_exec_t,s0)
+/usr/sbin/smbd			--	gen_context(system_u:object_r:smbd_exec_t,s0)
+/usr/sbin/winbindd		--	gen_context(system_u:object_r:winbind_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
+/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/lib/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
+
+/var/log/samba(/.*)?			gen_context(system_u:object_r:samba_log_t,s0)
+
+/var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/connections\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/locking\.tdb 	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/messages\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/namelist\.debug	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/nmbd\.pid	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/sessionid\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/smbd\.pid	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/unexpected\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
+
+/var/run/winbindd(/.*)?			gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/spool/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
new file mode 100644
index 0000000..7cacf8b
--- /dev/null
+++ b/policy/modules/services/samba.if
@@ -0,0 +1,392 @@
+## <summary>
+##	SMB and CIFS client/server programs for UNIX and
+##	name  Service  Switch  daemon for resolving names
+##	from Windows NT servers.
+## </summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the samba module.
+## </summary>
+## <desc>
+##	<p>
+##	This template allows smbd to manage files in
+##	a user home directory, creating files with the
+##	correct type.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`samba_per_userdomain_template',`
+	gen_require(`
+		type smbd_t;
+	')
+
+	tunable_policy(`samba_enable_home_dirs',`
+		userdom_manage_user_home_content_dirs($1,smbd_t)
+		userdom_manage_user_home_content_files($1,smbd_t)
+		userdom_manage_user_home_content_symlinks($1,smbd_t)
+		userdom_manage_user_home_content_sockets($1,smbd_t)
+		userdom_manage_user_home_content_pipes($1,smbd_t)
+		userdom_user_home_dir_filetrans_user_home_content($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+	')
+')
+
+########################################
+## <summary>
+##	Execute samba net in the samba_net domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`samba_domtrans_net',`
+	gen_require(`
+		type samba_net_t, samba_net_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,samba_net_exec_t,samba_net_t)
+
+	allow $1 samba_net_t:fd use;
+	allow samba_net_t $1:fd use;
+	allow samba_net_t $1:fifo_file rw_file_perms;
+	allow samba_net_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute samba net in the samba_net domain, and
+##	allow the specified role the samba_net domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the samba_net domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the samba_net domain to use.
+##	</summary>
+## </param>
+#
+interface(`samba_run_net',`
+	gen_require(`
+		type samba_net_t;
+	')
+
+	samba_domtrans_net($1)
+	role $2 types samba_net_t;
+	allow samba_net_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute smbmount in the smbmount domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`samba_domtrans_smbmount',`
+	gen_require(`
+		type smbmount_t, smbmount_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,smbmount_exec_t,smbmount_t)
+
+	allow $1 smbmount_t:fd use;
+	allow smbmount_t $1:fd use;
+	allow smbmount_t $1:fifo_file rw_file_perms;
+	allow smbmount_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	samba configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_read_config',`
+	gen_require(`
+		type samba_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 samba_etc_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	and write samba configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_rw_config',`
+	gen_require(`
+		type samba_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 samba_etc_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read samba's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_read_log',`
+	gen_require(`
+		type samba_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 samba_log_t:dir r_dir_perms;
+	allow $1 samba_log_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+##	Execute samba log in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`samba_exec_log',`
+	gen_require(`
+		type samba_log_t;
+	')
+
+	logging_search_logs($1)
+	can_exec($1,samba_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read samba's secrets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_read_secrets',`
+	gen_require(`
+		type samba_secrets_t;
+	')
+
+	files_search_etc($1)
+	allow $1 samba_secrets_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to search
+##	samba /var directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_search_var',`
+	gen_require(`
+		type samba_var_t;
+	')
+
+	files_search_var($1)
+	allow $1 samba_var_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to
+##	read and write samba /var files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_rw_var_files',`
+	gen_require(`
+		type samba_var_t;
+	')
+
+	files_search_var($1)
+	allow $1 samba_var_t:dir search_dir_perms;
+	allow $1 samba_var_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to write to smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_write_smbmount_tcp_sockets',`
+	gen_require(`
+		type smbmount_t;
+	')
+
+	allow $1 smbmount_t:tcp_socket write;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read and write to smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_rw_smbmount_tcp_sockets',`
+	gen_require(`
+		type smbmount_t;
+	')
+
+	allow $1 smbmount_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Execute winbind_helper in the winbind_helper domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`samba_domtrans_winbind_helper',`
+	gen_require(`
+		type winbind_helper_t, winbind_helper_exec_t;
+	')
+
+	domain_auto_trans($1,winbind_helper_exec_t,winbind_helper_t)
+
+	allow $1 winbind_helper_t:fd use;
+	allow winbind_helper_t $1:fd use;
+	allow winbind_helper_t $1:fifo_file rw_file_perms;
+	allow winbind_helper_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute winbind_helper in the winbind_helper domain, and
+##	allow the specified role the winbind_helper domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the winbind_helper domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the winbind_helper domain to use.
+##	</summary>
+## </param>
+#
+interface(`samba_run_winbind_helper',`
+	gen_require(`
+		type winbind_helper_t;
+	')
+
+	samba_domtrans_winbind_helper($1)
+	role $2 types winbind_helper_t;
+	allow winbind_helper_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read the winbind pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_read_winbind_pid',`
+	gen_require(`
+		type winbind_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 winbind_var_run_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect to winbind.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_stream_connect_winbind',`
+	gen_require(`
+		type samba_var_t, winbind_t, winbind_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 samba_var_t:dir search_dir_perms;
+	allow $1 winbind_var_run_t:dir search_dir_perms;
+	allow $1 winbind_var_run_t:sock_file { getattr read write };
+	allow $1 winbind_t:unix_stream_socket connectto;
+')
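Review bot: samba_domtrans_winbind_helper omits the `corecmd_search_bin($1)` call that the sibling interfaces samba_domtrans_net and samba_domtrans_smbmount both include before their domain_auto_trans line, yet ntlm_auth is labelled under /usr/bin in samba.fc, so a caller that gets no bin search access elsewhere in its policy will be denied before the transition; add `corecmd_search_bin($1)` ahead of the domain_auto_trans call for consistency. Separately, samba_exec_log grants `can_exec($1,samba_log_t)` on a type that smbd_t, nmbd_t, swat_t and winbind_t are allowed to create or append to in samba.te, so a caller ends up executing content those daemons can write; the interface summary should state that, e.g. `## Callers execute the contents of samba log files, which the samba daemons can write.`, so policy writers understand what they are granting.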
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
new file mode 100644
index 0000000..5577c67
--- /dev/null
+++ b/policy/modules/services/samba.te
@@ -0,0 +1,778 @@
+
+policy_module(samba,1.2.8)
+
+#################################
+#
+# Declarations
+#
+
+type nmbd_t;
+type nmbd_exec_t;
+init_daemon_domain(nmbd_t,nmbd_exec_t)
+
+type nmbd_var_run_t;
+files_pid_file(nmbd_var_run_t)
+
+type samba_etc_t;
+files_config_file(samba_etc_t)
+
+type samba_log_t;
+logging_log_file(samba_log_t)
+
+type samba_net_t;
+domain_type(samba_net_t)
+role system_r types samba_net_t;
+
+type samba_net_exec_t;
+domain_entry_file(samba_net_t,samba_net_exec_t)
+
+type samba_net_tmp_t;
+files_tmp_file(samba_net_tmp_t)
+
+type samba_secrets_t;
+files_type(samba_secrets_t)
+
+type samba_share_t; # customizable
+files_type(samba_share_t)
+
+type samba_var_t;
+files_type(samba_var_t)
+
+type smbd_t;
+type smbd_exec_t;
+init_daemon_domain(smbd_t,smbd_exec_t)
+
+type smbd_tmp_t;
+files_tmp_file(smbd_tmp_t)
+
+type smbd_var_run_t;
+files_pid_file(smbd_var_run_t)
+
+type smbmount_t;
+domain_type(smbmount_t)
+
+type smbmount_exec_t;
+domain_entry_file(smbmount_t,smbmount_exec_t)
+
+type swat_t;
+type swat_exec_t;
+inetd_service_domain(swat_t,swat_exec_t)
+role system_r types swat_t;
+
+type swat_tmp_t;
+files_tmp_file(swat_tmp_t)
+
+type swat_var_run_t;
+files_pid_file(swat_var_run_t)
+
+type winbind_t;
+type winbind_exec_t;
+init_daemon_domain(winbind_t,winbind_exec_t)
+
+type winbind_helper_t;
+domain_type(winbind_helper_t)
+role system_r types winbind_helper_t;
+
+type winbind_helper_exec_t;
+domain_entry_file(winbind_helper_t,winbind_helper_exec_t)
+
+type winbind_log_t;
+logging_log_file(winbind_log_t)
+
+type winbind_tmp_t;
+files_tmp_file(winbind_tmp_t)
+
+type winbind_var_run_t;
+files_pid_file(winbind_var_run_t)
+
+########################################
+#
+# Samba net local policy
+#
+
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+allow samba_net_t self:udp_socket create_socket_perms;
+allow samba_net_t self:tcp_socket create_socket_perms;
+
+allow samba_net_t samba_etc_t:file r_file_perms;
+
+allow samba_net_t samba_secrets_t:file create_file_perms;
+allow samba_net_t samba_etc_t:dir rw_dir_perms;
+type_transition samba_net_t samba_etc_t:file samba_secrets_t;
+
+allow samba_net_t samba_net_tmp_t:dir create_dir_perms;
+allow samba_net_t samba_net_tmp_t:file create_file_perms;
+files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+
+allow samba_net_t samba_var_t:dir rw_dir_perms;
+allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
+allow samba_net_t samba_var_t:file create_file_perms;
+
+kernel_read_proc_symlinks(samba_net_t)
+
+corenet_tcp_sendrecv_all_if(samba_net_t)
+corenet_udp_sendrecv_all_if(samba_net_t)
+corenet_raw_sendrecv_all_if(samba_net_t)
+corenet_tcp_sendrecv_all_nodes(samba_net_t)
+corenet_udp_sendrecv_all_nodes(samba_net_t)
+corenet_raw_sendrecv_all_nodes(samba_net_t)
+corenet_tcp_sendrecv_all_ports(samba_net_t)
+corenet_udp_sendrecv_all_ports(samba_net_t)
+corenet_non_ipsec_sendrecv(samba_net_t)
+corenet_tcp_bind_all_nodes(samba_net_t)
+corenet_udp_bind_all_nodes(samba_net_t)
+corenet_tcp_connect_smbd_port(samba_net_t)
+
+dev_read_urand(samba_net_t)
+
+domain_use_interactive_fds(samba_net_t)
+
+files_read_etc_files(samba_net_t)
+
+libs_use_ld_so(samba_net_t)
+libs_use_shared_libs(samba_net_t)
+
+logging_send_syslog_msg(samba_net_t)
+
+miscfiles_read_localization(samba_net_t) 
+
+sysnet_read_config(samba_net_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(samba_net_t)
+	term_use_unallocated_ttys(samba_net_t)
+')
+
+optional_policy(`
+	kerberos_use(samba_net_t)
+')
+
+optional_policy(`
+	allow samba_net_t self:tcp_socket create_socket_perms;
+	corenet_tcp_sendrecv_all_if(samba_net_t)
+	corenet_raw_sendrecv_all_if(samba_net_t)
+	corenet_tcp_sendrecv_all_nodes(samba_net_t)
+	corenet_raw_sendrecv_all_nodes(samba_net_t)
+	corenet_tcp_sendrecv_ldap_port(samba_net_t)
+	corenet_non_ipsec_sendrecv(samba_net_t)
+	corenet_tcp_bind_all_nodes(samba_net_t)
+	sysnet_read_config(samba_net_t)
+        corenet_tcp_connect_ldap_port(samba_net_t)
+')
+
+optional_policy(`
+	nscd_socket_use(samba_net_t)
+')
+
+########################################
+#
+# smbd Local policy
+#
+allow smbd_t self:capability { setgid setuid sys_resource lease dac_override dac_read_search };
+dontaudit smbd_t self:capability sys_tty_config;
+allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow smbd_t self:process setrlimit;
+allow smbd_t self:fd use;
+allow smbd_t self:fifo_file rw_file_perms;
+allow smbd_t self:msg { send receive };
+allow smbd_t self:msgq create_msgq_perms;
+allow smbd_t self:sem create_sem_perms;
+allow smbd_t self:shm create_shm_perms;
+allow smbd_t self:sock_file r_file_perms;
+allow smbd_t self:tcp_socket create_stream_socket_perms;
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow smbd_t samba_etc_t:dir rw_dir_perms;
+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
+
+allow smbd_t samba_log_t:dir ra_dir_perms;
+dontaudit smbd_t samba_log_t:dir remove_name;
+allow smbd_t samba_log_t:file { create ra_file_perms };
+
+allow smbd_t samba_net_tmp_t:file getattr;
+
+allow smbd_t samba_secrets_t:dir rw_dir_perms;
+allow smbd_t samba_secrets_t:file create_file_perms;
+type_transition smbd_t samba_etc_t:file samba_secrets_t;
+
+allow smbd_t samba_share_t:dir create_dir_perms;
+allow smbd_t samba_share_t:file create_file_perms;
+allow smbd_t samba_share_t:lnk_file create_lnk_perms;
+
+allow smbd_t samba_var_t:dir create_dir_perms;
+allow smbd_t samba_var_t:file create_file_perms;
+allow smbd_t samba_var_t:lnk_file create_lnk_perms;
+allow smbd_t samba_var_t:sock_file create_file_perms;
+
+allow smbd_t smbd_tmp_t:dir create_dir_perms;
+allow smbd_t smbd_tmp_t:file create_file_perms;
+files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+
+allow smbd_t smbd_var_run_t:dir create_dir_perms;
+allow smbd_t smbd_var_run_t:file create_file_perms;
+allow smbd_t smbd_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(smbd_t,smbd_var_run_t,file)
+
+allow smbd_t winbind_var_run_t:sock_file { read write getattr };
+
+kernel_getattr_core_if(smbd_t)
+kernel_getattr_message_if(smbd_t)
+kernel_read_network_state(smbd_t)
+kernel_read_fs_sysctls(smbd_t)
+kernel_read_kernel_sysctls(smbd_t)
+kernel_read_software_raid_state(smbd_t)
+kernel_read_system_state(smbd_t)
+
+corenet_tcp_sendrecv_all_if(smbd_t)
+corenet_udp_sendrecv_all_if(smbd_t)
+corenet_raw_sendrecv_all_if(smbd_t)
+corenet_tcp_sendrecv_all_nodes(smbd_t)
+corenet_udp_sendrecv_all_nodes(smbd_t)
+corenet_raw_sendrecv_all_nodes(smbd_t)
+corenet_tcp_sendrecv_all_ports(smbd_t)
+corenet_udp_sendrecv_all_ports(smbd_t)
+corenet_non_ipsec_sendrecv(smbd_t)
+corenet_tcp_bind_all_nodes(smbd_t)
+corenet_udp_bind_all_nodes(smbd_t)
+corenet_tcp_bind_smbd_port(smbd_t)
+corenet_tcp_connect_ipp_port(smbd_t)
+corenet_tcp_connect_smbd_port(smbd_t)
+
+dev_read_sysfs(smbd_t)
+dev_read_urand(smbd_t)
+dev_getattr_mtrr_dev(smbd_t)
+dev_dontaudit_getattr_usbfs_dirs(smbd_t)
+
+fs_getattr_all_fs(smbd_t)
+fs_get_xattr_fs_quotas(smbd_t)
+fs_search_auto_mountpoints(smbd_t)
+fs_getattr_rpc_dirs(smbd_t)
+
+term_dontaudit_use_console(smbd_t)
+
+auth_use_nsswitch(smbd_t)
+auth_domtrans_chk_passwd(smbd_t)
+
+domain_use_interactive_fds(smbd_t)
+
+files_list_var_lib(smbd_t)
+files_read_etc_files(smbd_t)
+files_read_etc_runtime_files(smbd_t)
+files_read_usr_files(smbd_t)
+files_search_spool(smbd_t)
+# Allow samba to list mnt_t for potential mounted dirs
+files_list_mnt(smbd_t)
+
+init_use_fds(smbd_t)
+init_use_script_ptys(smbd_t)
+init_rw_utmp(smbd_t)
+
+libs_use_ld_so(smbd_t)
+libs_use_shared_libs(smbd_t)
+
+logging_search_logs(smbd_t)
+logging_send_syslog_msg(smbd_t)
+
+miscfiles_read_localization(smbd_t)
+miscfiles_read_public_files(smbd_t)
+
+sysnet_read_config(smbd_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
+userdom_dontaudit_use_unpriv_user_fds(smbd_t)
+userdom_use_unpriv_users_fds(smbd_t)
+
+ifdef(`hide_broken_symptoms', `
+	files_dontaudit_getattr_default_dirs(smbd_t)
+	files_dontaudit_getattr_boot_dirs(smbd_t)
+	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
+')
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_files(smbd_t)
+	term_dontaudit_use_generic_ptys(smbd_t)
+	term_dontaudit_use_unallocated_ttys(smbd_t)
+')
+
+tunable_policy(`allow_smbd_anon_write',`
+	miscfiles_manage_public_files(smbd_t)
+') 
+
+# Support Samba sharing of NFS mount points
+tunable_policy(`samba_share_nfs',`
+	fs_manage_nfs_dirs(smbd_t)
+	fs_manage_nfs_files(smbd_t)
+')
+
+optional_policy(`
+	cups_read_rw_config(smbd_t)
+')
+
+optional_policy(`
+	kerberos_use(smbd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(smbd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(smbd_t)
+')
+
+optional_policy(`
+	rpc_search_nfs_state_data(smbd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(smbd_t)
+')
+
+optional_policy(`
+	udev_read_db(smbd_t)
+')
+
+########################################
+#
+# nmbd Local policy
+#
+
+dontaudit nmbd_t self:capability sys_tty_config;
+allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow nmbd_t self:fd use;
+allow nmbd_t self:fifo_file rw_file_perms;
+allow nmbd_t self:msg { send receive };
+allow nmbd_t self:msgq create_msgq_perms;
+allow nmbd_t self:sem create_sem_perms;
+allow nmbd_t self:shm create_shm_perms;
+allow nmbd_t self:sock_file r_file_perms;
+allow nmbd_t self:tcp_socket create_stream_socket_perms;
+allow nmbd_t self:udp_socket create_socket_perms;
+allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow nmbd_t nmbd_var_run_t:file create_file_perms;
+allow nmbd_t nmbd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
+
+allow nmbd_t samba_etc_t:dir { search getattr };
+allow nmbd_t samba_etc_t:file { getattr read };
+
+allow nmbd_t samba_log_t:dir ra_dir_perms;
+allow nmbd_t samba_log_t:file { create ra_file_perms };
+
+allow nmbd_t samba_var_t:dir rw_dir_perms;
+allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
+
+allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+
+kernel_getattr_core_if(nmbd_t)
+kernel_getattr_message_if(nmbd_t)
+kernel_read_kernel_sysctls(nmbd_t)
+kernel_read_network_state(nmbd_t)
+kernel_read_software_raid_state(nmbd_t)
+kernel_read_system_state(nmbd_t)
+
+corenet_non_ipsec_sendrecv(nmbd_t)
+corenet_tcp_sendrecv_all_if(nmbd_t)
+corenet_udp_sendrecv_all_if(nmbd_t)
+corenet_tcp_sendrecv_all_nodes(nmbd_t)
+corenet_udp_sendrecv_all_nodes(nmbd_t)
+corenet_tcp_sendrecv_all_ports(nmbd_t)
+corenet_udp_sendrecv_all_ports(nmbd_t)
+corenet_udp_bind_all_nodes(nmbd_t)
+corenet_udp_bind_nmbd_port(nmbd_t)
+corenet_sendrecv_nmbd_server_packets(nmbd_t)
+corenet_sendrecv_nmbd_client_packets(nmbd_t)
+
+dev_read_sysfs(nmbd_t)
+dev_getattr_mtrr_dev(nmbd_t)
+
+fs_getattr_all_fs(nmbd_t)
+fs_search_auto_mountpoints(nmbd_t)
+
+term_dontaudit_use_console(nmbd_t)
+
+domain_use_interactive_fds(nmbd_t)
+
+files_read_usr_files(nmbd_t)
+files_read_etc_files(nmbd_t)
+
+init_use_fds(nmbd_t)
+init_use_script_ptys(nmbd_t)
+
+libs_use_ld_so(nmbd_t)
+libs_use_shared_libs(nmbd_t)
+
+logging_search_logs(nmbd_t)
+logging_send_syslog_msg(nmbd_t)
+
+miscfiles_read_localization(nmbd_t)
+
+sysnet_read_config(nmbd_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
+userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
+userdom_use_unpriv_users_fds(nmbd_t)
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_files(nmbd_t)
+	term_dontaudit_use_generic_ptys(nmbd_t)
+	term_dontaudit_use_unallocated_ttys(nmbd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(nmbd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(nmbd_t)
+')
+
+optional_policy(`
+	udev_read_db(nmbd_t)
+')
+
+########################################
+#
+# smbmount Local policy
+#
+
+allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
+allow smbmount_t self:process { fork signal_perms };
+allow smbmount_t self:tcp_socket create_stream_socket_perms;
+allow smbmount_t self:udp_socket connect;
+allow smbmount_t self:unix_dgram_socket create_socket_perms;
+allow smbmount_t self:unix_stream_socket create_socket_perms;
+
+allow smbmount_t samba_etc_t:dir r_dir_perms;
+allow smbmount_t samba_etc_t:file r_file_perms;
+
+can_exec(smbmount_t, smbmount_exec_t)
+
+allow smbmount_t samba_log_t:dir r_dir_perms; 
+allow smbmount_t samba_log_t:file create_file_perms;
+
+allow smbmount_t samba_secrets_t:file create_file_perms;
+
+allow smbmount_t samba_var_t:dir rw_dir_perms;
+allow smbmount_t samba_var_t:file create_file_perms;
+allow smbmount_t samba_var_t:lnk_file create_lnk_perms;
+
+kernel_read_system_state(smbmount_t)
+
+corenet_tcp_sendrecv_all_if(smbmount_t)
+corenet_raw_sendrecv_all_if(smbmount_t)
+corenet_udp_sendrecv_all_if(smbmount_t)
+corenet_tcp_sendrecv_all_nodes(smbmount_t)
+corenet_raw_sendrecv_all_nodes(smbmount_t)
+corenet_udp_sendrecv_all_nodes(smbmount_t)
+corenet_tcp_sendrecv_all_ports(smbmount_t)
+corenet_udp_sendrecv_all_ports(smbmount_t)
+corenet_non_ipsec_sendrecv(smbmount_t)
+corenet_tcp_bind_all_nodes(smbmount_t)
+corenet_udp_bind_all_nodes(smbmount_t)
+corenet_tcp_connect_all_ports(smbmount_t)
+
+fs_getattr_cifs(smbmount_t)
+fs_mount_cifs(smbmount_t)
+fs_remount_cifs(smbmount_t)
+fs_unmount_cifs(smbmount_t)
+fs_list_cifs(smbmount_t)
+fs_read_cifs_files(smbmount_t)
+
+storage_raw_read_fixed_disk(smbmount_t)
+storage_raw_write_fixed_disk(smbmount_t)
+
+term_list_ptys(smbmount_t)
+term_use_controlling_term(smbmount_t)
+
+corecmd_list_bin(smbmount_t)
+
+files_list_mnt(smbmount_t)
+files_mounton_mnt(smbmount_t)
+files_manage_etc_runtime_files(smbmount_t)
+files_etc_filetrans_etc_runtime(smbmount_t,file)
+files_read_etc_files(smbmount_t)
+
+miscfiles_read_localization(smbmount_t)
+
+mount_use_fds(smbmount_t)
+
+libs_use_ld_so(smbmount_t)
+libs_use_shared_libs(smbmount_t)
+
+locallogin_use_fds(smbmount_t)
+
+logging_search_logs(smbmount_t)
+
+sysnet_read_config(smbmount_t)
+
+userdom_use_all_users_fds(smbmount_t)
+userdom_use_sysadm_ttys(smbmount_t)
+
+optional_policy(`
+	cups_read_rw_config(smbd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(smbmount_t)
+')
+
+optional_policy(`
+	nscd_socket_use(smbmount_t)
+')
+
+########################################
+#
+# SWAT Local policy
+#
+
+allow swat_t self:capability { setuid setgid };
+allow swat_t self:process signal_perms;
+allow swat_t self:fifo_file rw_file_perms;
+allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow swat_t self:netlink_audit_socket create;
+allow swat_t self:tcp_socket create_stream_socket_perms;
+allow swat_t self:udp_socket create_socket_perms;
+
+
+allow swat_t nmbd_exec_t:file { execute read };
+
+allow swat_t samba_etc_t:dir search;
+allow swat_t samba_etc_t:file { getattr write read };
+
+allow swat_t samba_log_t:dir search;
+allow swat_t samba_log_t:file append;
+
+allow swat_t smbd_exec_t:file execute ;
+
+allow swat_t smbd_t:process signull;
+
+allow swat_t smbd_var_run_t:file read;
+
+allow swat_t swat_tmp_t:dir create_dir_perms;
+allow swat_t swat_tmp_t:file create_file_perms;
+files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+
+allow swat_t swat_var_run_t:file create_file_perms;
+allow swat_t swat_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(swat_t,swat_var_run_t,file)
+
+allow swat_t winbind_exec_t:file execute;
+
+kernel_read_kernel_sysctls(swat_t)
+kernel_read_system_state(swat_t)
+kernel_read_network_state(swat_t)
+
+corecmd_search_sbin(swat_t)
+
+corenet_non_ipsec_sendrecv(swat_t)
+corenet_tcp_sendrecv_generic_if(swat_t)
+corenet_udp_sendrecv_generic_if(swat_t)
+corenet_raw_sendrecv_generic_if(swat_t)
+corenet_tcp_sendrecv_all_nodes(swat_t)
+corenet_udp_sendrecv_all_nodes(swat_t)
+corenet_raw_sendrecv_all_nodes(swat_t)
+corenet_tcp_sendrecv_all_ports(swat_t)
+corenet_udp_sendrecv_all_ports(swat_t)
+corenet_tcp_bind_all_nodes(swat_t)
+corenet_udp_bind_all_nodes(swat_t)
+corenet_tcp_connect_smbd_port(swat_t)
+
+dev_read_urand(swat_t)
+
+files_read_etc_files(swat_t)
+files_search_home(swat_t)
+files_read_usr_files(swat_t)
+fs_getattr_xattr_fs(swat_t)
+
+auth_domtrans_chk_passwd(swat_t)
+
+libs_use_ld_so(swat_t)
+libs_use_shared_libs(swat_t)
+
+logging_send_syslog_msg(swat_t)
+logging_search_logs(swat_t)
+
+miscfiles_read_localization(swat_t)
+
+sysnet_read_config(swat_t)
+
+optional_policy(`
+	cups_read_rw_config(swat_t)
+')
+
+optional_policy(`
+	kerberos_use(swat_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(swat_t)
+')
+
+optional_policy(`
+	nscd_socket_use(swat_t)
+')
+
+########################################
+#
+# Winbind local policy
+#
+
+dontaudit winbind_t self:capability sys_tty_config;
+allow winbind_t self:process signal_perms;
+allow winbind_t self:fifo_file { read write };
+allow winbind_t self:unix_dgram_socket create_socket_perms;
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow winbind_t self:tcp_socket create_stream_socket_perms;
+allow winbind_t self:udp_socket create_socket_perms;
+
+allow winbind_t samba_etc_t:dir r_dir_perms;
+allow winbind_t samba_etc_t:lnk_file { getattr read };
+allow winbind_t samba_etc_t:file r_file_perms;
+
+allow winbind_t samba_secrets_t:file create_file_perms;
+allow winbind_t samba_etc_t:dir rw_dir_perms;
+type_transition winbind_t samba_etc_t:file samba_secrets_t;
+
+allow winbind_t samba_log_t:dir rw_dir_perms;
+allow winbind_t samba_log_t:file create_file_perms;
+allow winbind_t samba_log_t:lnk_file create_lnk_perms;
+
+allow winbind_t samba_var_t:dir rw_dir_perms;
+allow winbind_t samba_var_t:file create_file_perms;
+allow winbind_t samba_var_t:lnk_file create_lnk_perms;
+
+allow winbind_t winbind_log_t:file create_file_perms;
+logging_log_filetrans(winbind_t,winbind_log_t,file)
+
+allow winbind_t winbind_tmp_t:dir create_dir_perms;
+allow winbind_t winbind_tmp_t:file create_file_perms;
+files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
+
+allow winbind_t winbind_var_run_t:file create_file_perms;
+allow winbind_t winbind_var_run_t:sock_file create_file_perms;
+allow winbind_t winbind_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(winbind_t,winbind_var_run_t,file)
+
+kernel_read_kernel_sysctls(winbind_t)
+kernel_list_proc(winbind_t)
+kernel_read_proc_symlinks(winbind_t)
+
+corenet_tcp_sendrecv_all_if(winbind_t)
+corenet_udp_sendrecv_all_if(winbind_t)
+corenet_raw_sendrecv_all_if(winbind_t)
+corenet_tcp_sendrecv_all_nodes(winbind_t)
+corenet_udp_sendrecv_all_nodes(winbind_t)
+corenet_raw_sendrecv_all_nodes(winbind_t)
+corenet_tcp_sendrecv_all_ports(winbind_t)
+corenet_udp_sendrecv_all_ports(winbind_t)
+corenet_non_ipsec_sendrecv(winbind_t)
+corenet_tcp_bind_all_nodes(winbind_t)
+corenet_udp_bind_all_nodes(winbind_t)
+corenet_tcp_connect_smbd_port(winbind_t)
+
+dev_read_sysfs(winbind_t)
+dev_read_urand(winbind_t)
+
+fs_getattr_all_fs(winbind_t)
+fs_search_auto_mountpoints(winbind_t)
+
+term_dontaudit_use_console(winbind_t)
+
+auth_domtrans_chk_passwd(winbind_t)
+
+domain_use_interactive_fds(winbind_t)
+
+files_read_etc_files(winbind_t)
+
+init_use_fds(winbind_t)
+init_use_script_ptys(winbind_t)
+
+libs_use_ld_so(winbind_t)
+libs_use_shared_libs(winbind_t)
+
+logging_send_syslog_msg(winbind_t)
+
+miscfiles_read_localization(winbind_t)
+
+sysnet_read_config(winbind_t)
+sysnet_dns_name_resolve(winbind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(winbind_t)
+userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
+userdom_priveleged_home_dir_manager(winbind_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(winbind_t)
+	term_dontaudit_use_generic_ptys(winbind_t)
+	files_dontaudit_read_root_files(winbind_t)
+')
+
+optional_policy(`
+	kerberos_use(winbind_t)
+')
+
+optional_policy(`
+	nscd_socket_use(winbind_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(winbind_t)
+')
+
+optional_policy(`
+	udev_read_db(winbind_t)
+')
+
+########################################
+#
+# Winbind helper local policy
+#
+
+allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+allow winbind_helper_t samba_etc_t:dir r_dir_perms;
+allow winbind_helper_t samba_etc_t:lnk_file { getattr read };
+allow winbind_helper_t samba_etc_t:file r_file_perms;
+
+allow winbind_helper_t samba_var_t:dir search;
+
+allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
+allow winbind_helper_t winbind_var_run_t:sock_file { getattr read write };
+allow winbind_helper_t winbind_t:unix_stream_socket connectto;
+
+term_list_ptys(winbind_helper_t)
+
+domain_use_interactive_fds(winbind_helper_t)
+
+libs_use_ld_so(winbind_helper_t)
+libs_use_shared_libs(winbind_helper_t)
+
+logging_send_syslog_msg(winbind_helper_t)
+
+miscfiles_read_localization(winbind_helper_t) 
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(winbind_helper_t)
+	term_use_unallocated_ttys(winbind_helper_t)
+')
+
+optional_policy(`
+	nscd_socket_use(winbind_helper_t)
+')
+
+optional_policy(`
+	squid_read_log(winbind_helper_t)
+	squid_append_log(winbind_helper_t)
+')
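Review bot: In the smbmount local policy section, the optional_policy block containing `cups_read_rw_config(smbd_t)` names smbd_t rather than smbmount_t, so it merely repeats the identical block already present in the smbd section and grants nothing to smbmount_t; if the intent was cups config access for the mount helper it should read `cups_read_rw_config(smbmount_t)`, otherwise the block should be dropped. The same section grants sys_rawio and sys_admin together with storage_raw_read_fixed_disk and storage_raw_write_fixed_disk, which the existing FIXME on the capability line only partly covers; the FIXME should also name the raw disk rules, since write access to fixed disks lets the domain sidestep everything else the policy confines. As a style point, the `corenet_tcp_connect_ldap_port(samba_net_t)` line in the samba net section is indented with spaces while the rest of the file uses tabs, and that optional_policy block repeats several corenet rules already granted unconditionally to samba_net_t above it.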
diff --git a/policy/modules/services/sasl.fc b/policy/modules/services/sasl.fc
new file mode 100644
index 0000000..2bc1dd8
--- /dev/null
+++ b/policy/modules/services/sasl.fc
@@ -0,0 +1,10 @@
+
+#
+# /usr
+#
+/usr/sbin/saslauthd	--	gen_context(system_u:object_r:saslauthd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/saslauthd(/.*)?	gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
new file mode 100644
index 0000000..60a8cfe
--- /dev/null
+++ b/policy/modules/services/sasl.if
@@ -0,0 +1,22 @@
+## <summary>SASL authentication server</summary>
+
+########################################
+## <summary>
+##	Connect to SASL.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sasl_connect',`
+	gen_require(`
+		type saslauthd_t, saslauthd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 saslauthd_var_run_t:dir search;
+	allow $1 saslauthd_var_run_t:sock_file { read write };
+	allow $1 saslauthd_t:unix_stream_socket connectto;
+')
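Review bot: sasl_connect grants `{ read write }` on saslauthd_var_run_t:sock_file, whereas the comparable samba_stream_connect_winbind interface in samba.if grants `{ getattr read write }`; whether a client also needs getattr on the socket file depends on whether it stats the path before connecting, so this is worth confirming against an actual caller rather than assuming the smaller set suffices. The summary `## Connect to SASL.` could also be more precise, e.g. `## Connect to the saslauthd unix stream socket.`, since the interface only covers the local socket and not any network access.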
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
new file mode 100644
index 0000000..7e858d2
--- /dev/null
+++ b/policy/modules/services/sasl.te
@@ -0,0 +1,105 @@
+
+policy_module(sasl,1.2.1)
+
+########################################
+#
+# Declarations
+#
+
+type saslauthd_t;
+type saslauthd_exec_t;
+init_daemon_domain(saslauthd_t,saslauthd_exec_t)
+
+type saslauthd_var_run_t;
+files_pid_file(saslauthd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow saslauthd_t self:capability setuid;
+dontaudit saslauthd_t self:capability sys_tty_config;
+allow saslauthd_t self:process signal_perms;
+allow saslauthd_t self:fifo_file { read write };
+allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+allow saslauthd_t self:tcp_socket create_socket_perms;
+
+allow saslauthd_t saslauthd_var_run_t:file create_file_perms;
+allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
+allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
+
+kernel_read_kernel_sysctls(saslauthd_t)
+kernel_read_system_state(saslauthd_t)
+
+corenet_non_ipsec_sendrecv(saslauthd_t)
+corenet_tcp_sendrecv_all_if(saslauthd_t)
+corenet_tcp_sendrecv_all_nodes(saslauthd_t)
+corenet_tcp_sendrecv_all_ports(saslauthd_t)
+corenet_tcp_connect_pop_port(saslauthd_t)
+corenet_sendrecv_pop_client_packets(saslauthd_t)
+
+dev_read_sysfs(saslauthd_t)
+dev_read_urand(saslauthd_t)
+
+fs_getattr_all_fs(saslauthd_t)
+fs_search_auto_mountpoints(saslauthd_t)
+
+term_dontaudit_use_console(saslauthd_t)
+
+auth_domtrans_chk_passwd(saslauthd_t)
+auth_use_nsswitch(saslauthd_t)
+
+domain_use_interactive_fds(saslauthd_t)
+
+files_read_etc_files(saslauthd_t)
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
+files_search_var_lib(saslauthd_t)
+files_dontaudit_getattr_home_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dirs(saslauthd_t)
+
+init_use_fds(saslauthd_t)
+init_use_script_ptys(saslauthd_t)
+init_dontaudit_stream_connect_script(saslauthd_t)
+
+libs_use_ld_so(saslauthd_t)
+libs_use_shared_libs(saslauthd_t)
+
+logging_send_syslog_msg(saslauthd_t)
+
+miscfiles_read_localization(saslauthd_t)
+miscfiles_read_certs(saslauthd_t)
+
+seutil_dontaudit_read_config(saslauthd_t)
+
+sysnet_read_config(saslauthd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
+userdom_dontaudit_search_sysadm_home_dirs(saslauthd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(saslauthd_t)
+	term_dontaudit_use_generic_ptys(saslauthd_t)
+	files_dontaudit_read_root_files(saslauthd_t)
+')
+
+# cjp: typeattribute dont work in conditionals yet
+auth_can_read_shadow_passwords(saslauthd_t)
+tunable_policy(`allow_saslauthd_read_shadow',`
+	auth_tunable_read_shadow(saslauthd_t) 
+')
+
+optional_policy(`
+	mysql_search_db(saslauthd_t)
+	mysql_stream_connect(saslauthd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(saslauthd_t)
+')
+
+optional_policy(`
+	udev_read_db(saslauthd_t)
+')
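Review bot: The comment `# cjp: typeattribute dont work in conditionals yet` above `auth_can_read_shadow_passwords(saslauthd_t)` should say what the unconditional call actually grants, because a reader will otherwise assume saslauthd can read shadow regardless of the `allow_saslauthd_read_shadow` tunable. If, as the comment implies, that interface only assigns the attribute while the allow rules live in `auth_tunable_read_shadow`, a line such as `# attribute only (no access); the shadow read rules are gated by allow_saslauthd_read_shadow below` makes the split explicit. `corenet_tcp_connect_pop_port(saslauthd_t)` would also benefit from a comment naming the authentication mechanism that needs an outbound POP connection, since it is the only outbound connect the daemon is given.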
diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc
new file mode 100644
index 0000000..a86ec50
--- /dev/null
+++ b/policy/modules/services/sendmail.fc
@@ -0,0 +1,6 @@
+
+/var/log/sendmail\.st		--	gen_context(system_u:object_r:sendmail_log_t,s0)
+/var/log/mail(/.*)?			gen_context(system_u:object_r:sendmail_log_t,s0)
+
+/var/run/sendmail\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
new file mode 100644
index 0000000..28a0ca6
--- /dev/null
+++ b/policy/modules/services/sendmail.if
@@ -0,0 +1,112 @@
+## <summary>Policy for sendmail.</summary>
+
+########################################
+## <summary>
+##	Sendmail stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	<summary>
+##	N/A
+##	</summary>
+## </param>
+#
+interface(`sendmail_stub',`
+	gen_require(`
+		type sendmail_t;
+	')
+')
+
+########################################
+## <summary>
+##	Domain transition to sendmail.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sendmail_domtrans',`
+	gen_require(`
+		type sendmail_t;
+	')
+
+	mta_sendmail_domtrans($1,sendmail_t)
+
+	allow $1 sendmail_t:fd use;
+	allow sendmail_t $1:fd use;
+	allow sendmail_t $1:fifo_file rw_file_perms;
+	allow sendmail_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read and write sendmail TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sendmail_rw_tcp_sockets',`
+	gen_require(`
+		type sendmail_t;
+	')
+
+	allow $1 sendmail_t:tcp_socket { read write };
+')
+########################################
+## <summary>
+##	Read and write sendmail unix_stream_sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sendmail_rw_unix_stream_sockets',`
+	gen_require(`
+		type sendmail_t;
+	')
+
+	allow $1 sendmail_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete sendmail logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sendmail_manage_log',`
+	gen_require(`
+		type sendmail_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 sendmail_log_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Create sendmail logs with the correct type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sendmail_create_log',`
+	gen_require(`
+		type sendmail_log_t;
+	')
+
+	logging_log_filetrans($1,sendmail_log_t,file)
+')
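Review bot: The closing `')` of `sendmail_rw_tcp_sockets` runs straight into the `########################################` header of `sendmail_rw_unix_stream_sockets` with no separating blank line, unlike every other interface boundary in this file; add the blank line. The `sendmail_stub` doc block documents a parameter as `N/A` while the interface body uses none, so the `<param>` element could be dropped rather than marked optional, but that is cosmetic.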
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
new file mode 100644
index 0000000..66ae8fe
--- /dev/null
+++ b/policy/modules/services/sendmail.te
@@ -0,0 +1,159 @@
+
+policy_module(sendmail,1.2.2)
+
+########################################
+#
+# Declarations
+#
+
+type sendmail_log_t;
+logging_log_file(sendmail_log_t)
+
+type sendmail_tmp_t;
+files_tmp_file(sendmail_tmp_t)
+
+type sendmail_var_run_t;
+files_pid_file(sendmail_var_run_t)
+
+type sendmail_t;
+mta_sendmail_mailserver(sendmail_t)
+mta_mailserver_delivery(sendmail_t)
+mta_mailserver_sender(sendmail_t)
+
+########################################
+#
+# Sendmail local policy
+#
+
+allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
+allow sendmail_t self:process signal;
+allow sendmail_t self:fifo_file rw_file_perms;
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+allow sendmail_t self:unix_dgram_socket create_socket_perms;
+allow sendmail_t self:tcp_socket create_stream_socket_perms;
+allow sendmail_t self:udp_socket create_socket_perms;
+
+allow sendmail_t sendmail_log_t:file create_file_perms;
+allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(sendmail_t,sendmail_log_t,{ file dir })
+
+kernel_read_kernel_sysctls(sendmail_t)
+# for piping mail to a command
+kernel_read_system_state(sendmail_t)
+
+corenet_non_ipsec_sendrecv(sendmail_t)
+corenet_tcp_sendrecv_all_if(sendmail_t)
+corenet_tcp_sendrecv_all_nodes(sendmail_t)
+corenet_tcp_sendrecv_all_ports(sendmail_t)
+corenet_tcp_bind_all_nodes(sendmail_t)
+corenet_tcp_bind_smtp_port(sendmail_t)
+corenet_tcp_connect_all_ports(sendmail_t)
+corenet_sendrecv_smtp_server_packets(sendmail_t)
+corenet_sendrecv_smtp_client_packets(sendmail_t)
+
+dev_read_urand(sendmail_t)
+dev_read_sysfs(sendmail_t)
+
+fs_getattr_all_fs(sendmail_t)
+fs_search_auto_mountpoints(sendmail_t)
+
+term_dontaudit_use_console(sendmail_t)
+
+# for piping mail to a command
+corecmd_exec_shell(sendmail_t)
+corecmd_search_sbin(sendmail_t)
+
+domain_use_interactive_fds(sendmail_t)
+
+files_read_etc_files(sendmail_t)
+files_search_spool(sendmail_t)
+# for piping mail to a command
+files_read_etc_runtime_files(sendmail_t)
+
+init_use_fds(sendmail_t)
+init_use_script_ptys(sendmail_t)
+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
+init_read_utmp(sendmail_t)
+init_dontaudit_write_utmp(sendmail_t)
+
+libs_use_ld_so(sendmail_t)
+libs_use_shared_libs(sendmail_t)
+# Read /usr/lib/sasl2/.*
+libs_read_lib_files(sendmail_t)
+
+logging_send_syslog_msg(sendmail_t)
+
+miscfiles_read_localization(sendmail_t)
+
+sysnet_dns_name_resolve(sendmail_t)
+sysnet_read_config(sendmail_t)
+
+userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
+
+mta_read_config(sendmail_t)
+mta_etc_filetrans_aliases(sendmail_t)
+# Write to /etc/aliases and /etc/mail.
+mta_rw_aliases(sendmail_t)
+# Write to /var/spool/mail and /var/spool/mqueue.
+mta_manage_queue(sendmail_t)
+mta_manage_spool(sendmail_t)
+
+ifdef(`targeted_policy',`
+	unconfined_domain(sendmail_t)
+	term_dontaudit_use_unallocated_ttys(sendmail_t)
+	term_dontaudit_use_generic_ptys(sendmail_t)
+	files_dontaudit_read_root_files(sendmail_t)
+',`
+	allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
+	allow sendmail_t sendmail_tmp_t:file create_file_perms;
+	files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
+
+	allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock };
+	files_pid_filetrans(sendmail_t,sendmail_var_run_t,file)
+')
+
+optional_policy(`
+	nis_use_ypbind(sendmail_t)
+')
+
+optional_policy(`
+	nscd_socket_use(sendmail_t)
+')
+
+optional_policy(`
+	postfix_exec_master(sendmail_t)
+	postfix_read_config(sendmail_t)
+	postfix_search_spool(sendmail_t)
+')
+
+optional_policy(`
+	procmail_domtrans(sendmail_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(sendmail_t)
+')
+
+optional_policy(`
+	udev_read_db(sendmail_t)
+')
+
+ifdef(`TODO',`
+allow sendmail_t etc_mail_t:dir rw_dir_perms;
+allow sendmail_t etc_mail_t:file create_file_perms;
+# for the start script to run make -C /etc/mail
+allow initrc_t etc_mail_t:dir rw_dir_perms;
+allow initrc_t etc_mail_t:file create_file_perms;
+allow system_mail_t initrc_t:fd use;
+allow system_mail_t initrc_t:fifo_file write;
+
+# When sendmail runs as user_mail_domain, it needs some extra permissions
+# to update /etc/mail/statistics.
+allow user_mail_domain etc_mail_t:file rw_file_perms;
+
+# Silently deny attempts to access /root.
+dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+
+dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
+') dnl end TODO
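Review bot: The trailing `ifdef(`TODO',...)` block references types this module neither declares nor requires (etc_mail_t, initrc_t, system_mail_t, user_mail_domain, staff_home_dir_t, sysadm_home_dir_t, admin_tty_type), so it is dead text that would fail to build the moment TODO were defined; either port the rules through the appropriate interfaces with a gen_require or drop the block and record the intent in a comment. `unconfined_domain(sendmail_t)` under `targeted_policy` removes confinement for the MTA on that policy type, and a one-line comment stating why that is acceptable there would help later reviewers. The hand-written set in `allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock };` looks like the `create_file_perms` macro used two lines above for sendmail_tmp_t; if the expansions match, use the macro for consistency.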
diff --git a/policy/modules/services/slrnpull.fc b/policy/modules/services/slrnpull.fc
new file mode 100644
index 0000000..1714ce0
--- /dev/null
+++ b/policy/modules/services/slrnpull.fc
@@ -0,0 +1,10 @@
+#
+# /usr
+#
+
+/usr/bin/slrnpull	--	gen_context(system_u:object_r:slrnpull_exec_t,s0)
+
+#
+# /var
+#
+/var/spool/slrnpull(/.*)?	gen_context(system_u:object_r:slrnpull_spool_t,s0)
diff --git a/policy/modules/services/slrnpull.if b/policy/modules/services/slrnpull.if
new file mode 100644
index 0000000..bfac15a
--- /dev/null
+++ b/policy/modules/services/slrnpull.if
@@ -0,0 +1,42 @@
+## <summary>Service for downloading news feeds the slrn newsreader.</summary>
+
+########################################
+## <summary>
+##	Allow the domain to search slrnpull spools.
+## </summary>
+## <param name="pty_type">
+##	<summary>
+##	domain allowed access
+##	</summary>
+## </param>
+#
+interface(`slrnpull_search_spool',`
+	gen_require(`
+		type slrnpull_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 slrnpull_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow the domain to create, read,
+##	write, and delete slrnpull spools.
+## </summary>
+## <param name="pty_type">
+##	<summary>
+##	domain allowed access
+##	</summary>
+## </param>
+#
+interface(`slrnpull_manage_spool',`
+	gen_require(`
+		type slrnpull_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 slrnpull_spool_t:dir create_dir_perms;
+	allow $1 slrnpull_spool_t:file create_file_perms;
+	allow $1 slrnpull_spool_t:lnk_file create_lnk_perms;
+')
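Review bot: Both interfaces document their parameter as `<param name="pty_type">` while `$1` is the calling domain (it is the subject of every allow rule), so the generated interface documentation will be wrong; change both to `<param name="domain">` and the summary text to `Domain allowed access.` as the neighbouring modules do. The file summary `Service for downloading news feeds the slrn newsreader.` is missing a word and should read `Service for downloading news feeds for the slrn newsreader.`.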
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
new file mode 100644
index 0000000..c7de93a
--- /dev/null
+++ b/policy/modules/services/slrnpull.te
@@ -0,0 +1,87 @@
+
+policy_module(slrnpull,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type slrnpull_t;
+type slrnpull_exec_t;
+init_daemon_domain(slrnpull_t,slrnpull_exec_t)
+
+type slrnpull_var_run_t;
+files_pid_file(slrnpull_var_run_t)
+
+type slrnpull_spool_t;
+files_type(slrnpull_spool_t)
+
+type slrnpull_log_t;
+logging_log_file(slrnpull_log_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit slrnpull_t self:capability sys_tty_config;
+allow slrnpull_t self:process signal_perms;
+
+allow slrnpull_t slrnpull_log_t:file create_file_perms;
+logging_log_filetrans(slrnpull_t,slrnpull_log_t,file)
+
+allow slrnpull_t slrnpull_spool_t:dir rw_dir_perms;
+allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
+allow slrnpull_t slrnpull_spool_t:file create_file_perms;
+allow slrnpull_t slrnpull_spool_t:lnk_file create_lnk_perms;
+files_search_spool(slrnpull_t)
+
+allow slrnpull_t slrnpull_var_run_t:file create_file_perms;
+allow slrnpull_t slrnpull_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(slrnpull_t,slrnpull_var_run_t,file)
+
+kernel_list_proc(slrnpull_t)
+kernel_read_kernel_sysctls(slrnpull_t)
+kernel_read_proc_symlinks(slrnpull_t)
+
+dev_read_sysfs(slrnpull_t)
+
+domain_use_interactive_fds(slrnpull_t)
+
+files_read_etc_files(slrnpull_t)
+
+fs_getattr_all_fs(slrnpull_t)
+fs_search_auto_mountpoints(slrnpull_t)
+
+term_dontaudit_use_console(slrnpull_t)
+
+init_use_fds(slrnpull_t)
+init_use_script_ptys(slrnpull_t)
+
+libs_use_ld_so(slrnpull_t)
+libs_use_shared_libs(slrnpull_t)
+
+logging_send_syslog_msg(slrnpull_t)
+
+miscfiles_read_localization(slrnpull_t)
+
+userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
+userdom_dontaudit_search_sysadm_home_dirs(slrnpull_t)
+
+ifdef(`targeted_policy',`
+	files_dontaudit_read_root_files(slrnpull_t)
+	term_dontaudit_use_unallocated_ttys(slrnpull_t)
+	term_dontaudit_use_generic_ptys(slrnpull_t)
+')
+
+optional_policy(`
+	cron_system_entry(slrnpull_t,slrnpull_exec_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(slrnpull_t)
+')
+
+optional_policy(`
+	udev_read_db(slrnpull_t)
+')
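Review bot: `allow slrnpull_t slrnpull_spool_t:dir rw_dir_perms;` is immediately followed by `allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;` on the same type; if `create_dir_perms` is the superset it is elsewhere treated as, the first line is redundant and a reader is left wondering whether the two were meant to differ. Keep only the `create_dir_perms` rule, matching the pattern the `slrnpull_manage_spool` interface uses for the same type.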
diff --git a/policy/modules/services/smartmon.fc b/policy/modules/services/smartmon.fc
new file mode 100644
index 0000000..a8863e8
--- /dev/null
+++ b/policy/modules/services/smartmon.fc
@@ -0,0 +1,10 @@
+#
+# /usr
+#
+/usr/sbin/smartd		--	gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+
+#
+# /var
+#
+/var/run/smartd\.pid	--	gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
+
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
new file mode 100644
index 0000000..c976663
--- /dev/null
+++ b/policy/modules/services/smartmon.if
@@ -0,0 +1,19 @@
+## <summary>Smart disk monitoring daemon policy</summary>
+
+#######################################
+## <summary>
+##	Allow caller to read smartmon temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the temporary files.
+##	</summary>
+## </param>
+#
+interface(`smartmon_read_tmp_files',`
+	gen_require(`
+		type fsdaemon_tmp_t;
+	')
+
+	allow $1 fsdaemon_tmp_t:file { getattr ioctl read };
+')
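Review bot: `smartmon_read_tmp_files` grants `{ getattr ioctl read }` on fsdaemon_tmp_t files but nothing on the directories that contain them, so a caller without its own search access to /tmp will still be denied at path lookup. Either add `files_search_tmp($1)` inside the interface, the way `sasl_connect` calls `files_search_pids($1)` and `slrnpull_search_spool` calls `files_search_spool($1)` for their parent directories, or state in the summary that callers must grant the search themselves.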
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
new file mode 100644
index 0000000..3edc67a
--- /dev/null
+++ b/policy/modules/services/smartmon.te
@@ -0,0 +1,102 @@
+
+policy_module(smartmon,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type fsdaemon_t;
+type fsdaemon_exec_t;
+init_daemon_domain(fsdaemon_t,fsdaemon_exec_t)
+
+type fsdaemon_var_run_t;
+files_pid_file(fsdaemon_var_run_t)
+
+type fsdaemon_tmp_t;
+files_tmp_file(fsdaemon_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
+dontaudit fsdaemon_t self:capability sys_tty_config;
+allow fsdaemon_t self:process signal_perms;
+allow fsdaemon_t self:fifo_file rw_file_perms;
+allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
+allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
+allow fsdaemon_t self:udp_socket create_socket_perms;
+
+allow fsdaemon_t fsdaemon_tmp_t:dir create_dir_perms;
+allow fsdaemon_t fsdaemon_tmp_t:file create_file_perms;
+files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir })
+
+allow fsdaemon_t fsdaemon_var_run_t:file create_file_perms;
+allow fsdaemon_t fsdaemon_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(fsdaemon_t,fsdaemon_var_run_t,file)
+
+kernel_read_kernel_sysctls(fsdaemon_t)
+kernel_read_software_raid_state(fsdaemon_t)
+kernel_read_system_state(fsdaemon_t)
+
+corecmd_exec_all_executables(fsdaemon_t)
+
+corenet_non_ipsec_sendrecv(fsdaemon_t)
+corenet_udp_sendrecv_generic_if(fsdaemon_t)
+corenet_udp_sendrecv_all_nodes(fsdaemon_t)
+corenet_udp_sendrecv_all_ports(fsdaemon_t)
+
+dev_read_sysfs(fsdaemon_t)
+
+domain_use_interactive_fds(fsdaemon_t)
+
+files_exec_etc_files(fsdaemon_t)
+files_read_etc_runtime_files(fsdaemon_t)
+# for config
+files_read_etc_files(fsdaemon_t)
+
+fs_getattr_all_fs(fsdaemon_t)
+fs_search_auto_mountpoints(fsdaemon_t)
+
+storage_raw_read_fixed_disk(fsdaemon_t)
+storage_raw_write_fixed_disk(fsdaemon_t)
+
+term_dontaudit_use_console(fsdaemon_t)
+term_dontaudit_search_ptys(fsdaemon_t)
+
+init_use_fds(fsdaemon_t)
+init_use_script_ptys(fsdaemon_t)
+
+libs_use_ld_so(fsdaemon_t)
+libs_use_shared_libs(fsdaemon_t)
+libs_exec_ld_so(fsdaemon_t)
+libs_exec_lib_files(fsdaemon_t)
+
+logging_send_syslog_msg(fsdaemon_t)
+
+miscfiles_read_localization(fsdaemon_t)
+
+sysnet_read_config(fsdaemon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
+userdom_dontaudit_search_sysadm_home_dirs(fsdaemon_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(fsdaemon_t)
+	term_dontaudit_use_generic_ptys(fsdaemon_t)
+	files_dontaudit_read_root_files(fsdaemon_t)
+')
+
+optional_policy(`
+        mta_send_mail(fsdaemon_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(fsdaemon_t)
+')
+
+optional_policy(`
+	udev_read_db(fsdaemon_t)
+')
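Review bot: `allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };` together with `storage_raw_write_fixed_disk(fsdaemon_t)` and `corecmd_exec_all_executables(fsdaemon_t)` is the most privileged part of this module and carries no why-comment; add a line per capability naming the operation that needs it, and in particular either justify `sys_admin` or drop it if denials do not show it, since it is close to unrestricted on its own. `        mta_send_mail(fsdaemon_t)` in the first `optional_policy` block is indented with spaces where every other block in the file uses a tab.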
diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc
new file mode 100644
index 0000000..5ebade8
--- /dev/null
+++ b/policy/modules/services/snmp.fc
@@ -0,0 +1,26 @@
+
+#
+# /etc
+#
+
+/etc/snmp/snmp(trap)?d\.conf -- gen_context(system_u:object_r:snmpd_etc_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/snmp(trap)?d	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
+
+/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+#
+# /var
+#
+/var/lib/net-snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/lib/snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/log/snmpd\.log	--	gen_context(system_u:object_r:snmpd_log_t,s0)
+
+/var/net-snmp(/.*)		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/run/snmpd		-d	gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
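Review bot: `/var/net-snmp(/.*)` is missing the `?` after the group, so the directory `/var/net-snmp` itself is not matched by this entry while its contents are; every other directory tree in this file uses `(/.*)?`. Change it to `/var/net-snmp(/.*)?	gen_context(system_u:object_r:snmpd_var_lib_t,s0)` so the top-level directory gets the same label.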
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
new file mode 100644
index 0000000..f9ebe44
--- /dev/null
+++ b/policy/modules/services/snmp.if
@@ -0,0 +1,59 @@
+## <summary>Simple network management protocol services</summary>
+
+########################################
+## <summary>
+##	Use snmp over a TCP connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`snmp_tcp_connect',`
+	gen_require(`
+		type snmpd_t;
+	')
+
+	allow $1 snmpd_t:tcp_socket { connectto recvfrom };
+	allow snmpd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic to SNMP
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`snmp_udp_chat',`
+	gen_require(`
+		type snmpd_t;
+	')
+
+	allow $1 snmpd_t:udp_socket { sendto recvfrom };
+	allow snmpd_t $1:udp_socket { sendto recvfrom };
+')
+
+########################################
+## <summary>
+##	Read snmpd libraries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`snmp_read_snmp_var_lib_files',`
+	gen_require(`
+		type snmpd_var_lib_t;
+	')
+	allow $1 snmpd_var_lib_t:dir r_dir_perms;
+	allow $1 snmpd_var_lib_t:file r_file_perms;
+	allow $1 snmpd_var_lib_t:lnk_file { getattr read };
+')
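Review bot: The summary of `snmp_read_snmp_var_lib_files` reads `Read snmpd libraries.`, but snmpd_var_lib_t labels the /var/lib/net-snmp and /var/lib/snmp state data in snmp.fc, not shared libraries; `Read snmpd state data under /var/lib.` would be accurate. The interface also has no blank line between the `gen_require` block and its first allow rule, unlike the two interfaces above it, and grants no search on /var/lib, so callers presumably need `files_search_var_lib` separately — either add it here or mention it in the summary.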
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
new file mode 100644
index 0000000..e00284d
--- /dev/null
+++ b/policy/modules/services/snmp.te
@@ -0,0 +1,158 @@
+
+policy_module(snmp,1.1.2)
+
+########################################
+#
+# Declarations
+#
+type snmpd_t;
+type snmpd_exec_t;
+init_daemon_domain(snmpd_t,snmpd_exec_t)
+
+type snmpd_etc_t;
+files_config_file(snmpd_etc_t)
+
+type snmpd_log_t;
+logging_log_file(snmpd_log_t)
+
+type snmpd_var_run_t;
+files_pid_file(snmpd_var_run_t)
+
+type snmpd_var_lib_t;
+files_type(snmpd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
+dontaudit snmpd_t self:capability sys_tty_config;
+allow snmpd_t self:fifo_file rw_file_perms;
+allow snmpd_t self:unix_dgram_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+allow snmpd_t self:tcp_socket create_stream_socket_perms;
+allow snmpd_t self:udp_socket connected_stream_socket_perms;
+
+allow snmpd_t snmpd_etc_t:file { getattr read };
+
+allow snmpd_t snmpd_log_t:file create_file_perms;
+logging_log_filetrans(snmpd_t,snmpd_log_t,file)
+
+allow snmpd_t snmpd_var_lib_t:file create_file_perms;
+allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
+allow snmpd_t snmpd_var_lib_t:dir create_dir_perms;
+files_usr_filetrans(snmpd_t,snmpd_var_lib_t,file)
+files_var_filetrans(snmpd_t,snmpd_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(snmpd_t,snmpd_var_lib_t,file)
+
+allow snmpd_t snmpd_var_run_t:file create_file_perms;
+allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(snmpd_t,snmpd_var_run_t,file)
+
+kernel_read_device_sysctls(snmpd_t)
+kernel_read_kernel_sysctls(snmpd_t)
+kernel_read_net_sysctls(snmpd_t)
+kernel_read_proc_symlinks(snmpd_t)
+kernel_read_system_state(snmpd_t)
+kernel_read_network_state(snmpd_t)
+kernel_tcp_recvfrom(snmpd_t)
+
+corecmd_exec_bin(snmpd_t)
+corecmd_exec_sbin(snmpd_t)
+corecmd_exec_shell(snmpd_t)
+
+corenet_non_ipsec_sendrecv(snmpd_t)
+corenet_tcp_sendrecv_all_if(snmpd_t)
+corenet_udp_sendrecv_all_if(snmpd_t)
+corenet_tcp_sendrecv_all_nodes(snmpd_t)
+corenet_udp_sendrecv_all_nodes(snmpd_t)
+corenet_tcp_sendrecv_all_ports(snmpd_t)
+corenet_udp_sendrecv_all_ports(snmpd_t)
+corenet_tcp_bind_all_nodes(snmpd_t)
+corenet_udp_bind_all_nodes(snmpd_t)
+corenet_tcp_bind_snmp_port(snmpd_t)
+corenet_udp_bind_snmp_port(snmpd_t)
+corenet_sendrecv_snmp_server_packets(snmpd_t)
+
+dev_list_sysfs(snmpd_t)
+dev_read_sysfs(snmpd_t)
+dev_read_urand(snmpd_t)
+dev_read_rand(snmpd_t)
+
+domain_use_interactive_fds(snmpd_t)
+domain_signull_all_domains(snmpd_t)
+domain_read_all_domains_state(snmpd_t)
+
+files_read_etc_files(snmpd_t)
+files_read_usr_files(snmpd_t)
+files_read_etc_runtime_files(snmpd_t)
+files_search_home(snmpd_t)
+
+fs_getattr_all_fs(snmpd_t)
+fs_getattr_rpc_dirs(snmpd_t)
+fs_search_auto_mountpoints(snmpd_t)
+
+storage_dontaudit_read_fixed_disk(snmpd_t)
+storage_dontaudit_read_removable_device(snmpd_t)
+
+term_dontaudit_use_console(snmpd_t)
+
+init_read_utmp(snmpd_t)
+init_use_fds(snmpd_t)
+init_use_script_ptys(snmpd_t)
+init_dontaudit_write_utmp(snmpd_t)
+
+libs_use_ld_so(snmpd_t)
+libs_use_shared_libs(snmpd_t)
+
+logging_send_syslog_msg(snmpd_t)
+
+miscfiles_read_localization(snmpd_t)
+
+seutil_dontaudit_search_config(snmpd_t)
+
+sysnet_read_config(snmpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
+userdom_dontaudit_search_sysadm_home_dirs(snmpd_t)
+
+ifdef(`distro_redhat', `
+	optional_policy(`
+		rpm_read_db(snmpd_t)
+		rpm_dontaudit_manage_db(snmpd_t)
+	')
+')
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(snmpd_t)
+	term_dontaudit_use_generic_ptys(snmpd_t)
+	files_dontaudit_read_root_files(snmpd_t)
+')
+
+optional_policy(`
+	amanda_dontaudit_read_dumpdates(snmpd_t)
+')
+
+optional_policy(`
+	cups_read_rw_config(snmpd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(snmpd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(snmpd_t)
+')
+
+optional_policy(`
+	rpc_search_nfs_state_data(snmpd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(snmpd_t)
+')
+
+optional_policy(`
+	udev_read_db(snmpd_t)
+')
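Review bot: `sys_tty_config` appears both in `allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };` and in the `dontaudit snmpd_t self:capability sys_tty_config;` on the next line; the allow makes the dontaudit a no-op and suggests one of the two was not intended. Every sibling daemon in this batch (saslauthd, slrnpull, smartd, snort) only dontaudits sys_tty_config, so the likely fix is to remove it from the allow set unless snmpd genuinely configures ttys. `dac_override` and `kill` also lack a why-comment, and with `corecmd_exec_bin`/`corecmd_exec_sbin`/`corecmd_exec_shell` in the same domain they deserve one.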
diff --git a/policy/modules/services/snort.fc b/policy/modules/services/snort.fc
new file mode 100644
index 0000000..cfd80ff
--- /dev/null
+++ b/policy/modules/services/snort.fc
@@ -0,0 +1,6 @@
+
+/etc/snort(/.*)?	gen_context(system_u:object_r:snort_etc_t,s0)
+
+/usr/s?bin/snort --	gen_context(system_u:object_r:snort_exec_t,s0)
+
+/var/log/snort(/.*)?	gen_context(system_u:object_r:snort_log_t,s0)
diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
new file mode 100644
index 0000000..a32cfc8
--- /dev/null
+++ b/policy/modules/services/snort.if
@@ -0,0 +1 @@
+## <summary>Snort network intrusion detection system</summary>
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
new file mode 100644
index 0000000..eea79d6
--- /dev/null
+++ b/policy/modules/services/snort.te
@@ -0,0 +1,108 @@
+
+policy_module(snort,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type snort_t;
+type snort_exec_t;
+init_daemon_domain(snort_t,snort_exec_t)
+
+type snort_etc_t;
+files_type(snort_etc_t)
+
+type snort_log_t;
+logging_log_file(snort_log_t)
+
+type snort_tmp_t;
+files_tmp_file(snort_tmp_t)
+
+type snort_var_run_t;
+files_pid_file(snort_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+dontaudit snort_t self:capability sys_tty_config;
+allow snort_t self:process signal_perms;
+allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:tcp_socket create_stream_socket_perms;
+allow snort_t self:udp_socket create_socket_perms;
+allow snort_t self:packet_socket create_socket_perms;
+
+allow snort_t snort_etc_t:dir r_dir_perms;
+allow snort_t snort_etc_t:file r_file_perms;
+allow snort_t snort_etc_t:lnk_file { getattr read };
+
+allow snort_t snort_log_t:file create_file_perms;
+allow snort_t snort_log_t:dir { create rw_dir_perms };
+logging_log_filetrans(snort_t,snort_log_t,{ file dir })
+
+allow snort_t snort_tmp_t:dir create_dir_perms;
+allow snort_t snort_tmp_t:file create_file_perms;
+files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })
+
+allow snort_t snort_var_run_t:file create_file_perms;
+allow snort_t snort_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(snort_t,snort_var_run_t,file)
+
+kernel_read_kernel_sysctls(snort_t)
+kernel_list_proc(snort_t)
+kernel_read_proc_symlinks(snort_t)
+kernel_dontaudit_read_system_state(snort_t)
+
+corenet_non_ipsec_sendrecv(snort_t)
+corenet_tcp_sendrecv_generic_if(snort_t)
+corenet_udp_sendrecv_generic_if(snort_t)
+corenet_raw_sendrecv_generic_if(snort_t)
+corenet_tcp_sendrecv_all_nodes(snort_t)
+corenet_udp_sendrecv_all_nodes(snort_t)
+corenet_raw_sendrecv_all_nodes(snort_t)
+corenet_tcp_sendrecv_all_ports(snort_t)
+corenet_udp_sendrecv_all_ports(snort_t)
+
+dev_read_sysfs(snort_t)
+
+domain_use_interactive_fds(snort_t)
+
+files_read_etc_files(snort_t)
+files_dontaudit_read_etc_runtime_files(snort_t)
+
+fs_getattr_all_fs(snort_t)
+fs_search_auto_mountpoints(snort_t)
+
+term_dontaudit_use_console(snort_t)
+
+init_use_fds(snort_t)
+init_use_script_ptys(snort_t)
+
+libs_use_ld_so(snort_t)
+libs_use_shared_libs(snort_t)
+
+logging_send_syslog_msg(snort_t)
+
+miscfiles_read_localization(snort_t)
+
+sysnet_read_config(snort_t)
+
+userdom_dontaudit_use_unpriv_user_fds(snort_t)
+userdom_dontaudit_search_sysadm_home_dirs(snort_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(snort_t)
+	term_dontaudit_use_generic_ptys(snort_t)
+	files_dontaudit_read_root_files(snort_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(snort_t)
+')
+
+optional_policy(`
+	udev_read_db(snort_t)
+')
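Review bot: `allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };` has no comment explaining the set; `net_raw` and the `packet_socket` rule are presumably the capture path, but `dac_override` lets the daemon bypass file permission checks entirely and should be justified or removed. `snort_etc_t` is declared with `files_type` while the equivalent `snmpd_etc_t` in snmp.te uses `files_config_file`; using the config-file interface here keeps the two modules consistent.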
diff --git a/policy/modules/services/soundserver.fc b/policy/modules/services/soundserver.fc
new file mode 100644
index 0000000..b930d5f
--- /dev/null
+++ b/policy/modules/services/soundserver.fc
@@ -0,0 +1,10 @@
+/etc/nas(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
+/etc/yiff(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
+
+/usr/bin/nasd		--	gen_context(system_u:object_r:soundd_exec_t,s0)
+/usr/bin/gpe-soundserver --	gen_context(system_u:object_r:soundd_exec_t,s0)
+
+/usr/sbin/yiff		--	gen_context(system_u:object_r:soundd_exec_t,s0)
+
+/var/run/yiff-[0-9]+\.pid --	gen_context(system_u:object_r:soundd_var_run_t,s0)
+/var/state/yiff(/.*)?		gen_context(system_u:object_r:soundd_state_t,s0)
diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if
new file mode 100644
index 0000000..4156204
--- /dev/null
+++ b/policy/modules/services/soundserver.if
@@ -0,0 +1,21 @@
+## <summary>sound server for network audio server programs, nasd, yiff, etc</summary>
+
+########################################
+## <summary>
+##	Connect to the sound server over a TCP socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`soundserver_tcp_connect',`
+	gen_require(`
+		type soundd_t;
+	')
+
+	allow $1 soundd_t:tcp_socket { connectto recvfrom };
+	allow soundd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
new file mode 100644
index 0000000..22ba8e2
--- /dev/null
+++ b/policy/modules/services/soundserver.te
@@ -0,0 +1,121 @@
+
+policy_module(soundserver,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type soundd_t;
+type soundd_exec_t;
+init_daemon_domain(soundd_t,soundd_exec_t)
+
+type soundd_etc_t alias etc_soundd_t;
+files_type(soundd_etc_t)
+
+type soundd_state_t;
+files_type(soundd_state_t)
+
+type soundd_tmp_t;
+files_tmp_file(soundd_tmp_t)
+
+# for yiff - probably need some rules for the client support too
+type soundd_tmpfs_t;
+files_tmpfs_file(soundd_tmpfs_t)
+
+type soundd_var_run_t;
+files_pid_file(soundd_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+dontaudit soundd_t self:capability sys_tty_config;
+allow soundd_t self:process { setpgid signal_perms };
+allow soundd_t self:tcp_socket create_stream_socket_perms;
+allow soundd_t self:udp_socket create_socket_perms;
+# for yiff
+allow soundd_t self:shm create_shm_perms;
+
+allow soundd_t soundd_etc_t:dir list_dir_perms;
+allow soundd_t soundd_etc_t:file read_file_perms;
+allow soundd_t soundd_etc_t:lnk_file { getattr read };
+
+allow soundd_t soundd_state_t:dir rw_dir_perms;
+allow soundd_t soundd_state_t:file manage_file_perms;
+allow soundd_t soundd_state_t:lnk_file create_lnk_perms;
+
+allow soundd_t soundd_tmp_t:dir manage_dir_perms;
+allow soundd_t soundd_tmp_t:file manage_file_perms;
+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir })
+
+allow soundd_t soundd_tmpfs_t:dir rw_dir_perms;
+allow soundd_t soundd_tmpfs_t:file manage_file_perms;
+allow soundd_t soundd_tmpfs_t:lnk_file create_lnk_perms;
+allow soundd_t soundd_tmpfs_t:sock_file manage_file_perms;
+allow soundd_t soundd_tmpfs_t:fifo_file manage_file_perms;
+fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+allow soundd_t soundd_var_run_t:file manage_file_perms;
+allow soundd_t soundd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(soundd_t,soundd_var_run_t,file)
+
+kernel_read_kernel_sysctls(soundd_t)
+kernel_list_proc(soundd_t)
+kernel_read_proc_symlinks(soundd_t)
+kernel_tcp_recvfrom(soundd_t)
+
+corenet_non_ipsec_sendrecv(soundd_t)
+corenet_tcp_sendrecv_generic_if(soundd_t)
+corenet_udp_sendrecv_generic_if(soundd_t)
+corenet_tcp_sendrecv_all_nodes(soundd_t)
+corenet_udp_sendrecv_all_nodes(soundd_t)
+corenet_tcp_sendrecv_all_ports(soundd_t)
+corenet_udp_sendrecv_all_ports(soundd_t)
+corenet_tcp_bind_all_nodes(soundd_t)
+corenet_tcp_bind_soundd_port(soundd_t)
+corenet_sendrecv_soundd_server_packets(soundd_t)
+
+dev_read_sysfs(soundd_t)
+dev_read_sound(soundd_t)
+dev_write_sound(soundd_t)
+
+domain_use_interactive_fds(soundd_t)
+
+files_read_etc_files(soundd_t)
+files_read_etc_runtime_files(soundd_t)
+
+fs_getattr_all_fs(soundd_t)
+fs_search_auto_mountpoints(soundd_t)
+
+term_dontaudit_use_console(soundd_t)
+
+init_use_fds(soundd_t)
+init_use_script_ptys(soundd_t)
+
+libs_use_ld_so(soundd_t)
+libs_use_shared_libs(soundd_t)
+
+logging_send_syslog_msg(soundd_t)
+
+miscfiles_read_localization(soundd_t)
+
+sysnet_read_config(soundd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(soundd_t)
+userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(soundd_t)
+	term_dontaudit_use_generic_ptys(soundd_t)
+	files_dontaudit_read_root_files(soundd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(soundd_t)
+')
+
+optional_policy(`
+	udev_read_db(soundd_t)
+')
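Review bot: The second section banner (the `# Declarations` comment just before the `dontaudit soundd_t self:capability sys_tty_config;` line) labels the rules block, not declarations; it looks copy-pasted from the banner above. The other modules in this series use `# Local policy` for that block, so the comment should read `# Local policy` to match. The rules themselves are consistent with the neighbouring daemon modules.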
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
new file mode 100644
index 0000000..3da7107
--- /dev/null
+++ b/policy/modules/services/spamassassin.fc
@@ -0,0 +1,13 @@
+
+/usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
+/usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+')
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
new file mode 100644
index 0000000..1405466
--- /dev/null
+++ b/policy/modules/services/spamassassin.if
@@ -0,0 +1,511 @@
+## <summary>Filter used for removing unsolicited email.</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the spamassassin module.
+## </summary>
+## <desc>
+##	<p>
+##	The per user domain template for the spamassassin module.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+# cjp: when tunables are available, spamc stuff should be
+# toggled on activation of spamc, and similarly for spamd.
+template(`spamassassin_per_userdomain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type $1_spamc_t;
+	domain_type($1_spamc_t)
+	domain_entry_file($1_spamc_t,spamc_exec_t)
+	role $3 types $1_spamc_t;
+
+	type $1_spamc_tmp_t;
+	files_tmp_file($1_spamc_tmp_t)
+
+	type $1_spamassassin_t;
+	domain_type($1_spamassassin_t)
+	domain_entry_file($1_spamassassin_t,spamassassin_exec_t)
+	role $3 types $1_spamassassin_t;
+
+	type $1_spamassassin_home_t alias $1_spamassassin_rw_t;
+	userdom_user_home_content($1,$1_spamassassin_home_t)
+	files_poly_member($1_spamassassin_home_t)
+
+	type $1_spamassassin_tmp_t;
+	files_tmp_file($1_spamassassin_tmp_t)
+
+	##############################
+	#
+	# $1_spamc_t local policy
+	#
+
+	allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_spamc_t self:fd use;
+	allow $1_spamc_t self:fifo_file rw_file_perms;
+	allow $1_spamc_t self:sock_file r_file_perms;
+	allow $1_spamc_t self:shm create_shm_perms;
+	allow $1_spamc_t self:sem create_sem_perms;
+	allow $1_spamc_t self:msgq create_msgq_perms;
+	allow $1_spamc_t self:msg { send receive };
+	allow $1_spamc_t self:unix_dgram_socket create_socket_perms;
+	allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_spamc_t self:unix_dgram_socket sendto;
+	allow $1_spamc_t self:unix_stream_socket connectto;
+	allow $1_spamc_t self:tcp_socket create_stream_socket_perms;
+	allow $1_spamc_t self:udp_socket create_socket_perms;
+
+	allow $1_spamc_t $1_spamc_tmp_t:dir create_dir_perms;
+	allow $1_spamc_t $1_spamc_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
+
+	# Allow connecting to a local spamd
+	allow $1_spamc_t spamd_t:tcp_socket { connectto recvfrom };
+	allow spamd_t $1_spamc_t:tcp_socket { acceptfrom recvfrom };
+	allow $1_spamc_t spamd_t:unix_stream_socket connectto;
+	allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
+
+	domain_auto_trans($2, spamc_exec_t, $1_spamc_t)
+	allow $2 $1_spamc_t:fd use;
+	allow $1_spamc_t $2:fd use;
+	allow $1_spamc_t $2:fifo_file rw_file_perms;
+	allow $1_spamc_t $2:process sigchld;
+
+	kernel_read_kernel_sysctls($1_spamc_t)
+	kernel_tcp_recvfrom($1_spamc_t)
+
+	corenet_non_ipsec_sendrecv($1_spamc_t)
+	corenet_tcp_sendrecv_generic_if($1_spamc_t)
+	corenet_udp_sendrecv_generic_if($1_spamc_t)
+	corenet_tcp_sendrecv_all_nodes($1_spamc_t)
+	corenet_udp_sendrecv_all_nodes($1_spamc_t)
+	corenet_tcp_sendrecv_all_ports($1_spamc_t)
+	corenet_udp_sendrecv_all_ports($1_spamc_t)
+	corenet_tcp_connect_all_ports($1_spamc_t)
+	corenet_sendrecv_all_client_packets($1_spamc_t)
+
+	fs_search_auto_mountpoints($1_spamc_t)
+
+	# cjp: these should probably be removed:
+	corecmd_list_bin($1_spamc_t)
+	corecmd_read_bin_symlinks($1_spamc_t)
+	corecmd_read_bin_files($1_spamc_t)
+	corecmd_read_bin_pipes($1_spamc_t)
+	corecmd_read_bin_sockets($1_spamc_t)
+	corecmd_list_sbin($1_spamc_t)
+	corecmd_read_sbin_symlinks($1_spamc_t)
+	corecmd_read_sbin_files($1_spamc_t)
+	corecmd_read_sbin_pipes($1_spamc_t)
+	corecmd_read_sbin_sockets($1_spamc_t)
+
+	domain_use_interactive_fds($1_spamc_t)
+
+	files_read_etc_files($1_spamc_t)
+	files_read_etc_runtime_files($1_spamc_t)
+	files_read_usr_files($1_spamc_t)
+	files_dontaudit_search_var($1_spamc_t)
+	# cjp: this may be removable:
+	files_list_home($1_spamc_t)
+
+	libs_use_ld_so($1_spamc_t)
+	libs_use_shared_libs($1_spamc_t)
+
+	logging_send_syslog_msg($1_spamc_t)
+
+	miscfiles_read_localization($1_spamc_t)
+
+	# cjp: this should probably be removed:
+	seutil_read_config($1_spamc_t)
+
+	sysnet_read_config($1_spamc_t)
+
+	userdom_use_unpriv_users_fds($1_spamc_t)
+	# cjp: this really should just be the
+	# terminal specific to the role
+	userdom_use_unpriv_users_ptys($1_spamc_t)
+
+	# cjp: this should probably be removed:
+	tunable_policy(`read_default_t',`
+		files_list_default($1_spamc_t)
+		files_read_default_files($1_spamc_t)
+		files_read_default_symlinks($1_spamc_t)
+		files_read_default_sockets($1_spamc_t)
+		files_read_default_pipes($1_spamc_t)
+	')
+
+	optional_policy(`
+		# Allow connection to spamd socket above
+		evolution_stream_connect($1,$1_spamc_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_spamc_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_spamc_t)
+	')
+
+	optional_policy(`
+		mta_read_config($1_spamc_t)
+		sendmail_stub($1_spamc_t)
+	')
+
+	##############################
+	#
+	# $1_spamassassin_t local policy
+	#
+
+	allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_spamassassin_t self:fd use;
+	allow $1_spamassassin_t self:fifo_file rw_file_perms;
+	allow $1_spamassassin_t self:sock_file r_file_perms;
+	allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms;
+	allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_spamassassin_t self:unix_dgram_socket sendto;
+	allow $1_spamassassin_t self:unix_stream_socket connectto;
+	allow $1_spamassassin_t self:shm create_shm_perms;
+	allow $1_spamassassin_t self:sem create_sem_perms;
+	allow $1_spamassassin_t self:msgq create_msgq_perms;
+	allow $1_spamassassin_t self:msg { send receive };
+
+	allow $1_spamassassin_t $1_spamassassin_home_t:dir create_dir_perms;
+	allow $1_spamassassin_t $1_spamassassin_home_t:file create_file_perms;
+	allow $1_spamassassin_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
+	allow $1_spamassassin_t $1_spamassassin_home_t:sock_file create_file_perms;
+	allow $1_spamassassin_t $1_spamassassin_home_t:fifo_file create_file_perms;
+	userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $1_spamassassin_t $1_spamassassin_tmp_t:dir create_dir_perms;
+	allow $1_spamassassin_t $1_spamassassin_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
+
+	allow $2 $1_spamassassin_home_t:dir { create_dir_perms relabelfrom relabelto };
+	allow $2 $1_spamassassin_home_t:file { create_file_perms relabelfrom relabelto };
+	allow $2 $1_spamassassin_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+
+	domain_auto_trans($2, spamassassin_exec_t, $1_spamassassin_t)
+	allow $2 $1_spamassassin_t:fd use;
+	allow $1_spamassassin_t $2:fd use;
+	allow $1_spamassassin_t $2:fifo_file rw_file_perms;
+	allow $1_spamassassin_t $2:process sigchld;
+
+	allow spamd_t $1_spamassassin_home_t:dir create_dir_perms;
+	allow spamd_t $1_spamassassin_home_t:file create_file_perms;
+	allow spamd_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
+	allow spamd_t $1_spamassassin_home_t:sock_file create_file_perms;
+	allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms;
+	userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
+
+	kernel_read_kernel_sysctls($1_spamassassin_t)
+
+	dev_read_urand($1_spamassassin_t)
+
+	fs_search_auto_mountpoints($1_spamassassin_t)
+
+	# this should probably be removed
+	corecmd_list_bin($1_spamassassin_t)
+	corecmd_read_bin_symlinks($1_spamassassin_t)
+	corecmd_read_bin_files($1_spamassassin_t)
+	corecmd_read_bin_pipes($1_spamassassin_t)
+	corecmd_read_bin_sockets($1_spamassassin_t)
+	corecmd_list_sbin($1_spamassassin_t)
+	corecmd_read_sbin_symlinks($1_spamassassin_t)
+	corecmd_read_sbin_files($1_spamassassin_t)
+	corecmd_read_sbin_pipes($1_spamassassin_t)
+	corecmd_read_sbin_sockets($1_spamassassin_t)
+
+	domain_use_interactive_fds($1_spamassassin_t)
+
+	files_read_etc_files($1_spamassassin_t)
+	files_read_etc_runtime_files($1_spamassassin_t)
+	files_list_home($1_spamassassin_t)
+	files_read_usr_files($1_spamassassin_t)
+	files_dontaudit_search_var($1_spamassassin_t)
+
+	libs_use_ld_so($1_spamassassin_t)
+	libs_use_shared_libs($1_spamassassin_t)
+
+	logging_send_syslog_msg($1_spamassassin_t)
+
+	miscfiles_read_localization($1_spamassassin_t)
+
+	# cjp: this could probably be removed
+	seutil_read_config($1_spamassassin_t)
+
+	sysnet_dns_name_resolve($1_spamassassin_t)
+
+	userdom_use_unpriv_users_fds($1_spamassassin_t)
+	userdom_search_user_home_dirs($1,$1_spamassassin_t)
+	# cjp: this really should just be the
+	# terminal specific to the role
+	userdom_use_unpriv_users_ptys($1_spamassassin_t)
+
+	# this should probably be removed:
+	tunable_policy(`read_default_t',`
+		files_list_default($1_spamassassin_t)
+		files_read_default_files($1_spamassassin_t)
+		files_read_default_symlinks($1_spamassassin_t)
+		files_read_default_sockets($1_spamassassin_t)
+		files_read_default_pipes($1_spamassassin_t)
+	')
+
+	# set tunable if you have spamassassin do DNS lookups
+	tunable_policy(`spamassassin_can_network',`
+		allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
+		allow $1_spamassassin_t self:udp_socket create_socket_perms;
+
+		corenet_non_ipsec_sendrecv($1_spamassassin_t)
+		corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
+		corenet_udp_sendrecv_generic_if($1_spamassassin_t)
+		corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
+		corenet_udp_sendrecv_all_nodes($1_spamassassin_t)
+		corenet_tcp_sendrecv_all_ports($1_spamassassin_t)
+		corenet_udp_sendrecv_all_ports($1_spamassassin_t)
+		corenet_tcp_connect_all_ports($1_spamassassin_t)
+		corenet_sendrecv_all_client_packets($1_spamassassin_t)
+
+		sysnet_read_config($1_spamassassin_t)
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_spamassassin_t)
+		fs_manage_nfs_files($1_spamassassin_t)
+		fs_manage_nfs_symlinks($1_spamassassin_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_spamassassin_t)
+		fs_manage_cifs_files($1_spamassassin_t)
+		fs_manage_cifs_symlinks($1_spamassassin_t)
+	')
+
+	optional_policy(`
+		# Write pid file and socket in ~/.evolution/cache/tmp
+		evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file })
+	')
+
+	optional_policy(`
+		# cjp: clearly some redundancy here
+
+		nis_use_ypbind($1_spamassassin_t)
+
+		tunable_policy(`spamassassin_can_network && allow_ypbind',`
+			nis_use_ypbind_uncond($1_spamassassin_t)
+		')
+	')
+
+	optional_policy(`
+		mta_read_config($1_spamassassin_t)
+		sendmail_stub($1_spamassassin_t)
+	')
+
+	# For perl libraries.
+	allow $1_spamassassin_t lib_t:file rx_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute the standalone spamassassin
+##	program in the caller directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`spamassassin_exec',`
+	gen_require(`
+		type spamassassin_exec_t;
+	')
+
+	can_exec($1,spamassassin_exec_t)
+
+')
+
+########################################
+## <summary>
+##	Singnal the spam assassin daemon
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`spamassassin_signal_spamd',`
+	gen_require(`
+		type spamd_t;
+	')
+
+	allow $1 spamd_t:process signal;
+')
+
+########################################
+## <summary>
+##	Execute the spamassassin daemon
+##	program in the caller directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`spamassassin_exec_spamd',`
+	gen_require(`
+		type spamd_exec_t;
+	')
+
+	can_exec($1,spamd_exec_t)
+')
+
+########################################
+## <summary>
+##      Execute spamassassin client in the user spamassassin client domain.
+## </summary>
+## <desc>
+##	<p>
+##	This is a template and should only be called 
+##	from per user domain tempaltes.
+##	</p>
+## </desc>
+## <param name="prefix">
+##      <summary>
+##      The prefix of the user domain. eg user would be the prefix of user_t.
+##      </summary>
+## </param>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+template(`spamassassin_domtrans_user_client',`
+	gen_require(`
+		type $1_spamc_t, spamc_exec_t;
+	')
+
+	domain_auto_trans($2,spamc_exec_t,$1_spamc_t)
+
+	allow $2 $1_spamc_t:fd use;
+	allow $1_spamc_t $2:fd use;
+	allow $1_spamc_t $2:fifo_file rw_file_perms;
+	allow $1_spamc_t $2:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute the spamassassin client
+##	program in the caller directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`spamassassin_exec_client',`
+	gen_require(`
+		type spamc_exec_t;
+	')
+
+	can_exec($1,spamc_exec_t)
+')
+
+########################################
+## <summary>
+##      Execute spamassassin in the user spamassassin domain.
+## </summary>
+## <desc>
+##	<p>
+##	This is a template and should only be called 
+##	from per user domain tempaltes.
+##	</p>
+## </desc>
+## <param name="prefix">
+##      <summary>
+##	The prefix of the user domain. eg user would be the prefix of user_t.
+##      </summary>
+## </param>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+template(`spamassassin_domtrans_user_local_client',`
+	gen_require(`
+		type $1_spamassassin_t, spamassassin_exec_t;
+	')
+
+	domain_auto_trans($2,spamassassin_exec_t,$1_spamassassin_t)
+
+	allow $2 $1_spamassassin_t:fd use;
+	allow $1_spamassassin_t $2:fd use;
+	allow $1_spamassassin_t $2:fifo_file rw_file_perms;
+	allow $1_spamassassin_t $2:process sigchld;
+')
+
+########################################
+## <summary>
+##      Read temporary spamd file.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`spamassassin_read_spamd_tmp_files',`
+	gen_require(`
+		type spamd_tmp_t;
+	')
+
+	allow $1 spamd_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get attributes of temporary
+##	spamd sockets/
+## </summary>
+## <param name="domain">
+##      <summary>
+##	Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+	gen_require(`
+		type spamd_tmp_t;
+	')
+
+	dontaudit $1 spamd_tmp_t:sock_file getattr;
+')
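Review bot: The template ends with `allow $1_spamassassin_t lib_t:file rx_file_perms;` ("For perl libraries."), which references `lib_t` from another module directly, without a `gen_require` and without going through the libs interface; spamassassin.te handles the same need with `libs_use_lib_files(spamd_t)`. Replacing the raw allow with `libs_use_lib_files($1_spamassassin_t)` keeps the template building when `lib_t` is not in scope and stays consistent with the daemon policy. Separately, the interface headers carry a few doc typos worth fixing in the same pass: "Singnal" in `spamassassin_signal_spamd`, "tempaltes" in both domtrans templates, and "spamd sockets/" (stray slash) in `spamassassin_dontaudit_getattr_spamd_tmp_sockets`.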
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
new file mode 100644
index 0000000..ba0d6e5
--- /dev/null
+++ b/policy/modules/services/spamassassin.te
@@ -0,0 +1,196 @@
+
+policy_module(spamassassin,1.3.9)
+
+########################################
+#
+# Declarations
+#
+
+# spamassassin client executable
+type spamc_exec_t;
+corecmd_executable_file(spamc_exec_t)
+
+type spamd_t;
+type spamd_exec_t;
+init_daemon_domain(spamd_t,spamd_exec_t)
+
+type spamd_spool_t;
+files_type(spamd_spool_t)
+
+type spamd_tmp_t;
+files_tmp_file(spamd_tmp_t)
+
+type spamd_var_run_t;
+files_pid_file(spamd_var_run_t)
+
+type spamassassin_exec_t;
+corecmd_executable_file(spamassassin_exec_t)
+
+########################################
+#
+# Spamassassin daemon local policy
+#
+
+# Spamassassin, when run as root and using per-user config files,
+# setuids to the user running spamc.  Comment this if you are not
+# using this ability.
+
+allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+dontaudit spamd_t self:capability sys_tty_config;
+allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamd_t self:fd use;
+allow spamd_t self:fifo_file rw_file_perms;
+allow spamd_t self:sock_file r_file_perms;
+allow spamd_t self:shm create_shm_perms;
+allow spamd_t self:sem create_sem_perms;
+allow spamd_t self:msgq create_msgq_perms;
+allow spamd_t self:msg { send receive };
+allow spamd_t self:unix_dgram_socket create_socket_perms;
+allow spamd_t self:unix_stream_socket create_stream_socket_perms;
+allow spamd_t self:unix_dgram_socket sendto;
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
+
+allow spamd_t spamd_spool_t:file create_file_perms;
+allow spamd_t spamd_spool_t:dir create_dir_perms;
+files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
+
+allow spamd_t spamd_tmp_t:dir create_dir_perms;
+allow spamd_t spamd_tmp_t:file create_file_perms;
+files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+
+allow spamd_t spamd_var_run_t:file create_file_perms;
+allow spamd_t spamd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(spamd_t,spamd_var_run_t,file)
+
+kernel_read_all_sysctls(spamd_t)
+kernel_read_system_state(spamd_t)
+kernel_tcp_recvfrom(spamd_t)
+
+corenet_non_ipsec_sendrecv(spamd_t)
+corenet_tcp_sendrecv_all_if(spamd_t)
+corenet_udp_sendrecv_all_if(spamd_t)
+corenet_tcp_sendrecv_all_nodes(spamd_t)
+corenet_udp_sendrecv_all_nodes(spamd_t)
+corenet_tcp_sendrecv_all_ports(spamd_t)
+corenet_udp_sendrecv_all_ports(spamd_t)
+corenet_tcp_bind_all_nodes(spamd_t)
+corenet_tcp_bind_spamd_port(spamd_t)
+corenet_tcp_connect_razor_port(spamd_t)
+corenet_sendrecv_razor_client_packets(spamd_t)
+corenet_sendrecv_spamd_server_packets(spamd_t)
+# spamassassin 3.1 needs this for its
+# DnsResolver.pm module which binds to
+# random ports >= 1024.
+corenet_udp_bind_all_nodes(spamd_t)
+corenet_udp_bind_generic_port(spamd_t)
+corenet_udp_bind_imaze_port(spamd_t)
+corenet_sendrecv_imaze_server_packets(spamd_t)
+corenet_sendrecv_generic_server_packets(spamd_t)
+
+dev_read_sysfs(spamd_t)
+dev_read_urand(spamd_t)
+
+fs_getattr_all_fs(spamd_t)
+fs_search_auto_mountpoints(spamd_t)
+
+term_dontaudit_use_console(spamd_t)
+
+auth_dontaudit_read_shadow(spamd_t)
+
+corecmd_exec_bin(spamd_t)
+corecmd_search_sbin(spamd_t)
+
+domain_use_interactive_fds(spamd_t)
+
+files_read_usr_files(spamd_t)
+files_read_etc_files(spamd_t)
+files_read_etc_runtime_files(spamd_t)
+files_search_var_lib(spamd_t)
+
+init_use_fds(spamd_t)
+init_use_script_ptys(spamd_t)
+init_dontaudit_rw_utmp(spamd_t)
+
+libs_use_ld_so(spamd_t)
+libs_use_shared_libs(spamd_t)
+# Various Perl bits
+libs_use_lib_files(spamd_t)
+
+logging_send_syslog_msg(spamd_t)
+
+miscfiles_read_localization(spamd_t)
+
+sysnet_read_config(spamd_t)
+sysnet_use_ldap(spamd_t)
+sysnet_dns_name_resolve(spamd_t)
+
+userdom_use_unpriv_users_fds(spamd_t)
+userdom_search_unpriv_users_home_dirs(spamd_t)
+userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(spamd_t)
+	term_dontaudit_use_generic_ptys(spamd_t)
+	files_dontaudit_read_root_files(spamd_t)
+	tunable_policy(`spamd_enable_home_dirs',`
+		userdom_manage_generic_user_home_content_dirs(spamd_t)
+		userdom_manage_generic_user_home_content_files(spamd_t)
+		userdom_manage_generic_user_home_content_symlinks(spamd_t)
+	')
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(spamd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(spamd_t)
+')
+
+optional_policy(`
+	amavis_manage_lib_files(spamd_t)
+')
+
+optional_policy(`
+	cron_system_entry(spamd_t,spamd_exec_t)
+')
+
+optional_policy(`
+	daemontools_service_domain(spamd_t,spamd_exec_t)
+')
+
+optional_policy(`
+	dcc_domtrans_client(spamd_t)
+	dcc_stream_connect_dccifd(spamd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(spamd_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(spamd_t)
+')
+
+optional_policy(`
+	pyzor_domtrans(spamd_t)
+')
+
+optional_policy(`
+	razor_domtrans(spamd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(spamd_t)
+')
+
+optional_policy(`
+	sendmail_stub(spamd_t)
+	mta_read_config(spamd_t)
+')
+
+optional_policy(`
+	udev_read_db(spamd_t)
+')
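Review bot: `allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };` grants `sys_tty_config` and the very next line `dontaudit spamd_t self:capability sys_tty_config;` dontaudits it, so one of the two is dead; the sibling daemons in this commit (soundd_t, speedmgmt_t, squid_t) only dontaudit it, which suggests the allow should read `allow spamd_t self:capability { setuid setgid dac_override };`. The comment above that rule ("Comment this if you are not using this ability") asks administrators to edit the module source to drop `setuid`/`setgid`/`dac_override`; since the same file already uses tunables (`spamd_enable_home_dirs`), wrapping those capabilities in a `tunable_policy` block would make the switch expressible without rebuilding policy. I have not verified the tunable naming convention the rest of the tree uses, so treat the tunable suggestion as a direction rather than a drop-in.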
diff --git a/policy/modules/services/speedtouch.fc b/policy/modules/services/speedtouch.fc
new file mode 100644
index 0000000..9760d15
--- /dev/null
+++ b/policy/modules/services/speedtouch.fc
@@ -0,0 +1,2 @@
+/usr/sbin/speedmgmt	--	gen_context(system_u:object_r:speedmgmt_exec_t,s0)
+
diff --git a/policy/modules/services/speedtouch.if b/policy/modules/services/speedtouch.if
new file mode 100644
index 0000000..826e2db
--- /dev/null
+++ b/policy/modules/services/speedtouch.if
@@ -0,0 +1 @@
+## <summary>Alcatel speedtouch USB ADSL modem</summary>
diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te
new file mode 100644
index 0000000..edf09ce
--- /dev/null
+++ b/policy/modules/services/speedtouch.te
@@ -0,0 +1,77 @@
+
+policy_module(speedtouch,1.0.0)
+
+#######################################
+#
+# Rules for the speedmgmt_t domain.
+#
+
+type speedmgmt_t;
+type speedmgmt_exec_t;
+init_daemon_domain(speedmgmt_t,speedmgmt_exec_t)
+
+type speedmgmt_tmp_t;
+files_tmp_file(speedmgmt_tmp_t)
+
+type speedmgmt_var_run_t;
+files_pid_file(speedmgmt_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit speedmgmt_t self:capability sys_tty_config;
+allow speedmgmt_t self:process signal_perms;
+
+allow speedmgmt_t speedmgmt_tmp_t:dir create_dir_perms;
+allow speedmgmt_t speedmgmt_tmp_t:file create_file_perms;
+files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir })
+
+allow speedmgmt_t speedmgmt_var_run_t:file create_file_perms;
+allow speedmgmt_t speedmgmt_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(speedmgmt_t,speedmgmt_var_run_t,file)
+
+kernel_read_kernel_sysctls(speedmgmt_t)
+kernel_list_proc(speedmgmt_t)
+kernel_read_proc_symlinks(speedmgmt_t)
+
+dev_read_sysfs(speedmgmt_t)
+dev_read_usbfs(speedmgmt_t)
+
+domain_use_interactive_fds(speedmgmt_t)
+
+files_read_etc_files(speedmgmt_t)
+files_read_usr_files(speedmgmt_t)
+
+fs_getattr_all_fs(speedmgmt_t)
+fs_search_auto_mountpoints(speedmgmt_t)
+
+term_dontaudit_use_console(speedmgmt_t)
+
+init_use_fds(speedmgmt_t)
+init_use_script_ptys(speedmgmt_t)
+
+libs_use_ld_so(speedmgmt_t)
+libs_use_shared_libs(speedmgmt_t)
+
+logging_send_syslog_msg(speedmgmt_t)
+
+miscfiles_read_localization(speedmgmt_t)
+
+userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
+userdom_dontaudit_search_sysadm_home_dirs(speedmgmt_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(speedmgmt_t)
+	term_dontaudit_use_generic_ptys(speedmgmt_t)
+	files_dontaudit_read_root_files(speedmgmt_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(speedmgmt_t)
+')
+
+optional_policy(`
+	udev_read_db(speedmgmt_t)
+')
diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc
new file mode 100644
index 0000000..067b669
--- /dev/null
+++ b/policy/modules/services/squid.fc
@@ -0,0 +1,14 @@
+
+/etc/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
+
+/usr/sbin/squid		--	gen_context(system_u:object_r:squid_exec_t,s0)
+
+/usr/share/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
+
+/var/cache/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
+
+/var/log/squid(/.*)?		gen_context(system_u:object_r:squid_log_t,s0)
+
+/var/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
+
+/var/spool/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
new file mode 100644
index 0000000..10e77d7
--- /dev/null
+++ b/policy/modules/services/squid.if
@@ -0,0 +1,125 @@
+## <summary>Squid caching http proxy server</summary>
+
+########################################
+## <summary>
+##	Execute squid in the squid domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`squid_domtrans',`
+	gen_require(`
+		type squid_t, squid_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,squid_exec_t,squid_t)
+
+	allow $1 squid_t:fd use;
+	allow squid_t $1:fd use;
+	allow squid_t $1:fifo_file rw_file_perms;
+	allow squid_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read squid configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`squid_read_config',`
+	gen_require(`
+		type squid_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 squid_conf_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Append squid logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`squid_read_log',`
+	gen_require(`
+		type squid_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 squid_log_t:dir search_dir_perms;
+	allow $1 squid_log_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Append squid logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`squid_append_log',`
+	gen_require(`
+		type squid_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 squid_log_t:dir search_dir_perms;
+	allow $1 squid_log_t:file { getattr append };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	squid logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`squid_manage_logs',`
+	gen_require(`
+		type squid_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 squid_log_t:dir rw_dir_perms;
+	allow $1 squid_log_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Use squid services by connecting over TCP.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`squid_use',`
+	gen_require(`
+		type squid_t;
+	')
+
+	allow $1 squid_t:tcp_socket { connectto recvfrom };
+	allow squid_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
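Review bot: The summary of `squid_read_log` says "Append squid logs." although the body grants `r_file_perms`; it duplicates the header of `squid_append_log` below it and will mislead anyone reading the generated interface docs. The summary should read `##	Read squid logs.`. The rest of the file's headers match their bodies.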
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
new file mode 100644
index 0000000..a1480f4
--- /dev/null
+++ b/policy/modules/services/squid.te
@@ -0,0 +1,184 @@
+
+policy_module(squid,1.1.3)
+
+########################################
+#
+# Declarations
+#
+
+type squid_t;
+type squid_exec_t;
+init_daemon_domain(squid_t,squid_exec_t)
+
+# type for /var/cache/squid
+type squid_cache_t;
+files_type(squid_cache_t)
+
+type squid_conf_t;
+files_type(squid_conf_t)
+
+type squid_log_t;
+logging_log_file(squid_log_t)
+
+type squid_var_run_t;
+files_pid_file(squid_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow squid_t self:capability { setgid setuid dac_override };
+dontaudit squid_t self:capability sys_tty_config;
+allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow squid_t self:fifo_file rw_file_perms;
+allow squid_t self:sock_file r_file_perms;
+allow squid_t self:fd use;
+allow squid_t self:shm create_shm_perms;
+allow squid_t self:sem create_sem_perms;
+allow squid_t self:msgq create_msgq_perms;
+allow squid_t self:msg { send receive };
+allow squid_t self:unix_stream_socket create_stream_socket_perms;
+allow squid_t self:unix_dgram_socket create_socket_perms;
+allow squid_t self:unix_dgram_socket sendto;
+allow squid_t self:unix_stream_socket connectto;
+allow squid_t self:tcp_socket create_stream_socket_perms;
+allow squid_t self:udp_socket create_socket_perms;
+
+# Grant permissions to create, access, and delete cache files.
+allow squid_t squid_cache_t:dir create_dir_perms;
+allow squid_t squid_cache_t:file create_file_perms;
+allow squid_t squid_cache_t:lnk_file create_lnk_perms;
+
+allow squid_t squid_conf_t:file r_file_perms;
+allow squid_t squid_conf_t:dir r_dir_perms;
+allow squid_t squid_conf_t:lnk_file read;
+
+can_exec(squid_t,squid_exec_t)
+
+allow squid_t squid_log_t:file create_file_perms;
+allow squid_t squid_log_t:dir rw_dir_perms;
+logging_log_filetrans(squid_t,squid_log_t,{ file dir })
+
+allow squid_t squid_var_run_t:file create_file_perms;
+allow squid_t squid_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(squid_t,squid_var_run_t,file)
+
+kernel_read_kernel_sysctls(squid_t)
+kernel_read_system_state(squid_t)
+kernel_tcp_recvfrom(squid_t)
+
+files_dontaudit_getattr_boot_dirs(squid_t)
+
+corenet_non_ipsec_sendrecv(squid_t)
+corenet_tcp_sendrecv_all_if(squid_t)
+corenet_udp_sendrecv_all_if(squid_t)
+corenet_tcp_sendrecv_all_nodes(squid_t)
+corenet_udp_sendrecv_all_nodes(squid_t)
+corenet_tcp_sendrecv_all_ports(squid_t)
+corenet_udp_sendrecv_all_ports(squid_t)
+corenet_tcp_bind_all_nodes(squid_t)
+corenet_udp_bind_all_nodes(squid_t)
+corenet_tcp_bind_http_cache_port(squid_t)
+corenet_tcp_bind_ftp_port(squid_t)
+corenet_tcp_bind_gopher_port(squid_t)
+corenet_tcp_connect_ftp_port(squid_t)
+corenet_tcp_connect_gopher_port(squid_t)
+corenet_tcp_connect_http_port(squid_t)
+corenet_tcp_connect_http_cache_port(squid_t)
+corenet_sendrecv_http_client_packets(squid_t)
+corenet_sendrecv_ftp_client_packets(squid_t)
+corenet_sendrecv_gopher_client_packets(squid_t)
+corenet_sendrecv_http_cache_server_packets(squid_t)
+corenet_sendrecv_http_cache_client_packets(squid_t)
+
+dev_read_sysfs(squid_t)
+dev_read_urand(squid_t)
+
+fs_getattr_all_fs(squid_t)
+fs_search_auto_mountpoints(squid_t)
+
+selinux_dontaudit_getattr_dir(squid_t)
+
+term_dontaudit_use_console(squid_t)
+term_dontaudit_getattr_pty_dirs(squid_t)
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+corecmd_exec_bin(squid_t)
+corecmd_exec_sbin(squid_t)
+corecmd_exec_shell(squid_t)
+
+domain_use_interactive_fds(squid_t)
+
+files_read_etc_files(squid_t)
+files_read_etc_runtime_files(squid_t)
+files_read_usr_files(squid_t)
+files_search_spool(squid_t)
+files_dontaudit_getattr_tmp_dirs(squid_t)
+files_getattr_home_dir(squid_t)
+
+init_use_fds(squid_t)
+init_use_script_ptys(squid_t)
+
+libs_use_ld_so(squid_t)
+libs_use_shared_libs(squid_t)
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+libs_exec_lib_files(squid_t)
+
+logging_send_syslog_msg(squid_t)
+
+miscfiles_read_certs(squid_t)
+miscfiles_read_localization(squid_t)
+
+sysnet_dns_name_resolve(squid_t)
+sysnet_read_config(squid_t)
+
+userdom_use_unpriv_users_fds(squid_t)
+userdom_dontaudit_use_unpriv_user_fds(squid_t)
+userdom_dontaudit_search_sysadm_home_dirs(squid_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(squid_t)
+	term_dontaudit_use_generic_ptys(squid_t)
+	files_dontaudit_read_root_files(squid_t)
+')
+
+tunable_policy(`squid_connect_any',`
+	corenet_tcp_connect_all_ports(squid_t)
+')
+
+optional_policy(`
+	allow squid_t self:capability kill;
+	cron_use_fds(squid_t)
+	cron_use_system_job_fds(squid_t)
+	cron_rw_pipes(squid_t)
+	cron_write_system_job_pipes(squid_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(squid_t)
+')
+
+optional_policy(`
+	nscd_socket_use(squid_t)
+')
+
+optional_policy(`
+	samba_domtrans_winbind_helper(squid_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(squid_t)
+')
+
+optional_policy(`
+	udev_read_db(squid_t)
+')
+
+ifdef(`TODO',`
+ifdef(`apache.te',`
+can_tcp_connect(squid_t, httpd_t)
+')
+#squid requires the following when run in diskd mode, the recommended setting
+allow squid_t tmpfs_t:file { read write };
+') dnl end TODO
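Review bot: `allow squid_t self:capability kill;` is the first line of the cron `optional_policy` block but does not depend on any cron type, so whether squid_t may signal processes of other uids silently changes with whether the cron module is loaded; either merge it into the unconditional `allow squid_t self:capability { setgid setuid dac_override };` rule or add a comment saying why it is only needed alongside cron. The same comment `# to allow running programs from /usr/lib/squid (IE unlinkd)` appears above both `corecmd_exec_bin(squid_t)` and `libs_exec_lib_files(squid_t)`; one of them should state what the other does not cover. The trailing `TODO` ifdef block references the raw `tmpfs_t` and `httpd_t` types and is never expanded; if the diskd requirement is still real it should be expressed through the filesystem and apache module interfaces, otherwise it should be dropped rather than left as dead policy.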
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
new file mode 100644
index 0000000..e83a852
--- /dev/null
+++ b/policy/modules/services/ssh.fc
@@ -0,0 +1,19 @@
+/etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host_dsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host_rsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
+
+/usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+
+/usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+
+/usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
+
+/var/run/sshd\.init\.pid		--	gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+ifdef(`targeted_policy', `', `
+/usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+
+HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
+')
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
new file mode 100644
index 0000000..7c7f58b
--- /dev/null
+++ b/policy/modules/services/ssh.if
@@ -0,0 +1,754 @@
+## <summary>Secure shell client and server policy.</summary>
+
+#######################################
+## <summary>
+##	Basic SSH client template.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for ssh client sessions.  A derived
+##	type is also created to protect the user ssh keys.
+##	</p>
+##	<p>
+##	This template was added for NX.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`ssh_basic_client_template',`
+
+	gen_require(`
+		attribute ssh_server;
+		type ssh_exec_t, sshd_key_t;
+
+		ifdef(`strict_policy',`
+			type sshd_tmp_t;
+		')
+	')
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type $1_ssh_t;
+	domain_type($1_ssh_t)
+	domain_entry_file($1_ssh_t,ssh_exec_t)
+	role $3 types $1_ssh_t;
+
+	type $1_home_ssh_t;
+	files_type($1_home_ssh_t)
+
+	##############################
+	#
+	# Client local policy
+	#
+
+	allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
+	allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_ssh_t self:fd use;
+	allow $1_ssh_t self:fifo_file rw_file_perms;
+	allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow $1_ssh_t self:shm create_shm_perms;
+	allow $1_ssh_t self:sem create_sem_perms;
+	allow $1_ssh_t self:msgq create_msgq_perms;
+	allow $1_ssh_t self:msg { send receive };
+	allow $1_ssh_t self:tcp_socket create_socket_perms;
+
+	# for rsync
+	allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
+	allow $1_ssh_t $2:unix_stream_socket connectto;
+
+	# Read the ssh key file.
+	allow $1_ssh_t sshd_key_t:file r_file_perms;
+
+	# Transition from the domain to the derived domain.
+	domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
+	allow $2 $1_ssh_t:fd use;
+	allow $1_ssh_t $2:fd use;
+	allow $1_ssh_t $2:fifo_file rw_file_perms;
+	allow $1_ssh_t $2:process sigchld;
+
+	# inheriting stream sockets is needed for "ssh host command" as no pty
+	# is allocated
+	# cjp: should probably fix target to be an attribute for ssh servers
+	# or "regular" (not special like sshd_extern_t) servers
+	allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
+
+	# allow ps to show ssh
+	allow $2 $1_ssh_t:dir { search getattr read };
+	allow $2 $1_ssh_t:{ file lnk_file } { read getattr };
+	allow $2 $1_ssh_t:process getattr;
+
+	# user can manage the keys and config
+	allow $2 $1_home_ssh_t:dir rw_dir_perms;
+	allow $2 $1_home_ssh_t:file create_file_perms;
+	allow $2 $1_home_ssh_t:lnk_file create_lnk_perms;
+	allow $2 $1_home_ssh_t:sock_file create_file_perms;
+
+	# ssh client can manage the keys and config
+	allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
+	allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
+	allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
+
+	# ssh servers can read the user keys and config
+	allow ssh_server $1_home_ssh_t:dir r_dir_perms;
+	allow ssh_server $1_home_ssh_t:lnk_file r_file_perms;
+	allow ssh_server $1_home_ssh_t:file r_file_perms;
+
+	kernel_read_kernel_sysctls($1_ssh_t)
+
+	corenet_non_ipsec_sendrecv($1_ssh_t)
+	corenet_tcp_sendrecv_all_if($1_ssh_t)
+	corenet_tcp_sendrecv_all_nodes($1_ssh_t)
+	corenet_tcp_sendrecv_all_ports($1_ssh_t)
+	corenet_tcp_connect_ssh_port($1_ssh_t)
+	corenet_sendrecv_ssh_client_packets($1_ssh_t)
+
+	dev_read_urand($1_ssh_t)
+
+	fs_getattr_all_fs($1_ssh_t)
+	fs_search_auto_mountpoints($1_ssh_t)
+
+	# run helper programs - needed eg for x11-ssh-askpass
+	corecmd_exec_shell($1_ssh_t)
+	corecmd_exec_bin($1_ssh_t)
+	corecmd_list_sbin($1_ssh_t)
+	corecmd_read_sbin_symlinks($1_ssh_t)
+
+	domain_use_interactive_fds($1_ssh_t)
+
+	files_list_home($1_ssh_t)
+	files_read_usr_files($1_ssh_t)
+	files_read_etc_runtime_files($1_ssh_t)
+	files_read_etc_files($1_ssh_t)
+	files_read_var_files($1_ssh_t)
+
+	libs_use_ld_so($1_ssh_t)
+	libs_use_shared_libs($1_ssh_t)
+
+	logging_send_syslog_msg($1_ssh_t)
+	logging_read_generic_logs($1_ssh_t)
+
+	miscfiles_read_localization($1_ssh_t)
+
+	seutil_read_config($1_ssh_t)
+
+	sysnet_read_config($1_ssh_t)
+	sysnet_dns_name_resolve($1_ssh_t)
+
+	ifdef(`strict_policy',`
+		# Access the ssh temporary files.
+		allow $1_ssh_t sshd_tmp_t:dir create_dir_perms;
+		allow $1_ssh_t sshd_tmp_t:file create_file_perms;
+		files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
+	')
+
+	tunable_policy(`read_default_t',`
+		files_list_default($1_ssh_t)
+		files_read_default_files($1_ssh_t)
+		files_read_default_symlinks($1_ssh_t)
+		files_read_default_sockets($1_ssh_t)
+		files_read_default_pipes($1_ssh_t)
+	')
+
+	optional_policy(`
+		kerberos_use($1_ssh_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_ssh_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_ssh_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The per user domain template for the ssh module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for ssh client sessions and user ssh agents.  A derived
+##	type is also created to protect the user ssh keys.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`ssh_per_userdomain_template',`
+	gen_require(`
+		type ssh_agent_exec_t, ssh_keysign_exec_t;
+	')
+
+	##############################
+	#
+	# Declarations
+	#
+
+	ssh_basic_client_template($1,$2,$3)
+
+	userdom_user_home_content($1,$1_home_ssh_t)
+
+	type $1_ssh_agent_t;
+	domain_type($1_ssh_agent_t)
+	domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
+	role $3 types $1_ssh_agent_t;
+
+	type $1_ssh_keysign_t;
+	domain_type($1_ssh_keysign_t)
+	domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
+	role $3 types $1_ssh_keysign_t;
+
+	type $1_ssh_tmpfs_t;
+	files_tmpfs_file($1_ssh_tmpfs_t)
+
+	##############################
+	#
+	# Client local policy
+	#
+
+	allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $1_ssh_t $1_home_ssh_t:dir manage_dir_perms;
+	allow $1_ssh_t $1_home_ssh_t:sock_file manage_file_perms;
+	userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
+
+	userdom_use_unpriv_users_fds($1_ssh_t)
+	userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
+	userdom_search_user_home_dirs($1,$1_ssh_t)
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_ssh_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_ssh_t)
+		fs_manage_nfs_files($1_ssh_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_ssh_t)
+		fs_manage_cifs_files($1_ssh_t)
+	')
+
+	# for port forwarding
+	tunable_policy(`user_tcp_server',`
+		corenet_tcp_bind_ssh_port($1_ssh_t)
+	')
+
+	optional_policy(`
+		xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
+		xserver_domtrans_user_xauth($1,$1_ssh_t)
+	')
+
+	ifdef(`TODO',`
+	allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
+
+	# for /bin/sh used to execute xauth
+	dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
+
+	#allow ssh to access keys stored on removable media
+	# Should we have a boolean around this?
+	files_search_mnt($1_ssh_t)
+	r_dir_file($1_ssh_t, removable_t) 
+
+	if (allow_ssh_keysign) {
+	domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
+	allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+	allow $1_ssh_keysign_t self:capability { setgid setuid };
+	allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
+	uses_shlib($1_ssh_keysign_t)
+	dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
+	dontaudit $1_ssh_keysign_t proc_t:dir search;
+	dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
+	allow $1_ssh_keysign_t usr_t:dir search;
+	allow $1_ssh_keysign_t etc_t:file { getattr read };
+	allow $1_ssh_keysign_t self:dir search;
+	allow $1_ssh_keysign_t self:file { getattr read };
+	allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
+	}
+
+	') dnl endif TODO
+
+	##############################
+	#
+	# $1_ssh_agent_t local policy
+	#
+
+	allow $1_ssh_agent_t self:process setrlimit;
+	allow $1_ssh_agent_t self:capability setgid;
+
+	allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
+
+	allow $1_ssh_agent_t self:unix_stream_socket { connectto rw_socket_perms };
+
+	allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
+
+	# for ssh-add
+	allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
+
+	# Allow the user shell to signal the ssh program.
+	allow $2 $1_ssh_agent_t:process signal;
+
+	# for the transition back to normal privs upon exec
+	allow $1_ssh_agent_t $2:fd use;
+	allow $2 $1_ssh_agent_t:fd use;
+	allow $2 $1_ssh_agent_t:fifo_file rw_file_perms;
+	allow $2 $1_ssh_agent_t:process sigchld;
+
+	# Allow the ssh program to communicate with ssh-agent.
+	allow $1_ssh_t sshd_t:unix_stream_socket connectto;
+
+	domain_auto_trans($2, ssh_agent_exec_t, $1_ssh_agent_t)
+	allow $2 $1_ssh_agent_t:fd use;
+	allow $1_ssh_agent_t $2:fd use;
+	allow $1_ssh_agent_t $2:fifo_file rw_file_perms;
+	allow $1_ssh_agent_t $2:process sigchld;
+
+	kernel_read_kernel_sysctls($1_ssh_agent_t)
+
+	dev_read_urand($1_ssh_agent_t)
+	dev_read_rand($1_ssh_agent_t)
+
+	fs_search_auto_mountpoints($1_ssh_agent_t)
+
+	# transition back to normal privs upon exec
+	corecmd_shell_domtrans($1_ssh_agent_t,$1_t)
+	corecmd_bin_domtrans($1_ssh_agent_t, $1_t)
+
+	domain_use_interactive_fds($1_ssh_agent_t)
+
+	files_read_etc_files($1_ssh_agent_t)
+	files_read_etc_runtime_files($1_ssh_agent_t)
+	files_search_home($1_ssh_agent_t)
+
+	libs_read_lib_files($1_ssh_agent_t)
+	libs_use_ld_so($1_ssh_agent_t)
+	libs_use_shared_libs($1_ssh_agent_t)
+
+	logging_send_syslog_msg($1_ssh_agent_t)
+
+	miscfiles_read_localization($1_ssh_agent_t)
+
+	seutil_dontaudit_read_config($1_ssh_agent_t)
+
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_ssh_agent_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_ssh_agent_t)
+
+		# transition back to normal privs upon exec
+		fs_nfs_domtrans($1_ssh_agent_t, $1_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_ssh_agent_t)
+
+		# transition back to normal privs upon exec
+		fs_cifs_domtrans($1_ssh_agent_t, $1_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_ssh_agent_t)
+	')
+
+#	optional_policy(`
+#		# KDM:
+#		xdm_sigchld($1_ssh_agent_t)
+#	')
+
+	ifdef(`TODO',`
+	ifdef(`xdm.te',`
+	can_pipe_xdm($1_ssh_agent_t)
+	')
+
+	# allow ps to show ssh
+	can_ps($1_t, $1_ssh_agent_t)
+
+	dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
+
+	# Access the ssh temporary files. Should we have an own type here
+	# to which only ssh, ssh-agent and ssh-add have access?
+	allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
+	file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
+
+	# transition back to normal privs upon exec
+	domain_auto_trans($1_ssh_agent_t, $1_home_t, $1_t)
+	allow $1_ssh_agent_t $1_home_dir_t:dir search;
+
+	allow $1_ssh_t $1_tmp_t:sock_file write;
+
+	#
+	# Allow command to ssh-agent > ~/.ssh_agent
+	#
+	allow $1_ssh_agent_t $1_home_t:file rw_file_perms;
+	allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms;
+
+	# Allow the ssh program to communicate with ssh-agent.
+	allow $1_ssh_t $1_tmp_t:sock_file write;
+	allow $1_ssh_t $2:unix_stream_socket connectto;
+	') dnl endif TODO
+
+	##############################
+	#
+	# $1_ssh_keysign_t local policy
+	#
+
+	optional_policy(`
+		nscd_socket_use($1_ssh_keysign_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The template to define a ssh server.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a domains to be used for
+##	creating a ssh server.  This is typically done
+##	to have multiple ssh servers of different sensitivities,
+##	such as for an internal network-facing ssh server, and
+##	a external network-facing ssh server.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the server domain (e.g., sshd
+##	is the prefix for sshd_t).
+##	</summary>
+## </param>
+#
+template(`ssh_server_template', `
+	type $1_t, ssh_server;
+
+	domain_type($1_t)
+	role system_r types $1_t;
+
+	type $1_devpts_t;
+	term_login_pty($1_devpts_t)
+
+	type $1_var_run_t;
+	files_pid_file($1_var_run_t)
+
+	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+	allow $1_t self:fifo_file rw_file_perms;
+	allow $1_t self:process { signal setsched setrlimit setexec };
+
+	allow $1_t self:tcp_socket { listen accept create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+	allow $1_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
+
+	allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom };
+	term_create_pty($1_t,$1_devpts_t)
+
+	allow $1_t $1_var_run_t:file create_file_perms;
+	files_pid_filetrans($1_t,$1_var_run_t,file)
+
+	can_exec($1_t, sshd_exec_t)
+
+	# Access key files
+	allow $1_t sshd_key_t:file { getattr read };
+
+	kernel_read_kernel_sysctls($1_t)
+
+	corenet_tcp_sendrecv_all_if($1_t)
+	corenet_udp_sendrecv_all_if($1_t)
+	corenet_raw_sendrecv_all_if($1_t)
+	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_udp_sendrecv_all_nodes($1_t)
+	corenet_raw_sendrecv_all_nodes($1_t)
+	corenet_udp_sendrecv_all_ports($1_t)
+	corenet_tcp_sendrecv_all_ports($1_t)
+	corenet_non_ipsec_sendrecv($1_t)
+	corenet_tcp_bind_all_nodes($1_t)
+	corenet_udp_bind_all_nodes($1_t)
+	corenet_tcp_connect_all_ports($1_t)
+	corenet_sendrecv_ssh_server_packets($1_t)
+
+	dev_read_urand($1_t)
+
+	fs_dontaudit_getattr_all_fs($1_t)
+
+	selinux_get_fs_mount($1_t)
+	selinux_validate_context($1_t)
+	selinux_compute_access_vector($1_t)
+	selinux_compute_create_context($1_t)
+	selinux_compute_relabel_context($1_t)
+	selinux_compute_user_contexts($1_t)
+
+	auth_dontaudit_read_shadow($1_t)
+	auth_domtrans_chk_passwd($1_t)
+	auth_rw_login_records($1_t)
+	auth_rw_lastlog($1_t)
+	auth_append_faillog($1_t)
+
+	corecmd_read_bin_symlinks($1_t)
+	corecmd_getattr_bin_files($1_t)
+	# for sshd subsystems, such as sftp-server.
+	corecmd_getattr_bin_files($1_t)
+
+	domain_interactive_fd($1_t)
+	domain_subj_id_change_exemption($1_t)
+	domain_role_change_exemption($1_t)
+	domain_obj_id_change_exemption($1_t)
+
+	files_read_etc_files($1_t)
+	files_read_etc_runtime_files($1_t)
+
+	init_rw_utmp($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+
+	logging_search_logs($1_t)
+	logging_send_syslog_msg($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	mls_file_read_up($1_t)
+	mls_file_write_down($1_t)
+	mls_file_upgrade($1_t)
+	mls_file_downgrade($1_t)
+	mls_process_set_level($1_t)
+
+	seutil_read_default_contexts($1_t)
+
+	sysnet_read_config($1_t)
+
+	userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
+	userdom_search_all_users_home_content($1_t)
+
+	# Allow checking users mail at login
+	mta_getattr_spool($1_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_read_nfs_files($1_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_read_cifs_files($1_t)
+	')
+
+	# cjp: commenting out until typeattribute works in conditional
+	# and require block in optional else is resolved
+	#optional_policy(`
+	#	tunable_policy(`run_ssh_inetd',`
+	#		allow $1_t self:process signal;
+	#		files_list_pids($1_t)
+	#	',`
+	#		corenet_tcp_bind_ssh_port($1_t)
+	#		init_use_fds($1_t)
+	#		init_use_script_ptys($1_t)
+	#	')
+	#',`
+		# These rules should match the else block
+		# of the run_ssh_inetd tunable directly above
+		corenet_tcp_bind_ssh_port($1_t)
+		init_use_fds($1_t)
+		init_use_script_ptys($1_t)
+	#')
+
+	optional_policy(`
+		kerberos_use($1_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_t)
+	')
+
+	optional_policy(`
+		nx_spec_domtrans_server($1_t)
+	')
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to the ssh server.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_sigchld',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read a ssh server unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_read_pipes',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:fifo_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read and write ssh server unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_rw_stream_sockets',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+##	Read and write ssh server TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_rw_tcp_sockets',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	ssh server TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`ssh_dontaudit_rw_tcp_sockets',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	dontaudit $1 sshd_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Connect to SSH daemons over TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_tcp_connect',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:tcp_socket { connectto recvfrom };
+	allow sshd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
+########################################
+## <summary>
+##	Execute the ssh client in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_exec',`
+	gen_require(`
+		type ssh_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1,ssh_exec_t)
+')
+
+########################################
+## <summary>
+##	Read ssh server keys
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_dontaudit_read_server_keys',`
+	gen_require(`
+		type sshd_key_t;
+	')
+
+	dontaudit $1 sshd_key_t:file { getattr read };
+')
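Review bot: In `ssh_per_userdomain_template` the transitions back to the user domain on exec use `$1_t` (`corecmd_shell_domtrans($1_ssh_agent_t,$1_t)`, `corecmd_bin_domtrans($1_ssh_agent_t, $1_t)`, and the nfs/cifs `_domtrans` calls under the home-dir tunables) while every other rule in the template uses the `$2` user_domain parameter, so a caller whose domain is not literally `$1_t` gets ssh-agent children landing in a different or undeclared domain; these should take `$2`. `allow $1_ssh_t sshd_t:unix_stream_socket connectto;` is commented "communicate with ssh-agent" but grants connectto on the server domain's socket, and `sshd_t` is not listed in the template's gen_require; the comment should say what the rule is actually for (presumably agent forwarding through the sshd-created socket) and the require block should declare the type. In `ssh_server_template`, `corecmd_getattr_bin_files($1_t)` is granted twice, the second time under `# for sshd subsystems, such as sftp-server.`, which suggests a different interface was intended there. The header of `ssh_dontaudit_read_server_keys` reads "Read ssh server keys" with "Domain allowed access."; to match `ssh_dontaudit_rw_tcp_sockets` it should read `##	Do not audit attempts to read ssh server keys.` and `##	Domain to not audit.`.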
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
new file mode 100644
index 0000000..6296c6b
--- /dev/null
+++ b/policy/modules/services/ssh.te
@@ -0,0 +1,271 @@
+
+policy_module(ssh,1.3.5)
+
+########################################
+#
+# Declarations
+#
+
+attribute ssh_server;
+
+# ssh client executable.
+type ssh_exec_t;
+corecmd_executable_file(ssh_exec_t)
+
+type ssh_keygen_exec_t;
+corecmd_executable_file(ssh_keygen_exec_t)
+
+type ssh_keysign_exec_t;
+corecmd_executable_file(ssh_keysign_exec_t)
+
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type sshd_exec_t;
+')
+corecmd_executable_file(sshd_exec_t)
+
+type sshd_key_t;
+files_type(sshd_key_t)
+
+ifdef(`targeted_policy',`
+	unconfined_alias_domain(sshd_t)
+	init_system_domain(sshd_t,sshd_exec_t)
+
+	type sshd_var_run_t;
+	files_type(sshd_var_run_t)
+',`
+	# Type for the ssh-agent executable.
+	type ssh_agent_exec_t;
+	files_type(ssh_agent_exec_t)
+
+	type ssh_keygen_t;
+	init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
+	role system_r types ssh_keygen_t;
+
+	ssh_server_template(sshd)
+	ssh_server_template(sshd_extern)
+
+	# cjp: commenting this out until typeattribute works in a conditional
+#	optional_policy(`
+#		tunable_policy(`run_ssh_inetd',`
+#			inetd_tcp_service_domain(sshd_t,sshd_exec_t)
+#		',`
+#			init_daemon_domain(sshd_t,sshd_exec_t)
+#		')
+#	',`
+		# These rules should match the else block
+		# of the run_ssh_inetd tunable directly above
+		init_daemon_domain(sshd_t,sshd_exec_t)
+#	')
+
+	type sshd_tmp_t;
+	files_tmp_file(sshd_tmp_t)
+')
+
+#################################
+#
+# sshd local policy
+#
+# sshd_t is the domain for the sshd program.
+#
+
+ifdef(`strict_policy',`
+	# so a tunnel can point to another ssh tunnel
+	allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
+	allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
+
+	allow sshd_t sshd_tmp_t:dir create_dir_perms;
+	allow sshd_t sshd_tmp_t:file create_file_perms;
+	allow sshd_t sshd_tmp_t:sock_file create_file_perms;
+	files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+
+	# for X forwarding
+	corenet_tcp_bind_xserver_port(sshd_t)
+	corenet_sendrecv_xserver_server_packets(sshd_t)
+
+	mls_file_read_up(sshd_t)
+	mls_file_write_down(sshd_t)
+	mls_file_upgrade(sshd_t)
+	mls_file_downgrade(sshd_t)
+	mls_process_set_level(sshd_t)
+
+	auth_exec_pam(sshd_t)
+
+	seutil_read_config(sshd_t)
+
+	tunable_policy(`ssh_sysadm_login',`
+		# Relabel and access ptys created by sshd
+		# ioctl is necessary for logout() processing for utmp entry and for w to
+		# display the tty.
+		# some versions of sshd on the new SE Linux require setattr
+		term_use_all_user_ptys(sshd_t)
+		term_setattr_all_user_ptys(sshd_t)
+		term_relabelto_all_user_ptys(sshd_t)
+
+		userdom_spec_domtrans_all_users(sshd_t)
+		userdom_signal_all_users(sshd_t)
+	',`
+		userdom_spec_domtrans_unpriv_users(sshd_t)
+		userdom_signal_unpriv_users(sshd_t)
+
+		userdom_setattr_unpriv_users_ptys(sshd_t)
+		userdom_relabelto_unpriv_users_ptys(sshd_t)
+		userdom_use_unpriv_users_ptys(sshd_t)
+	')
+
+	optional_policy(`
+		daemontools_service_domain(sshd_t, sshd_exec_t)
+	')
+
+	optional_policy(`
+		rpm_use_script_fds(sshd_t)
+	')
+
+	optional_policy(`
+		rssh_spec_domtrans_all_users(sshd_t)
+		# For reading /home/user/.ssh
+		rssh_read_all_users_ro_content(sshd_t)
+	')
+
+	ifdef(`TODO',`
+	tunable_policy(`ssh_sysadm_login',`
+		# Relabel and access ptys created by sshd
+		# ioctl is necessary for logout() processing for utmp entry and for w to
+		# display the tty.
+		# some versions of sshd on the new SE Linux require setattr
+		allow sshd_t ptyfile:chr_file relabelto;
+
+		optional_policy(`
+			domain_trans(sshd_t, xauth_exec_t, userdomain)
+		')
+	',`
+		optional_policy(`
+			domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+		')
+		# Relabel and access ptys created by sshd
+		# ioctl is necessary for logout() processing for utmp entry and for w to
+		# display the tty.
+		# some versions of sshd on the new SE Linux require setattr
+		allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
+	')
+	') dnl endif TODO
+')
+
+#################################
+#
+# sshd_extern local policy
+#
+# sshd_extern_t is the domain for ssh from outside our network
+#
+
+ifdef(`strict_policy',`
+	ifdef(`TODO',`
+	domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
+	# Signal the user domains.
+	allow sshd_extern_t user_mini_domain:process signal;
+
+	ifdef(`xauth.te', `
+	domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
+	')
+
+	# Relabel and access ptys created by sshd
+	# ioctl is necessary for logout() processing for utmp entry and for w to
+	# display the tty.
+	# some versions of sshd on the new SE Linux require setattr
+	allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };
+
+	# inheriting stream sockets is needed for "ssh host command" as no pty
+	# is allocated
+	allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
+
+	optional_policy(`
+		tunable_policy(`run_ssh_inetd',`
+			domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
+		',`
+			domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+		')
+	',`
+		# These rules should match the else block
+		# of the run_ssh_inetd tunable directly above
+		domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+	')
+
+	ifdef(`direct_sysadm_daemon', `
+	# Direct execution by sysadm_r.
+	domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
+	role_transition sysadm_r sshd_exec_t system_r;
+	')
+
+	# for port forwarding
+	allow userdomain sshd_t:tcp_socket { connectto recvfrom };
+	allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
+	allow userdomain kernel_t:tcp_socket recvfrom;
+	allow sshd_t kernel_t:tcp_socket recvfrom;
+	') dnl endif TODO
+')
+
+########################################
+#
+# ssh_keygen local policy
+#
+
+ifdef(`targeted_policy',`',`
+	# ssh_keygen_t is the type of the ssh-keygen program when run at install time
+	# and by sysadm_t
+
+	dontaudit ssh_keygen_t self:capability sys_tty_config;
+	allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+
+	allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+
+	allow ssh_keygen_t sshd_key_t:file create_file_perms;
+	files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
+
+	kernel_read_kernel_sysctls(ssh_keygen_t)
+
+	fs_search_auto_mountpoints(ssh_keygen_t)
+
+	dev_read_sysfs(ssh_keygen_t)
+	dev_read_urand(ssh_keygen_t)
+
+	term_dontaudit_use_console(ssh_keygen_t)
+
+	domain_use_interactive_fds(ssh_keygen_t)
+
+	files_read_etc_files(ssh_keygen_t)
+
+	init_use_fds(ssh_keygen_t)
+	init_use_script_ptys(ssh_keygen_t)
+
+	libs_use_ld_so(ssh_keygen_t)
+	libs_use_shared_libs(ssh_keygen_t)
+
+	logging_send_syslog_msg(ssh_keygen_t)
+
+	allow ssh_keygen_t proc_t:dir r_dir_perms;
+	allow ssh_keygen_t proc_t:lnk_file read;
+
+	userdom_use_sysadm_ttys(ssh_keygen_t)
+	userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+
+	# cjp: with the old daemon_(base_)domain being broken up into
+	# a daemon and system interface, this probably is not needed:
+	ifdef(`direct_sysadm_daemon',`
+		userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
+	')
+
+	ifdef(`targeted_policy', `
+		term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
+		term_dontaudit_use_generic_ptys(ssh_keygen_t)
+		files_dontaudit_read_root_files(ssh_keygen_t)
+	')
+
+	optional_policy(`
+		seutil_sigchld_newrole(ssh_keygen_t)
+	')
+
+	optional_policy(`
+		udev_read_db(ssh_keygen_t)
+	')
+')
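Review bot: The inner `targeted_policy` ifdef at the end of the ssh_keygen block is dead code: it sits inside the else branch of the outer `targeted_policy` ifdef that opens the block, so the three term/files dontaudit rules for `ssh_keygen_t` can never be expanded; either delete it or move it outside the else branch if it is meant to apply to the targeted build. `allow ssh_keygen_t proc_t:dir r_dir_perms;` and `allow ssh_keygen_t proc_t:lnk_file read;` reference the kernel module's type directly, unlike the rest of the file, which goes through interfaces; `kernel_read_system_state(ssh_keygen_t)` is the call the squid module in this same commit uses for that access. The `# real declaration moved to mls until range_transition works in loadable modules` note above `gen_require(` for `sshd_exec_t` would be easier to act on later if it named the file that now holds the declaration.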
diff --git a/policy/modules/services/stunnel.fc b/policy/modules/services/stunnel.fc
new file mode 100644
index 0000000..2806b91
--- /dev/null
+++ b/policy/modules/services/stunnel.fc
@@ -0,0 +1,6 @@
+
+/etc/stunnel(/.*)?          	gen_context(system_u:object_r:stunnel_etc_t,s0)
+
+/usr/sbin/stunnel	--	gen_context(system_u:object_r:stunnel_exec_t,s0)
+
+/var/run/stunnel(/.*)?		gen_context(system_u:object_r:stunnel_var_run_t,s0)
diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if
new file mode 100644
index 0000000..d137c27
--- /dev/null
+++ b/policy/modules/services/stunnel.if
@@ -0,0 +1 @@
+## <summary>SSL Tunneling Proxy</summary>
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
new file mode 100644
index 0000000..783fad6
--- /dev/null
+++ b/policy/modules/services/stunnel.te
@@ -0,0 +1,148 @@
+
+policy_module(stunnel,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type stunnel_t;
+domain_type(stunnel_t)
+role system_r types stunnel_t;
+
+type stunnel_exec_t;
+domain_entry_file(stunnel_t,stunnel_exec_t)
+
+ifdef(`distro_gentoo',`
+	init_daemon_domain(stunnel_t,stunnel_exec_t)
+',`
+	inetd_tcp_service_domain(stunnel_t,stunnel_exec_t)
+')
+
+type stunnel_etc_t;
+files_type(stunnel_etc_t)
+
+type stunnel_tmp_t;
+files_tmp_file(stunnel_tmp_t)
+
+type stunnel_var_run_t;
+files_pid_file(stunnel_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow stunnel_t self:capability { setgid setuid sys_chroot };
+allow stunnel_t self:process signal_perms;
+allow stunnel_t self:fifo_file rw_file_perms;
+allow stunnel_t self:tcp_socket create_stream_socket_perms;
+allow stunnel_t self:udp_socket create_socket_perms;
+
+allow stunnel_t stunnel_etc_t:dir { getattr read search };
+allow stunnel_t stunnel_etc_t:file { read getattr };
+allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
+
+allow stunnel_t stunnel_tmp_t:dir create_dir_perms;
+allow stunnel_t stunnel_tmp_t:file create_file_perms;
+files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
+
+allow stunnel_t stunnel_var_run_t:file create_file_perms;
+allow stunnel_t stunnel_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(stunnel_t,stunnel_var_run_t,file)
+
+kernel_read_kernel_sysctls(stunnel_t)
+kernel_read_system_state(stunnel_t)
+kernel_read_network_state(stunnel_t)
+
+corenet_non_ipsec_sendrecv(stunnel_t)
+corenet_tcp_sendrecv_all_if(stunnel_t)
+corenet_udp_sendrecv_all_if(stunnel_t)
+corenet_tcp_sendrecv_all_nodes(stunnel_t)
+corenet_udp_sendrecv_all_nodes(stunnel_t)
+corenet_tcp_sendrecv_all_ports(stunnel_t)
+corenet_udp_sendrecv_all_ports(stunnel_t)
+corenet_tcp_bind_all_nodes(stunnel_t)
+#corenet_tcp_bind_stunnel_port(stunnel_t)
+
+fs_getattr_all_fs(stunnel_t)
+
+libs_use_ld_so(stunnel_t)
+libs_use_shared_libs(stunnel_t)
+
+logging_send_syslog_msg(stunnel_t)
+
+miscfiles_read_localization(stunnel_t)
+
+sysnet_read_config(stunnel_t)
+
+ifdef(`distro_gentoo', `
+	dontaudit stunnel_t self:capability sys_tty_config;
+	allow stunnel_t self:udp_socket create_socket_perms;
+
+	dev_read_sysfs(stunnel_t)
+
+	fs_search_auto_mountpoints(stunnel_t)
+
+	term_dontaudit_use_console(stunnel_t)
+
+	domain_use_interactive_fds(stunnel_t)
+
+	init_use_fds(stunnel_t)
+	init_use_script_ptys(stunnel_t)
+
+	userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
+	userdom_dontaudit_search_sysadm_home_dirs(stunnel_t)
+
+	ifdef(`targeted_policy', `
+        	term_dontaudit_use_unallocated_ttys(stunnel_t)
+        	term_dontaudit_use_generic_ptys(stunnel_t)
+        	files_dontaudit_read_root_files(stunnel_t)
+	')
+
+	optional_policy(`
+		daemontools_service_domain(stunnel_t, stunnel_exec_t)
+	')
+
+	optional_policy(`
+        	mount_send_nfs_client_request(stunnel_t)
+	')
+
+	optional_policy(`
+        	seutil_sigchld_newrole(stunnel_t)
+	')
+
+	optional_policy(`
+        	udev_read_db(stunnel_t)
+	')
+',`
+	allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+	dev_read_urand(stunnel_t)
+
+	files_read_etc_files(stunnel_t)
+	files_search_home(stunnel_t)
+
+	optional_policy(`
+        	kerberos_use(stunnel_t)
+	')
+
+	optional_policy(`
+        	nis_use_ypbind(stunnel_t)
+	')
+
+	optional_policy(`
+        	nscd_socket_use(stunnel_t)
+	')
+')
+
+tunable_policy(`stunnel_is_daemon',`
+	allow stunnel_t self:tcp_socket create_stream_socket_perms;
+
+	# hack since this port has no interfaces since it doesnt
+	# have net_contexts
+	gen_require(`
+		type stunnel_port_t;
+	')
+	allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+')
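Review bot: The `tunable_policy(`stunnel_is_daemon', ...)` block re-grants `allow stunnel_t self:tcp_socket create_stream_socket_perms;`, which is already allowed unconditionally at the top of the local policy, so only the `name_bind` on stunnel_port_t is actually gated by the boolean; the same duplication appears for `allow stunnel_t self:udp_socket create_socket_perms;` inside the distro_gentoo branch. Either drop the duplicate rules, or, if an inetd-spawned stunnel is not meant to create listening sockets at all, move the unconditional tcp_socket rule under the tunable so the boolean means what its name says. The `gen_require` of `stunnel_port_t` reaches into another module's declarations instead of going through a corenetwork interface; the comment should name the follow-up, e.g. `# TODO: replace with corenet_tcp_bind_stunnel_port() once stunnel_port_t is declared via net_contexts`.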
diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc
new file mode 100644
index 0000000..b319f6a
--- /dev/null
+++ b/policy/modules/services/sysstat.fc
@@ -0,0 +1,8 @@
+
+/usr/lib(64)?/atsar/atsa.*	--	gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib(64)?/sa/sadc		--	gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib(64)?/sysstat/sa.*	--	gen_context(system_u:object_r:sysstat_exec_t,s0)
+
+/var/log/atsar(/.*)?			gen_context(system_u:object_r:sysstat_log_t,s0)
+/var/log/sa(/.*)?			gen_context(system_u:object_r:sysstat_log_t,s0)
+/var/log/sysstat(/.*)?			gen_context(system_u:object_r:sysstat_log_t,s0)
diff --git a/policy/modules/services/sysstat.if b/policy/modules/services/sysstat.if
new file mode 100644
index 0000000..d646197
--- /dev/null
+++ b/policy/modules/services/sysstat.if
@@ -0,0 +1,21 @@
+## <summary>Policy for sysstat. Reports on various system states</summary>
+
+########################################
+## <summary>
+##	Manage sysstat logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysstat_manage_log',`
+	gen_require(`
+		type sysstat_log_t;
+	')
+
+        logging_search_logs($1)
+	allow $1 sysstat_log_t:dir rw_dir_perms;
+	allow $1 sysstat_log_t:file manage_file_perms;
+')
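Review bot: In `sysstat_manage_log`, `logging_search_logs($1)` is indented with spaces while the surrounding lines use tabs; reindent it with a tab so the interface matches the rest of the file. The summary says "Manage sysstat logs" but the directory only gets `rw_dir_perms`, not `manage_dir_perms`; if callers are expected to create or remove subdirectories under the sysstat log tree, the rule should be `allow $1 sysstat_log_t:dir manage_dir_perms;`, otherwise the summary should say that only the log files are managed.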
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
new file mode 100644
index 0000000..21ac35a
--- /dev/null
+++ b/policy/modules/services/sysstat.te
@@ -0,0 +1,70 @@
+
+policy_module(sysstat,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sysstat_t;
+type sysstat_exec_t;
+init_system_domain(sysstat_t,sysstat_exec_t)
+role system_r types sysstat_t;
+
+type sysstat_log_t;
+logging_log_file(sysstat_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sysstat_t self:capability sys_resource;
+dontaudit sysstat_t self:capability sys_admin;
+allow sysstat_t self:fifo_file rw_file_perms;
+
+can_exec(sysstat_t, sysstat_exec_t)
+
+allow sysstat_t sysstat_log_t:file create_file_perms;
+allow sysstat_t sysstat_log_t:dir rw_dir_perms;
+logging_log_filetrans(sysstat_t,sysstat_log_t,{ file dir })
+
+# get info from /proc
+kernel_read_system_state(sysstat_t)
+kernel_read_network_state(sysstat_t)
+kernel_read_kernel_sysctls(sysstat_t)
+kernel_read_fs_sysctls(sysstat_t)
+kernel_read_rpc_sysctls(sysstat_t)
+
+corecmd_dontaudit_search_sbin(sysstat_t)
+corecmd_exec_bin(sysstat_t)
+
+dev_read_urand(sysstat_t)
+
+files_search_var(sysstat_t)
+# for mtab
+files_read_etc_runtime_files(sysstat_t)
+#for fstab
+files_read_etc_files(sysstat_t)
+
+fs_getattr_xattr_fs(sysstat_t)
+
+term_use_console(sysstat_t)
+
+init_use_fds(sysstat_t)
+init_use_script_ptys(sysstat_t)
+
+libs_use_ld_so(sysstat_t)
+libs_use_shared_libs(sysstat_t)
+
+miscfiles_read_localization(sysstat_t)
+
+userdom_dontaudit_list_sysadm_home_dirs(sysstat_t)
+
+optional_policy(`
+	cron_system_entry(sysstat_t,sysstat_exec_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(sysstat_t)
+')
diff --git a/policy/modules/services/tcpd.fc b/policy/modules/services/tcpd.fc
new file mode 100644
index 0000000..2e8d7a1
--- /dev/null
+++ b/policy/modules/services/tcpd.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/tcpd		--	gen_context(system_u:object_r:tcpd_exec_t,s0)
diff --git a/policy/modules/services/tcpd.if b/policy/modules/services/tcpd.if
new file mode 100644
index 0000000..16e8fb1
--- /dev/null
+++ b/policy/modules/services/tcpd.if
@@ -0,0 +1,24 @@
+## <summary>Policy for TCP daemon.</summary>
+
+########################################
+## <summary>
+##	Execute tcpd in the tcpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`tcpd_domtrans',`
+	gen_require(`
+		type tcpd_t, tcpd_exec_t;
+	')
+
+	domain_auto_trans($1,tcpd_exec_t,tcpd_t)
+
+	allow $1 tcpd_t:fd use;
+	allow tcpd_t $1:fd use;
+	allow tcpd_t $1:fifo_file rw_file_perms;
+	allow tcpd_t $1:process sigchld;
+')
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
new file mode 100644
index 0000000..a902b93
--- /dev/null
+++ b/policy/modules/services/tcpd.te
@@ -0,0 +1,78 @@
+
+policy_module(tcpd,1.0.3)
+
+########################################
+#
+# Declarations
+#
+type tcpd_t;
+type tcpd_exec_t;
+inetd_tcp_service_domain(tcpd_t,tcpd_exec_t)
+role system_r types tcpd_t;
+
+type tcpd_tmp_t;
+files_tmp_file(tcpd_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow tcpd_t self:tcp_socket create_stream_socket_perms;
+
+allow tcpd_t tcpd_tmp_t:dir create_dir_perms;
+allow tcpd_t tcpd_tmp_t:file create_file_perms;
+files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
+
+corenet_non_ipsec_sendrecv(tcpd_t)
+corenet_tcp_sendrecv_all_if(tcpd_t)
+corenet_tcp_sendrecv_all_nodes(tcpd_t)
+corenet_tcp_sendrecv_all_ports(tcpd_t)
+
+fs_getattr_xattr_fs(tcpd_t)
+
+# Run other daemons in the inetd child domain.
+corecmd_search_bin(tcpd_t)
+corecmd_search_sbin(tcpd_t)
+
+files_read_etc_files(tcpd_t)
+# no good reason for files_dontaudit_search_var, probably nscd
+files_dontaudit_search_var(tcpd_t)
+
+libs_use_ld_so(tcpd_t)
+libs_use_shared_libs(tcpd_t)
+
+logging_send_syslog_msg(tcpd_t)
+
+miscfiles_read_localization(tcpd_t)
+
+sysnet_read_config(tcpd_t)
+
+inetd_domtrans_child(tcpd_t)
+
+optional_policy(`
+	finger_domtrans(tcpd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(tcpd_t)
+')
+
+optional_policy(`
+	nagios_domtrans_nrpe(tcpd_t)
+')
+
+optional_policy(`
+	portmap_udp_send(tcpd_t)
+')
+
+optional_policy(`
+	rlogin_domtrans(tcpd_t)
+')
+
+optional_policy(`
+	rshd_domtrans(tcpd_t)
+')
+
+optional_policy(`
+	uwimap_domtrans(tcpd_t)
+')
diff --git a/policy/modules/services/telnet.fc b/policy/modules/services/telnet.fc
new file mode 100644
index 0000000..7405170
--- /dev/null
+++ b/policy/modules/services/telnet.fc
@@ -0,0 +1,4 @@
+
+/usr/sbin/in\.telnetd		--	gen_context(system_u:object_r:telnetd_exec_t,s0)
+
+/usr/kerberos/sbin/telnetd 	--	gen_context(system_u:object_r:telnetd_exec_t,s0)
diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if
new file mode 100644
index 0000000..58e7ec0
--- /dev/null
+++ b/policy/modules/services/telnet.if
@@ -0,0 +1 @@
+## <summary>Telnet daemon</summary>
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
new file mode 100644
index 0000000..005992d
--- /dev/null
+++ b/policy/modules/services/telnet.te
@@ -0,0 +1,104 @@
+
+policy_module(telnet,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type telnetd_t;
+type telnetd_exec_t;
+inetd_service_domain(telnetd_t,telnetd_exec_t)
+role system_r types telnetd_t;
+
+type telnetd_devpts_t; #, userpty_type;
+term_login_pty(telnetd_devpts_t)
+
+type telnetd_tmp_t;
+files_tmp_file(telnetd_tmp_t)
+
+type telnetd_var_run_t;
+files_pid_file(telnetd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow telnetd_t self:process signal_perms;
+allow telnetd_t self:fifo_file rw_file_perms;
+allow telnetd_t self:tcp_socket connected_stream_socket_perms;
+allow telnetd_t self:udp_socket create_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow telnetd_t self:capability { setuid setgid };
+
+allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(telnetd_t,telnetd_devpts_t)
+
+allow telnetd_t telnetd_tmp_t:dir create_dir_perms;
+allow telnetd_t telnetd_tmp_t:file create_file_perms;
+files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
+
+allow telnetd_t telnetd_var_run_t:file create_file_perms;
+allow telnetd_t telnetd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(telnetd_t,telnetd_var_run_t,file)
+
+kernel_read_kernel_sysctls(telnetd_t)
+kernel_read_system_state(telnetd_t)
+kernel_read_network_state(telnetd_t)
+
+corenet_non_ipsec_sendrecv(telnetd_t)
+corenet_tcp_sendrecv_all_if(telnetd_t)
+corenet_udp_sendrecv_all_if(telnetd_t)
+corenet_tcp_sendrecv_all_nodes(telnetd_t)
+corenet_udp_sendrecv_all_nodes(telnetd_t)
+corenet_tcp_sendrecv_all_ports(telnetd_t)
+corenet_udp_sendrecv_all_ports(telnetd_t)
+
+dev_read_urand(telnetd_t)
+
+fs_getattr_xattr_fs(telnetd_t)
+
+auth_rw_login_records(telnetd_t)
+
+corecmd_search_sbin(telnetd_t)
+
+files_read_etc_files(telnetd_t)
+files_read_etc_runtime_files(telnetd_t)
+# for identd; cjp: this should probably only be inetd_child rules?
+files_search_home(telnetd_t)
+
+init_rw_utmp(telnetd_t)
+
+libs_use_ld_so(telnetd_t)
+libs_use_shared_libs(telnetd_t)
+
+logging_send_syslog_msg(telnetd_t)
+
+miscfiles_read_localization(telnetd_t)
+
+seutil_dontaudit_search_config(telnetd_t)
+
+sysnet_read_config(telnetd_t)
+
+remotelogin_domtrans(telnetd_t)
+
+# for identd; cjp: this should probably only be inetd_child rules?
+optional_policy(`
+	kerberos_use(telnetd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(telnetd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(telnetd_t)
+')
+
+ifdef(`TODO',`
+# Allow krb5 telnetd to use fork and open /dev/tty for use
+allow telnetd_t userpty_type:chr_file setattr;
+')
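Review bot: telnetd_t's self capabilities are split across two rules, `{ fsetid chown fowner sys_tty_config dac_override }` at the top of the local policy and `{ setuid setgid }` after the netlink_tcpdiag rule; merge them into one `allow telnetd_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };` so the full capability set of this network-facing daemon is visible in one place. The `ifdef(`TODO', ...)` block at the end references `userpty_type`, which is not declared anywhere in this module, and the `#, userpty_type;` remnant on the telnetd_devpts_t declaration is likewise stale; either finish the conversion to a term_* interface or remove both rather than leaving dead policy text behind.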
diff --git a/policy/modules/services/tftp.fc b/policy/modules/services/tftp.fc
new file mode 100644
index 0000000..bb4a3be
--- /dev/null
+++ b/policy/modules/services/tftp.fc
@@ -0,0 +1,6 @@
+
+/usr/sbin/atftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
+/usr/sbin/in\.tftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
+
+/tftpboot		-d	gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot/.*			gen_context(system_u:object_r:tftpdir_t,s0)
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
new file mode 100644
index 0000000..ad41363
--- /dev/null
+++ b/policy/modules/services/tftp.if
@@ -0,0 +1 @@
+## <summary>Trivial file transfer protocol daemon</summary>
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
new file mode 100644
index 0000000..4df1189
--- /dev/null
+++ b/policy/modules/services/tftp.te
@@ -0,0 +1,102 @@
+
+policy_module(tftp,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type tftpd_t;
+type tftpd_exec_t;
+init_daemon_domain(tftpd_t,tftpd_exec_t)
+inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
+
+type tftpd_var_run_t;
+files_pid_file(tftpd_var_run_t)
+
+type tftpdir_t;
+files_type(tftpdir_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tftpd_t self:capability { setgid setuid sys_chroot };
+allow tftpd_t self:tcp_socket create_stream_socket_perms;
+allow tftpd_t self:udp_socket create_socket_perms;
+allow tftpd_t self:unix_dgram_socket create_socket_perms;
+allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit tftpd_t self:capability sys_tty_config;
+
+allow tftpd_t tftpdir_t:dir { getattr read search };
+allow tftpd_t tftpdir_t:file { read getattr };
+allow tftpd_t tftpdir_t:lnk_file { getattr read };
+
+allow tftpd_t tftpd_var_run_t:file create_file_perms;
+allow tftpd_t tftpd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
+
+kernel_read_kernel_sysctls(tftpd_t)
+kernel_list_proc(tftpd_t)
+kernel_read_proc_symlinks(tftpd_t)
+
+corenet_non_ipsec_sendrecv(tftpd_t)
+corenet_tcp_sendrecv_all_if(tftpd_t)
+corenet_udp_sendrecv_all_if(tftpd_t)
+corenet_tcp_sendrecv_all_nodes(tftpd_t)
+corenet_udp_sendrecv_all_nodes(tftpd_t)
+corenet_tcp_sendrecv_all_ports(tftpd_t)
+corenet_udp_sendrecv_all_ports(tftpd_t)
+corenet_tcp_bind_all_nodes(tftpd_t)
+corenet_udp_bind_all_nodes(tftpd_t)
+corenet_udp_bind_tftp_port(tftpd_t)
+corenet_sendrecv_tftp_server_packets(tftpd_t)
+
+dev_read_sysfs(tftpd_t)
+
+fs_getattr_all_fs(tftpd_t)
+fs_search_auto_mountpoints(tftpd_t)
+
+term_dontaudit_use_console(tftpd_t)
+
+domain_use_interactive_fds(tftpd_t)
+
+files_read_etc_files(tftpd_t);
+files_read_var_files(tftpd_t)
+files_read_var_symlinks(tftpd_t)
+files_search_var(tftpd_t)
+
+init_use_fds(tftpd_t)
+init_use_script_ptys(tftpd_t)
+
+libs_use_ld_so(tftpd_t)
+libs_use_shared_libs(tftpd_t)
+
+logging_send_syslog_msg(tftpd_t)
+
+miscfiles_read_localization(tftpd_t)
+
+sysnet_read_config(tftpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
+userdom_dontaudit_use_sysadm_ttys(tftpd_t)
+userdom_dontaudit_search_sysadm_home_dirs(tftpd_t)
+
+ifdef(`targeted_policy', `
+        term_dontaudit_use_unallocated_ttys(tftpd_t)
+        term_dontaudit_use_generic_ptys(tftpd_t)
+        files_dontaudit_read_root_files(tftpd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(tftpd_t)
+')
+
+optional_policy(`
+        seutil_sigchld_newrole(tftpd_t)
+')
+
+optional_policy(`
+        udev_read_db(tftpd_t)
+')
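Review bot: `files_read_etc_files(tftpd_t);` carries a stray trailing semicolon; no other interface call in this file is terminated with `;`, and the extra token is passed through to the expanded policy, where checkpolicy is likely to reject it as a syntax error — write `files_read_etc_files(tftpd_t)`. The `ifdef(`targeted_policy', ...)` block and the last two `optional_policy` blocks are indented with spaces while the rest of the file uses tabs, so normalize them to tabs.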
diff --git a/policy/modules/services/timidity.fc b/policy/modules/services/timidity.fc
new file mode 100644
index 0000000..ed5eef3
--- /dev/null
+++ b/policy/modules/services/timidity.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/timidity	--	gen_context(system_u:object_r:timidity_exec_t,s0)
diff --git a/policy/modules/services/timidity.if b/policy/modules/services/timidity.if
new file mode 100644
index 0000000..989b240
--- /dev/null
+++ b/policy/modules/services/timidity.if
@@ -0,0 +1 @@
+## <summary>MIDI to WAV converter and player configured as a service</summary>
diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te
new file mode 100644
index 0000000..86d9c26
--- /dev/null
+++ b/policy/modules/services/timidity.te
@@ -0,0 +1,96 @@
+
+policy_module(timidity,1.1.1)
+
+# Note: You only need this policy if you want to run timidity as a server
+
+########################################
+#
+# Declarations
+#
+
+type timidity_t;
+type timidity_exec_t;
+init_daemon_domain(timidity_t,timidity_exec_t)
+
+type timidity_tmpfs_t;
+files_tmpfs_file(timidity_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow timidity_t self:capability { dac_override dac_read_search };
+dontaudit timidity_t self:capability sys_tty_config;
+allow timidity_t self:process { signal_perms getsched };
+allow timidity_t self:shm create_shm_perms;
+allow timidity_t self:unix_stream_socket create_stream_socket_perms;
+allow timidity_t self:tcp_socket create_stream_socket_perms;
+allow timidity_t self:udp_socket create_socket_perms;
+
+allow timidity_t timidity_tmpfs_t:dir create_dir_perms;
+allow timidity_t timidity_tmpfs_t:file create_file_perms;
+allow timidity_t timidity_tmpfs_t:lnk_file create_lnk_perms;
+allow timidity_t timidity_tmpfs_t:sock_file create_file_perms;
+allow timidity_t timidity_tmpfs_t:fifo_file create_file_perms;
+fs_tmpfs_filetrans(timidity_t,timidity_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(timidity_t)
+# read /proc/cpuinfo
+kernel_read_system_state(timidity_t)
+
+corenet_non_ipsec_sendrecv(timidity_t)
+corenet_tcp_sendrecv_generic_if(timidity_t)
+corenet_udp_sendrecv_generic_if(timidity_t)
+corenet_tcp_sendrecv_all_nodes(timidity_t)
+corenet_udp_sendrecv_all_nodes(timidity_t)
+corenet_tcp_sendrecv_all_ports(timidity_t)
+corenet_udp_sendrecv_all_ports(timidity_t)
+
+dev_read_sysfs(timidity_t)
+dev_read_sound(timidity_t)
+dev_write_sound(timidity_t)
+
+fs_search_auto_mountpoints(timidity_t)
+
+term_dontaudit_use_console(timidity_t)
+
+domain_use_interactive_fds(timidity_t)
+
+files_search_tmp(timidity_t)
+# read /usr/share/alsa/alsa.conf
+files_read_usr_files(timidity_t)
+# read /etc/esd.conf
+files_read_etc_files(timidity_t)
+
+init_use_fds(timidity_t)
+init_use_script_ptys(timidity_t)
+
+libs_use_ld_so(timidity_t)
+libs_use_shared_libs(timidity_t)
+# read libartscbackend.la
+libs_read_lib_files(timidity_t)
+
+logging_send_syslog_msg(timidity_t)
+
+sysnet_read_config(timidity_t)
+
+userdom_dontaudit_use_unpriv_user_fds(timidity_t)
+# stupid timidity won't start if it can't search its current directory.
+# allow this so /etc/init.d/alsasound start works from /root
+# cjp: this should be fixed if possible so this rule can be removed.
+userdom_search_sysadm_home_dirs(timidity_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(timidity_t)
+	term_dontaudit_use_generic_ptys(timidity_t)
+	files_dontaudit_read_root_files(timidity_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(timidity_t)
+')
+
+optional_policy(`
+	udev_read_db(timidity_t)
+')
diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
new file mode 100644
index 0000000..3ae4b72
--- /dev/null
+++ b/policy/modules/services/tor.fc
@@ -0,0 +1,7 @@
+/etc/tor(/.*)?			gen_context(system_u:object_r:tor_etc_t,s0)
+
+/usr/sbin/tor		--	gen_context(system_u:object_r:tor_exec_t,s0)
+
+/var/lib/tor(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
+/var/log/tor(/.*)?		gen_context(system_u:object_r:tor_var_log_t,s0)
+/var/run/tor(/.*)?		gen_context(system_u:object_r:tor_var_run_t,s0)
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
new file mode 100644
index 0000000..7427b97
--- /dev/null
+++ b/policy/modules/services/tor.if
@@ -0,0 +1,24 @@
+## <summary>TOR, the onion router</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run TOR.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tor_domtrans',`
+	gen_require(`
+		type tor_t, tor_exec_t;
+	')
+
+	domain_auto_trans($1,tor_exec_t,tor_t)
+
+	allow $1 tor_t:fd use;
+	allow tor_t $1:fd use;
+	allow tor_t $1:fifo_file rw_file_perms;
+	allow tor_t $1:process sigchld;
+')
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
new file mode 100644
index 0000000..aa9c4a5
--- /dev/null
+++ b/policy/modules/services/tor.te
@@ -0,0 +1,99 @@
+
+policy_module(tor,1.0.3)
+
+########################################
+#
+# Declarations
+#
+
+type tor_t;
+type tor_exec_t;
+init_daemon_domain(tor_t, tor_exec_t)
+
+# etc/tor
+type tor_etc_t;
+files_config_file(tor_etc_t)
+
+# var/lib/tor
+type tor_var_lib_t;
+files_type(tor_var_lib_t)
+
+# log files
+type tor_var_log_t;
+logging_log_file(tor_var_log_t)
+
+# pid files
+type tor_var_run_t;
+files_pid_file(tor_var_run_t)
+
+########################################
+#
+# tor local policy
+#
+
+allow tor_t self:fifo_file { read write };
+allow tor_t self:unix_stream_socket create_stream_socket_perms;
+allow tor_t self:netlink_route_socket r_netlink_socket_perms;
+allow tor_t self:tcp_socket create_stream_socket_perms;
+
+# configuration files
+allow tor_t tor_etc_t:dir r_dir_perms;
+allow tor_t tor_etc_t:file r_file_perms;
+allow tor_t tor_etc_t:lnk_file { getattr read };
+
+# var/lib/tor files
+allow tor_t tor_var_lib_t:file create_file_perms;
+allow tor_t tor_var_lib_t:sock_file create_file_perms;
+allow tor_t tor_var_lib_t:dir create_dir_perms;
+files_usr_filetrans(tor_t,tor_var_lib_t,file)
+files_var_filetrans(tor_t,tor_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(tor_t,tor_var_lib_t,file)
+
+# log files
+allow tor_t tor_var_log_t:file create_file_perms;
+allow tor_t tor_var_log_t:sock_file create_file_perms;
+allow tor_t tor_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(tor_t,tor_var_log_t,{ sock_file file dir })
+
+# pid file
+allow tor_t tor_var_run_t:file manage_file_perms;
+allow tor_t tor_var_run_t:sock_file manage_file_perms;
+allow tor_t tor_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(tor_t,tor_var_run_t, { file sock_file })
+
+# networking basics
+corenet_non_ipsec_sendrecv(tor_t)
+corenet_tcp_sendrecv_all_if(tor_t)
+corenet_tcp_sendrecv_all_nodes(tor_t)
+corenet_tcp_sendrecv_all_ports(tor_t)
+corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+corenet_tcp_bind_all_nodes(tor_t)
+corenet_tcp_bind_tor_port(tor_t)
+corenet_sendrecv_tor_server_packets(tor_t)
+# TOR will need to connect to various ports
+corenet_tcp_connect_all_ports(tor_t)
+corenet_sendrecv_all_client_packets(tor_t)
+# ... especially including port 80 and other privileged ports
+corenet_tcp_connect_all_reserved_ports(tor_t)
+
+# tor uses crypto and needs random
+dev_read_urand(tor_t)
+
+domain_use_interactive_fds(tor_t)
+
+files_read_etc_files(tor_t)
+
+# comm with init
+init_use_fds(tor_t)
+init_use_script_ptys(tor_t)
+
+libs_use_ld_so(tor_t)
+libs_use_shared_libs(tor_t)
+
+miscfiles_read_localization(tor_t)
+
+sysnet_dns_name_resolve(tor_t)
+
+optional_policy(`
+	seutil_sigchld_newrole(tor_t)
+')
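Review bot: `files_usr_filetrans(tor_t,tor_var_lib_t,file)` makes tor_t create tor_var_lib_t-labelled files directly under /usr, which does not match the tor.fc entries in this commit (only /var/lib/tor is labelled tor_var_lib_t) and is not explained by the `# var/lib/tor files` comment above it; no write access to /usr is granted anywhere in this hunk, so the transition is either dead or relies on a rule outside this module. Either drop it or add a comment naming the path tor actually writes there, e.g. `# tor writes <path> under /usr on <distro> — TODO confirm`. The broad `corenet_tcp_connect_all_ports` and `corenet_tcp_connect_all_reserved_ports` grants are at least commented; the same one-line justification would help for `create_dir_perms` on tor_var_lib_t and `{ rw_dir_perms setattr }` on tor_var_log_t.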
diff --git a/policy/modules/services/transproxy.fc b/policy/modules/services/transproxy.fc
new file mode 100644
index 0000000..ce33f17
--- /dev/null
+++ b/policy/modules/services/transproxy.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tproxy	--	gen_context(system_u:object_r:transproxy_exec_t,s0)
+
+/var/run/tproxy\.pid	--	gen_context(system_u:object_r:transproxy_var_run_t,s0)
diff --git a/policy/modules/services/transproxy.if b/policy/modules/services/transproxy.if
new file mode 100644
index 0000000..23323f9
--- /dev/null
+++ b/policy/modules/services/transproxy.if
@@ -0,0 +1 @@
+## <summary>HTTP transperant proxy</summary>
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
new file mode 100644
index 0000000..91edbeb
--- /dev/null
+++ b/policy/modules/services/transproxy.te
@@ -0,0 +1,80 @@
+
+policy_module(transproxy,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type transproxy_t;
+type transproxy_exec_t;
+init_daemon_domain(transproxy_t,transproxy_exec_t)
+
+type transproxy_var_run_t;
+files_pid_file(transproxy_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow transproxy_t self:capability { setgid setuid };
+dontaudit transproxy_t self:capability sys_tty_config;
+allow transproxy_t self:process signal_perms;
+allow transproxy_t self:tcp_socket create_stream_socket_perms;
+
+allow transproxy_t transproxy_var_run_t:file create_file_perms;
+allow transproxy_t transproxy_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(transproxy_t,transproxy_var_run_t,file)
+
+kernel_read_kernel_sysctls(transproxy_t)
+kernel_list_proc(transproxy_t)
+kernel_read_proc_symlinks(transproxy_t)
+
+corenet_non_ipsec_sendrecv(transproxy_t)
+corenet_tcp_sendrecv_generic_if(transproxy_t)
+corenet_tcp_sendrecv_all_nodes(transproxy_t)
+corenet_tcp_sendrecv_all_ports(transproxy_t)
+corenet_tcp_bind_all_nodes(transproxy_t)
+corenet_tcp_bind_transproxy_port(transproxy_t)
+corenet_sendrecv_transproxy_server_packets(transproxy_t)
+
+dev_read_sysfs(transproxy_t)
+
+domain_use_interactive_fds(transproxy_t)
+
+files_read_etc_files(transproxy_t)
+
+fs_getattr_all_fs(transproxy_t)
+fs_search_auto_mountpoints(transproxy_t)
+
+term_dontaudit_use_console(transproxy_t)
+
+init_use_fds(transproxy_t)
+init_use_script_ptys(transproxy_t)
+
+libs_use_ld_so(transproxy_t)
+libs_use_shared_libs(transproxy_t)
+
+logging_send_syslog_msg(transproxy_t)
+
+miscfiles_read_localization(transproxy_t)
+
+sysnet_read_config(transproxy_t)
+
+userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
+userdom_dontaudit_search_sysadm_home_dirs(transproxy_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(transproxy_t)
+	term_dontaudit_use_generic_ptys(transproxy_t)
+	files_dontaudit_read_root_files(transproxy_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(transproxy_t)
+')
+
+optional_policy(`
+	udev_read_db(transproxy_t)
+')
diff --git a/policy/modules/services/ucspitcp.fc b/policy/modules/services/ucspitcp.fc
new file mode 100644
index 0000000..667d0b5
--- /dev/null
+++ b/policy/modules/services/ucspitcp.fc
@@ -0,0 +1,3 @@
+
+/usr/bin/rblsmtpd	--	gen_context(system_u:object_r:rblsmtpd_exec_t,s0)
+/usr/bin/tcpserver	--	gen_context(system_u:object_r:ucspitcp_exec_t,s0)
diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if
new file mode 100644
index 0000000..03f11c5
--- /dev/null
+++ b/policy/modules/services/ucspitcp.if
@@ -0,0 +1,40 @@
+## <summary>ucspitcp policy</summary>
+## <desc>
+##      <p>
+##              Policy for DJB's ucspi-tcpd
+##      </p>
+## </desc>
+
+########################################
+## <summary>
+##      Define a specified domain as a ucspitcp service.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##      The type associated with the process program.
+##	</summary>
+## </param>
+#
+interface(`ucspitcp_service_domain', `
+	gen_require(`
+		type ucspitcp_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1,$2)
+
+	role system_r types $1;
+
+	domain_auto_trans(ucspitcp_t, $2, $1)
+
+	allow $1 ucspitcp_t:fd use;
+	allow $1 ucspitcp_t:process sigchld;
+	allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
+')
+
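Review bot: The XML doc comments in `ucspitcp_service_domain` mix space-indented lines (`##      Define a specified domain ...`, `##      Domain allowed access.`) with tab-indented ones (`##	<summary>`); the sibling interfaces in this commit (sysstat.if, tcpd.if, tor.if) use a single tab after `##`, so normalize to that. Unlike `tcpd_domtrans` and `tor_domtrans`, this interface lets the child use the parent's fd and tcp_socket but grants no `fifo_file` access on the parent; if tcpserver never hands a pipe to the service this is fine, but a short comment stating that the omission is intentional would stop the next reader from "fixing" it.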
diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te
new file mode 100644
index 0000000..26fed63
--- /dev/null
+++ b/policy/modules/services/ucspitcp.te
@@ -0,0 +1,101 @@
+
+policy_module(ucspitcp,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+type rblsmtpd_t;
+type rblsmtpd_exec_t;
+init_system_domain(rblsmtpd_t,rblsmtpd_exec_t)
+role system_r types rblsmtpd_t;
+
+type ucspitcp_t;
+type ucspitcp_exec_t;
+init_system_domain(ucspitcp_t,ucspitcp_exec_t)
+role system_r types ucspitcp_t;
+
+########################################
+#
+# Local policy for rblsmtpd
+#
+
+ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
+
+allow rblsmtpd_t self:process { fork sigchld };
+
+corecmd_search_bin(rblsmtpd_t)
+
+corenet_tcp_sendrecv_all_if(rblsmtpd_t)
+corenet_udp_sendrecv_all_if(rblsmtpd_t)
+corenet_tcp_sendrecv_all_nodes(rblsmtpd_t)
+corenet_udp_sendrecv_all_nodes(rblsmtpd_t)
+corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
+corenet_udp_sendrecv_all_ports(rblsmtpd_t)
+corenet_non_ipsec_sendrecv(rblsmtpd_t)
+corenet_tcp_bind_all_nodes(rblsmtpd_t)
+corenet_udp_bind_generic_port(rblsmtpd_t)
+
+files_read_etc_files(rblsmtpd_t)
+files_search_var(rblsmtpd_t)
+
+libs_use_ld_so(rblsmtpd_t)
+libs_use_shared_libs(rblsmtpd_t)
+
+optional_policy(`
+	daemontools_ipc_domain(rblsmtpd_t)
+')
+
+########################################
+#
+# Local policy for tcpserver
+#
+
+allow ucspitcp_t self:capability { setgid setuid };
+allow ucspitcp_t self:fifo_file { read write };
+allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
+allow ucspitcp_t self:udp_socket create_socket_perms;
+
+corecmd_search_bin(ucspitcp_t)
+corecmd_search_sbin(ucspitcp_t)
+
+# base networking:
+corenet_non_ipsec_sendrecv(ucspitcp_t)
+corenet_tcp_sendrecv_all_if(ucspitcp_t)
+corenet_udp_sendrecv_all_if(ucspitcp_t)
+corenet_tcp_sendrecv_all_nodes(ucspitcp_t)
+corenet_udp_sendrecv_all_nodes(ucspitcp_t)
+corenet_tcp_sendrecv_all_ports(ucspitcp_t)
+corenet_udp_sendrecv_all_ports(ucspitcp_t)
+corenet_tcp_bind_all_nodes(ucspitcp_t)
+corenet_udp_bind_all_nodes(ucspitcp_t)
+
+# server ports:
+corenet_tcp_bind_ftp_port(ucspitcp_t)
+corenet_tcp_bind_ftp_data_port(ucspitcp_t)
+corenet_tcp_bind_http_port(ucspitcp_t)
+corenet_tcp_bind_smtp_port(ucspitcp_t)
+corenet_tcp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_generic_port(ucspitcp_t)
+
+# server packets:
+corenet_sendrecv_ftp_server_packets(ucspitcp_t)
+corenet_sendrecv_http_server_packets(ucspitcp_t)
+corenet_sendrecv_smtp_server_packets(ucspitcp_t)
+corenet_sendrecv_dns_server_packets(ucspitcp_t)
+corenet_sendrecv_generic_server_packets(ucspitcp_t)
+
+files_search_var(ucspitcp_t)
+files_read_etc_files(ucspitcp_t)
+
+libs_use_ld_so(ucspitcp_t)
+libs_use_shared_libs(ucspitcp_t)
+
+sysnet_read_config(ucspitcp_t)
+
+optional_policy(`
+	daemontools_service_domain(ucspitcp_t,ucspitcp_exec_t)
+	daemontools_read_svc(ucspitcp_t)
+')
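Review bot: rblsmtpd_t gets `corenet_udp_bind_generic_port(rblsmtpd_t)` but only `corenet_tcp_bind_all_nodes(rblsmtpd_t)`; binding a UDP port also requires a udp_socket node_bind, which the tcp interface does not provide, so either `corenet_udp_bind_all_nodes(rblsmtpd_t)` is missing or the UDP port bind is unnecessary for an RBL filter that presumably only queries DNS as a client. The tcpserver policy below is consistent with itself (`corenet_tcp_bind_all_nodes` and `corenet_udp_bind_all_nodes` both present), so align rblsmtpd_t with it or drop the bind. rblsmtpd_t also has no `self:tcp_socket` or `self:udp_socket` rule here, so it apparently relies on the sockets it inherits through `ucspitcp_service_domain`; a comment saying so would make the dependency explicit.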
diff --git a/policy/modules/services/uptime.fc b/policy/modules/services/uptime.fc
new file mode 100644
index 0000000..1f22545
--- /dev/null
+++ b/policy/modules/services/uptime.fc
@@ -0,0 +1,6 @@
+
+/etc/uptimed\.conf	--	gen_context(system_u:object_r:uptimed_etc_t,s0)
+
+/usr/sbin/uptimed	--	gen_context(system_u:object_r:uptimed_exec_t,s0)
+
+/var/spool/uptimed(/.*)?        gen_context(system_u:object_r:uptimed_spool_t,s0)
diff --git a/policy/modules/services/uptime.if b/policy/modules/services/uptime.if
new file mode 100644
index 0000000..447abf7
--- /dev/null
+++ b/policy/modules/services/uptime.if
@@ -0,0 +1 @@
+## <summary>Uptime daemon</summary>
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
new file mode 100644
index 0000000..0e02460
--- /dev/null
+++ b/policy/modules/services/uptime.te
@@ -0,0 +1,90 @@
+
+policy_module(uptime,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type uptimed_t;
+type uptimed_exec_t;
+init_daemon_domain(uptimed_t,uptimed_exec_t)
+
+type uptimed_etc_t alias etc_uptimed_t;
+files_config_file(uptimed_etc_t)
+
+type uptimed_spool_t;
+files_type(uptimed_spool_t)
+
+type uptimed_var_run_t;
+files_pid_file(uptimed_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit uptimed_t self:capability sys_tty_config;
+allow uptimed_t self:process signal_perms;
+allow uptimed_t self:fifo_file { getattr write };
+
+allow uptimed_t uptimed_etc_t:file { getattr read };
+files_search_etc(uptimed_t)
+
+allow uptimed_t uptimed_spool_t:file manage_file_perms;
+
+allow uptimed_t uptimed_var_run_t:file manage_file_perms;
+allow uptimed_t uptimed_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(uptimed_t,uptimed_var_run_t,file)
+
+allow uptimed_t uptimed_spool_t:dir manage_dir_perms;
+allow uptimed_t uptimed_spool_t:file manage_file_perms;
+files_spool_filetrans(uptimed_t,uptimed_spool_t,{ dir file })
+
+kernel_read_system_state(uptimed_t)
+kernel_read_kernel_sysctls(uptimed_t)
+
+corecmd_exec_shell(uptimed_t)
+corecmd_search_sbin(uptimed_t)
+
+dev_read_sysfs(uptimed_t)
+
+domain_use_interactive_fds(uptimed_t)
+
+files_read_etc_runtime_files(uptimed_t)
+
+fs_getattr_all_fs(uptimed_t)
+fs_search_auto_mountpoints(uptimed_t)
+
+term_dontaudit_use_console(uptimed_t)
+
+init_use_fds(uptimed_t)
+init_use_script_ptys(uptimed_t)
+
+libs_use_ld_so(uptimed_t)
+libs_use_shared_libs(uptimed_t)
+
+logging_send_syslog_msg(uptimed_t)
+
+miscfiles_read_localization(uptimed_t)
+
+userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
+userdom_dontaudit_search_sysadm_home_dirs(uptimed_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(uptimed_t)
+	term_dontaudit_use_generic_ptys(uptimed_t)
+	files_dontaudit_read_root_files(uptimed_t)
+')
+
+optional_policy(`
+	mta_send_mail(uptimed_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(uptimed_t)
+')
+
+optional_policy(`
+	udev_read_db(uptimed_t)
+')
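Review bot: The rule `allow uptimed_t uptimed_spool_t:file manage_file_perms;` appears twice in this hunk, once right after `files_search_etc(uptimed_t)` and again beside the `uptimed_spool_t:dir manage_dir_perms` rule; the first copy should be dropped so the spool rules live in one place. The declaration `type uptimed_etc_t alias etc_uptimed_t;` carries an alias with no visible consumer in this module; if it is kept for compatibility with an older policy, a one-line comment such as `# alias kept for compatibility with the pre-refpolicy uptimed policy` would tell the next reader why it must stay.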
diff --git a/policy/modules/services/uucp.fc b/policy/modules/services/uucp.fc
new file mode 100644
index 0000000..f1c2fea
--- /dev/null
+++ b/policy/modules/services/uucp.fc
@@ -0,0 +1,7 @@
+
+/usr/sbin/uucico	--	gen_context(system_u:object_r:uucpd_exec_t,s0)
+
+/var/spool/uucp(/.*)?		gen_context(system_u:object_r:uucpd_spool_t,s0)
+/var/spool/uucppublic(/.*)?	gen_context(system_u:object_r:uucpd_spool_t,s0)
+
+/var/log/uucp(/.*)?		gen_context(system_u:object_r:uucpd_log_t,s0)
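Review bot: Only `/usr/sbin/uucico` receives the `uucpd_exec_t` label, yet uucp.te declares the domain with `inetd_tcp_service_domain(uucpd_t,uucpd_exec_t)`, which keys the transition on inetd executing that file. If the inetd-spawned login server on the target systems is a separate binary, it would not be confined by this module, and uucico started by cron or a user would transition only if its caller has a rule for it; I have not checked which binary inetd runs here. A short comment stating which program inetd is expected to launch, or an additional file-context entry for that binary if it differs, would settle the question.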
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
new file mode 100644
index 0000000..5efdf15
--- /dev/null
+++ b/policy/modules/services/uucp.if
@@ -0,0 +1 @@
+## <summary>Unix to Unix Copy</summary>
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
new file mode 100644
index 0000000..0b78f3e
--- /dev/null
+++ b/policy/modules/services/uucp.te
@@ -0,0 +1,107 @@
+
+policy_module(uucp,1.1.1)
+
+########################################
+#
+# Declarations
+#
+type uucpd_t;
+type uucpd_exec_t;
+inetd_tcp_service_domain(uucpd_t,uucpd_exec_t)
+role system_r types uucpd_t;
+
+type uucpd_tmp_t;
+files_tmp_file(uucpd_tmp_t)
+
+type uucpd_var_run_t;
+files_pid_file(uucpd_var_run_t)
+
+type uucpd_rw_t;
+files_type(uucpd_rw_t)
+
+type uucpd_ro_t;
+files_type(uucpd_ro_t)
+
+type uucpd_spool_t;
+files_type(uucpd_spool_t)
+
+type uucpd_log_t;
+logging_log_file(uucpd_log_t)
+
+########################################
+#
+# Local policy
+#
+allow uucpd_t self:capability { setuid setgid };
+allow uucpd_t self:process signal_perms;
+allow uucpd_t self:fifo_file rw_file_perms;
+allow uucpd_t self:tcp_socket connected_stream_socket_perms;
+allow uucpd_t self:udp_socket create_socket_perms;
+allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+allow uucpd_t uucpd_log_t:file create_file_perms;
+allow uucpd_t uucpd_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(uucpd_t,uucpd_log_t,{ file dir })
+
+allow uucpd_t uucpd_ro_t:dir r_dir_perms;
+allow uucpd_t uucpd_ro_t:file r_file_perms;
+allow uucpd_t uucpd_ro_t:lnk_file { getattr read };
+
+allow uucpd_t uucpd_rw_t:dir create_dir_perms;
+allow uucpd_t uucpd_rw_t:file create_file_perms;
+allow uucpd_t uucpd_rw_t:lnk_file create_lnk_perms;
+
+allow uucpd_t uucpd_spool_t:dir create_dir_perms;
+allow uucpd_t uucpd_spool_t:file create_file_perms;
+allow uucpd_t uucpd_spool_t:lnk_file create_lnk_perms;
+
+allow uucpd_t uucpd_tmp_t:dir create_dir_perms;
+allow uucpd_t uucpd_tmp_t:file create_file_perms;
+files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
+
+allow uucpd_t uucpd_var_run_t:file create_file_perms;
+allow uucpd_t uucpd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(uucpd_t,uucpd_var_run_t,file)
+
+kernel_read_kernel_sysctls(uucpd_t)
+kernel_read_system_state(uucpd_t)
+kernel_read_network_state(uucpd_t)
+
+corenet_non_ipsec_sendrecv(uucpd_t)
+corenet_tcp_sendrecv_all_if(uucpd_t)
+corenet_udp_sendrecv_all_if(uucpd_t)
+corenet_tcp_sendrecv_all_nodes(uucpd_t)
+corenet_udp_sendrecv_all_nodes(uucpd_t)
+corenet_tcp_sendrecv_all_ports(uucpd_t)
+corenet_udp_sendrecv_all_ports(uucpd_t)
+
+dev_read_urand(uucpd_t)
+
+fs_getattr_xattr_fs(uucpd_t)
+
+corecmd_exec_sbin(uucpd_t)
+
+files_read_etc_files(uucpd_t)
+files_search_home(uucpd_t)
+files_search_spool(uucpd_t)
+
+libs_use_ld_so(uucpd_t)
+libs_use_shared_libs(uucpd_t)
+
+logging_send_syslog_msg(uucpd_t)
+
+miscfiles_read_localization(uucpd_t)
+
+sysnet_read_config(uucpd_t)
+
+optional_policy(`
+	kerberos_use(uucpd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(uucpd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(uucpd_t)
+')
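Review bot: `allow uucpd_t uucpd_log_t:dir { rw_dir_perms setattr };` does not grant `create`, but the following `logging_log_filetrans(uucpd_t,uucpd_log_t,{ file dir })` also names `dir`, so creating a log subdirectory under /var/log would still be denied (assuming this policy's `rw_dir_perms` set matches the usual refpolicy definition, which omits create). Either drop `dir` from the filetrans or use `create_dir_perms` as the rules for `uucpd_rw_t` and `uucpd_spool_t` in the same hunk do. Separately, `uucpd_rw_t` and `uucpd_ro_t` are declared with `files_type` but uucp.fc carries no context for either, so nothing on disk gets these labels without manual relabelling; a comment stating they are meant to be assigned by the administrator, or matching .fc entries, would make the intent clear.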
diff --git a/policy/modules/services/uwimap.fc b/policy/modules/services/uwimap.fc
new file mode 100644
index 0000000..43bdef0
--- /dev/null
+++ b/policy/modules/services/uwimap.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/imapd		-- 	gen_context(system_u:object_r:imapd_exec_t,s0)
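Review bot: Only `/usr/sbin/imapd` is labelled `imapd_exec_t`, while the summary in uwimap.if describes a POP3 and IMAP server and uwimap.te binds the pop port; the UW toolkit's POP daemons are shipped as separate binaries, so they would run in whatever domain inetd gives them unless they receive this label as well. If only IMAP is meant to be confined, the interface summary should say so; otherwise add file contexts for the POP3 binaries next to this line.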
diff --git a/policy/modules/services/uwimap.if b/policy/modules/services/uwimap.if
new file mode 100644
index 0000000..f228be9
--- /dev/null
+++ b/policy/modules/services/uwimap.if
@@ -0,0 +1,25 @@
+## <summary>University of Washington IMAP toolkit POP3 and IMAP mail server</summary>
+
+########################################
+## <summary>
+##	Execute the UW IMAP/POP3 servers with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uwimap_domtrans',`
+	gen_require(`
+		type imapd_t, imapd_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,imapd_exec_t,imapd_t)
+
+	allow $1 imapd_t:fd use;
+	allow imapd_t $1:fd use;
+	allow imapd_t $1:fifo_file rw_file_perms;
+	allow imapd_t $1:process sigchld;
+')
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
new file mode 100644
index 0000000..07ec96b
--- /dev/null
+++ b/policy/modules/services/uwimap.te
@@ -0,0 +1,102 @@
+
+policy_module(uwimap,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type imapd_t;
+type imapd_exec_t;
+init_daemon_domain(imapd_t,imapd_exec_t)
+inetd_tcp_service_domain(imapd_t,imapd_exec_t)
+
+type imapd_tmp_t;
+files_tmp_file(imapd_tmp_t)
+
+type imapd_var_run_t;
+files_pid_file(imapd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+dontaudit imapd_t self:capability sys_tty_config;
+allow imapd_t self:process signal_perms;
+allow imapd_t self:fifo_file rw_file_perms;
+allow imapd_t self:tcp_socket create_stream_socket_perms;
+
+allow imapd_t imapd_tmp_t:dir create_dir_perms;
+allow imapd_t imapd_tmp_t:file create_file_perms;
+files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
+
+allow imapd_t imapd_var_run_t:file create_file_perms;
+allow imapd_t imapd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(imapd_t,imapd_var_run_t,file)
+
+kernel_read_kernel_sysctls(imapd_t)
+kernel_list_proc(imapd_t)
+kernel_read_proc_symlinks(imapd_t)
+
+corenet_non_ipsec_sendrecv(imapd_t)
+corenet_tcp_sendrecv_generic_if(imapd_t)
+corenet_tcp_sendrecv_all_nodes(imapd_t)
+corenet_tcp_sendrecv_all_ports(imapd_t)
+corenet_tcp_bind_all_nodes(imapd_t)
+corenet_tcp_bind_pop_port(imapd_t)
+corenet_tcp_connect_all_ports(imapd_t)
+corenet_sendrecv_pop_server_packets(imapd_t)
+corenet_sendrecv_all_client_packets(imapd_t)
+
+dev_read_sysfs(imapd_t)
+#urandom, for ssl
+dev_read_rand(imapd_t)
+dev_read_urand(imapd_t)
+
+domain_use_interactive_fds(imapd_t)
+
+#read /etc/ for hostname nsswitch.conf
+files_read_etc_files(imapd_t)
+
+fs_getattr_all_fs(imapd_t)
+fs_search_auto_mountpoints(imapd_t)
+
+term_dontaudit_use_console(imapd_t)
+
+auth_domtrans_chk_passwd(imapd_t)
+
+init_use_fds(imapd_t)
+init_use_script_ptys(imapd_t)
+
+libs_use_ld_so(imapd_t)
+libs_use_shared_libs(imapd_t)
+
+logging_send_syslog_msg(imapd_t)
+
+miscfiles_read_localization(imapd_t)
+
+sysnet_read_config(imapd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(imapd_t)
+userdom_dontaudit_search_sysadm_home_dirs(imapd_t)
+# cjp: this is excessive, should be limited to the
+# mail directories
+userdom_priveleged_home_dir_manager(imapd_t)
+
+mta_rw_spool(imapd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(imapd_t)
+	term_dontaudit_use_generic_ptys(imapd_t)
+	files_dontaudit_read_root_files(imapd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(imapd_t)
+')
+
+optional_policy(`
+	udev_read_db(imapd_t)
+')
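Review bot: `corenet_tcp_connect_all_ports(imapd_t)` together with `corenet_sendrecv_all_client_packets(imapd_t)` lets a network-facing daemon that also holds `dac_override` open outbound TCP connections to any port, which is far more than a mail-reading server should need; if this exists for one backend (authentication, a mail relay), narrow it to that port's `corenet_tcp_connect_*` interface and say so in a comment. The comment `#urandom, for ssl` sits above both `dev_read_rand(imapd_t)` and `dev_read_urand(imapd_t)`; either the rand rule is unnecessary or the comment should read `# /dev/random and /dev/urandom, for ssl`.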
diff --git a/policy/modules/services/watchdog.fc b/policy/modules/services/watchdog.fc
new file mode 100644
index 0000000..7551c51
--- /dev/null
+++ b/policy/modules/services/watchdog.fc
@@ -0,0 +1,5 @@
+/usr/sbin/watchdog	--	gen_context(system_u:object_r:watchdog_exec_t,s0)
+
+/var/log/watchdog(/.*)?		gen_context(system_u:object_r:watchdog_log_t,s0)
+
+/var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/policy/modules/services/watchdog.if b/policy/modules/services/watchdog.if
new file mode 100644
index 0000000..f8acf10
--- /dev/null
+++ b/policy/modules/services/watchdog.if
@@ -0,0 +1 @@
+## <summary>Software watchdog</summary>
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
new file mode 100644
index 0000000..f6928ff
--- /dev/null
+++ b/policy/modules/services/watchdog.te
@@ -0,0 +1,121 @@
+
+policy_module(watchdog,1.0.1)
+
+#################################
+#
+# Rules for the watchdog_t domain.
+#
+
+type watchdog_t;
+type watchdog_exec_t;
+init_daemon_domain(watchdog_t,watchdog_exec_t)
+
+type watchdog_log_t;
+logging_log_file(watchdog_log_t)
+
+type watchdog_var_run_t;
+files_pid_file(watchdog_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
+dontaudit watchdog_t self:capability sys_tty_config;
+allow watchdog_t self:process { setsched signal_perms };
+allow watchdog_t self:fifo_file rw_file_perms;
+allow watchdog_t self:unix_stream_socket create_socket_perms;
+allow watchdog_t self:tcp_socket create_stream_socket_perms;
+allow watchdog_t self:udp_socket create_socket_perms;
+
+allow watchdog_t watchdog_log_t:file create_file_perms;
+logging_log_filetrans(watchdog_t,watchdog_log_t,file)
+
+allow watchdog_t watchdog_var_run_t:file create_file_perms;
+allow watchdog_t watchdog_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(watchdog_t,watchdog_var_run_t,file)
+
+kernel_read_system_state(watchdog_t)
+kernel_read_kernel_sysctls(watchdog_t)
+kernel_unmount_proc(watchdog_t)
+
+corecmd_search_sbin(watchdog_t)
+# for orderly shutdown
+corecmd_exec_shell(watchdog_t)
+
+# cjp: why networking?
+corenet_non_ipsec_sendrecv(watchdog_t)
+corenet_tcp_sendrecv_generic_if(watchdog_t)
+corenet_udp_sendrecv_generic_if(watchdog_t)
+corenet_tcp_sendrecv_all_nodes(watchdog_t)
+corenet_udp_sendrecv_all_nodes(watchdog_t)
+corenet_tcp_sendrecv_all_ports(watchdog_t)
+corenet_udp_sendrecv_all_ports(watchdog_t)
+corenet_tcp_connect_all_ports(watchdog_t)
+corenet_sendrecv_all_client_packets(watchdog_t)
+
+dev_read_sysfs(watchdog_t)
+dev_write_watchdog(watchdog_t)
+# do not care about saving the random seed
+dev_dontaudit_read_rand(watchdog_t)
+dev_dontaudit_read_urand(watchdog_t)
+
+domain_use_interactive_fds(watchdog_t)
+domain_getsession_all_domains(watchdog_t)
+domain_sigchld_all_domains(watchdog_t)
+domain_sigstop_all_domains(watchdog_t)
+domain_signull_all_domains(watchdog_t)
+domain_signal_all_domains(watchdog_t)
+domain_kill_all_domains(watchdog_t)
+
+files_read_etc_files(watchdog_t)
+# for updating mtab on umount
+files_manage_etc_runtime_files(watchdog_t)
+files_etc_filetrans_etc_runtime(watchdog_t,file)
+
+fs_unmount_xattr_fs(watchdog_t)
+fs_getattr_all_fs(watchdog_t)
+fs_search_auto_mountpoints(watchdog_t)
+
+term_dontaudit_use_console(watchdog_t)
+
+# record the fact that we are going down
+auth_append_login_records(watchdog_t)
+
+init_use_fds(watchdog_t)
+init_use_script_ptys(watchdog_t)
+
+libs_use_ld_so(watchdog_t)
+libs_use_shared_libs(watchdog_t)
+
+logging_send_syslog_msg(watchdog_t)
+
+miscfiles_read_localization(watchdog_t)
+
+sysnet_read_config(watchdog_t)
+
+userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
+userdom_dontaudit_search_sysadm_home_dirs(watchdog_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(watchdog_t)
+	term_dontaudit_use_generic_ptys(watchdog_t)
+	files_dontaudit_read_root_files(watchdog_t)
+')
+
+optional_policy(`
+	mta_send_mail(watchdog_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(watchdog_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(watchdog_t)
+')
+
+optional_policy(`
+	udev_read_db(watchdog_t)
+')
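Review bot: `allow watchdog_t watchdog_log_t:file create_file_perms;` is the only rule for the log type, but watchdog.fc labels the directory tree `/var/log/watchdog(/.*)?` with it, so the daemon has no permission to search or add entries inside that directory; a companion rule such as `allow watchdog_t watchdog_log_t:dir rw_dir_perms;` is needed for files created there, the `logging_log_filetrans` call only covers files created directly in /var/log. The two section banners are also swapped: `# Rules for the watchdog_t domain.` heads the type declarations and `# Declarations` heads the access rules, whereas the other modules in this commit use `# Declarations` first and `# Local policy` second.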
diff --git a/policy/modules/services/xfs.fc b/policy/modules/services/xfs.fc
new file mode 100644
index 0000000..8e70038
--- /dev/null
+++ b/policy/modules/services/xfs.fc
@@ -0,0 +1,8 @@
+
+/tmp/\.font-unix(/.*)?		gen_context(system_u:object_r:xfs_tmp_t,s0)
+
+/usr/bin/xfs		--	gen_context(system_u:object_r:xfs_exec_t,s0)
+/usr/bin/xfstt		--	gen_context(system_u:object_r:xfs_exec_t,s0)
+
+/usr/X11R6/bin/xfs	--	gen_context(system_u:object_r:xfs_exec_t,s0)
+/usr/X11R6/bin/xfs-xtt	--	gen_context(system_u:object_r:xfs_exec_t,s0)
diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if
new file mode 100644
index 0000000..d8bf4d1
--- /dev/null
+++ b/policy/modules/services/xfs.if
@@ -0,0 +1,63 @@
+## <summary>X Windows Font Server </summary>
+
+########################################
+## <summary>
+##	Read a X font server named socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xfs_read_sockets',`
+	gen_require(`
+		type xfs_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 xfs_tmp_t:dir search;
+	allow $1 xfs_tmp_t:sock_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Connect to a X font server over
+##	a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xfs_stream_connect',`
+	gen_require(`
+		type xfs_tmp_t, xfs_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 xfs_tmp_t:dir search;
+	allow $1 xfs_tmp_t:sock_file write;
+	allow $1 xfs_t:unix_stream_socket connectto;
+')
+
+
+########################################
+## <summary>
+##	Allow the specified domain to execute xfs
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xfs_exec',`
+	gen_require(`
+		type xfs_exec_t;
+	')
+
+	can_exec($1,xfs_exec_t)
+')
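Review bot: The summary of `xfs_exec` reads "execute xfs in the caller domain", which leaves it unclear whether a transition happens; since the body is `can_exec($1,xfs_exec_t)`, `##	Execute xfs in the caller domain, without a domain transition.` states the contract precisely. The two consecutive blank lines before that interface's banner should be collapsed to one to match the spacing of the preceding interfaces.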
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
new file mode 100644
index 0000000..5752f5d
--- /dev/null
+++ b/policy/modules/services/xfs.te
@@ -0,0 +1,100 @@
+
+policy_module(xfs,1.0.3)
+
+########################################
+#
+# Declarations
+#
+
+type xfs_t;
+type xfs_exec_t;
+init_daemon_domain(xfs_t,xfs_exec_t)
+
+type xfs_tmp_t;
+files_tmp_file(xfs_tmp_t)
+
+type xfs_var_run_t;
+files_pid_file(xfs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xfs_t self:capability { setgid setuid };
+dontaudit xfs_t self:capability sys_tty_config;
+allow xfs_t self:process { signal_perms setpgid };
+allow xfs_t self:unix_stream_socket create_stream_socket_perms;
+allow xfs_t self:unix_dgram_socket create_socket_perms;
+
+allow xfs_t xfs_tmp_t:dir create_dir_perms;
+allow xfs_t xfs_tmp_t:sock_file create_file_perms;
+files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
+
+allow xfs_t xfs_var_run_t:file create_file_perms;
+allow xfs_t xfs_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(xfs_t,xfs_var_run_t,file)
+
+# Bind to /tmp/.font-unix/fs-1.
+# cjp: I do not believe this has an effect.
+allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
+
+kernel_read_kernel_sysctls(xfs_t)
+kernel_read_system_state(xfs_t)
+
+corecmd_list_bin(xfs_t)
+corecmd_list_sbin(xfs_t)
+
+dev_read_sysfs(xfs_t)
+
+fs_getattr_all_fs(xfs_t)
+fs_search_auto_mountpoints(xfs_t)
+
+domain_use_interactive_fds(xfs_t)
+
+files_read_etc_files(xfs_t)
+files_read_etc_runtime_files(xfs_t)
+files_read_usr_files(xfs_t)
+
+term_dontaudit_use_console(xfs_t)
+
+auth_use_nsswitch(xfs_t)
+
+init_use_fds(xfs_t)
+init_use_script_ptys(xfs_t)
+
+libs_use_ld_so(xfs_t)
+libs_use_shared_libs(xfs_t)
+
+logging_send_syslog_msg(xfs_t)
+
+miscfiles_read_localization(xfs_t)
+miscfiles_read_fonts(xfs_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xfs_t)
+userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
+
+xfs_exec(xfs_t)
+
+ifdef(`distro_debian',`
+	# for /tmp/.font-unix/fs7100
+	init_script_tmp_filetrans(xfs_t,xfs_tmp_t,sock_file)
+')
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(xfs_t)
+	term_dontaudit_use_generic_ptys(xfs_t)
+	files_dontaudit_read_root_files(xfs_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(xfs_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(xfs_t)
+')
+
+optional_policy(`
+	udev_read_db(xfs_t)
+')
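Review bot: `xfs_exec(xfs_t)` calls the module's own interface from its own .te file; refpolicy convention, as far as I recall it, is that a module's interfaces are for other modules and local rules are written directly, here `can_exec(xfs_t,xfs_exec_t)`, so the interface can change without silently altering the module's own policy. A comment explaining why the font server re-executes its own binary would also help, since nothing else in the hunk indicates it.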
diff --git a/policy/modules/services/xprint.fc b/policy/modules/services/xprint.fc
new file mode 100644
index 0000000..6a857ff
--- /dev/null
+++ b/policy/modules/services/xprint.fc
@@ -0,0 +1 @@
+/usr/bin/Xprt	--	gen_context(system_u:object_r:xprint_exec_t,s0)
diff --git a/policy/modules/services/xprint.if b/policy/modules/services/xprint.if
new file mode 100644
index 0000000..e69a82a
--- /dev/null
+++ b/policy/modules/services/xprint.if
@@ -0,0 +1 @@
+## <summary>X print server</summary>
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
new file mode 100644
index 0000000..f74a498
--- /dev/null
+++ b/policy/modules/services/xprint.te
@@ -0,0 +1,99 @@
+
+policy_module(xprint,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type xprint_t;
+type xprint_exec_t;
+init_daemon_domain(xprint_t,xprint_exec_t)
+
+type xprint_var_run_t;
+files_pid_file(xprint_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit xprint_t self:capability sys_tty_config;
+allow xprint_t self:process signal_perms;
+allow xprint_t self:fifo_file rw_file_perms;
+allow xprint_t self:tcp_socket create_stream_socket_perms;
+allow xprint_t self:udp_socket create_socket_perms;
+
+allow xprint_t xprint_var_run_t:file create_file_perms;
+allow xprint_t xprint_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(xprint_t,xprint_var_run_t,file)
+
+kernel_read_system_state(xprint_t)
+kernel_read_kernel_sysctls(xprint_t)
+
+corecmd_exec_bin(xprint_t)
+corecmd_exec_sbin(xprint_t)
+corecmd_exec_ls(xprint_t)
+corecmd_exec_shell(xprint_t)
+
+corenet_non_ipsec_sendrecv(xprint_t)
+corenet_tcp_sendrecv_generic_if(xprint_t)
+corenet_udp_sendrecv_generic_if(xprint_t)
+corenet_tcp_sendrecv_all_nodes(xprint_t)
+corenet_udp_sendrecv_all_nodes(xprint_t)
+corenet_tcp_sendrecv_all_ports(xprint_t)
+corenet_udp_sendrecv_all_ports(xprint_t)
+
+dev_read_sysfs(xprint_t)
+dev_read_urand(xprint_t)
+
+domain_use_interactive_fds(xprint_t)
+
+files_read_etc_files(xprint_t)
+files_read_etc_runtime_files(xprint_t)
+files_read_usr_files(xprint_t)
+files_search_var_lib(xprint_t)
+files_search_tmp(xprint_t)
+
+fs_getattr_all_fs(xprint_t)
+fs_search_auto_mountpoints(xprint_t)
+
+term_dontaudit_use_console(xprint_t)
+
+init_use_fds(xprint_t)
+init_use_script_ptys(xprint_t)
+
+libs_use_ld_so(xprint_t)
+libs_use_shared_libs(xprint_t)
+
+logging_send_syslog_msg(xprint_t)
+
+miscfiles_read_fonts(xprint_t)
+miscfiles_read_localization(xprint_t)
+
+sysnet_read_config(xprint_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xprint_t)
+userdom_dontaudit_search_sysadm_home_dirs(xprint_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(xprint_t)
+	term_dontaudit_use_generic_ptys(xprint_t)
+	files_dontaudit_read_root_files(xprint_t)
+')
+
+optional_policy(`
+	cups_read_config(xprint_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(xprint_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(xprint_t)
+')
+
+optional_policy(`
+	udev_read_db(xprint_t)
+')
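Review bot: `corecmd_exec_bin`, `corecmd_exec_sbin`, `corecmd_exec_ls` and `corecmd_exec_shell` together let the print server execute essentially every system binary without a transition, and nothing in the hunk says why; if Xprt only needs a few helper scripts, a comment naming them (the way `# for orderly shutdown` does in watchdog.te) would justify the breadth, and otherwise the set should be trimmed to what the daemon actually invokes. I have not verified which helpers Xprt spawns, so this is a request for documentation rather than a definite removal.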
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
new file mode 100644
index 0000000..e5e55a6
--- /dev/null
+++ b/policy/modules/services/xserver.fc
@@ -0,0 +1,105 @@
+#
+# HOME_DIR
+#
+ifdef(`strict_policy',`
+HOME_DIR/\.fonts.conf	--	gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
+HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:ROLE_fonts_t,s0)
+HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
+HOME_DIR/\.fonts.cache-.* --	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
+HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
+HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
+HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
+')
+
+#
+# /dev
+#
+/dev/xconsole		-p	gen_context(system_u:object_r:xconsole_device_t,s0)
+
+#
+# /etc
+#
+
+/etc/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
+
+/etc/kde3?/kdm/Xstartup	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/Xreset	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/[wx]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+/etc/X11/wdm/Xsetup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+
+#
+# /opt
+#
+
+/opt/kde3/bin/kdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+
+#
+# /tmp
+#
+
+/tmp/\.ICE-unix		-d	gen_context(system_u:object_r:ice_tmp_t,s0)
+/tmp/\.ICE-unix/.*	-s	<<none>>
+/tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
+/tmp/\.X11-unix/.*	-s	<<none>>
+
+ifdef(`strict_policy',`
+/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
+')
+
+#
+# /usr
+#
+
+/usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/iceauth		--	gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/xauth    	--      gen_context(system_u:object_r:xauth_exec_t,s0)
+/usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+ifdef(`distro_debian', `
+/usr/sbin/gdm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+')
+
+/usr/lib(64)?/qt-.*/etc/settings(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
+
+/usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/X11R6/bin/X		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/xauth    --      gen_context(system_u:object_r:xauth_exec_t,s0)
+/usr/X11R6/bin/XFree86	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
+#
+# /var
+#
+
+/var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
+/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
+')
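Review bot: `/etc/kde3?/kdm/backgroundrc` and `/usr/lib(64)?/qt-.*/etc/settings(/.*)?` are labelled `xdm_var_run_t`, a pid-file type, although they are persistent configuration under /etc and /usr; every domain granted management of xdm's runtime files thereby also gets write access to these configuration files. The file already uses `xdm_rw_etc_t` for `/etc/X11/wdm(/.*)?`, so that type (or a dedicated one) would keep runtime and configuration labels apart; if the pid-type label is a deliberate workaround, a comment above those entries should say so. The `/usr/bin/xauth` and `/usr/X11R6/bin/xauth` entries use spaces where the rest of the file uses tabs.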
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
new file mode 100644
index 0000000..e0b8511
--- /dev/null
+++ b/policy/modules/services/xserver.if
@@ -0,0 +1,1131 @@
+## <summary>X Windows Server</summary>
+
+#######################################
+## <summary>
+##	Template to create types and rules common to
+##	all X server domains.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`xserver_common_domain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type $1_xserver_t;
+	domain_type($1_xserver_t)
+	domain_entry_file($1_xserver_t,xserver_exec_t)
+
+	type $1_xserver_tmp_t;
+	files_tmp_file($1_xserver_tmp_t)
+
+	type $1_xserver_tmpfs_t;
+	files_tmpfs_file($1_xserver_tmpfs_t)
+
+	##############################
+	#
+	# $1_xserver_t local policy
+	#
+
+	# setuid/setgid for the wrapper program to change UID
+	# sys_rawio is for iopl access - should not be needed for frame-buffer
+	# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
+	# admin of APM bios?
+	# sys_nice is so that the X server can set a negative nice value
+	# execheap needed until the X module loader is fixed.
+	# NVIDIA Needs execstack
+
+	allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+	dontaudit $1_xserver_t self:capability chown;
+	allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_xserver_t self:process { execmem execheap execstack setsched };
+	allow $1_xserver_t self:fd use;
+	allow $1_xserver_t self:fifo_file rw_file_perms;
+	allow $1_xserver_t self:sock_file r_file_perms;
+	allow $1_xserver_t self:shm create_shm_perms;
+	allow $1_xserver_t self:sem create_sem_perms;
+	allow $1_xserver_t self:msgq create_msgq_perms;
+	allow $1_xserver_t self:msg { send receive };
+	allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow $1_xserver_t self:netlink_route_socket r_netlink_socket_perms;
+	allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
+	allow $1_xserver_t self:udp_socket create_socket_perms;
+
+	allow $1_xserver_t $1_xserver_tmp_t:dir manage_dir_perms;
+	allow $1_xserver_t $1_xserver_tmp_t:file manage_file_perms;
+	allow $1_xserver_t $1_xserver_tmp_t:sock_file manage_file_perms;
+	files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
+
+	allow $1_xserver_t xdm_xserver_tmp_t:dir rw_dir_perms;
+	type_transition $1_xserver_t xdm_xserver_tmp_t:sock_file $1_xserver_tmp_t;
+
+	allow $1_xserver_t $1_xserver_tmpfs_t:dir manage_dir_perms;
+	allow $1_xserver_t $1_xserver_tmpfs_t:file manage_file_perms;
+	allow $1_xserver_t $1_xserver_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_xserver_t $1_xserver_tmpfs_t:sock_file manage_file_perms;
+	allow $1_xserver_t $1_xserver_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_xserver_t,$1_xserver_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $1_xserver_t xkb_var_lib_t:dir rw_dir_perms;
+	allow $1_xserver_t xkb_var_lib_t:file manage_file_perms;
+	allow $1_xserver_t xkb_var_lib_t:lnk_file create_lnk_perms;
+	files_search_var_lib($1_xserver_t)
+
+	# Create files in /var/log with the xserver_log_t type.
+	allow $1_xserver_t xserver_log_t:file manage_file_perms;
+	allow $1_xserver_t xserver_log_t:dir r_dir_perms;
+	logging_log_filetrans($1_xserver_t,xserver_log_t,file)
+
+	kernel_read_system_state($1_xserver_t)
+	kernel_read_device_sysctls($1_xserver_t)
+	kernel_read_modprobe_sysctls($1_xserver_t)
+	# Xorg wants to check if kernel is tainted
+	kernel_read_kernel_sysctls($1_xserver_t)
+	kernel_write_proc_files($1_xserver_t)
+
+	# Run helper programs in $1_xserver_t.
+	corecmd_search_sbin($1_xserver_t)
+	corecmd_exec_bin($1_xserver_t)
+	corecmd_exec_shell($1_xserver_t)
+
+	corenet_non_ipsec_sendrecv($1_xserver_t)
+	corenet_tcp_sendrecv_generic_if($1_xserver_t)
+	corenet_udp_sendrecv_generic_if($1_xserver_t)
+	corenet_tcp_sendrecv_all_nodes($1_xserver_t)
+	corenet_udp_sendrecv_all_nodes($1_xserver_t)
+	corenet_tcp_sendrecv_all_ports($1_xserver_t)
+	corenet_udp_sendrecv_all_ports($1_xserver_t)
+	corenet_tcp_bind_all_nodes($1_xserver_t)
+	corenet_tcp_bind_xserver_port($1_xserver_t)
+	corenet_tcp_connect_all_ports($1_xserver_t)
+	corenet_sendrecv_xserver_server_packets($1_xserver_t)
+	corenet_sendrecv_all_client_packets($1_xserver_t)
+
+	dev_read_sysfs($1_xserver_t)
+	dev_rw_mouse($1_xserver_t)
+	dev_rw_mtrr($1_xserver_t)
+	dev_rw_apm_bios($1_xserver_t)
+	dev_rw_agp($1_xserver_t)
+	dev_rw_framebuffer($1_xserver_t)
+	dev_manage_dri_dev($1_xserver_t)
+	dev_create_generic_dirs($1_xserver_t)
+	dev_setattr_generic_dirs($1_xserver_t)
+	# raw memory access is needed if not using the frame buffer
+	dev_read_raw_memory($1_xserver_t)
+	dev_write_raw_memory($1_xserver_t)
+	# for other device nodes such as the NVidia binary-only driver
+	dev_rw_xserver_misc($1_xserver_t)
+	# read events - the synaptics touchpad driver reads raw events
+	dev_rw_input_dev($1_xserver_t)
+	dev_rwx_zero($1_xserver_t)
+
+	files_read_etc_files($1_xserver_t)
+	files_read_etc_runtime_files($1_xserver_t)
+	files_read_usr_files($1_xserver_t)
+
+	# brought on by rhgb
+	files_search_mnt($1_xserver_t)
+	# for nscd
+	files_dontaudit_search_pids($1_xserver_t)
+
+	fs_getattr_xattr_fs($1_xserver_t)
+	fs_search_nfs($1_xserver_t)
+	fs_search_auto_mountpoints($1_xserver_t)
+
+	init_getpgid($1_xserver_t)
+
+	term_setattr_unallocated_ttys($1_xserver_t)
+	term_use_unallocated_ttys($1_xserver_t)
+
+	libs_use_ld_so($1_xserver_t)
+	libs_use_shared_libs($1_xserver_t)
+
+	logging_send_syslog_msg($1_xserver_t)
+
+	miscfiles_read_localization($1_xserver_t)
+	miscfiles_read_fonts($1_xserver_t)
+
+	modutils_domtrans_insmod($1_xserver_t)
+
+	seutil_dontaudit_search_config($1_xserver_t)
+
+	sysnet_read_config($1_xserver_t)
+
+	optional_policy(`
+		auth_search_pam_console_data($1_xserver_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_xserver_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_xserver_t)
+	')
+
+	optional_policy(`
+		xfs_stream_connect($1_xserver_t)
+	')
+
+	ifdef(`TODO',`
+	ifdef(`distro_redhat',`
+		ifdef(`rpm.te', `
+			allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
+			allow $1_xserver_t rpm_tmpfs_t:file { read write };
+			rpm_use_fds($1_xserver_t)
+		')
+	')
+	') dnl end TODO
+')
+
+#######################################
+## <summary>
+##	The per user domain template for the xserver module.
+## </summary>
+## <desc>
+##	<p>
+##	Define a derived domain for the X server when executed
+##	by a user domain (e.g. via startx).  See the xdm module
+##	if using an X Display Manager.
+##	</p>
+##	<p>
+##	This is invoked automatically for each user and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`xserver_per_userdomain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	xserver_common_domain_template($1)
+	role $3 types $1_xserver_t;
+
+	type $1_fonts_t, fonts_type;
+	userdom_user_home_content($1,$1_fonts_t)
+
+	type $1_fonts_cache_t, fonts_cache_type;
+	userdom_user_home_content($1,$1_fonts_cache_t)
+
+	type $1_fonts_config_t, fonts_config_type;
+	userdom_user_home_content($1,$1_fonts_cache_t)
+
+	type $1_iceauth_t;
+	domain_type($1_iceauth_t)
+	domain_entry_file($1_iceauth_t,iceauth_exec_t)
+	role $3 types $1_iceauth_t;
+
+	type $1_iceauth_home_t alias $1_iceauth_rw_t;
+	files_poly_member($1_iceauth_home_t)
+	userdom_user_home_content($1,$1_iceauth_home_t)
+
+	type $1_xauth_t;
+	domain_type($1_xauth_t)
+	domain_entry_file($1_xauth_t,xauth_exec_t)
+	role $3 types $1_xauth_t;
+
+	type $1_xauth_home_t alias $1_xauth_rw_t;
+	files_poly_member($1_xauth_home_t)
+	userdom_user_home_content($1,$1_xauth_home_t)
+
+	type $1_xauth_tmp_t;
+	files_tmp_file($1_xauth_tmp_t)
+
+	##############################
+	#
+	# $1_xserver_t Local policy
+	#
+
+	domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
+	allow $1_xserver_t $1_xauth_t:fd use;
+	allow $1_xauth_t $1_xserver_t:fd use;
+	allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms;
+	allow $1_xauth_t $1_xserver_t:process sigchld;
+
+	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+
+	domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
+	allow $2 $1_xserver_t:fd use;
+	allow $1_xserver_t $2:fd use;
+	allow $1_xserver_t $2:fifo_file rw_file_perms;
+	allow $1_xserver_t $2:process { signal sigchld };
+
+	allow $1_xserver_t $2:shm rw_shm_perms;
+
+	allow $2 $1_fonts_t:dir manage_dir_perms;
+	allow $2 $1_fonts_t:file manage_file_perms;
+	allow $2 $1_fonts_t:{ dir file } { relabelto relabelfrom };
+
+	allow $2 $1_fonts_config_t:dir manage_dir_perms;
+	allow $2 $1_fonts_config_t:file manage_file_perms;
+	allow $2 $1_fonts_config_t:file { relabelto relabelfrom };
+
+	# For startup relabel
+	allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+
+	allow $2 $1_xserver_tmp_t:dir r_dir_perms;
+	allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
+	allow $2 $1_xserver_t:unix_stream_socket connectto;
+
+	allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+
+	# Communicate via System V shared memory.
+	allow $1_xserver_t $2:shm rw_shm_perms;
+	allow $2 $1_xserver_t:shm rw_shm_perms;
+
+	getty_use_fds($1_xserver_t)
+
+	locallogin_use_fds($1_xserver_t)
+
+	userdom_search_user_home_dirs($1,$1_xserver_t)
+	userdom_use_user_ttys($1,$1_xserver_t)
+	userdom_setattr_user_ttys($1,$1_xserver_t)
+	userdom_rw_user_tmpfs_files($1,$1_xserver_t)
+
+	xserver_use_user_fonts($1,$1_xserver_t)
+
+	optional_policy(`
+		userhelper_search_config($1_xserver_t)
+	')
+
+	ifdef(`TODO',`
+	allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
+	allow $1_t xdm_xserver_t:unix_stream_socket connectto;
+
+	ifdef(`xdm.te', `
+		allow $1_t xdm_tmp_t:sock_file unlink;
+		allow $1_xserver_t xdm_var_run_t:dir search;
+	')
+	') dnl end TODO
+
+	##############################
+	#
+	# $1_xauth_t Local policy
+	#
+
+	allow $1_xauth_t self:process signal;
+	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
+
+	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
+	userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
+
+	allow $1_xauth_t $1_xauth_tmp_t:dir create_dir_perms;
+	allow $1_xauth_t $1_xauth_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
+
+	domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
+	allow $2 $1_xauth_t:fd use;
+	allow $1_xauth_t $2:fd use;
+	allow $1_xauth_t $2:fifo_file rw_file_perms;
+	allow $1_xauth_t $2:process sigchld;
+
+	allow $2 $1_xauth_t:process signal;
+
+	# allow ps to show xauth
+	allow $2 $1_xauth_t:dir { search getattr read };
+	allow $2 $1_xauth_t:{ file lnk_file } { read getattr };
+	allow $2 $1_xauth_t:process getattr;
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $2 $1_xauth_t:process ptrace;
+
+	allow $2 $1_xauth_home_t:file manage_file_perms;
+	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
+
+	allow xdm_t $1_xauth_home_t:file manage_file_perms;
+	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
+
+	domain_use_interactive_fds($1_xauth_t)
+
+	files_read_etc_files($1_xauth_t)
+	files_search_pids($1_xauth_t)
+
+	fs_getattr_xattr_fs($1_xauth_t)
+	fs_search_auto_mountpoints($1_xauth_t)
+
+	# cjp: why?
+	term_use_ptmx($1_xauth_t)
+
+	libs_use_ld_so($1_xauth_t)
+	libs_use_shared_libs($1_xauth_t)
+
+	sysnet_dns_name_resolve($1_xauth_t)
+
+	userdom_use_user_terminals($1,$1_xauth_t)
+	userdom_read_user_tmp_files($1,$1_xauth_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_xauth_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_xauth_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_xauth_t)
+	')
+
+	optional_policy(`
+		ssh_sigchld($1_xauth_t)
+		ssh_read_pipes($1_xauth_t)
+		ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
+	')
+
+	##############################
+	#
+	# $1_iceauth_t Local policy
+	#
+
+	domain_auto_trans($2, iceauth_exec_t, $1_iceauth_t)
+	allow $2 $1_iceauth_t:fd use;
+	allow $1_iceauth_t $2:fd use;
+	allow $1_iceauth_t $2:fifo_file rw_file_perms;
+	allow $1_iceauth_t $2:process sigchld;
+
+	allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
+	userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file)
+
+	# allow ps to show iceauth
+	allow $2 $1_iceauth_t:dir { search getattr read };
+	allow $2 $1_iceauth_t:{ file lnk_file } { read getattr };
+	allow $2 $1_iceauth_t:process getattr;
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $2 $1_iceauth_t:process ptrace;
+
+	allow $2 $1_iceauth_home_t:file manage_file_perms;
+	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
+
+	fs_search_auto_mountpoints($1_iceauth_t)
+
+	libs_use_ld_so($1_iceauth_t)
+	libs_use_shared_libs($1_iceauth_t)
+
+	userdom_use_user_terminals($1,$1_iceauth_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_iceauth_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_iceauth_t)
+	')
+')
+
+#######################################
+## <summary>
+##	Template for creating sessions on a
+##	prefix X server, with read-only
+##	access to the X server shared
+##	memory segments.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_ro_session_template',`
+	gen_require(`
+		type $1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmpfs_t;
+	')
+
+	# Xserver read/write client shm
+	allow $1_xserver_t $2:fd use;
+	allow $1_xserver_t $2:shm rw_shm_perms;
+	allow $1_xserver_t $3:file rw_file_perms;
+
+	# Connect to xserver
+	allow $2 $1_xserver_t:unix_stream_socket connectto;
+	allow $2 $1_xserver_t:process signal;
+
+	# Read /tmp/.X0-lock
+	allow $2 $1_xserver_tmp_t:file { getattr read };
+
+	# Client read xserver shm
+	allow $2 $1_xserver_t:fd use;
+	allow $2 $1_xserver_t:shm r_shm_perms;
+	allow $2 $1_xserver_tmpfs_t:file r_file_perms;
+')
+
+#######################################
+## <summary>
+##	Template for creating sessions on a
+##	prefix X server, with read and write
+##	access to the X server shared
+##	memory segments.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_rw_session_template',`
+	gen_require(`
+		type $1_xserver_t, $1_xserver_tmpfs_t;
+	')
+
+	xserver_ro_session_template($1,$2,$3)
+	allow $2 $1_xserver_t:shm rw_shm_perms;
+	allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+##	Template for creating full client sessions
+##	on a user X server.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_user_client_template',`
+
+	gen_require(`
+		type xdm_t, xdm_tmp_t;
+		type $1_xauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+	')
+
+	allow $2 self:shm create_shm_perms;
+	allow $2 self:unix_dgram_socket create_socket_perms;
+	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+
+	# Read .Xauthority file
+	allow $2 $1_xauth_home_t:file { getattr read };
+
+	# for when /tmp/.X11-unix is created by the system
+	allow $2 xdm_t:fd use;
+	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_tmp_t:dir search;
+	allow $2 xdm_tmp_t:sock_file { read write };
+	dontaudit $2 xdm_t:tcp_socket { read write };
+
+	# Allow connections to X server.
+	files_search_tmp($2)
+
+	miscfiles_read_fonts($2)
+
+	userdom_search_user_home_dirs($1,$2)
+	# for .xsession-errors
+	userdom_dontaudit_write_user_home_content_files($1,$2)
+
+	xserver_ro_session_template(xdm,$2,$3)
+	xserver_rw_session_template($1,$2,$3)
+	xserver_use_user_fonts($1,$2)
+
+	# Client write xserver shm
+	tunable_policy(`allow_write_xshm',`
+		allow $2 $1_xserver_t:shm rw_shm_perms;
+		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+	')
+
+	# for X over a ssh tunnel
+	optional_policy(`
+		kernel_tcp_recvfrom($2)
+		ssh_tcp_connect($2)
+	')
+')
+
+########################################
+## <summary>
+##	Read user fonts, user font configuration,
+##	and manage the user font cache.
+## </summary>
+## <desc>
+##	<p>
+##	Read user fonts, user font configuration,
+##	and manage the user font cache.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`xserver_use_user_fonts',`
+	gen_require(`
+		type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
+	')
+
+	# Read per user fonts
+	allow $2 $1_fonts_t:dir list_dir_perms;
+	allow $2 $1_fonts_t:file read_file_perms;
+
+	# Manipulate the global font cache
+	allow $2 $1_fonts_cache_t:dir manage_dir_perms;
+	allow $2 $1_fonts_cache_t:file manage_file_perms;
+
+	# Read per user font config
+	allow $2 $1_fonts_config_t:dir list_dir_perms;
+	allow $2 $1_fonts_config_t:file read_file_perms;
+
+	userdom_search_user_home_dirs($1,$2)
+')
+
+########################################
+## <summary>
+##	Transition to a user Xauthority domain.
+## </summary>
+## <desc>
+##	<p>
+##	Transition to a user Xauthority domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`xserver_domtrans_user_xauth',`
+	gen_require(`
+		type $1_xauth_t, xauth_exec_t;
+	')
+
+	domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
+	allow $2 $1_xauth_t:fd use;
+	allow $1_xauth_t $2:fd use;
+	allow $1_xauth_t $2:fifo_file rw_file_perms;
+	allow $1_xauth_t $2:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read all users fonts, user font configurations,
+##	and manage all users font caches.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_use_all_users_fonts',`
+	gen_require(`
+		attribute fonts_type, fonts_cache_type, fonts_config_type;
+	')
+
+	# Read per user fonts
+	allow $1 fonts_type:dir list_dir_perms;
+	allow $1 fonts_type:file read_file_perms;
+
+	# Manipulate the global font cache
+	allow $1 fonts_cache_type:dir manage_dir_perms;
+	allow $1 fonts_cache_type:file manage_file_perms;
+
+	# Read per user font config
+	allow $1 fonts_config_type:dir list_dir_perms;
+	allow $1 fonts_config_type:file read_file_perms;
+
+	userdom_search_all_users_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the X windows console named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_setattr_console_pipes',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write the X windows console named pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_console',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file { getattr read write };
+')
+
+########################################
+## <summary>
+##	Use file descriptors for xdm.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_use_xdm_fds',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:fd use; 
+')
+
+########################################
+## <summary>
+##	Read and write XDM unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xdm_pipes',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:fifo_file { getattr read write }; 
+')
+
+########################################
+## <summary>
+##	Connect to XDM over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_stream_connect_xdm',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Read xdm-writable configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_xdm_rw_config',`
+	gen_require(`
+		type xdm_rw_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 xdm_rw_etc_t:dir { getattr read };
+')
+
+########################################
+## <summary>
+##	Set the attributes of XDM temporary directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_setattr_xdm_tmp_dirs',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	allow $1 xdm_tmp_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Create a named socket in a XDM
+##	temporary directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_create_xdm_tmp_sockets',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 xdm_tmp_t:dir ra_dir_perms;
+	allow $1 xdm_tmp_t:sock_file create;
+')
+
+########################################
+## <summary>
+##	Read XDM pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_xdm_pid',`
+	gen_require(`
+		type xdm_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 xdm_var_run_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##      Read XDM var lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_read_xdm_lib_files',`
+	gen_require(`
+		type xdm_var_lib_t;
+	')
+
+	allow $1 xdm_var_lib_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Execute the X server in the XDM X server domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_domtrans_xdm_xserver',`
+	gen_require(`
+		type xdm_xserver_t, xserver_exec_t;
+	')
+
+	domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
+
+	allow $1 xdm_xserver_t:fd use;
+	allow xdm_xserver_t $1:fd use;
+	allow xdm_xserver_t $1:fifo_file rw_file_perms;
+	allow xdm_xserver_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Make an X session script an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which the shell is an entrypoint.
+##	</summary>
+## </param>
+#
+interface(`xserver_xsession_entry_type',`
+	gen_require(`
+		type xsession_exec_t;
+	')
+
+	domain_entry_file($1,xsession_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute an X session in the target domain.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Execute an Xsession in the target domain.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the shell process.
+##	</summary>
+## </param>
+#
+interface(`xserver_xsession_spec_domtrans',`
+	gen_require(`
+		type xsession_exec_t;
+	')
+
+	domain_trans($1,xsession_exec_t,$2)
+')
+
+########################################
+## <summary>
+##	Get the attributes of X server logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_getattr_log',`
+	gen_require(`
+		type xserver_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 xserver_log_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write the X server
+##	log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_dontaudit_write_log',`
+	gen_require(`
+		type xserver_log_t;
+	')
+
+	dontaudit $1 xserver_log_t:file { append write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write the X server
+##	log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_delete_log',`
+	gen_require(`
+		type xserver_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 xserver_log_t:dir rw_dir_perms;
+	allow $1 xserver_log_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Read X keyboard extension libraries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_read_xkb_libs',`
+	gen_require(`
+		type xkb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 xkb_var_lib_t:dir list_dir_perms;
+	allow $1 xkb_var_lib_t:file r_file_perms;
+	allow $1 xkb_var_lib_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read xdm temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_read_xdm_xserver_tmp_files',`
+	gen_require(`
+		type xdm_xserver_tmp_t;
+	')
+
+	allow $1 xdm_xserver_tmp_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Kill XDM X servers
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_kill_xdm_xserver',`
+	gen_require(`
+		type xdm_xserver_t;
+	')
+
+	allow $1 xdm_xserver_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write to
+##	a XDM X server socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',`
+	gen_require(`
+		type xdm_xserver_t;
+	')
+
+	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Connect to xdm_xserver over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_stream_connect_xdm_xserver',`
+	gen_require(`
+		type xdm_xserver_t, xdm_xserver_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 xdm_xserver_tmp_t:sock_file write;
+	allow $1 xdm_xserver_t:unix_stream_socket connectto;
+')
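Review bot: The per-user font configuration type is never registered as home-directory content: in xserver_per_userdomain_template the line after `type $1_fonts_config_t, fonts_config_type;` repeats the cache line, `userdom_user_home_content($1,$1_fonts_cache_t)`, and should read `userdom_user_home_content($1,$1_fonts_config_t)`, otherwise $1_fonts_config_t gets none of the home-content rules the other two font types receive. In xserver_user_client_template the `allow_write_xshm` tunable block is dead policy, because `xserver_rw_session_template($1,$2,$3)` a few lines above already grants the identical `shm rw_shm_perms` and tmpfs `file rw_file_perms` unconditionally; if the tunable is meant to gate client writes to the user X server's shared memory, that call should be dropped (xserver_ro_session_template keeps the read access) rather than duplicated inside the tunable. The header for xserver_delete_log is copied from xserver_dontaudit_write_log ("Do not audit attempts to write the X server log files" / "Domain to not audit") and should describe deleting X server logs with the parameter text "Domain allowed access". The same "Domain to not audit" parameter text also appears on xserver_read_xkb_libs, xserver_read_xdm_xserver_tmp_files and xserver_kill_xdm_xserver, all of which grant access rather than suppress audit, so their param summaries should say "Domain allowed access" as the other allow interfaces do.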
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
new file mode 100644
index 0000000..5bc2356
--- /dev/null
+++ b/policy/modules/services/xserver.te
@@ -0,0 +1,486 @@
+
+policy_module(xserver,1.1.10)
+
+########################################
+#
+# Declarations
+#
+
+attribute fonts_type;
+attribute fonts_cache_type;
+attribute fonts_config_type;
+
+type ice_tmp_t;
+files_tmp_file(ice_tmp_t)
+
+type iceauth_exec_t;
+corecmd_executable_file(iceauth_exec_t)
+
+type xauth_exec_t;
+corecmd_executable_file(xauth_exec_t)
+
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+fs_associate_tmpfs(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+
+type xdm_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type xdm_exec_t;
+')
+init_domain(xdm_t,xdm_exec_t)
+init_daemon_domain(xdm_t,xdm_exec_t)
+
+type xdm_lock_t;
+files_lock_file(xdm_lock_t)
+
+type xdm_rw_etc_t;
+files_type(xdm_rw_etc_t)
+
+type xdm_var_lib_t;
+files_type(xdm_var_lib_t)
+
+type xdm_var_run_t;
+files_pid_file(xdm_var_run_t)
+
+type xdm_tmp_t;
+files_tmp_file(xdm_tmp_t)
+
+type xdm_tmpfs_t;
+files_tmpfs_file(xdm_tmpfs_t)
+
+# type for /var/lib/xkb
+type xkb_var_lib_t;
+files_type(xkb_var_lib_t)
+
+# Type for the executable used to start the X server, e.g. Xwrapper.
+type xserver_exec_t;
+corecmd_executable_file(xserver_exec_t)
+
+type xsession_exec_t;
+corecmd_executable_file(xsession_exec_t)
+
+# Type for the X server log file.
+type xserver_log_t;
+logging_log_file(xserver_log_t)
+
+xserver_common_domain_template(xdm)
+init_system_domain(xdm_xserver_t,xserver_exec_t)
+
+optional_policy(`
+	prelink_object_file(xkb_var_lib_t)
+')
+
+########################################
+#
+# XDM Local policy
+#
+
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:fifo_file rw_file_perms;
+allow xdm_t self:shm create_shm_perms;
+allow xdm_t self:sem create_sem_perms;
+allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:tcp_socket create_stream_socket_perms;
+allow xdm_t self:udp_socket create_socket_perms;
+
+# Supress permission check on .ICE-unix
+dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
+
+allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+
+# Allow gdm to run gdm-binary
+can_exec(xdm_t, xdm_exec_t)
+
+# wdm has its own config dir /etc/X11/wdm
+# this is ugly, daemons should not create files under /etc!
+allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
+allow xdm_t xdm_rw_etc_t:file create_file_perms;
+
+kernel_read_system_state(xdm_t)
+kernel_read_kernel_sysctls(xdm_t)
+
+corecmd_exec_shell(xdm_t)
+corecmd_exec_bin(xdm_t)
+corecmd_exec_sbin(xdm_t)
+
+corenet_non_ipsec_sendrecv(xdm_t)
+corenet_tcp_sendrecv_generic_if(xdm_t)
+corenet_udp_sendrecv_generic_if(xdm_t)
+corenet_tcp_sendrecv_all_nodes(xdm_t)
+corenet_udp_sendrecv_all_nodes(xdm_t)
+corenet_tcp_sendrecv_all_ports(xdm_t)
+corenet_udp_sendrecv_all_ports(xdm_t)
+corenet_tcp_bind_all_nodes(xdm_t)
+corenet_udp_bind_all_nodes(xdm_t)
+corenet_tcp_connect_all_ports(xdm_t)
+corenet_sendrecv_all_client_packets(xdm_t)
+# xdm tries to bind to biff_port_t
+corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+
+dev_read_rand(xdm_t)
+dev_read_urand(xdm_t)
+dev_read_sysfs(xdm_t)
+dev_getattr_framebuffer_dev(xdm_t)
+dev_setattr_framebuffer_dev(xdm_t)
+dev_getattr_mouse_dev(xdm_t)
+dev_setattr_mouse_dev(xdm_t)
+dev_rw_apm_bios(xdm_t)
+dev_setattr_apm_bios_dev(xdm_t)
+dev_rw_dri(xdm_t)
+dev_rw_agp(xdm_t)
+dev_getattr_xserver_misc_dev(xdm_t)
+dev_setattr_xserver_misc_dev(xdm_t)
+dev_getattr_misc_dev(xdm_t)
+dev_setattr_misc_dev(xdm_t)
+dev_dontaudit_rw_misc(xdm_t)
+dev_getattr_video_dev(xdm_t)
+dev_setattr_video_dev(xdm_t)
+dev_getattr_scanner_dev(xdm_t)
+dev_setattr_scanner_dev(xdm_t)
+dev_getattr_sound_dev(xdm_t)
+dev_setattr_sound_dev(xdm_t)
+dev_getattr_power_mgmt_dev(xdm_t)
+dev_setattr_power_mgmt_dev(xdm_t)
+
+domain_use_interactive_fds(xdm_t)
+# Do not audit denied probes of /proc.
+domain_dontaudit_read_all_domains_state(xdm_t)
+
+files_read_etc_files(xdm_t)
+files_read_etc_runtime_files(xdm_t)
+files_exec_etc_files(xdm_t)
+files_list_mnt(xdm_t)
+# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
+files_read_usr_files(xdm_t)
+# Poweroff wants to create the /poweroff file when run from xdm
+files_create_boot_flag(xdm_t)
+
+fs_getattr_all_fs(xdm_t)
+fs_search_auto_mountpoints(xdm_t)
+
+selinux_get_fs_mount(xdm_t)
+selinux_validate_context(xdm_t)
+selinux_compute_access_vector(xdm_t)
+selinux_compute_create_context(xdm_t)
+selinux_compute_relabel_context(xdm_t)
+selinux_compute_user_contexts(xdm_t)
+
+storage_dontaudit_read_fixed_disk(xdm_t)
+storage_dontaudit_write_fixed_disk(xdm_t)
+storage_dontaudit_setattr_fixed_disk_dev(xdm_t)
+storage_dontaudit_raw_read_removable_device(xdm_t)
+storage_dontaudit_raw_write_removable_device(xdm_t)
+storage_dontaudit_setattr_removable_dev(xdm_t)
+storage_dontaudit_rw_scsi_generic(xdm_t)
+
+term_setattr_console(xdm_t)
+term_dontaudit_use_console(xdm_t)
+term_use_unallocated_ttys(xdm_t)
+term_setattr_unallocated_ttys(xdm_t)
+
+auth_rw_lastlog(xdm_t)
+auth_read_login_records(xdm_t)
+auth_append_login_records(xdm_t)
+auth_manage_pam_pid(xdm_t)
+auth_exec_pam(xdm_t)
+auth_manage_pam_console_data(xdm_t)
+
+init_rw_utmp(xdm_t)
+init_use_script_ptys(xdm_t)
+# Run telinit->init to shutdown.
+init_exec(xdm_t)
+init_write_initctl(xdm_t)
+
+libs_use_ld_so(xdm_t)
+libs_use_shared_libs(xdm_t)
+libs_exec_lib_files(xdm_t)
+
+logging_send_syslog_msg(xdm_t)
+logging_read_generic_logs(xdm_t)
+
+miscfiles_read_localization(xdm_t)
+miscfiles_read_fonts(xdm_t)
+
+seutil_read_config(xdm_t)
+seutil_read_default_contexts(xdm_t)
+
+sysnet_read_config(xdm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xdm_t)
+userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
+userdom_create_all_users_keys(xdm_t)
+# for .dmrc
+userdom_read_unpriv_users_home_content_files(xdm_t)
+# Search /proc for any user domain processes.
+userdom_read_all_users_state(xdm_t)
+userdom_signal_all_users(xdm_t)
+
+ifdef(`enable_polyinstantiation',`
+	# xdm_t can polyinstantiate
+	files_polyinstantiate_all(xdm_t)
+')
+
+ifdef(`strict_policy',`
+	allow xdm_t xdm_lock_t:file create_file_perms;
+	files_lock_filetrans(xdm_t,xdm_lock_t,file)
+
+	allow xdm_t xdm_tmp_t:dir manage_dir_perms;
+	allow xdm_t xdm_tmp_t:file manage_file_perms;
+	allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
+	files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+
+	allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
+	allow xdm_t xdm_tmpfs_t:file manage_file_perms;
+	allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;
+	allow xdm_t xdm_tmpfs_t:sock_file manage_file_perms;
+	allow xdm_t xdm_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow xdm_t xdm_var_lib_t:file create_file_perms;
+	allow xdm_t xdm_var_lib_t:dir create_dir_perms;
+	files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
+
+	allow xdm_t xdm_var_run_t:dir manage_dir_perms;
+	allow xdm_t xdm_var_run_t:file manage_file_perms;
+	allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
+	files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
+
+	allow xdm_t xdm_xserver_t:process signal;
+	allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+
+	allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+	allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
+
+	# transition to the xdm xserver
+	domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
+	allow xdm_t xdm_xserver_t:fd use;
+	allow xdm_xserver_t xdm_t:fd use;
+	allow xdm_xserver_t xdm_t:fifo_file rw_file_perms;
+	allow xdm_xserver_t xdm_t:process { signal sigchld };
+	allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+
+	allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+
+	# connect to xdm xserver over stream socket
+	allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+	allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+	allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+
+	# Remove /tmp/.X11-unix/X0.
+	allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
+	allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
+	allow xdm_t xdm_xserver_tmp_t:file unlink;
+
+	allow xdm_t xserver_log_t:dir { rw_dir_perms setattr };
+	allow xdm_t xserver_log_t:file manage_file_perms;
+	allow xdm_t xserver_log_t:fifo_file manage_file_perms;
+	logging_log_filetrans(xdm_t,xserver_log_t,file)
+
+	domain_subj_id_change_exemption(xdm_t)
+	domain_role_change_exemption(xdm_t)
+	domain_obj_id_change_exemption(xdm_t)
+
+	auth_domtrans_chk_passwd(xdm_t)
+	auth_domtrans_pam_console(xdm_t)	
+
+	xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
+
+	tunable_policy(`xdm_sysadm_login',`
+		userdom_xsession_spec_domtrans_all_users(xdm_t)
+		# FIXME:
+#		xserver_rw_session_template(xdm,userdomain)
+	',`
+		userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
+		# FIXME:
+#		xserver_rw_session_template(xdm,unpriv_userdomain)
+#		dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
+#		allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
+	')
+
+	optional_policy(`
+		alsa_domtrans(xdm_t)
+	')
+')
+
+ifdef(`targeted_policy',`
+	allow xdm_t self:process { execheap execmem };
+	unconfined_domain(xdm_t)
+	unconfined_domtrans(xdm_t)
+	userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
+
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(xdm_t)
+	fs_manage_nfs_files(xdm_t)
+	fs_manage_nfs_symlinks(xdm_t)
+	fs_exec_nfs_files(xdm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(xdm_t)
+	fs_manage_cifs_files(xdm_t)
+	fs_manage_cifs_symlinks(xdm_t)
+	fs_exec_cifs_files(xdm_t)
+')
+
+optional_policy(`
+	consoletype_domtrans(xdm_t)
+')
+
+optional_policy(`
+	# Talk to the console mouse server.
+	gpm_stream_connect(xdm_t)
+	gpm_setattr_gpmctl(xdm_t)
+')
+
+optional_policy(`
+	hostname_exec(xdm_t)
+')
+
+optional_policy(`
+	loadkeys_exec(xdm_t)
+')
+
+optional_policy(`
+	locallogin_signull(xdm_t)
+')
+
+optional_policy(`
+	# Do not audit attempts to check whether user root has email
+	mta_dontaudit_getattr_spool_files(xdm_t)
+')
+
+optional_policy(`
+	nscd_socket_use(xdm_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(xdm_t)
+')
+
+optional_policy(`
+	udev_read_db(xdm_t)
+')
+
+optional_policy(`
+	userhelper_dontaudit_search_config(xdm_t)
+')
+
+optional_policy(`
+	usermanage_read_crack_db(xdm_t)
+')
+
+optional_policy(`
+	xfs_stream_connect(xdm_t)
+')
+
+########################################
+#
+# XDM Xserver local policy
+#
+
+allow xdm_xserver_t xdm_t:process { signal getpgid };
+allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+
+# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+
+allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+
+# Label pid and temporary files with derived types.
+allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
+allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
+allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
+allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
+
+# Run xkbcomp.
+allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
+can_exec(xdm_xserver_t, xkb_var_lib_t)
+files_search_var_lib(xdm_xserver_t)
+
+# VNC v4 module in X server
+corenet_tcp_bind_vnc_port(xdm_xserver_t)
+
+fs_search_auto_mountpoints(xdm_xserver_t)
+
+init_use_fds(xdm_xserver_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(xdm_xserver_t)
+	fs_manage_nfs_files(xdm_xserver_t)
+	fs_manage_nfs_symlinks(xdm_xserver_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(xdm_xserver_t)
+	fs_manage_cifs_files(xdm_xserver_t)
+	fs_manage_cifs_symlinks(xdm_xserver_t)
+')
+
+ifdef(`strict_policy',`
+	# FIXME: After per user fonts are properly working
+	# xdm_xserver_t may no longer have any reason
+	# to read ROLE_home_t - examine this in more detail
+	# (xauth?)
+	userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
+
+	xserver_use_all_users_fonts(xdm_xserver_t)
+')
+
+ifdef(`targeted_policy',`
+	allow xdm_xserver_t self:process { execheap execmem };
+
+	unconfined_domain_noaudit(xdm_xserver_t)
+	unconfined_domtrans(xdm_xserver_t)
+')
+
+optional_policy(`
+	resmgr_stream_connect(xdm_t)
+')
+
+optional_policy(`
+	rhgb_rw_shm(xdm_xserver_t)
+	rhgb_rw_tmpfs_files(xdm_xserver_t)
+')
+
+ifdef(`TODO',`
+# Need to further investigate these permissions and
+# perhaps define derived types.
+allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
+allow xdm_t var_lib_t:file { create write unlink };
+
+# Do not audit attempts to write to index files under /usr
+dontaudit xdm_t usr_t:file write;
+
+ifdef(`rhgb.te', `
+allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
+allow xdm_xserver_t ramfs_t:file create_file_perms;
+allow rhgb_t xdm_xserver_t:process signal;
+')
+
+ifdef(`enable_polyinstantiation',`
+# xdm needs access for linking .X11-unix to poly /tmp
+allow xdm_t polymember:dir { add_name remove_name write };
+allow xdm_t polymember:lnk_file { create unlink };
+# xdm needs access for copying .Xauthority into new home
+allow xdm_t polymember:file { create getattr write };
+')
+
+#
+# Wants to delete .xsession-errors file
+#
+allow xdm_t user_home_type:file unlink;
+#
+# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+#
+allow pam_t xdm_t:fifo_file { getattr ioctl write };
+') dnl end TODO
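Review bot: The strict_policy block grants several rules twice: `allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;` and `allow xdm_t xdm_xserver_t:unix_stream_socket connectto;` appear both next to the `xdm_xserver_t:process signal` rule and again under the "connect to xdm xserver over stream socket" comment, the later `allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;` is already covered by the earlier `{ setattr r_dir_perms }`, and `allow xdm_t xdm_xserver_t:process signal;` is subsumed by the later `{ noatsecure siginh rlimitinh signal sigkill }`. Dropping the second copies keeps the xdm/xserver interaction readable in one place. `resmgr_stream_connect(xdm_t)` sits under the "XDM Xserver local policy" heading but targets xdm_t, so it presumably belongs in the XDM section above; there is also a trailing tab after `auth_domtrans_pam_console(xdm_t)`.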
diff --git a/policy/modules/services/zebra.fc b/policy/modules/services/zebra.fc
new file mode 100644
index 0000000..33c70f1
--- /dev/null
+++ b/policy/modules/services/zebra.fc
@@ -0,0 +1,16 @@
+
+/usr/sbin/bgpd		--	gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/zebra		--	gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/etc/quagga(/.*)?		gen_context(system_u:object_r:zebra_conf_t,s0)
+/etc/zebra(/.*)?		gen_context(system_u:object_r:zebra_conf_t,s0)
+
+/usr/sbin/ospf.*  	--	gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/rip.*  	--	gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/var/log/quagga(/.*)?		gen_context(system_u:object_r:zebra_log_t,s0)
+/var/log/zebra(/.*)?		gen_context(system_u:object_r:zebra_log_t,s0)
+
+/var/run/\.zebra	-s	gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/\.zserv	-s	gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/quagga(/.*)?		gen_context(system_u:object_r:zebra_var_run_t,s0)
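Review bot: The `/usr/sbin/ospf.*` and `/usr/sbin/rip.*` entries label more than the routing daemons they are presumably meant for: file-context patterns are matched anchored, so any /usr/sbin entry whose name starts with "ospf" or "rip" becomes zebra_exec_t and, when started by init, runs in zebra_t with the net_admin and net_raw capabilities this commit grants. If the intent is the Quagga daemons, naming them exactly, `/usr/sbin/(ospfd|ospf6d) -- gen_context(system_u:object_r:zebra_exec_t,s0)` and `/usr/sbin/(ripd|ripngd) -- gen_context(system_u:object_r:zebra_exec_t,s0)`, avoids the over-match. The stray double space before `--` on those two lines would disappear with the rewrite.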
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
new file mode 100644
index 0000000..4c6bcc9
--- /dev/null
+++ b/policy/modules/services/zebra.if
@@ -0,0 +1,22 @@
+## <summary>Zebra border gateway protocol network routing service</summary>
+
+########################################
+## <summary>
+##	Read the configuration files for zebra.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zebra_read_config',`
+	gen_require(`
+		type zebra_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 zebra_conf_t:file r_file_perms;
+	allow $1 zebra_conf_t:dir r_dir_perms;
+	allow $1 zebra_conf_t:lnk_file r_file_perms;
+')
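Review bot: The module summary `Zebra border gateway protocol network routing service` is narrower than what the module actually labels; zebra.fc in this same commit places bgpd, ospf* and rip* under zebra_exec_t, so the summary should describe the routing suite rather than BGP alone, e.g. `## <summary>Zebra/Quagga network routing services (zebra, bgpd, ospfd, ripd)</summary>`. The zebra_read_config interface body itself reads fine.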
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
new file mode 100644
index 0000000..3d331a3
--- /dev/null
+++ b/policy/modules/services/zebra.te
@@ -0,0 +1,137 @@
+
+policy_module(zebra,1.2.2)
+
+########################################
+#
+# Declarations
+#
+
+type zebra_t;
+type zebra_exec_t;
+init_daemon_domain(zebra_t,zebra_exec_t)
+
+type zebra_conf_t;
+files_type(zebra_conf_t)
+
+type zebra_log_t;
+logging_log_file(zebra_log_t)
+
+type zebra_tmp_t;
+files_tmp_file(zebra_tmp_t)
+
+type zebra_var_run_t;
+files_pid_file(zebra_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow zebra_t self:capability { setgid setuid net_admin net_raw };
+dontaudit zebra_t self:capability sys_tty_config;
+allow zebra_t self:process { signal_perms setcap };
+allow zebra_t self:file { ioctl read write getattr lock append };
+allow zebra_t self:unix_dgram_socket create_socket_perms;
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
+allow zebra_t self:udp_socket create_socket_perms;
+allow zebra_t self:rawip_socket create_socket_perms;
+
+allow zebra_t zebra_conf_t:dir r_dir_perms;
+allow zebra_t zebra_conf_t:file r_file_perms;
+allow zebra_t zebra_conf_t:lnk_file { getattr read };
+
+allow zebra_t zebra_log_t:file create_file_perms;
+allow zebra_t zebra_log_t:sock_file create_file_perms;
+allow zebra_t zebra_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(zebra_t,zebra_log_t,{ sock_file file dir })
+
+# /tmp/.bgpd is such a bad idea!
+allow zebra_t zebra_tmp_t:sock_file create_file_perms;
+files_tmp_filetrans(zebra_t,zebra_tmp_t,sock_file)
+
+allow zebra_t zebra_var_run_t:file manage_file_perms;
+allow zebra_t zebra_var_run_t:sock_file manage_file_perms;
+allow zebra_t zebra_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(zebra_t,zebra_var_run_t, { file sock_file })
+
+kernel_read_system_state(zebra_t)
+kernel_read_kernel_sysctls(zebra_t)
+kernel_tcp_recvfrom(zebra_t)
+kernel_rw_net_sysctls(zebra_t)
+
+corenet_non_ipsec_sendrecv(zebra_t)
+corenet_tcp_sendrecv_all_if(zebra_t)
+corenet_udp_sendrecv_all_if(zebra_t)
+corenet_raw_sendrecv_all_if(zebra_t)
+corenet_tcp_sendrecv_all_nodes(zebra_t)
+corenet_udp_sendrecv_all_nodes(zebra_t)
+corenet_raw_sendrecv_all_nodes(zebra_t)
+corenet_tcp_sendrecv_all_ports(zebra_t)
+corenet_udp_sendrecv_all_ports(zebra_t)
+corenet_tcp_bind_all_nodes(zebra_t)
+corenet_udp_bind_all_nodes(zebra_t)
+corenet_tcp_bind_zebra_port(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
+corenet_sendrecv_zebra_server_packets(zebra_t)
+corenet_sendrecv_router_server_packets(zebra_t)
+
+dev_associate_usbfs(zebra_var_run_t)
+dev_list_all_dev_nodes(zebra_t)
+dev_read_sysfs(zebra_t)
+dev_rw_zero(zebra_t)
+
+fs_getattr_all_fs(zebra_t)
+fs_search_auto_mountpoints(zebra_t)
+
+term_dontaudit_use_console(zebra_t)
+term_list_ptys(zebra_t)
+
+domain_use_interactive_fds(zebra_t)
+
+files_search_etc(zebra_t)
+files_read_etc_files(zebra_t)
+files_read_etc_runtime_files(zebra_t)
+
+init_use_fds(zebra_t)
+init_use_script_ptys(zebra_t)
+
+libs_use_ld_so(zebra_t)
+libs_use_shared_libs(zebra_t)
+
+logging_send_syslog_msg(zebra_t)
+
+miscfiles_read_localization(zebra_t)
+
+sysnet_read_config(zebra_t)
+
+userdom_dontaudit_use_unpriv_user_fds(zebra_t)
+userdom_dontaudit_search_sysadm_home_dirs(zebra_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(zebra_t)
+	term_dontaudit_use_generic_ptys(zebra_t)
+	files_dontaudit_read_root_files(zebra_t)
+	unconfined_sigchld(zebra_t)
+')
+
+optional_policy(`
+	ldap_use(zebra_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(zebra_t)
+')
+
+optional_policy(`
+	rpm_read_pipes(zebra_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(zebra_t)
+')
+
+optional_policy(`
+	udev_read_db(zebra_t)
+')
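Review bot: `dev_associate_usbfs(zebra_var_run_t)` in the device block is unexplained: it associates a pid-file type with usbfs, which has no obvious connection to a routing daemon, and none of the nearby comments covers it. If it works around a specific layout, a one-line comment such as `# zebra_var_run_t objects can appear under usbfs on <layout> — TODO confirm` would stop the next reader from deleting it; if it is a leftover, it should go. The `/tmp/.bgpd is such a bad idea!` comment would also be more useful if it said what the socket is used for, since the rule it annotates is what lets zebra_t create sock_files in /tmp.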
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
new file mode 100644
index 0000000..370f411
--- /dev/null
+++ b/policy/modules/system/authlogin.fc
@@ -0,0 +1,41 @@
+
+/bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
+
+/etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
+/etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
+/etc/gshadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
+/etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
+/etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
+
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
+
+/sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
+/sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
+/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ifdef(`distro_suse', `
+/sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+')
+
+/usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
+
+/usr/sbin/utempter	--	gen_context(system_u:object_r:utempter_exec_t,s0)
+ifdef(`distro_gentoo', `
+/usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+')
+
+/var/db/shadow.*	--	gen_context(system_u:object_r:shadow_t,s0)
+
+/var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
+
+/var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
+/var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
+/var/log/faillog	--	gen_context(system_u:object_r:faillog_t,s0)
+/var/log/lastlog	--	gen_context(system_u:object_r:lastlog_t,s0)
+/var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
+/var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
+
+/var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
+
+/var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
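Review bot: `/var/log/dmesg` and `/var/log/syslog` are labelled var_log_t from the authentication module's file contexts, while var_log_t is presumably owned by the logging module; keeping them here means two modules describe /var/log and this file carries entries with no authentication relevance. Moving those two lines into the logging module's .fc (or dropping them if a generic /var/log rule already covers them) keeps ownership clear. The shadow, faillog, lastlog and wtmp entries are consistent with the types the interfaces in authlogin.if reference.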
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
new file mode 100644
index 0000000..a6bdb4e
--- /dev/null
+++ b/policy/modules/system/authlogin.if
@@ -0,0 +1,1337 @@
+## <summary>Common policy for authentication and user login.</summary>
+
+#######################################
+## <summary>
+##	Common template to create a domain for authentication.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is allowed
+##	to authenticate users by using PAM unix_chkpwd support.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`authlogin_common_auth_domain_template',`
+	gen_require(`
+		attribute can_read_shadow_passwords;
+		type chkpwd_exec_t, shadow_t;
+	')
+
+	type $1_chkpwd_t, can_read_shadow_passwords;
+	domain_type($1_chkpwd_t)
+	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
+
+	allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
+	allow $1_chkpwd_t self:process getattr;
+
+	files_list_etc($1_chkpwd_t)
+	allow $1_chkpwd_t shadow_t:file { getattr read };
+
+	# is_selinux_enabled
+	kernel_read_system_state($1_chkpwd_t)
+
+	dev_read_rand($1_chkpwd_t)
+	dev_read_urand($1_chkpwd_t)
+
+	fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
+
+	libs_use_ld_so($1_chkpwd_t)
+	libs_use_shared_libs($1_chkpwd_t)
+
+	files_read_etc_files($1_chkpwd_t)
+	# for nscd
+	files_dontaudit_search_var($1_chkpwd_t)
+
+	logging_send_syslog_msg($1_chkpwd_t)
+
+	miscfiles_read_certs($1_chkpwd_t)
+	miscfiles_read_localization($1_chkpwd_t)
+
+	seutil_read_config($1_chkpwd_t)
+
+	sysnet_dns_name_resolve($1_chkpwd_t)
+	sysnet_use_ldap($1_chkpwd_t)
+
+	optional_policy(`
+		kerberos_use($1_chkpwd_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_chkpwd_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_chkpwd_t)
+	')
+
+	optional_policy(`
+		samba_stream_connect_winbind($1_chkpwd_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The per user domain template for the authlogin module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is allowed
+##	to authenticate users by using PAM unix_chkpwd support.
+##	This domain will be used by any programs running in the
+##	user domain which use PAM to authenticate.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`authlogin_per_userdomain_template',`
+
+	gen_require(`
+		type system_chkpwd_t, shadow_t;
+	')
+
+	authlogin_common_auth_domain_template($1)
+
+	role $3 types $1_chkpwd_t;
+	role $3 types system_chkpwd_t;
+
+	allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+	dontaudit $2 shadow_t:file { getattr read };
+
+	# Transition from the user domain to this domain.
+	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
+	allow $1_chkpwd_t $2:fd use;
+	allow $2 $1_chkpwd_t:fd use;
+	allow $1_chkpwd_t $2:fifo_file rw_file_perms;
+	allow $1_chkpwd_t $2:process sigchld;
+
+	domain_use_interactive_fds($1_chkpwd_t)
+
+	seutil_use_newrole_fds($1_chkpwd_t)
+
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_chkpwd_t)
+')
+
+########################################
+## <summary>
+##	Run unix_chkpwd to check a password
+##	for a user domain.
+## </summary>
+## <desc>
+##	<p>
+##	Run unix_chkpwd to check a password
+##	for a user domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`auth_domtrans_user_chk_passwd',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type system_chkpwd_t, chkpwd_exec_t;
+		')
+
+		domain_auto_trans($2,chkpwd_exec_t,system_chkpwd_t)
+		allow $2 system_chkpwd_t:fd use;
+		allow system_chkpwd_t $2:fd use;
+		allow system_chkpwd_t $2:fifo_file rw_file_perms;
+		allow system_chkpwd_t $2:process sigchld;
+	',`
+		gen_require(`
+			type $1_chkpwd_t, chkpwd_exec_t;
+		')
+
+		corecmd_search_bin($2)
+		domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
+
+		allow $2 $1_chkpwd_t:fd use;
+		allow $1_chkpwd_t $2:fd use;
+		allow $1_chkpwd_t $2:fifo_file rw_file_perms;
+		allow $1_chkpwd_t $2:process sigchld;
+	')
+')
+
+########################################
+## <summary>
+##	Use the login program as an entry point program.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of process using the login program as entry point.
+##	</summary>
+## </param>
+#
+interface(`auth_login_entry_type',`
+	gen_require(`
+		type login_exec_t;
+	')
+
+	domain_entry_file($1,login_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a login_program in the target domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the login_program process.
+##	</summary>
+## </param>
+#
+interface(`auth_domtrans_login_program',`
+	gen_require(`
+		type login_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,login_exec_t,$2)
+
+	allow $1 $2:fd use;
+	allow $2 $1:fd use;
+	allow $2 $1:fifo_file rw_file_perms;
+	allow $2 $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Run unix_chkpwd to check a password.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_domtrans_chk_passwd',`
+	gen_require(`
+		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
+
+	allow $1 self:capability { audit_write audit_control };
+	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+	allow $1 system_chkpwd_t:fd use;
+	allow system_chkpwd_t $1:fd use;
+	allow system_chkpwd_t $1:fifo_file rw_file_perms;
+	allow system_chkpwd_t $1:process sigchld;
+
+	dontaudit $1 shadow_t:file { getattr read };
+
+	dev_read_rand($1)
+	dev_read_urand($1)
+
+	miscfiles_read_certs($1)
+
+	sysnet_dns_name_resolve($1)
+	sysnet_use_ldap($1)
+
+	optional_policy(`
+		kerberos_use($1)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1)
+	')
+
+	optional_policy(`
+		samba_stream_connect_winbind($1)
+	')
+')
+
+########################################
+## <summary>
+##	Get the attributes of the shadow passwords file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_getattr_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_search_etc($1)
+	allow $1 shadow_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of the shadow passwords file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`auth_dontaudit_getattr_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	dontaudit $1 shadow_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read the shadow passwords file (/etc/shadow)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: these next three interfaces are split 
+# since typeattribute does not work in conditionals
+# yet, otherwise they should be one interface.
+# 
+interface(`auth_read_shadow',`
+	auth_can_read_shadow_passwords($1)
+	auth_tunable_read_shadow($1)
+')
+
+########################################
+## <summary>
+##	Pass shadow assertion for reading.
+## </summary>
+## <desc>
+##	<p>
+##	Pass shadow assertion for reading.
+##	This should only be used with
+##	auth_tunable_read_shadow(), and
+##	only exists because typeattribute
+##	does not work in conditionals.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_can_read_shadow_passwords',`
+	gen_require(`
+		attribute can_read_shadow_passwords;
+	')
+
+	typeattribute $1 can_read_shadow_passwords;
+')
+
+########################################
+## <summary>
+##	Read the shadow password file.
+## </summary>
+## <desc>
+##	<p>
+##	Read the shadow password file.  This
+##	should only be used in a conditional;
+##	it does not pass the reading shadow
+##	assertion.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_tunable_read_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_list_etc($1)
+	allow $1 shadow_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read the shadow
+##	password file (/etc/shadow).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`auth_dontaudit_read_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	dontaudit $1 shadow_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read and write the shadow password file (/etc/shadow).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_rw_shadow',`
+	gen_require(`
+		attribute can_read_shadow_passwords, can_write_shadow_passwords;
+		type shadow_t;
+	')
+
+	files_list_etc($1)
+	allow $1 shadow_t:file rw_file_perms;
+	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the shadow
+##	password file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_shadow',`
+	gen_require(`
+		attribute can_read_shadow_passwords, can_write_shadow_passwords;
+		type shadow_t;
+	')
+
+	allow $1 shadow_t:file create_file_perms;
+	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
+')
+
+#######################################
+## <summary>
+##	Automatic transition from etc to shadow.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_etc_filetrans_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_etc_filetrans($1,shadow_t,file)
+')
+
+#######################################
+## <summary>
+##	Relabel to the shadow
+##	password file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_relabelto_shadow',`
+	gen_require(`
+		attribute can_relabelto_shadow_passwords;
+		type shadow_t;
+	')
+
+	files_search_etc($1)
+	allow $1 shadow_t:file relabelto;
+	typeattribute $1 can_relabelto_shadow_passwords;
+')
+
+#######################################
+## <summary>
+##	Relabel from and to the shadow
+##	password file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_relabel_shadow',`
+	gen_require(`
+		attribute can_relabelto_shadow_passwords;
+		type shadow_t;
+	')
+
+	files_search_etc($1)
+	allow $1 shadow_t:file { relabelfrom relabelto };
+	typeattribute $1 can_relabelto_shadow_passwords;
+')
+
+#######################################
+## <summary>
+##	Append to the login failure log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_append_faillog',`
+	gen_require(`
+		type faillog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 faillog_t:file { getattr append };
+')
+
+########################################
+## <summary>
+##	Read and write the login failure log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_rw_faillog',`
+	gen_require(`
+		type faillog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 faillog_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+##	Read the last logins log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_read_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 lastlog_t:file { getattr read };
+')
+
+#######################################
+## <summary>
+##	Append only to the last logins log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_append_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 lastlog_t:file { getattr lock append };
+')
+
+#######################################
+## <summary>
+##	Read and write to the last logins log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_rw_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 lastlog_t:file { getattr read write setattr };
+')
+
+########################################
+## <summary>
+##	Execute pam programs in the pam domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_domtrans_pam',`
+	gen_require(`
+		type pam_t, pam_exec_t;
+	')
+
+	domain_auto_trans($1,pam_exec_t,pam_t)
+
+	allow $1 pam_t:fd use;
+	allow pam_t $1:fd use;
+	allow pam_t $1:fifo_file rw_file_perms;
+	allow pam_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute pam programs in the PAM domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the PAM domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the PAM domain to use.
+##	</summary>
+## </param>
+#
+interface(`auth_run_pam',`
+	gen_require(`
+		type pam_t;
+	')
+
+	auth_domtrans_pam($1)
+	role $2 types pam_t;
+	allow pam_t $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute the pam program.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_exec_pam',`
+	gen_require(`
+		type pam_exec_t;
+	')
+
+	can_exec($1,pam_exec_t)
+')
+
+########################################
+## <summary>
+##	Manage var auth files. Used by various other applications
+##	and pam applets etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_var_auth',`
+	gen_require(`
+		type var_auth_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_auth_t:dir create_dir_perms;
+	allow $1 var_auth_t:file rw_file_perms;
+	allow $1 var_auth_t:lnk_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read PAM PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_read_pam_pid',`
+	gen_require(`
+		type pam_var_run_t;
+	')
+
+	files_search_var($1)
+	files_search_pids($1)
+	allow $1 pam_var_run_t:dir r_dir_perms;
+	allow $1 pam_var_run_t:file r_file_perms;
+')
+
+#######################################
+## <summary>
+##	Do not audit attemps to read PAM PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`auth_dontaudit_read_pam_pid',`
+	gen_require(`
+		type pam_var_run_t;
+	')
+
+	dontaudit $1 pam_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Delete pam PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_delete_pam_pid',`
+	gen_require(`
+		type pam_var_run_t;
+	')
+
+	files_search_var($1)
+	files_search_pids($1)
+	allow $1 pam_var_run_t:dir { getattr search read write remove_name };
+	allow $1 pam_var_run_t:file { getattr unlink };
+')
+
+########################################
+## <summary>
+##	Manage pam PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_pam_pid',`
+	gen_require(`
+		type pam_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 pam_var_run_t:dir create_dir_perms;
+	allow $1 pam_var_run_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute pam_console with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_domtrans_pam_console',`
+	gen_require(`
+		type pam_console_t, pam_console_exec_t;
+	')
+
+	domain_auto_trans($1,pam_console_exec_t,pam_console_t)
+
+	allow $1 pam_console_t:fd use;
+	allow pam_console_t $1:fd use;
+	allow pam_console_t $1:fifo_file rw_file_perms;
+	allow pam_console_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Search the contents of the
+##	pam_console data directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_search_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_var($1)
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of the pam_console
+##	data directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_list_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_var($1)
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read pam_console data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_read_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_var($1)
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir r_dir_perms;
+	allow $1 pam_var_console_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	pam_console data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_var($1)
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir rw_dir_perms;
+	allow $1 pam_var_console_t:file create_file_perms;
+	allow $1 pam_var_console_t:lnk_file create_lnk_perms;
+')
+
+#######################################
+## <summary>
+##	Delete pam_console data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_delete_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_var($1)
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir rw_dir_perms;
+	allow $1 pam_var_console_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Read all directories on the filesystem, except
+##	the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`auth_read_all_dirs_except_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_read_all_dirs_except($1,$2 -shadow_t)
+')
+
+########################################
+## <summary>
+##	Read all files on the filesystem, except
+##	the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`auth_read_all_files_except_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_read_all_files_except($1,$2 -shadow_t)
+')
+
+########################################
+## <summary>
+##	Read all symbolic links on the filesystem, except
+##	the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`auth_read_all_symlinks_except_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_read_all_symlinks_except($1,$2 -shadow_t)
+')
+
+########################################
+## <summary>
+##	Relabel all files on the filesystem, except
+##	the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+
+interface(`auth_relabel_all_files_except_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_relabel_all_files($1,$2 -shadow_t)
+')
+
+########################################
+## <summary>
+##	Manage all files on the filesystem, except
+##	the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+
+interface(`auth_manage_all_files_except_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_manage_all_files($1,$2 -shadow_t)
+')
+
+########################################
+## <summary>
+##	Execute utempter programs in the utempter domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_domtrans_utempter',`
+	gen_require(`
+		type utempter_t, utempter_exec_t;
+	')
+
+	domain_auto_trans($1,utempter_exec_t,utempter_t)
+
+	allow $1 utempter_t:fd use;
+	allow utempter_t $1:fd use;
+	allow utempter_t $1:fifo_file rw_file_perms;
+	allow utempter_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute utempter programs in the utempter domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the utempter domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the utempter domain to use.
+##	</summary>
+## </param>
+#
+interface(`auth_run_utempter',`
+	gen_require(`
+		type utempter_t;
+	')
+
+	auth_domtrans_utempter($1)
+	role $2 types utempter_t;
+	allow utempter_t $3:chr_file rw_file_perms;
+')
+
+#######################################
+## <summary>
+##	Do not audit attemps to execute utempter executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`auth_dontaudit_exec_utempter',`
+	gen_require(`
+		type utempter_exec_t;
+	')
+
+	dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
+')
+
+########################################
+## <summary>
+##	Set the attributes of login record files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_setattr_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	allow $1 wtmp_t:file setattr;
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	Read login records files (/var/log/wtmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_read_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 wtmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write to
+##	login records files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`auth_dontaudit_write_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	dontaudit $1 wtmp_t:file write;
+')
+
+#######################################
+## <summary>
+##	Append to login records (wtmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_append_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	allow $1 wtmp_t:file { getattr append };
+')
+
+#######################################
+## <summary>
+##	Write to login records (wtmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_write_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	allow $1 wtmp_t:file { write lock };
+')
+
+########################################
+## <summary>
+##	Read and write login records.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_rw_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	allow $1 wtmp_t:file rw_file_perms;
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	Create a login records in the log directory
+##	using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_log_filetrans_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	logging_log_filetrans($1,wtmp_t,file)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete login
+##	records files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	logging_rw_generic_log_dirs($1)
+	allow $1 wtmp_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Use nsswitch to look up uid-username mappings.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_use_nsswitch',`
+	gen_require(`
+		type var_auth_t;
+	')
+
+	allow $1 self:netlink_route_socket r_netlink_socket_perms;
+
+	allow $1 var_auth_t:dir r_dir_perms;
+	allow $1 var_auth_t:file create_file_perms;
+	files_list_var_lib($1)
+
+	miscfiles_read_certs($1)
+
+	sysnet_dns_name_resolve($1)
+	sysnet_use_ldap($1)
+
+	optional_policy(`
+		nis_use_ypbind($1)
+	')
+
+	optional_policy(`
+		samba_stream_connect_winbind($1)
+	')
+')
+
+########################################
+## <summary>
+##	Unconfined access to the authlogin module.
+## </summary>
+## <desc>
+##	<p>
+##	Unconfined access to the authlogin module.
+##	</p>
+##	<p>
+##	Currently, this only allows assertions for
+##	the shadow passwords file (/etc/shadow) to
+##	be passed.  No access is granted yet.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_unconfined',`
+	gen_require(`
+		attribute can_read_shadow_passwords;
+		attribute can_write_shadow_passwords;
+		attribute can_relabelto_shadow_passwords;
+	')
+
+	typeattribute $1 can_read_shadow_passwords;
+	typeattribute $1 can_write_shadow_passwords;
+	typeattribute $1 can_relabelto_shadow_passwords;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
new file mode 100644
index 0000000..209101a
--- /dev/null
+++ b/policy/modules/system/authlogin.te
@@ -0,0 +1,317 @@
+
+policy_module(authlogin,1.3.7)
+
+########################################
+#
+# Declarations
+#
+
+attribute can_read_shadow_passwords;
+attribute can_write_shadow_passwords;
+attribute can_relabelto_shadow_passwords;
+
+type chkpwd_exec_t;
+files_type(chkpwd_exec_t)
+
+type faillog_t;
+logging_log_file(faillog_t)
+
+type lastlog_t;
+logging_log_file(lastlog_t)
+
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type login_exec_t;
+')
+files_type(login_exec_t)
+
+type pam_console_t;
+type pam_console_exec_t;
+init_system_domain(pam_console_t,pam_console_exec_t)
+role system_r types pam_console_t;
+
+type pam_t;
+domain_type(pam_t)
+role system_r types pam_t;
+
+type pam_exec_t;
+domain_entry_file(pam_t,pam_exec_t)
+
+type pam_tmp_t;
+files_tmp_file(pam_tmp_t)
+
+type pam_var_console_t;
+files_type(pam_var_console_t)
+
+type pam_var_run_t;
+files_pid_file(pam_var_run_t)
+
+type shadow_t;
+files_security_file(shadow_t)
+neverallow ~can_read_shadow_passwords shadow_t:file read;
+neverallow ~can_write_shadow_passwords shadow_t:file { create write };
+neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
+
+authlogin_common_auth_domain_template(system)
+role system_r types system_chkpwd_t;
+
+type utempter_t;
+domain_type(utempter_t)
+
+type utempter_exec_t;
+domain_entry_file(utempter_t,utempter_exec_t)
+
+#
+# var_auth_t is the type of /var/lib/auth, usually
+# used for auth data in pam_able
+#
+type var_auth_t;
+files_type(var_auth_t)
+
+type wtmp_t;
+logging_log_file(wtmp_t)
+
+########################################
+#
+# PAM local policy
+#
+
+allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+dontaudit pam_t self:capability sys_tty_config;
+
+allow pam_t self:fd use;
+allow pam_t self:fifo_file rw_file_perms;
+allow pam_t self:unix_dgram_socket create_socket_perms; 
+allow pam_t self:unix_stream_socket rw_stream_socket_perms;
+allow pam_t self:unix_dgram_socket sendto;
+allow pam_t self:unix_stream_socket connectto;
+allow pam_t self:shm create_shm_perms;
+allow pam_t self:sem create_sem_perms;
+allow pam_t self:msgq create_msgq_perms;
+allow pam_t self:msg { send receive };
+
+allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
+allow pam_t pam_var_run_t:file { getattr read unlink };
+
+allow pam_t pam_tmp_t:dir create_dir_perms;
+allow pam_t pam_tmp_t:file create_file_perms;
+files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
+
+kernel_read_system_state(pam_t)
+
+fs_search_auto_mountpoints(pam_t)
+
+term_use_all_user_ttys(pam_t)
+term_use_all_user_ptys(pam_t)
+
+init_dontaudit_rw_utmp(pam_t)
+
+files_read_etc_files(pam_t)
+files_list_pids(pam_t)
+
+libs_use_ld_so(pam_t)
+libs_use_shared_libs(pam_t)
+
+logging_send_syslog_msg(pam_t)
+
+userdom_use_unpriv_users_fds(pam_t)
+
+optional_policy(`
+	locallogin_use_fds(pam_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(pam_t)
+')
+
+optional_policy(`
+	nscd_socket_use(pam_t)
+')
+
+########################################
+#
+# PAM console local policy
+#
+
+allow pam_console_t self:capability { chown fowner fsetid };
+dontaudit pam_console_t self:capability sys_tty_config;
+
+allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
+
+# for /var/run/console.lock checking
+allow pam_console_t pam_var_console_t:dir r_dir_perms;;
+allow pam_console_t pam_var_console_t:file r_file_perms;
+dontaudit pam_console_t pam_var_console_t:file write;
+allow pam_console_t pam_var_console_t:lnk_file { getattr read };
+
+kernel_read_kernel_sysctls(pam_console_t)
+kernel_use_fds(pam_console_t)
+# Read /proc/meminfo
+kernel_read_system_state(pam_console_t)
+
+dev_read_sysfs(pam_console_t)
+dev_getattr_apm_bios_dev(pam_console_t)
+dev_setattr_apm_bios_dev(pam_console_t)
+dev_getattr_dri_dev(pam_console_t)
+dev_setattr_dri_dev(pam_console_t)
+dev_getattr_framebuffer_dev(pam_console_t)
+dev_setattr_framebuffer_dev(pam_console_t)
+dev_getattr_generic_usb_dev(pam_console_t)
+dev_setattr_generic_usb_dev(pam_console_t)
+dev_getattr_misc_dev(pam_console_t)
+dev_setattr_misc_dev(pam_console_t)
+dev_getattr_mouse_dev(pam_console_t)
+dev_setattr_mouse_dev(pam_console_t)
+dev_getattr_power_mgmt_dev(pam_console_t)
+dev_setattr_power_mgmt_dev(pam_console_t)
+dev_getattr_scanner_dev(pam_console_t)
+dev_setattr_scanner_dev(pam_console_t)
+dev_getattr_sound_dev(pam_console_t)
+dev_setattr_sound_dev(pam_console_t)
+dev_getattr_video_dev(pam_console_t)
+dev_setattr_video_dev(pam_console_t)
+dev_getattr_xserver_misc_dev(pam_console_t)
+dev_setattr_xserver_misc_dev(pam_console_t)
+dev_read_urand(pam_console_t)
+
+fs_search_auto_mountpoints(pam_console_t)
+
+mls_file_read_up(pam_console_t)
+mls_file_write_down(pam_console_t)
+
+storage_getattr_fixed_disk_dev(pam_console_t)
+storage_setattr_fixed_disk_dev(pam_console_t)
+storage_getattr_removable_dev(pam_console_t)
+storage_setattr_removable_dev(pam_console_t)
+storage_getattr_scsi_generic_dev(pam_console_t)
+storage_setattr_scsi_generic_dev(pam_console_t)
+
+term_use_console(pam_console_t)
+term_use_all_user_ttys(pam_console_t)
+term_use_all_user_ptys(pam_console_t)
+term_setattr_console(pam_console_t)
+term_getattr_unallocated_ttys(pam_console_t)
+term_setattr_unallocated_ttys(pam_console_t)
+
+auth_use_nsswitch(pam_console_t)
+
+domain_use_interactive_fds(pam_console_t)
+
+files_read_etc_files(pam_console_t)
+files_search_pids(pam_console_t)
+files_list_mnt(pam_console_t)
+# read /etc/mtab
+files_read_etc_runtime_files(pam_console_t)
+
+init_use_fds(pam_console_t)
+init_use_script_ptys(pam_console_t)
+
+libs_use_ld_so(pam_console_t)
+libs_use_shared_libs(pam_console_t)
+
+logging_send_syslog_msg(pam_console_t)
+
+miscfiles_read_localization(pam_console_t)
+miscfiles_read_certs(pam_console_t)
+
+seutil_read_file_contexts(pam_console_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
+
+# cjp: with the old daemon_(base_)domain being broken up into
+# a daemon and system interface, this probably is not needed:
+ifdef(`direct_sysadm_daemon', `
+	userdom_dontaudit_use_sysadm_terms(pam_console_t)
+')
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(pam_console_t)
+	term_dontaudit_use_generic_ptys(pam_console_t)
+	files_dontaudit_read_root_files(pam_console_t)
+')
+
+optional_policy(`
+	gpm_getattr_gpmctl(pam_console_t)
+	gpm_setattr_gpmctl(pam_console_t)
+')
+
+optional_policy(`
+	hotplug_use_fds(pam_console_t)
+	hotplug_dontaudit_search_config(pam_console_t)
+')
+
+optional_policy(`
+	nscd_socket_use(pam_console_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(pam_console_t)
+')
+
+optional_policy(`
+	udev_read_db(pam_console_t)
+')
+
+optional_policy(`
+	xserver_read_xdm_pid(pam_console_t)
+')
+
+########################################
+#
+# System check password local policy
+#
+
+allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+allow system_chkpwd_t shadow_t:file { getattr read };
+
+corecmd_search_sbin(system_chkpwd_t)
+
+domain_dontaudit_use_interactive_fds(system_chkpwd_t)
+
+term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
+term_dontaudit_use_generic_ptys(system_chkpwd_t)
+
+userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
+
+########################################
+#
+# Utempter local policy
+#
+
+allow utempter_t self:capability setgid;
+allow utempter_t self:unix_stream_socket create_stream_socket_perms;
+
+allow utempter_t wtmp_t:file rw_file_perms;
+
+dev_read_urand(utempter_t)
+
+term_getattr_all_user_ttys(utempter_t)
+term_getattr_all_user_ptys(utempter_t)
+term_dontaudit_use_all_user_ttys(utempter_t)
+term_dontaudit_use_all_user_ptys(utempter_t)
+term_dontaudit_use_ptmx(utempter_t)
+
+init_rw_utmp(utempter_t)
+
+files_read_etc_files(utempter_t)
+
+domain_use_interactive_fds(utempter_t)
+
+libs_use_ld_so(utempter_t)
+libs_use_shared_libs(utempter_t)
+
+logging_search_logs(utempter_t)
+
+# Allow utemper to write to /tmp/.xses-*
+userdom_write_unpriv_users_tmp_files(utempter_t)
+
+optional_policy(`
+	nscd_socket_use(utempter_t)
+')
+
+optional_policy(`
+	xserver_use_xdm_fds(utempter_t)
+	xserver_rw_xdm_pipes(utempter_t)
+')
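Review bot: `allow pam_console_t pam_var_console_t:dir r_dir_perms;;` carries a doubled semicolon; drop the stray one so the statement reads `allow pam_console_t pam_var_console_t:dir r_dir_perms;` — whether the policy compiler rejects the empty statement or silently tolerates it, it should not ship. Separately, the rule `allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` grants by complement, so any process permission added to the class later is granted to pam_t automatically; a positive list of what pam_t actually needs is easier to audit and safer as the class grows. The rule `allow system_chkpwd_t shadow_t:file { getattr read };` can only pass the `neverallow ~can_read_shadow_passwords shadow_t:file read;` assertion if system_chkpwd_t carries that attribute, which presumably comes from `authlogin_common_auth_domain_template(system)`; a one-line comment next to the rule noting that dependency would save the next reader a lookup. There is also trailing whitespace on the `allow pam_t self:unix_dgram_socket create_socket_perms;` line.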
diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
new file mode 100644
index 0000000..c5e05ca
--- /dev/null
+++ b/policy/modules/system/clock.fc
@@ -0,0 +1,5 @@
+
+/etc/adjtime		--	gen_context(system_u:object_r:adjtime_t,s0)
+
+/sbin/hwclock		--	gen_context(system_u:object_r:hwclock_exec_t,s0)
+
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
new file mode 100644
index 0000000..d5c66e3
--- /dev/null
+++ b/policy/modules/system/clock.if
@@ -0,0 +1,93 @@
+## <summary>Policy for reading and setting the hardware clock.</summary>
+
+########################################
+## <summary>
+##	Execute hwclock in the clock domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`clock_domtrans',`
+	gen_require(`
+		type hwclock_t, hwclock_exec_t;
+	')
+
+	domain_auto_trans($1,hwclock_exec_t,hwclock_t)
+
+	allow $1 hwclock_t:fd use;
+	allow hwclock_t $1:fd use;
+	allow hwclock_t $1:fifo_file rw_file_perms;
+	allow hwclock_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute hwclock in the clock domain, and
+##	allow the specified role the hwclock domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the clock domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the clock domain to use.
+##	</summary>
+## </param>
+#
+interface(`clock_run',`
+	gen_require(`
+		type hwclock_t;
+	')
+
+	clock_domtrans($1)
+	role $2 types hwclock_t;
+	allow hwclock_t $3:chr_file { getattr read write ioctl };
+')
+
+########################################
+##     <summary>
+##             Execute hwclock in the caller domain.
+##     </summary>
+##     <param name="domain">
+##	<summary>
+##             The type of the process performing this action.
+##	</summary>
+##     </param>
+#
+interface(`clock_exec',`
+	gen_require(`
+		type hwclock_exec_t;
+	')
+
+	can_exec($1,hwclock_exec_t)
+')
+
+########################################
+##     <summary>
+##             Allow executing domain to modify clock drift
+##     </summary>
+##     <param name="domain">
+##	<summary>
+##             The type of the process performing this action.
+##	</summary>
+##     </param>
+#
+interface(`clock_rw_adjtime',`
+	gen_require(`
+		type adjtime_t;
+	')
+
+	allow $1 adjtime_t:file rw_file_perms;
+	files_list_etc($1)
+')
+
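Review bot: The doc comment blocks for `clock_exec` and `clock_rw_adjtime` indent the `<summary>` and `<param>` elements with runs of spaces, unlike `clock_domtrans` and `clock_run` above them, which use the tab layout; reformatting them to the same tab layout keeps the file consistent for the interface documentation generator. The `clock_rw_adjtime` summary `Allow executing domain to modify clock drift` is also vaguer than the rest; `Read and write the clock drift adjustments file (/etc/adjtime).` would match the wording style of the other interfaces. In `clock_run`, the terminal access is spelled out as `{ getattr read write ioctl }` where the otherwise parallel `auth_run_pam` in this same commit uses `rw_file_perms`; if the narrower set is deliberate, a short comment saying so would keep it from being "fixed" later.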
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
new file mode 100644
index 0000000..03d9885
--- /dev/null
+++ b/policy/modules/system/clock.te
@@ -0,0 +1,88 @@
+
+policy_module(clock,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type adjtime_t;
+files_type(adjtime_t)
+
+type hwclock_t;
+type hwclock_exec_t;
+init_system_domain(hwclock_t,hwclock_exec_t)
+role system_r types hwclock_t;
+
+########################################
+#
+# Local policy
+#
+
+# Give hwclock the capabilities it requires.  dac_override is a surprise,
+# but hwclock does require it.
+allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config audit_write };
+dontaudit hwclock_t self:capability sys_tty_config;
+allow hwclock_t self:process signal_perms;
+allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+# Allow hwclock to store & retrieve correction factors.
+allow hwclock_t adjtime_t:file { rw_file_perms setattr };
+
+kernel_read_kernel_sysctls(hwclock_t)
+kernel_list_proc(hwclock_t)
+kernel_read_proc_symlinks(hwclock_t)
+
+dev_read_sysfs(hwclock_t)
+dev_rw_realtime_clock(hwclock_t)
+
+fs_getattr_xattr_fs(hwclock_t)
+fs_search_auto_mountpoints(hwclock_t)
+
+term_dontaudit_use_console(hwclock_t)
+term_use_unallocated_ttys(hwclock_t)
+term_use_all_user_ttys(hwclock_t)
+term_use_all_user_ptys(hwclock_t)
+
+domain_use_interactive_fds(hwclock_t)
+
+init_use_fds(hwclock_t)
+init_use_script_ptys(hwclock_t)
+
+files_read_etc_files(hwclock_t)
+# for when /usr is not mounted:
+files_dontaudit_search_isid_type_dirs(hwclock_t)
+
+libs_use_ld_so(hwclock_t)
+libs_use_shared_libs(hwclock_t)
+
+logging_send_syslog_msg(hwclock_t)
+
+miscfiles_read_localization(hwclock_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(hwclock_t)
+	term_dontaudit_use_generic_ptys(hwclock_t)
+	files_dontaudit_read_root_files(hwclock_t)
+')
+
+optional_policy(`
+	apm_append_log(hwclock_t)
+	apm_rw_stream_sockets(hwclock_t)
+')
+
+optional_policy(`
+	nscd_socket_use(hwclock_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(hwclock_t)
+')
+
+optional_policy(`
+	udev_read_db(hwclock_t)
+')
+
+optional_policy(`
+	userdom_dontaudit_use_unpriv_user_fds(hwclock_t)
+')
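Review bot: `sys_tty_config` is both granted in `allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config audit_write };` and suppressed on the next line with `dontaudit hwclock_t self:capability sys_tty_config;`; since dontaudit only affects denials, the second rule is dead while the first stands. If hwclock genuinely needs the capability, drop the dontaudit; if the intent was only to quiet the audit log, as in the pam_t and pam_console_t blocks of authlogin.te in this commit, which dontaudit it without allowing it, remove `sys_tty_config` from the allow set instead. The header comment acknowledges `dac_override` as a surprise; naming which access it is needed for would make it possible to re-check and drop this broad capability later.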
diff --git a/policy/modules/system/daemontools.fc b/policy/modules/system/daemontools.fc
new file mode 100644
index 0000000..26df050
--- /dev/null
+++ b/policy/modules/system/daemontools.fc
@@ -0,0 +1,53 @@
+#
+# /service
+#
+
+/service		-d	gen_context(system_u:object_r:svc_svc_t,s0)
+/service/.*			gen_context(system_u:object_r:svc_svc_t,s0)
+
+#
+# /usr
+#
+
+/usr/bin/envdir		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/envuidgid	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/fghack		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/multilog	--	gen_context(system_u:object_r:svc_multilog_exec_t,s0)
+/usr/bin/pgrphack	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setlock		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setuidgid	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/softlimit	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/svc		--	gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svok		--	gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscan		--	gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscanboot	--	gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/supervise	--	gen_context(system_u:object_r:svc_start_exec_t,s0)
+
+#
+# /var
+#
+
+/var/axfrdns(/.*)?		gen_context(system_u:object_r:svc_svc_t,s0)
+/var/axfrdns/run		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/log/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/env(/.*)?		gen_context(system_u:object_r:svc_conf_t,s0)
+
+/var/dnscache(/.*)?		gen_context(system_u:object_r:svc_svc_t,s0)
+/var/dnscache/env(/.*)?		gen_context(system_u:object_r:svc_conf_t,s0)
+/var/dnscache/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/dnscache/log/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/qmail/supervise(/.*)?	gen_context(system_u:object_r:svc_svc_t,s0)
+/var/qmail/supervise/.*/run --	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/service/.*			gen_context(system_u:object_r:svc_svc_t,s0)
+/var/service/.*/env(/.*)?	gen_context(system_u:object_r:svc_conf_t,s0)
+/var/service/.*/log/main(/.*)?	gen_context(system_u:object_r:svc_log_t,s0)
+/var/service/.*/log/run		gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/service/.*/run.*		gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/tinydns(/.*)?		gen_context(system_u:object_r:svc_svc_t,s0)
+/var/tinydns/run		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/log/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/env(/.*)?		gen_context(system_u:object_r:svc_conf_t,s0)
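Review bot: The two `run` patterns under `/var/service` (L86023–L86024) carry no `--` file-type qualifier, while every other `run` entry in this file (e.g. `/var/tinydns/run`, `/var/axfrdns/log/run`) restricts the entry-point type to regular files, so under `/var/service` a directory or symlink named `run…` would also be labelled `svc_run_exec_t`. If the intent matches the per-service entries, `/var/service/.*/log/run		--	gen_context(system_u:object_r:svc_run_exec_t,s0)` and `/var/service/.*/run.*		--	gen_context(system_u:object_r:svc_run_exec_t,s0)` would keep the domain entry type on plain files only. Also note that `/var/service/.*` labels the contents but not `/var/service` itself, unlike the `/service` entry at L85981 which has a dedicated `-d` line for the directory.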
diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if
new file mode 100644
index 0000000..598e580
--- /dev/null
+++ b/policy/modules/system/daemontools.if
@@ -0,0 +1,163 @@
+## <summary>Collection of tools for managing UNIX services</summary>
+## <desc>
+##	<p>
+##		Policy for DJB's daemontools
+##	</p>
+## </desc>
+
+########################################
+## <summary>
+##	An ipc channel between the supervised domain and svc_start_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access to svc_start_t.
+##	</summary>
+## </param>
+#
+interface(`daemontools_ipc_domain',`
+	gen_require(`
+		type svc_start_t;
+	')
+
+	allow $1 svc_start_t:process sigchld;
+	allow $1 svc_start_t:fd use;
+	allow $1 svc_start_t:fifo_file { read write getattr };
+	allow svc_start_t $1:process signal;
+')
+
+########################################
+## <summary>
+##      Define a specified domain as a supervised service.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##      The type associated with the process program.
+##	</summary>
+## </param>
+#
+interface(`daemontools_service_domain',`
+	gen_require(`
+		type svc_run_t;
+	')
+
+	domain_auto_trans(svc_run_t, $2, $1)
+	daemontools_ipc_domain($1)
+
+	allow svc_run_t $1:process signal;
+	allow $1 svc_run_t:fd use;
+')
+
+########################################
+## <summary>
+##      Execute in the svc_start_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`daemontools_domtrans_start',`
+	gen_require(`
+		type svc_start_t, svc_start_exec_t;
+	')
+
+	domain_auto_trans($1, svc_start_exec_t, svc_start_t)
+
+	allow $1 svc_start_t:fd use;
+	allow svc_start_t $1:fd use;
+	allow svc_start_t $1:fifo_file rw_file_perms;
+	allow svc_start_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##      Execute in the svc_run_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`daemontools_domtrans_run',`
+	gen_require(`
+		type svc_run_t, svc_run_exec_t;
+	')
+
+	domain_auto_trans($1, svc_run_exec_t, svc_run_t)
+
+	allow $1 svc_run_t:fd use;
+	allow svc_run_t $1:fd use;
+	allow svc_run_t $1:fifo_file rw_file_perms;
+	allow svc_run_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##      Execute in the svc_multilog_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`daemontools_domtrans_multilog',`
+	gen_require(`
+		type svc_multilog_t, svc_multilog_exec_t;
+	')
+
+	domain_auto_trans($1, svc_multilog_exec_t, svc_multilog_t)
+
+	allow $1 svc_multilog_t:fd use;
+	allow svc_multilog_t $1:fd use;
+	allow svc_multilog_t $1:fifo_file rw_file_perms;
+	allow svc_multilog_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##      Allow a domain to read svc_svc_t files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`daemontools_read_svc',`
+	gen_require(`
+		type svc_svc_t;
+	')
+
+	allow $1 svc_svc_t:dir r_dir_perms;
+	allow $1 svc_svc_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##      Allow a domain to create svc_svc_t files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`daemontools_manage_svc',`
+	gen_require(`
+		type svc_svc_t;
+	')
+
+	allow $1 svc_svc_t:dir create_dir_perms;
+	allow $1 svc_svc_t:fifo_file create_file_perms;
+	allow $1 svc_svc_t:file create_file_perms;
+	allow $1 svc_svc_t:lnk_file { read create };
+')
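Review bot: `daemontools_manage_svc` (L86189) is documented as allowing a domain to create svc_svc_t files, but `create_dir_perms` and `create_file_perms` on dir/fifo_file/file also grant delete and rename, so the summary undersells what callers receive; `##	Create, read, write, and delete svc_svc_t directories, files, pipes and symlinks.` would match the body. The lnk_file rule on L86197 grants only `{ read create }`, without `getattr` or `unlink`, which looks inconsistent with the other classes in the same interface — presumably an oversight, worth confirming. Minor style: the summaries in this file mix leading spaces (L86066, L86070) with the tab indentation used in the other interface docs in this series.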
diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te
new file mode 100644
index 0000000..7f4a387
--- /dev/null
+++ b/policy/modules/system/daemontools.te
@@ -0,0 +1,124 @@
+
+policy_module(daemontools,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type svc_conf_t;
+files_type(svc_conf_t)
+
+type svc_log_t;
+files_type(svc_log_t)
+
+type svc_multilog_t;
+type svc_multilog_exec_t;
+domain_type(svc_multilog_t)
+domain_entry_file(svc_multilog_t,svc_multilog_exec_t)
+role system_r types svc_multilog_t;
+
+type svc_run_t;
+type svc_run_exec_t;
+domain_type(svc_run_t)
+domain_entry_file(svc_run_t,svc_run_exec_t)
+role system_r types svc_run_t;
+
+type svc_start_t;
+type svc_start_exec_t;
+init_domain(svc_start_t,svc_start_exec_t)
+init_system_domain(svc_start_t,svc_start_exec_t)
+role system_r types svc_start_t;
+
+type svc_svc_t;
+files_type(svc_svc_t)
+
+########################################
+#
+# multilog local policy
+#
+
+# multilog creates /service/*/log/status
+allow svc_multilog_t svc_svc_t:dir rw_dir_perms;
+allow svc_multilog_t svc_svc_t:file create_file_perms;
+
+init_use_fds(svc_multilog_t)
+
+libs_use_ld_so(svc_multilog_t)
+libs_use_shared_libs(svc_multilog_t)
+
+# writes to /var/log/*/*
+logging_manage_generic_logs(svc_multilog_t)
+
+daemontools_ipc_domain(svc_multilog_t)
+
+########################################
+#
+# local policy for binaries that impose 
+# a given environment to supervised daemons
+# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
+#
+
+allow svc_run_t self:capability { setgid setuid chown fsetid };
+allow svc_run_t self:process setrlimit;
+allow svc_run_t self:fifo_file rw_file_perms;
+allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+
+allow svc_run_t svc_conf_t:dir r_dir_perms;
+allow svc_run_t svc_conf_t:file r_file_perms;
+
+can_exec(svc_run_t svc_run_exec_t)
+
+kernel_read_system_state(svc_run_t)
+
+corecmd_exec_bin(svc_run_t)
+corecmd_exec_sbin(svc_run_t)
+corecmd_exec_shell(svc_run_t)
+corecmd_exec_ls(svc_run_t)
+
+files_read_etc_files(svc_run_t)
+files_read_etc_runtime_files(svc_run_t)
+files_search_pids(svc_run_t)
+files_search_var_lib(svc_run_t)
+
+init_use_script_fds(svc_run_t)
+init_use_fds(svc_run_t)
+
+libs_use_ld_so(svc_run_t)
+libs_use_shared_libs(svc_run_t)
+
+daemontools_domtrans_multilog(svc_run_t)
+daemontools_read_svc(svc_run_t)
+
+optional_policy(`
+	qmail_read_config(svc_run_t)
+')
+
+########################################
+#
+# local policy for service monitoring programs
+# ie svc, svscan, supervise ...
+#
+
+allow svc_start_t svc_run_t:process signal;
+
+allow svc_start_t self:fifo_file rw_file_perms;
+allow svc_start_t self:capability kill;
+allow svc_start_t self:unix_stream_socket create_socket_perms;
+
+can_exec(svc_start_t svc_start_exec_t)
+
+corecmd_read_sbin_symlinks(svc_start_t)
+corecmd_exec_bin(svc_start_t)
+corecmd_exec_shell(svc_start_t)
+
+files_read_etc_files(svc_start_t)
+files_read_etc_runtime_files(svc_start_t)
+files_search_var(svc_start_t)
+files_search_pids(svc_start_t)
+
+libs_use_ld_so(svc_start_t)
+libs_use_shared_libs(svc_start_t)
+
+daemontools_domtrans_run(svc_start_t)
+daemontools_manage_svc(svc_start_t)
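Review bot: `can_exec(svc_run_t svc_run_exec_t)` (L86274) and `can_exec(svc_start_t svc_start_exec_t)` (L86313) separate the macro arguments with a space rather than a comma, so m4 hands the whole string to `$1` and leaves `$2` empty; whether the expansion still parses depends on the macro body, and fstools.te in the same series writes `can_exec(fsadm_t, fsadm_exec_t)`. Use `can_exec(svc_run_t, svc_run_exec_t)` and `can_exec(svc_start_t, svc_start_exec_t)` so the rule does not rely on that accident. Separately, svc_start_t is declared with both `init_domain` and `init_system_domain` (L86233–L86234) and then gets an explicit `role system_r types svc_start_t;`; in refpolicy `init_system_domain` is expected to imply `init_domain`, so one of the two calls is presumably redundant — worth confirming against the init module in this tree.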
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
new file mode 100644
index 0000000..f55036c
--- /dev/null
+++ b/policy/modules/system/fstools.fc
@@ -0,0 +1,39 @@
+/sbin/blockdev		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dosfsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dumpe2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/e2fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/fdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/install-mbr	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/lsraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkdosfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mke2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkfs.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/raidautorun	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/raidstart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/reiserfs(ck|tune)	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/resize.*fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+/usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+/usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
new file mode 100644
index 0000000..29ec471
--- /dev/null
+++ b/policy/modules/system/fstools.if
@@ -0,0 +1,130 @@
+## <summary>Tools for filesystem management, such as mkfs and fsck.</summary>
+
+########################################
+## <summary>
+##	Execute fs tools in the fstools domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`fstools_domtrans',`
+	gen_require(`
+		type fsadm_t, fsadm_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,fsadm_exec_t,fsadm_t)
+
+	allow $1 fsadm_t:fd use;
+	allow fsadm_t $1:fd use;
+	allow fsadm_t $1:fifo_file rw_file_perms;
+	allow fsadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute fs tools in the fstools domain, and
+##	allow the specified role the fs tools domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the fs tools domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the fs tools domain to use.
+##	</summary>
+## </param>
+#
+interface(`fstools_run',`
+	gen_require(`
+		type fsadm_t;
+	')
+
+	fstools_domtrans($1)
+	role $2 types fsadm_t;
+	allow fsadm_t $3:chr_file { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+##	Execute fsadm in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`fstools_exec',`
+	gen_require(`
+		type fsadm_exec_t;
+	')
+
+	can_exec($1,fsadm_exec_t)
+')
+
+########################################
+## <summary>
+##	Relabel a file to the type used by the
+##	filesystem tools programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`fstools_relabelto_entry_files',`
+	gen_require(`
+		type fsadm_exec_t;
+	')
+
+	allow $1 fsadm_exec_t:file relabelto;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete a file used by the
+##	filesystem tools programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`fstools_manage_entry_files',`
+	gen_require(`
+		type fsadm_exec_t;
+	')
+
+	allow $1 fsadm_exec_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Getattr swapfile
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`fstools_getattr_swap_files',`
+	gen_require(`
+		type swapfile_t;
+	')
+
+	allow $1 swapfile_t:file getattr;
+')
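Review bot: `fstools_exec` (L86447) grants `can_exec($1,fsadm_exec_t)` without the `corecmd_search_sbin($1)` that `fstools_domtrans` adds before its transition and that `hostname_exec` in this series includes; since every fsadm_exec_t entry in fstools.fc lives under /sbin or /usr/sbin, a caller without its own sbin search access would be denied at the directory lookup rather than at the exec. Adding `corecmd_search_sbin($1)` directly before the `can_exec` line makes the two interfaces consistent.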
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
new file mode 100644
index 0000000..73a8fe0
--- /dev/null
+++ b/policy/modules/system/fstools.te
@@ -0,0 +1,180 @@
+
+policy_module(fstools,1.3.2)
+
+########################################
+#
+# Declarations
+#
+
+type fsadm_t;
+type fsadm_exec_t;
+init_system_domain(fsadm_t,fsadm_exec_t)
+mls_file_read_up(fsadm_t)
+role system_r types fsadm_t;
+
+type fsadm_tmp_t;
+files_tmp_file(fsadm_tmp_t)
+
+type swapfile_t; # customizable
+files_type(swapfile_t)
+
+########################################
+#
+# local policy
+#
+
+# ipc_lock is for losetup
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
+allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
+allow fsadm_t self:fd use;
+allow fsadm_t self:fifo_file rw_file_perms;
+allow fsadm_t self:sock_file r_file_perms;
+allow fsadm_t self:unix_dgram_socket create_socket_perms;
+allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
+allow fsadm_t self:unix_dgram_socket sendto;
+allow fsadm_t self:unix_stream_socket connectto;
+allow fsadm_t self:shm create_shm_perms;
+allow fsadm_t self:sem create_sem_perms;
+allow fsadm_t self:msgq create_msgq_perms;
+allow fsadm_t self:msg { send receive };
+
+can_exec(fsadm_t, fsadm_exec_t)
+
+allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
+allow fsadm_t fsadm_tmp_t:file create_file_perms;
+files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
+
+# Enable swapping to files
+allow fsadm_t swapfile_t:file { read write getattr swapon };
+
+kernel_read_system_state(fsadm_t)
+kernel_read_kernel_sysctls(fsadm_t)
+# Allow console log change (updfstab)
+kernel_change_ring_buffer_level(fsadm_t)
+# mkreiserfs needs this
+kernel_getattr_proc(fsadm_t)
+kernel_getattr_core_if(fsadm_t)
+# Access to /initrd devices
+kernel_rw_unlabeled_dirs(fsadm_t)
+kernel_rw_unlabeled_blk_files(fsadm_t)
+
+files_getattr_boot_dirs(fsadm_t)
+
+dev_getattr_all_chr_files(fsadm_t)
+dev_dontaudit_getattr_all_blk_files(fsadm_t)
+# mkreiserfs and other programs need this for UUID
+dev_read_rand(fsadm_t)
+dev_read_urand(fsadm_t)
+# Recreate /dev/cdrom.
+dev_manage_generic_symlinks(fsadm_t)
+# fdisk needs this for early boot
+dev_manage_generic_blk_files(fsadm_t)
+# Access to /initrd devices
+dev_search_usbfs(fsadm_t)
+# for swapon
+dev_read_sysfs(fsadm_t)
+# Access to /initrd devices
+dev_getattr_usbfs_dirs(fsadm_t)
+# Access to /dev/mapper/control
+dev_rw_lvm_control(fsadm_t)
+
+fs_search_auto_mountpoints(fsadm_t)
+fs_getattr_xattr_fs(fsadm_t)
+fs_rw_ramfs_pipes(fsadm_t)
+fs_rw_tmpfs_files(fsadm_t)
+# remount file system to apply changes
+fs_remount_xattr_fs(fsadm_t)
+# for /dev/shm
+fs_search_tmpfs(fsadm_t)
+fs_getattr_tmpfs_dirs(fsadm_t)
+fs_read_tmpfs_symlinks(fsadm_t)
+
+mls_file_write_down(fsadm_t)
+
+storage_raw_read_fixed_disk(fsadm_t)
+storage_raw_write_fixed_disk(fsadm_t)
+storage_raw_read_removable_device(fsadm_t)
+storage_raw_write_removable_device(fsadm_t)
+storage_read_scsi_generic(fsadm_t)
+storage_swapon_fixed_disk(fsadm_t)
+
+term_use_console(fsadm_t)
+
+corecmd_list_bin(fsadm_t)
+corecmd_list_sbin(fsadm_t)
+corecmd_read_bin_symlinks(fsadm_t)
+corecmd_read_sbin_symlinks(fsadm_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(fsadm_t)
+corecmd_read_bin_pipes(fsadm_t)
+corecmd_read_bin_sockets(fsadm_t)
+corecmd_read_sbin_files(fsadm_t)
+corecmd_read_sbin_pipes(fsadm_t)
+corecmd_read_sbin_sockets(fsadm_t)
+
+domain_use_interactive_fds(fsadm_t)
+
+files_list_home(fsadm_t)
+files_read_usr_files(fsadm_t)
+files_read_etc_files(fsadm_t)
+files_manage_lost_found(fsadm_t)
+files_manage_isid_type_dirs(fsadm_t)
+# Write to /etc/mtab.
+files_manage_etc_runtime_files(fsadm_t)
+files_etc_filetrans_etc_runtime(fsadm_t,file)
+# Access to /initrd devices
+files_rw_isid_type_dirs(fsadm_t)
+files_rw_isid_type_blk_files(fsadm_t)
+# Recreate /mnt/cdrom.
+files_manage_mnt_dirs(fsadm_t)
+# for tune2fs
+files_search_all(fsadm_t)
+
+init_use_fds(fsadm_t)
+init_use_script_ptys(fsadm_t)
+init_dontaudit_getattr_initctl(fsadm_t)
+
+libs_use_ld_so(fsadm_t)
+libs_use_shared_libs(fsadm_t)
+
+logging_send_syslog_msg(fsadm_t)
+
+miscfiles_read_localization(fsadm_t)
+
+modutils_read_module_config(fsadm_t)
+
+seutil_read_config(fsadm_t)
+
+userdom_use_unpriv_users_fds(fsadm_t)
+
+ifdef(`targeted_policy',`
+	term_use_unallocated_ttys(fsadm_t)
+	term_use_generic_ptys(fsadm_t)
+')
+
+tunable_policy(`read_default_t',`
+	files_list_default(fsadm_t)
+	files_read_default_files(fsadm_t)
+	files_read_default_symlinks(fsadm_t)
+	files_read_default_sockets(fsadm_t)
+	files_read_default_pipes(fsadm_t)
+')
+
+optional_policy(`
+	amanda_rw_dumpdates_files(fsadm_t)
+	amanda_append_log_files(fsadm_t)
+')
+
+optional_policy(`
+	# for smartctl cron jobs
+	cron_system_entry(fsadm_t,fsadm_exec_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(fsadm_t)
+')
+
+optional_policy(`
+	fs_dontaudit_write_ramfs_pipes(fsadm_t)
+	rhgb_stub(fsadm_t)
+')
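Review bot: The complement set on L86543, `allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };`, grants every process permission not listed — which includes `execstack` and `dyntransition`, and any permission added to the class later — and it lists `execmem` twice. A positive list of what the fs tools actually use (fork, the signal permissions, getattr, getsched/setsched, getsession and the like) would stop the domain from silently gaining new permissions as the class grows; at minimum drop the duplicate `execmem` and consider adding `execstack` to the exclusions. Also, `fs_dontaudit_write_ramfs_pipes(fsadm_t)` is wrapped in the rhgb `optional_policy` block (L86692–L86695) although it is a core `fs` interface — presumably intentional, but a one-line `# rhgb pipes live on ramfs` above it would spare the next reader the question.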
diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
new file mode 100644
index 0000000..b778309
--- /dev/null
+++ b/policy/modules/system/getty.fc
@@ -0,0 +1,11 @@
+
+/etc/mgetty(/.*)?		gen_context(system_u:object_r:getty_etc_t,s0)
+
+/sbin/.*getty		--	gen_context(system_u:object_r:getty_exec_t,s0)
+
+/var/log/mgetty\.log.*	--	gen_context(system_u:object_r:getty_log_t,s0)
+/var/log/vgetty\.log\..* --	gen_context(system_u:object_r:getty_log_t,s0)
+
+/var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
+
+/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
new file mode 100644
index 0000000..79a89e7
--- /dev/null
+++ b/policy/modules/system/getty.if
@@ -0,0 +1,100 @@
+## <summary>Policy for getty.</summary>
+
+########################################
+## <summary>
+##	Execute gettys in the getty domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`getty_domtrans',`
+	gen_require(`
+		type getty_t, getty_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,getty_exec_t,getty_t)
+
+	allow $1 getty_t:fd use;
+	allow getty_t $1:fd use;
+	allow getty_t $1:fifo_file rw_file_perms;
+	allow getty_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit and use getty file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`getty_use_fds',`
+	gen_require(`
+		type getty_t;
+	')
+
+	allow $1 getty_t:fd use;
+')
+
+########################################
+## <summary>
+##	Allow process to read getty log file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`getty_read_log',`
+	gen_require(`
+		type getty_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 getty_log_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow process to read getty config file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`getty_read_config',`
+	gen_require(`
+		type getty_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 getty_etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow process to edit getty config file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`getty_rw_config',`
+	gen_require(`
+		type getty_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 getty_etc_t:file rw_file_perms;
+')
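Review bot: `getty_read_config` (L86792) and `getty_rw_config` (L86811) grant file access to getty_etc_t but no `dir` permission on that type, and getty.fc labels the whole `/etc/mgetty(/.*)?` tree getty_etc_t, so `files_search_etc($1)` gets a caller as far as /etc but not into /etc/mgetty itself. Add `allow $1 getty_etc_t:dir search_dir_perms;` (or `r_dir_perms` in the rw variant if directory listing is expected) next to the `files_search_etc` call in both interfaces. `getty_read_log` has the same shape for getty_log_t, but the log entries in getty.fc are plain files directly under /var/log, so `logging_search_logs` is sufficient there.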
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
new file mode 100644
index 0000000..aaac752
--- /dev/null
+++ b/policy/modules/system/getty.te
@@ -0,0 +1,126 @@
+
+policy_module(getty,1.1.2)
+
+########################################
+#
+# Declarations
+#
+
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type getty_t;
+')
+type getty_exec_t;
+init_domain(getty_t,getty_exec_t)
+domain_interactive_fd(getty_t)
+
+type getty_etc_t;
+typealias getty_etc_t alias etc_getty_t;
+files_config_file(getty_etc_t)
+
+type getty_lock_t;
+files_lock_file(getty_lock_t)
+
+type getty_log_t;
+logging_log_file(getty_log_t)
+
+type getty_tmp_t;
+files_tmp_file(getty_tmp_t)
+
+type getty_var_run_t;
+files_pid_file(getty_var_run_t)
+
+########################################
+#
+# Getty local policy
+#
+
+# Use capabilities.
+allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
+dontaudit getty_t self:capability sys_tty_config;
+allow getty_t self:process { getpgid getsession signal_perms };
+
+allow getty_t getty_etc_t:dir r_dir_perms;
+allow getty_t getty_etc_t:file r_file_perms;
+allow getty_t getty_etc_t:lnk_file { getattr read };
+files_etc_filetrans(getty_t,getty_etc_t,{ file dir })
+
+allow getty_t getty_lock_t:file create_file_perms;
+files_lock_filetrans(getty_t,getty_lock_t,file)
+
+allow getty_t getty_log_t:file create_file_perms;
+logging_log_filetrans(getty_t,getty_log_t,file)
+
+allow getty_t getty_tmp_t:file create_file_perms;
+allow getty_t getty_tmp_t:dir create_dir_perms;
+files_tmp_filetrans(getty_t,getty_tmp_t,{ file dir })
+
+allow getty_t getty_var_run_t:file create_file_perms;
+allow getty_t getty_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(getty_t,getty_var_run_t,file)
+
+kernel_list_proc(getty_t)
+kernel_read_proc_symlinks(getty_t)
+
+dev_read_sysfs(getty_t)
+
+fs_search_auto_mountpoints(getty_t)
+# for error condition handling
+fs_getattr_xattr_fs(getty_t)
+
+mcs_process_set_categories(getty_t)
+
+mls_file_read_up(getty_t)
+mls_file_write_down(getty_t)
+
+# Chown, chmod, read and write ttys.
+term_use_all_user_ttys(getty_t)
+term_use_unallocated_ttys(getty_t)
+term_setattr_all_user_ttys(getty_t)
+term_setattr_unallocated_ttys(getty_t)
+term_setattr_console(getty_t)
+term_dontaudit_use_console(getty_t)
+
+auth_rw_login_records(getty_t)
+
+corecmd_search_bin(getty_t)
+corecmd_search_sbin(getty_t)
+
+files_rw_generic_pids(getty_t)
+files_read_etc_runtime_files(getty_t)
+files_read_etc_files(getty_t)
+
+init_rw_utmp(getty_t)
+init_use_script_ptys(getty_t)
+init_dontaudit_use_script_ptys(getty_t)
+
+libs_use_ld_so(getty_t)
+libs_use_shared_libs(getty_t)
+
+locallogin_domtrans(getty_t)
+
+logging_send_syslog_msg(getty_t)
+
+miscfiles_read_localization(getty_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(getty_t)
+	term_dontaudit_use_generic_ptys(getty_t)
+')
+
+optional_policy(`
+	mta_send_mail(getty_t)
+')
+
+optional_policy(`
+	nscd_socket_use(getty_t)
+')
+
+optional_policy(`
+	ppp_domtrans(getty_t)
+')
+
+optional_policy(`
+	udev_read_db(getty_t)
+')
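Review bot: L86864 allows `sys_tty_config` for getty_t and L86865 immediately `dontaudit`s the same permission; a dontaudit on a permission that is already allowed has no effect, so one of the two lines is stale — decide whether the capability is really needed (the `term_setattr_*` interfaces below suggest it is) and drop the other. The hwclock.te hunk earlier in this diff carries the same allow-plus-dontaudit pair on sys_tty_config. Separately, `files_etc_filetrans(getty_t,getty_etc_t,{ file dir })` (L86871) sets up a create-time transition to getty_etc_t, yet getty_t only has `r_dir_perms`/`r_file_perms` on that type (L86868–L86869), so the transition can never be exercised; either the filetrans is unneeded or write permissions are missing — worth confirming which before the next version bump.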
diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
new file mode 100644
index 0000000..9dfecf7
--- /dev/null
+++ b/policy/modules/system/hostname.fc
@@ -0,0 +1,2 @@
+
+/bin/hostname		--	gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
new file mode 100644
index 0000000..d7a3090
--- /dev/null
+++ b/policy/modules/system/hostname.if
@@ -0,0 +1,75 @@
+## <summary>Policy for changing the system host name.</summary>
+
+########################################
+## <summary>
+##	Execute hostname in the hostname domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hostname_domtrans',`
+	gen_require(`
+		type hostname_t, hostname_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,hostname_exec_t,hostname_t)
+
+	allow $1 hostname_t:fd use;
+	allow hostname_t $1:fd use;
+	allow hostname_t $1:fifo_file rw_file_perms;
+	allow hostname_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute hostname in the hostname domain, and
+##	allow the specified role the hostname domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the hostname domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the hostname domain to use.
+##	</summary>
+## </param>
+#
+interface(`hostname_run',`
+	gen_require(`
+		type hostname_t;
+	')
+
+	hostname_domtrans($1)
+	role $2 types hostname_t;
+	allow hostname_t $3:chr_file { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+##	Execute hostname in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`hostname_exec',`
+	gen_require(`
+		type hostname_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1,hostname_exec_t)
+')
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
new file mode 100644
index 0000000..dbe028b
--- /dev/null
+++ b/policy/modules/system/hostname.te
@@ -0,0 +1,61 @@
+
+policy_module(hostname,1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type hostname_t;
+type hostname_exec_t;
+init_system_domain(hostname_t,hostname_exec_t)
+role system_r types hostname_t;
+
+########################################
+#
+# Local policy
+#
+
+# for setting the hostname
+allow hostname_t self:process { sigchld sigkill sigstop signull signal };
+allow hostname_t self:capability sys_admin;
+allow hostname_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit hostname_t self:capability sys_tty_config;
+
+kernel_list_proc(hostname_t)
+kernel_read_proc_symlinks(hostname_t)
+
+dev_read_sysfs(hostname_t)
+
+fs_getattr_xattr_fs(hostname_t)
+fs_search_auto_mountpoints(hostname_t)
+fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
+
+term_dontaudit_use_console(hostname_t)
+term_use_all_user_ttys(hostname_t)
+term_use_all_user_ptys(hostname_t)
+
+init_use_fds(hostname_t)
+init_use_script_fds(hostname_t)
+init_use_script_ptys(hostname_t)
+
+domain_use_interactive_fds(hostname_t)
+
+files_read_etc_files(hostname_t)
+files_dontaudit_search_var(hostname_t)
+# for when /usr is not mounted:
+files_dontaudit_search_isid_type_dirs(hostname_t)
+
+libs_use_ld_so(hostname_t)
+libs_use_shared_libs(hostname_t)
+
+logging_send_syslog_msg(hostname_t)
+
+miscfiles_read_localization(hostname_t)
+
+sysnet_read_config(hostname_t)
+sysnet_dns_name_resolve(hostname_t)
+
+
+
+
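Review bot: The comment `# for setting the hostname` on L87064 sits over the `self:process` signal rule (L87065) rather than over the `self:capability sys_admin` rule (L87066) it actually explains — sethostname(2) is what needs CAP_SYS_ADMIN, and that is by far the broadest permission this single-purpose domain receives. Moving the comment directly above L87066 and wording it `# sys_admin is required by sethostname(2)` tells the next reader why such a wide capability is granted here. The file also ends with trailing blank lines (L87104–L87106) that the other modules in this series do not carry.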
diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc
new file mode 100644
index 0000000..1af8916
--- /dev/null
+++ b/policy/modules/system/hotplug.fc
@@ -0,0 +1,11 @@
+
+/etc/hotplug(/.*)?		gen_context(system_u:object_r:hotplug_etc_t,s0)
+/etc/hotplug/firmware.agent --	gen_context(system_u:object_r:hotplug_exec_t,s0)
+
+/etc/hotplug\.d/.*	--	gen_context(system_u:object_r:hotplug_exec_t,s0)
+
+/sbin/hotplug		--	gen_context(system_u:object_r:hotplug_exec_t,s0)
+/sbin/netplugd		--	gen_context(system_u:object_r:hotplug_exec_t,s0)
+
+/var/run/usb(/.*)?		gen_context(system_u:object_r:hotplug_var_run_t,s0)
+/var/run/hotplug(/.*)?		gen_context(system_u:object_r:hotplug_var_run_t,s0)
diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
new file mode 100644
index 0000000..e9e0ee9
--- /dev/null
+++ b/policy/modules/system/hotplug.if
@@ -0,0 +1,161 @@
+## <summary>
+## Policy for hotplug system, for supporting the
+## connection and disconnection of devices at runtime.
+## </summary>
+
+########################################
+## <summary>
+##	Execute hotplug with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hotplug_domtrans',`
+	gen_require(`
+		type hotplug_t, hotplug_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,hotplug_exec_t,hotplug_t)
+
+	allow $1 hotplug_t:fd use;
+	allow hotplug_t $1:fd use;
+	allow hotplug_t $1:fifo_file rw_file_perms;
+	allow hotplug_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute hotplug in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hotplug_exec',`
+	gen_require(`
+		type hotplug_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,hotplug_exec_t)
+')
+
+########################################
+## <summary>
+##	Inherit and use hotplug file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hotplug_use_fds',`
+	gen_require(`
+		type hotplug_t;
+	')
+
+	allow $1 hotplug_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit
+##	hotplug file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`hotplug_dontaudit_use_fds',`
+	gen_require(`
+		type hotplug_t;
+	')
+
+	dontaudit $1 hotplug_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the
+##	hotplug configuration directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`hotplug_dontaudit_search_config',`
+	gen_require(`
+		type hotplug_etc_t;
+	')
+
+	dontaudit $1 hotplug_etc_t:dir search;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the hotplug configuration directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hotplug_getattr_config_dirs',`
+	gen_require(`
+		type hotplug_etc_t;
+	')
+
+	allow $1 hotplug_etc_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the hotplug configuration directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hotplug_search_config',`
+	gen_require(`
+		type hotplug_etc_t;
+	')
+
+	allow $1 hotplug_etc_t:dir { getattr search };
+')
+
+########################################
+## <summary>
+##	Read the configuration files for hotplug.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`hotplug_read_config',`
+	gen_require(`
+		type hotplug_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 hotplug_etc_t:file r_file_perms;
+	allow $1 hotplug_etc_t:dir r_dir_perms;
+	allow $1 hotplug_etc_t:lnk_file r_file_perms;
+')
+
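Review bot: `hotplug_exec` declares `type hotplug_t;` in its gen_require block but the only type it actually references is `hotplug_exec_t` in `can_exec($1,hotplug_exec_t)`, so the interface's stated dependency does not match its body and the build will only succeed when the caller already has hotplug_exec_t in scope. The require block should read `type hotplug_exec_t;` (compare `hotplug_domtrans`, which requires both types it uses). As a minor documentation point, the parameter summary of `hotplug_read_config` (`The type of the process performing this action.`) differs from the `Domain allowed access.` wording used by every other interface in the file; aligning it keeps the generated interface documentation consistent.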
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
new file mode 100644
index 0000000..14bad2d
--- /dev/null
+++ b/policy/modules/system/hotplug.te
@@ -0,0 +1,207 @@
+
+policy_module(hotplug,1.2.1)
+
+########################################
+#
+# Declarations
+#
+
+type hotplug_t;
+type hotplug_exec_t;
+kernel_domtrans_to(hotplug_t,hotplug_exec_t)
+init_daemon_domain(hotplug_t,hotplug_exec_t)
+
+type hotplug_etc_t;
+files_config_file(hotplug_etc_t)
+init_daemon_domain(hotplug_t,hotplug_etc_t)
+
+type hotplug_var_run_t;
+files_pid_file(hotplug_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
+dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
+# for access("/etc/bashrc", X_OK) on Red Hat
+dontaudit hotplug_t self:capability { dac_override dac_read_search };
+allow hotplug_t self:process { getsession getattr signal_perms };
+allow hotplug_t self:fifo_file rw_file_perms;
+allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
+allow hotplug_t self:udp_socket create_socket_perms;
+allow hotplug_t self:tcp_socket connected_stream_socket_perms;
+
+allow hotplug_t hotplug_etc_t:file r_file_perms;
+allow hotplug_t hotplug_etc_t:dir r_dir_perms;
+allow hotplug_t hotplug_etc_t:lnk_file r_file_perms;
+can_exec(hotplug_t,hotplug_etc_t)
+
+can_exec(hotplug_t,hotplug_exec_t)
+
+allow hotplug_t hotplug_var_run_t:file manage_file_perms;
+allow hotplug_t hotplug_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(hotplug_t,hotplug_var_run_t,file)
+
+kernel_sigchld(hotplug_t)
+kernel_setpgid(hotplug_t)
+kernel_read_system_state(hotplug_t)
+kernel_read_kernel_sysctls(hotplug_t)
+kernel_read_net_sysctls(hotplug_t)
+
+files_read_kernel_modules(hotplug_t)
+
+corenet_non_ipsec_sendrecv(hotplug_t)
+corenet_tcp_sendrecv_all_if(hotplug_t)
+corenet_udp_sendrecv_all_if(hotplug_t)
+corenet_tcp_sendrecv_all_nodes(hotplug_t)
+corenet_udp_sendrecv_all_nodes(hotplug_t)
+corenet_tcp_sendrecv_all_ports(hotplug_t)
+corenet_udp_sendrecv_all_ports(hotplug_t)
+
+dev_rw_sysfs(hotplug_t)
+dev_read_usbfs(hotplug_t)
+dev_setattr_printer_dev(hotplug_t)
+dev_setattr_sound_dev(hotplug_t)
+# for SSP:
+dev_read_urand(hotplug_t)
+
+fs_getattr_all_fs(hotplug_t)
+fs_search_auto_mountpoints(hotplug_t)
+
+storage_setattr_fixed_disk_dev(hotplug_t)
+storage_setattr_removable_dev(hotplug_t)
+
+term_dontaudit_use_console(hotplug_t)
+
+corecmd_exec_bin(hotplug_t)
+corecmd_exec_shell(hotplug_t)
+corecmd_exec_sbin(hotplug_t)
+corecmd_exec_ls(hotplug_t)
+
+domain_use_interactive_fds(hotplug_t)
+# for ps
+domain_dontaudit_read_all_domains_state(hotplug_t)
+domain_dontaudit_getattr_all_domains(hotplug_t)
+
+files_read_etc_files(hotplug_t)
+files_manage_etc_runtime_files(hotplug_t)
+files_etc_filetrans_etc_runtime(hotplug_t,file)
+files_exec_etc_files(hotplug_t)
+# for when filesystems are not mounted early in the boot:
+files_dontaudit_search_isid_type_dirs(hotplug_t)
+
+init_use_fds(hotplug_t)
+init_use_script_ptys(hotplug_t)
+init_read_script_state(hotplug_t)
+# Allow hotplug (including /sbin/ifup-local) to start/stop services and
+# run sendmail -q
+init_domtrans_script(hotplug_t)
+# kernel threads inherit from shared descriptor table used by init
+init_dontaudit_rw_initctl(hotplug_t)
+
+logging_send_syslog_msg(hotplug_t)
+logging_search_logs(hotplug_t)
+
+libs_use_ld_so(hotplug_t)
+libs_use_shared_libs(hotplug_t)
+# Read /usr/lib/gconv/.*
+libs_read_lib_files(hotplug_t)
+
+miscfiles_read_hwdata(hotplug_t)
+miscfiles_read_localization(hotplug_t)
+
+modutils_domtrans_insmod(hotplug_t)
+modutils_read_module_deps(hotplug_t)
+
+seutil_dontaudit_search_config(hotplug_t)
+
+sysnet_read_config(hotplug_t)
+
+userdom_dontaudit_use_unpriv_user_fds(hotplug_t)
+userdom_dontaudit_search_sysadm_home_dirs(hotplug_t)
+
+ifdef(`distro_redhat', `
+	optional_policy(`
+		# for arping used for static IP addresses on PCMCIA ethernet
+		netutils_domtrans(hotplug_t)
+		fs_rw_tmpfs_chr_files(hotplug_t)
+	')
+	files_getattr_generic_locks(hotplug_t)
+')
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(hotplug_t)
+	term_dontaudit_use_generic_ptys(hotplug_t)
+
+	optional_policy(`
+		consoletype_domtrans(hotplug_t)
+	')
+')
+
+optional_policy(`
+	dbus_system_bus_client_template(hotplug,hotplug_t)
+')
+
+optional_policy(`
+	fstools_domtrans(hotplug_t)
+')
+
+optional_policy(`
+	hal_dgram_send(hotplug_t)
+')
+
+optional_policy(`
+	hostname_exec(hotplug_t)
+')
+
+optional_policy(`
+	iptables_domtrans(hotplug_t)
+')
+
+optional_policy(`
+	mount_domtrans(hotplug_t)
+')
+
+optional_policy(`
+	mta_send_mail(hotplug_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(hotplug_t)
+')
+
+optional_policy(`
+	nscd_socket_use(hotplug_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(hotplug_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_dhcpc(hotplug_t)
+	sysnet_signal_dhcpc(hotplug_t)
+	sysnet_kill_dhcpc(hotplug_t)
+	sysnet_signull_dhcpc(hotplug_t)
+	sysnet_sigstop_dhcpc(hotplug_t)
+	sysnet_sigchld_dhcpc(hotplug_t)
+	sysnet_read_dhcpc_pid(hotplug_t)
+	sysnet_rw_dhcp_config(hotplug_t)
+	sysnet_domtrans_ifconfig(hotplug_t)
+')
+
+optional_policy(`
+	udev_domtrans(hotplug_t)
+	udev_helper_domtrans(hotplug_t)
+	udev_read_db(hotplug_t)
+')
+
+optional_policy(`
+	updfstab_domtrans(hotplug_t)
+')
+
+optional_policy(`
+	usbmodules_domtrans(hotplug_t)
+')
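Review bot: `init_daemon_domain(hotplug_t,hotplug_etc_t)` in the declarations section makes the configuration type a second domain entry point, so initrc_t gets an automatic transition into hotplug_t when it executes any hotplug_etc_t file, and together with `files_config_file(hotplug_etc_t)` every file under /etc/hotplug is both a readable config file and a privileged entrypoint. The agent scripts that legitimately need to be entrypoints are already labelled hotplug_exec_t by hotplug.fc, and hotplug_t's own ability to run scripts from its config tree is already covered by the later `can_exec(hotplug_t,hotplug_etc_t)`. Unless the transition from init scripts on config files is intentional (in which case a comment stating why is warranted), the line looks like a copy of the preceding `init_daemon_domain(hotplug_t,hotplug_exec_t)` and should be dropped, keeping the entrypoint set limited to hotplug_exec_t. A smaller point: `sys_tty_config` appears in both the `allow` and the `dontaudit` self:capability lines, so the dontaudit entry for it is redundant.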
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
new file mode 100644
index 0000000..46ef80a
--- /dev/null
+++ b/policy/modules/system/init.fc
@@ -0,0 +1,64 @@
+#
+# /etc
+#
+/etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/rc\.d/rc\.sysinit	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/rc\.d/rc\.local	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ifdef(`targeted_policy', `', `
+/etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+')
+
+#
+# /dev
+#
+/dev/initctl		-p	gen_context(system_u:object_r:initctl_t,s0)
+
+#
+# /sbin
+#
+/sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
+
+
+ifdef(`distro_gentoo', `
+/sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/runscript		--      gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/runscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/runsvcscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/svcinit		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+')
+
+#
+# /usr
+#
+/usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
+#
+# /var
+#
+ifdef(`distro_gentoo', `
+/var/lib/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/var/run/svscan\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+')
+
+/var/run/utmp		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+
+ifdef(`distro_suse', `
+/var/run/bootsplashctl	-p	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/keymap		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/numlock-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/setleds-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
+')
+
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
new file mode 100644
index 0000000..4e76bd4
--- /dev/null
+++ b/policy/modules/system/init.if
@@ -0,0 +1,1139 @@
+## <summary>System initialization programs (init and init scripts).</summary>
+
+########################################
+## <summary>
+##	Create a domain which can be started by init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`init_domain',`
+	gen_require(`
+		type init_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1,$2)
+
+	role system_r types $1;
+
+	domain_auto_trans(init_t,$2,$1)
+
+	allow $1 init_t:fd use;
+	allow init_t $1:fd use;
+	allow $1 init_t:fifo_file rw_file_perms;
+	allow $1 init_t:process sigchld;
+
+	ifdef(`hide_broken_symptoms',`
+		# RHEL4 systems seem to have a stray
+		# fds open from the initrd
+		ifdef(`distro_rhel4',`
+			kernel_dontaudit_use_fds($1)
+		')
+	')
+')
+
+########################################
+## <summary>
+##	Create a domain for long running processes
+##	(daemons) which can be started by init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`init_daemon_domain',`
+	gen_require(`
+		attribute direct_run_init, direct_init, direct_init_entry;
+		type initrc_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1,$2)
+
+	role system_r types $1;
+
+	ifdef(`direct_sysadm_daemon',`
+		domain_auto_trans(direct_run_init,$2,$1)
+
+		allow direct_run_init $1:fd use;
+		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+		allow $1 direct_run_init:fd use;
+		allow $1 direct_run_init:fifo_file rw_file_perms;
+		allow $1 direct_run_init:process sigchld;
+
+		typeattribute $1 direct_init;
+		typeattribute $2 direct_init_entry;
+	')
+
+	ifdef(`hide_broken_symptoms',`
+		# RHEL4 systems seem to have a stray
+		# fds open from the initrd
+		ifdef(`distro_rhel4',`
+			kernel_dontaudit_use_fds($1)
+		')
+	')
+
+	ifdef(`targeted_policy',`
+		# this regex is a hack, since it assumes there is a
+		# _t at the end of the domain type.  If there is no _t
+		# at the end of the type, it returns empty!
+		ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
+			bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+			define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
+		')
+		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
+			can_exec(initrc_t,$2)
+			can_exec(direct_run_init,$2)
+		} else {
+			domain_auto_trans(initrc_t,$2,$1)
+			allow initrc_t $1:fd use;
+			allow $1 initrc_t:fd use;
+			allow $1 initrc_t:fifo_file rw_file_perms;
+			allow $1 initrc_t:process sigchld;
+			allow initrc_t $1:process { noatsecure siginh rlimitinh };
+		}
+	',`
+		domain_auto_trans(initrc_t,$2,$1)
+		allow initrc_t $1:fd use;
+		allow $1 initrc_t:fd use;
+		allow $1 initrc_t:fifo_file rw_file_perms;
+		allow $1 initrc_t:process sigchld;
+		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
+	')
+
+	optional_policy(`
+		nscd_socket_use($1)
+	')
+')
+
+########################################
+## <summary>
+##	Create a domain for short running processes
+##	which can be started by init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`init_system_domain',`
+	gen_require(`
+		type initrc_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1,$2)
+
+	role system_r types $1;
+
+	domain_auto_trans(initrc_t,$2,$1)
+
+	allow initrc_t $1:fd use;
+	allow $1 initrc_t:fd use;
+	allow $1 initrc_t:fifo_file rw_file_perms;
+	allow $1 initrc_t:process sigchld;
+
+	ifdef(`hide_broken_symptoms',`
+		# RHEL4 systems seem to have a stray
+		# fds open from the initrd
+		ifdef(`distro_rhel4',`
+			kernel_dontaudit_use_fds($1)
+		')
+	')
+')
+
+########################################
+## <summary>
+##	Execute init (/sbin/init) with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_domtrans',`
+	gen_require(`
+		type init_t, init_exec_t;
+	')
+
+	domain_auto_trans($1,init_exec_t,init_t)
+
+	allow $1 init_t:fd use;
+	allow init_t $1:fd use;
+	allow init_t $1:fifo_file rw_file_perms;
+	allow init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute the init program in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_exec',`
+	gen_require(`
+		type init_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,init_exec_t)
+')
+
+########################################
+## <summary>
+##	Get the process group of init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getpgid',`
+	gen_require(`
+		type init_t;
+
+		# cjp: remove this when init_t decl is moved back to this module
+		attribute direct_run_init;
+	')
+
+	allow $1 init_t:process getpgid;
+')
+
+########################################
+## <summary>
+##	Send init a null signal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_signull',`
+	gen_require(`
+		type init_t;
+
+		# cjp: remove this when init_t decl is moved back to this module
+		attribute direct_run_init;
+	')
+
+	allow $1 init_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send init a SIGCHLD signal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_sigchld',`
+	gen_require(`
+		type init_t;
+
+		# cjp: remove this when init_t decl is moved back to this module
+		attribute direct_run_init;
+	')
+
+	allow $1 init_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_use_fds',`
+	gen_require(`
+		type init_t;
+
+		# cjp: remove this when init_t decl is moved back to this module
+		attribute direct_run_init;
+	')
+
+	allow $1 init_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit file
+##	descriptors from init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_use_fds',`
+	gen_require(`
+		type init_t;
+
+		# cjp: remove this when init_t decl is moved back to this module
+		attribute direct_run_init;
+	')
+
+	dontaudit $1 init_t:fd use;
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic to init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_udp_send',`
+	gen_require(`
+		type init_t;
+
+		# cjp: remove this when init_t decl is moved back to this module
+		attribute direct_run_init;
+	')
+
+	allow $1 init_t:udp_socket sendto;
+	allow init_t $1:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Get the attributes of initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	allow $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_getattr_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dontaudit $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Write to initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_write_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file write;
+')
+
+########################################
+## <summary>
+##	Read and write initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_rw_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dontaudit $1 initctl_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+##	Make init scripts an entry point for
+##	the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which init scripts are an entrypoint.
+##	</summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_entry_type',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	domain_entry_file($1,initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute init scripts with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_domtrans_script',`
+	gen_require(`
+		type initrc_t, initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	domain_auto_trans($1,initrc_exec_t,initrc_t)
+
+	allow initrc_t $1:fd use;
+	allow initrc_t $1:fifo_file rw_file_perms;
+	allow initrc_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a init script in a specified domain.
+## </summary>
+## <desc>
+##      <p>
+##	Execute a init script in a specified domain.
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+## </desc>
+## <param name="source_domain">
+##	<summary>
+##	Domain to transition from.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_domtrans',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	domain_auto_trans($1,initrc_exec_t,$2)
+')
+
+########################################
+## <summary>
+##	Start and stop daemon programs directly.
+## </summary>
+## <desc>
+##	<p>
+##	Start and stop daemon programs directly
+##	in the traditional "/etc/init.d/daemon start"
+##	style, and do not require run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be performing this action.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal of the user.
+##	</summary>
+## </param>
+#
+interface(`init_run_daemon',`
+	gen_require(`
+		attribute direct_run_init, direct_init, direct_init_entry;
+		role system_r;
+	')
+
+	typeattribute $1 direct_run_init;
+	role_transition $2 direct_init_entry system_r;
+	dontaudit direct_init $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Write an init script unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_write_script_pipes',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:fifo_file write;
+')
+
+########################################
+## <summary>
+##	Get the attribute of init script entrypoint files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_script_files',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	allow $1 initrc_exec_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Execute init scripts in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_exec_script_files',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	can_exec($1,initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of the init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_script_state',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	#FIXME: search proc dir
+	allow $1 initrc_t:dir r_dir_perms;
+	allow $1 initrc_t:{ file lnk_file } r_file_perms;
+	allow $1 initrc_t:process getattr;
+
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $1 initrc_t:process ptrace;
+')
+
+########################################
+## <summary>
+##	Inherit and use init script file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_use_script_fds',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit
+##	init script file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_use_script_fds',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	dontaudit $1 initrc_t:fd use;
+')
+
+########################################
+## <summary>
+##	Get the process group ID of init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getpgid_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:process getpgid;
+')
+
+########################################
+## <summary>
+##	Send SIGCHLD signals to init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_sigchld_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send generic signals to init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_signal_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send null signals to init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_signull_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:process signull;
+')
+
+########################################
+## <summary>
+##	Read and write init script unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_script_pipes',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic to init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_udp_send_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:udp_socket sendto;
+	allow initrc_t $1:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to
+##	init scripts with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_stream_connect_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write to
+##	init scripts with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_script_stream_sockets',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Dont audit the specified domain connecting to
+##	init scripts with a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_stream_connect_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	dontaudit $1 initrc_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	init scripts over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dbus_chat_script',`
+	gen_require(`
+		type initrc_t;
+		class dbus send_msg;
+	')
+
+	allow $1 initrc_t:dbus send_msg;
+	allow initrc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Read and write the init script pty.
+## </summary>
+## <desc>
+##	<p>
+##	Read and write the init script pty.  This
+##	pty is generally opened by the open_init_pty
+##	portion of the run_init program so that the
+##	daemon does not require direct access to
+##	the administrator terminal.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_use_script_ptys',`
+	gen_require(`
+		type initrc_devpts_t;
+	')
+
+	term_list_ptys($1)
+	allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write the init script pty.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_use_script_ptys',`
+	gen_require(`
+		type initrc_devpts_t;
+	')
+
+	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+##	Read init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_script_files',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_search_etc($1)
+	allow $1 initrc_exec_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read init script
+##	status files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_read_script_status_files',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	dontaudit $1 initrc_state_t:dir search_dir_perms;
+	dontaudit $1 initrc_state_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write init script temporary data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_script_tmp_files',`
+	gen_require(`
+		type initrc_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 initrc_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in a init script
+##	temporary data directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+#
+interface(`init_script_tmp_filetrans',`
+	gen_require(`
+		type initrc_tmp_t;
+	')
+
+	files_search_tmp($1)
+
+	allow $1 initrc_tmp_t:dir rw_dir_perms;
+	type_transition $1 initrc_tmp_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Get the attributes of init script process id files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	allow $1 initrc_var_run_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	files_list_pids($1)
+	allow $1 initrc_var_run_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_write_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	dontaudit $1 initrc_var_run_t:file { write lock };
+')
+
+########################################
+## <summary>
+##	Write to utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_write_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	files_list_pids($1)
+	allow $1 initrc_var_run_t:file { getattr write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to lock 
+##	init script pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_lock_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	dontaudit $1 initrc_var_run_t:file lock;
+')
+
+########################################
+## <summary>
+##	Read and write utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	files_list_pids($1)
+	allow $1 initrc_var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_rw_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	dontaudit $1 initrc_var_run_t:file { getattr read write append };
+')
+
+########################################
+## <summary>
+##      Create, read, write, and delete utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain access allowed.
+##	</summary>
+## </param>
+#
+interface(`init_manage_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 initrc_var_run_t:file create_file_perms;
+')
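Review bot: The parameter summary in `init_dontaudit_use_fds` says `Domain allowed access.` although the interface only emits a dontaudit rule and grants nothing; the same wording is used in `init_dontaudit_rw_initctl`, `init_dontaudit_use_script_fds`, `init_dontaudit_stream_connect_script`, `init_dontaudit_read_script_status_files`, `init_dontaudit_write_utmp`, `init_dontaudit_lock_utmp` and `init_dontaudit_rw_utmp`, while `init_dontaudit_getattr_initctl` and `init_dontaudit_use_script_ptys` correctly say `Domain to not audit.`. Each of those summaries should be changed to `##	Domain to not audit.` so readers of the generated documentation are not led to believe access is granted. Relatedly, `init_getattr_utmp` is summarised as `Get the attributes of init script process id files.` and `init_dontaudit_lock_utmp` as locking `init script pid files`, whereas their names and the neighbouring interfaces speak of utmp; since all of them act on initrc_var_run_t, the summaries should consistently state which files are meant. Finally, `init_manage_utmp` calls `files_search_pids($1)` while the other utmp interfaces call `files_list_pids($1)`; if the difference is not deliberate, using the same helper avoids a surprising denial on directory listing.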
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
new file mode 100644
index 0000000..65cf3de
--- /dev/null
+++ b/policy/modules/system/init.te
@@ -0,0 +1,744 @@
+
+policy_module(init,1.3.17)
+
+gen_require(`
+	class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+# used for direct running of init scripts
+# by admin domains
+attribute direct_run_init;
+attribute direct_init;
+attribute direct_init_entry;
+
+#
+# init_t is the domain of the init process.
+#
+# real declaration moved to mls until
+# range_transition works in loadable modules
+# also remove the extra init_exec_t dependencies
+# in init_t interfaces when the decl gets moved back here.
+gen_require(`
+	type init_t;
+')
+domain_type(init_t)
+role system_r types init_t;
+
+#
+# init_exec_t is the type of the init program.
+#
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type init_exec_t;
+')
+kernel_domtrans_to(init_t,init_exec_t)
+domain_entry_file(init_t,init_exec_t)
+
+#
+# init_var_run_t is the type for /var/run/shutdown.pid.
+#
+type init_var_run_t;
+files_pid_file(init_var_run_t)
+
+#
+# initctl_t is the type of the named pipe created 
+# by init during initialization.  This pipe is used
+# to communicate with init.
+#
+type initctl_t;
+files_type(initctl_t)
+mls_trusted_object(initctl_t)
+
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type initrc_t;
+')
+domain_type(initrc_t)
+role system_r types initrc_t;
+
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type initrc_exec_t;
+')
+domain_entry_file(initrc_t,initrc_exec_t)
+
+type initrc_devpts_t;
+term_pty(initrc_devpts_t)
+files_type(initrc_devpts_t)
+
+type initrc_state_t;
+files_type(initrc_state_t)
+
+type initrc_tmp_t;
+files_tmp_file(initrc_tmp_t)
+
+type initrc_var_run_t;
+files_pid_file(initrc_var_run_t)
+
+########################################
+#
+# Init local policy
+#
+
+# Use capabilities. old rule:
+allow init_t self:capability ~sys_module;
+# is ~sys_module really needed? observed: 
+# sys_boot
+# sys_tty_config
+# kill: now provided by domain_kill_all_domains()
+# setuid (from /sbin/shutdown)
+# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
+
+allow init_t self:fifo_file rw_file_perms;
+
+# Re-exec itself
+allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
+
+allow init_t initrc_t:unix_stream_socket connectto;
+
+# For /var/run/shutdown.pid.
+allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
+files_pid_filetrans(init_t,init_var_run_t,file)
+
+allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
+fs_associate_tmpfs(initctl_t)
+dev_filetrans(init_t,initctl_t,fifo_file)
+
+# Modify utmp.
+allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+
+kernel_read_system_state(init_t)
+kernel_share_state(init_t)
+
+corecmd_exec_chroot(init_t)
+corecmd_exec_bin(init_t)
+corecmd_exec_sbin(init_t)
+
+dev_read_sysfs(init_t)
+
+domain_kill_all_domains(init_t)
+domain_signal_all_domains(init_t)
+domain_signull_all_domains(init_t)
+domain_sigstop_all_domains(init_t)
+domain_sigstop_all_domains(init_t)
+domain_sigchld_all_domains(init_t)
+
+files_read_etc_files(init_t)
+files_rw_generic_pids(init_t)
+files_dontaudit_search_isid_type_dirs(init_t)
+files_manage_etc_runtime_files(init_t)
+files_etc_filetrans_etc_runtime(init_t,file)
+# Run /etc/X11/prefdm:
+files_exec_etc_files(init_t)
+# file descriptors inherited from the rootfs:
+files_dontaudit_rw_root_files(init_t)
+files_dontaudit_rw_root_chr_files(init_t)
+
+# cjp: this may be related to /dev/log
+fs_write_ramfs_sockets(init_t)
+
+mcs_process_set_categories(init_t)
+
+mls_process_write_down(init_t)
+
+selinux_set_boolean(init_t)
+
+term_use_all_terms(init_t)
+
+# Run init scripts.
+init_domtrans_script(init_t)
+
+libs_use_ld_so(init_t)
+libs_use_shared_libs(init_t)
+libs_rw_ld_so_cache(init_t)
+
+logging_send_syslog_msg(init_t)
+logging_rw_generic_logs(init_t)
+
+mcs_killall(init_t)
+
+mls_file_read_up(init_t)
+mls_file_write_down(init_t)
+mls_rangetrans_target(init_t)
+
+seutil_read_config(init_t)
+
+miscfiles_read_localization(init_t)
+
+ifdef(`distro_redhat',`
+	fs_rw_tmpfs_chr_files(init_t)
+	fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
+')
+
+ifdef(`targeted_policy',`
+	unconfined_domain(init_t)
+')
+
+optional_policy(`
+	auth_rw_login_records(init_t)
+')
+
+optional_policy(`
+	nscd_socket_use(init_t)
+')
+
+optional_policy(`
+	portmap_udp_send(init_t)
+')
+
+# Run the shell in the sysadm_t domain for single-user mode.
+optional_policy(`
+	userdom_shell_domtrans_sysadm(init_t)
+')
+
+########################################
+#
+# Init script local policy
+#
+
+allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:passwd rootok;
+
+# Allow IPC with self
+allow initrc_t self:unix_dgram_socket create_socket_perms;
+allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
+allow initrc_t self:tcp_socket create_stream_socket_perms;
+allow initrc_t self:udp_socket create_socket_perms;
+allow initrc_t self:fifo_file rw_file_perms;
+allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
+term_create_pty(initrc_t,initrc_devpts_t)
+
+can_exec(initrc_t,initrc_exec_t)
+
+allow initrc_t initrc_state_t:dir create_dir_perms;
+allow initrc_t initrc_state_t:file create_file_perms;
+allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
+
+allow initrc_t initrc_var_run_t:file create_file_perms;
+files_pid_filetrans(initrc_t,initrc_var_run_t,file)
+
+can_exec(initrc_t,initrc_tmp_t)
+allow initrc_t initrc_tmp_t:file create_file_perms;
+allow initrc_t initrc_tmp_t:dir create_dir_perms;
+files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir })
+
+init_write_initctl(initrc_t)
+
+kernel_read_system_state(initrc_t)
+kernel_read_software_raid_state(initrc_t)
+kernel_read_network_state(initrc_t)
+kernel_read_ring_buffer(initrc_t)
+kernel_change_ring_buffer_level(initrc_t)
+kernel_clear_ring_buffer(initrc_t)
+kernel_get_sysvipc_info(initrc_t)
+kernel_read_all_sysctls(initrc_t)
+kernel_rw_all_sysctls(initrc_t)
+# for lsof which is used by alsa shutdown:
+kernel_dontaudit_getattr_message_if(initrc_t)
+
+files_read_kernel_symbol_table(initrc_t)
+
+corenet_non_ipsec_sendrecv(initrc_t)
+corenet_tcp_sendrecv_all_if(initrc_t)
+corenet_udp_sendrecv_all_if(initrc_t)
+corenet_tcp_sendrecv_all_nodes(initrc_t)
+corenet_udp_sendrecv_all_nodes(initrc_t)
+corenet_tcp_sendrecv_all_ports(initrc_t)
+corenet_udp_sendrecv_all_ports(initrc_t)
+corenet_tcp_connect_all_ports(initrc_t)
+corenet_sendrecv_all_client_packets(initrc_t)
+
+dev_read_rand(initrc_t)
+dev_read_urand(initrc_t)
+dev_write_rand(initrc_t)
+dev_write_urand(initrc_t)
+dev_rw_sysfs(initrc_t)
+dev_list_usbfs(initrc_t)
+dev_read_framebuffer(initrc_t)
+dev_read_realtime_clock(initrc_t)
+dev_read_sound_mixer(initrc_t)
+dev_write_sound_mixer(initrc_t)
+dev_setattr_all_chr_files(initrc_t)
+dev_read_lvm_control(initrc_t)
+dev_delete_lvm_control_dev(initrc_t)
+dev_manage_generic_symlinks(initrc_t)
+dev_manage_generic_files(initrc_t)
+# Wants to remove udev.tbl:
+dev_delete_generic_symlinks(initrc_t)
+
+fs_register_binary_executable_type(initrc_t)
+# rhgb-console writes to ramfs
+fs_write_ramfs_pipes(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+fs_mount_all_fs(initrc_t)
+fs_unmount_all_fs(initrc_t)
+fs_remount_all_fs(initrc_t)
+fs_getattr_all_fs(initrc_t)
+
+selinux_get_enforce_mode(initrc_t)
+
+storage_getattr_fixed_disk_dev(initrc_t)
+storage_setattr_fixed_disk_dev(initrc_t)
+storage_setattr_removable_dev(initrc_t)
+
+term_use_all_terms(initrc_t)
+term_reset_tty_labels(initrc_t)
+
+auth_rw_login_records(initrc_t)
+auth_setattr_login_records(initrc_t)
+auth_rw_lastlog(initrc_t)
+auth_read_pam_pid(initrc_t)
+auth_delete_pam_pid(initrc_t)
+auth_delete_pam_console_data(initrc_t)
+
+corecmd_exec_all_executables(initrc_t)
+
+domain_kill_all_domains(initrc_t)
+domain_signal_all_domains(initrc_t)
+domain_signull_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
+domain_sigchld_all_domains(initrc_t)
+domain_read_all_domains_state(initrc_t)
+domain_getattr_all_domains(initrc_t)
+domain_dontaudit_ptrace_all_domains(initrc_t)
+domain_getsession_all_domains(initrc_t)
+domain_use_interactive_fds(initrc_t)
+# for lsof which is used by alsa shutdown:
+domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
+domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
+domain_dontaudit_getattr_all_pipes(initrc_t)
+
+files_getattr_all_dirs(initrc_t)
+files_getattr_all_files(initrc_t)
+files_getattr_all_symlinks(initrc_t)
+files_getattr_all_pipes(initrc_t)
+files_getattr_all_sockets(initrc_t)
+files_purge_tmp(initrc_t)
+files_delete_all_locks(initrc_t)
+files_read_all_pids(initrc_t)
+files_delete_all_pids(initrc_t)
+files_delete_all_pid_dirs(initrc_t)
+files_read_etc_files(initrc_t)
+files_manage_etc_runtime_files(initrc_t)
+files_etc_filetrans_etc_runtime(initrc_t,file)
+files_manage_generic_locks(initrc_t)
+files_exec_etc_files(initrc_t)
+files_read_usr_files(initrc_t)
+files_manage_urandom_seed(initrc_t)
+files_manage_generic_spool(initrc_t)
+# Mount and unmount file systems.
+# cjp: not sure why these are here; should use mount policy
+files_list_isid_type_dirs(initrc_t)
+files_mounton_isid_type_dirs(initrc_t)
+files_list_default(initrc_t)
+files_mounton_default(initrc_t)
+
+libs_rw_ld_so_cache(initrc_t)
+libs_use_ld_so(initrc_t)
+libs_use_shared_libs(initrc_t)
+libs_exec_lib_files(initrc_t)
+
+logging_send_syslog_msg(initrc_t)
+logging_manage_generic_logs(initrc_t)
+logging_read_all_logs(initrc_t)
+logging_append_all_logs(initrc_t)
+logging_read_audit_config(initrc_t)
+
+miscfiles_read_localization(initrc_t)
+# slapd needs to read cert files from its initscript
+miscfiles_read_certs(initrc_t)
+
+mcs_killall(initrc_t)
+mcs_process_set_categories(initrc_t)
+
+mls_file_read_up(initrc_t)
+mls_file_write_down(initrc_t)
+mls_process_read_up(initrc_t)
+mls_process_write_down(initrc_t)
+mls_rangetrans_source(initrc_t)
+mls_rangetrans_target(initrc_t)
+
+modutils_read_module_config(initrc_t)
+modutils_domtrans_insmod(initrc_t)
+
+seutil_read_config(initrc_t)
+
+sysnet_read_config(initrc_t)
+
+userdom_read_all_users_home_content_files(initrc_t)
+# Allow access to the sysadm TTYs. Note that this will give access to the 
+# TTYs to any process in the initrc_t domain. Therefore, daemons and such
+# started from init should be placed in their own domain.
+userdom_use_sysadm_terms(initrc_t)
+
+ifdef(`distro_debian',`
+	dev_setattr_generic_dirs(initrc_t)
+
+	fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir)
+
+	# for storing state under /dev/shm
+	fs_setattr_tmpfs_dirs(initrc_t)
+	storage_manage_fixed_disk(initrc_t)
+	storage_tmpfs_filetrans_fixed_disk(initrc_t)
+
+	files_setattr_etc_dirs(initrc_t)
+')
+
+ifdef(`distro_gentoo',`
+	optional_policy(`
+		arpwatch_manage_data_files(initrc_t)
+	')
+
+	optional_policy(`
+		dhcpd_setattr_state_files(initrc_t)
+	')
+')
+
+ifdef(`distro_redhat',`
+	# this is from kmodule, which should get its own policy:
+	allow initrc_t self:capability sys_admin;
+
+	# Red Hat systems seem to have a stray
+	# fd open from the initrd
+	kernel_dontaudit_use_fds(initrc_t)
+	files_dontaudit_read_root_files(initrc_t)
+
+	selinux_set_enforce_mode(initrc_t)
+
+	# Create and read /boot/kernel.h and /boot/System.map.
+	# Redhat systems typically create this file at boot time.
+	bootloader_create_runtime_file(initrc_t)
+	files_rw_boot_symlinks(initrc_t)
+
+	# These seem to be from the initrd
+	# during device initialization:
+	dev_create_generic_dirs(initrc_t)
+	dev_rwx_zero(initrc_t)
+	dev_rx_raw_memory(initrc_t)
+	dev_wx_raw_memory(initrc_t)
+	storage_raw_read_fixed_disk(initrc_t)
+	storage_raw_write_fixed_disk(initrc_t)
+
+	files_create_boot_flag(initrc_t)
+	# wants to read /.fonts directory
+	files_read_default_files(initrc_t)
+	files_mountpoint(initrc_tmp_t)
+
+	fs_rw_tmpfs_chr_files(initrc_t)
+
+	storage_manage_fixed_disk(initrc_t)
+	storage_dev_filetrans_fixed_disk(initrc_t)
+	storage_getattr_removable_dev(initrc_t)
+
+	# readahead asks for these
+	auth_dontaudit_read_shadow(initrc_t)
+
+	miscfiles_read_fonts(initrc_t)
+	miscfiles_read_hwdata(initrc_t)
+
+	optional_policy(`
+		bind_manage_config_dirs(initrc_t)
+		bind_write_config(initrc_t)
+	')
+
+	optional_policy(`
+		#for /etc/rc.d/init.d/nfs to create /etc/exports
+		rpc_write_exports(initrc_t)
+	')
+
+	optional_policy(`
+		sysnet_rw_dhcp_config(initrc_t)
+	')
+
+	optional_policy(`
+		xserver_delete_log(initrc_t)
+	')
+')
+
+ifdef(`distro_suse',`
+	optional_policy(`
+		# set permissions on /tmp/.X11-unix
+		xserver_setattr_xdm_tmp_dirs(initrc_t)
+	')
+')
+
+ifdef(`targeted_policy',`
+	domain_subj_id_change_exemption(initrc_t)
+	unconfined_domain(initrc_t)
+
+	optional_policy(`
+		mono_domtrans(initrc_t)
+	')
+',`
+	# cjp: require doesnt work in optionals :\
+	# this also would result in a type transition
+	# conflict if sendmail is enabled
+#	optional_policy(`',`
+#		mta_send_mail(initrc_t)
+#	')
+')
+
+optional_policy(`
+	amavis_search_lib(initrc_t)
+	amavis_setattr_pid_files(initrc_t)
+')
+
+optional_policy(`
+	dev_rw_apm_bios(initrc_t)
+')
+
+optional_policy(`
+	apache_read_config(initrc_t)
+	apache_list_modules(initrc_t)
+')
+
+optional_policy(`
+	automount_exec_config(initrc_t)
+')
+
+optional_policy(`
+	bind_read_config(initrc_t)
+
+	# for chmod in start script
+	bind_setattr_pid_dirs(initrc_t)
+')
+
+optional_policy(`
+	dev_read_usbfs(initrc_t)
+	bluetooth_read_config(initrc_t)
+')
+
+optional_policy(`
+	clamav_read_config(initrc_t)
+')
+
+optional_policy(`
+	cpucontrol_stub(initrc_t)
+	dev_getattr_cpu_dev(initrc_t)
+')
+
+optional_policy(`
+	dev_getattr_printer_dev(initrc_t)
+
+	cups_read_log(initrc_t)
+	cups_read_rw_config(initrc_t)
+')
+
+optional_policy(`
+	daemontools_manage_svc(initrc_t)
+')
+
+optional_policy(`
+	dbus_connect_system_bus(initrc_t)
+	dbus_send_system_bus(initrc_t)
+	dbus_system_bus_client_template(initrc,initrc_t)
+	dbus_read_config(initrc_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(initrc_t)
+	')
+')
+
+optional_policy(`
+	ftp_read_config(initrc_t)
+')
+
+optional_policy(`
+	gpm_setattr_gpmctl(initrc_t)
+')
+
+optional_policy(`
+	dev_read_usbfs(initrc_t)
+
+	# init scripts run /etc/hotplug/usb.rc
+	hotplug_read_config(initrc_t)
+
+	modutils_read_module_deps(initrc_t)
+')
+
+optional_policy(`
+	inn_exec_config(initrc_t)
+')
+
+optional_policy(`
+	ipsec_read_config(initrc_t)
+	ipsec_manage_pid(initrc_t)
+')
+
+optional_policy(`
+	kerberos_use(initrc_t)
+')
+
+optional_policy(`
+	ldap_read_config(initrc_t)
+	ldap_list_db(initrc_t)
+')
+
+optional_policy(`
+	loadkeys_exec(initrc_t)
+')
+
+optional_policy(`
+	# This is needed to permit chown to read /var/spool/lpd/lp.
+	# This is opens up security more than necessary; this means that ANYTHING
+	# running in the initrc_t domain can read the printer spool directory.
+	# Perhaps executing /etc/rc.d/init.d/lpd should transition
+	# to domain lpd_t, instead of waiting for executing lpd.
+	lpd_list_spool(initrc_t)
+
+	lpd_read_config(initrc_t)
+')
+
+optional_policy(`
+	#allow initrc_t lvm_control_t:chr_file unlink;
+
+	dev_read_lvm_control(initrc_t)
+	dev_create_generic_chr_files(initrc_t)
+
+	lvm_read_config(initrc_t)
+')
+
+optional_policy(`
+	mailman_list_data(initrc_t)
+	mailman_read_data_symlinks(initrc_t)
+')
+
+optional_policy(`
+	mta_read_config(initrc_t)
+	mta_dontaudit_read_spool_symlinks(initrc_t)
+')
+
+optional_policy(`
+	ifdef(`distro_redhat',`
+		mysql_manage_db_dirs(initrc_t)
+	')
+
+	mysql_stream_connect(initrc_t)
+	mysql_write_log(initrc_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(initrc_t)
+	nis_udp_send_ypbind(initrc_t)
+	nis_list_var_yp(initrc_t)
+')
+
+optional_policy(`
+	nscd_socket_use(initrc_t)
+')
+
+optional_policy(`
+	openvpn_read_config(initrc_t)
+')
+
+optional_policy(`
+	postgresql_manage_db(initrc_t)
+	postgresql_read_config(initrc_t)
+')
+
+optional_policy(`
+	postfix_list_spool(initrc_t)
+')
+
+optional_policy(`
+	quota_manage_flags(initrc_t)
+')
+
+optional_policy(`
+	raid_manage_mdadm_pid(initrc_t)
+')
+
+optional_policy(`
+	corecmd_shell_entry_type(initrc_t)
+	fs_write_ramfs_sockets(initrc_t)
+	fs_search_ramfs(initrc_t)
+
+	rhgb_rw_stream_sockets(initrc_t)
+	rhgb_stream_connect(initrc_t)
+')
+
+optional_policy(`
+	rpc_read_exports(initrc_t)
+')
+
+optional_policy(`
+	# bash tries to access a block device in the initrd
+	kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)
+
+	# for a bug in rm
+	files_dontaudit_write_all_pids(initrc_t)
+
+	# bash tries ioctl for some reason
+	files_dontaudit_ioctl_all_pids(initrc_t)
+
+	# why is this needed:
+	rpm_manage_db(initrc_t)
+')
+
+optional_policy(`
+	samba_rw_config(initrc_t)
+	samba_read_winbind_pid(initrc_t)
+')
+
+optional_policy(`
+	squid_read_config(initrc_t)
+	squid_manage_logs(initrc_t)
+')
+
+optional_policy(`
+	ssh_dontaudit_read_server_keys(initrc_t)
+')
+
+# allow init scripts to su
+optional_policy(`
+	su_restricted_domain_template(initrc,initrc_t,system_r)
+')
+
+optional_policy(`
+	sysnet_read_dhcpc_state(initrc_t)
+')
+
+optional_policy(`
+	udev_rw_db(initrc_t)
+')
+
+optional_policy(`
+	uml_setattr_util_sockets(initrc_t)
+')
+
+optional_policy(`
+	vmware_read_system_config(initrc_t)
+	vmware_append_system_config(initrc_t)
+')
+
+optional_policy(`
+	miscfiles_manage_fonts(initrc_t)
+
+	# cjp: is this really needed?
+	xfs_read_sockets(initrc_t)
+')
+
+optional_policy(`
+	# Set device ownerships/modes.
+	xserver_setattr_console_pipes(initrc_t)
+
+	# init script wants to check if it needs to update windowmanagerlist
+	xserver_read_xdm_rw_config(initrc_t)
+')
+
+optional_policy(`
+	zebra_read_config(initrc_t)
+')
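Review bot: `domain_sigstop_all_domains(initrc_t)` appears twice in the initrc_t block, and `domain_sigstop_all_domains(init_t)` twice in the init_t block; drop the duplicates. More importantly, the `distro_redhat` block gives initrc_t `dev_rx_raw_memory`, `dev_wx_raw_memory` and `storage_raw_write_fixed_disk` on top of `allow initrc_t self:capability sys_admin`, which leaves `sys_module` as the only capability withheld from `allow initrc_t self:capability ~{ sys_admin sys_module }` — and write access to raw memory and the raw fixed disk makes that exclusion cosmetic, since a compromised init script can alter the kernel or on-disk binaries directly. These rules are justified only as "seem to be from the initrd"; if they are needed solely during early boot they belong in a narrower domain for that helper, and at minimum the block should carry a comment such as `# NOTE: with sys_admin plus raw memory/disk write, initrc_t is effectively unconfined on Red Hat; confine the initrd helper instead`.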
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
new file mode 100644
index 0000000..f0aa1f1
--- /dev/null
+++ b/policy/modules/system/ipsec.fc
@@ -0,0 +1,34 @@
+/etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
+
+/etc/racoon(/.*)?			gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/racoon/certs(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
+
+/etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
+
+/sbin/setkey			--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/lib(64)?/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/lib(64)?/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/lib(64)?/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib(64)?/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/libexec/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/local/lib(64)?/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+
+/usr/sbin/racoon		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/sbin/setkey		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+
+/var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
+/var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
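Review bot: The management domain only gets entry points for `_plutoload` and `_plutorun`, yet ipsec.te in this same diff relies on `whack` ("whack needs to connect to pluto") and `_realsetup` ("cat /var/run/pluto.pid") running in ipsec_mgmt_t, and neither those nor the top-level `ipsec` wrapper are labelled here. If they live under `/usr/lib(64)?/ipsec` as on typical Openswan installs, they fall back to the default library/binary type, so an administrator running the wrapper executes them in the caller's domain with no transition and the `ipsec_mgmt_t ipsec_t:unix_stream_socket connectto` rule never applies on that path. Either add entries such as `/usr/lib(64)?/ipsec/_realsetup -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)` for the helper scripts, or document that ipsec_mgmt_t is only reachable via init and the pluto updown transition.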
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
new file mode 100644
index 0000000..a3fc91d
--- /dev/null
+++ b/policy/modules/system/ipsec.if
@@ -0,0 +1,120 @@
+## <summary>TCP/IP encryption</summary>
+
+########################################
+## <summary>
+##	Execute ipsec in the ipsec domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_domtrans',`
+	gen_require(`
+		type ipsec_t, ipsec_exec_t;
+	')
+
+	domain_auto_trans($1,ipsec_exec_t,ipsec_t)
+
+	allow $1 ipsec_t:fd use;
+	allow ipsec_t $1:fd use;
+	allow ipsec_t $1:fifo_file rw_file_perms;
+	allow ipsec_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Connect to IPSEC using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_stream_connect',`
+	gen_require(`
+		type ipsec_t, ipsec_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 ipsec_var_run_t:dir search;
+	allow $1 ipsec_var_run_t:sock_file write;
+	allow $1 ipsec_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Get the attributes of an IPSEC key socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_getattr_key_sockets',`
+	gen_require(`
+		type ipsec_t;
+	')
+
+	allow $1 ipsec_t:key_socket getattr;
+')
+
+########################################
+## <summary>
+##	Execute the IPSEC management program in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_exec_mgmt',`
+	gen_require(`
+		type ipsec_exec_t;
+	')
+
+	can_exec($1,ipsec_exec_t)
+')
+
+########################################
+## <summary>
+##	Read the IPSEC configuration
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_read_config',`
+	gen_require(`
+		type ipsec_conf_file_t;
+	')
+
+	files_search_etc($1)
+	allow $1 ipsec_conf_file_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the IPSEC pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_manage_pid',`
+	gen_require(`
+		type ipsec_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 ipsec_var_run_t:dir rw_dir_perms;
+	allow $1 ipsec_var_run_t:file create_file_perms;
+')
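Review bot: `ipsec_exec_mgmt` requires and executes `ipsec_exec_t`, but its summary says it runs the IPSEC management program, and ipsec.te/ipsec.fc in this diff define a separate `ipsec_mgmt_exec_t` for `_plutoload`/`_plutorun`. Either the type is wrong (`type ipsec_mgmt_exec_t;` and `can_exec($1,ipsec_mgmt_exec_t)`) or the summary should state that it executes the daemon binaries (pluto, setkey) in the caller's domain without a transition; as written, a caller granted "management" access actually gets to run pluto in its own domain, which is the broader of the two grants. Please pick one and make the summary match the type.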
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
new file mode 100644
index 0000000..930c8dc
--- /dev/null
+++ b/policy/modules/system/ipsec.te
@@ -0,0 +1,274 @@
+
+policy_module(ipsec,1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type ipsec_t;
+type ipsec_exec_t;
+init_daemon_domain(ipsec_t,ipsec_exec_t)
+role system_r types ipsec_t;
+
+# type for ipsec configuration file(s) - not for keys
+type ipsec_conf_file_t;
+files_type(ipsec_conf_file_t)
+
+# type for file(s) containing ipsec keys - RSA or preshared
+type ipsec_key_file_t;
+files_type(ipsec_key_file_t)
+
+# type for runtime files, including pluto.ctl
+type ipsec_var_run_t;
+files_pid_file(ipsec_var_run_t)
+
+type ipsec_mgmt_t;
+type ipsec_mgmt_exec_t;
+init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
+corecmd_shell_entry_type(ipsec_mgmt_t)
+role system_r types ipsec_mgmt_t;
+
+type ipsec_mgmt_lock_t;
+files_lock_file(ipsec_mgmt_lock_t)
+
+type ipsec_mgmt_var_run_t;
+files_pid_file(ipsec_mgmt_var_run_t)
+
+########################################
+#
+# ipsec Local policy
+#
+
+allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+dontaudit ipsec_t self:capability sys_tty_config;
+allow ipsec_t self:process signal;
+allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
+allow ipsec_t self:tcp_socket create_stream_socket_perms;
+allow ipsec_t self:key_socket { create write read setopt };
+allow ipsec_t self:fifo_file { read getattr };
+
+allow ipsec_t ipsec_conf_file_t:dir r_dir_perms;
+allow ipsec_t ipsec_conf_file_t:file r_file_perms;
+allow ipsec_t ipsec_conf_file_t:lnk_file r_file_perms;
+
+allow ipsec_t ipsec_key_file_t:dir r_dir_perms;
+allow ipsec_t ipsec_key_file_t:file r_file_perms;
+allow ipsec_t ipsec_key_file_t:lnk_file r_file_perms;
+
+allow ipsec_t ipsec_var_run_t:file create_file_perms;
+allow ipsec_t ipsec_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
+
+can_exec(ipsec_t, ipsec_mgmt_exec_t)
+
+# pluto runs an updown script (by calling popen()!); as this is by default
+# a shell script, we need to find a way to make things work without
+# letting all sorts of stuff possibly be run...
+# so try flipping back into the ipsec_mgmt_t domain
+corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
+allow ipsec_t ipsec_mgmt_t:fd use;
+allow ipsec_mgmt_t ipsec_t:fd use;
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
+allow ipsec_mgmt_t ipsec_t:process sigchld;
+
+kernel_read_kernel_sysctls(ipsec_t)
+kernel_list_proc(ipsec_t)
+kernel_read_proc_symlinks(ipsec_t)
+# allow pluto to access /proc/net/ipsec_eroute;
+kernel_read_system_state(ipsec_t)
+kernel_read_network_state(ipsec_t)
+kernel_read_software_raid_state(ipsec_t)
+kernel_getattr_core_if(ipsec_t)
+kernel_getattr_message_if(ipsec_t)
+
+# Pluto needs network access
+corenet_non_ipsec_sendrecv(ipsec_t)
+corenet_tcp_sendrecv_all_if(ipsec_t)
+corenet_raw_sendrecv_all_if(ipsec_t)
+corenet_tcp_sendrecv_all_nodes(ipsec_t)
+corenet_raw_sendrecv_all_nodes(ipsec_t)
+corenet_tcp_sendrecv_all_ports(ipsec_t)
+corenet_tcp_bind_all_nodes(ipsec_t)
+corenet_tcp_bind_reserved_port(ipsec_t)
+corenet_tcp_bind_isakmp_port(ipsec_t)
+corenet_sendrecv_generic_server_packets(ipsec_t)
+corenet_sendrecv_isakmp_server_packets(ipsec_t)
+
+dev_read_sysfs(ipsec_t)
+dev_read_rand(ipsec_t)
+dev_read_urand(ipsec_t)
+
+fs_getattr_all_fs(ipsec_t)
+fs_search_auto_mountpoints(ipsec_t)
+
+term_use_console(ipsec_t)
+term_dontaudit_use_all_user_ttys(ipsec_t)
+
+corecmd_exec_shell(ipsec_t)
+corecmd_exec_bin(ipsec_t)
+
+domain_use_interactive_fds(ipsec_t)
+
+files_read_etc_files(ipsec_t)
+
+init_use_fds(ipsec_t)
+init_use_script_ptys(ipsec_t)
+
+libs_use_ld_so(ipsec_t)
+libs_use_shared_libs(ipsec_t)
+
+logging_send_syslog_msg(ipsec_t)
+
+miscfiles_read_localization(ipsec_t)
+
+sysnet_read_config(ipsec_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
+userdom_dontaudit_search_sysadm_home_dirs(ipsec_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(ipsec_t)
+	term_dontaudit_use_generic_ptys(ipsec_t)
+	files_dontaudit_read_root_files(ipsec_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(ipsec_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(ipsec_t)
+')
+
+optional_policy(`
+	udev_read_db(ipsec_t)
+')
+
+########################################
+#
+# ipsec_mgmt Local policy
+#
+
+allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
+allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+allow ipsec_mgmt_t self:tcp_socket create_socket_perms;
+allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+allow ipsec_mgmt_t self:key_socket { create setopt };
+allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+
+allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
+files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
+
+allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
+files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
+
+allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;
+allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms;
+allow ipsec_mgmt_t ipsec_var_run_t:lnk_file create_lnk_perms;
+
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file create_file_perms;
+files_pid_filetrans(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
+
+# _realsetup needs to be able to cat /var/run/pluto.pid,
+# run ps on that pid, and delete the file
+allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
+
+# logger, running in ipsec_mgmt_t needs to use sockets
+allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
+allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+
+allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
+
+allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms;
+allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms;
+allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms;
+files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file)
+
+# whack needs to connect to pluto
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
+allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
+
+can_exec(ipsec_mgmt_t, ipsec_exec_t)
+can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
+allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
+
+domain_auto_trans(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
+allow ipsec_mgmt_t ipsec_t:fd use;
+allow ipsec_t ipsec_mgmt_t:fd use;
+allow ipsec_t ipsec_mgmt_t:fifo_file rw_file_perms;
+allow ipsec_t ipsec_mgmt_t:process sigchld;
+
+kernel_rw_net_sysctls(ipsec_mgmt_t)
+# allow pluto to access /proc/net/ipsec_eroute;
+kernel_read_system_state(ipsec_mgmt_t)
+kernel_read_network_state(ipsec_mgmt_t)
+kernel_read_software_raid_state(ipsec_mgmt_t)
+kernel_read_kernel_sysctls(ipsec_mgmt_t)
+kernel_getattr_core_if(ipsec_mgmt_t)
+kernel_getattr_message_if(ipsec_mgmt_t)
+
+files_read_kernel_symbol_table(ipsec_mgmt_t)
+files_getattr_kernel_modules(ipsec_mgmt_t)
+
+dev_read_rand(ipsec_mgmt_t)
+dev_read_urand(ipsec_mgmt_t)
+
+fs_getattr_xattr_fs(ipsec_mgmt_t)
+fs_list_tmpfs(ipsec_mgmt_t)
+
+term_use_console(ipsec_mgmt_t)
+term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+
+# the default updown script wants to run route
+corecmd_exec_sbin(ipsec_mgmt_t)
+# the ipsec wrapper wants to run /usr/bin/logger (should we put
+# it in its own domain?)
+corecmd_exec_bin(ipsec_mgmt_t)
+
+domain_use_interactive_fds(ipsec_mgmt_t)
+# denials when ps tries to search /proc. Do not audit these denials.
+domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
+# suppress audit messages about unnecessary socket access
+# cjp: this seems excessive
+domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
+domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+
+files_read_etc_files(ipsec_mgmt_t)
+files_exec_etc_files(ipsec_mgmt_t)
+files_read_etc_runtime_files(ipsec_mgmt_t)
+files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
+files_dontaudit_getattr_default_files(ipsec_mgmt_t)
+
+init_use_script_ptys(ipsec_mgmt_t)
+init_exec_script_files(ipsec_mgmt_t)
+init_use_fds(ipsec_mgmt_t)
+
+libs_use_ld_so(ipsec_mgmt_t)
+libs_use_shared_libs(ipsec_mgmt_t)
+
+miscfiles_read_localization(ipsec_mgmt_t)
+
+modutils_domtrans_insmod(ipsec_mgmt_t)
+
+seutil_dontaudit_search_config(ipsec_mgmt_t)
+
+sysnet_domtrans_ifconfig(ipsec_mgmt_t)
+
+userdom_use_sysadm_terms(ipsec_mgmt_t)
+
+optional_policy(`
+	consoletype_exec(ipsec_mgmt_t)
+')
+
+optional_policy(`
+	nscd_socket_use(ipsec_mgmt_t)
+')
+
+ifdef(`TODO',`
+# ideally it would not need this.  It wants to write to /root/.rnd
+file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
+
+allow ipsec_mgmt_t dev_fs:file_class_set getattr;
+') dnl end TODO
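Review bot: ipsec_t is granted `create_file_perms` on `ipsec_var_run_t:file` and `:sock_file` plus `files_pid_filetrans` into that type, but no permission on `ipsec_var_run_t:dir`, while ipsec.fc in this diff labels the directories `/var/run/pluto` and `/var/racoon` as ipsec_var_run_t. As far as I can tell `files_pid_filetrans` only grants directory rights on the generic var_run_t, so if pluto or racoon creates its control socket or pid file inside one of those labelled directories the `search`/`add_name` on the directory will be denied; ipsec_mgmt_t does get `allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;`, so the daemon is the one missing it. Suggested addition next to the sock_file rule: `allow ipsec_t ipsec_var_run_t:dir rw_dir_perms;`. Separately, `files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file)` makes every file ipsec_mgmt_t creates directly in /etc a key file; a one-line comment naming the file it is meant for (presumably ipsec.secrets) would save the next reviewer from guessing.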
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
new file mode 100644
index 0000000..f715d71
--- /dev/null
+++ b/policy/modules/system/iptables.fc
@@ -0,0 +1,8 @@
+
+/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/usr/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
new file mode 100644
index 0000000..2d748cb
--- /dev/null
+++ b/policy/modules/system/iptables.if
@@ -0,0 +1,75 @@
+## <summary>Policy for iptables.</summary>
+
+########################################
+## <summary>
+##	Execute iptables in the iptables domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iptables_domtrans',`
+	gen_require(`
+		type iptables_t, iptables_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,iptables_exec_t,iptables_t)
+
+	allow $1 iptables_t:fd use;
+	allow iptables_t $1:fd use;
+	allow iptables_t $1:fifo_file rw_file_perms;
+	allow iptables_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute iptables in the iptables domain, and
+##	allow the specified role the iptables domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the iptables domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the iptables domain to use.
+##	</summary>
+## </param>
+#
+interface(`iptables_run',`
+	gen_require(`
+		type iptables_t;
+	')
+
+	iptables_domtrans($1)
+	role $2 types iptables_t;
+	allow iptables_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute iptables in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iptables_exec',`
+	gen_require(`
+		type iptables_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,iptables_exec_t)
+')
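Review bot: `iptables_exec` (L90002-L90009) runs iptables inside the caller's own domain, so nothing that iptables_t is granted applies to the caller; given that iptables_t itself needs `net_admin net_raw` (iptables.te, L90040), a caller of this interface presumably must already hold those capabilities, and the summary should say so, e.g. `##	Execute iptables in the caller domain (the caller needs its own net_admin/net_raw and rawip_socket access).`. This matters for review because the interface looks like a cheaper alternative to `iptables_domtrans`, but it only works for domains that are already as privileged as iptables_t. The fd/fifo/sigchld block in `iptables_domtrans` (L89955-L89958) is the same hand-written sequence as `libs_domtrans_ldconfig` in libraries.if; if a shared pattern macro exists in this tree, both should use it so future permission changes land in one place.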
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
new file mode 100644
index 0000000..4e12496
--- /dev/null
+++ b/policy/modules/system/iptables.te
@@ -0,0 +1,106 @@
+
+policy_module(iptables,1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type iptables_t;
+type iptables_exec_t;
+init_system_domain(iptables_t,iptables_exec_t)
+role system_r types iptables_t;
+
+type iptables_tmp_t;
+files_tmp_file(iptables_tmp_t)
+
+type iptables_var_run_t;
+files_pid_file(iptables_var_run_t)
+
+########################################
+#
+# Iptables local policy
+#
+
+allow iptables_t self:capability { net_admin net_raw };
+dontaudit iptables_t self:capability sys_tty_config;
+allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+
+allow iptables_t iptables_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(iptables_t,iptables_var_run_t,file)
+
+can_exec(iptables_t,iptables_exec_t)
+
+allow iptables_t iptables_tmp_t:dir create_dir_perms;
+allow iptables_t iptables_tmp_t:file create_file_perms;
+files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
+
+allow iptables_t self:rawip_socket create_socket_perms;
+
+kernel_read_system_state(iptables_t)
+kernel_read_network_state(iptables_t)
+kernel_read_kernel_sysctls(iptables_t)
+kernel_read_modprobe_sysctls(iptables_t)
+kernel_use_fds(iptables_t)
+
+corenet_relabelto_all_packets(iptables_t)
+
+dev_read_sysfs(iptables_t)
+
+fs_getattr_xattr_fs(iptables_t)
+fs_search_auto_mountpoints(iptables_t)
+
+mls_file_read_up(iptables_t)
+
+term_dontaudit_use_console(iptables_t)
+
+domain_use_interactive_fds(iptables_t)
+
+files_read_etc_files(iptables_t)
+
+init_use_fds(iptables_t)
+init_use_script_ptys(iptables_t)
+# to allow rules to be saved on reboot:
+init_rw_script_tmp_files(iptables_t)
+
+libs_use_ld_so(iptables_t)
+libs_use_shared_libs(iptables_t)
+
+logging_send_syslog_msg(iptables_t)
+# system-config-network appends to /var/log
+#logging_append_system_logs(iptables_t)
+
+miscfiles_read_localization(iptables_t)
+
+sysnet_domtrans_ifconfig(iptables_t)
+sysnet_dns_name_resolve(iptables_t)
+
+userdom_use_all_users_fds(iptables_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(iptables_t)
+	term_dontaudit_use_generic_ptys(iptables_t)
+	files_dontaudit_read_root_files(iptables_t)
+')
+
+optional_policy(`
+	firstboot_use_fds(iptables_t)
+	firstboot_write_pipes(iptables_t)
+')
+
+optional_policy(`
+	modutils_domtrans_insmod(iptables_t)
+')
+
+optional_policy(`
+	# for iptables -L
+	nis_use_ypbind(iptables_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(iptables_t)
+')
+
+optional_policy(`
+	udev_read_db(iptables_t)
+')
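Review bot: iptables_t is given `rw_dir_perms` on iptables_var_run_t and a `file` type transition into it (L90044-L90045), but no rule on `iptables_var_run_t:file` appears anywhere in this file, so a pid or lock file created under /var/run would be denied on create/write unless another module grants it; add `allow iptables_t iptables_var_run_t:file create_file_perms;` next to the transition, or drop the transition if no such file is expected. Separately, the optional `modutils_domtrans_insmod(iptables_t)` at L90107 lets the firewall domain load kernel modules, which is a much larger privilege than the rest of this policy; a one-line comment naming why it is needed (presumably autoloading of netfilter match/target modules) would let later auditors decide whether to keep it, e.g. `# iptables autoloads netfilter match/target modules`.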
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
new file mode 100644
index 0000000..9126380
--- /dev/null
+++ b/policy/modules/system/libraries.fc
@@ -0,0 +1,264 @@
+#
+# /emul
+#
+ifdef(`distro_gentoo',`
+/emul/linux/x86/usr(/.*)?/lib(/.*)?		gen_context(system_u:object_r:lib_t,s0)
+/emul/linux/x86/usr(/.*)?/lib/.*\.so(\.[^/]*)*	-- gen_context(system_u:object_r:shlib_t,s0)
+/emul/linux/x86/lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/emul/linux/x86/lib/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
+/emul/linux/x86/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?		gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*	-- gen_context(system_u:object_r:shlib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar	--	gen_context(system_u:object_r:shlib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa	--	gen_context(system_u:object_r:shlib_t,s0)
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+/emul/ia32-linux/lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/lib/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+')
+
+#
+# /etc
+#
+/etc/ld\.so\.cache			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
+/etc/ld\.so\.preload			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
+
+/etc/ppp/plugins/rp-pppoe\.so 		--	gen_context(system_u:object_r:shlib_t,s0)
+
+#
+# /lib(64)?
+#
+/lib(/.*)?					gen_context(system_u:object_r:lib_t,s0)
+/lib64(/.*)?					gen_context(system_u:object_r:lib_t,s0)
+/lib/.*\.so(\.[^/]*)*			--	gen_context(system_u:object_r:shlib_t,s0)
+/lib64/.*\.so(\.[^/]*)*			--	gen_context(system_u:object_r:shlib_t,s0)
+/lib/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
+/lib64/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
+
+/lib/security/pam_poldi.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/lib64/security/pam_poldi.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ifdef(`distro_gentoo',`
+/lib32(/.*)?					gen_context(system_u:object_r:lib_t,s0)
+/lib32/.*\.so(\.[^/]*)*			--	gen_context(system_u:object_r:shlib_t,s0)
+/lib32/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
+')
+
+#
+# /opt
+#
+/opt/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?lib/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?lib64/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib64/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/(.*/)?jre.*/libawt.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/cisco-vpnclient/lib/libvpnapi.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ifdef(`distro_gentoo',`
+/opt/netscape/plugins/libflashplayer.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/netscape/plugins/nppdf.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+
+#
+# /sbin
+#
+/sbin/ldconfig				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
+
+#
+# /usr
+#
+/usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?/RealPlayer/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/(.*/)?java/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?java/.*\.jar			--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?java/.*\.jsa			--	gen_context(system_u:object_r:shlib_t,s0)
+
+/usr/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?lib/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?lib64/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib64/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
+
+/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+
+/usr/(.*/)?nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
+
+/usr/lib(64)?/xulrunner-[^/]*/libxul.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ati-fglrx/.*\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjs\.so.*     		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/(local/)?.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(local/)?lib(64)?/wine/.*\.so  	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/NX/lib/libXcomp.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/NX/lib/libjpeg.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0)
+
+# The following are libraries with text relocations in need of execmod permissions
+# Some of them should be fixed and removed from this list
+
+# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
+# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
+/usr/lib(64)?/gstreamer-.*/libgstffmpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/gstreamer-.*/libgsthermescolorspace\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/gstreamer-.*/libgstmms\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/plugins/vorbisrend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/codecs/colorcvt\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/codecs/cvt1\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/dri/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/modules/dri/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/dri/.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/libOSMesa\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/libfglrx_gamma\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libHermes\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/valgrind/hp2ps		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/valgrind/stage2		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/valgrind/vg.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libicudata\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libsts645li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libwrp645li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libswd680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/librecentfile\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libsvx680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libsoffice\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/firefox.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/mozilla.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/sunbird.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/thunderbird.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# Fedora Extras packages: ladspa, imlib2, ocaml
+/usr/lib(64)?/ladspa/analogue_osc_1416\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/bandpass_iir_1892\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/butterworth_1902\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/fm_osc_1415\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/gsm_1215\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/gverb_1216\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/hermes_filter_1200\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/highpass_iir_1890\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/lowpass_iir_1891\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/notch_iir_1894\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/pitch_scale_1193\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/pitch_scale_1194\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc1_1425\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc2_1426\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc3_1427\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc4_1882\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/se4_1883\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libImlib2\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ocaml/stublibs/dllnums\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/httpd/modules/libphp5\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/php/modules/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
+/usr/lib(64)?.*/libmpg123\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xine/plugins/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libgsm\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmp3lame\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# Flash plugin, Macromedia
+HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# Jai, Sun Microsystems (Jpackage SPRM)
+/usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdivxdecore.so.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdivxencore.so.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# vmware 
+/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/lib(/.*)?/HConfig.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# Java, Sun Microsystems (JPackage SRPM)
+/usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/matlab.*/bin/glnx86/libmwlapack.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/acroread/(.*/)?sidecars/*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/(.*/)?nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+') dnl end distro_redhat
+
+#
+# /var
+#
+/var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
+/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* --	gen_context(system_u:object_r:shlib_t,s0)
+
+/var/mailman/pythonlib(/.*)?/.*\.so(\..*)? --	gen_context(system_u:object_r:shlib_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/samba/bin/.*\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
+')
+
+/var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
+/var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
+/var/spool/postfix/lib(64)?/lib.*\.so.*	--	gen_context(system_u:object_r:shlib_t,s0)
+/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
+/var/spool/postfix/lib(64)?/devfsd/.*\.so.* --	gen_context(system_u:object_r:shlib_t,s0)
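Review bot: `sidecars/*` on L90357 and L90366 is a regular expression, so `/*` matches zero or more slashes rather than the directory's contents, and with the `--` (regular file) qualifier each entry can only ever match a file literally named `sidecars`; the intended form is presumably `sidecars/.*`, i.e. `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` and `/usr/lib/acroread/(.*/)?sidecars/.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. `/usr/x11R6` on L90249 is lowercase while every neighbouring entry uses `/usr/X11R6`, so that libglx entry likely matches nothing on a real system. Because every one of these patterns hands out textrel_shlib_t, which libraries.if pairs with `execmod`, a non-matching entry fails closed (the library gets plain shlib_t and the program is denied text relocation), so the result is breakage rather than over-privilege, but the typos should still be fixed rather than worked around with broader patterns.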
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
new file mode 100644
index 0000000..64e70c8
--- /dev/null
+++ b/policy/modules/system/libraries.if
@@ -0,0 +1,473 @@
+## <summary>Policy for system libraries.</summary>
+
+########################################
+## <summary>
+##	Execute ldconfig in the ldconfig domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_domtrans_ldconfig',`
+	gen_require(`
+		type ldconfig_t, ldconfig_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
+
+	allow $1 ldconfig_t:fd use;
+	allow ldconfig_t $1:fd use;
+	allow ldconfig_t $1:fifo_file rw_file_perms;
+	allow ldconfig_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute ldconfig in the ldconfig domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the ldconfig domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ldconfig domain to use.
+##	</summary>
+## </param>
+#
+interface(`libs_run_ldconfig',`
+	gen_require(`
+		type ldconfig_t;
+	')
+
+	libs_domtrans_ldconfig($1)
+	role $2 types ldconfig_t;
+	allow ldconfig_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Use the dynamic link/loader for automatic loading
+##	of shared libraries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_use_ld_so',`
+	gen_require(`
+		type lib_t, ld_so_t, ld_so_cache_t;
+	')
+
+	files_list_etc($1)
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 ld_so_t:lnk_file r_file_perms;
+	allow $1 ld_so_t:file rx_file_perms;
+	allow $1 ld_so_cache_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Use the dynamic link/loader for automatic loading
+##	of shared libraries with legacy support.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_legacy_use_ld_so',`
+	gen_require(`
+		type ld_so_t, ld_so_cache_t;
+	')
+
+	libs_use_ld_so($1)
+	allow $1 ld_so_t:file execmod;
+	allow $1 ld_so_cache_t:file execute;
+')
+
+########################################
+## <summary>
+##	Execute the dynamic link/loader in the caller's domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_exec_ld_so',`
+	gen_require(`
+		type lib_t, ld_so_t;
+	')
+
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 ld_so_t:lnk_file r_file_perms;
+	can_exec($1,ld_so_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the
+##	dynamic link/loader.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_ld_so',`
+	gen_require(`
+		type lib_t, ld_so_t;
+	')
+
+	allow $1 lib_t:dir rw_dir_perms;
+	allow $1 ld_so_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the type used for
+##	the dynamic link/loader.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_ld_so',`
+	gen_require(`
+		type lib_t, ld_so_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 ld_so_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Modify the dynamic link/loader's cached listing
+##	of shared libraries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_rw_ld_so_cache',`
+	gen_require(`
+		type ld_so_cache_t;
+	')
+
+	files_list_etc($1)
+	allow $1 ld_so_cache_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Search library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_search_lib',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir search;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_manage_lib_dirs',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read files in the library directories, such
+##	as static libraries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_read_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	files_search_usr($1)
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute library scripts in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_exec_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	files_search_usr($1)
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	can_exec($1,lib_t)
+')
+
+########################################
+## <summary>
+##	Load and execute functions from generic
+##	lib files as shared libraries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_use_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	files_list_usr($1)
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 lib_t:file rx_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete generic
+##	files in library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir rw_dir_perms;
+	allow $1 lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel files to the type used in library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_relabelto_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 lib_t:file relabelto;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the type used
+##	for generic lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 lib_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Delete generic symlinks in library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_delete_lib_symlinks',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir { getattr search read write remove_name };
+	allow $1 lib_t:lnk_file unlink;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete shared libraries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_manage_shared_libs',`
+	gen_require(`
+		type lib_t, shlib_t, textrel_shlib_t;
+	')
+
+	allow $1 lib_t:dir rw_dir_perms;
+	allow $1 { shlib_t textrel_shlib_t }:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Load and execute functions from shared libraries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_use_shared_libs',`
+	gen_require(`
+		type lib_t, shlib_t, textrel_shlib_t;
+	')
+
+	files_list_usr($1)
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 { shlib_t textrel_shlib_t }:lnk_file r_file_perms;
+	allow $1 { shlib_t textrel_shlib_t }:file rx_file_perms;
+	allow $1 textrel_shlib_t:file execmod;
+')
+
+########################################
+## <summary>
+##	Load and execute functions from shared libraries,
+##	with legacy support.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_legacy_use_shared_libs',`
+	gen_require(`
+		type shlib_t, textrel_shlib_t;
+	')
+
+	libs_use_shared_libs($1)
+	allow $1 { shlib_t textrel_shlib_t }:file execmod;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the type used for
+##	shared libraries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for prelink
+interface(`libs_relabel_shared_libs',`
+	gen_require(`
+		type lib_t, shlib_t, textrel_shlib_t;
+	')
+
+	allow $1 lib_t:dir search_dir_perms;
+	allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Create an object in lib directories, with
+##	the shared libraries type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_lib_filetrans_shared_lib',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir rw_dir_perms;
+	type_transition $1 root_t:$2 shlib_t;
+')
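Review bot: `files_lib_filetrans_shared_lib` (L90863-L90870) uses `shlib_t` in its type_transition but its gen_require lists only `root_t`, so a module calling it may fail to link where shlib_t is not otherwise required; and the summary says "in lib directories" while the rules target `root_t:dir`, not `lib_t`. If the summary is right, the body should read `type lib_t, shlib_t;` in the require with `allow $1 lib_t:dir rw_dir_perms;` and `type_transition $1 lib_t:$2 shlib_t;`; if root_t is really intended, the require still needs `type root_t, shlib_t;` and the summary should say so, since granting `rw_dir_perms` on the root directory is a notable privilege for a caller. The `files_` prefix is also out of step with every other interface in this file, which uses `libs_`, and under `targeted_policy` shlib_t is only an alias of lib_t (libraries.te, L90908), so the transition is a no-op there; a comment stating that would save readers from looking for a missing rule.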
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
new file mode 100644
index 0000000..03ce1fa
--- /dev/null
+++ b/policy/modules/system/libraries.te
@@ -0,0 +1,98 @@
+
+policy_module(libraries,1.3.9)
+
+########################################
+#
+# Declarations
+#
+
+#
+# ld_so_cache_t is the type of /etc/ld.so.cache.
+#
+type ld_so_cache_t;
+files_type(ld_so_cache_t)
+
+#
+# ld_so_t is the type of the system dynamic loaders.
+#
+type ld_so_t;
+files_type(ld_so_t)
+
+#
+# lib_t is the type of files in the system lib directories.
+#
+type lib_t;
+files_type(lib_t)
+
+#
+# shlib_t is the type of shared objects in the system lib
+# directories.
+#
+ifdef(`targeted_policy',`
+	typealias lib_t alias shlib_t;
+',`
+	type shlib_t;
+	files_type(shlib_t)
+')
+
+#
+# textrel_shlib_t is the type of shared objects in the system lib
+# directories, which require text relocation.
+#
+type textrel_shlib_t alias texrel_shlib_t;
+files_type(textrel_shlib_t)
+
+########################################
+#
+# ldconfig local policy
+#
+type ldconfig_t;
+type ldconfig_exec_t;
+init_system_domain(ldconfig_t,ldconfig_exec_t)
+role system_r types ldconfig_t;
+
+allow ldconfig_t ld_so_cache_t:file create_file_perms;
+files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
+
+allow ldconfig_t lib_t:dir rw_dir_perms;
+allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
+allow ldconfig_t ld_so_t:lnk_file r_file_perms;
+allow ldconfig_t ld_so_t:file rx_file_perms;
+allow ldconfig_t ld_so_cache_t:file r_file_perms;
+allow ldconfig_t { shlib_t textrel_shlib_t }:lnk_file r_file_perms;
+allow ldconfig_t { shlib_t textrel_shlib_t }:file rx_file_perms;
+
+kernel_read_system_state(ldconfig_t)
+
+fs_getattr_xattr_fs(ldconfig_t)
+
+domain_use_interactive_fds(ldconfig_t)
+
+files_search_var_lib(ldconfig_t)
+files_read_etc_files(ldconfig_t)
+files_search_tmp(ldconfig_t)
+files_search_usr(ldconfig_t)
+# for when /etc/ld.so.cache is mislabeled:
+files_delete_etc_files(ldconfig_t)
+
+init_use_script_ptys(ldconfig_t)
+
+logging_send_syslog_msg(ldconfig_t)
+
+userdom_use_all_users_fds(ldconfig_t)
+
+ifdef(`hide_broken_symptoms',`
+	optional_policy(`
+		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
+	')
+')
+
+ifdef(`targeted_policy',`
+	allow ldconfig_t lib_t:file r_file_perms;
+	unconfined_domain(ldconfig_t) 
+')
+
+optional_policy(`
+	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
+	apache_dontaudit_search_modules(ldconfig_t)
+')
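Review bot: `files_delete_etc_files(ldconfig_t)` in the ldconfig local policy grants unlink on every etc_t file, which is far broader than the stated purpose of coping with a mislabeled /etc/ld.so.cache; a misbehaving or compromised ldconfig could then remove arbitrary /etc configuration, and the grant is unconditional rather than tied to that one file. Since the module already has `files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)` and `create_file_perms` on ld_so_cache_t, a mislabeled cache is better fixed by relabeling (restorecon) than by letting ldconfig delete etc_t in general. If the rule must stay, the comment above it should state the breadth so it is revisited: `# NOTE: this is unlink on ALL etc_t files, not just ld.so.cache; prefer relabeling the cache and drop this once labeling is fixed`. Note also that under targeted_policy the domain is made unconfined further down, so the narrowing only matters for the strict/mls builds.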
diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
new file mode 100644
index 0000000..7570583
--- /dev/null
+++ b/policy/modules/system/locallogin.fc
@@ -0,0 +1,2 @@
+
+/sbin/sulogin		--	gen_context(system_u:object_r:sulogin_exec_t,s0)
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
new file mode 100644
index 0000000..801aa12
--- /dev/null
+++ b/policy/modules/system/locallogin.if
@@ -0,0 +1,73 @@
+## <summary>Policy for local logins.</summary>
+
+########################################
+## <summary>
+##	Execute local logins in the local login domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`locallogin_domtrans',`
+	gen_require(`
+		type local_login_t;
+	')
+
+	auth_domtrans_login_program($1,local_login_t)
+')
+
+########################################
+## <summary>
+##	Allow processes to inherit local login file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`locallogin_use_fds',`
+	gen_require(`
+		type local_login_t;
+	')
+
+	allow $1 local_login_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit local login file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`locallogin_dontaudit_use_fds',`
+	gen_require(`
+		type local_login_t;
+	')
+
+	dontaudit $1 local_login_t:fd use;
+')
+
+########################################
+## <summary>
+##	Send a null signal to local login processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`locallogin_signull',`
+	gen_require(`
+		type local_login_t;
+	')
+
+	allow $1 local_login_t:process signull;
+')
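Review bot: `locallogin_domtrans` documents itself as executing local logins in the local login domain, but the interface body delegates entirely to `auth_domtrans_login_program($1,local_login_t)` and this module declares no private exec type (locallogin.te uses `auth_login_entry_type(local_login_t)`), so the transition presumably fires on the shared login-program type owned by the authlogin module. A caller reading only this file cannot tell which binary triggers the transition or that other login domains share the same entry type. Add a comment above the `auth_domtrans_login_program` call such as `# Entry point is the shared login program type from the authlogin module; this module declares no locallogin-private exec type` so the coupling is visible where the interface is defined.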
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
new file mode 100644
index 0000000..6a16f92
--- /dev/null
+++ b/policy/modules/system/locallogin.te
@@ -0,0 +1,290 @@
+
+policy_module(locallogin,1.2.3)
+
+########################################
+#
+# Declarations
+#
+
+type local_login_t;
+auth_login_entry_type(local_login_t)
+domain_type(local_login_t)
+domain_obj_id_change_exemption(local_login_t)
+domain_subj_id_change_exemption(local_login_t)
+domain_role_change_exemption(local_login_t)
+domain_interactive_fd(local_login_t)
+role system_r types local_login_t;
+
+type local_login_lock_t;
+files_lock_file(local_login_lock_t)
+
+type local_login_tmp_t;
+files_tmp_file(local_login_tmp_t)
+files_poly_parent(local_login_tmp_t)
+
+type sulogin_t;
+type sulogin_exec_t;
+domain_obj_id_change_exemption(sulogin_t)
+domain_subj_id_change_exemption(sulogin_t)
+domain_role_change_exemption(sulogin_t)
+domain_interactive_fd(sulogin_t)
+init_domain(sulogin_t,sulogin_exec_t)
+init_system_domain(sulogin_t,sulogin_exec_t)
+role system_r types sulogin_t;
+
+########################################
+#
+# Local login local policy
+#
+
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:fd use;
+allow local_login_t self:fifo_file rw_file_perms;
+allow local_login_t self:sock_file r_file_perms;
+allow local_login_t self:unix_dgram_socket create_socket_perms;
+allow local_login_t self:unix_stream_socket create_stream_socket_perms;
+allow local_login_t self:unix_dgram_socket sendto;
+allow local_login_t self:unix_stream_socket connectto;
+allow local_login_t self:shm create_shm_perms;
+allow local_login_t self:sem create_sem_perms;
+allow local_login_t self:msgq create_msgq_perms;
+allow local_login_t self:msg { send receive };
+
+allow local_login_t local_login_lock_t:file create_file_perms;
+files_lock_filetrans(local_login_t,local_login_lock_t,file)
+
+allow local_login_t local_login_tmp_t:dir create_dir_perms;
+allow local_login_t local_login_tmp_t:file create_file_perms;
+files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
+
+kernel_read_system_state(local_login_t)
+kernel_read_kernel_sysctls(local_login_t)
+
+dev_setattr_mouse_dev(local_login_t)
+dev_getattr_mouse_dev(local_login_t)
+dev_getattr_power_mgmt_dev(local_login_t)
+dev_setattr_power_mgmt_dev(local_login_t)
+dev_getattr_sound_dev(local_login_t)
+dev_setattr_sound_dev(local_login_t)
+dev_dontaudit_getattr_apm_bios_dev(local_login_t)
+dev_dontaudit_setattr_apm_bios_dev(local_login_t)
+dev_dontaudit_read_framebuffer(local_login_t)
+dev_dontaudit_setattr_framebuffer_dev(local_login_t)
+dev_dontaudit_getattr_generic_blk_files(local_login_t)
+dev_dontaudit_setattr_generic_blk_files(local_login_t)
+dev_dontaudit_getattr_generic_chr_files(local_login_t)
+dev_dontaudit_setattr_generic_chr_files(local_login_t)
+dev_dontaudit_setattr_generic_symlinks(local_login_t)
+dev_dontaudit_getattr_misc_dev(local_login_t)
+dev_dontaudit_setattr_misc_dev(local_login_t)
+dev_dontaudit_getattr_scanner_dev(local_login_t)
+dev_dontaudit_setattr_scanner_dev(local_login_t)
+dev_dontaudit_search_sysfs(local_login_t)
+dev_dontaudit_getattr_video_dev(local_login_t)
+dev_dontaudit_setattr_video_dev(local_login_t)
+# for SSP/ProPolice
+dev_read_urand(local_login_t)
+
+fs_search_auto_mountpoints(local_login_t)
+
+selinux_get_fs_mount(local_login_t)
+selinux_validate_context(local_login_t)
+selinux_compute_access_vector(local_login_t)
+selinux_compute_create_context(local_login_t)
+selinux_compute_relabel_context(local_login_t)
+selinux_compute_user_contexts(local_login_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
+storage_dontaudit_setattr_fixed_disk_dev(local_login_t)
+storage_dontaudit_getattr_removable_dev(local_login_t)
+storage_dontaudit_setattr_removable_dev(local_login_t)
+
+term_use_all_user_ttys(local_login_t)
+term_use_unallocated_ttys(local_login_t)
+term_relabel_unallocated_ttys(local_login_t)
+term_relabel_all_user_ttys(local_login_t)
+term_setattr_all_user_ttys(local_login_t)
+term_setattr_unallocated_ttys(local_login_t)
+
+auth_domtrans_chk_passwd(local_login_t)
+auth_dontaudit_read_shadow(local_login_t)
+auth_rw_login_records(local_login_t)
+auth_rw_lastlog(local_login_t)
+auth_rw_faillog(local_login_t)
+auth_exec_pam(local_login_t)
+auth_manage_pam_console_data(local_login_t)
+auth_domtrans_pam_console(local_login_t)
+
+corecmd_list_bin(local_login_t)
+corecmd_list_sbin(local_login_t)
+corecmd_read_bin_symlinks(local_login_t)
+corecmd_read_sbin_symlinks(local_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(local_login_t)
+corecmd_read_bin_pipes(local_login_t)
+corecmd_read_bin_sockets(local_login_t)
+corecmd_read_sbin_files(local_login_t)
+corecmd_read_sbin_pipes(local_login_t)
+corecmd_read_sbin_sockets(local_login_t)
+
+domain_read_all_entry_files(local_login_t)
+
+files_read_etc_files(local_login_t)
+files_read_etc_runtime_files(local_login_t)
+files_read_usr_files(local_login_t)
+files_list_mnt(local_login_t)
+files_list_world_readable(local_login_t)
+files_read_world_readable_files(local_login_t)
+files_read_world_readable_symlinks(local_login_t)
+files_read_world_readable_pipes(local_login_t)
+files_read_world_readable_sockets(local_login_t)
+# for when /var/mail is a symlink
+files_read_var_symlinks(local_login_t)
+# Login can polyinstantiate
+files_polyinstantiate_all(local_login_t)
+
+init_rw_utmp(local_login_t)
+init_dontaudit_use_fds(local_login_t)
+
+libs_use_ld_so(local_login_t)
+libs_use_shared_libs(local_login_t)
+
+logging_send_syslog_msg(local_login_t)
+
+miscfiles_read_localization(local_login_t)
+
+mls_file_read_up(local_login_t)
+mls_file_write_down(local_login_t)
+mls_file_upgrade(local_login_t)
+mls_file_downgrade(local_login_t)
+mls_process_set_level(local_login_t)
+
+seutil_read_config(local_login_t)
+seutil_read_default_contexts(local_login_t)
+
+userdom_spec_domtrans_all_users(local_login_t)
+userdom_signal_all_users(local_login_t)
+userdom_search_all_users_home_content(local_login_t)
+userdom_use_unpriv_users_fds(local_login_t)
+userdom_sigchld_all_users(local_login_t)
+userdom_create_all_users_keys(local_login_t)
+
+ifdef(`targeted_policy',`
+	unconfined_domain(local_login_t)
+	unconfined_shell_domtrans(local_login_t)
+')
+
+tunable_policy(`read_default_t',`
+	files_list_default(local_login_t)
+	files_read_default_files(local_login_t)
+	files_read_default_symlinks(local_login_t)
+	files_read_default_sockets(local_login_t)
+	files_read_default_pipes(local_login_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(local_login_t)
+	fs_read_nfs_symlinks(local_login_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(local_login_t)
+	fs_read_cifs_symlinks(local_login_t)
+')
+
+optional_policy(`
+	gpm_getattr_gpmctl(local_login_t)
+	gpm_setattr_gpmctl(local_login_t)
+')
+
+optional_policy(`
+	# Search for mail spool file.
+	mta_getattr_spool(local_login_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(local_login_t)
+')
+
+optional_policy(`
+	nscd_socket_use(local_login_t)
+')
+
+optional_policy(`
+	usermanage_read_crack_db(local_login_t)
+')
+
+optional_policy(`
+	alsa_domtrans(local_login_t)
+')
+
+#################################
+# 
+# Sulogin local policy
+#
+
+allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow sulogin_t self:fd use;
+allow sulogin_t self:fifo_file rw_file_perms;
+allow sulogin_t self:unix_dgram_socket create_socket_perms;
+allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
+allow sulogin_t self:unix_dgram_socket sendto;
+allow sulogin_t self:unix_stream_socket connectto;
+allow sulogin_t self:shm create_shm_perms;
+allow sulogin_t self:sem create_sem_perms;
+allow sulogin_t self:msgq create_msgq_perms;
+allow sulogin_t self:msg { send receive };
+
+kernel_read_system_state(sulogin_t)
+
+fs_search_auto_mountpoints(sulogin_t)
+fs_rw_tmpfs_chr_files(sulogin_t)
+
+files_read_etc_files(sulogin_t)
+# because file systems are not mounted:
+files_dontaudit_search_isid_type_dirs(sulogin_t)
+
+init_getpgid_script(sulogin_t)
+
+libs_use_ld_so(sulogin_t)
+libs_use_shared_libs(sulogin_t)
+
+logging_send_syslog_msg(sulogin_t)
+
+seutil_read_config(sulogin_t)
+seutil_read_default_contexts(sulogin_t)
+
+auth_read_shadow(sulogin_t)
+
+userdom_shell_domtrans_sysadm(sulogin_t)
+userdom_use_unpriv_users_fds(sulogin_t)
+userdom_use_sysadm_ptys(sulogin_t)
+userdom_search_staff_home_dirs(sulogin_t)
+userdom_search_sysadm_home_dirs(sulogin_t)
+
+# suse and debian do not use pam with sulogin...
+ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ifdef(`distro_debian', `define(`sulogin_no_pam')')
+
+ifdef(`sulogin_no_pam', `
+	allow sulogin_t self:capability sys_tty_config;
+	init_getpgid(sulogin_t)
+', `
+	allow sulogin_t self:process setexec;
+	selinux_get_fs_mount(sulogin_t)
+	selinux_validate_context(sulogin_t)
+	selinux_compute_access_vector(sulogin_t)
+	selinux_compute_create_context(sulogin_t)
+	selinux_compute_relabel_context(sulogin_t)
+	selinux_compute_user_contexts(sulogin_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(sulogin_t)
+')
+
+optional_policy(`
+	nscd_socket_use(sulogin_t)
+')
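Review bot: In the local login local policy the `self:process` rule excludes setrlimit and setexec from its complement set and the very next line grants both of them back, so the exclusion list misstates what local_login_t is actually denied (only ptrace, setcurrent, setfscreate, execmem, execstack and execheap are withheld). Collapse the two into one rule that reads as what it grants, `allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };`, and drop the follow-up `allow local_login_t self:process { setrlimit setexec };`. The sulogin section uses the same complement but only re-grants setexec, and only in the PAM branch; if local_login_t genuinely needs setrlimit and setexec unconditionally, a one-line comment stating why (e.g. PAM limits and setting the user's exec context) would keep a later reader from "fixing" it back to the denied set.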
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
new file mode 100644
index 0000000..cdd15cd
--- /dev/null
+++ b/policy/modules/system/logging.fc
@@ -0,0 +1,40 @@
+
+/dev/log		-s	gen_context(system_u:object_r:devlog_t,s0)
+
+/etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
+
+/sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
+/sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
+/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
+/sbin/minilogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+/sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+/sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
+/usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+ifdef(`distro_gentoo', `
+/usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+')
+
+ifdef(`distro_suse', `
+/var/lib/stunnel/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
+')
+
+/var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+/var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+
+/var/log		-d	gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
+/var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
+/var/log/audit.log	--	gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
+
+/var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
+
+/var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
+/var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
+/var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+
+/var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
+
+/var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
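Review bot: The `/var/spool/postfix/pid -d var_run_t` entry does not belong in logging.fc; it labels a postfix runtime directory with a generic pid type and is unrelated to the syslog/audit objects the rest of this file covers, so it will be overlooked when the postfix module's file contexts change and may conflict with whatever that module assigns under /var/spool/postfix. Move it to the postfix module's .fc file (or, if it must stay here, add a comment saying why postfix's pid directory is labeled from the logging module). The djbdns `/var/axfrdns`, `/var/dnscache` and `/var/tinydns` log paths are in the same situation and would read better next to the policy that owns those services.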
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
new file mode 100644
index 0000000..32bf657
--- /dev/null
+++ b/policy/modules/system/logging.if
@@ -0,0 +1,553 @@
+## <summary>Policy for the kernel message logger and system logging daemon.</summary>
+
+#######################################
+## <summary>
+##	Make the specified type a file
+##	used for logs.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Type of the file to be used as a log.
+##	</summary>
+## </param>
+#
+interface(`logging_log_file',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	files_type($1)
+	files_associate_tmp($1)
+	fs_associate_tmpfs($1)
+	typeattribute $1 logfile;
+')
+
+########################################
+## <summary>
+##	Read the audit log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_read_audit_log',`
+	gen_require(`
+		type auditd_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 auditd_log_t:dir r_dir_perms;
+	allow $1 auditd_log_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute auditctl in the auditctl domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_domtrans_auditctl',`
+	gen_require(`
+		type auditctl_t, auditctl_exec_t;
+	')
+
+	domain_auto_trans($1,auditctl_exec_t,auditctl_t)
+
+	allow $1 auditctl_t:fd use;
+	allow auditctl_t $1:fd use;
+	allow auditctl_t $1:fifo_file rw_file_perms;
+	allow auditctl_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute auditctl in the auditctl domain, and
+##	allow the specified role the auditctl domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the auditctl domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the auditctl domain to use.
+##	</summary>
+## </param>
+#
+interface(`logging_run_auditctl',`
+	gen_require(`
+		type auditctl_t;
+	')
+
+	logging_domtrans_auditctl($1)
+	role $2 types auditctl_t;
+	allow auditctl_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute auditd in the auditd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_domtrans_auditd',`
+	gen_require(`
+		type auditd_t, auditd_exec_t;
+	')
+
+	domain_auto_trans($1,auditd_exec_t,auditd_t)
+
+	allow auditd_t $1:fd use;
+	allow auditd_t $1:fifo_file rw_file_perms;
+	allow auditd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute auditd in the auditd domain, and
+##	allow the specified role the auditd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the auditd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the auditd domain to use.
+##	</summary>
+## </param>
+#
+interface(`logging_run_auditd',`
+	gen_require(`
+		type auditd_t;
+	')
+
+	logging_domtrans_auditd($1)
+	role $2 types auditd_t;
+	allow auditd_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Manage the auditd configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_manage_audit_config',`
+	gen_require(`
+		type auditd_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 auditd_etc_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage the audit log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_manage_audit_log',`
+	gen_require(`
+		type auditd_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 auditd_log_t:dir create_dir_perms;
+	allow $1 auditd_log_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute syslogd in the syslog domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_domtrans_syslog',`
+	gen_require(`
+		type syslogd_t, syslogd_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,syslogd_exec_t,syslogd_t)
+
+	allow $1 syslogd_t:fd use;
+	allow syslogd_t $1:fd use;
+	allow syslogd_t $1:fifo_file rw_file_perms;
+	allow syslogd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Create an object in the log directory, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`logging_log_filetrans',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir rw_dir_perms;
+	type_transition $1 var_log_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Send system log messages.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_send_syslog_msg',`
+	gen_require(`
+		type syslogd_t, devlog_t;
+	')
+
+	allow $1 devlog_t:lnk_file read;
+	allow $1 devlog_t:sock_file rw_file_perms;
+
+	# the type of socket depends on the syslog daemon
+	allow $1 syslogd_t:unix_dgram_socket sendto;
+	allow $1 syslogd_t:unix_stream_socket connectto;
+	allow $1 self:unix_dgram_socket create_socket_perms;
+	allow $1 self:unix_stream_socket create_socket_perms;
+
+	# cjp: this should most likely be removed:
+	term_use_console($1)
+')
+
+########################################
+## <summary>
+##	Read the auditd configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_read_audit_config',`
+	gen_require(`
+		type auditd_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 auditd_etc_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allows the domain to open a file in the
+##	log directory, but does not allow the listing
+##	of the contents of the log directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_search_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir search;
+')
+
+#######################################
+## <summary>
+##      Do not audit attempts to search the var log directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain not to audit.
+##      </summary>
+## </param>
+#
+interface(`logging_dontaudit_search_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	dontaudit $1 var_log_t:dir search;
+')
+
+#######################################
+## <summary>
+##	List the contents of the generic log directory (/var/log).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_list_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir r_dir_perms;
+')
+
+#######################################
+## <summary>
+##	Read and write the generic log directory (/var/log).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_rw_generic_log_dirs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the atttributes
+##	of any log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_dontaudit_getattr_all_logs',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	dontaudit $1 logfile:file getattr;
+')
+
+########################################
+## <summary>
+##	Append to all log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_append_all_logs',`
+	gen_require(`
+		attribute logfile;
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir r_dir_perms;
+	allow $1 logfile:file { getattr append };
+')
+
+########################################
+## <summary>
+##	Read all log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_read_all_logs',`
+	gen_require(`
+		attribute logfile;
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir r_dir_perms;
+	allow $1 logfile:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute all log files in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: not sure why this is needed.  This was added
+# because of logrotate.
+interface(`logging_exec_all_logs',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	files_search_var($1)
+	allow $1 logfile:dir r_dir_perms;
+	can_exec($1,logfile)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete all log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_manage_all_logs',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	files_search_var($1)
+	allow $1 logfile:dir rw_dir_perms;
+	allow $1 logfile:lnk_file read;
+	allow $1 logfile:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Read generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_read_generic_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir r_dir_perms;
+	allow $1 var_log_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Write generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_write_generic_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir r_dir_perms;
+	allow $1 var_log_t:file { getattr write };
+')
+
+########################################
+## <summary>
+##	Read and write generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_rw_generic_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir r_dir_perms;
+	allow $1 var_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_manage_generic_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir rw_dir_perms;
+	allow $1 var_log_t:file create_file_perms;
+')
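Review bot: `logging_send_syslog_msg` ends with `term_use_console($1)`, already flagged in its own comment as something that should be removed, yet the commit ships it; because this interface is what almost every domain calls to log (ldconfig_t, local_login_t and sulogin_t all use it in the sibling files of this diff), every such domain is granted read/write on the console device as a side effect of being allowed to talk to syslog. That is a broad grant unrelated to the interface's documented purpose and should be dropped here, with any domain that truly needs the console calling `term_use_console` itself. A similar smell sits in `logging_exec_all_logs`, whose `can_exec($1,logfile)` lets the caller execute any file carrying the logfile attribute (content that log-writing daemons control); the comment admits the reason is unknown, so at minimum the summary should warn callers that this is execute access on daemon-writable files.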
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
new file mode 100644
index 0000000..74aee44
--- /dev/null
+++ b/policy/modules/system/logging.te
@@ -0,0 +1,385 @@
+
+policy_module(logging,1.3.7)
+
+########################################
+#
+# Declarations
+#
+
+attribute logfile;
+
+type auditctl_t;
+type auditctl_exec_t;
+init_system_domain(auditctl_t,auditctl_exec_t)
+role system_r types auditctl_t;
+
+type auditd_etc_t;
+files_security_file(auditd_etc_t)
+
+type auditd_log_t;
+files_security_file(auditd_log_t)
+
+type auditd_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type auditd_exec_t;
+')
+init_daemon_domain(auditd_t,auditd_exec_t)
+
+type auditd_var_run_t;
+files_pid_file(auditd_var_run_t)
+
+type devlog_t;
+files_type(devlog_t)
+mls_trusted_object(devlog_t)
+
+type klogd_t;
+type klogd_exec_t;
+init_daemon_domain(klogd_t,klogd_exec_t)
+
+type klogd_tmp_t;
+files_tmp_file(klogd_tmp_t)
+
+type klogd_var_run_t;
+files_pid_file(klogd_var_run_t)
+
+type syslogd_t;
+type syslogd_exec_t;
+init_daemon_domain(syslogd_t,syslogd_exec_t)
+
+type syslogd_tmp_t;
+files_tmp_file(syslogd_tmp_t)
+
+type syslogd_var_run_t;
+files_pid_file(syslogd_var_run_t)
+
+type var_log_t;
+logging_log_file(var_log_t)
+
+########################################
+#
+# Auditd local policy
+#
+
+allow auditctl_t self:capability { audit_write audit_control };
+allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+
+libs_use_ld_so(auditctl_t)
+libs_use_shared_libs(auditctl_t)
+
+allow auditctl_t etc_t:file { getattr read };
+
+allow auditctl_t auditd_etc_t:dir r_dir_perms;
+allow auditctl_t auditd_etc_t:file r_file_perms;
+
+# Needed for adding watches
+files_getattr_all_dirs(auditctl_t)
+files_read_etc_files(auditctl_t)
+
+kernel_read_kernel_sysctls(auditctl_t)
+kernel_read_proc_symlinks(auditctl_t)
+
+domain_read_all_domains_state(auditctl_t)
+domain_use_interactive_fds(auditctl_t)
+
+mls_file_read_up(auditctl_t)
+
+term_use_all_terms(auditctl_t)
+
+init_use_script_ptys(auditctl_t)
+init_dontaudit_use_fds(auditctl_t)
+
+locallogin_dontaudit_use_fds(auditctl_t)
+
+logging_send_syslog_msg(auditctl_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(auditctl_t)
+	term_use_unallocated_ttys(auditctl_t)
+')
+
+########################################
+#
+# Auditd local policy
+#
+
+allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
+dontaudit auditd_t self:capability sys_tty_config;
+allow auditd_t self:process { signal_perms setpgid setsched };
+allow auditd_t self:file { getattr read write };
+allow auditd_t self:unix_dgram_socket create_socket_perms;
+allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+allow auditd_t self:fifo_file rw_file_perms;
+
+allow auditd_t auditd_etc_t:dir r_dir_perms;
+allow auditd_t auditd_etc_t:file r_file_perms;
+
+allow auditd_t auditd_log_t:dir rw_dir_perms;
+allow auditd_t auditd_log_t:file create_file_perms;
+allow auditd_t auditd_log_t:lnk_file create_lnk_perms;
+allow auditd_t var_log_t:dir search;
+
+allow auditd_t auditd_var_run_t:file create_file_perms;
+allow auditd_t auditd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(auditd_t,auditd_var_run_t,file)
+
+kernel_read_kernel_sysctls(auditd_t)
+# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
+# Probably want a transition, and a new auditd_helper app
+kernel_read_system_state(auditd_t)
+
+dev_read_sysfs(auditd_t)
+
+fs_getattr_all_fs(auditd_t)
+fs_search_auto_mountpoints(auditd_t)
+
+term_dontaudit_use_console(auditd_t)
+
+# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
+# Probably want a transition, and a new auditd_helper app
+corecmd_exec_sbin(auditd_t)
+corecmd_exec_bin(auditd_t)
+
+
+domain_use_interactive_fds(auditd_t)
+
+files_read_etc_files(auditd_t)
+files_list_usr(auditd_t)
+
+init_use_fds(auditd_t)
+init_exec(auditd_t)
+init_write_initctl(auditd_t)
+init_dontaudit_use_script_ptys(auditd_t)
+
+logging_send_syslog_msg(auditd_t)
+
+libs_use_ld_so(auditd_t)
+libs_use_shared_libs(auditd_t)
+
+miscfiles_read_localization(auditd_t)
+
+mls_file_read_up(auditd_t)
+mls_rangetrans_target(auditd_t)
+
+seutil_dontaudit_read_config(auditd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(auditd_t)
+userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
+# cjp: this is questionable
+userdom_use_sysadm_ttys(auditd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(auditd_t)
+	term_dontaudit_use_unallocated_ttys(auditd_t)
+	unconfined_dontaudit_read_pipes(auditd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(auditd_t)
+')
+
+optional_policy(`
+	udev_read_db(auditd_t)
+')
+
+########################################
+#
+# klogd local policy
+#
+
+allow klogd_t self:capability sys_admin;
+dontaudit klogd_t self:capability { sys_resource sys_tty_config };
+allow klogd_t self:process signal_perms;
+
+allow klogd_t klogd_tmp_t:file create_file_perms;
+allow klogd_t klogd_tmp_t:dir create_dir_perms;
+files_tmp_filetrans(klogd_t,klogd_tmp_t,{ file dir })
+
+allow klogd_t klogd_var_run_t:file create_file_perms;
+allow klogd_t klogd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(klogd_t,klogd_var_run_t,file)
+
+kernel_read_system_state(klogd_t)
+kernel_read_messages(klogd_t)
+kernel_read_kernel_sysctls(klogd_t)
+# Control syslog and console logging
+kernel_clear_ring_buffer(klogd_t)
+kernel_change_ring_buffer_level(klogd_t)
+
+files_read_kernel_symbol_table(klogd_t)
+
+dev_read_raw_memory(klogd_t)
+dev_read_sysfs(klogd_t)
+
+fs_getattr_all_fs(klogd_t)
+fs_search_auto_mountpoints(klogd_t)
+
+term_dontaudit_use_console(klogd_t)
+
+domain_use_interactive_fds(klogd_t)
+
+files_read_etc_runtime_files(klogd_t)
+# read /etc/nsswitch.conf
+files_read_etc_files(klogd_t)
+
+init_use_fds(klogd_t)
+init_use_script_ptys(klogd_t)
+
+libs_use_ld_so(klogd_t)
+libs_use_shared_libs(klogd_t)
+
+logging_send_syslog_msg(klogd_t)
+
+miscfiles_read_localization(klogd_t)
+
+mls_file_read_up(klogd_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
+
+optional_policy(`
+	udev_read_db(klogd_t)
+')
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(klogd_t)
+	term_dontaudit_use_unallocated_ttys(klogd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(klogd_t)
+')
+
+########################################
+#
+# syslogd local policy
+#
+
+# sys_admin chown fsetid for syslog-ng
+# cjp: why net_admin!
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:process signal_perms;
+allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
+# receive messages to be logged
+allow syslogd_t self:unix_dgram_socket create_socket_perms;
+allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
+allow syslogd_t self:unix_dgram_socket sendto;
+allow syslogd_t self:fifo_file rw_file_perms;
+allow syslogd_t self:udp_socket create_socket_perms;
+
+# Create and bind to /dev/log or /var/run/log.
+allow syslogd_t devlog_t:sock_file create_file_perms;
+files_pid_filetrans(syslogd_t,devlog_t,sock_file)
+
+# create/append log files.
+allow syslogd_t var_log_t:dir rw_dir_perms;
+allow syslogd_t var_log_t:file create_file_perms;
+# Allow access for syslog-ng
+allow syslogd_t var_log_t:dir { create setattr };
+
+# manage temporary files
+allow syslogd_t syslogd_tmp_t:file create_file_perms;
+allow syslogd_t syslogd_tmp_t:dir create_dir_perms;
+files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
+
+allow syslogd_t syslogd_var_run_t:file create_file_perms;
+files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
+
+# manage pid file
+allow syslogd_t syslogd_var_run_t:file create_file_perms;
+allow syslogd_t syslogd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
+
+kernel_read_kernel_sysctls(syslogd_t)
+kernel_read_proc_symlinks(syslogd_t)
+# Allow access to /proc/kmsg for syslog-ng
+kernel_read_messages(syslogd_t)
+kernel_clear_ring_buffer(syslogd_t)
+kernel_change_ring_buffer_level(syslogd_t)
+
+dev_filetrans(syslogd_t,devlog_t,sock_file)
+dev_read_sysfs(syslogd_t)
+
+fs_search_auto_mountpoints(syslogd_t)
+
+term_write_console(syslogd_t)
+# Allow syslog to a terminal
+term_write_unallocated_ttys(syslogd_t)
+
+# for sending messages to logged in users
+init_read_utmp(syslogd_t)
+init_dontaudit_write_utmp(syslogd_t)
+term_write_all_user_ttys(syslogd_t)
+
+corenet_non_ipsec_sendrecv(syslogd_t)
+corenet_udp_sendrecv_all_if(syslogd_t)
+corenet_udp_sendrecv_all_nodes(syslogd_t)
+corenet_udp_sendrecv_all_ports(syslogd_t)
+corenet_udp_bind_all_nodes(syslogd_t)
+corenet_udp_bind_syslogd_port(syslogd_t)
+# syslog-ng can send or receive logs
+corenet_sendrecv_syslogd_client_packets(syslogd_t)
+corenet_sendrecv_syslogd_server_packets(syslogd_t)
+
+fs_getattr_all_fs(syslogd_t)
+
+init_use_fds(syslogd_t)
+init_use_script_ptys(syslogd_t)
+
+domain_use_interactive_fds(syslogd_t)
+
+files_read_etc_files(syslogd_t)
+files_read_etc_runtime_files(syslogd_t)
+# /initrd is not umounted before minilog starts
+files_dontaudit_search_isid_type_dirs(syslogd_t)
+
+libs_use_ld_so(syslogd_t)
+libs_use_shared_libs(syslogd_t)
+
+# cjp: this doesnt make sense
+logging_send_syslog_msg(syslogd_t)
+
+sysnet_read_config(syslogd_t)
+
+miscfiles_read_localization(syslogd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
+userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
+
+ifdef(`distro_suse',`
+	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
+	files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
+')
+
+ifdef(`targeted_policy',`
+	allow syslogd_t var_run_t:fifo_file { ioctl read write };
+	term_dontaudit_use_unallocated_ttys(syslogd_t)
+	term_dontaudit_use_generic_ptys(syslogd_t)
+	files_dontaudit_read_root_files(syslogd_t)
+')
+
+optional_policy(`
+	inn_manage_log(syslogd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(syslogd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(syslogd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(syslogd_t)
+')
+
+optional_policy(`
+	udev_read_db(syslogd_t)
+')
+
+optional_policy(`
+	# log to the xconsole
+	xserver_rw_console(syslogd_t)
+')
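Review bot: `dontaudit syslogd_t self:capability sys_tty_config;` in the syslogd block is dead, because the allow rule immediately above it already grants sys_tty_config inside its capability set; either the capability is genuinely needed (then drop the dontaudit) or it was meant to be dontaudit-only (then remove it from the allow set), and the same pattern should be checked where the auditd and klogd blocks dontaudit sys_tty_config. The syslogd pid-file rules are also duplicated: `allow syslogd_t syslogd_var_run_t:file create_file_perms;` and `files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)` appear once after the tmp-file block and again under `# manage pid file`; keep only the latter pair. The first section header reads `# Auditd local policy` but the rules under it are for auditctl_t, so it should read `# Auditctl local policy`.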
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
new file mode 100644
index 0000000..0339693
--- /dev/null
+++ b/policy/modules/system/lvm.fc
@@ -0,0 +1,90 @@
+
+# LVM creates lock files in /var before /var is mounted
+# configure LVM to put lockfiles in /etc/lvm/lock instead
+# for this policy to work (unless you have no separate /var)
+
+#
+# /etc
+#
+/etc/lvm(/.*)?			gen_context(system_u:object_r:lvm_etc_t,s0)
+/etc/lvm/\.cache	--	gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvm/archive(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvm/backup(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
+
+/etc/lvmtab(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvmtab\.d(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
+
+#
+# /lib
+#
+/lib/lvm-10/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/lib/lvm-200/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+
+#
+# /sbin
+#
+/sbin/cryptsetup	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/dmraid		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/dmsetup\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/e2fsadm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvcreate		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvextend		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvm\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmdiskscan	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvreduce		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvrename		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvresize		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvs		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/lvscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/multipathd	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvcreate		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvdata		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvmove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvs		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/pvscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgcfgbackup	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgcfgrestore	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgchange\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgck		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgcreate		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgexport		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgextend		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgimport		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgmerge		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgmknodes		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgreduce		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgrename		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgs		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgscan\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgsplit		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/vgwrapper		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/clvmd		--	gen_context(system_u:object_r:clvmd_exec_t,s0)
+/usr/sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+
+#
+# /var
+#
+/var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
+
+/var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
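Review bot: The `/sbin/cryptsetup`, `/sbin/dmraid` and `/sbin/multipathd` entries assign lvm_exec_t to programs that are not part of LVM, so they execute in lvm_t with the full capability set lvm.te grants that domain (dac_override, mknod, sys_admin and sys_rawio among them). That is presumably intentional, since they all drive device-mapper, but nothing in the file says so. A comment above those entries, e.g. `# device-mapper front-ends share the lvm domain (and its capabilities)`, would keep a later reader from taking the labels for a copy-paste error, and makes the scope of the lvm_t privilege set explicit.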
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
new file mode 100644
index 0000000..193069c
--- /dev/null
+++ b/policy/modules/system/lvm.if
@@ -0,0 +1,76 @@
+## <summary>Policy for logical volume management programs.</summary>
+
+########################################
+## <summary>
+##	Execute lvm programs in the lvm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`lvm_domtrans',`
+	gen_require(`
+		type lvm_t, lvm_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, lvm_exec_t, lvm_t)
+
+	allow $1 lvm_t:fd use;
+	allow lvm_t $1:fd use;
+	allow lvm_t $1:fifo_file rw_file_perms;
+	allow lvm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute lvm programs in the lvm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the LVM domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the LVM domain to use.
+##	</summary>
+## </param>
+#
+interface(`lvm_run',`
+	gen_require(`
+		type lvm_t;
+	')
+
+	lvm_domtrans($1)
+	role $2 types lvm_t;
+	allow lvm_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Read LVM configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`lvm_read_config',`
+	gen_require(`
+		type lvm_t, lvm_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 lvm_etc_t:dir r_dir_perms;
+	allow $1 lvm_etc_t:file r_file_perms;
+')
+
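Review bot: `lvm_read_config` requires `type lvm_t, lvm_etc_t;` but its body only references lvm_etc_t, so the gen_require should read `type lvm_etc_t;`; the unused require only forces callers to depend on the lvm_t domain for a read-only configuration grant. The `lvm_run` summary is a copy of `lvm_domtrans`'s ("Execute lvm programs in the lvm domain.") and says nothing about the role and terminal it also wires up; a summary such as `Execute lvm programs in the lvm domain, and allow the specified role the lvm domain and the specified terminal.` would tell the two interfaces apart in the generated documentation.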
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
new file mode 100644
index 0000000..5aca3d0
--- /dev/null
+++ b/policy/modules/system/lvm.te
@@ -0,0 +1,268 @@
+
+policy_module(lvm,1.3.4)
+
+########################################
+#
+# Declarations
+#
+
+type clvmd_t;
+type clvmd_exec_t;
+init_daemon_domain(clvmd_t,clvmd_exec_t)
+
+type clvmd_var_run_t;
+files_pid_file(clvmd_var_run_t)
+
+type lvm_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type lvm_exec_t;
+')
+init_system_domain(lvm_t,lvm_exec_t)
+# needs privowner because it assigns the identity system_u to device nodes
+# but runs as the identity of the sysadmin
+domain_obj_id_change_exemption(lvm_t)
+role system_r types lvm_t;
+
+type lvm_etc_t;
+files_type(lvm_etc_t)
+
+type lvm_lock_t;
+files_lock_file(lvm_lock_t)
+
+type lvm_metadata_t;
+files_type(lvm_metadata_t)
+
+type lvm_var_run_t;
+files_pid_file(lvm_var_run_t)
+
+type lvm_tmp_t;
+files_tmp_file(lvm_tmp_t)
+
+########################################
+#
+# Cluster LVM daemon local policy
+#
+
+dontaudit clvmd_t self:capability sys_tty_config;
+allow clvmd_t self:process signal_perms;
+allow clvmd_t self:socket create_socket_perms;
+allow clvmd_t self:fifo_file { read write };
+allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow clvmd_t self:tcp_socket create_stream_socket_perms;
+allow clvmd_t self:udp_socket create_socket_perms;
+
+allow clvmd_t clvmd_var_run_t:file create_file_perms;
+allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(clvmd_t,clvmd_var_run_t,file)
+
+kernel_read_kernel_sysctls(clvmd_t)
+kernel_list_proc(clvmd_t)
+kernel_read_proc_symlinks(clvmd_t)
+
+corenet_non_ipsec_sendrecv(clvmd_t)
+corenet_tcp_sendrecv_all_if(clvmd_t)
+corenet_udp_sendrecv_all_if(clvmd_t)
+corenet_raw_sendrecv_all_if(clvmd_t)
+corenet_tcp_sendrecv_all_nodes(clvmd_t)
+corenet_udp_sendrecv_all_nodes(clvmd_t)
+corenet_raw_sendrecv_all_nodes(clvmd_t)
+corenet_tcp_sendrecv_all_ports(clvmd_t)
+corenet_udp_sendrecv_all_ports(clvmd_t)
+corenet_tcp_bind_all_nodes(clvmd_t)
+corenet_tcp_bind_reserved_port(clvmd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
+corenet_sendrecv_generic_server_packets(clvmd_t)
+
+dev_read_sysfs(clvmd_t)
+
+fs_getattr_all_fs(clvmd_t)
+fs_search_auto_mountpoints(clvmd_t)
+
+term_dontaudit_use_console(clvmd_t)
+
+domain_use_interactive_fds(clvmd_t)
+
+files_list_usr(clvmd_t)
+
+init_use_fds(clvmd_t)
+init_use_script_ptys(clvmd_t)
+
+libs_use_ld_so(clvmd_t)
+libs_use_shared_libs(clvmd_t)
+
+logging_send_syslog_msg(clvmd_t)
+
+miscfiles_read_localization(clvmd_t)
+
+seutil_dontaudit_search_config(clvmd_t)
+seutil_sigchld_newrole(clvmd_t)
+
+sysnet_read_config(clvmd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
+userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(clvmd_t)
+	term_dontaudit_use_generic_ptys(clvmd_t)
+	files_dontaudit_read_root_files(clvmd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(clvmd_t)
+')
+
+optional_policy(`
+	udev_read_db(clvmd_t)
+')
+
+########################################
+#
+# LVM Local policy
+#
+
+# DAC overrides and mknod for modifying /dev entries (vgmknodes)
+# rawio needed for dmraid
+allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
+dontaudit lvm_t self:capability sys_tty_config;
+allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+# LVM will complain a lot if it cannot set its priority.
+allow lvm_t self:process setsched;
+allow lvm_t self:file rw_file_perms;
+allow lvm_t self:fifo_file rw_file_perms;
+allow lvm_t self:unix_dgram_socket create_socket_perms;
+
+allow lvm_t lvm_tmp_t:dir create_dir_perms;
+allow lvm_t lvm_tmp_t:file create_file_perms;
+files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
+
+# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
+allow lvm_t lvm_exec_t:dir search;
+allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
+
+# LVM is split into many individual binaries
+can_exec(lvm_t, lvm_exec_t)
+
+# Creating lock files
+allow lvm_t lvm_lock_t:dir rw_dir_perms;
+allow lvm_t lvm_lock_t:file create_file_perms;
+files_lock_filetrans(lvm_t,lvm_lock_t,file)
+
+allow lvm_t lvm_var_run_t:file create_file_perms;
+allow lvm_t lvm_var_run_t:dir create_dir_perms;
+files_pid_filetrans(lvm_t,lvm_var_run_t,file)
+
+allow lvm_t lvm_etc_t:file r_file_perms;
+allow lvm_t lvm_etc_t:lnk_file r_file_perms;
+# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
+allow lvm_t lvm_etc_t:dir rw_dir_perms;
+allow lvm_t lvm_metadata_t:file create_file_perms;
+allow lvm_t lvm_metadata_t:dir rw_dir_perms;
+type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
+files_etc_filetrans(lvm_t,lvm_metadata_t,file)
+
+kernel_read_system_state(lvm_t)
+kernel_read_kernel_sysctls(lvm_t)
+# Read system variables in /proc/sys
+kernel_read_kernel_sysctls(lvm_t)
+# it has no reason to need this
+kernel_dontaudit_getattr_core_if(lvm_t)
+
+selinux_get_fs_mount(lvm_t)
+selinux_validate_context(lvm_t)
+selinux_compute_access_vector(lvm_t)
+selinux_compute_create_context(lvm_t)
+selinux_compute_relabel_context(lvm_t)
+selinux_compute_user_contexts(lvm_t)
+
+dev_create_generic_chr_files(lvm_t)
+dev_read_rand(lvm_t)
+dev_read_urand(lvm_t)
+dev_rw_lvm_control(lvm_t)
+dev_manage_generic_symlinks(lvm_t)
+dev_relabel_generic_dev_dirs(lvm_t)
+dev_manage_generic_blk_files(lvm_t)
+# Read /sys/block. Device mapper metadata is kept there.
+dev_read_sysfs(lvm_t)
+# cjp: this has no effect since LVM does not
+# have lnk_file relabelto for anything else.
+# perhaps this should be blk_files?
+dev_relabel_generic_symlinks(lvm_t)
+# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
+dev_dontaudit_read_all_chr_files(lvm_t)
+dev_dontaudit_read_all_blk_files(lvm_t)
+dev_dontaudit_getattr_generic_chr_files(lvm_t)
+dev_dontaudit_getattr_generic_blk_files(lvm_t)
+dev_dontaudit_getattr_generic_pipes(lvm_t)
+dev_create_generic_dirs(lvm_t)
+
+fs_getattr_xattr_fs(lvm_t)
+fs_search_auto_mountpoints(lvm_t)
+fs_read_tmpfs_symlinks(lvm_t)
+fs_dontaudit_read_removable_files(lvm_t)
+
+storage_relabel_fixed_disk(lvm_t)
+storage_dontaudit_read_removable_device(lvm_t)
+# LVM creates block devices in /dev/mapper or /dev/<vg>
+# depending on its version
+# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
+# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
+# cjp: need create interface here for fixed disk create
+storage_dev_filetrans_fixed_disk(lvm_t)
+# Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
+storage_manage_fixed_disk(lvm_t)
+
+term_dontaudit_getattr_all_user_ttys(lvm_t)
+term_dontaudit_getattr_pty_dirs(lvm_t)
+
+corecmd_search_sbin(lvm_t)
+corecmd_dontaudit_getattr_sbin_files(lvm_t)
+
+domain_use_interactive_fds(lvm_t)
+
+files_read_etc_files(lvm_t)
+files_read_etc_runtime_files(lvm_t)
+# for when /usr is not mounted:
+files_dontaudit_search_isid_type_dirs(lvm_t)
+
+init_use_fds(lvm_t)
+init_dontaudit_getattr_initctl(lvm_t)
+init_use_script_ptys(lvm_t)
+
+libs_use_ld_so(lvm_t)
+libs_use_shared_libs(lvm_t)
+
+logging_send_syslog_msg(lvm_t)
+
+miscfiles_read_localization(lvm_t)
+
+seutil_read_config(lvm_t)
+seutil_read_file_contexts(lvm_t)
+seutil_search_default_contexts(lvm_t)
+seutil_sigchld_newrole(lvm_t)
+
+ifdef(`distro_redhat',`
+	# this is from the initrd:
+	files_rw_isid_type_dirs(lvm_t)
+')
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(lvm_t)
+	term_dontaudit_use_generic_ptys(lvm_t)
+
+	files_dontaudit_read_root_files(lvm_t)
+')
+
+optional_policy(`
+	bootloader_rw_tmp_files(lvm_t)
+')
+
+optional_policy(`
+	gpm_dontaudit_getattr_gpmctl(lvm_t)
+')
+
+optional_policy(`
+	udev_read_db(lvm_t)
+')
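Review bot: `kernel_read_kernel_sysctls(lvm_t)` is called twice in the LVM local policy block, once directly after `kernel_read_system_state(lvm_t)` and again under the `# Read system variables in /proc/sys` comment; drop one of them. The comment over the self:capability rule justifies dac_override, mknod and sys_rawio, but not sys_admin, ipc_lock, chown or sys_resource, which are the heavier grants in that set; a line such as `# sys_admin/ipc_lock: <reason — TODO confirm which tool needs them>` would keep the rationale next to the rule. This matters because lvm_t is also given fixed-disk management and generic device creation further down, so the capability set is the main thing bounding what a misbehaving LVM tool can do.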
diff --git a/policy/modules/system/metadata.xml b/policy/modules/system/metadata.xml
new file mode 100644
index 0000000..4866e97
--- /dev/null
+++ b/policy/modules/system/metadata.xml
@@ -0,0 +1,3 @@
+<summary>
+	Policy modules for system functions from init to multi-user login.
+</summary>
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
new file mode 100644
index 0000000..7f4bdcd
--- /dev/null
+++ b/policy/modules/system/miscfiles.fc
@@ -0,0 +1,66 @@
+#
+# /emul
+#
+ifdef(`distro_gentoo',`
+/emul/linux/x86/usr/(X11R6/)?lib/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+')
+
+#
+# /etc
+#
+/etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
+/etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+
+#
+# /opt
+#
+/opt/(.*/)?man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+
+#
+# /srv
+#
+/srv/([^/]*/)?ftp(/.*)?		gen_context(system_u:object_r:public_content_t,s0)
+/srv/([^/]*/)?rsync(/.*)?	gen_context(system_u:object_r:public_content_t,s0)
+
+#
+# /usr
+#
+/usr/lib/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
+
+/usr/lib(64)?/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
+
+/usr/local/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+
+/usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
+
+/usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
+
+/usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
+/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+/usr/share/hwdata(/.*)?		gen_context(system_u:object_r:hwdata_t,s0)
+/usr/share/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
+/usr/share/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+/usr/share/zoneinfo(/.*)?	gen_context(system_u:object_r:locale_t,s0)
+
+/usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+/usr/share/ssl/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+
+/usr/X11R6/lib/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
+
+/usr/X11R6/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+
+#
+# /var
+#
+/var/ftp(/.*)?			gen_context(system_u:object_r:public_content_t,s0)
+
+ifdef(`distro_debian', `
+/var/lib/msttcorefonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
+')
+
+/var/lib/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
+
+/var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
+/var/cache/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+
+/var/spool/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
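Review bot: `/usr/share/ssl/private(/.*)?` is labelled cert_t, the same type as the public certificate directories (`/etc/pki`, `/usr/share/ssl/certs`), and miscfiles.if's `miscfiles_read_certs` grants read on cert_t files to any caller. Private key material under that path therefore becomes readable by every domain that is given certificate access, and `/etc/pki(/.*)?` has the same property wherever keys are stored below it. If that is unavoidable for now, a comment on the private entry noting the consequence would at least record it; otherwise a separate key type with its own narrower interface would keep the grant scoped to the certificates callers actually need.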
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
new file mode 100644
index 0000000..7838a10
--- /dev/null
+++ b/policy/modules/system/miscfiles.if
@@ -0,0 +1,364 @@
+## <summary>Miscelaneous files.</summary>
+
+########################################
+## <summary>
+##	Read system SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_certs',`
+	gen_require(`
+		type cert_t;
+	')
+
+	allow $1 cert_t:dir r_dir_perms;
+	allow $1 cert_t:file r_file_perms;
+	allow $1 cert_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_fonts',`
+	gen_require(`
+		type fonts_t;
+	')
+
+	# cjp: fonts can be in either of these dirs
+	files_search_usr($1)
+	libs_search_lib($1)
+
+	allow $1 fonts_t:dir r_dir_perms;
+	allow $1 fonts_t:file r_file_perms;
+	allow $1 fonts_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_fonts',`
+	gen_require(`
+		type fonts_t;
+	')
+
+	# cjp: fonts can be in either of these dirs
+	files_search_usr($1)
+	libs_search_lib($1)
+
+	allow $1 fonts_t:dir create_dir_perms;
+	allow $1 fonts_t:file create_file_perms;
+	allow $1 fonts_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Read hardware identification data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_hwdata',`
+	gen_require(`
+		type hwdata_t;
+	')
+
+	allow $1 hwdata_t:dir r_dir_perms;
+	allow $1 hwdata_t:file r_file_perms;
+	allow $1 hwdata_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow process to read localization info
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_localization',`
+	gen_require(`
+		type locale_t;
+	')
+
+	files_search_etc($1)
+	# FIXME: $1 read etc_t:lnk_file here
+	files_search_usr($1)
+	allow $1 locale_t:dir r_dir_perms;
+	allow $1 locale_t:lnk_file r_file_perms;
+	allow $1 locale_t:file r_file_perms;
+
+	# why?
+	libs_read_lib_files($1)
+')
+
+########################################
+## <summary>
+##	Allow process to read legacy time localization info
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_legacy_read_localization',`
+	gen_require(`
+		type locale_t;
+	')
+
+	miscfiles_read_localization($1)
+	allow $1 locale_t:file execute;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search man pages.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_dontaudit_search_man_pages',`
+	gen_require(`
+		type man_t;
+	')
+
+	dontaudit $1 man_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read man pages
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_man_pages',`
+	gen_require(`
+		type man_t;
+	')
+
+	files_search_usr($1)
+	allow $1 man_t:dir r_dir_perms;
+	allow $1 man_t:file r_file_perms;
+	allow $1 man_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete man pages
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+# cjp: added for tmpreaper
+#
+interface(`miscfiles_delete_man_pages',`
+	gen_require(`
+		type man_t;
+	')
+
+	files_search_usr($1)
+	allow $1 man_t:dir { setattr rw_dir_perms rmdir };
+	allow $1 man_t:file { getattr unlink };
+	allow $1 man_t:lnk_file { getattr unlink };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete man pages
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_man_pages',`
+	gen_require(`
+		type man_t;
+	')
+
+	files_search_usr($1)
+	allow $1 man_t:dir create_dir_perms;
+	allow $1 man_t:file create_file_perms;
+	allow $1 man_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read public files used for file
+##	transfer services.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_public_files',`
+	gen_require(`
+		type public_content_t, public_content_rw_t;
+	')
+
+	allow $1 { public_content_t public_content_rw_t }:dir r_dir_perms;
+	allow $1 { public_content_t public_content_rw_t }:file r_file_perms;
+	allow $1 { public_content_t public_content_rw_t }:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete public files
+##	and directories used for file transfer services.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_public_files',`
+	gen_require(`
+		type public_content_rw_t;
+	')
+
+	allow $1 public_content_rw_t:dir create_dir_perms;
+	allow $1 public_content_rw_t:file create_file_perms;
+	allow $1 public_content_rw_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Read TeX data
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_tetex_data',`
+	gen_require(`
+		type tetex_data_t;
+	')
+
+	files_search_var($1)
+	files_search_var_lib($1)
+
+	# cjp: TeX data can be in either of the above dirs
+	allow $1 tetex_data_t:dir r_dir_perms;
+	allow $1 tetex_data_t:file r_file_perms;
+	allow $1 tetex_data_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute TeX data programs in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_exec_tetex_data',`
+	gen_require(`
+		type fonts_t;
+	')
+
+	files_search_var($1)
+	files_search_var_lib($1)
+
+	# cjp: TeX data can be in either of the above dirs
+	allow $1 tetex_data_t:dir r_dir_perms;
+	can_exec($1,tetex_data_t)
+')
+
+########################################
+## <summary>
+##	Let test files be an entry point for
+##	a specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to be entered.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_domain_entry_test_files',`
+	gen_require(`
+		type test_file_t;
+	')
+
+	domain_entry_file($1, test_file_t)
+')
+
+########################################
+## <summary>
+##	Read test files and directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_test_files',`
+	gen_require(`
+		type test_file_t;
+	')
+
+	allow $1 test_file_t:dir r_dir_perms;
+	allow $1 test_file_t:file r_file_perms;
+	allow $1 test_file_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute test files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_exec_test_files',`
+	gen_require(`
+		type test_file_t;
+	')
+
+	allow $1 test_file_t:dir r_dir_perms;
+	allow $1 test_file_t:lnk_file r_file_perms;
+	can_exec($1, test_file_t)
+')
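Review bot: `miscfiles_exec_tetex_data` requires `type fonts_t;` but every rule in its body refers to tetex_data_t, so the gen_require should be `type tetex_data_t;`; as written the interface is likely to fail to build for a caller that has not already pulled tetex_data_t into scope, and fonts_t is required for nothing. `miscfiles_legacy_read_localization` grants `execute` on locale_t files with no comment on why reading localization data needs execute; a one-line reason on that allow rule would help the next reviewer judge whether the grant is still needed. The file summary also has a typo: "Miscelaneous" should be "Miscellaneous".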
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
new file mode 100644
index 0000000..7ccd2bc
--- /dev/null
+++ b/policy/modules/system/miscfiles.te
@@ -0,0 +1,59 @@
+
+policy_module(miscfiles,1.0.2)
+
+########################################
+#
+# Declarations
+#
+
+#
+# cert_t is the type of files in the system certs directories.
+#
+type cert_t;
+files_type(cert_t)
+
+#
+# fonts_t is the type of various font
+# files in /usr
+#
+type fonts_t;
+files_type(fonts_t)
+
+#
+# type for /usr/share/hwdata
+#
+type hwdata_t;
+files_type(hwdata_t)
+
+#
+# locale_t is the type for system localization
+#
+type locale_t;
+files_type(locale_t)
+
+#
+# man_t is the type for the man directories.
+#
+type man_t alias catman_t;
+files_type(man_t)
+
+#
+# Types for public content
+#
+type public_content_t; #, customizable;
+files_type(public_content_t)
+
+type public_content_rw_t; #, customizable;
+files_type(public_content_rw_t)
+
+#
+# Base type for the tests directory.
+#
+type test_file_t;
+files_type(test_file_t)
+
+#
+# for /var/{spool,lib}/texmf index files
+#
+type tetex_data_t;
+files_tmp_file(tetex_data_t)
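Review bot: tetex_data_t is declared with `files_tmp_file(tetex_data_t)` although the comment above it says the type labels index files under /var/{spool,lib}/texmf, and the miscfiles.if interfaces reach it through files_search_var / files_search_var_lib rather than any tmp directory. If files_tmp_file attaches the tmpfile attribute as it does for the *_tmp_t types elsewhere in this commit, every domain granted blanket tmp-file clean-up would also be able to remove these index files; `files_type(tetex_data_t)`, matching the other declarations in this file, looks like the intended form unless the tmp semantics are deliberate, in which case the comment should say so. The stale `#, customizable;` fragments after public_content_t and public_content_rw_t should either become real declarations or be dropped.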
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
new file mode 100644
index 0000000..aa219c1
--- /dev/null
+++ b/policy/modules/system/modutils.fc
@@ -0,0 +1,16 @@
+
+/etc/modules\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
+/etc/modprobe\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
+
+/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+
+/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+
+/sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
+/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
+/sbin/insmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
+/sbin/modprobe.*	--	gen_context(system_u:object_r:insmod_exec_t,s0)
+/sbin/rmmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
+/sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
new file mode 100644
index 0000000..b1dca23
--- /dev/null
+++ b/policy/modules/system/modutils.if
@@ -0,0 +1,307 @@
+## <summary>Policy for kernel module utilities</summary>
+
+########################################
+## <summary>
+##	Read the dependencies of kernel modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_read_module_deps',`
+	gen_require(`
+		type modules_dep_t;
+	')
+
+	files_list_kernel_modules($1)
+	allow $1 modules_dep_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read the configuration options used when
+##	loading modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_read_module_config',`
+	gen_require(`
+		type modules_conf_t;
+	')
+
+	# This file type can be in /etc or
+	# /lib(64)?/modules
+	files_search_etc($1)
+	files_search_boot($1)
+
+	allow $1 modules_conf_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Rename a file with the configuration options used when
+##	loading modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_rename_module_config',`
+	gen_require(`
+		type modules_conf_t;
+	')
+
+	allow $1 modules_conf_t:file rename;
+')
+
+########################################
+## <summary>
+##	Unconditionally execute insmod in the insmod domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: this is added for pppd, due to nested
+# conditionals not working.
+interface(`modutils_domtrans_insmod_uncond',`
+	gen_require(`
+		type insmod_t, insmod_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, insmod_exec_t, insmod_t)
+
+	allow $1 insmod_t:fd use;
+	allow insmod_t $1:fd use;
+	allow insmod_t $1:fifo_file rw_file_perms;
+	allow insmod_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute insmod in the insmod domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_domtrans_insmod',`
+	gen_require(`
+		bool secure_mode_insmod;
+	')
+
+	if (!secure_mode_insmod) {
+		modutils_domtrans_insmod_uncond($1)
+	}
+')
+
+########################################
+## <summary>
+##	Execute insmod in the insmod domain, and
+##	allow the specified role the insmod domain,
+##	and use the caller's terminal.  Has a sigchld
+##	backchannel.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the insmod domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the insmod domain to use.
+##	</summary>
+## </param>
+#
+interface(`modutils_run_insmod',`
+	gen_require(`
+		type insmod_t;
+	')
+
+	modutils_domtrans_insmod($1)
+	role $2 types insmod_t;
+	allow insmod_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute insmod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_exec_insmod',`
+	gen_require(`
+		type insmod_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1, insmod_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute depmod in the depmod domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_domtrans_depmod',`
+	gen_require(`
+		type depmod_t, depmod_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, depmod_exec_t, depmod_t)
+
+	allow $1 depmod_t:fd use;
+	allow depmod_t $1:fd use;
+	allow depmod_t $1:fifo_file rw_file_perms;
+	allow depmod_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute depmod in the depmod domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the depmod domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the depmod domain to use.
+##	</summary>
+## </param>
+#
+interface(`modutils_run_depmod',`
+	gen_require(`
+		type depmod_t;
+	')
+
+	modutils_domtrans_depmod($1)
+	role $2 types depmod_t;
+	allow insmod_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute depmod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_exec_depmod',`
+	gen_require(`
+		type depmod_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1, depmod_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute depmod in the depmod domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_domtrans_update_mods',`
+	gen_require(`
+		type update_modules_t, update_modules_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, update_modules_exec_t, update_modules_t)
+
+	allow $1 update_modules_t:fd use;
+	allow update_modules_t $1:fd use;
+	allow update_modules_t $1:fifo_file rw_file_perms;
+	allow update_modules_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute update_modules in the update_modules domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the update_modules domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the update_modules domain to use.
+##	</summary>
+## </param>
+#
+interface(`modutils_run_update_mods',`
+	gen_require(`
+		type update_modules_t;
+	')
+
+	modutils_domtrans_update_mods($1)
+	role $2 types update_modules_t;
+	allow update_modules_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute update_modules in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_exec_update_mods',`
+	gen_require(`
+		type update_modules_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1, update_modules_exec_t)
+')
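Review bot: `modutils_run_depmod` grants the terminal to the wrong domain: its last rule reads `allow insmod_t $3:chr_file rw_term_perms;` while the interface transitions into and requires only depmod_t, so it should be `allow depmod_t $3:chr_file rw_term_perms;`. As written insmod_t is not in the interface's gen_require, so callers will either fail to build or, where insmod_t happens to be in scope, hand the caller's terminal to the insmod domain instead of depmod. Separately, the summary above `modutils_domtrans_update_mods` is a copy of the depmod one and should read `Execute update_modules in the update_modules domain.`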
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
new file mode 100644
index 0000000..9ac0adf
--- /dev/null
+++ b/policy/modules/system/modutils.te
@@ -0,0 +1,281 @@
+
+policy_module(modutils,1.1.2)
+
+gen_require(`
+	bool secure_mode_insmod;
+')
+
+########################################
+#
+# Declarations
+#
+
+# module loading config
+type modules_conf_t;
+files_type(modules_conf_t)
+
+# module dependencies
+type modules_dep_t;
+files_type(modules_dep_t)
+
+type insmod_t;
+type insmod_exec_t;
+domain_type(insmod_t)
+domain_entry_file(insmod_t,insmod_exec_t)
+mls_file_write_down(insmod_t)
+role system_r types insmod_t;
+
+type depmod_t;
+type depmod_exec_t;
+init_system_domain(depmod_t,depmod_exec_t)
+role system_r types depmod_t;
+
+type update_modules_t;
+type update_modules_exec_t;
+init_system_domain(update_modules_t,update_modules_exec_t)
+role system_r types update_modules_t;
+
+type update_modules_tmp_t;
+files_tmp_file(update_modules_tmp_t)
+
+########################################
+#
+# insmod local policy
+#
+
+allow insmod_t self:capability { dac_override net_raw sys_tty_config };
+allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+
+allow insmod_t self:udp_socket create_socket_perms; 
+allow insmod_t self:rawip_socket create_socket_perms; 
+
+# Read module config and dependency information
+allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms;
+
+can_exec(insmod_t, insmod_exec_t)
+
+kernel_load_module(insmod_t)
+kernel_read_system_state(insmod_t)
+kernel_write_proc_files(insmod_t)
+kernel_mount_debugfs(insmod_t)
+kernel_read_debugfs(insmod_t)
+# Rules for /proc/sys/kernel/tainted
+kernel_read_kernel_sysctls(insmod_t)
+kernel_rw_kernel_sysctl(insmod_t)
+kernel_read_hotplug_sysctls(insmod_t)
+
+files_read_kernel_modules(insmod_t)
+# for locking: (cjp: ????)
+files_write_kernel_modules(insmod_t)
+
+dev_search_sysfs(insmod_t)
+dev_search_usbfs(insmod_t)
+dev_write_mtrr(insmod_t)
+dev_read_urand(insmod_t)
+dev_rw_agp(insmod_t)
+dev_read_sound(insmod_t)
+dev_write_sound(insmod_t)
+dev_rw_apm_bios(insmod_t)
+# cjp: why is this needed?  insmod cannot mounton any dir
+# and it also transitions to mount
+dev_mount_usbfs(insmod_t)
+
+fs_getattr_xattr_fs(insmod_t)
+
+corecmd_exec_bin(insmod_t)
+corecmd_exec_sbin(insmod_t)
+corecmd_exec_shell(insmod_t)
+
+domain_signal_all_domains(insmod_t)
+domain_use_interactive_fds(insmod_t)
+
+files_read_etc_runtime_files(insmod_t)
+files_read_etc_files(insmod_t)
+files_read_usr_files(insmod_t)
+files_exec_etc_files(insmod_t)
+# for nscd:
+files_dontaudit_search_pids(insmod_t)
+# for when /var is not mounted early in the boot:
+files_dontaudit_search_isid_type_dirs(insmod_t)
+
+init_rw_initctl(insmod_t)
+init_use_fds(insmod_t)
+init_use_script_fds(insmod_t)
+init_use_script_ptys(insmod_t)
+
+libs_use_ld_so(insmod_t)
+libs_use_shared_libs(insmod_t)
+
+logging_send_syslog_msg(insmod_t)
+logging_search_logs(insmod_t)
+
+miscfiles_read_localization(insmod_t)
+
+seutil_read_file_contexts(insmod_t)
+
+if( ! secure_mode_insmod ) {
+	kernel_domtrans_to(insmod_t,insmod_exec_t)
+}
+
+ifdef(`hide_broken_symptoms',`
+	dev_dontaudit_rw_cardmgr(insmod_t)
+')
+
+ifdef(`targeted_policy',`
+	unconfined_domain(insmod_t)
+')
+
+optional_policy(`
+	hotplug_search_config(insmod_t)
+')
+
+optional_policy(`
+	mount_domtrans(insmod_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(insmod_t)
+')
+
+optional_policy(`
+	nscd_socket_use(insmod_t)
+')
+
+optional_policy(`
+	fs_manage_ramfs_files(insmod_t)
+
+	rhgb_use_fds(insmod_t)
+
+	ifdef(`hide_broken_symptoms',`
+		xserver_dontaudit_rw_xdm_xserver_tcp_sockets(insmod_t)
+	')
+')
+
+optional_policy(`
+	rpm_rw_pipes(insmod_t)
+')
+
+optional_policy(`
+	# cjp: why is this needed:
+	dev_rw_xserver_misc(insmod_t)
+
+	xserver_getattr_log(insmod_t)
+')
+
+########################################
+#
+# depmod local policy
+#
+
+can_exec(depmod_t, depmod_exec_t)
+
+# Read conf.modules.
+allow depmod_t modules_conf_t:file r_file_perms;
+
+allow depmod_t modules_dep_t:file create_file_perms;
+files_kernel_modules_filetrans(depmod_t,modules_dep_t,file)
+
+kernel_read_system_state(depmod_t)
+
+files_read_kernel_symbol_table(depmod_t)
+files_read_kernel_modules(depmod_t)
+
+fs_getattr_xattr_fs(depmod_t)
+
+term_use_console(depmod_t)
+
+corecmd_search_bin(depmod_t)
+corecmd_search_sbin(depmod_t)
+
+domain_use_interactive_fds(depmod_t)
+
+init_use_fds(depmod_t)
+init_use_script_fds(depmod_t)
+init_use_script_ptys(depmod_t)
+
+files_read_etc_runtime_files(depmod_t)
+files_read_etc_files(depmod_t)
+files_read_usr_src_files(depmod_t)
+files_list_usr(depmod_t)
+
+libs_use_ld_so(depmod_t)
+libs_use_shared_libs(depmod_t)
+
+# Read System.map from home directories.
+files_list_home(depmod_t)
+userdom_read_staff_home_content_files(depmod_t)
+userdom_read_sysadm_home_content_files(depmod_t)
+
+ifdef(`targeted_policy', `
+	term_use_unallocated_ttys(depmod_t)
+	term_use_generic_ptys(depmod_t)
+')
+
+optional_policy(`
+	rpm_rw_pipes(depmod_t)
+')
+
+#################################
+#
+# update-modules local policy
+#
+
+allow update_modules_t self:fifo_file rw_file_perms;
+
+allow update_modules_t modules_dep_t:file rw_file_perms;
+
+can_exec(update_modules_t, insmod_exec_t)
+can_exec(update_modules_t, update_modules_exec_t)
+
+# manage module loading configuration
+allow update_modules_t modules_conf_t:file create_file_perms;
+files_kernel_modules_filetrans(update_modules_t,modules_conf_t,file)
+files_etc_filetrans(update_modules_t,modules_conf_t,file)
+
+# transition to depmod
+domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
+allow update_modules_t depmod_t:fd use;
+allow depmod_t update_modules_t:fd use;
+allow depmod_t update_modules_t:fifo_file rw_file_perms;
+allow depmod_t update_modules_t:process sigchld;
+
+allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
+allow update_modules_t update_modules_tmp_t:file create_file_perms;
+files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(update_modules_t)
+kernel_read_system_state(update_modules_t)
+
+dev_read_urand(update_modules_t)
+
+fs_getattr_xattr_fs(update_modules_t)
+
+term_use_console(update_modules_t)
+
+init_use_fds(update_modules_t)
+init_use_script_fds(update_modules_t)
+init_use_script_ptys(update_modules_t)
+
+domain_use_interactive_fds(update_modules_t)
+
+files_read_etc_runtime_files(update_modules_t)
+files_read_etc_files(update_modules_t)
+files_exec_etc_files(update_modules_t)
+
+corecmd_exec_bin(update_modules_t)
+corecmd_exec_sbin(update_modules_t)
+corecmd_exec_shell(update_modules_t)
+
+libs_use_ld_so(update_modules_t)
+libs_use_shared_libs(update_modules_t)
+
+logging_send_syslog_msg(update_modules_t)
+
+miscfiles_read_localization(update_modules_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(update_modules_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(update_modules_t)
+	term_use_unallocated_ttys(update_modules_t)
+')
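Review bot: update_modules_t executes insmod in its own domain via `can_exec(update_modules_t, insmod_exec_t)` while depmod a few lines below gets a real transition (`domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)`), and update_modules_t carries none of the insmod_t rules such as kernel_load_module. Either this exec is only meant for configuration queries and deserves a comment saying so, or it should call `modutils_domtrans_insmod(update_modules_t)` so the secure_mode_insmod gate also applies to this path. The `allow insmod_t self:udp_socket` / `rawip_socket` rules likewise have no comment explaining why a module loader needs sockets, and both lines carry trailing whitespace.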
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
new file mode 100644
index 0000000..b2b7f82
--- /dev/null
+++ b/policy/modules/system/mount.fc
@@ -0,0 +1,7 @@
+
+########################################
+#
+# mount file contexts
+#
+/bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
+/bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
new file mode 100644
index 0000000..2bfa5f2
--- /dev/null
+++ b/policy/modules/system/mount.if
@@ -0,0 +1,148 @@
+## <summary>Policy for mount.</summary>
+
+########################################
+## <summary>
+##	Execute mount in the mount domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`mount_domtrans',`
+	gen_require(`
+		type mount_t, mount_exec_t;
+	')
+
+	domain_auto_trans($1,mount_exec_t,mount_t)
+
+	allow $1 mount_t:fd use;
+	allow mount_t $1:fd use;
+	allow mount_t $1:fifo_file rw_file_perms;
+	allow mount_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute mount in the mount domain, and
+##	allow the specified role the mount domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the mount domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the mount domain to use.
+##	</summary>
+## </param>
+#
+interface(`mount_run',`
+	gen_require(`
+		type mount_t;
+	')
+
+	mount_domtrans($1)
+	role $2 types mount_t;
+	allow mount_t $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute mount in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`mount_exec',`
+	gen_require(`
+		type mount_exec_t;
+	')
+
+	allow $1 mount_exec_t:dir r_dir_perms;
+	allow $1 mount_exec_t:lnk_file r_file_perms;
+	can_exec($1,mount_exec_t)
+
+')
+
+########################################
+## <summary>
+##	Use file descriptors for mount.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`mount_use_fds',`
+	gen_require(`
+		type mount_t;
+	')
+
+	allow $1 mount_t:fd use; 
+')
+
+########################################
+## <summary>
+##	Allow the mount domain to send nfs requests for mounting
+##	network drives
+## </summary>
+## <desc>
+##	<p>
+##	Allow the mount domain to send nfs requests for mounting
+##	network drives
+##	</p>
+##	<p>
+##	This interface has been deprecated as these rules were
+##	a side effect of leaked mount file descriptors.  This
+##	interface has no effect.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_send_nfs_client_request',`
+	errprint(__file__:__line__:` $0($*) has been deprecated.'__endline__)
+')
+
+########################################
+## <summary>
+##	Execute mount in the unconfined mount domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_domtrans_unconfined',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type unconfined_mount_t, mount_exec_t;
+		')
+
+		domain_auto_trans($1,mount_exec_t,unconfined_mount_t)
+
+		allow $1 unconfined_mount_t:fd use;
+		allow unconfined_mount_t $1:fd use;
+		allow unconfined_mount_t $1:fifo_file rw_file_perms;
+		allow unconfined_mount_t $1:process sigchld;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')
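Review bot: `mount_run` grants the terminal with `allow mount_t $3:chr_file rw_file_perms;`, whereas every other `*_run` interface in this commit (modutils_run_insmod, modutils_run_update_mods, pcmcia_run_cardctl) uses rw_term_perms; `allow mount_t $3:chr_file rw_term_perms;` would keep the permission set consistent with what a terminal actually needs. Minor style in the same hunk: `mount_exec` has a stray blank line before its closing `')`, and the `allow $1 mount_t:fd use;` line in `mount_use_fds` carries trailing whitespace.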
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
new file mode 100644
index 0000000..cb763fe
--- /dev/null
+++ b/policy/modules/system/mount.te
@@ -0,0 +1,179 @@
+
+policy_module(mount,1.3.8)
+
+########################################
+#
+# Declarations
+#
+
+type mount_t;
+type mount_exec_t;
+init_system_domain(mount_t,mount_exec_t)
+role system_r types mount_t;
+
+type mount_tmp_t;
+files_tmp_file(mount_tmp_t)
+
+ifdef(`targeted_policy',`
+	type unconfined_mount_t;
+	domain_type(unconfined_mount_t)
+	domain_entry_file(unconfined_mount_t,mount_exec_t)
+')
+
+########################################
+#
+# mount local policy
+#
+
+# setuid/setgid needed to mount cifs 
+allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+
+allow mount_t mount_tmp_t:file create_file_perms;
+allow mount_t mount_tmp_t:dir create_dir_perms;
+files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
+
+kernel_read_system_state(mount_t)
+kernel_dontaudit_getattr_core_if(mount_t)
+
+dev_getattr_all_blk_files(mount_t)
+dev_list_all_dev_nodes(mount_t)
+dev_rw_lvm_control(mount_t)
+dev_dontaudit_getattr_all_chr_files(mount_t)
+dev_dontaudit_getattr_memory_dev(mount_t)
+dev_getattr_sound_dev(mount_t)
+
+storage_raw_read_fixed_disk(mount_t)
+storage_raw_write_fixed_disk(mount_t)
+storage_raw_read_removable_device(mount_t)
+storage_raw_write_removable_device(mount_t)
+
+fs_getattr_xattr_fs(mount_t)
+fs_getattr_cifs(mount_t)
+fs_mount_all_fs(mount_t)
+fs_unmount_all_fs(mount_t)
+fs_remount_all_fs(mount_t)
+fs_relabelfrom_all_fs(mount_t)
+fs_list_auto_mountpoints(mount_t)
+fs_rw_tmpfs_chr_files(mount_t)
+fs_read_tmpfs_symlinks(mount_t)
+
+term_use_all_terms(mount_t)
+
+# required for mount.smbfs
+corecmd_exec_sbin(mount_t)
+corecmd_exec_bin(mount_t)
+
+domain_use_interactive_fds(mount_t)
+
+files_search_all(mount_t)
+files_read_etc_files(mount_t)
+files_manage_etc_runtime_files(mount_t)
+files_etc_filetrans_etc_runtime(mount_t,file)
+files_mounton_all_mountpoints(mount_t)
+files_unmount_rootfs(mount_t)
+# These rules need to be generalized.  Only admin, initrc should have it:
+files_relabelto_all_file_type_fs(mount_t)
+files_mount_all_file_type_fs(mount_t)
+files_unmount_all_file_type_fs(mount_t)
+# for when /etc/mtab loses its type
+# cjp: this seems wrong, the type should probably be etc
+files_read_isid_type_files(mount_t)
+# For reading cert files
+files_read_usr_files(mount_t)
+
+init_use_fds(mount_t)
+init_use_script_ptys(mount_t)
+init_dontaudit_getattr_initctl(mount_t)
+
+libs_use_ld_so(mount_t)
+libs_use_shared_libs(mount_t)
+
+logging_send_syslog_msg(mount_t)
+
+miscfiles_read_localization(mount_t)
+
+mls_file_read_up(mount_t)
+mls_file_write_down(mount_t)
+
+sysnet_use_portmap(mount_t)
+
+userdom_use_all_users_fds(mount_t)
+
+ifdef(`distro_redhat',`
+	optional_policy(`
+		auth_read_pam_console_data(mount_t)
+		# mount config by default sets fscontext=removable_t
+		fs_relabelfrom_dos_fs(mount_t)
+	')
+')
+
+ifdef(`targeted_policy',`
+	tunable_policy(`allow_mount_anyfile',`
+		auth_read_all_dirs_except_shadow(mount_t)
+		auth_read_all_files_except_shadow(mount_t)
+		files_mounton_non_security(mount_t)
+	')
+')
+
+optional_policy(`
+	# for nfs
+	corenet_non_ipsec_sendrecv(mount_t)
+	corenet_tcp_sendrecv_all_if(mount_t)
+	corenet_raw_sendrecv_all_if(mount_t)
+	corenet_udp_sendrecv_all_if(mount_t)
+	corenet_tcp_sendrecv_all_nodes(mount_t)
+	corenet_raw_sendrecv_all_nodes(mount_t)
+	corenet_udp_sendrecv_all_nodes(mount_t)
+	corenet_tcp_sendrecv_all_ports(mount_t)
+	corenet_udp_sendrecv_all_ports(mount_t)
+	corenet_tcp_bind_all_nodes(mount_t)
+	corenet_udp_bind_all_nodes(mount_t)
+	corenet_tcp_bind_generic_port(mount_t)
+	corenet_udp_bind_generic_port(mount_t)
+	corenet_tcp_bind_reserved_port(mount_t)
+	corenet_udp_bind_reserved_port(mount_t)
+	corenet_tcp_bind_all_rpc_ports(mount_t)
+	corenet_udp_bind_all_rpc_ports(mount_t)
+	corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
+	corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
+	corenet_tcp_connect_all_ports(mount_t)
+
+	fs_search_rpc(mount_t)
+
+	portmap_udp_chat(mount_t)
+
+	optional_policy(`
+		nis_use_ypbind(mount_t)
+	')
+')
+
+optional_policy(`
+	apm_use_fds(mount_t)
+')
+
+optional_policy(`
+	ifdef(`hide_broken_symptoms',`
+		# for a bug in the X server
+		rhgb_dontaudit_rw_stream_sockets(mount_t)
+		term_dontaudit_use_ptmx(mount_t)
+	')
+')
+
+# for kernel package installation
+optional_policy(`
+	rpm_rw_pipes(mount_t)
+')
+
+optional_policy(`
+	samba_domtrans_smbmount(mount_t)
+')
+
+########################################
+#
+# Unconfined mount local policy
+#
+
+ifdef(`targeted_policy',`
+	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
+	unconfined_domain(unconfined_mount_t)
+')
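Review bot: The capability line for mount_t grants ipc_lock, sys_rawio, sys_admin, dac_override and chown, but the comment above it explains only setuid/setgid; together with storage_raw_write_fixed_disk, storage_raw_write_removable_device and files_relabelto_all_file_type_fs this is a broad set and a reader cannot tell which parts are actually exercised. Suggest one comment per non-obvious capability in the style of the existing one, e.g. `# sys_rawio: raw block device access during mount — confirm which filesystems need it`, and dropping any that no denial justifies. The relabelto rule is already flagged as needing generalization; gating it behind a tunable like the existing allow_mount_anyfile block would keep the default narrower.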
diff --git a/policy/modules/system/pcmcia.fc b/policy/modules/system/pcmcia.fc
new file mode 100644
index 0000000..9cf0e56
--- /dev/null
+++ b/policy/modules/system/pcmcia.fc
@@ -0,0 +1,10 @@
+
+/etc/apm/event\.d/pcmcia --	gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
+/sbin/cardctl		--	gen_context(system_u:object_r:cardctl_exec_t,s0)
+/sbin/cardmgr		--	gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
+/var/lib/pcmcia(/.*)?		gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+
+/var/run/cardmgr\.pid	--	gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+/var/run/stab		--	gen_context(system_u:object_r:cardmgr_var_run_t,s0)
diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if
new file mode 100644
index 0000000..15155f4
--- /dev/null
+++ b/policy/modules/system/pcmcia.if
@@ -0,0 +1,175 @@
+## <summary>PCMCIA card management services</summary>
+
+########################################
+## <summary>
+##	PCMCIA stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	<summary>
+##	N/A
+##	</summary>
+## </param>
+#
+interface(`pcmcia_stub',`
+	gen_require(`
+		type cardmgr_t;
+	')
+')
+
+########################################
+## <summary>
+##	Execute cardmgr in the cardmgr domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`pcmcia_domtrans_cardmgr',`
+	gen_require(`
+		type cardmgr_t, cardmgr_exec_t;
+	')
+
+	domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
+
+	allow $1 cardmgr_t:fd use;
+	allow cardmgr_t $1:fd use;
+	allow cardmgr_t $1:fifo_file rw_file_perms;
+	allow cardmgr_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from cardmgr.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pcmcia_use_cardmgr_fds',`
+	gen_require(`
+		type cardmgr_t;
+	')
+
+	allow $1 cardmgr_t:fd use;
+')
+
+########################################
+## <summary>
+##	Execute cardctl in the cardmgr domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`pcmcia_domtrans_cardctl',`
+	gen_require(`
+		type cardmgr_t, cardctl_exec_t;
+	')
+
+	domain_auto_trans($1,cardctl_exec_t,cardmgr_t)
+
+	allow $1 cardmgr_t:fd use;
+	allow cardmgr_t $1:fd use;
+	allow cardmgr_t $1:fifo_file rw_file_perms;
+	allow cardmgr_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute cardmgr in the cardctl domain, and
+##	allow the specified role the cardmgr domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the cardmgr domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the cardmgr domain to use.
+##	</summary>
+## </param>
+#
+interface(`pcmcia_run_cardctl',`
+	gen_require(`
+		type cardmgr_t;
+	')
+
+	pcmcia_domtrans_cardctl($1)
+	role $2 types cardmgr_t;
+	allow cardmgr_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Read cardmgr pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pcmcia_read_pid',`
+	gen_require(`
+		type cardmgr_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 cardmgr_var_run_t:dir r_dir_perms;
+	allow $1 cardmgr_var_run_t:file r_file_perms;
+	allow $1 cardmgr_var_run_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	cardmgr pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pcmcia_manage_pid',`
+	gen_require(`
+		type cardmgr_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 cardmgr_var_run_t:dir rw_dir_perms;
+	allow $1 cardmgr_var_run_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	cardmgr runtime character nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pcmcia_manage_pid_chr_files',`
+	gen_require(`
+		type cardmgr_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 cardmgr_var_run_t:dir rw_dir_perms;
+	allow $1 cardmgr_var_run_t:chr_file create_file_perms;
+')
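Review bot: The summary for `pcmcia_run_cardctl` is inverted: it says `Execute cardmgr in the cardctl domain`, but the interface calls `pcmcia_domtrans_cardctl`, which transitions on cardctl_exec_t into cardmgr_t, and no cardctl domain exists in this commit (pcmcia.te declares cardctl_exec_t as an entry point of cardmgr_t). It should read `Execute cardctl in the cardmgr domain, and allow the specified role the cardmgr domain.` The summary also says nothing about the terminal parameter, while the modutils_run_* summaries in this commit do mention it.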
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
new file mode 100644
index 0000000..e2d419f
--- /dev/null
+++ b/policy/modules/system/pcmcia.te
@@ -0,0 +1,152 @@
+
+policy_module(pcmcia,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type cardmgr_t;
+type cardmgr_exec_t;
+init_daemon_domain(cardmgr_t,cardmgr_exec_t)
+
+# Create symbolic links in /dev.
+# cjp: this should probably be eliminated
+type cardmgr_lnk_t;
+files_type(cardmgr_lnk_t)
+
+type cardmgr_var_lib_t;
+files_type(cardmgr_var_lib_t)
+
+type cardmgr_var_run_t;
+files_pid_file(cardmgr_var_run_t)
+
+type cardctl_exec_t;
+domain_entry_file(cardmgr_t,cardctl_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# Use capabilities (net_admin for route), setuid for cardctl
+allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+dontaudit cardmgr_t self:capability sys_tty_config;
+allow cardmgr_t self:process signal_perms;
+allow cardmgr_t self:fifo_file rw_file_perms;
+allow cardmgr_t self:unix_dgram_socket create_socket_perms;
+allow cardmgr_t self:unix_stream_socket create_socket_perms;
+
+allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
+dev_filetrans(cardmgr_t,cardmgr_lnk_t,lnk_file)
+
+# Create stab file
+allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
+allow cardmgr_t cardmgr_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(cardmgr_t,cardmgr_var_lib_t,file)
+
+allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
+files_pid_filetrans(cardmgr_t,cardmgr_var_run_t,file)
+
+kernel_read_system_state(cardmgr_t)
+kernel_read_kernel_sysctls(cardmgr_t)
+kernel_dontaudit_getattr_message_if(cardmgr_t)
+
+files_search_kernel_modules(cardmgr_t)
+
+dev_read_sysfs(cardmgr_t)
+dev_manage_cardmgr_dev(cardmgr_t)
+dev_create_cardmgr_dev(cardmgr_t)
+dev_getattr_all_chr_files(cardmgr_t)
+dev_getattr_all_blk_files(cardmgr_t)
+# for SSP
+dev_read_urand(cardmgr_t)
+
+fs_getattr_all_fs(cardmgr_t)
+fs_search_auto_mountpoints(cardmgr_t)
+
+term_use_unallocated_ttys(cardmgr_t)
+term_getattr_all_user_ttys(cardmgr_t)
+term_dontaudit_use_console(cardmgr_t)
+term_dontaudit_getattr_all_user_ptys(cardmgr_t)
+
+corecmd_exec_all_executables(cardmgr_t)
+
+domain_use_interactive_fds(cardmgr_t)
+# Read /proc/PID directories for all domains (for fuser).
+domain_read_confined_domains_state(cardmgr_t)
+domain_getattr_confined_domains(cardmgr_t)
+domain_dontaudit_ptrace_confined_domains(cardmgr_t)
+# cjp: these look excessive:
+domain_dontaudit_getattr_all_pipes(cardmgr_t)
+domain_dontaudit_getattr_all_sockets(cardmgr_t)
+
+files_list_usr(cardmgr_t)
+files_search_home(cardmgr_t)
+files_read_etc_runtime_files(cardmgr_t)
+files_exec_etc_files(cardmgr_t)
+# for /var/lib/misc/pcmcia-scheme
+# would be better to have it in a different type if I knew how it was created..
+files_read_var_lib_files(cardmgr_t)
+# cjp: these look excessive:
+files_dontaudit_getattr_all_dirs(cardmgr_t)
+files_dontaudit_getattr_all_files(cardmgr_t)
+files_dontaudit_getattr_all_symlinks(cardmgr_t)
+files_dontaudit_getattr_all_pipes(cardmgr_t)
+files_dontaudit_getattr_all_sockets(cardmgr_t)
+
+init_use_fds(cardmgr_t)
+init_use_script_ptys(cardmgr_t)
+
+libs_use_ld_so(cardmgr_t)
+libs_use_shared_libs(cardmgr_t)
+libs_exec_ld_so(cardmgr_t)
+libs_exec_lib_files(cardmgr_t)
+
+logging_send_syslog_msg(cardmgr_t)
+
+miscfiles_read_localization(cardmgr_t)
+
+modutils_domtrans_insmod(cardmgr_t)
+
+sysnet_domtrans_ifconfig(cardmgr_t)
+# for /etc/resolv.conf
+sysnet_etc_filetrans_config(cardmgr_t)
+sysnet_manage_config(cardmgr_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
+userdom_dontaudit_search_sysadm_home_dirs(cardmgr_t)
+
+ifdef(`targeted_policy',`
+	term_use_unallocated_ttys(cardmgr_t)
+	term_use_generic_ptys(cardmgr_t)
+	term_dontaudit_use_unallocated_ttys(cardmgr_t)
+	term_dontaudit_use_generic_ptys(cardmgr_t)
+	files_dontaudit_read_root_files(cardmgr_t)
+')
+
+optional_policy(`
+	seutil_dontaudit_read_config(cardmgr_t)
+	seutil_sigchld_newrole(cardmgr_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_dhcpc(cardmgr_t)
+
+	sysnet_read_dhcpc_pid(cardmgr_t)
+	sysnet_delete_dhcpc_pid(cardmgr_t)
+	sysnet_kill_dhcpc(cardmgr_t)
+	sysnet_sigchld_dhcpc(cardmgr_t)
+	sysnet_signal_dhcpc(cardmgr_t)
+	sysnet_signull_dhcpc(cardmgr_t)
+	sysnet_sigstop_dhcpc(cardmgr_t)
+')
+
+optional_policy(`
+	udev_read_db(cardmgr_t)
+')
+
+# Create device files in /tmp.
+# cjp: why is this created all over the place?
+allow cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:dir rw_dir_perms;
+type_transition cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
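Review bot: The last two rules reference var_run_t, tmp_t and cardmgr_dev_t directly (`allow cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:dir rw_dir_perms;` and the following type_transition) with no gen_require and without the files/dev module interfaces that the rest of this file uses (dev_filetrans, files_pid_filetrans, files_tmp_filetrans). Whether that passes the build depends on the refpolicy rules, but at minimum it gives cardmgr_t write access to the top-level /var/run and /tmp directories for a use the comment itself questions; a files_pid_filetrans / files_tmp_filetrans pair restricted to `{ chr_file blk_file }` would likely express the intended transition without the blanket directory write. Separately, `dontaudit cardmgr_t self:capability sys_tty_config;` immediately follows an allow of the same capability and is therefore effectively a no-op.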
diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
new file mode 100644
index 0000000..0709927
--- /dev/null
+++ b/policy/modules/system/raid.fc
@@ -0,0 +1,5 @@
+
+/sbin/mdadm		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
+/sbin/mdmpd		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
+
+/var/run/mdadm(/.*)?		gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
new file mode 100644
index 0000000..04673a8
--- /dev/null
+++ b/policy/modules/system/raid.if
@@ -0,0 +1,54 @@
+## <summary>RAID array management tools</summary>
+
+########################################
+## <summary>
+##	Execute software raid tools in the mdadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`raid_domtrans_mdadm',`
+	gen_require(`
+		type mdadm_t, mdadm_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,mdadm_exec_t,mdadm_t)
+
+	allow $1 mdadm_t:fd use;
+	allow mdadm_t $1:fd use;
+	allow mdadm_t $1:fifo_file rw_file_perms;
+	allow mdadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the mdadm pid files.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete the mdadm pid files.
+##	</p>
+##	<p>
+##	Added for use in the init module.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`raid_manage_mdadm_pid',`
+	gen_require(`
+		type mdadm_var_run_t;
+	')
+
+	# FIXME: maybe should have a type_transition.  not
+	# clear what this is doing, from the original
+	# mdadm policy
+	allow $1 mdadm_var_run_t:file create_file_perms;
+')
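Review bot: `raid_manage_mdadm_pid` grants only the `file` class on mdadm_var_run_t, yet raid.fc in this same commit labels `/var/run/mdadm(/.*)?` — a directory tree — with that type, so a caller creating a pid file there would still be denied on the directory and on the `/var/run` search that the interface never grants. If the directory layout is intended, the interface needs `files_search_pids($1)` and `allow $1 mdadm_var_run_t:dir rw_dir_perms;` alongside the existing file rule; if the pid file lives directly in /var/run, the FIXME is right that a `files_pid_filetrans($1,mdadm_var_run_t,file)` is what gives a caller-created file the correct label instead of the generic pid type. Either way the FIXME should be resolved rather than shipped, since the interface's summary promises create/delete that the rules alone cannot deliver.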
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
new file mode 100644
index 0000000..8e18595
--- /dev/null
+++ b/policy/modules/system/raid.te
@@ -0,0 +1,84 @@
+
+policy_module(raid,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mdadm_t;
+type mdadm_exec_t;
+init_daemon_domain(mdadm_t,mdadm_exec_t)
+role system_r types mdadm_t;
+
+type mdadm_var_run_t;
+files_pid_file(mdadm_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+dontaudit mdadm_t self:capability sys_tty_config;
+allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+
+allow mdadm_t mdadm_var_run_t:file create_file_perms;
+files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
+
+kernel_read_system_state(mdadm_t)
+kernel_read_kernel_sysctls(mdadm_t)
+kernel_rw_software_raid_state(mdadm_t)
+
+dev_read_sysfs(mdadm_t)
+# Ignore attempts to read every device file
+dev_dontaudit_getattr_all_blk_files(mdadm_t)
+dev_dontaudit_getattr_all_chr_files(mdadm_t)
+
+fs_search_auto_mountpoints(mdadm_t)
+fs_dontaudit_list_tmpfs(mdadm_t)
+
+# RAID block device access
+storage_manage_fixed_disk(mdadm_t)
+
+term_dontaudit_use_console(mdadm_t)
+term_dontaudit_list_ptys(mdadm_t)
+
+# Helper program access
+corecmd_exec_bin(mdadm_t)
+corecmd_exec_sbin(mdadm_t)
+
+domain_use_interactive_fds(mdadm_t)
+
+files_read_etc_files(mdadm_t)
+files_read_etc_runtime_files(mdadm_t)
+
+init_use_fds(mdadm_t)
+init_use_script_ptys(mdadm_t)
+init_dontaudit_getattr_initctl(mdadm_t)
+
+libs_use_ld_so(mdadm_t)
+libs_use_shared_libs(mdadm_t)
+
+logging_send_syslog_msg(mdadm_t)
+
+miscfiles_read_localization(mdadm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
+userdom_dontaudit_use_sysadm_ttys(mdadm_t)
+
+mta_send_mail(mdadm_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(mdadm_t)
+	term_dontaudit_use_generic_ptys(mdadm_t)
+	files_dontaudit_read_root_files(mdadm_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(mdadm_t)
+')
+
+optional_policy(`
+	udev_read_db(mdadm_t)
+')
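Review bot: The pid-file rules `allow mdadm_t mdadm_var_run_t:file create_file_perms;` and `files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)` cover only the file class, while raid.fc in this commit labels `/var/run/mdadm(/.*)?` as a directory tree of that type, so mdadm creating that directory or files beneath it would be denied at the dir class. If the directory layout is intended, add `allow mdadm_t mdadm_var_run_t:dir create_dir_perms;` and, if the macro accepts a class set, extend the transition to `files_pid_filetrans(mdadm_t,mdadm_var_run_t,{ file dir })`; if only a flat pid file is used, narrow the fc entry instead. The capability line `{ dac_override sys_admin ipc_lock }` hands this daemon the broadest capability in the set with no comment; a one-line why-comment naming the md ioctls that require `sys_admin` would let a later reviewer judge whether `dac_override` is still justified. `mta_send_mail(mdadm_t)` is also called outside `optional_policy`, so if mta is a separately loadable module in this tree the policy will fail to link when it is absent.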
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
new file mode 100644
index 0000000..8cb4179
--- /dev/null
+++ b/policy/modules/system/selinuxutil.fc
@@ -0,0 +1,50 @@
+# SELinux userland utilities
+
+#
+# /etc
+#
+/etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
+/etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
+/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
+/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
+/etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
+/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?     gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage.read.LOCK    --	gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage.trans.LOCK   --	gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?users(/.*)?	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
+
+#
+# /root
+#
+/root/\.default_contexts	-- 	gen_context(system_u:object_r:default_context_t,s0)
+
+#
+# /sbin
+#
+/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
+/sbin/restorecon		--	gen_context(system_u:object_r:restorecon_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/checkpolicy		--	gen_context(system_u:object_r:checkpolicy_exec_t,s0)
+/usr/bin/newrole		--	gen_context(system_u:object_r:newrole_exec_t,s0)
+
+/usr/lib(64)?/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
+
+/usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
+/usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
+/usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
+/usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+
+ifdef(`distro_debian', `
+/usr/share/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
+')
+
+#
+# /var/run
+#
+/var/run/restorecond.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
new file mode 100644
index 0000000..4e2f51b
--- /dev/null
+++ b/policy/modules/system/selinuxutil.if
@@ -0,0 +1,1047 @@
+## <summary>Policy for SELinux policy and userland applications.</summary>
+
+#######################################
+## <summary>
+##	Execute checkpolicy in the checkpolicy domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_domtrans_checkpolicy',`
+	gen_require(`
+		type checkpolicy_t, checkpolicy_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,checkpolicy_exec_t,checkpolicy_t)
+
+	allow $1 checkpolicy_t:fd use;
+	allow checkpolicy_t $1:fd use;
+	allow checkpolicy_t $1:fifo_file rw_file_perms;
+	allow checkpolicy_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute checkpolicy in the checkpolicy domain, and
+##	allow the specified role the checkpolicy domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the checkpolicy domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the checkpolicy domain to use.
+##	</summary>
+## </param>
+#
+interface(`seutil_run_checkpolicy',`
+	gen_require(`
+		type checkpolicy_t;
+	')
+
+	seutil_domtrans_checkpolicy($1)
+	role $2 types checkpolicy_t;
+	allow checkpolicy_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute checkpolicy in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_exec_checkpolicy',`
+	gen_require(`
+		type checkpolicy_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	can_exec($1,checkpolicy_exec_t)
+')
+
+#######################################
+## <summary>
+##	Execute load_policy in the load_policy domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_domtrans_loadpolicy',`
+	gen_require(`
+		type load_policy_t, load_policy_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,load_policy_exec_t,load_policy_t)
+
+	allow $1 load_policy_t:fd use;
+	allow load_policy_t $1:fd use;
+	allow load_policy_t $1:fifo_file rw_file_perms;
+	allow load_policy_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute load_policy in the load_policy domain, and
+##	allow the specified role the load_policy domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the load_policy domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the load_policy domain to use.
+##	</summary>
+## </param>
+#
+interface(`seutil_run_loadpolicy',`
+	gen_require(`
+		type load_policy_t;
+	')
+
+	seutil_domtrans_loadpolicy($1)
+	role $2 types load_policy_t;
+	allow load_policy_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute load_policy in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_exec_loadpolicy',`
+	gen_require(`
+		type load_policy_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,load_policy_exec_t)
+')
+
+########################################
+## <summary>
+##	Read the load_policy program file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_read_loadpolicy',`
+	gen_require(`
+		type load_policy_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	allow $1 load_policy_exec_t:file r_file_perms;
+')
+
+#######################################
+## <summary>
+##	Execute newrole in the load_policy domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_domtrans_newrole',`
+	gen_require(`
+		type newrole_t, newrole_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,newrole_exec_t,newrole_t)
+
+	allow $1 newrole_t:fd use;
+	allow newrole_t $1:fd use;
+	allow newrole_t $1:fifo_file rw_file_perms;
+	allow newrole_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute newrole in the newrole domain, and
+##	allow the specified role the newrole domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the newrole domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the newrole domain to use.
+##	</summary>
+## </param>
+#
+interface(`seutil_run_newrole',`
+	gen_require(`
+		type newrole_t;
+	')
+
+	seutil_domtrans_newrole($1)
+	role $2 types newrole_t;
+	allow newrole_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute newrole in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_exec_newrole',`
+	gen_require(`
+		type newrole_t, newrole_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	can_exec($1,newrole_exec_t)
+')
+
+########################################
+## <summary>
+##	Do not audit the caller attempts to send
+##	a signal to newrole.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_signal_newrole',`
+	gen_require(`
+		type newrole_t;
+	')
+
+	dontaudit $1 newrole_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to newrole.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_sigchld_newrole',`
+	gen_require(`
+		type newrole_t;
+	')
+
+	allow $1 newrole_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit and use newrole file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_use_newrole_fds',`
+	gen_require(`
+		type newrole_t;
+	')
+
+	allow $1 newrole_t:fd use;
+')
+
+#######################################
+## <summary>
+##	Execute restorecon in the restorecon domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_domtrans_restorecon',`
+	gen_require(`
+		type restorecon_t, restorecon_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,restorecon_exec_t,restorecon_t)
+
+	allow $1 restorecon_t:fd use;
+	allow restorecon_t $1:fd use;
+	allow restorecon_t $1:fifo_file rw_file_perms;
+	allow restorecon_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute restorecon in the restorecon domain, and
+##	allow the specified role the restorecon domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the restorecon domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the restorecon domain to use.
+##	</summary>
+## </param>
+#
+interface(`seutil_run_restorecon',`
+	gen_require(`
+		type restorecon_t;
+	')
+
+	seutil_domtrans_restorecon($1)
+	role $2 types restorecon_t;
+	allow restorecon_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute restorecon in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_exec_restorecon',`
+	gen_require(`
+		type restorecon_t, restorecon_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,restorecon_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute run_init in the run_init domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_domtrans_runinit',`
+	gen_require(`
+		type run_init_t, run_init_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,run_init_exec_t,run_init_t)
+
+	allow $1 run_init_t:fd use;
+	allow run_init_t $1:fd use;
+	allow run_init_t $1:fifo_file rw_file_perms;
+	allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute init scripts in the run_init domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute init scripts in the run_init domain.
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_init_script_domtrans_runinit',`
+	gen_require(`
+		type run_init_t;
+	')
+
+	init_script_file_domtrans($1,run_init_t)
+
+	allow $1 run_init_t:fd use;
+	allow run_init_t $1:fd use;
+	allow run_init_t $1:fifo_file rw_file_perms;
+	allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute run_init in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the run_init domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the run_init domain to use.
+##	</summary>
+## </param>
+#
+interface(`seutil_run_runinit',`
+	gen_require(`
+		type run_init_t;
+		role system_r;
+	')
+
+	seutil_domtrans_runinit($1)
+	role $2 types run_init_t;
+	allow run_init_t $3:chr_file rw_term_perms;
+	allow $2 system_r;
+')
+
+########################################
+## <summary>
+##	Execute init scripts in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+## </summary>
+## <desc>
+##	<p>
+##	Execute init scripts in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+##	</p>
+##	<p>
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the run_init domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the run_init domain to use.
+##	</summary>
+## </param>
+#
+interface(`seutil_init_script_run_runinit',`
+	gen_require(`
+		type run_init_t;
+		role system_r;
+	')
+
+	seutil_init_script_domtrans_runinit($1)
+	role $2 types run_init_t;
+	allow run_init_t $3:chr_file rw_term_perms;
+	allow $2 system_r;
+')
+
+########################################
+## <summary>
+##	Inherit and use run_init file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_use_runinit_fds',`
+	gen_require(`
+		type run_init_t;
+	')
+
+	allow $1 run_init_t:fd use;
+')
+
+########################################
+## <summary>
+##	Execute setfiles in the setfiles domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_domtrans_setfiles',`
+	gen_require(`
+		type setfiles_t, setfiles_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,setfiles_exec_t,setfiles_t)
+
+	allow $1 setfiles_t:fd use;
+	allow setfiles_t $1:fd use;
+	allow setfiles_t $1:fifo_file rw_file_perms;
+	allow setfiles_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute setfiles in the setfiles domain, and
+##	allow the specified role the setfiles domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the setfiles domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the setfiles domain to use.
+##	</summary>
+## </param>
+#
+interface(`seutil_run_setfiles',`
+	gen_require(`
+		type setfiles_t;
+	')
+
+	seutil_domtrans_setfiles($1)
+	role $2 types setfiles_t;
+	allow setfiles_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute setfiles in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_exec_setfiles',`
+	gen_require(`
+		type setfiles_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_sbin($1)
+	can_exec($1,setfiles_exec_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the SELinux
+##	configuration directory (/etc/selinux).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_search_config',`
+	gen_require(`
+		type selinux_config_t;
+	')
+
+	dontaudit $1 selinux_config_t:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read the SELinux
+##	userland configuration (/etc/selinux).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_read_config',`
+	gen_require(`
+		type selinux_config_t;
+	')
+
+	dontaudit $1 selinux_config_t:dir search;
+	dontaudit $1 selinux_config_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read the general SELinux configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_read_config',`
+	gen_require(`
+		type selinux_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir r_dir_perms;
+	allow $1 selinux_config_t:file r_file_perms;
+	allow $1 selinux_config_t:lnk_file { getattr read };
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete
+##	the general selinux configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_manage_selinux_config',`
+	gen_require(`
+		type selinux_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir rw_dir_perms;
+	allow $1 selinux_config_t:file manage_file_perms;
+	allow $1 selinux_config_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Search the policy directory with default_context files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_search_default_contexts',`
+	gen_require(`
+		type selinux_config_t, default_context_t;
+	')
+
+	files_search_etc($1)
+	allow $1 { selinux_config_t default_context_t }:dir search;
+')
+
+
+########################################
+## <summary>
+##	Read the default_contexts files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_read_default_contexts',`
+	gen_require(`
+		type selinux_config_t, default_context_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search;
+	allow $1 default_context_t:dir r_dir_perms;
+	allow $1 default_context_t:file r_file_perms;
+	allow $1 default_context_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read the file_contexts files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_read_file_contexts',`
+	gen_require(`
+		type selinux_config_t, file_context_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search;
+	allow $1 file_context_t:dir r_dir_perms;
+	allow $1 file_context_t:file r_file_perms;
+	allow $1 file_context_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read and write the file_contexts files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_rw_file_contexts',`
+	gen_require(`
+		type selinux_config_t, file_context_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search;
+	allow $1 file_context_t:dir r_dir_perms;
+	allow $1 file_context_t:file rw_file_perms;
+	allow $1 file_context_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the file_contexts files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_manage_file_contexts',`
+	gen_require(`
+		type selinux_config_t, file_context_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search_dir_perms;
+	allow $1 file_context_t:dir rw_dir_perms;
+	allow $1 file_context_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read the SELinux binary policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_read_bin_policy',`
+	gen_require(`
+		type selinux_config_t, policy_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_config_t:dir r_dir_perms;
+	allow $1 policy_config_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create the SELinux binary policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_create_bin_policy',`
+	gen_require(`
+#		attribute can_write_binary_policy;
+		type selinux_config_t, policy_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_config_t:dir ra_dir_perms;
+	allow $1 policy_config_t:file { getattr create write };
+#	typeattribute $1 can_write_binary_policy;
+')
+
+########################################
+## <summary>
+##	Allow the caller to relabel a file to the binary policy type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_relabelto_bin_policy',`
+	gen_require(`
+		attribute can_relabelto_binary_policy;
+		type policy_config_t;
+	')
+
+	allow $1 policy_config_t:file relabelto;
+	typeattribute $1 can_relabelto_binary_policy;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the SELinux
+##	binary policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_manage_bin_policy',`
+	gen_require(`
+		attribute can_write_binary_policy;
+		type selinux_config_t, policy_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_config_t:dir rw_dir_perms;
+	allow $1 policy_config_t:file create_file_perms;
+	typeattribute $1 can_write_binary_policy;
+')
+
+########################################
+## <summary>
+##	Read SELinux policy source files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_read_src_policy',`
+	gen_require(`
+		type selinux_config_t, policy_src_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_src_t:dir r_dir_perms;
+	allow $1 policy_src_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete SELinux
+##	policy source files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_manage_src_policy',`
+	gen_require(`
+		type selinux_config_t, policy_src_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search;
+	allow $1 policy_src_t:dir create_dir_perms;
+	allow $1 policy_src_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run semanage.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`seutil_domtrans_semanage',`
+	gen_require(`
+		type semanage_t, semanage_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,semanage_exec_t,semanage_t)
+
+	allow $1 semanage_t:fd use;
+	allow semanage_t $1:fd use;
+	allow semanage_t $1:fifo_file rw_file_perms;
+	allow semanage_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute semanage in the semanage domain, and
+##	allow the specified role the semanage domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the checkpolicy domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the semanage domain to use.
+##	</summary>
+## </param>
+#
+interface(`seutil_run_semanage',`
+	gen_require(`
+		type semanage_t;
+	')
+
+	seutil_domtrans_semanage($1)
+	role $2 types semanage_t;
+	allow semanage_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Full management of the semanage
+##	module store.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_manage_module_store',`
+	gen_require(`
+		type selinux_config_t, semanage_store_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir rw_dir_perms;
+	type_transition $1 selinux_config_t:dir semanage_store_t;
+
+	allow $1 semanage_store_t:dir create_dir_perms;
+	allow $1 semanage_store_t:file create_file_perms;
+')
+
+#######################################
+## <summary>
+##	Get read lock on module store
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_get_semanage_read_lock',`
+	gen_require(`
+		type selinux_config_t, semanage_read_lock_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search_dir_perms;
+	allow $1 semanage_read_lock_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+##	Get trans lock on module store
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_get_semanage_trans_lock',`
+	gen_require(`
+		type selinux_config_t, semanage_trans_lock_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search_dir_perms;
+	allow $1 semanage_trans_lock_t:file rw_file_perms;
+')
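Review bot: Two interface headers carry copy-paste errors: the `seutil_domtrans_newrole` summary reads "Execute newrole in the load_policy domain" and should be `##	Execute newrole in the newrole domain.`, and the role parameter of `seutil_run_semanage` says "The role to be allowed the checkpolicy domain" and should be `##	The role to be allowed the semanage domain.`. These `##` headers are the source of the generated interface documentation, so the wrong domain names will be published as-is. `seutil_exec_newrole` also lists `newrole_t` in its `gen_require` although only `newrole_exec_t` is used, unlike its siblings `seutil_exec_checkpolicy` and `seutil_exec_setfiles`; dropping it removes a needless dependency on the process domain. Lastly, `seutil_manage_module_store`'s `type_transition $1 selinux_config_t:dir semanage_store_t;` labels every directory the caller creates directly under a selinux_config_t directory, not only the `modules/(active|tmp|previous)` store named in selinuxutil.fc — worth a comment if that breadth is deliberate.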
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
new file mode 100644
index 0000000..05aea9f
--- /dev/null
+++ b/policy/modules/system/selinuxutil.te
@@ -0,0 +1,666 @@
+
+policy_module(selinuxutil,1.2.8)
+
+gen_require(`
+	bool secure_mode;
+')
+
+########################################
+#
+# Declarations
+#
+
+attribute can_write_binary_policy;
+attribute can_relabelto_binary_policy;
+
+#
+# selinux_config_t is the type applied to
+# /etc/selinux/config
+#
+# cjp: this is out of order due to rules
+# in the domain_type interface
+# (fix dup decl)
+type selinux_config_t;
+files_type(selinux_config_t)
+
+type checkpolicy_t, can_write_binary_policy;
+domain_type(checkpolicy_t)
+role system_r types checkpolicy_t;
+
+type checkpolicy_exec_t;
+domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
+
+#
+# default_context_t is the type applied to
+# /etc/selinux/*/contexts/*
+#
+type default_context_t;
+files_type(default_context_t) 
+
+#
+# file_context_t is the type applied to
+# /etc/selinux/*/contexts/files
+#
+type file_context_t;
+files_type(file_context_t)
+
+type load_policy_t;
+domain_type(load_policy_t)
+role system_r types load_policy_t;
+
+type load_policy_exec_t;
+domain_entry_file(load_policy_t,load_policy_exec_t)
+
+type newrole_t;
+domain_role_change_exemption(newrole_t)
+domain_obj_id_change_exemption(newrole_t)
+domain_type(newrole_t)
+domain_interactive_fd(newrole_t)
+
+type newrole_exec_t;
+domain_entry_file(newrole_t,newrole_exec_t)
+
+#
+# policy_config_t is the type of /etc/security/selinux/*
+# the security server policy configuration.
+#
+type policy_config_t;
+files_type(policy_config_t)
+
+neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
+#neverallow ~can_write_binary_policy policy_config_t:file { write append };
+
+#
+# policy_src_t is the type of the policy source
+# files.
+#
+type policy_src_t;
+files_type(policy_src_t)
+
+type restorecon_t, can_relabelto_binary_policy;
+type restorecon_exec_t;
+domain_obj_id_change_exemption(restorecon_t)
+init_system_domain(restorecon_t,restorecon_exec_t)
+role system_r types restorecon_t;
+
+type restorecond_t;
+type restorecond_exec_t;
+init_daemon_domain(restorecond_t,restorecond_exec_t)
+domain_obj_id_change_exemption(restorecond_t)
+role system_r types restorecond_t;
+
+type restorecond_var_run_t;
+files_pid_file(restorecond_var_run_t)
+
+# real declaration moved to mls until
+# range transitions work in modules
+gen_require(`
+	type run_init_t;
+')
+type run_init_exec_t;
+domain_type(run_init_t)
+domain_entry_file(run_init_t,run_init_exec_t)
+domain_system_change_exemption(run_init_t)
+
+type semanage_t;
+domain_type(semanage_t)
+
+type semanage_exec_t;
+domain_entry_file(semanage_t, semanage_exec_t)
+role system_r types semanage_t;
+
+type semanage_store_t;
+files_type(semanage_store_t)
+
+type semanage_read_lock_t;
+files_type(semanage_read_lock_t)
+
+type semanage_tmp_t; 
+files_tmp_file(semanage_tmp_t)
+
+type semanage_trans_lock_t; 
+files_type(semanage_trans_lock_t)
+
+type setfiles_t, can_relabelto_binary_policy;
+domain_obj_id_change_exemption(setfiles_t)
+domain_type(setfiles_t)
+role system_r types setfiles_t;
+
+type setfiles_exec_t;
+domain_entry_file(setfiles_t,setfiles_exec_t)
+
+ifdef(`distro_redhat',`
+	init_system_domain(setfiles_t,setfiles_exec_t)
+')
+
+########################################
+#
+# Checkpolicy local policy
+#
+
+allow checkpolicy_t self:capability dac_override;
+
+# able to create and modify binary policy files
+allow checkpolicy_t policy_config_t:dir rw_dir_perms;
+allow checkpolicy_t policy_config_t:file create_file_perms;
+
+# allow test policies to be created in src directories
+allow checkpolicy_t policy_src_t:dir rw_dir_perms;
+type_transition checkpolicy_t policy_src_t:file policy_config_t;
+
+# only allow read of policy source files
+allow checkpolicy_t policy_src_t:dir r_dir_perms;
+allow checkpolicy_t policy_src_t:file r_file_perms;
+allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
+allow checkpolicy_t selinux_config_t:dir search;
+
+fs_getattr_xattr_fs(checkpolicy_t)
+
+term_use_console(checkpolicy_t)
+
+domain_use_interactive_fds(checkpolicy_t)
+
+files_list_usr(checkpolicy_t)
+# directory search permissions for path to source and binary policy files
+files_search_etc(checkpolicy_t)
+
+init_use_fds(checkpolicy_t)
+init_use_script_ptys(checkpolicy_t)
+
+libs_use_ld_so(checkpolicy_t)
+libs_use_shared_libs(checkpolicy_t)
+
+userdom_use_all_users_fds(checkpolicy_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(checkpolicy_t)
+	term_use_unallocated_ttys(checkpolicy_t)
+')
+
+########################################
+#
+# Load_policy local policy
+#
+
+allow load_policy_t self:capability dac_override;
+
+# only allow read of policy config files
+allow load_policy_t policy_src_t:dir search;
+allow load_policy_t policy_config_t:dir r_dir_perms;
+allow load_policy_t policy_config_t:file r_file_perms;
+allow load_policy_t policy_config_t:lnk_file r_file_perms;
+
+allow load_policy_t selinux_config_t:dir r_dir_perms;
+allow load_policy_t selinux_config_t:file r_file_perms;
+allow load_policy_t selinux_config_t:lnk_file r_file_perms;
+
+domain_use_interactive_fds(load_policy_t)
+
+# for mcs.conf
+files_read_etc_files(load_policy_t)
+files_read_etc_runtime_files(load_policy_t)
+
+fs_getattr_xattr_fs(load_policy_t)
+
+mls_file_read_up(load_policy_t)
+
+selinux_get_fs_mount(load_policy_t)
+selinux_load_policy(load_policy_t)
+selinux_set_boolean(load_policy_t)
+
+term_use_console(load_policy_t)
+term_list_ptys(load_policy_t)
+
+init_use_script_fds(load_policy_t)
+init_use_script_ptys(load_policy_t)
+
+libs_use_ld_so(load_policy_t)
+libs_use_shared_libs(load_policy_t)
+
+miscfiles_read_localization(load_policy_t)
+
+userdom_use_all_users_fds(load_policy_t)
+
+ifdef(`hide_broken_symptoms',`
+	# cjp: cover up stray file descriptors.
+	dontaudit load_policy_t selinux_config_t:file write;
+	optional_policy(`
+		unconfined_dontaudit_read_pipes(load_policy_t)
+	')
+')
+
+ifdef(`targeted_policy',`
+	term_use_unallocated_ttys(load_policy_t)
+	term_use_generic_ptys(load_policy_t)
+')
+
+########################################
+#
+# Newrole local policy
+#
+
+allow newrole_t self:capability { fowner setuid setgid dac_override };
+allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+allow newrole_t self:process setexec;
+allow newrole_t self:fd use;
+allow newrole_t self:fifo_file rw_file_perms;
+allow newrole_t self:sock_file r_file_perms;
+allow newrole_t self:shm create_shm_perms;
+allow newrole_t self:sem create_sem_perms;
+allow newrole_t self:msgq create_msgq_perms;
+allow newrole_t self:msg { send receive };
+allow newrole_t self:unix_dgram_socket sendto;
+allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+
+allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
+allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
+allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
+
+kernel_read_system_state(newrole_t)
+kernel_read_kernel_sysctls(newrole_t)
+
+dev_read_urand(newrole_t)
+
+fs_getattr_xattr_fs(newrole_t)
+fs_search_auto_mountpoints(newrole_t)
+
+mls_file_read_up(newrole_t)
+mls_file_write_down(newrole_t)
+mls_file_upgrade(newrole_t)
+mls_file_downgrade(newrole_t)
+mls_process_set_level(newrole_t)
+
+selinux_get_fs_mount(newrole_t)
+selinux_validate_context(newrole_t)
+selinux_compute_access_vector(newrole_t)
+selinux_compute_create_context(newrole_t)
+selinux_compute_relabel_context(newrole_t)
+selinux_compute_user_contexts(newrole_t)
+
+term_use_all_user_ttys(newrole_t)
+term_use_all_user_ptys(newrole_t)
+term_relabel_all_user_ttys(newrole_t)
+term_relabel_all_user_ptys(newrole_t)
+term_getattr_unallocated_ttys(newrole_t)
+term_dontaudit_use_unallocated_ttys(newrole_t)
+
+auth_domtrans_chk_passwd(newrole_t)
+
+corecmd_list_bin(newrole_t)
+corecmd_read_bin_symlinks(newrole_t)
+
+domain_use_interactive_fds(newrole_t)
+# for when the user types "exec newrole" at the command line:
+domain_sigchld_interactive_fds(newrole_t)
+
+# Write to utmp.
+init_rw_utmp(newrole_t)
+
+files_read_etc_files(newrole_t)
+files_read_var_files(newrole_t)
+files_read_var_symlinks(newrole_t)
+
+libs_use_ld_so(newrole_t)
+libs_use_shared_libs(newrole_t)
+
+logging_send_syslog_msg(newrole_t)
+
+miscfiles_read_localization(newrole_t)
+
+userdom_use_unpriv_users_fds(newrole_t)
+# for some PAM modules and for cwd
+userdom_dontaudit_search_all_users_home_content(newrole_t)
+
+ifdef(`strict_policy',`
+	# if secure mode is enabled, then newrole
+	# can only transition to unprivileged users
+	if(secure_mode) {
+		userdom_spec_domtrans_unpriv_users(newrole_t)
+	} else {
+		userdom_spec_domtrans_all_users(newrole_t)
+	}
+')
+
+optional_policy(`
+	nis_use_ypbind(newrole_t)
+')
+
+optional_policy(`
+	nscd_socket_use(newrole_t)
+')
+
+########################################
+#
+# Restorecon local policy
+#
+
+allow restorecon_t self:capability { dac_override dac_read_search fowner };
+allow restorecon_t self:fifo_file rw_file_perms;
+
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
+
+kernel_use_fds(restorecon_t)
+kernel_rw_pipes(restorecon_t)
+kernel_read_system_state(restorecon_t)
+kernel_rw_unix_dgram_sockets(restorecon_t)
+kernel_relabelfrom_unlabeled_dirs(restorecon_t)
+kernel_relabelfrom_unlabeled_files(restorecon_t)
+kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
+kernel_relabelfrom_unlabeled_pipes(restorecon_t)
+kernel_relabelfrom_unlabeled_sockets(restorecon_t)
+
+dev_relabel_all_dev_nodes(restorecon_t)
+# cjp: why is this needed?
+dev_rw_generic_files(restorecon_t)
+
+fs_getattr_xattr_fs(restorecon_t)
+fs_search_auto_mountpoints(restorecon_t)
+
+mls_file_read_up(restorecon_t)
+mls_file_write_down(restorecon_t)
+mls_file_upgrade(restorecon_t)
+mls_file_downgrade(restorecon_t)
+
+selinux_get_fs_mount(restorecon_t)
+selinux_validate_context(restorecon_t)
+selinux_compute_access_vector(restorecon_t)
+selinux_compute_create_context(restorecon_t)
+selinux_compute_relabel_context(restorecon_t)
+selinux_compute_user_contexts(restorecon_t)
+
+term_use_unallocated_ttys(restorecon_t)
+term_use_all_user_ttys(restorecon_t)
+term_use_all_user_ptys(restorecon_t)
+
+init_use_fds(restorecon_t)
+init_use_script_ptys(restorecon_t)
+
+domain_use_interactive_fds(restorecon_t)
+domain_dontaudit_search_all_domains_state(restorecon_t)
+
+files_read_etc_runtime_files(restorecon_t)
+files_read_etc_files(restorecon_t)
+
+libs_use_ld_so(restorecon_t)
+libs_use_shared_libs(restorecon_t)
+
+logging_send_syslog_msg(restorecon_t)
+
+userdom_use_all_users_fds(restorecon_t)
+
+files_relabel_all_files(restorecon_t)
+fs_relabelfrom_noxattr_fs(restorecon_t)
+
+files_list_all(restorecon_t)
+# this is to satisfy the assertion:
+auth_relabelto_shadow(restorecon_t)
+
+ifdef(`distro_redhat', `
+	fs_rw_tmpfs_chr_files(restorecon_t)
+	fs_rw_tmpfs_blk_files(restorecon_t)
+	fs_relabel_tmpfs_blk_file(restorecon_t)
+	fs_relabel_tmpfs_chr_file(restorecon_t)
+')
+
+ifdef(`hide_broken_symptoms',`
+	optional_policy(`
+		udev_dontaudit_rw_dgram_sockets(restorecon_t)
+	')
+')
+
+optional_policy(`
+	hotplug_use_fds(restorecon_t)
+')
+
+########################################
+#
+# Restorecond local policy
+#
+
+allow restorecond_t self:capability { dac_override dac_read_search fowner };
+allow restorecond_t self:fifo_file rw_file_perms;
+
+allow restorecond_t restorecond_var_run_t:file create_file_perms;
+files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
+
+auth_relabel_all_files_except_shadow(restorecond_t )
+auth_read_all_files_except_shadow(restorecond_t)
+fs_relabelfrom_noxattr_fs(restorecond_t)
+
+kernel_use_fds(restorecond_t)
+kernel_rw_pipes(restorecond_t)
+kernel_read_system_state(restorecond_t)
+
+fs_getattr_xattr_fs(restorecond_t)
+fs_list_inotifyfs(restorecond_t)
+
+selinux_get_fs_mount(restorecond_t)
+selinux_validate_context(restorecond_t)
+selinux_compute_access_vector(restorecond_t)
+selinux_compute_create_context(restorecond_t)
+selinux_compute_relabel_context(restorecond_t)
+selinux_compute_user_contexts(restorecond_t)
+
+term_dontaudit_use_generic_ptys(restorecond_t)
+
+init_use_fds(restorecond_t)
+
+libs_use_ld_so(restorecond_t)
+libs_use_shared_libs(restorecond_t)
+
+logging_send_syslog_msg(restorecond_t)
+
+miscfiles_read_localization(restorecond_t)
+
+#################################
+#
+# Run_init local policy
+#
+
+selinux_get_fs_mount(run_init_t)
+selinux_validate_context(run_init_t)
+selinux_compute_access_vector(run_init_t)
+selinux_compute_create_context(run_init_t)
+selinux_compute_relabel_context(run_init_t)
+selinux_compute_user_contexts(run_init_t)
+
+mls_rangetrans_source(run_init_t)
+
+ifdef(`direct_sysadm_daemon',`',`
+	ifdef(`distro_gentoo',`
+		# Gentoo integrated run_init:
+		init_script_file_entry_type(run_init_t)
+	')
+')
+
+ifdef(`targeted_policy',`',`
+	allow run_init_t self:process setexec;
+	allow run_init_t self:capability setuid;
+	allow run_init_t self:fifo_file rw_file_perms;
+	allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+	# often the administrator runs such programs from a directory that is owned
+	# by a different user or has restrictive SE permissions, do not want to audit
+	# the failed access to the current directory
+	dontaudit run_init_t self:capability { dac_override dac_read_search };
+
+	fs_getattr_xattr_fs(run_init_t)
+
+	dev_dontaudit_list_all_dev_nodes(run_init_t)
+
+	term_dontaudit_list_ptys(run_init_t)
+
+	auth_domtrans_chk_passwd(run_init_t)
+	auth_dontaudit_read_shadow(run_init_t)
+
+	corecmd_exec_bin(run_init_t)
+	corecmd_exec_shell(run_init_t)
+
+	domain_use_interactive_fds(run_init_t)
+
+	files_read_etc_files(run_init_t)
+	files_dontaudit_search_all_dirs(run_init_t)
+
+	init_domtrans_script(run_init_t)
+	# for utmp
+	init_rw_utmp(run_init_t)
+
+	libs_use_ld_so(run_init_t)
+	libs_use_shared_libs(run_init_t)
+
+	seutil_read_config(run_init_t)
+	seutil_read_default_contexts(run_init_t)
+
+	miscfiles_read_localization(run_init_t)
+
+	logging_send_syslog_msg(run_init_t)
+
+	optional_policy(`
+		daemontools_domtrans_start(run_init_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use(run_init_t)
+	')	
+
+') dnl end ifdef targeted policy
+
+########################################
+#
+# semodule local policy
+#
+
+allow semanage_t self:capability dac_override;
+allow semanage_t self:unix_stream_socket create_stream_socket_perms;
+allow semanage_t self:unix_dgram_socket create_socket_perms;
+allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+allow semanage_t policy_config_t:file { read write };
+
+allow semanage_t semanage_tmp_t:dir create_dir_perms;
+allow semanage_t semanage_tmp_t:file create_file_perms;
+files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+
+kernel_read_system_state(semanage_t)
+kernel_read_kernel_sysctls(semanage_t)
+
+corecmd_exec_bin(semanage_t)
+corecmd_exec_sbin(semanage_t)
+
+dev_read_urand(semanage_t)
+
+files_read_etc_files(semanage_t)
+files_read_usr_files(semanage_t)
+files_list_pids(semanage_t)
+
+mls_file_write_down(semanage_t)
+mls_rangetrans_target(semanage_t)
+mls_file_read_up(semanage_t)
+
+selinux_get_enforce_mode(semanage_t)
+# for setsebool:
+selinux_set_boolean(semanage_t)
+
+term_use_all_terms(semanage_t)
+
+libs_use_ld_so(semanage_t)
+libs_use_shared_libs(semanage_t)
+libs_use_lib_files(semanage_t)
+
+logging_send_syslog_msg(semanage_t)
+
+miscfiles_read_localization(semanage_t)
+
+seutil_search_default_contexts(semanage_t)
+seutil_manage_file_contexts(semanage_t)
+seutil_manage_selinux_config(semanage_t)
+seutil_domtrans_setfiles(semanage_t)
+seutil_domtrans_loadpolicy(semanage_t)
+seutil_read_config(semanage_t)
+seutil_manage_bin_policy(semanage_t)
+seutil_use_newrole_fds(semanage_t)
+seutil_manage_module_store(semanage_t)
+seutil_get_semanage_trans_lock(semanage_t)
+seutil_get_semanage_read_lock(semanage_t)
+
+userdom_search_sysadm_home_dirs(semanage_t)
+
+ifdef(`targeted_policy',`
+# Handle pp files created in homedir and /tmp
+	files_read_generic_tmp_files(semanage_t)
+	userdom_read_generic_user_home_content_files(semanage_t)
+')
+
+optional_policy(`
+	nscd_socket_use(semanage_t)
+')
+
+########################################
+#
+# Setfiles local policy
+#
+
+allow setfiles_t self:capability { dac_override dac_read_search fowner };
+allow setfiles_t self:fifo_file rw_file_perms;
+
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
+
+kernel_read_system_state(setfiles_t)
+kernel_relabelfrom_unlabeled_dirs(setfiles_t)
+kernel_relabelfrom_unlabeled_files(setfiles_t)
+kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
+kernel_relabelfrom_unlabeled_pipes(setfiles_t)
+kernel_relabelfrom_unlabeled_sockets(setfiles_t)
+
+dev_relabel_all_dev_nodes(setfiles_t)
+
+fs_getattr_xattr_fs(setfiles_t)
+fs_list_all(setfiles_t)
+
+mls_file_read_up(setfiles_t)
+mls_file_write_down(setfiles_t)
+mls_file_upgrade(setfiles_t)
+mls_file_downgrade(setfiles_t)
+
+selinux_get_fs_mount(setfiles_t)
+selinux_validate_context(setfiles_t)
+selinux_compute_access_vector(setfiles_t)
+selinux_compute_create_context(setfiles_t)
+selinux_compute_relabel_context(setfiles_t)
+selinux_compute_user_contexts(setfiles_t)
+
+term_use_all_user_ttys(setfiles_t)
+term_use_all_user_ptys(setfiles_t)
+term_use_unallocated_ttys(setfiles_t)
+
+# this is to satisfy the assertion:
+auth_relabelto_shadow(setfiles_t)
+
+init_use_fds(setfiles_t)
+init_use_script_fds(setfiles_t)
+init_use_script_ptys(setfiles_t)
+
+domain_use_interactive_fds(setfiles_t)
+
+libs_use_ld_so(setfiles_t)
+libs_use_shared_libs(setfiles_t)
+
+files_read_etc_runtime_files(setfiles_t)
+files_read_etc_files(setfiles_t)
+files_list_all(setfiles_t)
+files_relabel_all_files(setfiles_t)
+fs_relabelfrom_noxattr_fs(setfiles_t)
+
+logging_send_syslog_msg(setfiles_t)
+
+miscfiles_read_localization(setfiles_t)
+
+userdom_use_all_users_fds(setfiles_t)
+# for config files in a home directory
+userdom_read_all_users_home_content_files(setfiles_t)
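Review bot: semanage_t is given direct write access on the binary policy via `allow semanage_t policy_config_t:file { read write };` in the semodule section, yet it is declared without the can_write_binary_policy attribute, so the assertion `neverallow ~can_write_binary_policy policy_config_t:file { write append };` near the top of the file (currently commented out) could not be re-enabled as the file stands. Either declare `type semanage_t, can_write_binary_policy;` or drop the direct rule if seutil_manage_bin_policy(semanage_t), called later in the same section, already covers it (that interface's definition is outside this hunk). The checkpolicy section has a smaller inconsistency: `allow checkpolicy_t policy_src_t:dir rw_dir_perms;` is followed a few lines later by `allow checkpolicy_t policy_src_t:dir r_dir_perms;` under a comment stating that only read of policy sources is allowed, so the second rule is redundant and the comment is misleading about the effective access.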
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
new file mode 100644
index 0000000..71c374f
--- /dev/null
+++ b/policy/modules/system/setrans.fc
@@ -0,0 +1,3 @@
+/sbin/mcstransd	--	gen_context(system_u:object_r:setrans_exec_t,s0)
+
+/var/run/setrans(/.*)?	gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
new file mode 100644
index 0000000..9547503
--- /dev/null
+++ b/policy/modules/system/setrans.if
@@ -0,0 +1,25 @@
+## <summary>SELinux MLS/MCS label translation service.</summary>
+
+#######################################
+## <summary>
+##	Allow a domain to translate contexts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`setrans_translate_context',`
+	gen_require(`
+		type setrans_t, setrans_var_run_t;
+	')
+
+	allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+	allow $1 setrans_t:unix_stream_socket connectto;
+	allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
+	allow $1 setrans_var_run_t:sock_file rw_file_perms;
+	allow $1 setrans_var_run_t:dir search_dir_perms;
+	files_list_pids($1)
+')
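Review bot: setrans_translate_context grants `allow $1 self:unix_stream_socket create_stream_socket_perms;` to the calling domain, which the interface summary does not mention and which is broader than the name suggests; a caller that only wants to reach the translation socket receives a self rule it may not expect. Either widen the summary, e.g. `Allow a domain to translate contexts via the setrans daemon; also grants the domain create_stream_socket_perms on its own unix_stream_socket.`, or leave the self rule to callers. The rule `allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;` pairs a pid-file type with a socket object class, which is unusual enough to deserve a one-line comment on why a socket would carry that label.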
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
new file mode 100644
index 0000000..4ef391e
--- /dev/null
+++ b/policy/modules/system/setrans.te
@@ -0,0 +1,70 @@
+
+policy_module(setrans,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type setrans_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type setrans_exec_t;
+')
+init_daemon_domain(setrans_t, setrans_exec_t)
+
+type setrans_var_run_t;
+files_pid_file(setrans_var_run_t)
+mls_trusted_object(setrans_var_run_t)
+
+########################################
+#
+# setrans local policy
+#
+
+allow setrans_t self:capability sys_resource;
+allow setrans_t self:process { setrlimit setcap signal_perms };
+allow setrans_t self:unix_stream_socket create_stream_socket_perms;
+allow setrans_t self:unix_dgram_socket create_socket_perms;
+allow setrans_t self:netlink_selinux_socket create_socket_perms;
+
+can_exec(setrans_t, setrans_exec_t)
+corecmd_search_sbin(setrans_t)
+
+# create unix domain socket in /var
+allow setrans_t setrans_var_run_t:sock_file manage_file_perms;
+allow setrans_t setrans_var_run_t:file manage_file_perms;
+allow setrans_t setrans_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(setrans_t,setrans_var_run_t,file)
+
+kernel_read_kernel_sysctls(setrans_t)
+kernel_read_proc_symlinks(setrans_t)
+
+# allow performing getpidcon() on all processes
+domain_read_all_domains_state(setrans_t)
+domain_getattr_all_domains(setrans_t)
+domain_getsession_all_domains(setrans_t)
+
+files_read_etc_runtime_files(setrans_t)
+
+mls_file_read_up(setrans_t)
+mls_file_write_down(setrans_t)
+mls_net_receive_all_levels(setrans_t)
+mls_rangetrans_target(setrans_t)
+
+selinux_compute_access_vector(setrans_t)
+
+term_dontaudit_use_generic_ptys(setrans_t)
+
+init_use_fds(setrans_t)
+init_dontaudit_use_script_ptys(setrans_t)
+
+libs_use_ld_so(setrans_t)
+libs_use_shared_libs(setrans_t)
+
+logging_send_syslog_msg(setrans_t)
+
+miscfiles_read_localization(setrans_t)
+
+seutil_read_config(setrans_t)
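Review bot: The comment `# create unix domain socket in /var` above the setrans_var_run_t rules is not fully backed by the transition beneath it: `files_pid_filetrans(setrans_t,setrans_var_run_t,file)` only labels file-class objects created directly in the pid directory, while the socket is a sock_file and the entry in setrans.fc labels a /var/run/setrans subdirectory. If the daemon creates that directory or the socket itself rather than relying on a pre-labelled directory, the transition should be widened, e.g. `files_pid_filetrans(setrans_t,setrans_var_run_t,{ file dir sock_file })`; if the directory is always pre-created, the comment should instead say the socket inherits the directory's label. Whether the daemon creates the directory at runtime is not visible from this hunk. Separately, `can_exec(setrans_t, setrans_exec_t)` lets the daemon re-execute its own binary in its own domain without a comment explaining the need; a short why-comment would help the next reader.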
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
new file mode 100644
index 0000000..f58df4f
--- /dev/null
+++ b/policy/modules/system/sysnetwork.fc
@@ -0,0 +1,56 @@
+
+#
+# /bin
+#
+/bin/ip			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+#
+# /etc
+#
+/etc/dhclient.*conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+
+/etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+')
+
+#
+# /sbin
+#
+/sbin/dhclient.*	--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/dhcdbd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/iwconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/mii-tool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/pump		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/dhcp3?		-d	gen_context(system_u:object_r:dhcp_state_t,s0)
+/var/lib/dhcp3?/dhclient.*	gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+
+/var/lib/dhclient(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/run/dhclient.*\.pid --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/var/run/dhclient.*\.leases --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
new file mode 100644
index 0000000..be11fc0
--- /dev/null
+++ b/policy/modules/system/sysnetwork.if
@@ -0,0 +1,562 @@
+## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
+
+#######################################
+## <summary>
+##	Execute dhcp client in dhcpc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##     The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`sysnet_domtrans_dhcpc',`
+	gen_require(`
+		type dhcpc_t, dhcpc_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
+
+	allow $1 dhcpc_t:fd use;
+	allow dhcpc_t $1:fd use;
+	allow dhcpc_t $1:fifo_file rw_file_perms;
+	allow dhcpc_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute DHCP clients in the dhcpc domain, and
+##	allow the specified role the dhcpc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the clock domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the clock domain to use.
+##	</summary>
+## </param>
+#
+interface(`sysnet_run_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	sysnet_domtrans_dhcpc($1)
+	role $2 types dhcpc_t;
+	allow dhcpc_t $3:chr_file { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to the dhcp client.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain sending the SIGCHLD.
+##	</summary>
+## </param>
+#
+interface(`sysnet_sigchld_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	allow $1 dhcpc_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a kill signal to the dhcp client.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain sending the SIGKILL.
+##	</summary>
+## </param>
+#
+interface(`sysnet_kill_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	allow $1 dhcpc_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Send a SIGSTOP signal to the dhcp client.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain sending the SIGSTOP.
+##	</summary>
+## </param>
+#
+interface(`sysnet_sigstop_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	allow $1 dhcpc_t:process sigstop;
+')
+
+########################################
+## <summary>
+##	Send a null signal to the dhcp client.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain sending the null signal.
+##	</summary>
+## </param>
+#
+interface(`sysnet_signull_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	allow $1 dhcpc_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send a generic signal to the dhcp client.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain sending the signal.
+##	</summary>
+## </param>
+#
+interface(`sysnet_signal_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	allow $1 dhcpc_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	dhcpc over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dbus_chat_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+		class dbus send_msg;
+	')
+
+	allow $1 dhcpc_t:dbus send_msg;
+	allow dhcpc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Read and write dhcp configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_rw_dhcp_config',`
+	gen_require(`
+		type dhcp_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 dhcp_etc_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read dhcp client state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_read_dhcpc_state',`
+	gen_require(`
+		type dhcpc_state_t;
+	')
+
+	allow $1 dhcpc_state_t:file { getattr read };
+')
+
+#######################################
+## <summary>
+##	Allow network init to read network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`sysnet_read_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file r_file_perms;
+')
+
+#######################################
+## <summary>
+##	Do not audit attempts to read network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dontaudit_read_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	dontaudit $1 net_conf_t:file r_file_perms;
+')
+
+#######################################
+## <summary>
+##	Create files in /etc with the type used for
+##	the network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`sysnet_etc_filetrans_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_etc_filetrans($1,net_conf_t,file)
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`sysnet_manage_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	allow $1 net_conf_t:file create_file_perms;
+')
+
+#######################################
+## <summary>
+##	Read the dhcp client pid file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`sysnet_read_dhcpc_pid',`
+	gen_require(`
+		type dhcpc_var_run_t;
+	')
+
+	files_list_pids($1)
+	allow $1 dhcpc_var_run_t:file { getattr read };
+')
+
+#######################################
+## <summary>
+##	Delete the dhcp client pid file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`sysnet_delete_dhcpc_pid',`
+	gen_require(`
+		type dhcpc_var_run_t;
+	')
+
+	allow $1 dhcpc_var_run_t:file unlink;
+')
+
+#######################################
+## <summary>
+##	Execute ifconfig in the ifconfig domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`sysnet_domtrans_ifconfig',`
+	gen_require(`
+		type ifconfig_t, ifconfig_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
+
+	allow $1 ifconfig_t:fd use;
+	allow ifconfig_t $1:fd use;
+	allow ifconfig_t $1:fifo_file rw_file_perms;
+	allow ifconfig_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute ifconfig in the ifconfig domain, and
+##	allow the specified role the ifconfig domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the ifconfig domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ifconfig domain to use.
+##	</summary>
+## </param>
+#
+interface(`sysnet_run_ifconfig',`
+	gen_require(`
+		type ifconfig_t;
+	')
+
+	corecmd_search_sbin($1)
+	sysnet_domtrans_ifconfig($1)
+	role $2 types ifconfig_t;
+	allow ifconfig_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##	Execute ifconfig in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_exec_ifconfig',`
+	gen_require(`
+		type ifconfig_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,ifconfig_exec_t)
+')
+
+########################################
+## <summary>
+##	Read the DHCP configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_read_dhcp_config',`
+	gen_require(`
+		type dhcp_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 dhcp_etc_t:dir search;
+	allow $1 dhcp_etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Search the DHCP state data directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_search_dhcp_state',`
+	gen_require(`
+		type dhcp_state_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 dhcp_state_t:dir search;
+')
+
+########################################
+## <summary>
+##	Create DHCP state data.
+## </summary>
+## <desc>
+##	<p>
+##	Create DHCP state data.
+##	</p>
+##	<p>
+##	This is added for DHCP server, as
+##	the server and client put their state
+##	files in the same directory.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dhcp_state_filetrans',`
+	gen_require(`
+		type dhcp_state_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 dhcp_state_t:dir rw_dir_perms;
+	type_transition $1 dhcp_state_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Perform a DNS name resolution.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dns_name_resolve',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	allow $1 self:tcp_socket create_socket_perms;
+	allow $1 self:udp_socket create_socket_perms;
+
+	corenet_non_ipsec_sendrecv($1)
+	corenet_tcp_sendrecv_all_if($1)
+	corenet_udp_sendrecv_all_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_udp_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_dns_port($1)
+	corenet_udp_sendrecv_dns_port($1)
+	corenet_tcp_connect_dns_port($1)
+	corenet_sendrecv_dns_client_packets($1)
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect and use a LDAP server.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_use_ldap',`
+	gen_require(`
+		type net_conf_t;
+	')		
+
+	allow $1 self:tcp_socket create_socket_perms;
+
+	corenet_non_ipsec_sendrecv($1)
+	corenet_tcp_sendrecv_all_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_ldap_port($1)
+	corenet_tcp_connect_ldap_port($1)
+	corenet_sendrecv_ldap_client_packets($1)
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect and use remote port mappers.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_use_portmap',`
+	gen_require(`
+		type net_conf_t;
+	')		
+
+	allow $1 self:tcp_socket create_socket_perms;
+	allow $1 self:udp_socket create_socket_perms;
+
+	corenet_non_ipsec_sendrecv($1)
+	corenet_tcp_sendrecv_all_if($1)
+	corenet_udp_sendrecv_all_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_udp_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_portmap_port($1)
+	corenet_udp_sendrecv_portmap_port($1)
+	corenet_tcp_connect_portmap_port($1)
+	corenet_sendrecv_portmap_client_packets($1)
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file r_file_perms;
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
new file mode 100644
index 0000000..2404432
--- /dev/null
+++ b/policy/modules/system/sysnetwork.te
@@ -0,0 +1,354 @@
+
+policy_module(sysnetwork,1.1.8)
+
+########################################
+#
+# Declarations
+#
+
+# this is shared between dhcpc and dhcpd:
+type dhcp_etc_t;
+typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+files_config_file(dhcp_etc_t)
+
+# this is shared between dhcpc and dhcpd:
+type dhcp_state_t;
+files_type(dhcp_state_t)
+
+type dhcpc_t;
+type dhcpc_exec_t;
+init_daemon_domain(dhcpc_t,dhcpc_exec_t)
+role system_r types dhcpc_t;
+
+type dhcpc_state_t;
+files_type(dhcpc_state_t)
+
+type dhcpc_tmp_t;
+files_tmp_file(dhcpc_tmp_t)
+
+type dhcpc_var_run_t;
+files_pid_file(dhcpc_var_run_t)
+
+type ifconfig_t;
+type ifconfig_exec_t;
+init_system_domain(ifconfig_t, ifconfig_exec_t)
+role system_r types ifconfig_t;
+
+type net_conf_t alias resolv_conf_t;
+files_type(net_conf_t)
+
+########################################
+#
+# DHCP client local policy
+#
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
+dontaudit dhcpc_t self:capability sys_tty_config;
+# for access("/etc/bashrc", X_OK) on Red Hat
+dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+allow dhcpc_t self:process signal_perms;
+allow dhcpc_t self:fifo_file rw_file_perms;
+allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+allow dhcpc_t self:udp_socket create_socket_perms;
+allow dhcpc_t self:packet_socket create_socket_perms;
+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+
+allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
+allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
+allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };
+
+allow dhcpc_t dhcp_state_t:dir rw_dir_perms;
+allow dhcpc_t dhcp_state_t:file { getattr read };
+allow dhcpc_t dhcpc_state_t:dir rw_dir_perms;
+allow dhcpc_t dhcpc_state_t:file create_file_perms;
+type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
+
+# create pid file
+allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
+allow dhcpc_t dhcpc_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dhcpc_t,dhcpc_var_run_t,file)
+
+# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
+# in /etc created by dhcpcd will be labelled net_conf_t.
+allow dhcpc_t net_conf_t:file create_file_perms;
+files_etc_filetrans(dhcpc_t,net_conf_t,file)
+
+# create temp files
+allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
+allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
+files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
+
+can_exec(dhcpc_t, dhcpc_exec_t)
+
+# transition to ifconfig
+domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
+allow dhcpc_t ifconfig_t:fd use;
+allow ifconfig_t dhcpc_t:fd use;
+allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
+allow ifconfig_t dhcpc_t:process sigchld;
+
+kernel_read_system_state(dhcpc_t)
+kernel_read_network_state(dhcpc_t)
+kernel_read_kernel_sysctls(dhcpc_t)
+kernel_use_fds(dhcpc_t)
+
+corenet_non_ipsec_sendrecv(dhcpc_t)
+corenet_tcp_sendrecv_all_if(dhcpc_t)
+corenet_raw_sendrecv_all_if(dhcpc_t)
+corenet_udp_sendrecv_all_if(dhcpc_t)
+corenet_tcp_sendrecv_all_nodes(dhcpc_t)
+corenet_raw_sendrecv_all_nodes(dhcpc_t)
+corenet_udp_sendrecv_all_nodes(dhcpc_t)
+corenet_tcp_sendrecv_all_ports(dhcpc_t)
+corenet_udp_sendrecv_all_ports(dhcpc_t)
+corenet_tcp_bind_all_nodes(dhcpc_t)
+corenet_udp_bind_all_nodes(dhcpc_t)
+corenet_udp_bind_dhcpc_port(dhcpc_t)
+corenet_tcp_connect_all_ports(dhcpc_t)
+corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
+corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+
+dev_read_sysfs(dhcpc_t)
+# for SSP:
+dev_read_urand(dhcpc_t)
+
+fs_getattr_all_fs(dhcpc_t)
+fs_search_auto_mountpoints(dhcpc_t)
+
+term_dontaudit_use_console(dhcpc_t)
+term_dontaudit_use_all_user_ttys(dhcpc_t)
+term_dontaudit_use_all_user_ptys(dhcpc_t)
+term_dontaudit_use_unallocated_ttys(dhcpc_t)
+term_dontaudit_use_generic_ptys(dhcpc_t)
+
+corecmd_exec_bin(dhcpc_t)
+corecmd_exec_sbin(dhcpc_t)
+corecmd_exec_shell(dhcpc_t)
+
+domain_use_interactive_fds(dhcpc_t)
+domain_dontaudit_list_all_domains_state(dhcpc_t)
+
+files_read_etc_files(dhcpc_t)
+files_read_etc_runtime_files(dhcpc_t)
+files_search_home(dhcpc_t)
+files_search_var_lib(dhcpc_t)
+files_dontaudit_search_locks(dhcpc_t)
+
+init_use_fds(dhcpc_t)
+init_use_script_ptys(dhcpc_t)
+init_rw_utmp(dhcpc_t)
+
+logging_send_syslog_msg(dhcpc_t)
+
+libs_use_ld_so(dhcpc_t)
+libs_use_shared_libs(dhcpc_t)
+
+miscfiles_read_localization(dhcpc_t)
+
+modutils_domtrans_insmod(dhcpc_t)
+
+userdom_dontaudit_search_staff_home_dirs(dhcpc_t)
+
+ifdef(`distro_redhat', `
+	files_exec_etc_files(dhcpc_t)
+')
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(dhcpc_t)
+	term_dontaudit_use_generic_ptys(dhcpc_t)
+	files_dontaudit_read_root_files(dhcpc_t)
+')
+
+optional_policy(`
+	consoletype_domtrans(dhcpc_t)
+')
+
+optional_policy(`
+	gen_require(`
+		class dbus send_msg;
+	')
+
+	allow dhcpc_t self:dbus send_msg;
+
+	init_dbus_chat_script(dhcpc_t)
+
+	dbus_system_bus_client_template(dhcpc,dhcpc_t)
+	dbus_connect_system_bus(dhcpc_t)
+	dbus_send_system_bus(dhcpc_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(dhcpc_t)
+	')
+')
+
+optional_policy(`
+	hostname_domtrans(dhcpc_t)
+')
+
+optional_policy(`
+	hotplug_getattr_config_dirs(dhcpc_t)
+	hotplug_search_config(dhcpc_t)
+
+	ifdef(`distro_redhat',`
+		logging_domtrans_syslog(dhcpc_t)
+	')
+')
+
+# for the dhcp client to run ping to check IP addresses
+optional_policy(`
+	netutils_domtrans_ping(dhcpc_t)
+	netutils_domtrans(dhcpc_t)
+',`
+	allow dhcpc_t self:capability setuid;
+	allow dhcpc_t self:rawip_socket create_socket_perms;
+')
+
+optional_policy(`
+	nis_use_ypbind(dhcpc_t)
+	nis_signal_ypbind(dhcpc_t)
+	nis_read_ypbind_pid(dhcpc_t)
+	nis_delete_ypbind_pid(dhcpc_t)
+
+	# dhclient sometimes starts ypbind
+	init_exec_script_files(dhcpc_t)
+	nis_domtrans_ypbind(dhcpc_t)
+')
+
+optional_policy(`
+	nscd_domtrans(dhcpc_t)
+	nscd_read_pid(dhcpc_t)
+')
+
+optional_policy(`
+	# dhclient sometimes starts ntpd
+	init_exec_script_files(dhcpc_t)
+	ntp_domtrans(dhcpc_t)
+')
+
+optional_policy(`
+	pcmcia_stub(dhcpc_t)
+	dev_rw_cardmgr(dhcpc_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dhcpc_t)
+	seutil_dontaudit_search_config(dhcpc_t)
+')
+
+optional_policy(`
+	udev_read_db(dhcpc_t)
+')
+
+optional_policy(`
+	userdom_use_all_users_fds(dhcpc_t)
+')
+
+optional_policy(`
+	kernel_read_xen_state(dhcpc_t)
+	kernel_write_xen_state(dhcpc_t)
+	xen_append_log(dhcpc_t)
+	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
+')
+
+########################################
+#
+# Ifconfig local policy
+#
+
+allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
+dontaudit ifconfig_t self:capability sys_module;
+
+allow ifconfig_t self:fd use;
+allow ifconfig_t self:fifo_file rw_file_perms;
+allow ifconfig_t self:sock_file r_file_perms;
+allow ifconfig_t self:socket create_socket_perms;
+allow ifconfig_t self:unix_dgram_socket create_socket_perms;
+allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
+allow ifconfig_t self:unix_dgram_socket sendto;
+allow ifconfig_t self:unix_stream_socket connectto;
+allow ifconfig_t self:shm create_shm_perms;
+allow ifconfig_t self:sem create_sem_perms;
+allow ifconfig_t self:msgq create_msgq_perms;
+allow ifconfig_t self:msg { send receive };
+
+# Create UDP sockets, necessary when called from dhcpc
+allow ifconfig_t self:udp_socket create_socket_perms;
+
+# for /sbin/ip
+allow ifconfig_t self:packet_socket create_socket_perms;
+allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
+allow ifconfig_t self:tcp_socket { create ioctl };
+files_read_etc_files(ifconfig_t);
+
+kernel_use_fds(ifconfig_t)
+kernel_read_system_state(ifconfig_t)
+kernel_read_network_state(ifconfig_t)
+kernel_search_network_sysctl(ifconfig_t)
+kernel_rw_net_sysctls(ifconfig_t)
+
+corenet_rw_tun_tap_dev(ifconfig_t)
+
+dev_read_sysfs(ifconfig_t)
+# for IPSEC setup:
+dev_read_urand(ifconfig_t)
+
+fs_getattr_xattr_fs(ifconfig_t)
+fs_search_auto_mountpoints(ifconfig_t)
+
+term_dontaudit_use_all_user_ttys(ifconfig_t)
+term_dontaudit_use_all_user_ptys(ifconfig_t)
+
+domain_use_interactive_fds(ifconfig_t)
+
+files_dontaudit_read_root_files(ifconfig_t)
+
+init_use_fds(ifconfig_t)
+init_use_script_ptys(ifconfig_t)
+
+libs_use_ld_so(ifconfig_t)
+libs_use_shared_libs(ifconfig_t)
+libs_read_lib_files(ifconfig_t)
+
+logging_send_syslog_msg(ifconfig_t)
+
+miscfiles_read_localization(ifconfig_t)
+
+modutils_domtrans_insmod(ifconfig_t)
+
+seutil_use_runinit_fds(ifconfig_t)
+
+userdom_use_all_users_fds(ifconfig_t)
+
+ifdef(`hide_broken_symptoms',`
+	optional_policy(`
+		dev_dontaudit_rw_cardmgr(ifconfig_t)
+	')
+
+	optional_policy(`
+		udev_dontaudit_rw_dgram_sockets(ifconfig_t)
+	')
+')
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(ifconfig_t)
+	term_use_unallocated_ttys(ifconfig_t)
+')
+
+optional_policy(`
+	netutils_domtrans(dhcpc_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(ifconfig_t)
+')
+
+optional_policy(`
+	ppp_use_fds(ifconfig_t)
+')
+
+optional_policy(`
+	kernel_read_xen_state(ifconfig_t)
+	kernel_write_xen_state(ifconfig_t)
+	xen_append_log(ifconfig_t)
+	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+')
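Review bot: The `optional_policy(` block near the end of the "Ifconfig local policy" section (`netutils_domtrans(dhcpc_t)`, just before the xen block) targets dhcpc_t rather than ifconfig_t and duplicates the `netutils_domtrans(dhcpc_t)` already granted in the DHCP client section's ping block; either delete it or change it to `netutils_domtrans(ifconfig_t)` if ifconfig genuinely needs to run arping. In the dhcpc_t declarations the same capability is both allowed and dontaudited (`allow dhcpc_t self:capability { ... sys_tty_config }` followed by `dontaudit dhcpc_t self:capability sys_tty_config;`), so the dontaudit is dead and one of the two should go. For a domain that parses untrusted network input, dhcpc_t is also given `corenet_tcp_connect_all_ports`, a shell and `corecmd_exec_bin`/`corecmd_exec_sbin`; if that breadth exists only to support dhclient-script hooks, a comment saying so would make later tightening much easier.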
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
new file mode 100644
index 0000000..1a6c288
--- /dev/null
+++ b/policy/modules/system/udev.fc
@@ -0,0 +1,19 @@
+# udev
+
+/dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
+
+/etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+/etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+/sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udevstart  --	gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+/usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
new file mode 100644
index 0000000..6aa57ce
--- /dev/null
+++ b/policy/modules/system/udev.if
@@ -0,0 +1,143 @@
+## <summary>Policy for udev.</summary>
+
+########################################
+## <summary>
+##	Execute udev in the udev domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`udev_domtrans',`
+	gen_require(`
+		type udev_t, udev_exec_t;
+	')
+
+	domain_auto_trans($1, udev_exec_t, udev_t)
+
+	allow $1 udev_t:fd use;
+	allow udev_t $1:fd use;
+	allow udev_t $1:fifo_file rw_file_perms;
+	allow udev_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a udev helper in the udev domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`udev_helper_domtrans',`
+	gen_require(`
+		type udev_t, udev_helper_exec_t;
+	')
+
+	domain_auto_trans($1, udev_helper_exec_t, udev_t)
+
+	allow $1 udev_t:fd use;
+	allow udev_t $1:fd use;
+	allow udev_t $1:fifo_file rw_file_perms;
+	allow udev_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow process to read udev process state.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_read_state',`
+	gen_require(`
+		type udev_t;
+	')
+
+	kernel_search_proc($1)
+	allow $1 udev_t:file r_file_perms;
+	allow $1 udev_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit a
+##	udev file descriptor.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`udev_dontaudit_use_fds',`
+	gen_require(`
+		type udev_t;
+	')
+
+	dontaudit $1 udev_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	to a udev unix datagram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`udev_dontaudit_rw_dgram_sockets',`
+	gen_require(`
+		type udev_t;
+	')
+
+	dontaudit $1 udev_t:unix_dgram_socket { read write };
+')
+
+########################################
+## <summary>
+##	Allow process to read list of devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`udev_read_db',`
+	gen_require(`
+		type udev_tdb_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 udev_tdb_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow process to modify list of devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`udev_rw_db',`
+	gen_require(`
+		type udev_tdb_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 udev_tdb_t:file rw_file_perms;
+')
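Review bot: `udev_read_db` and `udev_rw_db` require and use `udev_tdb_t`, which udev.te in this same patch declares only as an alias (`type udev_tbl_t alias udev_tdb_t;`); interfaces should name the primary type, `type udev_tbl_t;` and `allow $1 udev_tbl_t:file r_file_perms;` (resp. `rw_file_perms`), so the alias can be retired without breaking callers. `udev_helper_domtrans` transitions helpers into udev_t itself, so its description should say plainly that every script labelled udev_helper_exec_t (per udev.fc: /etc/dev.d, /etc/hotplug.d/default/udev*, /etc/udev/scripts) runs with the full udev_t privilege set, including device-node management and the insmod transition granted in udev.te; anything writable in those directories is a direct path into that domain.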
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
new file mode 100644
index 0000000..06dec28
--- /dev/null
+++ b/policy/modules/system/udev.te
@@ -0,0 +1,201 @@
+
+policy_module(udev,1.3.3)
+
+########################################
+#
+# Declarations
+#
+
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type udev_exec_t;
+')
+
+type udev_t;
+type udev_helper_exec_t;
+kernel_domtrans_to(udev_t,udev_exec_t)
+domain_obj_id_change_exemption(udev_t)
+domain_entry_file(udev_t,udev_helper_exec_t)
+domain_interactive_fd(udev_t)
+init_daemon_domain(udev_t,udev_exec_t)
+
+type udev_etc_t alias etc_udev_t;
+files_config_file(udev_etc_t)
+
+# udev_runtime_t is the type of the udev table file
+# cjp: this is probably a copy of udev_tbl_t and can be removed
+type udev_runtime_t;
+files_type(udev_runtime_t)
+
+type udev_tbl_t alias udev_tdb_t;
+files_type(udev_tbl_t)
+
+type udev_var_run_t;
+files_pid_file(udev_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
+dontaudit udev_t self:capability sys_tty_config;
+allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow udev_t self:process { execmem setfscreate };
+allow udev_t self:fd use;
+allow udev_t self:fifo_file rw_file_perms;
+allow udev_t self:sock_file r_file_perms;
+allow udev_t self:shm create_shm_perms;
+allow udev_t self:sem create_sem_perms;
+allow udev_t self:msgq create_msgq_perms;
+allow udev_t self:msg { send receive };
+allow udev_t self:unix_stream_socket { listen accept };
+allow udev_t self:unix_dgram_socket sendto;
+allow udev_t self:unix_stream_socket connectto;
+allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udev_t self:rawip_socket create_socket_perms;
+
+allow udev_t udev_exec_t:file write;
+can_exec(udev_t, udev_exec_t)
+
+allow udev_t udev_helper_exec_t:dir r_dir_perms;
+
+# read udev config
+allow udev_t udev_etc_t:file r_file_perms;
+
+# create udev database in /dev/.udevdb
+allow udev_t udev_tbl_t:file create_file_perms;
+dev_filetrans(udev_t,udev_tbl_t,file)
+
+allow udev_t udev_var_run_t:file create_file_perms;
+allow udev_t udev_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(udev_t,udev_var_run_t,file)
+
+kernel_read_system_state(udev_t)
+kernel_getattr_core_if(udev_t)
+kernel_use_fds(udev_t)
+kernel_read_device_sysctls(udev_t)
+kernel_read_hotplug_sysctls(udev_t)
+kernel_read_modprobe_sysctls(udev_t)
+kernel_read_kernel_sysctls(udev_t)
+kernel_rw_hotplug_sysctls(udev_t)
+kernel_rw_unix_dgram_sockets(udev_t)
+kernel_dgram_send(udev_t)
+kernel_signal(udev_t)
+
+dev_rw_sysfs(udev_t)
+dev_manage_all_dev_nodes(udev_t)
+dev_rw_generic_files(udev_t)
+dev_delete_generic_files(udev_t)
+
+fs_getattr_all_fs(udev_t)
+fs_list_inotifyfs(udev_t)
+
+selinux_get_fs_mount(udev_t)
+selinux_validate_context(udev_t)
+selinux_compute_access_vector(udev_t)
+selinux_compute_create_context(udev_t)
+selinux_compute_relabel_context(udev_t)
+selinux_compute_user_contexts(udev_t)
+
+auth_use_nsswitch(udev_t)
+
+corecmd_exec_all_executables(udev_t)
+
+domain_read_all_domains_state(udev_t)
+
+files_read_etc_runtime_files(udev_t)
+files_read_etc_files(udev_t)
+files_exec_etc_files(udev_t)
+files_dontaudit_search_isid_type_dirs(udev_t)
+files_getattr_generic_locks(udev_t)
+files_search_mnt(udev_t)
+
+init_use_fds(udev_t)
+init_read_utmp(udev_t)
+init_dontaudit_write_utmp(udev_t)
+
+libs_use_ld_so(udev_t)
+libs_use_shared_libs(udev_t)
+
+logging_search_logs(udev_t)
+logging_send_syslog_msg(udev_t)
+
+miscfiles_read_localization(udev_t)
+
+mls_file_read_up(udev_t)
+mls_file_write_down(udev_t)
+mls_file_upgrade(udev_t)
+mls_file_downgrade(udev_t)
+mls_process_write_down(udev_t)
+
+modutils_domtrans_insmod(udev_t)
+
+seutil_read_config(udev_t)
+seutil_read_default_contexts(udev_t)
+seutil_read_file_contexts(udev_t)
+seutil_domtrans_restorecon(udev_t)
+
+sysnet_domtrans_ifconfig(udev_t)
+
+userdom_use_sysadm_ttys(udev_t)
+userdom_dontaudit_search_all_users_home_content(udev_t)
+
+ifdef(`distro_redhat',`
+	fs_manage_tmpfs_dirs(udev_t)
+	fs_manage_tmpfs_files(udev_t)
+	fs_manage_tmpfs_symlinks(udev_t)
+	fs_manage_tmpfs_sockets(udev_t)
+	fs_manage_tmpfs_blk_files(udev_t)
+	fs_manage_tmpfs_chr_files(udev_t)
+	fs_relabel_tmpfs_blk_file(udev_t)
+	fs_relabel_tmpfs_chr_file(udev_t)
+
+	# for arping used for static IP addresses on PCMCIA ethernet
+	netutils_domtrans(udev_t)
+')
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(udev_t)
+	term_dontaudit_use_generic_ptys(udev_t)
+
+	unconfined_domain(udev_t)
+')
+
+optional_policy(`
+	auth_read_pam_console_data(udev_t)
+	auth_domtrans_pam_console(udev_t)
+')
+
+optional_policy(`
+	consoletype_exec(udev_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client_template(udev,udev_t)
+')
+
+optional_policy(`
+	hal_dgram_send(udev_t)
+')
+
+optional_policy(`
+	hotplug_read_config(udev_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(udev_t)
+')
+
+optional_policy(`
+	nscd_socket_use(udev_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_dhcpc(udev_t)
+')
+
+optional_policy(`
+	xserver_read_xdm_pid(udev_t)
+')
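Review bot: `allow udev_t udev_exec_t:file write;` lets the daemon modify its own entry-point binaries (udev_exec_t also labels `/sbin/start_udev`, `/sbin/udevd` and the kernel transition entry), which largely defeats the domain boundary; if a specific udev_exec_t file genuinely has to be rewritten at runtime, comment which one and why, otherwise drop the rule or at minimum `auditallow udev_t udev_exec_t:file write;`. The first `allow udev_t self:capability` line lists `sys_nice` twice, and the following two `self:process` rules first exclude `execmem setfscreate` via a complement and then re-add them on the next line — remove those two names from the `~{ ... }` set and delete the second rule. Since `unconfined_domain(udev_t)` under `targeted_policy` makes everything above moot in that build, a one-line comment stating that the confined rules apply to strict only would save the next reader from tightening them in vain.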
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
new file mode 100644
index 0000000..08643f9
--- /dev/null
+++ b/policy/modules/system/unconfined.fc
@@ -0,0 +1,12 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/vncserver	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+
+ifdef(`targeted_policy',`
+/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/local/RealPlay/realplay.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/mplayer	 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+')
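Review bot: The `/usr/bin/vncserver` → `unconfined_exec_t` entry sits outside the `ifdef(`targeted_policy'` guard, so a network-listening service is placed in the unconfined domain under the strict policy as well, and the comment above it ("For the time being until someone writes a sane policy") names no owner or tracking reference. Either move that line inside the targeted block or turn the comment into a concrete TODO naming the missing vncserver module, so the exception is not forgotten. A regex nit: `openoffice.org.*` leaves the `.` before `org` unescaped; `openoffice\.org.*` matches what was intended.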
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
new file mode 100644
index 0000000..e2f4bc5
--- /dev/null
+++ b/policy/modules/system/unconfined.if
@@ -0,0 +1,507 @@
+## <summary>The unconfined domain.</summary>
+
+########################################
+## <summary>
+##	Make the specified domain unconfined.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to make unconfined.
+##	</summary>
+## </param>
+#
+interface(`unconfined_domain_noaudit',`
+	gen_require(`
+		class dbus all_dbus_perms;
+		class nscd all_nscd_perms;
+		class passwd all_passwd_perms;
+	')
+
+	# Use any Linux capability.
+	allow $1 self:capability *;
+	allow $1 self:fifo_file create_file_perms;
+
+	# Transition to myself, to make get_ordered_context_list happy.
+	allow $1 self:process transition;
+
+	# Write access is for setting attributes under /proc/self/attr.
+	allow $1 self:file rw_file_perms;
+
+	# Userland object managers
+	allow $1 self:nscd *;
+	allow $1 self:dbus *;
+	allow $1 self:passwd *;
+
+	kernel_unconfined($1)
+	corenet_unconfined($1)
+	dev_unconfined($1)
+	domain_unconfined($1)
+	domain_dontaudit_read_all_domains_state($1)
+	files_unconfined($1)
+	fs_unconfined($1)
+	selinux_unconfined($1)
+
+	tunable_policy(`allow_execheap',`
+		# Allow making the stack executable via mprotect.
+		allow $1 self:process execheap;
+	')
+
+	tunable_policy(`allow_execmem',`
+		# Allow making anonymous memory executable, e.g. 
+		# for runtime-code generation or executable stack.
+		allow $1 self:process execmem;
+	')
+
+	tunable_policy(`allow_execmem && allow_execstack',`
+		# Allow making the stack executable via mprotect.
+		allow $1 self:process execstack;
+#		auditallow $1 self:process execstack;
+	')
+
+
+	optional_policy(`
+		auth_unconfined($1)
+	')
+
+	optional_policy(`
+		# Communicate via dbusd.
+		dbus_system_bus_unconfined($1)
+	')
+
+	optional_policy(`
+		# this is to handle execmod on shared
+		# libs with text relocations
+		libs_use_shared_libs($1)
+	')
+
+	optional_policy(`
+		nscd_unconfined($1)
+	')
+
+	optional_policy(`
+		seutil_create_bin_policy($1)
+		seutil_relabelto_bin_policy($1)
+	')
+
+	optional_policy(`
+		storage_unconfined($1)
+	')
+')
+
+########################################
+## <summary>
+##	Make the specified domain unconfined and
+##	audit executable memory and executable heap
+##	usage.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to make unconfined.
+##	</summary>
+## </param>
+#
+interface(`unconfined_domain',`
+	unconfined_domain_noaudit($1)
+
+	tunable_policy(`allow_execheap',`
+		auditallow $1 self:process execheap;
+	')
+
+# Turn off this audit for FC5
+#	tunable_policy(`allow_execmem',`
+#		auditallow $1 self:process execmem;
+#	')
+')
+
+########################################
+## <summary>
+##	Transition to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_domtrans',`
+	gen_require(`
+		type unconfined_t, unconfined_exec_t;
+	')
+
+	domain_auto_trans($1,unconfined_exec_t,unconfined_t)
+
+	allow $1 unconfined_t:fd use;
+	allow unconfined_t $1:fd use;
+	allow unconfined_t $1:fifo_file rw_file_perms;
+	allow unconfined_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute specified programs in the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the unconfined domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the unconfined domain to use.
+##	</summary>
+## </param>
+#
+interface(`unconfined_run',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	unconfined_domtrans($1)
+	role $2 types unconfined_t;
+	allow unconfined_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Transition to the unconfined domain by executing a shell.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_shell_domtrans',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	corecmd_shell_domtrans($1,unconfined_t)
+')
+
+########################################
+## <summary>
+##	Allow unconfined to execute the specified program in
+##	the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Allow unconfined to execute the specified program in
+##	the specified domain.
+##	</p>
+##	<p>
+##	This is a interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to execute in.
+##	</summary>
+## </param>
+## <param name="entry_file">
+##	<summary>
+##	Domain entry point file.
+##	</summary>
+## </param>
+#
+interface(`unconfined_domtrans_to',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	domain_auto_trans(unconfined_t,$2,$1)
+	allow $1 unconfined_t:fd use;
+	allow $1 unconfined_t:fifo_file rw_file_perms;
+	allow $1 unconfined_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit file descriptors from the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_use_fds',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:fd use;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_sigchld',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a SIGNULL signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_signull',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_signal',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process signal;
+')
+
+########################################
+## <summary>
+##	Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_read_pipes',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_read_pipes',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:fifo_file read;
+')
+
+########################################
+## <summary>
+##	Read and write unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_rw_pipes',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect to the unconfined domain using
+##	a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_stream_connect',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	unconfined domain tcp sockets.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to read or write
+##	unconfined domain tcp sockets.
+##	</p>
+##	<p>
+##	This interface was added due to a broken
+##	symptom in ldconfig.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_tcp_sockets',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Create keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_create_keys',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:key create;
+')
+
+########################################
+## <summary>
+##	Send messages to the unconfined domain over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dbus_send',`
+	gen_require(`
+		type unconfined_t;
+		class dbus send_msg;
+	')
+
+	allow $1 unconfined_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	unconfined_t over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dbus_chat',`
+	gen_require(`
+		type unconfined_t;
+		class dbus send_msg;
+	')
+
+	allow $1 unconfined_t:dbus send_msg;
+	allow unconfined_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Add an alias type to the unconfined domain.
+## </summary>
+## <desc>
+##	<p>
+##	Add an alias type to the unconfined domain.
+##	</p>
+##	<p>
+##	This is added to support targeted policy.  Its
+##	use should be limited.  It has no effect
+##	on the strict policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	New alias of the unconfined domain.
+##	</summary>
+## </param>
+#
+interface(`unconfined_alias_domain',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type unconfined_t;
+		')
+
+		typealias unconfined_t alias $1;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')
+
+########################################
+## <summary>
+##	Connect to the the unconfined DBUS
+##	for service (acquire_svc).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dbus_connect',`
+	gen_require(`
+		type unconfined_t;
+		class dbus acquire_svc;
+	')
+
+	allow $1 unconfined_t:dbus acquire_svc;
+')
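Review bot: The comment on the `allow_execheap` tunable in `unconfined_domain_noaudit` says "Allow making the stack executable via mprotect." but the permission it guards is `execheap`; it should read `# Allow making the heap executable via mprotect.` (the same sentence is correct two tunables later, where it guards `execstack`). The summary of `unconfined_domain` promises to "audit executable memory and executable heap usage", yet the `execmem` auditallow is commented out ("Turn off this audit for FC5"), so only execheap is audited — update the summary to match, or restore the rule rather than letting a distro-specific tweak silently change documented behaviour. `unconfined_domtrans_to` already warns it is not allowed upstream; its description should also state that it grants the target domain `fd use` and `fifo_file rw_file_perms` back into unconfined_t, which callers may not expect from a transition helper.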
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
new file mode 100644
index 0000000..887ac68
--- /dev/null
+++ b/policy/modules/system/unconfined.te
@@ -0,0 +1,198 @@
+
+policy_module(unconfined,1.3.12)
+
+########################################
+#
+# Declarations
+#
+
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type unconfined_t;
+')
+type unconfined_exec_t;
+init_system_domain(unconfined_t,unconfined_exec_t)
+
+ifdef(`targeted_policy',`
+	type unconfined_execmem_t;
+	type unconfined_execmem_exec_t;
+	init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+unconfined_domain(unconfined_t)
+
+logging_send_syslog_msg(unconfined_t)
+
+ifdef(`targeted_policy',`
+	allow unconfined_t self:system syslog_read;
+	dontaudit unconfined_t self:capability sys_module;
+
+	domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
+
+	files_create_boot_flag(unconfined_t)
+
+	init_domtrans_script(unconfined_t)
+
+	libs_domtrans_ldconfig(unconfined_t)
+
+	logging_domtrans_auditctl(unconfined_t)
+
+	mount_domtrans_unconfined(unconfined_t)
+
+	seutil_domtrans_restorecon(unconfined_t)
+	seutil_domtrans_semanage(unconfined_t)
+
+	userdom_unconfined(unconfined_t)
+	userdom_priveleged_home_dir_manager(unconfined_t)
+
+	optional_policy(`
+		ada_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		amanda_domtrans_recover(unconfined_t)
+	')
+
+	optional_policy(`
+		apache_domtrans_helper(unconfined_t)
+	')
+
+	optional_policy(`
+		bind_domtrans_ndc(unconfined_t)
+	')
+
+	optional_policy(`
+		bluetooth_domtrans_helper(unconfined_t)
+	')
+
+	optional_policy(`
+		init_dbus_chat_script(unconfined_t)
+
+		dbus_stub(unconfined_t)
+
+		optional_policy(`
+			avahi_dbus_chat(unconfined_t)
+		')
+
+		optional_policy(`
+			bluetooth_dbus_chat(unconfined_t)
+		')
+
+		optional_policy(`
+			cups_dbus_chat_config(unconfined_t)
+		')
+
+		optional_policy(`
+			hal_dbus_chat(unconfined_t)
+		')
+
+		optional_policy(`
+			networkmanager_dbus_chat(unconfined_t)
+		')
+	')
+
+	optional_policy(`
+		dmidecode_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		firstboot_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		ftp_domtrans_ftpdctl(unconfined_t)
+	')
+
+	optional_policy(`
+		inn_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		java_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		lpd_domtrans_checkpc(unconfined_t)
+	')
+
+	optional_policy(`
+		modutils_domtrans_update_mods(unconfined_t)
+	')
+
+	optional_policy(`
+		mono_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		prelink_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		portmap_domtrans_helper(unconfined_t)
+	')
+
+	optional_policy(`
+		postfix_domtrans_map(unconfined_t)
+		# cjp: this should probably be removed:
+		postfix_domtrans_master(unconfined_t)
+	')
+
+	optional_policy(`
+		# cjp: this should probably be removed:
+		rpc_domtrans_nfsd(unconfined_t)
+	')
+
+	optional_policy(`
+		rpm_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		samba_domtrans_net(unconfined_t)
+		samba_domtrans_winbind_helper(unconfined_t)
+	')
+
+	optional_policy(`
+		sendmail_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		sysnet_domtrans_dhcpc(unconfined_t)
+		sysnet_dbus_chat_dhcpc(unconfined_t)
+	')
+
+	optional_policy(`
+		usermanage_domtrans_admin_passwd(unconfined_t)
+	')
+
+	optional_policy(`
+		vpn_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		webalizer_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		wine_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
+		xserver_domtrans_xdm_xserver(unconfined_t)
+	')
+')
+
+########################################
+#
+# Unconfined Execmem Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow unconfined_execmem_t self:process { execstack execmem };
+	unconfined_domain_noaudit(unconfined_execmem_t)
+')
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
new file mode 100644
index 0000000..58d0e2d
--- /dev/null
+++ b/policy/modules/system/userdomain.fc
@@ -0,0 +1,9 @@
+
+# temporary hack till genhomedircon is fixed
+ifdef(`targeted_policy',`
+HOME_DIR		-d	gen_context(system_u:object_r:user_home_dir_t,s0)
+HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
+',`
+HOME_DIR		-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
+HOME_DIR/.+		gen_context(system_u:object_r:ROLE_home_t,s0)
+')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
new file mode 100644
index 0000000..bb6212b
--- /dev/null
+++ b/policy/modules/system/userdomain.if
@@ -0,0 +1,4791 @@
+## <summary>Policy for user domains</summary>
+
+#######################################
+## <summary>
+##	The template containing rules common to unprivileged
+##	users and administrative users.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user domain, types, and
+##	rules for the user's tty, pty, home directories,
+##	tmp, and tmpfs files.
+##	</p>
+##	<p>
+##	This generally should not be used, rather the
+##	unpriv_user_template or admin_user_template should
+##	be used.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`base_user_template',`
+
+	attribute $1_file_type;
+
+	type $1_t, userdomain;
+	domain_type($1_t)
+	corecmd_shell_entry_type($1_t)
+	corecmd_bin_entry_type($1_t)
+	corecmd_sbin_entry_type($1_t)
+	domain_user_exemption_target($1_t)
+	role $1_r types $1_t;
+	allow system_r $1_r;
+
+	# user pseudoterminal
+	type $1_devpts_t;
+	term_user_pty($1_t,$1_devpts_t)
+	files_type($1_devpts_t)
+
+	# type for contents of home directory
+	type $1_home_t, $1_file_type, home_type;
+	files_type($1_home_t)
+	files_associate_tmp($1_home_t)
+	fs_associate_tmpfs($1_home_t)
+
+	# type of home directory
+	type $1_home_dir_t, home_dir_type, home_type;
+	files_type($1_home_dir_t)
+	files_associate_tmp($1_home_dir_t)
+	fs_associate_tmpfs($1_home_dir_t)
+
+	type $1_tmp_t, $1_file_type;
+	files_tmp_file($1_tmp_t)
+
+	type $1_tmpfs_t;
+	files_tmpfs_file($1_tmpfs_t)
+
+	# types for network-obtained content
+	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
+	files_type($1_untrusted_content_t)
+	files_poly_member($1_untrusted_content_t)
+
+	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
+	files_tmp_file($1_untrusted_content_tmp_t)
+
+	type $1_tty_device_t; 
+	term_tty($1_t,$1_tty_device_t)
+
+	##############################
+	#
+	# User home directory file rules
+	#
+
+	allow $1_file_type $1_home_t:filesystem associate;
+
+	##############################
+	#
+	# User domain Local policy
+	#
+
+	allow $1_t self:capability { setgid chown fowner };
+	dontaudit $1_t self:capability { sys_nice fsetid };
+	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_t self:process { ptrace setfscreate };
+	allow $1_t self:fd use;
+	allow $1_t self:fifo_file rw_file_perms;
+	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow $1_t self:shm create_shm_perms;
+	allow $1_t self:sem create_sem_perms;
+	allow $1_t self:msgq create_msgq_perms;
+	allow $1_t self:msg { send receive };
+	dontaudit $1_t self:socket create;
+	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:udp_socket { create_socket_perms sendto recvfrom };
+
+	# evolution and gnome-session try to create a netlink socket
+	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+	# execute files in the home directory
+	can_exec($1_t,$1_home_t)
+
+	# full control of the home directory
+	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
+	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
+	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
+	files_search_home($1_t)
+
+	can_exec($1_t,$1_tmp_t)
+
+	# user temporary files
+	allow $1_t $1_tmp_t:file create_file_perms;
+	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
+	allow $1_t $1_tmp_t:dir create_dir_perms;
+	allow $1_t $1_tmp_t:sock_file create_file_perms;
+	allow $1_t $1_tmp_t:fifo_file create_file_perms;
+	files_tmp_filetrans($1_t, $1_tmp_t, { dir notdevfile_class_set })
+
+	# Bind to a Unix domain socket in /tmp.
+	# cjp: this is combination is not checked and should be removed
+	allow $1_t $1_tmp_t:unix_stream_socket name_bind;
+
+	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
+	allow $1_t $1_tmpfs_t:file create_file_perms;
+	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
+	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
+	fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
+
+	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
+
+	# Allow user to relabel untrusted content
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
+	allow $1_t unpriv_userdomain:fd use;
+
+	kernel_read_kernel_sysctls($1_t)
+	kernel_read_net_sysctls($1_t)
+	kernel_dontaudit_list_unlabeled($1_t)
+	kernel_dontaudit_getattr_unlabeled_files($1_t)
+	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
+	kernel_dontaudit_getattr_unlabeled_pipes($1_t)
+	kernel_dontaudit_getattr_unlabeled_sockets($1_t)
+	kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
+	kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
+	# Very permissive allowing every domain to see every type:
+	kernel_get_sysvipc_info($1_t)
+	# Find CDROM devices:
+	kernel_read_device_sysctls($1_t)
+
+	dev_rw_power_management($1_t)
+	# GNOME checks for usb and other devices:
+	dev_rw_usbfs($1_t)
+
+	corenet_non_ipsec_sendrecv($1_t)
+	corenet_tcp_sendrecv_all_if($1_t)
+	corenet_udp_sendrecv_all_if($1_t)
+	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_udp_sendrecv_all_nodes($1_t)
+	corenet_tcp_sendrecv_all_ports($1_t)
+	corenet_udp_sendrecv_all_ports($1_t)
+	corenet_tcp_bind_all_nodes($1_t)
+	corenet_udp_bind_all_nodes($1_t)
+	corenet_udp_bind_generic_port($1_t)
+	corenet_tcp_connect_all_ports($1_t)
+	corenet_sendrecv_all_client_packets($1_t)
+
+	dev_read_input($1_t)
+	dev_read_misc($1_t)
+	dev_write_misc($1_t)
+	dev_write_sound($1_t)
+	dev_read_sound($1_t)
+	dev_read_sound_mixer($1_t)
+	dev_write_sound_mixer($1_t)
+	dev_read_rand($1_t)
+	dev_read_urand($1_t)
+	# open office is looking for the following
+	dev_getattr_agp_dev($1_t)
+	dev_dontaudit_rw_dri($1_t)
+
+	fs_get_all_fs_quotas($1_t)
+	fs_getattr_all_fs($1_t)
+	fs_getattr_all_dirs($1_t)
+	fs_search_auto_mountpoints($1_t)
+
+	# cjp: some of this probably can be removed
+	selinux_get_fs_mount($1_t)
+	selinux_validate_context($1_t)
+	selinux_compute_access_vector($1_t)
+	selinux_compute_create_context($1_t)
+	selinux_compute_relabel_context($1_t)
+	selinux_compute_user_contexts($1_t)
+
+	# for eject
+	storage_getattr_fixed_disk_dev($1_t)
+
+	auth_read_login_records($1_t)
+	auth_dontaudit_write_login_records($1_t)
+	auth_search_pam_console_data($1_t)
+	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+
+	corecmd_exec_bin($1_t)
+	corecmd_exec_sbin($1_t)
+	corecmd_exec_ls($1_t)
+
+	domain_use_interactive_fds($1_t)
+	# When the user domain runs ps, there will be a number of access
+	# denials when ps tries to search /proc.  Do not audit these denials.
+	domain_dontaudit_read_all_domains_state($1_t)
+	domain_dontaudit_getattr_all_domains($1_t)
+	domain_dontaudit_getsession_all_domains($1_t)
+
+	files_exec_etc_files($1_t)
+	files_search_locks($1_t)
+	# Check to see if cdrom is mounted
+	files_search_mnt($1_t)
+	# old broswer_domain():
+	files_dontaudit_list_non_security($1_t)
+	files_dontaudit_getattr_non_security_files($1_t)
+	files_dontaudit_getattr_non_security_symlinks($1_t)
+	files_dontaudit_getattr_non_security_pipes($1_t)
+	files_dontaudit_getattr_non_security_sockets($1_t)
+	files_dontaudit_getattr_non_security_blk_files($1_t)
+	files_dontaudit_getattr_non_security_chr_files($1_t)
+
+	# Caused by su - init scripts
+	init_dontaudit_use_script_ptys($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+	libs_exec_ld_so($1_t)
+	libs_exec_lib_files($1_t)
+
+	logging_dontaudit_getattr_all_logs($1_t)
+
+	miscfiles_read_localization($1_t)
+	# for running TeX programs
+	miscfiles_read_tetex_data($1_t)
+	miscfiles_exec_tetex_data($1_t)
+
+	seutil_read_file_contexts($1_t)
+	seutil_read_default_contexts($1_t)
+	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+
+	tunable_policy(`allow_execmem',`
+		# Allow loading DSOs that require executable stack.
+		allow $1_t self:process execmem;
+	')
+
+	tunable_policy(`allow_execmem && allow_execstack',`
+		# Allow making the stack executable via mprotect.
+		allow $1_t self:process execstack;
+	')
+
+	tunable_policy(`read_default_t',`
+		files_list_default($1_t)
+		files_read_default_files($1_t)
+		files_read_default_symlinks($1_t)
+		files_read_default_sockets($1_t)
+		files_read_default_pipes($1_t)
+	',`
+		files_dontaudit_list_default($1_t)
+		files_dontaudit_read_default_files($1_t)
+	')
+
+	tunable_policy(`read_untrusted_content',`
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
+	',`
+		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
+		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_t)
+		fs_manage_nfs_files($1_t)
+		fs_manage_nfs_symlinks($1_t)
+		fs_manage_nfs_named_sockets($1_t)
+		fs_manage_nfs_named_pipes($1_t)
+		fs_exec_nfs_files($1_t)
+	',`
+		fs_dontaudit_manage_nfs_dirs($1_t)
+		fs_dontaudit_manage_nfs_files($1_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_t)
+		fs_manage_cifs_files($1_t)
+		fs_manage_cifs_symlinks($1_t)
+		fs_manage_cifs_named_sockets($1_t)
+		fs_manage_cifs_named_pipes($1_t)
+		fs_exec_cifs_files($1_t)
+	',`
+		fs_dontaudit_manage_cifs_dirs($1_t)
+		fs_dontaudit_manage_cifs_files($1_t)
+	')
+
+	tunable_policy(`user_direct_mouse',`
+		dev_read_mouse($1_t)
+	')
+
+	tunable_policy(`user_ttyfile_stat',`
+		term_getattr_all_user_ttys($1_t)
+	')
+
+	optional_policy(`
+		# Allow graphical boot to check battery lifespan
+		apm_stream_connect($1_t)
+	')
+
+	optional_policy(`
+		canna_stream_connect($1_t)
+	')
+
+	optional_policy(`
+		cups_stream_connect_ptal($1_t)
+	')
+
+	optional_policy(`
+		dbus_system_bus_client_template($1,$1_t)
+
+		optional_policy(`
+			cups_dbus_chat_config($1_t)
+		')
+
+		optional_policy(`
+			hal_dbus_chat($1_t)
+		')
+
+		optional_policy(`
+			networkmanager_dbus_chat($1_t)
+		')
+	')
+
+	optional_policy(`
+		dictd_tcp_connect($1_t)
+	')
+
+	optional_policy(`
+		tunable_policy(`ftpd_is_daemon',`
+			ftp_tcp_connect($1_t)
+		')
+	')
+
+	optional_policy(`
+		finger_tcp_connect($1_t)
+	')
+
+	optional_policy(`
+		i18n_use($1_t)
+	')
+
+	optional_policy(`
+		inetd_tcp_connect($1_t)
+		inetd_udp_send($1_t)
+		inetd_use_fds($1_t)
+		inetd_rw_tcp_sockets($1_t)
+	')
+
+	optional_policy(`
+		inn_read_config($1_t)
+		inn_read_news_lib($1_t)
+		inn_read_news_spool($1_t)
+	')
+
+	optional_policy(`
+		jabber_tcp_connect($1_t)
+	')
+
+	optional_policy(`
+		mta_rw_spool($1_t)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_t)
+	')
+
+	optional_policy(`
+		ifdef(`strict_policy',`
+			tunable_policy(`allow_user_mysql_connect',`
+				mysql_stream_connect($1_t)
+			')
+		')
+	')
+
+	optional_policy(`
+		nessus_tcp_connect($1_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_t)
+	')
+
+	optional_policy(`
+		# to allow monitoring of pcmcia status
+		pcmcia_read_pid($1_t)
+	')
+
+	optional_policy(`
+		perdition_tcp_connect($1_t)
+	')
+
+	optional_policy(`
+		portmap_tcp_connect($1_t)
+	')
+
+	optional_policy(`
+		quota_dontaudit_getattr_db($1_t)
+	')
+
+	optional_policy(`
+		resmgr_stream_connect($1_t)
+	')
+
+	optional_policy(`
+		rpc_dontaudit_getattr_exports($1_t)
+		rpc_manage_nfs_rw_content($1_t)
+	')
+
+	optional_policy(`
+		files_getattr_var_lib_dirs($1_t)
+		files_search_var_lib($1_t)
+		rpm_read_db($1_t)
+		rpm_dontaudit_manage_db($1_t)
+	')
+
+	optional_policy(`
+		samba_stream_connect_winbind($1_t)
+	')
+
+	optional_policy(`
+		slrnpull_search_spool($1_t)
+	')
+
+	optional_policy(`
+		soundserver_tcp_connect($1_t)
+	')
+
+	optional_policy(`
+		squid_use($1_t)
+	')
+
+	optional_policy(`
+		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+	')
+
+	optional_policy(`
+		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+	')
+
+	optional_policy(`
+		dev_rw_xserver_misc($1_t)
+		xserver_user_client_template($1,$1_t,$1_tmpfs_t)
+		xserver_xsession_entry_type($1_t)
+		xserver_dontaudit_write_log($1_t)
+		xserver_stream_connect_xdm($1_t)
+		# certain apps want to read xdm.pid file
+		xserver_read_xdm_pid($1_t)
+		# gnome-session creates socket under /tmp/.ICE-unix/
+		xserver_create_xdm_tmp_sockets($1_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The template for creating a unprivileged user.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user domain, types, and
+##	rules for the user's tty, pty, home directories,
+##	tmp, and tmpfs files.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`unpriv_user_template', `
+	##############################
+	#
+	# Declarations
+	#
+
+	# Inherit rules for ordinary users.
+	base_user_template($1)
+
+	typeattribute $1_t unpriv_userdomain;
+	domain_interactive_fd($1_t)
+
+	typeattribute $1_devpts_t user_ptynode;
+
+	typeattribute $1_home_dir_t user_home_dir_type;
+	files_poly($1_home_dir_t)
+
+	typeattribute $1_home_t user_home_type;
+	files_poly_member($1_home_t)
+
+	typeattribute $1_tmp_t user_tmpfile;
+	typeattribute $1_tty_device_t user_ttynode;
+
+	##############################
+	#
+	# Local policy
+	#
+
+	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+	term_create_pty($1_t,$1_devpts_t)
+
+	# Rules used to associate a homedir as a mountpoint
+	allow $1_home_t self:filesystem associate;
+	allow $1_file_type $1_home_t:filesystem associate;
+
+	# privileged home directory writers
+	allow privhome $1_home_t:file create_file_perms;
+	allow privhome $1_home_t:lnk_file create_lnk_perms;
+	allow privhome $1_home_t:dir create_dir_perms;
+	allow privhome $1_home_t:sock_file create_file_perms;
+	allow privhome $1_home_t:fifo_file create_file_perms;
+	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
+
+	kernel_read_system_state($1_t)
+	kernel_read_network_state($1_t)
+
+	dev_read_sysfs($1_t)
+
+	corecmd_exec_all_executables($1_t)
+
+	# port access is audited even if dac would not have allowed it, so dontaudit it here
+	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+
+	files_read_etc_files($1_t)
+	files_read_etc_runtime_files($1_t)
+	files_list_home($1_t)
+	files_read_usr_files($1_t)
+	files_exec_usr_files($1_t)
+	# Read directories and files with the readable_t type.
+	# This type is a general type for "world"-readable files.
+	files_list_world_readable($1_t)
+	files_read_world_readable_files($1_t)
+	files_read_world_readable_symlinks($1_t)
+	files_read_world_readable_pipes($1_t)
+	files_read_world_readable_sockets($1_t)
+	# cjp: why?
+	files_read_kernel_symbol_table($1_t)
+
+	init_read_utmp($1_t)
+	# The library functions always try to open read-write first,
+	# then fall back to read-only if it fails. 
+	init_dontaudit_write_utmp($1_t)
+	# Stop warnings about access to /dev/console
+	init_dontaudit_use_fds($1_t)
+	init_dontaudit_use_script_fds($1_t)
+
+	miscfiles_read_man_pages($1_t)
+
+	seutil_read_config($1_t)
+	# Allow users to execute checkpolicy without a domain transition
+	# so it can be used without privilege to write real binary policy file
+	seutil_exec_checkpolicy($1_t)
+
+	ifdef(`enable_polyinstantiation',`
+		type_member $1_t $1_home_dir_t:dir $1_home_t;
+		files_poly_member_tmp($1_t,$1_tmp_t)
+	')
+
+	tunable_policy(`user_dmesg',`
+		kernel_read_ring_buffer($1_t)
+	',`
+		kernel_dontaudit_read_ring_buffer($1_t)
+	')
+
+	# Allow users to rw usb devices
+	tunable_policy(`user_rw_usb',`
+		dev_rw_usbfs($1_t)
+	',`
+		dev_read_usbfs($1_t)
+	')
+
+	# Allow users to run TCP servers (bind to ports and accept connection from
+	# the same domain and outside users)  disabling this forces FTP passive mode
+	# and may change other protocols
+	tunable_policy(`user_tcp_server',`
+		corenet_tcp_bind_generic_port($1_t)
+	')
+
+	optional_policy(`
+		dbus_stub($1_t)
+
+		optional_policy(`
+			bluetooth_dbus_chat($1_t)
+		')
+	')
+
+	optional_policy(`
+		kerberos_use($1_t)
+	')
+
+	optional_policy(`
+		loadkeys_run($1_t,$1_r,$1_tty_device_t)
+	')
+
+	# for running depmod as part of the kernel packaging process
+	optional_policy(`
+		modutils_read_module_config($1_t)
+	')
+
+	optional_policy(`
+		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+	')
+
+	# Run pppd in pppd_t by default for user
+	optional_policy(`
+		ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+	')
+
+	optional_policy(`
+		# for when the network connection is killed
+		seutil_dontaudit_signal_newrole($1_t)
+	')
+
+	# Need the following rule to allow users to run vpnc
+	optional_policy(`
+		corenet_tcp_bind_xserver_port($1_t)
+	')
+
+	ifdef(`TODO',`
+	ifndef(`enable_mls',`
+		fs_exec_noxattr($1_t)
+
+		tunable_policy(`user_rw_noexattrfile',`
+			create_dir_file($1_t, noexattrfile)
+			# Write floppies 
+			storage_raw_read_removable_device($1_t)
+			storage_raw_write_removable_device($1_t)
+			# cjp: what does this have to do with removable devices?
+			allow $1_t usbtty_device_t:chr_file write;
+		',`
+			fs_read_noxattr_files($1_t)
+			r_dir_file($1_t, noexattrfile)
+			allow $1_t removable_device_t:blk_file r_file_perms;
+		')
+	')
+
+	dontaudit $1_t boot_t:lnk_file read;
+	dontaudit $1_t boot_t:file read;
+
+	# do not audit read on disk devices
+	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
+
+	ifdef(`xdm.te', `
+		allow xdm_t $1_home_t:lnk_file read;
+		allow xdm_t $1_home_t:dir search;
+		#
+		# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
+		# 
+		dontaudit xdm_t $1_home_t:file rw_file_perms;
+	')
+
+	ifdef(`ftpd.te', `
+		tunable_policy(`ftp_home_dir',`
+			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+		')
+	')
+
+	ifdef(`useradd.te', `
+	# Useradd relabels /etc/skel files so needs these privs 
+	allow useradd_t $1_file_type:dir create_dir_perms;
+	allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
+	')
+
+	# Stat lost+found.
+	allow $1_t lost_found_t:dir getattr;
+
+	# Read /var, /var/spool, /var/run.
+	r_dir_file($1_t, var_t)
+	# what about pipes and sockets under /var/spool?
+	r_dir_file($1_t, var_spool_t)
+	r_dir_file($1_t, var_run_t)
+	allow $1_t var_lib_t:dir r_dir_perms;
+	allow $1_t var_lib_t:file { getattr read };
+
+	# Do not audit write denials to /etc/ld.so.cache.
+	dontaudit $1_t ld_so_cache_t:file write;
+
+	dontaudit $1_t sysadm_home_t:file { read append };
+
+	allow $1_t initrc_t:fifo_file write;
+	') dnl end TODO
+')
+
+#######################################
+## <summary>
+##	The template for creating an administrative user.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user domain, types, and
+##	rules for the user's tty, pty, home directories,
+##	tmp, and tmpfs files.
+##	</p>
+##	<p>
+##	The privileges given to administrative users are:
+##	<ul>
+##		<li>Raw disk access</li>
+##		<li>Set all sysctls</li>
+##		<li>All kernel ring buffer controls</li>
+##		<li>Create, read, write, and delete all files but shadow</li>
+##		<li>Manage source and binary format SELinux policy</li>
+##		<li>Run insmod</li>
+##	</ul>
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., sysadm
+##	is the prefix for sysadm_t).
+##	</summary>
+## </param>
+#
+template(`admin_user_template',`
+	gen_require(`
+		class passwd { passwd chfn chsh rootok crontab };
+	')
+
+	##############################
+	#
+	# Declarations
+	#
+
+	# Inherit rules for ordinary users.
+	base_user_template($1)
+
+	typeattribute $1_t privhome;
+	domain_obj_id_change_exemption($1_t)
+	role system_r types $1_t;
+
+	ifdef(`direct_sysadm_daemon',`
+		domain_system_change_exemption($1_t)
+	')
+	
+	typeattribute $1_devpts_t admin_terminal;
+
+	typeattribute $1_tty_device_t admin_terminal;
+
+	##############################
+	#
+	# $1_t local policy
+	#
+
+	allow $1_t self:capability ~sys_module;
+	allow $1_t self:process { setexec setfscreate };
+
+	# Set password information for other users.
+	allow $1_t self:passwd { passwd chfn chsh };
+
+	# Skip authentication when pam_rootok is specified.
+	allow $1_t self:passwd rootok;
+
+	# Manipulate other users crontab.
+	allow $1_t self:passwd crontab;
+
+	# for the administrator to run TCP servers directly
+	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
+
+	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+
+	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+	term_create_pty($1_t,$1_devpts_t)
+
+	kernel_read_system_state($1_t)
+	kernel_read_network_state($1_t)
+	kernel_read_software_raid_state($1_t)
+	kernel_getattr_core_if($1_t)
+	kernel_getattr_message_if($1_t)
+	kernel_change_ring_buffer_level($1_t)
+	kernel_clear_ring_buffer($1_t)
+	kernel_read_ring_buffer($1_t)
+	kernel_get_sysvipc_info($1_t)
+	kernel_rw_all_sysctls($1_t)
+	# signal unlabeled processes:
+	kernel_kill_unlabeled($1_t)
+	kernel_signal_unlabeled($1_t)
+	kernel_sigstop_unlabeled($1_t)
+	kernel_signull_unlabeled($1_t)
+	kernel_sigchld_unlabeled($1_t)
+	# for the administrator to run TCP servers directly
+	kernel_tcp_recvfrom($1_t)
+
+	corenet_tcp_bind_generic_port($1_t)
+	# allow setting up tunnels
+	corenet_rw_tun_tap_dev($1_t)
+
+	dev_getattr_generic_blk_files($1_t)
+	dev_getattr_generic_chr_files($1_t)
+	dev_getattr_all_blk_files($1_t)
+	dev_getattr_all_chr_files($1_t)
+
+	fs_getattr_all_fs($1_t)
+	fs_set_all_quotas($1_t)
+	fs_exec_noxattr($1_t)
+
+	# Get security policy decisions:
+	selinux_get_fs_mount($1_t)
+	selinux_validate_context($1_t)
+	selinux_compute_access_vector($1_t)
+	selinux_compute_create_context($1_t)
+	selinux_compute_relabel_context($1_t)
+	selinux_compute_user_contexts($1_t)
+
+	storage_raw_read_removable_device($1_t)
+	storage_raw_write_removable_device($1_t)
+
+	term_use_console($1_t)
+	term_use_unallocated_ttys($1_t)
+	term_use_all_user_ptys($1_t)
+	term_use_all_user_ttys($1_t)
+
+	auth_getattr_shadow($1_t)
+	# Manage almost all files
+	auth_manage_all_files_except_shadow($1_t)
+	# Relabel almost all files
+	auth_relabel_all_files_except_shadow($1_t)
+
+	domain_setpriority_all_domains($1_t)
+	domain_read_all_domains_state($1_t)
+	domain_getattr_all_domains($1_t)
+	domain_dontaudit_ptrace_all_domains($1_t)
+	# signal all domains:
+	domain_kill_all_domains($1_t)
+	domain_signal_all_domains($1_t)
+	domain_signull_all_domains($1_t)
+	domain_sigstop_all_domains($1_t)
+	domain_sigstop_all_domains($1_t)
+	domain_sigchld_all_domains($1_t)
+	# for lsof
+	domain_getattr_all_sockets($1_t)
+
+	files_exec_usr_src_files($1_t)
+
+	init_rw_initctl($1_t)
+
+	logging_send_syslog_msg($1_t)
+
+	modutils_domtrans_insmod($1_t)
+
+	seutil_read_config($1_t)
+	# The following rule is temporary until such time that a complete
+	# policy management infrastructure is in place so that an administrator
+	# cannot directly manipulate policy files with arbitrary programs.
+	seutil_manage_src_policy($1_t)
+	# Violates the goal of limiting write access to checkpolicy.
+	# But presently necessary for installing the file_contexts file.
+	seutil_manage_bin_policy($1_t)
+
+	optional_policy(`
+		cron_admin_template($1,$1_t,$1_r)
+	')
+
+	optional_policy(`
+		ethereal_admin_template($1,$1_t,$1_r)
+	')
+
+	optional_policy(`
+		lpr_admin_template($1,$1_t,$1_r)
+	')
+
+	optional_policy(`
+		mta_admin_template($1,$1_t,$1_r)
+	')
+
+	ifdef(`TODO',`
+
+	# for lsof
+	allow $1_t mtrr_device_t:file getattr;
+	allow $1_t eventpollfs_t:file getattr;
+
+	allow $1_t serial_device:chr_file setattr;
+
+	allow $1_t ptyfile:chr_file getattr;
+
+	# Run admin programs that require different permissions in their own domain.
+	# These rules were moved into the appropriate program domain file.
+
+	ifdef(`xserver.te', `
+		# Create files in /tmp/.X11-unix with our X servers derived
+		# tmp type rather than user_xserver_tmp_t.
+		file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
+	')
+
+
+	ifdef(`xdm.te', `
+		tunable_policy(`xdm_sysadm_login',`
+			allow xdm_t $1_home_t:lnk_file read;
+			allow xdm_t $1_home_t:dir search;
+		')
+		can_pipe_xdm($1_t)
+	')
+
+	# Allow MAKEDEV to work
+	allow $1_t device_t:dir rw_dir_perms;
+	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
+	allow $1_t device_t:lnk_file { create read };
+
+	#
+	# A user who is authorized for sysadm_t may nonetheless have
+	# a home directory labeled with user_home_t if the user is expected
+	# to login in either user_t or sysadm_t.  Hence, the derived domains
+	# for programs need to be able to access user_home_t.  
+	# 
+
+	# Allow our gph domain to write to .xsession-errors.
+	ifdef(`gnome-pty-helper.te', `
+		allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
+		allow $1_gph_t user_home_type:file create_file_perms;
+	')
+
+	# Run programs from staff home directories.
+	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
+	can_exec($1_t, staff_home_t)
+
+	tunable_policy(`user_rw_noexattrfile',`
+		create_dir_file($1_t, noexattrfile)
+		# Write floppies 
+		storage_raw_read_removable_device($1_t)
+		storage_raw_write_removable_device($1_t)
+		# cjp: what does this have to do with removable devices?
+		allow $1_t usbtty_device_t:chr_file write;
+	',`
+		r_dir_file($1_t, noexattrfile)
+		storage_raw_read_removable_device($1_t)
+	')
+	') dnl endif TODO
+')
+
+########################################
+## <summary>
+##	Make the specified type usable in a
+##	user home directory.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable in a
+##	user home directory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="type">
+##	<summary>
+##	Type to be used as a file in the
+##	user home directory.
+##	</summary>
+## </param>
+#
+template(`userdom_user_home_content',`
+	gen_require(`
+		attribute $1_file_type;
+	')
+
+	typeattribute $2 $1_file_type;
+	files_type($2)
+')
+
+########################################
+## <summary>
+##	Set the attributes of a user pty.
+## </summary>
+## <desc>
+##	<p>
+##	Set the attributes of a user pty.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_setattr_user_ptys',`
+	ifdef(`strict_policy',`
+		gen_require(`
+			type $1_devpts_t;
+		')
+
+		allow $2 $1_devpts_t:chr_file setattr;
+	')
+')
+
+########################################
+## <summary>
+##	Create a user pty.
+## </summary>
+## <desc>
+##	<p>
+##	Create a user pty.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_create_user_pty',`
+	ifdef(`strict_policy',`
+		gen_require(`
+			type $1_devpts_t;
+		')
+
+		term_create_pty($2,$1_devpts_t)
+	')
+')
+
+########################################
+## <summary>
+##	Search user home directories.
+## </summary>
+## <desc>
+##	<p>
+##	Search user home directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_search_user_home_dirs',`
+	gen_require(`
+		type $1_home_dir_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir { getattr search };
+')
+
+########################################
+## <summary>
+##      List user home directories.
+## </summary>
+## <desc>
+##      <p>
+##      List user home directories.
+##      </p>
+##      <p>
+##      This is a templated interface, and should only
+##      be called from a per-userdomain template.
+##      </p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_list_user_home_dirs',`
+	gen_require(`
+		type $1_home_dir_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do a domain transition to the specified
+##	domain when executing a program in the
+##	user home directory.
+## </summary>
+## <desc>
+##	<p>
+##	Do a domain transition to the specified
+##	domain when executing a program in the
+##	user home directory.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="source_domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
+#
+template(`userdom_user_home_domtrans',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search_dir_perms;
+	domain_auto_trans($2,$1_home_t,$3)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list user home subdirectories.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to list user home subdirectories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_list_user_home_dirs',`
+	gen_require(`
+		type $1_home_dir_t;
+	')
+
+	dontaudit $2 $1_home_dir_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	in a user home subdirectory.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete directories
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_home_content_dirs',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir rw_dir_perms;
+	allow $2 $1_home_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the
+##	attributes of user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to set the
+##	attributes of user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_setattr_user_home_content_files',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	dontaudit $2 $1_home_t:file setattr;
+')
+
+########################################
+## <summary>
+##	Read user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Read user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_read_user_home_content_files',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_t:dir search_dir_perms;
+	allow $2 $1_home_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to read user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_read_user_home_content_files',`
+	gen_require(`
+		type $1_home_t;
+	')
+
+	dontaudit $2 $1_home_t:dir r_dir_perms;
+	dontaudit $2 $1_home_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to write user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_write_user_home_content_files',`
+	gen_require(`
+		type $1_home_t;
+	')
+
+	dontaudit $2 $1_home_t:file write;
+')
+
+########################################
+## <summary>
+##	Read user home subdirectory symbolic links.
+## </summary>
+## <desc>
+##	<p>
+##	Read user home subdirectory symbolic links.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_read_user_home_content_symlinks',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_t:dir search;
+	allow $2 $1_home_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Execute user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_exec_user_home_content_files',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_t:dir search;
+	can_exec($2,$1_home_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to execute user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to execute user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_exec_user_home_content_files',`
+	gen_require(`
+		type $1_home_t;
+	')
+
+	dontaudit $2 $1_home_t:file execute;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	in a user home subdirectory.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete files
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_home_content_files',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_t:dir rw_dir_perms;
+	allow $2 $1_home_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read, write, and delete directories
+##	in a user home subdirectory.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to create, read, write, and delete directories
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_manage_user_home_content_dirs',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	dontaudit $2 $1_home_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic links
+##	in a user home subdirectory.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete symbolic links
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_home_content_symlinks',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_t:dir rw_dir_perms;
+	allow $2 $1_home_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named pipes
+##	in a user home subdirectory.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete named pipes
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_home_content_pipes',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_t:dir rw_dir_perms;
+	allow $2 $1_home_t:fifo_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named sockets
+##	in a user home subdirectory.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete named sockets
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_home_content_sockets',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_t:dir rw_dir_perms;
+	allow $2 $1_home_t:sock_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <desc>
+##	<p>
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	a specified private type.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.  If not
+##	specified, file is used.
+##	</summary>
+## </param>
+#
+template(`userdom_user_home_dir_filetrans',`
+	gen_require(`
+		type $1_home_dir_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir rw_dir_perms;
+	type_transition $2 $1_home_dir_t:$4 $3;
+')
+
+########################################
+## <summary>
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	the user home file type.
+## </summary>
+## <desc>
+##	<p>
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	the user home file type.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.  If not
+##	specified, file is used.
+##	</summary>
+## </param>
+#
+template(`userdom_user_home_dir_filetrans_user_home_content',`
+	gen_require(`
+		type $1_home_dir_t, $1_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir rw_dir_perms;
+	type_transition $2 $1_home_dir_t:$3 $1_home_t;
+')
+
+########################################
+## <summary>
+##      Write to user temporary named sockets.
+## </summary>
+## <desc>
+##      <p>
+##      Write to user temporary named sockets.
+##      </p>
+##      <p>
+##      This is a templated interface, and should only
+##      be called from a per-userdomain template.
+##      </p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_write_user_tmp_sockets',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	files_search_tmp($2)
+	allow $2 $1_tmp_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	List user temporary directories.
+## </summary>
+## <desc>
+##	<p>
+##	List user temporary directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_list_user_tmp',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	files_search_tmp($2)
+	allow $2 $1_tmp_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list user
+##	temporary directories.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to list user
+##	temporary directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_list_user_tmp',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	dontaudit $2 $1_tmp_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to manage users
+##	temporary directories.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to manage users
+##	temporary directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_manage_user_tmp_dirs',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	dontaudit $2 $1_tmp_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read user temporary files.
+## </summary>
+## <desc>
+##	<p>
+##	Read user temporary files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_read_user_tmp_files',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	files_search_tmp($2)
+	allow $2 $1_tmp_t:dir r_dir_perms;
+	allow $2 $1_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read users
+##	temporary files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to read users
+##	temporary files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_read_user_tmp_files',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	dontaudit $2 $1_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to append users
+##	temporary files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to append users
+##	temporary files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_append_user_tmp_files',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	dontaudit $2 $1_tmp_t:file append;
+')
+
+########################################
+## <summary>
+##	Read and write user temporary files.
+## </summary>
+## <desc>
+##	<p>
+##	Read and write user temporary files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_rw_user_tmp_files',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	files_search_tmp($2)
+	allow $2 $1_tmp_t:dir r_dir_perms;
+	allow $2 $1_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to manage users
+##	temporary files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to manage users
+##	temporary files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_manage_user_tmp_files',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	dontaudit $2 $1_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read user
+##	temporary symbolic links.
+## </summary>
+## <desc>
+##	<p>
+##	Read user
+##	temporary symbolic links.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_read_user_tmp_symlinks',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	files_search_tmp($2)
+	allow $2 $1_tmp_t:dir r_dir_perms;
+	allow $2 $1_tmp_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	temporary directories.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete user
+##	temporary directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_tmp_dirs',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	files_search_tmp($2)
+	allow $2 $1_tmp_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	temporary files.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete user
+##	temporary files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_tmp_files',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	files_search_tmp($2)
+	allow $2 $1_tmp_t:dir rw_dir_perms;
+	allow $2 $1_tmp_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	temporary symbolic links.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete user
+##	temporary symbolic links.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_tmp_symlinks',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	files_search_tmp($2)
+	allow $2 $1_tmp_t:dir rw_dir_perms;
+	allow $2 $1_tmp_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	temporary named pipes.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete user
+##	temporary named pipes.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_tmp_pipes',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	files_search_tmp($2)
+	allow $2 $1_tmp_t:dir rw_dir_perms;
+	allow $2 $1_tmp_t:fifo_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	temporary named sockets.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete user
+##	temporary named sockets.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_tmp_sockets',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	files_search_tmp($2)
+	allow $2 $1_tmp_t:dir rw_dir_perms;
+	allow $2 $1_tmp_t:sock_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Read user tmpfs files.
+## </summary>
+## <desc>
+##	<p>
+##	Read user tmpfs files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_rw_user_tmpfs_files',`
+	gen_require(`
+		type $1_tmpfs_t;
+	')
+
+	fs_search_tmpfs($2)
+	allow $2 $1_tmpfs_t:dir list_dir_perms;
+	allow $2 $1_tmpfs_t:file rw_file_perms;
+	allow $2 $1_tmpfs_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	List users untrusted directories.
+## </summary>
+## <desc>
+##	<p>
+##	List users untrusted directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_list_user_untrusted_content',`
+	gen_require(`
+		type $1_untrusted_content_t;
+	')
+
+	allow $2 $1_untrusted_content_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list user
+##	untrusted directories.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to read user
+##	untrusted directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_list_user_untrusted_content',`
+	gen_require(`
+		type $1_untrusted_content_t;
+	')
+
+	dontaudit $2 $1_untrusted_content_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read user untrusted files.
+## </summary>
+## <desc>
+##	<p>
+##	Read user untrusted files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_read_user_untrusted_content_files',`
+	gen_require(`
+		type $1_untrusted_content_t;
+	')
+
+	allow $2 $1_untrusted_content_t:dir r_dir_perms;
+	allow $2 $1_untrusted_content_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage user untrusted files.
+## </summary>
+## <desc>
+##      <p>
+##      Create, read, write, and delete untrusted files.
+##      </p>
+##      <p>
+##      This is a templated interface, and should only
+##      be called from a per-userdomain template.
+##      </p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_manage_user_untrusted_content_files',`
+	gen_require(`
+		type $1_untrusted_content_t;
+	')
+
+	allow $2 $1_tmp_t:dir rw_dir_perms;
+	allow $2 $1_untrusted_content_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read users
+##	untrusted files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to read users
+##	untrusted files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_read_user_untrusted_content_files',`
+	gen_require(`
+		type $1_untrusted_content_t;
+	')
+
+	dontaudit $2 $1_untrusted_content_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read user untrusted symbolic links.
+## </summary>
+## <desc>
+##	<p>
+##	Read user untrusted symbolic links.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_read_user_untrusted_content_symlinks',`
+	gen_require(`
+		type $1_untrusted_content_t;
+	')
+
+	allow $2 $1_untrusted_content_t:dir r_dir_perms;
+	allow $2 $1_untrusted_content_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	List users temporary untrusted directories.
+## </summary>
+## <desc>
+##	<p>
+##	List users temporary untrusted directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_list_user_tmp_untrusted_content',`
+	gen_require(`
+		type $1_untrusted_content_tmp_t;
+	')
+
+	allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list user
+##	temporary untrusted directories.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to list user
+##	temporary directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_list_user_tmp_untrusted_content',`
+	gen_require(`
+		type $1_untrusted_content_tmp_t;
+	')
+
+	dontaudit $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read user temporary untrusted files.
+## </summary>
+## <desc>
+##	<p>
+##	Read user temporary untrusted files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_read_user_tmp_untrusted_content_files',`
+	gen_require(`
+		type $1_untrusted_content_tmp_t;
+	')
+
+	allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
+	allow $2 $1_untrusted_content_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read users
+##	temporary untrusted files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to read users
+##	temporary untrusted files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',`
+	gen_require(`
+		type $1_untrusted_content_tmp_t;
+	')
+
+	dontaudit $2 $1_untrusted_content_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read user temporary untrusted symbolic links.
+## </summary>
+## <desc>
+##	<p>
+##	Read user temporary untrusted symbolic links.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_read_user_tmp_untrusted_content_symlinks',`
+	gen_require(`
+		type $1_untrusted_content_tmp_t;
+	')
+
+	allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
+	allow $2 $1_untrusted_content_tmp_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read all user untrusted content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_all_untrusted_content',`
+	gen_require(`
+		attribute untrusted_content_type;
+	')
+
+	allow $1 untrusted_content_type:dir r_dir_perms;
+	allow $1 untrusted_content_type:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read all user temporary untrusted content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_all_tmp_untrusted_content',`
+	gen_require(`
+		attribute untrusted_content_tmp_type;
+	')
+
+	allow $1 untrusted_content_tmp_type:dir r_dir_perms;
+	allow $1 untrusted_content_tmp_type:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Set the attributes of a user domain tty.
+## </summary>
+## <desc>
+##	<p>
+##	Set the attributes of a user domain tty.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_setattr_user_ttys',`
+	ifdef(`targeted_policy',`
+		term_setattr_unallocated_ttys($2)
+	',`
+		gen_require(`
+			type $1_tty_device_t;
+		')
+
+		allow $2 $1_tty_device_t:chr_file setattr;
+	')
+')
+
+########################################
+## <summary>
+##	Read and write a user domain tty.
+## </summary>
+## <desc>
+##	<p>
+##	Read and write a user domain tty.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_use_user_ttys',`
+	ifdef(`targeted_policy',`
+		term_use_unallocated_ttys($2)
+	',`
+		gen_require(`
+			type $1_tty_device_t;
+		')
+
+		allow $2 $1_tty_device_t:chr_file rw_term_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Read and write a user domain tty and pty.
+## </summary>
+## <desc>
+##	<p>
+##	Read and write a user domain tty and pty.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_use_user_terminals',`
+	ifdef(`targeted_policy',`
+		term_use_unallocated_ttys($2)
+		term_use_generic_ptys($2)
+	',`
+		gen_require(`
+			type $1_tty_device_t, $1_devpts_t;
+		')
+
+		allow $2 $1_tty_device_t:chr_file rw_term_perms;
+		allow $2 $1_devpts_t:chr_file rw_term_perms;
+		term_list_ptys($2)
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	a user domain tty and pty.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to read and write
+##	a user domain tty and pty.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_use_user_terminals',`
+	gen_require(`
+		type $1_tty_device_t, $1_devpts_t;
+	')
+
+	dontaudit $2 $1_tty_device_t:chr_file rw_term_perms;
+	dontaudit $2 $1_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute a shell in all user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_spec_domtrans_all_users',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	corecmd_shell_spec_domtrans($1,userdomain)
+	allow $1 userdomain:fd use;
+	allow userdomain $1:fd use;
+	allow userdomain $1:fifo_file rw_file_perms;
+	allow userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute an Xserver session in all unprivileged user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_xsession_spec_domtrans_all_users',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	xserver_xsession_spec_domtrans($1,userdomain)
+	allow $1 userdomain:fd use;
+	allow userdomain $1:fd use;
+	allow userdomain $1:fifo_file rw_file_perms;
+	allow userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a shell in all unprivileged user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_spec_domtrans_unpriv_users',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
+	allow $1 unpriv_userdomain:fd use;
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute an Xserver session in all unprivileged user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	xserver_xsession_spec_domtrans($1,unpriv_userdomain)
+	allow $1 unpriv_userdomain:fd use;
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Manage unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_unpriv_user_semaphores',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	allow $1 unpriv_userdomain:sem create_sem_perms;
+')
+
+########################################
+## <summary>
+##	Manage unpriviledged user SysV shared
+##	memory segments.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_unpriv_user_shared_mem',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	allow $1 unpriv_userdomain:shm create_shm_perms;
+')
+
+########################################
+## <summary>
+##	Execute bin_t in the unprivileged user domains. This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_bin_spec_domtrans_unpriv_users',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	corecmd_bin_spec_domtrans($1,unpriv_userdomain)
+
+	allow $1 unpriv_userdomain:fd use;
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute generic sbin programs in all unprivileged user
+##	domains. This is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_sbin_spec_domtrans_unpriv_users',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	corecmd_sbin_spec_domtrans($1,unpriv_userdomain)
+	
+	allow $1 unpriv_userdomain:fd use;
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute all entrypoint files in unprivileged user
+##	domains. This is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_entry_spec_domtrans_unpriv_users',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	domain_entry_file_spec_domtrans($1,unpriv_userdomain)
+
+	allow $1 unpriv_userdomain:fd use;
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a shell in the sysadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_shell_domtrans_sysadm',`
+	ifdef(`targeted_policy',`
+		#cjp: need to doublecheck this one
+		unconfined_shell_domtrans($1)
+	',`
+		gen_require(`
+			type sysadm_t;
+		')
+
+		corecmd_shell_domtrans($1,sysadm_t)
+
+		allow $1 sysadm_t:fd use;
+		allow sysadm_t $1:fd use;
+		allow sysadm_t $1:fifo_file rw_file_perms;
+		allow sysadm_t $1:process sigchld;
+	')
+')
+
+########################################
+## <summary>
+##	Execute a generic bin program in the sysadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_bin_spec_domtrans_sysadm',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_bin_spec_domtrans($1,sysadm_t)
+
+	allow $1 sysadm_t:fd use;
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a generic sbin program in the sysadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_sbin_spec_domtrans_sysadm',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_sbin_spec_domtrans($1,sysadm_t)
+
+	allow $1 sysadm_t:fd use;
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute all entrypoint files in the sysadm domain. This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_entry_spec_domtrans_sysadm',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	domain_entry_file_spec_domtrans($1,sysadm_t)
+
+	allow $1 sysadm_t:fd use;
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow sysadm to execute a generic bin program in
+##	a specified domain.  This is an explicit transition,
+##	requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Allow sysadm to execute a generic bin program in
+##	a specified domain.
+##	</p>
+##	<p>
+##	This is a interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to execute in.
+##	</summary>
+## </param>
+#
+interface(`userdom_sysadm_bin_spec_domtrans_to',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_bin_spec_domtrans(sysadm_t,$1)
+
+	allow sysadm_t $1:fd use;
+	allow $1 sysadm_t:fd use;
+	allow $1 sysadm_t:fifo_file rw_file_perms;
+	allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow sysadm to execute a generic sbin program in
+##	a specified domain.  This is an explicit transition,
+##	requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Allow sysadm to execute a generic sbin program in
+##	a specified domain.
+##	</p>
+##	<p>
+##	This is a interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to execute in.
+##	</summary>
+## </param>
+#
+interface(`userdom_sysadm_sbin_spec_domtrans_to',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_sbin_spec_domtrans(sysadm_t, $1)
+
+	allow sysadm_t $1:fd use;
+	allow $1 sysadm_t:fd use;
+	allow $1 sysadm_t:fifo_file rw_file_perms;
+	allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow sysadm to execute all entrypoint files
+##	in the specified domain. This is an explicit
+##	transition, requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Allow sysadm to execute all entrypoint files
+##	in the specified domain. This is an explicit
+##	transition, requiring the caller to use setexeccon().
+##	</p>
+##	<p>
+##	This is a interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to execute in.
+##	</summary>
+## </param>
+#
+interface(`userdom_sysadm_entry_spec_domtrans_to',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	domain_entry_file_spec_domtrans(sysadm_t, $1)
+
+	allow sysadm_t $1:fd use;
+	allow $1 sysadm_t:fd use;
+	allow $1 sysadm_t:fifo_file rw_file_perms;
+	allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Search the staff users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_staff_home_dirs',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 staff_home_dir_t:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the staff
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_staff_home_dirs',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	dontaudit $1 staff_home_dir_t:dir search;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete staff
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_staff_home_dirs',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type user_home_dir_t;
+		')
+
+		files_search_home($1)
+		allow $1 user_home_dir_t:dir manage_dir_perms;
+	',`
+		gen_require(`
+			type staff_home_dir_t;
+		')
+
+		files_search_home($1)
+		allow $1 staff_home_dir_t:dir manage_dir_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to append to the staff
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_staff_home_content_files',`
+	gen_require(`
+		type staff_home_t;
+	')
+
+	dontaudit $1 staff_home_t:file append;
+')
+
+########################################
+## <summary>
+##	Read files in the staff users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_staff_home_content_files',`
+	gen_require(`
+		type staff_home_dir_t, staff_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms;
+	allow $1 staff_home_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to sysadm users.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_sigchld_sysadm',`
+	ifdef(`targeted_policy',`
+		unconfined_sigchld($1)
+	',`
+		gen_require(`
+			type sysadm_t;
+		')
+
+		allow $1 sysadm_t:process sigchld;
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attepts to get the attributes
+##	of sysadm ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_getattr_sysadm_ttys',`
+	ifdef(`targeted_policy',`
+		term_dontaudit_getattr_unallocated_ttys($1)
+	',`
+		gen_require(`
+			type sysadm_tty_device_t;
+		')
+
+		dontaudit $1 sysadm_tty_device_t:chr_file getattr;
+	')
+')
+
+########################################
+## <summary>
+##	Read and write sysadm ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_use_sysadm_ttys',`
+	ifdef(`targeted_policy',`
+		term_use_unallocated_ttys($1)
+	',`
+		gen_require(`
+			type sysadm_tty_device_t;
+		')
+
+		dev_list_all_dev_nodes($1)
+		term_list_ptys($1)
+		allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use sysadm ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_sysadm_ttys',`
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_unallocated_ttys($1)
+	',`
+		gen_require(`
+			type sysadm_tty_device_t;
+		')
+
+		dontaudit $1 sysadm_tty_device_t:chr_file { read write };
+	')
+')
+
+########################################
+## <summary>
+##	Read and write sysadm ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_use_sysadm_ptys',`
+	ifdef(`targeted_policy',`
+		term_use_generic_ptys($1)
+	',`
+		gen_require(`
+			type sysadm_devpts_t;
+		')
+
+		dev_list_all_dev_nodes($1)
+		term_list_ptys($1)
+		allow $1 sysadm_devpts_t:chr_file rw_term_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Dont audit attempts to read and write sysadm ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_sysadm_ptys',`
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_generic_ptys($1)
+	',`
+		gen_require(`
+			type sysadm_devpts_t;
+		')
+
+		dontaudit $1 sysadm_devpts_t:chr_file { read write };
+	')
+')
+
+########################################
+## <summary>
+##	Read and write sysadm ttys and ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_use_sysadm_terms',`
+	userdom_use_sysadm_ttys($1)
+	userdom_use_sysadm_ptys($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use sysadm ttys and ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_sysadm_terms',`
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_generic_ptys($1)
+	',`
+		gen_require(`
+			attribute admin_terminal;
+		')
+
+		dontaudit $1 admin_terminal:chr_file { read write };
+	')
+')
+
+########################################
+## <summary>
+##	Inherit and use sysadm file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_use_sysadm_fds',`
+	ifdef(`targeted_policy',`
+		unconfined_use_fds($1)
+	',`
+		gen_require(`
+			type sysadm_t;
+		')
+
+		allow $1 sysadm_t:fd use;
+	')
+')
+
+########################################
+## <summary>
+##	Read and write sysadm user unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_rw_sysadm_pipes',`
+	ifdef(`targeted_policy',`
+		#cjp: need to doublecheck this one
+		unconfined_rw_pipes($1)
+	',`
+		gen_require(`
+			type sysadm_t;
+		')
+
+		allow $1 sysadm_t:fifo_file rw_file_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Get the attributes of the sysadm users
+##	home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_getattr_sysadm_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the sysadm users
+##	home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type user_home_dir_t;
+		')
+
+		dontaudit $1 user_home_dir_t:dir getattr;
+	', `
+		gen_require(`
+			type sysadm_home_dir_t;
+		')
+
+		dontaudit $1 sysadm_home_dir_t:dir getattr;
+	')
+')
+
+########################################
+## <summary>
+##	Search the sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_sysadm_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the sysadm
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_sysadm_home_dirs',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type user_home_dir_t;
+		')
+
+		dontaudit $1 user_home_dir_t:dir search_dir_perms;
+	',`
+		gen_require(`
+			type sysadm_home_dir_t;
+		')
+
+		dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+	')
+')
+
+########################################
+## <summary>
+##	List the sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_list_sysadm_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list the sysadm
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_list_sysadm_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the sysadm
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_sysadm_home_content_files',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type user_home_dir_t, user_home_t;
+		')
+
+		dontaudit $1 user_home_dir_t:dir search_dir_perms;
+		dontaudit $1 user_home_t:file r_file_perms;
+	',`
+		gen_require(`
+			type sysadm_home_dir_t, sysadm_home_t;
+		')
+
+		dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+		dontaudit $1 sysadm_home_t:dir r_file_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Create objects in sysadm home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	If not specified, file is used.
+##	</summary>
+## </param>
+#
+interface(`userdom_sysadm_home_dir_filetrans',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir rw_dir_perms;
+	type_transition $1 sysadm_home_dir_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Search the sysadm users home sub directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_sysadm_home_content_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t, sysadm_home_t;
+	')
+
+	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read files in the sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_sysadm_home_content_files',`
+	gen_require(`
+		type sysadm_home_dir_t, sysadm_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
+	allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Search all users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_all_users_home_dirs',`
+	gen_require(`
+		attribute home_dir_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_dir_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List all users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_list_all_users_home_dirs',`
+	gen_require(`
+		attribute home_dir_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_dir_type:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Search all users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_all_users_home_content',`
+	gen_require(`
+		attribute home_dir_type, home_type;
+	')
+
+	files_list_home($1)
+	allow $1 { home_dir_type home_type }:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search all users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_all_users_home_content',`
+	gen_require(`
+		attribute home_dir_type, home_type;
+	')
+
+	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read all files in all users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_all_users_home_content_files',`
+	gen_require(`
+		attribute home_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_type:dir r_dir_perms;
+	allow $1 home_type:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete all directories
+##	in all users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_all_users_home_content_dirs',`
+	gen_require(`
+		attribute home_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_type:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete all files
+##	in all users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_all_users_home_content_files',`
+	gen_require(`
+		attribute home_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_type:dir rw_dir_perms;
+	allow $1 home_type:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete all symlinks
+##	in all users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_all_users_home_content_symlinks',`
+	gen_require(`
+		attribute home_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_type:dir rw_dir_perms;
+	allow $1 home_type:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Make the specified domain a privileged
+##	home directory manager.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified domain a privileged
+##	home directory manager.  This domain will be
+##	able to manage the contents of all users
+##	general home directory content, and create
+##	files with the correct context.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_priveleged_home_dir_manager',`
+	gen_require(`
+		attribute privhome;
+	')
+
+	files_list_home($1)
+	typeattribute $1 privhome;
+')
+
+########################################
+## <summary>
+##	Send general signals to unprivileged user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_signal_unpriv_users',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	allow $1 unpriv_userdomain:process signal;
+')
+
+########################################
+## <summary>
+##	Inherit the file descriptors from unprivileged user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_use_unpriv_users_fds',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	allow $1 unpriv_userdomain:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit the
+##	file descriptors from all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_unpriv_user_fds',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	dontaudit $1 unpriv_userdomain:fd use;
+')
+
+########################################
+## <summary>
+##	Create generic user home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_home_filetrans_generic_user_home_dir',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	files_home_filetrans($1,user_home_dir_t,dir)
+')
+
+########################################
+## <summary>
+##	Search generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_generic_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	allow $1 user_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in generic user home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	If not specified, file is used.
+##	</summary>
+## </param>
+#
+interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir rw_dir_perms;
+	type_transition $1 user_home_dir_t:$2 user_home_t;
+')
+
+########################################
+## <summary>
+##	Don't audit search on the user home subdirectory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_generic_user_home_dirs',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:dir search;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	subdirectories of generic user
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_generic_user_home_content_dirs',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read files in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_generic_user_home_content_files',`
+	gen_require(`
+		type user_home_t, user_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_t:dir r_dir_perms;
+	allow $1 user_home_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_generic_user_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic
+##	links in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_generic_user_home_content_symlinks',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named
+##	pipes in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_generic_user_home_content_pipes',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:fifo_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named
+##	sockets in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_generic_user_home_content_sockets',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_t:dir rw_dir_perms;
+	allow $1 user_home_t:sock_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Search all unprivileged users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_unpriv_users_home_dirs',`
+	gen_require(`
+		attribute user_home_dir_type;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read all unprivileged users home directory
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_unpriv_users_home_content_files',`
+	gen_require(`
+		attribute user_home_dir_type, user_home_type;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_type:dir search_dir_perms;
+	allow $1 user_home_type:dir r_dir_perms;
+	allow $1 user_home_type:lnk_file { getattr read };
+	allow $1 user_home_type:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories in
+##	unprivileged users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_unpriv_users_home_content_dirs',`
+	gen_require(`
+		attribute user_home_dir_type, user_home_type;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_type:dir search_dir_perms;
+	allow $1 user_home_type:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files in
+##	unprivileged users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_unpriv_users_home_content_files',`
+	gen_require(`
+		attribute user_home_dir_type, user_home_type;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_type:dir search_dir_perms;
+	allow $1 user_home_type:dir rw_dir_perms;
+	allow $1 user_home_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Set the attributes of user ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_setattr_unpriv_users_ptys',`
+	gen_require(`
+		attribute user_ptynode;
+	')
+
+	allow $1 user_ptynode:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write unprivileged user ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_use_unpriv_users_ptys',`
+	ifdef(`targeted_policy',`
+		term_use_generic_ptys($1)
+	',`
+		gen_require(`
+			attribute user_ptynode;
+		')
+
+		term_search_ptys($1)
+		allow $1 user_ptynode:chr_file rw_file_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use unprivileged
+##	user ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_unpriv_users_ptys',`
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_generic_ptys($1)
+	',`
+		gen_require(`
+			attribute user_ptynode;
+		')
+
+		dontaudit $1 user_ptynode:chr_file rw_file_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Relabel files to unprivileged user pty types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabelto_unpriv_users_ptys',`
+	gen_require(`
+		attribute user_ptynode;
+	')
+
+	allow $1 user_ptynode:chr_file relabelto;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to relabel files from
+##	unprivileged user pty types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',`
+	gen_require(`
+		attribute user_ptynode;
+	')
+
+	dontaudit $1 user_ptynode:chr_file relabelfrom;
+')
+
+########################################
+## <summary>
+##	Read all unprivileged users temporary directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_list_unpriv_users_tmp',`
+	ifdef(`targeted_policy',`
+		files_list_tmp($1)
+	',`
+		gen_require(`
+			attribute user_tmpfile;
+		')
+
+		allow $1 user_tmpfile:dir list_dir_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Read all unprivileged users temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_unpriv_users_tmp_files',`
+	ifdef(`targeted_policy',`
+		files_read_generic_tmp_files($1)
+	',`
+		gen_require(`
+			attribute user_tmpfile;
+		')
+
+		allow $1 user_tmpfile:file { read getattr };
+	')
+')
+
+########################################
+## <summary>
+##	Read all unprivileged users temporary symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_unpriv_users_tmp_symlinks',`
+	ifdef(`targeted_policy',`
+		files_read_generic_tmp_symlinks($1)
+	',`
+		gen_require(`
+			attribute user_tmpfile;
+		')
+
+		allow $1 user_tmpfile:lnk_file { getattr read };
+	')
+')
+
+########################################
+## <summary>
+##	Write all unprivileged users files in /tmp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_unpriv_users_tmp_files',`
+	gen_require(`
+		attribute user_tmpfile;
+	')
+
+	allow $1 user_tmpfile:file { getattr write append };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use unprivileged
+##	user ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_unallocated_ttys($1)
+	',`
+		gen_require(`
+			attribute user_ttynode;
+		')
+
+		dontaudit $1 user_ttynode:chr_file rw_file_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Read the process state of all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_all_users_state',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:dir search_dir_perms;
+	allow $1 userdomain:file r_file_perms;
+	kernel_search_proc($1)
+')
+
+########################################
+## <summary>
+##	Get the attributes of all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_getattr_all_users',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:process getattr;
+')
+
+########################################
+## <summary>
+##	Inherit the file descriptors from all user domains
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_use_all_users_fds',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit the file
+##	descriptors from any user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_use_all_users_fds',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	dontaudit $1 userdomain:fd use;
+')
+
+########################################
+## <summary>
+##	Send general signals to all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_signal_all_users',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:process signal;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_sigchld_all_users',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:process sigchld;
+')
+
+########################################
+## <summary>
+##	Create keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_create_all_users_keys',`
+	ifdef(`strict_policy',`
+		gen_require(`
+			attribute userdomain;
+		')
+
+		allow $1 userdomain:key create;
+	',`
+		unconfined_create_keys($1)
+	')
+')
+
+########################################
+## <summary>
+##	Send a dbus message to all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dbus_send_all_users',`
+	gen_require(`
+		attribute userdomain;
+		class dbus send_msg;
+	')
+
+	allow $1 userdomain:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Unconfined access to user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_unconfined',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	allow $1 user_home_dir_t:dir create_dir_perms;
+	files_home_filetrans($1,user_home_dir_t,dir)
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
new file mode 100644
index 0000000..cdec392
--- /dev/null
+++ b/policy/modules/system/userdomain.te
@@ -0,0 +1,501 @@
+
+policy_module(userdomain,1.3.29)
+
+gen_require(`
+	role sysadm_r, staff_r, user_r;
+
+	ifdef(`enable_mls',`
+		role secadm_r;
+		role auditadm_r;
+	')
+')
+
+########################################
+#
+# Declarations
+#
+
+# admin users terminals (tty and pty)
+attribute admin_terminal;
+
+# users home directory
+attribute home_dir_type;
+
+# users home directory contents
+attribute home_type;
+
+# The privhome attribute identifies every domain that can create files under
+# regular user home directories in the regular context (IE act on behalf of
+# a user in writing regular files)
+attribute privhome;
+
+# all unprivileged users home directories
+attribute user_home_dir_type;
+attribute user_home_type;
+
+# all unprivileged users ptys
+attribute user_ptynode;
+
+# all unprivileged users tmp files
+attribute user_tmpfile;
+
+# all unprivileged users ttys
+attribute user_ttynode;
+
+# all user domains
+attribute userdomain;
+
+# unprivileged user domains
+attribute unpriv_userdomain;
+
+attribute untrusted_content_type;
+attribute untrusted_content_tmp_type;
+
+########################################
+#
+# Local policy
+#
+
+define(`role_change',`
+	allow $1_r $2_r;
+	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+	# avoid annoying messages on terminal hangup
+	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
+ifdef(`targeted_policy',`
+	# Define some type aliases to help with compatibility with
+	# macros and domains from the "strict" policy.
+	unconfined_alias_domain(secadm_t)
+	unconfined_alias_domain(auditadm_t)
+	unconfined_alias_domain(sysadm_t)
+
+	# User home directory type.
+	type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
+	files_type(user_home_t)
+	files_associate_tmp(user_home_t)
+	fs_associate_tmpfs(user_home_t)
+
+	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
+	files_type(user_home_dir_t)
+	files_associate_tmp(user_home_dir_t)
+	fs_associate_tmpfs(user_home_dir_t)
+
+	# compatibility for switching from strict
+#	dominance { role secadm_r { role system_r; }}
+#	dominance { role auditadm_r { role system_r; }}
+#	dominance { role sysadm_r { role system_r; }}
+#	dominance { role user_r { role system_r; }}
+#	dominance { role staff_r { role system_r; }}
+
+	# dont need to use the full role_change()
+	allow sysadm_r system_r;
+	allow sysadm_r user_r;
+	allow user_r system_r;
+	allow user_r sysadm_r;
+	allow system_r sysadm_r;
+	allow system_r sysadm_r;
+
+	allow privhome user_home_t:dir manage_dir_perms;
+	allow privhome user_home_t:file create_file_perms;
+	allow privhome user_home_t:lnk_file create_lnk_perms;
+	allow privhome user_home_t:fifo_file create_file_perms;
+	allow privhome user_home_t:sock_file create_file_perms;
+	allow privhome user_home_dir_t:dir rw_dir_perms;
+	type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t;
+	files_search_home(privhome)
+
+	ifdef(`enable_mls',`
+		allow secadm_r system_r;
+		allow auditadm_r system_r;
+		allow secadm_r user_r;
+		allow staff_r secadm_r;
+		allow staff_r auditadm_r;
+	')
+
+	optional_policy(`
+		samba_per_userdomain_template(user)
+	')
+',`
+	admin_user_template(sysadm)
+	unpriv_user_template(staff)
+	unpriv_user_template(user)
+
+	# user role change rules:
+	# sysadm_r can change to user roles
+	role_change(sysadm, user)
+	role_change(sysadm, staff)
+
+	# only staff_r can change to sysadm_r
+	role_change(staff, sysadm)
+
+	ifdef(`enable_mls',`
+		unpriv_user_template(secadm)
+		unpriv_user_template(auditadm)
+
+		role_change(staff,auditadm)
+		role_change(staff,secadm)
+
+		role_change(sysadm,secadm)
+		role_change(sysadm,auditadm)
+
+		role_change(auditadm,secadm)
+		role_change(auditadm,sysadm)
+
+		role_change(secadm,auditadm)
+		role_change(secadm,sysadm)
+	')
+
+	# this should be tunable_policy, but
+	# currently type_change and RBAC allow
+	# do not work in conditionals
+	ifdef(`user_canbe_sysadm',`
+		role_change(user,sysadm)
+	')
+
+	allow privhome home_root_t:dir { getattr search };
+
+	########################################
+	#
+	# Sysadm local policy
+	#
+
+	# for su
+	allow sysadm_t userdomain:fd use;
+
+	# Add/remove user home directories
+	allow sysadm_t user_home_dir_t:dir create_dir_perms;
+	files_home_filetrans(sysadm_t,user_home_dir_t,dir)
+
+	corecmd_exec_shell(sysadm_t)
+
+	mls_process_read_up(sysadm_t)
+
+	init_exec(sysadm_t)
+
+	ifdef(`direct_sysadm_daemon',`
+		optional_policy(`
+			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
+		')
+	',`
+		ifdef(`distro_gentoo',`
+			optional_policy(`
+				seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+			')
+		')
+	')
+
+	ifdef(`enable_mls',`
+		seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+		domain_kill_all_domains(auditadm_t)
+	        seutil_read_bin_policy(auditadm_t)
+		corecmd_exec_shell(auditadm_t)
+	        logging_read_generic_logs(auditadm_t)
+		logging_manage_audit_log(auditadm_t)
+		logging_manage_audit_config(auditadm_t)
+		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
+		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+
+		allow secadm_t self:capability dac_override;
+		corecmd_exec_shell(secadm_t)
+		domain_obj_id_change_exemption(secadm_t)
+		mls_process_read_up(secadm_t)
+		mls_file_read_up(secadm_t)
+		mls_file_write_down(secadm_t)
+		mls_file_upgrade(secadm_t)
+		mls_file_downgrade(secadm_t)
+	        auth_relabel_all_files_except_shadow(secadm_t)
+		auth_relabel_shadow(secadm_t)
+		init_exec(secadm_t)
+		logging_read_audit_log(secadm_t)
+	        logging_read_generic_logs(secadm_t)
+		userdom_dontaudit_append_staff_home_content_files(secadm_t)
+	', `
+		logging_manage_audit_log(sysadm_t)
+		logging_manage_audit_config(sysadm_t)
+		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	tunable_policy(`allow_ptrace',`
+		domain_ptrace_all_domains(sysadm_t)
+	')
+
+	optional_policy(`
+		amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
+		#apache_run_all_scripts(sysadm_t,sysadm_r)
+		#apache_domtrans_sys_script(sysadm_t)
+	')
+
+	optional_policy(`
+		# cjp: why is this not apm_run_client
+		apm_domtrans_client(sysadm_t)
+	')
+
+	optional_policy(`
+		apt_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		backup_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		consoletype_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		clock_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		certwatach_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		cvs_exec(sysadm_t)
+	')
+
+	optional_policy(`
+		consoletype_exec(sysadm_t)
+
+		ifdef(`enable_mls',`
+			consoletype_exec(secadm_t)
+			consoletype_exec(auditadm_t)
+		')
+	')
+
+	optional_policy(`
+		dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
+		dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
+		dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		dmesg_exec(sysadm_t)
+
+		ifdef(`enable_mls',`
+			dmesg_exec(secadm_t)
+			dmesg_exec(auditadm_t)
+		')
+	')
+
+	optional_policy(`
+		dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		dpkg_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
+	')
+
+	optional_policy(`
+		fstools_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		hostname_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		# allow system administrator to use the ipsec script to look
+		# at things (e.g., ipsec auto --status)
+		# probably should create an ipsec_admin role for this kind of thing
+		ipsec_exec_mgmt(sysadm_t)
+		ipsec_stream_connect(sysadm_t)
+		# for lsof
+		ipsec_getattr_key_sockets(sysadm_t)
+	')
+
+	optional_policy(`
+		iptables_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		lvm_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		logrotate_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		kudzu_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
+		modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
+		modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		mount_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		mysql_stream_connect(sysadm_t)
+	')
+
+	optional_policy(`
+		netutils_run(sysadm_t,sysadm_r,admin_terminal)
+		netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
+		netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		rpc_domtrans_nfsd(sysadm_t)
+	')
+
+	optional_policy(`
+		munin_stream_connect(sysadm_t)
+	')
+
+	optional_policy(`
+		ntp_stub()
+		corenet_udp_bind_ntp_port(sysadm_t)
+	')
+
+	optional_policy(`
+		oav_run_update(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		portage_run(sysadm_t,sysadm_r,admin_terminal)
+		portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		quota_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		radius_use(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		rpm_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		rsync_exec(sysadm_t)
+	')
+
+	optional_policy(`
+		samba_run_net(sysadm_t,sysadm_r,admin_terminal)
+		samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
+		seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+
+		ifdef(`enable_mls',`
+			selinux_set_enforce_mode(secadm_t)
+			selinux_set_boolean(secadm_t)
+			selinux_set_parameters(secadm_t)
+
+			seutil_manage_bin_policy(secadm_t)
+			seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
+			seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
+			seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
+			seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
+			seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
+		', `
+			selinux_set_enforce_mode(sysadm_t)
+			selinux_set_boolean(sysadm_t)
+			selinux_set_parameters(sysadm_t)
+
+			seutil_manage_bin_policy(sysadm_t)
+			seutil_run_checkpolicy(sysadm_t,sysadm_r,admin_terminal)
+			seutil_run_loadpolicy(sysadm_t,sysadm_r,admin_terminal)
+			seutil_run_semanage(sysadm_t,sysadm_r,admin_terminal)
+			seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
+		')
+	')
+
+	optional_policy(`
+		sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
+		sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
+		tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
+		tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
+		tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
+		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
+		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		vpn_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		webalizer_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`
+		yam_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+')
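Review bot: In the strict branch, `allow privhome home_root_t:dir { getattr search };` (the line just after the `user_canbe_sysadm` block) grants access to a type owned by the files module directly, while the targeted branch above obtains the same access through `files_search_home(privhome)`; using `files_search_home(privhome)` here too keeps this module from depending on another module's type name and keeps the two branches consistent. Two smaller points in the same hunk: `allow system_r sysadm_r;` is written twice in a row in the targeted branch, and `certwatach_run(sysadm_t,sysadm_r,admin_terminal)` looks misspelled — presumably `certwatch_run` is intended, and if no interface by the written name exists the call will never expand into any rule. The lines `seutil_read_bin_policy(auditadm_t)`, `logging_read_generic_logs(auditadm_t)`, `auth_relabel_all_files_except_shadow(secadm_t)` and `logging_read_generic_logs(secadm_t)` are indented with a tab followed by spaces rather than tabs like their neighbours.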
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
new file mode 100644
index 0000000..339e7a9
--- /dev/null
+++ b/policy/modules/system/xen.fc
@@ -0,0 +1,20 @@
+/usr/sbin/xenconsoled	--	gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/sbin/xend		--	gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/sbin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/sbin/xm		--	gen_context(system_u:object_r:xm_exec_t,s0)
+
+/var/lib/xen(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xend(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+
+/var/log/xen-hotplug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend\.log	--	gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend-debug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
+
+/var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+/var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
+/var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
+
+/xen(/.*)?			gen_context(system_u:object_r:xen_image_t,s0)
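Review bot: The `/var/run/xend\.pid` entry pads its context column with spaces where every other entry in this file uses tabs, so the alignment drifts at any other tab width and the file fails a whitespace-consistency check. Change the padding to tabs to match its neighbours: `/var/run/xend\.pid	--	gen_context(system_u:object_r:xend_var_run_t,s0)`. The final `/xen(/.*)?` entry labels an entire top-level directory as `xen_image_t`, which the .te file in this commit marks "customizable"; a one-line comment above it saying this is the default image store location would help whoever later narrows the pattern.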
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
new file mode 100644
index 0000000..bfdc355
--- /dev/null
+++ b/policy/modules/system/xen.if
@@ -0,0 +1,129 @@
+## <summary>Xen hypervisor</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run xend.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`xen_domtrans',`
+	gen_require(`
+		type xend_t, xend_exec_t;
+	')
+
+	domain_auto_trans($1,xend_exec_t,xend_t)
+
+	allow $1 xend_t:fd use;
+	allow xend_t $1:fd use;
+	allow xend_t $1:fifo_file rw_file_perms;
+	allow xend_t $1:process sigchld;
+')
+
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	xend log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`xen_append_log',`
+	gen_require(`
+		type var_log_t, xend_var_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 xend_var_log_t:file { getattr append };
+	dontaudit $1 xend_var_log_t:file write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	Xen unix domain stream sockets.  These
+##	are leaked file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xen_dontaudit_rw_unix_stream_sockets',`
+       gen_require(`
+               type xend_t;
+       ')
+
+       dontaudit $1 xend_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Connect to xenstored over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xen_stream_connect_xenstore',`
+	gen_require(`
+		type xenstored_t, xenstored_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 xenstored_var_run_t:dir search;
+	allow $1 xenstored_var_run_t:sock_file { getattr write };
+	allow $1 xenstored_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Connect to xend over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xen_stream_connect',`
+	gen_require(`
+		type xend_t, xend_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 xend_var_run_t:dir search;
+	allow $1 xend_var_run_t:sock_file { getattr write };
+	allow $1 xend_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run xm.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xen_domtrans_xm',`
+	gen_require(`
+		type xm_t, xm_exec_t;
+	')
+
+	domain_auto_trans($1,xm_exec_t,xm_t)
+	allow xm_t $1:fd use;
+	allow xm_t $1:fifo_file rw_file_perms;
+	allow xm_t $1:process sigchld;
+')
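Review bot: `xen_append_log` lists `var_log_t` in its gen_require block but never references it; the parent-directory access already comes from `logging_search_logs($1)`, so the require should be `type xend_var_log_t;` alone, which also avoids importing a logging-module type directly into this interface. Its parameter summary reads "Domain allowed to transition." although no transition takes place; `Domain allowed to append xend log files.` states the actual contract. `xen_dontaudit_rw_unix_stream_sockets` is indented with spaces while every other interface in the file uses tabs. `xen_domtrans` grants fd use in both directions (`allow $1 xend_t:fd use;` and `allow xend_t $1:fd use;`) whereas `xen_domtrans_xm` only lets the child use the caller's descriptors; if callers do not actually need xend's descriptors, the first rule looks droppable so the two transition interfaces stay symmetrical, otherwise a comment on why it is needed would help.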
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
new file mode 100644
index 0000000..4f80cc0
--- /dev/null
+++ b/policy/modules/system/xen.te
@@ -0,0 +1,302 @@
+
+policy_module(xen,1.0.7)
+
+########################################
+#
+# Declarations
+#
+
+# console ptys
+type xen_devpts_t;
+term_pty(xen_devpts_t);
+files_type(xen_devpts_t);
+
+# Xen Image files
+type xen_image_t; # customizable
+files_type(xen_image_t)
+
+type xend_t;
+type xend_exec_t;
+domain_type(xend_t)
+init_daemon_domain(xend_t, xend_exec_t)
+
+# var/lib files
+type xend_var_lib_t;
+files_type(xend_var_lib_t)
+# for mounting an NFS store
+files_mountpoint(xend_var_lib_t)
+
+# log files
+type xend_var_log_t;
+logging_log_file(xend_var_log_t)
+
+# pid files
+type xend_var_run_t;
+files_pid_file(xend_var_run_t)
+
+type xenstored_t;
+type xenstored_exec_t;
+domain_type(xenstored_t)
+domain_entry_file(xenstored_t,xenstored_exec_t)
+role system_r types xenstored_t;
+
+# var/lib files
+type xenstored_var_lib_t;
+files_type(xenstored_var_lib_t)
+
+# pid files
+type xenstored_var_run_t;
+files_pid_file(xenstored_var_run_t)
+
+type xenconsoled_t;
+type xenconsoled_exec_t;
+domain_type(xenconsoled_t)
+domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
+role system_r types xenconsoled_t;
+
+# pid files
+type xenconsoled_var_run_t;
+files_pid_file(xenconsoled_var_run_t)
+
+type xm_t;
+type xm_exec_t;
+domain_type(xm_t)
+init_daemon_domain(xm_t, xm_exec_t)
+
+########################################
+#
+# xend local policy
+#
+
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+allow xend_t self:process { signal sigkill };
+# internal communication is often done using fifo and unix sockets.
+allow xend_t self:fifo_file rw_file_perms;
+allow xend_t self:unix_stream_socket create_stream_socket_perms;
+allow xend_t self:unix_dgram_socket create_socket_perms;
+allow xend_t self:netlink_route_socket r_netlink_socket_perms;
+allow xend_t self:tcp_socket create_stream_socket_perms;
+allow xend_t self:packet_socket create_socket_perms;
+
+allow xend_t xen_image_t:dir r_dir_perms;
+allow xend_t xen_image_t:file r_file_perms;
+
+# pid file
+allow xend_t xend_var_run_t:file manage_file_perms;
+allow xend_t xend_var_run_t:sock_file manage_file_perms;
+allow xend_t xend_var_run_t:dir { setattr rw_dir_perms };
+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
+
+# log files
+allow xend_t xend_var_log_t:file create_file_perms;
+allow xend_t xend_var_log_t:sock_file create_file_perms;
+allow xend_t xend_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
+
+# var/lib files for xend
+allow xend_t xend_var_lib_t:file create_file_perms;
+allow xend_t xend_var_lib_t:sock_file create_file_perms;
+allow xend_t xend_var_lib_t:fifo_file create_file_perms;
+allow xend_t xend_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
+
+# transition to store
+domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
+allow xenstored_t xend_t:fd use;
+allow xenstored_t xend_t:process sigchld;
+allow xenstored_t xend_t:fifo_file write;
+
+# transition to console
+domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
+allow xenconsoled_t xend_t:fd use;
+
+kernel_read_kernel_sysctls(xend_t)
+kernel_read_system_state(xend_t)
+kernel_write_xen_state(xend_t)
+kernel_read_xen_state(xend_t)
+kernel_rw_net_sysctls(xend_t)
+kernel_read_network_state(xend_t)
+
+corecmd_exec_sbin(xend_t)
+corecmd_exec_bin(xend_t)
+corecmd_exec_shell(xend_t)
+
+corenet_non_ipsec_sendrecv(xend_t)
+corenet_tcp_sendrecv_all_if(xend_t)
+corenet_tcp_sendrecv_all_nodes(xend_t)
+corenet_tcp_sendrecv_all_ports(xend_t)
+corenet_tcp_bind_all_nodes(xend_t)
+corenet_tcp_bind_xen_port(xend_t)
+corenet_tcp_bind_soundd_port(xend_t)
+corenet_sendrecv_xen_server_packets(xend_t)
+corenet_sendrecv_soundd_server_packets(xend_t)
+
+dev_read_urand(xend_t)
+dev_manage_xen(xend_t)
+dev_filetrans_xen(xend_t)
+dev_rw_sysfs(xend_t)
+
+domain_read_all_domains_state(xend_t)
+domain_dontaudit_read_all_domains_state(xend_t)
+
+files_read_etc_files(xend_t)
+files_read_kernel_symbol_table(xend_t)
+files_read_kernel_img(xend_t)
+files_manage_etc_runtime_files(xend_t)
+files_etc_filetrans_etc_runtime(xend_t,file)
+
+storage_raw_read_fixed_disk(xend_t)
+
+term_dontaudit_getattr_all_user_ptys(xend_t)
+term_dontaudit_use_generic_ptys(xend_t)
+
+init_use_fds(xend_t)
+
+libs_use_ld_so(xend_t)
+libs_use_shared_libs(xend_t)
+
+logging_send_syslog_msg(xend_t)
+
+miscfiles_read_localization(xend_t)
+
+sysnet_domtrans_dhcpc(xend_t)
+sysnet_signal_dhcpc(xend_t)
+sysnet_domtrans_ifconfig(xend_t)
+sysnet_dns_name_resolve(xend_t)
+sysnet_delete_dhcpc_pid(xend_t)
+sysnet_read_dhcpc_pid(xend_t)
+
+xen_stream_connect_xenstore(xend_t)
+
+netutils_domtrans(xend_t)
+
+optional_policy(`
+	consoletype_domtrans(xend_t)
+')
+
+########################################
+#
+# Xen console local policy
+#
+
+allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+allow xenconsoled_t self:fifo_file { read write };
+
+allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+
+# pid file
+allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms;
+allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
+allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(xenconsoled_t)
+kernel_write_xen_state(xenconsoled_t)
+kernel_read_xen_state(xenconsoled_t)
+
+term_create_pty(xenconsoled_t,xen_devpts_t);
+term_dontaudit_use_generic_ptys(xenconsoled_t)
+term_use_console(xenconsoled_t)
+
+init_use_fds(xenconsoled_t)
+
+libs_use_ld_so(xenconsoled_t)
+libs_use_shared_libs(xenconsoled_t)
+
+miscfiles_read_localization(xenconsoled_t)
+
+xen_append_log(xenconsoled_t)
+xen_stream_connect_xenstore(xenconsoled_t)
+
+########################################
+#
+# Xen store local policy
+#
+
+allow xenstored_t self:capability { dac_override mknod ipc_lock };
+allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+allow xenstored_t self:unix_dgram_socket create_socket_perms;
+
+# pid file
+allow xenstored_t xenstored_var_run_t:file manage_file_perms;
+allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms;
+allow xenstored_t xenstored_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
+
+# var/lib files for xenstored
+allow xenstored_t xenstored_var_lib_t:file create_file_perms;
+allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
+allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
+
+kernel_write_xen_state(xenstored_t)
+kernel_read_xen_state(xenstored_t)
+
+dev_create_generic_dirs(xenstored_t)
+dev_manage_xen(xenconsoled_t)
+dev_filetrans_xen(xenstored_t)
+dev_rw_xen(xenstored_t)
+
+term_dontaudit_use_generic_ptys(xenstored_t)
+term_dontaudit_use_console(xenconsoled_t)
+
+init_use_fds(xenstored_t)
+
+libs_use_ld_so(xenstored_t)
+libs_use_shared_libs(xenstored_t)
+
+logging_send_syslog_msg(xenstored_t)
+
+miscfiles_read_localization(xenstored_t)
+
+xen_append_log(xenstored_t)
+
+########################################
+#
+# xm local policy
+#
+
+allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
+
+# internal communication is often done using fifo and unix sockets.
+allow xm_t self:fifo_file { read write };
+allow xm_t self:unix_stream_socket create_stream_socket_perms;
+
+allow xm_t xend_var_lib_t:dir rw_dir_perms;
+allow xm_t xend_var_lib_t:fifo_file create_file_perms;
+allow xm_t xend_var_lib_t:file create_file_perms;
+files_search_var_lib(xm_t)
+
+allow xm_t xen_image_t:dir rw_dir_perms;
+allow xm_t xen_image_t:file r_file_perms;
+
+kernel_read_system_state(xm_t)
+kernel_read_kernel_sysctls(xm_t)
+kernel_read_xen_state(xm_t)
+kernel_write_xen_state(xm_t)
+
+corecmd_exec_bin(xm_t)
+corecmd_exec_sbin(xm_t)
+
+dev_read_urand(xm_t)
+
+files_read_etc_runtime_files(xm_t)
+files_read_usr_files(xm_t)
+files_list_mnt(xm_t)
+# Some common macros (you might be able to remove some)
+files_read_etc_files(xm_t)
+
+term_use_all_terms(xm_t)
+
+init_rw_script_stream_sockets(xm_t)
+init_use_fds(xm_t)
+
+libs_use_ld_so(xm_t)
+libs_use_shared_libs(xm_t)
+
+miscfiles_read_localization(xm_t)
+
+xen_append_log(xm_t)
+xen_stream_connect(xm_t)
+xen_stream_connect_xenstore(xm_t)
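Review bot: In the "Xen store local policy" section, `dev_manage_xen(xenconsoled_t)` and `term_dontaudit_use_console(xenconsoled_t)` name xenconsoled_t where every surrounding rule names xenstored_t; this looks like a copy-paste slip, because the console section above already has `term_use_console(xenconsoled_t)` (which makes the dontaudit there redundant), and xenstored_t is given `dev_filetrans_xen` paired only with `dev_rw_xen`, which by its name would not include the create permission a file transition needs. If xenstored is the intended domain the two lines should read `dev_manage_xen(xenstored_t)` and `term_dontaudit_use_console(xenstored_t)`; if not, a comment explaining why console rules live in the store section is warranted. Separately, `term_pty(xen_devpts_t);`, `files_type(xen_devpts_t);` and `term_create_pty(xenconsoled_t,xen_devpts_t);` carry trailing semicolons that no other interface call in the file has; m4 passes the semicolon through into the expanded policy as a stray token, so they should be dropped for consistency.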
diff --git a/policy/rolemap b/policy/rolemap
new file mode 100644
index 0000000..3e8d368
--- /dev/null
+++ b/policy/rolemap
@@ -0,0 +1,20 @@
+#
+# This file contains the mappings
+# used for per-userdomain template
+# infrastructure.  Each line describes
+# the prefix and user domain type
+# corresponding to each role.
+#
+# syntax: role prefix user_domain
+#
+
+ifdef(`strict_policy',`
+	user_r user user_t
+	staff_r staff staff_t
+	sysadm_r sysadm sysadm_t
+
+	ifdef(`enable_mls',`
+		secadm_r secadm secadm_t
+		auditadm_r auditadm auditadm_t
+	')
+')
diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt
new file mode 100644
index 0000000..b30be16
--- /dev/null
+++ b/policy/support/loadable_module.spt
@@ -0,0 +1,170 @@
+########################################
+#
+# Macros for switching between source policy
+# and loadable policy module support
+#
+
+##############################
+#
+# For adding the module statement
+#
+define(`policy_module',`
+	ifndef(`self_contained_policy',`
+		module $1 $2;
+
+		require {
+			role system_r;
+			all_kernel_class_perms
+		}
+	')
+')
+
+##############################
+#
+# For use in interfaces, to optionally insert a require block
+#
+define(`gen_require',`
+	ifdef(`self_contained_policy',`
+		ifdef(`__in_optional_policy',`
+			require {
+				$1
+			} # end require
+		')
+	',`
+		require {
+			$1
+		} # end require
+	')
+')
+
+# helper function, since m4 wont expand macros
+# if a line is a comment (#):
+define(`policy_m4_comment',`
+##### $2 depth: $1
+')dnl
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# template(name,rules)
+#
+define(`template',` dnl
+	ifdef(`$1',`errprint(__file__:__line__`: duplicate definition of $1(). Original definition on '$1. __endline__) define(`__if_error')',`define(`$1',__line__)') dnl
+	`define(`$1',` dnl
+	define(`policy_temp',incr(policy_call_depth)) dnl
+	pushdef(`policy_call_depth',policy_temp) dnl
+	undefine(`policy_temp') dnl
+	policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+	$2 dnl
+	define(`policy_temp',decr(policy_call_depth)) dnl
+	pushdef(`policy_call_depth',policy_temp) dnl
+	undefine(`policy_temp') dnl
+	policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+	'')
+')
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# interface(name,rules)
+#
+define(`interface',` dnl
+	ifdef(`$1',`errprint(__file__:__line__`: duplicate definition of $1(). Original definition on '$1. __endline__) define(`__if_error')',`define(`$1',__line__)') dnl
+	`define(`$1',` dnl
+	define(`policy_temp',incr(policy_call_depth)) dnl
+	pushdef(`policy_call_depth',policy_temp) dnl
+	undefine(`policy_temp') dnl
+	policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+	$2
+	define(`policy_temp',decr(policy_call_depth)) dnl
+	pushdef(`policy_call_depth',policy_temp) dnl
+	undefine(`policy_temp') dnl
+	policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+	'')
+')
+
+define(`policy_call_depth',0)
+
+##############################
+#
+# Optional policy handling
+#
+define(`optional_policy',`
+	ifelse(regexp(`$1',`\W'),`-1',`
+		errprint(__file__:__line__`: deprecated use of module name ($1) as first parameter of optional_policy() block.' __endline__)
+		optional_policy(shift($*))
+	',`
+		optional {`'pushdef(`__in_optional_policy')
+			$1
+		ifelse(`$2',`',`',`} else {
+			$2
+		')}`'popdef(`__in_optional_policy')`'ifndef(`__in_optional_policy',` # end optional')
+	')
+')
+
+##############################
+#
+# Determine if we should use the default
+# tunable value as specified by the policy
+# or if the override value should be used
+#
+define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
+
+##############################
+#
+# Extract booleans out of an expression.
+# This needs to be reworked so expressions
+# with parentheses can work.
+
+define(`delcare_required_symbols',`
+ifelse(regexp($1, `\w'), -1, `', `dnl
+bool regexp($1, `\(\w+\)', `\1');
+delcare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
+') dnl
+')
+
+##############################
+#
+# Tunable declaration
+#
+define(`gen_tunable',`
+	ifdef(`self_contained_policy',`
+		bool $1 dflt_or_overr(`$1'_conf,$2);
+	',`
+		# loadable module tunable
+		# declaration will go here
+		# instead of bool when
+		# loadable modules support
+		# tunables
+		bool $1 dflt_or_overr(`$1'_conf,$2);
+	')
+')
+
+##############################
+#
+# Tunable policy handling
+#
+define(`tunable_policy',`
+	ifdef(`self_contained_policy',`
+		if (`$1') {
+			$2
+		ifelse(`$3',`',`',`} else {
+			$3
+		')}
+	',`
+		# structure for tunables
+		# will go here instead of a
+		# conditional when loadable
+		# modules support tunables
+		gen_require(`
+			delcare_required_symbols(`$1')
+		')
+		if (`$1') {
+			$2
+		ifelse(`$3',`',`',`} else {
+			$3
+		')}
+	')
+')
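Review bot: The helper defined at the `define(`delcare_required_symbols'` line misspells "declare"; it is spelled the same way in its recursive self-call and in the use inside `tunable_policy`, so nothing breaks, but the name is a trap for anyone grepping for it. Renaming it to `declare_required_symbols` touches those three sites in this hunk plus any caller outside it. The comment above it already admits the extraction "needs to be reworked" for parenthesised expressions; since `tunable_policy` feeds the raw tunable expression straight in, a note on `tunable_policy` saying the loadable-module branch only pulls bare identifiers out of the expression would save a reader from debugging a silent miss. `template` ends its rules expansion with `$2 dnl` whereas `interface` uses a bare `$2`; if the difference is intentional it deserves a one-line comment, otherwise the two should match.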
diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt
new file mode 100644
index 0000000..3471b66
--- /dev/null
+++ b/policy/support/misc_macros.spt
@@ -0,0 +1,61 @@
+
+########################################
+#
+# Helper macros
+#
+
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+#
+# ifndef(expr,true_block,false_block)
+#
+# m4 does not have this.
+#
+define(`ifndef',`ifdef(`$1',`$3',`$2')')
+
+#
+# __endline__
+#
+# dummy macro to insert a newline.  used for 
+# errprint, so the close parentheses can be
+# indented correctly.
+#
+define(`__endline__',`
+')
+
+########################################
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+define(`gen_user',`dnl
+ifdef(`users_extra',`dnl
+ifelse(`$2',,,`user $1 prefix $2;')
+',`dnl
+user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
+')dnl
+')
+
+########################################
+#
+# gen_context(context,mls_sensitivity,[mcs_categories])
+#
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
+
+########################################
+#
+# can_exec(domain,executable)
+#
+define(`can_exec',`allow $1 $2:file { rx_file_perms execute_no_trans };')
+
+########################################
+#
+# gen_bool(name,default_value)
+#
+define(`gen_bool',`
+	bool $1 dflt_or_overr(`$1'_conf,$2);
+')
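Review bot: `gen_user` emits a `level … range …` clause once under `enable_mls` and again under `enable_mcs` with no guard against both being defined, so a build that sets both would produce a user statement with two level/range clauses. If the two options are meant to be mutually exclusive, a comment on the macro saying so (or an `errprint` when both are defined, as the loadable-module macros already do for other misuse) makes the assumption checkable. The `__endline__` comment line reading "used for " has trailing whitespace.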
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
new file mode 100644
index 0000000..eea1598
--- /dev/null
+++ b/policy/support/obj_perm_sets.spt
@@ -0,0 +1,226 @@
+########################################
+# 
+# Support macros for sets of object classes and permissions
+#
+# This file should only have object class and permission set macros - they
+# can only reference object classes and/or permissions.
+
+#
+# All directory and file classes
+#
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# All non-directory file classes.
+#
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# Non-device file classes.
+#
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+
+#
+# Device file classes.
+#
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+#
+# All socket classes.
+#
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
+
+
+#
+# Datagram socket classes.
+# 
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+
+#
+# Stream socket classes.
+#
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+
+#
+# Unprivileged socket classes (exclude rawip, netlink, packet).
+#
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+########################################
+# 
+# Macros for sets of permissions
+#
+
+# 
+# Permissions for getting file attributes.
+#
+define(`stat_file_perms', `{ getattr }')
+
+# 
+# Permissions for executing files.
+#
+define(`x_file_perms', `{ getattr execute }')
+
+# 
+# Permissions for reading files and their attributes.
+#
+define(`r_file_perms', `{ read getattr lock ioctl }')
+
+# 
+# Permissions for reading and executing files.
+#
+define(`rx_file_perms', `{ read getattr lock execute ioctl }')
+
+# 
+# Permissions for reading and appending to files.
+#
+define(`ra_file_perms', `{ ioctl read getattr lock append }')
+
+#
+# Permissions for linking, unlinking and renaming files.
+# 
+define(`link_file_perms', `{ getattr link unlink rename }')
+
+#
+# Permissions for creating lnk_files.
+#
+define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
+
+#
+# Permissions for creating and using files.
+# 
+define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
+
+# 
+# Permissions for reading directories and their attributes.
+#
+define(`r_dir_perms', `{ read getattr lock search ioctl }')
+
+# 
+# Permissions for reading and writing directories and their attributes.
+#
+define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
+
+# 
+# Permissions for reading and adding names to directories.
+#
+define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
+
+
+#
+# Permissions for creating and using directories.
+# 
+define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
+
+#
+# Permissions to mount and unmount file systems.
+#
+define(`mount_fs_perms', `{ mount remount unmount getattr }')
+
+#
+# Permissions for using sockets.
+# 
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`create_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for using stream sockets.
+# 
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+# 
+define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
+
+
+#
+# Permissions for creating and using netlink sockets.
+# 
+define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that modify state.
+# 
+define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that observe state.
+# 
+define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
+
+#
+# Permissions for sending all signals.
+#
+define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
+
+#
+# Permissions for sending and receiving network packets.
+#
+define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
+
+#
+# Permissions for using System V IPC
+#
+define(`r_sem_perms', `{ associate getattr read unix_read }')
+define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
+define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`r_msgq_perms', `{ associate getattr read unix_read }')
+define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
+define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`r_shm_perms', `{ associate getattr read unix_read }')
+define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
+define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
+
+########################################
+#
+# New permission sets
+#
+
+#
+# Directory
+#
+define(`search_dir_perms',`{ getattr search }')
+define(`getattr_dir_perms',`{ getattr }')
+define(`setattr_dir_perms',`{ setattr }')
+define(`list_dir_perms',`{ getattr search read lock ioctl }')
+define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }')
+define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }')
+define(`manage_dir_perms',`{ create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
+
+#
+# File
+#
+define(`getattr_file_perms',`{ getattr }')
+define(`setattr_file_perms',`{ setattr }')
+define(`read_file_perms',`{ getattr read lock ioctl }')
+define(`append_file_perms',`{ getattr append lock ioctl }')
+define(`write_file_perms',`{ getattr write append lock ioctl }')
+define(`rw_file_perms',`{ getattr read write append ioctl lock }')
+define(`delete_file_perms',`{ getattr unlink }')
+define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+
+#
+# Use (read and write) terminals
+#
+define(`rw_term_perms', `{ getattr read write ioctl }')
+
+#
+# Sockets
+#
+define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
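Review bot: `connected_socket_perms` and `connected_stream_socket_perms` define exactly the same sets as `client_stream_socket_perms` and `server_stream_socket_perms` at the end of the file, and `create_netlink_socket_perms` is identical to `rw_netlink_socket_perms`; the header comment above both connected_* sets is the copy-pasted "Permissions for creating and using sockets." that also sits above `create_socket_perms`. Defining the older names in terms of the newer ones, e.g. `define(`connected_socket_perms', `client_stream_socket_perms')`, keeps each pair from drifting apart when one is edited. The connected_* comments should also say what distinguishes them from `rw_socket_perms`: the set omits `connect`, i.e. it is for a socket that is already connected, with the stream variant adding listen/accept.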
diff --git a/policy/users b/policy/users
new file mode 100644
index 0000000..fecd3c3
--- /dev/null
+++ b/policy/users
@@ -0,0 +1,51 @@
+
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+ifdef(`targeted_policy',`
+gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+',`
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+')
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+ifdef(`targeted_policy',`
+	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+',`
+	ifdef(`direct_sysadm_daemon',`
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+	',`
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+	')
+')
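Review bot: The header comment has two typos: `[mcs_catetories]` should be `[mcs_categories]` (it names the sixth `gen_user` argument, which misc_macros.spt spells correctly) and "wil not be listed" should be "will not be listed". The `targeted_policy` branches give both `user_u` and `root` the `sysadm_r` and `system_r` roles directly; that is presumably intended for the targeted model, but a one-line comment on the first `ifdef(`targeted_policy'` saying that all identities share one role set there would stop a reader treating it as a strict-policy mistake.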
diff --git a/refpolicy/COPYING b/refpolicy/COPYING
deleted file mode 100644
index 5b6e7c6..0000000
--- a/refpolicy/COPYING
+++ /dev/null
@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
deleted file mode 100644
index c79ac18..0000000
--- a/refpolicy/Changelog
+++ /dev/null
@@ -1,409 +0,0 @@
-- Change eventpollfs to task SID labeling.
-- Add key support from Michael LeMay.
-- Add ftpdctl domain to ftp, from Paul Howarth.
-- Fix build system to not move type declarations out of optionals.
-- Add gcc-config domain to portage.
-- Add packet object class and support in corenetwork.
-- Add a copy of genhomedircon for monolithic policy building, so that a
-  policycoreutils package update is not required for RHEL4 systems.
-- Add appletalk sockets for use in cups.
-- Add Make target to validate module linking.
-- Make duplicate template and interface declarations a fatal error.
-- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
-- Move xconsole_device_t from devices to xserver since it is
-  not actually a device, it is a named pipe.
-- Handle nonexistant .fc and .if files in devel Makefile by
-  automatically creating empty files.
-- Remove unused devfs_control_t.
-- Add rhel4 distro, which also implies redhat distro.
-- Remove unneeded range_transition for su_exec_t and move the
-  type declaration back to the su module.
-- Constrain transitions in MCS so unconfined_t cannot have
-  arbitrary category sets.
-- Change reiserfs from xattr filesystem to genfscon as it's xattrs
-  are currently nonfunctional.
-- Change files and filesystem modules to use their own interfaces.
-- Add user fonts to xserver.
-- Additional interfaces in corecommands, miscfiles, and userdomain
-  from Joy Latten.
-- Miscellaneous fixes from Thomas Bleher.
-- Deprecate module name as first parameter of optional_policy()
-  now that optionals are allowed everywhere.
-- Enable optional blocks in base module and monolithic policy.
-  This requires checkpolicy 1.30.1.
-- Fix vpn module declaration.
-- Numerous fixes from Dan Walsh.
-- Change build order to preserve m4 line number information so policy
-  compile errors are useful again.
-- Additional MLS interfaces from Chad Hanson.
-- Move some rules out of domain_type() and domain_base_type()
-  to the TE file, to use the domain attribute to take advantage
-  of space savings from attribute use.
-- Add global stack smashing protector rule for urandom access from
-  Petre Rodan.
-- Fix temporary rules at the bottom of portmap.
-- Updated comments in mls file from Chad Hanson.
-- Patches from Dan Walsh:
-	Fri, 17 Mar 2006
-	Wed, 29 Mar 2006
-	Tue, 11 Apr 2006
-	Fri, 14 Apr 2006
-	Tue, 18 Apr 2006
-	Thu, 20 Apr 2006
-	Tue, 02 May 2006
-	Mon, 15 May 2006
-	Thu, 18 May 2006
-	Tue, 06 Jun 2006
-	Mon, 12 Jun 2006
-	Tue, 20 Jun 2006
-- Added modules:
-	afs
-	amavis (Erich Schubert)
-	apt (Erich Schubert)
-	asterisk
-	audioentropy
-	authbind
-	backup
-	calamaris
-	cipe
-	clamav (Erich Schubert)
-	clockspeed (Petre Rodan)
-	courier
-	dante
-	dcc
-	ddclient
-	dpkg (Erich Schubert)
-	dnsmasq
-	ethereal
-	evolution
-	games
-	gatekeeper
-	gift
-	imaze
-	ircd
-	jabber
-	monop
-	mozilla
-	mplayer
-	munin
-	nagios
-	nessus
-	nsd
-	ntop
-	nx
-	oav
-	openca
-	openvpn (Petre Rodan)
-	perdition
-	portslave
-	postgrey
-	pxe
-	pyzor (Dan Walsh)
-	qmail (Petre Rodan)
-	razor
-	resmgr
-	rhgb
-	rssh
-	snort
-	soundserver
-	speedtouch
-	sxid
-	thunderbird
-	tor (Erich Schubert)
-	transproxy
-	tripwire
-	uptime
-	uwimap
-	vmware
-	watchdog
-	xen (Dan Walsh)
-	xprint
-	yam
-
-* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
-- Make all interface parameters required.
-- Move boot_t, system_map_t, and modules_object_t to files module,
-  and move bootloader to admin layer.
-- Add semanage policy for semodule from Dan Walsh.
-- Remove allow_execmem from targeted policy domain_base_type().
-- Add users_extra and seusers support.
-- Postfix fixes from Serge Hallyn.
-- Run python and shell directly to interpret scripts so policy
-  sources need not be executable.
-- Add desc tag XML to booleans and tunables, and add summary
-  to param XML tag, to make future translations possible.
-- Remove unused lvm_vg_t.
-- Many interface renames to improve naming consistency.
-- Merge xdm into xserver.
-- Remove kernel module reversed interfaces.
-- Add filename attribute to module XML tag and lineno attribute to
-  interface XML tag.
-- Changed QUIET build option to a yes or no option.
-- Add a Makefile used for compiling loadable modules in a
-  user's development environment, building against policy headers.
-- Add Make target for installing policy headers.
-- Separate per-userdomain template expansion from the userdomain
-  module and add infrastructure to expand templates in the modules
-  that own the template.
-- Enable secadm only for MLS policies.
-- Remove role change rules in su and sudo since this functionality has been
-  removed from these programs.
-- Add ctags Make target from Thomas Bleher.
-- Collapse commands with grep piped to sed into one sed command.
-- Fix type_change bug in term_user_pty().
-- Move ice_tmp_t from miscfiles to xserver.
-- Login fixes from Serge Hallyn.
-- Move xserver_log_t from xdm to xserver.
-- Add lpr per-userdomain policy to lpd.
-- Miscellaneous fixes from Dan Walsh.
-- Change initrc_var_run_t interface noun from script_pid to utmp,
-  for greater clarity.
-- Added modules:
-	certwatch
-	mono (Dan Walsh)
-	mrtg
-	portage
-	tvtime
-	userhelper
-	usernetctl
-	wine (Dan Walsh)
-	xserver
-
-* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
-- Adds support for generating corenetwork interfaces based on attributes 
-  in addition to types.
-- Permits the listing of multiple nodes in a network_node() that will be
-  given the same type.
-- Add two new permission sets for stream sockets.
-- Rename file type transition interfaces verb from create to
-  filetrans to differentiate it from create interfaces without
-  type transitions.
-- Fix expansion of interfaces from disabled modules.
-- Rsync can be long running from init,
-  added rules to allow this.
-- Add polyinstantiation build option.
-- Add setcontext to the association object class.
-- Add apache relay and db connect tunables.
-- Rename texrel_shlib_t to textrel_shlib_t.
-- Add swat to samba module.
-- Numerous miscellaneous fixes from Dan Walsh.
-- Added modules:
-	alsa
-	automount
-	cdrecord
-	daemontools (Petre Rodan)
-	ddcprobe
-	djbdns (Petre Rodan)
-	fetchmail
-	irc
-	java
-	lockdev
-	logwatch (Dan Walsh)
-	openct
-	prelink (Dan Walsh)
-	publicfile (Petre Rodan)
-	readahead
-	roundup
-	screen
-	slocate (Dan Walsh)
-	slrnpull
-	smartmon
-	sysstat
-	ucspitcp (Petre Rodan)
-	usbmodules
-	vbetool (Dan Walsh)
-
-* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
-- Add unlabeled IPSEC association rule to domains with
-  networking permissions.
-- Merge systemuser back in to users, as these files
-  do not need to be split.
-- Add check for duplicate interface/template definitions.
-- Move domain, files, and corecommands modules to kernel
-  layer to resolve some layering inconsistencies.
-- Move policy build options out of Makefile into build.conf.
-- Add yppasswd to nis module.
-- Change optional_policy() to refer to the module name
-  rather than modulename.te.
-- Fix labeling targets to use installed file_contexts rather
-  than partial file_contexts in the policy source directory.
-- Fix build process to use make's internal vpath functions
-  to detect modules rather than using subshells and find.
-- Add install target for modular policy.
-- Add load target for modular policy.
-- Add appconfig dependency to the load target.
-- Miscellaneous fixes from Dan Walsh.
-- Fix corenetwork gen_context()'s to expand during the policy
-  build phase instead of during the generation phase.  
-- Added policies:
-	amanda
-	avahi
-	canna
-	cyrus
-	dbskk
-	dovecot
-	distcc
-	i18n_input
-	irqbalance
-	lpd
-	networkmanager
-	pegasus
-	postfix
-	procmail
-	radius
-	rdisc
-	rpc
-	spamassassin
-	timidity
-	xdm
-	xfs
-
-* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
-- Many fixes to make loadable modules build.
-- Add targets for sechecker.
-- Updated to sedoctool to read bool files and tunable
-  files separately.
-- Changed the xml tag of <boolean> to <bool> to be consistent
-  with gen_bool().
-- Modified the implementation of segenxml to use regular
-  expressions.
-- Rename context_template() to gen_context() to clarify
-  that its not a Reference Policy template, but a support
-  macro.
-- Add disable_*_trans bool support for targeted policy.
-- Add MLS module to handle MLS constraint exceptions,
-  such as reading up and writing down.
-- Fix errors uncovered by sediff.
-- Added policies:
-	anaconda
-	apache
-	apm
-	arpwatch
-	bluetooth
-	dmidecode
-	finger
-	ftp
-	kudzu
-	mailman
-	ppp
-	radvd
-	sasl
-	webalizer
-
-* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
-- Make logrotate, sendmail, sshd, and rpm policies
-  unconfined in the targeted policy so no special
-  modules.conf is required.
-- Add experimental MCS support.
-- Add appconfig for MLS.
-- Add equivalents for old can_resolve(), can_ldap(), and
-  can_portmap() to sysnetwork.
-- Fix base module compile issues.
-- Added policies:
-	cpucontrol
-	cvs
-	ktalk
-	portmap
-	postgresql
-	rlogin
-	samba
-	snmp
-	stunnel
-	telnet
-	tftp
-	uucp
-	vpn
-	zebra
-
-* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
-- Fix errors uncovered by sediff.
-- Doc tool will explicitly say a module does not have interfaces
-  or templates on the module page.
-- Added policies:
-	comsat
-	dbus
-	dhcp
-	dictd
-	hal
-	inn
-	ntp
-	squid
-
-* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
-- Add Makefile support for building loadable modules.
-- Add genclassperms.py tool to add require blocks
-  for loadable modules.
-- Change sedoctool to make required modules part of base
-  by default, otherwise make as modules, in modules.conf.
-- Fix segenxml to handle modules with no interfaces.
-- Rename ipsec connect interface for consistency.
-- Add missing parts of unix stream socket connect interface
-  of ipsec.
-- Rename inetd connect interface for consistency.
-- Rename interface for purging contents of tmp, for clarity,
-  since it allows deletion of classes other than file.
-- Misc. cleanups.
-- Added policies:
-	acct
-	bind
-	firstboot
-	gpm
-	howl
-	ldap
-	loadkeys
-	mysql
-	privoxy
-	quota
-	rshd
-	rsync
-	su
-	sudo
-	tcpd
-	tmpreaper
-	updfstab
-
-* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
-- Fix comparison bug in fc_sort.
-- Fix handling of ordered and unordered HTML lists.
-- Corenetwork now supports multiple network interfaces having the
-  same type.
-- Doc tool now creates pages for global Booleans and global tunables.
-- Doc tool now links directly to the interface/template in the
-  module page when it is selected in the interface/template index.
-- Added support for layer summaries.
-- Added policies:
-	ipsec
-	nscd
-	pcmcia
-	raid
-
-* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
-- Changed xml to have modules encapsulated by layer tags, rather
-  than putting layer="foo" in the module tags.  Also in the future
-  we can put a summary and description for each layer.
-- Added tool to infer interface, module, and layer tags.  This will
-  now list all interfaces, even if they are missing xml docs.
-- Shortened xml tag names.
-- Added macros to declare interfaces and templates.
-- Added interface call trace.
-- Updated all xml documentation for shorter and inferred tags.
-- Doc tool now displays templates in the web pages.
-- Doc tool retains the user's settings in modules.conf and
-  tunables.conf if the files already exist.
-- Modules.conf behavior has been changed to be a list of all
-  available modules, and the user can specify if the module is
-  built as a loadable module, included in the monolithic policy,
-  or excluded.
-- Added policies:
-	fstools (fsck, mkfs, swapon, etc. tools)
-	logrotate
-	inetd
-	kerberos
-	nis (ypbind and ypserv)
-	ssh (server, client, and agent)
-	unconfined
-- Added infrastructure for targeted policy support, only missing
-	transition boolean support.
-
-* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
-	- Initial release
diff --git a/refpolicy/INSTALL b/refpolicy/INSTALL
deleted file mode 100644
index 0b2632c..0000000
--- a/refpolicy/INSTALL
+++ /dev/null
@@ -1,48 +0,0 @@
-Reference Policy has a requirement of checkpolicy 1.28.  Red Hat 
-Enterprise Linux 4 and Fedora Core 4 RPMs are available on
-the Reference Policy download page at http://serefpolicy.sf.net,
-and can be installed thusly:
-
-Red Hat Enterprise Linux 4:
-
-	rpm -i libsepol-1.11.7-1.i386.rpm
-	rpm -U checkpolicy-1.28-4.i386.rpm
-
-Fedora Core 4:
-
-	rpm -U libsepol-1.11.7-1.i386.rpm checkpolicy-1.28-4.i386.rpm
-
-To install Reference Policy sources into /etc/selinux/refpolicy/src/policy:
-
-	make install-src
-
-This will back up a pre-existing source policy to the
-/etc/selinux/refpolicy/src/policy.bak directory.
-
-If you do not have a modules.conf, one can be generated:
-
-	make conf
-
-This will create a default modules.conf.  Options for the policy
-build process can be found in build.conf.  After installing the policy sources,
-the old Make targets have been maintained for the monolithic policy:
-
-Local policy development:
-
-	make policy
-
-Compile and install the policy:
-
-	make install
-
-Compile, install, and load the policy:
-
-	make load
-
-Filesystem labeling:
-
-	make relabel
-	make checklabels
-	make restorelabels
-
-See the README for more information on available make targets.
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
deleted file mode 100644
index 51304e9..0000000
--- a/refpolicy/Makefile
+++ /dev/null
@@ -1,609 +0,0 @@
-#
-# Makefile for the security policy.
-#
-# Targets:
-# 
-# install       - compile and install the policy configuration, and context files.
-# load          - compile, install, and load the policy configuration.
-# reload        - compile, install, and load/reload the policy configuration.
-# relabel       - relabel filesystems based on the file contexts configuration.
-# checklabels   - check filesystems against the file context configuration
-# restorelabels - check filesystems against the file context configuration
-#                 and restore the label of files with incorrect labels
-# policy        - compile the policy configuration locally for testing/development.
-#
-# The default target is 'policy'.
-#
-#
-# Please see build.conf for policy build options.
-#
-
-########################################
-#
-# NO OPTIONS BELOW HERE
-#
-
-# Include the local build.conf if it exists, otherwise
-# include the configuration of the root directory.
-include build.conf
-
-ifdef LOCAL_ROOT
-	-include $(LOCAL_ROOT)/build.conf
-endif
-
-# refpolicy version
-VERSION = $(shell cat VERSION)
-
-ifdef LOCAL_ROOT
-BUILDDIR := $(LOCAL_ROOT)/
-TMPDIR := $(LOCAL_ROOT)/tmp
-TAGS := $(LOCAL_ROOT)/tags
-else
-TMPDIR := tmp
-TAGS := tags
-endif
-
-# executable paths
-BINDIR ?= /usr/bin
-SBINDIR ?= /usr/sbin
-ifdef TEST_TOOLCHAIN
-tc_bindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
-tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
-else
-tc_bindir := $(BINDIR)
-tc_sbindir := $(SBINDIR)
-endif
-CHECKPOLICY ?= $(tc_bindir)/checkpolicy
-CHECKMODULE ?= $(tc_bindir)/checkmodule
-SEMODULE ?= $(tc_sbindir)/semodule
-SEMOD_PKG ?= $(tc_bindir)/semodule_package
-SEMOD_LNK ?= $(tc_bindir)/semodule_link
-SEMOD_EXP ?= $(tc_bindir)/semodule_expand
-LOADPOLICY ?= $(tc_sbindir)/load_policy
-SETFILES ?= $(tc_sbindir)/setfiles
-XMLLINT ?= $(BINDIR)/xmllint
-SECHECK ?= $(BINDIR)/sechecker
-
-# interpreters and aux tools
-AWK ?= gawk
-GREP ?= egrep
-M4 ?= m4
-PYTHON ?= python
-SED ?= sed
-SORT ?= LC_ALL=C sort
-
-CFLAGS += -Wall
-
-# policy source layout
-POLDIR := policy
-MODDIR := $(POLDIR)/modules
-FLASKDIR := $(POLDIR)/flask
-SECCLASS := $(FLASKDIR)/security_classes
-ISIDS := $(FLASKDIR)/initial_sids
-AVS := $(FLASKDIR)/access_vectors
-
-# local source layout
-ifdef LOCAL_ROOT
-LOCAL_POLDIR := $(LOCAL_ROOT)/policy
-LOCAL_MODDIR := $(LOCAL_POLDIR)/modules
-endif
-
-# policy building support tools
-SUPPORT := support
-GENXML := $(PYTHON) $(SUPPORT)/segenxml.py
-GENDOC := $(PYTHON) $(SUPPORT)/sedoctool.py
-GENPERM := $(PYTHON) $(SUPPORT)/genclassperms.py
-FCSORT := $(TMPDIR)/fc_sort
-SETBOOLS := $(AWK) -f $(SUPPORT)/set_bools_tuns.awk
-get_type_attr_decl := $(SED) -r -f $(SUPPORT)/get_type_attr_decl.sed
-comment_move_decl := $(SED) -r -f $(SUPPORT)/comment_move_decl.sed
-gennetfilter := $(PYTHON) $(SUPPORT)/gennetfilter.py
-# use our own genhomedircon to make sure we have a known usable one,
-# so policycoreutils updates are not required (RHEL4)
-genhomedircon := $(PYTHON) $(SUPPORT)/genhomedircon
-
-# documentation paths
-DOCS := doc
-XMLDTD = $(DOCS)/policy.dtd
-LAYERXML = metadata.xml
-DOCTEMPLATE = $(DOCS)/templates
-DOCFILES = $(DOCS)/Makefile.example $(addprefix $(DOCS)/,example.te example.if example.fc)
-
-ifndef LOCAL_ROOT
-POLXML = $(DOCS)/policy.xml
-TUNXML = $(DOCS)/global_tunables.xml
-BOOLXML = $(DOCS)/global_booleans.xml
-HTMLDIR = $(DOCS)/html
-else
-POLXML = $(LOCAL_ROOT)/doc/policy.xml
-TUNXML = $(LOCAL_ROOT)/doc/global_tunables.xml
-BOOLXML = $(LOCAL_ROOT)/doc/global_booleans.xml
-HTMLDIR = $(LOCAL_ROOT)/doc/html
-endif
-
-# config file paths
-GLOBALTUN = $(POLDIR)/global_tunables
-GLOBALBOOL = $(POLDIR)/global_booleans
-TUNABLES = $(POLDIR)/tunables.conf
-ROLEMAP = $(POLDIR)/rolemap
-USER_FILES := $(POLDIR)/users
-
-# local config file paths
-ifndef LOCAL_ROOT
-MOD_CONF = $(POLDIR)/modules.conf
-BOOLEANS = $(POLDIR)/booleans.conf
-else
-MOD_CONF = $(LOCAL_POLDIR)/modules.conf
-BOOLEANS = $(LOCAL_POLDIR)/booleans.conf
-endif
-
-# install paths
-PKGNAME ?= refpolicy-$(VERSION)
-PREFIX = $(DESTDIR)/usr
-TOPDIR = $(DESTDIR)/etc/selinux
-INSTALLDIR = $(TOPDIR)/$(NAME)
-SRCPATH = $(INSTALLDIR)/src
-USERPATH = $(INSTALLDIR)/users
-CONTEXTPATH = $(INSTALLDIR)/contexts
-FCPATH = $(CONTEXTPATH)/files/file_contexts
-SHAREDIR = $(PREFIX)/share/selinux
-MODPKGDIR = $(SHAREDIR)/$(NAME)
-HEADERDIR = $(MODPKGDIR)/include
-DOCSDIR = $(PREFIX)/share/doc/$(PKGNAME)
-
-# compile strict policy if requested.
-ifneq ($(findstring strict,$(TYPE)),)
-	M4PARAM += -D strict_policy
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
-	M4PARAM += -D targeted_policy
-endif
-
-# enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
-	M4PARAM += -D enable_mls
-	CHECKPOLICY += -M
-	CHECKMODULE += -M
-	gennetfilter += -m
-endif
-
-# enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
-	M4PARAM += -D enable_mcs
-	CHECKPOLICY += -M
-	CHECKMODULE += -M
-	gennetfilter += -c
-endif
-
-# enable distribution-specific policy
-ifneq ($(DISTRO),)
-	M4PARAM += -D distro_$(DISTRO)
-endif
-
-# rhel4 also implies redhat
-ifeq "$(DISTRO)" "rhel4"
-	M4PARAM += -D distro_redhat
-endif
-
-# enable polyinstantiation
-ifeq ($(POLY),y)
-	M4PARAM += -D enable_polyinstantiation
-endif
-
-ifneq ($(OUTPUT_POLICY),)
-	CHECKPOLICY += -c $(OUTPUT_POLICY)
-endif
-
-# if not set, use the type as the name.
-NAME ?= $(TYPE)
-
-ifeq ($(DIRECT_INITRC),y)
-	M4PARAM += -D direct_sysadm_daemon
-endif
-
-ifeq ($(QUIET),y)
-	verbose = @
-endif
-
-M4PARAM += -D hide_broken_symptoms
-
-# we need exuberant ctags; unfortunately it is named
-# differently on different distros
-ifeq ($(DISTRO),debian)
-	CTAGS := ctags-exuberant
-endif
-
-ifeq ($(DISTRO),gentoo)
-	CTAGS := exuberant-ctags	
-endif
-
-CTAGS ?= ctags
-
-# determine the policy version and current kernel version if possible
-PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
-KV := $(shell cat /selinux/policyvers)
-
-# dont print version warnings if we are unable to determine
-# the currently running kernel's policy version
-ifeq ($(KV),)
-	KV := $(PV)
-endif
-
-M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)
-ifdef LOCAL_ROOT
-M4SUPPORT += $(wildcard $(LOCAL_POLDIR)/support/*.spt)
-endif
-
-APPCONF := config/appconfig-$(TYPE)
-SEUSERS := $(APPCONF)/seusers
-APPDIR := $(CONTEXTPATH)
-APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
-CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
-net_contexts := $(BUILDDIR)net_contexts
-
-ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
-ifdef LOCAL_ROOT
-ALL_LAYERS += $(filter-out $(LOCAL_MODDIR)/CVS,$(shell find $(wildcard $(LOCAL_MODDIR)/*) -maxdepth 0 -type d))
-endif
-
-GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
-GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
-GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc.in)))
-
-# sort here since it removes duplicates, which can happen
-# when a generated file is already generated
-DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) $(GENERATED_TE))
-
-# modules.conf setting for base module
-MODBASE := base
-
-# modules.conf setting for loadable module
-MODMOD := module
-
-# modules.conf setting for unused module
-MODUNUSED := off
-
-# test for module overrides from command line
-MOD_TEST = $(filter $(APPS_OFF), $(APPS_BASE) $(APPS_MODS))
-MOD_TEST += $(filter $(APPS_MODS), $(APPS_BASE))
-ifneq ($(strip $(MOD_TEST)),)
-        $(error Applications must be base, module, or off, and not in more than one list! $(strip $(MOD_TEST)) found in multiple lists!)
-endif
-
-# add on suffix to modules specified on command line
-CMDLINE_BASE := $(addsuffix .te,$(APPS_BASE))
-CMDLINE_MODS := $(addsuffix .te,$(APPS_MODS))
-CMDLINE_OFF := $(addsuffix .te,$(APPS_OFF))
-
-# extract settings from modules.conf
-MOD_CONF_BASE := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null)))
-MOD_CONF_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null)))
-MOD_CONF_OFF := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null)))
-
-BASE_MODS := $(CMDLINE_BASE)
-MOD_MODS := $(CMDLINE_MODS)
-OFF_MODS := $(CMDLINE_OFF)
-
-BASE_MODS += $(filter-out $(CMDLINE_OFF) $(CMDLINE_BASE) $(CMDLINE_MODS), $(MOD_CONF_BASE))
-MOD_MODS += $(filter-out $(CMDLINE_OFF) $(CMDLINE_BASE) $(CMDLINE_MODS), $(MOD_CONF_MODS))
-OFF_MODS += $(filter-out $(CMDLINE_OFF) $(CMDLINE_BASE) $(CMDLINE_MODS), $(MOD_CONF_OFF))
-
-# add modules not in modules.conf to the off list
-OFF_MODS += $(filter-out $(BASE_MODS) $(MOD_MODS) $(OFF_MODS),$(notdir $(DETECTED_MODS)))
-
-# filesystems to be used in labeling targets
-FILESYSTEMS = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';)
-
-########################################
-#
-# Functions
-#
-
-# parse-rolemap modulename,outputfile
-define parse-rolemap
-	$(verbose) m4 $(M4PARAM) $(ROLEMAP) | \
-		awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-endef
-
-# peruser-expansion modulename,outputfile
-define peruser-expansion
-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
-	$(call parse-rolemap,$1,$2)
-	$(verbose) echo "')" >> $2
-endef
-
-########################################
-#
-# Load appropriate rules
-#
-
-ifeq ($(MONOLITHIC),y)
-	include Rules.monolithic
-else
-	include Rules.modular
-endif
-
-########################################
-#
-# Generated files
-#
-# NOTE: There is no "local" version of these files.
-#
-generate: $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
-
-$(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/kernel/corenetwork.if.in
-	@echo "#" > $@
-	@echo "# This is a generated file!  Instead of modifying this file, the" >> $@
-	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
-	@echo "#" >> $@
-	$(verbose) cat $(MODDIR)/kernel/corenetwork.if.in >> $@
-	$(verbose) egrep "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $(@:.if=.te).in \
-		| m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \
-		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
-
-$(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
-	@echo "#" > $@
-	@echo "# This is a generated file!  Instead of modifying this file, the" >> $@
-	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
-	@echo "#" >> $@
-	$(verbose) m4 -D self_contained_policy $(M4PARAM) $^ \
-		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
-
-########################################
-#
-# Network packet labeling
-#
-$(net_contexts): $(MODDIR)/kernel/corenetwork.te.in
-	@echo "Creating netfilter network labeling rules"
-	$(verbose) $(gennetfilter) $^ > $@
-
-########################################
-#
-# Create config files
-#
-conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
-
-$(MOD_CONF) $(BOOLEANS): $(POLXML)
-	@echo "Updating $(MOD_CONF) and $(BOOLEANS)"
-	$(verbose) $(GENDOC) -b $(BOOLEANS) -m $(MOD_CONF) -x $(POLXML)
-
-########################################
-#
-# Generate the fc_sort program
-#
-$(FCSORT) : $(SUPPORT)/fc_sort.c
-	$(verbose) $(CC) $(CFLAGS) $(SUPPORT)/fc_sort.c -o $(FCSORT)
-
-########################################
-#
-# Documentation generation
-#
-
-# minimal dependencies here, because we don't want to rebuild 
-# this and its dependents every time the dependencies
-# change.  Also use all .if files here, rather then just the
-# enabled modules.
-xml: $(POLXML)
-$(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXML))
-	@echo "Creating $(@F)"
-	@test -d $(dir $(POLXML)) || mkdir -p $(dir $(POLXML))
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
-	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(XMLDTD))">' >> $@
-	$(verbose) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o $(DOCS) $(ALL_LAYERS) >> $@
-	$(verbose) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
-		$(XMLLINT) --noout --path $(dir $(XMLDTD)) --dtdvalid $(XMLDTD) $@ ;\
-	fi
-
-$(TUNXML) $(BOOLXML): $(POLXML)
-
-html $(TMPDIR)/html: $(POLXML)
-	@echo "Building html interface reference documentation in $(HTMLDIR)"
-	@test -d $(HTMLDIR) || mkdir -p $(HTMLDIR)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) $(GENDOC) -d $(HTMLDIR) -T $(DOCTEMPLATE) -x $(POLXML)
-	$(verbose) cp $(DOCTEMPLATE)/*.css $(HTMLDIR)
-	@touch $(TMPDIR)/html
-
-########################################
-#
-# Runtime binary policy patching of users
-#
-$(USERPATH)/system.users: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(USER_FILES)
-	@mkdir -p $(TMPDIR)
-	@mkdir -p $(USERPATH)
-	@echo "Installing system.users"
-	@echo "# " > $(TMPDIR)/system.users
-	@echo "# Do not edit this file. " >> $(TMPDIR)/system.users
-	@echo "# This file is replaced on reinstalls of this policy." >> $(TMPDIR)/system.users
-	@echo "# Please edit local.users to make local changes." >> $(TMPDIR)/system.users
-	@echo "#" >> $(TMPDIR)/system.users
-	$(verbose) m4 -D self_contained_policy $(M4PARAM) $^ | sed -r -e 's/^[[:blank:]]+//' \
-		-e '/^[[:blank:]]*($$|#)/d' >> $(TMPDIR)/system.users
-	$(verbose) install -m 644 $(TMPDIR)/system.users $@
-
-$(USERPATH)/local.users: config/local.users
-	@mkdir -p $(USERPATH)
-	@echo "Installing local.users"
-	$(verbose) install -b -m 644 $< $@
-
-########################################
-#
-# Appconfig files
-#
-install-appconfig: $(APPFILES)
-
-$(INSTALLDIR)/booleans: $(BOOLEANS)
-	@mkdir -p $(TMPDIR)
-	@mkdir -p $(INSTALLDIR)
-	$(verbose) sed -r -e 's/false/0/g' -e 's/true/1/g' \
-		-e '/^[[:blank:]]*($$|#)/d' $(BOOLEANS) | sort > $(TMPDIR)/booleans
-	$(verbose) install -m 644 $(TMPDIR)/booleans $@
-
-$(CONTEXTPATH)/files/media: $(APPCONF)/media
-	@mkdir -p $(CONTEXTPATH)/files/
-	$(verbose) install -m 644 $< $@
-
-$(APPDIR)/default_contexts: $(APPCONF)/default_contexts
-	@mkdir -p $(APPDIR)
-	$(verbose) install -m 644 $< $@
-
-$(APPDIR)/removable_context: $(APPCONF)/removable_context
-	@mkdir -p $(APPDIR)
-	$(verbose) install -m 644 $< $@
-
-$(APPDIR)/default_type: $(APPCONF)/default_type
-	@mkdir -p $(APPDIR)
-	$(verbose) install -m 644 $< $@
-
-$(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context
-	@mkdir -p $(APPDIR)
-	$(verbose) install -m 644 $< $@
-
-$(APPDIR)/initrc_context: $(APPCONF)/initrc_context
-	@mkdir -p $(APPDIR)
-	$(verbose) install -m 644 $< $@
-
-$(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context
-	@mkdir -p $(APPDIR)
-	$(verbose) install -m 644 $< $@
-
-$(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts
-	@mkdir -p $(APPDIR)
-	$(verbose) install -m 644 $< $@
-
-$(APPDIR)/users/root: $(APPCONF)/root_default_contexts
-	@mkdir -p $(APPDIR)/users
-	$(verbose) install -m 644 $< $@
-
-########################################
-#
-# Install policy headers
-#
-install-headers: $(TUNXML) $(BOOLXML)
-	@mkdir -p $(HEADERDIR)
-	@echo "Installing $(TYPE) policy headers."
-	$(verbose) install -m 644 $(TUNXML) $(BOOLXML) $(HEADERDIR)
-	$(verbose) m4 $(M4PARAM) $(ROLEMAP) > $(HEADERDIR)/$(notdir $(ROLEMAP))
-	$(verbose) mkdir -p $(HEADERDIR)/support
-	$(verbose) install -m 644 $(M4SUPPORT) $(word $(words $(GENXML)),$(GENXML)) $(XMLDTD) $(HEADERDIR)/support
-	$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $(HEADERDIR)/support/all_perms.spt
-	$(verbose) for i in $(notdir $(ALL_LAYERS)); do \
-		mkdir -p $(HEADERDIR)/$$i ;\
-		install -m 644 $(MODDIR)/$$i/*.if \
-			$(MODDIR)/$$i/metadata.xml \
-			$(HEADERDIR)/$$i ;\
-	done
-	$(verbose) echo "TYPE ?= $(TYPE)" > $(HEADERDIR)/build.conf
-	$(verbose) echo "NAME ?= $(NAME)" >> $(HEADERDIR)/build.conf
-ifneq "$(DISTRO)" ""
-	$(verbose) echo "DISTRO ?= $(DISTRO)" >> $(HEADERDIR)/build.conf
-endif
-	$(verbose) echo "MONOLITHIC ?= n" >> $(HEADERDIR)/build.conf
-	$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
-	$(verbose) echo "POLY ?= $(POLY)" >> $(HEADERDIR)/build.conf
-	$(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile
-
-########################################
-#
-# Install policy documentation
-#
-install-docs: $(TMPDIR)/html
-	@mkdir -p $(DOCSDIR)/html
-	@echo "Installing policy documentation"
-	$(verbose) install -m 644 $(DOCFILES) $(DOCSDIR)
-	$(verbose) install -m 644 $(wildcard $(HTMLDIR)/*) $(DOCSDIR)/html
-
-########################################
-#
-# Install policy sources
-#
-install-src:
-	rm -rf $(SRCPATH)/policy.old
-	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
-	mkdir -p $(SRCPATH)/policy
-	cp -R . $(SRCPATH)/policy
-
-########################################
-#
-# Generate tags file
-#
-tags: $(TAGS)
-$(TAGS):
-	@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
-	@LC_ALL=C $(CTAGS) -f $(TAGS) --langdef=te --langmap=te:..te.if.spt \
-	 --regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \
-	 --regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
-	 --regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \
-	 --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
-	 --regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \
-	 --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt
-
-########################################
-#
-# Filesystem labeling
-#
-checklabels:
-	@echo "Checking labels on filesystem types: ext2 ext3 xfs jfs"
-	@if test -z "$(FILESYSTEMS)"; then \
-		echo "No filesystems with extended attributes found!" ;\
-		false ;\
-	fi
-	$(verbose) $(SETFILES) -v -n $(FCPATH) $(FILESYSTEMS)
-
-restorelabels:
-	@echo "Restoring labels on filesystem types: ext2 ext3 xfs jfs"
-	@if test -z "$(FILESYSTEMS)"; then \
-		echo "No filesystems with extended attributes found!" ;\
-		false ;\
-	fi
-	$(verbose) $(SETFILES) -v $(FCPATH) $(FILESYSTEMS)
-
-relabel:
-	@echo "Relabeling filesystem types: ext2 ext3 xfs jfs"
-	@if test -z "$(FILESYSTEMS)"; then \
-		echo "No filesystems with extended attributes found!" ;\
-		false ;\
-	fi
-	$(verbose) $(SETFILES) $(FCPATH) $(FILESYSTEMS)
-
-resetlabels:
-	@echo "Resetting labels on filesystem types: ext2 ext3 xfs jfs"
-	@if test -z "$(FILESYSTEMS)"; then \
-		echo "No filesystems with extended attributes found!" ;\
-		false ;\
-	fi
-	$(verbose) $(SETFILES) -F $(FCPATH) $(FILESYSTEMS)
-
-########################################
-#
-# Clean everything
-#
-bare: clean
-	rm -f $(POLXML)
-	rm -f $(TUNXML)
-	rm -f $(BOOLXML)
-	rm -f $(MOD_CONF)
-	rm -f $(BOOLEANS)
-	rm -fR $(HTMLDIR)
-	rm -f $(TAGS)
-# don't remove these files if we're given a local root
-ifndef LOCAL_ROOT
-	rm -f $(FCSORT)
-	rm -f $(SUPPORT)/*.pyc
-ifneq ($(GENERATED_TE),)
-	rm -f $(GENERATED_TE)
-endif
-ifneq ($(GENERATED_IF),)
-	rm -f $(GENERATED_IF)
-endif
-ifneq ($(GENERATED_FC),)
-	rm -f $(GENERATED_FC)
-endif
-endif
-
-.PHONY: install-src install-appconfig generate xml conf html bare tags
-.SUFFIXES:
-.SUFFIXES: .c
diff --git a/refpolicy/README b/refpolicy/README
deleted file mode 100644
index 9b43465..0000000
--- a/refpolicy/README
+++ /dev/null
@@ -1,209 +0,0 @@
-1) Reference Policy make targets:
-
-General Make targets:
-
-install-src		Install the policy sources into
-			/etc/selinux/NAME/src/policy, where NAME is defined in
-			the Makefile.  If not defined, the TYPE, as defined in
-			the Makefile, is used.  The default NAME is refpolicy.
-			A pre-existing source policy will be moved to
-			/etc/selinux/NAME/src/policy.bak.
-
-conf			Regenerate policy.xml, and update/create modules.conf
-			and booleans.conf.  This should be done after adding
-			or removing modules, or after running the bare target.
-			If the configuration files exist, their settings will
-			be preserved.  This must be ran on policy sources that
-			are checked out from the CVS repository before they can
-			be used.
-
-clean			Delete all temporary files, compiled policies,
-			and file_contexts.  Configuration files are left intact.
-
-bare			Do the clean make target and also delete configuration
-			files, web page documentation, and policy.xml.
-
-html			Regenerate policy.xml and create web page documentation
-			in the doc/html directory.
-
-Make targets specific to modular (loadable modules) policies:
-
-base			Compile and package the base module.  This is the
-			default target for modular policies.
-
-modules			Compile and package all Reference Policy modules
-			configured to be built as loadable modules.
-
-MODULENAME.pp		Compile and package the MODULENAME Reference Policy
-			module.
-
-all			Compile and package the base module and all Reference
-			Policy modules configured to be built as loadable
-			modules.
-
-install			Compile, package, and install the base module and
-			Reference Policy modules configured to be built as
-			loadable modules.
-
-load			Compile, package, and install the base module and
-			Reference Policy modules configured to be built as
-			loadable modules, then insert them into the module
-			store.
-
-validate		Validate if the configured modules can successfully
-			link and expand.
-
-Make targets specific to monolithic policies:
-
-policy			Compile a policy locally for development and testing.
-			This is the default target for monolithic policies.
-
-install			Compile and install the policy and file contexts.
-
-load			Compile and install the policy and file contexts, then
-			load the policy.
-
-enableaudit		Remove all dontaudit rules from policy.conf.
-
-relabel			Relabel the filesystem.
-
-checklabels		Check the labels on the filesystem, and report when
-			a file would be relabeled, but do not change its label.
-
-restorelabels		Relabel the filesystem and report each file that is
-			relabeled.
-
-
-2) Reference Policy Build Options (build.conf)
-
-TYPE			String.  Available options are strict, targeted,
-			strict-mls, targeted-mls, strict-mcs, and targeted-mcs.
-			This sets the policy type as strict or targeted, and
-			optionally enables multi-leve security (MLS) or
-			multi-category security (MCS) features.  This option
-			controls strict_policy, targeted_policy, enable_mls,
-			and enable_mcs policy blocks.
-
-NAME			String (optional).  Sets the name of the policy; the
-			NAME is used when installing files to e.g.,
-			/etc/selinux/NAME and /usr/share/selinux/NAME.  If not
-			set, the policy type (TYPE) is used.
-
-DISTRO			String (optional).  Enable distribution-specific policy.
-			Available options are redhat, rhel4, gentoo, debian,
-			and suse.  This option controls distro_redhat,
-			distro_rhel4, distro_gentoo, distro_debian, and
-			distro_suse policy blocks.
-
-MONOLITHIC		Boolean.  If set, a monolithic policy is built,
-			otherwise a modular policy is built.
-
-DIRECT_INITRC		Boolean.  If set, sysadm will be allowed to directly
-			run init scripts, instead of requiring the run_init
-			tool.  This is a build option instead of a tunable since
-			role transitions do not work in conditional policy.
-			This option controls direct_sysadm_daemon policy
-			blocks.
-
-POLY			Boolean.  If set, policy for polyinstantiated
-			directories will be enabled.  This option controls
-			enable_polyinstantiation policy blocks.
-
-OUTPUT_POLICY		Integer.  Set the version of the policy created when
-			building a monolithic policy.  This option has no effect
-			on modular policy.
-
-QUIET			Boolean.  If set, the build system will only display
-			status messages and error messages.  This option has no
-			effect on policy.
-
-
-3) Reference Policy Files and Directories
-All directories relative to the root of the Reference Policy sources directory.
-
-Makefile		General rules for building the policy.
-
-Rules.modular		Makefile rules specific to building loadable module
-			policies.
-
-Rules.monolithic	Makefile rules specific to building monolithic policies.
-
-build.conf		Options which influence the building of the policy,
-			such as the policy type (strict, targeted, etc.)
-			and distribution.
-
-config/appconfig-*	Application configuration files for all configurations
-			of the Reference Policy (targeted/strict with or without
-			MLS or MCS).  These are used by SELinux-aware programs.
-
-config/local.users	The file read by load policy for adding SELinux users
-			to the policy on the fly.
-
-doc/html/*		This contains the contents of the in-policy XML
-			documentation, presented in web page form.
-
-doc/policy.dtd		The doc/policy.xml file is validated against this DTD.
-
-doc/policy.xml		This file is generated/updated by the conf and html make
-			targets.  It contains the complete XML documentation
-			included in the policy.
-
-doc/templates/*		Templates used for documentation web pages.
-
-policy/booleans.conf	This file is generated/updated by the conf make target.
-			It contains the booleans in the policy, and their
-			default values.  If tunables are implemented as
-			booleans, tunables will also be included.  This file
-			will be installed as the /etc/selinux/NAME/booleans
-			file.
-
-policy/constraints	This file defines additional constraints on permissions
-			in the form of boolean expressions that must be
-			satisfied in order for specified permissions to be
-			granted.  These constraints are used to further refine
-			the type enforcement rules and the role allow rules.
-			Typically, these constraints are used to restrict
-			changes in user identity or role to certain domains.
-
-policy/global_booleans	This file defines all booleans that have a global scope,
-			their default value, and documentation.
-
-policy/global_tunables	This file defines all tunables that have a global scope,
-			their default value, and documentation.
-
-policy/flask/initial_sids  This file has declarations for each initial SID.
-
-policy/flask/security_classes  This file has declarations for each security class.
-
-policy/flask/access_vectors  This file defines the access vectors.  Common
-			prefixes for access vectors may be defined at the
-			beginning of the file.  After the common prefixes are
-			defined, an access vector may be defined for each
-			security class.
-
-policy/mcs		The multi-category security (MCS) configuration.
-
-policy/mls		The multi-level security (MLS) configuration.
-
-policy/modules/*	Each directory represents a layer in Reference Policy
-			all of the modules are contained in one of these layers.
-
-policy/modules.conf	This file contains a listing of available modules, and
-			how they will be used when building Reference Policy. To
-			prevent a module from  being used, set the module to
-			"off".  For monolithic policies, modules set to "base"
-			and "module" will be included in the policy.  For
-			modular policies, modules set to "base"	will be included
-			in the base module; those set to "module" will be
-			compiled as individual loadable	modules.
-
-policy/rolemap		This file contains prefix and user domain type that
-			corresponds to each user role.  The contents of this
-			file will be used to expand the per-user domain
-			templates for each module.
-
-policy/support/*	Support macros.
-
-policy/users		This file defines the users included in the policy.
-
-support/*		Tools used in the build process.
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
deleted file mode 100644
index 9962498..0000000
--- a/refpolicy/Rules.modular
+++ /dev/null
@@ -1,231 +0,0 @@
-########################################
-#
-# Rules and Targets for building modular policies
-#
-
-ALL_MODULES := $(BASE_MODS) $(MOD_MODS) $(OFF_MODS)
-ALL_INTERFACES := $(ALL_MODULES:.te=.if)
-
-BASE_PKG := $(BUILDDIR)base.pp
-BASE_FC := $(BUILDDIR)base.fc
-BASE_CONF := $(BUILDDIR)base.conf
-BASE_MOD := $(TMPDIR)/base.mod
-
-USERS_EXTRA := $(TMPDIR)/users_extra
-
-BASE_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/all_attrs_types.conf $(TMPDIR)/global_bools.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf
-
-BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
-BASE_TE_FILES := $(BASE_MODS)
-BASE_POST_TE_FILES := $(USER_FILES) $(POLDIR)/constraints
-BASE_FC_FILES := $(BASE_MODS:.te=.fc)
-
-MOD_MODULES := $(MOD_MODS:.te=.mod)
-MOD_PKGS := $(addprefix $(BUILDDIR),$(notdir $(MOD_MODS:.te=.pp)))
-
-# policy packages to install
-INSTPKG := $(addprefix $(MODPKGDIR)/,$(notdir $(BASE_PKG)) $(MOD_PKGS))
-
-# search layer dirs for source files
-vpath %.te $(ALL_LAYERS)
-vpath %.if $(ALL_LAYERS)
-vpath %.fc $(ALL_LAYERS)
-
-# broken in make 3.81:
-#.SECONDARY:
-
-########################################
-#
-# default action: create all module packages
-#
-default: policy
-
-all policy: base modules
-
-base: $(BASE_PKG)
-
-modules: $(MOD_PKGS)
-
-install: $(INSTPKG) $(APPFILES)
-
-########################################
-#
-# Load all configured modules
-#
-load: $(INSTPKG) $(APPFILES)
-	@echo "Loading configured modules."
-	$(verbose) $(SEMODULE) -s $(NAME) -b $(MODPKGDIR)/$(notdir $(BASE_PKG)) $(foreach mod,$(MOD_PKGS),-i $(MODPKGDIR)/$(mod))
-
-########################################
-#
-# Install policy packages
-#
-$(MODPKGDIR)/%.pp: $(BUILDDIR)%.pp
-	@mkdir -p $(MODPKGDIR)
-	@echo "Installing $(NAME) $(@F) policy package."
-	$(verbose) install -m 0644 $^ $(MODPKGDIR)
-
-########################################
-#
-# Build module packages
-#
-$(TMPDIR)/%.mod: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf %.te
-	@echo "Compliling $(NAME) $(@F) module"
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(call peruser-expansion,$(basename $(@F)),$@.role)
-	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
-$(TMPDIR)/%.mod.fc: $(M4SUPPORT) %.fc
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) $(M4) $(M4PARAM) $(M4SUPPORT) $^ > $@
-
-$(BUILDDIR)%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
-	@echo "Creating $(NAME) $(@F) policy package"
-	@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
-	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
-
-########################################
-#
-# Create a base module package
-#
-$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA) $(SEUSERS)
-	@echo "Creating $(NAME) base module package"
-	@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
-	$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA) -s $(SEUSERS)
-
-$(BASE_MOD): $(BASE_CONF)
-	@echo "Compiling $(NAME) base module"
-	$(verbose) $(CHECKMODULE) $^ -o $@
-
-$(USERS_EXTRA): $(M4SUPPORT) $(USER_FILES)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
-		$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
-
-########################################
-#
-# Construct a base.conf
-#
-$(BASE_CONF): $(BASE_SECTIONS)
-	@echo "Creating $(NAME) base module $(@F)"
-	@test -d $(@D) || mkdir -p $(@D)
-	$(verbose) cat $^ > $@
-
-$(TMPDIR)/pre_te_files.conf: M4PARAM += -D self_contained_policy
-$(TMPDIR)/pre_te_files.conf: $(BASE_PRE_TE_FILES)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) $(M4) $(M4PARAM) $^ > $@
-
-$(TMPDIR)/generated_definitions.conf: $(BASE_TE_FILES)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-# define all available object classes
-	$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $@
-# per-userdomain templates
-	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
-	$(verbose) for i in $(patsubst %.te,%,$(BASE_MODS)); do \
-		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
-			>> $@ ;\
-	done
-	$(verbose) echo "')" >> $@
-	$(verbose) test -f $(BOOLEANS) && $(SETBOOLS) $(BOOLEANS) >> $@ || true
-
-$(TMPDIR)/global_bools.conf: M4PARAM += -D self_contained_policy
-$(TMPDIR)/global_bools.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(GLOBALBOOL) $(GLOBALTUN)
-	$(verbose) $(M4) $(M4PARAM) $^ > $@
-
-$(TMPDIR)/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	@echo "ifdef(\`__if_error',\`m4exit(1)')" > $(TMPDIR)/iferror.m4
-	@echo "divert(-1)" > $@
-	$(verbose) $(M4) $^ $(TMPDIR)/iferror.m4 >> $(TMPDIR)/$(@F).tmp
-	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(TMPDIR)/$(@F).tmp >> $@
-	@echo "divert" >> $@
-
-$(TMPDIR)/rolemap.conf: M4PARAM += -D self_contained_policy
-$(TMPDIR)/rolemap.conf: $(ROLEMAP)
-	$(call parse-rolemap,base,$@)
-
-$(TMPDIR)/all_te_files.conf: M4PARAM += -D self_contained_policy
-$(TMPDIR)/all_te_files.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(BASE_TE_FILES) $(TMPDIR)/rolemap.conf
-ifeq "$(strip $(BASE_TE_FILES))" ""
-	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
-endif
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) $(M4) $(M4PARAM) -s $^ > $@
-
-$(TMPDIR)/post_te_files.conf: M4PARAM += -D self_contained_policy
-$(TMPDIR)/post_te_files.conf: $(M4SUPPORT) $(BASE_POST_TE_FILES)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) $(M4) $(M4PARAM) $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last.
-$(TMPDIR)/all_attrs_types.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf: $(TMPDIR)/all_te_files.conf $(TMPDIR)/post_te_files.conf
-	$(verbose) $(get_type_attr_decl) $(TMPDIR)/all_te_files.conf | $(SORT) > $(TMPDIR)/all_attrs_types.conf
-	$(verbose) cat $(TMPDIR)/post_te_files.conf > $(TMPDIR)/all_post.conf
-# these have to run individually because order matters:
-	$(verbose) $(GREP) '^sid ' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(GREP) ^genfscon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(GREP) ^portcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(GREP) ^netifcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(GREP) ^nodecon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(comment_move_decl) $(TMPDIR)/all_te_files.conf > $(TMPDIR)/only_te_rules.conf
-
-########################################
-#
-# Construct a base.fc
-#
-$(BASE_FC): $(TMPDIR)/$(notdir $(BASE_FC)).tmp $(FCSORT)
-	$(verbose) $(FCSORT) $< $@
-
-$(TMPDIR)/$(notdir $(BASE_FC)).tmp: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(BASE_FC_FILES)
-ifeq ($(BASE_FC_FILES),)
-	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
-endif
-	@echo "Creating $(NAME) base module file contexts."
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) $(M4) $(M4PARAM) $^ > $@
-
-########################################
-#
-# Remove the dontaudit rules from the base.conf
-#
-enableaudit: $(BASE_CONF)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	@echo "Removing dontaudit rules from $(^F)"
-	$(verbose) $(GREP) -v dontaudit $(BASE_CONF) > $(TMPDIR)/base.audit
-	$(verbose) mv $(TMPDIR)/base.audit $(BASE_CONF)
-
-########################################
-#
-# Appconfig files
-#
-$(APPDIR)/customizable_types: $(BASE_CONF)
-	@mkdir -p $(APPDIR)
-	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
-	$(verbose) install -m 644 $(TMPDIR)/customizable_types $@ 
-
-########################################
-#
-# Validate linking and expanding of modules
-#
-validate: $(BASE_PKG) $(MOD_PKGS)
-	@echo "Validating policy linking."
-	$(verbose) $(SEMOD_LNK) -o $(TMPDIR)/test.lnk $^
-	$(verbose) $(SEMOD_EXP) $(TMPDIR)/test.lnk $(TMPDIR)/policy.bin
-	@echo "Success."
-
-########################################
-#
-# Clean the sources
-#
-clean:
-	rm -f $(BASE_CONF)
-	rm -f $(BASE_FC)
-	rm -f $(BUILDDIR)*.pp
-	rm -f $(net_contexts)
-	rm -fR $(TMPDIR)
-
-.PHONY: default all policy base modules install load clean validate
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
deleted file mode 100644
index b066653..0000000
--- a/refpolicy/Rules.monolithic
+++ /dev/null
@@ -1,236 +0,0 @@
-########################################
-#
-# Rules and Targets for building monolithic policies
-#
-
-POLICY_CONF = $(BUILDDIR)policy.conf
-FC = $(BUILDDIR)file_contexts
-POLVER = $(BUILDDIR)policy.$(PV)
-HOMEDIR_TEMPLATE = $(BUILDDIR)homedir_template
-
-M4PARAM += -D self_contained_policy
-
-# install paths
-POLICYPATH = $(INSTALLDIR)/policy
-LOADPATH = $(POLICYPATH)/$(notdir $(POLVER))
-HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
-
-APPFILES += $(INSTALLDIR)/booleans
-
-# for monolithic policy use all base and module to create policy
-ALL_MODULES := $(strip $(BASE_MODS) $(MOD_MODS))
-# off module interfaces included to make sure all interfaces are expanded.
-ALL_INTERFACES := $(ALL_MODULES:.te=.if) $(OFF_MODS:.te=.if)
-ALL_TE_FILES := $(ALL_MODULES)
-ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
-
-PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
-POST_TE_FILES := $(USER_FILES) $(POLDIR)/constraints
-
-POLICY_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/all_attrs_types.conf $(TMPDIR)/global_bools.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf
-
-# search layer dirs for source files
-vpath %.te $(ALL_LAYERS)
-vpath %.if $(ALL_LAYERS)
-vpath %.fc $(ALL_LAYERS)
-
-########################################
-#
-# default action: build policy locally
-#
-default: policy
-
-policy: $(POLVER)
-
-install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
-
-load: $(TMPDIR)/load
-
-checklabels: $(FCPATH)
-restorelabels: $(FCPATH)
-relabel:  $(FCPATH)
-resetlabels:  $(FCPATH)
-
-########################################
-#
-# Build a binary policy locally
-#
-$(POLVER): $(POLICY_CONF)
-	@echo "Compiling $(NAME) $(POLVER)"
-ifneq ($(PV),$(KV))
-	@echo
-	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
-	@echo
-endif
-	$(verbose) $(CHECKPOLICY) $^ -o $@
-
-########################################
-#
-# Install a binary policy
-#
-$(LOADPATH): $(POLICY_CONF)
-	@mkdir -p $(POLICYPATH)
-	@echo "Compiling and installing $(NAME) $(LOADPATH)"
-ifneq ($(PV),$(KV))
-	@echo
-	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
-	@echo
-endif
-	$(verbose) $(CHECKPOLICY) $^ -o $@
-
-########################################
-#
-# Load the binary policy
-#
-reload $(TMPDIR)/load: $(LOADPATH) $(FCPATH) $(APPFILES)
-	@echo "Loading $(NAME) $(LOADPATH)"
-	$(verbose) $(LOADPOLICY) -q $(LOADPATH)
-	@touch $(TMPDIR)/load
-
-########################################
-#
-# Construct a monolithic policy.conf
-#
-$(POLICY_CONF): $(POLICY_SECTIONS)
-	@echo "Creating $(NAME) $(@F)"
-	@test -d $(@D) || mkdir -p $(@D)
-	$(verbose) cat $^ > $@
-
-$(TMPDIR)/pre_te_files.conf: $(PRE_TE_FILES)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) $(M4) $(M4PARAM) $^ > $@
-
-$(TMPDIR)/generated_definitions.conf: $(ALL_TE_FILES)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-# define all available object classes
-	$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $@
-# per-userdomain templates:
-	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
-	$(verbose) $(foreach mod,$(basename $(notdir $(ALL_MODULES))), \
-		echo "ifdef(\`""$(mod)""_per_userdomain_template',\`""$(mod)""_per_userdomain_template("'$$*'")')" >> $@ ;)
-	$(verbose) echo "')" >> $@
-	$(verbose) test -f $(BOOLEANS) && $(SETBOOLS) $(BOOLEANS) >> $@ || true
-
-$(TMPDIR)/global_bools.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(GLOBALBOOL) $(GLOBALTUN)
-	$(verbose) $(M4) $(M4PARAM) $^ > $@
-
-$(TMPDIR)/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	@echo "ifdef(\`__if_error',\`m4exit(1)')" > $(TMPDIR)/iferror.m4
-	@echo "divert(-1)" > $@
-	$(verbose) $(M4) $^ $(TMPDIR)/iferror.m4 >> $(TMPDIR)/$(@F).tmp
-	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(TMPDIR)/$(@F).tmp >> $@
-	@echo "divert" >> $@
-
-$(TMPDIR)/rolemap.conf: $(ROLEMAP)
-	$(call parse-rolemap,base,$@)
-
-$(TMPDIR)/all_te_files.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(ALL_TE_FILES) $(TMPDIR)/rolemap.conf
-ifeq "$(strip $(ALL_TE_FILES))" ""
-	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
-endif
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) $(M4) $(M4PARAM) -s $^ > $@
-
-$(TMPDIR)/post_te_files.conf: $(M4SUPPORT) $(POST_TE_FILES)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) $(M4) $(M4PARAM) $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last.
-$(TMPDIR)/all_attrs_types.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf: $(TMPDIR)/all_te_files.conf $(TMPDIR)/post_te_files.conf
-	$(verbose) $(get_type_attr_decl) $(TMPDIR)/all_te_files.conf | $(SORT) > $(TMPDIR)/all_attrs_types.conf
-	$(verbose) cat $(TMPDIR)/post_te_files.conf > $(TMPDIR)/all_post.conf
-# these have to run individually because order matters:
-	$(verbose) $(GREP) '^sid ' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(GREP) ^genfscon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(GREP) ^portcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(GREP) ^netifcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(GREP) ^nodecon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
-	$(verbose) $(comment_move_decl) $(TMPDIR)/all_te_files.conf > $(TMPDIR)/only_te_rules.conf
-
-########################################
-#
-# Remove the dontaudit rules from the policy.conf
-#
-enableaudit: $(POLICY_CONF)
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	@echo "Removing dontaudit rules from $(notdir $(POLICY_CONF))"
-	$(verbose) $(GREP) -v dontaudit $^ > $(TMPDIR)/policy.audit
-	$(verbose) mv $(TMPDIR)/policy.audit $(POLICY_CONF)
-
-########################################
-#
-# Construct file_contexts
-#
-$(FC): $(TMPDIR)/$(notdir $(FC)).tmp $(FCSORT)
-	$(verbose) $(FCSORT) $< $@
-	$(verbose) $(GREP) -e HOME -e ROLE $@ > $(HOMEDIR_TEMPLATE)
-	$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d $@
-
-$(TMPDIR)/$(notdir $(FC)).tmp: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(ALL_FC_FILES)
-ifeq ($(ALL_FC_FILES),)
-	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
-endif
-	@echo "Creating $(NAME) file_contexts."
-	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
-	$(verbose) $(M4) $(M4PARAM) $^ > $@
-
-$(HOMEDIR_TEMPLATE): $(FC)
-
-########################################
-#
-# Install file_contexts
-#
-$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
-	@echo "Validating $(NAME) file_contexts."
-	$(verbose) $(SETFILES) -q -c $(LOADPATH) $(FC)
-	@echo "Installing file_contexts."
-	@mkdir -p $(CONTEXTPATH)/files
-	$(verbose) install -m 644 $(FC) $(FCPATH)
-	$(verbose) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
-	$(verbose) $(genhomedircon) -d $(TOPDIR) -t $(NAME) $(USEPWD)
-ifeq "$(DISTRO)" "rhel4"
-# Setfiles in RHEL4 does not look at file_contexts.homedirs.
-	$(verbose) cat $@.homedirs >> $@
-# Delete the file_contexts.homedirs in case the toolchain has
-# been updated, to prevent duplicate match errors.
-	$(verbose) rm -f $@.homedirs
-endif
-
-########################################
-#
-# Run policy source checks
-#
-check: $(BUILDDIR)check.res
-$(BUILDDIR)check.res: $(POLICY_CONF) $(FC)
-	$(SECHECK) -s --profile=development --policy=$(POLICY_CONF) --fcfile=$(FC) > $@
-
-longcheck: $(BUILDDIR)longcheck.res
-$(BUILDDIR)longcheck.res: $(POLICY_CONF) $(FC)
-	$(SECHECK) -s --profile=all --policy=$(POLICY_CONF) --fcfile=$(FC) > $@
-
-########################################
-#
-# Appconfig files
-#
-$(APPDIR)/customizable_types: $(POLICY_CONF)
-	@mkdir -p $(APPDIR)
-	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
-	$(verbose) install -m 644 $(TMPDIR)/customizable_types $@ 
-
-########################################
-#
-# Clean the sources
-#
-clean:
-	rm -f $(POLICY_CONF)
-	rm -f $(POLVER)
-	rm -f $(FC)
-	rm -f $(HOMEDIR_TEMPLATE)
-	rm -f $(net_contexts)
-	rm -f *.res
-	rm -fR $(TMPDIR)
-
-.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
diff --git a/refpolicy/VERSION b/refpolicy/VERSION
deleted file mode 100644
index 5caa3c8..0000000
--- a/refpolicy/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-20060307
diff --git a/refpolicy/build.conf b/refpolicy/build.conf
deleted file mode 100644
index 7bfd7e7..0000000
--- a/refpolicy/build.conf
+++ /dev/null
@@ -1,51 +0,0 @@
-########################################
-#
-# Policy build options
-#
-
-# Policy version
-# By default, checkpolicy will create the highest
-# version policy it supports.  Setting this will
-# override the version.  This only has an
-# effect for monolithic policies.
-#OUTPUT_POLICY = 18
-
-# Policy Type
-# strict, targeted,
-# strict-mls, targeted-mls,
-# strict-mcs, targeted-mcs
-TYPE = strict
-
-# Policy Name
-# If set, this will be used as the policy
-# name.  Otherwise the policy type will be
-# used for the name.
-NAME = refpolicy
-
-# Distribution
-# Some distributions have portions of policy
-# for programs or configurations specific to the
-# distribution.  Setting this will enable options
-# for the distribution.
-# redhat, gentoo, debian, suse, and rhel4 are current options.
-# Fedora users should enable redhat.
-#DISTRO = redhat
-
-# Direct admin init
-# Setting this will allow sysadm to directly
-# run init scripts, instead of requring run_init.
-# This is a build option, as role transitions do
-# not work in conditional policy.
-DIRECT_INITRC=n
-
-# Build monolithic policy.  Putting n here
-# will build a loadable module policy.
-MONOLITHIC=y
-
-# Polyinstantiation
-# Enable polyinstantiated directory support.
-POLY=n
-
-# Set this to y to only display status messages
-# during build.
-QUIET=n
diff --git a/refpolicy/config/appconfig-strict-mcs/dbus_contexts b/refpolicy/config/appconfig-strict-mcs/dbus_contexts
deleted file mode 100644
index 116e684..0000000
--- a/refpolicy/config/appconfig-strict-mcs/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/refpolicy/config/appconfig-strict-mcs/default_contexts b/refpolicy/config/appconfig-strict-mcs/default_contexts
deleted file mode 100644
index 7bf43ff..0000000
--- a/refpolicy/config/appconfig-strict-mcs/default_contexts
+++ /dev/null
@@ -1,12 +0,0 @@
-system_r:sulogin_t:s0	sysadm_r:sysadm_t:s0
-system_r:local_login_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
-system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0
-system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0	user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
-system_r:xdm_t:s0		staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-staff_r:staff_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-sysadm_r:sysadm_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-user_r:user_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-user_r:user_sudo_t:s0	sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/refpolicy/config/appconfig-strict-mcs/default_type b/refpolicy/config/appconfig-strict-mcs/default_type
deleted file mode 100644
index 5212ca4..0000000
--- a/refpolicy/config/appconfig-strict-mcs/default_type
+++ /dev/null
@@ -1,3 +0,0 @@
-sysadm_r:sysadm_t
-staff_r:staff_t
-user_r:user_t
diff --git a/refpolicy/config/appconfig-strict-mcs/failsafe_context b/refpolicy/config/appconfig-strict-mcs/failsafe_context
deleted file mode 100644
index 999abd9..0000000
--- a/refpolicy/config/appconfig-strict-mcs/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-sysadm_r:sysadm_t:s0
diff --git a/refpolicy/config/appconfig-strict-mcs/initrc_context b/refpolicy/config/appconfig-strict-mcs/initrc_context
deleted file mode 100644
index 30ab971..0000000
--- a/refpolicy/config/appconfig-strict-mcs/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:initrc_t:s0
diff --git a/refpolicy/config/appconfig-strict-mcs/media b/refpolicy/config/appconfig-strict-mcs/media
deleted file mode 100644
index 81f3463..0000000
--- a/refpolicy/config/appconfig-strict-mcs/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t:s0
-floppy system_u:object_r:removable_device_t:s0
-disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/refpolicy/config/appconfig-strict-mcs/removable_context b/refpolicy/config/appconfig-strict-mcs/removable_context
deleted file mode 100644
index 7fcc56e..0000000
--- a/refpolicy/config/appconfig-strict-mcs/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t:s0
diff --git a/refpolicy/config/appconfig-strict-mcs/root_default_contexts b/refpolicy/config/appconfig-strict-mcs/root_default_contexts
deleted file mode 100644
index e9d95e8..0000000
--- a/refpolicy/config/appconfig-strict-mcs/root_default_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:local_login_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-system_r:crond_t:s0	sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-staff_r:staff_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-#
-# Uncomment if you want to automatically login as sysadm_r
-#
-#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/refpolicy/config/appconfig-strict-mcs/seusers b/refpolicy/config/appconfig-strict-mcs/seusers
deleted file mode 100644
index c400c79..0000000
--- a/refpolicy/config/appconfig-strict-mcs/seusers
+++ /dev/null
@@ -1,2 +0,0 @@
-root:root:s0-s0:c0.c255
-__default__:user_u:s0
diff --git a/refpolicy/config/appconfig-strict-mcs/userhelper_context b/refpolicy/config/appconfig-strict-mcs/userhelper_context
deleted file mode 100644
index dc37a69..0000000
--- a/refpolicy/config/appconfig-strict-mcs/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:sysadm_r:sysadm_t:s0
diff --git a/refpolicy/config/appconfig-strict-mls/dbus_contexts b/refpolicy/config/appconfig-strict-mls/dbus_contexts
deleted file mode 100644
index 116e684..0000000
--- a/refpolicy/config/appconfig-strict-mls/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/refpolicy/config/appconfig-strict-mls/default_contexts b/refpolicy/config/appconfig-strict-mls/default_contexts
deleted file mode 100644
index 7bf43ff..0000000
--- a/refpolicy/config/appconfig-strict-mls/default_contexts
+++ /dev/null
@@ -1,12 +0,0 @@
-system_r:sulogin_t:s0	sysadm_r:sysadm_t:s0
-system_r:local_login_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
-system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0
-system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0	user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
-system_r:xdm_t:s0		staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-staff_r:staff_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-sysadm_r:sysadm_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-user_r:user_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-user_r:user_sudo_t:s0	sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/refpolicy/config/appconfig-strict-mls/default_type b/refpolicy/config/appconfig-strict-mls/default_type
deleted file mode 100644
index c3315fe..0000000
--- a/refpolicy/config/appconfig-strict-mls/default_type
+++ /dev/null
@@ -1,5 +0,0 @@
-sysadm_r:sysadm_t
-secadm_r:secadm_t
-staff_r:staff_t
-user_r:user_t
-auditadm_r:auditadm_t
diff --git a/refpolicy/config/appconfig-strict-mls/failsafe_context b/refpolicy/config/appconfig-strict-mls/failsafe_context
deleted file mode 100644
index 999abd9..0000000
--- a/refpolicy/config/appconfig-strict-mls/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-sysadm_r:sysadm_t:s0
diff --git a/refpolicy/config/appconfig-strict-mls/initrc_context b/refpolicy/config/appconfig-strict-mls/initrc_context
deleted file mode 100644
index 5435ea4..0000000
--- a/refpolicy/config/appconfig-strict-mls/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:initrc_t:s0-s15:c0.c255
diff --git a/refpolicy/config/appconfig-strict-mls/media b/refpolicy/config/appconfig-strict-mls/media
deleted file mode 100644
index 81f3463..0000000
--- a/refpolicy/config/appconfig-strict-mls/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t:s0
-floppy system_u:object_r:removable_device_t:s0
-disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/refpolicy/config/appconfig-strict-mls/removable_context b/refpolicy/config/appconfig-strict-mls/removable_context
deleted file mode 100644
index 7fcc56e..0000000
--- a/refpolicy/config/appconfig-strict-mls/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t:s0
diff --git a/refpolicy/config/appconfig-strict-mls/root_default_contexts b/refpolicy/config/appconfig-strict-mls/root_default_contexts
deleted file mode 100644
index e9d95e8..0000000
--- a/refpolicy/config/appconfig-strict-mls/root_default_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:local_login_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-system_r:crond_t:s0	sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-staff_r:staff_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-#
-# Uncomment if you want to automatically login as sysadm_r
-#
-#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/refpolicy/config/appconfig-strict-mls/seusers b/refpolicy/config/appconfig-strict-mls/seusers
deleted file mode 100644
index 9a0516d..0000000
--- a/refpolicy/config/appconfig-strict-mls/seusers
+++ /dev/null
@@ -1,2 +0,0 @@
-root:root:s0-s15:c0.c255
-__default__:user_u:s0
diff --git a/refpolicy/config/appconfig-strict-mls/userhelper_context b/refpolicy/config/appconfig-strict-mls/userhelper_context
deleted file mode 100644
index dc37a69..0000000
--- a/refpolicy/config/appconfig-strict-mls/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:sysadm_r:sysadm_t:s0
diff --git a/refpolicy/config/appconfig-strict/dbus_contexts b/refpolicy/config/appconfig-strict/dbus_contexts
deleted file mode 100644
index 116e684..0000000
--- a/refpolicy/config/appconfig-strict/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/refpolicy/config/appconfig-strict/default_contexts b/refpolicy/config/appconfig-strict/default_contexts
deleted file mode 100644
index 3ea48aa..0000000
--- a/refpolicy/config/appconfig-strict/default_contexts
+++ /dev/null
@@ -1,12 +0,0 @@
-system_r:sulogin_t	sysadm_r:sysadm_t
-system_r:local_login_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-system_r:remote_login_t	user_r:user_t staff_r:staff_t
-system_r:sshd_t		user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t		user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
-system_r:xdm_t		staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-staff_r:staff_su_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-sysadm_r:sysadm_su_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-user_r:user_su_t		staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-sysadm_r:sysadm_sudo_t	sysadm_r:sysadm_t
-staff_r:staff_sudo_t	sysadm_r:sysadm_t staff_r:staff_t
-user_r:user_sudo_t	sysadm_r:sysadm_t user_r:user_t
diff --git a/refpolicy/config/appconfig-strict/default_type b/refpolicy/config/appconfig-strict/default_type
deleted file mode 100644
index 5212ca4..0000000
--- a/refpolicy/config/appconfig-strict/default_type
+++ /dev/null
@@ -1,3 +0,0 @@
-sysadm_r:sysadm_t
-staff_r:staff_t
-user_r:user_t
diff --git a/refpolicy/config/appconfig-strict/failsafe_context b/refpolicy/config/appconfig-strict/failsafe_context
deleted file mode 100644
index 2f96c9f..0000000
--- a/refpolicy/config/appconfig-strict/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-sysadm_r:sysadm_t
diff --git a/refpolicy/config/appconfig-strict/initrc_context b/refpolicy/config/appconfig-strict/initrc_context
deleted file mode 100644
index 7fcf70b..0000000
--- a/refpolicy/config/appconfig-strict/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:initrc_t
diff --git a/refpolicy/config/appconfig-strict/media b/refpolicy/config/appconfig-strict/media
deleted file mode 100644
index de2a652..0000000
--- a/refpolicy/config/appconfig-strict/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t
-floppy system_u:object_r:removable_device_t
-disk system_u:object_r:fixed_disk_device_t
diff --git a/refpolicy/config/appconfig-strict/removable_context b/refpolicy/config/appconfig-strict/removable_context
deleted file mode 100644
index d4921f0..0000000
--- a/refpolicy/config/appconfig-strict/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t
diff --git a/refpolicy/config/appconfig-strict/root_default_contexts b/refpolicy/config/appconfig-strict/root_default_contexts
deleted file mode 100644
index acdcc08..0000000
--- a/refpolicy/config/appconfig-strict/root_default_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:local_login_t  sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-system_r:crond_t	sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
-staff_r:staff_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-sysadm_r:sysadm_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-user_r:user_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-#
-# Uncomment if you want to automatically login as sysadm_r
-#
-#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/refpolicy/config/appconfig-strict/seusers b/refpolicy/config/appconfig-strict/seusers
deleted file mode 100644
index f7c5bd2..0000000
--- a/refpolicy/config/appconfig-strict/seusers
+++ /dev/null
@@ -1,2 +0,0 @@
-root:root
-__default__:user_u
diff --git a/refpolicy/config/appconfig-strict/userhelper_context b/refpolicy/config/appconfig-strict/userhelper_context
deleted file mode 100644
index 081e93b..0000000
--- a/refpolicy/config/appconfig-strict/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:sysadm_r:sysadm_t
diff --git a/refpolicy/config/appconfig-targeted-mcs/dbus_contexts b/refpolicy/config/appconfig-targeted-mcs/dbus_contexts
deleted file mode 100644
index 116e684..0000000
--- a/refpolicy/config/appconfig-targeted-mcs/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/refpolicy/config/appconfig-targeted-mcs/default_contexts b/refpolicy/config/appconfig-targeted-mcs/default_contexts
deleted file mode 100644
index b3dddce..0000000
--- a/refpolicy/config/appconfig-targeted-mcs/default_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:crond_t:s0		system_r:unconfined_t:s0
-system_r:initrc_t:s0		system_r:unconfined_t:s0
-system_r:local_login_t:s0	system_r:unconfined_t:s0
-system_r:remote_login_t:s0	system_r:unconfined_t:s0
-system_r:rshd_t:s0		system_r:unconfined_t:s0
-system_r:sshd_t:s0		system_r:unconfined_t:s0
-system_r:sysadm_su_t:s0		system_r:unconfined_t:s0
-system_r:unconfined_t:s0	system_r:unconfined_t:s0
-system_r:xdm_t:s0		system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mcs/default_type b/refpolicy/config/appconfig-targeted-mcs/default_type
deleted file mode 100644
index 7ba74a9..0000000
--- a/refpolicy/config/appconfig-targeted-mcs/default_type
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t
diff --git a/refpolicy/config/appconfig-targeted-mcs/failsafe_context b/refpolicy/config/appconfig-targeted-mcs/failsafe_context
deleted file mode 100644
index 30fd6c0..0000000
--- a/refpolicy/config/appconfig-targeted-mcs/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mcs/initrc_context b/refpolicy/config/appconfig-targeted-mcs/initrc_context
deleted file mode 100644
index f185cd4..0000000
--- a/refpolicy/config/appconfig-targeted-mcs/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-user_u:system_r:initrc_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mcs/media b/refpolicy/config/appconfig-targeted-mcs/media
deleted file mode 100644
index 81f3463..0000000
--- a/refpolicy/config/appconfig-targeted-mcs/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t:s0
-floppy system_u:object_r:removable_device_t:s0
-disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mcs/removable_context b/refpolicy/config/appconfig-targeted-mcs/removable_context
deleted file mode 100644
index 7fcc56e..0000000
--- a/refpolicy/config/appconfig-targeted-mcs/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mcs/root_default_contexts b/refpolicy/config/appconfig-targeted-mcs/root_default_contexts
deleted file mode 100644
index 7326fba..0000000
--- a/refpolicy/config/appconfig-targeted-mcs/root_default_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-system_r:unconfined_t:s0	system_r:unconfined_t:s0
-system_r:initrc_t:s0	system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mcs/seusers b/refpolicy/config/appconfig-targeted-mcs/seusers
deleted file mode 100644
index c400c79..0000000
--- a/refpolicy/config/appconfig-targeted-mcs/seusers
+++ /dev/null
@@ -1,2 +0,0 @@
-root:root:s0-s0:c0.c255
-__default__:user_u:s0
diff --git a/refpolicy/config/appconfig-targeted-mcs/userhelper_context b/refpolicy/config/appconfig-targeted-mcs/userhelper_context
deleted file mode 100644
index 01f02a3..0000000
--- a/refpolicy/config/appconfig-targeted-mcs/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:unconfined_t:s0	
diff --git a/refpolicy/config/appconfig-targeted-mls/dbus_contexts b/refpolicy/config/appconfig-targeted-mls/dbus_contexts
deleted file mode 100644
index 116e684..0000000
--- a/refpolicy/config/appconfig-targeted-mls/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/refpolicy/config/appconfig-targeted-mls/default_contexts b/refpolicy/config/appconfig-targeted-mls/default_contexts
deleted file mode 100644
index b3dddce..0000000
--- a/refpolicy/config/appconfig-targeted-mls/default_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:crond_t:s0		system_r:unconfined_t:s0
-system_r:initrc_t:s0		system_r:unconfined_t:s0
-system_r:local_login_t:s0	system_r:unconfined_t:s0
-system_r:remote_login_t:s0	system_r:unconfined_t:s0
-system_r:rshd_t:s0		system_r:unconfined_t:s0
-system_r:sshd_t:s0		system_r:unconfined_t:s0
-system_r:sysadm_su_t:s0		system_r:unconfined_t:s0
-system_r:unconfined_t:s0	system_r:unconfined_t:s0
-system_r:xdm_t:s0		system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mls/default_type b/refpolicy/config/appconfig-targeted-mls/default_type
deleted file mode 100644
index 7ba74a9..0000000
--- a/refpolicy/config/appconfig-targeted-mls/default_type
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t
diff --git a/refpolicy/config/appconfig-targeted-mls/failsafe_context b/refpolicy/config/appconfig-targeted-mls/failsafe_context
deleted file mode 100644
index 30fd6c0..0000000
--- a/refpolicy/config/appconfig-targeted-mls/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mls/initrc_context b/refpolicy/config/appconfig-targeted-mls/initrc_context
deleted file mode 100644
index 63a0923..0000000
--- a/refpolicy/config/appconfig-targeted-mls/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-user_u:system_r:initrc_t:s0-s15:c0.c255
diff --git a/refpolicy/config/appconfig-targeted-mls/media b/refpolicy/config/appconfig-targeted-mls/media
deleted file mode 100644
index 81f3463..0000000
--- a/refpolicy/config/appconfig-targeted-mls/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t:s0
-floppy system_u:object_r:removable_device_t:s0
-disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mls/removable_context b/refpolicy/config/appconfig-targeted-mls/removable_context
deleted file mode 100644
index 7fcc56e..0000000
--- a/refpolicy/config/appconfig-targeted-mls/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mls/root_default_contexts b/refpolicy/config/appconfig-targeted-mls/root_default_contexts
deleted file mode 100644
index 7326fba..0000000
--- a/refpolicy/config/appconfig-targeted-mls/root_default_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-system_r:unconfined_t:s0	system_r:unconfined_t:s0
-system_r:initrc_t:s0	system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mls/seusers b/refpolicy/config/appconfig-targeted-mls/seusers
deleted file mode 100644
index 9a0516d..0000000
--- a/refpolicy/config/appconfig-targeted-mls/seusers
+++ /dev/null
@@ -1,2 +0,0 @@
-root:root:s0-s15:c0.c255
-__default__:user_u:s0
diff --git a/refpolicy/config/appconfig-targeted-mls/userhelper_context b/refpolicy/config/appconfig-targeted-mls/userhelper_context
deleted file mode 100644
index 01f02a3..0000000
--- a/refpolicy/config/appconfig-targeted-mls/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:unconfined_t:s0	
diff --git a/refpolicy/config/appconfig-targeted/dbus_contexts b/refpolicy/config/appconfig-targeted/dbus_contexts
deleted file mode 100644
index 116e684..0000000
--- a/refpolicy/config/appconfig-targeted/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/refpolicy/config/appconfig-targeted/default_contexts b/refpolicy/config/appconfig-targeted/default_contexts
deleted file mode 100644
index d91373a..0000000
--- a/refpolicy/config/appconfig-targeted/default_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:crond_t		system_r:unconfined_t
-system_r:initrc_t		system_r:unconfined_t
-system_r:local_login_t		system_r:unconfined_t
-system_r:remote_login_t		system_r:unconfined_t
-system_r:rshd_t			system_r:unconfined_t
-system_r:sshd_t			system_r:unconfined_t
-system_r:sysadm_su_t		system_r:unconfined_t
-system_r:unconfined_t		system_r:unconfined_t
-system_r:xdm_t			system_r:unconfined_t
diff --git a/refpolicy/config/appconfig-targeted/default_type b/refpolicy/config/appconfig-targeted/default_type
deleted file mode 100644
index 7ba74a9..0000000
--- a/refpolicy/config/appconfig-targeted/default_type
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t
diff --git a/refpolicy/config/appconfig-targeted/failsafe_context b/refpolicy/config/appconfig-targeted/failsafe_context
deleted file mode 100644
index 7ba74a9..0000000
--- a/refpolicy/config/appconfig-targeted/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t
diff --git a/refpolicy/config/appconfig-targeted/initrc_context b/refpolicy/config/appconfig-targeted/initrc_context
deleted file mode 100644
index 505f810..0000000
--- a/refpolicy/config/appconfig-targeted/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-user_u:system_r:initrc_t
diff --git a/refpolicy/config/appconfig-targeted/media b/refpolicy/config/appconfig-targeted/media
deleted file mode 100644
index de2a652..0000000
--- a/refpolicy/config/appconfig-targeted/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t
-floppy system_u:object_r:removable_device_t
-disk system_u:object_r:fixed_disk_device_t
diff --git a/refpolicy/config/appconfig-targeted/removable_context b/refpolicy/config/appconfig-targeted/removable_context
deleted file mode 100644
index d4921f0..0000000
--- a/refpolicy/config/appconfig-targeted/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t
diff --git a/refpolicy/config/appconfig-targeted/root_default_contexts b/refpolicy/config/appconfig-targeted/root_default_contexts
deleted file mode 100644
index 5e3e986..0000000
--- a/refpolicy/config/appconfig-targeted/root_default_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-system_r:unconfined_t	system_r:unconfined_t
-system_r:initrc_t	system_r:unconfined_t
diff --git a/refpolicy/config/appconfig-targeted/seusers b/refpolicy/config/appconfig-targeted/seusers
deleted file mode 100644
index f7c5bd2..0000000
--- a/refpolicy/config/appconfig-targeted/seusers
+++ /dev/null
@@ -1,2 +0,0 @@
-root:root
-__default__:user_u
diff --git a/refpolicy/config/appconfig-targeted/userhelper_context b/refpolicy/config/appconfig-targeted/userhelper_context
deleted file mode 100644
index 4d47460..0000000
--- a/refpolicy/config/appconfig-targeted/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:unconfined_t	
diff --git a/refpolicy/config/local.users b/refpolicy/config/local.users
deleted file mode 100644
index 7e2bf7a..0000000
--- a/refpolicy/config/local.users
+++ /dev/null
@@ -1,21 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines additional users recognized by the system security policy.
-# Only the user identities defined in this file and the system.users file
-# may be used as the user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity.  The syntax of a user declaration is:
-#
-# 	user username roles role_set [ level default_level range allowed_range ];
-#
-# The MLS default level and allowed range should only be specified if 
-# MLS was enabled in the policy.
-
-# sample for administrative user
-# user jadmin roles { staff_r sysadm_r };
-
-# sample for regular user
-#user jdoe roles { user_r }; 
diff --git a/refpolicy/doc/Makefile.example b/refpolicy/doc/Makefile.example
deleted file mode 100644
index 9f2a8d5..0000000
--- a/refpolicy/doc/Makefile.example
+++ /dev/null
@@ -1,8 +0,0 @@
-
-AWK ?= gawk
-
-NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
-SHAREDIR ?= /usr/share/selinux
-HEADERDIR := $(SHAREDIR)/$(NAME)/include
-
-include $(HEADERDIR)/Makefile
diff --git a/refpolicy/doc/example.fc b/refpolicy/doc/example.fc
deleted file mode 100644
index 9cf7c4c..0000000
--- a/refpolicy/doc/example.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# myapp executable will have:
-# label: system_u:object_r:myapp_exec_t
-# MLS sensitivity: s0
-# MCS categories: <none>
-
-/usr/sbin/myapp		--	gen_context(system_u:object_r:myapp_exec_t,s0)
diff --git a/refpolicy/doc/example.if b/refpolicy/doc/example.if
deleted file mode 100644
index 48f5bc9..0000000
--- a/refpolicy/doc/example.if
+++ /dev/null
@@ -1,55 +0,0 @@
-## <summary>Myapp example policy</summary>
-## <desc>
-##	<p>
-##		More descriptive text about myapp.  The <desc>
-##		tag can also use <p>, <ul>, and <ol>
-##		html tags for formatting.
-##	</p>
-##	<p>
-##		This policy supports the following myapp features:
-##		<ul>
-##		<li>Feature A</li>
-##		<li>Feature B</li>
-##		<li>Feature C</li>
-##		</ul>
-##	</p>
-## </desc>
-#
-
-########################################
-## <summary>
-##	Execute a domain transition to run myapp.
-## </summary>
-## <param name="domain">
-##	Domain allowed to transition.
-## </param>
-#
-interface(`myapp_domtrans',`
-	gen_require(`
-		type myapp_t, myapp_exec_t;
-	')
-
-	domain_auto_trans($1,myapp_exec_t,myapp_t)
-
-	allow $1 myapp_t:fd use;
-	allow myapp_t $1:fd use;
-	allow $1 myapp_t:fifo_file rw_file_perms;
-	allow $1 myapp_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Read myapp log files.
-## </summary>
-## <param name="domain">
-##	Domain allowed to read the log files.
-## </param>
-#
-interface(`myapp_read_log',`
-	gen_require(`
-		type myapp_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 myapp_log_t:file r_file_perms;
-')
diff --git a/refpolicy/doc/example.te b/refpolicy/doc/example.te
deleted file mode 100644
index d624e0c..0000000
--- a/refpolicy/doc/example.te
+++ /dev/null
@@ -1,28 +0,0 @@
-
-policy_module(myapp,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type myapp_t;
-type myapp_exec_t;
-domain_type(myapp_t)
-domain_entry_file(myapp_t, myapp_exec_t)
-
-type myapp_log_t;
-logging_log_file(myapp_log_t)
-
-type myapp_tmp_t;
-files_tmp_file(myapp_tmp_t)
-
-########################################
-#
-# Myapp local policy
-#
-
-allow myapp_t myapp_log_t:file ra_file_perms;
-
-allow myapp_t myapp_tmp_t:file manage_file_perms;
-files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
diff --git a/refpolicy/doc/policy.dtd b/refpolicy/doc/policy.dtd
deleted file mode 100644
index 7990cff..0000000
--- a/refpolicy/doc/policy.dtd
+++ /dev/null
@@ -1,41 +0,0 @@
-<!ENTITY  % inline.class  "pre|p|ul|ol|li">
-
-<!ELEMENT policy (layer+,(tunable|bool)*)>
-<!ELEMENT layer (summary,module+)>
-<!ATTLIST layer
-      name CDATA #REQUIRED>
-<!ELEMENT module (summary,desc?,required?,(interface|template)*)>
-<!ATTLIST module 
-      name CDATA #REQUIRED
-      filename CDATA #REQUIRED>
-<!ELEMENT required (#PCDATA)>
-<!ATTLIST required
-      val (true|false) "false">
-<!ELEMENT tunable (desc)>
-<!ATTLIST tunable
-      name CDATA #REQUIRED
-      dftval CDATA #REQUIRED>
-<!ELEMENT bool (desc)>
-<!ATTLIST bool
-      name CDATA #REQUIRED
-      dftval CDATA #REQUIRED>
-<!ELEMENT summary (#PCDATA)>
-<!ELEMENT interface (summary,desc?,param+,infoflow?)>
-<!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
-<!ELEMENT template (summary,desc?,param+)>
-<!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
-<!ELEMENT desc (#PCDATA|%inline.class;)*>
-<!ELEMENT param (summary)>
-<!ATTLIST param 
-      name CDATA #REQUIRED
-      optional (true|false) "false">
-<!ELEMENT infoflow EMPTY>
-<!ATTLIST infoflow 
-      type CDATA #REQUIRED
-      weight CDATA #IMPLIED>
-
-<!ATTLIST pre caption CDATA #IMPLIED>
-<!ELEMENT p (#PCDATA|%inline.class;)*>
-<!ELEMENT ul (li+)>
-<!ELEMENT ol (li+)>
-<!ELEMENT li (#PCDATA|%inline.class;)*>
diff --git a/refpolicy/doc/templates/global_bool_list.html b/refpolicy/doc/templates/global_bool_list.html
deleted file mode 100644
index a8065af..0000000
--- a/refpolicy/doc/templates/global_bool_list.html
+++ /dev/null
@@ -1,14 +0,0 @@
-<h3>Global booleans:</h3>
-
-[[for bool in booleans]]
-<div id="interface">
-<div id="codeblock">[[bool['bool_name']]]</div>
-<div id="description">
-<h5>Default value</h5>
-<p>[[bool['def_val']]]</p>
-[[if bool['desc']]]
-<h5>Description</h5>
-[[bool['desc']]]
-[[end]]
-</div></div>
-[[end]]
diff --git a/refpolicy/doc/templates/global_tun_list.html b/refpolicy/doc/templates/global_tun_list.html
deleted file mode 100644
index 6ed8013..0000000
--- a/refpolicy/doc/templates/global_tun_list.html
+++ /dev/null
@@ -1,14 +0,0 @@
-<h3>Global tunables:</h3>
-
-[[for tun in tunables]]
-<div id="interface">
-<div id="codeblock">[[tun['tun_name']]]</div>
-<div id="description">
-<h5>Default value</h5>
-<p>[[tun['def_val']]]</p>
-[[if tun['desc']]]
-<h5>Description</h5>
-[[tun['desc']]]
-[[end]]
-</div></div>
-[[end]]
diff --git a/refpolicy/doc/templates/header.html b/refpolicy/doc/templates/header.html
deleted file mode 100644
index 9ef487c..0000000
--- a/refpolicy/doc/templates/header.html
+++ /dev/null
@@ -1,15 +0,0 @@
-<html>
-<head>
-<title>
- Security Enhanced Linux Reference Policy
- </title>
-<style type="text/css" media="all">@import "style.css";</style>
-</head>
-<body>
-<div id="Header">Security Enhanced Linux Reference Policy</div>
-[[menu]]
-<div id="Content">
-[[content]]
-</div>
-</body>
-</html>
diff --git a/refpolicy/doc/templates/int_list.html b/refpolicy/doc/templates/int_list.html
deleted file mode 100644
index b95c343..0000000
--- a/refpolicy/doc/templates/int_list.html
+++ /dev/null
@@ -1,33 +0,0 @@
-<h3>Master interface index:</h3>
-
-[[for int in interfaces]]
-<div id="interfacesmall">
-Module: <a href='[[int['mod_layer']+ "_" + int['mod_name'] + ".html#link_" + int['interface_name']]]'>
-[[int['mod_name']]]</a><p/>
-Layer: <a href='[[int['mod_layer']]].html'>
-[[int['mod_layer']]]</a><p/>
-<div id="codeblock">
-[[exec i = 0]]
-<b>[[int['interface_name']]]</b>(
-	[[for arg in int['interface_parameters']]]
-		[[if i != 0]]
-			,
-		[[end]]
-		[[exec i = 1]]
-		[[if arg['optional'] == 'yes']]
-			[
-		[[end]]
-		[[arg['name']]]
-		[[if arg['optional'] == 'yes']]
-			]
-		[[end]]
-	[[end]]
-	)<br>
-</div>
-[[if int['interface_summary']]]
-<div id="description">
-[[int['interface_summary']]]
-</div>
-[[end]]
-</div>
-[[end]]
diff --git a/refpolicy/doc/templates/interface.html b/refpolicy/doc/templates/interface.html
deleted file mode 100644
index ae7bf49..0000000
--- a/refpolicy/doc/templates/interface.html
+++ /dev/null
@@ -1,52 +0,0 @@
-[[for int in interfaces]]
-<a name="link_[[int['interface_name']]]"></a>
-<div id="interface">
-[[if int.has_key("mod_layer")]]
-	Layer: [[mod_layer]]<br>
-[[end]]
-[[if int.has_key("mod_name")]]
-	Module: [[mod_name]]<br>
-[[end]]
-<div id="codeblock">
-[[exec i = 0]]
-<b>[[int['interface_name']]]</b>(
-	[[for arg in int['interface_parameters']]]
-		[[if i != 0]]
-			,
-		[[end]]
-		[[exec i = 1]]
-		[[if arg['optional'] == 'yes']]
-			[
-		[[end]]
-		[[arg['name']]]
-		[[if arg['optional'] == 'yes']]
-			]
-		[[end]]
-	[[end]]
-	)<br>
-</div>
-<div id="description">
-[[if int['interface_summary']]]
-<h5>Summary</h5>
-[[int['interface_summary']]]
-[[end]]
-[[if int['interface_desc']]]
-<h5>Description</h5>
-[[int['interface_desc']]]
-[[end]]
-<h5>Parameters</h5>
-<table border="1" cellspacing="0" cellpadding="3" width="80%">
-<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
-[[for arg in int['interface_parameters']]]
-<tr><td>
-[[arg['name']]]
-</td><td>
-[[arg['desc']]]
-</td><td>
-[[arg['optional']]]
-</td></tr>
-[[end]]
-</table>
-</div>
-</div>
-[[end]]
diff --git a/refpolicy/doc/templates/menu.html b/refpolicy/doc/templates/menu.html
deleted file mode 100644
index 6d2cce3..0000000
--- a/refpolicy/doc/templates/menu.html
+++ /dev/null
@@ -1,22 +0,0 @@
-<div id='Menu'>
-	[[for layer_name, layer_mods in menulist]]
-		<a href="[[layer_name]].html">+&nbsp;
-		[[layer_name]]</a></br/>
-		<div id='subitem'>
-		[[for module, s in layer_mods]]
-			&nbsp;&nbsp;&nbsp;-&nbsp;<a href='[[layer_name + "_" + module]].html'>
-			[[module]]</a><br/>
-		[[end]]
-		</div>
-	[[end]]
-	<br/><p/>
-	<a href="global_booleans.html">*&nbsp;Global&nbsp;Booleans&nbsp;</a>
-	<br/><p/>
-	<a href="global_tunables.html">*&nbsp;Global&nbsp;Tunables&nbsp;</a>
-	<p/><br/><p/>
-	<a href="index.html">*&nbsp;Layer Index</a>
-	<br/><p/>
-	<a href="interfaces.html">*&nbsp;Interface&nbsp;Index</a>
-	<br/><p/>
-	<a href="templates.html">*&nbsp;Template&nbsp;Index</a>
-</div>
diff --git a/refpolicy/doc/templates/module.html b/refpolicy/doc/templates/module.html
deleted file mode 100644
index 71341fe..0000000
--- a/refpolicy/doc/templates/module.html
+++ /dev/null
@@ -1,31 +0,0 @@
-<a name="top":></a>
-<h1>Layer: [[mod_layer]]</h1><p/>
-<h2>Module: [[mod_name]]</h2><p/>
-[[if interfaces and templates]]
-<a href=#interfaces>Interfaces</a>
-<a href=#templates>Templates</a>
-[[end]]
-<h3>Description:</h3>
-[[if mod_desc]] 
-<p>[[mod_desc]]</p>
-[[else]]
-<p>[[mod_summary]]</p>
-[[end]]
-[[if mod_req]]
-<p>This module is required to be included in all policies.</p>
-[[end]]
-[[if interfaces]]
-<a name="interfaces"></a>
-<h3>Interfaces: </h3>
-[[interfaces]]
-<a href=#top>Return</a>
-[[end]]
-[[if templates]]
-<a name="templates"></a>
-<h3>Templates: </h3>
-[[templates]]
-<a href=#top>Return</a>
-[[end]]
-[[if not templates and not interfaces]]
-<h3>No interfaces or templates.</h3>
-[[end]]
diff --git a/refpolicy/doc/templates/module_list.html b/refpolicy/doc/templates/module_list.html
deleted file mode 100644
index 7317a6b..0000000
--- a/refpolicy/doc/templates/module_list.html
+++ /dev/null
@@ -1,19 +0,0 @@
-[[if mod_layer]]
-<h1>Layer: [[mod_layer]]</h1><p/>
-[[if layer_summary]]
-<p>[[layer_summary]]</p><br/>
-[[end]]
-[[end]]
-<table border="1" cellspacing="0" cellpadding="3" width="75%">
-<tr><td class="title">Module:</td><td class="title">Description:</td></tr>
-	[[for layer_name, layer_mods in menulist]]
-		[[for module, s in layer_mods]]
-			<tr><td>
-			<a href='[[layer_name + "_" + module]].html'>
-			[[module]]</a></td>
-			<td>[[s]]</td>
-		[[end]]
-		</td></tr>
-	[[end]]
-</table>
-<p/><br/><br/>
diff --git a/refpolicy/doc/templates/style.css b/refpolicy/doc/templates/style.css
deleted file mode 100644
index 9bac0d9..0000000
--- a/refpolicy/doc/templates/style.css
+++ /dev/null
@@ -1,216 +0,0 @@
-body {
-	margin:0px;
-	padding:0px;
-	font-family:verdana, arial, helvetica, sans-serif;
-	color:#333;
-	background-color:white;
-	}
-h1 {
-	margin:0px 0px 5px 0px;
-	padding:0px;
-	font-size:150%
-	line-height:28px;
-	font-weight:900;
-	color:#ccc;
-	}
-h2 {
-	font-size:125%;
-	margin:0px;
-	padding:5px 0px 10px 0px;
-	}
-h3 {
-	font-size:110%;
-	margin:0px;
-	padding:5px 0px 10px 5px;
-	}
-h4 {
-	font-size:100%;
-	margin:0px;
-	padding:5px 0px 10px 5px;
-	}
-h5 {
-	font-size:100%;
-	margin:0px;
-	font-weight:600;
-	padding:0px 0px 5px 0px;
-	margin:0px 0px 0px 5px;
-}
-li {
-	font:11px/20px verdana, arial, helvetica, sans-serif;
-	margin:0px 0px 0px 10px;
-	padding:0px;
-	}
-p {
-	/* normal */
-	font:11px/20px verdana, arial, helvetica, sans-serif;
-	margin:0px 0px 0px 10px;
-	padding:0px;
-	}
-        
-tt {
-	/* inline code */
-	font-family: monospace;
-	}
-        
-table {
-        background-color:#efefef;
-        /*background-color: white;*/
-	border-style:solid;
-	border-color:black;
-	border-width:0px 1px 1px 0px;
-        color: black;
-        text-align: left;
-	font:11px/20px verdana, arial, helvetica, sans-serif;
-        margin-left: 5%;
-        margin-right: 5%;
-}
-
-th {
-	font-weight:500;
-        background-color: #eaeaef;
-        text-align: center;
-}
-
-td.header {
-        font-weight: bold;
-}
-        
-#Content>p {margin:0px;}
-#Content>p+p {text-indent:30px;}
-a {
-	color:#09c;
-	font-size:11px;
-	text-decoration:none;
-	font-weight:600;
-	font-family:verdana, arial, helvetica, sans-serif;
-	}
-a:link {color:#09c;}
-a:visited {color:#07a;}
-a:hover {background-color:#eee;}
-
-#Codeblock {
-	margin:5px 50px 5px 10px;
-	padding:5px 0px 5px 15px;
-	border-style:solid;
-	border-color:lightgrey;
-	border-width:1px 1px 1px 1px;
-	background-color:#f5f5ff;
-	font-size:100%;
-	font-weight:600;
-	text-decoration:none;
-	font-family:monospace;
-}
-#Interface {
-	margin:5px 0px 25px 5px;
-	padding:5px 0px 5px 5px;
-	border-style:solid;
-	border-color:black;
-	border-width:1px 1px 1px 1px;
-	background-color:#fafafa;
-	font-size:14px;
-	font-weight:400;
-	text-decoration:none;
-	font-family:verdana, arial, helvetica, sans-serif;
-}
-#Interfacesmall {
-	margin:0px 0px 5px 0px;
-	padding:5px 0px 0px 5px;
-	border-style:solid;
-	border-color:black;
-	border-width:1px 1px 1px 1px;
-	background-color:#fafafa;
-	font-size:14px;
-	font-weight:400;
-	text-decoration:none;
-	font-family:verdana, arial, helvetica, sans-serif;
-}	
-#Template {
-	margin:5px 0px 25px 5px;
-	padding:5px 0px 5px 5px;
-	border-style:solid;
-	border-color:black;
-	border-width:1px 1px 1px 1px;
-	background-color:#fafafa;
-	font-size:14px;
-	font-weight:400;
-	text-decoration:none;
-	font-family:verdana, arial, helvetica, sans-serif;
-}
-#Templatesmall {
-	margin:0px 0px 5px 0px;
-	padding:5px 0px 0px 5px;
-	border-style:solid;
-	border-color:black;
-	border-width:1px 1px 1px 1px;
-	background-color:#fafafa;
-	font-size:14px;
-	font-weight:400;
-	text-decoration:none;
-	font-family:verdana, arial, helvetica, sans-serif;
-}	
-#Description {
-	margin:0px 0px 0px 5px;
-	padding:0px 0px 0px 5px;
-	text-decoration:none;
-	font-family:verdana, arial, helvetica, sans-serif;
-	font-size:12px;
-	font-weight:400;
-}
-pre {
-	margin:0px;
-	padding:0px;
-	font-size:14px;
-	text-decoration:none;
-	font-family:verdana, arial, helvetica, sans-serif;
-}
-dl {
-	/* definition text block */
-	font:11px/20px verdana, arial, helvetica, sans-serif;
-	margin:0px 0px 16px 0px;
-	padding:0px;
-	}
-dt {
-	/* definition term */
-        font-weight: bold;
-	}
-
-#Header {
-	margin:50px 0px 10px 0px;
-	padding:17px 0px 0px 20px;
-	/* For IE5/Win's benefit height = [correct height] + [top padding] + [top and bottom border widths] */
-	height:33px; /* 14px + 17px + 2px = 33px */
-	border-style:solid;
-	border-color:black;
-	border-width:1px 0px; /* top and bottom borders: 1px; left and right borders: 0px */
-	line-height:11px;
-	font-size:110%;
-	background-color:#eee;
-	voice-family: "\"}\"";
-	voice-family:inherit;
-	height:14px; /* the correct height */
-	}
-body>#Header {height:14px;}
-#Content {
-	margin:0px 50px 0px 200px;
-	padding:10px;
-	}
-
-#Menu {
-	position:absolute;
-	top:100px;
-	left:20px;
-	width:162px;
-	padding:10px;
-	background-color:#eee;
-	border:1px solid #aaa;
-	line-height:17px;
-	text-align:left;	
-	voice-family: "\"}\"";
-	voice-family:inherit;
-	width:160px;
-	}
-#Menu subitem {
-	font-size: 5px;
-}
-
-body>#Menu {width:160px;}
diff --git a/refpolicy/doc/templates/temp_list.html b/refpolicy/doc/templates/temp_list.html
deleted file mode 100644
index 9d635d8..0000000
--- a/refpolicy/doc/templates/temp_list.html
+++ /dev/null
@@ -1,33 +0,0 @@
-<h3>Master template index:</h3>
-
-[[for temp in templates]]
-<div id="templatesmall">
-Module: <a href='[[temp['mod_layer']+ "_" + temp['mod_name'] + ".html#link_" + temp['template_name']]]'>
-[[temp['mod_name']]]</a><p/>
-Layer: <a href='[[temp['mod_layer']]].html'>
-[[temp['mod_layer']]]</a><p/>
-<div id="codeblock">
-[[exec i = 0]]
-<b>[[temp['template_name']]]</b>(
-	[[for arg in temp['template_parameters']]]
-		[[if i != 0]]
-			,
-		[[end]]
-		[[exec i = 1]]
-		[[if arg['optional'] == 'yes']]
-			[
-		[[end]]
-		[[arg['name']]]
-		[[if arg['optional'] == 'yes']]
-			]
-		[[end]]
-	[[end]]
-	)<br>
-</div>
-[[if temp['template_summary']]]
-<div id="description">
-[[temp['template_summary']]]
-</div>
-[[end]]
-</div>
-[[end]]
diff --git a/refpolicy/doc/templates/template.html b/refpolicy/doc/templates/template.html
deleted file mode 100644
index c24a83e..0000000
--- a/refpolicy/doc/templates/template.html
+++ /dev/null
@@ -1,52 +0,0 @@
-[[for temp in templates]]
-<a name="link_[[temp['template_name']]]"></a>
-<div id="template">
-[[if temp.has_key("mod_layer")]]
-	Layer: [[mod_layer]]<br>
-[[end]]
-[[if temp.has_key("mod_name")]]
-	Module: [[mod_name]]<br>
-[[end]]
-<div id="codeblock">
-[[exec i = 0]]
-<b>[[temp['template_name']]]</b>(
-	[[for arg in temp['template_parameters']]]
-		[[if i != 0]]
-			,
-		[[end]]
-		[[exec i = 1]]
-		[[if arg['optional'] == 'yes']]
-			[
-		[[end]]
-		[[arg['name']]]
-		[[if arg['optional'] == 'yes']]
-			]
-		[[end]]
-	[[end]]
-	)<br>
-</div>
-<div id="description">
-[[if temp['template_summary']]]
-<h5>Summary</h5>
-[[temp['template_summary']]]
-[[end]]
-[[if temp['template_desc']]]
-<h5>Description</h5>
-[[temp['template_desc']]]
-[[end]]
-<h5>Parameters</h5>
-<table border="1" cellspacing="0" cellpadding="3" width="80%">
-<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
-[[for arg in temp['template_parameters']]]
-<tr><td>
-[[arg['name']]]
-</td><td>
-[[arg['desc']]]
-</td><td>
-[[arg['optional']]]
-</td></tr>
-[[end]]
-</table>
-</div>
-</div>
-[[end]]
diff --git a/refpolicy/man/man8/ftpd_selinux.8 b/refpolicy/man/man8/ftpd_selinux.8
deleted file mode 100644
index 017b212..0000000
--- a/refpolicy/man/man8/ftpd_selinux.8
+++ /dev/null
@@ -1,56 +0,0 @@
-.TH  "ftpd_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
-.SH "NAME"
-ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the ftpd server via flexible mandatory access
-control.  
-.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type. 
-Policy governs the access daemons have to these files. 
-If you want to share files anonymously, you must label the files and directories public_content_t.  So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.
-.TP
-chcon -R -t public_content_t /var/ftp
-.TP
-If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
-.TP
-chcon -t public_content_rw_t /var/ftp/incoming
-.TP
-You must also turn on the boolean allow_ftpd_anon_write.
-.TP
-setsebool -P allow_ftpd_anon_write=1
-.TP
-If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
-.TP
-/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
-.br
-/var/ftp(/.*)? system_u:object_r:public_content_t
-/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
-
-.SH BOOLEANS
-SELinux ftp daemon policy is customizable based on least access required.  So by 
-default SElinux does not allow users to login and read their home directories.
-.br
-If you are setting up this machine as a ftpd server and wish to allow users to access their home
-directorories, you need to set the ftp_home_dir boolean. 
-.TP
-setsebool -P ftp_home_dir 1
-.TP
-ftpd can run either as a standalone daemon or as part of the xinetd domain.  If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean.
-.TP
-setsebool -P ftpd_is_daemon 1
-.TP
-You can disable SELinux protection for the ftpd daemon by executing:
-.TP
-setsebool -P ftpd_disable_trans 1
-.br
-service vsftpd restart
-.TP
-system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), ftpd(8), chcon(1), setsebool(8)
-
-
diff --git a/refpolicy/man/man8/httpd_selinux.8 b/refpolicy/man/man8/httpd_selinux.8
deleted file mode 100644
index e9d4774..0000000
--- a/refpolicy/man/man8/httpd_selinux.8
+++ /dev/null
@@ -1,123 +0,0 @@
-.TH  "httpd_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
-.SH "NAME"
-httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the httpd server via flexible mandatory access
-control.  
-.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type. 
-Policy governs the access daemons have to these files. 
-SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
-.TP 
-The following file contexts types are defined for httpd:
-.br
-
-httpd_sys_content_t 
-.br 
-- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.
-.br
-
-httpd_sys_script_exec_t  
-.br 
-- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
-.br
-
-httpd_sys_script_ro_t 
-.br
-- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
-.br
-
-httpd_sys_script_rw_t 
-.br
-- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
-.br
-
-httpd_sys_script_ra_t 
-.br
-- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
-
-httpd_unconfined_script_exec_t  
-.br 
-- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options.  It is better to use this script rather than turning off SELinux protection for httpd.
-.br
-
-.SH NOTE
-With certain policies you can define addional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
-
-.SH SHARING FILES
-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for httpd you would execute:
-
-setsebool -P allow_httpd_anon_write=1
-
-or 
-
-setsebool -P allow_httpd_sys_script_anon_write=1
-
-.SH BOOLEANS
-SELinux policy is customizable based on least access required.  So by 
-default SElinux prevents certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
-.TP
-httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
-.br
-
-setsebool -P httpd_enable_cgi 1
-
-.TP
-httpd by default is not allowed to access users home directories.  If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
-.br
-
-setsebool -P httpd_enable_homedirs 1
-.br
-chcon -R -t httpd_sys_content_t ~user/public_html
-
-.TP
-httpd by default is not allowed access to the controling terminal.  In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.
-.br
-
-setsebool -P httpd_tty_comm 1
-
-.TP
-httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute.  Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
-.br
-
-setsebool -P httpd_unified 0
-
-.TP
-httpd can be configured to turn off internal scripting (PHP).  PHP and other
-loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
-.br
-
-setsebool -P httpd_builtin_scripting 0
-
-.TP
-httpd scripts by default are not allowed to connect out to the network.
-This would prevent a hacker from breaking into you httpd server and attacking 
-other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
-.br
-
-setsebool -P httpd_can_network_connect 1
-
-.TP
-You can disable suexec transition, set httpd_suexec_disable_trans deny this
-.br
-
-setsebool -P httpd_suexec_disable_trans 1
-
-.TP
-You can disable SELinux protection for the httpd daemon by executing:
-.br
-
-setsebool -P httpd_disable_trans 1
-.br
-service httpd restart
-
-.TP
-system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), httpd(8), chcon(1), setsebool(8)
-
-
diff --git a/refpolicy/man/man8/kerberos_selinux.8 b/refpolicy/man/man8/kerberos_selinux.8
deleted file mode 100644
index 94b3228..0000000
--- a/refpolicy/man/man8/kerberos_selinux.8
+++ /dev/null
@@ -1,31 +0,0 @@
-.TH  "kerberos_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
-.SH "NAME"
-kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the system via flexible mandatory access
-control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network.  
-.SH BOOLEANS
-.TP
-You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
-.TP
-setsebool -P allow_kerberos 1
-.TP 
-If you are running Kerberos daemons kadmind or krb5kdc you can disable the SELinux protection on these daemons by setting the krb5kdc_disable_trans and kadmind_disable_trans booleans.
-.br
-
-setsebool -P krb5kdc_disable_trans 1
-.br
-service krb5kdc restart
-.br
-setsebool -P kadmind_disable_trans booleans 1
-.br
-service kadmind restart
-
-.TP
-system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), kerberos(1), chcon(1), setsebool(8)
diff --git a/refpolicy/man/man8/named_selinux.8 b/refpolicy/man/man8/named_selinux.8
deleted file mode 100644
index 2381614..0000000
--- a/refpolicy/man/man8/named_selinux.8
+++ /dev/null
@@ -1,29 +0,0 @@
-.TH  "named_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
-.SH "NAME"
-named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the named server via flexible mandatory access
-control.  
-.SH BOOLEANS
-SELinux policy is customizable based on least access required.  So by 
-default SElinux policy does not allow named to write master zone files.  If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
-.TP
-.br
-setsebool -P named_write_master_zones 1
-
-.TP
-You can disable SELinux protection for the named daemon by executing:
-.TP
-setsebool -P named_disable_trans 1
-.br
-service named restart
-.TP
-system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), named(8), chcon(1), setsebool(8)
-
-
diff --git a/refpolicy/man/man8/nfs_selinux.8 b/refpolicy/man/man8/nfs_selinux.8
deleted file mode 100644
index 422f042..0000000
--- a/refpolicy/man/man8/nfs_selinux.8
+++ /dev/null
@@ -1,30 +0,0 @@
-.TH  "nfs_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
-.SH "NAME"
-nfs_selinux \- Security Enhanced Linux Policy for NFS
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the nfs server via flexible mandatory access
-control.  
-.SH BOOLEANS
-SELinux policy is customizable based on least access required.  So by 
-default SElinux policy does not allow nfs to share files.  If you want to 
-setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean.
-
-.TP
-setsebool -P nfs_export_all_ro 1
-.TP
-If you want to share files read/write you must set the nfs_export_all_rw boolean.
-.TP
-setsebool -P nfs_export_all_rw 1
-
-.TP
-If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean.
-.TP
-setsebool -P use_nfs_home_dirs 1
-.TP
-system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSpppO"
-selinux(8), chcon(1), setsebool(8)
diff --git a/refpolicy/man/man8/nis_selinux.8 b/refpolicy/man/man8/nis_selinux.8
deleted file mode 100644
index 6271c95..0000000
--- a/refpolicy/man/man8/nis_selinux.8
+++ /dev/null
@@ -1 +0,0 @@
-.so man8/ypbind_selinux.8
diff --git a/refpolicy/man/man8/rsync_selinux.8 b/refpolicy/man/man8/rsync_selinux.8
deleted file mode 100644
index 8ff4429..0000000
--- a/refpolicy/man/man8/rsync_selinux.8
+++ /dev/null
@@ -1,41 +0,0 @@
-.TH  "rsync_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
-.SH "NAME"
-rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the rsync server via flexible mandatory access
-control.  
-.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type. 
-Policy governs the access daemons have to these files. 
-If you want to share files using the rsync daemon, you must label the files and directories public_content_t.  So if you created a special directory /var/rsync, you 
-would need to label the directory with the chcon tool.
-.TP
-chcon -t public_content_t /var/rsync
-.TP
-If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
-.TP
-/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
-.br
-/var/rsync(/.*)? system_u:object_r:public_content_t
-
-.SH SHARING FILES
-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for rsync you would execute:
-
-setsebool -P allow_rsync_anon_write=1
-
-
-.SH BOOLEANS
-.TP
-You can disable SELinux protection for the rsync daemon by executing:
-.TP
-setsebool -P rsync_disable_trans 1
-.br
-service xinetd restart
-.TP
-system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), rsync(1), chcon(1), setsebool(8)
diff --git a/refpolicy/man/man8/samba_selinux.8 b/refpolicy/man/man8/samba_selinux.8
deleted file mode 100644
index f0268cc..0000000
--- a/refpolicy/man/man8/samba_selinux.8
+++ /dev/null
@@ -1,60 +0,0 @@
-.TH  "samba_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
-.SH "NAME"
-samba_selinux \- Security Enhanced Linux Policy for Samba
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the Samba server via flexible mandatory access
-control.  
-.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type. 
-Policy governs the access daemons have to these files. 
-If you want to share files other than home directories, those files must be 
-labeled samba_share_t.  So if you created a special directory /var/eng, you 
-would need to label the directory with the chcon tool.
-.TP
-chcon -t samba_share_t /var/eng
-.TP
-If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
-.TP
-/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
-.br
-/var/eng(/.*)? system_u:object_r:samba_share_t
-
-.SH SHARING FILES
-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
-
-setsebool -P allow_smbd_anon_write=1
-
-.SH BOOLEANS
-.br 
-SELinux policy is customizable based on least access required.  So by 
-default SElinux policy turns off SELinux sharing of home directories and 
-the use of Samba shares from a remote machine as a home directory.
-.TP
-If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. 
-.br
-
-setsebool -P samba_enable_home_dirs 1
-.TP
-If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
-.br 
-
-setsebool -P use_samba_home_dirs 1
-.TP
-You can disable SELinux protection for the samba daemon by executing:
-.br 
-
-setsebool -P smbd_disable_trans 1
-.br
-service smb restart
-.TP
-system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
-
-
-
-
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), samba(7), chcon(1), setsebool(8)
diff --git a/refpolicy/man/man8/ypbind_selinux.8 b/refpolicy/man/man8/ypbind_selinux.8
deleted file mode 100644
index ed07681..0000000
--- a/refpolicy/man/man8/ypbind_selinux.8
+++ /dev/null
@@ -1,19 +0,0 @@
-.TH  "ypbind_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
-.SH "NAME"
-ypbind_selinux \- Security Enhanced Linux Policy for NIS.
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the system via flexible mandatory access
-control. By default NIS is not allowed, since it requires daemons to be allowed greater access to the network.  
-.SH BOOLEANS
-.TP
-You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
-.TP
-setsebool -P allow_ypbind 1
-.TP
-system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), ypbind(8), chcon(1), setsebool(8)
diff --git a/refpolicy/policy/constraints b/refpolicy/policy/constraints
deleted file mode 100644
index d4dab72..0000000
--- a/refpolicy/policy/constraints
+++ /dev/null
@@ -1,92 +0,0 @@
-
-#
-# Define the constraints
-#
-# constrain class_set perm_set expression ;
-#
-# expression : ( expression ) 
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_op r2
-#	     | t1 op t2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#
-# op : == | != 
-# role_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name		
-#
-
-#
-# SELinux process identity change constraint:
-#
-constrain process transition
-	( u1 == u2
-
-ifdef(`targeted_policy',`
-	or t1 == can_change_process_identity
-',`
-	or ( t1 == can_change_process_identity and t2 == process_user_target )
-
-       	or ( t1 == cron_source_domain
-		and ( t2 == cron_job_domain or u2 == system_u )
-	   )
-
-	or (t1 == process_uncond_exempt)
-
-	or (t1 == can_system_change and u2 == system_u )
-')
-);
-
-#
-# SELinux process role change constraint:
-#
-constrain process transition 
-	( r1 == r2
-
-ifdef(`targeted_policy',`
-	or t1 == can_change_process_role
-',`
-	or ( t1 == can_change_process_role and t2 == process_user_target )
-
-       	or ( t1 == cron_source_domain and t2 == cron_job_domain )
-
-	or ( t1 == process_uncond_exempt )
-
-	# FIXME:
-	ifdef(`postfix.te',`
-		ifdef(`direct_sysadm_daemon',`
-			or (
-				t1 == sysadm_mail_t
-				and t2 == system_mail_t
-				and r2 == system_r
-			)
-		')
-	')
-
-	or (t1 == can_system_change and r2 == system_r )
-')
-);
-
-#
-# SELinux dynamic transition constraint:
-#
-constrain process dyntransition
-	( u1 == u2 and r1 == r2 );
-
-#
-# SElinux object identity change constraint:
-#
-constrain dir_file_class_set { create relabelto relabelfrom } 
-	( u1 == u2 or t1 == can_change_object_identity );
-
-constrain socket_class_set { create relabelto relabelfrom } 
-	( u1 == u2 or t1 == can_change_object_identity );
diff --git a/refpolicy/policy/flask/Makefile b/refpolicy/policy/flask/Makefile
deleted file mode 100644
index 970b9fe..0000000
--- a/refpolicy/policy/flask/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# flask needs to know where to export the libselinux headers.
-LIBSEL ?= ../../libselinux
-
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.6
-
-AWK = awk
-
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
-          else if [ -x /bin/bash ]; then echo /bin/bash; \
-          else echo sh; fi ; fi)
-
-FLASK_H_DEPEND = security_classes initial_sids
-AV_H_DEPEND = access_vectors
-
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-
-all:  $(ALL_H_FILES)
-
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
-	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-
-$(AV_H_FILES): $(AV_H_DEPEND)
-	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-
-tolib: all
-	install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
-	install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
-
-tokern: all
-	install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
-
-clean:  
-	rm -f $(FLASK_H_FILES)
-	rm -f $(AV_H_FILES)
diff --git a/refpolicy/policy/flask/access_vectors b/refpolicy/policy/flask/access_vectors
deleted file mode 100644
index 6a847d1..0000000
--- a/refpolicy/policy/flask/access_vectors
+++ /dev/null
@@ -1,631 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-	unlink
-	link
-	rename
-	execute
-	swapon
-	quotaon
-	mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-# socket-specific
-	bind
-	connect
-	listen
-	accept
-	getopt
-	setopt
-	shutdown
-	recvfrom
-	sendto
-	recv_msg
-	send_msg
-	name_bind
-}	
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
-	create
-	destroy
-	getattr
-	setattr
-	read
-	write
-	associate
-	unix_read
-	unix_write
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
-	mount
-	remount
-	unmount
-	getattr
-	relabelfrom
-	relabelto
-	transition
-	associate
-	quotamod
-	quotaget
-}
-
-class dir
-inherits file
-{
-	add_name
-	remove_name
-	reparent
-	search
-	rmdir
-}
-
-class file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-}
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
-	use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-	node_bind
-	name_connect
-}
-
-class udp_socket
-inherits socket
-{
-	node_bind
-}
-
-class rawip_socket
-inherits socket
-{
-	node_bind
-}
-
-class node 
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	enforce_dest
-}
-
-class netif
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-}
-
-class unix_dgram_socket
-inherits socket
-
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
-	fork
-	transition
-	sigchld # commonly granted from child to parent
-	sigkill # cannot be caught or ignored
-	sigstop # cannot be caught or ignored
-	signull # for kill(pid, 0)
-	signal  # all other signals
-	ptrace
-	getsched
-	setsched
-	getsession
-	getpgid
-	setpgid
-	getcap
-	setcap
-	share
-	getattr
-	setexec
-	setfscreate
-	noatsecure
-	siginh
-	setrlimit
-	rlimitinh
-	dyntransition
-	setcurrent
-	execmem
-	execstack
-	execheap
-	setkeycreate
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
-	enqueue
-}
-
-class msg
-{
-	send
-	receive
-}
-
-class shm
-inherits ipc
-{
-	lock
-}
-
-
-#
-# Define the access vector interpretation for the security server. 
-#
-
-class security
-{
-	compute_av
-	compute_create
-	compute_member
-	check_context
-	load_policy
-	compute_relabel
-	compute_user
-	setenforce     # was avc_toggle in system class
-	setbool
-	setsecparam
-	setcheckreqprot
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
-	ipc_info
-	syslog_read  
-	syslog_mod
-	syslog_console
-}
-
-#
-# Define the access vector interpretation for controling capabilies
-#
-
-class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown           
-	dac_override    
-	dac_read_search 
-	fowner          
-	fsetid          
-	kill            
-	setgid           
-	setuid           
-	setpcap          
-	linux_immutable  
-	net_bind_service 
-	net_broadcast    
-	net_admin        
-	net_raw          
-	ipc_lock         
-	ipc_owner        
-	sys_module       
-	sys_rawio        
-	sys_chroot       
-	sys_ptrace       
-	sys_pacct        
-	sys_admin        
-	sys_boot         
-	sys_nice         
-	sys_resource     
-	sys_time         
-	sys_tty_config  
-	mknod
-	lease
-	audit_write
-	audit_control
-}
-
-
-#
-# Define the access vector interpretation for controlling
-# changes to passwd information.
-#
-class passwd
-{
-	passwd	# change another user passwd
-	chfn	# change another user finger info
-	chsh	# change another user shell
-	rootok  # pam_rootok check (skip auth)
-	crontab # crontab on another user
-}
-
-#
-# SE-X Windows stuff
-#
-class drawable
-{
-	create
-	destroy
-	draw
-	copy
-	getattr
-}
-
-class gc
-{
-	create
-	free
-	getattr
-	setattr
-}
-
-class window 
-{
-	addchild
-	create
-	destroy
-	map
-	unmap
-	chstack
-	chproplist
-	chprop	
-	listprop
-	getattr
-	setattr
-	setfocus
-	move
-	chselection
-	chparent
-	ctrllife
-	enumerate
-	transparent
-	mousemotion
-	clientcomevent
-	inputevent
-	drawevent
-	windowchangeevent
-	windowchangerequest
-	serverchangeevent
-	extensionevent
-}
-
-class font
-{
-	load
-	free
-	getattr
-	use
-}
-
-class colormap
-{
-	create
-	free
-	install
-	uninstall
-	list
-	read
-	store
-	getattr
-	setattr
-}
-
-class property
-{
-	create
-	free
-	read
-	write
-}
-
-class cursor
-{
-	create
-	createglyph
-	free
-	assign
-	setattr
-}
-
-class xclient
-{
-	kill
-}
-
-class xinput
-{
-	lookup
-	getattr
-	setattr
-	setfocus
-	warppointer
-	activegrab
-	passivegrab
-	ungrab
-	bell
-	mousemotion
-	relabelinput
-}
-
-class xserver
-{
-	screensaver
-	gethostlist
-	sethostlist
-	getfontpath
-	setfontpath
-	getattr
-	grab
-	ungrab
-}
-
-class xextension
-{
-	query
-	use
-}
-
-#
-# Define the access vector interpretation for controlling
-# PaX flags
-#
-class pax
-{
-	pageexec	# Paging based non-executable pages
-	emutramp	# Emulate trampolines
-	mprotect	# Restrict mprotect()
-	randmmap	# Randomize mmap() base
-	randexec	# Randomize ET_EXEC base
-	segmexec	# Segmentation based non-executable pages
-}
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_firewall_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-	nlmsg_relay
-	nlmsg_readpriv
-}
-
-class netlink_ip6fw_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access and communication through the D-BUS messaging
-# system.
-#
-class dbus
-{
-	acquire_svc
-	send_msg
-}
-
-# Define the access vector interpretation for controlling
-# access through the name service cache daemon (nscd).
-#
-class nscd
-{
-	getpwd
-	getgrp
-	gethost
-	getstat
-	admin
-	shmempwd
-	shmemgrp
-	shmemhost
-}
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
-	sendto
-	recvfrom
-	setcontext
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
-	send
-	recv
-	relabelto
-}
-
-class key
-{
-	view
-	read
-	write
-	search
-	link
-	setattr
-	create
-}
diff --git a/refpolicy/policy/flask/initial_sids b/refpolicy/policy/flask/initial_sids
deleted file mode 100644
index 95894eb..0000000
--- a/refpolicy/policy/flask/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers 
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/refpolicy/policy/flask/mkaccess_vector.sh b/refpolicy/policy/flask/mkaccess_vector.sh
deleted file mode 100755
index b5da734..0000000
--- a/refpolicy/policy/flask/mkaccess_vector.sh
+++ /dev/null
@@ -1,227 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift
-
-# output files
-av_permissions="av_permissions.h"
-av_inherit="av_inherit.h"
-common_perm_to_string="common_perm_to_string.h"
-av_perm_to_string="av_perm_to_string.h"
-
-cat $* | $awk "
-BEGIN	{
-		outfile = \"$av_permissions\"
-		inheritfile = \"$av_inherit\"
-		cpermfile = \"$common_perm_to_string\"
-		avpermfile = \"$av_perm_to_string\"
-		"'
-		nextstate = "COMMON_OR_AV";
-		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > inheritfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > cpermfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
-;
-	}
-/^[ \t]*#/	{ 
-			next;
-		}
-$1 == "common"	{ 
-			if (nextstate != "COMMON_OR_AV")
-			{
-				printf("Parse error:  Unexpected COMMON definition on line %d\n", NR);
-				next;	
-			}
-
-			if ($2 in common_defined)
-			{
-				printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			common_defined[$2] = 1;
-
-			tclass = $2;
-			common_name = $2; 
-			permission = 1;
-
-			printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
-
-			nextstate = "COMMON-OPENBRACKET";
-			next;
-		}
-$1 == "class"	{
-			if (nextstate != "COMMON_OR_AV" &&
-			    nextstate != "CLASS_OR_CLASS-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected class definition on line %d\n", NR);
-				next;	
-			}
-
-			tclass = $2;
-
-			if (tclass in av_defined)
-			{
-				printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
-				next;
-			} 
-			av_defined[tclass] = 1;
-
-			inherits = "";
-			permission = 1;
-
-			nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
-			next;
-		}
-$1 == "inherits" {			
-			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected INHERITS definition on line %d\n", NR);
-				next;	
-			}
-
-			if (!($2 in common_defined))
-			{
-				printf("COMMON %s is not defined (line %d).\n", $2, NR);
-				next;
-			}
-
-			inherits = $2;
-			permission = common_base[$2];
-
-			for (combined in common_perms)
-			{
-				split(combined,separate, SUBSEP);
-				if (separate[1] == inherits)
-				{
-					inherited_perms[common_perms[combined]] = separate[2];
-				}
-			}
-
-                        j = 1;
-                        for (i in inherited_perms) {
-                            ind[j] = i + 0;
-                            j++;
-                        }
-                        n = asort(ind);
-			for (i = 1; i <= n; i++) {
-				perm = inherited_perms[ind[i]];
-				printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; 
-				spaces = 40 - (length(perm) + length(tclass));
-				if (spaces < 1)
-				      spaces = 1;
-				for (j = 0; j < spaces; j++) 
-					printf(" ") > outfile; 
-				printf("0x%08xUL\n", ind[i]) > outfile; 
-			}
-			printf("\n") > outfile;
-                        for (i in ind) delete ind[i];
-                        for (i in inherited_perms) delete inherited_perms[i];
-
-			printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; 
-
-			nextstate = "CLASS_OR_CLASS-OPENBRACKET";
-			next;
-		}
-$1 == "{"	{ 
-			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
-			    nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
-			    nextstate != "COMMON-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected { on line %d\n", NR);
-				next;
-			}
-
-			if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
-				nextstate = "CLASS-CLOSEBRACKET";
-
-			if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
-				nextstate = "CLASS-CLOSEBRACKET";
-
-			if (nextstate == "COMMON-OPENBRACKET")
-				nextstate = "COMMON-CLOSEBRACKET";
-		}
-/[a-z][a-z_]*/	{
-			if (nextstate != "COMMON-CLOSEBRACKET" &&
-			    nextstate != "CLASS-CLOSEBRACKET")
-			{
-				printf("Parse error:  Unexpected symbol %s on line %d\n", $1, NR);		
-				next;
-			}
-
-			if (nextstate == "COMMON-CLOSEBRACKET")
-			{
-				if ((common_name,$1) in common_perms)
-				{
-					printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
-					next;
-				}
-
-				common_perms[common_name,$1] = permission;
-
-				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
-
-				printf("    S_(\"%s\")\n", $1) > cpermfile;
-			}
-			else
-			{
-				if ((tclass,$1) in av_perms)
-				{
-					printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
-					next;
-				}
-
-				av_perms[tclass,$1] = permission;
-		
-				if (inherits != "")
-				{
-					if ((inherits,$1) in common_perms)
-					{
-						printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
-						next;
-					}
-				}
-
-				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
-
-				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
-			}
-
-			spaces = 40 - (length($1) + length(tclass));
-			if (spaces < 1)
-			      spaces = 1;
-
-			for (i = 0; i < spaces; i++) 
-				printf(" ") > outfile; 
-			printf("0x%08xUL\n", permission) > outfile; 
-			permission = permission * 2;
-		}
-$1 == "}"	{
-			if (nextstate != "CLASS-CLOSEBRACKET" && 
-			    nextstate != "COMMON-CLOSEBRACKET")
-			{
-				printf("Parse error:  Unexpected } on line %d\n", NR);
-				next;
-			}
-
-			if (nextstate == "COMMON-CLOSEBRACKET")
-			{
-				common_base[common_name] = permission;
-				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
-			}
-
-			printf("\n") > outfile;
-
-			nextstate = "COMMON_OR_AV";
-		}
-END	{
-		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
-			printf("Parse error:  Unexpected end of file\n");
-
-	}'
-
-# FLASK
diff --git a/refpolicy/policy/flask/mkflask.sh b/refpolicy/policy/flask/mkflask.sh
deleted file mode 100755
index 9c84754..0000000
--- a/refpolicy/policy/flask/mkflask.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift 1
-
-# output file
-output_file="flask.h"
-debug_file="class_to_string.h"
-debug_file2="initial_sid_to_string.h"
-
-cat $* | $awk "
-BEGIN	{
-		outfile = \"$output_file\"
-		debugfile = \"$debug_file\"
-		debugfile2 = \"$debug_file2\"
-		"'
-		nextstate = "CLASS";
-
-		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
-
-		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
-		printf("#define _SELINUX_FLASK_H_\n") > outfile;
-		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
-		printf("/*\n * Security object class definitions\n */\n") > debugfile;
-		printf("    S_(\"null\")\n") > debugfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
-		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
-		printf("    \"null\",\n") > debugfile2;
-	}
-/^[ \t]*#/	{ 
-			next;
-		}
-$1 == "class"	{ 
-			if (nextstate != "CLASS")
-			{
-				printf("Parse error:  Unexpected class definition on line %d\n", NR);
-				next;	
-			}
-
-			if ($2 in class_found)
-			{
-				printf("Duplicate class definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			class_found[$2] = 1;
-
-			class_value++;
-
-			printf("#define SECCLASS_%s", toupper($2)) > outfile;
-			for (i = 0; i < 40 - length($2); i++) 
-				printf(" ") > outfile; 
-			printf("%d\n", class_value) > outfile; 
-
-			printf("    S_(\"%s\")\n", $2) > debugfile;
-		}
-$1 == "sid"	{ 
-			if (nextstate == "CLASS")
-			{
-			    nextstate = "SID";
-			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
-			}
-
-			if ($2 in sid_found)
-			{
-				printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			sid_found[$2] = 1;
-			sid_value++;
-
-			printf("#define SECINITSID_%s", toupper($2)) > outfile;
-			for (i = 0; i < 37 - length($2); i++) 
-				printf(" ") > outfile; 
-			printf("%d\n", sid_value) > outfile; 
-			printf("    \"%s\",\n", $2) > debugfile2;
-		}
-END	{
-		if (nextstate != "SID")
-			printf("Parse error:  Unexpected end of file\n");
-
-		printf("\n#define SECINITSID_NUM") > outfile;
-		for (i = 0; i < 34; i++) 
-			printf(" ") > outfile; 
-		printf("%d\n", sid_value) > outfile; 
-		printf("\n#endif\n") > outfile;
-		printf("};\n\n") > debugfile2;
-	}'
-
-# FLASK
diff --git a/refpolicy/policy/flask/security_classes b/refpolicy/policy/flask/security_classes
deleted file mode 100644
index 57f49bc..0000000
--- a/refpolicy/policy/flask/security_classes
+++ /dev/null
@@ -1,96 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes 
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-#
-# userspace object manager classes
-#
-
-# passwd/chfn/chsh
-class passwd			# userspace
-
-# SE-X Windows stuff
-class drawable			# userspace
-class window			# userspace
-class gc			# userspace
-class font			# userspace
-class colormap			# userspace
-class property			# userspace
-class cursor			# userspace
-class xclient			# userspace
-class xinput			# userspace
-class xserver			# userspace
-class xextension		# userspace
-
-# pax flags
-class pax
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_firewall_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_ip6fw_socket
-class netlink_dnrt_socket
-
-class dbus			# userspace
-class nscd			# userspace
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-# FLASK
diff --git a/refpolicy/policy/global_booleans b/refpolicy/policy/global_booleans
deleted file mode 100644
index 111d004..0000000
--- a/refpolicy/policy/global_booleans
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# This file is for the declaration of global booleans.
-# To change the default value at build time, the booleans.conf
-# file should be used.
-#
-
-## <desc>
-## <p>
-## Enabling secure mode disallows programs, such as
-## newrole, from transitioning to administrative
-## user domains.
-## </p>
-## </desc>
-gen_bool(secure_mode,false)
-
-## <desc>
-## <p>
-## Disable transitions to insmod.
-## </p>
-## </desc>
-gen_bool(secure_mode_insmod,false)
-
-## <desc>
-## <p>
-## boolean to determine whether the system permits loading policy, setting
-## enforcing mode, and changing boolean values.  Set this to true and you
-## have to reboot to set it back
-## </p>
-## </desc>
-gen_bool(secure_mode_policyload,false)
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
deleted file mode 100644
index ec5cc93..0000000
--- a/refpolicy/policy/global_tunables
+++ /dev/null
@@ -1,587 +0,0 @@
-#
-# This file is for the declaration of global tunables.
-# To change the default value at build time, the booleans.conf
-# file should be used.
-#
-
-########################################
-#
-# Common tunables
-#
-
-## <desc>
-## <p>
-## Allow cvs daemon to read shadow
-## </p>
-## </desc>
-#
-gen_tunable(allow_cvs_read_shadow,false)
-
-## <desc>
-## <p>
-## Allow making the heap executable.
-## </p>
-## </desc>
-gen_tunable(allow_execheap,false)
-
-## <desc>
-## <p>
-## Allow making anonymous memory executable, e.g. 
-## for runtime-code generation or executable stack.
-## </p>
-## </desc>
-gen_tunable(allow_execmem,false)
-
-## <desc>
-## <p>
-## Allow making a modified private file
-## mapping executable (text relocation).
-## </p>
-## </desc>
-gen_tunable(allow_execmod,false)
-
-## <desc>
-## <p>
-## Allow making the stack executable via mprotect.
-## Also requires allow_execmem.
-## </p>
-## </desc>
-gen_tunable(allow_execstack,false)
-
-## <desc>
-## <p>
-## Allow ftp servers to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_anon_write,false)
-
-## <desc>
-## <p>
-## Allow ftp servers to use cifs
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_use_cifs,false)
-
-## <desc>
-## <p>
-## Allow ftp servers to use nfs
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_use_nfs,false)
-
-## <desc>
-## <p>
-## Allow gssd to read temp directory.
-## </p>
-## </desc>
-gen_tunable(allow_gssd_read_tmp,true)
-
-## <desc>
-## <p>
-## Allow Apache to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_httpd_anon_write,false)
-
-## <desc>
-## <p>
-## Allow java executable stack
-## </p>
-## </desc>
-gen_tunable(allow_java_execstack,false)
-
-## <desc>
-## <p>
-## Allow system to run with kerberos
-## </p>
-## </desc>
-gen_tunable(allow_kerberos,false)
-
-## <desc>
-## <p>
-## Allow nfs servers to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_nfsd_anon_write,false)
-
-## <desc>
-## <p>
-## Allow rsync to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_rsync_anon_write,false)
-
-## <desc>
-## <p>
-## Allow sasl to read shadow
-## </p>
-## </desc>
-gen_tunable(allow_saslauthd_read_shadow,false)
-
-## <desc>
-## <p>
-## Allow samba to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_smbd_anon_write,false)
-
-## <desc>
-## <p>
-## Allow sysadm to ptrace all processes
-## </p>
-## </desc>
-gen_tunable(allow_ptrace,false)
-
-## <desc>
-## <p>
-## Allow system to run with NIS
-## </p>
-## </desc>
-gen_tunable(allow_ypbind,false)
-
-## <desc>
-## <p>
-## Enable extra rules in the cron domain
-## to support fcron.
-## </p>
-## </desc>
-gen_tunable(fcron_crond,false)
-
-## <desc>
-## <p>
-## Allow ftp to read and write files in the user home directories
-## </p>
-## </desc>
-gen_tunable(ftp_home_dir,false)
-
-## <desc>
-## <p>
-## Allow ftpd to run directly without inetd
-## </p>
-## </desc>
-gen_tunable(ftpd_is_daemon,false)
-
-## <desc>
-## <p>
-## Enable reading of urandom for all domains.
-## </p>
-## <p>
-## This should be enabled when all programs
-## are compiled with ProPolice/SSP
-## stack smashing protection.  All domains will
-## be allowed to read from /dev/urandom.
-## </p>
-## </desc>
-gen_tunable(global_ssp,false)
-
-## <desc>
-## <p>
-## Allow httpd to use built in scripting (usually php)
-## </p>
-## </desc>
-gen_tunable(httpd_builtin_scripting,false)
-
-## <desc>
-## <p>
-## Allow http daemon to tcp connect 
-## </p>
-## </desc>
-gen_tunable(httpd_can_network_connect,false)
-
-## <desc>
-## <p>
-## Allow httpd to connect to mysql/posgresql 
-## </p>
-## </desc>
-gen_tunable(httpd_can_network_connect_db, false)
-
-## <desc>
-## <p>
-## Allow httpd to act as a relay 
-## </p>
-## </desc>
-gen_tunable(httpd_can_network_relay, false)
-
-## <desc>
-## <p>
-## Allow httpd cgi support
-## </p>
-## </desc>
-gen_tunable(httpd_enable_cgi,false)
-
-## <desc>
-## <p>
-## Allow httpd to act as a FTP server by
-## listening on the ftp port.
-## </p>
-## </desc>
-gen_tunable(httpd_enable_ftp_server,false)
-
-## <desc>
-## <p>
-## Allow httpd to read home directories
-## </p>
-## </desc>
-gen_tunable(httpd_enable_homedirs,false)
-
-## <desc>
-## <p>
-## Run SSI execs in system CGI script domain.
-## </p>
-## </desc>
-gen_tunable(httpd_ssi_exec,false)
-
-## <desc>
-## <p>
-## Allow http daemon to communicate with the TTY
-## </p>
-## </desc>
-gen_tunable(httpd_tty_comm,false)
-
-## <desc>
-## <p>
-## Run CGI in the main httpd domain
-## </p>
-## </desc>
-gen_tunable(httpd_unified,false)
-
-## <desc>
-## <p>
-## Allow BIND to write the master zone files.
-## Generally this is used for dynamic DNS.
-## </p>
-## </desc>
-gen_tunable(named_write_master_zones,false)
-
-## <desc>
-## <p>
-## Allow nfs to be exported read/write.
-## </p>
-## </desc>
-gen_tunable(nfs_export_all_rw,false)
-
-## <desc>
-## <p>
-## Allow nfs to be exported read only
-## </p>
-## </desc>
-gen_tunable(nfs_export_all_ro,false)
-
-## <desc>
-## <p>
-## Allow pppd to load kernel modules for certain modems
-## </p>
-## </desc>
-gen_tunable(pppd_can_insmod,false)
-
-## <desc>
-## <p>
-## Allow reading of default_t files.
-## </p>
-## </desc>
-gen_tunable(read_default_t,false)
-
-## <desc>
-## <p>
-## Allow ssh to run from inetd instead of as a daemon.
-## </p>
-## </desc>
-gen_tunable(run_ssh_inetd,false)
-
-## <desc>
-## <p>
-## Allow samba to export user home directories.
-## </p>
-## </desc>
-gen_tunable(samba_enable_home_dirs,false)
-
-## <desc>
-## <p>
-## Allow samba to export NFS volumes.
-## </p>
-## </desc>
-gen_tunable(samba_share_nfs,false)
-
-## <desc>
-## <p>
-## Allow spamassassin to do DNS lookups
-## </p>
-## </desc>
-gen_tunable(spamassasin_can_network,false)
-
-## <desc>
-## <p>
-## Allow squid to connect to all ports, not just
-## HTTP, FTP, and Gopher ports.
-## </p>
-## </desc>
-gen_tunable(squid_connect_any,false)
-
-## <desc>
-## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
-## </p>
-## </desc>
-gen_tunable(ssh_sysadm_login,false)
-
-## <desc>
-## <p>
-## Configure stunnel to be a standalone daemon or
-## inetd service.
-## </p>
-## </desc>
-gen_tunable(stunnel_is_daemon,false)
-
-## <desc>
-## <p>
-## Support NFS home directories
-## </p>
-## </desc>
-gen_tunable(use_nfs_home_dirs,false)
-
-## <desc>
-## <p>
-## Support SAMBA home directories
-## </p>
-## </desc>
-gen_tunable(use_samba_home_dirs,false)
-
-## <desc>
-## <p>
-## Control users use of ping and traceroute
-## </p>
-## </desc>
-gen_tunable(user_ping,false)
-
-########################################
-#
-# Strict policy specific
-#
-
-ifdef(`strict_policy',`
-## <desc>
-## <p>
-## Allow gpg executable stack
-## </p>
-## </desc>
-gen_tunable(allow_gpg_execstack,false)
-
-## <desc>
-## <p>
-## Allow mplayer executable stack
-## </p>
-## </desc>
-gen_tunable(allow_mplayer_execstack,false)
-
-## <desc>
-## <p>
-## allow host key based authentication
-## </p>
-## </desc>
-gen_tunable(allow_ssh_keysign,false)
-
-## <desc>
-## <p>
-## Allow users to connect to mysql
-## </p>
-## </desc>
-gen_tunable(allow_user_mysql_connect,false)
-
-## <desc>
-## <p>
-## Allows clients to write to the X server shared
-## memory segments.
-## </p>
-## </desc>
-gen_tunable(allow_write_xshm,false)
-
-## <desc>
-## <p>
-## Allow cdrecord to read various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
-## </p>
-## </desc>
-gen_tunable(cdrecord_read_content,false)
-
-## <desc>
-## <p>
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-## </p>
-## </desc>
-gen_tunable(cron_can_relabel,false)
-
-## <desc>
-## <p>
-## force to games to run in user_t
-## mapping executable (text relocation).
-## </p>
-## </desc>
-gen_tunable(disable_games_trans,false)
-
-## <desc>
-## <p>
-## Disable transitions to evolution domains.
-## </p>
-## </desc>
-gen_tunable(disable_evolution_trans,false)
-
-## <desc>
-## <p>
-## Disable transitions to user mozilla domains
-## </p>
-## </desc>
-gen_tunable(disable_mozilla_trans,false)
-
-## <desc>
-## <p>
-## Disable transitions to user thunderbird domains
-## </p>
-## </desc>
-gen_tunable(disable_thunderbird_trans,false)
-
-## <desc>
-## <p>
-## Allow email client to various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
-## </p>
-## </desc>
-gen_tunable(mail_read_content,false)
-
-## <desc>
-## <p>
-## Control mozilla content access
-## </p>
-## </desc>
-gen_tunable(mozilla_read_content,false)
-
-## <desc>
-## <p>
-## Allow pppd to be run for a regular user
-## </p>
-## </desc>
-gen_tunable(pppd_for_user,false)
-
-## <desc>
-## <p>
-## Allow applications to read untrusted content
-## If this is disallowed, Internet content has
-## to be manually relabeled for read access to be granted
-## </p>
-## </desc>
-gen_tunable(read_untrusted_content,false)
-
-## <desc>
-## <p>
-## Allow user spamassassin clients to use the network.
-## </p>
-## </desc>
-gen_tunable(spamassassin_can_network,false)
-
-## <desc>
-## <p>
-## Allow staff_r users to search the sysadm home 
-## dir and read files (such as ~/.bashrc)
-## </p>
-## </desc>
-gen_tunable(staff_read_sysadm_file,false)
-
-## <desc>
-## <p>
-## Allow regular users direct mouse access 
-## </p>
-## </desc>
-gen_tunable(user_direct_mouse,false)
-
-## <desc>
-## <p>
-## Allow users to read system messages.
-## </p>
-## </desc>
-gen_tunable(user_dmesg,false)
-
-## <desc>
-## <p>
-## Allow users to control network interfaces
-## (also needs USERCTL=true)
-## </p>
-## </desc>
-gen_tunable(user_net_control,false)
-
-## <desc>
-## <p>
-## Allow user to r/w files on filesystems
-## that do not have extended attributes (FAT, CDROM, FLOPPY)
-## </p>
-## </desc>
-gen_tunable(user_rw_noexattrfile,false)
-
-## <desc>
-## <p>
-## Allow users to rw usb devices
-## </p>
-## </desc>
-gen_tunable(user_rw_usb,false)
-
-## <desc>
-## <p>
-## Allow users to run TCP servers (bind to ports and accept connection from
-## the same domain and outside users)  disabling this forces FTP passive mode
-## and may change other protocols.
-## </p>
-## </desc>
-gen_tunable(user_tcp_server,false)
-
-## <desc>
-## <p>
-## Allow w to display everyone
-## </p>
-## </desc>
-gen_tunable(user_ttyfile_stat,false)
-
-## <desc>
-## <p>
-## Allow applications to write untrusted content
-## If this is disallowed, no Internet content
-## will be stored.
-## </p>
-## </desc>
-gen_tunable(write_untrusted_content,false)
-
-## <desc>
-## <p>
-## Allow xdm logins as sysadm
-## </p>
-## </desc>
-gen_tunable(xdm_sysadm_login,false)
-')
-
-########################################
-#
-# Targeted policy specific
-#
-
-ifdef(`targeted_policy',`
-## <desc>
-## <p>
-## Allow mount to mount any file
-## </p>
-## </desc>
-gen_tunable(allow_mount_anyfile,false)
-
-## <desc>
-## <p>
-## Allow spammd to read/write user home directories.
-## </p>
-## </desc>
-gen_tunable(spamd_enable_home_dirs,true)
-')
diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs
deleted file mode 100644
index c33b667..0000000
--- a/refpolicy/policy/mcs
+++ /dev/null
@@ -1,168 +0,0 @@
-ifdef(`enable_mcs',`
-#
-# Define sensitivities 
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-# MCS is single-sensitivity.
-#
-sensitivity s0;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0; category c1; category c2; category c3;
-category c4; category c5; category c6; category c7;
-category c8; category c9; category c10; category c11;
-category c12; category c13; category c14; category c15;
-category c16; category c17; category c18; category c19;
-category c20; category c21; category c22; category c23;
-category c24; category c25; category c26; category c27;
-category c28; category c29; category c30; category c31;
-category c32; category c33; category c34; category c35;
-category c36; category c37; category c38; category c39;
-category c40; category c41; category c42; category c43;
-category c44; category c45; category c46; category c47;
-category c48; category c49; category c50; category c51;
-category c52; category c53; category c54; category c55;
-category c56; category c57; category c58; category c59;
-category c60; category c61; category c62; category c63;
-category c64; category c65; category c66; category c67;
-category c68; category c69; category c70; category c71;
-category c72; category c73; category c74; category c75;
-category c76; category c77; category c78; category c79;
-category c80; category c81; category c82; category c83;
-category c84; category c85; category c86; category c87;
-category c88; category c89; category c90; category c91;
-category c92; category c93; category c94; category c95;
-category c96; category c97; category c98; category c99;
-category c100; category c101; category c102; category c103;
-category c104; category c105; category c106; category c107;
-category c108; category c109; category c110; category c111;
-category c112; category c113; category c114; category c115;
-category c116; category c117; category c118; category c119;
-category c120; category c121; category c122; category c123;
-category c124; category c125; category c126; category c127;
-category c128; category c129; category c130; category c131;
-category c132; category c133; category c134; category c135;
-category c136; category c137; category c138; category c139;
-category c140; category c141; category c142; category c143;
-category c144; category c145; category c146; category c147;
-category c148; category c149; category c150; category c151;
-category c152; category c153; category c154; category c155;
-category c156; category c157; category c158; category c159;
-category c160; category c161; category c162; category c163;
-category c164; category c165; category c166; category c167;
-category c168; category c169; category c170; category c171;
-category c172; category c173; category c174; category c175;
-category c176; category c177; category c178; category c179;
-category c180; category c181; category c182; category c183;
-category c184; category c185; category c186; category c187;
-category c188; category c189; category c190; category c191;
-category c192; category c193; category c194; category c195;
-category c196; category c197; category c198; category c199;
-category c200; category c201; category c202; category c203;
-category c204; category c205; category c206; category c207;
-category c208; category c209; category c210; category c211;
-category c212; category c213; category c214; category c215;
-category c216; category c217; category c218; category c219;
-category c220; category c221; category c222; category c223;
-category c224; category c225; category c226; category c227;
-category c228; category c229; category c230; category c231;
-category c232; category c233; category c234; category c235;
-category c236; category c237; category c238; category c239;
-category c240; category c241; category c242; category c243;
-category c244; category c245; category c246; category c247;
-category c248; category c249; category c250; category c251;
-category c252; category c253; category c254; category c255;
-
-#
-# Each MCS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-
-#
-# Define the MCS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_mls_op r2
-#	     | t1 op t2
-#	     | l1 role_mls_op l2
-#	     | l1 role_mls_op h2
-#	     | h1 role_mls_op l2
-#	     | h1 role_mls_op h2
-#	     | l1 role_mls_op h1
-#	     | l2 role_mls_op h2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MCS policy for the file classes
-#
-# Constrain file access so that the high range of the process dominates
-# the high range of the file.  We use the high range of the process so
-# that processes can always simply run at s0.
-#
-# Note that getattr on files is always permitted.
-#
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
-	( h1 dom h2 );
-
-# New filesystem object labels must be dominated by the relabeling subject
-# clearance, also the objects are single-level.
-mlsconstrain file { create relabelto }
-	(( h1 dom h2 ) and ( l2 eq h2 ));
-
-# At this time we do not restrict "ps" type operations via MCS.  This
-# will probably change in future.
-mlsconstrain file { read }
-	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
-
-# new file labels must be dominated by the relabeling subject clearance
-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-	( h1 dom h2 );
-
-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-	(( h1 dom h2 ) and ( l2 eq h2 ));
-
-mlsconstrain process { transition dyntransition }
-	(( h1 dom h2 ) or ( t1 == mcssetcats ));
-
-mlsconstrain process { ptrace }
-	( h1 dom h2 );
-
-mlsconstrain process { sigkill sigstop }
-	(( h1 dom h2 ) or ( t1 == mcskillall ));
-
-') dnl end enable_mcs
diff --git a/refpolicy/policy/mls b/refpolicy/policy/mls
deleted file mode 100644
index 3a35bde..0000000
--- a/refpolicy/policy/mls
+++ /dev/null
@@ -1,674 +0,0 @@
-
-ifdef(`enable_mls',`
-#
-# Define sensitivities 
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-sensitivity s0;
-sensitivity s1;
-sensitivity s2;
-sensitivity s3;
-sensitivity s4;
-sensitivity s5;
-sensitivity s6;
-sensitivity s7;
-sensitivity s8;
-sensitivity s9;
-sensitivity s10;
-sensitivity s11;
-sensitivity s12;
-sensitivity s13;
-sensitivity s14;
-sensitivity s15;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0; category c1; category c2; category c3;
-category c4; category c5; category c6; category c7;
-category c8; category c9; category c10; category c11;
-category c12; category c13; category c14; category c15;
-category c16; category c17; category c18; category c19;
-category c20; category c21; category c22; category c23;
-category c24; category c25; category c26; category c27;
-category c28; category c29; category c30; category c31;
-category c32; category c33; category c34; category c35;
-category c36; category c37; category c38; category c39;
-category c40; category c41; category c42; category c43;
-category c44; category c45; category c46; category c47;
-category c48; category c49; category c50; category c51;
-category c52; category c53; category c54; category c55;
-category c56; category c57; category c58; category c59;
-category c60; category c61; category c62; category c63;
-category c64; category c65; category c66; category c67;
-category c68; category c69; category c70; category c71;
-category c72; category c73; category c74; category c75;
-category c76; category c77; category c78; category c79;
-category c80; category c81; category c82; category c83;
-category c84; category c85; category c86; category c87;
-category c88; category c89; category c90; category c91;
-category c92; category c93; category c94; category c95;
-category c96; category c97; category c98; category c99;
-category c100; category c101; category c102; category c103;
-category c104; category c105; category c106; category c107;
-category c108; category c109; category c110; category c111;
-category c112; category c113; category c114; category c115;
-category c116; category c117; category c118; category c119;
-category c120; category c121; category c122; category c123;
-category c124; category c125; category c126; category c127;
-category c128; category c129; category c130; category c131;
-category c132; category c133; category c134; category c135;
-category c136; category c137; category c138; category c139;
-category c140; category c141; category c142; category c143;
-category c144; category c145; category c146; category c147;
-category c148; category c149; category c150; category c151;
-category c152; category c153; category c154; category c155;
-category c156; category c157; category c158; category c159;
-category c160; category c161; category c162; category c163;
-category c164; category c165; category c166; category c167;
-category c168; category c169; category c170; category c171;
-category c172; category c173; category c174; category c175;
-category c176; category c177; category c178; category c179;
-category c180; category c181; category c182; category c183;
-category c184; category c185; category c186; category c187;
-category c188; category c189; category c190; category c191;
-category c192; category c193; category c194; category c195;
-category c196; category c197; category c198; category c199;
-category c200; category c201; category c202; category c203;
-category c204; category c205; category c206; category c207;
-category c208; category c209; category c210; category c211;
-category c212; category c213; category c214; category c215;
-category c216; category c217; category c218; category c219;
-category c220; category c221; category c222; category c223;
-category c224; category c225; category c226; category c227;
-category c228; category c229; category c230; category c231;
-category c232; category c233; category c234; category c235;
-category c236; category c237; category c238; category c239;
-category c240; category c241; category c242; category c243;
-category c244; category c245; category c246; category c247;
-category c248; category c249; category c250; category c251;
-category c252; category c253; category c254; category c255;
-
-
-#
-# Each MLS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-level s1:c0.c255;
-level s2:c0.c255;
-level s3:c0.c255;
-level s4:c0.c255;
-level s5:c0.c255;
-level s6:c0.c255;
-level s7:c0.c255;
-level s8:c0.c255;
-level s9:c0.c255;
-level s10:c0.c255;
-level s11:c0.c255;
-level s12:c0.c255;
-level s13:c0.c255;
-level s14:c0.c255;
-level s15:c0.c255;
-
-
-#
-# Define the MLS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_mls_op r2
-#	     | t1 op t2
-#	     | l1 role_mls_op l2
-#	     | l1 role_mls_op h2
-#	     | h1 role_mls_op l2
-#	     | h1 role_mls_op h2
-#	     | l1 role_mls_op h1
-#	     | l2 role_mls_op h2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MLS policy for the file classes
-#
-
-# make sure these file classes are "single level"
-mlsconstrain { file lnk_file fifo_file } { create relabelto }
-	( l2 eq h2 );
-
-# new file labels must be dominated by the relabeling subjects clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
-	( h1 dom h2 );
-
-# the file "read" ops (note the check is dominance of the low level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ) or
-	 ( t2 == mlstrustedobject ));
-
-mlsconstrain dir search
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ) or
-	 ( t2 == mlstrustedobject ));
-
-# the "single level" file "write" ops
-mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-# the "ranged" file "write" ops
-mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-mlsconstrain dir { add_name remove_name reparent rmdir }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-# these access vectors have no MLS restrictions
-# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
-#
-# { file chr_file } { execute_no_trans entrypoint execmod }
-
-# the file upgrade/downgrade rule
-mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
-	((( l1 eq l2 ) or
-	  (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
-	 (( h1 eq h2 ) or
-	  (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
-
-# create can also require the upgrade/downgrade checks if the creating process
-# has used setfscreate (note that both the high and low level of the object
-# default to the process sensitivity level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
-	((( l1 eq l2 ) or
-	  (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
-	 (( l1 eq h2 ) or
-	  (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
-
-
-
-
-#
-# MLS policy for the filesystem class
-#
-
-# new filesystem labels must be dominated by the relabeling subjects clearance
-mlsconstrain filesystem relabelto
-	( h1 dom h2 );
-
-# the filesystem "read" ops (implicit single level)
-mlsconstrain filesystem { getattr quotaget }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ));
-
-# all the filesystem "write" ops (implicit single level)
-mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ));
-
-# these access vectors have no MLS restrictions
-# filesystem { transition associate }
-
-
-
-
-#
-# MLS policy for the socket classes
-#
-
-# new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
-	( h1 dom h2 );
-
-# the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
-
-mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
-	(( l1 dom l2 ) or
-	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
-
-# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsnetwrite ));
-
-# these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
-#
-# { tcp_socket udp_socket rawip_socket } node_bind
-#
-# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
-#
-# tcp_socket name_connect
-#
-# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
-#
-# netlink_audit_socket { nlmsg_relay nlmsg_readpriv }
-#
-# netlink_kobject_uevent_socket *
-#
-
-
-
-
-#
-# MLS policy for the ipc classes
-#
-
-# the ipc "read" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsipcread ));
-
-mlsconstrain msg receive
-	(( l1 dom l2 ) or
-	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsipcread ));
-
-# the ipc "write" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain msgq enqueue
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain shm lock
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain msg send
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-# these access vectors have no MLS restrictions
-# { ipc sem msgq shm } associate
-
-
-
-
-#
-# MLS policy for the fd class
-#
-
-# these access vectors have no MLS restrictions
-# fd use
-
-
-
-
-#
-# MLS policy for the network object classes
-#
-
-# the netif/node "read" ops (implicit single level socket doing the read)
-#                           (note the check is dominance of the low level)
-mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
-	(( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
-
-# the netif/node "write" ops (implicit single level socket doing the write)
-mlsconstrain { netif node } { tcp_send udp_send rawip_send }
-	(( l1 dom l2 ) and ( l1 domby h2 ));
-
-# these access vectors have no MLS restrictions
-# node enforce_dest
-
-
-
-
-#
-# MLS policy for the process class
-#
-
-# new process labels must be dominated by the relabeling subjects clearance
-# and sensitivity level changes require privilege
-mlsconstrain process transition
-	(( h1 dom h2 ) and
-	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
-	  (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
-mlsconstrain process dyntransition
-	(( h1 dom h2 ) and
-	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
-
-# all the process "read" ops
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsprocread ));
-
-# all the process "write" ops (note the check is equality on the low level)
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsprocwrite ));
-
-# these access vectors have no MLS restrictions
-# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem execstack execheap }
-
-
-
-
-#
-# MLS policy for the security class
-#
-
-# these access vectors have no MLS restrictions
-# security *
-
-
-
-
-#
-# MLS policy for the system class
-#
-
-# these access vectors have no MLS restrictions
-# system *
-
-
-
-
-#
-# MLS policy for the capability class
-#
-
-# these access vectors have no MLS restrictions
-# capability *
-
-
-
-
-#
-# MLS policy for the passwd class
-#
-
-# these access vectors have no MLS restrictions
-# passwd *
-
-
-
-
-#
-# MLS policy for the drawable class
-#
-
-# the drawable "read" ops (implicit single level)
-mlsconstrain drawable { getattr copy }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the drawable "write" ops (implicit single level)
-mlsconstrain drawable { create destroy draw copy }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the gc class
-#
-
-# the gc "read" ops (implicit single level)
-mlsconstrain gc getattr
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the gc "write" ops (implicit single level)
-mlsconstrain gc { create free setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the window class
-#
-
-# the window "read" ops (implicit single level)
-mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the window "write" ops (implicit single level)
-mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ) or
-	 ( t2 == mlstrustedobject ));
-
-# these access vectors have no MLS restrictions
-# window { map unmap }
-
-
-
-
-#
-# MLS policy for the font class
-#
-
-# the font "read" ops (implicit single level)
-mlsconstrain font { load getattr }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the font "write" ops (implicit single level)
-mlsconstrain font free
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-# these access vectors have no MLS restrictions
-# font use
-
-
-
-
-#
-# MLS policy for the colormap class
-#
-
-# the colormap "read" ops (implicit single level)
-mlsconstrain colormap { list read getattr }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinreadcolormap ) or
-	 ( t1 == mlsxwinread ));
-
-# the colormap "write" ops (implicit single level)
-mlsconstrain colormap { create free install uninstall store setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwritecolormap ) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the property class
-#
-
-# the property "read" ops (implicit single level)
-mlsconstrain property { read }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinreadproperty ) or
-	 ( t1 == mlsxwinread ));
-
-# the property "write" ops (implicit single level)
-mlsconstrain property { create free write }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwriteproperty ) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the cursor class
-#
-
-# the cursor "write" ops (implicit single level)
-mlsconstrain cursor { create createglyph free assign setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xclient class
-#
-
-# the xclient "write" ops (implicit single level)
-mlsconstrain xclient kill
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xinput class
-#
-
-# these access vectors have no MLS restrictions
-# xinput ~{ relabelinput setattr }
-
-# the xinput "write" ops (implicit single level)
-mlsconstrain xinput { setattr relabelinput }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwritexinput ) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xserver class
-#
-
-# these access vectors have no MLS restrictions
-# xserver *
-
-
-
-
-#
-# MLS policy for the xextension class
-#
-
-# these access vectors have no MLS restrictions
-# xextension { query use }
-
-
-#
-# MLS policy for the pax class
-#
-
-# these access vectors have no MLS restrictions
-# pax { pageexec emutramp mprotect randmmap randexec segmexec }
-
-
-
-
-#
-# MLS policy for the dbus class
-#
-
-# these access vectors have no MLS restrictions
-# dbus { acquire_svc send_msg }
-
-
-
-
-#
-# MLS policy for the nscd class
-#
-
-# these access vectors have no MLS restrictions
-# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
-
-
-
-
-#
-# MLS policy for the association class
-#
-
-# these access vectors have no MLS restrictions
-# association *
-
-') dnl end enable_mls
diff --git a/refpolicy/policy/modules/admin/acct.fc b/refpolicy/policy/modules/admin/acct.fc
deleted file mode 100644
index ab5b5e7..0000000
--- a/refpolicy/policy/modules/admin/acct.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-
-/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0)
-
-/sbin/accton		--	gen_context(system_u:object_r:acct_exec_t,s0)
-
-/usr/sbin/accton	--	gen_context(system_u:object_r:acct_exec_t,s0)
-
-/var/account(/.*)?		gen_context(system_u:object_r:acct_data_t,s0)
diff --git a/refpolicy/policy/modules/admin/acct.if b/refpolicy/policy/modules/admin/acct.if
deleted file mode 100644
index 831295c..0000000
--- a/refpolicy/policy/modules/admin/acct.if
+++ /dev/null
@@ -1,86 +0,0 @@
-## <summary>Berkeley process accounting</summary>
-
-########################################
-## <summary>
-##	Transition to the accounting management domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`acct_domtrans',`
-	gen_require(`
-		type acct_t, acct_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,acct_exec_t,acct_t)
-
-	allow $1 acct_t:fd use;
-	allow acct_t $1:fd use;
-	allow acct_t $1:fifo_file rw_file_perms;
-	allow acct_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute accounting management tools in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`acct_exec',`
-	gen_require(`
-		type acct_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1,acct_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute accounting management data in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-# cjp: this is added for logrotate, and does
-# not make sense to me.
-interface(`acct_exec_data',`
-	gen_require(`
-		type acct_data_t;
-	')
-
-	files_search_var($1)
-	can_exec($1,acct_data_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete process accounting data.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`acct_manage_data',`
-	gen_require(`
-		type acct_data_t;
-	')
-
-	files_search_var($1)
-	allow $1 acct_data_t:dir rw_dir_perms;
-	allow $1 acct_data_t:file create_file_perms;
-	allow $1 acct_data_t:lnk_file create_lnk_perms;
-')
diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
deleted file mode 100644
index 7d06f6b..0000000
--- a/refpolicy/policy/modules/admin/acct.te
+++ /dev/null
@@ -1,101 +0,0 @@
-
-policy_module(acct,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type acct_t;
-type acct_exec_t;
-init_system_domain(acct_t,acct_exec_t)
-
-type acct_data_t;
-logging_log_file(acct_data_t)
-
-########################################
-#
-# Local Policy
-#
-
-# gzip needs chown capability for some reason
-allow acct_t self:capability { sys_pacct chown fsetid };
-# not sure why we need kill, the command "last" is reported as using it
-dontaudit acct_t self:capability { kill sys_tty_config };
-
-allow acct_t self:fifo_file { read write getattr };
-allow acct_t self:process signal_perms;
-
-allow acct_t acct_data_t:dir rw_dir_perms;
-allow acct_t acct_data_t:file create_file_perms;
-allow acct_t acct_data_t:lnk_file create_lnk_perms;
-
-can_exec(acct_t,acct_exec_t)
-
-kernel_list_proc(acct_t)
-kernel_read_system_state(acct_t)
-kernel_read_kernel_sysctls(acct_t)
-
-dev_read_sysfs(acct_t)
-# for SSP
-dev_read_urand(acct_t)
-
-fs_search_auto_mountpoints(acct_t)
-fs_getattr_xattr_fs(acct_t)
-
-term_dontaudit_use_console(acct_t)
-
-corecmd_search_sbin(acct_t)
-corecmd_exec_bin(acct_t)
-corecmd_exec_shell(acct_t)
-
-domain_use_interactive_fds(acct_t)
-
-files_read_etc_files(acct_t)
-files_read_etc_runtime_files(acct_t)
-files_list_usr(acct_t)
-# for nscd
-files_dontaudit_search_pids(acct_t)
-
-init_use_fds(acct_t)
-init_use_script_ptys(acct_t)
-init_exec_script_files(acct_t)
-
-libs_use_ld_so(acct_t)
-libs_use_shared_libs(acct_t)
-
-logging_send_syslog_msg(acct_t)
-
-miscfiles_read_localization(acct_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(acct_t)
-userdom_dontaudit_use_unpriv_user_fds(acct_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(acct_t)
-	term_dontaudit_use_generic_ptys(acct_t)
-	files_dontaudit_read_root_files(acct_t)
-')
-
-optional_policy(`
-	optional_policy(`
-		# for monthly cron job
-		auth_log_filetrans_login_records(acct_t)
-		auth_manage_login_records(acct_t)
-	')
-
-	cron_system_entry(acct_t,acct_exec_t)
-')
-
-optional_policy(`
-	nscd_socket_use(acct_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(acct_t)
-')
-
-optional_policy(`
-	udev_read_db(acct_t)
-')
-
diff --git a/refpolicy/policy/modules/admin/alsa.fc b/refpolicy/policy/modules/admin/alsa.fc
deleted file mode 100644
index 99c414d..0000000
--- a/refpolicy/policy/modules/admin/alsa.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-
-/etc/alsa/pcm(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-
-/usr/bin/ainit 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/alsa.if b/refpolicy/policy/modules/admin/alsa.if
deleted file mode 100644
index 0381c21..0000000
--- a/refpolicy/policy/modules/admin/alsa.if
+++ /dev/null
@@ -1,81 +0,0 @@
-## <summary>Ainit ALSA configuration tool</summary>
-
-########################################
-## <summary>
-##	Domain transition to alsa
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`alsa_domtrans',`
-	gen_require(`
-		type alsa_t;
-		type alsa_exec_t;
-	')
-
-	domain_auto_trans($1, alsa_exec_t, alsa_t)
-
-	allow $1 alsa_t:fd use;
-	allow alsa_t $1:fd use;
-	allow alsa_t $1:fifo_file rw_file_perms;
-	allow alsa_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Allow read and write access to alsa semaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`alsa_rw_semaphores',`
-	gen_require(`
-		type alsa_t;
-	')
-
-	allow $1 alsa_t:sem { unix_read unix_write associate read write };
-')
-
-########################################
-## <summary>
-##	Allow read and write access to alsa shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`alsa_rw_shared_mem',`
-	gen_require(`
-		type alsa_t;
-	')
-
-	allow $1 alsa_t:shm { unix_read unix_write create_shm_perms };
-')
-
-########################################
-## <summary>
-##	Read alsa writable config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`alsa_read_rw_config',`
-	gen_require(`
-		type alsa_etc_rw_t;
-	')
-
-	allow $1 alsa_etc_rw_t:dir r_dir_perms;
-	allow $1 alsa_etc_rw_t:file r_file_perms;
-	allow $1 alsa_etc_rw_t:lnk_file { getattr read };
-')
diff --git a/refpolicy/policy/modules/admin/alsa.te b/refpolicy/policy/modules/admin/alsa.te
deleted file mode 100644
index e93af95..0000000
--- a/refpolicy/policy/modules/admin/alsa.te
+++ /dev/null
@@ -1,51 +0,0 @@
-
-policy_module(alsa,1.1.0)
-
-########################################
-#
-# Declarations
-#
-
-type alsa_t;
-type alsa_exec_t;
-domain_type(alsa_t)
-domain_entry_file(alsa_t, alsa_exec_t)
-role system_r types alsa_t;
-
-type alsa_etc_rw_t;
-files_type(alsa_etc_rw_t)
-
-########################################
-#
-# Local policy
-#
-
-allow alsa_t self:capability { setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
-allow alsa_t self:sem create_sem_perms;
-allow alsa_t self:shm create_shm_perms;
-allow alsa_t self:unix_stream_socket create_stream_socket_perms;
-allow alsa_t self:unix_dgram_socket create_socket_perms;
-
-allow alsa_t alsa_etc_rw_t:dir rw_dir_perms;
-allow alsa_t alsa_etc_rw_t:file create_file_perms;
-allow alsa_t alsa_etc_rw_t:lnk_file create_lnk_perms;
-
-files_read_etc_files(alsa_t)
-
-term_use_generic_ptys(alsa_t)
-term_dontaudit_use_unallocated_ttys(alsa_t)
-
-libs_use_ld_so(alsa_t)
-libs_use_shared_libs(alsa_t)
-
-logging_send_syslog_msg(alsa_t)
-
-miscfiles_read_localization(alsa_t)
-
-userdom_manage_unpriv_user_semaphores(alsa_t)
-userdom_manage_unpriv_user_shared_mem(alsa_t)
-
-optional_policy(`
-	nscd_socket_use(alsa_t)
-')
diff --git a/refpolicy/policy/modules/admin/amanda.fc b/refpolicy/policy/modules/admin/amanda.fc
deleted file mode 100644
index 2780ecb..0000000
--- a/refpolicy/policy/modules/admin/amanda.fc
+++ /dev/null
@@ -1,72 +0,0 @@
-
-/etc/amanda(/.*)?			gen_context(system_u:object_r:amanda_config_t,s0)
-/etc/amanda/.*/tapelist(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
-/etc/amandates				gen_context(system_u:object_r:amanda_amandates_t,s0)
-/etc/dumpdates				gen_context(system_u:object_r:amanda_dumpdates_t,s0)
-
-/root/restore			-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
-
-/tmp/amanda(/.*)?			gen_context(system_u:object_r:amanda_tmp_t,s0)
-
-/usr/lib(64)?/amanda		-d	gen_context(system_u:object_r:amanda_usr_lib_t,s0)
-/usr/lib(64)?/amanda/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/lib(64)?/amanda/amcat\.awk	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amcleanupdisk --	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/lib(64)?/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/lib(64)?/amanda/amlogroll	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.awk --	gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.g	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.gp	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amtrmidx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/amtrmlog	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/calcsize	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-chio	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-chs	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-manual	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-mtx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-multi	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-rth	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-scsi	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-zd-mtx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/driver	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/dumper	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/killpgrp	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/patch-system --	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/planner	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/rundump	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/runtar	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/selfcheck	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/sendbackup	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/sendsize	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/taper	--	gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/versionsuffix --	gen_context(system_u:object_r:amanda_exec_t,s0)
-
-/usr/sbin/amadmin		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcheck		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcheckdb		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcleanup		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amdump		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amflush		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amgetconf		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amlabel		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amoverview		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amplot		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amrecover		--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
-/usr/sbin/amreport		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amrestore		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amrmtape		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amstatus		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amtape		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amtoc			--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amverify		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
-
-/var/lib/amanda			-d	gen_context(system_u:object_r:amanda_var_lib_t,s0)
-/var/lib/amanda/\.amandahosts	--	gen_context(system_u:object_r:amanda_config_t,s0)
-/var/lib/amanda/\.bashrc	--	gen_context(system_u:object_r:amanda_shellconfig_t,s0)
-/var/lib/amanda/\.profile	--	gen_context(system_u:object_r:amanda_shellconfig_t,s0)
-/var/lib/amanda/disklist	--	gen_context(system_u:object_r:amanda_data_t,s0)
-/var/lib/amanda/gnutar-lists(/.*)?	gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
-/var/lib/amanda/index			gen_context(system_u:object_r:amanda_data_t,s0)
-
-/var/log/amanda(/.*)?			gen_context(system_u:object_r:amanda_log_t,s0)
diff --git a/refpolicy/policy/modules/admin/amanda.if b/refpolicy/policy/modules/admin/amanda.if
deleted file mode 100644
index f7b1645..0000000
--- a/refpolicy/policy/modules/admin/amanda.if
+++ /dev/null
@@ -1,129 +0,0 @@
-## <summary>Automated backup program.</summary>
-
-########################################
-## <summary>
-##	Execute amrecover in the amanda_recover domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`amanda_domtrans_recover',`
-	gen_require(`
-		type amanda_recover_t, amanda_recover_exec_t;
-	')
-
-	domain_auto_trans($1,amanda_recover_exec_t,amanda_recover_t)
-
-	allow $1 amanda_recover_t:fd use;
-	allow amanda_recover_t $1:fd use;
-	allow amanda_recover_t $1:fifo_file rw_file_perms;
-	allow amanda_recover_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute amrecover in the amanda_recover domain, and
-##	allow the specified role the amanda_recover domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the amanda_recover domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the amanda_recover domain to use.
-##	</summary>
-## </param>
-#
-interface(`amanda_run_recover',`
-	gen_require(`
-		type amanda_recover_t;
-	')
-
-	amanda_domtrans_recover($1)
-	role $2 types amanda_recover_t;
-	allow amanda_recover_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Search amanda library directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`amanda_search_lib',`
-	gen_require(`
-		type amanda_usr_lib_t;
-	')
-
-	allow $1 amanda_usr_lib_t:dir search;
-	files_search_usr($1)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read /etc/dumpdates.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`amanda_dontaudit_read_dumpdates',`
-	gen_require(`
-		type amanda_dumpdates_t;
-	')
-
-	dontaudit $1 amanda_dumpdates_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow read/writing /etc/dumpdates.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to allow
-##	</summary>
-## </param>
-#
-interface(`amanda_rw_dumpdates_files',`
-	gen_require(`
-		type amanda_dumpdates_t;
-	')
-
-	allow $1 amanda_dumpdates_t:file rw_file_perms;
-')
-########################################
-## <summary>
-##	Allow read/writing amanda logs
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to allow
-##	</summary>
-## </param>
-#
-interface(`amanda_append_log_files',`
-	gen_require(`
-		type amanda_log_t;
-	')
-
-	allow $1 amanda_log_t:file ra_file_perms;
-')
-
-
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
deleted file mode 100644
index cf3b552..0000000
--- a/refpolicy/policy/modules/admin/amanda.te
+++ /dev/null
@@ -1,257 +0,0 @@
-
-policy_module(amanda,1.3.4)
-
-#######################################
-#
-# Declarations
-#
-
-type amanda_t;
-type amanda_inetd_exec_t;
-inetd_service_domain(amanda_t,amanda_inetd_exec_t)
-role system_r types amanda_t;
-
-type amanda_exec_t;
-domain_entry_file(amanda_t,amanda_exec_t)
-
-type amanda_log_t;
-logging_log_file(amanda_log_t)
-
-# type for amanda configurations files
-type amanda_config_t;
-files_type(amanda_config_t)
-
-# type for files in /usr/lib/amanda
-type amanda_usr_lib_t;
-files_type(amanda_usr_lib_t)
-
-# type for all files in /var/lib/amanda
-type amanda_var_lib_t;
-files_type(amanda_var_lib_t)
-
-# type for all files in /var/lib/amanda/gnutar-lists/
-type amanda_gnutarlists_t;
-files_type(amanda_gnutarlists_t)
-
-# type for user startable files
-type amanda_user_exec_t;
-corecmd_executable_file(amanda_user_exec_t)
-
-# type for same awk and other scripts
-type amanda_script_exec_t;
-corecmd_executable_file(amanda_script_exec_t)
-
-# type for the shell configuration files 
-type amanda_shellconfig_t;
-files_type(amanda_shellconfig_t)
-
-type amanda_tmp_t;
-files_tmp_file(amanda_tmp_t)
-
-# type for /etc/amandates
-type amanda_amandates_t;
-files_type(amanda_amandates_t)
-
-# type for /etc/dumpdates
-type amanda_dumpdates_t;
-files_type(amanda_dumpdates_t)
-
-# type for amanda data
-type amanda_data_t;
-files_type(amanda_data_t)
-
-# type for amrecover
-type amanda_recover_t;
-type amanda_recover_exec_t;
-domain_type(amanda_recover_t)
-domain_entry_file(amanda_recover_t,amanda_recover_exec_t)
-role system_r types amanda_recover_t;
-
-# type for recover files ( restored data )
-type amanda_recover_dir_t;
-files_type(amanda_recover_dir_t)
-
-optional_policy(`
-	prelink_object_file(amanda_usr_lib_t)
-')
-
-########################################
-#
-# Amanda local policy
-#
-
-allow amanda_t self:capability { chown dac_override setuid kill };
-allow amanda_t self:process { setpgid signal };
-allow amanda_t self:fifo_file { getattr read write ioctl lock };
-allow amanda_t self:unix_stream_socket create_stream_socket_perms;
-allow amanda_t self:unix_dgram_socket create_socket_perms;
-allow amanda_t self:tcp_socket create_stream_socket_perms;
-allow amanda_t self:udp_socket create_socket_perms;
-
-# access to amanda_amandates_t
-allow amanda_t amanda_amandates_t:file { getattr lock read write };
-
-# configuration files -> read only
-allow amanda_t amanda_config_t:file { getattr read };
-
-# access to amandas data structure
-allow amanda_t amanda_data_t:dir { read search write };
-allow amanda_t amanda_data_t:file { read write };
-
-# access to amanda_dumpdates_t
-allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
-
-can_exec(amanda_t,amanda_exec_t)
-
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
-allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
-allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
-allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
-
-allow amanda_t amanda_log_t:file create_file_perms;
-allow amanda_t amanda_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
-
-allow amanda_t amanda_tmp_t:dir create_dir_perms;
-allow amanda_t amanda_tmp_t:file create_file_perms;
-files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
-
-kernel_read_system_state(amanda_t)
-kernel_read_kernel_sysctls(amanda_t)
-kernel_dontaudit_getattr_unlabeled_files(amanda_t)
-kernel_dontaudit_read_proc_symlinks(amanda_t)
-
-# Added for targeted policy
-term_use_unallocated_ttys(amanda_t)
-
-corenet_non_ipsec_sendrecv(amanda_t)
-corenet_tcp_sendrecv_all_if(amanda_t)
-corenet_udp_sendrecv_all_if(amanda_t)
-corenet_raw_sendrecv_all_if(amanda_t)
-corenet_tcp_sendrecv_all_nodes(amanda_t)
-corenet_udp_sendrecv_all_nodes(amanda_t)
-corenet_raw_sendrecv_all_nodes(amanda_t)
-corenet_tcp_sendrecv_all_ports(amanda_t)
-corenet_udp_sendrecv_all_ports(amanda_t)
-corenet_tcp_bind_all_nodes(amanda_t)
-corenet_udp_bind_all_nodes(amanda_t)
-
-dev_getattr_all_blk_files(amanda_t)
-dev_getattr_all_chr_files(amanda_t)
-
-fs_getattr_xattr_fs(amanda_t)
-fs_list_all(amanda_t)
-
-storage_raw_read_fixed_disk(amanda_t)
-
-files_read_etc_files(amanda_t)
-files_read_etc_runtime_files(amanda_t)
-files_list_all(amanda_t)
-files_read_all_files(amanda_t)
-files_read_all_symlinks(amanda_t)
-files_read_all_blk_files(amanda_t)
-files_read_all_chr_files(amanda_t)
-files_getattr_all_pipes(amanda_t)
-files_getattr_all_sockets(amanda_t)
-
-corecmd_exec_shell(amanda_t)
-corecmd_exec_sbin(amanda_t)
-corecmd_exec_bin(amanda_t)
-
-libs_use_ld_so(amanda_t)
-libs_use_shared_libs(amanda_t)
-
-sysnet_read_config(amanda_t)
-
-optional_policy(`
-	auth_read_shadow(amanda_t)
-')
-
-optional_policy(`
-	logging_send_syslog_msg(amanda_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(amanda_t)
-')
-
-optional_policy(`
-	nscd_socket_use(amanda_t)
-')
-
-########################################
-#
-# Amanda recover local policy
-
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
-allow amanda_recover_t self:process { sigkill sigstop signal };
-allow amanda_recover_t self:fifo_file { getattr ioctl read write };
-allow amanda_recover_t self:unix_stream_socket { connect create read write };
-allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
-allow amanda_recover_t self:udp_socket create_socket_perms;
-
-allow amanda_recover_t amanda_log_t:dir rw_dir_perms;
-allow amanda_recover_t amanda_log_t:file manage_file_perms;
-allow amanda_recover_t amanda_log_t:lnk_file create_lnk_perms;
-
-# access to amanda_recover_dir_t
-allow amanda_recover_t amanda_recover_dir_t:dir create_dir_perms;
-allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
-allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
-allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
-allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
-userdom_sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
-
-allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
-allow amanda_recover_t amanda_tmp_t:file create_file_perms;
-allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
-allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
-allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
-files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
-
-kernel_read_system_state(amanda_recover_t)
-kernel_read_kernel_sysctls(amanda_recover_t)
-
-corenet_non_ipsec_sendrecv(amanda_recover_t)
-corenet_tcp_sendrecv_all_if(amanda_recover_t)
-corenet_udp_sendrecv_all_if(amanda_recover_t)
-corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
-corenet_udp_sendrecv_all_nodes(amanda_recover_t)
-corenet_tcp_sendrecv_all_ports(amanda_recover_t)
-corenet_udp_sendrecv_all_ports(amanda_recover_t)
-corenet_tcp_bind_all_nodes(amanda_recover_t)
-corenet_udp_bind_all_nodes(amanda_recover_t)
-corenet_tcp_bind_reserved_port(amanda_recover_t)
-corenet_tcp_connect_amanda_port(amanda_recover_t)
-corenet_sendrecv_amanda_client_packets(amanda_recover_t)
-
-corecmd_exec_shell(amanda_recover_t)
-corecmd_exec_bin(amanda_recover_t)
-
-domain_use_interactive_fds(amanda_recover_t)
-
-files_read_etc_files(amanda_recover_t)
-files_read_etc_runtime_files(amanda_recover_t)
-files_search_tmp(amanda_recover_t)
-files_search_pids(amanda_recover_t)
-
-fstools_domtrans(amanda_t)
-
-libs_use_ld_so(amanda_recover_t)
-libs_use_shared_libs(amanda_recover_t)
-
-logging_search_logs(amanda_recover_t)
-
-miscfiles_read_localization(amanda_recover_t)
-
-sysnet_read_config(amanda_recover_t)
-
-userdom_search_sysadm_home_content_dirs(amanda_recover_t)
-
-optional_policy(`
-	nis_use_ypbind(amanda_recover_t)
-')
-
-optional_policy(`
-	nscd_socket_use(amanda_recover_t)
-')
diff --git a/refpolicy/policy/modules/admin/anaconda.fc b/refpolicy/policy/modules/admin/anaconda.fc
deleted file mode 100644
index 3afd63b..0000000
--- a/refpolicy/policy/modules/admin/anaconda.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# Currently anaconda does not have any file context since it is
-# started during install.  This is a placeholder to satisfy
-# the policy Makefile dependencies.
-#
diff --git a/refpolicy/policy/modules/admin/anaconda.if b/refpolicy/policy/modules/admin/anaconda.if
deleted file mode 100644
index 18491c8..0000000
--- a/refpolicy/policy/modules/admin/anaconda.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Policy for the Anaconda installer.</summary>
diff --git a/refpolicy/policy/modules/admin/anaconda.te b/refpolicy/policy/modules/admin/anaconda.te
deleted file mode 100644
index 9ec5e44..0000000
--- a/refpolicy/policy/modules/admin/anaconda.te
+++ /dev/null
@@ -1,59 +0,0 @@
-
-policy_module(anaconda,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type anaconda_t;
-domain_type(anaconda_t)
-domain_obj_id_change_exemption(anaconda_t)
-role system_r types anaconda_t;
-
-########################################
-#
-# Local policy
-#
-
-# Run other rc scripts in the anaconda_t domain.
-init_domtrans_script(anaconda_t)
-
-libs_domtrans_ldconfig(anaconda_t)
-
-logging_send_syslog_msg(anaconda_t)
-
-modutils_domtrans_insmod(anaconda_t)
-
-unconfined_domain(anaconda_t)
-
-ifdef(`distro_redhat',`
-	bootloader_create_runtime_file(anaconda_t)
-')
-
-optional_policy(`
-	dmesg_domtrans(anaconda_t)
-')
-
-optional_policy(`
-	kudzu_domtrans(anaconda_t)
-')
-
-optional_policy(`
-	rpm_domtrans(anaconda_t)
-')
-
-optional_policy(`
-	udev_domtrans(anaconda_t)
-')
-
-optional_policy(`
-	usermanage_domtrans_admin_passwd(anaconda_t)
-')
-
-ifdef(`TODO',`
-optional_policy(`
-	role system_r types sysadm_ssh_agent_t;
-	domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-')
diff --git a/refpolicy/policy/modules/admin/apt.fc b/refpolicy/policy/modules/admin/apt.fc
deleted file mode 100644
index d31952b..0000000
--- a/refpolicy/policy/modules/admin/apt.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-/usr/bin/apt-get		--	gen_context(system_u:object_r:apt_exec_t,s0)
-# apt-shell is redhat specific
-/usr/bin/apt-shell		--	gen_context(system_u:object_r:apt_exec_t,s0)
-# other package managers
-/usr/bin/aptitude		--	gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/sbin/synaptic		--	gen_context(system_u:object_r:apt_exec_t,s0)
-
-# package cache repository
-/var/cache/apt(/.*)?			gen_context(system_u:object_r:apt_var_cache_t,s0)
-
-# package list repository
-/var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
-/var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/admin/apt.if b/refpolicy/policy/modules/admin/apt.if
deleted file mode 100644
index 180f05e..0000000
--- a/refpolicy/policy/modules/admin/apt.if
+++ /dev/null
@@ -1,178 +0,0 @@
-## <summary>APT advanced package toll.</summary>
-
-########################################
-## <summary>
-##	Execute apt programs in the apt domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`apt_domtrans',`
-	gen_require(`
-		type apt_t, apt_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,apt_exec_t,apt_t)
-
-	# allow basic communication
-	allow $1 apt_t:fd use;
-	allow apt_t $1:fd use;
-	allow apt_t $1:fifo_file rw_file_perms;
-	allow apt_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute apt programs in the apt domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the apt domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the apt domain to use.
-##	</summary>
-## </param>
-#
-interface(`apt_run',`
-	gen_require(`
-		type apt_t;
-	')
-
-	apt_domtrans($1)
-	role $2 types apt_t;
-	allow apt_t $3:chr_file rw_term_perms;
-	# TODO: likely have to add dpkg_run here.
-')
-
-########################################
-## <summary>
-##	Inherit and use file descriptors from apt.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`apt_use_fds',`
-	gen_require(`
-		type apt_t;
-	')
-
-	allow $1 apt_t:fd use;
-	# TODO: enforce dpkg_use_fd?
-')
-
-########################################
-## <summary>
-##	Read from an unnamed apt pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`apt_read_pipes',`
-	gen_require(`
-		type apt_t;
-	')
-
-	allow $1 apt_t:fifo_file r_file_perms;
-	# TODO: enforce dpkg_read_pipes?
-')
-
-########################################
-## <summary>
-##	Read and write an unnamed apt pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`apt_rw_pipes',`
-	gen_require(`
-		type apt_t;
-	')
-
-	allow $1 apt_t:fifo_file rw_file_perms;
-	# TODO: enforce dpkg_rw_pipes?
-')
-
-########################################
-## <summary>
-##	Read the apt package database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`apt_read_db',`
-	gen_require(`
-		type apt_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 apt_var_lib_t:dir r_dir_perms;
-	allow $1 apt_var_lib_t:file { getattr read };
-	allow $1 apt_var_lib_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the apt package database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`apt_manage_db',`
-	gen_require(`
-		type apt_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 apt_var_lib_t:dir rw_dir_perms;
-	allow $1 apt_var_lib_t:file { getattr create read write append unlink };
-	allow $1 apt_var_lib_t:lnk_file { getattr read write unlink };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to create, read, 
-##	write, and delete the apt package database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`apt_dontaudit_manage_db',`
-	gen_require(`
-		type apt_var_lib_t;
-	')
-
-	dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
-	dontaudit $1 apt_var_lib_t:file create_file_perms;
-	dontaudit $1 apt_var_lib_t:lnk_file create_lnk_perms;
-')
diff --git a/refpolicy/policy/modules/admin/apt.te b/refpolicy/policy/modules/admin/apt.te
deleted file mode 100644
index 995ede0..0000000
--- a/refpolicy/policy/modules/admin/apt.te
+++ /dev/null
@@ -1,137 +0,0 @@
-
-policy_module(apt,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type apt_t;
-type apt_exec_t;
-init_system_domain(apt_t,apt_exec_t)
-domain_system_change_exemption(apt_t)
-domain_getattr_all_domains(apt_t)
-role system_r types apt_t;
-
-type apt_tmp_t;
-files_tmp_file(apt_tmp_t)
-
-type apt_tmpfs_t;
-files_tmpfs_file(apt_tmpfs_t)
-
-# status files
-type apt_var_lib_t alias var_lib_apt_t;
-files_type(apt_var_lib_t)
-
-# package cache
-type apt_var_cache_t alias var_cache_apt_t;
-files_type(apt_var_cache_t)
-
-########################################
-#
-# apt Local policy
-#
-
-allow apt_t self:capability { chown dac_override fowner fsetid };
-allow apt_t self:process { signal setpgid fork };
-allow apt_t self:fd use;
-allow apt_t self:fifo_file rw_file_perms;
-allow apt_t self:unix_dgram_socket create_socket_perms;
-allow apt_t self:unix_stream_socket rw_stream_socket_perms;
-allow apt_t self:unix_dgram_socket sendto;
-allow apt_t self:unix_stream_socket connectto;
-allow apt_t self:udp_socket { connect create_socket_perms };
-allow apt_t self:tcp_socket create_stream_socket_perms;
-allow apt_t self:shm create_shm_perms;
-allow apt_t self:sem create_sem_perms;
-allow apt_t self:msgq create_msgq_perms;
-allow apt_t self:msg { send receive };
-
-# Access /var/cache/apt files
-allow apt_t apt_var_cache_t:file create_file_perms;
-allow apt_t apt_var_cache_t:dir rw_dir_perms;
-files_var_filetrans(apt_t,apt_var_cache_t,dir)
-
-allow apt_t apt_tmp_t:dir create_dir_perms;
-allow apt_t apt_tmp_t:file create_file_perms;
-files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
-
-allow apt_t apt_tmpfs_t:dir create_dir_perms;
-allow apt_t apt_tmpfs_t:file create_file_perms;
-allow apt_t apt_tmpfs_t:lnk_file create_file_perms;
-allow apt_t apt_tmpfs_t:sock_file create_file_perms;
-allow apt_t apt_tmpfs_t:fifo_file create_file_perms;
-fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-# Access /var/lib/apt files
-allow apt_t apt_var_lib_t:file create_file_perms;
-allow apt_t apt_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
-
-kernel_read_system_state(apt_t)
-kernel_read_kernel_sysctls(apt_t)
-
-# to launch dpkg-preconfigure
-corecmd_exec_bin(apt_t)
-corecmd_exec_shell(apt_t)
-corecmd_exec_sbin(apt_t)
-
-corenet_non_ipsec_sendrecv(apt_t)
-corenet_tcp_sendrecv_all_if(apt_t)
-corenet_udp_sendrecv_all_if(apt_t)
-corenet_tcp_sendrecv_all_nodes(apt_t)
-corenet_udp_sendrecv_all_nodes(apt_t)
-corenet_tcp_sendrecv_all_ports(apt_t)
-corenet_udp_sendrecv_all_ports(apt_t)
-# TODO: reall allow all these?
-corenet_tcp_bind_all_nodes(apt_t)
-corenet_udp_bind_all_nodes(apt_t)
-corenet_tcp_connect_all_ports(apt_t)
-corenet_sendrecv_all_client_packets(apt_t)
-
-dev_read_urand(apt_t)
-
-files_exec_usr_files(apt_t)
-files_read_etc_files(apt_t)
-files_read_etc_runtime_files(apt_t)
-
-term_list_ptys(apt_t)
-term_use_all_terms(apt_t)
-
-libs_use_ld_so(apt_t)
-libs_use_shared_libs(apt_t)
-libs_exec_ld_so(apt_t)
-libs_exec_lib_files(apt_t)
-
-logging_send_syslog_msg(apt_t)
-
-miscfiles_read_localization(apt_t)
-
-seutil_use_newrole_fds(apt_t)
-
-sysnet_read_config(apt_t)
-
-ifdef(`targeted_policy',`
-	unconfined_domain(apt_t)
-')
-
-# with boolean, for cron-apt and such?
-#optional_policy(`
-#	cron_system_entry(apt_t,apt_exec_t)
-#')
-
-optional_policy(`
-	# dpkg interaction
-	dpkg_read_db(apt_t)
-	dpkg_domtrans(apt_t)
-	dpkg_lock_db(apt_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(apt_t)
-')
-
-optional_policy(`
-	rpm_read_db(apt_t)
-	rpm_domtrans(apt_t)
-')
diff --git a/refpolicy/policy/modules/admin/backup.fc b/refpolicy/policy/modules/admin/backup.fc
deleted file mode 100644
index b4671ae..0000000
--- a/refpolicy/policy/modules/admin/backup.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# backup
-# label programs that do backups to other files on disk (IE a cron job that
-# calls tar) in backup_exec_t and label the directory for storing them as
-# backup_store_t, Debian uses /var/backups
-
-#/usr/local/bin/backup-script	--	gen_context(system_u:object_r:backup_exec_t,s0)
-/var/backups(/.*)?			gen_context(system_u:object_r:backup_store_t,s0)
diff --git a/refpolicy/policy/modules/admin/backup.if b/refpolicy/policy/modules/admin/backup.if
deleted file mode 100644
index 64beebe..0000000
--- a/refpolicy/policy/modules/admin/backup.if
+++ /dev/null
@@ -1,53 +0,0 @@
-## <summary>System backup scripts</summary>
-
-########################################
-## <summary>
-##	Execute backup in the backup domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`backup_domtrans',`
-	gen_require(`
-		type backup_t, backup_exec_t;
-	')
-
-	domain_auto_trans($1,backup_exec_t,backup_t)
-	allow backup_t $1:fd use;
-	allow backup_t $1:fifo_file rw_file_perms;
-	allow backup_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute backup in the backup domain, and
-##	allow the specified role the backup domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the backup domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`backup_run',`
-	gen_require(`
-		type backup_t;
-	')
-
-	backup_domtrans($1)
-	role $2 types backup_t;
-	allow backup_t $3:chr_file rw_term_perms;
-')
diff --git a/refpolicy/policy/modules/admin/backup.te b/refpolicy/policy/modules/admin/backup.te
deleted file mode 100644
index c37f701..0000000
--- a/refpolicy/policy/modules/admin/backup.te
+++ /dev/null
@@ -1,84 +0,0 @@
-
-policy_module(backup,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type backup_t;
-type backup_exec_t;
-domain_type(backup_t)
-domain_entry_file(backup_t,backup_exec_t)
-role system_r types backup_t;
-
-type backup_store_t;
-files_type(backup_store_t)
-
-########################################
-#
-# Local policy
-#
-
-allow backup_t self:capability dac_override;
-allow backup_t self:process signal;
-allow backup_t self:fifo_file rw_file_perms;
-allow backup_t self:tcp_socket create_socket_perms;
-allow backup_t self:udp_socket create_socket_perms;
-
-allow backup_t backup_store_t:dir ra_dir_perms;
-allow backup_t backup_store_t:file { create rw_file_perms setattr };
-allow backup_t backup_store_t:lnk_file { getattr read };
-
-kernel_read_system_state(backup_t)
-kernel_read_kernel_sysctls(backup_t)
-
-corecmd_exec_bin(backup_t)
-
-corenet_non_ipsec_sendrecv(backup_t)
-corenet_tcp_sendrecv_generic_if(backup_t)
-corenet_udp_sendrecv_generic_if(backup_t)
-corenet_raw_sendrecv_generic_if(backup_t)
-corenet_tcp_sendrecv_all_nodes(backup_t)
-corenet_udp_sendrecv_all_nodes(backup_t)
-corenet_raw_sendrecv_all_nodes(backup_t)
-corenet_tcp_sendrecv_all_ports(backup_t)
-corenet_udp_sendrecv_all_ports(backup_t)
-corenet_tcp_connect_all_ports(backup_t)
-corenet_sendrecv_all_client_packets(backup_t)
-
-dev_getattr_all_blk_files(backup_t)
-dev_getattr_all_chr_files(backup_t)
-# for SSP
-dev_read_urand(backup_t)
-
-domain_use_interactive_fds(backup_t)
-
-files_read_all_files(backup_t)
-files_read_all_symlinks(backup_t)
-files_getattr_all_pipes(backup_t)
-files_getattr_all_sockets(backup_t)
-
-fs_getattr_xattr_fs(backup_t)
-fs_list_all(backup_t)
-
-auth_read_shadow(backup_t)
-
-libs_use_ld_so(backup_t)
-libs_use_shared_libs(backup_t)
-
-logging_send_syslog_msg(backup_t)
-
-sysnet_read_config(backup_t)
-
-optional_policy(`
-	cron_system_entry(backup_t,backup_exec_t)
-')
-
-optional_policy(`
-	hostname_exec(backup_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(backup_t)
-')
diff --git a/refpolicy/policy/modules/admin/bootloader.fc b/refpolicy/policy/modules/admin/bootloader.fc
deleted file mode 100644
index bcedf95..0000000
--- a/refpolicy/policy/modules/admin/bootloader.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-
-/etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-/etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-
-/etc/mkinitrd/scripts/.* --	gen_context(system_u:object_r:bootloader_exec_t,s0)
-
-/usr/sbin/mkinitrd	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-
-/sbin/grub.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/mkinitrd		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/bootloader.if b/refpolicy/policy/modules/admin/bootloader.if
deleted file mode 100644
index 8f6707b..0000000
--- a/refpolicy/policy/modules/admin/bootloader.if
+++ /dev/null
@@ -1,134 +0,0 @@
-## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
-
-########################################
-## <summary>
-##	Execute bootloader in the bootloader domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_domtrans',`
-	gen_require(`
-		type bootloader_t, bootloader_exec_t;
-	')
-
-	domain_auto_trans($1, bootloader_exec_t, bootloader_t)
-
-	allow $1 bootloader_t:fd use;
-	allow bootloader_t $1:fd use;
-	allow bootloader_t $1:fifo_file rw_file_perms;
-	allow bootloader_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute bootloader interactively and do
-##	a domain transition to the bootloader domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the bootloader domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the bootloader domain to use.
-##	</summary>
-## </param>
-#
-interface(`bootloader_run',`
-	gen_require(`
-		type bootloader_t;
-	')
-
-	bootloader_domtrans($1)
-
-	role $2 types bootloader_t;
-	allow bootloader_t $3:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read the bootloader configuration file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_read_config',`
-	gen_require(`
-		type bootloader_etc_t;
-	')
-
-	allow $1 bootloader_etc_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the bootloader
-##	configuration file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_rw_config',`
-	gen_require(`
-		type bootloader_etc_t;
-	')
-
-	allow $1 bootloader_etc_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the bootloader
-##	temporary data in /tmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_rw_tmp_files',`
-	gen_require(`
-		type bootloader_tmp_t;
-	')
-
-	# FIXME: read tmp_t dir
-	allow $1 bootloader_tmp_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the bootloader
-##	temporary data in /tmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_create_runtime_file',`
-	gen_require(`
-		type boot_t, boot_runtime_t;
-	')
-
-	allow $1 boot_t:dir rw_dir_perms;
-	allow $1 boot_runtime_t:file { rw_file_perms create unlink };
-	type_transition $1 boot_t:file boot_runtime_t;
-')
diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te
deleted file mode 100644
index 41b4027..0000000
--- a/refpolicy/policy/modules/admin/bootloader.te
+++ /dev/null
@@ -1,216 +0,0 @@
-
-policy_module(bootloader,1.2.4)
-
-########################################
-#
-# Declarations
-#
-
-#
-# boot_runtime_t is the type for /boot/kernel.h,
-# which is automatically generated at boot time.
-# only for Red Hat
-#
-type boot_runtime_t;
-files_type(boot_runtime_t)
-
-type bootloader_t;
-domain_type(bootloader_t)
-role system_r types bootloader_t;
-
-type bootloader_exec_t;
-domain_entry_file(bootloader_t,bootloader_exec_t)
-
-#
-# bootloader_etc_t is the configuration file,
-# grub.conf, lilo.conf, etc.
-#
-type bootloader_etc_t alias etc_bootloader_t;
-files_type(bootloader_etc_t)
-
-#
-# The temp file is used for initrd creation;
-# it consists of files and device nodes
-#
-type bootloader_tmp_t;
-files_tmp_file(bootloader_tmp_t)
-dev_node(bootloader_tmp_t)
-
-#
-# /var/log/ksyms
-# cjp: this probably can be removed, I do not
-# think it is used on 2.6 kernels
-type var_log_ksyms_t;
-logging_log_file(var_log_ksyms_t)
-
-########################################
-#
-# bootloader local policy
-#
-
-allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
-allow bootloader_t self:process { sigkill sigstop signull signal execmem };
-allow bootloader_t self:fifo_file rw_file_perms;
-
-allow bootloader_t bootloader_etc_t:file r_file_perms;
-# uncomment the following lines if you use "lilo -p"
-#allow bootloader_t bootloader_etc_t:file manage_file_perms;
-#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
-
-allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
-allow bootloader_t bootloader_tmp_t:file create_file_perms;
-allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
-allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
-allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
-files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
-# for tune2fs (cjp: ?)
-files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
-
-kernel_getattr_core_if(bootloader_t)
-kernel_read_system_state(bootloader_t)
-kernel_read_software_raid_state(bootloader_t)
-kernel_read_kernel_sysctls(bootloader_t)
-
-storage_raw_read_fixed_disk(bootloader_t)
-storage_raw_write_fixed_disk(bootloader_t)
-storage_raw_read_removable_device(bootloader_t)
-storage_raw_write_removable_device(bootloader_t)
-
-dev_getattr_all_chr_files(bootloader_t)
-dev_getattr_all_blk_files(bootloader_t)
-dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
-dev_read_rand(bootloader_t)
-dev_read_urand(bootloader_t)
-dev_read_sysfs(bootloader_t)
-# for reading BIOS data
-dev_read_raw_memory(bootloader_t)
-
-fs_getattr_xattr_fs(bootloader_t)
-fs_read_tmpfs_symlinks(bootloader_t)
-
-mls_file_read_up(bootloader_t)
-
-term_getattr_all_user_ttys(bootloader_t)
-term_dontaudit_manage_pty_dirs(bootloader_t)
-
-corecmd_exec_all_executables(bootloader_t)
-
-domain_use_interactive_fds(bootloader_t)
-
-files_create_boot_dirs(bootloader_t)
-files_manage_boot_files(bootloader_t)
-files_manage_boot_symlinks(bootloader_t)
-files_read_etc_files(bootloader_t)
-files_exec_etc_files(bootloader_t)
-files_read_usr_src_files(bootloader_t)
-files_read_usr_files(bootloader_t)
-files_read_var_files(bootloader_t)
-files_read_kernel_modules(bootloader_t)
-# for nscd
-files_dontaudit_search_pids(bootloader_t)
-# for blkid.tab
-files_manage_etc_runtime_files(bootloader_t)
-files_etc_filetrans_etc_runtime(bootloader_t,file)
-files_dontaudit_search_home(bootloader_t)
-
-init_getattr_initctl(bootloader_t)
-init_use_script_ptys(bootloader_t)
-init_use_script_fds(bootloader_t)
-init_rw_script_pipes(bootloader_t)
-
-libs_use_ld_so(bootloader_t)
-libs_use_shared_libs(bootloader_t)
-libs_read_lib_files(bootloader_t)
-libs_exec_lib_files(bootloader_t)
-
-logging_send_syslog_msg(bootloader_t)
-logging_rw_generic_logs(bootloader_t)
-
-miscfiles_read_localization(bootloader_t)
-
-modutils_domtrans_insmod_uncond(bootloader_t)
-
-seutil_read_bin_policy(bootloader_t)
-seutil_read_loadpolicy(bootloader_t)
-seutil_dontaudit_search_config(bootloader_t)
-
-ifdef(`distro_debian',`
-	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
-	fs_list_tmpfs(bootloader_t)
-
-	files_relabel_kernel_modules(bootloader_t)
-	files_relabelfrom_boot_files(bootloader_t)
-	files_delete_kernel_modules(bootloader_t)
-	files_relabelto_usr_files(bootloader_t)
-	files_search_var_lib(bootloader_t)
-	# for /usr/share/initrd-tools/scripts
-	files_exec_usr_files(bootloader_t)
-
-	fstools_manage_entry_files(bootloader_t)
-	fstools_relabelto_entry_files(bootloader_t)
-
-	libs_relabelto_lib_files(bootloader_t)
-')
-
-ifdef(`distro_redhat',`
-	# for memlock
-	allow bootloader_t self:capability ipc_lock;
-
-	# new file system defaults to file_t, granting file_t access is still bad.
-	allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
-
-	# mkinitrd mount initrd on bootloader temp dir
-	files_mountpoint(bootloader_tmp_t)
-
-	# new file system defaults to file_t, granting file_t access is still bad.
-	files_manage_isid_type_dirs(bootloader_t)
-	files_manage_isid_type_files(bootloader_t)
-	files_manage_isid_type_symlinks(bootloader_t)
-	files_manage_isid_type_blk_files(bootloader_t)
-	files_manage_isid_type_chr_files(bootloader_t)
-
-	# for mke2fs
-	mount_domtrans(bootloader_t)
-')
-
-ifdef(`targeted_policy',`
-	term_use_unallocated_ttys(bootloader_t)
-	term_use_generic_ptys(bootloader_t)
-')
-
-optional_policy(`
-	fstools_exec(bootloader_t)
-')
-
-optional_policy(`
-	kudzu_domtrans(bootloader_t)
-')
-
-optional_policy(`
-	dev_rw_lvm_control(bootloader_t)
-
-	lvm_domtrans(bootloader_t)
-	lvm_read_config(bootloader_t)
-')
-
-optional_policy(`
-	modutils_exec_insmod(bootloader_t)
-	modutils_read_module_deps(bootloader_t)
-	modutils_read_module_config(bootloader_t)
-	modutils_exec_insmod(bootloader_t)
-	modutils_exec_depmod(bootloader_t)
-	modutils_exec_update_mods(bootloader_t)
-')
-
-optional_policy(`
-	nscd_socket_use(bootloader_t)
-')
-
-optional_policy(`
-	rpm_rw_pipes(bootloader_t)
-')
-
-optional_policy(`
-	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
-	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
-')
diff --git a/refpolicy/policy/modules/admin/certwatch.fc b/refpolicy/policy/modules/admin/certwatch.fc
deleted file mode 100644
index b8a3414..0000000
--- a/refpolicy/policy/modules/admin/certwatch.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/certwatch	-- gen_context(system_u:object_r:certwatch_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/certwatch.if b/refpolicy/policy/modules/admin/certwatch.if
deleted file mode 100644
index 84e3852..0000000
--- a/refpolicy/policy/modules/admin/certwatch.if
+++ /dev/null
@@ -1,59 +0,0 @@
-## <summary>Digital Certificate Tracking</summary>
-
-########################################
-## <summary>
-##	Domain transition to certwatch.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`certwatch_domtrans',`
-	gen_require(`
-		type certwatch_exec_t, certwatch_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,certwatch_exec_t,certwatch_t)
-
-	allow $1 certwatch_t:fd use;
-	allow certwatch_t $1:fd use;
-	allow certwatch_t $1:fifo_file rw_file_perms;
-	allow certwatch_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute certwatch in the certwatch domain, and
-##	allow the specified role the certwatch domain,
-##	and use the caller's terminal. Has a sigchld
-##	backchannel.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the certwatch domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the certwatch domain to use.
-##	</summary>
-## </param>
-#
-interface(`certwatach_run',`
-	gen_require(`
-		type certwatch_t;
-	')
-
-	certwatch_domtrans($1)
-	role $2 types certwatch_t;
-	allow certwatch_t $3:chr_file rw_term_perms;
-')
diff --git a/refpolicy/policy/modules/admin/certwatch.te b/refpolicy/policy/modules/admin/certwatch.te
deleted file mode 100644
index daca9e1..0000000
--- a/refpolicy/policy/modules/admin/certwatch.te
+++ /dev/null
@@ -1,34 +0,0 @@
-
-policy_module(certwatch,1.0)
-
-########################################
-#
-# Declarations
-#
-
-type certwatch_t;
-type certwatch_exec_t;
-domain_type(certwatch_t)
-domain_entry_file(certwatch_t,certwatch_exec_t)
-role system_r types certwatch_t;
-
-########################################
-#
-# Local policy
-#
-
-files_read_etc_files(certwatch_t)
-
-libs_use_ld_so(certwatch_t)
-libs_use_shared_libs(certwatch_t)
-
-logging_send_syslog_msg(certwatch_t)
-
-miscfiles_read_certs(certwatch_t)
-miscfiles_read_localization(certwatch_t)
-
-apache_exec_modules(certwatch_t)
-
-optional_policy(`
-	cron_system_entry(certwatch_t,certwatch_exec_t)
-')
diff --git a/refpolicy/policy/modules/admin/consoletype.fc b/refpolicy/policy/modules/admin/consoletype.fc
deleted file mode 100644
index b7f053b..0000000
--- a/refpolicy/policy/modules/admin/consoletype.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/sbin/consoletype	--	gen_context(system_u:object_r:consoletype_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
deleted file mode 100644
index 58a2018..0000000
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ /dev/null
@@ -1,77 +0,0 @@
-## <summary>
-##	Determine of the console connected to the controlling terminal.
-## </summary>
-
-########################################
-## <summary>
-##	Execute consoletype in the consoletype domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`consoletype_domtrans',`
-	gen_require(`
-		type consoletype_t, consoletype_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,consoletype_exec_t,consoletype_t)
-
-	allow $1 consoletype_t:fd use;
-	allow consoletype_t $1:fd use;
-	allow consoletype_t $1:fifo_file rw_file_perms;
-	allow consoletype_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute consoletype in the consoletype domain, and
-##	allow the specified role the consoletype domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the consoletype domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the consoletype domain to use.
-##	</summary>
-## </param>
-#
-interface(`consoletype_run',`
-	gen_require(`
-		type consoletype_t;
-	')
-
-	consoletype_domtrans($1)
-	role $2 types consoletype_t;
-	allow consoletype_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute consoletype in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`consoletype_exec',`
-	gen_require(`
-		type consoletype_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1,consoletype_exec_t)
-')
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
deleted file mode 100644
index 84a5306..0000000
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ /dev/null
@@ -1,116 +0,0 @@
-
-policy_module(consoletype,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type consoletype_t;
-type consoletype_exec_t;
-init_domain(consoletype_t,consoletype_exec_t)
-mls_file_read_up(consoletype_t)
-mls_file_write_down(consoletype_t)
-role system_r types consoletype_t;
-
-ifdef(`targeted_policy',`',`
-	init_system_domain(consoletype_t,consoletype_exec_t)
-')
-
-########################################
-#
-# Local declarations
-#
-
-allow consoletype_t self:capability sys_admin;
-allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow consoletype_t self:fd use;
-allow consoletype_t self:fifo_file rw_file_perms;
-allow consoletype_t self:sock_file r_file_perms;
-allow consoletype_t self:unix_dgram_socket create_socket_perms;
-allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
-allow consoletype_t self:unix_dgram_socket sendto;
-allow consoletype_t self:unix_stream_socket connectto;
-allow consoletype_t self:shm create_shm_perms;
-allow consoletype_t self:sem create_sem_perms;
-allow consoletype_t self:msgq create_msgq_perms;
-allow consoletype_t self:msg { send receive };
-
-kernel_use_fds(consoletype_t)
-kernel_dontaudit_read_system_state(consoletype_t)
-
-fs_getattr_all_fs(consoletype_t)
-fs_search_auto_mountpoints(consoletype_t)
-fs_write_nfs_files(consoletype_t)
-
-term_use_console(consoletype_t)
-term_use_unallocated_ttys(consoletype_t)
-
-init_use_fds(consoletype_t)
-init_use_script_ptys(consoletype_t)
-init_use_script_fds(consoletype_t)
-init_write_script_pipes(consoletype_t)
-
-domain_use_interactive_fds(consoletype_t)
-
-files_dontaudit_read_root_files(consoletype_t)
-files_list_usr(consoletype_t)
-
-libs_use_ld_so(consoletype_t)
-libs_use_shared_libs(consoletype_t)
-
-userdom_use_sysadm_terms(consoletype_t)
-userdom_use_sysadm_fds(consoletype_t)
-userdom_rw_sysadm_pipes(consoletype_t)
-
-ifdef(`distro_redhat',`
-	fs_rw_tmpfs_chr_files(consoletype_t)
-')
-
-optional_policy(`
-	apm_use_fds(consoletype_t)
-	apm_write_pipes(consoletype_t)
-')
-
-optional_policy(`
-	auth_read_pam_pid(consoletype_t)
-')
-
-optional_policy(`
-	cron_read_pipes(consoletype_t)
-	cron_use_system_job_fds(consoletype_t)
-')
-
-optional_policy(`
-	files_read_etc_files(consoletype_t)
-	firstboot_use_fds(consoletype_t)
-	firstboot_write_pipes(consoletype_t)
-')
-
-optional_policy(`
-	logrotate_dontaudit_use_fds(consoletype_t)
-')
-
-optional_policy(`
-	lpd_read_config(consoletype_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(consoletype_t)
-')
-
-optional_policy(`
-	# Commonly used from postinst scripts
-	rpm_read_pipes(consoletype_t)
-')
-
-optional_policy(`
-	userdom_use_unpriv_users_fds(consoletype_t)
-')
-
-optional_policy(`
-	kernel_read_xen_state(consoletype_t)
-	kernel_write_xen_state(consoletype_t)
-	xen_append_log(consoletype_t)
-	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
-')
diff --git a/refpolicy/policy/modules/admin/ddcprobe.fc b/refpolicy/policy/modules/admin/ddcprobe.fc
deleted file mode 100644
index a38ca33..0000000
--- a/refpolicy/policy/modules/admin/ddcprobe.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# /usr
-#
-/usr/sbin/ddcprobe      --		gen_context(system_u:object_r:ddcprobe_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/ddcprobe.if b/refpolicy/policy/modules/admin/ddcprobe.if
deleted file mode 100644
index 875b7d2..0000000
--- a/refpolicy/policy/modules/admin/ddcprobe.if
+++ /dev/null
@@ -1,55 +0,0 @@
-## <summary>ddcprobe retrieves monitor and graphics card information</summary>
-
-########################################
-## <summary>
-##	Execute ddcprobe in the ddcprobe domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`ddcprobe_domtrans',`
-	gen_require(`
-		type ddcprobe_t, ddcprobe_exec_t;
-	')
-
-	domain_auto_trans($1,ddcprobe_exec_t,ddcprobe_t)
-
-	allow $1 ddcprobe_t:fd use;
-	allow ddcprobe_t $1:fd use;
-	allow ddcprobe_t $1:fifo_file rw_file_perms;
-	allow ddcprobe_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute ddcprobe in the ddcprobe domain, and
-##	allow the specified role the ddcprobe domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role to be authenticated for ddcprobe domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the clock domain to use.
-##	</summary>
-## </param>
-#
-interface(`ddcprobe_run',`
-	gen_require(`
-		type ddcprobe_t;
-	')
-
-	ddcprobe_domtrans($1)
-	role $2 types ddcprobe_t;
-	allow ddcprobe_t $3:chr_file rw_term_perms;
-')
diff --git a/refpolicy/policy/modules/admin/ddcprobe.te b/refpolicy/policy/modules/admin/ddcprobe.te
deleted file mode 100644
index 67982aa..0000000
--- a/refpolicy/policy/modules/admin/ddcprobe.te
+++ /dev/null
@@ -1,55 +0,0 @@
-
-policy_module(ddcprobe,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type ddcprobe_t;
-type ddcprobe_exec_t;
-domain_type(ddcprobe_t)
-domain_entry_file(ddcprobe_t,ddcprobe_exec_t)
-role system_r types ddcprobe_t;
-
-########################################
-#
-# Local policy
-#
-
-allow ddcprobe_t self:capability { sys_rawio sys_admin };
-allow ddcprobe_t self:process execmem;
-
-kernel_read_system_state(ddcprobe_t)
-kernel_read_kernel_sysctls(ddcprobe_t)
-kernel_change_ring_buffer_level(ddcprobe_t)
-
-files_search_kernel_modules(ddcprobe_t)
-
-corecmd_list_sbin(ddcprobe_t)
-corecmd_list_bin(ddcprobe_t)
-corecmd_exec_sbin(ddcprobe_t)
-
-dev_read_urand(ddcprobe_t)
-dev_read_raw_memory(ddcprobe_t)
-dev_wx_raw_memory(ddcprobe_t)
-
-files_read_etc_files(ddcprobe_t)
-files_read_etc_runtime_files(ddcprobe_t)
-files_read_usr_files(ddcprobe_t)
-
-term_use_all_user_ttys(ddcprobe_t)
-term_use_all_user_ptys(ddcprobe_t)
-
-libs_read_lib_files(ddcprobe_t)
-libs_use_ld_so(ddcprobe_t)
-libs_use_shared_libs(ddcprobe_t)
-
-miscfiles_read_localization(ddcprobe_t)
-
-modutils_read_module_deps(ddcprobe_t)
-
-userdom_use_all_users_fds(ddcprobe_t)
-
-#reh why? this does not seem even necessary to function properly
-kudzu_getattr_exec_files(ddcprobe_t)
diff --git a/refpolicy/policy/modules/admin/dmesg.fc b/refpolicy/policy/modules/admin/dmesg.fc
deleted file mode 100644
index d6cc2d9..0000000
--- a/refpolicy/policy/modules/admin/dmesg.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
deleted file mode 100644
index 0ca1319..0000000
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ /dev/null
@@ -1,60 +0,0 @@
-## <summary>Policy for dmesg.</summary>
-
-########################################
-## <summary>
-##	Execute dmesg in the dmesg domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dmesg_domtrans',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type dmesg_exec_t;
-		')
-
-		# $0(): disabled in targeted policy as there
-		# is no dmesg domain.
-	',`
-		gen_require(`
-			type dmesg_t, dmesg_exec_t;
-		')
-
-		corecmd_search_sbin($1)
-		domain_auto_trans($1,dmesg_exec_t,dmesg_t)
-
-		allow $1 dmesg_t:fd use;
-		allow dmesg_t $1:fd use;
-		allow dmesg_t $1:fifo_file rw_file_perms;
-		allow dmesg_t $1:process sigchld;
-	')
-')
-
-########################################
-## <summary>
-##	Execute dmesg in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dmesg_exec',`
-	ifdef(`targeted_policy',`
-		# $0(): the dmesg program is an alias
-		# of generic bin programs.
-		corecmd_exec_bin($1)
-	',`
-		gen_require(`
-			type dmesg_exec_t;
-		')
-
-		corecmd_search_sbin($1)
-		can_exec($1,dmesg_exec_t)
-	')
-')
-
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
deleted file mode 100644
index 150feec..0000000
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ /dev/null
@@ -1,74 +0,0 @@
-
-policy_module(dmesg,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-ifdef(`strict_policy',`
-	type dmesg_t;
-	type dmesg_exec_t;
-	init_system_domain(dmesg_t,dmesg_exec_t)
-	role system_r types dmesg_t;
-')
-
-ifdef(`targeted_policy',`
-	# dmesg domain is disabled in the 
-	# targeted policy. for compatibility
-	# with strict:
-	corecmd_bin_alias(dmesg_exec_t)
-')
-
-########################################
-#
-# Local policy
-#
-
-ifdef(`strict_policy',`
-	allow dmesg_t self:capability sys_admin;
-	dontaudit dmesg_t self:capability sys_tty_config;
-
-	allow dmesg_t self:process signal_perms;
-
-	kernel_read_kernel_sysctls(dmesg_t)
-	kernel_read_ring_buffer(dmesg_t)
-	kernel_clear_ring_buffer(dmesg_t)
-	kernel_change_ring_buffer_level(dmesg_t)
-	kernel_list_proc(dmesg_t)
-	kernel_read_proc_symlinks(dmesg_t)
-
-	dev_read_sysfs(dmesg_t)
-
-	fs_search_auto_mountpoints(dmesg_t)
-
-	term_dontaudit_use_console(dmesg_t)
-
-	domain_use_interactive_fds(dmesg_t)
-
-	files_list_etc(dmesg_t)
-	# for when /usr is not mounted:
-	files_dontaudit_search_isid_type_dirs(dmesg_t)
-
-	init_use_fds(dmesg_t)
-	init_use_script_ptys(dmesg_t)
-
-	libs_use_ld_so(dmesg_t)
-	libs_use_shared_libs(dmesg_t)
-
-	logging_send_syslog_msg(dmesg_t)
-	logging_write_generic_logs(dmesg_t)
-
-	miscfiles_read_localization(dmesg_t)
-
-	userdom_use_sysadm_terms(dmesg_t)
-	userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
-
-	optional_policy(`
-		seutil_sigchld_newrole(dmesg_t)
-	')
-
-	optional_policy(`
-		udev_read_db(dmesg_t)
-	')
-')
diff --git a/refpolicy/policy/modules/admin/dmidecode.fc b/refpolicy/policy/modules/admin/dmidecode.fc
deleted file mode 100644
index 016e6b8..0000000
--- a/refpolicy/policy/modules/admin/dmidecode.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-
-/usr/sbin/dmidecode	--	gen_context(system_u:object_r:dmidecode_exec_t,s0)
-/usr/sbin/ownership	--	gen_context(system_u:object_r:dmidecode_exec_t,s0)
-/usr/sbin/vpddecode	--	gen_context(system_u:object_r:dmidecode_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/dmidecode.if b/refpolicy/policy/modules/admin/dmidecode.if
deleted file mode 100644
index 70d6044..0000000
--- a/refpolicy/policy/modules/admin/dmidecode.if
+++ /dev/null
@@ -1,55 +0,0 @@
-## <summary>Decode DMI data for x86/ia64 bioses.</summary>
-
-########################################
-## <summary>
-##	Execute dmidecode in the dmidecode domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dmidecode_domtrans',`
-	gen_require(`
-		type dmidecode_t, dmidecode_exec_t;
-	')
-
-	domain_auto_trans($1,dmidecode_exec_t,dmidecode_t)
-
-	allow $1 dmidecode_t:fd use;
-	allow dmidecode_t $1:fd use;
-	allow dmidecode_t $1:fifo_file rw_file_perms;
-	allow dmidecode_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute dmidecode in the dmidecode domain, and
-##	allow the specified role the dmidecode domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the dmidecode domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dmidecode domain to use.
-##	</summary>
-## </param>
-#
-interface(`dmidecode_run',`
-	gen_require(`
-		type dmidecode_t;
-	')
-
-	dmidecode_domtrans($1)
-	role $2 types dmidecode_t;
-	allow dmidecode_t $3:chr_file rw_term_perms;
-')
diff --git a/refpolicy/policy/modules/admin/dmidecode.te b/refpolicy/policy/modules/admin/dmidecode.te
deleted file mode 100644
index ae975cd..0000000
--- a/refpolicy/policy/modules/admin/dmidecode.te
+++ /dev/null
@@ -1,40 +0,0 @@
-
-policy_module(dmidecode,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type dmidecode_t;
-domain_type(dmidecode_t)
-role system_r types dmidecode_t;
-
-type dmidecode_exec_t;
-domain_entry_file(dmidecode_t,dmidecode_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-allow dmidecode_t self:capability sys_rawio;
-
-# Allow dmidecode to read /dev/mem
-dev_read_raw_memory(dmidecode_t)
-
-mls_file_read_up(dmidecode_t)
-
-term_list_ptys(dmidecode_t)
-
-files_list_usr(dmidecode_t)
-
-libs_use_ld_so(dmidecode_t)
-libs_use_shared_libs(dmidecode_t)
-
-locallogin_use_fds(dmidecode_t)
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(dmidecode_t)
-	term_use_unallocated_ttys(dmidecode_t)
-')
diff --git a/refpolicy/policy/modules/admin/dpkg.fc b/refpolicy/policy/modules/admin/dpkg.fc
deleted file mode 100644
index 6d0f9ee..0000000
--- a/refpolicy/policy/modules/admin/dpkg.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# Debian package manager
-/usr/bin/debsums		--	gen_context(system_u:object_r:dpkg_exec_t,s0)
-/usr/bin/dpkg			--	gen_context(system_u:object_r:dpkg_exec_t,s0)
-# not sure if dselect should be in apt instead?
-/usr/bin/dselect		--	gen_context(system_u:object_r:dpkg_exec_t,s0)
-
-/var/lib/dpkg(/.*)?			gen_context(system_u:object_r:dpkg_var_lib_t,s0)
-# lockfile is treated specially, since used by apt, too
-/var/lib/dpkg/(meth)?lock	--	gen_context(system_u:object_r:dpkg_lock_t,s0)
-
-/usr/sbin/dpkg-preconfigure	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
-/usr/sbin/dpkg-reconfigure	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/dpkg.if b/refpolicy/policy/modules/admin/dpkg.if
deleted file mode 100644
index 5d494be..0000000
--- a/refpolicy/policy/modules/admin/dpkg.if
+++ /dev/null
@@ -1,240 +0,0 @@
-## <summary>Policy for the Debian package manager.</summary>
-# TODO: need debconf policy
-# TODO: need install-menu policy
-
-########################################
-## <summary>
-##	Execute dpkg programs in the dpkg domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dpkg_domtrans',`
-	gen_require(`
-		type dpkg_t, dpkg_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,dpkg_exec_t,dpkg_t)
-
-	# allow basic communication
-	allow $1 dpkg_t:fd use;
-	allow dpkg_t $1:fd use;
-	allow dpkg_t $1:fifo_file rw_file_perms;
-	allow dpkg_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute dpkg_script programs in the dpkg_script domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dpkg_domtrans_script',`
-	gen_require(`
-		type dpkg_script_t;
-	')
-
-	# transition to dpkg script:
-	corecmd_shell_domtrans($1,dpkg_script_t)
-
-	allow $1 dpkg_script_t:fd use;
-	allow dpkg_script_t $1:fd use;
-	allow dpkg_script_t $1:fifo_file rw_file_perms;
-	allow dpkg_script_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute dpkg programs in the dpkg domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the dpkg domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dpkg domain to use.
-##	</summary>
-## </param>
-#
-interface(`dpkg_run',`
-	gen_require(`
-		type dpkg_t, dpkg_script_t;
-	')
-
-	dpkg_domtrans($1)
-	role $2 types dpkg_t;
-	role $2 types dpkg_script_t;
-	seutil_run_loadpolicy(dpkg_script_t,$2,$3)
-	allow dpkg_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Inherit and use file descriptors from dpkg.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dpkg_use_fds',`
-	gen_require(`
-		type dpkg_t;
-	')
-
-	allow $1 dpkg_t:fd use;
-')
-
-########################################
-## <summary>
-##	Read from an unnamed dpkg pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dpkg_read_pipes',`
-	gen_require(`
-		type dpkg_t;
-	')
-
-	allow $1 dpkg_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write an unnamed dpkg pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dpkg_rw_pipes',`
-	gen_require(`
-		type dpkg_t;
-	')
-
-	allow $1 dpkg_t:fifo_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Inherit and use file descriptors from dpkg scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dpkg_use_script_fds',`
-	gen_require(`
-		type dpkg_script_t;
-	')
-
-	allow $1 dpkg_script_t:fd use;
-')
-
-########################################
-## <summary>
-##	Read the dpkg package database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dpkg_read_db',`
-	gen_require(`
-		type dpkg_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 dpkg_var_lib_t:dir r_dir_perms;
-	allow $1 dpkg_var_lib_t:file { getattr read };
-	allow $1 dpkg_var_lib_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the dpkg package database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dpkg_manage_db',`
-	gen_require(`
-		type dpkg_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 dpkg_var_lib_t:dir rw_dir_perms;
-	allow $1 dpkg_var_lib_t:file manage_file_perms;
-	allow $1 dpkg_var_lib_t:lnk_file { getattr read write unlink };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to create, read, 
-##	write, and delete the dpkg package database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dpkg_dontaudit_manage_db',`
-	gen_require(`
-		type dpkg_var_lib_t;
-	')
-
-	dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
-	dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
-	dontaudit $1 dpkg_var_lib_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Lock the dpkg package database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dpkg_lock_db',`
-	gen_require(`
-		type dpkg_lock_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 dpkg_var_lib_t:dir r_dir_perms;
-	allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
-')
diff --git a/refpolicy/policy/modules/admin/dpkg.te b/refpolicy/policy/modules/admin/dpkg.te
deleted file mode 100644
index 12a842b..0000000
--- a/refpolicy/policy/modules/admin/dpkg.te
+++ /dev/null
@@ -1,339 +0,0 @@
-
-policy_module(dpkg,1.0.3)
-
-########################################
-#
-# Declarations
-#
-
-type dpkg_t;
-type dpkg_exec_t;
-# dpkg can start/stop services
-init_system_domain(dpkg_t,dpkg_exec_t)
-# dpkg can change file labels, roles, IO
-domain_obj_id_change_exemption(dpkg_t)
-domain_role_change_exemption(dpkg_t)
-domain_system_change_exemption(dpkg_t)
-domain_interactive_fd(dpkg_t)
-role system_r types dpkg_t;
-
-# lockfile
-type dpkg_lock_t;
-files_type(dpkg_lock_t)
-
-type dpkg_tmp_t;
-files_tmp_file(dpkg_tmp_t)
-
-type dpkg_tmpfs_t;
-files_tmpfs_file(dpkg_tmpfs_t)
-
-# status files
-type dpkg_var_lib_t alias var_lib_dpkg_t;
-files_type(dpkg_var_lib_t)
-
-# package scripts
-type dpkg_script_t;
-domain_type(dpkg_script_t)
-domain_entry_file(dpkg_t, dpkg_var_lib_t)
-corecmd_shell_entry_type(dpkg_script_t)
-domain_obj_id_change_exemption(dpkg_script_t)
-domain_system_change_exemption(dpkg_script_t)
-domain_interactive_fd(dpkg_script_t)
-role system_r types dpkg_script_t;
-
-type dpkg_script_tmp_t;
-files_tmp_file(dpkg_script_tmp_t)
-
-type dpkg_script_tmpfs_t;
-files_tmpfs_file(dpkg_script_tmpfs_t)
-
-########################################
-#
-# dpkg Local policy
-#
-
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
-allow dpkg_t self:process { setpgid fork getsched setfscreate };
-allow dpkg_t self:fd use;
-allow dpkg_t self:fifo_file rw_file_perms;
-allow dpkg_t self:unix_dgram_socket create_socket_perms;
-allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
-allow dpkg_t self:unix_dgram_socket sendto;
-allow dpkg_t self:unix_stream_socket connectto;
-allow dpkg_t self:udp_socket { connect create_socket_perms };
-allow dpkg_t self:tcp_socket create_stream_socket_perms;
-allow dpkg_t self:shm create_shm_perms;
-allow dpkg_t self:sem create_sem_perms;
-allow dpkg_t self:msgq create_msgq_perms;
-allow dpkg_t self:msg { send receive };
-
-allow dpkg_t dpkg_lock_t:file manage_file_perms;
-
-allow dpkg_t dpkg_tmp_t:dir manage_dir_perms;
-allow dpkg_t dpkg_tmp_t:file manage_file_perms;
-files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
-
-allow dpkg_t dpkg_tmpfs_t:dir manage_dir_perms;
-allow dpkg_t dpkg_tmpfs_t:file manage_file_perms;
-allow dpkg_t dpkg_tmpfs_t:lnk_file manage_file_perms;
-allow dpkg_t dpkg_tmpfs_t:sock_file manage_file_perms;
-allow dpkg_t dpkg_tmpfs_t:fifo_file manage_file_perms;
-fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-# Access /var/lib/dpkg files
-allow dpkg_t dpkg_var_lib_t:file manage_file_perms;
-allow dpkg_t dpkg_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)
-
-kernel_read_system_state(dpkg_t)
-kernel_read_kernel_sysctls(dpkg_t)
-
-corecmd_exec_all_executables(dpkg_t)
-
-# TODO: do we really need all networking?
-corenet_non_ipsec_sendrecv(dpkg_t)
-corenet_tcp_sendrecv_all_if(dpkg_t)
-corenet_raw_sendrecv_all_if(dpkg_t)
-corenet_udp_sendrecv_all_if(dpkg_t)
-corenet_tcp_sendrecv_all_nodes(dpkg_t)
-corenet_raw_sendrecv_all_nodes(dpkg_t)
-corenet_udp_sendrecv_all_nodes(dpkg_t)
-corenet_tcp_sendrecv_all_ports(dpkg_t)
-corenet_udp_sendrecv_all_ports(dpkg_t)
-corenet_tcp_connect_all_ports(dpkg_t)
-corenet_sendrecv_all_client_packets(dpkg_t)
-
-dev_list_sysfs(dpkg_t)
-dev_list_usbfs(dpkg_t)
-dev_read_urand(dpkg_t)
-#devices_manage_all_device_types(dpkg_t)
-
-domain_read_all_domains_state(dpkg_t)
-domain_getattr_all_domains(dpkg_t)
-domain_dontaudit_ptrace_all_domains(dpkg_t)
-domain_use_interactive_fds(dpkg_t)
-domain_dontaudit_getattr_all_pipes(dpkg_t)
-domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
-domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
-domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
-domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
-domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
-domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
-
-fs_manage_nfs_dirs(dpkg_t)
-fs_manage_nfs_files(dpkg_t)
-fs_manage_nfs_symlinks(dpkg_t)
-fs_getattr_all_fs(dpkg_t)
-fs_search_auto_mountpoints(dpkg_t)
-
-mls_file_read_up(dpkg_t)
-mls_file_write_down(dpkg_t)
-mls_file_upgrade(dpkg_t)
-
-selinux_get_fs_mount(dpkg_t)
-selinux_validate_context(dpkg_t)
-selinux_compute_access_vector(dpkg_t)
-selinux_compute_create_context(dpkg_t)
-selinux_compute_relabel_context(dpkg_t)
-selinux_compute_user_contexts(dpkg_t)
-
-storage_raw_write_fixed_disk(dpkg_t)
-# for installing kernel packages
-storage_raw_read_fixed_disk(dpkg_t)
-
-term_list_ptys(dpkg_t)
-
-auth_relabel_all_files_except_shadow(dpkg_t)
-auth_manage_all_files_except_shadow(dpkg_t)
-auth_dontaudit_read_shadow(dpkg_t)
-
-files_exec_etc_files(dpkg_t)
-
-init_domtrans_script(dpkg_t)
-
-libs_use_ld_so(dpkg_t)
-libs_use_shared_libs(dpkg_t)
-libs_exec_ld_so(dpkg_t)
-libs_exec_lib_files(dpkg_t)
-libs_domtrans_ldconfig(dpkg_t)
-
-logging_send_syslog_msg(dpkg_t)
-
-# allow compiling and loading new policy
-seutil_manage_src_policy(dpkg_t)
-seutil_manage_bin_policy(dpkg_t)
-
-sysnet_read_config(dpkg_t)
-
-userdom_use_unpriv_users_fds(dpkg_t)
-
-# transition to dpkg script:
-dpkg_domtrans_script(dpkg_t)
-# since the scripts aren't labeled correctly yet...
-allow dpkg_t dpkg_var_lib_t:file execute;
-
-ifdef(`targeted_policy',`
-	unconfined_domain(dpkg_t)
-')
-
-# TODO: allow?
-#optional_policy(`
-#	cron_system_entry(dpkg_t,dpkg_exec_t)
-#')
-
-optional_policy(`
-	nis_use_ypbind(dpkg_t)
-')
-
-# TODO: the following was copied from dpkg_script_t, and could probably
-# be removed again when dpkg_script_t is actually used...
-domain_signal_all_domains(dpkg_t)
-domain_signull_all_domains(dpkg_t)
-files_read_etc_runtime_files(dpkg_t)
-files_exec_usr_files(dpkg_t)
-miscfiles_read_localization(dpkg_t)
-modutils_domtrans_depmod(dpkg_t)
-modutils_domtrans_insmod(dpkg_t)
-seutil_domtrans_loadpolicy(dpkg_t)
-seutil_domtrans_restorecon(dpkg_t)
-userdom_use_all_users_fds(dpkg_t)
-optional_policy(`
-	mta_send_mail(dpkg_t)
-')
-optional_policy(`
-	usermanage_domtrans_groupadd(dpkg_t)
-	usermanage_domtrans_useradd(dpkg_t)
-')
-
-########################################
-#
-# dpkg-script Local policy
-#
-# TODO: actually use dpkg_script_t
-
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow dpkg_script_t self:fd use;
-allow dpkg_script_t self:fifo_file rw_file_perms;
-allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
-allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
-allow dpkg_script_t self:unix_dgram_socket sendto;
-allow dpkg_script_t self:unix_stream_socket connectto;
-allow dpkg_script_t self:shm create_shm_perms;
-allow dpkg_script_t self:sem create_sem_perms;
-allow dpkg_script_t self:msgq create_msgq_perms;
-allow dpkg_script_t self:msg { send receive };
-
-allow dpkg_script_t dpkg_tmp_t:file r_file_perms;
-
-allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
-allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
-files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
-
-allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
-allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
-allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file create_lnk_perms;
-allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_file_perms;
-allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_file_perms;
-fs_tmpfs_filetrans(dpkg_script_t,dpkg_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-kernel_read_kernel_sysctls(dpkg_script_t)
-kernel_read_system_state(dpkg_script_t)
-
-corecmd_exec_all_executables(dpkg_script_t)
-
-dev_list_sysfs(dpkg_script_t)
-# ideally we would not need this
-dev_manage_generic_blk_files(dpkg_script_t)
-dev_manage_generic_chr_files(dpkg_script_t)
-dev_manage_all_blk_files(dpkg_script_t)
-dev_manage_all_chr_files(dpkg_script_t)
-
-domain_read_all_domains_state(dpkg_script_t)
-domain_getattr_all_domains(dpkg_script_t)
-domain_dontaudit_ptrace_all_domains(dpkg_script_t)
-domain_use_interactive_fds(dpkg_script_t)
-domain_signal_all_domains(dpkg_script_t)
-domain_signull_all_domains(dpkg_script_t)
-
-files_exec_etc_files(dpkg_script_t)
-files_read_etc_runtime_files(dpkg_script_t)
-files_exec_usr_files(dpkg_script_t)
-
-fs_manage_nfs_files(dpkg_script_t)
-fs_getattr_nfs(dpkg_script_t)
-# why is this not using mount?
-fs_getattr_xattr_fs(dpkg_script_t)
-fs_mount_xattr_fs(dpkg_script_t)
-fs_unmount_xattr_fs(dpkg_script_t)
-fs_search_auto_mountpoints(dpkg_script_t)
-
-mls_file_read_up(dpkg_script_t)
-mls_file_write_down(dpkg_script_t)
-
-selinux_get_fs_mount(dpkg_script_t)
-selinux_validate_context(dpkg_script_t)
-selinux_compute_access_vector(dpkg_script_t)
-selinux_compute_create_context(dpkg_script_t)
-selinux_compute_relabel_context(dpkg_script_t)
-selinux_compute_user_contexts(dpkg_script_t)
-
-storage_raw_read_fixed_disk(dpkg_script_t)
-storage_raw_write_fixed_disk(dpkg_script_t)
-
-term_getattr_unallocated_ttys(dpkg_script_t)
-term_list_ptys(dpkg_script_t)
-term_use_all_terms(dpkg_script_t)
-
-auth_dontaudit_getattr_shadow(dpkg_script_t)
-# ideally we would not need this
-auth_manage_all_files_except_shadow(dpkg_script_t)
-
-init_domtrans_script(dpkg_script_t)
-
-libs_use_ld_so(dpkg_script_t)
-libs_use_shared_libs(dpkg_script_t)
-libs_exec_ld_so(dpkg_script_t)
-libs_exec_lib_files(dpkg_script_t)
-libs_domtrans_ldconfig(dpkg_script_t)
-
-logging_send_syslog_msg(dpkg_script_t)
-
-miscfiles_read_localization(dpkg_script_t)
-
-modutils_domtrans_depmod(dpkg_script_t)
-modutils_domtrans_insmod(dpkg_script_t)
-
-seutil_domtrans_loadpolicy(dpkg_script_t)
-seutil_domtrans_restorecon(dpkg_script_t)
-
-userdom_use_all_users_fds(dpkg_script_t)
-
-ifdef(`distro_redhat',`
-	unconfined_domain(dpkg_script_t)
-')
-
-ifdef(`targeted_policy',`
-	unconfined_domain(dpkg_script_t)
-',`
-	optional_policy(`
-		bootloader_domtrans(dpkg_script_t)
-	')
-')
-
-tunable_policy(`allow_execmem',`
-	allow dpkg_script_t self:process execmem;
-')
-
-optional_policy(`
-	mta_send_mail(dpkg_script_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(dpkg_script_t)
-')
-
-optional_policy(`
-	usermanage_domtrans_groupadd(dpkg_script_t)
-	usermanage_domtrans_useradd(dpkg_script_t)
-')
diff --git a/refpolicy/policy/modules/admin/firstboot.fc b/refpolicy/policy/modules/admin/firstboot.fc
deleted file mode 100644
index ab57cde..0000000
--- a/refpolicy/policy/modules/admin/firstboot.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# firstboot
-/usr/sbin/firstboot		--	gen_context(system_u:object_r:firstboot_exec_t,s0)
-
-/usr/share/firstboot			gen_context(system_u:object_r:firstboot_rw_t,s0)
-/usr/share/firstboot/firstboot\.py --	gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/firstboot.if b/refpolicy/policy/modules/admin/firstboot.if
deleted file mode 100644
index ceb0580..0000000
--- a/refpolicy/policy/modules/admin/firstboot.if
+++ /dev/null
@@ -1,130 +0,0 @@
-## <summary>
-##	Final system configuration run during the first boot
-##	after installation of Red Hat/Fedora systems.
-## </summary>
-
-########################################
-## <summary>
-##	Execute firstboot in the firstboot domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`firstboot_domtrans',`
-	gen_require(`
-		type firstboot_t, firstboot_exec_t;
-	')
-
-	domain_auto_trans($1,firstboot_exec_t,firstboot_t)
-
-	allow $1 firstboot_t:fd use;
-	allow firstboot_t $1:fd use;
-	allow firstboot_t $1:fifo_file rw_file_perms;
-	allow firstboot_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute firstboot in the firstboot domain, and
-##	allow the specified role the firstboot domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the firstboot domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the firstboot domain to use.
-##	</summary>
-## </param>
-#
-interface(`firstboot_run',`
-	gen_require(`
-		type firstboot_t;
-	')
-
-	firstboot_domtrans($1)
-	role $2 types firstboot_t;
-	allow firstboot_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Inherit and use a file descriptor from firstboot.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`firstboot_use_fds',`
-	gen_require(`
-		type firstboot_t;
-	')
-
-	allow $1 firstboot_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit a
-##	file descriptor from firstboot.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`firstboot_dontaudit_use_fds',`
-	gen_require(`
-		type firstboot_t;
-	')
-
-	dontaudit $1 firstboot_t:fd use;
-')
-
-########################################
-## <summary>
-##	Write to a firstboot unnamed pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`firstboot_write_pipes',`
-	gen_require(`
-		type firstboot_t;
-	')
-
-	allow $1 firstboot_t:fifo_file write;
-')
-########################################
-## <summary>
-##	Read firstboot writable config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`firstboot_read_rw_files',`
-	gen_require(`
-		type firstboot_rw_t;
-	')
-
-	allow $1 firstboot_rw_t:file r_file_perms;
-')
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
deleted file mode 100644
index b03616f..0000000
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ /dev/null
@@ -1,138 +0,0 @@
-
-policy_module(firstboot,1.1.2)
-
-gen_require(`
-	class passwd rootok;
-')
-
-########################################
-#
-# Declarations
-#
-
-type firstboot_t;
-type firstboot_exec_t;
-init_system_domain(firstboot_t,firstboot_exec_t)
-domain_obj_id_change_exemption(firstboot_t)
-domain_subj_id_change_exemption(firstboot_t)
-role system_r types firstboot_t;
-
-type firstboot_etc_t;
-files_config_file(firstboot_etc_t)
-
-type firstboot_rw_t;
-files_type(firstboot_rw_t)
-
-########################################
-#
-# Local policy
-#
-
-allow firstboot_t self:capability { dac_override setgid };
-allow firstboot_t self:process setfscreate;
-allow firstboot_t self:file { read write };
-allow firstboot_t self:fifo_file { getattr read write };
-allow firstboot_t self:tcp_socket create_stream_socket_perms;
-allow firstboot_t self:unix_stream_socket { connect create };
-allow firstboot_t self:passwd rootok;
-
-allow firstboot_t firstboot_etc_t:file { getattr read };
-
-allow firstboot_t firstboot_rw_t:dir create_dir_perms;
-allow firstboot_t firstboot_rw_t:file create_file_perms;
-files_etc_filetrans(firstboot_t,firstboot_rw_t,file)
-
-# The big hammer
-unconfined_domain(firstboot_t) 
-
-kernel_read_system_state(firstboot_t)
-kernel_read_kernel_sysctls(firstboot_t)
-
-corenet_non_ipsec_sendrecv(firstboot_t)
-corenet_tcp_sendrecv_all_if(firstboot_t)
-corenet_tcp_sendrecv_all_nodes(firstboot_t)
-corenet_tcp_sendrecv_all_ports(firstboot_t)
-
-dev_read_urand(firstboot_t)
-
-selinux_get_fs_mount(firstboot_t)
-selinux_validate_context(firstboot_t)
-selinux_compute_access_vector(firstboot_t)
-selinux_compute_create_context(firstboot_t)
-selinux_compute_relabel_context(firstboot_t)
-selinux_compute_user_contexts(firstboot_t)
-
-auth_dontaudit_getattr_shadow(firstboot_t)
-
-corecmd_exec_all_executables(firstboot_t)
-
-files_exec_etc_files(firstboot_t)
-files_manage_etc_files(firstboot_t)
-files_read_etc_runtime_files(firstboot_t)
-files_read_usr_files(firstboot_t)
-files_manage_var_dirs(firstboot_t)
-files_manage_var_files(firstboot_t)
-files_manage_var_symlinks(firstboot_t)
-
-init_domtrans_script(firstboot_t)
-init_rw_utmp(firstboot_t)
-
-libs_use_ld_so(firstboot_t)
-libs_use_shared_libs(firstboot_t)
-libs_exec_ld_so(firstboot_t)
-libs_exec_lib_files(firstboot_t)
-
-locallogin_use_fds(firstboot_t)
-
-logging_send_syslog_msg(firstboot_t)
-
-miscfiles_read_localization(firstboot_t)
-
-modutils_domtrans_insmod(firstboot_t)
-modutils_read_module_config(firstboot_t)
-modutils_read_module_deps(firstboot_t)
-
-# Add/remove user home directories
-userdom_manage_generic_user_home_content_dirs(firstboot_t)
-userdom_manage_generic_user_home_content_files(firstboot_t)
-userdom_manage_generic_user_home_content_symlinks(firstboot_t)
-userdom_manage_generic_user_home_content_pipes(firstboot_t)
-userdom_manage_generic_user_home_content_sockets(firstboot_t)
-userdom_home_filetrans_generic_user_home_dir(firstboot_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file })
-
-ifdef(`targeted_policy',`
-	unconfined_domtrans(firstboot_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(firstboot_t)
-')
-
-optional_policy(`
-	samba_rw_config(firstboot_t)
-')
-
-optional_policy(`
-	usermanage_domtrans_chfn(firstboot_t)
-	usermanage_domtrans_groupadd(firstboot_t)
-	usermanage_domtrans_passwd(firstboot_t)
-	usermanage_domtrans_useradd(firstboot_t)
-')
-
-ifdef(`TODO',`
-allow firstboot_t proc_t:file write;
-
-ifdef(`printconf.te', `
-	can_exec(firstboot_t, printconf_t)
-')
-
-ifdef(`userhelper.te', `
-	role system_r types sysadm_userhelper_t;
-	domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-ifdef(`xserver.te', `
-	domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/kudzu.fc b/refpolicy/policy/modules/admin/kudzu.fc
deleted file mode 100644
index dd88f74..0000000
--- a/refpolicy/policy/modules/admin/kudzu.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-
-/sbin/kmodule	--	gen_context(system_u:object_r:kudzu_exec_t,s0)
-/sbin/kudzu	--	gen_context(system_u:object_r:kudzu_exec_t,s0)
-
-/usr/sbin/kudzu	--	gen_context(system_u:object_r:kudzu_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/kudzu.if b/refpolicy/policy/modules/admin/kudzu.if
deleted file mode 100644
index 605a394..0000000
--- a/refpolicy/policy/modules/admin/kudzu.if
+++ /dev/null
@@ -1,74 +0,0 @@
-## <summary>Hardware detection and configuration tools</summary>
-
-########################################
-## <summary>
-##	Execute kudzu in the kudzu domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`kudzu_domtrans',`
-	gen_require(`
-		type kudzu_t, kudzu_exec_t;
-	')
-
-	domain_auto_trans($1,kudzu_exec_t,kudzu_t)
-
-	allow $1 kudzu_t:fd use;
-	allow kudzu_t $1:fd use;
-	allow kudzu_t $1:fifo_file rw_file_perms;
-	allow kudzu_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute kudzu in the kudzu domain, and
-##	allow the specified role the kudzu domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the kudzu domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the kudzu domain to use.
-##	</summary>
-## </param>
-#
-interface(`kudzu_run',`
-	gen_require(`
-		type kudzu_t;
-	')
-
-	kudzu_domtrans($1)
-	role $2 types kudzu_t;
-	allow kudzu_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Get attributes of kudzu executable.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-# cjp: added for ddcprobe
-interface(`kudzu_getattr_exec_files',`
-	gen_require(`
-		type kudzu_exec_t;
-	')
-
-	allow $1 kudzu_exec_t:file getattr;
-')
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
deleted file mode 100644
index 481f0d5..0000000
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ /dev/null
@@ -1,169 +0,0 @@
-
-policy_module(kudzu,1.2.1)
-
-########################################
-#
-# Declarations
-#
-
-type kudzu_t;
-type kudzu_exec_t;
-init_system_domain(kudzu_t,kudzu_exec_t)
-
-type kudzu_tmp_t;
-files_tmp_file(kudzu_tmp_t)
-
-type kudzu_var_run_t;
-files_pid_file(kudzu_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-dontaudit kudzu_t self:capability sys_tty_config;
-allow kudzu_t self:process { signal_perms execmem };
-allow kudzu_t self:fifo_file rw_file_perms;
-allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow kudzu_t self:unix_dgram_socket create_socket_perms;
-allow kudzu_t self:udp_socket { create ioctl };
-
-allow kudzu_t kudzu_tmp_t:dir create_file_perms;
-allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
-files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
-
-allow kudzu_t kudzu_var_run_t:file create_file_perms;
-allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
-files_pid_filetrans(kudzu_t,kudzu_var_run_t,file)
-
-kernel_change_ring_buffer_level(kudzu_t)
-kernel_list_proc(kudzu_t)
-kernel_read_device_sysctls(kudzu_t)
-kernel_read_kernel_sysctls(kudzu_t)
-kernel_read_proc_symlinks(kudzu_t)
-kernel_read_network_state(kudzu_t)
-kernel_read_system_state(kudzu_t)
-kernel_rw_hotplug_sysctls(kudzu_t)
-kernel_rw_kernel_sysctl(kudzu_t)
-
-files_read_kernel_modules(kudzu_t)
-
-dev_list_sysfs(kudzu_t)
-dev_read_usbfs(kudzu_t)
-dev_read_sysfs(kudzu_t)
-dev_rx_raw_memory(kudzu_t)
-dev_wx_raw_memory(kudzu_t)
-dev_rw_mouse(kudzu_t)
-dev_rwx_zero(kudzu_t)
-
-fs_search_auto_mountpoints(kudzu_t)
-fs_search_ramfs(kudzu_t)
-fs_write_ramfs_sockets(kudzu_t)
-
-mls_file_read_up(kudzu_t)
-mls_file_write_down(kudzu_t)
-
-modutils_read_module_deps(kudzu_t)
-modutils_read_module_config(kudzu_t)
-modutils_rename_module_config(kudzu_t)
-
-storage_read_scsi_generic(kudzu_t)
-storage_read_tape(kudzu_t)
-storage_raw_write_fixed_disk(kudzu_t)
-storage_raw_write_removable_device(kudzu_t)
-storage_raw_read_fixed_disk(kudzu_t)
-storage_raw_read_removable_device(kudzu_t)
-
-term_search_ptys(kudzu_t)
-term_dontaudit_use_console(kudzu_t)
-# so it can write messages to the console
-term_use_unallocated_ttys(kudzu_t)
-
-corecmd_exec_all_executables(kudzu_t)
-
-domain_use_interactive_fds(kudzu_t)
-
-files_search_var(kudzu_t)
-files_search_locks(kudzu_t)
-files_manage_etc_files(kudzu_t)
-files_manage_etc_runtime_files(kudzu_t)
-files_etc_filetrans_etc_runtime(kudzu_t,file)
-files_manage_mnt_files(kudzu_t)
-files_manage_mnt_symlinks(kudzu_t)
-files_dontaudit_search_src(kudzu_t)
-# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
-files_read_usr_files(kudzu_t)
-# for /etc/sysconfig/hwconf - probably need a new type
-files_rw_etc_runtime_files(kudzu_t)
-# for file systems that are not yet mounted
-files_dontaudit_search_isid_type_dirs(kudzu_t)
-
-init_use_fds(kudzu_t)
-init_use_script_ptys(kudzu_t)
-init_stream_connect_script(kudzu_t)
-
-libs_use_ld_so(kudzu_t)
-libs_use_shared_libs(kudzu_t)
-# Read /usr/lib/gconv/gconv-modules.*
-libs_read_lib_files(kudzu_t)
-
-logging_send_syslog_msg(kudzu_t)
-
-miscfiles_read_hwdata(kudzu_t)
-miscfiles_read_localization(kudzu_t)
-
-modutils_read_module_config(kudzu_t)
-modutils_domtrans_insmod(kudzu_t)
-
-sysnet_read_config(kudzu_t)
-
-userdom_search_sysadm_home_dirs(kudzu_t)
-userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
-
-ifdef(`targeted_policy',`
-        term_dontaudit_use_unallocated_ttys(kudzu_t)
-        term_dontaudit_use_generic_ptys(kudzu_t)
-        files_dontaudit_read_root_files(kudzu_t)
-
-	# cjp: this was originally in the else block
-	# of ifdef userhelper.te, but it seems to
-	# make more sense here.  also, require
-	# blocks curently do not work in the
-	# else block of optionals
-	unconfined_domain(kudzu_t)
-')
-
-optional_policy(`
-	gpm_getattr_gpmctl(kudzu_t)
-')
-
-optional_policy(`
-	nscd_socket_use(kudzu_t)
-')
-
-optional_policy(`
-        seutil_sigchld_newrole(kudzu_t)
-')
-
-optional_policy(`
-        udev_read_db(kudzu_t)
-')
-
-ifdef(`TODO',`
-allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`
-	allow kudzu_t printconf_t:file { getattr read };
-')
-optional_policy(`
-	allow kudzu_t xserver_exec_t:file getattr;
-')
-optional_policy(`
-	allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-optional_policy(`
-	role system_r types sysadm_userhelper_t;
-	domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
-')
diff --git a/refpolicy/policy/modules/admin/logrotate.fc b/refpolicy/policy/modules/admin/logrotate.fc
deleted file mode 100644
index 483c261..0000000
--- a/refpolicy/policy/modules/admin/logrotate.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
-
-/usr/sbin/logcheck	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
-/usr/sbin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
-
-/var/lib/logcheck(/.*)?		gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-
-# using a hard-coded name under /var/tmp is a bug - new version fixes it
-/var/tmp/logcheck	-d	gen_context(system_u:object_r:logrotate_tmp_t,s0)
-
-ifdef(`distro_debian', `
-/usr/bin/savelog	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
-/var/lib/logrotate(/.*)?	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-', `
-/var/lib/logrotate\.status --	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-')
diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if
deleted file mode 100644
index 988ddfc..0000000
--- a/refpolicy/policy/modules/admin/logrotate.if
+++ /dev/null
@@ -1,128 +0,0 @@
-## <summary>Rotate and archive system logs</summary>
-
-########################################
-## <summary>
-##	Execute logrotate in the logrotate domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`logrotate_domtrans',`
-	gen_require(`
-		type logrotate_t, logrotate_exec_t;
-	')
-
-	domain_auto_trans($1,logrotate_exec_t,logrotate_t)
-
-	allow $1 logrotate_t:fd use;
-	allow logrotate_t $1:fd use;
-	allow logrotate_t $1:fifo_file rw_file_perms;
-	allow logrotate_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute logrotate in the logrotate domain, and
-##	allow the specified role the logrotate domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the logrotate domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the logrotate domain to use.
-##	</summary>
-## </param>
-#
-interface(`logrotate_run',`
-	gen_require(`
-		type logrotate_t;
-	')
-
-	logrotate_domtrans($1)
-	role $2 types logrotate_t;
-	allow logrotate_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute logrotate in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`logrotate_exec',`
-	gen_require(`
-		type logrotate_exec_t;
-	')
-
-	can_exec($1,logrotate_exec_t)
-')
-
-########################################
-## <summary>
-##	Inherit and use logrotate file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logrotate_use_fds',`
-	gen_require(`
-		type logrotate_t;
-	')
-
-	allow $1 logrotate_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit logrotate file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`logrotate_dontaudit_use_fds',`
-	gen_require(`
-		type logrotate_t;
-	')
-
-	dontaudit $1 logrotate_t:fd use;
-')
-
-########################################
-## <summary>
-##	Read a logrotate temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`logrotate_read_tmp_files',`
-	gen_require(`
-		type logrotate_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 logrotate_tmp_t:file r_file_perms;
-')
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
deleted file mode 100644
index 0352a4c..0000000
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ /dev/null
@@ -1,211 +0,0 @@
-
-policy_module(logrotate,1.2.1)
-
-########################################
-#
-# Declarations
-#
-
-type logrotate_t;
-domain_type(logrotate_t)
-domain_obj_id_change_exemption(logrotate_t)
-domain_system_change_exemption(logrotate_t)
-role system_r types logrotate_t;
-
-type logrotate_exec_t;
-domain_entry_file(logrotate_t,logrotate_exec_t)
-
-type logrotate_lock_t;
-files_lock_file(logrotate_lock_t)
-
-type logrotate_tmp_t;
-files_tmp_file(logrotate_tmp_t)
-
-type logrotate_var_lib_t;
-files_type(logrotate_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-# Change ownership on log files.
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
-# for mailx
-dontaudit logrotate_t self:capability { setuid setgid };
-
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-
-# Set a context other than the default one for newly created files.
-allow logrotate_t self:process setfscreate;
-
-allow logrotate_t self:fd use;
-allow logrotate_t self:fifo_file rw_file_perms;
-allow logrotate_t self:unix_dgram_socket create_socket_perms;
-allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
-allow logrotate_t self:unix_dgram_socket sendto;
-allow logrotate_t self:unix_stream_socket connectto;
-allow logrotate_t self:shm create_shm_perms;
-allow logrotate_t self:sem create_sem_perms;
-allow logrotate_t self:msgq create_msgq_perms;
-allow logrotate_t self:msg { send receive };
-
-allow logrotate_t logrotate_lock_t:file create_file_perms;
-files_lock_filetrans(logrotate_t,logrotate_lock_t,file)
-
-can_exec(logrotate_t, logrotate_tmp_t)
-
-allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
-allow logrotate_t logrotate_tmp_t:file create_file_perms;
-files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
-
-# for /var/lib/logrotate.status and /var/lib/logcheck
-allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
-allow logrotate_t logrotate_var_lib_t:file create_file_perms;
-files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
-
-kernel_read_system_state(logrotate_t)
-kernel_read_kernel_sysctls(logrotate_t)
-
-dev_read_urand(logrotate_t)
-
-fs_search_auto_mountpoints(logrotate_t)
-fs_getattr_xattr_fs(logrotate_t)
-
-mls_file_read_up(logrotate_t)
-mls_file_write_down(logrotate_t)
-mls_file_upgrade(logrotate_t)
-
-selinux_get_fs_mount(logrotate_t)
-selinux_get_enforce_mode(logrotate_t)
-
-auth_manage_login_records(logrotate_t)
-
-# Run helper programs.
-corecmd_exec_bin(logrotate_t)
-corecmd_exec_sbin(logrotate_t)
-corecmd_exec_shell(logrotate_t)
-corecmd_exec_ls(logrotate_t)
-
-domain_signal_all_domains(logrotate_t)
-domain_use_interactive_fds(logrotate_t)
-domain_getattr_all_entry_files(logrotate_t)
-# Read /proc/PID directories for all domains.
-domain_read_all_domains_state(logrotate_t)
-
-files_read_usr_files(logrotate_t)
-files_read_etc_files(logrotate_t)
-files_read_etc_runtime_files(logrotate_t)
-files_read_all_pids(logrotate_t)
-# Write to /var/spool/slrnpull - should be moved into its own type.
-files_manage_generic_spool(logrotate_t)
-files_manage_generic_spool_dirs(logrotate_t)
-
-# cjp: why is this needed?
-init_domtrans_script(logrotate_t)
-
-logging_manage_all_logs(logrotate_t)
-logging_send_syslog_msg(logrotate_t)
-# cjp: why is this needed?
-logging_exec_all_logs(logrotate_t)
-
-libs_use_ld_so(logrotate_t)
-libs_use_shared_libs(logrotate_t)
-
-miscfiles_read_localization(logrotate_t)
-
-seutil_dontaudit_read_config(logrotate_t)
-
-sysnet_read_config(logrotate_t)
-
-userdom_use_unpriv_users_fds(logrotate_t)
-
-cron_system_entry(logrotate_t, logrotate_exec_t)
-cron_search_spool(logrotate_t)
-
-mta_send_mail(logrotate_t)
-
-ifdef(`distro_debian', `
-	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
-	# for savelog
-	can_exec(logrotate_t, logrotate_exec_t)
-')
-
-ifdef(`targeted_policy',`
-	unconfined_domain(logrotate_t)
-')
-
-optional_policy(`
-	acct_domtrans(logrotate_t)
-	acct_manage_data(logrotate_t)
-	acct_exec_data(logrotate_t)
-')
-
-optional_policy(`
-	apache_read_config(logrotate_t)
-	apache_domtrans(logrotate_t)
-	apache_signull(logrotate_t)
-')
-
-optional_policy(`
-	consoletype_exec(logrotate_t)
-')
-
-optional_policy(`
-	cups_domtrans(logrotate_t)
-')
-
-optional_policy(`
-	hostname_exec(logrotate_t)
-')
-
-optional_policy(`
-	samba_exec_log(logrotate_t)
-')
-
-optional_policy(`
-	mailman_exec(logrotate_t)
-	mailman_search_data(logrotate_t)
-	mailman_manage_log(logrotate_t)
-')
-
-optional_policy(`
-	munin_read_config(logrotate_t)
-	munin_stream_connect(logrotate_t)
-	munin_search_lib(logrotate_t)
-')
-
-optional_policy(`
-	mysql_read_config(logrotate_t)
-	mysql_search_db(logrotate_t)
-	mysql_stream_connect(logrotate_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(logrotate_t)
-')
-
-optional_policy(`
-	nscd_socket_use(logrotate_t)
-')
-
-optional_policy(`
-	slrnpull_manage_spool(logrotate_t)
-')
-
-optional_policy(`
-	# cjp: why?
-	squid_domtrans(logrotate_t)
-')
-
-ifdef(`TODO',`
-# it should not require this
-allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
-
-# for /var/backups on Debian
-ifdef(`backup.te', `
-rw_dir_create_file(logrotate_t, backup_store_t)
-')
-
-allow logrotate_t syslogd_exec_t:file r_file_perms;
-') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/logwatch.fc b/refpolicy/policy/modules/admin/logwatch.fc
deleted file mode 100644
index 67ff2c1..0000000
--- a/refpolicy/policy/modules/admin/logwatch.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-
-/usr/share/logwatch/scripts/logwatch.pl	--	gen_context(system_u:object_r:logwatch_exec_t, s0)
-
-/var/cache/logwatch(/.*)?			gen_context(system_u:object_r:logwatch_cache_t, s0)
diff --git a/refpolicy/policy/modules/admin/logwatch.if b/refpolicy/policy/modules/admin/logwatch.if
deleted file mode 100644
index 3de6722..0000000
--- a/refpolicy/policy/modules/admin/logwatch.if
+++ /dev/null
@@ -1,20 +0,0 @@
-## <summary>System log analyzer and reporter</summary>
-
-########################################
-## <summary>
-##	Read logwatch temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logwatch_read_tmp_files',`
-	gen_require(`
-		type logwatch_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 logwatch_tmp_t:file r_file_perms;
-')
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
deleted file mode 100644
index d879781..0000000
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ /dev/null
@@ -1,113 +0,0 @@
-
-policy_module(logwatch,1.1.2)
-
-#################################
-#
-# Declarations
-#
-
-type logwatch_t;
-type logwatch_exec_t;
-domain_type(logwatch_t)
-domain_entry_file(logwatch_t,logwatch_exec_t)
-role system_r types logwatch_t;
-
-type logwatch_cache_t;
-files_type(logwatch_cache_t)
-
-type logwatch_tmp_t;
-files_tmp_file(logwatch_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow logwatch_t self:capability { dac_override dac_read_search setgid };
-allow logwatch_t self:fifo_file rw_file_perms;
-allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
-
-allow logwatch_t logwatch_cache_t:dir create_dir_perms;
-allow logwatch_t logwatch_cache_t:file create_file_perms;
-
-allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
-allow logwatch_t logwatch_tmp_t:file create_file_perms;
-files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
-
-kernel_read_fs_sysctls(logwatch_t)
-kernel_read_kernel_sysctls(logwatch_t)
-kernel_read_system_state(logwatch_t)
-
-corecmd_read_sbin_symlinks(logwatch_t)
-corecmd_read_sbin_files(logwatch_t)
-corecmd_exec_bin(logwatch_t)
-corecmd_exec_shell(logwatch_t)
-
-dev_read_urand(logwatch_t)
-
-# Read /proc/PID directories for all domains.
-domain_read_all_domains_state(logwatch_t)
-
-files_read_etc_files(logwatch_t)
-files_read_etc_runtime_files(logwatch_t)
-files_read_usr_files(logwatch_t)
-files_search_spool(logwatch_t)
-files_search_mnt(logwatch_t)
-files_dontaudit_search_home(logwatch_t)
-
-fs_getattr_all_fs(logwatch_t)
-
-term_dontaudit_getattr_pty_dirs(logwatch_t)
-term_dontaudit_list_ptys(logwatch_t)
-
-auth_dontaudit_read_shadow(logwatch_t)
-
-libs_use_ld_so(logwatch_t)
-libs_use_shared_libs(logwatch_t)
-libs_read_lib_files(logwatch_t)
-
-logging_read_all_logs(logwatch_t)
-
-miscfiles_read_localization(logwatch_t)
-
-selinux_dontaudit_getattr_dir(logwatch_t)
-
-sysnet_dns_name_resolve(logwatch_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
-userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
-
-mta_send_mail(logwatch_t)
-
-optional_policy(`
-	apache_read_log(logwatch_t)
-')
-
-optional_policy(`
-	bind_read_config(logwatch_t)
-	bind_read_zone(logwatch_t)
-')
-
-optional_policy(`
-	cron_system_entry(logwatch_t, logwatch_exec_t)
-')
-
-optional_policy(`
-	mta_getattr_spool(logwatch_t)
-')
-
-optional_policy(`
-	nscd_socket_use(logwatch_t)
-')
-
-optional_policy(`
-	ntp_domtrans(logwatch_t)
-')
-
-optional_policy(`
-	rpc_search_nfs_state_data(logwatch_t)
-')
-
-optional_policy(`
-	samba_read_log(logwatch_t)
-')
diff --git a/refpolicy/policy/modules/admin/metadata.xml b/refpolicy/policy/modules/admin/metadata.xml
deleted file mode 100644
index bd8d174..0000000
--- a/refpolicy/policy/modules/admin/metadata.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<summary>
-	Policy modules for administrative functions, such as package management.
-</summary>
diff --git a/refpolicy/policy/modules/admin/mrtg.fc b/refpolicy/policy/modules/admin/mrtg.fc
deleted file mode 100644
index c59caa5..0000000
--- a/refpolicy/policy/modules/admin/mrtg.fc
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# /etc
-#
-/etc/mrtg.*			gen_context(system_u:object_r:mrtg_etc_t,s0)
-
-#
-# /usr
-#
-/usr/bin/mrtg		--	gen_context(system_u:object_r:mrtg_exec_t,s0)
-/etc/mrtg/mrtg\.ok	--	gen_context(system_u:object_r:mrtg_lock_t,s0)
-
-#
-# /var
-#
-/var/lib/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_var_lib_t,s0)
-/var/lock/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_lock_t,s0)
-/var/log/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_log_t,s0)
-
diff --git a/refpolicy/policy/modules/admin/mrtg.if b/refpolicy/policy/modules/admin/mrtg.if
deleted file mode 100644
index fab860b..0000000
--- a/refpolicy/policy/modules/admin/mrtg.if
+++ /dev/null
@@ -1,19 +0,0 @@
-## <summary>Network traffic graphing</summary>
-
-########################################
-## <summary>
-##	Create and append mrtg logs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mrtg_append_create_logs',`
-	gen_require(`
-		type mrtg_log_t;
-	')
-	allow $1 mrtg_log_t:dir rw_dir_perms;
-	allow $1 mrtg_log_t:file { create append getattr };
-')
diff --git a/refpolicy/policy/modules/admin/mrtg.te b/refpolicy/policy/modules/admin/mrtg.te
deleted file mode 100644
index 3625067..0000000
--- a/refpolicy/policy/modules/admin/mrtg.te
+++ /dev/null
@@ -1,169 +0,0 @@
-
-policy_module(mrtg,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type mrtg_t;
-type mrtg_exec_t;
-init_system_domain(mrtg_t,mrtg_exec_t)
-
-type mrtg_etc_t;
-files_config_file(mrtg_etc_t)
-
-type mrtg_lock_t;
-files_lock_file(mrtg_lock_t)
-
-type mrtg_log_t;
-logging_log_file(mrtg_log_t)
-
-type mrtg_var_lib_t;
-files_type(mrtg_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow mrtg_t self:capability { setgid setuid };
-dontaudit mrtg_t self:capability sys_tty_config;
-allow mrtg_t self:process signal_perms;
-allow mrtg_t self:fifo_file { getattr read write ioctl };
-allow mrtg_t self:unix_stream_socket create_socket_perms;
-allow mrtg_t self:tcp_socket create_socket_perms;
-allow mrtg_t self:udp_socket create_socket_perms;
-
-allow mrtg_t mrtg_etc_t:file r_file_perms;
-allow mrtg_t mrtg_etc_t:dir r_dir_perms;
-allow mrtg_t mrtg_etc_t:lnk_file { getattr read };
-files_search_etc(mrtg_t)
-
-allow mrtg_t mrtg_lock_t:dir rw_dir_perms;
-allow mrtg_t mrtg_lock_t:file create_file_perms;
-allow mrtg_t mrtg_lock_t:lnk_file create_lnk_perms;
-
-allow mrtg_t mrtg_log_t:file create_file_perms;
-allow mrtg_t mrtg_log_t:dir rw_dir_perms;
-logging_log_filetrans(mrtg_t,mrtg_log_t,{ file dir })
-
-allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms;
-allow mrtg_t mrtg_var_lib_t:file create_file_perms;
-allow mrtg_t mrtg_var_lib_t:lnk_file create_lnk_perms;
-
-# read config files
-dontaudit mrtg_t mrtg_etc_t:dir write;
-dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
-files_read_etc_files(mrtg_t)
-
-kernel_read_system_state(mrtg_t)
-kernel_read_network_state(mrtg_t)
-kernel_read_kernel_sysctls(mrtg_t)
-
-corecmd_exec_bin(mrtg_t)
-corecmd_exec_sbin(mrtg_t)
-corecmd_exec_shell(mrtg_t)
-
-corenet_non_ipsec_sendrecv(mrtg_t)
-corenet_tcp_sendrecv_generic_if(mrtg_t)
-corenet_udp_sendrecv_generic_if(mrtg_t)
-corenet_tcp_sendrecv_all_nodes(mrtg_t)
-corenet_udp_sendrecv_all_nodes(mrtg_t)
-corenet_tcp_sendrecv_all_ports(mrtg_t)
-corenet_udp_sendrecv_all_ports(mrtg_t)
-corenet_tcp_connect_all_ports(mrtg_t)
-corenet_sendrecv_all_client_packets(mrtg_t)
-
-dev_read_sysfs(mrtg_t)
-dev_read_urand(mrtg_t)
-
-domain_use_interactive_fds(mrtg_t)
-
-files_read_usr_files(mrtg_t)
-files_search_var(mrtg_t)
-files_search_locks(mrtg_t)
-files_search_var_lib(mrtg_t)
-files_search_spool(mrtg_t)
-files_getattr_tmp_dirs(mrtg_t)
-# for uptime
-files_read_etc_runtime_files(mrtg_t)
-
-fs_search_auto_mountpoints(mrtg_t)
-fs_getattr_xattr_fs(mrtg_t)
-
-term_dontaudit_use_console(mrtg_t)
-
-init_use_fds(mrtg_t)
-init_use_script_ptys(mrtg_t)
-# for uptime
-init_read_utmp(mrtg_t)
-init_dontaudit_write_utmp(mrtg_t)
-
-libs_read_lib_files(mrtg_t)
-libs_use_ld_so(mrtg_t)
-libs_use_shared_libs(mrtg_t)
-
-logging_send_syslog_msg(mrtg_t)
-
-miscfiles_read_localization(mrtg_t)
-
-selinux_dontaudit_getattr_dir(mrtg_t)
-
-# Use the network.
-sysnet_read_config(mrtg_t)
-
-userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
-userdom_use_sysadm_terms(mrtg_t)
-
-ifdef(`distro_redhat',`
-	allow mrtg_t mrtg_etc_t:dir rw_dir_perms;
-	allow mrtg_t mrtg_lock_t:file create_file_perms;
-	type_transition mrtg_t mrtg_etc_t:file mrtg_lock_t;
-')
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(mrtg_t)
-	term_dontaudit_use_generic_ptys(mrtg_t)
-	files_dontaudit_read_root_files(mrtg_t)
-')
-
-optional_policy(`
-	apache_manage_sys_content(mrtg_t)
-')
-
-optional_policy(`
-	cron_system_entry(mrtg_t,mrtg_exec_t)
-')
-
-optional_policy(`
-	hostname_exec(mrtg_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(mrtg_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(mrtg_t)
-')
-
-optional_policy(`
-	quota_dontaudit_getattr_db(mrtg_t)
-')
-
-optional_policy(`
-	snmp_udp_chat(mrtg_t)
-	snmp_read_snmp_var_lib_files(mrtg_t)
-')
-
-optional_policy(`
-	udev_read_db(mrtg_t)
-')
-
-ifdef(`TODO',`
-	# should not need this!
-	dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
-	dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
-	dontaudit mrtg_t root_t:lnk_file getattr;
-')
diff --git a/refpolicy/policy/modules/admin/netutils.fc b/refpolicy/policy/modules/admin/netutils.fc
deleted file mode 100644
index a2fecb4..0000000
--- a/refpolicy/policy/modules/admin/netutils.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-
-/bin/ping.* 		--	gen_context(system_u:object_r:ping_exec_t,s0)
-/bin/tracepath.*		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
-/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
-
-/sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
-
-/usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
-/usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
-/usr/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
-
-/usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
-/usr/sbin/hping2		--	gen_context(system_u:object_r:ping_exec_t,s0)
-/usr/sbin/tcpdump	--	gen_context(system_u:object_r:netutils_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
deleted file mode 100644
index 9fdfc1f..0000000
--- a/refpolicy/policy/modules/admin/netutils.if
+++ /dev/null
@@ -1,323 +0,0 @@
-## <summary>Network analysis utilities</summary>
-
-########################################
-## <summary>
-##	Execute network utilities in the netutils domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`netutils_domtrans',`
-	gen_require(`
-		type netutils_t, netutils_exec_t;
-	')
-
-	domain_auto_trans($1,netutils_exec_t,netutils_t)
-
-	allow $1 netutils_t:fd use;
-	allow netutils_t $1:fd use;
-	allow netutils_t $1:fifo_file rw_file_perms;
-	allow netutils_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute network utilities in the netutils domain, and
-##	allow the specified role the netutils domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the netutils domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the netutils domain to use.
-##	</summary>
-## </param>
-#
-interface(`netutils_run',`
-	gen_require(`
-		type netutils_t;
-	')
-
-	netutils_domtrans($1)
-	role $2 types netutils_t;
-	allow netutils_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute network utilities in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`netutils_exec',`
-	gen_require(`
-		type netutils_exec_t;
-	')
-
-	can_exec($1,netutils_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute ping in the ping domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`netutils_domtrans_ping',`
-	gen_require(`
-		type ping_t, ping_exec_t;
-	')
-
-	domain_auto_trans($1,ping_exec_t,ping_t)
-
-	allow $1 ping_t:fd use;
-	allow ping_t $1:fd use;
-	allow ping_t $1:fifo_file rw_file_perms;
-	allow ping_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send a kill (SIGKILL) signal to ping.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`netutils_kill_ping',`
-	gen_require(`
-		type ping_t;
-	')
-
-	allow $1 ping_t:process sigkill;
-')
-
-########################################
-## <summary>
-##	Send generic signals to ping.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`netutils_signal_ping',`
-	gen_require(`
-		type ping_t;
-	')
-
-	allow $1 ping_t:process signal;
-')
-
-########################################
-## <summary>
-##	Execute ping in the ping domain, and
-##	allow the specified role the ping domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the ping domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ping domain to use.
-##	</summary>
-## </param>
-#
-interface(`netutils_run_ping',`
-	gen_require(`
-		type ping_t;
-	')
-
-	netutils_domtrans_ping($1)
-	role $2 types ping_t;
-	allow ping_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Conditionally execute ping in the ping domain, and
-##	allow the specified role the ping domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the ping domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ping domain to use.
-##	</summary>
-## </param>
-#
-interface(`netutils_run_ping_cond',`
-	gen_require(`
-		type ping_t;
-		bool user_ping;
-	')
-
-	role $2 types ping_t;
-
-	if ( user_ping ) {
-		netutils_domtrans_ping($1)
-		allow ping_t $3:chr_file rw_term_perms;
-	}
-')
-
-########################################
-## <summary>
-##	Execute ping in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`netutils_exec_ping',`
-	gen_require(`
-		type ping_exec_t;
-	')
-
-	can_exec($1,ping_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute traceroute in the traceroute domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`netutils_domtrans_traceroute',`
-	gen_require(`
-		type traceroute_t, traceroute_exec_t;
-	')
-
-	domain_auto_trans($1,traceroute_exec_t,traceroute_t)
-
-	allow $1 traceroute_t:fd use;
-	allow traceroute_t $1:fd use;
-	allow traceroute_t $1:fifo_file rw_file_perms;
-	allow traceroute_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute traceroute in the traceroute domain, and
-##	allow the specified role the traceroute domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the traceroute domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the traceroute domain to use.
-##	</summary>
-## </param>
-#
-interface(`netutils_run_traceroute',`
-	gen_require(`
-		type traceroute_t;
-	')
-
-	netutils_domtrans_traceroute($1)
-	role $2 types traceroute_t;
-	allow traceroute_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Conditionally execute traceroute in the traceroute domain, and
-##	allow the specified role the traceroute domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the traceroute domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the traceroute domain to use.
-##	</summary>
-## </param>
-#
-interface(`netutils_run_traceroute_cond',`
-	gen_require(`
-		type traceroute_t;
-		bool user_ping;
-	')
-
-	role $2 types traceroute_t;
-
-	if( user_ping ) {
-		netutils_domtrans_traceroute($1)
-		allow traceroute_t $3:chr_file rw_term_perms;
-	}
-')
-
-########################################
-## <summary>
-##	Execute traceroute in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`netutils_exec_traceroute',`
-	gen_require(`
-		type traceroute_exec_t;
-	')
-
-	can_exec($1,traceroute_exec_t)
-')
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
deleted file mode 100644
index d5766aa..0000000
--- a/refpolicy/policy/modules/admin/netutils.te
+++ /dev/null
@@ -1,227 +0,0 @@
-
-policy_module(netutils,1.1.4)
-
-########################################
-#
-# Declarations
-#
-
-type netutils_t;
-type netutils_exec_t;
-init_system_domain(netutils_t,netutils_exec_t)
-role system_r types netutils_t;
-
-type netutils_tmp_t;
-files_tmp_file(netutils_tmp_t)
-
-type ping_t;
-type ping_exec_t;
-init_system_domain(ping_t,ping_exec_t)
-role system_r types ping_t;
-
-type traceroute_t;
-type traceroute_exec_t;
-init_system_domain(traceroute_t,traceroute_exec_t)
-role system_r types traceroute_t;
-
-########################################
-#
-# Netutils local policy
-#
-
-# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { net_admin net_raw setuid setgid };
-allow netutils_t self:process { sigkill sigstop signull signal };
-allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow netutils_t self:packet_socket create_socket_perms;
-allow netutils_t self:udp_socket create_socket_perms;
-allow netutils_t self:tcp_socket create_stream_socket_perms;
-
-allow netutils_t netutils_tmp_t:dir create_dir_perms;
-allow netutils_t netutils_tmp_t:file create_file_perms;
-files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
-
-kernel_search_proc(netutils_t)
-
-corenet_non_ipsec_sendrecv(netutils_t)
-corenet_tcp_sendrecv_all_if(netutils_t)
-corenet_raw_sendrecv_all_if(netutils_t)
-corenet_udp_sendrecv_all_if(netutils_t)
-corenet_tcp_sendrecv_all_nodes(netutils_t)
-corenet_raw_sendrecv_all_nodes(netutils_t)
-corenet_udp_sendrecv_all_nodes(netutils_t)
-corenet_tcp_sendrecv_all_ports(netutils_t)
-corenet_udp_sendrecv_all_ports(netutils_t)
-corenet_tcp_connect_all_ports(netutils_t)
-corenet_sendrecv_all_client_packets(netutils_t)
-corenet_udp_bind_generic_node(netutils_t)
-
-fs_getattr_xattr_fs(netutils_t)
-
-domain_use_interactive_fds(netutils_t)
-
-files_read_etc_files(netutils_t)
-# for nscd
-files_dontaudit_search_var(netutils_t)
-
-init_use_fds(netutils_t)
-init_use_script_ptys(netutils_t)
-
-libs_use_ld_so(netutils_t)
-libs_use_shared_libs(netutils_t)
-
-logging_send_syslog_msg(netutils_t)
-
-miscfiles_read_localization(netutils_t)
-
-sysnet_read_config(netutils_t)
-
-userdom_use_all_users_fds(netutils_t)
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(netutils_t)
-	term_use_unallocated_ttys(netutils_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(netutils_t)
-')
-
-########################################
-#
-# Ping local policy
-#
-
-allow ping_t self:capability { setuid net_raw };
-dontaudit ping_t self:capability sys_tty_config;
-
-allow ping_t self:tcp_socket create_socket_perms;
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
-
-corenet_non_ipsec_sendrecv(ping_t)
-corenet_tcp_sendrecv_all_if(ping_t)
-corenet_raw_sendrecv_all_if(ping_t)
-corenet_raw_sendrecv_all_nodes(ping_t)
-corenet_tcp_sendrecv_all_nodes(ping_t)
-corenet_tcp_sendrecv_all_ports(ping_t)
-
-fs_dontaudit_getattr_xattr_fs(ping_t)
-
-domain_use_interactive_fds(ping_t)
-
-files_read_etc_files(ping_t)
-files_dontaudit_search_var(ping_t)
-
-libs_use_ld_so(ping_t)
-libs_use_shared_libs(ping_t)
-
-sysnet_read_config(ping_t)
-sysnet_dns_name_resolve(ping_t)
-
-logging_send_syslog_msg(ping_t)
-
-ifdef(`hide_broken_symptoms',`
-	init_dontaudit_use_fds(ping_t)
-')
-
-ifdef(`targeted_policy',`
-	term_use_unallocated_ttys(ping_t)
-	term_use_generic_ptys(ping_t)
-	term_use_all_user_ttys(ping_t)
-	term_use_all_user_ptys(ping_t)
-',`
-	tunable_policy(`user_ping',`
-		term_use_all_user_ttys(ping_t)
-		term_use_all_user_ptys(ping_t)
-	')
-')
-
-optional_policy(`
-	nis_use_ypbind(ping_t)
-')
-
-optional_policy(`
-	nscd_socket_use(ping_t)
-')
-
-optional_policy(`
-	pcmcia_use_cardmgr_fds(ping_t)
-')
-
-optional_policy(`
-	hotplug_use_fds(ping_t)
-')
-
-########################################
-#
-# Traceroute local policy
-#
-
-allow traceroute_t self:capability { net_admin net_raw setuid setgid };
-allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:packet_socket create_socket_perms;
-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow traceroute_t self:udp_socket create_socket_perms;
-
-kernel_read_system_state(traceroute_t)
-kernel_read_network_state(traceroute_t)
-
-corenet_non_ipsec_sendrecv(traceroute_t)
-corenet_tcp_sendrecv_all_if(traceroute_t)
-corenet_udp_sendrecv_all_if(traceroute_t)
-corenet_raw_sendrecv_all_if(traceroute_t)
-corenet_tcp_sendrecv_all_nodes(traceroute_t)
-corenet_udp_sendrecv_all_nodes(traceroute_t)
-corenet_raw_sendrecv_all_nodes(traceroute_t)
-corenet_tcp_sendrecv_all_ports(traceroute_t)
-corenet_udp_sendrecv_all_ports(traceroute_t)
-corenet_udp_bind_all_nodes(traceroute_t)
-corenet_tcp_bind_all_nodes(traceroute_t)
-# traceroute needs this but not tracepath
-corenet_raw_bind_all_nodes(traceroute_t)
-corenet_udp_bind_traceroute_port(traceroute_t)
-corenet_tcp_connect_all_ports(traceroute_t)
-corenet_sendrecv_all_client_packets(traceroute_t)
-corenet_sendrecv_traceroute_server_packets(traceroute_t)
-
-fs_dontaudit_getattr_xattr_fs(traceroute_t)
-
-domain_use_interactive_fds(traceroute_t)
-
-files_read_etc_files(traceroute_t)
-files_dontaudit_search_var(traceroute_t)
-
-init_use_fds(traceroute_t)
-
-libs_use_ld_so(traceroute_t)
-libs_use_shared_libs(traceroute_t)
-
-logging_send_syslog_msg(traceroute_t)
-
-miscfiles_read_localization(traceroute_t)
-
-#rules needed for nmap
-dev_read_rand(traceroute_t)
-dev_read_urand(traceroute_t)
-files_read_usr_files(traceroute_t)
-
-sysnet_read_config(traceroute_t)
-
-ifdef(`targeted_policy',`
-	term_use_unallocated_ttys(traceroute_t)
-	term_use_generic_ptys(traceroute_t)
-')
-
-tunable_policy(`user_ping',`
-	term_use_all_user_ttys(traceroute_t)
-	term_use_all_user_ptys(traceroute_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(traceroute_t)
-')
-
-optional_policy(`
-	nscd_socket_use(traceroute_t)
-')
diff --git a/refpolicy/policy/modules/admin/portage.fc b/refpolicy/policy/modules/admin/portage.fc
deleted file mode 100644
index 76d3408..0000000
--- a/refpolicy/policy/modules/admin/portage.fc
+++ /dev/null
@@ -1,22 +0,0 @@
-/etc/make.conf			--	gen_context(system_u:object_r:portage_conf_t,s0)
-/etc/make.globals		--	gen_context(system_u:object_r:portage_conf_t,s0)
-/etc/portage(/.*)?			gen_context(system_u:object_r:portage_conf_t,s0)
-
-/usr/bin/gcc-config		--	gen_context(system_u:object_r:gcc_config_exec_t,s0)
-/usr/bin/sandbox		--	gen_context(system_u:object_r:portage_exec_t,s0)
-
-/usr/lib(64)?/portage/bin/ebuild --	gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib(64)?/portage/bin/emerge --	gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib(64)?/portage/bin/quickpkg --	gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib(64)?/portage/bin/ebuild.sh --	gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib(64)?/portage/bin/regenworld --	gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib(64)?/portage/bin/sandbox --	gen_context(system_u:object_r:portage_exec_t,s0)
-
-/usr/portage(/.*)?			gen_context(system_u:object_r:portage_ebuild_t,s0)
-
-/var/db/pkg(/.*)?			gen_context(system_u:object_r:portage_db_t,s0)
-/var/cache/edb(/.*)?			gen_context(system_u:object_r:portage_cache_t,s0)
-/var/log/emerge.log.*		--	gen_context(system_u:object_r:portage_log_t,s0)
-/var/lib/portage(/.*)?			gen_context(system_u:object_r:portage_cache_t,s0)
-/var/tmp/portage(/.*)?			gen_context(system_u:object_r:portage_tmp_t,s0)
-/var/tmp/portage-pkg(/.*)?		gen_context(system_u:object_r:portage_tmp_t,s0)
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
deleted file mode 100644
index 39407bc..0000000
--- a/refpolicy/policy/modules/admin/portage.if
+++ /dev/null
@@ -1,409 +0,0 @@
-## <summary>
-##	Portage Package Management System. The primary package management and
-##	distribution system for Gentoo.
-## </summary>
-
-########################################
-## <summary>
-##	Execute emerge in the portage domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`portage_domtrans',`
-	gen_require(`
-		type portage_t, portage_t.merge, portage_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-
-	# constraining domain
-	domain_trans($1,portage_exec_t,portage_t)
-	allow portage_t $1:fd use;
-	allow portage_t $1:fifo_file rw_file_perms;
-	allow portage_t $1:process sigchld;
-
-	# transition to portage
-	domain_auto_trans($1,portage_exec_t,portage_t.merge)
-	allow portage_t.merge $1:fd use;
-	allow portage_t.merge $1:fifo_file rw_file_perms;
-	allow portage_t.merge $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute emerge in the portage domain, and
-##	allow the specified role the portage domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the portage domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow for portage to use.
-##	</summary>
-## </param>
-#
-interface(`portage_run',`
-	gen_require(`
-		type portage_t;
-		type portage_t.merge, portage_t.fetch, portage_t.sandbox;
-	')
-
-	portage_domtrans($1)
-
-	# constraining access
-	role $2 types portage_t;
-	allow portage_t $3:chr_file rw_term_perms;
-
-	# specific access
-	role $2 types { portage_t.merge portage_t.fetch portage_t.sandbox };
-	allow portage_t.merge $3:chr_file rw_term_perms;
-	allow portage_t.fetch $3:chr_file rw_term_perms;
-	allow portage_t.sandbox $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Template for portage sandbox.
-## </summary>
-## <desc>
-##	<p>
-##	Template for portage sandbox.  Portage
-##	does all compiling in the sandbox.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain Allowed Access
-##	</summary>
-## </param>
-#
-interface(`portage_compile_domain',`
-
-	gen_require(`
-		class dbus send_msg;
-	')
-
-	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
-	dontaudit $1 self:capability sys_chroot;
-	allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
-	allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1 self:fd use;
-	allow $1 self:fifo_file rw_file_perms;
-	allow $1 self:shm create_shm_perms;
-	allow $1 self:sem create_sem_perms;
-	allow $1 self:msgq create_msgq_perms;
-	allow $1 self:msg { send receive };
-	allow $1 self:unix_dgram_socket create_socket_perms;
-	allow $1 self:unix_stream_socket create_stream_socket_perms;
-	allow $1 self:unix_dgram_socket sendto;
-	allow $1 self:unix_stream_socket connectto;
-	# really shouldnt need this
-	allow $1 self:tcp_socket create_stream_socket_perms;
-	allow $1 self:udp_socket create_socket_perms;
-	# misc networking stuff (esp needed for compiling perl):
-	allow $1 self:rawip_socket { create ioctl };
-	allow $1 self:udp_socket recvfrom;
-	# needed for merging dbus:
-	allow $1 self:netlink_selinux_socket { bind create read };
-	allow $1 self:dbus send_msg;
-
-	allow $1 portage_devpts_t:chr_file { rw_file_perms setattr };
-	term_create_pty($1,portage_devpts_t)
-
-	# write compile logs
-	allow $1 portage_log_t:dir setattr;
-	allow $1 portage_log_t:file { append write setattr };
-
-	# run scripts out of the build directory
-	can_exec(portage_sandbox_t,portage_tmp_t)
-
-	allow $1 portage_tmp_t:dir manage_dir_perms;
-	allow $1 portage_tmp_t:file manage_file_perms;
-	allow $1 portage_tmp_t:lnk_file create_lnk_perms;
-	allow $1 portage_tmp_t:fifo_file manage_file_perms;
-	allow $1 portage_tmp_t:sock_file manage_file_perms;
-	files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $1 portage_tmpfs_t:dir rw_dir_perms;
-	allow $1 portage_tmpfs_t:file manage_file_perms;
-	allow $1 portage_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1 portage_tmpfs_t:sock_file manage_file_perms;
-	allow $1 portage_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	kernel_read_system_state($1)
-	kernel_read_network_state($1)
-	kernel_read_software_raid_state($1)
-	kernel_getattr_core_if($1)
-	kernel_getattr_message_if($1)
-	kernel_read_kernel_sysctls($1)
-
-	corecmd_exec_all_executables($1)
-
-	# really shouldnt need this but some packages test
-	# network access, such as during configure
-	# also distcc--need to reinvestigate confining distcc client
-	corenet_non_ipsec_sendrecv($1)
-	corenet_tcp_sendrecv_generic_if($1)
-	corenet_udp_sendrecv_generic_if($1)
-	corenet_raw_sendrecv_generic_if($1)
-	corenet_tcp_sendrecv_all_nodes($1)
-	corenet_udp_sendrecv_all_nodes($1)
-	corenet_raw_sendrecv_all_nodes($1)
-	corenet_tcp_sendrecv_all_ports($1)
-	corenet_udp_sendrecv_all_ports($1)
-	corenet_tcp_connect_all_reserved_ports($1)
-	corenet_tcp_connect_distccd_port($1)
-
-	dev_read_sysfs($1)
-	dev_read_rand($1)
-	dev_read_urand($1)
-
-	domain_use_interactive_fds($1)
-
-	files_exec_etc_files($1)
-	files_exec_usr_src_files($1)
-
-	fs_getattr_xattr_fs($1)
-	fs_list_noxattr_fs($1)
-	fs_read_noxattr_fs_files($1)
-	fs_read_noxattr_fs_symlinks($1)
-	fs_search_auto_mountpoints($1)
-
-	# needed for merging dbus:
-	selinux_compute_access_vector($1)
-
-	auth_read_all_dirs_except_shadow($1)
-	auth_read_all_files_except_shadow($1)
-	auth_read_all_symlinks_except_shadow($1)
-
-	libs_use_ld_so($1)
-	libs_use_shared_libs($1)
-	libs_exec_lib_files($1)
-	# some config scripts use ldd
-	libs_exec_ld_so($1)
-	# this violates the idea of sandbox, but
-	# regular sandbox allows it
-	libs_domtrans_ldconfig($1)
-
-	logging_send_syslog_msg($1)
-
-	ifdef(`TODO',`
-	# some gui ebuilds want to interact with X server, like xawtv
-	optional_policy(`
-		allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
-		allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
-	')
-	') dnl end TODO
-')
-
-########################################
-## <summary>
-##	Template for portage fetch.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain Allowed Access
-##	</summary>
-## </param>
-#
-interface(`portage_fetch_domain',`
-
-	allow $1 self:capability dac_override;
-	dontaudit $1 self:capability { fowner fsetid };
-	allow $1 self:process signal;
-	allow $1 self:unix_stream_socket create_socket_perms;
-	allow $1 self:tcp_socket create_stream_socket_perms;
-
-	allow $1 portage_conf_t:dir list_dir_perms;
-	allow $1 portage_conf_t:file read_file_perms;
-
-	allow $1 portage_ebuild_t:dir manage_dir_perms;
-	allow $1 portage_ebuild_t:file manage_file_perms;
-
-	allow $1 portage_fetch_tmp_t:dir manage_dir_perms;
-	allow $1 portage_fetch_tmp_t:file manage_file_perms;
-
-	# portage makes home dir the portage tmp dir, so
-	# wget looks for .wgetrc there
-	dontaudit $1 portage_tmp_t:dir search_dir_perms;
-
-	kernel_read_system_state($1)
-	kernel_read_kernel_sysctls($1)
-
-	corecmd_exec_bin($1)
-	corecmd_exec_sbin($1)
-
-	corenet_non_ipsec_sendrecv($1)
-	corenet_tcp_sendrecv_generic_if($1)
-	corenet_tcp_sendrecv_all_nodes($1)
-	corenet_tcp_sendrecv_all_ports($1)
-	# would rather not connect to unspecified ports, but
-	# it occasionally comes up
-	corenet_tcp_connect_all_reserved_ports($1)
-	corenet_tcp_connect_generic_port($1)
-
-	dev_dontaudit_read_rand($1)
-
-	domain_use_interactive_fds($1)
-
-	files_read_etc_files($1)
-	files_read_etc_runtime_files($1)
-	files_search_var($1)
-	files_dontaudit_search_pids($1)
-
-	term_search_ptys($1)
-
-	libs_use_ld_so($1)
-	libs_use_shared_libs($1)
-
-	miscfiles_read_localization($1)
-
-	sysnet_read_config($1)
-	sysnet_dns_name_resolve($1)
-
-	userdom_dontaudit_read_sysadm_home_content_files($1)
-
-	ifdef(`hide_broken_symptoms',`
-		dontaudit $1 portage_cache_t:file read;
-	')
-')
-
-########################################
-## <summary>
-##	Template for portage main.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain Allowed Access
-##	</summary>
-## </param>
-#
-interface(`portage_main_domain',`
-
-	# - setfscreate for merging to live fs
-	# - setexec to run portage fetch
-	allow $1 self:process { setfscreate setexec };
-
-	# if sesandbox is disabled, compiles are
-	# performed in the main domain
-	portage_compile_domain($1)
-
-	allow $1 portage_log_t:file create_file_perms;
-	logging_log_filetrans($1,portage_log_t,file)
-
-	# run scripts out of the build directory
-	can_exec($1,portage_tmp_t)
-
-	# merging baselayout will need this:
-	kernel_write_proc_files($1)
-
-	domain_dontaudit_read_all_domains_state($1)
-
-	# modify any files in the system
-	files_manage_all_files($1)
-
-	selinux_get_fs_mount($1)
-
-	auth_manage_shadow($1)
-
-	# merging baselayout will need this:
-	init_exec($1)
-
-	# run setfiles -r
-	seutil_domtrans_setfiles($1)
-
-	portage_domtrans_gcc_config($1)
-
-	optional_policy(`
-		bootloader_domtrans($1)
-	')
-
-	optional_policy(`
-		modutils_domtrans_depmod($1)
-		modutils_domtrans_update_mods($1)
-		#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
-	')
-
-	optional_policy(`
-		usermanage_domtrans_groupadd($1)
-		usermanage_domtrans_useradd($1)
-	')
-
-	ifdef(`TODO',`
-	# seems to work ok without these
-	dontaudit portage_t device_t:{ blk_file chr_file } getattr;
-	dontaudit portage_t proc_t:dir setattr;
-	dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Execute gcc-config in the gcc_config domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`portage_domtrans_gcc_config',`
-	gen_require(`
-		type gcc_config_t, gcc_config_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-
-	domain_auto_trans($1,gcc_config_exec_t,gcc_config_t)
-	allow gcc_config_t $1:fd use;
-	allow gcc_config_t $1:fifo_file rw_file_perms;
-	allow gcc_config_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute gcc-config in the gcc_config domain, and
-##	allow the specified role the gcc_config domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the gcc_config domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow for gcc_config to use.
-##	</summary>
-## </param>
-#
-interface(`portage_run_gcc_config',`
-	gen_require(`
-		type gcc_config_t;
-	')
-
-	portage_domtrans_gcc_config($1)
-
-	# constraining access
-	role $2 types gcc_config_t;
-	allow gcc_config_t $3:chr_file rw_term_perms;
-')
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
deleted file mode 100644
index 00351d1..0000000
--- a/refpolicy/policy/modules/admin/portage.te
+++ /dev/null
@@ -1,194 +0,0 @@
-
-policy_module(portage,1.0.4)
-
-########################################
-#
-# Declarations
-#
-
-type gcc_config_t;
-type gcc_config_exec_t;
-domain_type(gcc_config_t)
-domain_entry_file(gcc_config_t,gcc_config_exec_t)
-
-# constraining type
-type portage_t;
-type portage_exec_t;
-domain_type(portage_t)
-domain_entry_file(portage_t,portage_exec_t)
-rsync_entry_type(portage_t)
-corecmd_shell_entry_type(portage_t)
-domain_entry_file(portage_t,portage_exec_t)
-
-# portage domain for merging packages to the live fs
-type portage_t.merge;
-domain_type(portage_t.merge)
-domain_entry_file(portage_t.merge,portage_exec_t)
-domain_obj_id_change_exemption(portage_t.merge)
-
-# portage compile sandbox domain
-type portage_t.sandbox alias portage_sandbox_t;
-domain_type(portage_t.sandbox)
-# the shell is the entrypoint if regular sandbox is disabled
-# portage_exec_t is the entrypoint if regular sandbox is enabled
-corecmd_shell_entry_type(portage_t.sandbox)
-domain_entry_file(portage_t.sandbox,portage_exec_t)
-
-# portage package fetching domain
-type portage_t.fetch alias portage_fetch_t;
-domain_type(portage_t.fetch)
-corecmd_shell_entry_type(portage_t.fetch)
-rsync_entry_type(portage_t.fetch)
-
-type portage_devpts_t;
-term_pty(portage_devpts_t)
-
-type portage_ebuild_t;
-files_type(portage_ebuild_t)
-
-type portage_fetch_tmp_t;
-files_tmp_file(portage_fetch_tmp_t)
-
-type portage_db_t;
-files_type(portage_db_t)
-
-type portage_conf_t;
-files_type(portage_conf_t)
-
-type portage_cache_t;
-files_type(portage_cache_t)
-
-type portage_log_t;
-logging_log_file(portage_log_t)
-
-type portage_tmp_t;
-files_tmp_file(portage_tmp_t)
-
-type portage_tmpfs_t;
-files_tmpfs_file(portage_tmpfs_t)
-
-########################################
-#
-# gcc-config policy
-#
-
-allow gcc_config_t self:capability { chown fsetid };
-allow gcc_config_t self:fifo_file rw_file_perms;
-
-allow gcc_config_t portage_cache_t:dir rw_dir_perms;
-allow gcc_config_t portage_cache_t:file create_file_perms;
-
-allow gcc_config_t portage_conf_t:dir search_dir_perms;
-allow gcc_config_t portage_conf_t:file read_file_perms;
-
-allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
-allow gcc_config_t portage_ebuild_t:file read_file_perms;
-
-allow gcc_config_t portage_exec_t:file { execute getattr };
-
-kernel_read_system_state(gcc_config_t)
-kernel_read_kernel_sysctls(gcc_config_t)
-
-corecmd_exec_shell(gcc_config_t)
-corecmd_exec_ls(gcc_config_t)
-corecmd_exec_bin(gcc_config_t)
-corecmd_exec_sbin(gcc_config_t)
-corecmd_manage_bin_files(gcc_config_t)
-corecmd_read_sbin_symlinks(gcc_config_t)
-
-files_manage_etc_files(gcc_config_t)
-files_rw_etc_runtime_files(gcc_config_t)
-files_search_var_lib(gcc_config_t)
-files_search_pids(gcc_config_t)
-# complains loudly about not being able to list
-# the directory it is being run from
-files_list_all(gcc_config_t)
-
-term_search_ptys(gcc_config_t)
-
-# seems to be ok without this
-init_dontaudit_read_script_status_files(gcc_config_t)
-
-libs_use_ld_so(gcc_config_t)
-libs_use_shared_libs(gcc_config_t)
-libs_read_lib_files(gcc_config_t)
-libs_domtrans_ldconfig(gcc_config_t)
-libs_manage_shared_libs(gcc_config_t)
-files_lib_filetrans_shared_lib(gcc_config_t,file)
-# gcc-config creates a temp dir for the libs
-libs_manage_lib_dirs(gcc_config_t)
-
-logging_send_syslog_msg(gcc_config_t)
-
-miscfiles_read_localization(gcc_config_t)
-
-consoletype_exec(gcc_config_t)
-
-optional_policy(`
-	seutil_use_newrole_fds(gcc_config_t)
-')
-
-########################################
-#
-# Portage Constraining Rules
-#
-
-portage_main_domain(portage_t)
-portage_compile_domain(portage_t)
-portage_fetch_domain(portage_t)
-
-# transition between child domains on shells and rsync
-corecmd_shell_spec_domtrans(portage_t,portage_t)
-rsync_entry_spec_domtrans(portage_t,portage_t)
-
-########################################
-#
-# Portage Merging Rules
-#
-
-portage_main_domain(portage_t.merge)
-
-# if sesandbox is disabled, compiling is performed in this domain
-portage_compile_domain(portage_t.merge)
-
-allow portage_t.merge portage_t.fetch:process signal;
-
-# transition for rsync and wget
-corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)
-rsync_entry_domtrans(portage_t.merge,portage_t.fetch)
-allow portage_t.fetch portage_t.merge:fd use;
-allow portage_t.fetch portage_t.merge:fifo_file rw_file_perms;
-allow portage_t.fetch portage_t.merge:process sigchld;
-
-# transition to sandbox for compiling
-domain_trans(portage_t.merge,portage_exec_t,portage_t.sandbox)
-corecmd_shell_spec_domtrans(portage_t.merge,portage_t.sandbox)
-allow portage_t.sandbox portage_t.merge:fd use;
-allow portage_t.sandbox portage_t.merge:fifo_file rw_file_perms;
-allow portage_t.sandbox portage_t.merge:process sigchld;
-
-##########################################
-#
-# Portage fetch domain
-# - for rsync and distfile fetching
-#
-
-portage_fetch_domain(portage_t.fetch)
-
-# this rule is outside of the above macro to fix conflicting type
-# transitions seen in the rules for the constraining type (portage_t)
-files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir })
-
-##########################################
-#
-# Portage sandbox domain
-# - SELinux-enforced sandbox
-#
-
-portage_compile_domain(portage_t.sandbox)
-
-ifdef(`hide_broken_symptoms',`
-	# leaked descriptors
-	dontaudit portage_t.sandbox portage_cache_t:dir { setattr };
-	dontaudit portage_t.sandbox portage_cache_t:file { setattr write };
-')
diff --git a/refpolicy/policy/modules/admin/prelink.fc b/refpolicy/policy/modules/admin/prelink.fc
deleted file mode 100644
index 7d2b81b..0000000
--- a/refpolicy/policy/modules/admin/prelink.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-
-/etc/prelink\.cache		--	gen_context(system_u:object_r:prelink_cache_t,s0)
-
-/usr/sbin/prelink(\.bin)?	--	gen_context(system_u:object_r:prelink_exec_t,s0)
-
-/var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
-/var/log/prelink(/.*)?			gen_context(system_u:object_r:prelink_log_t,s0)
diff --git a/refpolicy/policy/modules/admin/prelink.if b/refpolicy/policy/modules/admin/prelink.if
deleted file mode 100644
index 899fc9d..0000000
--- a/refpolicy/policy/modules/admin/prelink.if
+++ /dev/null
@@ -1,102 +0,0 @@
-## <summary>Prelink ELF shared library mappings.</summary>
-
-########################################
-## <summary>
-##	Execute the prelink program in the prelink domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`prelink_domtrans',`
-	gen_require(`
-		type prelink_t, prelink_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1, prelink_exec_t, prelink_t)
-
-	allow $1 prelink_t:fd use;
-	allow prelink_t $1:fd use;
-	allow prelink_t $1:fifo_file rw_file_perms;
-	allow prelink_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Make the specified file type prelinkable.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	File type to be prelinked.
-##	</summary>
-## </param>
-#
-# cjp: added for misc non-entrypoint objects
-interface(`prelink_object_file',`
-	gen_require(`
-		attribute prelink_object;
-	')
-
-	typeattribute $1 prelink_object;
-')
-
-########################################
-## <summary>
-##	Read the prelink cache.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`prelink_read_cache',`
-	gen_require(`
-		type prelink_cache_t;
-	')
-
-	files_search_etc($1)
-	allow $1 prelink_cache_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Delete the prelink cache.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`prelink_delete_cache',`
-	gen_require(`
-		type prelink_cache_t;
-	')
-
-	allow $1 prelink_cache_t:file unlink;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	prelink log files.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`prelink_manage_log',`
-	gen_require(`
-		type prelink_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 prelink_log_t:dir rw_dir_perms;
-	allow $1 prelink_log_t:file create_file_perms;
-')
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
deleted file mode 100644
index 506215a..0000000
--- a/refpolicy/policy/modules/admin/prelink.te
+++ /dev/null
@@ -1,78 +0,0 @@
-
-policy_module(prelink,1.1.4)
-
-########################################
-#
-# Declarations
-
-attribute prelink_object;
-
-type prelink_t;
-type prelink_exec_t;
-init_system_domain(prelink_t,prelink_exec_t)
-domain_obj_id_change_exemption(prelink_t)
-
-type prelink_cache_t;
-files_type(prelink_cache_t)
-
-type prelink_log_t;
-logging_log_file(prelink_log_t)
-
-########################################
-#
-# Local policy
-#
-
-allow prelink_t self:capability { chown dac_override fowner fsetid };
-allow prelink_t self:process { execheap execmem execstack };
-allow prelink_t self:fifo_file rw_file_perms;
-
-allow prelink_t prelink_cache_t:file manage_file_perms;
-files_etc_filetrans(prelink_t, prelink_cache_t, file)
-files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
-
-allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
-allow prelink_t prelink_log_t:file { create ra_file_perms };
-allow prelink_t prelink_log_t:lnk_file read;
-logging_log_filetrans(prelink_t, prelink_log_t, file)
-
-# prelink misc objects that are not system
-# libraries or entrypoints
-allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };
-
-kernel_read_system_state(prelink_t)
-kernel_dontaudit_search_kernel_sysctl(prelink_t)
-kernel_dontaudit_search_sysctl(prelink_t)
-
-corecmd_manage_all_executables(prelink_t)
-corecmd_relabel_all_executables(prelink_t)
-corecmd_mmap_all_executables(prelink_t)
-corecmd_read_sbin_symlinks(prelink_t)
-
-dev_read_urand(prelink_t)
-
-files_list_all(prelink_t)
-files_getattr_all_files(prelink_t)
-files_write_non_security_dirs(prelink_t)
-files_read_etc_files(prelink_t)
-files_read_etc_runtime_files(prelink_t)
-
-fs_getattr_xattr_fs(prelink_t)
-
-libs_use_ld_so(prelink_t)
-libs_exec_ld_so(prelink_t)
-libs_manage_ld_so(prelink_t)
-libs_relabel_ld_so(prelink_t)
-libs_use_shared_libs(prelink_t)
-libs_manage_shared_libs(prelink_t)
-libs_relabel_shared_libs(prelink_t)
-libs_use_lib_files(prelink_t)
-libs_manage_lib_files(prelink_t)
-libs_relabel_lib_files(prelink_t)
-libs_delete_lib_symlinks(prelink_t)
-
-miscfiles_read_localization(prelink_t)
-
-optional_policy(`
-	cron_system_entry(prelink_t, prelink_exec_t)
-')
diff --git a/refpolicy/policy/modules/admin/quota.fc b/refpolicy/policy/modules/admin/quota.fc
deleted file mode 100644
index b760aa3..0000000
--- a/refpolicy/policy/modules/admin/quota.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-
-/sbin/quota(check|on)		--	gen_context(system_u:object_r:quota_exec_t,s0)
-
-ifdef(`distro_redhat',`
-/usr/sbin/convertquota		--	gen_context(system_u:object_r:quota_exec_t,s0)
-',`
-/sbin/convertquota		--	gen_context(system_u:object_r:quota_exec_t,s0)
-')
-
-HOME_ROOT/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
-
-/var/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
-
-/var/lib/quota(/.*)?			gen_context(system_u:object_r:quota_flag_t,s0)
diff --git a/refpolicy/policy/modules/admin/quota.if b/refpolicy/policy/modules/admin/quota.if
deleted file mode 100644
index 8d3bac7..0000000
--- a/refpolicy/policy/modules/admin/quota.if
+++ /dev/null
@@ -1,95 +0,0 @@
-## <summary>File system quota management</summary>
-
-########################################
-## <summary>
-##	Execute quota management tools in the quota domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`quota_domtrans',`
-	gen_require(`
-		type quota_t, quota_exec_t;
-	')
-
-	domain_auto_trans($1,quota_exec_t,quota_t)
-
-	allow $1 quota_t:fd use;
-	allow quota_t $1:fd use;
-	allow quota_t $1:fifo_file rw_file_perms;
-	allow quota_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute quota management tools in the quota domain, and
-##	allow the specified role the quota domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the quota domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the quota domain to use.
-##	</summary>
-## </param>
-#
-interface(`quota_run',`
-	gen_require(`
-		type quota_t;
-	')
-
-	quota_domtrans($1)
-	role $2 types quota_t;
-	allow quota_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of filesystem quota data files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`quota_dontaudit_getattr_db',`
-	gen_require(`
-		type quota_db_t;
-	')
-
-	dontaudit $1 quota_db_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete quota
-##	flag files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`quota_manage_flags',`
-	gen_require(`
-		type quota_flag_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 quota_flag_t:dir rw_dir_perms;
-	allow $1 quota_flag_t:file create_file_perms;
-')
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
deleted file mode 100644
index 4f188d2..0000000
--- a/refpolicy/policy/modules/admin/quota.te
+++ /dev/null
@@ -1,85 +0,0 @@
-
-policy_module(quota,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type quota_t;
-type quota_exec_t;
-init_system_domain(quota_t,quota_exec_t)
-
-type quota_db_t;
-files_type(quota_db_t)
-
-type quota_flag_t;
-files_type(quota_flag_t)
-
-allow quota_t self:capability { sys_admin dac_override };
-dontaudit quota_t self:capability sys_tty_config;
-allow quota_t self:process signal_perms;
-
-# for /quota.*
-allow quota_t quota_db_t:file { read write quotaon };
-
-kernel_list_proc(quota_t)
-kernel_read_proc_symlinks(quota_t)
-kernel_read_kernel_sysctls(quota_t)
-
-dev_read_sysfs(quota_t)
-dev_getattr_all_blk_files(quota_t)
-dev_getattr_all_chr_files(quota_t)
-
-fs_get_xattr_fs_quotas(quota_t)
-fs_set_xattr_fs_quotas(quota_t)
-fs_getattr_xattr_fs(quota_t)
-fs_remount_xattr_fs(quota_t)
-fs_search_auto_mountpoints(quota_t)
-
-storage_raw_read_fixed_disk(quota_t)
-
-term_dontaudit_use_console(quota_t)
-
-domain_use_interactive_fds(quota_t)
-
-files_list_all(quota_t)
-files_read_all_files(quota_t)
-files_read_all_symlinks(quota_t)
-files_getattr_all_pipes(quota_t)
-files_getattr_all_sockets(quota_t)
-# Read /etc/mtab.
-files_read_etc_runtime_files(quota_t)
-
-init_use_fds(quota_t)
-init_use_script_ptys(quota_t)
-
-libs_use_ld_so(quota_t)
-libs_use_shared_libs(quota_t)
-
-logging_send_syslog_msg(quota_t)
-
-userdom_dontaudit_use_unpriv_user_fds(quota_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(quota_t)
-	term_dontaudit_use_generic_ptys(quota_t)
-	files_dontaudit_read_root_files(quota_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(quota_t)
-')
-
-optional_policy(`
-	udev_read_db(quota_t)
-')
-
-ifdef(`TODO',`
-# quotacheck creates new quota_db_t files
-file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
-
-allow quota_t file_t:file quotaon;
-
-allow quota_t proc_t:file getattr;
-') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/readahead.fc b/refpolicy/policy/modules/admin/readahead.fc
deleted file mode 100644
index 26c1128..0000000
--- a/refpolicy/policy/modules/admin/readahead.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# /usr
-#
-/usr/sbin/readahead	--	gen_context(system_u:object_r:readahead_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/readahead.if b/refpolicy/policy/modules/admin/readahead.if
deleted file mode 100644
index 47c4723..0000000
--- a/refpolicy/policy/modules/admin/readahead.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Readahead, read files into page cache for improved performance</summary>
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
deleted file mode 100644
index 7f91460..0000000
--- a/refpolicy/policy/modules/admin/readahead.te
+++ /dev/null
@@ -1,81 +0,0 @@
-
-policy_module(readahead,1.2.1)
-
-########################################
-#
-# Declarations
-#
-
-type readahead_t;
-type readahead_exec_t;
-init_daemon_domain(readahead_t,readahead_exec_t)
-
-type readahead_var_run_t;
-files_pid_file(readahead_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
-allow readahead_t self:process signal_perms;
-
-allow readahead_t readahead_var_run_t:file create_file_perms;
-allow readahead_t readahead_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(readahead_t,readahead_var_run_t,file)
-
-kernel_read_kernel_sysctls(readahead_t)
-kernel_read_system_state(readahead_t)
-kernel_dontaudit_getattr_core_if(readahead_t)
-
-dev_read_sysfs(readahead_t)
-dev_getattr_generic_chr_files(readahead_t)
-dev_getattr_generic_blk_files(readahead_t)
-dev_getattr_all_chr_files(readahead_t)
-dev_getattr_all_blk_files(readahead_t)
-dev_dontaudit_read_all_blk_files(readahead_t)
-dev_dontaudit_getattr_memory_dev(readahead_t)
-
-domain_use_interactive_fds(readahead_t)
-
-files_dontaudit_getattr_all_sockets(readahead_t)
-files_list_non_security(readahead_t)
-files_read_non_security_files(readahead_t)
-
-fs_getattr_all_fs(readahead_t)
-fs_search_auto_mountpoints(readahead_t)
-fs_getattr_all_pipes(readahead_t)
-fs_getattr_all_files(readahead_t)
-fs_dontaudit_search_ramfs(readahead_t)
-fs_dontaudit_read_ramfs_pipes(readahead_t)
-fs_dontaudit_read_ramfs_files(readahead_t)
-fs_read_tmpfs_symlinks(readahead_t)
-
-term_dontaudit_use_console(readahead_t)
-
-auth_dontaudit_read_shadow(readahead_t)
-
-init_use_fds(readahead_t)
-init_use_script_ptys(readahead_t)
-init_getattr_initctl(readahead_t)
-
-libs_use_ld_so(readahead_t)
-libs_use_shared_libs(readahead_t)
-
-logging_send_syslog_msg(readahead_t)
-
-miscfiles_read_localization(readahead_t)
-
-userdom_dontaudit_use_unpriv_user_fds(readahead_t)
-userdom_dontaudit_search_sysadm_home_dirs(readahead_t)
-
-ifdef(`targeted_policy',`
-	files_dontaudit_read_root_files(readahead_t)
-	term_dontaudit_use_unallocated_ttys(readahead_t)
-	term_dontaudit_use_generic_ptys(readahead_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(readahead_t)
-')
diff --git a/refpolicy/policy/modules/admin/rpm.fc b/refpolicy/policy/modules/admin/rpm.fc
deleted file mode 100644
index 384715c..0000000
--- a/refpolicy/policy/modules/admin/rpm.fc
+++ /dev/null
@@ -1,41 +0,0 @@
-
-/bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
-
-/usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
-
-/usr/lib(64)?/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
-
-/usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
-
-/usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-
-ifdef(`distro_redhat', `
-/usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/pirut			--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-')
-
-/var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
-
-/var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
-
-/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
-/var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
-
-# SuSE
-ifdef(`distro_suse', `
-/usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/sbin/yast2			--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/var/lib/YaST2(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/log/YaST2(/.*)?			gen_context(system_u:object_r:rpm_log_t,s0)
-')
-
-ifdef(`enable_mls',`
-/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
-')
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
deleted file mode 100644
index 00f1b98..0000000
--- a/refpolicy/policy/modules/admin/rpm.if
+++ /dev/null
@@ -1,258 +0,0 @@
-## <summary>Policy for the RPM package manager.</summary>
-
-########################################
-## <summary>
-##	Execute rpm programs in the rpm domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpm_domtrans',`
-	gen_require(`
-		type rpm_t, rpm_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,rpm_exec_t,rpm_t)
-
-	allow $1 rpm_t:fd use;
-	allow rpm_t $1:fd use;
-	allow rpm_t $1:fifo_file rw_file_perms;
-	allow rpm_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute rpm_script programs in the rpm_script domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rpm_domtrans_script',`
-	gen_require(`
-		type rpm_script_t;
-	')
-
-	# transition to rpm script:
-	corecmd_shell_domtrans($1,rpm_script_t)
-
-	allow $1 rpm_script_t:fd use;
-	allow rpm_script_t $1:fd use;
-	allow rpm_script_t $1:fifo_file rw_file_perms;
-	allow rpm_script_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute RPM programs in the RPM domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the RPM domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the RPM domain to use.
-##	</summary>
-## </param>
-#
-interface(`rpm_run',`
-	gen_require(`
-		type rpm_t, rpm_script_t;
-	')
-
-	rpm_domtrans($1)
-	role $2 types rpm_t;
-	role $2 types rpm_script_t;
-	seutil_run_loadpolicy(rpm_script_t,$2,$3)
-	seutil_run_semanage(rpm_script_t,$2,$3)
-	seutil_run_setfiles(rpm_script_t,$2,$3)
-	seutil_run_restorecon(rpm_script_t,$2,$3)
-	allow rpm_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute the rpm client in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rpm_exec',`
-	gen_require(`
-		type rpm_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1,rpm_exec_t)
-')
-
-########################################
-## <summary>
-##	Inherit and use file descriptors from RPM.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpm_use_fds',`
-	gen_require(`
-		type rpm_t;
-	')
-
-	allow $1 rpm_t:fd use;
-')
-
-########################################
-## <summary>
-##	Read from an unnamed RPM pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpm_read_pipes',`
-	gen_require(`
-		type rpm_t;
-	')
-
-	allow $1 rpm_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write an unnamed RPM pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpm_rw_pipes',`
-	gen_require(`
-		type rpm_t;
-	')
-
-	allow $1 rpm_t:fifo_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the RPM log.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpm_manage_log',`
-	gen_require(`
-		type rpm_log_t;
-	')
-
-	logging_rw_generic_log_dirs($1)
-	allow $1 rpm_log_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Inherit and use file descriptors from RPM scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpm_use_script_fds',`
-	gen_require(`
-		type rpm_script_t;
-	')
-
-	allow $1 rpm_script_t:fd use;
-')
-
-########################################
-## <summary>
-##	Read the RPM package database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpm_read_db',`
-	gen_require(`
-		type rpm_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 rpm_var_lib_t:dir r_dir_perms;
-	allow $1 rpm_var_lib_t:file { getattr read };
-	allow $1 rpm_var_lib_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the RPM package database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpm_manage_db',`
-	gen_require(`
-		type rpm_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 rpm_var_lib_t:dir rw_dir_perms;
-	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
-	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to create, read, 
-##	write, and delete the RPM package database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`rpm_dontaudit_manage_db',`
-	gen_require(`
-		type rpm_var_lib_t;
-	')
-
-	dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
-	dontaudit $1 rpm_var_lib_t:file create_file_perms;
-	dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
-')
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
deleted file mode 100644
index a12a0d4..0000000
--- a/refpolicy/policy/modules/admin/rpm.te
+++ /dev/null
@@ -1,396 +0,0 @@
-
-policy_module(rpm,1.3.9)
-
-########################################
-#
-# Declarations
-#
-
-type rpm_t;
-type rpm_exec_t;
-init_system_domain(rpm_t,rpm_exec_t)
-domain_obj_id_change_exemption(rpm_t)
-domain_role_change_exemption(rpm_t)
-domain_system_change_exemption(rpm_t)
-domain_interactive_fd(rpm_t)
-role system_r types rpm_t;
-
-type rpm_file_t;
-files_type(rpm_file_t)
-
-type rpm_tmp_t;
-files_tmp_file(rpm_tmp_t)
-
-type rpm_tmpfs_t;
-files_tmpfs_file(rpm_tmpfs_t)
-
-type rpm_log_t;
-logging_log_file(rpm_log_t)
-
-type rpm_var_lib_t;
-files_type(rpm_var_lib_t)
-typealias rpm_var_lib_t alias var_lib_rpm_t;
-
-type rpm_script_t;
-type rpm_script_exec_t;
-domain_obj_id_change_exemption(rpm_script_t)
-domain_system_change_exemption(rpm_script_t)
-corecmd_shell_entry_type(rpm_script_t)
-domain_type(rpm_script_t)
-domain_entry_file(rpm_t,rpm_script_exec_t)
-domain_interactive_fd(rpm_script_t)
-role system_r types rpm_script_t;
-
-type rpm_script_tmp_t;
-files_tmp_file(rpm_script_tmp_t)
-
-type rpm_script_tmpfs_t;
-files_tmpfs_file(rpm_script_tmpfs_t)
-
-########################################
-#
-# rpm Local policy
-#
-
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow rpm_t self:process { getattr setexec setfscreate setrlimit };
-allow rpm_t self:fd use;
-allow rpm_t self:fifo_file rw_file_perms;
-allow rpm_t self:unix_dgram_socket create_socket_perms;
-allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
-allow rpm_t self:unix_dgram_socket sendto;
-allow rpm_t self:unix_stream_socket connectto;
-allow rpm_t self:udp_socket { connect };
-allow rpm_t self:udp_socket create_socket_perms;
-allow rpm_t self:tcp_socket create_stream_socket_perms;
-allow rpm_t self:shm create_shm_perms;
-allow rpm_t self:sem create_sem_perms;
-allow rpm_t self:msgq create_msgq_perms;
-allow rpm_t self:msg { send receive };
-allow rpm_t self:dir search;
-allow rpm_t self:file rw_file_perms;;
-
-allow rpm_t rpm_tmp_t:dir create_dir_perms;
-allow rpm_t rpm_tmp_t:file create_file_perms;
-files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
-
-allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
-allow rpm_t rpm_tmpfs_t:file create_file_perms;
-allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
-allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
-allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
-fs_tmpfs_filetrans(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-# Access /var/lib/rpm files
-allow rpm_t rpm_var_lib_t:file create_file_perms;
-allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)
-
-kernel_read_system_state(rpm_t)
-kernel_read_kernel_sysctls(rpm_t)
-
-corecmd_exec_all_executables(rpm_t)
-
-corenet_non_ipsec_sendrecv(rpm_t)
-corenet_tcp_sendrecv_all_if(rpm_t)
-corenet_raw_sendrecv_all_if(rpm_t)
-corenet_udp_sendrecv_all_if(rpm_t)
-corenet_tcp_sendrecv_all_nodes(rpm_t)
-corenet_raw_sendrecv_all_nodes(rpm_t)
-corenet_udp_sendrecv_all_nodes(rpm_t)
-corenet_tcp_sendrecv_all_ports(rpm_t)
-corenet_udp_sendrecv_all_ports(rpm_t)
-corenet_tcp_connect_all_ports(rpm_t)
-corenet_sendrecv_all_client_packets(rpm_t)
-
-dev_list_sysfs(rpm_t)
-dev_list_usbfs(rpm_t)
-dev_read_urand(rpm_t)
-#devices_manage_all_device_types(rpm_t)
-
-fs_manage_nfs_dirs(rpm_t)
-fs_manage_nfs_files(rpm_t)
-fs_manage_nfs_symlinks(rpm_t)
-fs_getattr_all_fs(rpm_t)
-fs_search_auto_mountpoints(rpm_t)
-
-mls_file_read_up(rpm_t)
-mls_file_write_down(rpm_t)
-mls_file_upgrade(rpm_t)
-mls_file_downgrade(rpm_t)
-
-selinux_get_fs_mount(rpm_t)
-selinux_validate_context(rpm_t)
-selinux_compute_access_vector(rpm_t)
-selinux_compute_create_context(rpm_t)
-selinux_compute_relabel_context(rpm_t)
-selinux_compute_user_contexts(rpm_t)
-
-storage_raw_write_fixed_disk(rpm_t)
-# for installing kernel packages
-storage_raw_read_fixed_disk(rpm_t)
-
-term_list_ptys(rpm_t)
-
-auth_relabel_all_files_except_shadow(rpm_t)
-auth_manage_all_files_except_shadow(rpm_t)
-auth_dontaudit_read_shadow(rpm_t)
-
-# transition to rpm script:
-rpm_domtrans_script(rpm_t)
-
-domain_read_all_domains_state(rpm_t)
-domain_getattr_all_domains(rpm_t)
-domain_dontaudit_ptrace_all_domains(rpm_t)
-domain_use_interactive_fds(rpm_t)
-domain_dontaudit_getattr_all_pipes(rpm_t)
-domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
-domain_dontaudit_getattr_all_udp_sockets(rpm_t)
-domain_dontaudit_getattr_all_packet_sockets(rpm_t)
-domain_dontaudit_getattr_all_raw_sockets(rpm_t)
-domain_dontaudit_getattr_all_stream_sockets(rpm_t)
-domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
-
-files_exec_etc_files(rpm_t)
-
-init_domtrans_script(rpm_t)
-
-libs_use_ld_so(rpm_t)
-libs_use_shared_libs(rpm_t)
-libs_exec_ld_so(rpm_t)
-libs_exec_lib_files(rpm_t)
-libs_domtrans_ldconfig(rpm_t)
-
-logging_send_syslog_msg(rpm_t)
-
-# allow compiling and loading new policy
-seutil_manage_src_policy(rpm_t)
-seutil_manage_bin_policy(rpm_t)
-
-sysnet_read_config(rpm_t)
-
-userdom_use_unpriv_users_fds(rpm_t)
-
-ifdef(`distro_redhat',`
-	unconfined_domain(rpm_t)
-')
-
-ifdef(`targeted_policy',`
-	unconfined_domain(rpm_t)
-',`
-	# cjp: these are here to stop type_transition
-	# conflicts since rpm_t is an alias of
-	# unconfined in the targeted policy
-	allow rpm_t rpm_log_t:file create_file_perms;
-	logging_log_filetrans(rpm_t,rpm_log_t,file)
-')
-
-optional_policy(`
-	cron_system_entry(rpm_t,rpm_exec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(rpm_t)
-')
-
-ifdef(`TODO',`
-# read/write/create any files in the system
-dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-allow rpm_t ttyfile:chr_file unlink;
-
-# needs rw permission to the directory for an rpm package that includes a mount
-# point
-allow rpm_t fs_type:dir { setattr rw_dir_perms };
-
-allow rpm_t mount_t:tcp_socket write;
-
-allow rpm_t rpc_pipefs_t:dir search;
-
-optional_policy(`
-allow rpm_t sysadm_gph_t:fd use;
-')
-') dnl endif TODO
-
-########################################
-#
-# rpm-script Local policy
-#
-
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow rpm_script_t self:fd use;
-allow rpm_script_t self:fifo_file rw_file_perms;
-allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
-allow rpm_script_t self:unix_dgram_socket sendto;
-allow rpm_script_t self:unix_stream_socket connectto;
-allow rpm_script_t self:shm create_shm_perms;
-allow rpm_script_t self:sem create_sem_perms;
-allow rpm_script_t self:msgq create_msgq_perms;
-allow rpm_script_t self:msg { send receive };
-
-allow rpm_script_t rpm_tmp_t:file r_file_perms;
-
-allow rpm_script_t rpm_script_tmp_t:dir mounton;
-allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
-allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
-files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
-
-allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
-allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
-allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
-allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
-allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
-fs_tmpfs_filetrans(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-allow rpm_t rpm_script_t:fd use;
-allow rpm_script_t rpm_t:fd use;
-allow rpm_script_t rpm_t:fifo_file rw_file_perms;
-allow rpm_script_t rpm_t:process sigchld;
-
-kernel_read_kernel_sysctls(rpm_script_t)
-kernel_read_system_state(rpm_script_t)
-
-dev_list_sysfs(rpm_script_t)
-
-# ideally we would not need this
-dev_manage_generic_blk_files(rpm_script_t)
-dev_manage_generic_chr_files(rpm_script_t)
-dev_manage_all_blk_files(rpm_script_t)
-dev_manage_all_chr_files(rpm_script_t)
-
-fs_manage_nfs_files(rpm_script_t)
-fs_getattr_nfs(rpm_script_t)
-# why is this not using mount?
-fs_getattr_xattr_fs(rpm_script_t)
-fs_mount_xattr_fs(rpm_script_t)
-fs_unmount_xattr_fs(rpm_script_t)
-fs_search_auto_mountpoints(rpm_script_t)
-
-mls_file_read_up(rpm_script_t)
-mls_file_write_down(rpm_script_t)
-
-selinux_get_fs_mount(rpm_script_t)
-selinux_validate_context(rpm_script_t)
-selinux_compute_access_vector(rpm_script_t)
-selinux_compute_create_context(rpm_script_t)
-selinux_compute_relabel_context(rpm_script_t)
-selinux_compute_user_contexts(rpm_script_t)
-
-storage_raw_read_fixed_disk(rpm_script_t)
-storage_raw_write_fixed_disk(rpm_script_t)
-
-term_getattr_unallocated_ttys(rpm_script_t)
-term_list_ptys(rpm_script_t)
-term_use_all_terms(rpm_script_t)
-
-auth_dontaudit_getattr_shadow(rpm_script_t)
-# ideally we would not need this
-auth_manage_all_files_except_shadow(rpm_script_t)
-
-corecmd_exec_all_executables(rpm_script_t)
-
-domain_read_all_domains_state(rpm_script_t)
-domain_getattr_all_domains(rpm_script_t)
-domain_dontaudit_ptrace_all_domains(rpm_script_t)
-domain_use_interactive_fds(rpm_script_t)
-domain_signal_all_domains(rpm_script_t)
-domain_signull_all_domains(rpm_script_t)
-
-files_exec_etc_files(rpm_script_t)
-files_read_etc_runtime_files(rpm_script_t)
-files_exec_usr_files(rpm_script_t)
-
-init_domtrans_script(rpm_script_t)
-
-libs_use_ld_so(rpm_script_t)
-libs_use_shared_libs(rpm_script_t)
-libs_exec_ld_so(rpm_script_t)
-libs_exec_lib_files(rpm_script_t)
-libs_domtrans_ldconfig(rpm_script_t)
-
-logging_send_syslog_msg(rpm_script_t)
-
-miscfiles_read_localization(rpm_script_t)
-
-modutils_domtrans_depmod(rpm_script_t)
-modutils_domtrans_insmod(rpm_script_t)
-
-seutil_domtrans_loadpolicy(rpm_script_t)
-seutil_domtrans_restorecon(rpm_script_t)
-seutil_domtrans_semanage(rpm_script_t)
-
-userdom_use_all_users_fds(rpm_script_t)
-
-ifdef(`distro_redhat',`
-	unconfined_domain(rpm_script_t)
-')
-
-ifdef(`targeted_policy',`
-	unconfined_domain(rpm_script_t)
-
-	optional_policy(`
-		java_domtrans(rpm_script_t)
-	')
-
-	optional_policy(`
-		mono_domtrans(rpm_script_t)
-	')
-
-	optional_policy(`
-		unconfined_domtrans(rpm_script_t)
-	')
-')
-
-ifdef(`distro_redhat',`
-	optional_policy(`
-		mta_send_mail(rpm_script_t)
-	')
-')
-
-tunable_policy(`allow_execmem',`
-	allow rpm_script_t self:process execmem;
-')
-
-optional_policy(`
-	bootloader_domtrans(rpm_script_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(rpm_script_t)
-')
-
-optional_policy(`
-	usermanage_domtrans_groupadd(rpm_script_t)
-	usermanage_domtrans_useradd(rpm_script_t)
-')
-
-ifdef(`TODO',`
-optional_policy(`
-can_exec(rpm_script_t,printconf_t)
-')
-
-optional_policy(`
-allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
-allow cupsd_t rpm_var_lib_t:file r_file_perms;
-allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
-allow cupsd_t initrc_exec_t:file r_file_perms;
-domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
-')
-
-optional_policy(`
-domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-
-optional_policy(`
-domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
-')
-
-ifdef(`hide_broken_symptoms', `
-	optional_policy(`
-		domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
-	')
-')
-
-') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/su.fc b/refpolicy/policy/modules/admin/su.fc
deleted file mode 100644
index 688abc2..0000000
--- a/refpolicy/policy/modules/admin/su.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-
-/bin/su			--	gen_context(system_u:object_r:su_exec_t,s0)
-
-/usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
-/usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
deleted file mode 100644
index 5fb85ce..0000000
--- a/refpolicy/policy/modules/admin/su.if
+++ /dev/null
@@ -1,342 +0,0 @@
-## <summary>Run shells with substitute user and group</summary>
-
-#######################################
-## <summary>
-##	Restricted su domain template.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is allowed
-##	to change the linux user id, to run shells as a different
-##	user.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`su_restricted_domain_template', `
-	gen_require(`
-		type su_exec_t;
-	')
-
-	type $1_su_t;
-	domain_entry_file($1_su_t,su_exec_t)
-	domain_type($1_su_t)
-	domain_interactive_fd($1_su_t)
-	role $3 types $1_su_t;
-
-	allow $2 $1_su_t:process signal;
-
-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
-	dontaudit $1_su_t self:capability sys_tty_config;
-	allow $1_su_t self:process { setexec setsched setrlimit };
-	allow $1_su_t self:fifo_file rw_file_perms;
-	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-	allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
-
-	# Transition from the user domain to this domain.
-	domain_auto_trans($2, su_exec_t, $1_su_t)
-	allow $1_su_t $2:fd use;
-	allow $1_su_t $2:fifo_file rw_file_perms;
-	allow $1_su_t $2:process sigchld;
-
-	# By default, revert to the calling domain when a shell is executed.
-	corecmd_shell_domtrans($1_su_t,$2)
-	allow $2 $1_su_t:fd use;
-	allow $2 $1_su_t:fifo_file rw_file_perms;
-	allow $2 $1_su_t:process sigchld;
-
-	kernel_read_system_state($1_su_t)
-	kernel_read_kernel_sysctls($1_su_t)
-
-	# for SSP
-	dev_read_urand($1_su_t)
-
-	files_read_etc_files($1_su_t)
-	files_read_etc_runtime_files($1_su_t)
-	files_search_var_lib($1_su_t)
-	files_dontaudit_getattr_tmp_dirs($1_su_t)
-
-	# for the rootok check
-	selinux_compute_access_vector($1_su_t)
-
-	auth_domtrans_chk_passwd($1_su_t)
-	auth_dontaudit_read_shadow($1_su_t)
-	auth_use_nsswitch($1_su_t)
-
-	domain_use_interactive_fds($1_su_t)
-
-	init_dontaudit_use_fds($1_su_t)
-	init_dontaudit_use_script_ptys($1_su_t)
-	# Write to utmp.
-	init_rw_utmp($1_su_t)
-
-	libs_use_ld_so($1_su_t)
-	libs_use_shared_libs($1_su_t)
-
-	logging_send_syslog_msg($1_su_t)
-
-	miscfiles_read_localization($1_su_t)
-
-	ifdef(`distro_rhel4',`
-		domain_role_change_exemption($1_su_t)
-		domain_subj_id_change_exemption($1_su_t)
-		domain_obj_id_change_exemption($1_su_t)
-
-		selinux_get_fs_mount($1_su_t)
-		selinux_validate_context($1_su_t)
-		selinux_compute_access_vector($1_su_t)
-		selinux_compute_create_context($1_su_t)
-		selinux_compute_relabel_context($1_su_t)
-		selinux_compute_user_contexts($1_su_t)
-
-		seutil_read_config($1_su_t)
-		seutil_read_default_contexts($1_su_t)
-
-		# Only allow transitions to unprivileged user domains.
-		userdom_spec_domtrans_unpriv_users($1_su_t)
-	')
-
-	optional_policy(`
-		cron_read_pipes($1_su_t)
-	')
-
-	optional_policy(`
-		kerberos_use($1_su_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_su_t)
-	')
-
-	ifdef(`TODO',`
-	# Caused by su - init scripts
-	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
-	') dnl end TODO
-')
-
-#######################################
-## <summary>
-##	The per user domain template for the su module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is allowed
-##	to change the linux user id, to run shells as a different
-##	user.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`su_per_userdomain_template',`
-	gen_require(`
-		type su_exec_t;
-		bool secure_mode;
-	')
-
-	type $1_su_t;
-	domain_entry_file($1_su_t,su_exec_t)
-	domain_type($1_su_t)
-	domain_interactive_fd($1_su_t)
-	role $3 types $1_su_t;
-
-	allow $2 $1_su_t:process signal;
-
-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
-	dontaudit $1_su_t self:capability sys_tty_config;
-	allow $1_su_t self:process { setexec setsched setrlimit };
-	allow $1_su_t self:fifo_file rw_file_perms;
-	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-
-	# Transition from the user domain to this domain.
-	domain_auto_trans($2, su_exec_t, $1_su_t)
-	allow $1_su_t $2:fd use;
-	allow $1_su_t $2:fifo_file rw_file_perms;
-	allow $1_su_t $2:process sigchld;
-
-	# By default, revert to the calling domain when a shell is executed.
-	corecmd_shell_domtrans($1_su_t,$2)
-	allow $2 $1_su_t:fd use;
-	allow $2 $1_su_t:fifo_file rw_file_perms;
-	allow $2 $1_su_t:process sigchld;
-
-	kernel_read_system_state($1_su_t)
-	kernel_read_kernel_sysctls($1_su_t)
-
-	# for SSP
-	dev_read_urand($1_su_t)
-
-	fs_search_auto_mountpoints($1_su_t)
-
-	auth_domtrans_user_chk_passwd($1,$1_su_t)
-	auth_dontaudit_read_shadow($1_su_t)
-	auth_use_nsswitch($1_su_t)
-
-	corecmd_search_bin($1_su_t)
-	corecmd_search_sbin($1_su_t)
-
-	domain_use_interactive_fds($1_su_t)
-
-	files_read_etc_files($1_su_t)
-	files_read_etc_runtime_files($1_su_t)
-	files_search_var_lib($1_su_t)
-	files_dontaudit_getattr_tmp_dirs($1_su_t)
-
-	init_dontaudit_use_fds($1_su_t)
-	# Write to utmp.
-	init_rw_utmp($1_su_t)
-
-	libs_use_ld_so($1_su_t)
-	libs_use_shared_libs($1_su_t)
-
-	logging_send_syslog_msg($1_su_t)
-
-	miscfiles_read_localization($1_su_t)
-
-	userdom_use_user_terminals($1,$1_su_t)
-	userdom_search_user_home_dirs($1,$1_su_t)
-
-	ifdef(`distro_rhel4',`
-		domain_role_change_exemption($1_su_t)
-		domain_subj_id_change_exemption($1_su_t)
-		domain_obj_id_change_exemption($1_su_t)
-
-		selinux_get_fs_mount($1_su_t)
-		selinux_validate_context($1_su_t)
-		selinux_compute_access_vector($1_su_t)
-		selinux_compute_create_context($1_su_t)
-		selinux_compute_relabel_context($1_su_t)
-		selinux_compute_user_contexts($1_su_t)
-
-		# Relabel ttys and ptys.
-		term_relabel_all_user_ttys($1_su_t)
-		term_relabel_all_user_ptys($1_su_t)
-		# Close and re-open ttys and ptys to get the fd into the correct domain.
-		term_use_all_user_ttys($1_su_t)
-		term_use_all_user_ptys($1_su_t)
-
-		seutil_read_config($1_su_t)
-		seutil_read_default_contexts($1_su_t)
-
-		ifdef(`strict_policy',`
-			if(secure_mode) {
-				# Only allow transitions to unprivileged user domains.
-				userdom_spec_domtrans_unpriv_users($1_su_t)
-			} else {
-				# Allow transitions to all user domains
-				userdom_spec_domtrans_all_users($1_su_t)
-			}
-		')
-
-		ifdef(`targeted_policy',`
-			unconfined_domtrans($1_su_t)
-			unconfined_signal($1_su_t)
-		')
-	')
-
-	ifdef(`enable_polyinstantiation',`
-		fs_mount_xattr_fs($1_su_t)
-		fs_unmount_xattr_fs($1_su_t)
-	')
-
-	ifdef(`targeted_policy',`
-		# allow user to suspend terminal.
-		# does not work in strict since the
-		# parent may not be able to use
-		# the terminal if we newrole,
-		# which relabels the terminal.
-		allow $1_su_t self:process sigstop;
-
-		corecmd_exec_bin($1_su_t)
-		userdom_manage_all_users_home_content_files($1_su_t)
-		userdom_manage_all_users_home_content_symlinks($1_su_t)
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_search_nfs($1_su_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_search_cifs($1_su_t)
-	')
-
-	optional_policy(`
-		cron_read_pipes($1_su_t)
-	')
-
-	optional_policy(`
-		kerberos_use($1_su_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_su_t)
-	')
-
-	# Modify .Xauthority file (via xauth program).
-	optional_policy(`
-#		file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
-#		file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
-#		file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
-		xserver_domtrans_user_xauth($1, $1_su_t)
-	')
-
-	ifdef(`TODO',`
-	allow $1_su_t $1_home_t:file create_file_perms;
-
-	# Access sshd cookie files.
-	allow $1_su_t sshd_tmp_t:file rw_file_perms;
-	file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
-	') dnl end TODO
-')
-
-#######################################
-## <summary>
-##	Execute su in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`su_exec',`
-	gen_require(`
-		type su_exec_t;
-	')
-
-	can_exec($1,su_exec_t)
-')
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
deleted file mode 100644
index d9ef86a..0000000
--- a/refpolicy/policy/modules/admin/su.te
+++ /dev/null
@@ -1,10 +0,0 @@
-
-policy_module(su,1.3.3)
-
-########################################
-#
-# Declarations
-#
-
-type su_exec_t;
-corecmd_executable_file(su_exec_t)
diff --git a/refpolicy/policy/modules/admin/sudo.fc b/refpolicy/policy/modules/admin/sudo.fc
deleted file mode 100644
index 7bddc02..0000000
--- a/refpolicy/policy/modules/admin/sudo.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/bin/sudo(edit)?	--	gen_context(system_u:object_r:sudo_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
deleted file mode 100644
index e0ff588..0000000
--- a/refpolicy/policy/modules/admin/sudo.if
+++ /dev/null
@@ -1,153 +0,0 @@
-## <summary>Execute a command with a substitute user</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the sudo module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is allowed
-##	to change the linux user id, to run commands as a different
-##	user.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`sudo_per_userdomain_template',`
-
-	gen_require(`
-		type sudo_exec_t;
-		bool secure_mode;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_sudo_t; 
-	domain_type($1_sudo_t)
-	domain_entry_file($1_sudo_t,sudo_exec_t)
-	domain_interactive_fd($1_sudo_t)
-	role $3 types $1_sudo_t;
-
-	##############################
-	#
-	# Local Policy
-	#
-
-	# Use capabilities.
-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
-	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_sudo_t self:process { setexec setrlimit };
-	allow $1_sudo_t self:fd use;
-	allow $1_sudo_t self:fifo_file rw_file_perms;
-	allow $1_sudo_t self:shm create_shm_perms;
-	allow $1_sudo_t self:sem create_sem_perms;
-	allow $1_sudo_t self:msgq create_msgq_perms;
-	allow $1_sudo_t self:msg { send receive };
-	allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
-	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_sudo_t self:unix_dgram_socket sendto;
-	allow $1_sudo_t self:unix_stream_socket connectto;
-	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
-
-	# Enter this derived domain from the user domain
-	domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
-	allow $1_sudo_t $2:fd use;
-	allow $2 $1_sudo_t:fd use;
-	allow $2 $1_sudo_t:fifo_file rw_file_perms;
-	allow $2 $1_sudo_t:process sigchld;
-
-	# By default, revert to the calling domain when a shell is executed.
-	corecmd_shell_domtrans($1_sudo_t,$2)
-	allow $2 $1_sudo_t:fd use;
-	allow $1_sudo_t $2:fd use;
-	allow $1_sudo_t $2:fifo_file rw_file_perms;
-	allow $1_sudo_t $2:process sigchld;
-
-	kernel_read_kernel_sysctls($1_sudo_t)
-	kernel_read_system_state($1_sudo_t)
-
-	dev_read_urand($1_sudo_t)
-
-	fs_search_auto_mountpoints($1_sudo_t)
-	fs_getattr_xattr_fs($1_sudo_t)
-
-	auth_domtrans_chk_passwd($1_sudo_t)
-
-	corecmd_getattr_bin_files($1_sudo_t)
-	corecmd_read_sbin_symlinks($1_sudo_t)
-	corecmd_getattr_sbin_files($1_sudo_t)
-
-	domain_use_interactive_fds($1_sudo_t)
-	domain_sigchld_interactive_fds($1_sudo_t)
-	domain_getattr_all_entry_files($1_sudo_t)
-
-	files_read_etc_files($1_sudo_t)
-	files_read_var_files($1_sudo_t)
-	files_read_usr_symlinks($1_sudo_t)
-	files_getattr_usr_files($1_sudo_t)
-	# for some PAM modules and for cwd
-	files_dontaudit_search_home($1_sudo_t)
-
-	init_rw_utmp($1_sudo_t)
-
-	libs_use_ld_so($1_sudo_t)
-	libs_use_shared_libs($1_sudo_t)
-
-	logging_send_syslog_msg($1_sudo_t)
-
-	miscfiles_read_localization($1_sudo_t)
-
-	userdom_manage_user_home_content_files($1,$1_sudo_t)
-	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
-	userdom_manage_user_tmp_files($1,$1_sudo_t)
-	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
-	userdom_use_user_terminals($1,$1_sudo_t)
-	userdom_use_unpriv_users_fds($1_sudo_t)
-	# for some PAM modules and for cwd
-	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
-
-	optional_policy(`
-		nis_use_ypbind($1_sudo_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_sudo_t)
-	')
-
-	ifdef(`TODO',`
-	# for when the network connection is killed
-	dontaudit unpriv_userdomain $1_sudo_t:process signal;
-
-	ifdef(`mta.te', `
-	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-	')
-
-	ifdef(`pam.te', `
-	allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
-	allow $1_sudo_t pam_var_run_t:file create_file_perms;
-	')
-	') dnl end TODO
-')
diff --git a/refpolicy/policy/modules/admin/sudo.te b/refpolicy/policy/modules/admin/sudo.te
deleted file mode 100644
index 54c1f3c..0000000
--- a/refpolicy/policy/modules/admin/sudo.te
+++ /dev/null
@@ -1,11 +0,0 @@
-
-policy_module(sudo,1.0.0)
-
-########################################
-#
-# Declarations
-
-type sudo_exec_t;
-files_type(sudo_exec_t)
-
-# Remaining policy in per user domain template.
diff --git a/refpolicy/policy/modules/admin/sxid.fc b/refpolicy/policy/modules/admin/sxid.fc
deleted file mode 100644
index bc3797b..0000000
--- a/refpolicy/policy/modules/admin/sxid.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-/usr/bin/sxid		--	gen_context(system_u:object_r:sxid_exec_t,s0)
-/usr/sbin/checksecurity\.se --	gen_context(system_u:object_r:sxid_exec_t,s0)
-
-/var/log/setuid.*	--	gen_context(system_u:object_r:sxid_log_t,s0)
-/var/log/setuid\.today.* --	gen_context(system_u:object_r:sxid_log_t,s0)
-/var/log/sxid\.log.*	--	gen_context(system_u:object_r:sxid_log_t,s0)
diff --git a/refpolicy/policy/modules/admin/sxid.if b/refpolicy/policy/modules/admin/sxid.if
deleted file mode 100644
index 36c3a48..0000000
--- a/refpolicy/policy/modules/admin/sxid.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>SUID/SGID program monitoring</summary>
-
-########################################
-## <summary>
-##	Allow the specified domain to read
-##	sxid log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sxid_read_log',`
-	gen_require(`
-		type sxid_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 sxid_log_t:file r_file_perms;
-')
diff --git a/refpolicy/policy/modules/admin/sxid.te b/refpolicy/policy/modules/admin/sxid.te
deleted file mode 100644
index bf3ef84..0000000
--- a/refpolicy/policy/modules/admin/sxid.te
+++ /dev/null
@@ -1,107 +0,0 @@
-
-policy_module(sxid,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type sxid_t;
-type sxid_exec_t;
-domain_type(sxid_t)
-domain_entry_file(sxid_t,sxid_exec_t)
-
-type sxid_log_t;
-logging_log_file(sxid_log_t)
-
-type sxid_tmp_t;
-files_tmp_file(sxid_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow sxid_t self:capability { dac_override dac_read_search fsetid };
-dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
-allow sxid_t self:process signal_perms;
-allow sxid_t self:fifo_file rw_file_perms;
-allow sxid_t self:tcp_socket create_stream_socket_perms;
-allow sxid_t self:udp_socket create_socket_perms;
-
-allow sxid_t sxid_log_t:file create_file_perms;
-logging_log_filetrans(sxid_t,sxid_log_t,file)
-
-allow sxid_t sxid_tmp_t:dir create_dir_perms;
-allow sxid_t sxid_tmp_t:file create_file_perms;
-files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir })
-
-kernel_read_system_state(sxid_t)
-kernel_read_kernel_sysctls(sxid_t)
-
-corecmd_exec_bin(sxid_t)
-corecmd_exec_sbin(sxid_t)
-corecmd_exec_shell(sxid_t)
-
-corenet_non_ipsec_sendrecv(sxid_t)
-corenet_tcp_sendrecv_generic_if(sxid_t)
-corenet_udp_sendrecv_generic_if(sxid_t)
-corenet_tcp_sendrecv_all_nodes(sxid_t)
-corenet_udp_sendrecv_all_nodes(sxid_t)
-corenet_tcp_sendrecv_all_ports(sxid_t)
-corenet_udp_sendrecv_all_ports(sxid_t)
-
-dev_read_sysfs(sxid_t)
-dev_getattr_all_blk_files(sxid_t)
-dev_getattr_all_blk_files(sxid_t)
-
-domain_use_interactive_fds(sxid_t)
-
-files_list_all(sxid_t)
-files_getattr_all_symlinks(sxid_t)
-files_getattr_all_pipes(sxid_t)
-files_getattr_all_sockets(sxid_t)
-
-fs_getattr_xattr_fs(sxid_t)
-fs_search_auto_mountpoints(sxid_t)
-fs_list_all(sxid_t)
-
-term_dontaudit_use_console(sxid_t)
-
-auth_read_all_files_except_shadow(sxid_t)
-
-init_use_fds(sxid_t)
-init_use_script_ptys(sxid_t)
-
-libs_use_ld_so(sxid_t)
-libs_use_shared_libs(sxid_t)
-
-logging_send_syslog_msg(sxid_t)
-
-miscfiles_read_localization(sxid_t)
-
-mount_exec(sxid_t)
-
-sysnet_read_config(sxid_t)
-
-userdom_dontaudit_use_unpriv_user_fds(sxid_t)
-
-cron_system_entry(sxid_t,sxid_exec_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(sxid_t)
-	term_dontaudit_use_generic_ptys(sxid_t)
-	files_dontaudit_read_root_files(sxid_t)
-')
-
-optional_policy(`
-	mta_send_mail(sxid_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(sxid_t)
-')
-
-optional_policy(`
-	udev_read_db(sxid_t)
-')
diff --git a/refpolicy/policy/modules/admin/tmpreaper.fc b/refpolicy/policy/modules/admin/tmpreaper.fc
deleted file mode 100644
index 81077db..0000000
--- a/refpolicy/policy/modules/admin/tmpreaper.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/sbin/tmpreaper		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
-/usr/sbin/tmpwatch		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/tmpreaper.if b/refpolicy/policy/modules/admin/tmpreaper.if
deleted file mode 100644
index d43b117..0000000
--- a/refpolicy/policy/modules/admin/tmpreaper.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>Manage temporary directory sizes and file ages</summary>
-
-########################################
-## <summary>
-##	Execute tmpreaper in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`tmpreaper_exec',`
-	gen_require(`
-		type tmpreaper_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_sbin($1)
-	can_exec($1,tmpreaper_exec_t)
-')
diff --git a/refpolicy/policy/modules/admin/tmpreaper.te b/refpolicy/policy/modules/admin/tmpreaper.te
deleted file mode 100644
index 8809daf..0000000
--- a/refpolicy/policy/modules/admin/tmpreaper.te
+++ /dev/null
@@ -1,49 +0,0 @@
-
-policy_module(tmpreaper,1.2.0)
-
-########################################
-#
-# Declarations
-#
-
-type tmpreaper_t;
-role system_r types tmpreaper_t;
-domain_type(tmpreaper_t)
-
-type tmpreaper_exec_t;
-domain_entry_file(tmpreaper_t,tmpreaper_exec_t)
-
-########################################
-#
-# Local Policy
-#
-
-allow tmpreaper_t self:process { fork sigchld };
-allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
-
-dev_read_urand(tmpreaper_t)
-
-fs_getattr_xattr_fs(tmpreaper_t)
-
-files_read_etc_files(tmpreaper_t)
-files_read_var_lib_files(tmpreaper_t)
-files_purge_tmp(tmpreaper_t)
-# why does it need setattr?
-files_setattr_all_tmp_dirs(tmpreaper_t)
-
-mls_file_read_up(tmpreaper_t)
-mls_file_write_down(tmpreaper_t)
-
-libs_use_ld_so(tmpreaper_t)
-libs_use_shared_libs(tmpreaper_t)
-
-logging_send_syslog_msg(tmpreaper_t)
-
-miscfiles_read_localization(tmpreaper_t)
-miscfiles_delete_man_pages(tmpreaper_t)
-
-cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
-
-optional_policy(`
-	lpd_manage_spool(tmpreaper_t)
-')
diff --git a/refpolicy/policy/modules/admin/tripwire.fc b/refpolicy/policy/modules/admin/tripwire.fc
deleted file mode 100644
index 962662f..0000000
--- a/refpolicy/policy/modules/admin/tripwire.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-
-/etc/tripwire(/.*)?			gen_context(system_u:object_r:tripwire_etc_t,s0)
-
-/usr/sbin/siggen		--	gen_context(system_u:object_r:siggen_exec_t,s0)
-/usr/sbin/tripwire		--	gen_context(system_u:object_r:tripwire_exec_t,s0)
-/usr/sbin/twadmin		--	gen_context(system_u:object_r:twadmin_exec_t,s0)
-/usr/sbin/twprint		--	gen_context(system_u:object_r:twprint_exec_t,s0)
-
-/var/lib/tripwire(/.*)?			gen_context(system_u:object_r:tripwire_var_lib_t,s0)
-/var/lib/tripwire/report(/.*)?		gen_context(system_u:object_r:tripwire_report_t,s0)
diff --git a/refpolicy/policy/modules/admin/tripwire.if b/refpolicy/policy/modules/admin/tripwire.if
deleted file mode 100644
index a8b38c0..0000000
--- a/refpolicy/policy/modules/admin/tripwire.if
+++ /dev/null
@@ -1,222 +0,0 @@
-## <summary>Tripwire file integrity checker.</summary>
-## <desc>
-##	<p>
-##	Tripwire file integrity checker.
-##	</p>
-##	<p>
-##	NOTE: Tripwire creates temp file in its current working directory.
-##	This policy does not allow write access to home directories, so
-##	users will need to either cd to a directory where they have write
-##	permission, or set the TEMPDIRECTORY variable in the tripwire config
-##	file.  The latter is preferable, as then the file_type_auto_trans
-##	rules will kick in and label the files as private to tripwire.
-##	</p>
-## </desc>
-
-########################################
-## <summary>
-##	Execute tripwire in the tripwire domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`tripwire_domtrans_tripwire',`
-	gen_require(`
-		type tripwire_t, tripwire_exec_t;
-	')
-
-	domain_auto_trans($1,tripwire_exec_t,tripwire_t)
-	allow tripwire_t $1:fd use;
-	allow tripwire_t $1:fifo_file rw_file_perms;
-	allow tripwire_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute tripwire in the tripwire domain, and
-##	allow the specified role the tripwire domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the tripwire domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the tripwire domain to use.
-##	</summary>
-## </param>
-#
-interface(`tripwire_run_tripwire',`
-	gen_require(`
-		type tripwire_t;
-	')
-
-	tripwire_domtrans_tripwire($1)
-	role $2 types tripwire_t;
-	allow tripwire_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute twadmin in the twadmin domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`tripwire_domtrans_twadmin',`
-	gen_require(`
-		type twadmin_t, twadmin_exec_t;
-	')
-
-	domain_auto_trans($1,twadmin_exec_t,twadmin_t)
-	allow twadmin_t $1:fd use;
-	allow twadmin_t $1:fifo_file rw_file_perms;
-	allow twadmin_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute twadmin in the twadmin domain, and
-##	allow the specified role the twadmin domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the twadmin domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the twadmin domain to use.
-##	</summary>
-## </param>
-#
-interface(`tripwire_run_twadmin',`
-	gen_require(`
-		type twadmin_t;
-	')
-
-	tripwire_domtrans_twadmin($1)
-	role $2 types twadmin_t;
-	allow twadmin_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute twprint in the twprint domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`tripwire_domtrans_twprint',`
-	gen_require(`
-		type twprint_t, twprint_exec_t;
-	')
-
-	domain_auto_trans($1,twprint_exec_t,twprint_t)
-	allow twprint_t $1:fd use;
-	allow twprint_t $1:fifo_file rw_file_perms;
-	allow twprint_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute twprint in the twprint domain, and
-##	allow the specified role the twprint domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the twprint domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the twprint domain to use.
-##	</summary>
-## </param>
-#
-interface(`tripwire_run_twprint',`
-	gen_require(`
-		type twprint_t;
-	')
-
-	tripwire_domtrans_twprint($1)
-	role $2 types twprint_t;
-	allow twprint_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute siggen in the siggen domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`tripwire_domtrans_siggen',`
-	gen_require(`
-		type siggen_t, siggen_exec_t;
-	')
-
-	domain_auto_trans($1,siggen_exec_t,siggen_t)
-	allow siggen_t $1:fd use;
-	allow siggen_t $1:fifo_file rw_file_perms;
-	allow siggen_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute siggen in the siggen domain, and
-##	allow the specified role the siggen domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the siggen domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the siggen domain to use.
-##	</summary>
-## </param>
-#
-interface(`tripwire_run_siggen',`
-	gen_require(`
-		type siggen_t;
-	')
-
-	tripwire_domtrans_siggen($1)
-	role $2 types siggen_t;
-	allow siggen_t $3:chr_file rw_term_perms;
-')
diff --git a/refpolicy/policy/modules/admin/tripwire.te b/refpolicy/policy/modules/admin/tripwire.te
deleted file mode 100644
index cb6a7c5..0000000
--- a/refpolicy/policy/modules/admin/tripwire.te
+++ /dev/null
@@ -1,160 +0,0 @@
-
-policy_module(tripwire,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type siggen_t;
-type siggen_exec_t;
-domain_type(siggen_t)
-domain_entry_file(siggen_t,siggen_exec_t)
-
-type tripwire_t;
-type tripwire_exec_t;
-domain_type(tripwire_t)
-domain_entry_file(tripwire_t,tripwire_exec_t)
-role system_r types tripwire_t;
-
-type tripwire_etc_t;
-files_config_file(tripwire_etc_t)
-
-type tripwire_report_t;
-files_type(tripwire_report_t)
-
-type tripwire_tmp_t;
-files_tmp_file(tripwire_tmp_t)
-
-type tripwire_var_lib_t;
-files_type(tripwire_var_lib_t)
-
-type twadmin_t;
-type twadmin_exec_t;
-domain_type(twadmin_t)
-domain_entry_file(twadmin_t,twadmin_exec_t)
-
-type twprint_t;
-type twprint_exec_t;
-domain_type(twprint_t)
-domain_entry_file(twprint_t,twprint_exec_t)
-
-########################################
-#
-# Tripwire local policy
-#
-
-allow tripwire_t self:capability { setgid setuid dac_override };
-
-allow tripwire_t tripwire_etc_t:file r_file_perms;
-allow tripwire_t tripwire_etc_t:dir r_dir_perms;
-allow tripwire_t tripwire_etc_t:lnk_file { getattr read };
-files_search_etc(tripwire_t)
-
-allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
-allow tripwire_t tripwire_tmp_t:file manage_file_perms;
-files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { file dir })
-
-# Tripwire report files
-allow tripwire_t tripwire_report_t:dir manage_dir_perms;
-allow tripwire_t tripwire_report_t:file manage_file_perms;
-allow tripwire_t tripwire_report_t:lnk_file create_lnk_perms;
-
-allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
-allow tripwire_t tripwire_tmp_t:file manage_file_perms;
-allow tripwire_t tripwire_tmp_t:lnk_file create_lnk_perms;
-allow tripwire_t tripwire_tmp_t:sock_file manage_file_perms;
-allow tripwire_t tripwire_tmp_t:fifo_file manage_file_perms;
-files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ file lnk_file sock_file fifo_file })
-
-allow tripwire_t tripwire_var_lib_t:file manage_file_perms;
-allow tripwire_t tripwire_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(tripwire_t,tripwire_var_lib_t,file)
-
-kernel_read_system_state(tripwire_t)
-kernel_read_network_state(tripwire_t)
-kernel_read_software_raid_state(tripwire_t)
-kernel_getattr_core_if(tripwire_t)
-kernel_getattr_message_if(tripwire_t)
-kernel_read_kernel_sysctls(tripwire_t)
-
-corecmd_exec_shell(tripwire_t)
-corecmd_exec_sbin(tripwire_t)
-
-domain_use_interactive_fds(tripwire_t)
-
-files_read_all_files(tripwire_t)
-files_read_all_symlinks(tripwire_t)
-files_getattr_all_pipes(tripwire_t)
-files_getattr_all_sockets(tripwire_t)
-
-libs_use_ld_so(tripwire_t)
-libs_use_shared_libs(tripwire_t)
-
-logging_send_syslog_msg(tripwire_t)
-
-optional_policy(`
-	cron_system_entry(tripwire_t,tripwire_exec_t)
-')
-
-########################################
-#
-# Twadmin local policy
-#
-
-allow twadmin_t tripwire_etc_t:dir manage_dir_perms;
-allow twadmin_t tripwire_etc_t:file manage_file_perms;
-allow twadmin_t tripwire_etc_t:lnk_file create_lnk_perms;
-
-domain_use_interactive_fds(twadmin_t)
-
-libs_use_ld_so(twadmin_t)
-libs_use_shared_libs(twadmin_t)
-
-logging_send_syslog_msg(twadmin_t)
-
-miscfiles_read_localization(twadmin_t)
-
-########################################
-#
-# Twprint local policy
-#
-
-allow twprint_t tripwire_etc_t:dir r_dir_perms;
-allow twprint_t tripwire_etc_t:file r_file_perms;
-allow twprint_t tripwire_etc_t:lnk_file { getattr read };
-
-allow twprint_t tripwire_report_t:dir r_dir_perms;
-allow twprint_t tripwire_report_t:file r_file_perms;
-allow twprint_t tripwire_report_t:lnk_file { getattr read };
-
-allow twprint_t tripwire_var_lib_t:dir r_dir_perms;
-allow twprint_t tripwire_var_lib_t:file r_file_perms;
-allow twprint_t tripwire_var_lib_t:lnk_file { getattr read };
-files_search_var_lib(twprint_t)
-
-domain_use_interactive_fds(twprint_t)
-
-libs_use_ld_so(twprint_t)
-libs_use_shared_libs(twprint_t)
-
-logging_send_syslog_msg(twprint_t)
-
-miscfiles_read_localization(twprint_t)
-
-########################################
-#
-# Siggen local policy
-#
-
-domain_use_interactive_fds(siggen_t)
-
-# Need permission to read files
-files_read_all_files(siggen_t)
-
-libs_use_ld_so(siggen_t)
-libs_use_shared_libs(siggen_t)
-
-logging_send_syslog_msg(siggen_t)
-
-miscfiles_read_localization(siggen_t)
diff --git a/refpolicy/policy/modules/admin/updfstab.fc b/refpolicy/policy/modules/admin/updfstab.fc
deleted file mode 100644
index e534c88..0000000
--- a/refpolicy/policy/modules/admin/updfstab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-
-/usr/sbin/fstab-sync	--	gen_context(system_u:object_r:updfstab_exec_t,s0)
-/usr/sbin/updfstab	--	gen_context(system_u:object_r:updfstab_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/updfstab.if b/refpolicy/policy/modules/admin/updfstab.if
deleted file mode 100644
index dad4bef..0000000
--- a/refpolicy/policy/modules/admin/updfstab.if
+++ /dev/null
@@ -1,26 +0,0 @@
-## <summary>Red Hat utility to change /etc/fstab.</summary>
-
-########################################
-## <summary>
-##	Execute updfstab in the updfstab domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`updfstab_domtrans',`
-	gen_require(`
-		type updfstab_t, updfstab_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,updfstab_exec_t,updfstab_t)
-
-	allow $1 updfstab_t:fd use;
-	allow updfstab_t $1:fd use;
-	allow updfstab_t $1:fifo_file rw_file_perms;
-	allow updfstab_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
deleted file mode 100644
index 9bc2278..0000000
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ /dev/null
@@ -1,130 +0,0 @@
-
-policy_module(updfstab,1.2.1)
-
-########################################
-#
-# Declarations
-#
-
-type updfstab_t;
-type updfstab_exec_t;
-init_system_domain(updfstab_t,updfstab_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-allow updfstab_t self:capability dac_override;
-dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
-allow updfstab_t self:process signal_perms;
-allow updfstab_t self:fifo_file { getattr read write ioctl };
-
-kernel_use_fds(updfstab_t)
-kernel_read_kernel_sysctls(updfstab_t)
-kernel_dontaudit_write_kernel_sysctl(updfstab_t)
-# for /proc/partitions
-kernel_read_system_state(updfstab_t)
-# cjp: why is this required
-kernel_change_ring_buffer_level(updfstab_t)
-
-dev_read_sysfs(updfstab_t)
-dev_manage_generic_symlinks(updfstab_t)
-
-fs_getattr_xattr_fs(updfstab_t)
-fs_getattr_tmpfs(updfstab_t)
-fs_getattr_tmpfs_dirs(updfstab_t)
-fs_search_auto_mountpoints(updfstab_t)
-
-selinux_get_fs_mount(updfstab_t)
-selinux_validate_context(updfstab_t)
-selinux_compute_access_vector(updfstab_t)
-selinux_compute_create_context(updfstab_t)
-selinux_compute_relabel_context(updfstab_t)
-selinux_compute_user_contexts(updfstab_t)
-
-storage_raw_read_fixed_disk(updfstab_t)
-storage_raw_write_fixed_disk(updfstab_t)
-storage_raw_read_removable_device(updfstab_t)
-storage_raw_write_removable_device(updfstab_t)
-storage_read_scsi_generic(updfstab_t)
-storage_write_scsi_generic(updfstab_t)
-
-term_dontaudit_use_console(updfstab_t)
-
-corecmd_exec_bin(updfstab_t)
-corecmd_exec_sbin(updfstab_t)
-corecmd_exec_ls(updfstab_t)
-
-domain_use_interactive_fds(updfstab_t)
-
-files_manage_mnt_files(updfstab_t)
-files_manage_mnt_dirs(updfstab_t)
-files_manage_mnt_symlinks(updfstab_t)
-files_manage_etc_files(updfstab_t)
-files_dontaudit_search_home(updfstab_t)
-# for /etc/mtab
-files_read_etc_runtime_files(updfstab_t)
-
-init_use_fds(updfstab_t)
-init_use_script_ptys(updfstab_t)
-
-libs_use_ld_so(updfstab_t)
-libs_use_shared_libs(updfstab_t)
-
-logging_send_syslog_msg(updfstab_t)
-logging_search_logs(updfstab_t)
-
-miscfiles_read_localization(updfstab_t)
-
-seutil_read_config(updfstab_t)
-seutil_read_default_contexts(updfstab_t)
-seutil_read_file_contexts(updfstab_t)
-
-userdom_use_sysadm_ttys(updfstab_t)
-userdom_dontaudit_search_all_users_home_content(updfstab_t)
-userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(updfstab_t)
-	term_dontaudit_use_generic_ptys(updfstab_t)
-	files_dontaudit_read_root_files(updfstab_t)
-')
-
-optional_policy(`
-	auth_domtrans_pam_console(updfstab_t)
-')
-
-optional_policy(`
-	init_dbus_chat_script(updfstab_t)
-
-	dbus_system_bus_client_template(updfstab,updfstab_t)
-	dbus_send_system_bus(updfstab_t)
-')
-
-optional_policy(`
-	fstools_getattr_swap_files(updfstab_t)
-')
-
-optional_policy(`
-	hal_stream_connect(updfstab_t)
-	hal_dbus_chat(updfstab_t)
-')
-
-optional_policy(`
-	modutils_read_module_config(updfstab_t)
-	modutils_exec_insmod(updfstab_t)
-	modutils_read_module_deps(updfstab_t)
-')
-
-optional_policy(`
-	nscd_socket_use(updfstab_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(updfstab_t)
-')
-
-optional_policy(`
-	udev_read_db(updfstab_t)
-')
diff --git a/refpolicy/policy/modules/admin/usbmodules.fc b/refpolicy/policy/modules/admin/usbmodules.fc
deleted file mode 100644
index a008efb..0000000
--- a/refpolicy/policy/modules/admin/usbmodules.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# /sbin
-#
-/sbin/usbmodules		--	gen_context(system_u:object_r:usbmodules_exec_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/usbmodules	--	gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/usbmodules.if b/refpolicy/policy/modules/admin/usbmodules.if
deleted file mode 100644
index b27fb16..0000000
--- a/refpolicy/policy/modules/admin/usbmodules.if
+++ /dev/null
@@ -1,57 +0,0 @@
-## <summary>List kernel modules of USB devices</summary>
-
-########################################
-## <summary>
-##	Execute usbmodules in the usbmodules domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`usbmodules_domtrans',`
-	gen_require(`
-		type usbmodules_t, usbmodules_exec_t;
-	')
-
-	domain_auto_trans($1, usbmodules_exec_t, usbmodules_t)
-
-	allow $1 usbmodules_t:fd use;
-	allow usbmodules_t $1:fd use;
-	allow usbmodules_t $1:fifo_file rw_file_perms;
-	allow usbmodules_t $1:process sigchld;
-
-')
-
-########################################
-## <summary>
-##	Execute usbmodules in the usbmodules domain, and
-##	allow the specified role the usbmodules domain,
-##	and use the caller's terminal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the usbmodules domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the usbmodules domain to use.
-##	</summary>
-## </param>
-#
-interface(`usbmodules_run',`
-	gen_require(`
-		type usbmodules_t;
-	')
-
-	usbmodules_domtrans($1)
-	role $2 types usbmodules_t;
-	allow usbmodules_t $3:chr_file rw_term_perms;
-')
diff --git a/refpolicy/policy/modules/admin/usbmodules.te b/refpolicy/policy/modules/admin/usbmodules.te
deleted file mode 100644
index 76d5c5b..0000000
--- a/refpolicy/policy/modules/admin/usbmodules.te
+++ /dev/null
@@ -1,48 +0,0 @@
-
-policy_module(usbmodules,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type usbmodules_t;
-type usbmodules_exec_t;
-init_system_domain(usbmodules_t,usbmodules_exec_t)
-role system_r types usbmodules_t;
-
-########################################
-#
-# Local policy
-#
-
-
-kernel_list_proc(usbmodules_t)
-
-files_list_kernel_modules(usbmodules_t)
-
-dev_list_usbfs(usbmodules_t)
-# allow usb device access
-dev_rw_usbfs(usbmodules_t)
-
-files_list_etc(usbmodules_t)
-# needs etc_t read access for the hotplug config, maybe should have a new type
-files_read_etc_files(usbmodules_t)
-
-term_read_console(usbmodules_t)
-term_write_console(usbmodules_t)
-
-init_use_fds(usbmodules_t)
-
-libs_use_ld_so(usbmodules_t)
-libs_use_shared_libs(usbmodules_t)
-
-modutils_read_module_deps(usbmodules_t)
-
-optional_policy(`
-	hotplug_read_config(usbmodules_t)
-')
-
-optional_policy(`
-	logging_send_syslog_msg(usbmodules_t)
-')
diff --git a/refpolicy/policy/modules/admin/usermanage.fc b/refpolicy/policy/modules/admin/usermanage.fc
deleted file mode 100644
index c467144..0000000
--- a/refpolicy/policy/modules/admin/usermanage.fc
+++ /dev/null
@@ -1,33 +0,0 @@
-ifdef(`distro_gentoo',`
-/bin/passwd		--	gen_context(system_u:object_r:passwd_exec_t,s0)
-')
-
-/usr/bin/chage		--	gen_context(system_u:object_r:passwd_exec_t,s0)
-/usr/bin/chfn		--	gen_context(system_u:object_r:chfn_exec_t,s0)
-/usr/bin/chsh		--	gen_context(system_u:object_r:chfn_exec_t,s0)
-/usr/bin/gpasswd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
-/usr/bin/passwd		--	gen_context(system_u:object_r:passwd_exec_t,s0)
-/usr/bin/vigr		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-/usr/bin/vipw		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-
-/usr/lib(64)?/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
-
-/usr/sbin/crack_[a-z]*	--	gen_context(system_u:object_r:crack_exec_t,s0)
-/usr/sbin/cracklib-[a-z]* --	gen_context(system_u:object_r:crack_exec_t,s0)
-/usr/sbin/gpasswd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
-/usr/sbin/groupadd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
-/usr/sbin/groupdel	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
-/usr/sbin/groupmod	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
-/usr/sbin/grpconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-/usr/sbin/grpunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-/usr/sbin/pwconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-/usr/sbin/pwunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-/usr/sbin/useradd	--	gen_context(system_u:object_r:useradd_exec_t,s0)
-/usr/sbin/userdel	--	gen_context(system_u:object_r:useradd_exec_t,s0)
-/usr/sbin/usermod	--	gen_context(system_u:object_r:useradd_exec_t,s0)
-/usr/sbin/vigr		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-/usr/sbin/vipw		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-
-/usr/share/cracklib(/.*)?	gen_context(system_u:object_r:crack_db_t,s0)
-
-/var/cache/cracklib(/.*)?	gen_context(system_u:object_r:crack_db_t,s0)
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
deleted file mode 100644
index 9a1c41e..0000000
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ /dev/null
@@ -1,301 +0,0 @@
-## <summary>Policy for managing user accounts.</summary>
-
-########################################
-## <summary>
-##	Execute chfn in the chfn domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`usermanage_domtrans_chfn',`
-	gen_require(`
-		type chfn_t, chfn_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,chfn_exec_t,chfn_t)
-
-	allow $1 chfn_t:fd use;
-	allow chfn_t $1:fd use;
-	allow chfn_t $1:fifo_file rw_file_perms;
-	allow chfn_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute chfn in the chfn domain, and
-##	allow the specified role the chfn domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the chfn domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the chfn domain to use.
-##	</summary>
-## </param>
-#
-interface(`usermanage_run_chfn',`
-	gen_require(`
-		type chfn_t;
-	')
-
-	usermanage_domtrans_chfn($1)
-	role $2 types chfn_t;
-	allow chfn_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute groupadd in the groupadd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`usermanage_domtrans_groupadd',`
-	gen_require(`
-		type groupadd_t, groupadd_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,groupadd_exec_t,groupadd_t)
-
-	allow $1 groupadd_t:fd use;
-	allow groupadd_t $1:fd use;
-	allow groupadd_t $1:fifo_file rw_file_perms;
-	allow groupadd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute groupadd in the groupadd domain, and
-##	allow the specified role the groupadd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the groupadd domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the groupadd domain to use.
-##	</summary>
-## </param>
-#
-interface(`usermanage_run_groupadd',`
-	gen_require(`
-		type groupadd_t;
-	')
-
-	usermanage_domtrans_groupadd($1)
-	role $2 types groupadd_t;
-	allow groupadd_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute passwd in the passwd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`usermanage_domtrans_passwd',`
-	gen_require(`
-		type passwd_t, passwd_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,passwd_exec_t,passwd_t)
-
-	allow $1 passwd_t:fd use;
-	allow passwd_t $1:fd use;
-	allow passwd_t $1:fifo_file rw_file_perms;
-	allow passwd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute passwd in the passwd domain, and
-##	allow the specified role the passwd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the passwd domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the passwd domain to use.
-##	</summary>
-## </param>
-#
-interface(`usermanage_run_passwd',`
-	gen_require(`
-		type passwd_t;
-	')
-
-	usermanage_domtrans_passwd($1)
-	role $2 types passwd_t;
-	allow passwd_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute password admin functions in
-##	the admin passwd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`usermanage_domtrans_admin_passwd',`
-	gen_require(`
-		type sysadm_passwd_t, admin_passwd_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,admin_passwd_exec_t,sysadm_passwd_t)
-
-	allow $1 sysadm_passwd_t:fd use;
-	allow sysadm_passwd_t $1:fd use;
-	allow sysadm_passwd_t $1:fifo_file rw_file_perms;
-	allow sysadm_passwd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute passwd admin functions in the admin
-##	passwd domain, and allow the specified role
-##	the admin passwd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the admin passwd domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the admin passwd domain to use.
-##	</summary>
-## </param>
-#
-interface(`usermanage_run_admin_passwd',`
-	gen_require(`
-		type sysadm_passwd_t;
-	')
-
-	usermanage_domtrans_admin_passwd($1)
-	role $2 types sysadm_passwd_t;
-	allow sysadm_passwd_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute useradd in the useradd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`usermanage_domtrans_useradd',`
-	gen_require(`
-		type useradd_t, useradd_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,useradd_exec_t,useradd_t)
-
-	allow $1 useradd_t:fd use;
-	allow useradd_t $1:fd use;
-	allow useradd_t $1:fifo_file rw_file_perms;
-	allow useradd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute useradd in the useradd domain, and
-##	allow the specified role the useradd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the useradd domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the useradd domain to use.
-##	</summary>
-## </param>
-#
-interface(`usermanage_run_useradd',`
-	gen_require(`
-		type useradd_t;
-	')
-
-	usermanage_domtrans_useradd($1)
-	role $2 types useradd_t;
-	allow useradd_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Read the crack database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`usermanage_read_crack_db',`
-	gen_require(`
-		type crack_db_t;
-	')
-
-	allow $1 crack_db_t:file r_file_perms;
-')
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
deleted file mode 100644
index 446197e..0000000
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ /dev/null
@@ -1,543 +0,0 @@
-
-policy_module(usermanage,1.3.6)
-
-########################################
-#
-# Declarations
-#
-
-type admin_passwd_exec_t;
-files_type(admin_passwd_exec_t)
-
-type chfn_t;
-domain_obj_id_change_exemption(chfn_t)
-domain_type(chfn_t)
-role system_r types chfn_t;
-
-type chfn_exec_t;
-domain_entry_file(chfn_t,chfn_exec_t)
-
-type crack_t;
-domain_type(crack_t)
-role system_r types crack_t;
-
-type crack_exec_t;
-domain_entry_file(crack_t,crack_exec_t)
-
-type crack_db_t;
-files_type(crack_db_t)
-
-type crack_tmp_t;
-files_tmp_file(crack_tmp_t)
-
-type groupadd_t;
-type groupadd_exec_t;
-domain_obj_id_change_exemption(groupadd_t)
-init_system_domain(groupadd_t,groupadd_exec_t)
-role system_r types groupadd_t;
-
-type passwd_t;
-domain_obj_id_change_exemption(passwd_t)
-domain_type(passwd_t)
-role system_r types passwd_t;
-
-type passwd_exec_t;
-domain_entry_file(passwd_t,passwd_exec_t)
-
-type sysadm_passwd_t;
-domain_obj_id_change_exemption(sysadm_passwd_t)
-domain_type(sysadm_passwd_t)
-domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
-role system_r types sysadm_passwd_t;
-
-type sysadm_passwd_tmp_t;
-files_tmp_file(sysadm_passwd_tmp_t)
-
-type useradd_t;
-type useradd_exec_t;
-domain_obj_id_change_exemption(useradd_t)
-init_system_domain(useradd_t,useradd_exec_t)
-role system_r types useradd_t;
-
-########################################
-#
-# Chfn local policy
-#
-
-allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
-allow chfn_t self:process { setrlimit setfscreate };
-allow chfn_t self:fd use;
-allow chfn_t self:fifo_file rw_file_perms;
-allow chfn_t self:sock_file r_file_perms;
-allow chfn_t self:shm create_shm_perms;
-allow chfn_t self:sem create_sem_perms;
-allow chfn_t self:msgq create_msgq_perms;
-allow chfn_t self:msg { send receive };
-allow chfn_t self:unix_dgram_socket create_socket_perms;
-allow chfn_t self:unix_stream_socket create_stream_socket_perms;
-allow chfn_t self:unix_dgram_socket sendto;
-allow chfn_t self:unix_stream_socket connectto;
-
-kernel_read_system_state(chfn_t)
-kernel_read_kernel_sysctls(chfn_t)
-
-selinux_get_fs_mount(chfn_t)
-selinux_validate_context(chfn_t)
-selinux_compute_access_vector(chfn_t)
-selinux_compute_create_context(chfn_t)
-selinux_compute_relabel_context(chfn_t)
-selinux_compute_user_contexts(chfn_t)
-
-term_use_all_user_ttys(chfn_t)
-term_use_all_user_ptys(chfn_t)
-
-fs_getattr_xattr_fs(chfn_t)
-fs_search_auto_mountpoints(chfn_t)
-
-# for SSP
-dev_read_urand(chfn_t)
-
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
-
-# can exec /sbin/unix_chkpwd
-corecmd_search_bin(chfn_t)
-corecmd_search_sbin(chfn_t)
-# allow checking if a shell is executable
-corecmd_check_exec_shell(chfn_t)
-
-domain_use_interactive_fds(chfn_t)
-
-files_manage_etc_files(chfn_t)
-files_read_etc_runtime_files(chfn_t)
-files_dontaudit_search_var(chfn_t)
-
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write denials to utmp.
-init_dontaudit_rw_utmp(chfn_t)
-
-libs_use_ld_so(chfn_t)
-libs_use_shared_libs(chfn_t)
-
-miscfiles_read_localization(chfn_t)
-
-logging_send_syslog_msg(chfn_t)
-
-# uses unix_chkpwd for checking passwords
-seutil_dontaudit_search_config(chfn_t)
-
-userdom_use_unpriv_users_fds(chfn_t)
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-userdom_dontaudit_search_all_users_home_content(chfn_t)
-
-optional_policy(`
-	nis_use_ypbind(chfn_t)
-')
-
-optional_policy(`
-	nscd_socket_use(chfn_t)
-')
-
-########################################
-#
-# Crack local policy
-#
-
-allow crack_t self:process { sigkill sigstop signull signal };
-allow crack_t self:fifo_file rw_file_perms;
-
-allow crack_t crack_db_t:dir rw_dir_perms;
-allow crack_t crack_db_t:file create_file_perms;
-allow crack_t crack_db_t:lnk_file create_file_perms;
-files_search_var(crack_t)
-
-allow crack_t crack_tmp_t:dir create_dir_perms;
-allow crack_t crack_tmp_t:file create_file_perms;
-files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
-
-kernel_read_system_state(crack_t)
-
-# for SSP
-dev_read_urand(crack_t)
-
-fs_getattr_xattr_fs(crack_t)
-
-files_read_etc_files(crack_t)
-files_read_etc_runtime_files(crack_t)
-# for dictionaries
-files_read_usr_files(crack_t)
-
-corecmd_exec_bin(crack_t)
-
-libs_use_ld_so(crack_t)
-libs_use_shared_libs(crack_t)
-
-logging_send_syslog_msg(crack_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(crack_t)
-
-optional_policy(`
-	cron_system_entry(crack_t,crack_exec_t)
-')
-
-########################################
-#
-# Groupadd local policy
-#
-
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource };
-dontaudit groupadd_t self:capability fsetid;
-allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
-allow groupadd_t self:process { setrlimit setfscreate };
-allow groupadd_t self:fd use;
-allow groupadd_t self:fifo_file rw_file_perms;
-allow groupadd_t self:shm create_shm_perms;
-allow groupadd_t self:sem create_sem_perms;
-allow groupadd_t self:msgq create_msgq_perms;
-allow groupadd_t self:msg { send receive };
-allow groupadd_t self:unix_dgram_socket create_socket_perms;
-allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
-allow groupadd_t self:unix_dgram_socket sendto;
-allow groupadd_t self:unix_stream_socket connectto;
-allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-fs_getattr_xattr_fs(groupadd_t)
-fs_search_auto_mountpoints(groupadd_t)
-
-# Allow access to context for shadow file
-selinux_get_fs_mount(groupadd_t)
-selinux_validate_context(groupadd_t)
-selinux_compute_access_vector(groupadd_t)
-selinux_compute_create_context(groupadd_t)
-selinux_compute_relabel_context(groupadd_t)
-selinux_compute_user_contexts(groupadd_t)
-
-term_use_all_user_ttys(groupadd_t)
-term_use_all_user_ptys(groupadd_t)
-
-init_use_fds(groupadd_t)
-init_read_utmp(groupadd_t)
-init_dontaudit_write_utmp(groupadd_t)
-
-domain_use_interactive_fds(groupadd_t)
-
-files_manage_etc_files(groupadd_t)
-files_relabel_etc_files(groupadd_t)
-files_read_etc_runtime_files(groupadd_t)
-
-libs_use_ld_so(groupadd_t)
-libs_use_shared_libs(groupadd_t)
-
-# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
-corecmd_exec_bin(groupadd_t)
-corecmd_exec_sbin(groupadd_t)
-
-logging_send_syslog_msg(groupadd_t)
-
-miscfiles_read_localization(groupadd_t)
-
-auth_manage_shadow(groupadd_t)
-auth_relabel_shadow(groupadd_t)
-auth_etc_filetrans_shadow(groupadd_t)
-auth_rw_lastlog(groupadd_t)
-auth_use_nsswitch(groupadd_t)
-
-seutil_read_config(groupadd_t)
-
-userdom_use_unpriv_users_fds(groupadd_t)
-# for when /root is the cwd
-userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
-
-optional_policy(`
-	dpkg_use_fds(groupadd_t)
-	dpkg_rw_pipes(groupadd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(groupadd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(groupadd_t)
-')
-
-optional_policy(`
-	rpm_use_fds(groupadd_t)
-	rpm_rw_pipes(groupadd_t)
-')
-
-########################################
-#
-# Passwd local policy
-#
-
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
-allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow passwd_t self:process { setrlimit setfscreate };
-allow passwd_t self:fd use;
-allow passwd_t self:fifo_file rw_file_perms;
-allow passwd_t self:sock_file r_file_perms;
-allow passwd_t self:unix_dgram_socket create_socket_perms;
-allow passwd_t self:unix_stream_socket create_stream_socket_perms;
-allow passwd_t self:unix_dgram_socket sendto;
-allow passwd_t self:unix_stream_socket connectto;
-allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow passwd_t self:shm create_shm_perms;
-allow passwd_t self:sem create_sem_perms;
-allow passwd_t self:msgq create_msgq_perms;
-allow passwd_t self:msg { send receive };
-
-allow passwd_t crack_db_t:dir r_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
-
-kernel_read_kernel_sysctls(passwd_t)
-
-# for SSP
-dev_read_urand(passwd_t)
-
-fs_getattr_xattr_fs(passwd_t)
-fs_search_auto_mountpoints(passwd_t)
-
-mls_file_write_down(passwd_t)
-mls_file_downgrade(passwd_t)
-
-selinux_get_fs_mount(passwd_t)
-selinux_validate_context(passwd_t)
-selinux_compute_access_vector(passwd_t)
-selinux_compute_create_context(passwd_t)
-selinux_compute_relabel_context(passwd_t)
-selinux_compute_user_contexts(passwd_t)
-
-term_use_all_user_ttys(passwd_t)
-term_use_all_user_ptys(passwd_t)
-
-auth_manage_shadow(passwd_t)
-auth_relabel_shadow(passwd_t)
-auth_etc_filetrans_shadow(passwd_t)
-
-# allow checking if a shell is executable
-corecmd_check_exec_shell(passwd_t)
-
-domain_use_interactive_fds(passwd_t)
-
-files_read_etc_runtime_files(passwd_t)
-files_manage_etc_files(passwd_t)
-files_search_var(passwd_t)
-files_dontaudit_search_pids(passwd_t)
-files_relabel_etc_files(passwd_t)
-
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write denials to utmp.
-init_dontaudit_rw_utmp(passwd_t)
-
-libs_use_ld_so(passwd_t)
-libs_use_shared_libs(passwd_t)
-
-logging_send_syslog_msg(passwd_t)
-
-miscfiles_read_localization(passwd_t)
-
-seutil_dontaudit_search_config(passwd_t)
-
-userdom_use_unpriv_users_fds(passwd_t)
-# make sure that getcon succeeds
-userdom_getattr_all_users(passwd_t)
-userdom_read_all_users_state(passwd_t)
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-userdom_dontaudit_search_all_users_home_content(passwd_t)
-
-optional_policy(`
-	nis_use_ypbind(passwd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(passwd_t)
-')
-
-########################################
-#
-# Password admin local policy
-#
-
-allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow sysadm_passwd_t self:process { setrlimit setfscreate };
-allow sysadm_passwd_t self:fd use;
-allow sysadm_passwd_t self:fifo_file rw_file_perms;
-allow sysadm_passwd_t self:sock_file r_file_perms;
-allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
-allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
-allow sysadm_passwd_t self:unix_dgram_socket sendto;
-allow sysadm_passwd_t self:unix_stream_socket connectto;
-allow sysadm_passwd_t self:shm create_shm_perms;
-allow sysadm_passwd_t self:sem create_sem_perms;
-allow sysadm_passwd_t self:msgq create_msgq_perms;
-allow sysadm_passwd_t self:msg { send receive };
-
-# allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
-allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
-files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
-files_search_var(sysadm_passwd_t)
-
-kernel_read_kernel_sysctls(sysadm_passwd_t)
-# for /proc/meminfo
-kernel_read_system_state(sysadm_passwd_t)
-
-selinux_get_fs_mount(sysadm_passwd_t)
-selinux_validate_context(sysadm_passwd_t)
-selinux_compute_access_vector(sysadm_passwd_t)
-selinux_compute_create_context(sysadm_passwd_t)
-selinux_compute_relabel_context(sysadm_passwd_t)
-selinux_compute_user_contexts(sysadm_passwd_t)
-
-# for SSP
-dev_read_urand(sysadm_passwd_t)
-
-fs_getattr_xattr_fs(sysadm_passwd_t)
-fs_search_auto_mountpoints(sysadm_passwd_t)
-
-term_use_all_user_ttys(sysadm_passwd_t)
-term_use_all_user_ptys(sysadm_passwd_t)
-
-auth_manage_shadow(sysadm_passwd_t)
-auth_relabel_shadow(sysadm_passwd_t)
-auth_etc_filetrans_shadow(sysadm_passwd_t)
-
-# allow checking if a shell is executable
-corecmd_check_exec_shell(sysadm_passwd_t)
-# allow vipw to exec the editor
-corecmd_search_sbin(sysadm_passwd_t)
-corecmd_exec_bin(sysadm_passwd_t)
-corecmd_exec_shell(sysadm_passwd_t)
-files_read_usr_files(sysadm_passwd_t)
-
-domain_use_interactive_fds(sysadm_passwd_t)
-
-files_manage_etc_files(sysadm_passwd_t)
-files_relabel_etc_files(sysadm_passwd_t)
-files_read_etc_runtime_files(sysadm_passwd_t)
-# for nscd lookups
-files_dontaudit_search_pids(sysadm_passwd_t)
-
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write denials to utmp.
-init_dontaudit_rw_utmp(sysadm_passwd_t)
-
-libs_use_ld_so(sysadm_passwd_t)
-libs_use_shared_libs(sysadm_passwd_t)
-
-miscfiles_read_localization(sysadm_passwd_t)
-
-logging_send_syslog_msg(sysadm_passwd_t)
-
-seutil_dontaudit_search_config(sysadm_passwd_t)
-
-userdom_use_unpriv_users_fds(sysadm_passwd_t)
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
-
-optional_policy(`
-	nis_use_ypbind(sysadm_passwd_t)
-')
-
-########################################
-#
-# Useradd local policy
-#
-
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow useradd_t self:process setfscreate;
-allow useradd_t self:fd use;
-allow useradd_t self:fifo_file rw_file_perms;
-allow useradd_t self:shm create_shm_perms;
-allow useradd_t self:sem create_sem_perms;
-allow useradd_t self:msgq create_msgq_perms;
-allow useradd_t self:msg { send receive };
-allow useradd_t self:unix_dgram_socket create_socket_perms;
-allow useradd_t self:unix_stream_socket create_stream_socket_perms;
-allow useradd_t self:unix_dgram_socket sendto;
-allow useradd_t self:unix_stream_socket connectto;
-allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-# Allow access to context for shadow file
-selinux_get_fs_mount(useradd_t)
-selinux_validate_context(useradd_t)
-selinux_compute_access_vector(useradd_t)
-selinux_compute_create_context(useradd_t)
-selinux_compute_relabel_context(useradd_t)
-selinux_compute_user_contexts(useradd_t)
-# for getting the number of groups
-kernel_read_kernel_sysctls(useradd_t)
-
-fs_search_auto_mountpoints(useradd_t)
-fs_getattr_xattr_fs(useradd_t)
-
-term_use_all_user_ttys(useradd_t)
-term_use_all_user_ptys(useradd_t)
-
-auth_manage_shadow(useradd_t)
-auth_relabel_shadow(useradd_t)
-auth_etc_filetrans_shadow(useradd_t)
-auth_rw_lastlog(useradd_t)
-auth_use_nsswitch(useradd_t)
-
-corecmd_exec_shell(useradd_t)
-# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
-corecmd_exec_bin(useradd_t)
-corecmd_exec_sbin(useradd_t)
-
-domain_use_interactive_fds(useradd_t)
-
-files_manage_etc_files(useradd_t)
-files_search_var_lib(useradd_t)
-files_relabel_etc_files(useradd_t)
-files_read_etc_runtime_files(useradd_t)
-
-init_use_fds(useradd_t)
-init_rw_utmp(useradd_t)
-
-libs_use_ld_so(useradd_t)
-libs_use_shared_libs(useradd_t)
-
-logging_send_syslog_msg(useradd_t)
-
-miscfiles_read_localization(useradd_t)
-
-seutil_read_config(useradd_t)
-seutil_read_file_contexts(useradd_t)
-
-userdom_use_unpriv_users_fds(useradd_t)
-# for when /root is the cwd
-userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
-# Add/remove user home directories
-userdom_home_filetrans_generic_user_home_dir(useradd_t)
-userdom_manage_generic_user_home_content_dirs(useradd_t)
-userdom_manage_generic_user_home_content_files(useradd_t)
-userdom_manage_staff_home_dirs(useradd_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
-
-mta_manage_spool(useradd_t)
-
-optional_policy(`
-	dpkg_use_fds(useradd_t)
-	dpkg_rw_pipes(useradd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(useradd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(useradd_t)
-')
-
-optional_policy(`
-	rpm_use_fds(useradd_t)
-	rpm_rw_pipes(useradd_t)
-')
diff --git a/refpolicy/policy/modules/admin/vbetool.fc b/refpolicy/policy/modules/admin/vbetool.fc
deleted file mode 100644
index d00970f..0000000
--- a/refpolicy/policy/modules/admin/vbetool.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/vbetool	--	gen_context(system_u:object_r:vbetool_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/vbetool.if b/refpolicy/policy/modules/admin/vbetool.if
deleted file mode 100644
index 729e9a0..0000000
--- a/refpolicy/policy/modules/admin/vbetool.if
+++ /dev/null
@@ -1,26 +0,0 @@
-## <summary>run real-mode video BIOS code to alter hardware state</summary>
-
-########################################
-## <summary>
-##	Execute vbetool application in the vbetool domain.
-## </summary>
-## <param name="domain" optional="true">
-##	<summary>
-##	N/A
-##	</summary>
-## </param>
-#
-interface(`vbetool_domtrans',`
-	gen_require(`
-		type vbetool_t, vbetool_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,vbetool_exec_t,vbetool_t)
-
-	allow $1 vbetool_t:fd use;
-	allow vbetool_t $1:fd use;
-	allow vbetool_t $1:fifo_file rw_file_perms;
-	allow vbetool_t $1:process sigchld;
-
-')
diff --git a/refpolicy/policy/modules/admin/vbetool.te b/refpolicy/policy/modules/admin/vbetool.te
deleted file mode 100644
index bdeef88..0000000
--- a/refpolicy/policy/modules/admin/vbetool.te
+++ /dev/null
@@ -1,35 +0,0 @@
-
-policy_module(vbetool,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type vbetool_t;
-type vbetool_exec_t;
-init_system_domain(vbetool_t,vbetool_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-allow vbetool_t self:capability { sys_tty_config sys_admin };
-allow vbetool_t self:process execmem;
-
-dev_wx_raw_memory(vbetool_t)
-dev_read_raw_memory(vbetool_t)
-dev_rwx_zero(vbetool_t)
-dev_read_sysfs(vbetool_t)
-
-term_use_unallocated_ttys(vbetool_t)
-
-libs_use_ld_so(vbetool_t)
-libs_use_shared_libs(vbetool_t)
-
-miscfiles_read_localization(vbetool_t)
-
-optional_policy(`
-	hal_rw_pid_files(vbetool_t)
-')
diff --git a/refpolicy/policy/modules/admin/vpn.fc b/refpolicy/policy/modules/admin/vpn.fc
deleted file mode 100644
index e323978..0000000
--- a/refpolicy/policy/modules/admin/vpn.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# /usr
-#
-/usr/sbin/vpnc		--	gen_context(system_u:object_r:vpnc_exec_t,s0)
-
-#
-# sbin
-#
-/sbin/vpnc		--	gen_context(system_u:object_r:vpnc_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/vpn.if b/refpolicy/policy/modules/admin/vpn.if
deleted file mode 100644
index eb9b4eb..0000000
--- a/refpolicy/policy/modules/admin/vpn.if
+++ /dev/null
@@ -1,73 +0,0 @@
-## <summary>Virtual Private Networking client</summary>
-
-########################################
-## <summary>
-##	Execute VPN clients in the vpnc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`vpn_domtrans',`
-	gen_require(`
-		type vpnc_t, vpnc_exec_t;
-	')
-
-	domain_auto_trans($1,vpnc_exec_t,vpnc_t)
-
-	allow $1 vpnc_t:fd use;
-	allow vpnc_t $1:fd use;
-	allow vpnc_t $1:fifo_file rw_file_perms;
-	allow vpnc_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute VPN clients in the vpnc domain, and
-##	allow the specified role the vpnc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the vpnc domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the vpnc domain to use.
-##	</summary>
-## </param>
-#
-interface(`vpn_run',`
-	gen_require(`
-		type vpnc_t;
-	')
-
-	vpn_domtrans($1)
-	role $2 types vpnc_t;
-	allow vpnc_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Send generic signals to VPN clients.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`vpn_signal',`
-	gen_require(`
-		type vpnc_t;
-	')
-
-	allow $1 vpnc_t:process signal;
-')
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
deleted file mode 100644
index 0c6b877..0000000
--- a/refpolicy/policy/modules/admin/vpn.te
+++ /dev/null
@@ -1,121 +0,0 @@
-
-policy_module(vpn,1.2.3)
-
-########################################
-#
-# Declarations
-#
-
-type vpnc_t;
-domain_type(vpnc_t)
-
-type vpnc_exec_t;
-domain_entry_file(vpnc_t,vpnc_exec_t)
-role system_r types vpnc_t;
-
-type vpnc_tmp_t;
-files_tmp_file(vpnc_tmp_t)
-
-type vpnc_var_run_t;
-files_pid_file(vpnc_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow vpnc_t self:capability { net_admin ipc_lock net_raw };
-allow vpnc_t self:process getsched;
-allow vpnc_t self:fifo_file { getattr ioctl read write };
-allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
-allow vpnc_t self:tcp_socket create_stream_socket_perms;
-allow vpnc_t self:udp_socket create_socket_perms;
-allow vpnc_t self:rawip_socket create_socket_perms;
-allow vpnc_t self:unix_dgram_socket create_socket_perms;
-allow vpnc_t self:unix_stream_socket create_socket_perms;
-# cjp: this needs to be fixed
-allow vpnc_t self:socket create_socket_perms;
-
-allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
-allow vpnc_t vpnc_tmp_t:file create_file_perms;
-files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
-
-allow vpnc_t vpnc_var_run_t:file create_file_perms;
-allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
-
-kernel_read_system_state(vpnc_t)
-kernel_read_network_state(vpnc_t)
-kernel_read_kernel_sysctls(vpnc_t)
-kernel_rw_net_sysctls(vpnc_t)
-
-corenet_non_ipsec_sendrecv(vpnc_t)
-corenet_tcp_sendrecv_all_if(vpnc_t)
-corenet_udp_sendrecv_all_if(vpnc_t)
-corenet_raw_sendrecv_all_if(vpnc_t)
-corenet_tcp_sendrecv_all_nodes(vpnc_t)
-corenet_udp_sendrecv_all_nodes(vpnc_t)
-corenet_raw_sendrecv_all_nodes(vpnc_t)
-corenet_tcp_sendrecv_all_ports(vpnc_t)
-corenet_udp_sendrecv_all_ports(vpnc_t)
-corenet_udp_bind_all_nodes(vpnc_t)
-corenet_udp_bind_generic_port(vpnc_t)
-corenet_udp_bind_isakmp_port(vpnc_t)
-corenet_tcp_connect_all_ports(vpnc_t)
-corenet_sendrecv_all_client_packets(vpnc_t)
-corenet_sendrecv_isakmp_server_packets(vpnc_t)
-corenet_sendrecv_generic_server_packets(vpnc_t)
-corenet_rw_tun_tap_dev(vpnc_t)
-
-dev_read_rand(vpnc_t)
-dev_read_urand(vpnc_t)
-dev_read_sysfs(vpnc_t)
-
-fs_getattr_xattr_fs(vpnc_t)
-fs_getattr_tmpfs(vpnc_t)
-
-term_use_all_user_ptys(vpnc_t)
-term_use_all_user_ttys(vpnc_t)
-
-corecmd_exec_all_executables(vpnc_t)
-
-files_exec_etc_files(vpnc_t)
-files_read_etc_runtime_files(vpnc_t)
-files_read_etc_files(vpnc_t)
-files_dontaudit_search_home(vpnc_t)
-
-libs_exec_ld_so(vpnc_t)
-libs_exec_lib_files(vpnc_t)
-libs_use_ld_so(vpnc_t)
-libs_use_shared_libs(vpnc_t)
-
-locallogin_use_fds(vpnc_t)
-
-logging_send_syslog_msg(vpnc_t)
-
-miscfiles_read_localization(vpnc_t)
-
-seutil_dontaudit_search_config(vpnc_t)
-
-sysnet_exec_ifconfig(vpnc_t)
-sysnet_etc_filetrans_config(vpnc_t)
-sysnet_manage_config(vpnc_t)
-
-userdom_use_all_users_fds(vpnc_t)
-userdom_dontaudit_search_all_users_home_content(vpnc_t)
-
-optional_policy(`
-	dbus_system_bus_client_template(vpnc,vpnc_t)
-	dbus_send_system_bus(vpnc_t)
-	optional_policy(`
-		networkmanager_dbus_chat(vpnc_t)
-	')
-')
-
-optional_policy(`
-        nis_use_ypbind(vpnc_t)
-')
-
-optional_policy(`
-	nscd_socket_use(vpnc_t)
-')
diff --git a/refpolicy/policy/modules/apps/ada.fc b/refpolicy/policy/modules/apps/ada.fc
deleted file mode 100644
index 01a8572..0000000
--- a/refpolicy/policy/modules/apps/ada.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# /usr
-#
-ifdef(`targeted_policy',`
-/usr/bin/gnatbind	--	gen_context(system_u:object_r:ada_exec_t,s0)
-/usr/bin/gnatls		--	gen_context(system_u:object_r:ada_exec_t,s0)
-/usr/bin/gnatmake	--	gen_context(system_u:object_r:ada_exec_t,s0)
-/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
-')
diff --git a/refpolicy/policy/modules/apps/ada.if b/refpolicy/policy/modules/apps/ada.if
deleted file mode 100644
index 6d8950f..0000000
--- a/refpolicy/policy/modules/apps/ada.if
+++ /dev/null
@@ -1,29 +0,0 @@
-## <summary>GNAT Ada95 compiler</summary>
-
-########################################
-## <summary>
-##	Execute the ada program in the ada domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ada_domtrans',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type ada_t, ada_exec_t;
-		')
-
-		corecmd_search_bin($1)
-		domain_auto_trans($1, ada_exec_t, ada_t)
-
-		allow $1 ada_t:fd use;
-		allow ada_t $1:fd use;
-		allow ada_t $1:fifo_file rw_file_perms;
-		allow ada_t $1:process sigchld;
-	',`
-		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
-	')
-')
diff --git a/refpolicy/policy/modules/apps/ada.te b/refpolicy/policy/modules/apps/ada.te
deleted file mode 100644
index f8167b8..0000000
--- a/refpolicy/policy/modules/apps/ada.te
+++ /dev/null
@@ -1,23 +0,0 @@
-
-policy_module(ada,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type ada_t;
-type ada_exec_t;
-domain_type(ada_t)
-domain_entry_file(ada_t,ada_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-ifdef(`targeted_policy',`
-	allow ada_t self:process { execstack execmem };
-	unconfined_domain_noaudit(ada_t)
-	role system_r types ada_t;
-')
diff --git a/refpolicy/policy/modules/apps/authbind.fc b/refpolicy/policy/modules/apps/authbind.fc
deleted file mode 100644
index 48cf11b..0000000
--- a/refpolicy/policy/modules/apps/authbind.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/etc/authbind(/.*)?			gen_context(system_u:object_r:authbind_etc_t,s0)
-
-/usr/lib(64)?/authbind/helper	--	gen_context(system_u:object_r:authbind_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/authbind.if b/refpolicy/policy/modules/apps/authbind.if
deleted file mode 100644
index 84134d0..0000000
--- a/refpolicy/policy/modules/apps/authbind.if
+++ /dev/null
@@ -1,23 +0,0 @@
-## <summary>Tool for non-root processes to bind to reserved ports</summary>
-
-########################################
-## <summary>
-##	Use authbind to bind to a reserved port.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`authbind_domtrans',`
-	gen_require(`
-		type authbind_t, authbind_exec_t;
-	')
-
-	domain_auto_trans($1,authbind_exec_t,authbind_t)
-	allow authbind_t $1:fd use;
-	allow authbind_t $1:fifo_file rw_file_perms;
-	allow authbind_t $1:process sigchld;
-	allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
-')
diff --git a/refpolicy/policy/modules/apps/authbind.te b/refpolicy/policy/modules/apps/authbind.te
deleted file mode 100644
index 292dda2..0000000
--- a/refpolicy/policy/modules/apps/authbind.te
+++ /dev/null
@@ -1,36 +0,0 @@
-
-policy_module(authbind,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type authbind_t;
-type authbind_exec_t;
-domain_type(authbind_t)
-domain_entry_file(authbind_t,authbind_exec_t)
-role system_r types authbind_t;
-
-type authbind_etc_t;
-files_config_file(authbind_etc_t)
-
-########################################
-#
-# Local policy
-#
-
-allow authbind_t self:capability net_bind_service;
-
-can_exec(authbind_t, authbind_etc_t)
-allow authbind_t authbind_etc_t:file r_file_perms;
-allow authbind_t authbind_etc_t:dir r_dir_perms;
-allow authbind_t authbind_etc_t:lnk_file { getattr read };
-files_list_etc(authbind_t)
-
-term_use_console(authbind_t)
-
-logging_send_syslog_msg(authbind_t)
-
-libs_use_ld_so(authbind_t)
-libs_use_shared_libs(authbind_t)
diff --git a/refpolicy/policy/modules/apps/calamaris.fc b/refpolicy/policy/modules/apps/calamaris.fc
deleted file mode 100644
index 9cbd0a0..0000000
--- a/refpolicy/policy/modules/apps/calamaris.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# /etc
-#
-/etc/cron\.daily/calamaris --	gen_context(system_u:object_r:calamaris_exec_t,s0)
-
-#
-# /var
-#
-/var/log/calamaris(/.*)?	gen_context(system_u:object_r:calamaris_log_t,s0)
-/var/www/calamaris(/.*)?	gen_context(system_u:object_r:calamaris_www_t,s0)
diff --git a/refpolicy/policy/modules/apps/calamaris.if b/refpolicy/policy/modules/apps/calamaris.if
deleted file mode 100644
index e180a59..0000000
--- a/refpolicy/policy/modules/apps/calamaris.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>Squid log analysis</summary>
-
-#######################################
-## <summary>
-##	Allow domain to read calamaris www files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`calamaris_read_www_files',`
-	gen_require(`
-		type calamaris_www_t;
-	')
-
-	allow $1 calamaris_www_t:dir r_dir_perms;
-	allow $1 calamaris_www_t:file r_file_perms;
-	allow $1 calamaris_www_t:lnk_file { getattr read };
-')
diff --git a/refpolicy/policy/modules/apps/calamaris.te b/refpolicy/policy/modules/apps/calamaris.te
deleted file mode 100644
index a680581..0000000
--- a/refpolicy/policy/modules/apps/calamaris.te
+++ /dev/null
@@ -1,93 +0,0 @@
-
-policy_module(calamaris,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type calamaris_t;
-type calamaris_exec_t;
-init_system_domain(calamaris_t,calamaris_exec_t)
-
-type calamaris_www_t;
-files_type(calamaris_www_t)
-
-type calamaris_log_t;
-logging_log_file(calamaris_log_t)
-
-########################################
-#
-# Local policy
-#
-
-# for when squid has a different UID
-allow calamaris_t self:capability dac_override;
-allow calamaris_t self:process { fork signal_perms setsched };
-allow calamaris_t self:fifo_file { getattr read write ioctl };
-allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
-allow calamaris_t self:tcp_socket create_stream_socket_perms;
-allow calamaris_t self:udp_socket create_socket_perms;
-
-allow calamaris_t calamaris_www_t:dir rw_dir_perms;
-allow calamaris_t calamaris_www_t:file manage_file_perms;
-allow calamaris_t calamaris_www_t:lnk_file create_lnk_perms;
-
-allow calamaris_t calamaris_log_t:file create_file_perms;
-allow calamaris_t calamaris_log_t:dir rw_dir_perms;
-logging_log_filetrans(calamaris_t,calamaris_log_t,{ file dir })
-
-kernel_read_all_sysctls(calamaris_t)
-kernel_read_system_state(calamaris_t)
-
-corecmd_exec_bin(calamaris_t)
-
-corenet_non_ipsec_sendrecv(calamaris_t)
-corenet_tcp_sendrecv_generic_if(calamaris_t)
-corenet_udp_sendrecv_generic_if(calamaris_t)
-corenet_tcp_sendrecv_all_nodes(calamaris_t)
-corenet_udp_sendrecv_all_nodes(calamaris_t)
-corenet_tcp_sendrecv_all_ports(calamaris_t)
-corenet_udp_sendrecv_all_ports(calamaris_t)
-
-dev_read_urand(calamaris_t)
-
-files_search_pids(calamaris_t)
-files_read_etc_files(calamaris_t)
-files_read_usr_files(calamaris_t)
-files_read_var_files(calamaris_t)
-files_read_etc_runtime_files(calamaris_t)
-
-libs_read_lib_files(calamaris_t)
-libs_use_ld_so(calamaris_t)
-libs_use_shared_libs(calamaris_t)
-
-logging_send_syslog_msg(calamaris_t)
-
-miscfiles_read_localization(calamaris_t)
-
-sysnet_read_config(calamaris_t)
-
-userdom_dontaudit_list_sysadm_home_dirs(calamaris_t)
-
-squid_read_log(calamaris_t)
-
-optional_policy(`
-	apache_search_sys_content(calamaris_t)
-')
-
-optional_policy(`
-	bind_udp_chat_named(calamaris_t)
-')
-
-optional_policy(`
-	cron_system_entry(calamaris_t,calamaris_exec_t)
-')
-
-optional_policy(`
-	mta_send_mail(calamaris_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(calamaris_t)
-')
diff --git a/refpolicy/policy/modules/apps/cdrecord.fc b/refpolicy/policy/modules/apps/cdrecord.fc
deleted file mode 100644
index 12deb68..0000000
--- a/refpolicy/policy/modules/apps/cdrecord.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# /usr
-#
-/usr/bin/cdrecord	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
-
diff --git a/refpolicy/policy/modules/apps/cdrecord.if b/refpolicy/policy/modules/apps/cdrecord.if
deleted file mode 100644
index f756bc4..0000000
--- a/refpolicy/policy/modules/apps/cdrecord.if
+++ /dev/null
@@ -1,203 +0,0 @@
-## <summary>Policy for cdrecord</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the cdrecord module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates derived domains which are used
-##	for cdrecord.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`cdrecord_per_userdomain_template', `
-
-	gen_require(`
-		type cdrecord_exec_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_cdrecord_t;
-	domain_type($1_cdrecord_t)
-	domain_entry_file($1_cdrecord_t,cdrecord_exec_t)
-	role $3 types $1_cdrecord_t;
-
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-	allow $1_cdrecord_t self:process { getsched setsched sigkill };
-	allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
-	allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
-
-	allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
-
-	# allow ps to show cdrecord and allow the user to kill it 
-	allow $2 $1_cdrecord_t:dir { search getattr read };
-	allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
-	allow $2 $1_cdrecord_t:process getattr;
-	#We need to suppress this denial because procps
-	#tries to access /proc/pid/environ and this now
-	#triggers a ptrace check in recent kernels
-	# (2.4 and 2.6). Might want to change procps
-	#to not do this, or only if running in a privileged domain.
-	dontaudit $2 $1_cdrecord_t:process ptrace;
-	allow $2 $1_cdrecord_t:process signal;
-
-	# Transition from the user domain to the derived domain.
-	domain_auto_trans($2, cdrecord_exec_t, $1_cdrecord_t)
-	allow $2 $1_cdrecord_t:fd use;
-	allow $1_cdrecord_t $2:fd use;
-	allow $1_cdrecord_t $2:fifo_file rw_file_perms;
-	allow $1_cdrecord_t $2:process sigchld;
-
-	# allow searching for cdrom-drive
-	dev_list_all_dev_nodes($1_cdrecord_t) 
-	
-	domain_interactive_fd($1_cdrecord_t)
-	domain_use_interactive_fds($1_cdrecord_t)
-
-	files_read_etc_files($1_cdrecord_t)
-
-	term_use_controlling_term($1_cdrecord_t)
-	term_list_ptys($1_cdrecord_t)
-
-	# allow cdrecord to write the CD
-	storage_raw_write_removable_device($1_cdrecord_t)
-	storage_write_scsi_generic($1_cdrecord_t)
-	
-	libs_use_ld_so($1_cdrecord_t)
-	libs_use_shared_libs($1_cdrecord_t)
-
-	logging_send_syslog_msg($1_cdrecord_t)
-
-	miscfiles_read_localization($1_cdrecord_t)
-
-	# write to the user domain tty.
-	userdom_use_user_terminals($1,$1_cdrecord_t)
-	userdom_use_user_terminals($1,$2)
-
-	userdom_read_user_home_content_files($1,$1_cdrecord_t)
-
-	# Handle nfs home dirs
-	tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_cdrecord_t)
-		files_list_home($1_cdrecord_t)
-		fs_read_nfs_files($1_cdrecord_t)
-		fs_read_nfs_symlinks($1_cdrecord_t)
-	
-	',`
-		files_dontaudit_list_home($1_cdrecord_t)
-		fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
-		fs_dontaudit_read_nfs_files($1_cdrecord_t)
-		fs_dontaudit_list_nfs($1_cdrecord_t)
-	')
-	# Handle samba home dirs
-	tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_cdrecord_t)
-		files_list_home($1_cdrecord_t)
-		fs_read_cifs_files($1_cdrecord_t)
-		fs_read_cifs_symlinks($1_cdrecord_t)
-	',`
-		files_dontaudit_list_home($1_cdrecord_t)
-		fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
-		fs_dontaudit_read_cifs_files($1_cdrecord_t)
-		fs_dontaudit_list_cifs($1_cdrecord_t)
-	')
-	
-	# Handle removable media, /tmp, and /home
-	tunable_policy(`cdrecord_read_content',`
-		userdom_list_user_tmp($1,$1_cdrecord_t)
-		userdom_read_user_tmp_files($1,$1_cdrecord_t)
-		userdom_read_user_tmp_symlinks($1,$1_cdrecord_t)
-		userdom_search_user_home_dirs($1,$1_cdrecord_t)
-		userdom_read_user_home_content_files($1,$1_cdrecord_t)
-		userdom_read_user_home_content_symlinks($1,$1_cdrecord_t)
-		
-		ifdef(`enable_mls',`
-		',`
-			fs_search_removable($1_cdrecord_t)
-			fs_read_removable_files($1_cdrecord_t)
-			fs_read_removable_symlinks($1_cdrecord_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_cdrecord_t)
-		files_dontaudit_list_home($1_cdrecord_t)
-		fs_dontaudit_list_removable($1_cdrecord_t)
-		fs_dontaudit_read_removable_files($1_cdrecord_t)
-		userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
-		userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
-		userdom_dontaudit_read_user_home_content_files($1,$1_cdrecord_t)
-	')
-	
-	# Handle default_t content
-	tunable_policy(`cdrecord_read_content && read_default_t',`
-		files_list_default($1_cdrecord_t)
-		files_read_default_files($1_cdrecord_t)
-		files_read_default_symlinks($1_cdrecord_t)
-	',`
-		files_dontaudit_read_default_files($1_cdrecord_t)
-		files_dontaudit_list_default($1_cdrecord_t)
-	')
-	
-	# Handle untrusted content
-	tunable_policy(`cdrecord_read_content && read_untrusted_content',`
-		files_list_tmp($1_cdrecord_t)
-		files_list_home($1_cdrecord_t)
-		userdom_search_user_home_dirs($1,$1_cdrecord_t)
-
-		userdom_list_user_untrusted_content($1,$1_cdrecord_t)
-		userdom_read_user_untrusted_content_files($1,$1_cdrecord_t)
-		userdom_read_user_untrusted_content_symlinks($1,$1_cdrecord_t)
-		userdom_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
-		userdom_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_cdrecord_t)
-	',`
-		files_dontaudit_list_tmp($1_cdrecord_t)
-		files_dontaudit_list_home($1_cdrecord_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
-		userdom_dontaudit_list_user_untrusted_content($1,$1_cdrecord_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1,$1_cdrecord_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		files_search_mnt($1_cdrecord_t)
-		fs_read_nfs_files($1_cdrecord_t)
-		fs_read_nfs_symlinks($1_cdrecord_t)
-	')
-	
-	optional_policy(`
-		resmgr_stream_connect($1_cdrecord_t)
-	')
-')
diff --git a/refpolicy/policy/modules/apps/cdrecord.te b/refpolicy/policy/modules/apps/cdrecord.te
deleted file mode 100644
index 8785b3c..0000000
--- a/refpolicy/policy/modules/apps/cdrecord.te
+++ /dev/null
@@ -1,10 +0,0 @@
-
-policy_module(cdrecord,1.0.3)
-
-########################################
-#
-# Declarations
-#
-
-type cdrecord_exec_t;
-corecmd_executable_file(cdrecord_exec_t)
diff --git a/refpolicy/policy/modules/apps/ethereal.fc b/refpolicy/policy/modules/apps/ethereal.fc
deleted file mode 100644
index 12ae276..0000000
--- a/refpolicy/policy/modules/apps/ethereal.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-
-/usr/sbin/ethereal.*		--	gen_context(system_u:object_r:ethereal_exec_t,s0)
-/usr/sbin/tethereal.*		--	gen_context(system_u:object_r:tethereal_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.ethereal(/.*)? 		gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
-')
diff --git a/refpolicy/policy/modules/apps/ethereal.if b/refpolicy/policy/modules/apps/ethereal.if
deleted file mode 100644
index 6215059..0000000
--- a/refpolicy/policy/modules/apps/ethereal.if
+++ /dev/null
@@ -1,303 +0,0 @@
-## <summary>Ethereal packet capture tool.</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the ethereal module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for ethereal packet capture tool.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`ethereal_per_userdomain_template',`
-
-	##############################
-	#
-	# Declarations
-	#
-
-	# Type for program
-	type $1_ethereal_t;
-	domain_type($1_ethereal_t)
-	domain_entry_file($1_ethereal_t,ethereal_exec_t)
-	role $3 types $1_ethereal_t;
-
-	type $1_ethereal_home_t alias $1_ethereal_rw_t;
-	files_poly_member($1_ethereal_home_t)
-	userdom_user_home_content($1,$1_ethereal_home_t)
-
-	type $1_ethereal_tmp_t;
-	files_tmp_file($1_ethereal_tmp_t)
-
-	type $1_ethereal_tmpfs_t;
-	files_tmpfs_file($1_ethereal_tmpfs_t)
-
-	##############################
-	#
-	# Local Policy
-	#
-
-	allow $1_ethereal_t self:capability { net_admin net_raw setgid };
-	allow $1_ethereal_t self:process { signal getsched };
-	allow $1_ethereal_t self:fifo_file { getattr read write };
-	allow $1_ethereal_t self:shm destroy;
-	allow $1_ethereal_t self:shm create_shm_perms;
-	allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
-	allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
-	allow $1_ethereal_t self:tcp_socket create_socket_perms;
-	allow $1_ethereal_t self:udp_socket create_socket_perms;
-
-	# Store temporary files
-	allow $1_ethereal_t $1_ethereal_tmp_t:dir create_dir_perms;
-	allow $1_ethereal_t $1_ethereal_tmp_t:file create_file_perms;
-	files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
-
-	# Re-execute itself (why?)
-	can_exec($1_ethereal_t, ethereal_exec_t)
-	corecmd_search_sbin($1_ethereal_t)
-
-	# /home/.ethereal
-	allow $1_ethereal_t $1_ethereal_home_t:dir manage_dir_perms;
-	allow $1_ethereal_t $1_ethereal_home_t:file manage_file_perms;
-	allow $1_ethereal_t $1_ethereal_home_t:lnk_file create_lnk_perms;
-	userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir)
-
-	allow $1_ethereal_t $1_ethereal_tmpfs_t:dir manage_dir_perms;
-	allow $1_ethereal_t $1_ethereal_tmpfs_t:file manage_file_perms;
-	allow $1_ethereal_t $1_ethereal_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_ethereal_t $1_ethereal_tmpfs_t:sock_file manage_file_perms;
-	allow $1_ethereal_t $1_ethereal_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
-	allow $1_ethereal_t $2:fd use;
-	allow $1_ethereal_t $2:process sigchld;
-
-	allow $2 $1_ethereal_home_t:dir manage_dir_perms;
-	allow $2 $1_ethereal_home_t:file manage_file_perms;
-	allow $2 $1_ethereal_home_t:lnk_file create_lnk_perms;
-	allow $2 $1_ethereal_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-	kernel_read_kernel_sysctls($1_ethereal_t)
-	kernel_read_system_state($1_ethereal_t)
-	kernel_read_sysctl($1_ethereal_t)
-
-	corecmd_search_bin($1_ethereal_t)
-
-	corenet_tcp_connect_generic_port($1_ethereal_t)
-	corenet_tcp_sendrecv_generic_if($1_ethereal_t)
-	
-	dev_read_urand($1_ethereal_t)
-
-	files_read_etc_files($1_ethereal_t)
-	files_read_usr_files($1_ethereal_t)
-
-	fs_list_inotifyfs($1_ethereal_t)
-	fs_search_auto_mountpoints($1_ethereal_t)
-
-	libs_read_lib_files($1_ethereal_t)
-	libs_use_ld_so($1_ethereal_t)
-	libs_use_shared_libs($1_ethereal_t)
-
-	miscfiles_read_fonts($1_ethereal_t)
-	miscfiles_read_localization($1_ethereal_t)
-
-	seutil_use_newrole_fds($1_ethereal_t)
-
-	sysnet_read_config($1_ethereal_t)
-
-	userdom_manage_user_home_content_files($1,$1_ethereal_t)
-	
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_ethereal_t)
-		fs_manage_nfs_files($1_ethereal_t)
-		fs_manage_nfs_symlinks($1_ethereal_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_ethereal_t)
-		fs_manage_cifs_files($1_ethereal_t)
-		fs_manage_cifs_symlinks($1_ethereal_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_ethereal_t)
-	')
-
-	# Manual transition from userhelper 
-	optional_policy(`
-		userhelper_use_user_fd($1,$1_ethereal_t)
-		userhelper_sigchld_user($1,$1_ethereal_t)
-	')
-
-	optional_policy(`
-		xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t)
-		xserver_create_xdm_tmp_sockets($1_ethereal_t)
-	')
-	
-	ifdef(`TODO',`
-		# Why does it write this?
-		optional_policy(`
-			dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
-		')
-		#TODO
-		gnome_application($1_ethereal, $1)
-		gnome_file_dialog($1_ethereal, $1)
-		# FIXME: policy is incomplete
-	')
-	
-')
-
-#######################################
-## <summary>
-##	The administrative functions template for the ethereal module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates rules for administrating ethereal,
-##	allowing the specified user to manage ethereal files.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-#
-template(`ethereal_admin_template',`
-	gen_require(`
-		type $1_ethereal_t;
-	')
-
-	# Create various types of sockets
-	allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms;
-	allow $1_ethereal_t self:udp_socket create_socket_perms;
-	allow $1_ethereal_t self:packet_socket create_socket_perms;
-	allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_ethereal_t self:tcp_socket create_socket_perms;
-	
-	userdom_use_user_terminals($1,$1_ethereal_t)
-	# Ethereal tries to write to user terminal
-	userdom_dontaudit_use_user_terminals($1,$1_ethereal_t)
-')
-
-########################################
-## <summary>
-##	Run ethereal in ethereal domain.
-## </summary>
-## <desc>
-##	<p>
-##	Run ethereal in ethereal domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`ethereal_domtrans_user_ethereal',`
-	gen_require(`
-		type $1_ethereal_t, ethereal_exec_t;
-	')
-
-	domain_auto_trans($2,ethereal_exec_t,$1_ethereal_t)
-
-	allow $2 $1_ethereal_t:fd use;
-	allow $1_ethereal_t $2:fd use;
-	allow $1_ethereal_t $2:fifo_file rw_file_perms;
-	allow $1_ethereal_t $2:process sigchld;
-')
-
-########################################
-## <summary>
-##	Run tethereal in the tethereal domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`ethereal_domtrans_tethereal',`
-	gen_require(`
-		type tethereal_t, tethereal_exec_t;
-	')
-
-	domain_auto_trans($1,tethereal_exec_t,tethereal_t)
-
-	allow $1 tethereal_t:fd use;
-	allow tethereal_t $1:fd use;
-	allow tethereal_t $1:fifo_file rw_file_perms;
-	allow tethereal_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute tethereal in the tethereal domain, and
-##	allow the specified role the tethereal domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the tethereal domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the tethereal domain to use.
-##	</summary>
-## </param>
-#
-interface(`ethereal_run_tethereal',`
-	gen_require(`
-		type tethereal_t;
-	')
-
-	ethereal_domtrans_tethereal($1)
-	role $2 types tethereal_t;
-	allow tethereal_t $3:chr_file rw_term_perms;
-')
diff --git a/refpolicy/policy/modules/apps/ethereal.te b/refpolicy/policy/modules/apps/ethereal.te
deleted file mode 100644
index 6b8b6dd..0000000
--- a/refpolicy/policy/modules/apps/ethereal.te
+++ /dev/null
@@ -1,57 +0,0 @@
-
-policy_module(ethereal,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type ethereal_exec_t;
-corecmd_executable_file(ethereal_exec_t)
-
-type tethereal_t;
-type tethereal_exec_t;
-domain_type(tethereal_t)
-domain_entry_file(tethereal_t,tethereal_exec_t)
-
-type tethereal_tmp_t;
-files_tmp_file(tethereal_tmp_t)
-
-########################################
-#
-# Tethereal policy
-#
-
-allow tethereal_t tethereal_t : capability { dac_override dac_read_search setgid setuid net_raw };
-allow tethereal_t self:unix_stream_socket create_stream_socket_perms;
-allow tethereal_t self:netlink_route_socket create_netlink_socket_perms;
-allow tethereal_t self:packet_socket create_socket_perms;
-allow tethereal_t self:tcp_socket create_socket_perms;
-allow tethereal_t self:udp_socket create_socket_perms;
-
-# Store temporary files
-allow tethereal_t tethereal_tmp_t:dir create_dir_perms;
-allow tethereal_t tethereal_tmp_t:file create_file_perms;
-files_tmp_filetrans(tethereal_t, tethereal_tmp_t, { dir file })
-
-# /proc
-kernel_read_all_sysctls(tethereal_t)
-kernel_read_system_state(tethereal_t)
-
-# Read ethereal files in /usr
-files_read_usr_files(tethereal_t)
-# /etc/nsswitch.conf
-files_read_etc_files(tethereal_t)
-
-libs_use_ld_so(tethereal_t)
-libs_use_shared_libs(tethereal_t)
-
-miscfiles_read_localization(tethereal_t)
-
-seutil_use_newrole_fds(tethereal_t)
-
-sysnet_dns_name_resolve(tethereal_t)
-
-optional_policy(`
-	nscd_socket_use(tethereal_t)
-')
diff --git a/refpolicy/policy/modules/apps/evolution.fc b/refpolicy/policy/modules/apps/evolution.fc
deleted file mode 100644
index c3ded67..0000000
--- a/refpolicy/policy/modules/apps/evolution.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-
-#
-# /tmp
-#
-/tmp/\.exchange-USER(/.*)?					gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0)
-
-#
-# /usr
-#
-/usr/bin/evolution.*					--	gen_context(system_u:object_r:evolution_exec_t,s0)
-
-/usr/libexec/evolution/.*evolution-alarm-notify.*	--	gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
-/usr/libexec/evolution/.*evolution-exchange-storage.*	--	gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
-/usr/libexec/evolution-data-server.*			--	gen_context(system_u:object_r:evolution_server_exec_t,s0)
-/usr/libexec/evolution-webcal.*				--	gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.evolution(/.*)?					gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
-HOME_DIR/\.camel_certs(/.*)?					gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
-')
diff --git a/refpolicy/policy/modules/apps/evolution.if b/refpolicy/policy/modules/apps/evolution.if
deleted file mode 100644
index 946a9fb..0000000
--- a/refpolicy/policy/modules/apps/evolution.if
+++ /dev/null
@@ -1,820 +0,0 @@
-## <summary>Evolution email client</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the evolution module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for evolution email client and other related evolution applications such as webcal and alarm
-##	type is also created to protect the user evolution keys.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`evolution_per_userdomain_template',`
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_evolution_t;
-	domain_type($1_evolution_t)
-	domain_entry_file($1_evolution_t,evolution_exec_t)
-	role $3 types $1_evolution_t;
-
-	type $1_evolution_tmpfs_t;
-	files_tmpfs_file($1_evolution_tmpfs_t)
-
-	type $1_evolution_home_t alias $1_evolution_rw_t;
-	files_poly_member($1_evolution_home_t)
-	userdom_user_home_content($1,$1_evolution_home_t)
-
-	type $1_evolution_orbit_tmp_t;
-	files_type($1_evolution_orbit_tmp_t)
-	
-	type $1_evolution_alarm_t;
-	domain_type($1_evolution_alarm_t)
-	domain_entry_file($1_evolution_alarm_t,evolution_alarm_exec_t)
-	role $3 types $1_evolution_alarm_t;
-
-	type $1_evolution_alarm_tmpfs_t;
-	files_tmpfs_file($1_evolution_alarm_tmpfs_t)
-
-	type $1_evolution_alarm_orbit_tmp_t;
-	files_type($1_evolution_alarm_orbit_tmp_t)
-
-	type $1_evolution_exchange_t;
-	domain_type($1_evolution_exchange_t)
-	domain_entry_file($1_evolution_exchange_t,evolution_exchange_exec_t)
-	role $3 types $1_evolution_exchange_t;
-
-	type $1_evolution_exchange_tmpfs_t;
-	files_tmpfs_file($1_evolution_exchange_tmpfs_t)
-
-	type $1_evolution_exchange_tmp_t;
-	files_tmp_file($1_evolution_exchange_tmp_t)
-
-	type $1_evolution_exchange_orbit_tmp_t;
-	files_type($1_evolution_exchange_orbit_tmp_t)
-
-	type $1_evolution_server_t;
-	domain_type($1_evolution_server_t)
-	domain_entry_file($1_evolution_server_t,evolution_server_exec_t)
-	role $3 types $1_evolution_server_t;
-
-	type $1_evolution_server_orbit_tmp_t;
-	files_type($1_evolution_server_orbit_tmp_t)
-
-	type $1_evolution_webcal_t;
-	domain_type($1_evolution_webcal_t)
-	domain_entry_file($1_evolution_webcal_t,evolution_webcal_exec_t)
-	role $3 types $1_evolution_webcal_t;
-
-	type $1_evolution_webcal_tmpfs_t;
-	files_tmpfs_file($1_evolution_webcal_tmpfs_t)
-
-	type $1_orbit_tmp_t;
-	files_type($1_orbit_tmp_t)
-
-	########################################
-	#
-	# Evolution local policy
-	#
-
-	allow $1_evolution_t self:capability { setuid setgid sys_nice };
-	allow $1_evolution_t self:process { signal getsched setsched };
-	allow $1_evolution_t self:fifo_file rw_file_perms;
-	allow $1_evolution_t self:tcp_socket create_socket_perms;
-	allow $1_evolution_t self:udp_socket create_socket_perms;
-
-	allow $1_evolution_t $1_evolution_alarm_t:dir search_dir_perms;
-	allow $1_evolution_t $1_evolution_alarm_t:file read;
-
-	allow $1_evolution_t $1_evolution_alarm_t:unix_stream_socket connectto;
-	allow $1_evolution_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
-	can_exec($1_evolution_t,evolution_alarm_exec_t)
-
-	allow $1_evolution_t $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $1_evolution_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_t $1_evolution_home_t:lnk_file create_lnk_perms;
-
-	allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
-	allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_evolution_t,$1_evolution_orbit_tmp_t,{ dir file })
-
-	allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms;
-	allow $1_evolution_t $1_evolution_server_t:file read;
-
-	allow $1_evolution_t $1_evolution_server_t:unix_stream_socket connectto;
-	allow $1_evolution_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
-	can_exec($1_evolution_t,evolution_server_exec_t)
-
-	allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_file_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_evolution_t,$1_evolution_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $1_evolution_t $2:dir search;
-	allow $1_evolution_t $2:fd use;
-	allow $1_evolution_t $2:file read;
-	allow $1_evolution_t $2:lnk_file read;
-	allow $1_evolution_t $2:process sigchld;
-	allow $1_evolution_t $2:unix_stream_socket connectto;
-	allow $1_evolution_t $2:dir search;
-	allow $1_evolution_t $2:file read;
-
-	domain_auto_trans($2, evolution_exec_t, $1_evolution_t)
-	
-	allow $2 $1_evolution_t:unix_stream_socket connectto;
-	allow $2 $1_evolution_t:process noatsecure;
-	allow $2 $1_evolution_t:process signal_perms;
-
-	# Access .evolution
-	allow $2 $1_evolution_home_t:dir manage_dir_perms;
-	allow $2 $1_evolution_home_t:file manage_file_perms;
-	allow $2 $1_evolution_home_t:lnk_file create_lnk_perms;
-	allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-	userdom_search_user_home_dirs($1,$1_evolution_t)
-
-	# Allow the user domain to signal/ps.
-	allow $2 $1_evolution_t:dir { search getattr read };
-	allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
-	allow $2 $1_evolution_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_evolution_t:process ptrace;
-
-	#FIXME check to see if really needed
-	kernel_read_kernel_sysctls($1_evolution_t)
-	kernel_read_system_state($1_evolution_t)
-	# Allow netstat
-	kernel_read_network_state($1_evolution_t)
-	kernel_read_net_sysctls($1_evolution_t)
-
-	corecmd_exec_shell($1_evolution_t)
-	# Run various programs
-	corecmd_exec_bin($1_evolution_t)
-	corecmd_exec_sbin($1_evolution_t)
-
-	corenet_non_ipsec_sendrecv($1_evolution_t)
-	corenet_tcp_sendrecv_generic_if($1_evolution_t)
-	corenet_udp_sendrecv_generic_if($1_evolution_t)
-	corenet_raw_sendrecv_generic_if($1_evolution_t)
-	corenet_tcp_sendrecv_all_nodes($1_evolution_t)
-	corenet_udp_sendrecv_all_nodes($1_evolution_t)
-	corenet_tcp_sendrecv_pop_port($1_evolution_t)
-	corenet_udp_sendrecv_pop_port($1_evolution_t)
-	corenet_tcp_sendrecv_smtp_port($1_evolution_t)
-	corenet_udp_sendrecv_smtp_port($1_evolution_t)
-	corenet_tcp_sendrecv_innd_port($1_evolution_t)
-	corenet_udp_sendrecv_innd_port($1_evolution_t)
-	corenet_tcp_sendrecv_ldap_port($1_evolution_t)
-	corenet_udp_sendrecv_ldap_port($1_evolution_t)
-	corenet_tcp_sendrecv_ipp_port($1_evolution_t)
-	corenet_udp_sendrecv_ipp_port($1_evolution_t)
-	corenet_tcp_connect_pop_port($1_evolution_t)
-	corenet_tcp_connect_smtp_port($1_evolution_t)
-	corenet_tcp_connect_innd_port($1_evolution_t)
-	corenet_tcp_connect_ldap_port($1_evolution_t)
-	corenet_tcp_connect_ipp_port($1_evolution_t)
-	corenet_sendrecv_pop_client_packets($1_evolution_t)
-	corenet_sendrecv_smtp_client_packets($1_evolution_t)
-	corenet_sendrecv_innd_client_packets($1_evolution_t)
-	corenet_sendrecv_ldap_client_packets($1_evolution_t)
-	corenet_sendrecv_ipp_client_packets($1_evolution_t)
-	# not sure about this bind
-	corenet_udp_bind_all_nodes($1_evolution_t)
-	corenet_udp_bind_generic_port($1_evolution_t)
-
-	dev_read_urand($1_evolution_t)
-
-	files_read_etc_files($1_evolution_t)
-	files_read_usr_files($1_evolution_t)
-	files_read_usr_symlinks($1_evolution_t)
-	files_read_var_files($1_evolution_t)
-
-	fs_search_auto_mountpoints($1_evolution_t)
-
-	libs_use_ld_so($1_evolution_t)
-	libs_use_shared_libs($1_evolution_t)
-
-	logging_send_syslog_msg($1_evolution_t)
-
-	miscfiles_read_localization($1_evolution_t)
-
-	sysnet_read_config($1_evolution_t)
-	sysnet_dns_name_resolve($1_evolution_t)
-
-	udev_read_state($1_evolution_t)
-
-	userdom_rw_user_tmp_files($1,$1_evolution_t)
-	userdom_manage_user_tmp_dirs($1,$1_evolution_t)
-	userdom_manage_user_tmp_sockets($1,$1_evolution_t)
-	userdom_manage_user_tmp_files($1,$1_evolution_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
-
-	mta_read_config($1_evolution_t)
-
-	xserver_user_client_template($1,$1_evolution_t,$1_evolution_tmpfs_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_evolution_t)
-		fs_manage_nfs_files($1_evolution_t)
-		fs_manage_nfs_symlinks($1_evolution_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_evolution_t)
-		fs_manage_cifs_files($1_evolution_t)
-		fs_manage_cifs_symlinks($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_evolution_t)
-		files_list_home($1_evolution_t)
-		fs_read_nfs_files($1_evolution_t)
-		fs_read_nfs_symlinks($1_evolution_t)
-	
-	',`
-		files_dontaudit_list_home($1_evolution_t)
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_read_nfs_files($1_evolution_t)
-		fs_dontaudit_list_nfs($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_evolution_t)
-		files_list_home($1_evolution_t)
-		fs_read_cifs_files($1_evolution_t)
-		fs_read_cifs_symlinks($1_evolution_t)
-	',`
-		files_dontaudit_list_home($1_evolution_t)
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_read_cifs_files($1_evolution_t)
-		fs_dontaudit_list_cifs($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content',`
-		userdom_list_user_tmp($1,$1_evolution_t)
-		userdom_read_user_tmp_files($1,$1_evolution_t)
-		userdom_read_user_tmp_symlinks($1,$1_evolution_t)
-		userdom_search_user_home_dirs($1,$1_evolution_t)
-		userdom_read_user_home_content_files($1,$1_evolution_t)
-		userdom_read_user_home_content_symlinks($1,$1_evolution_t)
-		
-		ifndef(`enable_mls',`
-			fs_search_removable($1_evolution_t)
-			fs_read_removable_files($1_evolution_t)
-			fs_read_removable_symlinks($1_evolution_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_evolution_t)
-		files_dontaudit_list_home($1_evolution_t)
-		fs_dontaudit_list_removable($1_evolution_t)
-		fs_dontaudit_read_removable_files($1_evolution_t)
-		userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
-		userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
-		userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && read_default_t',`
-		files_list_default($1_evolution_t)
-		files_read_default_files($1_evolution_t)
-		files_read_default_symlinks($1_evolution_t)
-	',`
-		files_dontaudit_read_default_files($1_evolution_t)
-		files_dontaudit_list_default($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && read_untrusted_content',`
-		files_list_tmp($1_evolution_t)
-		files_list_home($1_evolution_t)
-		userdom_search_user_home_dirs($1,$1_evolution_t)
-	
-		userdom_list_user_untrusted_content($1,$1_evolution_t)
-		userdom_read_user_untrusted_content_files($1,$1_evolution_t)
-		userdom_read_user_untrusted_content_symlinks($1,$1_evolution_t)
-		userdom_list_user_tmp_untrusted_content($1,$1_evolution_t)
-		userdom_read_user_tmp_untrusted_content_files($1,$1_evolution_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_evolution_t)
-	',`
-		files_dontaudit_list_tmp($1_evolution_t)
-		files_dontaudit_list_home($1_evolution_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
-		userdom_dontaudit_list_user_untrusted_content($1,$1_evolution_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1,$1_evolution_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_evolution_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_evolution_t)
-	')
-
-	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
-		files_search_home($1_evolution_t)
-	
-		fs_search_auto_mountpoints($1_evolution_t)
-		fs_manage_nfs_dirs($1_evolution_t)
-		fs_manage_nfs_files($1_evolution_t)
-		fs_manage_nfs_symlinks($1_evolution_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_manage_nfs_dirs($1_evolution_t)
-		fs_dontaudit_manage_nfs_files($1_evolution_t)
-	')
-
-	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
-		files_search_home($1_evolution_t)
-	
-		fs_search_auto_mountpoints($1_evolution_t)
-		fs_manage_cifs_dirs($1_evolution_t)
-		fs_manage_cifs_files($1_evolution_t)
-		fs_manage_cifs_symlinks($1_evolution_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_manage_cifs_dirs($1_evolution_t)
-		fs_dontaudit_manage_cifs_files($1_evolution_t)
-	')
-
-	tunable_policy(`write_untrusted_content',`
-		files_search_home($1_evolution_t)
-	
-		userdom_manage_user_untrusted_content_files($1,$1_evolution_t,{ dir file })
-	',`
-		files_dontaudit_list_home($1_evolution_t)
-		files_dontaudit_list_tmp($1_evolution_t)
-	
-		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
-		#userdom_dontaudit_manage_user_tmp($1,$1_evolution_t)
-		#userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t)
-		#userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
-	')
-
-	optional_policy(`
-		automount_read_state($1_evolution_t)
-	')
-
-	# Allow printing the mail
-	optional_policy(`
-		cups_read_rw_config($1_evolution_t)
-	')
-
-	optional_policy(`
-		dbus_system_bus_client_template($1_evolution,$1_evolution_t)
-		dbus_send_system_bus($1_evolution_t)
-		dbus_user_bus_client_template($1,$1_evolution,$1_evolution_t)
-		dbus_send_user_bus($1,$1_evolution_t)
-	')
-
-	# Encrypt mail
-	optional_policy(`
-		gpg_domtrans_user_gpg($1,$1_evolution_t)
-		gpg_signal_user_gpg($1,$1_evolution_t)
-	')
-
-	optional_policy(`
-		lpd_domtrans_user_lpr($1,$1_evolution_t)
-	')
-
-	# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
-	optional_policy(`
-		nis_use_ypbind($1_evolution_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_exchange_t)
-	')
-
-	### Junk mail filtering (start spamd)
-	optional_policy(`
-		spamassassin_exec_spamd($1_evolution_t)
-		spamassassin_domtrans_user_client($1,$1_evolution_t)
-		spamassassin_domtrans_user_local_client($1,$1_evolution_t)
-		# Allow evolution to signal the daemon
-		# FIXME: Now evolution can read spamd temp files
-		spamassassin_read_spamd_tmp_files($1_evolution_t)
-		spamassassin_signal_spamd($1_evolution_t)
-		spamassassin_dontaudit_getattr_spamd_tmp_sockets($1_evolution_t)
-	')
-
-	ifdef(`TODO',`
-
-		#dbus connect to
-		allow $1_evolution_t $1_dbusd_t:unix_stream_socket connectto;
-
-		# Gnome common stuff
-		gnome_application($1_evolution, $1)
-
-		#TODO gnome stuff
-		# Store passwords in .gnome2_private
-		# Type for storing secret data
-		# (different from home, not directly accessible from ROLE_t)
-		type $1_evolutioin_secret_t;
-		userdom_user_home_content($1,$1_evolutioin_secret_t)
-	
-		# Put secret files in .gnome2_private
-		allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
-		allow $1_evolution_t $1_evolutioin_secret_t:file create_file_perms;
-		type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
-	
-		allow $2 $1_evolution_secret_t:file unlink;
-
-		ifdef(`TODO',`
-			gnome_file_dialog($1_evolution, $1)
-		')
-		# Start links in web browser
-		ifdef(`mozilla', `
-			corecmd_exec_shell($1_evolution_t)
-			domain_auto_trans($1_evolution_t, mozilla_exec_t, $1_mozilla_t)
-		')
-
-	')
-
-	########################################
-	#
-	# Evolution alarm local policy
-	#
-
-	allow $1_evolution_alarm_t self:fifo_file { read write };
-
-	allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
-	allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $1_evolution_alarm_t $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $1_evolution_alarm_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	# Access evolution home
-	allow $1_evolution_alarm_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_alarm_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file create_lnk_perms;
-
-	allow $1_evolution_alarm_t $1_evolution_server_t:unix_stream_socket connectto;
-	allow $1_evolution_alarm_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
-	domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
-	allow $1_evolution_alarm_t $2:fd use;
-
-	fs_search_auto_mountpoints($1_evolution_alarm_t)
-	
-	miscfiles_read_localization($1_evolution_alarm_t)
-
-	# Access evolution home
-	userdom_search_user_home_dirs($1,$1_evolution_alarm_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_alarm_t)
-
-	xserver_user_client_template($1,$1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t)
-
-	# Access evolution home
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_evolution_alarm_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_evolution_alarm_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_alarm_t)
-	')
-
-	ifdef(`TODO',`
-		# Gnome common stuff
-		gnome_application($1_evolution_alarm,$1)
-	')
-
-	########################################
-	#
-	# Evolution exchange connector local policy
-	#
-
-	allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
-	allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
-
-	allow $1_evolution_exchange_t $1_evolution_t:unix_stream_socket connectto;
-	allow $1_evolution_exchange_t $1_evolution_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_exchange_t $1_evolution_alarm_t:unix_stream_socket connectto;
-	allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
-	# Access evolution home
-	allow $1_evolution_exchange_t $1_evolution_home_t:dir create_dir_perms;
-	allow $1_evolution_exchange_t $1_evolution_home_t:file create_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file create_lnk_perms;
-
-	allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
-	allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
-	# /tmp/.exchange-$USER
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir create_dir_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file create_file_perms;
-	files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
-
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $1_evolution_exchange_t $2:unix_stream_socket connectto;
-	#FIXME, who should own this. I dont think this module should
-	allow $1_evolution_exchange_t $1_orbit_tmp_t:sock_file write;
-
-	# Clock applet talks to exchange (FIXME: Needs policy)
-	allow $2 $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $2 $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	# Transition from user domain
-	domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t)
-	
-	kernel_read_network_state($1_evolution_exchange_t)
-	kernel_read_net_sysctls($1_evolution_exchange_t)
-
-	# Allow netstat
-	corecmd_exec_bin($1_evolution_exchange_t)
-
-	# Access evolution home
-	fs_search_auto_mountpoints($1_evolution_exchange_t)
-	 
-	# Access evolution home
-	userdom_search_user_home_dirs($1,$1_evolution_exchange_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_exchange_t)
-
-	xserver_user_client_template($1,$1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t)
-
-	# Access evolution home
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_evolution_exchange_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_evolution_exchange_t)
-	')
-	
-	optional_policy(`
-		nscd_socket_use($1_evolution_exchange_t)
-	')
-
-	ifdef(`TODO',`
-	# Gnome common stuff
-	gnome_application($1_evolution_exchange, $1)
-	')
-
-	########################################
-	#
-	# Evolution data server local policy
-	#
-
-	allow $1_evolution_server_t self:fifo_file { read write };
-	allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
-	# Talk to ldap (address book),
-	# Obtain weather data via http (read server name from xml file in /usr)
-	allow $1_evolution_server_t self:tcp_socket create_socket_perms;
-
-	allow $1_evolution_server_t $1_evolution_t:unix_stream_socket connectto;
-	allow $1_evolution_server_t $1_evolution_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_server_t $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	# Access evolution home
-	allow $1_evolution_server_t $1_evolution_home_t:dir create_dir_perms;
-	allow $1_evolution_server_t $1_evolution_home_t:file create_file_perms;
-	allow $1_evolution_server_t $1_evolution_home_t:lnk_file create_lnk_perms;
-
-	allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
-	allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_server_t $2:fd use;
-
-	kernel_read_system_state($1_evolution_server_t)
-
-	corecmd_exec_shell($1_evolution_server_t)
-
-	# Obtain weather data via http (read server name from xml file in /usr)
-	corenet_non_ipsec_sendrecv($1_evolution_server_t)
-	corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
-	corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
-	corenet_tcp_sendrecv_http_port($1_evolution_server_t)
-	corenet_tcp_sendrecv_http_cache_port($1_evolution_server_t)
-	corenet_tcp_connect_http_cache_port($1_evolution_server_t)
-	corenet_tcp_connect_http_port($1_evolution_server_t)
-	corenet_sendrecv_http_client_packets($1_evolution_server_t)
-	corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
-
-	files_read_etc_files($1_evolution_server_t)
-	# Obtain weather data via http (read server name from xml file in /usr)
-	files_read_usr_files($1_evolution_server_t)
-
-	fs_search_auto_mountpoints($1_evolution_server_t)
-
-	libs_use_ld_so($1_evolution_server_t)
-	libs_use_shared_libs($1_evolution_server_t)
-
-	# Look in /etc/pki
-	miscfiles_read_certs($1_evolution_server_t)
-
-	# Talk to ldap (address book)
-	sysnet_read_config($1_evolution_server_t)
-	sysnet_dns_name_resolve($1_evolution_server_t)
-	sysnet_use_ldap($1_evolution_server_t)
-
-	# Access evolution home
-	userdom_search_user_home_dirs($1,$1_evolution_server_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t)
-
-	# Transition from user type
-	tunable_policy(`!disable_evolution_trans',`
-		domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
-	')
-
-	# Access evolution home
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_evolution_server_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_evolution_server_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_server_t)
-	')
-
-	ifdef(`TODO',`
-	# Gnome common stuff
-	gnome_application($1_evolution_server, $1)
-	')
-
-	########################################
-	#
-	# Evolution webcal local policy
-	#
-
-	allow $1_evolution_webcal_t self:tcp_socket create_socket_perms;
-	
-	# X/evolution common stuff
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_file_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	# Transition from user type
-	domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
-
-	corenet_non_ipsec_sendrecv($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
-	corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
-	corenet_raw_sendrecv_all_nodes($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_http_port($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_http_cache_port($1_evolution_webcal_t)
-	corenet_tcp_connect_http_cache_port($1_evolution_webcal_t)
-	corenet_tcp_connect_http_port($1_evolution_webcal_t)
-	corenet_sendrecv_http_client_packets($1_evolution_webcal_t)
-	corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
-
-	# Networking capability - connect to website and handle ics link
-	sysnet_read_config($1_evolution_webcal_t)
-	sysnet_dns_name_resolve($1_evolution_webcal_t)
-
-	# Search home directory (?)
-	userdom_search_user_home_dirs($1,$1_evolution_webcal_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_webcal_t)
-
-	xserver_user_client_template($1,$1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t)
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_webcal_t)
-	')
-
-	ifdef(`TODO',`
-	# Gnome common stuff
-	gnome_application($1_evolution_webcal, $1)
-	')
-')
-
-########################################
-## <summary>
-##	Create objects in users evolution home folders.
-## </summary>
-## <desc>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.  If
-##	no class is specified, dir will be used.
-##	</summary>
-## </param>
-#
-template(`evolution_home_filetrans',`
-	gen_require(`
-		type $1_evolution_home_t;
-	')
-
-	allow $2 $1_evolution_home_t:dir rw_dir_perms;
-	type_transition $2 $1_evolution_home_t:$4 $3;
-')
-
-########################################
-## <summary>
-##	Connect to user evolution unix stream socket.
-## </summary>
-## <desc>
-##	<p>
-##	Connect to user evolution unix stream socket.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`evolution_stream_connect',`
-	gen_require(`
-		type $1_evolution_t, $1_evolution_home_t;
-	')
-
-	allow $2 $1_evolution_t:unix_stream_socket connectto;
-	allow $2 $1_evolution_home_t:dir search;
-')
diff --git a/refpolicy/policy/modules/apps/evolution.te b/refpolicy/policy/modules/apps/evolution.te
deleted file mode 100644
index 727b694..0000000
--- a/refpolicy/policy/modules/apps/evolution.te
+++ /dev/null
@@ -1,22 +0,0 @@
-
-policy_module(evolution,1.0.3)
-
-########################################
-#
-# Declarations
-#
-
-type evolution_exec_t;
-corecmd_executable_file(evolution_exec_t)
-
-type evolution_alarm_exec_t;
-corecmd_executable_file(evolution_alarm_exec_t)
-
-type evolution_exchange_exec_t;
-corecmd_executable_file(evolution_exchange_exec_t)
-
-type evolution_server_exec_t;
-corecmd_executable_file(evolution_server_exec_t)
-
-type evolution_webcal_exec_t;
-corecmd_executable_file(evolution_webcal_exec_t)
diff --git a/refpolicy/policy/modules/apps/games.fc b/refpolicy/policy/modules/apps/games.fc
deleted file mode 100644
index e35e2b5..0000000
--- a/refpolicy/policy/modules/apps/games.fc
+++ /dev/null
@@ -1,67 +0,0 @@
-#
-# /usr
-#
-/usr/lib/games(/.*)? 		gen_context(system_u:object_r:games_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/games(/.*)? 		gen_context(system_u:object_r:games_data_t,s0)
-
-ifdef(`distro_debian', `
-/usr/games/.*		--	gen_context(system_u:object_r:games_exec_t,s0)
-/var/games(/.*)?		gen_context(system_u:object_r:games_data_t,s0)
-', `
-/usr/bin/micq		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/blackjack	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gataxx		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/glines		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gnect		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gnibbles	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gnobots2	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gnome-stones	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gnomine	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gnotravex	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gnotski	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gtali		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/iagno		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/mahjongg	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/same-gnome	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/sol		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/atlantik	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kasteroids	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/katomic	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kbackgammon	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kbattleship	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kblackbox	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kbounce	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kenolaba	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kfouleggs	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kgoldrunner	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kjumpingcube	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/klickety	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/klines		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kmahjongg	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kmines		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kolf		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/konquest	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kpat		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kpoker		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kreversi	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ksame		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kshisen	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ksirtet	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ksmiletris	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ksnake		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ksokoban	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kspaceduel	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ktron		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ktuberling	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kwin4		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kwin4proc	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/lskat		--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/lskatproc	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/Maelstrom	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/civclient.*	--	gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/civserver.*	--	gen_context(system_u:object_r:games_exec_t,s0)
-')dnl end non-Debian section
diff --git a/refpolicy/policy/modules/apps/games.if b/refpolicy/policy/modules/apps/games.if
deleted file mode 100644
index 6270276..0000000
--- a/refpolicy/policy/modules/apps/games.if
+++ /dev/null
@@ -1,174 +0,0 @@
-## <summary>Games</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the games module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for games.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`games_per_userdomain_template',`
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_games_t;
-	domain_type($1_games_t)
-	domain_entry_file($1_games_t,games_exec_t)
-	role $3 types $1_games_t;
-
-	type $1_games_devpts_t;
-	term_pty($1_games_devpts_t)
-
-	type $1_games_tmpfs_t;
-	files_tmpfs_file($1_games_tmpfs_t)
-
-	type $1_games_tmp_t;
-	files_tmp_file($1_games_tmp_t)
-	
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_games_t self:sem create_sem_perms;
-	allow $1_games_t self:tcp_socket create_stream_socket_perms;
-	allow $1_games_t self:udp_socket create_socket_perms;
-	allow $1_games_t self:tcp_socket { connectto sendto recvfrom };
-	allow $1_games_t self:tcp_socket { acceptfrom recvfrom };
-
-	allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
-	allow $1_games_t $1_games_tmpfs_t:file manage_file_perms;
-	allow $1_games_t $1_games_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_games_t $1_games_tmpfs_t:sock_file manage_file_perms;
-	allow $1_games_t $1_games_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $1_games_t $1_games_tmp_t:dir manage_dir_perms;
-	allow $1_games_t $1_games_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
-
-	allow $1_games_t $1_games_devpts_t:chr_file { rw_file_perms setattr };
-	term_create_pty($1_games_t,$1_games_devpts_t)
-
-	allow $1_games_t games_data_t:dir rw_dir_perms;
-	allow $1_games_t games_data_t:file manage_file_perms;
-	allow $1_games_t games_data_t:lnk_file create_lnk_perms;
-
-	can_exec($1_games_t, games_exec_t)
-
-	allow $2 $1_games_t:unix_stream_socket connectto;
-	allow $1_games_t $2:unix_stream_socket connectto;
-
-	kernel_tcp_recvfrom($1_games_t)
-	kernel_tcp_recvfrom($1_games_t)
-	kernel_read_system_state($1_games_t)
-
-	corecmd_exec_bin($1_games_t)
-	corecmd_exec_sbin($1_games_t)
-
-	corenet_non_ipsec_sendrecv($1_games_t)
-	corenet_tcp_sendrecv_generic_if($1_games_t)
-	corenet_udp_sendrecv_generic_if($1_games_t)
-	corenet_tcp_sendrecv_all_nodes($1_games_t)
-	corenet_udp_sendrecv_all_nodes($1_games_t)
-	corenet_tcp_sendrecv_all_ports($1_games_t)
-	corenet_udp_sendrecv_all_ports($1_games_t)
-	corenet_tcp_bind_all_nodes($1_games_t)
-	corenet_tcp_bind_generic_port($1_games_t)
-	corenet_tcp_connect_generic_port($1_games_t)
-	corenet_sendrecv_generic_client_packets($1_games_t)
-	corenet_sendrecv_generic_server_packets($1_games_t)
-
-	dev_read_sound($1_games_t)
-	dev_write_sound($1_games_t)
-	dev_read_input($1_games_t)
-	dev_read_mouse($1_games_t)
-	dev_read_urand($1_games_t)
-
-	files_list_var($1_games_t)
-	files_search_var_lib($1_games_t)
-	files_dontaudit_search_var($1_games_t)
-	files_read_etc_files($1_games_t)
-	files_read_usr_files($1_games_t)
-	files_read_var_files($1_games_t)
-
-	init_dontaudit_rw_utmp($1_games_t)
-
-	logging_dontaudit_search_logs($1_games_t)
-
-	libs_use_shared_libs($1_games_t)
-	libs_use_ld_so($1_games_t)
-
-	miscfiles_read_man_pages($1_games_t)
-	miscfiles_read_localization($1_games_t)
-
-	sysnet_read_config($1_games_t)
-
-	userdom_manage_user_tmp_dirs($1,$1_games_t)
-	userdom_manage_user_tmp_files($1,$1_games_t)
-	userdom_manage_user_tmp_symlinks($1,$1_games_t)
-	userdom_manage_user_tmp_sockets($1,$1_games_t)
-	# Suppress .icons denial until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
-	
-	# Type transition
-	tunable_policy(`!disable_games_trans',`
-		domain_auto_trans($2, games_exec_t, $1_games_t)
-	')
-
-	tunable_policy(`allow_execmem',`
-		allow $1_games_t self:process execmem;
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_games_t)
-	')
-
-	optional_policy(`
-		xserver_user_client_template($1,$1_games_t,$1_games_tmpfs_t)
-		xserver_create_xdm_tmp_sockets($1_games_t)
-		xserver_read_xdm_lib_files($1_games_t)
-	')
-
-	ifdef(`TODO',`
-		gnome_application($1_games, $1)
-		gnome_file_dialog($1_games, $1)
-		# Access /home/user/.gnome2
-		# FIXME: Change to use per app types
-		allow $1_games_t $1_gnome_settings_t:dir create_dir_perms;
-		allow $1_games_t $1_gnome_settings_t:file create_file_perms;
-		allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
-		#missing policy
-		optional_policy(`
-			dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
-		')
-	')
-')
diff --git a/refpolicy/policy/modules/apps/games.te b/refpolicy/policy/modules/apps/games.te
deleted file mode 100644
index e0b6974..0000000
--- a/refpolicy/policy/modules/apps/games.te
+++ /dev/null
@@ -1,77 +0,0 @@
-
-policy_module(games,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type games_data_t;
-files_type(games_data_t)
-
-# games_t is for system operation of games, generic games daemons and
-# games recovery scripts
-type games_t;
-type games_exec_t;
-init_system_domain(games_t,games_exec_t)
-
-type games_var_run_t;
-files_pid_file(games_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit games_t self:capability sys_tty_config;
-allow games_t self:process signal_perms;
-
-allow games_t games_data_t:dir rw_dir_perms;
-allow games_t games_data_t:file manage_file_perms;
-allow games_t games_data_t:lnk_file create_lnk_perms;
-
-allow games_t games_var_run_t:file manage_file_perms;
-allow games_t games_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(games_t,games_var_run_t,file)
-
-can_exec(games_t,games_exec_t)
-
-kernel_read_kernel_sysctls(games_t)
-kernel_list_proc(games_t)
-kernel_read_proc_symlinks(games_t)
-
-dev_read_sysfs(games_t)
-
-fs_getattr_all_fs(games_t)
-fs_search_auto_mountpoints(games_t)
-
-term_dontaudit_use_console(games_t)
-
-domain_use_interactive_fds(games_t)
-
-init_use_fds(games_t)
-init_use_script_ptys(games_t)
-
-libs_use_ld_so(games_t)
-libs_use_shared_libs(games_t)
-
-logging_send_syslog_msg(games_t)
-
-miscfiles_read_localization(games_t)
-
-userdom_dontaudit_use_unpriv_user_fds(games_t)
-userdom_dontaudit_search_sysadm_home_dirs(games_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(games_t)
-	term_dontaudit_use_generic_ptys(games_t)
-	files_dontaudit_read_root_files(games_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(games_t)
-')
-
-optional_policy(`
-	udev_read_db(games_t)
-')
diff --git a/refpolicy/policy/modules/apps/gift.fc b/refpolicy/policy/modules/apps/gift.fc
deleted file mode 100644
index 09d6a60..0000000
--- a/refpolicy/policy/modules/apps/gift.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/usr/(local/)?bin/apollon	-- 	gen_context(system_u:object_r:gift_exec_t,s0)
-/usr/(local/)?bin/giftd		--	gen_context(system_u:object_r:giftd_exec_t,s0)
-/usr/(local/)?bin/giftui	-- 	gen_context(system_u:object_r:gift_exec_t,s0)
-/usr/(local/)?bin/giFToxic	--	gen_context(system_u:object_r:gift_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.giFT(/.*)?			gen_context(system_u:object_r:ROLE_gift_home_t,s0)
-')
diff --git a/refpolicy/policy/modules/apps/gift.if b/refpolicy/policy/modules/apps/gift.if
deleted file mode 100644
index 8ddc30c..0000000
--- a/refpolicy/policy/modules/apps/gift.if
+++ /dev/null
@@ -1,205 +0,0 @@
-## <summary>giFT peer to peer file sharing tool</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the gift module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for gift client sessions and gift daemons.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`gift_per_userdomain_template',`
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_gift_t;
-	domain_type($1_gift_t)
-	domain_entry_file($1_gift_t,gift_exec_t)
-	role $3 types $1_gift_t;
-
-	type $1_gift_home_t alias $1_gift_rw_t;
-	files_poly_member($1_gift_home_t)
-	userdom_user_home_content($1,$1_gift_home_t)
-
-	type $1_gift_tmpfs_t;
-	files_tmpfs_file($1_gift_tmpfs_t)
-
-	type $1_giftd_t;
-	domain_type($1_giftd_t)
-	domain_entry_file($1_giftd_t,giftd_exec_t)
-	role $3 types $1_giftd_t;
-
-	##############################
-	#
-	# giFT user interface local policy
-	#
-
-	allow $1_gift_t self:tcp_socket create_socket_perms;
-
-	allow $1_gift_t $1_gift_tmpfs_t:dir rw_dir_perms;
-	allow $1_gift_t $1_gift_tmpfs_t:file manage_file_perms;
-	allow $1_gift_t $1_gift_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_gift_t $1_gift_tmpfs_t:sock_file manage_file_perms;
-	allow $1_gift_t $1_gift_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $1_gift_t $1_gift_home_t:dir manage_dir_perms;
-	allow $1_gift_t $1_gift_home_t:file manage_file_perms;
-	allow $1_gift_t $1_gift_home_t:lnk_file create_lnk_perms;
-	userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir)
-
-	# Launch gift daemon
-	domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
-	allow $1_giftd_t $1_gift_t:fd use;
-	allow $1_giftd_t $1_gift_t:fifo_file rw_file_perms;
-	allow $1_giftd_t $1_gift_t:process sigchld;
-
-	# transition from user domain
-	domain_auto_trans($2, gift_exec_t, $1_gift_t)
-	allow $1_gift_t $2:fd use;
-	allow $1_gift_t $2:fifo_file rw_file_perms;
-	allow $1_gift_t $2:process sigchld;
-
-	# user managed content
-	allow $2 $1_gift_home_t:dir manage_dir_perms;
-	allow $2 $1_gift_home_t:file manage_file_perms;
-	allow $2 $1_gift_home_t:lnk_file create_lnk_perms;
-	allow $2 $1_gift_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-	# Allow the user domain to signal/ps.
-	allow $2 $1_gift_t:dir { search getattr read };
-	allow $2 $1_gift_t:{ file lnk_file } { read getattr };
-	allow $2 $1_gift_t:process { getattr signal_perms };
-
-	# Read /proc/meminfo
-	kernel_read_system_state($1_giftd_t)
-
-	# Connect to gift daemon
-	corenet_non_ipsec_sendrecv($1_gift_t)
-	corenet_tcp_sendrecv_generic_if($1_gift_t)
-	corenet_tcp_sendrecv_all_nodes($1_gift_t)
-	corenet_tcp_sendrecv_giftd_port($1_gift_t)
-	corenet_tcp_connect_giftd_port($1_gift_t)
-	corenet_sendrecv_giftd_client_packets($1_gift_t)
-
-	fs_search_auto_mountpoints($1_gift_t)
-
-	sysnet_read_config($1_gift_t)
-
-	# giftui looks in .icons, .themes.
-	userdom_dontaudit_read_user_home_content_files($1,$1_gift_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_gift_t)
-		fs_manage_nfs_files($1_gift_t)
-		fs_manage_nfs_symlinks($1_gift_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_gift_t)
-		fs_manage_cifs_files($1_gift_t)
-		fs_manage_cifs_symlinks($1_gift_t)
-	')
-
-#	optional_policy(`
-#		gnome_user_application($1,$1_gift,$1_gift_t)
-#	')
-
-	optional_policy(`
-		nscd_socket_use($1_gift_t)
-	')
-
-	optional_policy(`
-		xserver_user_client_template($1,$1_gift_t,$1_gift_tmpfs_t)
-	')
-
-	##############################
-	#
-	# giFT server local policy
-	#
-
-	allow $1_giftd_t self:process { signal setsched };
-	allow $1_giftd_t self:unix_stream_socket create_socket_perms;
-	allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
-	allow $1_giftd_t self:udp_socket create_socket_perms;
-
-	allow $1_giftd_t $1_gift_home_t:dir manage_dir_perms;
-	allow $1_giftd_t $1_gift_home_t:file manage_file_perms;
-	allow $1_giftd_t $1_gift_home_t:lnk_file create_lnk_perms;
-	userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir)
-
-	domain_auto_trans($2, giftd_exec_t, $1_giftd_t)
-	allow $1_giftd_t $2:fd use;
-	allow $1_giftd_t $2:fifo_file rw_file_perms;
-	allow $1_giftd_t $2:process sigchld;
-
-	kernel_read_system_state($1_giftd_t)
-	kernel_read_kernel_sysctls($1_giftd_t)
-
-	# Serve content on various p2p networks. Ports can be random.
-	corenet_non_ipsec_sendrecv($1_giftd_t)
-	corenet_tcp_sendrecv_generic_if($1_giftd_t)
-	corenet_udp_sendrecv_generic_if($1_giftd_t)
-	corenet_tcp_sendrecv_all_nodes($1_giftd_t)
-	corenet_udp_sendrecv_all_nodes($1_giftd_t)
-	corenet_tcp_sendrecv_all_ports($1_giftd_t)
-	corenet_udp_sendrecv_all_ports($1_giftd_t)
-	corenet_tcp_bind_all_nodes($1_giftd_t)
-	corenet_udp_bind_all_nodes($1_giftd_t)
-	corenet_tcp_bind_all_ports($1_giftd_t)
-	corenet_udp_bind_all_ports($1_giftd_t)
-	corenet_tcp_connect_all_ports($1_giftd_t)
-	corenet_sendrecv_all_client_packets($1_giftd_t)
-
-	files_read_usr_files($1_giftd_t)
-	# Read /etc/mtab
-	files_read_etc_runtime_files($1_giftd_t)
-
-	libs_use_ld_so($1_giftd_t)
-	libs_use_shared_libs($1_giftd_t)
-
-	miscfiles_read_localization($1_giftd_t)
-
-	sysnet_read_config($1_giftd_t)
-
-	userdom_use_user_terminals($1,$1_giftd_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_giftd_t)
-		fs_manage_nfs_files($1_giftd_t)
-		fs_manage_nfs_symlinks($1_giftd_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_giftd_t)
-		fs_manage_cifs_files($1_giftd_t)
-		fs_manage_cifs_symlinks($1_giftd_t)
-	')
-')
diff --git a/refpolicy/policy/modules/apps/gift.te b/refpolicy/policy/modules/apps/gift.te
deleted file mode 100644
index 55e3bca..0000000
--- a/refpolicy/policy/modules/apps/gift.te
+++ /dev/null
@@ -1,13 +0,0 @@
-
-policy_module(gift,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type gift_exec_t;
-corecmd_executable_file(gift_exec_t)
-
-type giftd_exec_t;
-corecmd_executable_file(giftd_exec_t)
diff --git a/refpolicy/policy/modules/apps/gpg.fc b/refpolicy/policy/modules/apps/gpg.fc
deleted file mode 100644
index 78f8a10..0000000
--- a/refpolicy/policy/modules/apps/gpg.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-
-/usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
-/usr/bin/kgpg		--	gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/pinentry.*	--	gen_context(system_u:object_r:pinentry_exec_t,s0)
-
-/usr/lib/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
-
-ifdef(`targeted_policy',`',`
-HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
-')
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
deleted file mode 100644
index 9d49603..0000000
--- a/refpolicy/policy/modules/apps/gpg.if
+++ /dev/null
@@ -1,404 +0,0 @@
-## <summary>Policy for GNU Privacy Guard and related programs.</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the gpg module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates the types and rules for GPG,
-##	GPG-agent, and GPG helper programs.  This protects
-##	the user keys and secrets, and runs the programs
-##	in domains specific to the user type.
-##	</p>
-##	<p>
-##	This is invoked automatically for each user and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="userdomain">
-##	<summary>
-##	The user domain.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role associated with the user.
-##	</summary>
-## </param>
-#
-template(`gpg_per_userdomain_template',`
-	gen_require(`
-		type gpg_exec_t, gpg_helper_exec_t;
-		type gpg_agent_exec_t, pinentry_exec_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_gpg_t;
-	domain_type($1_gpg_t)
-	domain_entry_file($1_gpg_t,gpg_exec_t)
-	role $3 types $1_gpg_t;
-
-	type $1_gpg_agent_t;
-	domain_type($1_gpg_agent_t)
-	domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t)
-	role $3 types $1_gpg_agent_t;
-
-	type $1_gpg_agent_tmp_t;
-	files_tmp_file($1_gpg_agent_tmp_t)
-
-	type $1_gpg_secret_t;
-	userdom_user_home_content($1,$1_gpg_secret_t)
-
-	type $1_gpg_helper_t;
-	domain_type($1_gpg_helper_t)
-	domain_entry_file($1_gpg_helper_t,gpg_helper_exec_t)
-	role $3 types $1_gpg_helper_t;
-
-	type $1_gpg_pinentry_t;
-	domain_type($1_gpg_pinentry_t)
-	domain_entry_file($1_gpg_pinentry_t,pinentry_exec_t)
-	role $3 types $1_gpg_pinentry_t;
-
-	########################################
-	#
-	# GPG local policy
-	#
-
-	allow $1_gpg_t self:capability { ipc_lock setuid };
-	allow { $2 $1_gpg_t } $1_gpg_t:process signal;
-	# setrlimit is for ulimit -c 0
-	allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
-	allow $1_gpg_t self:fifo_file rw_file_perms;
-	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
-	allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
-	allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
-	allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
-
-	# transition from the userdomain to the derived domain
-	domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
-	allow $1_gpg_t $2:fd use;
-	allow $1_gpg_t $2:fifo_file rw_file_perms;
-	allow $1_gpg_t $2:process sigchld;
-
-	# allow ps to show gpg
-	allow $2 $1_gpg_t:dir { search getattr read };
-	allow $2 $1_gpg_t:{ file lnk_file } { read getattr };
-	allow $2 $1_gpg_t:process getattr;
-
-	corenet_non_ipsec_sendrecv($1_gpg_t)
-	corenet_tcp_sendrecv_all_if($1_gpg_t)
-	corenet_udp_sendrecv_all_if($1_gpg_t)
-	corenet_tcp_sendrecv_all_nodes($1_gpg_t)
-	corenet_udp_sendrecv_all_nodes($1_gpg_t)
-	corenet_tcp_sendrecv_all_ports($1_gpg_t)
-	corenet_udp_sendrecv_all_ports($1_gpg_t)
-	corenet_tcp_connect_all_ports($1_gpg_t)
-	corenet_sendrecv_all_client_packets($1_gpg_t)
-
-	dev_read_rand($1_gpg_t)
-	dev_read_urand($1_gpg_t)
-
-	fs_getattr_xattr_fs($1_gpg_t)
-
-	domain_use_interactive_fds($1_gpg_t)
-
-	files_read_etc_files($1_gpg_t)
-	files_read_usr_files($1_gpg_t)
-	files_dontaudit_search_var($1_gpg_t)
-
-	libs_use_shared_libs($1_gpg_t)
-	libs_use_ld_so($1_gpg_t)
-
-	miscfiles_read_localization($1_gpg_t)
-
-	logging_send_syslog_msg($1_gpg_t)
-
-	sysnet_read_config($1_gpg_t)
-
-	userdom_use_user_terminals($1,$1_gpg_t)
-
-	optional_policy(`
-		nis_use_ypbind($1_gpg_t)
-	')
-
-	ifdef(`TODO',`
-	# Read content to encrypt/decrypt/sign
-	read_content($1_gpg_t, $1)
-
-	# Write content to encrypt/decrypt/sign
-	write_trusted($1_gpg_t, $1)
-	') dnl end TODO
-
-	########################################
-	#
-	# GPG helper local policy
-	#
-
-	# for helper programs (which automatically fetch keys)
-	# Note: this is only tested with the hkp interface. If you use eg the 
-	# mail interface you will likely need additional permissions.
-
-	# communicate with the user 
-	allow $1_gpg_helper_t $2:fd use;
-	allow $1_gpg_helper_t $2:fifo_file write;
-
-	# transition from the gpg domain to the helper domain
-	domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
-	allow $1_gpg_helper_t $1_gpg_t:fd use;
-	allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
-	allow $1_gpg_helper_t $1_gpg_t:process sigchld;
-
-	allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
-
-	allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
-	allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
-
-	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
-
-	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
-	corenet_raw_sendrecv_all_if($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_if($1_gpg_helper_t)
-	corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
-	corenet_non_ipsec_sendrecv($1_gpg_helper_t)
-	corenet_tcp_bind_all_nodes($1_gpg_helper_t)
-	corenet_udp_bind_all_nodes($1_gpg_helper_t)
-	corenet_tcp_connect_all_ports($1_gpg_helper_t)
-
-	dev_read_urand($1_gpg_helper_t)
-
-	files_read_etc_files($1_gpg_helper_t)
-	# for nscd
-	files_dontaudit_search_var($1_gpg_helper_t)
-
-	libs_use_ld_so($1_gpg_helper_t)
-	libs_use_shared_libs($1_gpg_helper_t)
-
-	sysnet_read_config($1_gpg_helper_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
-	')
-
-	optional_policy(`
-		xserver_use_xdm_fds($1_gpg_t)
-		xserver_rw_xdm_pipes($1_gpg_t)
-	')
-
-	########################################
-	#
-	# GPG agent local policy
-	#
-
-	# rlimit: gpg-agent wants to prevent coredumps
-	allow $1_gpg_agent_t self:process setrlimit;
-
-	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
-	allow $1_gpg_agent_t self:fifo_file rw_file_perms;
-
-	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-	allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms;
-	allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms;
-	allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms;
-
-	# allow gpg to connect to the gpg agent
-	allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
-	allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
-	allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
-
-	# allow ps to show gpg-agent
-	allow $2 $1_gpg_agent_t:dir { search getattr read };
-	allow $2 $1_gpg_agent_t:{ file lnk_file } { read getattr };
-	allow $2 $1_gpg_agent_t:process getattr;
-
-	# Allow the user shell to signal the gpg-agent program.
-	allow $2 $1_gpg_agent_t:process { signal sigkill };
-
-	allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms;
-	allow $2 $1_gpg_agent_tmp_t:file create_file_perms;
-	allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
-	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
-
-	# Transition from the user domain to the derived domain.
-	domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t)
-	allow $1_gpg_agent_t $2:fd use;
-	allow $1_gpg_agent_t $2:fifo_file rw_file_perms;
-	allow $1_gpg_agent_t $2:process sigchld;
-
-	corecmd_search_bin($1_gpg_agent_t)
-
-	domain_use_interactive_fds($1_gpg_agent_t)
-
-	libs_use_ld_so($1_gpg_agent_t)
-	libs_use_shared_libs($1_gpg_agent_t)
-
-	miscfiles_read_localization($1_gpg_agent_t)
-
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_gpg_agent_t)
-	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-	userdom_search_user_home_dirs($1,$1_gpg_agent_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_gpg_agent_t)
-		fs_manage_nfs_files($1_gpg_agent_t)
-		fs_manage_nfs_symlinks($1_gpg_agent_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_gpg_agent_t)
-		fs_manage_cifs_files($1_gpg_agent_t)
-		fs_manage_cifs_symlinks($1_gpg_agent_t)
-	')
-
-	##############################
-	#
-	# Pinentry local policy
-	#
-
-	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
-	# from the user.
-	domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
-	allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
-	allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
-	allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
-
-	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-	allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;
-
-	# read /proc/meminfo
-	kernel_read_system_state($1_gpg_pinentry_t)
-
-	files_read_usr_files($1_gpg_pinentry_t)
-	# read /etc/X11/qtrc
-	files_read_etc_files($1_gpg_pinentry_t)
-
-	libs_use_ld_so($1_gpg_pinentry_t)
-	libs_use_shared_libs($1_gpg_pinentry_t)
-
-	miscfiles_read_fonts($1_gpg_pinentry_t)
-	miscfiles_read_localization($1_gpg_pinentry_t)
-
-	# for .Xauthority
-	userdom_read_user_home_content_files($1,$1_gpg_pinentry_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_read_nfs_files($1_gpg_pinentry_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_read_cifs_files($1_gpg_pinentry_t)
-	')
-
-	optional_policy(`
-		xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
-	')
-
-	ifdef(`TODO',`
-	allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
-
-	# wants to put some lock files into the user home dir, seems to work fine without
-	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
-	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-
-	tunable_policy(`use_nfs_home_dirs',`
-		dontaudit $1_gpg_pinentry_t nfs_t:dir write;
-		dontaudit $1_gpg_pinentry_t nfs_t:file write;
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		dontaudit $1_gpg_pinentry_t cifs_t:dir write;
-		dontaudit $1_gpg_pinentry_t cifs_t:file write;
-	')
-
-	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
-	') dnl end TODO
-')
-
-########################################
-## <summary>
-##      Transition to a user gpg domain.
-## </summary>
-## <desc>
-##      <p>
-##      Transition to a user gpg domain.
-##      </p>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`gpg_domtrans_user_gpg',`
-	gen_require(`
-		type $1_gpg_t, gpg_exec_t;
-	')
-
-	domain_auto_trans($2, gpg_exec_t, $1_gpg_t)
-	allow $2 $1_gpg_t:fd use;
-	allow $1_gpg_t $2:fd use;
-	allow $1_gpg_t $2:fifo_file rw_file_perms;
-	allow $1_gpg_t $2:process sigchld;
-')
-
-########################################
-## <summary>
-##      Send generic signals to user gpg processes.
-## </summary>
-## <desc>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`gpg_signal_user_gpg',`
-	gen_require(`
-		type $1_gpg_t;
-	')
-
-	allow $2 $1_gpg_t:process signal;
-')
diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te
deleted file mode 100644
index 07760d0..0000000
--- a/refpolicy/policy/modules/apps/gpg.te
+++ /dev/null
@@ -1,21 +0,0 @@
-
-policy_module(gpg, 1.0.4)
-
-########################################
-#
-# Declarations
-#
-
-# Type for gpg or pgp executables.
-type gpg_exec_t;
-type gpg_helper_exec_t;
-corecmd_executable_file(gpg_exec_t)
-corecmd_executable_file(gpg_helper_exec_t)
-
-# Type for the gpg-agent executable.
-type gpg_agent_exec_t;
-corecmd_executable_file(gpg_agent_exec_t)
-
-# type for the pinentry executable
-type pinentry_exec_t;
-corecmd_executable_file(pinentry_exec_t)
diff --git a/refpolicy/policy/modules/apps/irc.fc b/refpolicy/policy/modules/apps/irc.fc
deleted file mode 100644
index 4a2c7c7..0000000
--- a/refpolicy/policy/modules/apps/irc.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# /home
-#
-ifdef(`strict_policy',`
-HOME_DIR/\.ircmotd	--	gen_context(system_u:object_r:ROLE_irc_home_t,s0)
-')
-
-#
-# /usr
-#
-/usr/bin/[st]irc		--	gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/ircII		--	gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/tinyirc		--	gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
deleted file mode 100644
index 1cd0fbf..0000000
--- a/refpolicy/policy/modules/apps/irc.if
+++ /dev/null
@@ -1,173 +0,0 @@
-## <summary>IRC client policy</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the irc module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for an irc client sessions.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`irc_per_userdomain_template',`
-	gen_require(`
-		type irc_exec_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_irc_t;
-	domain_type($1_irc_t)
-	domain_entry_file($1_irc_t,irc_exec_t)
-	role $3 types $1_irc_t;
-
-	type $1_irc_exec_t;
-	userdom_user_home_content($1,$1_irc_exec_t)
-	domain_entry_file($1_irc_t,$1_irc_exec_t)
-
-	type $1_irc_home_t;
-	userdom_user_home_content($1,$1_irc_home_t)
-
-	type $1_irc_tmp_t;
-	userdom_user_home_content($1,$1_irc_tmp_t)
-	
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_irc_t self:dir search;
-	allow $1_irc_t self:lnk_file read;
-	allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_irc_t self:tcp_socket create_socket_perms;
-	allow $1_irc_t self:udp_socket create_socket_perms;
-
-	allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
-	allow $1_irc_t $1_irc_home_t:file create_file_perms;
-	allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
-	userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
-
-	# access files under /tmp
-	allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
-	allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
-	allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
-	allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
-	allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
-	files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
-
-	# Transition from the user domain to the derived domain.
-	domain_auto_trans($2,irc_exec_t,$1_irc_t)
-	allow $2 $1_irc_t:fd use;
-	allow $1_irc_t $2:fd use;
-	allow $1_irc_t $2:fifo_file rw_file_perms;
-	allow $1_irc_t $2:process sigchld;
-	
-	allow $2 $1_irc_t:process signal;
-
-	allow $2 $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
-
-	# allow ps to show irc
-	allow $2 $1_irc_t:dir { search getattr read };
-	allow $2 $1_irc_t:{ file lnk_file } { read getattr };
-	allow $2 $1_irc_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_irc_t:process ptrace;
-	
-	kernel_read_proc_symlinks($1_irc_t)
-
-	corenet_non_ipsec_sendrecv($1_irc_t)
-	corenet_tcp_sendrecv_generic_if($1_irc_t)
-	corenet_udp_sendrecv_generic_if($1_irc_t)
-	corenet_tcp_sendrecv_all_nodes($1_irc_t)
-	corenet_udp_sendrecv_all_nodes($1_irc_t)
-	corenet_tcp_sendrecv_all_ports($1_irc_t)
-	corenet_udp_sendrecv_all_ports($1_irc_t)
-	corenet_sendrecv_ircd_client_packets($1_irc_t)
-	# cjp: this seems excessive:
-	corenet_tcp_connect_all_ports($1_irc_t)
-	corenet_sendrecv_all_client_packets($1_irc_t)
-
-	domain_use_interactive_fds($1_irc_t)
-
-	files_dontaudit_search_pids($1_irc_t)
-	files_search_var($1_irc_t)
-	files_read_etc_files($1_irc_t)
-	files_read_usr_files($1_irc_t)
-
-	fs_getattr_xattr_fs($1_irc_t)
-	fs_search_auto_mountpoints($1_irc_t)
-
-	term_use_controlling_term($1_irc_t)
-	term_list_ptys($1_irc_t)
-
-	# allow utmp access
-	init_read_utmp($1_irc_t)
-	init_dontaudit_lock_utmp($1_irc_t)
-
-	libs_use_ld_so($1_irc_t)
-	libs_use_shared_libs($1_irc_t)
-
-	miscfiles_read_localization($1_irc_t)
-
-	# Inherit and use descriptors from newrole.
-	seutil_use_newrole_fds($1_irc_t)
-
-	sysnet_read_config($1_irc_t)
-
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_irc_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_irc_t)
-		fs_manage_nfs_files($1_irc_t)
-		fs_manage_nfs_symlinks($1_irc_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_irc_t)
-		fs_manage_cifs_files($1_irc_t)
-		fs_manage_cifs_symlinks($1_irc_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_irc_t)
-	')
-	
-	ifdef(`TODO',`
-		optional_policy(`
-			allow $1_irc_t ircd_t:tcp_socket { connectto recvfrom };
-			allow ircd_t $1_irc_t:tcp_socket { acceptfrom recvfrom };
-			kernel_tcp_recvfrom($1_irc_t)
-			kernel_tcp_recvfrom(ircd_t)
-		')
-	')
-')
diff --git a/refpolicy/policy/modules/apps/irc.te b/refpolicy/policy/modules/apps/irc.te
deleted file mode 100644
index 90753c0..0000000
--- a/refpolicy/policy/modules/apps/irc.te
+++ /dev/null
@@ -1,10 +0,0 @@
-
-policy_module(irc,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type irc_exec_t;
-corecmd_executable_file(irc_exec_t)
diff --git a/refpolicy/policy/modules/apps/java.fc b/refpolicy/policy/modules/apps/java.fc
deleted file mode 100644
index 918774e..0000000
--- a/refpolicy/policy/modules/apps/java.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# /opt
-#
-/opt/(.*/)?bin/java([^/]*)? --	gen_context(system_u:object_r:java_exec_t,s0)
-
-#
-# /usr
-#
-/usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
-/usr/lib(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
-/usr/bin/gij		--	gen_context(system_u:object_r:java_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
deleted file mode 100644
index c35bff5..0000000
--- a/refpolicy/policy/modules/apps/java.if
+++ /dev/null
@@ -1,201 +0,0 @@
-## <summary>Java virtual machine</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the java module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for java plugins that are executed by a browser.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`java_per_userdomain_template',`
-	gen_require(`
-		type java_exec_t;
-	')
-	
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_javaplugin_t;
-	domain_type($1_javaplugin_t)
-	domain_entry_file($1_javaplugin_t,java_exec_t)
-	role $3 types $1_javaplugin_t;
-	
-	type $1_javaplugin_tmp_t;
-	files_tmp_file($1_javaplugin_tmp_t)
-
-	type $1_javaplugin_tmpfs_t;
-	files_tmpfs_file($1_javaplugin_tmpfs_t)
-	
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
-	allow $1_javaplugin_t self:fifo_file rw_file_perms;
-	allow $1_javaplugin_t self:tcp_socket create_socket_perms;
-	allow $1_javaplugin_t self:udp_socket create_socket_perms;
-	
-	allow $1_javaplugin_t $2:unix_stream_socket connectto;
-	allow $1_javaplugin_t $2:unix_stream_socket { read write };
-	userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
-
-	allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms;
-	allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
-	files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
-
-	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-	fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	# cjp: rw_dir_perms here doesnt make sense
-	allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
-	allow $1_javaplugin_t $1_home_t:file rw_file_perms;
-	allow $1_javaplugin_t $1_home_t:lnk_file { getattr read };
-
-	can_exec($1_javaplugin_t, java_exec_t)
-	
-	# The user role is authorized for this domain.
-	domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-	allow $1_javaplugin_t $2:fd use;
-	# Unrestricted inheritance from the caller.
-	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-	allow $1_javaplugin_t $2:process signull;
-	
-	kernel_read_all_sysctls($1_javaplugin_t)
-	kernel_search_vm_sysctl($1_javaplugin_t)
-	kernel_read_network_state($1_javaplugin_t)
-	kernel_read_system_state($1_javaplugin_t)
-
-	# Search bin directory under javaplugin for javaplugin executable
-	corecmd_search_bin($1_javaplugin_t)
-
-	corenet_non_ipsec_sendrecv($1_javaplugin_t)
-	corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
-	corenet_udp_sendrecv_generic_if($1_javaplugin_t)
-	corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
-	corenet_udp_sendrecv_all_nodes($1_javaplugin_t)
-	corenet_tcp_sendrecv_all_ports($1_javaplugin_t)
-	corenet_udp_sendrecv_all_ports($1_javaplugin_t)
-	corenet_tcp_connect_all_ports($1_javaplugin_t)
-	corenet_sendrecv_all_client_packets($1_javaplugin_t)
-
-	dev_read_sound($1_javaplugin_t)
-	dev_write_sound($1_javaplugin_t)
-	dev_read_urand($1_javaplugin_t)
-	dev_read_rand($1_javaplugin_t)
-
-	files_read_etc_files($1_javaplugin_t)
-	files_read_usr_files($1_javaplugin_t)
-	files_search_home($1_javaplugin_t)
-	files_search_var_lib($1_javaplugin_t)
-	files_read_etc_runtime_files($1_javaplugin_t)
-	# Read global fonts and font config
-	files_read_etc_files($1_javaplugin_t)
-
-	fs_getattr_xattr_fs($1_javaplugin_t)
-	fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
-
-	libs_use_ld_so($1_javaplugin_t)
-	libs_use_shared_libs($1_javaplugin_t)
-
-	logging_send_syslog_msg($1_javaplugin_t)
-
-	miscfiles_read_localization($1_javaplugin_t)
-	# Read global fonts and font config
-	miscfiles_read_fonts($1_javaplugin_t)
-
-	sysnet_read_config($1_javaplugin_t)
-
-	userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
-	userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
-	userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
-	userdom_manage_user_home_content_dirs($1,$1_javaplugin_t)
-	userdom_manage_user_home_content_files($1,$1_javaplugin_t)
-	userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t)
-	userdom_manage_user_home_content_pipes($1,$1_javaplugin_t)
-	userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
-	userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
-
-	tunable_policy(`allow_java_execstack',`
-		allow $1_javaplugin_t self:process execstack;
-
-		allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-
-		libs_legacy_use_shared_libs($1_javaplugin_t)
-		libs_legacy_use_ld_so($1_javaplugin_t)
-		libs_use_lib_files($1_javaplugin_t)
-
-		miscfiles_legacy_read_localization($1_javaplugin_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_javaplugin_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_javaplugin_t)
-	')
-
-	optional_policy(`
-		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
-	')
-')
-
-########################################
-## <summary>
-##	Execute the java program in the java domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`java_domtrans',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type java_t, java_exec_t;
-		')
-
-		corecmd_search_bin($1)
-		domain_auto_trans($1, java_exec_t, java_t)
-
-		allow $1 java_t:fd use;
-		allow java_t $1:fd use;
-		allow java_t $1:fifo_file rw_file_perms;
-		allow java_t $1:process sigchld;
-	',`
-		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
-	')
-')
diff --git a/refpolicy/policy/modules/apps/java.te b/refpolicy/policy/modules/apps/java.te
deleted file mode 100644
index 0c6045d..0000000
--- a/refpolicy/policy/modules/apps/java.te
+++ /dev/null
@@ -1,22 +0,0 @@
-
-policy_module(java,1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-type java_t;
-type java_exec_t;
-init_system_domain(java_t,java_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-ifdef(`targeted_policy',`
-	allow java_t self:process { execstack execmem };
-	unconfined_domain_noaudit(java_t)
-	role system_r types java_t;
-')
diff --git a/refpolicy/policy/modules/apps/loadkeys.fc b/refpolicy/policy/modules/apps/loadkeys.fc
deleted file mode 100644
index 8549f9f..0000000
--- a/refpolicy/policy/modules/apps/loadkeys.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-
-/bin/loadkeys		--	gen_context(system_u:object_r:loadkeys_exec_t,s0)
-/bin/unikeys		--	gen_context(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/loadkeys.if b/refpolicy/policy/modules/apps/loadkeys.if
deleted file mode 100644
index 3d96369..0000000
--- a/refpolicy/policy/modules/apps/loadkeys.if
+++ /dev/null
@@ -1,89 +0,0 @@
-## <summary>Load keyboard mappings.</summary>
-
-########################################
-## <summary>
-##	Execute the loadkeys program in the loadkeys domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`loadkeys_domtrans',`
-	ifdef(`targeted_policy',`
-		# $0(): disabled in targeted policy as there
-		# is no loadkeys domain.
-	',`
-		gen_require(`
-			type loadkeys_t, loadkeys_exec_t;
-		')
-
-		corecmd_search_bin($1)
-		domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
-
-		allow $1 loadkeys_t:fd use;
-		allow loadkeys_t $1:fd use;
-		allow loadkeys_t $1:fifo_file rw_file_perms;
-		allow loadkeys_t $1:process sigchld;
-	')
-')
-
-########################################
-## <summary>
-##	Execute the loadkeys program in the loadkeys domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the loadkeys domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the loadkeys domain to use.
-##	</summary>
-## </param>
-#
-interface(`loadkeys_run',`
-	ifdef(`targeted_policy',`
-		# $0(): disabled in targeted policy as there
-		# is no loadkeys domain.
-	',`
-		gen_require(`
-			type loadkeys_t;
-		')
-
-		loadkeys_domtrans($1)
-		role $2 types loadkeys_t;
-		allow loadkeys_t $3:chr_file rw_term_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Execute the loadkeys program in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`loadkeys_exec',`
-	ifdef(`targeted_policy',`
-		# $0(): the loadkeys program is an alias
-		# of generic bin programs.
-		corecmd_exec_bin($1)
-	',`
-		gen_require(`
-			type loadkeys_exec_t;
-		')
-
-		can_exec($1,loadkeys_exec_t)
-	')
-')
diff --git a/refpolicy/policy/modules/apps/loadkeys.te b/refpolicy/policy/modules/apps/loadkeys.te
deleted file mode 100644
index 8e7daf3..0000000
--- a/refpolicy/policy/modules/apps/loadkeys.te
+++ /dev/null
@@ -1,48 +0,0 @@
-
-policy_module(loadkeys,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-ifdef(`targeted_policy',`
-	# for compatibility with strict:
-	corecmd_bin_alias(loadkeys_exec_t)
-',`
-	# cjp: this should probably be rewritten
-	# per user domain, since it can rw
-	# all user domain ttys
-
-	type loadkeys_t;
-	domain_type(loadkeys_t)
-
-	type loadkeys_exec_t;
-	domain_entry_file(loadkeys_t,loadkeys_exec_t)
-')
-
-########################################
-#
-# Local policy
-#
-
-ifdef(`targeted_policy',`
-	# loadkeys domain disabled in targeted policy
-',`
-	allow loadkeys_t self:capability { setuid sys_tty_config };
-	allow loadkeys_t self:fifo_file rw_file_perms;
-
-	kernel_read_system_state(loadkeys_t)
-
-	corecmd_exec_bin(loadkeys_t)
-	corecmd_exec_shell(loadkeys_t)
-
-	files_dontaudit_read_etc_runtime_files(loadkeys_t)
-
-	libs_use_ld_so(loadkeys_t)
-	libs_use_shared_libs(loadkeys_t)
-
-	locallogin_use_fds(loadkeys_t)
-
-	miscfiles_read_localization(loadkeys_t)
-')
diff --git a/refpolicy/policy/modules/apps/lockdev.fc b/refpolicy/policy/modules/apps/lockdev.fc
deleted file mode 100644
index 8b5ce03..0000000
--- a/refpolicy/policy/modules/apps/lockdev.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/sbin/lockdev	--	gen_context(system_u:object_r:lockdev_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/lockdev.if b/refpolicy/policy/modules/apps/lockdev.if
deleted file mode 100644
index ddf08c4..0000000
--- a/refpolicy/policy/modules/apps/lockdev.if
+++ /dev/null
@@ -1,87 +0,0 @@
-## <summary>device locking policy for lockdev</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the lockdev module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates derived domains which are used
-##	for lockdev. A derived type is also created to protect
-##	the user's device locks.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`lockdev_per_userdomain_template',`
-	gen_require(`
-		type lockdev_exec_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_lockdev_t;
-	domain_type($1_lockdev_t)
-	domain_entry_file($1_lockdev_t,lockdev_exec_t)
-	role $3 types $1_lockdev_t;
-
-	type $1_lockdev_lock_t;
-	files_lock_file($1_lockdev_lock_t)
-
-	########################################
-	#
-	# Local policy
-	#
-
-	# Use capabilities.
-	allow $1_lockdev_t self:capability setgid;
-	allow $1_lockdev_t $2:process signull;
-
-	# Transition from the user domain to the derived domain.
-	domain_auto_trans($2, lockdev_exec_t, $1_lockdev_t)
-	allow $2 $1_lockdev_t:fd use;
-	allow $1_lockdev_t $2:fd use;
-	allow $1_lockdev_t $2:fifo_file rw_file_perms;
-	allow $1_lockdev_t $2:process sigchld;
-
-	allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
-	files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file)
-
-	files_read_all_locks($1_lockdev_t)
-
-	fs_getattr_xattr_fs($1_lockdev_t)
-	
-	libs_use_ld_so($1_lockdev_t)
-	libs_use_shared_libs($1_lockdev_t)
-
-	logging_send_syslog_msg($1_lockdev_t)
-
-	userdom_use_user_terminals($1, $1_lockdev_t)
-	
-	optional_policy(`
-		logging_send_syslog_msg($1_t)
-	')
-')
diff --git a/refpolicy/policy/modules/apps/lockdev.te b/refpolicy/policy/modules/apps/lockdev.te
deleted file mode 100644
index 7c08bba..0000000
--- a/refpolicy/policy/modules/apps/lockdev.te
+++ /dev/null
@@ -1,10 +0,0 @@
-
-policy_module(lockdev,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type lockdev_exec_t;
-corecmd_executable_file(lockdev_exec_t)
diff --git a/refpolicy/policy/modules/apps/metadata.xml b/refpolicy/policy/modules/apps/metadata.xml
deleted file mode 100644
index a5ad4c0..0000000
--- a/refpolicy/policy/modules/apps/metadata.xml
+++ /dev/null
@@ -1 +0,0 @@
-<summary>Policy modules for applications</summary>
diff --git a/refpolicy/policy/modules/apps/mono.fc b/refpolicy/policy/modules/apps/mono.fc
deleted file mode 100644
index bc1c679..0000000
--- a/refpolicy/policy/modules/apps/mono.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/mono	--	gen_context(system_u:object_r:mono_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/mono.if b/refpolicy/policy/modules/apps/mono.if
deleted file mode 100644
index 257fa43..0000000
--- a/refpolicy/policy/modules/apps/mono.if
+++ /dev/null
@@ -1,25 +0,0 @@
-## <summary>Run .NET server and client applications on Linux.</summary>
-
-########################################
-## <summary>
-##	Execute the mono program in the mono domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mono_domtrans',`
-	gen_require(`
-		type mono_t, mono_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1, mono_exec_t, mono_t)
-
-	allow $1 mono_t:fd use;
-	allow mono_t $1:fd use;
-	allow mono_t $1:fifo_file rw_file_perms;
-	allow mono_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te
deleted file mode 100644
index 5769ceb..0000000
--- a/refpolicy/policy/modules/apps/mono.te
+++ /dev/null
@@ -1,42 +0,0 @@
-
-policy_module(mono,1.1.3)
-
-########################################
-#
-# Declarations
-#
-
-type mono_t;
-domain_type(mono_t)
-
-type mono_exec_t;
-domain_entry_file(mono_t,mono_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-ifdef(`targeted_policy',`
-	allow mono_t self:process { execheap execmem };
-	unconfined_domain_noaudit(mono_t)
-	unconfined_dbus_chat(mono_t)
-
-	init_dbus_chat_script(mono_t)
-
-	optional_policy(`
-		avahi_dbus_chat(mono_t)
-	')
-
-	optional_policy(`
-		hal_dbus_chat(mono_t)
-	')
-
-	optional_policy(`
-		networkmanager_dbus_chat(mono_t)
-	')
-
-	optional_policy(`
-		unconfined_dbus_connect(mono_t)
-	')
-')
diff --git a/refpolicy/policy/modules/apps/mozilla.fc b/refpolicy/policy/modules/apps/mozilla.fc
deleted file mode 100644
index 7218f9f..0000000
--- a/refpolicy/policy/modules/apps/mozilla.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# /bin
-#
-/usr/bin/netscape		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla-snapshot	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/epiphany-bin		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-
-#
-# /etc
-#
-/etc/mozpluggerrc 		--	gen_context(system_u:object_r:mozilla_conf_t,s0)
-
-#
-# /lib
-#
-/usr/lib(64)?/galeon/galeon 	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/mozilla[^/]*/reg.+ --	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-
-#  netscape/mozilla
-ifdef(`strict_policy',`
-HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-')
diff --git a/refpolicy/policy/modules/apps/mozilla.if b/refpolicy/policy/modules/apps/mozilla.if
deleted file mode 100644
index 26e7bad..0000000
--- a/refpolicy/policy/modules/apps/mozilla.if
+++ /dev/null
@@ -1,416 +0,0 @@
-## <summary>Policy for Mozilla and related web browsers</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the mozilla module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for mozilla web browser.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`mozilla_per_userdomain_template',`
-	
-	########################################
-	#
-	# Declarations
-	#
-	type $1_mozilla_t;
-	domain_type($1_mozilla_t)
-	domain_entry_file($1_mozilla_t,mozilla_exec_t)
-	role $3 types $1_mozilla_t;
-
-	type $1_mozilla_home_t alias $1_mozilla_rw_t;
-	files_poly_member($1_mozilla_home_t)
-	userdom_user_home_content($1,$1_mozilla_home_t)
-
-	type $1_mozilla_tmpfs_t;
-	files_tmpfs_file($1_mozilla_tmpfs_t)
-
-	########################################
-	#
-	# Local policy
-	#
-	allow $1_mozilla_t self:capability { sys_nice setgid setuid };
-	allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
-	allow $1_mozilla_t self:fifo_file { getattr read write };
-	allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
-	allow $1_mozilla_t self:sem create_sem_perms;
-	allow $1_mozilla_t self:socket create_socket_perms;
-	allow $1_mozilla_t self:unix_stream_socket { listen accept };
-	# Browse the web, connect to printer
-	allow $1_mozilla_t self:tcp_socket create_socket_perms;
-
-	# for bash - old mozilla binary
-	can_exec($1_mozilla_t, mozilla_exec_t)
-
-	# X access, Home files
-	allow $1_mozilla_t $1_mozilla_home_t:dir manage_dir_perms;
-	allow $1_mozilla_t $1_mozilla_home_t:file manage_file_perms;
-	allow $1_mozilla_t $1_mozilla_home_t:lnk_file create_lnk_perms;
-	fs_search_auto_mountpoints($1_mozilla_t)
-
-	# Mozpluggerrc
-	allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
-
-	allow $1_mozilla_t $2:fd use;
-	allow $1_mozilla_t $2:process sigchld;
-	allow $1_mozilla_t $2:unix_stream_socket connectto;
-	allow $2 $1_mozilla_t:fd use;
-	allow $2 $1_mozilla_t:shm { associate getattr };
-	allow $2 $1_mozilla_t:shm { unix_read unix_write };
-	allow $2 $1_mozilla_t:unix_stream_socket connectto;
-
-	# X access, Home files
-	allow $2 $1_mozilla_home_t:dir manage_dir_perms;
-	allow $2 $1_mozilla_home_t:file manage_file_perms;
-	allow $2 $1_mozilla_home_t:lnk_file create_lnk_perms;
-	allow $2 $1_mozilla_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-	userdom_search_user_home_dirs($1,$1_mozilla_t)
-
-	allow $1_mozilla_t $1_mozilla_tmpfs_t:dir rw_dir_perms;
-	allow $1_mozilla_t $1_mozilla_tmpfs_t:file manage_file_perms;
-	allow $1_mozilla_t $1_mozilla_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_mozilla_t $1_mozilla_tmpfs_t:sock_file manage_file_perms;
-	allow $1_mozilla_t $1_mozilla_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	# Unrestricted inheritance from the caller.
-	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
-	allow $1_mozilla_t $2:process signull;
-
-	# Allow the user domain to signal/ps.
-	allow $2 $1_mozilla_t:dir { search getattr read };
-	allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
-	allow $2 $1_mozilla_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_mozilla_t:process ptrace;
-
-	allow $2 $1_mozilla_t:process signal_perms;
-	
-	kernel_read_kernel_sysctls($1_mozilla_t)
-	kernel_read_network_state($1_mozilla_t)
-	# Access /proc, sysctl
-	kernel_read_system_state($1_mozilla_t)
-	kernel_read_net_sysctls($1_mozilla_t)
-
-	corecmd_search_sbin($1_mozilla_t)
-	# Look for plugins 
-	corecmd_list_bin($1_mozilla_t)
-	# for bash - old mozilla binary
-	corecmd_exec_shell($1_mozilla_t)
-	corecmd_exec_bin($1_mozilla_t)
-
-	# Browse the web, connect to printer
-	corenet_non_ipsec_sendrecv($1_mozilla_t)
-	corenet_tcp_sendrecv_generic_if($1_mozilla_t)
-	corenet_raw_sendrecv_generic_if($1_mozilla_t)
-	corenet_tcp_sendrecv_all_nodes($1_mozilla_t)
-	corenet_raw_sendrecv_all_nodes($1_mozilla_t)
-	corenet_tcp_sendrecv_http_port($1_mozilla_t)
-	corenet_tcp_sendrecv_http_cache_port($1_mozilla_t)
-	corenet_tcp_sendrecv_ftp_port($1_mozilla_t)
-	corenet_tcp_sendrecv_ipp_port($1_mozilla_t)
-	corenet_tcp_connect_http_port($1_mozilla_t)
-	corenet_tcp_connect_http_cache_port($1_mozilla_t)
-	corenet_tcp_connect_ftp_port($1_mozilla_t)
-	corenet_tcp_connect_ipp_port($1_mozilla_t)
-	corenet_tcp_connect_generic_port($1_mozilla_t)
-	corenet_sendrecv_http_client_packets($1_mozilla_t)
-	corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
-	corenet_sendrecv_ftp_client_packets($1_mozilla_t)
-	corenet_sendrecv_ipp_client_packets($1_mozilla_t)
-	corenet_sendrecv_generic_client_packets($1_mozilla_t)
-	# Should not need other ports
-	corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t)
-	corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
-
-	dev_read_urand($1_mozilla_t)
-	dev_write_sound($1_mozilla_t)
-	dev_read_sound($1_mozilla_t)
-	dev_dontaudit_rw_dri($1_mozilla_t)
-
-	files_read_etc_runtime_files($1_mozilla_t)
-	files_read_usr_files($1_mozilla_t)
-	files_read_etc_files($1_mozilla_t)
-	# /var/lib
-	files_read_var_lib_files($1_mozilla_t)
-	# interacting with gstreamer
-	files_read_var_files($1_mozilla_t)
-	files_read_var_symlinks($1_mozilla_t)
-
-	fs_search_inotifyfs($1_mozilla_t)
-	fs_rw_tmpfs_files($1_mozilla_t)
-	
-	libs_use_ld_so($1_mozilla_t)
-	libs_use_lib_files($1_mozilla_t)
-	libs_use_shared_libs($1_mozilla_t)
-
-	logging_send_syslog_msg($1_mozilla_t)
-
-	miscfiles_read_fonts($1_mozilla_t)
-
-	# Browse the web, connect to printer
-	sysnet_dns_name_resolve($1_mozilla_t)
-	sysnet_read_config($1_mozilla_t)
-	
-	userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
-	userdom_manage_user_home_content_files($1,$1_mozilla_t)
-	userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
-	userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
-	userdom_manage_user_tmp_files($1,$1_mozilla_t)
-	userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
-	
-	xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
-	
-	tunable_policy(`allow_execmem',`
-		allow $1_mozilla_t self:process { execmem execstack };
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_mozilla_t)
-		fs_manage_nfs_files($1_mozilla_t)
-		fs_manage_nfs_symlinks($1_mozilla_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_mozilla_t)
-		fs_manage_cifs_files($1_mozilla_t)
-		fs_manage_cifs_symlinks($1_mozilla_t)
-	')
-
-	# Type transition
-	tunable_policy(`! disable_mozilla_trans',`
-		domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
-	')
-
-	# Uploads, local html
-	tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		fs_read_nfs_files($1_mozilla_t)
-		fs_read_nfs_symlinks($1_mozilla_t)
-	
-	',`
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_read_nfs_files($1_mozilla_t)
-		fs_dontaudit_list_nfs($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		fs_read_cifs_files($1_mozilla_t)
-		fs_read_cifs_symlinks($1_mozilla_t)
-	',`
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_read_cifs_files($1_mozilla_t)
-		fs_dontaudit_list_cifs($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content',`
-		userdom_list_user_tmp($1,$1_mozilla_t)
-		userdom_read_user_tmp_files($1,$1_mozilla_t)
-		userdom_read_user_tmp_symlinks($1,$1_mozilla_t)
-		userdom_search_user_home_dirs($1,$1_mozilla_t)
-		userdom_read_user_home_content_files($1,$1_mozilla_t)
-		userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
-		
-		ifdef(`enable_mls',`',`
-			fs_search_removable($1_mozilla_t)
-			fs_read_removable_files($1_mozilla_t)
-			fs_read_removable_symlinks($1_mozilla_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_mozilla_t)
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_removable($1_mozilla_t)
-		fs_dontaudit_read_removable_files($1_mozilla_t)
-		userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
-		userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
-		userdom_dontaudit_read_user_home_content_files($1,$1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && read_default_t',`
-		files_list_default($1_mozilla_t)
-		files_read_default_files($1_mozilla_t)
-		files_read_default_symlinks($1_mozilla_t)
-	',`
-		files_dontaudit_read_default_files($1_mozilla_t)
-		files_dontaudit_list_default($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && read_untrusted_content',`
-		files_list_tmp($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		userdom_search_user_home_dirs($1,$1_mozilla_t)
-	
-		userdom_list_user_untrusted_content($1,$1_mozilla_t)
-		userdom_read_user_untrusted_content_files($1,$1_mozilla_t)
-		userdom_read_user_untrusted_content_symlinks($1,$1_mozilla_t)
-		userdom_list_user_tmp_untrusted_content($1,$1_mozilla_t)
-		userdom_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mozilla_t)
-	',`
-		files_dontaudit_list_tmp($1_mozilla_t)
-		files_dontaudit_list_home($1_mozilla_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
-		userdom_dontaudit_list_user_untrusted_content($1,$1_mozilla_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1,$1_mozilla_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mozilla_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
-	')
-
-	# Save web pages
-	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
-		files_search_home($1_mozilla_t)
-
-		fs_search_auto_mountpoints($1_mozilla_t)
-		fs_manage_nfs_dirs($1_mozilla_t)
-		fs_manage_nfs_files($1_mozilla_t)
-		fs_manage_nfs_symlinks($1_mozilla_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_manage_nfs_dirs($1_mozilla_t)
-		fs_dontaudit_manage_nfs_files($1_mozilla_t)
-	')
-
-	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
-		files_search_home($1_mozilla_t)
-
-		fs_search_auto_mountpoints($1_mozilla_t)
-		fs_manage_cifs_dirs($1_mozilla_t)
-		fs_manage_cifs_files($1_mozilla_t)
-		fs_manage_cifs_symlinks($1_mozilla_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_manage_cifs_dirs($1_mozilla_t)
-		fs_dontaudit_manage_cifs_files($1_mozilla_t)
-	')
-
-	tunable_policy(`write_untrusted_content',`
-		files_search_home($1_mozilla_t)
-		files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file)
-		files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir)
-
-		userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,file)
-		userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,dir)
-	',`
-		files_dontaudit_list_home($1_mozilla_t)
-		files_dontaudit_list_tmp($1_mozilla_t)
-
-		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
-		userdom_dontaudit_manage_user_tmp_dirs($1,$1_mozilla_t)
-		userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t)
-		userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t)
-
-	')
-
-	optional_policy(`
-		apache_read_user_scripts($1,$1_mozilla_t)
-		apache_read_user_content($1,$1_mozilla_t)
-	')
-
-	optional_policy(`
-		cups_read_rw_config($1_mozilla_t)
-	')
-
-	optional_policy(`
-		dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
-		dbus_send_system_bus($1_mozilla_t)
-		ifdef(`TODO',`
-			optional_policy(`
-				allow cupsd_t $1_mozilla_t:dbus send_msg;
-			')
-		')
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_mozilla_t)
-	')
-
-	optional_policy(`
-		squid_use($1_mozilla_t)
-	')
-
-	optional_policy(`
-		lpd_domtrans_user_lpr($1,$1_mozilla_t)
-	')
-
-	ifdef(`TODO',`
-		# Java plugin
-		optional_policy(`
-			#reh, these are hacked in types due to the use of the java_per_userdomain_template
-			type $1_mozilla_tmp_t;
-			files_tmp_file($1_mozilla_tmp_t)
-
-			#this looks even more ugly.
-			type $1_mozilla_tty_device_t;
-			term_tty($1_mozilla_t,$1_mozilla_tty_device_t)
-			type $1_mozilla_devpts_t;
-			term_pty($1_mozilla_devpts_t)
-			type $1_mozilla_home_dir_t;
-			userdom_user_home_content($1,$1_mozilla_home_dir_t)
-
-			java_per_userdomain_template($1_mozilla,$2,$3)
-		')
-
-		######### Launch mplayer
-		optional_policy(`
-			domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
-			dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-			dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
-			dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-		')
-		#NOTE commented out in strict.
-		######### Launch email client, and make webcal links work
-		#ifdef(`evolution.te', `
-		#domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
-		#domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-		#')
-		#NOTE commented out in strict
-		#ifdef(`thunderbird.te', `
-		#domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
-		#')
-	
-		# Macros for mozilla/mozilla (or other browser) domains.
-		# FIXME: Rules were removed to centralize policy in a gnome_app macro
-		# A similar thing might be necessary for mozilla compiled without GNOME
-		# support (is this possible?). 
-
-		# GNOME integration
-		optional_policy(`
-			gnome_application($1_mozilla, $1)
-			gnome_file_dialog($1_mozilla, $1)
-		')
-	')
-')
diff --git a/refpolicy/policy/modules/apps/mozilla.te b/refpolicy/policy/modules/apps/mozilla.te
deleted file mode 100644
index 7565167..0000000
--- a/refpolicy/policy/modules/apps/mozilla.te
+++ /dev/null
@@ -1,13 +0,0 @@
-
-policy_module(mozilla,1.0.3)
-
-########################################
-#
-# Declarations
-#
-
-type mozilla_conf_t;
-files_config_file(mozilla_conf_t)
-
-type mozilla_exec_t;
-corecmd_executable_file(mozilla_exec_t)
diff --git a/refpolicy/policy/modules/apps/mplayer.fc b/refpolicy/policy/modules/apps/mplayer.fc
deleted file mode 100644
index 60db2e9..0000000
--- a/refpolicy/policy/modules/apps/mplayer.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# /etc
-#
-/etc/mplayer(/.*)?		gen_context(system_u:object_r:mplayer_etc_t,s0)
-
-#
-# /usr
-#
-/usr/bin/mplayer	--	   	gen_context(system_u:object_r:mplayer_exec_t,s0)
-/usr/bin/mencoder	--	   	gen_context(system_u:object_r:mencoder_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
-')
diff --git a/refpolicy/policy/modules/apps/mplayer.if b/refpolicy/policy/modules/apps/mplayer.if
deleted file mode 100644
index 12e9260..0000000
--- a/refpolicy/policy/modules/apps/mplayer.if
+++ /dev/null
@@ -1,458 +0,0 @@
-## <summary>Mplayer media player and encoder</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the mplayer module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for mplayer media player.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`mplayer_per_userdomain_template',`
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_mencoder_t;
-	domain_type($1_mencoder_t)
-	domain_entry_file($1_mencoder_t,mencoder_exec_t)
-	role $3 types $1_mencoder_t;
-
-	type $1_mplayer_t;
-	domain_type($1_mplayer_t)
-	domain_entry_file($1_mplayer_t,mplayer_exec_t)
-	role $3 types $1_mplayer_t;
-
-	type $1_mplayer_home_t alias $1_mplayer_rw_t;
-	files_poly_member($1_mplayer_home_t)
-	userdom_user_home_content($1,$1_mplayer_home_t)
-
-	type $1_mplayer_tmpfs_t;
-	files_tmpfs_file($1_mplayer_tmpfs_t)
-
-	########################################
-	#
-	# mencoder local policy
-	#
-
-	allow $1_mencoder_t $1_mplayer_home_t:dir create_dir_perms;
-	allow $1_mencoder_t $1_mplayer_home_t:file create_file_perms;
-	allow $1_mencoder_t $1_mplayer_home_t:lnk_file create_lnk_perms;
-
-	# Read global config
-	allow $1_mencoder_t mplayer_etc_t:dir r_dir_perms;
-	allow $1_mencoder_t mplayer_etc_t:file r_file_perms;
-	allow $1_mencoder_t mplayer_etc_t:lnk_file { getattr read };
-	
-	# domain transition
-	domain_auto_trans($2, mencoder_exec_t, $1_mencoder_t)
-	allow $2 $1_mencoder_t:fd use;
-	allow $1_mencoder_t $2:fd use;
-	allow $1_mencoder_t $2:fifo_file rw_file_perms;
-	allow $1_mencoder_t $2:process sigchld;
-
-	# Allow the user domain to signal/ps.
-	allow $2 $1_mencoder_t:dir { search getattr read };
-	allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
-	allow $2 $1_mencoder_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_mencoder_t:process ptrace;
-	allow $2 $1_mencoder_t:process signal_perms;
-
-	# Read /proc files and directories
-	# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
-	kernel_read_system_state($1_mencoder_t)
-	# Sysctl on kernel version 
-	kernel_read_kernel_sysctls($1_mencoder_t)
-
-	# Required for win32 binary loader 
-	dev_rwx_zero($1_mencoder_t)
-	# Access to DVD/CD/V4L
-	dev_read_video_dev($1_mencoder_t)
-
-	# Read data in /usr/share (fonts, icons..)
-	files_read_usr_files($1_mencoder_t)
-	files_read_usr_symlinks($1_mencoder_t)
-
-	fs_search_auto_mountpoints($1_mencoder_t)
-
-	# Access to DVD/CD/V4L
-	storage_raw_read_removable_device($1_mencoder_t)
-
-	libs_use_ld_so($1_mencoder_t)
-	libs_use_shared_libs($1_mencoder_t)
-
-	miscfiles_read_localization($1_mencoder_t)
-
-	userdom_use_user_terminals($1,$1_mencoder_t)
-	# Handle removable media, /tmp, and /home
-	userdom_list_user_tmp($1,$1_mencoder_t)
-	userdom_read_user_tmp_files($1,$1_mencoder_t)
-	userdom_read_user_tmp_symlinks($1,$1_mencoder_t)
-	userdom_read_user_home_content_files($1,$1_mencoder_t)
-	userdom_read_user_home_content_symlinks($1,$1_mencoder_t)
-
-	# Read content to encode
-	ifdef(`enable_mls',`',`
-		fs_search_removable($1_mencoder_t)
-		fs_read_removable_files($1_mencoder_t)
-		fs_read_removable_symlinks($1_mencoder_t)
-	')
-
-	tunable_policy(`allow_execmem',`
-		allow $1_mencoder_t self:process execmem;
-	')
-
-	tunable_policy(`allow_execmod',`
-		dev_execmod_zero($1_mencoder_t)
-	')
-
-	tunable_policy(`allow_mplayer_execstack',`
-		allow $1_mencoder_t self:process { execmem execstack };
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_mencoder_t)
-		fs_manage_nfs_files($1_mencoder_t)
-		fs_manage_nfs_symlinks($1_mencoder_t)
-
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_mencoder_t)
-		fs_manage_cifs_files($1_mencoder_t)
-		fs_manage_cifs_symlinks($1_mencoder_t)
-
-	')
-
-	# Read content to encode
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_mencoder_t)
-		files_list_home($1_mencoder_t)
-		fs_read_nfs_files($1_mencoder_t)
-		fs_read_nfs_symlinks($1_mencoder_t)
-	
-	',`
-		files_dontaudit_list_home($1_mencoder_t)
-		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
-		fs_dontaudit_read_nfs_files($1_mencoder_t)
-		fs_dontaudit_list_nfs($1_mencoder_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_mencoder_t)
-		files_list_home($1_mencoder_t)
-		fs_read_cifs_files($1_mencoder_t)
-		fs_read_cifs_symlinks($1_mencoder_t)
-	',`
-		files_dontaudit_list_home($1_mencoder_t)
-		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
-		fs_dontaudit_read_cifs_files($1_mencoder_t)
-		fs_dontaudit_list_cifs($1_mencoder_t)
-	')
-
-	tunable_policy(`read_default_t',`
-		files_list_default($1_mencoder_t)
-		files_read_default_files($1_mencoder_t)
-		files_read_default_symlinks($1_mencoder_t)
-	',`
-		files_dontaudit_read_default_files($1_mencoder_t)
-		files_dontaudit_list_default($1_mencoder_t)
-	')
-
-	tunable_policy(`read_untrusted_content',`
-		files_list_tmp($1_mencoder_t)
-		files_list_home($1_mencoder_t)
-	
-		userdom_list_user_untrusted_content($1,$1_mencoder_t)
-		userdom_read_user_untrusted_content_files($1,$1_mencoder_t)
-		userdom_read_user_untrusted_content_symlinks($1,$1_mencoder_t)
-		userdom_list_user_tmp_untrusted_content($1,$1_mencoder_t)
-		userdom_read_user_tmp_untrusted_content_files($1,$1_mencoder_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mencoder_t)
-	',`
-		files_dontaudit_list_tmp($1_mencoder_t)
-		files_dontaudit_list_home($1_mencoder_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_mencoder_t)
-		userdom_dontaudit_list_user_untrusted_content($1,$1_mencoder_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1,$1_mencoder_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mencoder_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mencoder_t)
-	')
-
-	# Save encoded files
-	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
-		files_search_home($1_mencoder_t)
-
-		fs_search_auto_mountpoints($1_mencoder_t)
-		fs_manage_nfs_dirs($1_mencoder_t)
-		fs_manage_nfs_files($1_mencoder_t)
-		fs_manage_nfs_symlinks($1_mencoder_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
-		fs_dontaudit_manage_nfs_dirs($1_mencoder_t)
-		fs_dontaudit_manage_nfs_files($1_mencoder_t)
-	')
-
-	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
-		files_search_home($1_mencoder_t)
-
-		fs_search_auto_mountpoints($1_mencoder_t)
-		fs_manage_cifs_dirs($1_mencoder_t)
-		fs_manage_cifs_files($1_mencoder_t)
-		fs_manage_cifs_symlinks($1_mencoder_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
-		fs_dontaudit_manage_cifs_dirs($1_mencoder_t)
-		fs_dontaudit_manage_cifs_files($1_mencoder_t)
-	')
-
-	tunable_policy(`write_untrusted_content',`
-		files_search_home($1_mencoder_t)
-		files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,file)
-		files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,dir)
-
-		userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,file)
-		userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,dir)
-
-	',`
-		files_dontaudit_list_home($1_mencoder_t)
-		files_dontaudit_list_tmp($1_mencoder_t)
-
-		userdom_dontaudit_list_user_home_dirs($1,$1_mencoder_t)
-		userdom_dontaudit_manage_user_tmp_files($1,$1_mencoder_t)
-		userdom_dontaudit_manage_user_home_content_dirs($1,$1_mencoder_t)
-	')
-
-	########################################
-	#
-	# mplayer local policy
-	#
-
-	allow $1_mplayer_t self:process { signal_perms getsched };
-	allow $1_mplayer_t self:fifo_file rw_file_perms;
-
-	allow $1_mplayer_t $1_mplayer_home_t:dir manage_dir_perms;
-	allow $1_mplayer_t $1_mplayer_home_t:file manage_file_perms;
-	allow $1_mplayer_t $1_mplayer_home_t:lnk_file create_lnk_perms;
-	userdom_search_user_home_dirs($1,$1_mplayer_t)
-
-	allow $1_mplayer_t $1_mplayer_tmpfs_t:dir rw_dir_perms;
-	allow $1_mplayer_t $1_mplayer_tmpfs_t:file manage_file_perms;
-	allow $1_mplayer_t $1_mplayer_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_mplayer_t $1_mplayer_tmpfs_t:sock_file manage_file_perms;
-	allow $1_mplayer_t $1_mplayer_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_mplayer_t,$1_mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	# Read global config
-	allow $1_mplayer_t mplayer_etc_t:dir r_dir_perms;
-	allow $1_mplayer_t mplayer_etc_t:file r_file_perms;
-	allow $1_mplayer_t mplayer_etc_t:lnk_file { getattr read };
-
-	# Home access
-	allow $2 $1_mplayer_home_t:dir manage_dir_perms;
-	allow $2 $1_mplayer_home_t:file manage_file_perms;
-	allow $2 $1_mplayer_home_t:lnk_file create_lnk_perms;
-	allow $2 $1_mplayer_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-	# domain transition
-	domain_auto_trans($2, mplayer_exec_t, $1_mplayer_t)
-	allow $2 $1_mplayer_t:fd use;
-	allow $1_mplayer_t $2:fd use;
-	allow $1_mplayer_t $2:fifo_file rw_file_perms;
-	allow $1_mplayer_t $2:process sigchld;
-
-	# Allow the user domain to signal/ps.
-	allow $2 $1_mplayer_t:dir { search getattr read };
-	allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
-	allow $2 $1_mplayer_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_mplayer_t:process ptrace;
-	allow $2 $1_mplayer_t:process signal_perms;
-
-	kernel_dontaudit_list_unlabeled($1_mplayer_t)
-	kernel_dontaudit_getattr_unlabeled_files($1_mplayer_t)
-	kernel_dontaudit_read_unlabeled_files($1_mplayer_t)
-	# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
-	kernel_read_system_state($1_mplayer_t)
-	# Sysctl on kernel version 
-	kernel_read_kernel_sysctls($1_mplayer_t)
-
-	# Run bash/sed (??) 
-	corecmd_exec_bin($1_mplayer_t)
-	corecmd_exec_shell($1_mplayer_t)
-
-	# Required for win32 binary loader 
-	dev_rwx_zero($1_mplayer_t)
-	# Access to DVD/CD/V4L
-	dev_read_video_dev($1_mplayer_t)
-	# Audio, alsa.conf
-	dev_read_sound_mixer($1_mplayer_t)
-	dev_write_sound_mixer($1_mplayer_t)
-	# RTC clock 
-	dev_read_realtime_clock($1_mplayer_t)
-
-	# Access to DVD/CD/V4L
-	storage_raw_read_removable_device($1_mplayer_t)
-
-	files_read_etc_files($1_mplayer_t)
-	files_dontaudit_list_non_security($1_mplayer_t)
-	files_dontaudit_getattr_non_security_files($1_mplayer_t)
-	files_read_non_security_files($1_mplayer_t)
-	# Unfortunately the ancient file dialog starts in /
-	files_list_home($1_mplayer_t)
-	# Read /etc/mtab
-	files_read_etc_runtime_files($1_mplayer_t)
-	# Read data in /usr/share (fonts, icons..)
-	files_read_usr_files($1_mplayer_t)
-	files_read_usr_symlinks($1_mplayer_t)
-
-	fs_dontaudit_getattr_all_fs($1_mplayer_t)
-	fs_search_auto_mountpoints($1_mplayer_t)
-
-	libs_use_ld_so($1_mplayer_t)
-	libs_use_shared_libs($1_mplayer_t)
-
-	miscfiles_read_localization($1_mplayer_t)
-	miscfiles_read_fonts($1_mplayer_t)
-
-	userdom_use_user_terminals($1,$1_mplayer_t)
-	# Read media files
-	userdom_list_user_tmp($1,$1_mplayer_t)
-	userdom_read_user_tmp_files($1,$1_mplayer_t)
-	userdom_read_user_tmp_symlinks($1,$1_mplayer_t)
-	userdom_read_user_home_content_files($1,$1_mplayer_t)
-	userdom_read_user_home_content_symlinks($1,$1_mplayer_t)
-
-	xserver_user_client_template($1,$1_mplayer_t,$1_mplayer_tmpfs_t)
-	
-	# Read songs
-	ifdef(`enable_mls',`',`
-		fs_search_removable($1_mplayer_t)
-		fs_read_removable_files($1_mplayer_t)
-		fs_read_removable_symlinks($1_mplayer_t)
-	')
-
-	tunable_policy(`allow_execmem',`
-		allow $1_mplayer_t self:process execmem;
-	')
-
-	tunable_policy(`allow_execmod',`
-		dev_execmod_zero($1_mplayer_t)
-	')
-
-	tunable_policy(`allow_mplayer_execstack',`
-		allow $1_mplayer_t self:process { execmem execstack };
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_mplayer_t)
-		fs_manage_nfs_files($1_mplayer_t)
-		fs_manage_nfs_symlinks($1_mplayer_t)
-	')
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_mplayer_t)
-		fs_manage_cifs_files($1_mplayer_t)
-		fs_manage_cifs_symlinks($1_mplayer_t)
-	')
-
-	# Legacy domain issues
-	tunable_policy(`allow_mplayer_execstack',`
-		allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
-	')
-
-	# Read songs
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_mplayer_t)
-		files_list_home($1_mplayer_t)
-		fs_read_nfs_files($1_mplayer_t)
-		fs_read_nfs_symlinks($1_mplayer_t)
-	
-	',`
-		files_dontaudit_list_home($1_mplayer_t)
-		fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
-		fs_dontaudit_read_nfs_files($1_mplayer_t)
-		fs_dontaudit_list_nfs($1_mplayer_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_mplayer_t)
-		files_list_home($1_mplayer_t)
-		fs_read_cifs_files($1_mplayer_t)
-		fs_read_cifs_symlinks($1_mplayer_t)
-	',`
-		files_dontaudit_list_home($1_mplayer_t)
-		fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
-		fs_dontaudit_read_cifs_files($1_mplayer_t)
-		fs_dontaudit_list_cifs($1_mplayer_t)
-	')
-
-	tunable_policy(`read_default_t',`
-		files_list_default($1_mplayer_t)
-		files_read_default_files($1_mplayer_t)
-		files_read_default_symlinks($1_mplayer_t)
-	',`
-		files_dontaudit_read_default_files($1_mplayer_t)
-		files_dontaudit_list_default($1_mplayer_t)
-	')
-
-	tunable_policy(`read_untrusted_content',`
-		files_list_tmp($1_mplayer_t)
-		files_list_home($1_mplayer_t)
-	
-		userdom_list_user_untrusted_content($1,$1_mplayer_t)
-		userdom_read_user_untrusted_content_files($1,$1_mplayer_t)
-		userdom_read_user_untrusted_content_symlinks($1,$1_mplayer_t)
-		userdom_list_user_tmp_untrusted_content($1,$1_mplayer_t)
-		userdom_read_user_tmp_untrusted_content_files($1,$1_mplayer_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mplayer_t)
-	',`
-		files_dontaudit_list_tmp($1_mplayer_t)
-		files_dontaudit_list_home($1_mplayer_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_mplayer_t)
-		userdom_dontaudit_list_user_untrusted_content($1,$1_mplayer_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1,$1_mplayer_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mplayer_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mplayer_t)
-	')
-
-	optional_policy(`
-		alsa_read_rw_config($1_mplayer_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_mplayer_t)
-	')
-')
diff --git a/refpolicy/policy/modules/apps/mplayer.te b/refpolicy/policy/modules/apps/mplayer.te
deleted file mode 100644
index adbb176..0000000
--- a/refpolicy/policy/modules/apps/mplayer.te
+++ /dev/null
@@ -1,16 +0,0 @@
-
-policy_module(mplayer,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type mplayer_exec_t;
-corecmd_executable_file(mplayer_exec_t)
-
-type mencoder_exec_t;
-corecmd_executable_file(mencoder_exec_t)
-
-type mplayer_etc_t;
-files_config_file(mplayer_etc_t)
diff --git a/refpolicy/policy/modules/apps/rssh.fc b/refpolicy/policy/modules/apps/rssh.fc
deleted file mode 100644
index 4c091ca..0000000
--- a/refpolicy/policy/modules/apps/rssh.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/rssh	--	gen_context(system_u:object_r:rssh_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/rssh.if b/refpolicy/policy/modules/apps/rssh.if
deleted file mode 100644
index 2a84766..0000000
--- a/refpolicy/policy/modules/apps/rssh.if
+++ /dev/null
@@ -1,143 +0,0 @@
-## <summary>Restricted (scp/sftp) only shell</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the rssh module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for rssh client sessions.  Derived types are also created
-##	for read-only and read-write file access.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`rssh_per_userdomain_template',`
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_rssh_t alias rssh_$1_t, rssh_domain_type;
-	domain_type($1_rssh_t)
-	domain_entry_file($1_rssh_t,rssh_exec_t)
-	domain_user_exemption_target($1_t)
-	domain_interactive_fd($1_rssh_t)
-	role system_r types $1_rssh_t;
-
-	type $1_rssh_devpts_t alias rssh_$1_devpts_t;
-	term_user_pty($1_rssh_t,$1_rssh_devpts_t)
-
-	type $1_rssh_ro_t alias rssh_$1_ro_t, rssh_ro_content_type;
-	userdom_user_home_content($1,$1_rssh_ro_t)
-
-	type $1_rssh_rw_t alias rssh_$1_rw_t;
-	userdom_user_home_content($1,$1_rssh_rw_t)
-
-	##############################
-	#
-	# Local policy
-	#
-
-	allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_rssh_t self:fd use;
-	allow $1_rssh_t self:fifo_file rw_file_perms;
-	allow $1_rssh_t self:unix_dgram_socket create_socket_perms;
-	allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_rssh_t self:unix_dgram_socket sendto;
-	allow $1_rssh_t self:unix_stream_socket connectto;
-	allow $1_rssh_t self:shm create_shm_perms;
-	allow $1_rssh_t self:sem create_sem_perms;
-	allow $1_rssh_t self:msgq create_msgq_perms;
-	allow $1_rssh_t self:msg { send receive };
-
-	allow $1_rssh_t $1_rssh_devpts_t:chr_file { rw_file_perms setattr };
-	term_create_pty($1_rssh_t,$1_rssh_devpts_t)
-
-	allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms;
-	allow $1_rssh_t $1_rssh_ro_t:file read_file_perms;
-
-	allow $1_rssh_t $1_rssh_rw_t:dir manage_dir_perms;
-	allow $1_rssh_t $1_rssh_rw_t:file manage_file_perms;
-
-	kernel_read_system_state($1_rssh_t)
-	kernel_read_kernel_sysctls($1_rssh_t)
-
-	files_read_etc_files($1_rssh_t)
-	files_read_etc_runtime_files($1_rssh_t)
-	files_list_home($1_rssh_t)
-	files_read_usr_files($1_rssh_t)
-	files_list_var($1_rssh_t)
-
-	fs_search_auto_mountpoints($1_rssh_t)
-
-	libs_use_ld_so($1_rssh_t)
-	libs_use_shared_libs($1_rssh_t)
-
-	logging_send_syslog_msg($1_rssh_t)
-
-	miscfiles_read_localization($1_rssh_t)
-
-	userdom_use_unpriv_users_fds($1_rssh_t)
-
-	ssh_rw_tcp_sockets($1_rssh_t)
-	ssh_rw_stream_sockets($1_rssh_t)
-
-	optional_policy(`
-		nis_use_ypbind($1_rssh_t)
-	')
-')
-
-########################################
-## <summary>
-##	Transition to all user rssh domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rssh_spec_domtrans_all_users',`
-	gen_require(`
-		attribute rssh_domain_type;
-		type rssh_exec_t;
-	')
-
-	domain_trans($1,rssh_exec_t,rssh_domain_type)
-	allow rssh_domain_type $1:fd use;
-	allow rssh_domain_type $1:fifo_file rw_file_perms;
-	allow rssh_domain_type $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Read all users rssh read-only content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rssh_read_all_users_ro_content',`
-	gen_require(`
-		attribute rssh_ro_content_type;
-	')
-
-	allow $1 rssh_ro_content_type:dir r_dir_perms;
-	allow $1 rssh_ro_content_type:file r_file_perms;
-	allow $1 rssh_ro_content_type:lnk_file { getattr read };
-')
diff --git a/refpolicy/policy/modules/apps/rssh.te b/refpolicy/policy/modules/apps/rssh.te
deleted file mode 100644
index 8419801..0000000
--- a/refpolicy/policy/modules/apps/rssh.te
+++ /dev/null
@@ -1,13 +0,0 @@
-
-policy_module(rssh,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute rssh_domain_type;
-attribute rssh_ro_content_type;
-
-type rssh_exec_t;
-corecmd_executable_file(rssh_exec_t)
diff --git a/refpolicy/policy/modules/apps/screen.fc b/refpolicy/policy/modules/apps/screen.fc
deleted file mode 100644
index fa622bc..0000000
--- a/refpolicy/policy/modules/apps/screen.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# /home
-#
-ifdef(`strict_policy',`
-HOME_DIR/\.screenrc		--	gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
-')
-
-#
-# /usr
-#
-/usr/bin/screen			--	gen_context(system_u:object_r:screen_exec_t,s0)
-
-#
-# /var
-#
-/var/run/screens?/S-[^/]+	-d	gen_context(system_u:object_r:screen_dir_t,s0)
-/var/run/screens?/S-[^/]+/.*		<<none>>
diff --git a/refpolicy/policy/modules/apps/screen.if b/refpolicy/policy/modules/apps/screen.if
deleted file mode 100644
index fa61d05..0000000
--- a/refpolicy/policy/modules/apps/screen.if
+++ /dev/null
@@ -1,200 +0,0 @@
-## <summary>GNU terminal multiplexer</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the screen module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for screen sessions.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`screen_per_userdomain_template',`
-	gen_require(`
-		type screen_dir_t, screen_exec_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_screen_t;
-	domain_type($1_screen_t)
-	domain_entry_file($1_screen_t,screen_exec_t)
-	domain_interactive_fd($1_screen_t)
-	role $3 types $1_screen_t;
-
-	type $1_screen_tmp_t;
-	files_tmp_file($1_screen_tmp_t)
-
-	type $1_screen_ro_home_t;
-	files_type($1_screen_ro_home_t)
-
-	type $1_screen_var_run_t;;
-	files_pid_file($1_screen_var_run_t)
-	
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_screen_t self:capability { setuid setgid fsetid };
-	allow $1_screen_t self:process signal_perms;
-	allow $1_screen_t self:tcp_socket create_stream_socket_perms;
-	allow $1_screen_t self:udp_socket create_socket_perms;
-	# Internal screen networking
-	allow $1_screen_t self:fd use;
-	allow $1_screen_t self:unix_stream_socket create_socket_perms;
-	allow $1_screen_t self:unix_dgram_socket create_socket_perms;
-
-	allow $1_screen_t $1_screen_tmp_t:dir create_dir_perms;
-	allow $1_screen_t $1_screen_tmp_t:file create_file_perms;
-	allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms;
-	files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir })
-
-	# Create fifo
-	allow $1_screen_t screen_dir_t:dir rw_dir_perms;
-	allow $1_screen_t screen_dir_t:dir create_dir_perms;
-	allow $1_screen_t $1_screen_var_run_t:fifo_file create_file_perms;
-	type_transition $1_screen_t screen_dir_t:fifo_file $1_screen_var_run_t;
-	files_pid_filetrans($1_screen_t,screen_dir_t,dir)
-
-	allow $1_screen_t $1_screen_ro_home_t:dir r_dir_perms;
-	allow $1_screen_t $1_screen_ro_home_t:file r_file_perms;
-	allow $1_screen_t $1_screen_ro_home_t:lnk_file { read getattr };
-
-	domain_auto_trans($2, screen_exec_t, $1_screen_t)
-	allow $2 $1_screen_t:process signal;
-	allow $1_screen_t $2:process { signal sigchld };
-	allow $1_screen_t $2:fd use;
-	allow $1_screen_t $2:fifo_file rw_file_perms;
-	allow $1_screen_t $1_home_dir_t:dir { search getattr };
-
-	allow $2 $1_screen_ro_home_t:dir create_dir_perms;
-	allow $2 $1_screen_ro_home_t:file create_file_perms;
-	allow $2 $1_screen_ro_home_t:lnk_file create_lnk_perms;
-	allow $2 $1_screen_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-	
-	kernel_read_system_state($1_screen_t)
-	kernel_read_kernel_sysctls($1_screen_t)
-
-	corecmd_list_bin($1_screen_t)
-	corecmd_read_bin_files($1_screen_t)
-	corecmd_read_bin_symlinks($1_screen_t)
-	corecmd_read_bin_pipes($1_screen_t)
-	corecmd_read_bin_sockets($1_screen_t)
-	corecmd_list_sbin($1_screen_t)
-	corecmd_read_sbin_symlinks($1_screen_t)
-	corecmd_read_sbin_files($1_screen_t)
-	corecmd_read_sbin_pipes($1_screen_t)
-	corecmd_read_sbin_sockets($1_screen_t)
-	# Revert to the user domain when a shell is executed.
-	corecmd_shell_domtrans($1_screen_t,$2)
-	corecmd_bin_domtrans($1_screen_t,$2)
-
-	corenet_non_ipsec_sendrecv($1_screen_t)
-	corenet_tcp_sendrecv_generic_if($1_screen_t)
-	corenet_udp_sendrecv_generic_if($1_screen_t)
-	corenet_tcp_sendrecv_all_nodes($1_screen_t)
-	corenet_udp_sendrecv_all_nodes($1_screen_t)
-	corenet_tcp_sendrecv_all_ports($1_screen_t)
-	corenet_udp_sendrecv_all_ports($1_screen_t)
-	corenet_tcp_connect_all_ports($1_screen_t)
-
-	dev_dontaudit_getattr_all_chr_files($1_screen_t)
-	dev_dontaudit_getattr_all_blk_files($1_screen_t)
-	# for SSP
-	dev_read_urand($1_screen_t)
-
-	domain_use_interactive_fds($1_screen_t)
-
-	files_search_tmp($1_screen_t)
-	files_search_home($1_screen_t)
-	files_list_home($1_screen_t)
-	files_read_usr_files($1_screen_t)
-	files_read_etc_files($1_screen_t)
-
-	fs_search_auto_mountpoints($1_screen_t)
-	fs_getattr_xattr_fs($1_screen_t)
-
-	auth_dontaudit_read_shadow($1_screen_t)
-	auth_dontaudit_exec_utempter($1_screen_t)
-
-	# Write to utmp.
-	init_rw_utmp($1_screen_t)
-
-	libs_use_ld_so($1_screen_t)
-	libs_use_shared_libs($1_screen_t)
-
-	logging_send_syslog_msg($1_screen_t)
-
-	miscfiles_read_localization($1_screen_t)
-
-	seutil_read_config($1_screen_t)
-
-	sysnet_read_config($1_screen_t)
-
-	userdom_use_user_terminals($1,$1_screen_t)
-	userdom_create_user_pty($1,$1_screen_t)
-	userdom_user_home_domtrans($1,$1_screen_t,$2)
-	userdom_setattr_user_ptys($1,$1_screen_t)
-
-	tunable_policy(`read_default_t',`
-		files_list_default($1_screen_t)
-		files_read_default_files($1_screen_t)
-		files_read_default_symlinks($1_screen_t)
-		files_read_default_sockets($1_screen_t)
-		files_read_default_pipes($1_screen_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_cifs_domtrans($1_screen_t,$2)
-		fs_read_cifs_symlinks($1_screen_t)
-		fs_list_cifs($1_screen_t)
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_nfs_domtrans($1_screen_t,$2)
-		fs_list_nfs($1_screen_t)
-		fs_read_nfs_symlinks($1_screen_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_screen_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_screen_t)
-	')
-
-	ifdef(`TODO',`
-	# Inherit and use descriptors from gnome-pty-helper.
-	optional_policy(`
-		allow $1_screen_t $1_gph_t:fd use;
-	')
-	') dnl TODO
-')
diff --git a/refpolicy/policy/modules/apps/screen.te b/refpolicy/policy/modules/apps/screen.te
deleted file mode 100644
index ffec7ab..0000000
--- a/refpolicy/policy/modules/apps/screen.te
+++ /dev/null
@@ -1,13 +0,0 @@
-
-policy_module(screen,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type screen_dir_t;
-files_pid_file(screen_dir_t)
-
-type screen_exec_t;
-corecmd_executable_file(screen_exec_t)
diff --git a/refpolicy/policy/modules/apps/slocate.fc b/refpolicy/policy/modules/apps/slocate.fc
deleted file mode 100644
index 1951c4b..0000000
--- a/refpolicy/policy/modules/apps/slocate.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/updatedb		--	gen_context(system_u:object_r:locate_exec_t, s0)
-/var/lib/[sm]locate(/.*)?		gen_context(system_u:object_r:locate_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/apps/slocate.if b/refpolicy/policy/modules/apps/slocate.if
deleted file mode 100644
index 4abc8b2..0000000
--- a/refpolicy/policy/modules/apps/slocate.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>Update database for mlocate</summary>
-
-########################################
-## <summary>
-##	Create the locate log with append mode.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`slocate_create_append_log',`
-	gen_require(`
-		type locate_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 locate_log_t:dir ra_dir_perms;
-	allow $1 locate_log_t:file { create append getattr };
-')
diff --git a/refpolicy/policy/modules/apps/slocate.te b/refpolicy/policy/modules/apps/slocate.te
deleted file mode 100644
index f5f337d..0000000
--- a/refpolicy/policy/modules/apps/slocate.te
+++ /dev/null
@@ -1,56 +0,0 @@
-
-policy_module(slocate,1.1.0)
-
-#################################
-#
-# Declarations
-#
-
-type locate_t;
-type locate_exec_t;
-init_system_domain(locate_t,locate_exec_t)
-
-type locate_log_t;
-logging_log_file(locate_log_t)
-
-type locate_var_lib_t;
-files_type(locate_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
-allow locate_t self:process { execmem execheap execstack };
-allow locate_t self:fifo_file rw_file_perms;
-allow locate_t self:unix_stream_socket create_socket_perms;
-
-allow locate_t locate_var_lib_t:dir create_dir_perms;
-allow locate_t locate_var_lib_t:file create_file_perms;
-
-kernel_read_system_state(locate_t)
-kernel_dontaudit_search_sysctl(locate_t)
-
-corecmd_exec_bin(locate_t)
-
-dev_getattr_all_blk_files(locate_t)
-dev_getattr_all_chr_files(locate_t)
-
-files_list_all(locate_t)
-files_getattr_all_files(locate_t)
-files_read_etc_runtime_files(locate_t)
-files_read_etc_files(locate_t)
-# mls Higher level directories will be refused, so dontaudit
-files_dontaudit_getattr_all_dirs(locate_t)
-
-fs_getattr_xattr_fs(locate_t)
-
-libs_use_shared_libs(locate_t)
-libs_use_ld_so(locate_t)
-
-miscfiles_read_localization(locate_t)
-
-optional_policy(`
-	cron_system_entry(locate_t, locate_exec_t)
-')
diff --git a/refpolicy/policy/modules/apps/thunderbird.fc b/refpolicy/policy/modules/apps/thunderbird.fc
deleted file mode 100644
index cd80a95..0000000
--- a/refpolicy/policy/modules/apps/thunderbird.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# /usr
-#
-/usr/bin/thunderbird.*			--	gen_context(system_u:object_r:thunderbird_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.thunderbird(/.*)?			gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0)
-')
diff --git a/refpolicy/policy/modules/apps/thunderbird.if b/refpolicy/policy/modules/apps/thunderbird.if
deleted file mode 100644
index 2e197eb..0000000
--- a/refpolicy/policy/modules/apps/thunderbird.if
+++ /dev/null
@@ -1,361 +0,0 @@
-## <summary>Thunderbird email client</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the thunderbird module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is used
-##	for the thunderbird email client.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`thunderbird_per_userdomain_template',`
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_thunderbird_t;
-	domain_type($1_thunderbird_t)
-	domain_entry_file($1_thunderbird_t,thunderbird_exec_t)
-	role $3 types $1_thunderbird_t;
-
-	type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
-	files_poly_member($1_thunderbird_home_t)
-
-	type $1_thunderbird_tmpfs_t;
-	files_tmpfs_file($1_thunderbird_tmpfs_t)
-	
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_thunderbird_t self:capability sys_nice;
-	allow $1_thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
-	allow $1_thunderbird_t self:fifo_file { ioctl read write getattr };
-	allow $1_thunderbird_t self:unix_dgram_socket { create connect };
-	allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
-	allow $1_thunderbird_t self:tcp_socket create_socket_perms;
-	allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
-
-	# Access ~/.thunderbird
-	allow $1_thunderbird_t $1_thunderbird_home_t:dir manage_dir_perms;
-	allow $1_thunderbird_t $1_thunderbird_home_t:file manage_file_perms;
-	allow $1_thunderbird_t $1_thunderbird_home_t:lnk_file create_lnk_perms;
-	userdom_search_user_home_dirs($1,$1_thunderbird_t)
-
-	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:dir rw_dir_perms;
-	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:file manage_file_perms;
-	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:sock_file manage_file_perms;
-	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $2 $1_thunderbird_t:fd use;
-	allow $2 $1_thunderbird_t:shm { associate getattr };
-	allow $2 $1_thunderbird_t:unix_stream_socket connectto;
-	allow $1_thunderbird_t $2:fd use;
-	allow $1_thunderbird_t $2:process sigchld;
-	allow $1_thunderbird_t $2:unix_stream_socket connectto;
-
-	# Allow the user domain to signal/ps.
-	allow $2 $1_thunderbird_t:dir { search getattr read };
-	allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
-	allow $2 $1_thunderbird_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_thunderbird_t:process ptrace;
-
-	# Access ~/.thunderbird
-	allow $2 $1_thunderbird_home_t:dir manage_dir_perms;
-	allow $2 $1_thunderbird_home_t:file manage_file_perms;
-	allow $2 $1_thunderbird_home_t:lnk_file create_lnk_perms;
-	allow $2 $1_thunderbird_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-	
-	# Allow netstat
-	kernel_read_network_state($1_thunderbird_t)
-	
-	corecmd_exec_shell($1_thunderbird_t)
-	# Startup shellscript
-	corecmd_exec_bin($1_thunderbird_t)
-
-	corenet_non_ipsec_sendrecv($1_thunderbird_t)
-	corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
-	corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
-	corenet_tcp_sendrecv_ipp_port($1_thunderbird_t)
-	corenet_tcp_sendrecv_ldap_port($1_thunderbird_t)
-	corenet_tcp_sendrecv_innd_port($1_thunderbird_t)
-	corenet_tcp_sendrecv_smtp_port($1_thunderbird_t)
-	corenet_tcp_sendrecv_pop_port($1_thunderbird_t)
-	corenet_tcp_sendrecv_http_port($1_thunderbird_t)
-	corenet_tcp_connect_ipp_port($1_thunderbird_t)
-	corenet_tcp_connect_ldap_port($1_thunderbird_t)
-	corenet_tcp_connect_innd_port($1_thunderbird_t)
-	corenet_tcp_connect_smtp_port($1_thunderbird_t)
-	corenet_tcp_connect_pop_port($1_thunderbird_t)
-	corenet_tcp_connect_http_port($1_thunderbird_t)
-	corenet_sendrecv_ipp_client_packets($1_thunderbird_t)
-	corenet_sendrecv_ldap_client_packets($1_thunderbird_t)
-	corenet_sendrecv_innd_client_packets($1_thunderbird_t)
-	corenet_sendrecv_smtp_client_packets($1_thunderbird_t)
-	corenet_sendrecv_pop_client_packets($1_thunderbird_t)
-	corenet_sendrecv_http_client_packets($1_thunderbird_t)
-
-	files_list_tmp($1_thunderbird_t)
-	files_read_usr_files($1_thunderbird_t)
-	files_read_etc_files($1_thunderbird_t)
-
-	fs_getattr_xattr_fs($1_thunderbird_t)
-	# Access ~/.thunderbird
-	fs_search_auto_mountpoints($1_thunderbird_t)
-	
-	libs_use_shared_libs($1_thunderbird_t)
-	libs_use_ld_so($1_thunderbird_t)
-
-	miscfiles_read_fonts($1_thunderbird_t)
-
-	sysnet_read_config($1_thunderbird_t)
-	# Allow DNS
-	sysnet_dns_name_resolve($1_thunderbird_t)
-
-	userdom_manage_user_tmp_dirs($1,$1_thunderbird_t)
-	userdom_read_user_tmp_files($1,$1_thunderbird_t)
-	userdom_write_user_tmp_sockets($1,$1_thunderbird_t)
-	userdom_manage_user_tmp_sockets($1,$1_thunderbird_t)
-	# .kde/....gtkrc
-	userdom_read_user_home_content_files($1,$1_thunderbird_t)
-
-	xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t)
-	
-	# Transition from user type
-	tunable_policy(`! disable_thunderbird_trans',`
-		domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
-	')
-
-	# Access ~/.thunderbird
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_thunderbird_t)
-		fs_manage_nfs_files($1_thunderbird_t)
-		fs_manage_nfs_symlinks($1_thunderbird_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_thunderbird_t)
-		fs_manage_cifs_files($1_thunderbird_t)
-		fs_manage_cifs_symlinks($1_thunderbird_t)
-	')
-
-	tunable_policy(`mail_read_content && use_nfs_home_dirs',`
-		files_list_home($1_thunderbird_t)
-
-		fs_list_auto_mountpoints($1_thunderbird_t)
-		fs_read_nfs_files($1_thunderbird_t)
-		fs_read_nfs_symlinks($1_thunderbird_t)
-	',`
-		files_dontaudit_list_home($1_thunderbird_t)
-
-		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
-		fs_dontaudit_list_nfs($1_thunderbird_t)
-		fs_dontaudit_read_nfs_files($1_thunderbird_t)
-	')
-
-	tunable_policy(`mail_read_content && use_samba_home_dirs',`
-		files_list_home($1_thunderbird_t)
-
-		fs_list_auto_mountpoints($1_thunderbird_t)
-		fs_read_cifs_files($1_thunderbird_t)
-		fs_read_cifs_symlinks($1_thunderbird_t)
-	',`
-		files_dontaudit_list_home($1_thunderbird_t)
-
-		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
-		fs_dontaudit_read_cifs_files($1_thunderbird_t)
-		fs_dontaudit_list_cifs($1_thunderbird_t)
-	')
-	
-	tunable_policy(`mail_read_content',`
-		userdom_list_user_tmp($1,$1_thunderbird_t)
-		userdom_read_user_tmp_files($1,$1_thunderbird_t)
-		userdom_read_user_tmp_symlinks($1,$1_thunderbird_t)
-		userdom_search_user_home_dirs($1,$1_thunderbird_t)
-		userdom_read_user_home_content_files($1,$1_thunderbird_t)
-		userdom_read_user_home_content_symlinks($1,$1_thunderbird_t)
-		
-		ifndef(`enable_mls',`
-			fs_search_removable($1_thunderbird_t)
-			fs_read_removable_files($1_thunderbird_t)
-			fs_read_removable_symlinks($1_thunderbird_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_thunderbird_t)
-		files_dontaudit_list_home($1_thunderbird_t)
-
-		fs_dontaudit_list_removable($1_thunderbird_t)
-		fs_dontaudit_read_removable_files($1_thunderbird_t)
-
-		userdom_dontaudit_list_user_tmp($1,$1_thunderbird_t)
-		userdom_dontaudit_read_user_tmp_files($1,$1_thunderbird_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t)
-		userdom_dontaudit_read_user_home_content_files($1,$1_thunderbird_t)
-	')
-	
-	tunable_policy(`mail_read_content && read_default_t',`
-		files_list_default($1_thunderbird_t)
-		files_read_default_files($1_thunderbird_t)
-		files_read_default_symlinks($1_thunderbird_t)
-	',`
-		files_dontaudit_read_default_files($1_thunderbird_t)
-		files_dontaudit_list_default($1_thunderbird_t)
-	')
-	
-	tunable_policy(`mail_read_content && read_untrusted_content',`
-		files_list_tmp($1_thunderbird_t)
-		files_list_home($1_thunderbird_t)
-
-		userdom_search_user_home_dirs($1,$1_thunderbird_t)
-		userdom_list_user_untrusted_content($1,$1_thunderbird_t)
-		userdom_read_user_untrusted_content_files($1,$1_thunderbird_t)
-		userdom_read_user_untrusted_content_symlinks($1,$1_thunderbird_t)
-		userdom_list_user_tmp_untrusted_content($1,$1_thunderbird_t)
-		userdom_read_user_tmp_untrusted_content_files($1,$1_thunderbird_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_thunderbird_t)
-	',`
-		files_dontaudit_list_tmp($1_thunderbird_t)
-		files_dontaudit_list_home($1_thunderbird_t)
-
-		userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t)
-		userdom_dontaudit_list_user_untrusted_content($1,$1_thunderbird_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1,$1_thunderbird_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_thunderbird_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_thunderbird_t)
-	')
-
-	# Manage nfs homedirs
-	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
-		files_search_home($1_thunderbird_t)
-
-		fs_search_auto_mountpoints($1_thunderbird_t)
-		fs_manage_nfs_dirs($1_thunderbird_t)
-		fs_manage_nfs_files($1_thunderbird_t)
-		fs_manage_nfs_symlinks($1_thunderbird_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
-		fs_dontaudit_manage_nfs_dirs($1_thunderbird_t)
-		fs_dontaudit_manage_nfs_files($1_thunderbird_t)
-	')
-	
-	# Manage samba homedirs
-	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
-		files_search_home($1_thunderbird_t)
-
-		fs_search_auto_mountpoints($1_thunderbird_t)
-		fs_manage_cifs_dirs($1_thunderbird_t)
-		fs_manage_cifs_files($1_thunderbird_t)
-		fs_manage_cifs_symlinks($1_thunderbird_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
-		fs_dontaudit_manage_cifs_dirs($1_thunderbird_t)
-		fs_dontaudit_manage_cifs_files($1_thunderbird_t)
-	')
-	
-	# Manage /tmp and /home
-	tunable_policy(`write_untrusted_content',`
-		files_search_home($1_thunderbird_t)
-		files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,file)
-		files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,dir)
-
-		userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,file)
-		userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,dir)
-	',`
-		files_dontaudit_list_home($1_thunderbird_t)
-		files_dontaudit_list_tmp($1_thunderbird_t)
-
-		userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t)
-		userdom_dontaudit_manage_user_tmp_dirs($1,$1_thunderbird_t)
-		userdom_dontaudit_manage_user_tmp_files($1,$1_thunderbird_t)
-		userdom_dontaudit_manage_user_home_content_dirs($1,$1_thunderbird_t)
-	')
-
-	optional_policy(`
-		dbus_system_bus_client_template($1_thunderbird,$1_thunderbird_t)
-		dbus_user_bus_client_template($1,$1_thunderbird,$1_thunderbird_t)
-		dbus_send_system_bus($1_thunderbird_t)
-		dbus_send_user_bus($1,$1_thunderbird_t)
-	')
-
-	optional_policy(`
-		lpd_domtrans_user_lpr($1,$1_thunderbird_t)
-	')
-
-	optional_policy(`
-		cups_read_rw_config($1_thunderbird_t)
-	')
-
-	optional_policy(`
-		gpg_domtrans_user_gpg($1,$1_thunderbird_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_thunderbird_t)
-	')
-
-	ifdef(`TODO',`
-		# FIXME: Rules were removed to centralize policy in a gnome_app macro
-		# A similar thing might be necessary for mozilla compiled without GNOME
-		# support (is this possible?).
-
-		# FIXME: Why does it try to do that?
-		#dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
-
-		# Why is thunderbird looking in .mozilla ?
-		# FIXME: there are legitimate uses of invoking the browser - about -> release notes
-		dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search;
-
-		# Start links in web browser
-		ifdef(`mozilla.te', `
-			can_exec($1_thunderbird_t, shell_exec_t)
-			domain_auto_trans($1_thunderbird_t, mozilla_exec_t, $1_mozilla_t)
-		')
-
-		# GNOME support
-		optional_policy(`
-			gnome_application($1_thunderbird, $1)
-			gnome_file_dialog($1_thunderbird, $1)
-			allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
-		')
-		optinal_policy(`dbus',`
-			allow $1_t $2_dbusd_t:dbus send_msg;
-			ifdef(`cups.te', `
-				allow cupsd_t $1_t:dbus send_msg;
-			')
-		')
-
-	')
-')
diff --git a/refpolicy/policy/modules/apps/thunderbird.te b/refpolicy/policy/modules/apps/thunderbird.te
deleted file mode 100644
index d224cd8..0000000
--- a/refpolicy/policy/modules/apps/thunderbird.te
+++ /dev/null
@@ -1,10 +0,0 @@
-
-policy_module(thunderbird,1.0.3)
-
-########################################
-#
-# Declarations
-#
-
-type thunderbird_exec_t;
-corecmd_executable_file(thunderbird_exec_t)
diff --git a/refpolicy/policy/modules/apps/tvtime.fc b/refpolicy/policy/modules/apps/tvtime.fc
deleted file mode 100644
index 8698a61..0000000
--- a/refpolicy/policy/modules/apps/tvtime.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# /usr
-#
-/usr/bin/tvtime		--	gen_context(system_u:object_r:tvtime_exec_t,s0)
-
diff --git a/refpolicy/policy/modules/apps/tvtime.if b/refpolicy/policy/modules/apps/tvtime.if
deleted file mode 100644
index 4a6899b..0000000
--- a/refpolicy/policy/modules/apps/tvtime.if
+++ /dev/null
@@ -1,148 +0,0 @@
-## <summary> tvtime - a high quality television application </summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the tvtime module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for tvtime.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`tvtime_per_userdomain_template',`
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_tvtime_t;
-	domain_type($1_tvtime_t)
-	domain_entry_file($1_tvtime_t,tvtime_exec_t)
-	role $3 types $1_tvtime_t;
-
-	type $1_tvtime_home_t alias $1_tvtime_rw_t;
-	userdom_user_home_content($1,$1_tvtime_home_t)
-	files_poly_member($1_tvtime_home_t)
-
-	type $1_tvtime_tmp_t;
-	files_tmp_file($1_tvtime_tmp_t)
-
-	type $1_tvtime_tmpfs_t;
-	files_tmpfs_file($1_tvtime_tmpfs_t)
-	
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
-	allow $1_tvtime_t self:process setsched;
-	allow $1_tvtime_t self:unix_dgram_socket rw_socket_perms;
-	allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
-
-	# X access, Home files
-	allow $1_tvtime_t $1_tvtime_home_t:dir manage_dir_perms;
-	allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms;
-	allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms;
-	type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t;
-	userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir)
-
-	allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
-	allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
-	files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
-
-	allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-	allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-	fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	# Type transition
-	domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
-	allow $2 $1_tvtime_t:fd use;
-	allow $1_tvtime_t $2:fd use;
-	allow $1_tvtime_t $2:fifo_file rw_file_perms;
-	allow $1_tvtime_t $2:process sigchld;
-
-	# X access, Home files
-	allow $2 $1_tvtime_home_t:dir manage_dir_perms;
-	allow $2 $1_tvtime_home_t:file manage_file_perms;
-	allow $2 $1_tvtime_home_t:lnk_file create_lnk_perms;
-	allow $2 $1_tvtime_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-	# Allow the user domain to signal/ps.
-	allow $2 $1_tvtime_t:dir { search getattr read };
-	allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
-	allow $2 $1_tvtime_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_tvtime_t:process ptrace;
-	allow $2 $1_tvtime_t:process signal_perms;
-	
-	kernel_read_all_sysctls($1_tvtime_t)
-	kernel_get_sysvipc_info($1_tvtime_t)
-
-	dev_read_urand($1_tvtime_t)
-	dev_read_realtime_clock($1_tvtime_t)
-	dev_read_sound($1_tvtime_t)
-
-	files_read_usr_files($1_tvtime_t)
-	files_search_pids($1_tvtime_t)
-	# Read /etc/tvtime
-	files_read_etc_files($1_tvtime_t)
-
-	# X access, Home files
-	fs_search_auto_mountpoints($1_tvtime_t)
-	
-	libs_use_ld_so($1_tvtime_t)
-	libs_use_shared_libs($1_tvtime_t)
-
-	miscfiles_read_localization($1_tvtime_t)
-	miscfiles_read_fonts($1_tvtime_t)
-
-	userdom_use_user_terminals($1,$1_tvtime_t)
-	userdom_read_user_home_content_files($1,$1_tvtime_t)
-	
-	# X access, Home files
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_tvtime_t)
-		fs_manage_nfs_files($1_tvtime_t)
-		fs_manage_nfs_symlinks($1_tvtime_t)
-	')
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_tvtime_t)
-		fs_manage_cifs_files($1_tvtime_t)
-		fs_manage_cifs_symlinks($1_tvtime_t)
-	')
-
-	optional_policy(`
-		xserver_user_client_template($1,$1_tvtime_t,$1_tvtime_tmpfs_t)
-	')
-')
diff --git a/refpolicy/policy/modules/apps/tvtime.te b/refpolicy/policy/modules/apps/tvtime.te
deleted file mode 100644
index 407a6a5..0000000
--- a/refpolicy/policy/modules/apps/tvtime.te
+++ /dev/null
@@ -1,13 +0,0 @@
-
-policy_module(tvtime,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type tvtime_exec_t;
-corecmd_executable_file(tvtime_exec_t)
-
-type tvtime_dir_t;
-files_pid_file(tvtime_dir_t)
diff --git a/refpolicy/policy/modules/apps/uml.fc b/refpolicy/policy/modules/apps/uml.fc
deleted file mode 100644
index 2a4afa0..0000000
--- a/refpolicy/policy/modules/apps/uml.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# /usr
-#
-/usr/bin/uml_switch	--	gen_context(system_u:object_r:uml_switch_exec_t,s0)
-
-#
-# /var
-#
-/var/run/uml-utilities(/.*)?	gen_context(system_u:object_r:uml_switch_var_run_t,s0)
-
-ifdef(`strict_policy',`
-	HOME_DIR/\.uml(/.*)?		gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
-')
diff --git a/refpolicy/policy/modules/apps/uml.if b/refpolicy/policy/modules/apps/uml.if
deleted file mode 100644
index abc568f..0000000
--- a/refpolicy/policy/modules/apps/uml.if
+++ /dev/null
@@ -1,260 +0,0 @@
-## <summary>Policy for UML</summary>
-	
-#######################################
-## <summary>
-##	The per user domain template for the uml module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for uml program.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`uml_per_userdomain_template',`
-	
-	########################################
-	#
-	# Declarations
-	#
-	type $1_uml_t;
-	domain_type($1_uml_t)
-	role $3 types $1_uml_t;
-
-	type $1_uml_exec_t;
-	domain_entry_file($1_uml_t,$1_uml_exec_t)
-
-	type $1_uml_ro_t;
-	files_type($1_uml_ro_t)
-
-	type $1_uml_rw_t;
-	files_type($1_uml_rw_t)
-
-	type $1_uml_tmp_t;
-	files_tmp_file($1_uml_tmp_t)
-
-	type $1_uml_tmpfs_t;
-	files_tmpfs_file($1_uml_tmpfs_t)
-
-	type $1_uml_devpts_t;
-	term_pty($1_uml_devpts_t)
-
-	########################################
-	#
-	# Local policy
-	#
-	allow $1_uml_t self:fifo_file rw_file_perms;
-	allow $1_uml_t self:process { signal_perms ptrace };
-	allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_uml_t self:unix_dgram_socket create_socket_perms;
-	# Use the network.
-	allow $1_uml_t self:tcp_socket create_stream_socket_perms;
-	allow $1_uml_t self:udp_socket create_socket_perms;
-
-	allow $1_uml_t $2:process sigchld;
-	allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append };
-
-	# allow the UML thing to happen
-	allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
-	term_create_pty($1_uml_t,$1_uml_devpts_t)
-
-	allow $1_uml_t $1_uml_tmp_t:dir create_dir_perms;
-	allow $1_uml_t $1_uml_tmp_t:file create_file_perms;
-	files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir })
-	can_exec($1_uml_t, $1_uml_tmp_t)
-
-	allow $1_uml_t $1_uml_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1_uml_t $1_uml_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_uml_t $1_uml_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-	allow $1_uml_t $1_uml_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_uml_t $1_uml_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-	fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-	can_exec($1_uml_t, $1_uml_tmpfs_t)
-
-	# access config files
-	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir r_dir_perms;
-	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:file r_file_perms;
-	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:lnk_file { getattr read };
-
-	allow $1_uml_t $1_uml_rw_t:dir create_dir_perms;
-	allow $1_uml_t $1_uml_rw_t:file create_file_perms;
-	allow $1_uml_t $1_uml_rw_t:lnk_file create_lnk_perms;
-	allow $1_uml_t $1_uml_rw_t:sock_file create_file_perms;
-	allow $1_uml_t $1_uml_rw_t:fifo_file create_file_perms;
-	userdom_user_home_dir_filetrans($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file })
-
-	allow $2 uml_ro_t:dir r_dir_perms;
-	allow $2 uml_ro_t:file r_file_perms;
-	allow $2 uml_ro_t:lnk_file { getattr read };
-
-	allow $2 { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
-	allow $2 { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
-	allow $2 { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
-	allow $2 $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
-
-	allow $2 $1_uml_t:process ptrace;
-	allow $2 $1_uml_t:process signal_perms;
-
-	# allow ps, ptrace, signal
-	allow $2 $1_uml_t:dir { search getattr read };
-	allow $2 $1_uml_t:{ file lnk_file } { read getattr };
-	allow $2 $1_uml_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_uml_t:process ptrace;
-
-	allow $2 $1_uml_tmp_t:dir create_dir_perms;
-	allow $2 $1_uml_tmp_t:file create_file_perms;
-	allow $2 $1_uml_tmp_t:lnk_file create_lnk_perms;
-	allow $2 $1_uml_tmp_t:sock_file create_file_perms;
-
-	# Transition from the user domain to this domain.
-	domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
-	can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
-
-	# for mconsole
-	allow { $2 $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
-	allow $1_uml_t $2:unix_dgram_socket sendto;
-	
-	kernel_read_system_state($1_uml_t)
-	# for SKAS - need something better
-	kernel_write_proc_files($1_uml_t)
-
-	# for xterm
-	corecmd_exec_bin($1_uml_t)
-	corecmd_exec_sbin($1_uml_t)
-
-	corenet_non_ipsec_sendrecv($1_uml_t)
-	corenet_tcp_sendrecv_generic_if($1_uml_t)
-	corenet_udp_sendrecv_generic_if($1_uml_t)
-	corenet_tcp_sendrecv_all_nodes($1_uml_t)
-	corenet_udp_sendrecv_all_nodes($1_uml_t)
-	corenet_tcp_sendrecv_all_ports($1_uml_t)
-	corenet_udp_sendrecv_all_ports($1_uml_t)
-	corenet_tcp_connect_all_ports($1_uml_t)
-	corenet_sendrecv_all_client_packets($1_uml_t)
-	corenet_rw_tun_tap_dev($1_uml_t)
-	
-	domain_use_interactive_fds($1_uml_t)
-
-	# for xterm
-	files_read_etc_files($1_uml_t)
-	files_dontaudit_read_etc_runtime_files($1_uml_t)
-	# putting uml data under /var is usual...
-	files_search_var($1_uml_t)
-
-	fs_getattr_xattr_fs($1_uml_t)
-
-	init_read_utmp($1_uml_t)
-	init_dontaudit_write_utmp($1_uml_t)
-
-	# for xterm
-	libs_use_ld_so($1_uml_t)
-	libs_use_shared_libs($1_uml_t)
-	libs_exec_lib_files($1_uml_t)
-
-	# Inherit and use descriptors from newrole.
-	seutil_use_newrole_fds($1_uml_t)
-
-	# Use the network.
-	sysnet_read_config($1_uml_t)
-
-	userdom_use_user_terminals($1,$1_uml_t)
-
-	optional_policy(`
-		nis_use_ypbind($1_uml_t)
-	')
-
-	optional_policy(`
-		ssh_tcp_connect($1_uml_t)
-	')
-	
-	ifdef(`TODO',`
-		# for X
-		optional_policy(`
-			ifelse($1, sysadm,`
-			',`
-				optional_policy(`
-					allow $1_uml_t xdm_xserver_tmp_t:dir search;
-				')
-				allow $1_uml_t $1_xserver_tmp_t:sock_file write;
-				allow $1_uml_t $1_xserver_t:unix_stream_socket connectto;
-			')
-		')
-
-		optional_policy(`
-			# for uml_net
-			domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
-			allow uml_net_t $1_uml_t:unix_stream_socket { read write };
-			allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
-			dontaudit uml_net_t privfd:fd use;
-			can_access_pty(uml_net_t, $1_uml)
-			dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
-		')
-		#TODO
-		optional_policy(`
-			allow $1_uml_t $1_xauth_home_t:file { getattr read };
-		')
-	')
-')
-
-########################################
-## <summary>
-##	Set attributes on uml utility socket files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`uml_setattr_util_sockets',`
-	gen_require(`
-		type uml_switch_var_run_t;
-	')
-
-	allow $1 uml_switch_var_run_t:sock_file setattr;
-')
-
-########################################
-## <summary>
-##	Manage uml utility files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`uml_manage_util_files',`
-	gen_require(`
-		type uml_switch_var_run_t;
-	')
-
-	allow $1 uml_switch_var_run_t:dir rw_dir_perms;
-	allow $1 uml_switch_var_run_t:file create_file_perms;
-	allow $1 uml_switch_var_run_t:lnk_file create_lnk_perms;
-')
diff --git a/refpolicy/policy/modules/apps/uml.te b/refpolicy/policy/modules/apps/uml.te
deleted file mode 100644
index 4b63b59..0000000
--- a/refpolicy/policy/modules/apps/uml.te
+++ /dev/null
@@ -1,76 +0,0 @@
-
-policy_module(uml,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type uml_exec_t;
-corecmd_executable_file(uml_exec_t)
-
-type uml_ro_t;
-files_type(uml_ro_t)
-
-type uml_switch_t;
-type uml_switch_exec_t;
-init_daemon_domain(uml_switch_t,uml_switch_exec_t)
-
-type uml_switch_var_run_t;
-files_pid_file(uml_switch_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit uml_switch_t self:capability sys_tty_config;
-allow uml_switch_t self:process signal_perms;
-allow uml_switch_t self:unix_dgram_socket create_socket_perms;
-allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
-
-allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
-allow uml_switch_t uml_switch_var_run_t:file create_file_perms;
-allow uml_switch_t uml_switch_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(uml_switch_t,uml_switch_var_run_t,file)
-
-kernel_read_kernel_sysctls(uml_switch_t)
-kernel_list_proc(uml_switch_t)
-kernel_read_proc_symlinks(uml_switch_t)
-
-dev_read_sysfs(uml_switch_t)
-
-domain_use_interactive_fds(uml_switch_t)
-
-fs_getattr_all_fs(uml_switch_t)
-fs_search_auto_mountpoints(uml_switch_t)
-
-term_dontaudit_use_console(uml_switch_t)
-
-init_use_fds(uml_switch_t)
-init_use_script_ptys(uml_switch_t)
-
-libs_use_ld_so(uml_switch_t)
-libs_use_shared_libs(uml_switch_t)
-
-logging_send_syslog_msg(uml_switch_t)
-
-miscfiles_read_localization(uml_switch_t)
-
-userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
-userdom_dontaudit_search_sysadm_home_dirs(uml_switch_t)
-
-ifdef(`targeted_policy',`
-	files_dontaudit_read_root_files(uml_switch_t)
-
-	term_dontaudit_use_unallocated_ttys(uml_switch_t)
-	term_dontaudit_use_generic_ptys(uml_switch_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(uml_switch_t)
-')
-
-optional_policy(`
-	udev_read_db(uml_switch_t)
-')
diff --git a/refpolicy/policy/modules/apps/userhelper.fc b/refpolicy/policy/modules/apps/userhelper.fc
deleted file mode 100644
index 0cd9dc4..0000000
--- a/refpolicy/policy/modules/apps/userhelper.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# /etc
-#
-/etc/security/console.apps(/.*)?		gen_context(system_u:object_r:userhelper_conf_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
deleted file mode 100644
index 7447019..0000000
--- a/refpolicy/policy/modules/apps/userhelper.if
+++ /dev/null
@@ -1,293 +0,0 @@
-## <summary>SELinux utility to run a shell with a new role</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the userhelper module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for userhelper.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`userhelper_per_userdomain_template',`
-	gen_require(`
-		type userhelper_exec_t, userhelper_conf_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_userhelper_t;
-	domain_type($1_userhelper_t)
-	domain_entry_file($1_userhelper_t,userhelper_exec_t)
-	domain_role_change_exemption($1_userhelper_t)
-	domain_obj_id_change_exemption($1_userhelper_t)
-	domain_interactive_fd($1_userhelper_t)
-	domain_subj_id_change_exemption($1_userhelper_t)
-	role system_r types $1_userhelper_t;
-	
-	########################################
-	#
-	# Local policy
-	#
-	allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
-	allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_userhelper_t self:fd use;
-	allow $1_userhelper_t self:fifo_file rw_file_perms;
-	allow $1_userhelper_t self:shm create_shm_perms;
-	allow $1_userhelper_t self:sem create_sem_perms;
-	allow $1_userhelper_t self:msgq create_msgq_perms;
-	allow $1_userhelper_t self:msg { send receive };
-	allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
-	allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_userhelper_t self:unix_dgram_socket sendto;
-	allow $1_userhelper_t self:unix_stream_socket connectto;
-	allow $1_userhelper_t self:sock_file r_file_perms;
-
-	#Transition to the derived domain.
-	domain_auto_trans($2,userhelper_exec_t,$1_userhelper_t)
-	allow $2 $1_userhelper_t:fd use;
-	allow $1_userhelper_t $2:fd use;
-	allow $1_userhelper_t $2:fifo_file rw_file_perms;
-	allow $1_userhelper_t $2:process sigchld;
-
-	allow $1_userhelper_t self:process setexec;
-
-	allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
-	allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
-
-	can_exec($1_userhelper_t, userhelper_exec_t)
-
-	dontaudit $2 $1_userhelper_t:process signal;
-	
-	kernel_read_all_sysctls($1_userhelper_t)
-	kernel_getattr_debugfs($1_userhelper_t)
-	kernel_read_system_state($1_userhelper_t)
-
-	# Execute shells
-	corecmd_exec_shell($1_userhelper_t)
-	# By default, revert to the calling domain when a program is executed
-	corecmd_bin_domtrans($1_userhelper_t,$2)
-	corecmd_sbin_domtrans($1_userhelper_t,$2)
-
-	# Inherit descriptors from the current session.
-	domain_use_interactive_fds($1_userhelper_t)
-	# for when the user types "exec userhelper" at the command line
-	domain_sigchld_interactive_fds($1_userhelper_t)
-
-	dev_read_urand($1_userhelper_t)
-	# Read /dev directories and any symbolic links.
-	dev_list_all_dev_nodes($1_userhelper_t)
-
-	files_list_var_lib($1_userhelper_t)
-	# Write to utmp.
-	files_pid_filetrans($1_userhelper_t,initrc_var_run_t,file)
-	# Read the /etc/security/default_type file
-	files_read_etc_files($1_userhelper_t)
-	# Read /var.
-	files_read_var_files($1_userhelper_t)
-	files_read_var_symlinks($1_userhelper_t)
-	# for some PAM modules and for cwd
-	files_search_home($1_userhelper_t)
-
-	fs_search_auto_mountpoints($1_userhelper_t)
-	fs_read_nfs_files($1_userhelper_t)
-	fs_read_nfs_symlinks($1_userhelper_t)
-
-	# Allow $1_userhelper to obtain contexts to relabel TTYs
-	selinux_get_fs_mount($1_userhelper_t)
-	selinux_validate_context($1_userhelper_t)
-	selinux_compute_access_vector($1_userhelper_t)
-	selinux_compute_create_context($1_userhelper_t)
-	selinux_compute_relabel_context($1_userhelper_t)
-	selinux_compute_user_contexts($1_userhelper_t)
-
-	# Read the devpts root directory.
-	term_list_ptys($1_userhelper_t)
-	# Relabel terminals.
-	term_relabel_all_user_ttys($1_userhelper_t)
-	term_relabel_all_user_ptys($1_userhelper_t)
-	# Access terminals.
-	term_use_all_user_ttys($1_userhelper_t)
-	term_use_all_user_ptys($1_userhelper_t)
-
-	auth_domtrans_chk_passwd($1_userhelper_t)
-	auth_manage_pam_pid($1_userhelper_t)
-	auth_manage_var_auth($1_userhelper_t)
-	auth_search_pam_console_data($1_userhelper_t)
-
-	# Inherit descriptors from the current session.
-	init_use_fds($1_userhelper_t)
-	# Write to utmp.
-	init_manage_utmp($1_userhelper_t)
-
-	libs_use_ld_so($1_userhelper_t)
-	libs_use_shared_libs($1_userhelper_t)
-
-	miscfiles_read_localization($1_userhelper_t)
-
-	seutil_read_config($1_userhelper_t)
-	seutil_read_default_contexts($1_userhelper_t)
-
-	userdom_use_unpriv_users_fds($1_userhelper_t)
-	# Allow $1_userhelper_t to transition to user domains.
-	userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
-	userdom_sbin_spec_domtrans_unpriv_users($1_userhelper_t)
-	userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
-
-	ifdef(`distro_redhat',`
-		optional_policy(`
-			# Allow transitioning to rpm_t, for up2date
-			rpm_domtrans($1_userhelper_t)
-		')
-	')
-
-	tunable_policy(`! secure_mode',`
-		#if we are not in secure mode then we can transition to sysadm_t
-		userdom_bin_spec_domtrans_sysadm($1_userhelper_t)
-		userdom_sbin_spec_domtrans_sysadm($1_userhelper_t)
-		userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
-	')
-	
-	optional_policy(`
-		ethereal_domtrans_user_ethereal($1,$1_userhelper_t)
-	')
-
-	optional_policy(`
-		logging_send_syslog_msg($1_userhelper_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_userhelper_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_userhelper_t)
-	')
-
-	ifdef(`TODO',`
-		allow $1_userhelper_t xdm_t:fd use;
-		allow $1_userhelper_t xdm_var_run_t:dir search;
-		allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl };
-
-		optional_policy(`
-			allow $1_userhelper_t gphdomain:fd use;
-		')
-		optional_policy(`
-			domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
-			allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
-		')
-		optional_policy(`
-			domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
-		')
-		# for when the network connection is killed
-		dontaudit unpriv_userdomain $1_userhelper_t:process signal;
-	')
-')
-
-########################################
-## <summary>
-##	Search the userhelper configuration directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userhelper_search_config',`
-	gen_require(`
-		type userhelper_conf_t;
-	')
-
-	allow $1 userhelper_conf_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search 
-##	the userhelper configuration directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userhelper_dontaudit_search_config',`
-	gen_require(`
-		type userhelper_conf_t;
-	')
-
-	dontaudit $1 userhelper_conf_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Allow domain to use userhelper file descriptor.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain, example user is the prefix of user_t.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userhelper_use_user_fd',`
-	gen_require(`
-		type $1_userhelper_t;
-	')
-
-	allow $2 $1_userhelper_t:fd use;
-')
-########################################
-## <summary>
-##	Allow domain to send sigchld to userhelper.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain, example user is the prefix of user_t.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userhelper_sigchld_user',`
-	gen_require(`
-		type $1_userhelper_t;
-	')
-
-	allow $2 $1_userhelper_t:process sigchld;
-')
diff --git a/refpolicy/policy/modules/apps/userhelper.te b/refpolicy/policy/modules/apps/userhelper.te
deleted file mode 100644
index 140e6f1..0000000
--- a/refpolicy/policy/modules/apps/userhelper.te
+++ /dev/null
@@ -1,13 +0,0 @@
-
-policy_module(userhelper,1.0.3)
-
-########################################
-#
-# Declarations
-#
-
-type userhelper_conf_t;
-files_type(userhelper_conf_t)
-
-type userhelper_exec_t;
-corecmd_executable_file(userhelper_exec_t)
diff --git a/refpolicy/policy/modules/apps/usernetctl.fc b/refpolicy/policy/modules/apps/usernetctl.fc
deleted file mode 100644
index aa07e1e..0000000
--- a/refpolicy/policy/modules/apps/usernetctl.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/sbin/usernetctl	--	gen_context(system_u:object_r:usernetctl_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/usernetctl.if b/refpolicy/policy/modules/apps/usernetctl.if
deleted file mode 100644
index 06d73e3..0000000
--- a/refpolicy/policy/modules/apps/usernetctl.if
+++ /dev/null
@@ -1,74 +0,0 @@
-## <summary>User network interface configuration helper</summary>
-
-########################################
-## <summary>
-##	Execute usernetctl in the usernetctl domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`usernetctl_domtrans',`
-	gen_require(`
-		type usernetctl_t, usernetctl_exec_t;
-	')
-
-	tunable_policy(`user_net_control',`
-		domain_auto_trans($1,usernetctl_exec_t,usernetctl_t)
-
-		allow $1 usernetctl_t:fd use;
-		allow usernetctl_t $1:fd use;
-		allow usernetctl_t $1:fifo_file rw_file_perms;
-		allow usernetctl_t $1:process sigchld;
-	',`
-		can_exec($1,usernetctl_exec_t)
-	')
-')
-
-########################################
-## <summary>
-##	Execute usernetctl in the usernetctl domain, and
-##	allow the specified role the usernetctl domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the usernetctl domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the usernetctl domain to use.
-##	</summary>
-## </param>
-#
-interface(`usernetctl_run',`
-	gen_require(`
-		type usernetctl_t;
-	')
-
-	usernetctl_domtrans($1)
-	role $2 types usernetctl_t;
-	allow usernetctl_t $3:chr_file rw_term_perms;
-
-	sysnet_run_ifconfig(usernetctl_t,$2,$3)
-	sysnet_run_dhcpc(usernetctl_t,$2,$3)
-
-	optional_policy(`
-		consoletype_run(usernetctl_t,$2,$3)
-	')
-
-	optional_policy(`
-		iptables_run(usernetctl_t,$2,$3)
-	')
-
-	optional_policy(`
-		modutils_run_insmod(usernetctl_t,$2,$3)
-	')
-')
diff --git a/refpolicy/policy/modules/apps/usernetctl.te b/refpolicy/policy/modules/apps/usernetctl.te
deleted file mode 100644
index 8a51e3f..0000000
--- a/refpolicy/policy/modules/apps/usernetctl.te
+++ /dev/null
@@ -1,70 +0,0 @@
-
-policy_module(usernetctl,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type usernetctl_t;
-type usernetctl_exec_t;
-domain_type(usernetctl_t)
-domain_entry_file(usernetctl_t,usernetctl_exec_t)
-domain_interactive_fd(usernetctl_t)
-
-########################################
-#
-# Local policy
-#
-
-allow usernetctl_t self:capability { setuid setgid dac_override };
-allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow usernetctl_t self:fd use;
-allow usernetctl_t self:fifo_file rw_file_perms;
-allow usernetctl_t self:shm create_shm_perms;
-allow usernetctl_t self:sem create_sem_perms;
-allow usernetctl_t self:msgq create_msgq_perms;
-allow usernetctl_t self:msg { send receive };
-allow usernetctl_t self:unix_dgram_socket create_socket_perms;
-allow usernetctl_t self:unix_stream_socket create_stream_socket_perms;
-allow usernetctl_t self:unix_dgram_socket sendto;
-allow usernetctl_t self:unix_stream_socket connectto;
-
-can_exec(usernetctl_t,usernetctl_exec_t)
-
-kernel_read_system_state(usernetctl_t)
-kernel_read_kernel_sysctls(usernetctl_t)
-
-corecmd_list_bin(usernetctl_t)
-corecmd_exec_bin(usernetctl_t)
-corecmd_list_sbin(usernetctl_t)
-corecmd_exec_sbin(usernetctl_t)
-corecmd_exec_shell(usernetctl_t)
-
-domain_dontaudit_read_all_domains_state(usernetctl_t)
-
-files_read_etc_files(usernetctl_t)
-files_exec_etc_files(usernetctl_t)
-files_read_etc_runtime_files(usernetctl_t)
-files_list_pids(usernetctl_t)
-files_list_home(usernetctl_t)
-files_read_usr_files(usernetctl_t)
-
-fs_search_auto_mountpoints(usernetctl_t)
-
-libs_use_ld_so(usernetctl_t)
-libs_use_shared_libs(usernetctl_t)
-
-miscfiles_read_localization(usernetctl_t)
-
-seutil_read_config(usernetctl_t)
-
-sysnet_read_config(usernetctl_t)
-
-optional_policy(`
-	hostname_exec(usernetctl_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(usernetctl_t)
-')
diff --git a/refpolicy/policy/modules/apps/vmware.fc b/refpolicy/policy/modules/apps/vmware.fc
deleted file mode 100644
index ab5d266..0000000
--- a/refpolicy/policy/modules/apps/vmware.fc
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# HOME_DIR/
-#
-ifdef(`strict_policy',`
-HOME_DIR/\.vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
-HOME_DIR/vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
-HOME_DIR/\.vmware[^/]*/.*\.cfg	--	gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
-')
-
-#
-# /etc
-#
-/etc/vmware.*(/.*)?			gen_context(system_u:object_r:vmware_sys_conf_t,s0)
-
-#
-# /usr
-#
-/usr/bin/vmnet-bridg		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmnet-dhcpd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmnet-natd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmnet-netifup		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmnet-sniffer		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmware-smbpasswd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmware-smbpasswd\.bin	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/bin/vmware-wizard		--	gen_context(system_u:object_r:vmware_exec_t,s0)
-/usr/bin/vmware			--	gen_context(system_u:object_r:vmware_exec_t,s0)
-
-/usr/lib/vmware/config		--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
-/usr/lib/vmware/bin/vmware-mks	--	gen_context(system_u:object_r:vmware_exec_t,s0)
-/usr/lib/vmware/bin/vmware-ui	--	gen_context(system_u:object_r:vmware_exec_t,s0)
-
-/usr/lib64/vmware/config	--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
-/usr/lib64/vmware/bin/vmware-mks --	gen_context(system_u:object_r:vmware_exec_t,s0)
-/usr/lib64/vmware/bin/vmware-ui --	gen_context(system_u:object_r:vmware_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-/opt/vmware/workstation/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/workstation/bin/vmnet-dhcpd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/workstation/bin/vmnet-natd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/workstation/bin/vmnet-netifup --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/workstation/bin/vmnet-sniffer --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/workstation/bin/vmware-nmbd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/workstation/bin/vmware-ping	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/workstation/bin/vmware-smbd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/workstation/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/workstation/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/opt/vmware/workstation/bin/vmware-wizard --	gen_context(system_u:object_r:vmware_exec_t,s0)
-/opt/vmware/workstation/bin/vmware	--	gen_context(system_u:object_r:vmware_exec_t,s0)
-')
diff --git a/refpolicy/policy/modules/apps/vmware.if b/refpolicy/policy/modules/apps/vmware.if
deleted file mode 100644
index 1f63d96..0000000
--- a/refpolicy/policy/modules/apps/vmware.if
+++ /dev/null
@@ -1,205 +0,0 @@
-## <summary>VMWare Workstation virtual machines</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the vmware module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is used
-##	for vmware sessions.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`vmware_per_userdomain_template',`
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_vmware_t;
-	domain_type($1_vmware_t)
-	domain_entry_file($1_vmware_t,vmware_exec_t)
-	role $3 types $1_vmware_t;
-
-	type $1_vmware_conf_t;
-	userdom_user_home_content($1,$1_vmware_conf_t)
-
-	type $1_vmware_file_t;
-	userdom_user_home_content($1,$1_vmware_file_t)
-
-	type $1_vmware_tmp_t;
-	files_tmp_file($1_vmware_tmp_t)
-
-	type $1_vmware_tmpfs_t;
-	files_tmpfs_file($1_vmware_tmpfs_t)
-
-	type $1_vmware_var_run_t;
-	files_pid_file($1_vmware_var_run_t)
-
-	##############################
-	#
-	# Local policy
-	#
-
-	domain_auto_trans($2, vmware_exec_t, $1_vmware_t)
-	allow $1_vmware_t $2:fd use;
-	allow $1_vmware_t $2:fifo_file rw_file_perms;
-	allow $1_vmware_t $2:process sigchld;
-
-	allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
-	dontaudit $1_vmware_t self:capability sys_tty_config;
-	allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_vmware_t self:process { execmem execstack };
-	allow $1_vmware_t self:fd use;
-	allow $1_vmware_t self:fifo_file rw_file_perms;
-	allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
-	allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_vmware_t self:unix_dgram_socket sendto;
-	allow $1_vmware_t self:unix_stream_socket connectto;
-	allow $1_vmware_t self:shm create_shm_perms;
-	allow $1_vmware_t self:sem create_sem_perms;
-	allow $1_vmware_t self:msgq create_msgq_perms;
-	allow $1_vmware_t self:msg { send receive };
-
-	can_exec($1_vmware_t, vmware_exec_t)
-
-	# User configuration files
-	allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
-
-	# VMWare disks
-	allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
-	allow $1_vmware_t $1_vmware_file_t:file manage_file_perms;
-	allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
-
-	allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
-	allow $1_vmware_t $1_vmware_tmp_t:file { manage_file_perms execute };
-	allow $1_vmware_t $1_vmware_tmp_t:sock_file manage_file_perms;
-	files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
-
-	allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
-	allow $1_vmware_t $1_vmware_tmpfs_t:file manage_file_perms;
-	allow $1_vmware_t $1_vmware_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_vmware_t $1_vmware_tmpfs_t:sock_file manage_file_perms;
-	allow $1_vmware_t $1_vmware_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	# Read clobal configuration files
-	allow $1_vmware_t vmware_sys_conf_t:dir r_dir_perms;
-	allow $1_vmware_t vmware_sys_conf_t:file r_file_perms;
-	allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
-
-	allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
-	allow $1_vmware_t $1_vmware_var_run_t:sock_file manage_file_perms;
-	allow $1_vmware_t $1_vmware_var_run_t:lnk_file create_lnk_perms;
-	allow $1_vmware_t $1_vmware_var_run_t:dir manage_dir_perms;
-	files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,{ dir file lnk_file })
-
-	kernel_read_system_state($1_vmware_t)
-	kernel_read_network_state($1_vmware_t)
-	kernel_read_kernel_sysctls($1_vmware_t)
-
-	# startup scripts
-	corecmd_exec_bin($1_vmware_t)
-	corecmd_exec_shell($1_vmware_t)
-
-	dev_read_raw_memory($1_vmware_t)
-	dev_write_raw_memory($1_vmware_t)
-	dev_read_mouse($1_vmware_t)
-	dev_write_sound($1_vmware_t)
-	dev_read_realtime_clock($1_vmware_t)
-	dev_rwx_vmware($1_vmware_t)
-	dev_rw_usbfs($1_vmware_t)
-	dev_search_sysfs($1_vmware_t)
-
-	domain_use_interactive_fds($1_vmware_t)
-
-	files_read_etc_files($1_vmware_t)
-	files_read_etc_runtime_files($1_vmware_t)
-	files_read_usr_files($1_vmware_t)
-	files_list_home($1_vmware_t)
-
-	fs_getattr_xattr_fs($1_vmware_t)
-	fs_search_auto_mountpoints($1_vmware_t)
-
-	storage_raw_read_removable_device($1_vmware_t)
-	storage_raw_write_removable_device($1_vmware_t)
-
-	libs_use_ld_so($1_vmware_t)
-	libs_use_shared_libs($1_vmware_t)
-	# startup scripts run ldd
-	libs_exec_ld_so($1_vmware_t)
-	# Access X11 config files
-	libs_read_lib_files($1_vmware_t)
-
-	miscfiles_read_localization($1_vmware_t)
-
-	userdom_use_user_terminals($1,$1_vmware_t)
-	userdom_use_unpriv_users_fds($1_vmware_t)
-	userdom_list_user_home_dirs($1,$1_vmware_t)
-	# cjp: why?
-	userdom_read_user_home_content_files($1,$1_vmware_t)
-
-	sysnet_dns_name_resolve($1_vmware_t)
-	sysnet_read_config($1_vmware_t)
-
-	xserver_user_client_template($1,$1_vmware_t,$1_vmware_tmpfs_t)
-')
-
-########################################
-## <summary>
-##	Read VMWare system configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`vmware_read_system_config',`
-	gen_require(`
-		type vmware_sys_conf_t;
-	')
-
-	allow $1 vmware_sys_conf_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Append to VMWare system configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`vmware_append_system_config',`
-	gen_require(`
-		type vmware_sys_conf_t;
-	')
-
-	allow $1 vmware_sys_conf_t:file append;
-')
diff --git a/refpolicy/policy/modules/apps/vmware.te b/refpolicy/policy/modules/apps/vmware.te
deleted file mode 100644
index e41d16c..0000000
--- a/refpolicy/policy/modules/apps/vmware.te
+++ /dev/null
@@ -1,117 +0,0 @@
-
-policy_module(vmware,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-# VMWare user program
-type vmware_exec_t;
-corecmd_executable_file(vmware_exec_t)
-
-# VMWare host programs
-type vmware_host_t;
-type vmware_host_exec_t;
-init_daemon_domain(vmware_host_t,vmware_host_exec_t)
-
-# Systemwide configuration files
-type vmware_sys_conf_t;
-files_type(vmware_sys_conf_t)
-
-type vmware_var_run_t;
-files_pid_file(vmware_var_run_t)
-
-########################################
-#
-# VMWare host local policy
-#
-
-allow vmware_host_t self:capability { setuid net_raw };
-dontaudit vmware_host_t self:capability sys_tty_config;
-allow vmware_host_t self:process signal_perms;
-allow vmware_host_t self:fifo_file rw_file_perms;
-allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
-allow vmware_host_t self:rawip_socket create_socket_perms;
-
-# cjp: the ro and rw files should be split up
-allow vmware_host_t vmware_sys_conf_t:dir rw_dir_perms;
-allow vmware_host_t vmware_sys_conf_t:file manage_file_perms;
-
-allow vmware_host_t vmware_var_run_t:file manage_file_perms;
-allow vmware_host_t vmware_var_run_t:sock_file manage_file_perms;
-allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
-
-kernel_read_kernel_sysctls(vmware_host_t)
-kernel_list_proc(vmware_host_t)
-kernel_read_proc_symlinks(vmware_host_t)
-
-corenet_non_ipsec_sendrecv(vmware_host_t)
-corenet_tcp_sendrecv_generic_if(vmware_host_t)
-corenet_udp_sendrecv_generic_if(vmware_host_t)
-corenet_raw_sendrecv_generic_if(vmware_host_t)
-corenet_tcp_sendrecv_all_nodes(vmware_host_t)
-corenet_udp_sendrecv_all_nodes(vmware_host_t)
-corenet_raw_sendrecv_all_nodes(vmware_host_t)
-corenet_tcp_sendrecv_all_ports(vmware_host_t)
-corenet_udp_sendrecv_all_ports(vmware_host_t)
-corenet_raw_bind_all_nodes(vmware_host_t)
-corenet_tcp_connect_all_ports(vmware_host_t)
-corenet_sendrecv_all_client_packets(vmware_host_t)
-corenet_sendrecv_all_server_packets(vmware_host_t)
-
-dev_read_sysfs(vmware_host_t)
-dev_rw_vmware(vmware_host_t)
-
-domain_use_interactive_fds(vmware_host_t)
-
-files_read_etc_files(vmware_host_t)
-
-fs_getattr_all_fs(vmware_host_t)
-fs_search_auto_mountpoints(vmware_host_t)
-
-term_dontaudit_use_console(vmware_host_t)
-
-init_use_fds(vmware_host_t)
-init_use_script_ptys(vmware_host_t)
-
-libs_use_ld_so(vmware_host_t)
-libs_use_shared_libs(vmware_host_t)
-
-logging_send_syslog_msg(vmware_host_t)
-
-miscfiles_read_localization(vmware_host_t)
-
-sysnet_dns_name_resolve(vmware_host_t)
-
-userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
-userdom_dontaudit_search_sysadm_home_dirs(vmware_host_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(vmware_host_t)
-	term_dontaudit_use_generic_ptys(vmware_host_t)
-	files_dontaudit_read_root_files(vmware_host_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(vmware_host_t)
-
-')
-
-optional_policy(`
-	udev_read_db(vmware_host_t)
-')
-netutils_domtrans_ping(vmware_host_t)
-
-ifdef(`TODO',`
-# VMWare need access to pcmcia devices for network
-optional_policy(`
-allow kernel_t cardmgr_var_lib_t:dir { getattr search };
-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
-')
-# Vmware create network devices
-allow kernel_t self:capability net_admin;
-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow kernel_t self:socket create;
-')
diff --git a/refpolicy/policy/modules/apps/webalizer.fc b/refpolicy/policy/modules/apps/webalizer.fc
deleted file mode 100644
index e4f7d30..0000000
--- a/refpolicy/policy/modules/apps/webalizer.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-
-#
-# /usr
-#
-/usr/bin/webalizer	--	gen_context(system_u:object_r:webalizer_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/webalizer(/.*)?	gen_context(system_u:object_r:webalizer_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/apps/webalizer.if b/refpolicy/policy/modules/apps/webalizer.if
deleted file mode 100644
index 642ba83..0000000
--- a/refpolicy/policy/modules/apps/webalizer.if
+++ /dev/null
@@ -1,55 +0,0 @@
-## <summary>Web server log analysis</summary>
-
-########################################
-## <summary>
-##	Execute webalizer in the webalizer domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`webalizer_domtrans',`
-	gen_require(`
-		type webalizer_t, webalizer_exec_t;
-	')
-
-	domain_auto_trans($1,webalizer_exec_t,webalizer_t)
-
-	allow $1 webalizer_t:fd use;
-	allow webalizer_t $1:fd use;
-	allow webalizer_t $1:fifo_file rw_file_perms;
-	allow webalizer_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute webalizer in the webalizer domain, and
-##	allow the specified role the webalizer domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the webalizer domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the webalizer domain to use.
-##	</summary>
-## </param>
-#
-interface(`webalizer_run',`
-	gen_require(`
-		type webalizer_t;
-	')
-
-	webalizer_domtrans($1)
-	role $2 types webalizer_t;
-	allow webalizer_t $3:chr_file rw_term_perms;
-')
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
deleted file mode 100644
index 4b309ea..0000000
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ /dev/null
@@ -1,109 +0,0 @@
-
-policy_module(webalizer,1.2.2)
-
-########################################
-#
-# Declarations
-#
-type webalizer_t;
-type webalizer_exec_t;
-domain_type(webalizer_t)
-domain_entry_file(webalizer_t,webalizer_exec_t)
-role system_r types webalizer_t;
-
-type webalizer_etc_t;
-files_config_file(webalizer_etc_t)
-
-type webalizer_usage_t;
-files_type(webalizer_usage_t)
-
-type webalizer_tmp_t;
-files_tmp_file(webalizer_tmp_t)
-
-type webalizer_var_lib_t;
-files_type(webalizer_var_lib_t)
-
-type webalizer_write_t;
-files_type(webalizer_write_t)
-
-########################################
-#
-# Local policy
-#
-allow webalizer_t self:capability dac_override;
-allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow webalizer_t self:fd use;
-allow webalizer_t self:fifo_file rw_file_perms;
-allow webalizer_t self:sock_file r_file_perms;
-allow webalizer_t self:shm create_shm_perms;
-allow webalizer_t self:sem create_sem_perms;
-allow webalizer_t self:msgq create_msgq_perms;
-allow webalizer_t self:msg { send receive };
-allow webalizer_t self:unix_dgram_socket create_socket_perms;
-allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
-allow webalizer_t self:unix_dgram_socket sendto;
-allow webalizer_t self:unix_stream_socket connectto;
-allow webalizer_t self:tcp_socket connected_stream_socket_perms;
-allow webalizer_t self:udp_socket { connect connected_socket_perms };
-allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow webalizer_t webalizer_etc_t:file { getattr read };
-
-allow webalizer_t webalizer_tmp_t:dir create_dir_perms;
-allow webalizer_t webalizer_tmp_t:file create_file_perms;
-files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
-
-allow webalizer_t webalizer_var_lib_t:file create_file_perms;
-allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
-
-kernel_read_kernel_sysctls(webalizer_t)
-kernel_read_system_state(webalizer_t)
-
-corenet_non_ipsec_sendrecv(webalizer_t)
-corenet_tcp_sendrecv_all_if(webalizer_t)
-corenet_tcp_sendrecv_all_nodes(webalizer_t)
-corenet_tcp_sendrecv_all_ports(webalizer_t)
-
-fs_search_auto_mountpoints(webalizer_t)
-
-files_read_etc_files(webalizer_t)
-files_read_etc_runtime_files(webalizer_t)
-
-libs_use_ld_so(webalizer_t)
-libs_use_shared_libs(webalizer_t)
-
-logging_list_logs(webalizer_t)
-logging_send_syslog_msg(webalizer_t)
-
-miscfiles_read_localization(webalizer_t)
-
-sysnet_dns_name_resolve(webalizer_t)
-sysnet_read_config(webalizer_t)
-
-userdom_use_unpriv_users_fds(webalizer_t)
-userdom_dontaudit_search_all_users_home_content(webalizer_t)
-
-apache_read_log(webalizer_t)
-apache_manage_sys_content(webalizer_t)
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(webalizer_t)
-	term_use_unallocated_ttys(webalizer_t)
-')
-
-optional_policy(`
-	ftp_read_log(webalizer_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(webalizer_t)
-')
-
-optional_policy(`
-	nscd_socket_use(webalizer_t)
-')
-
-optional_policy(`
-	cron_system_entry(webalizer_t,webalizer_exec_t)
-')
diff --git a/refpolicy/policy/modules/apps/wine.fc b/refpolicy/policy/modules/apps/wine.fc
deleted file mode 100644
index aa0daf7..0000000
--- a/refpolicy/policy/modules/apps/wine.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/wine			--	gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/wine.if b/refpolicy/policy/modules/apps/wine.if
deleted file mode 100644
index 00b468e..0000000
--- a/refpolicy/policy/modules/apps/wine.if
+++ /dev/null
@@ -1,25 +0,0 @@
-## <summary>Wine Is Not an Emulator.  Run Windows programs in Linux.</summary>
-
-########################################
-## <summary>
-##	Execute the wine program in the wine domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wine_domtrans',`
-	gen_require(`
-		type wine_t, wine_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1, wine_exec_t, wine_t)
-
-	allow $1 wine_t:fd use;
-	allow wine_t $1:fd use;
-	allow wine_t $1:fifo_file rw_file_perms;
-	allow wine_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/apps/wine.te b/refpolicy/policy/modules/apps/wine.te
deleted file mode 100644
index 60aa4cf..0000000
--- a/refpolicy/policy/modules/apps/wine.te
+++ /dev/null
@@ -1,28 +0,0 @@
-
-policy_module(wine,1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-type wine_t;
-domain_type(wine_t)
-
-type wine_exec_t;
-domain_entry_file(wine_t,wine_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-ifdef(`targeted_policy',`
-	allow wine_t self:process { execstack execmem };
-	unconfined_domain_noaudit(wine_t)
-	files_execmod_all_files(wine_t)
-
- 	optional_policy(`
- 		hal_dbus_chat(wine_t)
- 	')
-')
diff --git a/refpolicy/policy/modules/apps/yam.fc b/refpolicy/policy/modules/apps/yam.fc
deleted file mode 100644
index 2875fb6..0000000
--- a/refpolicy/policy/modules/apps/yam.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-/etc/yam.conf		--	gen_context(system_u:object_r:yam_etc_t,s0)
-
-/usr/bin/yam		--	gen_context(system_u:object_r:yam_exec_t,s0)
-
-/var/yam(/.*)?			gen_context(system_u:object_r:yam_content_t,s0)
-/var/www/yam(/.*)?		gen_context(system_u:object_r:yam_content_t,s0)
diff --git a/refpolicy/policy/modules/apps/yam.if b/refpolicy/policy/modules/apps/yam.if
deleted file mode 100644
index 450fb4e..0000000
--- a/refpolicy/policy/modules/apps/yam.if
+++ /dev/null
@@ -1,76 +0,0 @@
-## <summary>Yum/Apt Mirroring</summary>
-
-########################################
-## <summary>
-##	Execute yam in the yam domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`yam_domtrans',`
-	gen_require(`
-		type yam_t, yam_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,yam_exec_t,yam_t)
-
-	allow $1 yam_t:fd use;
-	allow yam_t $1:fd use;
-	allow yam_t $1:fifo_file rw_file_perms;
-	allow yam_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute yam in the yam domain, and
-##	allow the specified role the yam domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the yam domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the yam domain to use.
-##	</summary>
-## </param>
-#
-interface(`yam_run',`
-	gen_require(`
-		type yam_t;
-	')
-
-	yam_domtrans($1)
-	role $2 types yam_t;
-	allow yam_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Read yam content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`yam_read_content',`
-	gen_require(`
-		type yam_content_t;
-	')
-
-	allow $1 yam_content_t:dir list_dir_perms;
-	allow $1 yam_content_t:file read_file_perms;
-	allow $1 yam_content_t:lnk_file { getattr read };
-')
diff --git a/refpolicy/policy/modules/apps/yam.te b/refpolicy/policy/modules/apps/yam.te
deleted file mode 100644
index 9181eba..0000000
--- a/refpolicy/policy/modules/apps/yam.te
+++ /dev/null
@@ -1,129 +0,0 @@
-
-policy_module(yam,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type yam_t alias yam_crond_t;
-type yam_exec_t;
-domain_type(yam_t)
-domain_entry_file(yam_t,yam_exec_t)
-
-type yam_content_t;
-files_mountpoint(yam_content_t)
-
-type yam_etc_t;
-files_config_file(yam_etc_t)
-
-type yam_tmp_t;
-files_tmp_file(yam_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow yam_t self:capability { chown fowner fsetid dac_override };
-allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow yam_t self:process execmem;
-allow yam_t self:fd use;
-allow yam_t self:fifo_file rw_file_perms;
-allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
-allow yam_t self:shm create_shm_perms;
-allow yam_t self:sem create_sem_perms;
-allow yam_t self:msgq create_msgq_perms;
-allow yam_t self:msg { send receive };
-allow yam_t self:tcp_socket create_socket_perms;
-
-# Update the content being managed by yam.
-allow yam_t yam_content_t:dir create_dir_perms;
-allow yam_t yam_content_t:file create_file_perms;
-allow yam_t yam_content_t:lnk_file create_lnk_perms;
-
-allow yam_t yam_etc_t:file { getattr read };
-files_search_etc(yam_t)
-
-allow yam_t yam_tmp_t:dir create_dir_perms;
-allow yam_t yam_tmp_t:file create_file_perms;
-files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(yam_t)
-kernel_read_proc_symlinks(yam_t)
-# Python works fine without reading /proc/meminfo
-kernel_dontaudit_read_system_state(yam_t)
-
-corecmd_exec_shell(yam_t)
-corecmd_exec_bin(yam_t)
-
-# Rsync and lftp need to network.  They also set files attributes to
-# match whats on the remote server.
-corenet_non_ipsec_sendrecv(yam_t)
-corenet_tcp_sendrecv_generic_if(yam_t)
-corenet_tcp_sendrecv_all_nodes(yam_t)
-corenet_tcp_sendrecv_all_ports(yam_t)
-corenet_tcp_connect_http_port(yam_t)
-corenet_tcp_connect_rsync_port(yam_t)
-corenet_sendrecv_http_client_packets(yam_t)
-corenet_sendrecv_rsync_client_packets(yam_t)
-
-# mktemp
-dev_read_urand(yam_t)
-
-files_read_etc_files(yam_t)
-files_read_etc_runtime_files(yam_t)
-# /usr/share/createrepo/genpkgmetadata.py:
-files_exec_usr_files(yam_t)
-# Programs invoked to build package lists need various permissions.
-# genpkglist creates tmp files in /var/cache/apt/genpkglist
-files_rw_var_files(yam_t)
-
-fs_search_auto_mountpoints(yam_t)
-# Content can also be on ISO image files.
-fs_read_iso9660_files(yam_t)
-
-term_search_ptys(yam_t)
-
-libs_use_ld_so(yam_t)
-libs_use_shared_libs(yam_t)
-
-logging_send_syslog_msg(yam_t)
-
-miscfiles_read_localization(yam_t)
-
-seutil_read_config(yam_t)
-
-sysnet_dns_name_resolve(yam_t)
-sysnet_read_config(yam_t)
-
-userdom_use_unpriv_users_fds(yam_t)
-# Reading dotfiles...
-# cjp: ?
-userdom_search_all_users_home_dirs(yam_t)
-
-# The whole point of this program is to make updates available on a
-# local web server.  Need to go through /var to get to /var/yam
-# Go through /var/www to get to /var/www/yam
-apache_search_sys_content(yam_t)
-
-optional_policy(`
-	cron_system_entry(yam_t,yam_exec_t)
-')
-
-optional_policy(`
-	mount_domtrans(yam_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(yam_t)
-')
-
-optional_policy(`
-	nscd_socket_use(yam_t)
-')
-
-optional_policy(`
-	rsync_exec(yam_t)
-')
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
deleted file mode 100644
index e1308e2..0000000
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ /dev/null
@@ -1,242 +0,0 @@
-
-#
-# /bin
-#
-/bin				-d	gen_context(system_u:object_r:bin_t,s0)
-/bin/.*					gen_context(system_u:object_r:bin_t,s0)
-/bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ls				--	gen_context(system_u:object_r:ls_exec_t,s0)
-/bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
-
-#
-# /dev
-#
-/dev/MAKEDEV			--	gen_context(system_u:object_r:sbin_t,s0)
-
-#
-# /emul
-#
-ifdef(`distro_redhat',`
-/emul/ia32-linux/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
-/emul/ia32-linux/usr(/.*)?/bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)?	gen_context(system_u:object_r:sbin_t,s0)
-/emul/ia32-linux/usr/libexec(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /etc
-#
-
-/etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
-/etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
-
-/etc/hotplug/.*agent		--	gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:sbin_t,s0)
-
-/etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
-
-/etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:sbin_t,s0)
-
-/etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
-/etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
-/etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
-/etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
-
-/etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
-
-/etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
-/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
-
-/etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
-/etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
-/etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
-/etc/X11/xinit(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
-/etc/xen/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_debian',`
-/etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
-')
-
-ifdef(`targeted_policy',`
-/etc/X11/prefdm			--	gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /lib
-#
-
-/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
-/lib/udev/scsi_id		--	gen_context(system_u:object_r:sbin_t,s0)
-
-ifdef(`distro_gentoo',`
-/lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/lib/rcscripts/net.modules.d/helpers.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/rcscripts/net.modules.d/helpers.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /sbin
-#
-/sbin				-d	gen_context(system_u:object_r:sbin_t,s0)
-/sbin/.*				gen_context(system_u:object_r:sbin_t,s0)
-/sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:sbin_t,s0)
-/sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:sbin_t,s0)
-
-#
-# /opt
-#
-/opt/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
-/opt/(.*/)?libexec(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-
-/opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
-
-ifdef(`distro_gentoo',`
-/opt/vmware/workstation/lib/lib/wrapper-gtk24.sh -- gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /usr
-#
-/usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
-/usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
-/usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
-/usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
-
-/usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/filter/.*	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ipsec/.*		--	gen_context(system_u:object_r:sbin_t,s0)
-/usr/lib(64)?/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/mailman/mail(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/nagios/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/netsaint/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/news/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
-
-/usr/lib(64)?/debug/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/sbin(/.*)? --	gen_context(system_u:object_r:sbin_t,s0)
-/usr/lib(64)?/debug/usr/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/usr/sbin(/.*)? --	gen_context(system_u:object_r:sbin_t,s0)
-
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-
-/usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-
-/usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
-
-/usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:sbin_t,s0)
-
-/usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-
-/usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/hal/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
-
-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_gentoo', `
-/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-/usr/.*-.*-linux-gnu/binutils-bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-')
-
-ifdef(`distro_redhat', `
-/usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/rhn/rhn_applet/needed-packages\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-language/system-config-language -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-lvm/system-config-lvm.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-mouse/system-config-mouse -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-netboot/system-config-netboot\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-netboot/pxeos\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-netboot/pxeboot\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-users/system-config-users -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-logviewer/system-logviewer\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
-')
-
-ifdef(`distro_suse', `
-/usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ssh/.*		--	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /var
-#
-/var/mailman/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
-/var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/var/ftp/bin/ls			--	gen_context(system_u:object_r:ls_exec_t,s0)
-
-/usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
-
-/var/qmail/bin                  -d      gen_context(system_u:object_r:bin_t,s0)
-/var/qmail/bin(/.*)?                    gen_context(system_u:object_r:bin_t,s0)
-/var/qmail/rc                   --      gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_suse',`
-/var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
-')
diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if
deleted file mode 100644
index 58d5983..0000000
--- a/refpolicy/policy/modules/kernel/corecommands.if
+++ /dev/null
@@ -1,989 +0,0 @@
-## <summary>
-## Core policy for shells, and generic programs
-## in /bin, /sbin, /usr/bin, and /usr/sbin.
-## </summary>
-## <required val="true">
-##	Contains the base bin and sbin directory types
-##	which need to be searched for the kernel to
-##	run init.
-## </required>
-
-########################################
-## <summary>
-##	Make the specified type usable for files
-##	that are exectuables, such as binary programs.
-##	This does not include shared libraries.
-## </summary>
-## <param name="type">
-##	<summary>
-##	Type to be used for files.
-##	</summary>
-## </param>
-#
-interface(`corecmd_executable_file',`
-	gen_require(`
-		attribute exec_type;
-	')
-
-	typeattribute $1 exec_type;
-
-	files_type($1)
-')
-
-########################################
-## <summary>
-##	Create a aliased type to generic bin files.
-## </summary>
-## <desc>
-##	<p>
-##	Create a aliased type to generic bin files.
-##	</p>
-##	<p>
-##	This is added to support targeted policy.  Its
-##	use should be limited.  It has no effect
-##	on the strict policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Alias type for bin_t.
-##	</summary>
-## </param>
-#
-interface(`corecmd_bin_alias',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type bin_t;
-		')
-
-		typealias bin_t alias $1;
-	',`
-		errprint(__file__:__line__:` $0($*) has no effect in strict policy.'__endline__)
-	')
-')
-
-########################################
-## <summary>
-##	Make general progams in bin an entrypoint for
-##	the specified domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain for which bin_t is an entrypoint.
-##	</summary>
-## </param>
-#
-interface(`corecmd_bin_entry_type',`
-	gen_require(`
-		type bin_t;
-	')
-
-	domain_entry_file($1,bin_t)
-')
-
-########################################
-## <summary>
-##	Make general progams in sbin an entrypoint for
-##	the specified domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain for which sbin programs are an entrypoint.
-##	</summary>
-## </param>
-#
-interface(`corecmd_sbin_entry_type',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	domain_entry_file($1,sbin_t)
-')
-
-########################################
-## <summary>
-##	Make the shell an entrypoint for the specified domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain for which the shell is an entrypoint.
-##	</summary>
-## </param>
-#
-interface(`corecmd_shell_entry_type',`
-	gen_require(`
-		type shell_exec_t;
-	')
-
-	domain_entry_file($1,shell_exec_t)
-')
-
-########################################
-## <summary>
-##	Search the contents of bin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_search_bin',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of bin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_list_bin',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of files in bin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_getattr_bin_files',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Read files in bin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_read_bin_files',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read symbolic links in bin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_read_bin_symlinks',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read pipes in bin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_read_bin_pipes',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read named sockets in bin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_read_bin_sockets',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:sock_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute generic programs in bin directories,
-##	in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_exec_bin',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
-	can_exec($1,bin_t)
-
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete bin files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_manage_bin_files',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:dir rw_dir_perms;
-	allow $1 bin_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Relabel to and from the bin type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_relabel_bin_files',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:dir search_dir_perms;
-	allow $1 bin_t:file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Mmap a bin file as executable.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_mmap_bin_files',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:dir search_dir_perms;
-	allow $1 bin_t:file { getattr read execute };
-')
-
-########################################
-## <summary>
-##	Execute a file in a bin directory
-##	in the specified domain but do not
-##	do it automatically. This is an explicit
-##	transition, requiring the caller to use setexeccon().
-## </summary>
-## <desc>
-##	<p>
-##	Execute a file in a bin directory
-##	in the specified domain.  This allows
-##	the specified domain to execute any file
-##	on these filesystems in the specified
-##	domain.  This is not suggested.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-##	<p>
-##	This interface was added to handle
-##	the userhelper policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	The type of the new process.
-##	</summary>
-## </param>
-#
-interface(`corecmd_bin_spec_domtrans',`
-	gen_require(`
-		type bin_t;
-	')
-
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:lnk_file { getattr read };
-
-	domain_trans($1,bin_t,$2)
-')
-
-########################################
-## <summary>
-##      Execute a file in a bin directory
-##      in the specified domain.
-## </summary>
-## <desc>
-##      <p>
-##      Execute a file in a bin directory
-##      in the specified domain.  This allows
-##      the specified domain to execute any file
-##      on these filesystems in the specified
-##      domain.  This is not suggested.
-##      </p>
-##      <p>
-##      No interprocess communication (signals, pipes,
-##      etc.) is provided by this interface since
-##      the domains are not owned by this module.
-##      </p>
-##      <p>
-##      This interface was added to handle
-##      the ssh-agent policy.
-##      </p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##      The type of the new process.
-##	</summary>
-## </param>
-#
-interface(`corecmd_bin_domtrans',`
-	gen_require(`
-		type bin_t;
-	')
-
-	corecmd_bin_spec_domtrans($1,$2)
-	type_transition $1 bin_t:process $2;
-')
-
-########################################
-## <summary>
-##	Search the contents of sbin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_search_sbin',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search
-##	sbin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`corecmd_dontaudit_search_sbin',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	dontaudit $1 sbin_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List the contents of sbin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_list_sbin',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of sbin files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_getattr_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attibutes
-##	of sbin files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`corecmd_dontaudit_getattr_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	dontaudit $1 sbin_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Read files in sbin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_read_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read symbolic links in sbin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_read_sbin_symlinks',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read named pipes in sbin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_read_sbin_pipes',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read named sockets in sbin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_read_sbin_sockets',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:sock_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute generic programs in sbin directories,
-##	in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_exec_sbin',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir r_dir_perms;
-	allow $1 sbin_t:lnk_file r_file_perms;
-	can_exec($1,sbin_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete sbin files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`corecmd_manage_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir rw_dir_perms;
-	allow $1 sbin_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Relabel to and from the sbin type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`corecmd_relabel_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search_dir_perms;
-	allow $1 sbin_t:file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Mmap a sbin file as executable.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`corecmd_mmap_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search_dir_perms;
-	allow $1 sbin_t:file { getattr read execute };
-')
-
-########################################
-## <summary>
-##	Execute a file in a sbin directory
-##	in the specified domain.
-## </summary>
-## <desc>
-##	<p>
-##	Execute a file in a sbin directory
-##	in the specified domain.  This allows
-##	the specified domain to execute any file
-##	on these filesystems in the specified
-##	domain.  This is not suggested.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-##	<p>
-##	This interface was added to handle
-##	the ssh-agent policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	The type of the new process.
-##	</summary>
-## </param>
-#
-interface(`corecmd_sbin_domtrans',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:lnk_file { getattr read };
-
-	domain_auto_trans($1,sbin_t,$2)
-')
-
-########################################
-## <summary>
-##	Execute a file in a sbin directory
-##	in the specified domain but do not
-##	do it automatically. This is an explicit
-##	transition, requiring the caller to use setexeccon().
-## </summary>
-## <desc>
-##	<p>
-##	Execute a file in a sbin directory
-##	in the specified domain.  This allows
-##	the specified domain to execute any file
-##	on these filesystems in the specified
-##	domain.  This is not suggested.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-##	<p>
-##	This interface was added to handle
-##	the userhelper policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	The type of the new process.
-##	</summary>
-## </param>
-#
-interface(`corecmd_sbin_spec_domtrans',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:lnk_file { getattr read };
-
-	domain_trans($1,sbin_t,$2)
-')
-
-########################################
-## <summary>
-##	Check if a shell is executable (DAC-wise).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_check_exec_shell',`
-	gen_require(`
-		type bin_t, shell_exec_t;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
-	allow $1 shell_exec_t:file execute;
-')
-
-########################################
-## <summary>
-##	Execute a shell in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_exec_shell',`
-	gen_require(`
-		type bin_t, shell_exec_t;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
-	can_exec($1,shell_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute ls in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_exec_ls',`
-	gen_require(`
-		type bin_t, ls_exec_t;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
-	can_exec($1,ls_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute a shell in the target domain.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <desc>
-##	<p>
-##	Execute a shell in the target domain.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	The type of the shell process.
-##	</summary>
-## </param>
-#
-interface(`corecmd_shell_spec_domtrans',`
-	gen_require(`
-		type bin_t, shell_exec_t;
-	')
-
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
-
-	domain_trans($1,shell_exec_t,$2)
-')
-
-########################################
-## <summary>
-##	Execute a shell in the specified domain.
-## </summary>
-## <desc>
-##	<p>
-##	Execute a shell in the specified domain.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	The type of the shell process.
-##	</summary>
-## </param>
-#
-interface(`corecmd_shell_domtrans',`
-	gen_require(`
-		type shell_exec_t;
-	')
-
-	corecmd_shell_spec_domtrans($1,$2)
-	type_transition $1 shell_exec_t:process $2;
-')
-
-########################################
-## <summary>
-##	Execute chroot in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_exec_chroot',`
-	gen_require(`
-		type chroot_exec_t;
-	')
-
-	can_exec($1,chroot_exec_t)
-	allow $1 self:capability sys_chroot;
-')
-
-########################################
-## <summary>
-##	Execute all executable files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_exec_all_executables',`
-	gen_require(`
-		attribute exec_type;
-		type bin_t, sbin_t;
-	')
-
-	can_exec($1,exec_type)
-	allow $1 { bin_t sbin_t }:dir list_dir_perms;
-	allow $1 { bin_t sbin_t }:lnk_file read_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and all executable files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_manage_all_executables',`
-	gen_require(`
-		attribute exec_type;
-		type bin_t, sbin_t;
-	')
-
-	allow $1 exec_type:file manage_file_perms;
-	allow $1 { bin_t sbin_t }:dir rw_dir_perms;
-')
-
-########################################
-## <summary>
-##	Relabel to and from the bin type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_relabel_all_executables',`
-	gen_require(`
-		attribute exec_type;
-	')
-
-	allow $1 exec_type:file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Mmap all executables as executable.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_mmap_all_executables',`
-	gen_require(`
-		attribute exec_type;
-	')
-
-	allow $1 exec_type:file { getattr read execute };
-')
diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te
deleted file mode 100644
index 854ca0e..0000000
--- a/refpolicy/policy/modules/kernel/corecommands.te
+++ /dev/null
@@ -1,39 +0,0 @@
-
-policy_module(corecommands,1.3.11)
-
-########################################
-#
-# Declarations
-#
-
-#
-# Types with the exec_type attribute are executable files.
-#
-attribute exec_type;
-
-#
-# bin_t is the type of files in the system bin directories.
-#
-type bin_t;
-corecmd_executable_file(bin_t)
-
-#
-# sbin_t is the type of files in the system sbin directories.
-#
-type sbin_t;
-corecmd_executable_file(sbin_t)
-
-#
-# ls_exec_t is the type of the ls program.
-#
-type ls_exec_t;
-corecmd_executable_file(ls_exec_t)
-
-#
-# shell_exec_t is the type of user shells such as /bin/bash.
-#
-type shell_exec_t;
-corecmd_executable_file(shell_exec_t)
-
-type chroot_exec_t;
-corecmd_executable_file(chroot_exec_t)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.fc b/refpolicy/policy/modules/kernel/corenetwork.fc
deleted file mode 100644
index 9e5c83e..0000000
--- a/refpolicy/policy/modules/kernel/corenetwork.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-
-/dev/ippp.*	-c	gen_context(system_u:object_r:ppp_device_t,s0)
-/dev/ppp	-c	gen_context(system_u:object_r:ppp_device_t,s0)
-/dev/pppox.*	-c	gen_context(system_u:object_r:ppp_device_t,s0)
-/dev/tap.*	-c	gen_context(system_u:object_r:tun_tap_device_t,s0)
-
-/dev/net/.*	-c	gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
deleted file mode 100644
index 65fbe15..0000000
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ /dev/null
@@ -1,1695 +0,0 @@
-## <summary>Policy controlling access to network objects</summary>
-## <required val="true">
-##	Contains the initial SIDs for network objects.
-## </required>
-
-########################################
-## <summary>
-##	Send and receive TCP network traffic on the generic interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <infoflow type="both" weight="10"/>
-#
-interface(`corenet_tcp_sendrecv_generic_if',`
-	gen_require(`
-		type netif_t;
-	')
-
-	allow $1 netif_t:netif { tcp_send tcp_recv };
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic on generic interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_send_generic_if',`
-	gen_require(`
-		type netif_t;
-	')
-
-	allow $1 netif_t:netif udp_send;
-')
-
-########################################
-## <summary>
-##	Receive UDP network traffic on generic interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_receive_generic_if',`
-	gen_require(`
-		type netif_t;
-	')
-
-	allow $1 netif_t:netif udp_recv;
-')
-
-########################################
-## <summary>
-##	Send and Receive UDP network traffic on generic interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_sendrecv_generic_if',`
-	corenet_udp_send_generic_if($1)
-	corenet_udp_receive_generic_if($1)
-')
-
-########################################
-## <summary>
-##	Send raw IP packets on generic interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_send_generic_if',`
-	gen_require(`
-		type netif_t;
-	')
-
-	allow $1 netif_t:netif rawip_send;
-')
-
-########################################
-## <summary>
-##	Receive raw IP packets on generic interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_receive_generic_if',`
-	gen_require(`
-		type netif_t;
-	')
-
-	allow $1 netif_t:netif rawip_recv;
-')
-
-########################################
-## <summary>
-##	Send and receive raw IP packets on generic interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_sendrecv_generic_if',`
-	corenet_raw_send_generic_if($1)
-	corenet_raw_receive_generic_if($1)
-')
-
-########################################
-## <summary>
-##	Send and receive TCP network traffic on all interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_sendrecv_all_if',`
-	gen_require(`
-		attribute netif_type;
-	')
-
-	allow $1 netif_type:netif { tcp_send tcp_recv };
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic on all interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_send_all_if',`
-	gen_require(`
-		attribute netif_type;
-	')
-
-	allow $1 netif_type:netif udp_send;
-')
-
-########################################
-## <summary>
-##	Receive UDP network traffic on all interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_receive_all_if',`
-	gen_require(`
-		attribute netif_type;
-	')
-
-	allow $1 netif_type:netif udp_recv;
-')
-
-########################################
-## <summary>
-##	Send and receive UDP network traffic on all interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_sendrecv_all_if',`
-	corenet_udp_send_all_if($1)
-	corenet_udp_receive_all_if($1)
-')
-
-########################################
-## <summary>
-##	Send raw IP packets on all interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_send_all_if',`
-	gen_require(`
-		attribute netif_type;
-	')
-
-	allow $1 netif_type:netif rawip_send;
-')
-
-########################################
-## <summary>
-##	Receive raw IP packets on all interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_receive_all_if',`
-	gen_require(`
-		attribute netif_type;
-	')
-
-	allow $1 netif_type:netif rawip_recv;
-')
-
-########################################
-## <summary>
-##	Send and receive raw IP packets on all interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_sendrecv_all_if',`
-	corenet_raw_send_all_if($1)
-	corenet_raw_receive_all_if($1)
-')
-
-########################################
-## <summary>
-##	Send and receive TCP network traffic on generic nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_sendrecv_generic_node',`
-	gen_require(`
-		type node_t;
-	')
-
-	allow $1 node_t:node { tcp_send tcp_recv };
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic on generic nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_send_generic_node',`
-	gen_require(`
-		type node_t;
-	')
-
-	allow $1 node_t:node udp_send;
-')
-
-########################################
-## <summary>
-##	Receive UDP network traffic on generic nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_receive_generic_node',`
-	gen_require(`
-		type node_t;
-	')
-
-	allow $1 node_t:node udp_recv;
-')
-
-########################################
-## <summary>
-##	Send and receive UDP network traffic on generic nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_sendrecv_generic_node',`
-	corenet_udp_send_generic_node($1)
-	corenet_udp_receive_generic_node($1)
-')
-
-########################################
-## <summary>
-##	Send raw IP packets on generic nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_send_generic_node',`
-	gen_require(`
-		type node_t;
-	')
-
-	allow $1 node_t:node rawip_send;
-')
-
-########################################
-## <summary>
-##	Receive raw IP packets on generic nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_receive_generic_node',`
-	gen_require(`
-		type node_t;
-	')
-
-	allow $1 node_t:node rawip_recv;
-')
-
-########################################
-## <summary>
-##	Send and receive raw IP packets on generic nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_sendrecv_generic_node',`
-	corenet_raw_send_generic_node($1)
-	corenet_raw_receive_generic_node($1)
-')
-
-########################################
-## <summary>
-##	Bind TCP sockets to generic nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_bind_generic_node',`
-	gen_require(`
-		type node_t;
-	')
-
-	allow $1 node_t:tcp_socket node_bind;
-')
-
-########################################
-## <summary>
-##	Bind UDP sockets to generic nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_bind_generic_node',`
-	gen_require(`
-		type node_t;
-	')
-
-	allow $1 node_t:udp_socket node_bind;
-')
-
-########################################
-## <summary>
-##	Send and receive TCP network traffic on all nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_sendrecv_all_nodes',`
-	gen_require(`
-		attribute node_type;
-	')
-
-	allow $1 node_type:node { tcp_send tcp_recv };
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic on all nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_send_all_nodes',`
-	gen_require(`
-		attribute node_type;
-	')
-
-	allow $1 node_type:node udp_send;
-')
-
-########################################
-## <summary>
-##	Receive UDP network traffic on all nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_receive_all_nodes',`
-	gen_require(`
-		attribute node_type;
-	')
-
-	allow $1 node_type:node udp_recv;
-')
-
-########################################
-## <summary>
-##	Send and receive UDP network traffic on all nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_sendrecv_all_nodes',`
-	corenet_udp_send_all_nodes($1)
-	corenet_udp_receive_all_nodes($1)
-')
-
-########################################
-## <summary>
-##	Send raw IP packets on all nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_send_all_nodes',`
-	gen_require(`
-		attribute node_type;
-	')
-
-	allow $1 node_type:node rawip_send;
-')
-
-########################################
-## <summary>
-##	Receive raw IP packets on all nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_receive_all_nodes',`
-	gen_require(`
-		attribute node_type;
-	')
-
-	allow $1 node_type:node rawip_recv;
-')
-
-########################################
-## <summary>
-##	Send and receive raw IP packets on all nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_raw_sendrecv_all_nodes',`
-	corenet_raw_send_all_nodes($1)
-	corenet_raw_receive_all_nodes($1)
-')
-
-########################################
-## <summary>
-##	Bind TCP sockets to all nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_bind_all_nodes',`
-	gen_require(`
-		attribute node_type;
-	')
-
-	allow $1 node_type:tcp_socket node_bind;
-')
-
-########################################
-## <summary>
-##	Bind UDP sockets to all nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_bind_all_nodes',`
-	gen_require(`
-		attribute node_type;
-	')
-
-	allow $1 node_type:udp_socket node_bind;
-')
-
-########################################
-## <summary>
-##	Bind raw sockets to all nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-# rawip_socket node_bind does not make much sense.
-# cjp: vmware hits this too
-interface(`corenet_raw_bind_all_nodes',`
-	gen_require(`
-		attribute node_type;
-	')
-
-	allow $1 node_type:rawip_socket node_bind;
-')
-
-########################################
-## <summary>
-##	Send and receive TCP network traffic on generic ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_sendrecv_generic_port',`
-	gen_require(`
-		type port_t;
-	')
-
-	allow $1 port_t:tcp_socket { send_msg recv_msg };
-')
-
-########################################
-## <summary>
-##	Do not audit send and receive TCP network traffic on generic ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
-	gen_require(`
-		type port_t;
-	')
-
-	allow $1 port_t:tcp_socket { send_msg recv_msg };
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic on generic ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_send_generic_port',`
-	gen_require(`
-		type port_t;
-	')
-
-	allow $1 port_t:udp_socket send_msg;
-')
-
-########################################
-## <summary>
-##	Receive UDP network traffic on generic ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_receive_generic_port',`
-	gen_require(`
-		type port_t;
-	')
-
-	allow $1 port_t:udp_socket recv_msg;
-')
-
-########################################
-## <summary>
-##	Send and receive UDP network traffic on generic ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_sendrecv_generic_port',`
-	corenet_udp_send_generic_port($1)
-	corenet_udp_receive_generic_port($1)
-')
-
-########################################
-## <summary>
-##	Bind TCP sockets to generic ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_bind_generic_port',`
-	gen_require(`
-		type port_t;
-	')
-
-	allow $1 port_t:tcp_socket name_bind;
-')
-
-########################################
-## <summary>
-##	Do not audit bind TCP sockets to generic ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`corenet_dontaudit_tcp_bind_generic_port',`
-	gen_require(`
-		type port_t;
-	')
-
-	dontaudit $1 port_t:tcp_socket name_bind;
-')
-
-########################################
-## <summary>
-##	Bind UDP sockets to generic ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_bind_generic_port',`
-	gen_require(`
-		type port_t;
-	')
-
-	allow $1 port_t:udp_socket name_bind;
-')
-
-########################################
-## <summary>
-##	Connect TCP sockets to generic ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_connect_generic_port',`
-	gen_require(`
-		type port_t;
-	')
-
-	allow $1 port_t:tcp_socket name_connect;
-')
-
-########################################
-## <summary>
-##	Send and receive TCP network traffic on all ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_sendrecv_all_ports',`
-	gen_require(`
-		attribute port_type;
-	')
-
-	allow $1 port_type:tcp_socket { send_msg recv_msg };
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic on all ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_send_all_ports',`
-	gen_require(`
-		attribute port_type;
-	')
-
-	allow $1 port_type:udp_socket send_msg;
-')
-
-########################################
-## <summary>
-##	Receive UDP network traffic on all ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_receive_all_ports',`
-	gen_require(`
-		attribute port_type;
-	')
-
-	allow $1 port_type:udp_socket recv_msg;
-')
-
-########################################
-## <summary>
-##	Send and receive UDP network traffic on all ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_sendrecv_all_ports',`
-	corenet_udp_send_all_ports($1)
-	corenet_udp_receive_all_ports($1)
-')
-
-########################################
-## <summary>
-##	Bind TCP sockets to all ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_bind_all_ports',`
-	gen_require(`
-		attribute port_type;
-	')
-
-	allow $1 port_type:tcp_socket name_bind;
-	allow $1 self:capability net_bind_service;
-')
-
-########################################
-## <summary>
-##	Do not audit attepts to bind TCP sockets to any ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`corenet_dontaudit_tcp_bind_all_ports',`
-	gen_require(`
-		attribute port_type;
-	')
-
-	dontaudit $1 port_type:tcp_socket name_bind;
-')
-
-########################################
-## <summary>
-##	Bind UDP sockets to all ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_bind_all_ports',`
-	gen_require(`
-		attribute port_type;
-	')
-
-	allow $1 port_type:udp_socket name_bind;
-	allow $1 self:capability net_bind_service;
-')
-
-########################################
-## <summary>
-##	Connect TCP sockets to all ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_connect_all_ports',`
-	gen_require(`
-		attribute port_type;
-	')
-
-	allow $1 port_type:tcp_socket name_connect;
-')
-
-########################################
-## <summary>
-##	Send and receive TCP network traffic on generic reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_sendrecv_reserved_port',`
-	gen_require(`
-		type reserved_port_t;
-	')
-
-	allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic on generic reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_send_reserved_port',`
-	gen_require(`
-		type reserved_port_t;
-	')
-
-	allow $1 reserved_port_t:udp_socket send_msg;
-')
-
-########################################
-## <summary>
-##	Receive UDP network traffic on generic reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_receive_reserved_port',`
-	gen_require(`
-		type reserved_port_t;
-	')
-
-	allow $1 reserved_port_t:udp_socket recv_msg;
-')
-
-########################################
-## <summary>
-##	Send and receive UDP network traffic on generic reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_sendrecv_reserved_port',`
-	corenet_udp_send_reserved_port($1)
-	corenet_udp_receive_reserved_port($1)
-')
-
-########################################
-## <summary>
-##	Bind TCP sockets to generic reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_bind_reserved_port',`
-	gen_require(`
-		type reserved_port_t;
-	')
-
-	allow $1 reserved_port_t:tcp_socket name_bind;
-	allow $1 self:capability net_bind_service;
-')
-
-########################################
-## <summary>
-##	Bind UDP sockets to generic reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_bind_reserved_port',`
-	gen_require(`
-		type reserved_port_t;
-	')
-
-	allow $1 reserved_port_t:udp_socket name_bind;
-	allow $1 self:capability net_bind_service;
-')
-
-########################################
-## <summary>
-##	Connect TCP sockets to generic reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_connect_reserved_port',`
-	gen_require(`
-		type reserved_port_t;
-	')
-
-	allow $1 reserved_port_t:tcp_socket name_connect;
-')
-
-########################################
-## <summary>
-##	Send and receive TCP network traffic on all reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_sendrecv_all_reserved_ports',`
-	gen_require(`
-		attribute reserved_port_type;
-	')
-
-	allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic on all reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_send_all_reserved_ports',`
-	gen_require(`
-		attribute reserved_port_type;
-	')
-
-	allow $1 reserved_port_type:udp_socket send_msg;
-')
-
-########################################
-## <summary>
-##	Receive UDP network traffic on all reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_receive_all_reserved_ports',`
-	gen_require(`
-		attribute reserved_port_type;
-	')
-
-	allow $1 reserved_port_type:udp_socket recv_msg;
-')
-
-########################################
-## <summary>
-##	Send and receive UDP network traffic on all reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_sendrecv_all_reserved_ports',`
-	corenet_udp_send_all_reserved_ports($1)
-	corenet_udp_receive_all_reserved_ports($1)
-')
-
-########################################
-## <summary>
-##	Bind TCP sockets to all reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_bind_all_reserved_ports',`
-	gen_require(`
-		attribute reserved_port_type;
-	')
-
-	allow $1 reserved_port_type:tcp_socket name_bind;
-	allow $1 self:capability net_bind_service;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to bind TCP sockets to all reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
-	gen_require(`
-		attribute reserved_port_type;
-	')
-
-	dontaudit $1 reserved_port_type:tcp_socket name_bind;
-')
-
-########################################
-## <summary>
-##	Bind UDP sockets to all reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_bind_all_reserved_ports',`
-	gen_require(`
-		attribute reserved_port_type;
-	')
-
-	allow $1 reserved_port_type:udp_socket name_bind;
-	allow $1 self:capability net_bind_service;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to bind UDP sockets to all reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
-	gen_require(`
-		attribute reserved_port_type;
-	')
-
-	dontaudit $1 reserved_port_type:udp_socket name_bind;
-')
-
-########################################
-## <summary>
-##      Connect TCP sockets to reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_connect_all_reserved_ports',`
-	gen_require(`
-		attribute reserved_port_type;
-	')
-
-	allow $1 reserved_port_type:tcp_socket name_connect;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to connect TCP sockets
-##	all reserved ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
-	gen_require(`
-		attribute reserved_port_type;
-	')
-
-	dontaudit $1 reserved_port_type:tcp_socket name_connect;
-')
-
-########################################
-## <summary>
-##	Read and write the TUN/TAP virtual network device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_rw_tun_tap_dev',`
-	gen_require(`
-		type tun_tap_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 tun_tap_device_t:chr_file { getattr read write ioctl  lock append };
-')
-
-########################################
-## <summary>
-##	Read and write the point-to-point device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_rw_ppp_dev',`
-	gen_require(`
-		type ppp_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 ppp_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Bind TCP sockets to all RPC ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_bind_all_rpc_ports',`
-	gen_require(`
-		attribute rpc_port_type;
-	')
-
-	allow $1 rpc_port_type:tcp_socket name_bind;
-	allow $1 self:capability net_bind_service;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to bind TCP sockets to all RPC ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',`
-	gen_require(`
-		attribute rpc_port_type;
-	')
-
-	dontaudit $1 rpc_port_type:tcp_socket name_bind;
-')
-
-########################################
-## <summary>
-##	Bind UDP sockets to all RPC ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`corenet_udp_bind_all_rpc_ports',`
-	gen_require(`
-		attribute rpc_port_type;
-	')
-
-	allow $1 rpc_port_type:udp_socket name_bind;
-	allow $1 self:capability net_bind_service;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to bind UDP sockets to all RPC ports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
-	gen_require(`
-		attribute rpc_port_type;
-	')
-
-	dontaudit $1 rpc_port_type:udp_socket name_bind;
-')
-
-########################################
-## <summary>
-##	Send and receive messages on a
-##	non-encrypted (no IPSEC) network
-##	session.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_non_ipsec_sendrecv',`
-	kernel_sendrecv_unlabeled_association($1)
-')
-
-########################################
-## <summary>
-##	Send generic client packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_send_generic_client_packets',`
-	gen_require(`
-		type client_packet_t;
-	')
-
-	allow $1 client_packet_t:packet send;
-')
-
-########################################
-## <summary>
-##	Receive generic client packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_receive_generic_client_packets',`
-	gen_require(`
-		type client_packet_t;
-	')
-
-	allow $1 client_packet_t:packet recv;
-')
-
-########################################
-## <summary>
-##	Send and receive generic client packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_sendrecv_generic_client_packets',`
-	corenet_send_generic_client_packets($1)
-	corenet_receive_generic_client_packets($1)
-')
-
-########################################
-## <summary>
-##	Relabel packets to the generic client packet type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_relabelto_generic_client_packets',`
-	gen_require(`
-		type client_packet_t;
-	')
-
-	allow $1 client_packet_t:packet relabelto;
-')
-
-########################################
-## <summary>
-##	Send generic server packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_send_generic_server_packets',`
-	gen_require(`
-		type server_packet_t;
-	')
-
-	allow $1 server_packet_t:packet send;
-')
-
-########################################
-## <summary>
-##	Receive generic server packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_receive_generic_server_packets',`
-	gen_require(`
-		type server_packet_t;
-	')
-
-	allow $1 server_packet_t:packet recv;
-')
-
-########################################
-## <summary>
-##	Send and receive generic server packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_sendrecv_generic_server_packets',`
-	corenet_send_generic_server_packets($1)
-	corenet_receive_generic_server_packets($1)
-')
-
-########################################
-## <summary>
-##	Relabel packets to the generic server packet type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_relabelto_generic_server_packets',`
-	gen_require(`
-		type server_packet_t;
-	')
-
-	allow $1 server_packet_t:packet relabelto;
-')
-
-########################################
-## <summary>
-##	Send and receive unlabeled packets.
-## </summary>
-## <desc>
-##	<p>
-##	Send and receive unlabeled packets.
-##	These packets do not match any netfilter
-##	SECMARK rules.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_sendrecv_unlabeled_packets',`
-	kernel_sendrecv_unlabeled_packets($1)
-')
-
-########################################
-## <summary>
-##	Send all client packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_send_all_client_packets',`
-	gen_require(`
-		attribute client_packet_type;
-	')
-
-	allow $1 client_packet_type:packet send;
-')
-
-########################################
-## <summary>
-##	Receive all client packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_receive_all_client_packets',`
-	gen_require(`
-		attribute client_packet_type;
-	')
-
-	allow $1 client_packet_type:packet recv;
-')
-
-########################################
-## <summary>
-##	Send and receive all client packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_sendrecv_all_client_packets',`
-	corenet_send_all_client_packets($1)
-	corenet_receive_all_client_packets($1)
-')
-
-########################################
-## <summary>
-##	Relabel packets to any client packet type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_relabelto_all_client_packets',`
-	gen_require(`
-		attribute client_packet_type;
-	')
-
-	allow $1 client_packet_type:packet relabelto;
-')
-
-########################################
-## <summary>
-##	Send all server packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_send_all_server_packets',`
-	gen_require(`
-		attribute server_packet_type;
-	')
-
-	allow $1 server_packet_type:packet send;
-')
-
-########################################
-## <summary>
-##	Receive all server packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_receive_all_server_packets',`
-	gen_require(`
-		attribute server_packet_type;
-	')
-
-	allow $1 server_packet_type:packet recv;
-')
-
-########################################
-## <summary>
-##	Send and receive all server packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_sendrecv_all_server_packets',`
-	corenet_send_all_server_packets($1)
-	corenet_receive_all_server_packets($1)
-')
-
-########################################
-## <summary>
-##	Relabel packets to any server packet type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_relabelto_all_server_packets',`
-	gen_require(`
-		attribute server_packet_type;
-	')
-
-	allow $1 server_packet_type:packet relabelto;
-')
-
-########################################
-## <summary>
-##	Send all packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_send_all_packets',`
-	gen_require(`
-		attribute packet_type;
-	')
-
-	allow $1 packet_type:packet send;
-')
-
-########################################
-## <summary>
-##	Receive all packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_receive_all_packets',`
-	gen_require(`
-		attribute packet_type;
-	')
-
-	allow $1 packet_type:packet recv;
-')
-
-########################################
-## <summary>
-##	Send and receive all packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_sendrecv_all_packets',`
-	corenet_send_all_packets($1)
-	corenet_receive_all_packets($1)
-')
-
-########################################
-## <summary>
-##	Relabel packets to any packet type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_relabelto_all_packets',`
-	gen_require(`
-		attribute packet_type;
-	')
-
-	allow $1 packet_type:packet relabelto;
-')
-
-########################################
-## <summary>
-##	Unconfined access to network objects.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_unconfined',`
-	gen_require(`
-		attribute corenet_unconfined_type;
-	')
-
-	typeattribute $1 corenet_unconfined_type;
-')
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4
deleted file mode 100644
index 51908e2..0000000
--- a/refpolicy/policy/modules/kernel/corenetwork.if.m4
+++ /dev/null
@@ -1,593 +0,0 @@
-#
-# shiftn(num,list...)
-#
-# shift the list num times
-#
-define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
-
-########################################
-#
-# Network Interface generated macros 
-#
-########################################
-
-define(`create_netif_interfaces',``
-########################################
-## <summary>
-##	Send and receive TCP network traffic on the $1 interface.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="both" weight="10"/>
-#
-interface(`corenet_tcp_sendrecv_$1_if',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:netif { tcp_send tcp_recv };
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic on the $1 interface.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="write" weight="10"/>
-#
-interface(`corenet_udp_send_$1_if',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:netif udp_send;
-')
-
-########################################
-## <summary>
-##	Receive UDP network traffic on the $1 interface.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="read" weight="10"/>
-#
-interface(`corenet_udp_receive_$1_if',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:netif udp_recv;
-')
-
-########################################
-## <summary>
-##	Send and receive UDP network traffic on the $1 interface.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="both" weight="10"/>
-#
-interface(`corenet_udp_sendrecv_$1_if',`
-	corenet_udp_send_$1_if(dollarsone)
-	corenet_udp_receive_$1_if(dollarsone)
-')
-
-########################################
-## <summary>
-##	Send raw IP packets on the $1 interface.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="write" weight="10"/>
-#
-interface(`corenet_raw_send_$1_if',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:netif rawip_send;
-')
-
-########################################
-## <summary>
-##	Receive raw IP packets on the $1 interface.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="read" weight="10"/>
-#
-interface(`corenet_raw_receive_$1_if',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:netif rawip_recv;
-')
-
-########################################
-## <summary>
-##	Send and receive raw IP packets on the $1 interface.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="both" weight="10"/>
-#
-interface(`corenet_raw_sendrecv_$1_if',`
-	corenet_raw_send_$1_if(dollarsone)
-	corenet_raw_receive_$1_if(dollarsone)
-')
-'') dnl end create_netif_interfaces
-
-########################################
-#
-# Network node generated macros 
-#
-########################################
-
-define(`create_node_interfaces',``
-########################################
-## <summary>
-##	Send and receive TCP traffic on the $1 node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="both" weight="10"/>
-#
-interface(`corenet_tcp_sendrecv_$1_node',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:node { tcp_send tcp_recv };
-')
-
-########################################
-## <summary>
-##	Send UDP traffic on the $1 node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="write" weight="10"/>
-#
-interface(`corenet_udp_send_$1_node',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:node udp_send;
-')
-
-########################################
-## <summary>
-##	Receive UDP traffic on the $1 node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="read" weight="10"/>
-#
-interface(`corenet_udp_receive_$1_node',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:node udp_recv;
-')
-
-########################################
-## <summary>
-##	Send and receive UDP traffic on the $1 node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="both" weight="10"/>
-#
-interface(`corenet_udp_sendrecv_$1_node',`
-	corenet_udp_send_$1_node(dollarsone)
-	corenet_udp_receive_$1_node(dollarsone)
-')
-
-########################################
-## <summary>
-##	Send raw IP packets on the $1 node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="write" weight="10"/>
-#
-interface(`corenet_raw_send_$1_node',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:node rawip_send;
-')
-
-########################################
-## <summary>
-##	Receive raw IP packets on the $1 node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="write" weight="10"/>
-#
-interface(`corenet_raw_receive_$1_node',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:node rawip_recv;
-')
-
-########################################
-## <summary>
-##	Send and receive raw IP packets on the $1 node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="both" weight="10"/>
-#
-interface(`corenet_raw_sendrecv_$1_node',`
-	corenet_raw_send_$1_node(dollarsone)
-	corenet_raw_receive_$1_node(dollarsone)
-')
-
-########################################
-## <summary>
-##	Bind TCP sockets to node $1.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="none"/>
-#
-interface(`corenet_tcp_bind_$1_node',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:tcp_socket node_bind;
-')
-
-########################################
-## <summary>
-##	Bind UDP sockets to the $1 node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="none"/>
-#
-interface(`corenet_udp_bind_$1_node',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:udp_socket node_bind;
-')
-'') dnl end create_node_interfaces
-
-########################################
-#
-# Network port generated macros 
-#
-########################################
-
-define(`create_port_interfaces',``
-########################################
-## <summary>
-##	Send and receive TCP traffic on the $1 port.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="both" weight="10"/>
-#
-interface(`corenet_tcp_sendrecv_$1_port',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:tcp_socket { send_msg recv_msg };
-')
-
-########################################
-## <summary>
-##	Send UDP traffic on the $1 port.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="write" weight="10"/>
-#
-interface(`corenet_udp_send_$1_port',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:udp_socket send_msg;
-')
-
-########################################
-## <summary>
-##	Receive UDP traffic on the $1 port.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="read" weight="10"/>
-#
-interface(`corenet_udp_receive_$1_port',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:udp_socket recv_msg;
-')
-
-########################################
-## <summary>
-##	Send and receive UDP traffic on the $1 port.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="both" weight="10"/>
-#
-interface(`corenet_udp_sendrecv_$1_port',`
-	corenet_udp_send_$1_port(dollarsone)
-	corenet_udp_receive_$1_port(dollarsone)
-')
-
-########################################
-## <summary>
-##	Bind TCP sockets to the $1 port.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="none"/>
-#
-interface(`corenet_tcp_bind_$1_port',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:tcp_socket name_bind;
-	$4
-')
-
-########################################
-## <summary>
-##	Bind UDP sockets to the $1 port.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="none"/>
-#
-interface(`corenet_udp_bind_$1_port',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:udp_socket name_bind;
-	$4
-')
-
-########################################
-## <summary>
-##	Make a TCP connection to the $1 port.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_tcp_connect_$1_port',`
-	gen_require(`
-		$3 $1_$2;
-	')
-
-	allow dollarsone $1_$2:tcp_socket name_connect;
-')
-'') dnl end create_port_interfaces
-
-define(`create_packet_interfaces',``
-########################################
-## <summary>
-##	Send $1 packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="write" weight="10"/>
-#
-interface(`corenet_send_$1_packets',`
-	gen_require(`
-		type $1_packet_t;
-	')
-
-	allow dollarsone $1_packet_t:packet send;
-')
-
-########################################
-## <summary>
-##	Receive $1 packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="read" weight="10"/>
-#
-interface(`corenet_receive_$1_packets',`
-	gen_require(`
-		type $1_packet_t;
-	')
-
-	allow dollarsone $1_packet_t:packet recv;
-')
-
-########################################
-## <summary>
-##	Send and receive $1 packets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <infoflow type="both" weight="10"/>
-#
-interface(`corenet_sendrecv_$1_packets',`
-	corenet_send_$1_packets(dollarsone)
-	corenet_receive_$1_packets(dollarsone)
-')
-
-########################################
-## <summary>
-##	Relabel packets to $1 the packet type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_relabelto_$1_packets',`
-	gen_require(`
-		type $1_packet_t;
-	')
-
-	allow dollarsone $1_packet_t:packet relabelto;
-')
-'') dnl end create_port_interfaces
-
-#
-# create_netif_*_interfaces(linux_interfacename)
-#
-define(`create_netif_type_interfaces',`
-create_netif_interfaces($1,netif_t,type)
-')
-define(`create_netif_attrib_interfaces',`
-create_netif_interfaces($1,netif,attribute)
-')
-
-#
-# network_interface(linux_interfacename,mls_sensitivity)
-#
-define(`network_interface',`
-create_netif_type_interfaces($1)
-')
-
-#
-# create_node_*_interfaces(node_name)
-#
-define(`create_node_type_interfaces',`
-create_node_interfaces($1,node_t,type)
-')
-define(`create_node_attrib_interfaces',`
-create_node_interfaces($1,node,attribute)
-')
-
-#
-# network_node(node_name,mls_sensitivity,address,netmask)
-#
-define(`network_node',`
-create_node_type_interfaces($1)
-')
-
-# These next three macros have formatting, and should not me indented
-define(`determine_reserved_capability',`dnl
-ifelse($2,`',`',`dnl
-ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
-determine_reserved_capability(shiftn(3,$*))dnl
-')dnl end inner ifelse
-')dnl end outer ifelse
-') dnl end determine reserved capability
-
-#
-# create_port_*_interfaces(port_name, protocol,portnum,mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
-# (these wrap create_port_interfaces to handle attributes and types)
-define(`create_port_type_interfaces',`create_port_interfaces($1,port_t,type,determine_reserved_capability(shift($*)))')
-define(`create_port_attrib_interfaces',`create_port_interfaces($1,port,attribute,determine_reserved_capability(shift($*)))')
-
-#
-# network_port(port_name,protocol portnum mls_sensitivity [,protocol,portnum,mls_sensitivity[,...]])
-#
-define(`network_port',`
-create_port_type_interfaces($*)
-create_packet_interfaces($1_client)
-create_packet_interfaces($1_server)
-')
-
-#
-# network_packet(packet_name)
-#
-define(`network_packet',`
-create_packet_interfaces($1_client)
-create_packet_interfaces($1_server)
-')
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
deleted file mode 100644
index e809365..0000000
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ /dev/null
@@ -1,207 +0,0 @@
-
-policy_module(corenetwork,1.1.12)
-
-########################################
-#
-# Declarations
-#
-
-attribute client_packet_type;
-attribute netif_type;
-attribute node_type;
-attribute packet_type;
-attribute port_type;
-attribute reserved_port_type;
-attribute rpc_port_type;
-attribute server_packet_type;
-
-attribute corenet_unconfined_type;
-
-type ppp_device_t;
-dev_node(ppp_device_t)
-
-#
-# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
-#
-type tun_tap_device_t;
-dev_node(tun_tap_device_t)
-
-########################################
-#
-# Ports and packets
-#
-
-#
-# client_packet_t is the default type of IPv4 and IPv6 client packets.
-#
-type client_packet_t, packet_type, client_packet_type;
-
-#
-# port_t is the default type of INET port numbers.
-#
-type port_t, port_type;
-sid port gen_context(system_u:object_r:port_t,s0)
-
-#
-# reserved_port_t is the type of INET port numbers below 1024.
-#
-type reserved_port_t, port_type, reserved_port_type;
-
-#
-# server_packet_t is the default type of IPv4 and IPv6 server packets.
-#
-type server_packet_t, packet_type, server_packet_type;
-
-network_port(afs_bos, udp,7007,s0)
-network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
-network_port(afs_ka, udp,7004,s0)
-network_port(afs_pt, udp,7002,s0)
-network_port(afs_vl, udp,7003,s0)
-network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
-network_port(amavisd_recv, tcp,10024,s0)
-network_port(amavisd_send, tcp,10025,s0)
-network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
-network_port(auth, tcp,113,s0)
-network_port(bgp, tcp,179,s0, udp,179,s0)
-type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
-network_port(clamd, tcp,3310,s0)
-network_port(clockspeed, udp,4041,s0)
-network_port(comsat, udp,512,s0)
-network_port(cvs, tcp,2401,s0, udp,2401,s0)
-network_port(dcc, udp,6276,s0, udp,6277,s0)
-network_port(dbskkd, tcp,1178,s0)
-network_port(dhcpc, udp,68,s0)
-network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
-network_port(dict, tcp,2628,s0)
-network_port(distccd, tcp,3632,s0)
-network_port(dns, udp,53,s0, tcp,53,s0)
-network_port(fingerd, tcp,79,s0)
-network_port(ftp_data, tcp,20,s0)
-network_port(ftp, tcp,21,s0)
-network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-network_port(giftd, tcp,1213,s0)
-network_port(gopher, tcp,70,s0, udp,70,s0)
-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
-network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
-network_port(i18n_input, tcp,9010,s0)
-network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-network_port(innd, tcp,119,s0)
-network_port(ipp, tcp,631,s0, udp,631,s0)
-network_port(ircd, tcp,6667,s0)
-network_port(isakmp, udp,500,s0)
-network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
-network_port(jabber_interserver, tcp,5269,s0)
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
-network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
-network_port(ktalkd, udp,517,s0, udp,518,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
-type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-network_port(mail, tcp,2000,s0)
-network_port(monopd, tcp,1234,s0)
-network_port(mysqld, tcp,3306,s0)
-network_port(nessus, tcp,1241,s0)
-network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
-network_port(ntp, udp,123,s0)
-network_port(openvpn, udp,1194,s0)
-network_port(pegasus_http, tcp,5988,s0)
-network_port(pegasus_https, tcp,5989,s0)
-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
-network_port(portmap, udp,111,s0, tcp,111,s0)
-network_port(postgresql, tcp,5432,s0)
-network_port(postgrey, tcp,60000,s0)
-network_port(printer, tcp,515,s0)
-network_port(ptal, tcp,5703,s0)
-network_port(pxe, udp,4011,s0)
-network_port(pyzor, udp,24441,s0)
-network_port(radacct, udp,1646,s0, udp,1813,s0)
-network_port(radius, udp,1645,s0, udp,1812,s0)
-network_port(razor, tcp,2703,s0)
-network_port(rlogind, tcp,513,s0)
-network_port(rndc, tcp,953,s0)
-network_port(router, udp,520,s0)
-network_port(rsh, tcp,514,s0)
-network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(smbd, tcp,137-139,s0, tcp,445,s0)
-network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
-network_port(spamd, tcp,783,s0)
-network_port(ssh, tcp,22,s0)
-network_port(soundd, tcp,8000,s0, tcp,9433,s0)
-type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
-type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-network_port(swat, tcp,901,s0)
-network_port(syslogd, udp,514,s0)
-network_port(telnetd, tcp,23,s0)
-network_port(tftp, udp,69,s0)
-network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
-network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
-network_port(transproxy, tcp,8081,s0)
-type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
-network_port(uucpd, tcp,540,s0)
-network_port(vnc, tcp,5900,s0)
-network_port(xen, tcp,8002,s0)
-network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
-network_port(zebra, tcp,2601,s0)
-network_port(zope, tcp,8021,s0)
-
-# Defaults for reserved ports.  Earlier portcon entries take precedence;
-# these entries just cover any remaining reserved ports not otherwise declared.
-portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
-portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
-
-########################################
-#
-# Network nodes
-#
-
-#
-# node_t is the default type of network nodes.
-# The node_*_t types are used for specific network
-# nodes in net_contexts or net_contexts.mls.
-#
-type node_t, node_type;
-sid node gen_context(system_u:object_r:node_t,s0 - s15:c0.c255)
-
-network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
-network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
-type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
-network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
-network_node(lo, s0 - s15:c0.c255, 127.0.0.1, 255.255.255.255)
-network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
-network_node(multicast, s0 - s15:c0.c255, ff00::, ff00::)
-network_node(site_local, s0, fec0::, ffc0::)
-network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
-
-########################################
-#
-# Network Interfaces
-#
-
-#
-# netif_t is the default type of network interfaces.
-#
-type netif_t, netif_type;
-sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
-
-ifdef(`enable_mls',`
-network_interface(lo, lo,s0 - s15:c0.c255)
-')
-
-########################################
-#
-# Unconfined access to this module
-#
-
-allow corenet_unconfined_type node_type:node *;
-allow corenet_unconfined_type netif_type:netif *;
-allow corenet_unconfined_type packet_type:packet *;
-allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
-allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
-
-# Bind to any network address.
-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.m4 b/refpolicy/policy/modules/kernel/corenetwork.te.m4
deleted file mode 100644
index ecae862..0000000
--- a/refpolicy/policy/modules/kernel/corenetwork.te.m4
+++ /dev/null
@@ -1,74 +0,0 @@
-#
-# shiftn(num,list...)
-#
-# shift the list num times
-#
-define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
-
-define(`declare_netifs',`dnl
-netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3)
-ifelse(`$4',`',`',`declare_netifs($1,shiftn(3,$*))')dnl
-')
-
-#
-# network_interface(if_name,linux_interface,mls_sensitivity)
-#
-define(`network_interface',`
-gen_require(`type unlabeled_t')
-type $1_netif_t alias netif_$1_t, netif_type;
-declare_netifs($1_netif_t,shift($*))
-')
-
-define(`declare_nodes',`dnl
-nodecon $3 $4 gen_context(system_u:object_r:$1,$2)
-ifelse(`$5',`',`',`declare_nodes($1,shiftn(4,$*))')dnl
-')
-
-#
-# network_node(node_name,mls_sensitivity,address,netmask[, mls_sensitivity,address,netmask, [...]])
-#
-define(`network_node',`
-type $1_node_t alias node_$1_t, node_type;
-declare_nodes($1_node_t,shift($*))
-')
-
-# These next three macros have formatting, and should not me indented
-define(`determine_reserved_capability',`dnl
-ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
-ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifelse
-')dnl end outer ifelse
-') dnl end determine reserved capability
-
-define(`determine_reserved_capability_depend',`dnl
-ifelse(eval($2 < 1024),1,`class capability net_bind_service;',`dnl
-ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inner ifelse
-')dnl end outer ifelse
-') dnl end determine reserved capability depend
-
-define(`declare_ports',`dnl
-ifelse(eval($3 < 1024),1,`
-typeattribute $1 reserved_port_type;
-#bindresvport in glibc starts searching for reserved ports at 600
-ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
-',`dnl')
-portcon $2 $3 gen_context(system_u:object_r:$1,$4)
-ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
-')
-
-#
-# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
-#
-define(`network_port',`
-type $1_port_t, port_type;
-type $1_client_packet_t, packet_type, client_packet_type;
-type $1_server_packet_t, packet_type, server_packet_type;
-declare_ports($1_port_t,shift($*))
-')
-
-#
-# network_packet(packet_name)
-#
-define(`network_packet',`
-type $1_client_packet_t, packet_type, client_packet_type;
-type $1_server_packet_t, packet_type, server_packet_type;
-')
diff --git a/refpolicy/policy/modules/kernel/devices.fc b/refpolicy/policy/modules/kernel/devices.fc
deleted file mode 100644
index f83f36f..0000000
--- a/refpolicy/policy/modules/kernel/devices.fc
+++ /dev/null
@@ -1,104 +0,0 @@
-
-/dev			-d	gen_context(system_u:object_r:device_t,s0)
-/dev/.*				gen_context(system_u:object_r:device_t,s0)
-
-/dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/adsp		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/(misc/)?agpgart	-c	gen_context(system_u:object_r:agp_device_t,s0)
-/dev/aload.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/amidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/amixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/apm_bios		-c	gen_context(system_u:object_r:apm_bios_t,s0)
-/dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/console		-c	gen_context(system_u:object_r:console_device_t,s0)
-/dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
-/dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
-/dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
-/dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
-/dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
-/dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
-/dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
-/dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
-/dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
-/dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
-/dev/mem		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
-/dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
-/dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
-/dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
-/dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-/dev/nvram		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
-/dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
-/dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
-/dev/port		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
-/dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
-/dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
-/dev/(misc/)?rtc	-c	gen_context(system_u:object_r:clock_device_t,s0)
-/dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/smpte.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/smu		-c	gen_context(system_u:object_r:power_device_t,s0)
-/dev/srnd[0-7]		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
-/dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
-ifdef(`distro_suse', `
-/dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
-')
-/dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
-/dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
-/dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/watchdog		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
-/dev/winradio.		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/z90crypt		-c	gen_context(system_u:object_r:crypt_device_t,s0)
-/dev/zero		-c	gen_context(system_u:object_r:zero_device_t,s0)
-
-/dev/bus/usb/.*/[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
-
-/dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
-/dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)
-
-/dev/dri/.+		-c	gen_context(system_u:object_r:dri_device_t,s0)
-
-/dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-
-/dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
-/dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-
-/dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
-
-/dev/pts(/.*)?			<<none>>
-
-/dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
-
-/dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
-/dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
-/dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
-/dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
-
-/dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
-
-ifdef(`distro_redhat',`
-# originally from named.fc
-/var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
-/var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
-/var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
-')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
deleted file mode 100644
index 5449c4d..0000000
--- a/refpolicy/policy/modules/kernel/devices.if
+++ /dev/null
@@ -1,2971 +0,0 @@
-## <summary>
-## Device nodes and interfaces for many basic system devices.
-## </summary>
-## <desc>
-## <p>
-## This module creates the device node concept and provides
-## the policy for many of the device files. Notable exceptions are
-## the mass storage and terminal devices that are covered by other
-## modules.
-## </p>
-## <p>
-## This module creates the concept of a device node. That is a
-## char or block device file, usually in /dev. All types that
-## are used to label device nodes should use the dev_node macro.
-## </p>
-## <p>
-## Additionally, this module controls access to three things:
-##	<ul>
-##		<li>the device directories containing device nodes</li>
-##		<li>device nodes as a group</li>
-##		<li>individual access to specific device nodes covered by
-##		this module.</li>
-##	</ul>
-## </p>
-## </desc>
-## <required val="true">
-##	Depended on by other required modules.
-## </required>
-
-########################################
-## <summary>
-##	Make the passed in type a type appropriate for
-##	use on device nodes (usually files in /dev).
-## </summary>
-## <param name="object_type">
-##	<summary>
-##	The object type that will be used on device nodes.
-##	</summary>
-## </param>
-#
-interface(`dev_node',`
-	gen_require(`
-		attribute device_node;
-	')
-
-	typeattribute $1 device_node;
-')
-
-########################################
-## <summary>
-##	Allow full relabeling (to and from) of all device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to relabel.
-##	</summary>
-## </param>
-#
-interface(`dev_relabel_all_dev_nodes',`
-	gen_require(`
-		attribute device_node;
-		type device_t;
-	')
-
-	allow $1 device_node:dir { getattr relabelfrom };
-	allow $1 device_node:file { getattr relabelfrom };
-	allow $1 device_node:lnk_file { getattr relabelfrom };
-	allow $1 device_node:fifo_file { getattr relabelfrom };
-	allow $1 device_node:sock_file { getattr relabelfrom };
-	allow $1 { device_t device_node }:blk_file { getattr relabelfrom relabelto };
-	allow $1 { device_t device_node }:chr_file { getattr relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	List all of the device nodes in a device directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to list device nodes.
-##	</summary>
-## </param>
-#
-interface(`dev_list_all_dev_nodes',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 device_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Set the attributes of /dev directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_generic_dirs',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir setattr;
-')
-
-########################################
-## <summary>
-##	Dontaudit attempts to list all device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to dontaudit listing of device nodes.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_list_all_dev_nodes',`
-	gen_require(`
-		type device_t;
-	')
-
-	dontaudit $1 device_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create a directory in the device directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to create the directory.
-##	</summary>
-## </param>
-#
-interface(`dev_create_generic_dirs',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir { ra_dir_perms create };
-')
-
-########################################
-## <summary>
-##	Allow full relabeling (to and from) of directories in /dev.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to relabel.
-##	</summary>
-## </param>
-#
-interface(`dev_relabel_generic_dev_dirs',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Read and write generic files in /dev.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_generic_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir search;
-	allow $1 device_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Delete generic files in /dev.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_delete_generic_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir { search write remove_name };
-	allow $1 device_t:file unlink;
-')
-
-########################################
-## <summary>
-##	Create a file in the device directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to create the files.
-##	</summary>
-## </param>
-#
-interface(`dev_manage_generic_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	allow $1 device_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Dontaudit getattr on generic pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to dontaudit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_generic_pipes',`
-	gen_require(`
-		type device_t;
-	')
-
-	dontaudit $1 device_t:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Allow getattr on generic block devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_generic_blk_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 device_t:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Dontaudit getattr on generic block devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to dontaudit access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_generic_blk_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	dontaudit $1 device_t:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Dontaudit setattr on generic block devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to dontaudit access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_setattr_generic_blk_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	dontaudit $1 device_t:blk_file setattr;
-')
-
-########################################
-## <summary>
-##	Allow read, write, and create for generic character device files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_create_generic_chr_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir ra_dir_perms;
-	allow $1 device_t:chr_file create;
-
-	allow $1 self:capability mknod;
-')
-
-########################################
-## <summary>
-##	Allow getattr for generic character device files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_generic_chr_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Dontaudit getattr for generic character device files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to dontaudit access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_generic_chr_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	dontaudit $1 device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Dontaudit setattr for generic character device files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to dontaudit access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_setattr_generic_chr_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	dontaudit $1 device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to set the attributes
-##	of symbolic links in device directories (/dev).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_setattr_generic_symlinks',`
-	gen_require(`
-		type device_t;
-	')
-
-	dontaudit $1 device_t:lnk_file setattr;
-')
-
-########################################
-## <summary>
-##	Delete symbolic links in device directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_delete_generic_symlinks',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir { getattr read write remove_name };
-	allow $1 device_t:lnk_file unlink;
-')
-
-########################################
-## <summary>
-##	Create, delete, read, and write symbolic links in device directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_manage_generic_symlinks',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	allow $1 device_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Relabel symbolic links in device directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_relabel_generic_symlinks',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 device_t:lnk_file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Create, delete, read, and write device nodes in device directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_manage_all_dev_nodes',`
-	gen_require(`
-		attribute device_node, memory_raw_read, memory_raw_write;
-		type device_t;
-	')
-
-	allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
-	allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
-	allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-	allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-
-	# these next rules are to satisfy assertions broken by the above lines.
-	# the permissions hopefully can be cut back a lot
-	storage_raw_read_fixed_disk($1)
-	storage_raw_write_fixed_disk($1)
-	storage_read_scsi_generic($1)
-	storage_write_scsi_generic($1)
-
-	typeattribute $1 memory_raw_read;
-	typeattribute $1 memory_raw_write;
-')
-
-########################################
-## <summary>
-##	Dontaudit getattr for generic device files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to dontaudit access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_rw_generic_dev_nodes',`
-	gen_require(`
-		type device_t;
-	')
-
-	dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
-')
-
-########################################
-## <summary>
-##	Create, delete, read, and write block device files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_manage_generic_blk_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	allow $1 device_t:blk_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, delete, read, and write character device files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_manage_generic_chr_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	allow $1 device_t:chr_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, and write device nodes. The node
-##	will be transitioned to the type provided.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="file">
-##	<summary>
-##	Type to which the created node will be transitioned.
-##	</summary>
-## </param>
-## <param name="objectclass(es)">
-##	<summary>
-##	Object class(es) (single or set including {}) for which this
-##	the transition will occur.
-##	</summary>
-## </param>
-#
-interface(`dev_filetrans',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	type_transition $1 device_t:$3 $2;
-
-	fs_associate_tmpfs($2)
-	files_associate_tmp($2)
-')
-
-########################################
-## <summary>
-##	Getattr on all block file device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_all_blk_files',`
-	gen_require(`
-		attribute device_node;
-	')
-
-	allow $1 device_node:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Dontaudit getattr on all block file device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to dontaudit access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_all_blk_files',`
-	gen_require(`
-		attribute device_node;
-	')
-
-	dontaudit $1 device_node:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Getattr on all character file device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_all_chr_files',`
-	gen_require(`
-		attribute device_node;
-	')
-
-	allow $1 device_node:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Dontaudit getattr on all character file device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to dontaudit access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_all_chr_files',`
-	gen_require(`
-		attribute device_node;
-	')
-
-	dontaudit $1 device_node:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Setattr on all block file device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_all_blk_files',`
-	gen_require(`
-		attribute device_node;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 device_node:blk_file setattr;
-')
-
-########################################
-## <summary>
-##	Setattr on all character file device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_all_chr_files',`
-	gen_require(`
-		attribute device_node;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 device_node:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Dontaudit read on all block file device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_read_all_blk_files',`
-	gen_require(`
-		attribute device_node;
-	')
-
-	dontaudit $1 device_node:blk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Dontaudit read on all character file device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_read_all_chr_files',`
-	gen_require(`
-		attribute device_node;
-	')
-
-	dontaudit $1 device_node:chr_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read, write, create, and delete all block device files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_manage_all_blk_files',`
-	gen_require(`
-		attribute device_node;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	allow $1 device_node:blk_file create_file_perms;
-
-	# these next rules are to satisfy assertions broken by the above lines.
-	storage_raw_read_fixed_disk($1)
-	storage_raw_write_fixed_disk($1)
-	storage_read_scsi_generic($1)
-	storage_write_scsi_generic($1)
-')
-
-########################################
-## <summary>
-##	Read, write, create, and delete all character device files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_manage_all_chr_files',`
-	gen_require(`
-		attribute device_node, memory_raw_read, memory_raw_write;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	allow $1 device_node:chr_file create_file_perms;
-
-	typeattribute $1 memory_raw_read, memory_raw_write;
-')
-
-########################################
-## <summary>
-##	Getattr the agp devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_agp_dev',`
-	gen_require(`
-		type device_t, agp_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 agp_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Read and write the agp devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_agp',`
-	gen_require(`
-		type device_t, agp_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 agp_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the apm bios device node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_apm_bios_dev',`
-	gen_require(`
-		type device_t, apm_bios_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 apm_bios_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes of
-##	the apm bios device node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_apm_bios_dev',`
-	gen_require(`
-		type apm_bios_t;
-	')
-
-	dontaudit $1 apm_bios_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of the apm bios device node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_apm_bios_dev',`
-	gen_require(`
-		type device_t, apm_bios_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 apm_bios_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to set the attributes of
-##	the apm bios device node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_setattr_apm_bios_dev',`
-	gen_require(`
-		type apm_bios_t;
-	')
-
-	dontaudit $1 apm_bios_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read and write the apm bios.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_apm_bios',`
-	gen_require(`
-		type device_t, apm_bios_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 apm_bios_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the PCMCIA card manager device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_cardmgr',`
-	gen_require(`
-		type cardmgr_dev_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 cardmgr_dev_t:chr_file { read write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and
-##	write the PCMCIA card manager device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_rw_cardmgr',`
-	gen_require(`
-		type cardmgr_dev_t;
-	')
-
-	dontaudit $1 cardmgr_dev_t:chr_file { read write };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	the PCMCIA card manager device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_manage_cardmgr_dev',`
-	gen_require(`
-		type device_t, cardmgr_dev_t;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	the PCMCIA card manager device
-##	with the correct type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_create_cardmgr_dev',`
-	gen_require(`
-		type device_t, cardmgr_dev_t;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
-	type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the CPU
-##	microcode and id interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_cpu_dev',`
-	gen_require(`
-		type device_t, cpu_device_t;
-	')
-
-	allow $1 device_t:dir search;
-	allow $1 cpu_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Read the CPU identity.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_cpuid',`
-	gen_require(`
-		type device_t, cpu_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 cpu_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the the CPU microcode device. This
-##	is required to load CPU microcode.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_cpu_microcode',`
-	gen_require(`
-		type device_t, cpu_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 cpu_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the the hardware SSL accelerator.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_crypto',`
-	gen_require(`
-		type device_t, crypt_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 crypt_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	getattr the dri devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_dri_dev',`
-	gen_require(`
-		type device_t, dri_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 dri_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Setattr the dri devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_dri_dev',`
-	gen_require(`
-		type device_t, dri_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 dri_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read and write the dri devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_dri',`
-	gen_require(`
-		type device_t, dri_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 dri_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Dontaudit read and write on the dri devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to dontaudit access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_rw_dri',`
-	gen_require(`
-		type dri_device_t;
-	')
-
-	dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the dri devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_manage_dri_dev',`
-	gen_require(`
-		type device_t, dri_device_t;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	allow $1 dri_device_t:chr_file manage_file_perms;
-	type_transition $1 device_t:chr_file dri_device_t;
-')
-
-########################################
-## <summary>
-##	Read input event devices (/dev/input).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_input',`
-	gen_require(`
-		type device_t, event_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 event_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read input event devices (/dev/input).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_input_dev',`
-	gen_require(`
-		type device_t, event_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 event_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the framebuffer device node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_framebuffer_dev',`
-	gen_require(`
-		type device_t, framebuf_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 framebuf_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of the framebuffer device node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_framebuffer_dev',`
-	gen_require(`
-		type device_t, framebuf_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 framebuf_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Dot not audit attempts to set the attributes
-##	of the framebuffer device node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_setattr_framebuffer_dev',`
-	gen_require(`
-		type framebuf_device_t;
-	')
-
-	dontaudit $1 framebuf_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read the framebuffer.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_framebuffer',`
-	gen_require(`
-		type framebuf_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 framebuf_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read the framebuffer.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_read_framebuffer',`
-	gen_require(`
-		type framebuf_device_t;
-	')
-
-	dontaudit $1 framebuf_device_t:chr_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Write the framebuffer.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_write_framebuffer',`
-	gen_require(`
-		type device_t, framebuf_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 framebuf_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-## <summary>
-##	Read and write the framebuffer.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_framebuffer',`
-	gen_require(`
-		type device_t, framebuf_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 framebuf_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read the lvm comtrol device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_lvm_control',`
-	gen_require(`
-		type device_t, lvm_control_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 lvm_control_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the lvm control device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_lvm_control',`
-	gen_require(`
-		type device_t, lvm_control_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 lvm_control_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Delete the lvm control device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_delete_lvm_control_dev',`
-	gen_require(`
-		type device_t, lvm_control_t;
-	')
-
-	allow $1 device_t:dir { getattr search read write remove_name };
-	allow $1 lvm_control_t:chr_file unlink;
-')
-
-########################################
-## <summary>
-##	dontaudit getattr raw memory devices (e.g. /dev/mem).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_memory_dev',`
-	gen_require(`
-		type memory_device_t;
-	')
-
-	dontaudit $1 memory_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Read raw memory devices (e.g. /dev/mem).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_raw_memory',`
-	gen_require(`
-		type device_t, memory_device_t;
-		attribute memory_raw_read;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 memory_device_t:chr_file r_file_perms;
-
-	allow $1 self:capability sys_rawio;
-	typeattribute $1 memory_raw_read;
-')
-
-########################################
-## <summary>
-##	Write raw memory devices (e.g. /dev/mem).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_write_raw_memory',`
-	gen_require(`
-		type device_t, memory_device_t;
-		attribute memory_raw_write;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 memory_device_t:chr_file write;
-
-	allow $1 self:capability sys_rawio;
-	typeattribute $1 memory_raw_write;
-')
-
-########################################
-## <summary>
-##	Read and execute raw memory devices (e.g. /dev/mem).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rx_raw_memory',`
-	gen_require(`
-		type device_t, memory_device_t;
-	')
-
-	dev_read_raw_memory($1)
-	allow $1 memory_device_t:chr_file execute;
-')
-
-########################################
-## <summary>
-##	Write and execute raw memory devices (e.g. /dev/mem).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_wx_raw_memory',`
-	gen_require(`
-		type device_t, memory_device_t;
-	')
-
-	dev_write_raw_memory($1)
-	allow $1 memory_device_t:chr_file execute;
-')
-
-########################################
-## <summary>
-##	Get the attributes of miscellaneous devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_misc_dev',`
-	gen_require(`
-		type device_t, misc_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 misc_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of miscellaneous devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_misc_dev',`
-	gen_require(`
-		type misc_device_t;
-	')
-
-	dontaudit $1 misc_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of miscellaneous devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_misc_dev',`
-	gen_require(`
-		type device_t, misc_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 misc_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to set the attributes
-##	of miscellaneous devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_setattr_misc_dev',`
-	gen_require(`
-		type misc_device_t;
-	')
-
-	dontaudit $1 misc_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read miscellaneous devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_misc',`
-	gen_require(`
-		type device_t, misc_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 misc_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Write miscellaneous devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_write_misc',`
-	gen_require(`
-		type device_t, misc_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 misc_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write miscellaneous devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_rw_misc',`
-	gen_require(`
-		type misc_device_t;
-	')
-
-	dontaudit $1 misc_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the mouse devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_mouse_dev',`
-	gen_require(`
-		type device_t, mouse_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 mouse_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of the mouse devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_mouse_dev',`
-	gen_require(`
-		type device_t, mouse_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 mouse_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read the mouse devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_mouse',`
-	gen_require(`
-		type device_t, mouse_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 mouse_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##      Read and write to mouse devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_mouse',`
-	gen_require(`
-		type device_t, mouse_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 mouse_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the mtrr device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_mtrr_dev',`
-	gen_require(`
-		type device_t, mtrr_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-
-	# proc entry is a file.  added for nmbd_t
-	allow $1 mtrr_device_t:{ file chr_file } getattr;
-')
-
-########################################
-## <summary>
-##	Read the mtrr device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_mtrr',`
-	gen_require(`
-		type device_t, mtrr_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 mtrr_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Write the mtrr device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_write_mtrr',`
-	gen_require(`
-		type device_t, mtrr_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 mtrr_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-## <summary>
-##	Read and write the mtrr device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_mtrr',`
-	dev_read_mtrr($1)
-	dev_write_mtrr($1)
-')
-
-########################################
-## <summary>
-##	Read and write to the null device (/dev/null).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_null',`
-	gen_require(`
-		type device_t, null_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 null_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the printer device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_printer_dev',`
-	gen_require(`
-		type device_t, printer_device_t;
-	')
-
-	allow $1 device_t:dir search_dir_perms;
-	allow $1 printer_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of the printer device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_printer_dev',`
-	gen_require(`
-		type device_t, printer_device_t;
-	')
-
-	allow $1 device_t:dir search_dir_perms;
-	allow $1 printer_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Append the printer device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for lpd/checkpc_t
-interface(`dev_append_printer',`
-	gen_require(`
-		type device_t, printer_device_t;
-	')
-
-	allow $1 device_t:dir search;
-	allow $1 printer_device_t:chr_file { getattr append };
-')
-
-########################################
-## <summary>
-##	Read and write the printer device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_printer',`
-	gen_require(`
-		type device_t, printer_device_t;
-	')
-
-	allow $1 device_t:dir search;
-	allow $1 printer_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read from random number generator
-##	devices (e.g., /dev/random)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_rand',`
-	gen_require(`
-		type device_t, random_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 random_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read from random
-##	number generator devices (e.g., /dev/random)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_read_rand',`
-	gen_require(`
-		type random_device_t;
-	')
-
-	dontaudit $1 random_device_t:chr_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Write to the random device (e.g., /dev/random). This adds
-##	entropy used to generate the random data read from the
-##	random device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_write_rand',`
-	gen_require(`
-		type device_t, random_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 random_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-## <summary>
-##	Read the realtime clock (/dev/rtc).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_realtime_clock',`
-	gen_require(`
-		type device_t, clock_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 clock_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Set the realtime clock (/dev/rtc).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_write_realtime_clock',`
-	gen_require(`
-		type device_t, clock_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
-')
-
-########################################
-## <summary>
-##	Read and set the realtime clock (/dev/rtc).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_realtime_clock',`
-	dev_read_realtime_clock($1)
-	dev_write_realtime_clock($1)
-')
-
-########################################
-## <summary>
-##	Get the attributes of the scanner device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_scanner_dev',`
-	gen_require(`
-		type device_t, scanner_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 scanner_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes of
-##	the scanner device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_scanner_dev',`
-	gen_require(`
-		type scanner_device_t;
-	')
-
-	dontaudit $1 scanner_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of the scanner device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_scanner_dev',`
-	gen_require(`
-		type device_t, scanner_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 scanner_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to set the attributes of
-##	the scanner device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_setattr_scanner_dev',`
-	gen_require(`
-		type scanner_device_t;
-	')
-
-	dontaudit $1 scanner_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read and write the scanner device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_scanner',`
-	gen_require(`
-		type device_t, scanner_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 scanner_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the sound devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_sound_dev',`
-	gen_require(`
-		type device_t, sound_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 sound_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of the sound devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_sound_dev',`
-	gen_require(`
-		type device_t, sound_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 sound_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read the sound devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_sound',`
-	gen_require(`
-		type device_t, sound_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 sound_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Write the sound devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_write_sound',`
-	gen_require(`
-		type device_t, sound_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 sound_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-## <summary>
-##	Read the sound mixer devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_sound_mixer',`
-	gen_require(`
-		type device_t, sound_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 sound_device_t:chr_file { getattr read ioctl };
-')
-
-########################################
-## <summary>
-##	Write the sound mixer devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_write_sound_mixer',`
-	gen_require(`
-		type device_t, sound_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 sound_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-## <summary>
-##	Get the attributes of the the power management device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_power_mgmt_dev',`
-	gen_require(`
-		type device_t, power_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 power_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of the the power management device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_power_mgmt_dev',`
-	gen_require(`
-		type device_t, power_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 power_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read and write the the power management device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_power_management',`
-	gen_require(`
-		type device_t, power_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 power_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of sysfs directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_sysfs_dirs',`
-	gen_require(`
-		type sysfs_t;
-	')
-
-	allow $1 sysfs_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the sysfs directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dev_search_sysfs',`
-	gen_require(`
-		type sysfs_t;
-	')
-
-	allow $1 sysfs_t:dir search;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search sysfs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_search_sysfs',`
-	gen_require(`
-		type sysfs_t;
-	')
-
-	dontaudit $1 sysfs_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of the sysfs directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dev_list_sysfs',`
-	gen_require(`
-		type sysfs_t;
-	')
-
-	allow $1 sysfs_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Allow caller to read hardware state information.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading hardware state information.
-##	</summary>
-## </param>
-#
-interface(`dev_read_sysfs',`
-	gen_require(`
-		type sysfs_t;
-	')
-
-	allow $1 sysfs_t:dir r_dir_perms;
-	allow $1 sysfs_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow caller to modify hardware state information.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type modifying hardware state information.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_sysfs',`
-	gen_require(`
-		type sysfs_t;
-	')
-
-	allow $1 sysfs_t:dir r_dir_perms;
-	allow $1 sysfs_t:lnk_file r_file_perms;
-	allow $1 sysfs_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read from pseudo random devices (e.g., /dev/urandom)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_urand',`
-	gen_require(`
-		type device_t, urandom_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 urandom_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read from pseudo
-##	random devices (e.g., /dev/urandom)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_read_urand',`
-	gen_require(`
-		type urandom_device_t;
-	')
-
-	dontaudit $1 urandom_device_t:chr_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Write to the pseudo random device (e.g., /dev/urandom). This
-##	sets the random number generator seed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_write_urand',`
-	gen_require(`
-		type device_t, urandom_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 urandom_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-## <summary>
-##	Getattr generic the USB devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_generic_usb_dev',`
-	gen_require(`
-		type usb_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 usb_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Setattr generic the USB devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_generic_usb_dev',`
-	gen_require(`
-		type usb_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 usb_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read and write generic the USB devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_generic_usb_dev',`
-	gen_require(`
-		type usb_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 usb_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Mount a usbfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dev_mount_usbfs',`
-	gen_require(`
-		type usbfs_t;
-	')
-
-	allow $1 usbfs_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Associate a file to a usbfs filesystem.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	The type of the file to be associated to usbfs.
-##	</summary>
-## </param>
-#
-interface(`dev_associate_usbfs',`
-	gen_require(`
-		type usbfs_t;
-	')
-
-	allow $1 usbfs_t:filesystem associate;
-')
-
-########################################
-## <summary>
-##	Get the attributes of a directory in the usb filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_usbfs_dirs',`
-	gen_require(`
-		type usbfs_t;
-	')
-
-	allow $1 usbfs_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of a directory in the usb filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_usbfs_dirs',`
-	gen_require(`
-		type usbfs_t;
-	')
-
-	dontaudit $1 usbfs_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the directory containing USB hardware information.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dev_search_usbfs',`
-	gen_require(`
-		type usbfs_t;
-	')
-
-	allow $1 usbfs_t:dir search;
-')
-
-########################################
-## <summary>
-##	Allow caller to get a list of usb hardware.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type getting the list.
-##	</summary>
-## </param>
-#
-interface(`dev_list_usbfs',`
-	gen_require(`
-		type usbfs_t;
-	')
-
-	allow $1 usbfs_t:dir r_dir_perms;
-	allow $1 usbfs_t:lnk_file r_file_perms;
-	allow $1 usbfs_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of usbfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_usbfs_files',`
-	gen_require(`
-		type usbfs_t;
-	')
-
-	allow $1 usbfs_t:dir r_dir_perms;
-	allow $1 usbfs_t:file setattr;
-')
-
-########################################
-## <summary>
-##	Read USB hardware information using
-##	the usbfs filesystem interface.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`dev_read_usbfs',`
-	gen_require(`
-		type usbfs_t;
-	')
-
-	allow $1 usbfs_t:dir r_dir_perms;
-	allow $1 usbfs_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow caller to modify usb hardware configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type modifying the options.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_usbfs',`
-	gen_require(`
-		type usbfs_t;
-	')
-
-	allow $1 usbfs_t:dir r_dir_perms;
-	allow $1 usbfs_t:lnk_file r_file_perms;
-	allow $1 usbfs_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of video4linux devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_video_dev',`
-	gen_require(`
-		type device_t, v4l_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 v4l_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of video4linux device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_video_dev',`
-	gen_require(`
-		type v4l_device_t;
-	')
-
-	dontaudit $1 v4l_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of video4linux device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_video_dev',`
-	gen_require(`
-		type device_t, v4l_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 v4l_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to set the attributes
-##	of video4linux device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_setattr_video_dev',`
-	gen_require(`
-		type v4l_device_t;
-	')
-
-	dontaudit $1 v4l_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read the video4linux devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_video_dev',`
-	gen_require(`
-		type device_t, v4l_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 device_t:lnk_file { getattr read };
-	allow $1 v4l_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write VMWare devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_vmware',`
-	gen_require(`
-		type device_t, vmware_device_t;
-	')
-
-	allow $1 device_t:dir list_dir_perms;
-	allow $1 vmware_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read, write, and mmap VMWare devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rwx_vmware',`
-	gen_require(`
-		type device_t, vmware_device_t;
-	')
-
-	allow $1 device_t:dir list_dir_perms;
-	allow $1 vmware_device_t:chr_file { rw_file_perms execute };
-')
-
-########################################
-## <summary>
-##	Write to watchdog devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_write_watchdog',`
-	gen_require(`
-		type device_t, watchdog_device_t;
-	')
-
-	allow $1 device_t:dir list_dir_perms;
-	allow $1 watchdog_device_t:chr_file { getattr write };
-')
-
-########################################
-## <summary>
-##	Read and write Xen devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_xen',`
-	gen_require(`
-		type device_t, xen_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete Xen devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_manage_xen',`
-	gen_require(`
-		type device_t, xen_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Automatic type transition to the type
-##	for xen device nodes when created in /dev.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_filetrans_xen',`
-	gen_require(`
-		type device_t, xen_device_t;
-	')
-
-	allow $1 device_t:dir rw_dir_perms;
-	type_transition $1 device_t:chr_file xen_device_t;
-')
-
-########################################
-## <summary>
-##	Get the attributes of X server miscellaneous devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_getattr_xserver_misc_dev',`
-	gen_require(`
-		type device_t, xserver_misc_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 xserver_misc_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of X server miscellaneous devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_setattr_xserver_misc_dev',`
-	gen_require(`
-		type device_t, xserver_misc_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 xserver_misc_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read and write X server miscellaneous devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_xserver_misc',`
-	gen_require(`
-		type device_t, xserver_misc_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 xserver_misc_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write to the zero device (/dev/zero).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_zero',`
-	gen_require(`
-		type device_t, zero_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 zero_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read, write, and execute the zero device (/dev/zero).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rwx_zero',`
-	gen_require(`
-		type zero_device_t;
-	')
-
-	dev_rw_zero($1)
-	allow $1 zero_device_t:chr_file execute;
-')
-
-########################################
-## <summary>
-##	Execmod the zero device (/dev/zero).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_execmod_zero',`
-	gen_require(`
-		type zero_device_t;
-	')
-
-	dev_rw_zero($1)
-	allow $1 zero_device_t:chr_file execmod;
-')
-
-########################################
-## <summary>
-##	Unconfined access to devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_unconfined',`
-	gen_require(`
-		attribute devices_unconfined_type;
-	')
-
-	typeattribute $1 devices_unconfined_type;
-')
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
deleted file mode 100644
index 8edb0f5..0000000
--- a/refpolicy/policy/modules/kernel/devices.te
+++ /dev/null
@@ -1,209 +0,0 @@
-
-policy_module(devices,1.1.14)
-
-########################################
-#
-# Declarations
-#
-
-attribute device_node;
-attribute memory_raw_read;
-attribute memory_raw_write;
-attribute devices_unconfined_type;
-
-#
-# device_t is the type of /dev.
-#
-type device_t;
-fs_associate_tmpfs(device_t)
-files_type(device_t)
-files_mountpoint(device_t)
-files_associate_tmp(device_t)
-
-# Only directories and symlinks should be labeled device_t.
-# If there are other files with this type, it is wrong.
-# Relabelto is allowed for setfiles to function, in case
-# a device node has no specific type yet, but is for some
-# reason labeled with a specific type
-#cjp: want this, but udev policy breaks this
-#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
-
-#
-# Type for /dev/agpgart
-#
-type agp_device_t;
-dev_node(agp_device_t)
-
-#
-# Type for /dev/apm_bios
-#
-type apm_bios_t;
-dev_node(apm_bios_t)
-
-type cardmgr_dev_t;
-dev_node(cardmgr_dev_t)
-files_tmp_file(cardmgr_dev_t)
-
-#
-# clock_device_t is the type of
-# /dev/rtc.
-#
-type clock_device_t;
-dev_node(clock_device_t)
-
-#
-# cpu control devices /dev/cpu/0/*
-#
-type cpu_device_t;
-dev_node(cpu_device_t)
-
-# for the IBM zSeries z90crypt hardware ssl accelorator
-type crypt_device_t;
-dev_node(crypt_device_t)
-
-type dri_device_t;
-dev_node(dri_device_t)
-
-type event_device_t;
-dev_node(event_device_t)
-
-#
-# Type for framebuffer /dev/fb/*
-#
-type framebuf_device_t;
-dev_node(framebuf_device_t)
-
-#
-# Type for /dev/mapper/control
-#
-type lvm_control_t;
-dev_node(lvm_control_t)
-
-#
-# memory_device_t is the type of /dev/kmem,
-# /dev/mem and /dev/port.
-#
-type memory_device_t;
-dev_node(memory_device_t)
-
-neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read;
-neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write };
-
-type misc_device_t;
-dev_node(misc_device_t)
-
-#
-# A more general type for mouse devices.
-#
-type mouse_device_t;
-dev_node(mouse_device_t)
-
-#
-# Type for /dev/cpu/mtrr and /proc/mtrr
-#
-type mtrr_device_t;
-dev_node(mtrr_device_t)
-genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
-
-#
-# null_device_t is the type of /dev/null.
-#
-type null_device_t;
-dev_node(null_device_t)
-mls_trusted_object(null_device_t)
-sid devnull gen_context(system_u:object_r:null_device_t,s0)
-
-#
-# Type for /dev/pmu 
-#
-type power_device_t;
-dev_node(power_device_t)
-
-type printer_device_t;
-dev_node(printer_device_t)
-
-#
-# random_device_t is the type of /dev/random
-#
-type random_device_t;
-dev_node(random_device_t)
-
-type scanner_device_t;
-dev_node(scanner_device_t)
-
-#
-# Type for sound devices and mixers
-#
-type sound_device_t;
-dev_node(sound_device_t)
-
-#
-# sysfs_t is the type for the /sys pseudofs
-#
-type sysfs_t;
-files_mountpoint(sysfs_t)
-fs_type(sysfs_t)
-genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
-
-#
-# urandom_device_t is the type of /dev/urandom
-#
-type urandom_device_t;
-dev_node(urandom_device_t)
-
-#
-# usbfs_t is the type for the /proc/bus/usb pseudofs
-#
-type usbfs_t alias usbdevfs_t;
-files_mountpoint(usbfs_t)
-fs_noxattr_type(usbfs_t)
-genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
-genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
-
-#
-# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
-#
-type usb_device_t;
-dev_node(usb_device_t)
-
-type v4l_device_t;
-dev_node(v4l_device_t)
-
-# Type for vmware devices.
-type vmware_device_t;
-dev_node(vmware_device_t)
-
-type watchdog_device_t;
-dev_node(vmware_device_t)
-
-type xen_device_t;
-dev_node(xen_device_t)
-
-type xserver_misc_device_t;
-dev_node(xserver_misc_device_t)
-
-#
-# zero_device_t is the type of /dev/zero.
-#
-type zero_device_t;
-dev_node(zero_device_t)
-mls_trusted_object(zero_device_t)
-
-########################################
-#
-# Rules for all device nodes
-#
-
-fs_associate(device_node)
-fs_associate_tmpfs(device_node)
-
-files_associate_tmp(device_node)
-
-########################################
-#
-# Unconfined access to this module
-#
-
-allow devices_unconfined_type self:capability sys_rawio;
-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
-allow devices_unconfined_type mtrr_device_t:{ dir file } *;
diff --git a/refpolicy/policy/modules/kernel/domain.fc b/refpolicy/policy/modules/kernel/domain.fc
deleted file mode 100644
index 7be4ddf..0000000
--- a/refpolicy/policy/modules/kernel/domain.fc
+++ /dev/null
@@ -1 +0,0 @@
-# This module currently does not have any file contexts.
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
deleted file mode 100644
index 3de6530..0000000
--- a/refpolicy/policy/modules/kernel/domain.if
+++ /dev/null
@@ -1,1265 +0,0 @@
-## <summary>Core policy for domains.</summary>
-## <required val="true">
-##	Contains the concept of a domain.
-## </required>
-
-########################################
-## <summary>
-##	Make the specified type usable as a basic domain.
-## </summary>
-## <desc>
-##	<p>
-##	Make the specified type usable as a basic domain.
-##	</p>
-##	<p>
-##	This is primarily used for kernel threads;
-##	generally the domain_type() interface is
-##	more appropriate for userland processes.
-##	</p>
-## </desc>
-## <param name="type">
-##	<summary>
-##	Type to be used as a basic domain type.
-##	</summary>
-## </param>
-#
-interface(`domain_base_type',`
-	gen_require(`
-		attribute domain;
-	')
-
-	typeattribute $1 domain;
-')
-
-########################################
-## <summary>
-##	Make the specified type usable as a domain.
-## </summary>
-## <param name="type">
-##	<summary>
-##	Type to be used as a domain type.
-##	</summary>
-## </param>
-#
-interface(`domain_type',`
-	# start with basic domain
-	domain_base_type($1)
-
-	ifdef(`targeted_policy',`
-		unconfined_use_fds($1)
-		unconfined_sigchld($1)
-	')
-
-	# send init a sigchld and signull
-	optional_policy(`
-		init_sigchld($1)
-		init_signull($1)
-	')
-
-	# these seem questionable:
-
-	optional_policy(`
-		rpm_use_fds($1)
-		rpm_read_pipes($1)
-	')
-
-	optional_policy(`
-		selinux_dontaudit_read_fs($1)
-	')
-
-	optional_policy(`
-		seutil_dontaudit_read_config($1)
-	')
-')
-
-########################################
-## <summary>
-##	Make the specified type usable as
-##	an entry point for the domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to be entered.
-##	</summary>
-## </param>
-## <param name="type">
-##	<summary>
-##	Type of program used for entering
-##	the domain.
-##	</summary>
-## </param>
-#
-interface(`domain_entry_file',`
-	gen_require(`
-		attribute entry_type;
-	')
-
-	allow $1 $2:file entrypoint;
-	allow $1 $2:file rx_file_perms;
-
-	typeattribute $2 entry_type;
-
-	corecmd_executable_file($2)
-')
-
-########################################
-## <summary>
-##	Make the file descriptors of the specified
-##	domain for interactive use (widely inheritable)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_interactive_fd',`
-	gen_require(`
-		attribute privfd;
-	')
-
-	typeattribute $1 privfd;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to perform
-##	dynamic transitions.
-## </summary>
-## <desc>
-##	<p>
-##	Allow the specified domain to perform
-##	dynamic transitions.
-##	</p>
-##	<p>
-##	This violates process tranquility, and it
-##	is strongly suggested that this not be used.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dyntrans_type',`
-	gen_require(`
-		attribute set_curr_context;
-	')
-
-	typeattribute $1 set_curr_context;
-')
-
-########################################
-## <summary>
-##	Makes caller and execption to the constraint
-##	preventing changing to the system user
-##	identity and system role.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_system_change_exemption',`
-	gen_require(`
-		attribute can_system_change;
-	')
-
-	typeattribute $1 can_system_change;
-')
-
-########################################
-## <summary>
-##	Makes caller an exception to the constraint preventing
-##	changing of user identity.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type to make an exception to the constraint.
-##	</summary>
-## </param>
-#
-interface(`domain_subj_id_change_exemption',`
-	gen_require(`
-		attribute can_change_process_identity;
-	')
-
-	typeattribute $1 can_change_process_identity;
-')
-
-########################################
-## <summary>
-##	Makes caller an exception to the constraint preventing
-##	changing of role.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type to make an exception to the constraint.
-##	</summary>
-## </param>
-#
-interface(`domain_role_change_exemption',`
-	gen_require(`
-		attribute can_change_process_role;
-	')
-
-	typeattribute $1 can_change_process_role;
-')
-
-########################################
-## <summary>
-##	Makes caller an exception to the constraint preventing
-##	changing the user identity in object contexts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type to make an exception to the constraint.
-##	</summary>
-## </param>
-#
-interface(`domain_obj_id_change_exemption',`
-	gen_require(`
-		attribute can_change_object_identity;
-	')
-
-	typeattribute $1 can_change_object_identity;
-')
-
-########################################
-## <summary>
-##	Make the specified domain the target of
-##	the user domain exception of the
-##	SELinux role and identity change
-##	constraints.
-## </summary>
-## <desc>
-##	<p>
-##	Make the specified domain the target of
-##	the user domain exception of the
-##	SELinux role and identity change
-##	constraints.
-##	</p>
-##	<p>
-##	This interface is needed to decouple
-##	the user domains from the base module.
-##	It should not be used other than on
-##	user domains.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain target for user exemption.
-##	</summary>
-## </param>
-#
-interface(`domain_user_exemption_target',`
-	gen_require(`
-		attribute process_user_target;
-	')
-
-	typeattribute $1 process_user_target;
-')
-
-########################################
-## <summary>
-##	Make the specified domain the source of
-##	the cron domain exception of the
-##	SELinux role and identity change
-##	constraints.
-## </summary>
-## <desc>
-##	<p>
-##	Make the specified domain the source of
-##	the cron domain exception of the
-##	SELinux role and identity change
-##	constraints.
-##	</p>
-##	<p>
-##	This interface is needed to decouple
-##	the cron domains from the base module.
-##	It should not be used other than on
-##	cron domains.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain target for user exemption.
-##	</summary>
-## </param>
-#
-interface(`domain_cron_exemption_source',`
-	gen_require(`
-		attribute cron_source_domain;
-	')
-
-	typeattribute $1 cron_source_domain;
-')
-
-########################################
-## <summary>
-##	Make the specified domain the target of
-##	the cron domain exception of the
-##	SELinux role and identity change
-##	constraints.
-## </summary>
-## <desc>
-##	<p>
-##	Make the specified domain the target of
-##	the cron domain exception of the
-##	SELinux role and identity change
-##	constraints.
-##	</p>
-##	<p>
-##	This interface is needed to decouple
-##	the cron domains from the base module.
-##	It should not be used other than on
-##	user cron jobs.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain target for user exemption.
-##	</summary>
-## </param>
-#
-interface(`domain_cron_exemption_target',`
-	gen_require(`
-		attribute cron_job_domain;
-	')
-
-	typeattribute $1 cron_job_domain;
-')
-
-########################################
-## <summary>
-##	Inherit and use file descriptors from
-##	domains with interactive programs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_use_interactive_fds',`
-	gen_require(`
-		attribute privfd;
-	')
-
-	allow $1 privfd:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit file
-##	descriptors from domains with interactive
-##	programs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_use_interactive_fds',`
-	gen_require(`
-		attribute privfd;
-	')
-
-	dontaudit $1 privfd:fd use;
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to domains whose file
-##	discriptors are widely inheritable.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: this was added because of newrole
-interface(`domain_sigchld_interactive_fds',`
-	gen_require(`
-		attribute privfd;
-	')
-
-	allow $1 privfd:process sigchld;
-')
-
-########################################
-## <summary>
-##	Set the nice level of all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_setpriority_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	allow $1 domain:process setsched;
-')
-
-########################################
-## <summary>
-##	Send general signals to all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_signal_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	allow $1 domain:process signal;
-')
-
-########################################
-## <summary>
-##	Send a null signal to all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_signull_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	allow $1 domain:process signull;
-')
-
-########################################
-## <summary>
-##	Send a stop signal to all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_sigstop_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	allow $1 domain:process sigstop;
-')
-
-########################################
-## <summary>
-##	Send a child terminated signal to all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_sigchld_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	allow $1 domain:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send a kill signal to all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_kill_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	allow $1 domain:process sigkill;
-	allow $1 self:capability kill;
-')
-
-########################################
-## <summary>
-##	Search the process state directory (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_search_all_domains_state',`
-	gen_require(`
-		attribute domain;
-	')
-
-	kernel_search_proc($1)
-	allow $1 domain:dir search;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the process
-##	state directory (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_search_all_domains_state',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read the process state (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_read_all_domains_state',`
-	gen_require(`
-		attribute domain;
-	')
-
-	kernel_search_proc($1)
-	allow $1 domain:dir r_dir_perms;
-	allow $1 domain:lnk_file r_file_perms;
-	allow $1 domain:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all domains of all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_getattr_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	allow $1 domain:process getattr;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all domains of all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:process getattr;
-')
-
-########################################
-## <summary>
-##	Read the process state (/proc/pid) of all confined domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_read_confined_domains_state',`
-	gen_require(`
-		attribute domain, unconfined_domain_type;
-	')
-
-	kernel_search_proc($1)
-	allow $1 { domain -unconfined_domain_type }:dir r_dir_perms;
-	allow $1 { domain -unconfined_domain_type }:lnk_file r_file_perms;
-	allow $1 { domain -unconfined_domain_type }:file r_file_perms;
-
-	dontaudit $1 unconfined_domain_type:dir search;
-	dontaudit $1 unconfined_domain_type:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Get the attributes of all confined domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_getattr_confined_domains',`
-	gen_require(`
-		attribute domain, unconfined_domain_type;
-	')
-
-	allow $1 { domain -unconfined_domain_type }:process getattr;
-')
-
-########################################
-## <summary>
-##	Ptrace all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_ptrace_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	allow $1 domain:process ptrace;
-	allow domain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to ptrace all domains.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to ptrace all domains.
-##	</p>
-##	<p>
-##	Generally this needs to be suppressed because procps tries to access
-##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
-##	(2.4 and 2.6).
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_ptrace_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:process ptrace;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to ptrace confined domains.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to ptrace confined domains.
-##	</p>
-##	<p>
-##	Generally this needs to be suppressed because procps tries to access
-##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
-##	(2.4 and 2.6).
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_ptrace_confined_domains',`
-	gen_require(`
-		attribute domain, unconfined_domain_type;
-	')
-
-	dontaudit $1 { domain -unconfined_domain_type }:process ptrace;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read the process
-##	state (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_read_all_domains_state',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:dir r_dir_perms;
-	dontaudit $1 domain:lnk_file r_file_perms;
-	dontaudit $1 domain:file r_file_perms;
-
-	# cjp: these should be removed:
-	dontaudit $1 domain:sock_file r_file_perms;
-	dontaudit $1 domain:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read the process state
-##	directories of all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_list_all_domains_state',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the session ID of all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_getsession_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	allow $1 domain:process getsession;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	session ID of all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_getsession_all_domains',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:process getsession;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all domains
-##	sockets, for all socket types.
-## </summary>
-## <desc>
-##	<p>
-##	Get the attributes of all domains
-##	sockets, for all socket types.
-##	</p>
-##	<p>
-##	This is commonly used for domains
-##	that can use lsof on all domains.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_getattr_all_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	allow $1 domain:socket_class_set getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains sockets, for all socket types.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to get the attributes
-##	of all domains sockets, for all socket types.
-##	</p>
-##	<p>
-##	This interface was added for PCMCIA cardmgr
-##	and is probably excessive.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:socket_class_set getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains TCP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_tcp_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:tcp_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains UDP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_udp_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:udp_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or write
-##	all domains UDP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_rw_all_udp_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:udp_socket { read write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get attribues of
-##	all domains IPSEC key management sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_key_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:key_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get attribues of
-##	all domains packet sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_packet_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:packet_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get attribues of
-##	all domains raw sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_raw_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:rawip_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or write
-##	all domains key sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_rw_all_key_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:key_socket { read write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains unix datagram sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_dgram_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:unix_dgram_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains unix datagram sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_stream_sockets',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:unix_stream_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all domains unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_pipes',`
-	gen_require(`
-		attribute domain;
-	')
-
-	dontaudit $1 domain:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Get the attributes of entry point
-##	files for all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_getattr_all_entry_files',`
-	gen_require(`
-		attribute entry_type;
-	')
-
-	allow $1 entry_type:lnk_file getattr;
-	allow $1 entry_type:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read the entry point files for all domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_read_all_entry_files',`
-	gen_require(`
-		attribute entry_type;
-	')
-
-	allow $1 entry_type:lnk_file r_file_perms;
-	allow $1 entry_type:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute the entry point files for all
-##	domains in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_exec_all_entry_files',`
-	gen_require(`
-		attribute entry_type;
-	')
-
-	can_exec($1,entry_type)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete all
-##	entrypoint files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`domain_manage_all_entry_files',`
-	gen_require(`
-		attribute entry_type;
-	')
-
-	allow $1 entry_type:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Relabel to and from all entry point
-##	file types.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`domain_relabel_all_entry_files',`
-	gen_require(`
-		attribute entry_type;
-	')
-
-	allow $1 entry_type:file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Mmap all entry point files as executable.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`domain_mmap_all_entry_files',`
-	gen_require(`
-		attribute entry_type;
-	')
-
-	allow $1 entry_type:file { getattr read execute };
-')
-
-########################################
-## <summary>
-##	Execute an entry_type in the specified domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for userhelper
-interface(`domain_entry_file_spec_domtrans',`
-	gen_require(`
-		attribute entry_type;
-	')
-
-	domain_trans($1,entry_type,$2)
-')
-
-########################################
-## <summary>
-##	Unconfined access to domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_unconfined',`
-	gen_require(`
-		attribute set_curr_context;
-		attribute can_change_process_identity;
-		attribute can_change_process_role;
-		attribute can_change_object_identity;
-		attribute unconfined_domain_type;
-	')
-
-	typeattribute $1 unconfined_domain_type;
-
-	# pass constraints
-	typeattribute $1 can_change_process_identity;
-	typeattribute $1 can_change_process_role;
-	typeattribute $1 can_change_object_identity;
-	typeattribute $1 set_curr_context;
-')
-
-#
-# These next macros are not templates, but actually are 
-# support macros.  Due to the domain_ prefix, they 
-# are placed in this module, to try to prevent confusion.
-# They are called templates since regular m4 defines
-# wont work here.
-#
-
-########################################
-## <summary>
-##	Specified domain transition requiring setexeccon.
-## </summary>
-## <param name="source_domain">
-##	<summary>
-##	Domain to transition from.
-##	</summary>
-## </param>
-## <param name="entry_file">
-##	<summary>
-##	Type of program to execute.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	Domain to transition to.
-##	</summary>
-## </param>
-#
-template(`domain_trans',`
-	allow $1 $2:file { getattr read execute };
-	allow $1 $3:process transition;
-	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
-')
-
-########################################
-## <summary>
-##	Automatic domain transition by type_transition.
-## </summary>
-## <param name="source_domain">
-##	<summary>
-##	Domain to transition from.
-##	</summary>
-## </param>
-## <param name="entry_file">
-##	<summary>
-##	Type of program to execute.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	Domain to transition to.
-##	</summary>
-## </param>
-#
-template(`domain_auto_trans',`
-	domain_trans($1,$2,$3)
-	type_transition $1 $2:process $3;
-')
diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te
deleted file mode 100644
index f0e07f2..0000000
--- a/refpolicy/policy/modules/kernel/domain.te
+++ /dev/null
@@ -1,143 +0,0 @@
-
-policy_module(domain,1.1.3)
-
-########################################
-#
-# Declarations
-#
-
-# Mark process types as domains
-attribute domain;
-
-# Transitions only allowed from domains to other domains
-neverallow domain ~domain:process { transition dyntransition };
-
-# Domains that are unconfined
-attribute unconfined_domain_type;
-
-# Domains that can set their current context
-# (perform dynamic transitions)
-attribute set_curr_context;
-
-# enabling setcurrent breaks process tranquility.  If you do not
-# know what this means or do not understand the implications of a
-# dynamic transition, you should not be using it!!!
-neverallow { domain -set_curr_context } self:process setcurrent;
-
-# entrypoint executables
-attribute entry_type;
-
-# widely-inheritable file descriptors
-attribute privfd;
-
-#
-# constraint related attributes
-#
-
-# [1] types that can change SELinux identity on transition
-attribute can_change_process_identity;
-
-# [2] types that can change SELinux role on transition
-attribute can_change_process_role;
-
-# [3] types that can change the SELinux identity on a filesystem
-# object or a socket object on a create or relabel
-attribute can_change_object_identity;
-
-# [3] types that can change to system_u:system_r
-attribute can_system_change;
-
-# [4] types that have attribute 1 can change the SELinux
-# identity only if the target domain has this attribute.
-# Types that have attribute 2 can change the SELinux role
-# only if the target domain has this attribute.
-attribute process_user_target;
-
-# For cron jobs
-# [5] types used for cron daemons
-attribute cron_source_domain;
-# [6] types used for cron jobs
-attribute cron_job_domain;
-
-# [7] types that are unconditionally exempt from
-# SELinux identity and role change constraints
-attribute process_uncond_exempt;	# add userhelperdomain to this one
-
-neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
-neverallow ~{ domain unlabeled_t } *:process *;
-
-########################################
-#
-# Rules applied to all domains
-#
-
-# read /proc/(pid|self) entries
-allow domain self:dir r_dir_perms;
-allow domain self:lnk_file r_file_perms;
-allow domain self:file rw_file_perms;
-kernel_read_proc_symlinks(domain)
-
-# create child processes in the domain
-allow domain self:process { fork sigchld };
-
-# Use trusted objects in /dev
-dev_rw_null(domain)
-dev_rw_zero(domain)
-term_use_controlling_term(domain)
-
-# list the root directory
-files_list_root(domain)
-
-ifdef(`targeted_policy',`
-	# RBAC is disabled in the targeted policy,
-	# as only one role is used, system_r.
-	role system_r types domain;
-
-	# FIXME:
-	# workaround until role dominance is fixed in
-	# the module compiler
-	role secadm_r types domain;
-	role sysadm_r types domain;
-	role user_r types domain;
-	role staff_r types domain;
-')
-
-tunable_policy(`global_ssp',`
-	# enable reading of urandom for all domains:
-	# this should be enabled when all programs
-	# are compiled with ProPolice/SSP
-	# stack smashing protection.
-	dev_read_urand(domain)
-')
-
-optional_policy(`
-	setrans_translate_context(domain)
-')
-
-########################################
-#
-# Unconfined access to this module
-#
-
-# unconfined access also allows constraints, but this
-# is handled in the interface as typeattribute cannot
-# be used on an attribute.
-
-# Use/sendto/connectto sockets created by any domain.
-allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
-
-# Use descriptors and pipes created by any domain.
-allow unconfined_domain_type domain:fd use;
-allow unconfined_domain_type domain:fifo_file rw_file_perms;
-
-# Act upon any other process.
-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-
-# Create/access any System V IPC objects.
-allow unconfined_domain_type domain:{ sem msgq shm } *;
-allow unconfined_domain_type domain:msg { send receive };
-
-# For /proc/pid
-allow unconfined_domain_type domain:dir r_dir_perms;
-allow unconfined_domain_type domain:file r_file_perms;
-allow unconfined_domain_type domain:lnk_file r_file_perms;
diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc
deleted file mode 100644
index b3a21ea..0000000
--- a/refpolicy/policy/modules/kernel/files.fc
+++ /dev/null
@@ -1,246 +0,0 @@
-
-#
-# /
-#
-/.*				gen_context(system_u:object_r:default_t,s0)
-/			-d	gen_context(system_u:object_r:root_t,s0)
-/\.journal			<<none>>
-/initrd\.img.*		-l	gen_context(system_u:object_r:boot_t,s0)
-/vmlinuz.*		-l	gen_context(system_u:object_r:boot_t,s0)
-
-ifdef(`distro_redhat',`
-/\.autofsck		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/\.autorelabel		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/fastboot 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/forcefsck 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/poweroff		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-ifdef(`distro_suse',`
-/success			--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-#
-# /boot
-#
-/boot			-d	gen_context(system_u:object_r:boot_t,s0)
-/boot/.*			gen_context(system_u:object_r:boot_t,s0)
-/boot/\.journal			<<none>>
-/boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
-/boot/lost\+found/.*		<<none>>
-/boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
-
-#
-# /emul
-#
-/emul			-d	gen_context(system_u:object_r:usr_t,s0)
-/emul/.*			gen_context(system_u:object_r:usr_t,s0)
-
-#
-# /etc
-#
-/etc			-d	gen_context(system_u:object_r:etc_t,s0)
-/etc/.*				gen_context(system_u:object_r:etc_t,s0)
-/etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/asound\.state	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/HOSTNAME		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/ioctl\.save		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/issue		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/issue\.net		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
-/etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/smartd\.conf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-
-/etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
-
-
-/etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
-
-/etc/network/ifstate	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-
-/etc/ptal/ptal-printd-like -- 	gen_context(system_u:object_r:etc_runtime_t,s0)
-
-/etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
-
-ifdef(`distro_gentoo', `
-/etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/csh\.env		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-ifdef(`distro_redhat',`
-/etc/rhgb(/.*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
-')
-
-ifdef(`distro_suse',`
-/etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/init\.d/\.depend.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-#
-# HOME_ROOT
-# expanded by genhomedircon
-#
-HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s0-s15:c0.c255)
-HOME_ROOT/\.journal		<<none>>
-HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
-HOME_ROOT/lost\+found/.*		<<none>>
-
-#
-# /initrd
-#
-# initrd mount point, only used during boot
-/initrd			-d	gen_context(system_u:object_r:root_t,s0)
-
-#
-# /lib(64)?
-#
-/lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
-/lib64/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
-
-#
-# /lost+found
-#
-/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
-/lost\+found/.*			<<none>>
-
-#
-# /media
-#
-# Mount points; do not relabel subdirectories, since
-# we don't want to change any removable media by default.
-/media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
-/media/[^/]*/.*			<<none>>
-
-#
-# /misc
-#
-/misc			-d	gen_context(system_u:object_r:mnt_t,s0)
-
-#
-# /mnt
-#
-/mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
-/mnt/[^/]*/.*			<<none>>
-
-#
-# /net
-#
-/net			-d	gen_context(system_u:object_r:mnt_t,s0)
-
-#
-# /opt
-#
-/opt			-d	gen_context(system_u:object_r:usr_t,s0)
-/opt/.*				gen_context(system_u:object_r:usr_t,s0)
-
-/opt/(.*/)?var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
-
-#
-# /proc
-#
-/proc			-d	<<none>>
-/proc/.*			<<none>>
-
-#
-# /selinux
-#
-/selinux		-d	<<none>>
-/selinux/.*			<<none>>
-
-#
-# /srv
-#
-/srv			-d	gen_context(system_u:object_r:var_t,s0)
-/srv/.*				gen_context(system_u:object_r:var_t,s0)
-
-#
-# /sys
-#
-/sys			-d	<<none>>
-/sys/.*				<<none>>
-
-#
-# /tmp
-#
-/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
-/tmp/.*				<<none>>
-/tmp/\.journal			<<none>>
-
-/tmp/lost\+found	-d		gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
-/tmp/lost\+found/.*		<<none>>
-
-#
-# /usr
-#
-/usr			-d	gen_context(system_u:object_r:usr_t,s0)
-/usr/.*				gen_context(system_u:object_r:usr_t,s0)
-/usr/\.journal			<<none>>
-
-/usr/doc(/.*)?/lib(/.*)?		gen_context(system_u:object_r:usr_t,s0)
-
-/usr/etc(/.*)?			gen_context(system_u:object_r:etc_t,s0)
-
-/usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
-
-/usr/local/\.journal		<<none>>
-
-/usr/local/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
-
-/usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
-/usr/local/lost\+found/.*	<<none>>
-
-/usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
-
-/usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
-/usr/lost\+found/.*		<<none>>
-
-/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
-
-/usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
-/usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
-
-/usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
-/usr/tmp/.*			<<none>>
-
-#
-# /var
-#
-/var			-d	gen_context(system_u:object_r:var_t,s0)
-/var/.*				gen_context(system_u:object_r:var_t,s0)
-/var/\.journal			<<none>>
-
-/var/db/.*\.db		--	gen_context(system_u:object_r:etc_t,s0)
-
-/var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
-
-/var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
-
-/var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-
-/var/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
-
-/var/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
-/var/lost\+found/.*		<<none>>
-
-/var/run			-d	gen_context(system_u:object_r:var_run_t,s0-s15:c0.c255)
-/var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
-/var/run/.*\.*pid		<<none>>
-
-/var/spool(/.*)?			gen_context(system_u:object_r:var_spool_t,s0)
-/var/spool/postfix/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
-
-/var/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
-/var/tmp/.*			<<none>>
-/var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
-/var/tmp/lost\+found/.*		<<none>>
-/var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
deleted file mode 100644
index 4ee35d7..0000000
--- a/refpolicy/policy/modules/kernel/files.if
+++ /dev/null
@@ -1,4401 +0,0 @@
-## <summary>
-## Basic filesystem types and interfaces.
-## </summary>
-## <desc>
-## <p>
-## This module contains basic filesystem types and interfaces. This
-## includes:
-## <ul>
-##	<li>The concept of different file types including basic
-##	files, mount points, tmp files, etc.</li>
-##	<li>Access to groups of files and all files.</li>
-##	<li>Types and interfaces for the basic filesystem layout
-##	(/, /etc, /tmp, /usr, etc.).</li>
-## </ul>
-## </p>
-## </desc>
-## <required val="true">
-##	Contains the concept of a file.
-##	Comains the file initial SID.
-## </required>
-
-########################################
-## <summary>
-##	Make the specified type usable for files
-##	in a filesystem.
-## </summary>
-## <param name="type">
-##	<summary>
-##	Type to be used for files.
-##	</summary>
-## </param>
-#
-interface(`files_type',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	typeattribute $1 file_type;
-')
-
-########################################
-## <summary>
-##	Make the specified type usable for
-##	lock files.
-## </summary>
-## <param name="type">
-##	<summary>
-##	Type to be used for lock files.
-##	</summary>
-## </param>
-#
-interface(`files_lock_file',`
-	gen_require(`
-		attribute lockfile;
-	')
-
-	files_type($1)
-	typeattribute $1 lockfile;
-')
-
-########################################
-## <summary>
-##	Make the specified type usable for
-##	filesystem mount points.
-## </summary>
-## <param name="type">
-##	<summary>
-##	Type to be used for mount points.
-##	</summary>
-## </param>
-#
-interface(`files_mountpoint',`
-	gen_require(`
-		attribute mountpoint;
-	')
-
-	files_type($1)
-	typeattribute $1 mountpoint;
-')
-
-########################################
-## <summary>
-##	Make the specified type usable for
-##	runtime process ID files.
-## </summary>
-## <param name="type">
-##	<summary>
-##	Type to be used for PID files.
-##	</summary>
-## </param>
-#
-interface(`files_pid_file',`
-	gen_require(`
-		attribute pidfile;
-	')
-
-	files_type($1)
-	typeattribute $1 pidfile;
-')
-
-########################################
-## <summary>
-##	Make the specified type a 
-##	configuration file.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Type to be used as a configuration file.
-##	</summary>
-## </param>
-#
-interface(`files_config_file',`
-	gen_require(`
-		attribute usercanread;
-	')
-
-	files_type($1)
-
-	# this is a hack and should be removed.
-	typeattribute $1 usercanread;
-')
-
-########################################
-## <summary>
-##	Make the specified type a 
-##	polyinstantiated directory.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Type of the file to be used as a
-##	polyinstantiated directory.
-##	</summary>
-## </param>
-#
-interface(`files_poly',`
-	gen_require(`
-		attribute polydir;
-	')
-
-	files_type($1)
-	typeattribute $1 polydir;
-')
-
-########################################
-## <summary>
-##	Make the specified type a parent
-##	of a polyinstantiated directory.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Type of the file to be used as a
-##	parent directory.
-##	</summary>
-## </param>
-#
-interface(`files_poly_parent',`
-	gen_require(`
-		attribute polyparent;
-	')
-
-	files_type($1)
-	typeattribute $1 polyparent;
-')
-
-########################################
-## <summary>
-##	Make the specified type a
-##	polyinstantiation member directory.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Type of the file to be used as a
-##	member directory.
-##	</summary>
-## </param>
-#
-interface(`files_poly_member',`
-	gen_require(`
-		attribute polymember;
-	')
-
-	files_type($1)
-	typeattribute $1 polymember;
-')
-
-########################################
-## <summary>
-##	Make the domain use the specified
-##	type of polyinstantiated directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain using the polyinstantiated
-##	directory.
-##	</summary>
-## </param>
-## <param name="file_type">
-##	<summary>
-##	Type of the file to be used as a
-##	member directory.
-##	</summary>
-## </param>
-#
-interface(`files_poly_member_tmp',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	type_member $1 tmp_t:dir $2;
-')
-
-########################################
-## <summary>
-##	Make the specified type a file that
-##	should not be dontaudited from
-##	browsing from user domains.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Type of the file to be used as a
-##	member directory.
-##	</summary>
-## </param>
-#
-interface(`files_security_file',`
-	gen_require(`
-		attribute security_file_type;
-	')
-
-	files_type($1)
-	typeattribute $1 security_file_type;
-')
-
-########################################
-## <summary>
-##	Make the specified type a file
-##	used for temporary files.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Type of the file to be used as a
-##	temporary file.
-##	</summary>
-## </param>
-#
-interface(`files_tmp_file',`
-	gen_require(`
-		attribute tmpfile;
-		type tmp_t;
-	')
-
-	files_type($1)
-	files_poly_member($1)
-	typeattribute $1 tmpfile;
-')
-
-########################################
-## <summary>
-##	Transform the type into a file, for use on a
-##	virtual memory filesystem (tmpfs).
-## </summary>
-## <param name="type">
-##	<summary>
-##	The type to be transformed.
-##	</summary>
-## </param>
-#
-interface(`files_tmpfs_file',`
-	gen_require(`
-		attribute tmpfsfile;
-	')
-
-	files_type($1)
-	typeattribute $1 tmpfsfile;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: this is an odd interface, because to getattr
-# all dirs, you need to search all the parent directories
-#
-interface(`files_getattr_all_dirs',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir { getattr search };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_all_dirs',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	dontaudit $1 file_type:dir getattr;
-')
-
-########################################
-## <summary>
-##	List all non-security directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_non_security',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	allow $1 { file_type -security_file_type }:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list all
-##	non-security directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_list_non_security',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Mount a filesystem on all non-security
-##	directories and files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_mounton_non_security',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	allow $1 { file_type -security_file_type }:dir mounton;
-	allow $1 { file_type -security_file_type }:file mounton;
-')
-
-########################################
-## <summary>
-##	Allow attempts to modify any directory
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to allow
-##	</summary>
-## </param>
-#
-interface(`files_write_non_security_dirs',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	allow $1 file_type:dir write;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_all_files',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:file getattr;
-	allow $1 file_type:lnk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_all_files',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	dontaudit $1 file_type:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_files',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:file getattr;
-')
-
-########################################
-## <summary>
-##	Read all files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_all_files',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir list_dir_perms;
-	allow $1 file_type:file read_file_perms;
-
-	optional_policy(`
-		auth_read_shadow($1)
-	')
-')
-
-########################################
-## <summary>
-##	Allow shared library text relocations in all files.
-## </summary>
-## <desc>
-##	<p>
-##	Allow shared library text relocations in all files.
-##	</p>
-##	<p>
-##	This is added to support WINE in the targeted
-##	policy.  It has no effect on the strict policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_execmod_all_files',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			attribute file_type;
-		')
-
-		allow $1 file_type:file execmod;
-	',`
-		errprint(__file__:__line__:` $0($1) has no effect in strict policy.'__endline__)
-	')
-')
-
-########################################
-## <summary>
-##	Read all non-security files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_non_security_files',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	allow $1 { file_type -security_file_type }:dir search_dir_perms;
-	allow $1 { file_type -security_file_type }:file r_file_perms;
-	allow $1 { file_type -security_file_type }:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read all directories on the filesystem, except
-##	the listed exceptions.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain perfoming this action.
-##	</summary>
-## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
-#
-interface(`files_read_all_dirs_except',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 { file_type $2 }:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read all files on the filesystem, except
-##	the listed exceptions.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain perfoming this action.
-##	</summary>
-## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
-#
-interface(`files_read_all_files_except',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 { file_type $2 }:dir search;
-	allow $1 { file_type $2 }:file r_file_perms;
-
-')
-
-########################################
-## <summary>
-##	Read all symbolic links on the filesystem, except
-##	the listed exceptions.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain perfoming this action.
-##	</summary>
-## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
-#
-interface(`files_read_all_symlinks_except',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 { file_type $2 }:dir search;
-	allow $1 { file_type $2 }:lnk_file r_file_perms;
-
-')
-
-########################################
-## <summary>
-##	Get the attributes of all symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_all_symlinks',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:lnk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_all_symlinks',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	dontaudit $1 file_type:lnk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_symlinks',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security block devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_blk_files',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security character devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_chr_files',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Read all symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_all_symlinks',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir list_dir_perms;
-	allow $1 file_type:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Get the attributes of all named pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_all_pipes',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir list_dir_perms;
-	allow $1 file_type:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all named pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_all_pipes',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	dontaudit $1 file_type:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security named pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_pipes',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all named sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_all_sockets',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir list_dir_perms;
-	allow $1 file_type:sock_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all named sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_all_sockets',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	dontaudit $1 file_type:sock_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security named sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_sockets',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:sock_file getattr;
-')
-
-########################################
-## <summary>
-##	Read all block nodes with file types.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_all_blk_files',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:blk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read all character nodes with file types.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_all_chr_files',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir search;
-	allow $1 file_type:chr_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Relabel all files on the filesystem, except
-##	the listed exceptions.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain perfoming this action.
-##	</summary>
-## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
-#
-interface(`files_relabel_all_files',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
-	allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
-	allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
-	allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
-	allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
-	allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
-	allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
-
-	# satisfy the assertions:
-	seutil_relabelto_bin_policy($1)
-')
-
-########################################
-## <summary>
-##	Manage all files on the filesystem, except
-##	the listed exceptions.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain perfoming this action.
-##	</summary>
-## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
-#
-interface(`files_manage_all_files',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 { file_type $2 }:dir create_dir_perms;
-	allow $1 { file_type $2 }:file create_file_perms;
-	allow $1 { file_type $2 }:lnk_file create_lnk_perms;
-	allow $1 { file_type $2 }:fifo_file create_file_perms;
-	allow $1 { file_type $2 }:sock_file create_file_perms;
-
-	# satisfy the assertions:
-	seutil_create_bin_policy($1)
-	files_manage_kernel_modules($1)
-')
-
-########################################
-## <summary>
-##	Search the contents of all directories on
-##	extended attribute filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_all',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of all directories on
-##	extended attribute filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_all',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the
-##	contents of any directories on extended
-##	attribute filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_search_all_dirs',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	dontaudit $1 file_type:dir search;
-')
-
-########################################
-## <summary>
-##	Relabel a filesystem to the type of a file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_relabelto_all_file_type_fs',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:filesystem relabelto;
-')
-
-########################################
-## <summary>
-##	Mount all filesystems with the type of a file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_mount_all_file_type_fs',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Unmount all filesystems with the type of a file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_unmount_all_file_type_fs',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Mount a filesystem on all mount points.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_mounton_all_mountpoints',`
-	gen_require(`
-		attribute mountpoint;
-	')
-
-	allow $1 mountpoint:dir { getattr search mounton };
-	allow $1 mountpoint:file { getattr mounton };
-')
-
-########################################
-## <summary>
-##	Get the attributes of all mount points.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_all_mountpoints',`
-	gen_require(`
-		attribute mountpoint;
-	')
-
-	allow $1 mountpoint:dir getattr;
-')
-
-########################################
-## <summary>
-##	List the contents of the root directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_root',`
-	gen_require(`
-		type root_t;
-	')
-
-	allow $1 root_t:dir r_dir_perms;
-	allow $1 root_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create an object in the root directory, with a private
-##	type using a type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`files_root_filetrans',`
-	gen_require(`
-		type root_t;
-	')
-
-	allow $1 root_t:dir rw_dir_perms;
-	type_transition $1 root_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read files in
-##	the root directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_read_root_files',`
-	gen_require(`
-		type root_t;
-	')
-
-	dontaudit $1 root_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or write
-##	files in the root directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_rw_root_files',`
-	gen_require(`
-		type root_t;
-	')
-
-	dontaudit $1 root_t:file { read write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or write
-##	character device nodes in the root directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_rw_root_chr_files',`
-	gen_require(`
-		type root_t;
-	')
-
-	dontaudit $1 root_t:chr_file { read write };
-')
-
-########################################
-## <summary>
-##	Remove entries from the root directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_delete_root_dir_entry',`
-	gen_require(`
-		type root_t;
-	')
-
-	allow $1 root_t:dir rw_dir_perms;
-')
-
-########################################
-## <summary>
-##	Unmount a rootfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_unmount_rootfs',`
-	gen_require(`
-		type root_t;
-	')
-
-	allow $1 root_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get attributes of the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_boot_dirs',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get attributes
-##	of the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_boot_dirs',`
-	gen_require(`
-		type boot_t;
-	')
-
-	dontaudit $1 boot_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_boot',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_search_boot',`
-	gen_require(`
-		type boot_t;
-	')
-
-	dontaudit $1 boot_t:dir search;
-')
-
-########################################
-## <summary>
-##	Create directories in /boot
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_create_boot_dirs',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir { create rw_dir_perms };
-')
-
-########################################
-## <summary>
-##	Create a private type object in boot
-##	with an automatic type transition
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private_type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`files_boot_filetrans',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir rw_dir_perms;
-	type_transition $1 boot_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files
-##	in the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_boot_files',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir rw_dir_perms;
-	allow $1 boot_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Relabel from files in the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_relabelfrom_boot_files',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:file relabelfrom;
-')
-
-########################################
-## <summary>
-##	Read and write symbolic links
-##	in the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_rw_boot_symlinks',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir r_dir_perms;
-	allow $1 boot_t:lnk_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic links
-##	in the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_boot_symlinks',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir rw_dir_perms;
-	allow $1 boot_t:lnk_file manage_file_perms;
-')
-
-########################################
-## <summary>
-##     Read kernel files in the /boot directory.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`files_read_kernel_img',`
-       gen_require(`
-               type boot_t;
-       ')
-
-       allow $1 boot_t:dir list_dir_perms;
-       allow $1 boot_t:file { getattr read };
-       allow $1 boot_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Install a kernel into the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_create_kernel_img',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir ra_dir_perms;
-	allow $1 boot_t:file { getattr read write create };
-	allow $1 boot_t:lnk_file { getattr read create unlink };
-')
-
-########################################
-## <summary>
-##	Delete a kernel from /boot.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_delete_kernel',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir { r_dir_perms write remove_name };
-	allow $1 boot_t:file { getattr unlink };
-')
-
-########################################
-## <summary>
-##	Getattr of directories with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_default_dirs',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes of
-##	directories with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_default_dirs',`
-	gen_require(`
-		type default_t;
-	')
-
-	dontaudit $1 default_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the contents of directories with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_default',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:dir search;
-')
-
-########################################
-## <summary>
-##	List contents of directories with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_default',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list contents of
-##	directories with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_list_default',`
-	gen_require(`
-		type default_t;
-	')
-
-	dontaudit $1 default_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Mount a filesystem on a directory with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_mounton_default',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:dir { getattr search mounton };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes of
-##	files with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_default_files',`
-	gen_require(`
-		type default_t;
-	')
-
-	dontaudit $1 default_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Read files with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_default_files',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read files
-##	with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_read_default_files',`
-	gen_require(`
-		type default_t;
-	')
-
-	dontaudit $1 default_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read symbolic links with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_default_symlinks',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read sockets with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_default_sockets',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:sock_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read named pipes with the default file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_default_pipes',`
-	gen_require(`
-		type default_t;
-	')
-
-	allow $1 default_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Search the contents of /etc directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_etc',`
-	gen_require(`
-		type etc_t;
-	')
-
-	allow $1 etc_t:dir search;
-')
-
-########################################
-## <summary>
-##	Set the attributes of the /etc directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_setattr_etc_dirs',`
-	gen_require(`
-		type etc_t;
-	')
-
-	allow $1 etc_t:dir setattr;
-')
-
-########################################
-## <summary>
-##	List the contents of /etc directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_etc',`
-	gen_require(`
-		type etc_t;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read generic files in /etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_etc_files',`
-	gen_require(`
-		type etc_t;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_t:file r_file_perms;
-	allow $1 etc_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write generic files in /etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_write_etc_files',`
-	gen_require(`
-		type etc_t;
-	')
-
-	dontaudit $1 etc_t:file write;
-')
-
-########################################
-## <summary>
-##	Read and write generic files in /etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_rw_etc_files',`
-	gen_require(`
-		type etc_t;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_t:file rw_file_perms;
-	allow $1 etc_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete generic
-##	files in /etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_etc_files',`
-	gen_require(`
-		type etc_t;
-	')
-
-	allow $1 etc_t:dir rw_dir_perms;
-	allow $1 etc_t:file create_file_perms;
-	allow $1 etc_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Delete system configuration files in /etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_delete_etc_files',`
-	gen_require(`
-		type etc_t;
-	')
-
-	allow $1 etc_t:dir rw_dir_perms;
-	allow $1 etc_t:file unlink;
-')
-
-########################################
-## <summary>
-##	Execute generic files in /etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_exec_etc_files',`
-	gen_require(`
-		type etc_t;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_t:lnk_file r_file_perms;
-	can_exec($1,etc_t)
-
-')
-
-#######################################
-## <summary>
-##	Relabel from and to generic files in /etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_relabel_etc_files',`
-	gen_require(`
-		type etc_t;
-	')
-
-	allow $1 etc_t:dir list_dir_perms;
-	allow $1 etc_t:file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Create objects in /etc with a private
-##	type using a type_transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="file_type">
-##	<summary>
-##	Private file type.
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Object classes to be created.
-##	</summary>
-## </param>
-#
-interface(`files_etc_filetrans',`
-	gen_require(`
-		type etc_t;
-	')
-
-	allow $1 etc_t:dir rw_dir_perms;
-	type_transition $1 etc_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Create a boot flag.
-## </summary>
-## <desc>
-##	<p>
-##	Create a boot flag, such as
-##	/.autorelabel and /.autofsck.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_create_boot_flag',`
-	gen_require(`
-		type root_t, etc_runtime_t;
-	')
-
-	allow $1 root_t:dir rw_dir_perms;
-	allow $1 etc_runtime_t:file { create read write setattr unlink };
-	type_transition $1 root_t:file etc_runtime_t;
-')
-
-########################################
-## <summary>
-##	Read files in /etc that are dynamically
-##	created on boot, such as mtab.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_etc_runtime_files',`
-	gen_require(`
-		type etc_t, etc_runtime_t;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_runtime_t:file r_file_perms;
-	allow $1 etc_runtime_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read files
-##	in /etc that are dynamically
-##	created on boot, such as mtab.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_read_etc_runtime_files',`
-	gen_require(`
-		type etc_runtime_t;
-	')
-
-	dontaudit $1 etc_runtime_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read and write files in /etc that are dynamically
-##	created on boot, such as mtab.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_rw_etc_runtime_files',`
-	gen_require(`
-		type etc_t, etc_runtime_t;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_runtime_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files in
-##	/etc that are dynamically created on boot,
-##	such as mtab.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_etc_runtime_files',`
-	gen_require(`
-		type etc_t, etc_runtime_t;
-	')
-
-	allow $1 etc_t:dir rw_dir_perms;
-	allow $1 etc_runtime_t:dir rw_dir_perms;
-	allow $1 etc_runtime_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, etc runtime objects with an automatic
-##	type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`files_etc_filetrans_etc_runtime',`
-	gen_require(`
-		type etc_t, etc_runtime_t;
-	')
-
-	allow $1 etc_t:dir rw_dir_perms;
-	type_transition $1 etc_t:$2 etc_runtime_t;
-')
-
-########################################
-## <summary>
-##	Getattr of directories on new filesystems
-##	that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search directories on new filesystems
-##	that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_search_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	dontaudit $1 file_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List the contents of directories on new filesystems
-##	that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read and write directories on new filesystems
-##	that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_rw_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete directories
-##	on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Mount a filesystem on a directory on new filesystems
-##	that has not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_mounton_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir { getattr search mounton };
-')
-
-########################################
-## <summary>
-##	Read files on new filesystems
-##	that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_isid_type_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir search;
-	allow $1 file_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files
-##	on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_isid_type_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
-	allow $1 file_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic links
-##	on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_isid_type_symlinks',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
-	allow $1 file_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Read and write block device nodes on new filesystems 
-##	that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_rw_isid_type_blk_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir search;
-	allow $1 file_t:blk_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete block device nodes
-##	on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_isid_type_blk_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
-	allow $1 file_t:blk_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete character device nodes
-##	on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_isid_type_chr_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
-	allow $1 file_t:chr_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the home directories root
-##	(/home).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_home_dir',`
-	gen_require(`
-		type home_root_t;
-	')
-
-	allow $1 home_root_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	attributes of the home directories root
-##	(/home).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_home_dir',`
-	gen_require(`
-		type home_root_t;
-	')
-
-	dontaudit $1 home_root_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search home directories root (/home).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_home',`
-	gen_require(`
-		type home_root_t;
-	')
-
-	allow $1 home_root_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search
-##	home directories root (/home).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_search_home',`
-	gen_require(`
-		type home_root_t;
-	')
-
-	dontaudit $1 home_root_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list
-##	home directories root (/home).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_list_home',`
-	gen_require(`
-		type home_root_t;
-	')
-
-	dontaudit $1 home_root_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get listing of home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_home',`
-	gen_require(`
-		type home_root_t;
-	')
-
-	allow $1 home_root_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in /home.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="home_type">
-##	<summary>
-##	The private type.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`files_home_filetrans',`
-	gen_require(`
-		type home_root_t;
-	')
-
-	allow $1 home_root_t:dir rw_dir_perms;
-	type_transition $1 home_root_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete objects in
-##	lost+found directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_lost_found',`
-	gen_require(`
-		type lost_found_t;
-	')
-
-	allow $1 lost_found_t:dir create_dir_perms;
-	allow $1 lost_found_t:file create_file_perms;
-	allow $1 lost_found_t:sock_file create_file_perms;
-	allow $1 lost_found_t:fifo_file create_file_perms;
-	allow $1 lost_found_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Search the contents of /mnt.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_mnt',`
-	gen_require(`
-		type mnt_t;
-	')
-
-	allow $1 mnt_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search /mnt.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_search_mnt',`
-	gen_require(`
-		type mnt_t;
-	')
-
-	dontaudit $1 mnt_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List the contents of /mnt.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_mnt',`
-	gen_require(`
-		type mnt_t;
-	')
-
-	allow $1 mnt_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Mount a filesystem on /mnt.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_mounton_mnt',`
-	gen_require(`
-		type mnt_t;
-	')
-
-	allow $1 mnt_t:dir { search mounton };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete directories in /mnt.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_mnt_dirs',`
-	gen_require(`
-		type mnt_t;
-	')
-
-	allow $1 mnt_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files in /mnt.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_mnt_files',`
-	gen_require(`
-		type mnt_t;
-	')
-
-	allow $1 mnt_t:dir rw_dir_perms;
-	allow $1 mnt_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic links in /mnt.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_mnt_symlinks',`
-	gen_require(`
-		type mnt_t;
-	')
-
-	allow $1 mnt_t:dir rw_dir_perms;
-	allow $1 mnt_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Search the contents of the kernel module directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of the kernel module directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of kernel module files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir search;
-	allow $1 modules_object_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Read kernel module files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir r_dir_perms;
-	allow $1 modules_object_t:lnk_file r_file_perms;
-	allow $1 modules_object_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Write kernel module files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_write_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir r_dir_perms;
-	allow $1 modules_object_t:file { write append };
-')
-
-########################################
-## <summary>
-##	Delete kernel module files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_delete_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir { list_dir_perms write remove_name };
-	allow $1 modules_object_t:file unlink;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	kernel module files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
-	allow $1 modules_object_t:dir rw_dir_perms;
-')
-
-########################################
-## <summary>
-##	Relabel from and to kernel module files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_relabel_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:file { relabelfrom relabelto };
-	allow $1 modules_object_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in the kernel module directories
-##	with a private type via an automatic type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private_type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`files_kernel_modules_filetrans',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir rw_dir_perms;
-	type_transition $1 modules_object_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	List world-readable directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_world_readable',`
-	gen_require(`
-		type readable_t;
-	')
-
-	allow $1 readable_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read world-readable files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_world_readable_files',`
-	gen_require(`
-		type readable_t;
-	')
-
-	allow $1 readable_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read world-readable symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_world_readable_symlinks',`
-	gen_require(`
-		type readable_t;
-	')
-
-	allow $1 readable_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read world-readable named pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_world_readable_pipes',`
-	gen_require(`
-		type readable_t;
-	')
-
-	allow $1 readable_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read world-readable sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_world_readable_sockets',`
-	gen_require(`
-		type readable_t;
-	')
-
-	allow $1 readable_t:sock_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow the specified type to associate
-##	to a filesystem with the type of the
-##	temporary directory (/tmp).
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Type of the file to associate.
-##	</summary>
-## </param>
-#
-interface(`files_associate_tmp',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:filesystem associate;
-')
-
-########################################
-## <summary>
-##	Get the	attributes of the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_tmp_dirs',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	attributes of the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_tmp_dirs',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	dontaudit $1 tmp_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_tmp',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_tmp',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit listing of the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain not to audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_list_tmp',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	dontaudit $1 tmp_t:dir { read getattr search };
-')
-
-########################################
-## <summary>
-##	Read files in the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_generic_tmp_files',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir search_dir_perms;
-	allow $1 tmp_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Manage temporary files and directories in /tmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`files_manage_generic_tmp_files',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir rw_dir_perms;
-	allow $1 tmp_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Read symbolic links in the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_generic_tmp_symlinks',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir search_dir_perms;
-	allow $1 tmp_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write generic named sockets in the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_rw_generic_tmp_sockets',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir search_dir_perms;
-	allow $1 tmp_t:sock_file { read write };
-')
-
-########################################
-## <summary>
-##	Set the attributes of all tmp directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_setattr_all_tmp_dirs',`
-	gen_require(`
-		attribute tmpfile;
-	')
-
-	allow $1 tmpfile:dir { search setattr };
-')
-
-########################################
-## <summary>
-##	Create an object in the tmp directories, with a private
-##	type using a type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`files_tmp_filetrans',`
-	gen_require(`
-		type tmp_t;
-	')
-
-	allow $1 tmp_t:dir rw_dir_perms;
-	type_transition $1 tmp_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Delete the contents of /tmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_purge_tmp',`
-	gen_require(`
-		attribute tmpfile;
-	')
-
-	allow $1 tmpfile:dir { rw_dir_perms rmdir };
-	allow $1 tmpfile:notdevfile_class_set { getattr unlink };
-')
-
-########################################
-## <summary>
-##	Search the content of /etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_usr',`
-	gen_require(`
-		type usr_t;
-	')
-
-	allow $1 usr_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of generic
-##	directories in /usr.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_usr',`
-	gen_require(`
-		type usr_t;
-	')
-
-	allow $1 usr_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of files in /usr.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_usr_files',`
-	gen_require(`
-		type usr_t;
-	')
-
-	allow $1 usr_t:dir search;
-	allow $1 usr_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Read generic files in /usr.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_usr_files',`
-	gen_require(`
-		type usr_t;
-	')
-
-	allow $1 usr_t:dir r_dir_perms;
-	allow $1 usr_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute generic programs in /usr in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_exec_usr_files',`
-	gen_require(`
-		type usr_t;
-	')
-
-	allow $1 usr_t:dir r_dir_perms;
-	allow $1 usr_t:lnk_file r_file_perms;
-	can_exec($1,usr_t)
-
-')
-
-########################################
-## <summary>
-##	Relabel a file to the type used in /usr.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_relabelto_usr_files',`
-	gen_require(`
-		type usr_t;
-	')
-
-	allow $1 usr_t:file relabelto;
-')
-
-########################################
-## <summary>
-##	Read symbolic links in /usr.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_usr_symlinks',`
-	gen_require(`
-		type usr_t;
-	')
-
-	allow $1 usr_t:dir search;
-	allow $1 usr_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in the /usr directory
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="file_type">
-##	<summary>
-##	The type of the object to be created
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The object class.
-##	</summary>
-## </param>
-#
-interface(`files_usr_filetrans',`
-	gen_require(`
-		type usr_t;
-	')
-
-	allow $1 usr_t:dir rw_dir_perms;
-	type_transition $1 usr_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Execute programs in /usr/src in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_exec_usr_src_files',`
-	gen_require(`
-		type usr_t, src_t;
-	')
-
-	allow $1 usr_t:dir search;
-	allow $1 src_t:dir r_dir_perms;
-	allow $1 src_t:lnk_file r_file_perms;
-	can_exec($1,src_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search /usr/src.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_search_src',`
-	gen_require(`
-		type src_t;
-	')
-
-	dontaudit $1 src_t:dir search;
-')
-
-########################################
-## <summary>
-##	Read files in /usr/src.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_usr_src_files',`
-	gen_require(`
-		type usr_t, src_t;
-	')
-
-	allow $1 usr_t:dir search;
-	allow $1 src_t:dir r_dir_perms;
-	allow $1 src_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Install a system.map into the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_create_kernel_symbol_table',`
-	gen_require(`
-		type boot_t, system_map_t;
-	')
-
-	allow $1 boot_t:dir ra_dir_perms;
-	allow $1 system_map_t:file { rw_file_perms create };
-')
-
-########################################
-## <summary>
-##	Read system.map in the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_kernel_symbol_table',`
-	gen_require(`
-		type boot_t, system_map_t;
-	')
-
-	allow $1 boot_t:dir r_dir_perms;
-	allow $1 system_map_t:file r_file_perms;
-
-	# cjp: this should be dropped:
-	allow $1 boot_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Delete a system.map in the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_delete_kernel_symbol_table',`
-	gen_require(`
-		type boot_t, system_map_t;
-	')
-
-	allow $1 boot_t:dir { r_dir_perms write remove_name };
-	allow $1 system_map_t:file { getattr unlink };
-')
-
-########################################
-## <summary>
-##	Search the contents of /var.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_var',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write to /var.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_write_var_dirs',`
-	gen_require(`
-		type var_t;
-	')
-
-	dontaudit $1 var_t:dir write;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search
-##	the contents of /var.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_search_var',`
-	gen_require(`
-		type var_t;
-	')
-
-	dontaudit $1 var_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of /var.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_var',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete directories
-##	in the /var directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_var_dirs',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read files in the /var directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_var_files',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write files in the /var directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_rw_var_files',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir rw_dir_perms;
-	allow $1 var_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files in the /var directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_var_files',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir rw_dir_perms;
-	allow $1 var_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Read symbolic links in the /var directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_var_symlinks',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic
-##	links in the /var directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_var_symlinks',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir rw_dir_perms;
-	allow $1 var_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in the /var directory
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="file_type">
-##	<summary>
-##	The type of the object to be created
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The object class.
-##	</summary>
-## </param>
-#
-interface(`files_var_filetrans',`
-	gen_require(`
-		type var_t;
-	')
-
-	allow $1 var_t:dir rw_dir_perms;
-	type_transition $1 var_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the /var/lib directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_var_lib_dirs',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lib_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the /var/lib directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_var_lib',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 { var_t var_lib_t }:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List the contents of the /var/lib directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_var_lib',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lib_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in the /var/lib directory
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="file_type">
-##	<summary>
-##	The type of the object to be created
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The object class.
-##	</summary>
-## </param>
-#
-interface(`files_var_lib_filetrans',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lib_t:dir rw_dir_perms;
-	type_transition $1 var_lib_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Read generic files in /var/lib.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_var_lib_files',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 { var_t var_lib_t }:dir search_dir_perms;
-	allow $1 var_lib_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read generic symbolic links in /var/lib
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_var_lib_symlinks',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 { var_t var_lib_t }:dir search_dir_perms;
-	allow $1 var_lib_t:lnk_file { getattr read };
-')
-
-# cjp: the next two interfaces really need to be fixed
-# in some way.  They really neeed their own types.
-
-########################################
-## <summary>
-##	Create, read, write, and delete the
-##	pseudorandom number generator seed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_urandom_seed',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lib_t:dir rw_dir_perms;
-	allow $1 var_lib_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow domain to manage mount tables
-##	necessary for rpcd, nfsd, etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_mounttab',`
-	gen_require(`
-		type var_t, var_lib_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lib_t:dir rw_dir_perms;
-	allow $1 var_lib_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Search the locks directory (/var/lock).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_locks',`
-	gen_require(`
-		type var_t, var_lock_t;
-	')
-
-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the
-##	locks directory (/var/lock).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_search_locks',`
-	gen_require(`
-		type var_lock_t;
-	')
-
-	dontaudit $1 var_lock_t:dir search;
-')
-
-########################################
-## <summary>
-##	Add and remove entries in the /var/lock
-##	directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_rw_lock_dirs',`
-	gen_require(`
-		type var_t, var_lock_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lock_t:dir rw_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of generic lock files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_getattr_generic_locks',`
-	gen_require(`
-		type var_t, var_lock_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lock_t:dir r_dir_perms;
-	allow $1 var_lock_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete generic
-##	lock files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_generic_locks',`
-	gen_require(`
-		type var_lock_t;
-	')
-
-	allow $1 var_lock_t:dir rw_dir_perms;
-	allow $1 var_lock_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Delete all lock files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_delete_all_locks',`
-	gen_require(`
-		attribute lockfile;
-	')
-
-	allow $1 lockfile:dir rw_dir_perms;
-	allow $1 lockfile:file { getattr unlink };
-')
-
-########################################
-## <summary>
-##	Read all lock files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_all_locks',`
-	gen_require(`
-		attribute lockfile;
-		type var_t, var_lock_t;
-	')
-
-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-	allow $1 lockfile:dir r_dir_perms;
-	allow $1 lockfile:file r_file_perms;
-	allow $1 lockfile:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Create an object in the locks directory, with a private
-##	type using a type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`files_lock_filetrans',`
-	gen_require(`
-		type var_t, var_lock_t;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_lock_t:dir rw_dir_perms;
-	type_transition $1 var_lock_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of the /var/run directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_pid_dirs',`
-	gen_require(`
-		type var_run_t;
-	')
-
-	dontaudit $1 var_run_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the contents of runtime process
-##	ID directories (/var/run).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_pids',`
-	gen_require(`
-		type var_t, var_run_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_run_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search
-##	the /var/run directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_search_pids',`
-	gen_require(`
-		type var_run_t;
-	')
-
-	dontaudit $1 var_run_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of the runtime process
-##	ID directories (/var/run).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_pids',`
-	gen_require(`
-		type var_t, var_run_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_run_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create an object in the process ID directory, with a private
-##	type using a type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`files_pid_filetrans',`
-	gen_require(`
-		type var_t, var_run_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_run_t:dir rw_dir_perms;
-	type_transition $1 var_run_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Read and write generic process ID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_rw_generic_pids',`
-	gen_require(`
-		type var_t, var_run_t;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_run_t:dir r_dir_perms;
-	allow $1 var_run_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write to daemon runtime data files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_write_all_pids',`
-	gen_require(`
-		attribute pidfile;
-	')
-
-	dontaudit $1 pidfile:file write;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to ioctl daemon runtime data files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_ioctl_all_pids',`
-	gen_require(`
-		attribute pidfile;
-	')
-
-	dontaudit $1 pidfile:file ioctl;
-')
-
-########################################
-## <summary>
-##	Read all process ID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_all_pids',`
-	gen_require(`
-		attribute pidfile;
-		type var_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 pidfile:dir r_dir_perms;
-	allow $1 pidfile:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Mount filesystems on all polyinstantiation
-##	member directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_mounton_all_poly_members',`
-	gen_require(`
-		attribute polymember;
-	')
-
-	allow $1 polymember:dir mounton;
-')
-
-########################################
-## <summary>
-##	Delete all process IDs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_delete_all_pids',`
-	gen_require(`
-		attribute pidfile;
-		type var_t, var_run_t;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
-	allow $1 var_run_t:dir rmdir;
-	allow $1 pidfile:dir rw_dir_perms;
-	allow $1 pidfile:file { getattr unlink };
-	allow $1 pidfile:sock_file { getattr unlink };
-	allow $1 pidfile:fifo_file { getattr unlink };
-')
-
-########################################
-## <summary>
-##	Delete all process ID directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_delete_all_pid_dirs',`
-	gen_require(`
-		attribute pidfile;
-		type var_t;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 pidfile:dir { rw_dir_perms rmdir };
-')
-
-########################################
-## <summary>
-##	Search the contents of generic spool
-##	directories (/var/spool).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_search_spool',`
-	gen_require(`
-		type var_t, var_spool_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_spool_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search generic
-##	spool directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_search_spool',`
-	gen_require(`
-		type var_spool_t;
-	')
-
-	dontaudit $1 var_spool_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List the contents of generic spool
-##	(/var/spool) directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_spool',`
-	gen_require(`
-		type var_t, var_spool_t;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete generic
-##	spool directories (/var/spool).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_generic_spool_dirs',`
-	gen_require(`
-		type var_t, var_spool_t;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read generic spool files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_read_generic_spool',`
-	gen_require(`
-		type var_t, var_spool_t;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir r_dir_perms;
-	allow $1 var_spool_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete generic
-##	spool files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_manage_generic_spool',`
-	gen_require(`
-		type var_t, var_spool_t;
-	')
-
-	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir rw_dir_perms;
-	allow $1 var_spool_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in the spool directory
-##	with a private type with a type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_spool_filetrans',`
-	gen_require(`
-		type var_t, var_spool_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_spool_t:dir rw_dir_perms;
-	type_transition $1 var_spool_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Allow access to manage all polyinstantiated
-##	directories on the system.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_polyinstantiate_all',`
-	gen_require(`
-		attribute polydir, polymember, polyparent;
-		type poly_t;
-	')
-
-	# Need to give access to /selinux/member
-	selinux_compute_member($1)
-
-	# Need sys_admin capability for mounting
-	allow $1 self:capability sys_admin;
-
-	# Need to give access to the directories to be polyinstantiated
-	allow $1 polydir:dir { create getattr search write add_name setattr mounton };
-
-	# Need to give access to the polyinstantiated subdirectories
-	allow $1 polymember:dir search_dir_perms;
-
-	# Need to give access to parent directories where original
-	# is remounted for polyinstantiation aware programs (like gdm)
-	allow $1 polyparent:dir { getattr mounton };
-
-	# Need to give permission to create directories where applicable
-	allow $1 self:process setfscreate;
-	allow $1 polymember: dir { create setattr relabelto };
-	allow $1 polydir: dir { write add_name };
-	allow $1 polyparent:dir { write add_name relabelfrom relabelto };
-
-	# Default type for mountpoints
-	allow $1 poly_t:dir { create mounton };
-	fs_unmount_xattr_fs($1)
-')
-
-########################################
-## <summary>
-##	Unconfined access to files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_unconfined',`
-	gen_require(`
-		attribute files_unconfined_type;
-	')
-
-	typeattribute $1 files_unconfined_type;
-')
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
deleted file mode 100644
index e3f7b8f..0000000
--- a/refpolicy/policy/modules/kernel/files.te
+++ /dev/null
@@ -1,220 +0,0 @@
-
-policy_module(files,1.2.12)
-
-########################################
-#
-# Declarations
-#
-
-attribute file_type;
-attribute files_unconfined_type;
-attribute lockfile;
-attribute mountpoint;
-attribute pidfile;
-
-# For labeling types that are to be polyinstantiated
-attribute polydir;
-
-# And for labeling the parent directories of those polyinstantiated directories
-# This is necessary for remounting the original in the parent to give
-# security aware apps access
-attribute polyparent;
-
-# And labeling for the member directories
-attribute polymember;
-
-# sensitive security files whose accesses should
-# not be dontaudited for uses
-attribute security_file_type;
-
-attribute tmpfile;
-attribute tmpfsfile;
-
-# this is a hack and should be changed
-attribute usercanread;
-
-#
-# boot_t is the type for files in /boot
-#
-type boot_t;
-files_mountpoint(boot_t)
-
-# default_t is the default type for files that do not
-# match any specification in the file_contexts configuration
-# other than the generic /.* specification.
-type default_t;
-files_mountpoint(default_t)
-
-#
-# etc_t is the type of the system etc directories.
-#
-type etc_t;
-files_type(etc_t)
-
-#
-# etc_runtime_t is the type of various
-# files in /etc that are automatically
-# generated during initialization.
-#
-type etc_runtime_t;
-files_type(etc_runtime_t)
-
-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t;
-files_mountpoint(file_t)
-kernel_rootfs_mountpoint(file_t)
-sid file gen_context(system_u:object_r:file_t,s0)
-
-#
-# home_root_t is the type for the directory where user home directories
-# are created
-#
-type home_root_t;
-files_mountpoint(home_root_t)
-files_poly_parent(home_root_t)
-
-#
-# lost_found_t is the type for the lost+found directories.
-#
-type lost_found_t;
-files_type(lost_found_t)
-
-#
-# mnt_t is the type for mount points such as /mnt/cdrom
-#
-type mnt_t;
-files_mountpoint(mnt_t)
-
-#
-# modules_object_t is the type for kernel modules
-#
-type modules_object_t;
-files_type(modules_object_t)
-
-type no_access_t;
-files_type(no_access_t)
-
-type poly_t;
-files_type(poly_t)
-
-type readable_t;
-files_type(readable_t)
-
-#
-# root_t is the type for rootfs and the root directory.
-#
-type root_t;
-files_mountpoint(root_t)
-files_poly_parent(root_t)
-kernel_rootfs_mountpoint(root_t)
-genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
-
-#
-# src_t is the type of files in the system src directories.
-#
-type src_t;
-files_mountpoint(src_t)
-
-#
-# system_map_t is for the system.map files in /boot
-#
-type system_map_t;
-files_type(system_map_t)
-
-#
-# tmp_t is the type of the temporary directories
-#
-type tmp_t;
-files_tmp_file(tmp_t)
-files_mountpoint(tmp_t)
-files_poly(tmp_t)
-files_poly_parent(tmp_t)
-
-#
-# usr_t is the type for /usr.
-#
-type usr_t;
-files_mountpoint(usr_t)
-
-#
-# var_t is the type of /var
-#
-type var_t;
-files_mountpoint(var_t)
-
-#
-# var_lib_t is the type of /var/lib
-#
-type var_lib_t;
-files_mountpoint(var_lib_t)
-
-#
-# var_lock_t is tye type of /var/lock
-#
-type var_lock_t;
-files_lock_file(var_lock_t)
-
-#
-# var_run_t is the type of /var/run, usually
-# used for pid and other runtime files.
-#
-type var_run_t;
-files_pid_file(var_run_t)
-
-#
-# var_spool_t is the type of /var/spool
-#
-type var_spool_t;
-files_tmp_file(var_spool_t)
-
-########################################
-#
-# Rules for all file types
-#
-
-allow file_type self:filesystem associate;
-
-fs_associate(file_type)
-fs_associate_noxattr(file_type)
-
-ifdef(`targeted_policy', `
-	fs_associate_tmpfs(file_type)
-')
-
-########################################
-#
-# Rules for all tmp file types
-#
-
-allow tmpfile tmp_t:filesystem associate;
-
-fs_associate_tmpfs(tmpfile)
-
-########################################
-#
-# Rules for all tmpfs file types
-#
-
-fs_associate_tmpfs(tmpfsfile)
-
-########################################
-#
-# Unconfined access to this module
-#
-
-# Create/access any file in a labeled filesystem;
-allow files_unconfined_type file_type:{ file chr_file } ~execmod;
-allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-
-# Mount/unmount any filesystem with the context= option. 
-allow files_unconfined_type file_type:filesystem *;
-
-ifdef(`targeted_policy',`
-	tunable_policy(`allow_execmod',`
-		allow files_unconfined_type file_type:file execmod;
-	')
-')
diff --git a/refpolicy/policy/modules/kernel/filesystem.fc b/refpolicy/policy/modules/kernel/filesystem.fc
deleted file mode 100644
index 7be4ddf..0000000
--- a/refpolicy/policy/modules/kernel/filesystem.fc
+++ /dev/null
@@ -1 +0,0 @@
-# This module currently does not have any file contexts.
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
deleted file mode 100644
index 6fea2a1..0000000
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ /dev/null
@@ -1,3266 +0,0 @@
-## <summary>Policy for filesystems.</summary>
-## <required val="true">
-##	Contains the initial SID for the filesystems.
-## </required>
-
-########################################
-## <summary>
-##	Transform specified type into a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_type',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	typeattribute $1 filesystem_type;
-')
-
-########################################
-## <summary>
-##	Transform specified type into a filesystem
-##	type which does not have extended attribute
-##	support.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_noxattr_type',`
-	gen_require(`
-		attribute noxattrfs;
-	')
-
-	fs_type($1)
-
-	typeattribute $1 noxattrfs;
-')
-
-########################################
-## <summary>
-##	Associate the specified file type to persistent
-##	filesystems with extended attributes.  This
-##	allows a file of this type to be created on
-##	a filesystem such as ext3, JFS, and XFS.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	The type of the to be associated.
-##	</summary>
-## </param>
-#
-interface(`fs_associate',`
-	gen_require(`
-		type fs_t;
-	')
-
-	allow $1 fs_t:filesystem associate;
-')
-
-########################################
-## <summary>
-##	Associate the specified file type to
-##	filesystems which lack extended attributes
-##	support.  This allows a file of this type
-##	to be created on a filesystem such as
-##	FAT32, and NFS.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	The type of the to be associated.
-##	</summary>
-## </param>
-#
-interface(`fs_associate_noxattr',`
-	gen_require(`
-		attribute noxattrfs;
-	')
-
-	allow $1 noxattrfs:filesystem associate;
-')
-
-########################################
-## <summary>
-##	Execute files on a filesystem that does
-##	not support extended attributes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_exec_noxattr',`
-	gen_require(`
-		attribute noxattrfs;
-	')
-
-	can_exec($1,noxattrfs)
-')
-
-########################################
-## <summary>
-##	Mount a persistent filesystem which
-##	has extended attributes, such as
-##	ext3, JFS, or XFS.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_xattr_fs',`
-	gen_require(`
-		type fs_t;
-	')
-
-	allow $1 fs_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Remount a persistent filesystem which
-##	has extended attributes, such as
-##	ext3, JFS, or XFS.  This allows
-##	some mount options to be changed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_xattr_fs',`
-	gen_require(`
-		type fs_t;
-	')
-
-	allow $1 fs_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount a persistent filesystem which
-##	has extended attributes, such as
-##	ext3, JFS, or XFS.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_xattr_fs',`
-	gen_require(`
-		type fs_t;
-	')
-
-	allow $1 fs_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of a persistent
-##	filesystem which has extended
-##	attributes, such as ext3, JFS, or XFS.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_xattr_fs',`
-	gen_require(`
-		type fs_t;
-	')
-
-	allow $1 fs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to
-##	get the attributes of a persistent
-##	filesystem which has extended
-##	attributes, such as ext3, JFS, or XFS.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_getattr_xattr_fs',`
-	gen_require(`
-		type fs_t;
-	')
-
-	dontaudit $1 fs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Allow changing of the label of a
-##	filesystem with extended attributes
-##	using the context= mount option.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_relabelfrom_xattr_fs',`
-	gen_require(`
-		type fs_t;
-	')
-
-	allow $1 fs_t:filesystem relabelfrom;
-')
-
-########################################
-## <summary>
-##	Get the filesystem quotas of a filesystem
-##	with extended attributes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_get_xattr_fs_quotas',`
-	gen_require(`
-		type fs_t;
-	')
-
-	allow $1 fs_t:filesystem quotaget;
-')
-
-########################################
-## <summary>
-##	Set the filesystem quotas of a filesystem
-##	with extended attributes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_set_xattr_fs_quotas',`
-	gen_require(`
-		type fs_t;
-	')
-
-	allow $1 fs_t:filesystem quotamod;
-')
-
-########################################
-## <summary>
-##	Mount an automount pseudo filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_autofs',`
-	gen_require(`
-		type autofs_t;
-	')
-
-	allow $1 autofs_t:filesystem mount;
-')
-
-
-########################################
-## <summary>
-##	Remount an automount pseudo filesystem
-##	This allows some mount options to be changed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_autofs',`
-	gen_require(`
-		type autofs_t;
-	')
-
-	allow $1 autofs_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount an automount pseudo filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_autofs',`
-	gen_require(`
-		type autofs_t;
-	')
-
-	allow $1 autofs_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of an automount
-##	pseudo filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_autofs',`
-	gen_require(`
-		type autofs_t;
-	')
-
-	allow $1 autofs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Search automount filesystem to use automatically
-##	mounted filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_search_auto_mountpoints',`
-	gen_require(`
-		type autofs_t;
-	')
-
-	allow $1 autofs_t:dir { getattr search };
-')
-
-########################################
-## <summary>
-##	Read directories of automatically
-##	mounted filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_list_auto_mountpoints',`
-	gen_require(`
-		type autofs_t;
-	')
-
-	allow $1 autofs_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list directories of automatically
-##	mounted filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_list_auto_mountpoints',`
-	gen_require(`
-		type autofs_t;
-	')
-
-	dontaudit $1 autofs_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of directories on
-##	binfmt_misc filesystems. 
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_binfmt_misc_dirs',`
-	gen_require(`
-		type binfmt_misc_t;
-	')
-
-	allow $1 binfmt_misc_t:dir getattr;
-
-')
-
-########################################
-## <summary>
-##	Register an interpreter for new binary
-##	file types, using the kernel binfmt_misc
-##	support.
-## </summary>
-## <desc>
-##	<p>
-##	Register an interpreter for new binary
-##	file types, using the kernel binfmt_misc
-##	support.
-##	</p>
-##	<p>
-##	A common use for this is to
-##	register a JVM as an interpreter for
-##	Java byte code.  Registered binaries
-##	can be directly executed on a command line
-##	without specifying the interpreter.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_register_binary_executable_type',`
-	gen_require(`
-		type binfmt_misc_fs_t;
-	')
-
-	allow $1 binfmt_misc_fs_t:dir { getattr search };
-	allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
-')
-
-########################################
-## <summary>
-##	Mount a CIFS or SMB network filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_cifs',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Remount a CIFS or SMB network filesystem.
-##	This allows some mount options to be changed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_cifs',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount a CIFS or SMB network filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_cifs',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of a CIFS or
-##	SMB network filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_cifs',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Search directories on a CIFS or SMB filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_search_cifs',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of directories on a
-##	CIFS or SMB filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_list_cifs',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list the contents
-##	of directories on a CIFS or SMB filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_list_cifs',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	dontaudit $1 cifs_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read files on a CIFS or SMB filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_cifs_files',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:dir r_dir_perms;
-	allow $1 cifs_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read all noxattrfs directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_list_noxattr_fs',`
-	gen_require(`
-		attribute noxattrfs;
-	')
-
-	allow $1 noxattrfs:dir r_dir_perms;
-
-')
-
-########################################
-## <summary>
-##	Read all noxattrfs files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_noxattr_fs_files',`
-	gen_require(`
-		attribute noxattrfs;
-	')
-
-	allow $1 noxattrfs:dir search_dir_perms;
-	allow $1 noxattrfs:file r_file_perms;
-
-')
-
-########################################
-## <summary>
-##	Read all noxattrfs symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_noxattr_fs_symlinks',`
-	gen_require(`
-		attribute noxattrfs;
-	')
-
-	allow $1 noxattrfs:dir search_dir_perms;
-	allow $1 noxattrfs:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read
-##	files on a CIFS or SMB filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_read_cifs_files',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	dontaudit $1 cifs_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or
-##	write files on a CIFS or SMB filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_rw_cifs_files',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	dontaudit $1 cifs_t:file { read write };
-')
-
-########################################
-## <summary>
-##	Read symbolic links on a CIFS or SMB filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_cifs_symlinks',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:dir r_dir_perms;
-	allow $1 cifs_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute files on a CIFS or SMB
-##	network filesystem, in the caller
-##	domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_exec_cifs_files',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:dir r_dir_perms;
-	can_exec($1, cifs_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete directories
-##	on a CIFS or SMB network filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_cifs_dirs',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to create, read,
-##	write, and delete directories
-##	on a CIFS or SMB network filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_manage_cifs_dirs',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	dontaudit $1 cifs_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files
-##	on a CIFS or SMB network filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_cifs_files',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:dir rw_dir_perms;
-	allow $1 cifs_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to create, read,
-##	write, and delete files
-##	on a CIFS or SMB network filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_manage_cifs_files',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	dontaudit $1 cifs_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic links
-##	on a CIFS or SMB network filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_cifs_symlinks',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:dir rw_dir_perms;
-	allow $1 cifs_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete named pipes
-##	on a CIFS or SMB network filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_cifs_named_pipes',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:dir rw_dir_perms;
-	allow $1 cifs_t:fifo_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete named sockets
-##	on a CIFS or SMB network filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_cifs_named_sockets',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:dir rw_file_perms;
-	allow $1 cifs_t:sock_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute a file on a CIFS or SMB filesystem
-##	in the specified domain.
-## </summary>
-## <desc>
-##	<p>
-##	Execute a file on a CIFS or SMB filesystem
-##	in the specified domain.  This allows
-##	the specified domain to execute any file
-##	on these filesystems in the specified
-##	domain.  This is not suggested.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-##	<p>
-##	This interface was added to handle
-##	home directories on CIFS/SMB filesystems,
-##	in particular used by the ssh-agent policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	The type of the new process.
-##	</summary>
-## </param>
-#
-interface(`fs_cifs_domtrans',`
-	gen_require(`
-		type cifs_t;
-	')
-
-	allow $1 cifs_t:dir search;
-
-	domain_auto_trans($1,cifs_t,$2)
-')
-
-########################################
-## <summary>
-##	Mount a DOS filesystem, such as
-##	FAT32 or NTFS.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_dos_fs',`
-	gen_require(`
-		type dosfs_t;
-	')
-
-	allow $1 dosfs_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Remount a DOS filesystem, such as
-##	FAT32 or NTFS.  This allows
-##	some mount options to be changed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_dos_fs',`
-	gen_require(`
-		type dosfs_t;
-	')
-
-	allow $1 dosfs_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount a DOS filesystem, such as
-##	FAT32 or NTFS.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_dos_fs',`
-	gen_require(`
-		type dosfs_t;
-	')
-
-	allow $1 dosfs_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of a DOS
-##	filesystem, such as FAT32 or NTFS.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_dos_fs',`
-	gen_require(`
-		type dosfs_t;
-	')
-
-	allow $1 dosfs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Allow changing of the label of a
-##	DOS filesystem using the context= mount option.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_relabelfrom_dos_fs',`
-	gen_require(`
-		type dosfs_t;
-	')
-
-	allow $1 dosfs_t:filesystem relabelfrom;
-')
-
-########################################
-## <summary>
-##	Read eventpollfs files.
-## </summary>
-## <desc>
-##	<p>
-##	Read eventpollfs files
-##	</p>
-##	<p>
-##	This interface has been deprecated, and will
-##	be removed in the future.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_eventpollfs',`
-	errprint(__file__:__line__:` $0($*) has been deprecated.'__endline__)
-')
-
-########################################
-## <summary>
-##	Search inotifyfs filesystem. 
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_search_inotifyfs',`
-	gen_require(`
-		type inotifyfs_t;
-	')
-
-	allow $1 inotifyfs_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List inotifyfs filesystem. 
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_list_inotifyfs',`
-	gen_require(`
-		type inotifyfs_t;
-	')
-
-	allow $1 inotifyfs_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Mount an iso9660 filesystem, which
-##	is usually used on CDs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_iso9660_fs',`
-	gen_require(`
-		type iso9660_t;
-	')
-
-	allow $1 iso9660_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Remount an iso9660 filesystem, which
-##	is usually used on CDs.  This allows
-##	some mount options to be changed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_iso9660_fs',`
-	gen_require(`
-		type iso9660_t;
-	')
-
-	allow $1 iso9660_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount an iso9660 filesystem, which
-##	is usually used on CDs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_iso9660_fs',`
-	gen_require(`
-		type iso9660_t;
-	')
-
-	allow $1 iso9660_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of an iso9660
-##	filesystem, which is usually used on CDs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_iso9660_fs',`
-	gen_require(`
-		type iso9660_t;
-	')
-
-	allow $1 iso9660_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Read files on an iso9660 filesystem, which
-##	is usually used on CDs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_iso9660_files',`
-	gen_require(`
-		type iso9660_t;
-	')
-
-	allow $1 iso9660_t:dir list_dir_perms;
-	allow $1 iso9660_t:file read_file_perms;
-	allow $1 iso9660_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Mount a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_nfs',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Remount a NFS filesystem.  This allows
-##	some mount options to be changed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_nfs',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_nfs',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_nfs',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Search directories on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_search_nfs',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir search;
-')
-
-########################################
-## <summary>
-##	List NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_list_nfs',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list the contents
-##	of directories on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_list_nfs',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	dontaudit $1 nfs_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read files on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_nfs_files',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir r_dir_perms;
-	allow $1 nfs_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read
-##	files on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_read_nfs_files',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	dontaudit $1 nfs_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read files on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_write_nfs_files',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir r_dir_perms;
-	allow $1 nfs_t:file write;
-')
-
-########################################
-## <summary>
-##	Execute files on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_exec_nfs_files',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir r_dir_perms;
-	can_exec($1, nfs_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or
-##	write files on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_rw_nfs_files',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	dontaudit $1 nfs_t:file { read write };
-')
-
-########################################
-## <summary>
-##	Read symbolic links on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_nfs_symlinks',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir r_dir_perms;
-	allow $1 nfs_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read directories of RPC file system pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_rpc_dirs',`
-	gen_require(`
-		type rpc_pipefs_t;
-	')
-
-	allow $1 rpc_pipefs_t:dir getattr;
-
-')
-
-########################################
-## <summary>
-##	Search directories of RPC file system pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_search_rpc',`
-	gen_require(`
-		type rpc_pipefs_t;
-	')
-
-	allow $1 rpc_pipefs_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Search removable storage directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_search_removable',`
-	gen_require(`
-		type removable_t;
-	')
-
-	allow $1 removable_t:dir { getattr read search };
-
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list removable storage directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain not to audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_list_removable',`
-	gen_require(`
-		type removable_t;
-	')
-	dontaudit $1 removable_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read removable storage files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_removable_files',`
-	gen_require(`
-		type removable_t;
-	')
-
-	allow $1 removable_t:file { read getattr };
-
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read removable storage files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain not to audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_read_removable_files',`
-	gen_require(`
-		type removable_t;
-	')
-	dontaudit $1 removable_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read removable storage symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_removable_symlinks',`
-	gen_require(`
-		type removable_t;
-	')
-
-	allow $1 removable_t:lnk_file { getattr read };
-
-')
-
-########################################
-## <summary>
-##	Read directories of RPC file system pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_list_rpc',`
-	gen_require(`
-		type rpc_pipefs_t;
-	')
-
-	allow $1 rpc_pipefs_t:dir { getattr read search };
-
-')
-
-########################################
-## <summary>
-##	Read files of RPC file system pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_rpc_files',`
-	gen_require(`
-		type rpc_pipefs_t;
-	')
-
-	allow $1 rpc_pipefs_t:file { read getattr };
-
-')
-
-########################################
-## <summary>
-##	Read symbolic links of RPC file system pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_rpc_symlinks',`
-	gen_require(`
-		type rpc_pipefs_t;
-	')
-
-	allow $1 rpc_pipefs_t:lnk_file { getattr read };
-
-')
-
-########################################
-## <summary>
-##	Read sockets of RPC file system pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_rpc_sockets',`
-	gen_require(`
-		type rpc_pipefs_t;
-	')
-
-	allow $1 rpc_pipefs_t:sock_file { read write };
-
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete directories
-##	on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_nfs_dirs',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to create, read,
-##	write, and delete directories
-##	on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_manage_nfs_dirs',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	dontaudit $1 nfs_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files
-##	on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_nfs_files',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir rw_dir_perms;
-	allow $1 nfs_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to create,
-##	read, write, and delete files
-##	on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_manage_nfs_files',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	dontaudit $1 nfs_t:file create_file_perms;
-')
-
-#########################################
-## <summary>
-##	Create, read, write, and delete symbolic links
-##	on a CIFS or SMB network filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_nfs_symlinks',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir rw_dir_perms;
-	allow $1 nfs_t:lnk_file create_lnk_perms;
-')
-
-#########################################
-## <summary>
-##	Create, read, write, and delete named pipes
-##	on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_nfs_named_pipes',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir rw_dir_perms;
-	allow $1 nfs_t:fifo_file create_file_perms;
-')
-
-#########################################
-## <summary>
-##	Create, read, write, and delete named sockets
-##	on a NFS filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_nfs_named_sockets',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir rw_dir_perms;
-	allow $1 nfs_t:sock_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute a file on a NFS filesystem
-##	in the specified domain.
-## </summary>
-## <desc>
-##	<p>
-##	Execute a file on a NFS filesystem
-##	in the specified domain.  This allows
-##	the specified domain to execute any file
-##	on a NFS filesystem in the specified
-##	domain.  This is not suggested.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-##	<p>
-##	This interface was added to handle
-##	home directories on NFS filesystems,
-##	in particular used by the ssh-agent policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	The type of the new process.
-##	</summary>
-## </param>
-#
-interface(`fs_nfs_domtrans',`
-	gen_require(`
-		type nfs_t;
-	')
-
-	allow $1 nfs_t:dir search;
-
-	domain_auto_trans($1,nfs_t,$2)
-')
-
-########################################
-## <summary>
-##	Mount a NFS server pseudo filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_nfsd_fs',`
-	gen_require(`
-		type nfsd_fs_t;
-	')
-
-	allow $1 nfsd_fs_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Mount a NFS server pseudo filesystem.
-##	This allows some mount options to be changed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_nfsd_fs',`
-	gen_require(`
-		type nfsd_fs_t;
-	')
-
-	allow $1 nfsd_fs_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount a NFS server pseudo filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_nfsd_fs',`
-	gen_require(`
-		type nfsd_fs_t;
-	')
-
-	allow $1 nfsd_fs_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of a NFS server
-##	pseudo filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_nfsd_fs',`
-	gen_require(`
-		type nfsd_fs_t;
-	')
-
-	allow $1 nfsd_fs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Search NFS server directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_search_nfsd_fs',`
-	gen_require(`
-		type nfsd_fs_t;
-	')
-
-	allow $1 nfsd_fs_t:dir search;
-')
-
-########################################
-## <summary>
-##	Read and write NFS server files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_rw_nfsd_fs',`
-	gen_require(`
-		type nfsd_fs_t;
-	')
-
-	allow $1 nfsd_fs_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Mount a RAM filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_ramfs',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	allow $1 ramfs_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Remount a RAM filesystem.  This allows
-##	some mount options to be changed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_ramfs',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	allow $1 ramfs_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount a RAM filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_ramfs',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	allow $1 ramfs_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of a RAM filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_ramfs',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	allow $1 ramfs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Search directories on a ramfs
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_search_ramfs',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	allow $1 ramfs_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Dontaudit Search directories on a ramfs
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_search_ramfs',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	dontaudit $1 ramfs_t:dir search;
-')
-
-########################################
-## <summary>
-##	Dontaudit read on a ramfs files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_read_ramfs_files',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	dontaudit $1 ramfs_t:file read;
-')
-
-########################################
-## <summary>
-##	Dontaudit read on a ramfs fifo_files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_read_ramfs_pipes',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	dontaudit $1 ramfs_t:fifo_file read;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	files on a ramfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_ramfs_files',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	allow $1 ramfs_t:dir rw_dir_perms;
-	allow $1 ramfs_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Write to named pipe on a ramfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_write_ramfs_pipes',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	allow $1 ramfs_t:dir search_dir_perms;
-	allow $1 ramfs_t:fifo_file write;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write to named 
-##	pipes on a ramfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_write_ramfs_pipes',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	dontaudit $1 ramfs_t:fifo_file write;
-')
-
-########################################
-## <summary>
-##	Read and write a named pipe on a ramfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_rw_ramfs_pipes',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	allow $1 ramfs_t:dir search_dir_perms;
-	allow $1 ramfs_t:fifo_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete 
-##	named pipes on a ramfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_ramfs_pipes',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	allow $1 ramfs_t:dir rw_dir_perms;
-	allow $1 ramfs_t:fifo_file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Write to named socket on a ramfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_write_ramfs_sockets',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	allow $1 ramfs_t:sock_file write;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	named sockets on a ramfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_ramfs_sockets',`
-	gen_require(`
-		type ramfs_t;
-	')
-
-	allow $1 ramfs_t:dir rw_dir_perms;
-	allow $1 ramfs_t:sock_file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Mount a ROM filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_romfs',`
-	gen_require(`
-		type romfs_t;
-	')
-
-	allow $1 romfs_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Remount a ROM filesystem.  This allows
-##	some mount options to be changed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_romfs',`
-	gen_require(`
-		type romfs_t;
-	')
-
-	allow $1 romfs_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount a ROM filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_romfs',`
-	gen_require(`
-		type romfs_t;
-	')
-
-	allow $1 romfs_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of a ROM
-##	filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_romfs',`
-	gen_require(`
-		type romfs_t;
-	')
-
-	allow $1 romfs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Mount a RPC pipe filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_rpc_pipefs',`
-	gen_require(`
-		type rpc_pipefs_t;
-	')
-
-	allow $1 rpc_pipefs_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Remount a RPC pipe filesystem.  This
-##	allows some mount option to be changed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_rpc_pipefs',`
-	gen_require(`
-		type rpc_pipefs_t;
-	')
-
-	allow $1 rpc_pipefs_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount a RPC pipe filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_rpc_pipefs',`
-	gen_require(`
-		type rpc_pipefs_t;
-	')
-
-	allow $1 rpc_pipefs_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of a RPC pipe
-##	filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_rpc_pipefs',`
-	gen_require(`
-		type rpc_pipefs_t;
-	')
-
-	allow $1 rpc_pipefs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Mount a tmpfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_tmpfs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Remount a tmpfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_tmpfs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount a tmpfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_tmpfs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of a tmpfs
-##	filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_tmpfs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Allow the type to associate to tmpfs filesystems.
-## </summary>
-## <param name="type">
-##	<summary>
-##	The type of the object to be associated.
-##	</summary>
-## </param>
-#
-interface(`fs_associate_tmpfs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:filesystem associate;
-')
-
-########################################
-## <summary>
-##	Get the attributes of tmpfs directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_tmpfs_dirs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of tmpfs directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_getattr_tmpfs_dirs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	dontaudit $1 tmpfs_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of tmpfs directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_setattr_tmpfs_dirs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir setattr;
-')
-
-########################################
-## <summary>
-##	Search tmpfs directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_search_tmpfs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of generic tmpfs directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_list_tmpfs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list the
-##	contents of generic tmpfs directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_list_tmpfs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	dontaudit $1 tmpfs_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	tmpfs directories
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_tmpfs_dirs',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create an object in a tmpfs filesystem, with a private
-##	type using a type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`fs_tmpfs_filetrans',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $2 tmpfs_t:filesystem associate;
-	allow $1 tmpfs_t:dir rw_dir_perms;
-	type_transition $1 tmpfs_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or write
-##	generic tmpfs files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_rw_tmpfs_files',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	dontaudit $1 tmpfs_t:file { read write };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	auto moutpoints.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_auto_mountpoints',`
-	gen_require(`
-		type autofs_t;
-	')
-
-	allow $1 autofs_t:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read and write generic tmpfs files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_rw_tmpfs_files',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	fs_search_tmpfs($1)
-	allow $1 tmpfs_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read tmpfs link files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_tmpfs_symlinks',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	fs_search_tmpfs($1)
-	allow $1 tmpfs_t:lnk_file read;
-')
-
-########################################
-## <summary>
-##	Read and write character nodes on tmpfs filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_rw_tmpfs_chr_files',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir r_dir_perms;
-	allow $1 tmpfs_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	dontaudit Read and write character nodes on tmpfs filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_use_tmpfs_chr_dev',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	dontaudit $1 tmpfs_t:dir r_dir_perms;
-	dontaudit $1 tmpfs_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Relabel character nodes on tmpfs filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_relabel_tmpfs_chr_file',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir r_dir_perms;
-	allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Read and write block nodes on tmpfs filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_rw_tmpfs_blk_files',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir r_dir_perms;
-	allow $1 tmpfs_t:blk_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Relabel block nodes on tmpfs filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_relabel_tmpfs_blk_file',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir r_dir_perms;
-	allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Read and write, create and delete generic
-##	files on tmpfs filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_tmpfs_files',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir rw_dir_perms;
-	allow $1 tmpfs_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write, create and delete symbolic
-##	links on tmpfs filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_tmpfs_symlinks',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir rw_dir_perms;
-	allow $1 tmpfs_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Read and write, create and delete socket
-##	files on tmpfs filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_tmpfs_sockets',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir rw_dir_perms;
-	allow $1 tmpfs_t:sock_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write, create and delete character
-##	nodes on tmpfs filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_tmpfs_chr_files',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir rw_dir_perms;
-	allow $1 tmpfs_t:chr_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write, create and delete block nodes
-##	on tmpfs filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_tmpfs_blk_files',`
-	gen_require(`
-		type tmpfs_t;
-	')
-
-	allow $1 tmpfs_t:dir rw_dir_perms;
-	allow $1 tmpfs_t:blk_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Mount all filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_mount_all_fs',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Remount all filesystems.  This
-##	allows some mount options to be changed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_remount_all_fs',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Unmount all filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unmount_all_fs',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all persistent
-##	filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_all_fs',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	all filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_getattr_all_fs',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	dontaudit $1 filesystem_type:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Get the quotas of all filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain getting quotas.
-##	</summary>
-## </param>
-#
-interface(`fs_get_all_fs_quotas',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:filesystem quotaget;
-')
-
-########################################
-## <summary>
-##	Set the quotas of all filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain setting quotas.
-##	</summary>
-## </param>
-#
-interface(`fs_set_all_quotas',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:filesystem quotamod;
-')
-
-########################################
-## <summary>
-##	Relabelfrom all filesystems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_relabelfrom_all_fs',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:filesystem relabelfrom;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all directories
-##	with a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_all_dirs',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search all directories with a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_search_all',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List all directories with a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_list_all',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all files with
-##	a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_all_files',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:dir { search getattr };
-	allow $1 filesystem_type:file getattr;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all symbolic links with
-##	a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_all_symlinks',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:dir { search getattr };
-	allow $1 filesystem_type:lnk_file getattr;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all named pipes with
-##	a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_all_pipes',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:dir { search getattr };
-	allow $1 filesystem_type:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Get the attributes of all named sockets with
-##	a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_getattr_all_sockets',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	allow $1 filesystem_type:dir { search getattr };
-	allow $1 filesystem_type:sock_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all files with a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_getattr_all_files',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	dontaudit $1 filesystem_type:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all symbolic links with a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_getattr_all_symlinks',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	dontaudit $1 filesystem_type:lnk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all named pipes with a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_getattr_all_pipes',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	dontaudit $1 filesystem_type:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all named sockets with a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_getattr_all_sockets',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	dontaudit $1 filesystem_type:sock_file getattr;
-')
-
-########################################
-## <summary>
-##	Unconfined access to filesystems
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_unconfined',`
-	gen_require(`
-		attribute filesystem_unconfined_type;
-	')
-
-	typeattribute $1 filesystem_unconfined_type;
-')
-
-########################################
-## <summary>
-##	Relabel all objets from filesystems that
-##	do not support extended attributes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_relabelfrom_noxattr_fs',`
-	gen_require(`
-		attribute noxattrfs;
-	')
-
-	allow $1 noxattrfs:dir { list_dir_perms relabelfrom };
-	allow $1 noxattrfs:file { getattr relabelfrom };
-	allow $1 noxattrfs:lnk_file { getattr relabelfrom };
-	allow $1 noxattrfs:fifo_file { getattr relabelfrom };
-	allow $1 noxattrfs:sock_file { getattr relabelfrom };
-	allow $1 noxattrfs:blk_file { getattr relabelfrom };
-	allow $1 noxattrfs:chr_file { getattr relabelfrom };
-')
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
deleted file mode 100644
index 104b56b..0000000
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ /dev/null
@@ -1,203 +0,0 @@
-
-policy_module(filesystem,1.3.12)
-
-########################################
-#
-# Declarations
-#
-
-attribute filesystem_type;
-attribute filesystem_unconfined_type;
-attribute noxattrfs;
-
-##############################
-#
-# fs_t is the default type for persistent
-# filesystems with extended attributes
-#
-type fs_t;
-fs_type(fs_t)
-sid fs gen_context(system_u:object_r:fs_t,s0)
-
-# Use xattrs for the following filesystem types.
-# Requires that a security xattr handler exist for the filesystem.
-fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
-fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
-fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
-fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
-fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
-
-# Use the allocating task SID to label inodes in the following filesystem
-# types, and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems that represent objects
-# like pipes and sockets, so that these objects are labeled with the same
-# type as the creating task.  
-fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
-fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
-fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
-
-##############################
-#
-# Non-persistent/pseudo filesystems
-#
-type bdev_t;
-fs_type(bdev_t)
-genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
-
-type binfmt_misc_fs_t;
-fs_type(binfmt_misc_fs_t)
-files_mountpoint(binfmt_misc_fs_t)
-genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
-
-type capifs_t;
-fs_type(capifs_t)
-genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
-
-type configfs_t;
-fs_type(configfs_t)
-genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
-
-type eventpollfs_t;
-fs_type(eventpollfs_t)
-# change to task SID 20060628
-#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
-
-type futexfs_t;
-fs_type(futexfs_t)
-genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-
-type hugetlbfs_t;
-fs_type(hugetlbfs_t)
-files_mountpoint(hugetlbfs_t)
-genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
-
-type ibmasmfs_t;
-fs_type(ibmasmfs_t)
-allow ibmasmfs_t self:filesystem associate;
-genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
-
-type inotifyfs_t;
-fs_type(inotifyfs_t)
-genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
-
-type nfsd_fs_t;
-fs_type(nfsd_fs_t)
-genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
-
-type oprofilefs_t;
-fs_type(oprofilefs_t)
-genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
-
-type ramfs_t;
-fs_type(ramfs_t)
-genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
-
-type romfs_t;
-fs_type(romfs_t)
-genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
-genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
-
-type rpc_pipefs_t;
-fs_type(rpc_pipefs_t)
-genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
-
-#
-# tmpfs_t is the type for tmpfs filesystems
-#
-type tmpfs_t;
-fs_type(tmpfs_t)
-files_type(tmpfs_t)
-files_mountpoint(tmpfs_t)
-
-# Use a transition SID based on the allocating task SID and the
-# filesystem SID to label inodes in the following filesystem types,
-# and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems like devpts and tmpfs
-# where we want to label objects with a derived type.
-fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
-fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
-fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
-
-allow tmpfs_t noxattrfs:filesystem associate;
-
-##############################
-#
-# Filesystems without extended attribute support
-#
-type autofs_t;
-fs_noxattr_type(autofs_t)
-files_mountpoint(autofs_t)
-genfscon autofs / gen_context(system_u:object_r:autofs_t,s0)
-genfscon automount / gen_context(system_u:object_r:autofs_t,s0)
-
-#
-# cifs_t is the type for filesystems and their
-# files shared from Windows servers
-#
-type cifs_t alias sambafs_t;
-fs_noxattr_type(cifs_t)
-genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)
-genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
-
-#
-# dosfs_t is the type for fat and vfat
-# filesystems and their files.
-#
-type dosfs_t;
-fs_noxattr_type(dosfs_t)
-allow dosfs_t fs_t:filesystem associate;
-genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
-genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
-genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
-genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
-
-#
-# iso9660_t is the type for CD filesystems
-# and their files.
-#
-type iso9660_t;
-fs_noxattr_type(iso9660_t)
-genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
-genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
-
-#
-# removable_t is the default type of all removable media
-#
-type removable_t;
-allow removable_t noxattrfs:filesystem associate;
-fs_noxattr_type(removable_t)
-files_type(removable_t)
-
-#
-# nfs_t is the default type for NFS file systems
-# and their files.
-#
-type nfs_t;
-fs_noxattr_type(nfs_t)
-files_mountpoint(nfs_t)
-genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
-genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
-genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
-
-########################################
-#
-# Rules for all filesystem types
-#
-
-allow filesystem_type self:filesystem associate;
-
-########################################
-#
-# Unconfined access to this module
-#
-
-allow filesystem_unconfined_type filesystem_type:filesystem *;
-
-# Create/access other files.  fs_type is to pick up various
-# pseudo filesystem types that are applied to both the filesystem
-# and its files.
-allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
diff --git a/refpolicy/policy/modules/kernel/kernel.fc b/refpolicy/policy/modules/kernel/kernel.fc
deleted file mode 100644
index 7be4ddf..0000000
--- a/refpolicy/policy/modules/kernel/kernel.fc
+++ /dev/null
@@ -1 +0,0 @@
-# This module currently does not have any file contexts.
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
deleted file mode 100644
index 230b601..0000000
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ /dev/null
@@ -1,2101 +0,0 @@
-## <summary>
-##	Policy for kernel threads, proc filesystem, 
-##	and unlabeled processes and objects.
-## </summary>
-## <required val="true">
-##	This module has initial SIDs.
-## </required>
-
-########################################
-## <summary>
-##	Allows to start userland processes
-##	by transitioning to the specified domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type entered by kernel.
-##	</summary>
-## </param>
-## <param name="entrypoint">
-##	<summary>
-##	The executable type for the entrypoint.
-##	</summary>
-## </param>
-#
-interface(`kernel_domtrans_to',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	domain_auto_trans(kernel_t, $2, $1)
-
-	allow kernel_t $1:fd use;
-	allow $1 kernel_t:fd use;
-	allow $1 kernel_t:fifo_file rw_file_perms;
-	allow $1 kernel_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Allows the kernel to mount filesystems on
-##	the specified directory type.
-## </summary>
-## <param name="directory_type">
-##	<summary>
-##	The type of the directory to use as a mountpoint.
-##	</summary>
-## </param>
-#
-interface(`kernel_rootfs_mountpoint',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow kernel_t $1:dir mounton;
-')
-
-########################################
-## <summary>
-##	Set the process group of kernel threads.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_setpgid',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:process setpgid;
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to kernel threads.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process sending the signal.
-##	</summary>
-## </param>
-#
-interface(`kernel_sigchld',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send a generic signal to kernel threads.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process sending the signal.
-##	</summary>
-## </param>
-#
-interface(`kernel_signal',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow kernel_t $1:process signal;
-')
-
-########################################
-## <summary>
-##	Allows the kernel to share state information with
-##	the caller.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process with which to share state information.
-##	</summary>
-## </param>
-#
-interface(`kernel_share_state',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow kernel_t $1:process share;
-')
-
-########################################
-## <summary>
-##	Permits caller to use kernel file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process using the descriptors.
-##	</summary>
-## </param>
-#
-interface(`kernel_use_fds',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to use
-##	kernel file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of process not to audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_use_fds',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	dontaudit $1 kernel_t:fd use;
-')
-
-########################################
-## <summary>
-##	Read and write kernel unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_pipes',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:fifo_file { read write };
-')
-
-########################################
-## <summary>
-##	Read and write kernel unix datagram sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_unix_dgram_sockets',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:unix_dgram_socket { read write ioctl };
-')
-
-########################################
-## <summary>
-##	Send messages to kernel unix datagram sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_dgram_send',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:unix_dgram_socket sendto;
-')
-
-########################################
-## <summary>
-##	Receive messages from kernel TCP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_tcp_recvfrom',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:tcp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic to the kernel.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_udp_send',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:udp_socket sendto;
-	allow kernel_t $1:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Receive messages from kernel UDP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_udp_recvfrom',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Allows caller to load kernel modules
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type to allow to load kernel modules.
-##	</summary>
-## </param>
-#
-interface(`kernel_load_module',`
-	gen_require(`
-		attribute can_load_kernmodule;
-	')
-
-	allow $1 self:capability sys_module;
-	typeattribute $1 can_load_kernmodule;
-')
-
-########################################
-## <summary>
-##	Allows caller to read the ring buffer.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type allowed to read the ring buffer.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_ring_buffer',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:system syslog_read;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read the ring buffer.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_read_ring_buffer',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	dontaudit $1 kernel_t:system syslog_read;
-')
-
-########################################
-## <summary>
-##	Change the level of kernel messages logged to the console.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_change_ring_buffer_level',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:system syslog_console;
-')
-
-########################################
-## <summary>
-##	Allows the caller to clear the ring buffer.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type clearing the buffer.
-##	</summary>
-## </param>
-#
-interface(`kernel_clear_ring_buffer',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:system syslog_mod;
-')
-
-########################################
-## <summary>
-##	Get information on all System V IPC objects.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	
-##	</summary>
-## </param>
-#
-interface(`kernel_get_sysvipc_info',`
-	gen_require(`
-		type kernel_t;
-	')
-
-	allow $1 kernel_t:system ipc_info;
-')
-
-########################################
-## <summary>
-##	Get the attributes of a kernel debugging filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_getattr_debugfs',`
-	gen_require(`
-		type debugfs_t;
-	')
-
-	allow $1 debugfs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Mount a kernel debugging filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain mounting the filesystem.
-##	</summary>
-## </param>
-#
-interface(`kernel_mount_debugfs',`
-	gen_require(`
-		type debugfs_t;
-	')
-
-	allow $1 debugfs_t:filesystem mount;
-')
-
-########################################
-## <summary>
-##	Unmount a kernel debugging filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain unmounting the filesystem.
-##	</summary>
-## </param>
-#
-interface(`kernel_unmount_debugfs',`
-	gen_require(`
-		type debugfs_t;
-	')
-
-	allow $1 debugfs_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Remount a kernel debugging filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain remounting the filesystem.
-##	</summary>
-## </param>
-#
-interface(`kernel_remount_debugfs',`
-	gen_require(`
-		type debugfs_t;
-	')
-
-	allow $1 debugfs_t:filesystem remount;
-')
-
-########################################
-## <summary>
-##	Search the contents of a kernel debugging filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_search_debugfs',`
-	gen_require(`
-		type debugfs_t;
-	')
-
-	allow $1 debugfs_t:dir search;
-')
-
-########################################
-## <summary>
-##	Read information from the debugging filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_debugfs',`
-	gen_require(`
-		type debugfs_t;
-	')
-
-	allow $1 debugfs_t:dir r_dir_perms;
-	allow $1 debugfs_t:file r_file_perms;
-	allow $1 debugfs_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Unmount the proc filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain unmounting the filesystem.
-##	</summary>
-## </param>
-#
-interface(`kernel_unmount_proc',`
-	gen_require(`
-		type proc_t;
-	')
-
-	allow $1 proc_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the proc filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_getattr_proc',`
-	gen_require(`
-		type proc_t;
-	')
-
-	allow $1 proc_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-##	Search directories in /proc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_search_proc',`
-	gen_require(`
-		type proc_t;
-	')
-
-	allow $1 proc_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of directories in /proc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_list_proc',`
-	gen_require(`
-		type proc_t;
-	')
-
-	allow $1 proc_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list the
-##	contents of directories in /proc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_list_proc',`
-	gen_require(`
-		type proc_t;
-	')
-
-	dontaudit $1 proc_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of files in /proc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_getattr_proc_files',`
-	gen_require(`
-		type proc_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 proc_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Read symbolic links in /proc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_proc_symlinks',`
-	gen_require(`
-		type proc_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 proc_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allows caller to read system state information in proc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading the system state information.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_system_state',`
-	gen_require(`
-		type proc_t;
-	')
-
-	allow $1 proc_t:dir r_dir_perms;
-	allow $1 proc_t:lnk_file { getattr read };
-	allow $1 proc_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Write to generic proc entries.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: this should probably go away.  any
-# file thats writable in proc should really
-# have its own label.
-#
-interface(`kernel_write_proc_files',`
-	gen_require(`
-		type proc_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 proc_t:file { append write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to
-##	read system state information in proc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type not to audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_read_system_state',`
-	gen_require(`
-		type proc_t;
-	')
-
-	dontaudit $1 proc_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to
-##	read system state information in proc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type not to audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_read_proc_symlinks',`
-	gen_require(`
-		type proc_t;
-	')
-
-	dontaudit $1 proc_t:lnk_file read;
-')
-
-#######################################
-## <summary>
-##	Allow caller to read the state information for software raid.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading software raid state.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_software_raid_state',`
-	gen_require(`
-		type proc_t, proc_mdstat_t;
-	')
-
-	allow $1 proc_t:dir r_dir_perms;
-	allow $1 proc_mdstat_t:file r_file_perms;
-')
-
-#######################################
-## <summary>
-##	Allow caller to read and set the state information for software raid.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading software raid state.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_software_raid_state',`
-	gen_require(`
-		type proc_t, proc_mdstat_t;
-	')
-
-	allow $1 proc_t:dir r_dir_perms;
-	allow $1 proc_mdstat_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Allows caller to get attribues of core kernel interface.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type getting the attibutes.
-##	</summary>
-## </param>
-#
-interface(`kernel_getattr_core_if',`
-	gen_require(`
-		type proc_t, proc_kcore_t;
-	')
-
-	allow $1 proc_t:dir r_dir_perms;
-	allow $1 proc_kcore_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes of
-##	core kernel interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type to not audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_getattr_core_if',`
-	gen_require(`
-		type proc_kcore_t;
-	')
-
-	dontaudit $1 proc_kcore_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Allow caller to read kernel messages
-##	using the /proc/kmsg interface.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading the messages.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_messages',`
-	gen_require(`
-		attribute can_receive_kernel_messages;
-		type proc_kmsg_t, proc_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 proc_kmsg_t:file r_file_perms;
-	typeattribute $1 can_receive_kernel_messages;
-')
-
-########################################
-## <summary>
-##	Allow caller to get the attributes of kernel message
-##	interface (/proc/kmsg).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type getting the attributes.
-##	</summary>
-## </param>
-#
-interface(`kernel_getattr_message_if',`
-	gen_require(`
-		type proc_kmsg_t, proc_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 proc_kmsg_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to get the attributes of kernel
-##	message interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type not to audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_getattr_message_if',`
-	gen_require(`
-		type proc_kmsg_t, proc_t;
-	')
-
-	dontaudit $1 proc_kmsg_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the network
-##	state directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading the state.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_dontaudit_search_network_state',`
-	gen_require(`
-		type proc_net_t;
-	')
-
-	dontaudit $1 proc_net_t:dir search;
-')
-
-########################################
-## <summary>
-##	Allow searching of network state directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading the state.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_search_network_state',`
-	gen_require(`
-		type proc_net_t;
-	')
-
-	allow $1 proc_net_t:dir search;
-')
-
-########################################
-## <summary>
-##	Allow caller to read the network state information.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading the state.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_read_network_state',`
-	gen_require(`
-		type proc_t, proc_net_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 proc_net_t:dir r_dir_perms;
-	allow $1 proc_net_t:file r_file_perms;
-	allow $1 proc_net_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow caller to read the network state symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading the state.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_read_network_state_symlinks',`
-	gen_require(`
-		type proc_t, proc_net_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 proc_net_t:dir r_dir_perms;
-	allow $1 proc_net_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow searching of xen state directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading the state.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_search_xen_state',`
-	gen_require(`
-		type proc_t, proc_xen_t;
-	')
-
-	allow $1 proc_t:dir search_dir_perms;
-	allow $1 proc_xen_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the xen
-##	state directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading the state.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_dontaudit_search_xen_state',`
-	gen_require(`
-		type proc_xen_t;
-	')
-
-	dontaudit $1 proc_xen_t:dir search;
-')
-
-########################################
-## <summary>
-##	Allow caller to read the xen state information.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading the state.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_read_xen_state',`
-	gen_require(`
-		type proc_t, proc_xen_t;
-	')
-
-	allow $1 proc_t:dir search_dir_perms;
-	allow $1 proc_xen_t:dir r_dir_perms;
-	allow $1 proc_xen_t:file r_file_perms;
-	allow $1 proc_xen_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow caller to read the xen state symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading the state.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_read_xen_state_symlinks',`
-	gen_require(`
-		type proc_t, proc_xen_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 proc_xen_t:dir r_dir_perms;
-	allow $1 proc_xen_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow caller to write xen state information.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type writing the state.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_write_xen_state',`
-	gen_require(`
-		type proc_t, proc_xen_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 proc_xen_t:dir r_dir_perms;
-	allow $1 proc_xen_t:file write;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to search
-##	the base directory of sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type not to audit.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_dontaudit_search_sysctl',`
-	gen_require(`
-		type sysctl_t;
-	')
-
-	dontaudit $1 sysctl_t:dir search;
-')
-
-########################################
-## <summary>
-##	Allow access to read sysctl directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type to allow to read sysctl directories.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_read_sysctl',`
-	gen_require(`
-		type sysctl_t;
-	')
-
-	allow $1 sysctl_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Allow caller to read the device sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type to allow to read the device sysctls.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_device_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_dev_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_dev_t:dir r_dir_perms;
-	allow $1 sysctl_dev_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write device sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_device_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_dev_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_dev_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow caller to search virtual memory sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_search_vm_sysctl',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_t;
-	')
-
-	allow $1 { proc_t sysctl_t sysctl_vm_t }:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Allow caller to read virtual memory sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_read_vm_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_vm_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write virtual memory sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_vm_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_vm_t:dir list_dir_perms;
-	allow $1 sysctl_vm_t:file rw_file_perms;
-
-	# hal needs this
-	allow $1 sysctl_vm_t:dir write;
-')
-
-########################################
-## <summary>
-##	Search network sysctl directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_search_network_sysctl',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_net_t;
-	')
-
-	allow $1 { proc_t sysctl_t sysctl_net_t }:dir search;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to search network sysctl directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type not to audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_search_network_sysctl',`
-	gen_require(`
-		type sysctl_net_t;
-	')
-
-	dontaudit $1 sysctl_net_t:dir search;
-')
-
-########################################
-## <summary>
-##	Allow caller to read network sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_read_net_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_net_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_net_t:dir r_dir_perms;
-	allow $1 sysctl_net_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow caller to modiry contents of sysctl network files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_net_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_net_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_net_t:dir r_dir_perms;
-	allow $1 sysctl_net_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow caller to read unix domain
-##	socket sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_unix_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_net_t:dir r_dir_perms;
-	allow $1 sysctl_net_unix_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write unix domain
-##	socket sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_unix_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_net_t:dir r_dir_perms;
-	allow $1 sysctl_net_unix_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read the hotplug sysctl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_hotplug_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
-	allow $1 sysctl_hotplug_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the hotplug sysctl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_hotplug_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
-	allow $1 sysctl_hotplug_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read the modprobe sysctl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_modprobe_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
-	allow $1 sysctl_modprobe_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the modprobe sysctl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_modprobe_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
-	allow $1 sysctl_modprobe_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search generic kernel sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_search_kernel_sysctl',`
-	gen_require(`
-		type sysctl_kernel_t;
-	')
-
-	dontaudit $1 sysctl_kernel_t:dir search;
-')
-
-########################################
-## <summary>
-##	Read generic kernel sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_kernel_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t;
-	')
-
-	allow $1 proc_t:dir search_dir_perms;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
-	allow $1 sysctl_kernel_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write generic kernel sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_write_kernel_sysctl',`
-	gen_require(`
-		type sysctl_kernel_t;
-	')
-
-	dontaudit $1 sysctl_kernel_t:file write;
-')
-
-########################################
-## <summary>
-##	Read and write generic kernel sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_kernel_sysctl',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
-	allow $1 sysctl_kernel_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read filesystem sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_fs_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_fs_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_fs_t:dir r_dir_perms;
-	allow $1 sysctl_fs_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write fileystem sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_fs_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_fs_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_fs_t:dir r_dir_perms;
-	allow $1 sysctl_fs_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read IRQ sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_irq_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_irq_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_irq_t:dir r_dir_perms;
-	allow $1 sysctl_irq_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write IRQ sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_rw_irq_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_irq_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 sysctl_irq_t:dir r_dir_perms;
-	allow $1 sysctl_irq_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read RPC sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_read_rpc_sysctls',`
-	gen_require(`
-		type proc_t, proc_net_t, sysctl_rpc_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 proc_net_t:dir search;
-	allow $1 sysctl_rpc_t:dir r_dir_perms;
-	allow $1 sysctl_rpc_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write RPC sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-##
-#
-interface(`kernel_rw_rpc_sysctls',`
-	gen_require(`
-		type proc_t, proc_net_t, sysctl_rpc_t;
-	')
-
-	allow $1 proc_t:dir search;
-	allow $1 proc_net_t:dir search;
-	allow $1 sysctl_rpc_t:dir r_dir_perms;
-	allow $1 sysctl_rpc_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow caller to read all sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_read_all_sysctls',`
-	gen_require(`
-		attribute sysctl_type;
-		type proc_t, proc_net_t;
-	')
-
-	# proc_net_t for /proc/net/rpc sysctls
-	allow $1 { proc_t proc_net_t }:dir search;
-
-	allow $1 sysctl_type:dir r_dir_perms;
-	allow $1 sysctl_type:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write all sysctls.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_all_sysctls',`
-	gen_require(`
-		attribute sysctl_type;
-		type proc_t, proc_net_t;
-	')
-
-	# proc_net_t for /proc/net/rpc sysctls
-	allow $1 { proc_t proc_net_t }:dir search;
-
-	allow $1 sysctl_type:dir r_dir_perms;
-	allow $1 sysctl_type:file { rw_file_perms setattr };
-')
-
-########################################
-## <summary>
-##	Send a kill signal to unlabeled processes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_kill_unlabeled',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	allow $1 unlabeled_t:process sigkill;
-')
-
-########################################
-## <summary>
-##	Send general signals to unlabeled processes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_signal_unlabeled',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	allow $1 unlabeled_t:process signal;
-')
-
-########################################
-## <summary>
-##	Send a null signal to unlabeled processes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_signull_unlabeled',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	allow $1 unlabeled_t:process signull;
-')
-
-########################################
-## <summary>
-##	Send a stop signal to unlabeled processes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_sigstop_unlabeled',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	allow $1 unlabeled_t:process sigstop;
-')
-
-########################################
-## <summary>
-##	Send a child terminated signal to unlabeled processes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_sigchld_unlabeled',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	allow $1 unlabeled_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	List unlabeled directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_list_unlabeled',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	allow $1 unlabeled_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list unlabeled directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_list_unlabeled',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	dontaudit $1 unlabeled_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read and write unlabeled directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_unlabeled_dirs',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	allow $1 unlabeled_t:dir rw_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to get the
-##	attributes of an unlabeled file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type not to audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_getattr_unlabeled_files',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	dontaudit $1 unlabeled_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to
-##	read an unlabeled file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_read_unlabeled_files',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	dontaudit $1 unlabeled_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to get the
-##	attributes of unlabeled symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type not to audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_getattr_unlabeled_symlinks',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	dontaudit $1 unlabeled_t:lnk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to get the
-##	attributes of unlabeled named pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type not to audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_getattr_unlabeled_pipes',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	dontaudit $1 unlabeled_t:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to get the
-##	attributes of unlabeled named sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type not to audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	dontaudit $1 unlabeled_t:sock_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to get attributes for
-##	unlabeled block devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type not to audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	dontaudit $1 unlabeled_t:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Read and write unlabeled block device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_rw_unlabeled_blk_files',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	allow $1 unlabeled_t:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts by caller to get attributes for
-##	unlabeled character devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type not to audit.
-##	</summary>
-## </param>
-#
-interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	dontaudit $1 unlabeled_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Allow caller to relabel unlabeled directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_relabelfrom_unlabeled_dirs',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	allow $1 unlabeled_t:dir { getattr search read relabelfrom };
-')
-
-########################################
-## <summary>
-##	Allow caller to relabel unlabeled files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_relabelfrom_unlabeled_files',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	kernel_list_unlabeled($1)
-	allow $1 unlabeled_t:file { getattr relabelfrom };
-')
-
-########################################
-## <summary>
-##	Allow caller to relabel unlabeled symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_relabelfrom_unlabeled_symlinks',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	kernel_list_unlabeled($1)
-	allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
-')
-
-########################################
-## <summary>
-##	Allow caller to relabel unlabeled named pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_relabelfrom_unlabeled_pipes',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	kernel_list_unlabeled($1)
-	allow $1 unlabeled_t:fifo_file { getattr relabelfrom };
-')
-
-########################################
-## <summary>
-##	Allow caller to relabel unlabeled named sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_relabelfrom_unlabeled_sockets',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	kernel_list_unlabeled($1)
-	allow $1 unlabeled_t:sock_file { getattr relabelfrom };
-')
-
-########################################
-## <summary>
-##	Send and receive messages from an
-##	unlabeled IPSEC association.
-## </summary>
-## <desc>
-##	<p>
-##	Send and receive messages from an
-##	unlabeled IPSEC association.  Network
-##	connections that are not protected
-##	by IPSEC have use an unlabeled
-##	assocation.
-##	</p>
-##	<p>
-##	The corenetwork interface
-##	corenet_non_ipsec_sendrecv() should
-##	be used instead of this one.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_sendrecv_unlabeled_association',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	allow $1 unlabeled_t:association { sendto recvfrom };
-
-	# temporary hack until labeling on packets is supported
-	allow $1 unlabeled_t:packet { send recv };
-')
-
-########################################
-## <summary>
-##	Send and receive unlabeled packets.
-## </summary>
-## <desc>
-##	<p>
-##	Send and receive unlabeled packets.
-##	These packets do not match any netfilter
-##	SECMARK rules.
-##	</p>
-##	<p>
-##	The corenetwork interface
-##	corenet_sendrecv_unlabeled_packets() should
-##	be used instead of this one.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_sendrecv_unlabeled_packets',`
-	gen_require(`
-		type unlabeled_t;
-	')
-
-	allow $1 unlabeled_t:packet { send recv };
-')
-
-########################################
-## <summary>
-##	Unconfined access to kernel module resources.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kernel_unconfined',`
-	gen_require(`
-		attribute kern_unconfined;
-	')
-
-	typeattribute $1 kern_unconfined;
-')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
deleted file mode 100644
index 43a5333..0000000
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ /dev/null
@@ -1,360 +0,0 @@
-
-policy_module(kernel,1.3.13)
-
-########################################
-#
-# Declarations
-#
-
-# assertion related attributes
-attribute can_load_kernmodule;
-attribute can_receive_kernel_messages;
-
-neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
-
-# domains with unconfined access to kernel resources
-attribute kern_unconfined;
-
-# regular entries in proc
-attribute proc_type;
-
-# sysctls
-attribute sysctl_type;
-
-role system_r;
-role sysadm_r;
-role staff_r;
-role user_r;
-
-ifdef(`enable_mls',`
-	role secadm_r;
-	role auditadm_r;
-')
-
-#
-# kernel_t is the domain of kernel threads.
-# It is also the target type when checking permissions in the system class.
-# 
-type kernel_t, can_load_kernmodule;
-domain_base_type(kernel_t)
-mls_rangetrans_source(kernel_t)
-role system_r types kernel_t;
-sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c255)
-
-#
-# DebugFS
-#
-
-type debugfs_t;
-fs_type(debugfs_t)
-allow debugfs_t self:filesystem associate;
-genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
-
-#
-# Procfs types
-#
-
-type proc_t, proc_type;
-files_mountpoint(proc_t)
-fs_type(proc_t)
-genfscon proc / gen_context(system_u:object_r:proc_t,s0)
-genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
-
-# kernel message interface
-type proc_kmsg_t, proc_type;
-genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255)
-neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
-
-# /proc kcore: inaccessible
-type proc_kcore_t, proc_type;
-neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
-genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255)
-
-type proc_mdstat_t, proc_type;
-genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
-
-type proc_net_t, proc_type;
-genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
-
-type proc_xen_t, proc_type;
-genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
-
-#
-# Sysctl types
-#
-
-# /proc/sys directory, base directory of sysctls
-type sysctl_t, sysctl_type;
-files_mountpoint(sysctl_t)
-sid sysctl gen_context(system_u:object_r:sysctl_t,s0)
-genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
-
-# /proc/irq directory and files
-type sysctl_irq_t, sysctl_type;
-genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
-
-# /proc/net/rpc directory and files
-type sysctl_rpc_t, sysctl_type;
-genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
-
-# /proc/sys/fs directory and files
-type sysctl_fs_t, sysctl_type;
-files_mountpoint(sysctl_fs_t)
-genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
-
-# /proc/sys/kernel directory and files
-type sysctl_kernel_t, sysctl_type;
-genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
-
-# /proc/sys/kernel/modprobe file
-type sysctl_modprobe_t, sysctl_type;
-genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
-
-# /proc/sys/kernel/hotplug file
-type sysctl_hotplug_t, sysctl_type;
-genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)
-
-# /proc/sys/net directory and files
-type sysctl_net_t, sysctl_type;
-genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
-
-# /proc/sys/net/unix directory and files
-type sysctl_net_unix_t, sysctl_type;
-genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
-
-# /proc/sys/vm directory and files
-type sysctl_vm_t, sysctl_type;
-genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
-
-# /proc/sys/dev directory and files
-type sysctl_dev_t, sysctl_type;
-genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-
-#
-# unlabeled_t is the type of unlabeled objects.
-# Objects that have no known labeling information or that
-# have labels that are no longer valid are treated as having this type.
-#
-type unlabeled_t;
-sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-
-# These initial sids are no longer used, and can be removed:
-sid any_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid file_labels		gen_context(system_u:object_r:unlabeled_t,s0)
-sid icmp_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid igmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid init		gen_context(system_u:object_r:unlabeled_t,s0)
-sid kmod		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid netmsg		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid policy		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid sysctl_modprobe 	gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_fs		gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_kernel	gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_net		gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_net_unix	gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_vm		gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_dev		gen_context(system_u:object_r:unlabeled_t,s0)
-sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-
-########################################
-#
-# kernel local policy
-#
-
-allow kernel_t self:capability *;
-allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow kernel_t self:shm create_shm_perms;
-allow kernel_t self:sem create_sem_perms;
-allow kernel_t self:msg { send receive };
-allow kernel_t self:msgq create_msgq_perms;
-allow kernel_t self:unix_dgram_socket create_socket_perms;
-allow kernel_t self:unix_stream_socket create_stream_socket_perms;
-allow kernel_t self:unix_dgram_socket sendto;
-allow kernel_t self:unix_stream_socket connectto;
-allow kernel_t self:fifo_file rw_file_perms;
-allow kernel_t self:sock_file r_file_perms;
-allow kernel_t self:fd use;
-
-allow kernel_t proc_t:dir r_dir_perms;
-allow kernel_t proc_t:{ lnk_file file } r_file_perms;
-
-allow kernel_t proc_net_t:dir r_dir_perms;
-allow kernel_t proc_net_t:file r_file_perms;
-
-allow kernel_t proc_mdstat_t:file r_file_perms;
-
-allow kernel_t proc_kcore_t:file getattr;
-
-allow kernel_t proc_kmsg_t:file getattr;
-
-allow kernel_t sysctl_kernel_t:dir r_dir_perms;
-allow kernel_t sysctl_kernel_t:file r_file_perms;
-allow kernel_t sysctl_t:dir r_dir_perms;
-
-# Other possible mount points for the root fs are in files
-allow kernel_t unlabeled_t:dir mounton;
-# Kernel-generated traffic e.g., TCP resets on
-# connections with invalidated labels:
-allow kernel_t unlabeled_t:packet send;
-
-corenet_non_ipsec_sendrecv(kernel_t)
-# Kernel-generated traffic e.g., ICMP replies:
-corenet_raw_sendrecv_all_if(kernel_t)
-corenet_raw_sendrecv_all_nodes(kernel_t)
-corenet_raw_send_generic_if(kernel_t)
-# Kernel-generated traffic e.g., TCP resets:
-corenet_tcp_sendrecv_all_if(kernel_t)
-corenet_tcp_sendrecv_all_nodes(kernel_t)
-corenet_raw_send_generic_node(kernel_t)
-corenet_raw_send_multicast_node(kernel_t)
-corenet_send_all_packets(kernel_t)
-
-dev_read_sysfs(kernel_t)
-dev_search_usbfs(kernel_t)
-
-# Mount root file system.  Used when loading a policy
-# from initrd, then mounting the root filesystem
-fs_mount_all_fs(kernel_t)
-
-selinux_load_policy(kernel_t)
-
-term_use_console(kernel_t)
-
-corecmd_exec_shell(kernel_t)
-corecmd_list_sbin(kernel_t)
-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
-corecmd_exec_bin(kernel_t)
-
-domain_signal_all_domains(kernel_t)
-domain_search_all_domains_state(kernel_t)
-
-files_list_root(kernel_t)
-files_list_etc(kernel_t)
-files_list_home(kernel_t)
-files_read_usr_files(kernel_t)
-
-mcs_process_set_categories(kernel_t)
-
-mls_process_read_up(kernel_t)
-mls_process_write_down(kernel_t)
-
-ifdef(`targeted_policy',`
-	unconfined_domain(kernel_t)
-')
-
-tunable_policy(`read_default_t',`
-	files_list_default(kernel_t)
-	files_read_default_files(kernel_t)
-	files_read_default_symlinks(kernel_t)
-	files_read_default_sockets(kernel_t)
-	files_read_default_pipes(kernel_t)
-')
-
-optional_policy(`
-	hotplug_search_config(kernel_t)
-')
-
-optional_policy(`
-	init_sigchld(kernel_t)
-')
-
-optional_policy(`
-	libs_use_ld_so(kernel_t)
-	libs_use_shared_libs(kernel_t)
-')
-
-optional_policy(`
-	logging_send_syslog_msg(kernel_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(kernel_t)
-')
-
-optional_policy(`
-	portmap_udp_chat(kernel_t)
-')
-
-optional_policy(`
-	# nfs kernel server needs kernel UDP access.  It is less risky and painful
-	# to just give it everything.
-	allow kernel_t self:tcp_socket create_stream_socket_perms;
-	allow kernel_t self:udp_socket create_socket_perms;
-
-	# nfs kernel server needs kernel UDP access.  It is less risky and painful
-	# to just give it everything.
-	corenet_udp_sendrecv_all_if(kernel_t)
-	corenet_udp_sendrecv_all_nodes(kernel_t)
-	corenet_udp_sendrecv_all_ports(kernel_t)
-	corenet_udp_bind_all_nodes(kernel_t)
-	corenet_sendrecv_portmap_client_packets(kernel_t)
-	corenet_sendrecv_generic_server_packets(kernel_t)
-
-	auth_dontaudit_getattr_shadow(kernel_t)
-
-	sysnet_read_config(kernel_t)
-
-	rpc_manage_nfs_ro_content(kernel_t)
-	rpc_manage_nfs_rw_content(kernel_t)
-	rpc_udp_rw_nfs_sockets(kernel_t) 
-	rpc_udp_send_nfs(kernel_t)
-
-	tunable_policy(`nfs_export_all_ro',`
-		fs_list_noxattr_fs(kernel_t) 
-		fs_read_noxattr_fs_files(kernel_t) 
-		fs_read_noxattr_fs_symlinks(kernel_t) 
-
-		auth_read_all_dirs_except_shadow(kernel_t) 
-		auth_read_all_files_except_shadow(kernel_t) 
-		auth_read_all_symlinks_except_shadow(kernel_t) 
-	')
-
-	tunable_policy(`nfs_export_all_rw',`
-		fs_list_noxattr_fs(kernel_t) 
-		fs_read_noxattr_fs_files(kernel_t) 
-		fs_read_noxattr_fs_symlinks(kernel_t) 
-
-		auth_manage_all_files_except_shadow(kernel_t)
-	')
-')
-
-optional_policy(`
-	seutil_read_config(kernel_t)
-	seutil_read_bin_policy(kernel_t)
-')
-
-########################################
-#
-# Unlabeled process local policy
-#
-
-ifdef(`targeted_policy',`
-	allow unlabeled_t self:filesystem associate;
-')
-
-optional_policy(`
-	# If you load a new policy that removes active domains, processes can
-	# get stuck if you do not allow unlabeled processes to signal init.
-	# If you load an incompatible policy, you should probably reboot,
-	# since you may have compromised system security.
-	init_sigchld(unlabeled_t)
-')
-
-########################################
-#
-# Rules for unconfined acccess to this module
-#
-
-allow kern_unconfined proc_type:{ dir file } *;
-
-allow kern_unconfined sysctl_t:{ dir file } *;
-
-allow kern_unconfined kernel_t:system *;
-
-allow kern_unconfined unlabeled_t:dir_file_class_set *;
-allow kern_unconfined unlabeled_t:filesystem *;
-allow kern_unconfined unlabeled_t:association *;
-allow kern_unconfined unlabeled_t:packet *;
-
-kernel_rw_all_sysctls(kern_unconfined)
diff --git a/refpolicy/policy/modules/kernel/mcs.fc b/refpolicy/policy/modules/kernel/mcs.fc
deleted file mode 100644
index fa8a4b1..0000000
--- a/refpolicy/policy/modules/kernel/mcs.fc
+++ /dev/null
@@ -1 +0,0 @@
-# no MCS file contexts
diff --git a/refpolicy/policy/modules/kernel/mcs.if b/refpolicy/policy/modules/kernel/mcs.if
deleted file mode 100644
index 3caa6f7..0000000
--- a/refpolicy/policy/modules/kernel/mcs.if
+++ /dev/null
@@ -1,43 +0,0 @@
-## <summary>Multicategory security policy</summary>
-## <required val="true">
-##	Contains attributes used in MCS policy.
-## </required>
-
-########################################
-## <summary>
-##	This domain is allowed to sigkill and sigstop 
-##	all domains regardless of their MCS level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain target for user exemption.
-##	</summary>
-## </param>
-#
-interface(`mcs_killall',`
-	gen_require(`
-		attribute mcskillall;
-	')
-
-	typeattribute $1 mcskillall;
-')
-
-########################################
-## <summary>
-##	Make specified domain MCS trusted
-##	for setting any category set for
-##	the processes it executes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain target for user exemption.
-##	</summary>
-## </param>
-#
-interface(`mcs_process_set_categories',`
-	gen_require(`
-		attribute mcssetcats;
-	')
-
-	typeattribute $1 mcssetcats;
-')
diff --git a/refpolicy/policy/modules/kernel/mcs.te b/refpolicy/policy/modules/kernel/mcs.te
deleted file mode 100644
index 88a6e98..0000000
--- a/refpolicy/policy/modules/kernel/mcs.te
+++ /dev/null
@@ -1,50 +0,0 @@
-
-policy_module(mcs,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-attribute mcskillall;
-attribute mcssetcats;
-
-########################################
-#
-# THIS IS A HACK
-#
-# Only the base module can have range_transitions, so we
-# temporarily have to break encapsulation to work around this.
-#
-
-type auditd_exec_t;
-type crond_exec_t;
-type cupsd_exec_t;
-type getty_t;
-type init_t;
-type init_exec_t;
-type initrc_t;
-type initrc_exec_t;
-type login_exec_t;
-type sshd_exec_t;
-type udev_exec_t;
-type unconfined_t;
-type xdm_exec_t;
-
-ifdef(`enable_mcs',`
-# The eventual plan is to have a range_transition to s0 for the daemon by
-# default and have the daemons which need to run with all categories be
-# exceptions.  But while range_transitions have to be in the base module
-# this is not possible.
-range_transition getty_t login_exec_t s0 - s0:c0.c255;
-range_transition init_t xdm_exec_t s0 - s0:c0.c255;
-range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-
-# these might be targeted_policy only
-range_transition unconfined_t initrc_exec_t s0;
-')
diff --git a/refpolicy/policy/modules/kernel/metadata.xml b/refpolicy/policy/modules/kernel/metadata.xml
deleted file mode 100644
index d1da3a2..0000000
--- a/refpolicy/policy/modules/kernel/metadata.xml
+++ /dev/null
@@ -1 +0,0 @@
-<summary>Policy modules for kernel resources.</summary>
diff --git a/refpolicy/policy/modules/kernel/mls.fc b/refpolicy/policy/modules/kernel/mls.fc
deleted file mode 100644
index 13df19e..0000000
--- a/refpolicy/policy/modules/kernel/mls.fc
+++ /dev/null
@@ -1 +0,0 @@
-# No MLS file contexts.
diff --git a/refpolicy/policy/modules/kernel/mls.if b/refpolicy/policy/modules/kernel/mls.if
deleted file mode 100644
index 3b38c83..0000000
--- a/refpolicy/policy/modules/kernel/mls.if
+++ /dev/null
@@ -1,409 +0,0 @@
-## <summary>Multilevel security policy</summary>
-## <desc>
-##	<p>
-##	This module contains interfaces for handling multilevel
-##	security.  The interfaces allow the specified subjects
-##	and objects to be allowed certain privileges in the
-##	MLS rules.
-##	</p>
-## </desc>
-## <required val="true">
-##	Contains attributes used in MLS policy.
-## </required>
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for reading from files at higher levels.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_file_read_up',`
-	gen_require(`
-		attribute mlsfileread;
-	')
-
-	typeattribute $1 mlsfileread;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for writing to files at lower levels.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_file_write_down',`
-	gen_require(`
-		attribute mlsfilewrite;
-	')
-
-	typeattribute $1 mlsfilewrite;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for raising the level of files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_file_upgrade',`
-	gen_require(`
-		attribute mlsfileupgrade;
-	')
-
-	typeattribute $1 mlsfileupgrade;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for lowering the level of files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_file_downgrade',`
-	gen_require(`
-		attribute mlsfiledowngrade;
-	')
-
-	typeattribute $1 mlsfiledowngrade;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for reading from sockets at any level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_socket_read_all_levels',`
-	gen_require(`
-		attribute mlsnetread;
-	')
-
-	typeattribute $1 mlsnetread;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for reading from sockets at any level
-##	that is dominated by the process clearance.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_socket_read_to_clearance',`
-	gen_require(`
-		attribute mlsnetreadtoclr;
-	')
-
-	typeattribute $1 mlsnetreadtoclr;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for writing to sockets at any level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_socket_write_all_levels',`
-	gen_require(`
-		attribute mlsnetwrite;
-	')
-
-	typeattribute $1 mlsnetwrite;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for receiving network data from 
-##	network interfaces or hosts at any level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_net_receive_all_levels',`
-	gen_require(`
-		attribute mlsnetrecvall;
-	')
-
-	typeattribute $1 mlsnetrecvall;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for reading from System V IPC objects
-##	at any level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_sysvipc_read_all_levels',`
-	gen_require(`
-		attribute mlsipcread;
-	')
-
-	typeattribute $1 mlsipcread;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for writing to System V IPC objects
-##	at any level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_sysvipc_write_all_levels',`
-	gen_require(`
-		attribute mlsipcwrite;
-	')
-
-	typeattribute $1 mlsipcwrite;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to do a MLS
-##	range transition that changes
-##	the current level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_rangetrans_source',`
-	gen_require(`
-		attribute privrangetrans;
-	')
-
-	typeattribute $1 privrangetrans;
-')
-
-########################################
-## <summary>
-##	Make specified domain a target domain
-##	for MLS range transitions that change
-##	the current level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_rangetrans_target',`
-	gen_require(`
-		attribute mlsrangetrans;
-	')
-
-	typeattribute $1 mlsrangetrans;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for reading from processes at higher levels.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_process_read_up',`
-	gen_require(`
-		attribute mlsprocread;
-	')
-
-	typeattribute $1 mlsprocread;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for writing to processes at lower levels.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_process_write_down',`
-	gen_require(`
-		attribute mlsprocwrite;
-	')
-
-	typeattribute $1 mlsprocwrite;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for setting the level of processes
-##	it executes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_process_set_level',`
-	gen_require(`
-		attribute mlsprocsetsl;
-	')
-
-	typeattribute $1 mlsprocsetsl;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for reading from X objects at any level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_xwin_read_all_levels',`
-	gen_require(`
-		attribute mlsxwinread;
-	')
-
-	typeattribute $1 mlsxwinread;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for writing to X objects at any level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_xwin_write_all_levels',`
-	gen_require(`
-		attribute mlsxwinwrite;
-	')
-
-	typeattribute $1 mlsxwinwrite;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for reading from X colormaps at any level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_colormap_read_all_levels',`
-	gen_require(`
-		attribute mlsxwinreadcolormap;
-	')
-
-	typeattribute $1 mlsxwinreadcolormap;
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
-##	for writing to X colormaps at any level.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mls_colormap_write_all_levels',`
-	gen_require(`
-		attribute mlsxwinwritecolormap;
-	')
-
-	typeattribute $1 mlsxwinwritecolormap;
-')
-
-########################################
-## <summary>
-##	Make specified object MLS trusted.
-## </summary>
-## <desc>
-##	<p>
-##	Make specified object MLS trusted.  This
-##	allows all levels to read and write the
-##	object.
-##	</p>
-##	<p>
-##	This currently only applies to filesystem
-##	objects, for example, files and directories.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	The type of the object.
-##	</summary>
-## </param>
-#
-interface(`mls_trusted_object',`
-	gen_require(`
-		attribute mlstrustedobject;
-	')
-
-	typeattribute $1 mlstrustedobject;
-')
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
deleted file mode 100644
index 819a2df..0000000
--- a/refpolicy/policy/modules/kernel/mls.te
+++ /dev/null
@@ -1,69 +0,0 @@
-
-policy_module(mls,1.3.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute mlsfileread;
-attribute mlsfilereadtoclr;
-attribute mlsfilewrite;
-attribute mlsfilewritetoclr;
-attribute mlsfileupgrade;
-attribute mlsfiledowngrade;
-
-attribute mlsnetread;
-attribute mlsnetreadtoclr;
-attribute mlsnetwrite;
-attribute mlsnetwritetoclr;
-attribute mlsnetupgrade;
-attribute mlsnetdowngrade;
-attribute mlsnetrecvall;
-
-attribute mlsipcread;
-attribute mlsipcreadtoclr;
-attribute mlsipcwrite;
-attribute mlsipcwritetoclr;
-
-attribute mlsprocread;
-attribute mlsprocreadtoclr;
-attribute mlsprocwrite;
-attribute mlsprocwritetoclr;
-attribute mlsprocsetsl;
-
-attribute mlsxwinread;
-attribute mlsxwinreadtoclr;
-attribute mlsxwinwrite;
-attribute mlsxwinwritetoclr;
-attribute mlsxwinreadproperty;
-attribute mlsxwinwriteproperty;
-attribute mlsxwinreadcolormap;
-attribute mlsxwinwritecolormap;
-attribute mlsxwinwritexinput;
-
-attribute mlstrustedobject;
-
-attribute privrangetrans;
-attribute mlsrangetrans;
-
-########################################
-#
-# THIS IS A HACK
-#
-# Only the base module can have range_transitions, so we
-# temporarily have to break encapsulation to work around this.
-# Other types are declared in the mcs module.
-#
-
-type lvm_exec_t;
-type run_init_t;
-type setrans_exec_t;
-
-ifdef(`enable_mls',`
-range_transition initrc_t auditd_exec_t s15:c0.c255;
-range_transition kernel_t init_exec_t s0 - s15:c0.c255;
-range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
-range_transition initrc_t setrans_exec_t s15:c0.c255;
-range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
-')
diff --git a/refpolicy/policy/modules/kernel/selinux.fc b/refpolicy/policy/modules/kernel/selinux.fc
deleted file mode 100644
index 7be4ddf..0000000
--- a/refpolicy/policy/modules/kernel/selinux.fc
+++ /dev/null
@@ -1 +0,0 @@
-# This module currently does not have any file contexts.
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
deleted file mode 100644
index 08c2907..0000000
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ /dev/null
@@ -1,401 +0,0 @@
-## <summary>
-##	Policy for kernel security interface, in particular, selinuxfs.
-## </summary>
-## <required val="true">
-##	Contains the policy for the kernel SELinux security interface.
-## </required>
-
-########################################
-## <summary>
-##	Gets the caller the mountpoint of the selinuxfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type requesting the selinuxfs mountpoint.
-##	</summary>
-## </param>
-#
-interface(`selinux_get_fs_mount',`
-	# read /proc/filesystems to see if selinuxfs is supported
-	# then read /proc/self/mount to see where selinuxfs is mounted
-	kernel_read_system_state($1)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	attributes of the selinuxfs directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`selinux_dontaudit_getattr_dir',`
-	gen_require(`
-		type security_t;
-	')
-
-	dontaudit $1 security_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search selinuxfs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`selinux_search_fs',`
-	gen_require(`
-		type security_t;
-	')
-
-	allow $1 security_t:dir search;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search selinuxfs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`selinux_dontaudit_search_fs',`
-	gen_require(`
-		type security_t;
-	')
-
-	dontaudit $1 security_t:dir search;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read
-##	generic selinuxfs entries
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`selinux_dontaudit_read_fs',`
-	gen_require(`
-		type security_t;
-	')
-
-	dontaudit $1 security_t:dir search;
-	dontaudit $1 security_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allows the caller to get the mode of policy enforcement
-##	(enforcing or permissive mode).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type to allow to get the enforcing mode.
-##	</summary>
-## </param>
-#
-interface(`selinux_get_enforce_mode',`
-	gen_require(`
-		type security_t;
-	')
-
-	allow $1 security_t:dir { read search getattr };
-	allow $1 security_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow caller to set the mode of policy enforcement
-##	(enforcing or permissive mode).
-## </summary>
-## <desc>
-##	<p>
-##	Allow caller to set the mode of policy enforcement
-##	(enforcing or permissive mode).
-##	</p>
-##	<p>
-##	Since this is a security event, this action is
-##	always audited.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	The process type to allow to set the enforcement mode.
-##	</summary>
-## </param>
-#
-interface(`selinux_set_enforce_mode',`
-	gen_require(`
-		type security_t;
-		attribute can_setenforce;
-		bool secure_mode_policyload;
-	')
-
-	allow $1 security_t:dir { read search getattr };
-	allow $1 security_t:file { getattr read write };
-	typeattribute $1 can_setenforce;
-
-	if(!secure_mode_policyload) {
-		allow $1 security_t:security setenforce;
-		auditallow $1 security_t:security setenforce;
-	}
-')
-
-########################################
-## <summary>
-##	Allow caller to load the policy into the kernel.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type that will load the policy.
-##	</summary>
-## </param>
-#
-interface(`selinux_load_policy',`
-	gen_require(`
-		type security_t;
-		attribute can_load_policy;
-		bool secure_mode_policyload;
-	')
-
-	allow $1 security_t:dir { read search getattr };
-	allow $1 security_t:file { getattr read write };
-	typeattribute $1 can_load_policy;
-
-	if(!secure_mode_policyload) {
-		allow $1 security_t:security load_policy;
-		auditallow $1 security_t:security load_policy;
-	}
-')
-
-########################################
-## <summary>
-##	Allow caller to set the state of Booleans to
-##	enable or disable conditional portions of the policy.
-## </summary>
-## <desc>
-##	<p>
-##	Allow caller to set the state of Booleans to
-##	enable or disable conditional portions of the policy.
-##	</p>
-##	<p>
-##	Since this is a security event, this action is
-##	always audited.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	The process type allowed to set the Boolean.
-##	</summary>
-## </param>
-#
-interface(`selinux_set_boolean',`
-	gen_require(`
-		type security_t;
-		bool secure_mode_policyload;
-	')
-
-	allow $1 security_t:dir search;
-	allow $1 security_t:dir { getattr search read };
-	allow $1 security_t:file { getattr read write };
-
-	if(!secure_mode_policyload) {
-		allow $1 security_t:security setbool;
-		auditallow $1 security_t:security setbool;
-	}
-')
-
-########################################
-## <summary>
-##	Allow caller to set SELinux access vector cache parameters.
-## </summary>
-## <desc>
-##	<p>
-##	Allow caller to set SELinux access vector cache parameters.
-##	The allows the domain to set performance related parameters
-##	of the AVC, such as cache threshold.
-##	</p>
-##	<p>
-##	Since this is a security event, this action is
-##	always audited.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	The process type to allow to set security parameters.
-##	</summary>
-## </param>
-#
-interface(`selinux_set_parameters',`
-	gen_require(`
-		type security_t;
-		attribute can_setsecparam;
-	')
-
-	allow $1 security_t:dir { read search getattr };
-	allow $1 security_t:file { getattr read write };
-	allow $1 security_t:security setsecparam;
-	auditallow $1 security_t:security setsecparam;
-	typeattribute $1 can_setsecparam;
-')
-
-########################################
-## <summary>
-##	Allows caller to validate security contexts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type permitted to validate contexts.
-##	</summary>
-## </param>
-#
-interface(`selinux_validate_context',`
-	gen_require(`
-		type security_t;
-	')
-
-	allow $1 security_t:dir { read search getattr };
-	allow $1 security_t:file { getattr read write };
-	allow $1 security_t:security check_context;
-')
-
-########################################
-## <summary>
-##	Allows caller to compute an access vector.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type allowed to compute an access vector.
-##	</summary>
-## </param>
-#
-interface(`selinux_compute_access_vector',`
-	gen_require(`
-		type security_t;
-	')
-
-	allow $1 security_t:dir { read search getattr };
-	allow $1 security_t:file { getattr read write };
-	allow $1 security_t:security compute_av;
-')
-
-########################################
-## <summary>
-##	Calculate the default type for object creation.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`selinux_compute_create_context',`
-	gen_require(`
-		type security_t;
-	')
-
-	allow $1 security_t:dir { read search getattr };
-	allow $1 security_t:file { getattr read write };
-	allow $1 security_t:security compute_create;
-')
-
-########################################
-## <summary>
-##	Allows caller to compute polyinstatntiated
-##	directory members.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`selinux_compute_member',`
-	gen_require(`
-		type security_t;
-	')
-
-	allow $1 security_t:dir { read search getattr };
-	allow $1 security_t:file { getattr read write };
-	allow $1 security_t:security compute_member;
-')
-
-########################################
-## <summary>
-##	Calculate the context for relabeling objects.
-## </summary>
-## <desc>
-##	<p>
-##	Calculate the context for relabeling objects.
-##	This is determined by using the type_change
-##	rules in the policy, and is generally used
-##	for determining the context for relabeling
-##	a terminal when a user logs in.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`selinux_compute_relabel_context',`
-	gen_require(`
-		type security_t;
-	')
-
-	allow $1 security_t:dir { read search getattr };
-	allow $1 security_t:file { getattr read write };
-	allow $1 security_t:security compute_relabel;
-')
-
-########################################
-## <summary>
-##	Allows caller to compute possible contexts for a user.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type allowed to compute user contexts.
-##	</summary>
-## </param>
-#
-interface(`selinux_compute_user_contexts',`
-	gen_require(`
-		type security_t;
-	')
-
-	allow $1 security_t:dir { read search getattr };
-	allow $1 security_t:file { getattr read write };
-	allow $1 security_t:security compute_user;
-')
-
-########################################
-## <summary>
-##	Unconfined access to the SELinux kernel security server.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`selinux_unconfined',`
-	gen_require(`
-		attribute selinux_unconfined_type;
-	')
-
-	typeattribute $1 selinux_unconfined_type;
-')
diff --git a/refpolicy/policy/modules/kernel/selinux.te b/refpolicy/policy/modules/kernel/selinux.te
deleted file mode 100644
index 5d60938..0000000
--- a/refpolicy/policy/modules/kernel/selinux.te
+++ /dev/null
@@ -1,44 +0,0 @@
-
-policy_module(selinux,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute can_load_policy;
-attribute can_setenforce;
-attribute can_setsecparam;
-attribute selinux_unconfined_type;
-
-# 
-# security_t is the target type when checking
-# the permissions in the security class.  It is also
-# applied to selinuxfs inodes.
-#
-type security_t;
-fs_type(security_t)
-mls_trusted_object(security_t)
-sid security gen_context(system_u:object_r:security_t,s15:c0.c255)
-genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
-
-neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
-neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
-neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
-
-########################################
-#
-# Unconfined access to this module
-#
-
-# use SELinuxfs
-allow selinux_unconfined_type security_t:dir { getattr search read };
-allow selinux_unconfined_type security_t:file { getattr read write };
-
-# Access the security API.
-allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
-
-if(!secure_mode_policyload) {
-	allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
-	auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
-}
diff --git a/refpolicy/policy/modules/kernel/storage.fc b/refpolicy/policy/modules/kernel/storage.fc
deleted file mode 100644
index 30d7868..0000000
--- a/refpolicy/policy/modules/kernel/storage.fc
+++ /dev/null
@@ -1,65 +0,0 @@
-
-/dev/n?(raw)?[qr]ft[0-3] -c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/n?[hs]t[0-9].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/n?z?qft[0-3]	-c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/n?osst[0-3].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/n?pt[0-9]+		-c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/n?tpqic[12].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/[shmx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/cdu.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/dm-[0-9]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/fd[^/]+		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/hitcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/ht[0-1]		-b	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/initrd		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/jsfd		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/jsflash		-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/lvm			-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/pcd[0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/pd[a-d][^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/pg[0-3]		-c	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/ram.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/rawctl		-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/rd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-ifdef(`distro_redhat', `
-/dev/root		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-')
-/dev/s(cd|r)[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/sbpcd.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/sg[0-9]+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
-/dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/ub[a-z]		-b	gen_context(system_u:object_r:removable_device_t,s15:c0.c255)
-/dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/xvd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-
-/dev/ataraid/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-
-/dev/cciss/[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-
-/dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
-
-/dev/i2o/hd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-
-/dev/ida/[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-
-/dev/md/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s0)
-/dev/mapper/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-
-/dev/raw/raw[0-9]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-
-/dev/scramdisk/.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-
-/dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
deleted file mode 100644
index 2fac4d0..0000000
--- a/refpolicy/policy/modules/kernel/storage.if
+++ /dev/null
@@ -1,671 +0,0 @@
-## <summary>Policy controlling access to storage devices</summary>
-
-########################################
-## <summary>
-##	Allow the caller to get the attributes of fixed disk
-##	device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_getattr_fixed_disk_dev',`
-	gen_require(`
-		type fixed_disk_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts made by the caller to get
-##	the attributes of fixed disk device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`storage_dontaudit_getattr_fixed_disk_dev',`
-	gen_require(`
-		type fixed_disk_device_t;
-	')
-
-	dontaudit $1 fixed_disk_device_t:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Allow the caller to set the attributes of fixed disk
-##	device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_setattr_fixed_disk_dev',`
-	gen_require(`
-		type fixed_disk_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file setattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts made by the caller to set
-##	the attributes of fixed disk device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`storage_dontaudit_setattr_fixed_disk_dev',`
-	gen_require(`
-		type fixed_disk_device_t;
-	')
-
-	dontaudit $1 fixed_disk_device_t:blk_file setattr;
-')
-
-########################################
-## <summary>
-##	Allow the caller to directly read from a fixed disk.
-##	This is extremly dangerous as it can bypass the
-##	SELinux protections for filesystem objects, and
-##	should only be used by trusted domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_raw_read_fixed_disk',`
-	gen_require(`
-		attribute fixed_disk_raw_read;
-		type fixed_disk_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file r_file_perms;
-	typeattribute $1 fixed_disk_raw_read;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts made by the caller to read
-##	fixed disk device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`storage_dontaudit_read_fixed_disk',`
-	gen_require(`
-		type fixed_disk_device_t;
-		
-	')
-
-	dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
-')
-
-########################################
-## <summary>
-##	Allow the caller to directly write to a fixed disk.
-##	This is extremly dangerous as it can bypass the
-##	SELinux protections for filesystem objects, and
-##	should only be used by trusted domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_raw_write_fixed_disk',`
-	gen_require(`
-		attribute fixed_disk_raw_write;
-		type fixed_disk_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl };
-	typeattribute $1 fixed_disk_raw_write;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts made by the caller to write
-##	fixed disk device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`storage_dontaudit_write_fixed_disk',`
-	gen_require(`
-		type fixed_disk_device_t;
-		
-	')
-
-	dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete fixed disk device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_manage_fixed_disk',`
-	gen_require(`
-		attribute fixed_disk_raw_read, fixed_disk_raw_write;
-		type fixed_disk_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file create_file_perms;
-	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
-')
-
-########################################
-## <summary>
-##	Create block devices in /dev with the fixed disk type
-##	via an automatic type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_dev_filetrans_fixed_disk',`
-	gen_require(`
-		type fixed_disk_device_t;
-	')
-
-	dev_filetrans($1,fixed_disk_device_t,blk_file)
-')
-
-########################################
-## <summary>
-##	Create block devices in on a tmpfs filesystem with the
-##	fixed disk type via an automatic type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_tmpfs_filetrans_fixed_disk',`
-	gen_require(`
-		type fixed_disk_device_t;
-	')
-
-	fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file)
-')
-
-########################################
-## <summary>
-##	Relabel fixed disk device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_relabel_fixed_disk',`
-	gen_require(`
-		type fixed_disk_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Enable a fixed disk device as swap space
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_swapon_fixed_disk',`
-	gen_require(`
-		type fixed_disk_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file { getattr swapon };
-')
-
-########################################
-## <summary>
-##	Allow the caller to get the attributes of
-##	the generic SCSI interface device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_getattr_scsi_generic_dev',`
-	gen_require(`
-		type scsi_generic_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Allow the caller to set the attributes of
-##	the generic SCSI interface device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_setattr_scsi_generic_dev',`
-	gen_require(`
-		type scsi_generic_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Allow the caller to directly read, in a
-##	generic fashion, from any SCSI device.
-##	This is extremly dangerous as it can bypass the
-##	SELinux protections for filesystem objects, and
-##	should only be used by trusted domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_read_scsi_generic',`
-	gen_require(`
-		attribute scsi_generic_read;
-		type scsi_generic_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:chr_file r_file_perms;
-	typeattribute $1 scsi_generic_read;
-')
-
-########################################
-## <summary>
-##	Allow the caller to directly write, in a
-##	generic fashion, from any SCSI device.
-##	This is extremly dangerous as it can bypass the
-##	SELinux protections for filesystem objects, and
-##	should only be used by trusted domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_write_scsi_generic',`
-	gen_require(`
-		attribute scsi_generic_write;
-		type scsi_generic_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:chr_file { getattr write ioctl };
-	typeattribute $1 scsi_generic_write;
-')
-
-########################################
-## <summary>
-##	Set attributes of the device nodes
-##	for the SCSI generic inerface.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_setattr_scsi_generic_dev_dev',`
-	gen_require(`
-		type scsi_generic_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or write
-##	SCSI generic device interfaces.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`storage_dontaudit_rw_scsi_generic',`
-	gen_require(`
-		type scsi_generic_device_t;
-	')
-
-	dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow the caller to get the attributes of removable
-##	devices device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_getattr_removable_dev',`
-	gen_require(`
-		type removable_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 removable_device_t:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts made by the caller to get
-##	the attributes of removable devices device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`storage_dontaudit_getattr_removable_dev',`
-	gen_require(`
-		type removable_device_t;
-	')
-
-	dontaudit $1 removable_device_t:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts made by the caller to read
-##	removable devices device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`storage_dontaudit_read_removable_device',`
-	gen_require(`
-		type removable_device_t;
-		
-	')
-
-	dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
-')
-
-########################################
-## <summary>
-##	Allow the caller to set the attributes of removable
-##	devices device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_setattr_removable_dev',`
-	gen_require(`
-		type removable_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 removable_device_t:blk_file setattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts made by the caller to set
-##	the attributes of removable devices device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`storage_dontaudit_setattr_removable_dev',`
-	gen_require(`
-		type removable_device_t;
-	')
-
-	dontaudit $1 removable_device_t:blk_file setattr;
-')
-
-########################################
-## <summary>
-##	Allow the caller to directly read from
-##	a removable device.
-##	This is extremly dangerous as it can bypass the
-##	SELinux protections for filesystem objects, and
-##	should only be used by trusted domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_raw_read_removable_device',`
-	gen_require(`
-		type removable_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 removable_device_t:blk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to directly read removable devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`storage_dontaudit_raw_read_removable_device',`
-	gen_require(`
-		type removable_device_t;
-	')
-
-	dontaudit $1 removable_device_t:blk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow the caller to directly write to
-##	a removable device.
-##	This is extremly dangerous as it can bypass the
-##	SELinux protections for filesystem objects, and
-##	should only be used by trusted domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_raw_write_removable_device',`
-	gen_require(`
-		type removable_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 removable_device_t:blk_file { getattr write ioctl };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to directly write removable devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`storage_dontaudit_raw_write_removable_device',`
-	gen_require(`
-		type removable_device_t;
-	')
-
-	dontaudit $1 removable_device_t:blk_file { write append ioctl };
-')
-
-########################################
-## <summary>
-##	Allow the caller to directly read
-##	a tape device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_read_tape',`
-	gen_require(`
-		type tape_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 tape_device_t:chr_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow the caller to directly read
-##	a tape device.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_write_tape',`
-	gen_require(`
-		type tape_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 tape_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-## <summary>
-##	Allow the caller to get the attributes
-##	of device nodes of tape devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_getattr_tape_dev',`
-	gen_require(`
-		type tape_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 tape_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Allow the caller to set the attributes
-##	of device nodes of tape devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_setattr_tape_dev',`
-	gen_require(`
-		type tape_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 tape_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Unconfined access to storage devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`storage_unconfined',`
-	gen_require(`
-		attribute storage_unconfined_type;
-	')
-
-	typeattribute $1 storage_unconfined_type;
-')
diff --git a/refpolicy/policy/modules/kernel/storage.te b/refpolicy/policy/modules/kernel/storage.te
deleted file mode 100644
index e78c43c..0000000
--- a/refpolicy/policy/modules/kernel/storage.te
+++ /dev/null
@@ -1,54 +0,0 @@
-
-policy_module(storage,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute fixed_disk_raw_read;
-attribute fixed_disk_raw_write;
-attribute scsi_generic_read;
-attribute scsi_generic_write;
-attribute storage_unconfined_type;
-
-#
-# fixed_disk_device_t is the type of 
-# /dev/hd* and /dev/sd*.
-#
-type fixed_disk_device_t;
-dev_node(fixed_disk_device_t)
-
-neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
-neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
-
-#
-# scsi_generic_device_t is the type of /dev/sg*
-# it gives access to ALL SCSI devices (both fixed and removable)
-#
-type scsi_generic_device_t;
-dev_node(scsi_generic_device_t)
-
-neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
-neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
-
-#
-# removable_device_t is the type of
-# /dev/scd* and /dev/fd*.
-#
-type removable_device_t;
-dev_node(removable_device_t)
-
-#
-# tape_device_t is the type of
-#
-type tape_device_t;
-dev_node(tape_device_t)
-
-########################################
-#
-# Unconfined access to this module
-#
-
-allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
-allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
diff --git a/refpolicy/policy/modules/kernel/terminal.fc b/refpolicy/policy/modules/kernel/terminal.fc
deleted file mode 100644
index df0d76c..0000000
--- a/refpolicy/policy/modules/kernel/terminal.fc
+++ /dev/null
@@ -1,32 +0,0 @@
-
-/dev/.*tty[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c gen_context(system_u:object_r:bsdpty_device_t,s0)
-/dev/adb.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/capi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/cu.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/dcbri[0-9]+		-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/hvc.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/hvsi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/ircomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
-/dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/tty			-c	gen_context(system_u:object_r:devtty_t,s0)
-/dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-
-/dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
-
-/dev/pts			-d	gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255)
-
-/dev/tts/[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-
-/dev/vcc?/.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-
-/dev/vcs[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-
-/dev/usb/tty.*		-c	gen_context(system_u:object_r:usbtty_device_t,s0)
-
-ifdef(`distro_gentoo',`
-/dev/tts/[0-9]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-')
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
deleted file mode 100644
index 04b2dc2..0000000
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ /dev/null
@@ -1,951 +0,0 @@
-## <summary>Policy for terminals.</summary>
-## <required val="true">
-##	Depended on by other required modules.
-## </required>
-
-########################################
-## <summary>
-##	Transform specified type into a pty type.
-## </summary>
-## <param name="pty_type">
-##	<summary>
-##	An object type that will applied to a pty.
-##	</summary>
-## </param>
-#
-interface(`term_pty',`
-	gen_require(`
-		attribute ptynode;
-		type devpts_t;
-	')
-
-	files_type($1)
-	allow $1 devpts_t:filesystem associate;
-	typeattribute $1 ptynode;
-')
-
-########################################
-## <summary>
-##	Transform specified type into an user
-##	pty type. This allows it to be relabeled via
-##	type change by login programs such as ssh.
-## </summary>
-## <param name="userdomain">
-##	<summary>
-##	The type of the user domain associated with
-##	this pty.
-##	</summary>
-## </param>
-## <param name="object_type">
-##	<summary>
-##	An object type that will applied to a pty.
-##	</summary>
-## </param>
-#
-interface(`term_user_pty',`
-	gen_require(`
-		attribute server_ptynode;
-	')
-
-	term_pty($2)
-	type_change $1 server_ptynode:chr_file $2;
-')
-
-########################################
-## <summary>
-##	Transform specified type into a pty type
-##	used by login programs, such as sshd.
-## </summary>
-## <param name="pty_type">
-##	<summary>
-##	An object type that will applied to a pty.
-##	</summary>
-## </param>
-#
-interface(`term_login_pty',`
-	gen_require(`
-		attribute server_ptynode;
-	')
-
-	term_pty($1)
-	typeattribute $1 server_ptynode;
-')
-
-########################################
-## <summary>
-##	Transform specified type into a tty type.
-## </summary>
-## <param name="tty_type">
-##	<summary>
-##	An object type that will applied to a tty.
-##	</summary>
-## </param>
-#
-interface(`term_tty',`
-	gen_require(`
-		attribute ttynode, serial_device;
-		type tty_device_t;
-	')
-
-	typeattribute $2 ttynode, serial_device;
-	type_change $1 tty_device_t:chr_file $2;
-
-	files_associate_tmp($1)
-
-	# Debian login is from shadow utils and does not allow resetting the perms.
-	# have to fix this!
-	ifdef(`distro_debian',`
-		type_change $1 ttynode:chr_file $2;
-	')
-
-	ifdef(`distro_gentoo',`
-		fs_associate_tmpfs($2)
-	')
-
-	ifdef(`distro_redhat',`
-		fs_associate_tmpfs($2)
-	')
-')
-
-########################################
-## <summary>
-##	Create a pty in the /dev/pts directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process creating the pty.
-##	</summary>
-## </param>
-## <param name="pty_type">
-##	<summary>
-##	The type of the pty.
-##	</summary>
-## </param>
-#
-interface(`term_create_pty',`
-	gen_require(`
-		type bsdpty_device_t, devpts_t, ptmx_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 ptmx_t:chr_file rw_file_perms;
-
-	allow $1 devpts_t:dir r_dir_perms;
-	allow $1 devpts_t:filesystem getattr;
-	dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
-	type_transition $1 devpts_t:chr_file $2;
-')
-
-########################################
-## <summary>
-##	Read and write the console, all
-##	ttys and all ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_use_all_terms',`
-	gen_require(`
-		attribute ttynode, ptynode;
-		type console_device_t, devpts_t, tty_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
-	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Write to the console.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_write_console',`
-	gen_require(`
-		type console_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 console_device_t:chr_file { getattr write append };
-')
-
-########################################
-## <summary>
-##	Read from the console.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_read_console',`
-	gen_require(`
-		type console_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 console_device_t:chr_file read;
-')
-
-########################################
-## <summary>
-##	Read from and write to the console.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_use_console',`
-	gen_require(`
-		type console_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 console_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attemtps to read from
-##	or write to the console.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_use_console',`
-	gen_require(`
-		type console_device_t;
-	')
-
-	dontaudit $1 console_device_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Set the attributes of the console
-##	device node.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_setattr_console',`
-	gen_require(`
-		type console_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 console_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	attributes of the /dev/pts directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_getattr_pty_dirs',`
-	gen_require(`
-		type devpts_t;
-	')
-
-	dontaudit $1 devpts_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the contents of the /dev/pts directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_search_ptys',`
-	gen_require(`
-		type devpts_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir search;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the
-##	contents of the /dev/pts directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_search_ptys',`
-	gen_require(`
-		type devpts_t;
-	')
-
-	dev_dontaudit_list_all_dev_nodes($1)
-	dontaudit $1 devpts_t:dir search;
-')
-
-########################################
-## <summary>
-##	Read the /dev/pts directory to
-##	list all ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_list_ptys',`
-	gen_require(`
-		type devpts_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read the
-##	/dev/pts directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_list_ptys',`
-	gen_require(`
-		type devpts_t;
-	')
-
-	dontaudit $1 devpts_t:dir { getattr search read };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to create, read,
-##	write, or delete the /dev/pts directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_manage_pty_dirs',`
-	gen_require(`
-		type devpts_t;
-	')
-
-	dontaudit $1 devpts_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	ioctl of generic pty types.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for ppp
-interface(`term_ioctl_generic_ptys',`
-	gen_require(`
-		type devpts_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir search;
-	allow $1 devpts_t:chr_file ioctl;
-')
-
-########################################
-## <summary>
-##	Read and write the generic pty
-##	type.  This is generally only used in
-##	the targeted policy.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_use_generic_ptys',`
-	gen_require(`
-		type devpts_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir list_dir_perms;
-	allow $1 devpts_t:chr_file { rw_term_perms lock append };
-')
-
-########################################
-## <summary>
-##	Dot not audit attempts to read and
-##	write the generic pty type.  This is
-##	generally only used in the targeted policy.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_use_generic_ptys',`
-	gen_require(`
-		type devpts_t;
-	')
-
-	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
-')
-
-########################################
-## <summary>
-##	Read and write the controlling
-##	terminal (/dev/tty).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_use_controlling_term',`
-	gen_require(`
-		type devtty_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 devtty_t:chr_file { rw_term_perms lock append };
-')
-
-########################################
-## <summary>
-##	Read and write the pty multiplexor (/dev/ptmx).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to allow access.
-##	</summary>
-## </param>
-#
-interface(`term_use_ptmx',`
-	gen_require(`
-		type ptmx_t;
-	')
-
-	allow $1 ptmx_t:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and
-##	write the pty multiplexor (/dev/ptmx).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_use_ptmx',`
-	gen_require(`
-		type ptmx_t;
-	')
-
-	dontaudit $1 ptmx_t:chr_file { getattr read write };
-')
-
-########################################
-## <summary>
-##	Get the attributes of all user
-##	pty device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_getattr_all_user_ptys',`
-	gen_require(`
-		attribute ptynode;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
-	allow $1 ptynode:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	attributes of any user pty
-##	device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_getattr_all_user_ptys',`
-	gen_require(`
-		attribute ptynode;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
-	dontaudit $1 ptynode:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of all user
-##	pty device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_setattr_all_user_ptys',`
-	gen_require(`
-		attribute ptynode;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
-	allow $1 ptynode:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Relabel to all user ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_relabelto_all_user_ptys',`
-	gen_require(`
-		attribute ptynode;
-	')
-
-	allow $1 ptynode:chr_file relabelto;
-')
-
-########################################
-## <summary>
-##	Read and write all user ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_use_all_user_ptys',`
-	gen_require(`
-		attribute ptynode;
-		type devpts_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
-	allow $1 ptynode:chr_file { rw_term_perms lock append };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read any
-##	user ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_use_all_user_ptys',`
-	gen_require(`
-		attribute ptynode;
-	')
-
-	dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
-')
-
-########################################
-## <summary>
-##	Relabel from and to all user
-##	user pty device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_relabel_all_user_ptys',`
-	gen_require(`
-		attribute ptynode;
-		type devpts_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir search;
-	allow $1 ptynode:chr_file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Get the attributes of all unallocated
-##	tty device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_getattr_unallocated_ttys',`
-	gen_require(`
-		type tty_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 tty_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all unallocated tty device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_getattr_unallocated_ttys',`
-	gen_require(`
-		type tty_device_t;
-	')
-
-	dontaudit $1 tty_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of all unallocated
-##	tty device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_setattr_unallocated_ttys',`
-	gen_require(`
-		type tty_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 tty_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to ioctl
-##	unallocated tty device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_ioctl_unallocated_ttys',`
-	gen_require(`
-		type tty_device_t;
-	')
-
-	dontaudit $1 tty_device_t:chr_file ioctl;
-')
-
-########################################
-## <summary>
-##	Relabel from and to the unallocated
-##	tty type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_relabel_unallocated_ttys',`
-	gen_require(`
-		type tty_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 tty_device_t:chr_file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Relabel from all user tty types to
-##	the unallocated tty type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_reset_tty_labels',`
-	gen_require(`
-		attribute ttynode;
-		type tty_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file relabelfrom;
-	allow $1 tty_device_t:chr_file relabelto;
-')
-
-########################################
-## <summary>
-##	Write to unallocated ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_write_unallocated_ttys',`
-	gen_require(`
-		type tty_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 tty_device_t:chr_file { getattr write };
-')
-
-########################################
-## <summary>
-##	Read and write unallocated ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_use_unallocated_ttys',`
-	gen_require(`
-		type tty_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 tty_device_t:chr_file { rw_term_perms lock append };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or
-##	write unallocated ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to not audit.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_use_unallocated_ttys',`
-	gen_require(`
-		type tty_device_t;
-	')
-
-	dontaudit $1 tty_device_t:chr_file { read write };
-')
-
-########################################
-## <summary>
-##	Get the attributes of all user tty
-##	device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_getattr_all_user_ttys',`
-	gen_require(`
-		attribute ttynode;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	attributes of any user tty
-##	device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_getattr_all_user_ttys',`
-	gen_require(`
-		attribute ttynode;
-	')
-
-	dev_list_all_dev_nodes($1)
-	dontaudit $1 ttynode:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of all user tty
-##	device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_setattr_all_user_ttys',`
-	gen_require(`
-		attribute ttynode;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Relabel from and to all user
-##	user tty device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_relabel_all_user_ttys',`
-	gen_require(`
-		attribute ttynode;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Write to all user ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_write_all_user_ttys',`
-	gen_require(`
-		attribute ttynode;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file { getattr write };
-')
-
-########################################
-## <summary>
-##	Read and write all user to all user ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_use_all_user_ttys',`
-	gen_require(`
-		attribute ttynode;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file { rw_term_perms lock append };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or write
-##	any user ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`term_dontaudit_use_all_user_ttys',`
-	gen_require(`
-		attribute ttynode;
-	')
-
-	dontaudit $1 ttynode:chr_file { read write };
-')
-
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
deleted file mode 100644
index 9fa8156..0000000
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ /dev/null
@@ -1,68 +0,0 @@
-
-policy_module(terminal,1.1.2)
-
-########################################
-#
-# Declarations
-#
-attribute ttynode;
-attribute ptynode;
-attribute server_ptynode;
-attribute serial_device;
-
-#
-# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
-type bsdpty_device_t;
-dev_node(bsdpty_device_t)
-
-#
-# console_device_t is the type of /dev/console.
-#
-type console_device_t;
-dev_node(console_device_t)
-
-#
-# devpts_t is the type of the devpts file system and 
-# the type of the root directory of the file system.
-#
-type devpts_t;
-files_mountpoint(devpts_t)
-fs_associate_tmpfs(devpts_t)
-files_associate_tmp(devpts_t)
-fs_type(devpts_t)
-fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
-
-ifdef(`targeted_policy',`
-	# cjp: the ttynode should probably be removed.
-	typeattribute devpts_t ttynode, ptynode;
-')
-
-#
-# devtty_t is the type of /dev/tty.
-#
-type devtty_t;
-dev_node(devtty_t)
-mls_trusted_object(devtty_t)
-
-#
-# ptmx_t is the type for /dev/ptmx.
-#
-type ptmx_t;
-dev_node(ptmx_t)
-mls_trusted_object(ptmx_t)
-
-#
-# tty_device_t is the type of /dev/*tty*
-#
-type tty_device_t, serial_device;
-dev_node(tty_device_t)
-
-ifdef(`targeted_policy',`
-	typeattribute tty_device_t ttynode;
-')
-
-#
-# usbtty_device_t is the type of /dev/usr/tty*
-#
-type usbtty_device_t, serial_device;
-dev_node(usbtty_device_t)
diff --git a/refpolicy/policy/modules/services/afs.fc b/refpolicy/policy/modules/services/afs.fc
deleted file mode 100644
index 1689223..0000000
--- a/refpolicy/policy/modules/services/afs.fc
+++ /dev/null
@@ -1,22 +0,0 @@
-/usr/afs/bin/bosserver	--	gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
-/usr/afs/bin/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
-/usr/afs/bin/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
-/usr/afs/bin/ptserver	--	gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
-/usr/afs/bin/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
-/usr/afs/bin/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
-/usr/afs/bin/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
-
-/usr/afs/db		-d	gen_context(system_u:object_r:afs_dbdir_t,s0)
-/usr/afs/db/pr.*	--	gen_context(system_u:object_r:afs_pt_db_t,s0)
-/usr/afs/db/ka.*	--	gen_context(system_u:object_r:afs_ka_db_t,s0)
-/usr/afs/db/vl.*	--	gen_context(system_u:object_r:afs_vl_db_t,s0)
-
-/usr/afs/etc(/.*)?		gen_context(system_u:object_r:afs_config_t,s0)
-
-/usr/afs/local(/.*)?		gen_context(system_u:object_r:afs_config_t,s0)
-
-/usr/afs/logs(/.*)?		gen_context(system_u:object_r:afs_logfile_t,s0)
-
-/vicepa				gen_context(system_u:object_r:afs_files_t,s0)
-/vicepb				gen_context(system_u:object_r:afs_files_t,s0)
-/vicepc				gen_context(system_u:object_r:afs_files_t,s0)
diff --git a/refpolicy/policy/modules/services/afs.if b/refpolicy/policy/modules/services/afs.if
deleted file mode 100644
index e84153f..0000000
--- a/refpolicy/policy/modules/services/afs.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Andrew Filesystem server</summary>
diff --git a/refpolicy/policy/modules/services/afs.te b/refpolicy/policy/modules/services/afs.te
deleted file mode 100644
index 1e748b0..0000000
--- a/refpolicy/policy/modules/services/afs.te
+++ /dev/null
@@ -1,343 +0,0 @@
-
-policy_module(afs,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type afs_bosserver_t;
-type afs_bosserver_exec_t;
-init_daemon_domain(afs_bosserver_t,afs_bosserver_exec_t)
-
-type afs_config_t;
-files_type(afs_config_t)
-
-type afs_dbdir_t;
-files_type(afs_dbdir_t)
-
-# exported files
-type afs_files_t;
-files_type(afs_files_t)
-
-type afs_fsserver_t;
-type afs_fsserver_exec_t;
-domain_type(afs_fsserver_t)
-domain_entry_file(afs_fsserver_t,afs_fsserver_exec_t)
-role system_r types afs_fsserver_t;
-
-type afs_ka_db_t;
-files_type(afs_ka_db_t)
-
-type afs_kaserver_t;
-type afs_kaserver_exec_t;
-domain_type(afs_kaserver_t)
-domain_entry_file(afs_kaserver_t,afs_kaserver_exec_t)
-role system_r types afs_kaserver_t;
-
-type afs_logfile_t;
-logging_log_file(afs_logfile_t)
-
-type afs_pt_db_t;
-files_type(afs_pt_db_t)
-
-type afs_ptserver_t;
-type afs_ptserver_exec_t;
-domain_type(afs_ptserver_t)
-domain_entry_file(afs_ptserver_t,afs_ptserver_exec_t)
-role system_r types afs_ptserver_t;
-
-type afs_vl_db_t;
-files_type(afs_vl_db_t)
-
-type afs_vlserver_t;
-type afs_vlserver_exec_t;
-domain_type(afs_vlserver_t)
-domain_entry_file(afs_vlserver_t,afs_vlserver_exec_t)
-role system_r types afs_vlserver_t;
-
-########################################
-#
-# AFS bossserver local policy
-#
-
-allow afs_bosserver_t self:process { setsched signal_perms };
-allow afs_bosserver_t self:tcp_socket create_stream_socket_perms;
-allow afs_bosserver_t self:udp_socket create_socket_perms;
-
-can_exec(afs_bosserver_t,afs_bosserver_exec_t)
-
-allow afs_bosserver_t afs_config_t:file manage_file_perms;
-allow afs_bosserver_t afs_config_t:dir manage_dir_perms;
-
-allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
-
-allow afs_bosserver_t afs_fsserver_t:process signal_perms;
-domain_auto_trans(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
-allow afs_fsserver_t afs_bosserver_t:fd use;
-allow afs_fsserver_t afs_bosserver_t:fifo_file rw_file_perms;
-allow afs_fsserver_t afs_bosserver_t:process sigchld;
-
-allow afs_bosserver_t afs_kaserver_t:process signal_perms;
-domain_auto_trans(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)
-allow afs_kaserver_t afs_bosserver_t:fd use;
-allow afs_kaserver_t afs_bosserver_t:fifo_file rw_file_perms;
-allow afs_kaserver_t afs_bosserver_t:process sigchld;
-
-allow afs_bosserver_t afs_logfile_t:file create_file_perms;
-allow afs_bosserver_t afs_logfile_t:dir create_dir_perms;
-
-allow afs_bosserver_t afs_ptserver_t:process signal_perms;
-domain_auto_trans(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)
-allow afs_ptserver_t afs_bosserver_t:fd use;
-allow afs_ptserver_t afs_bosserver_t:fifo_file rw_file_perms;
-allow afs_ptserver_t afs_bosserver_t:process sigchld;
-
-allow afs_bosserver_t afs_vlserver_t:process signal_perms;
-domain_auto_trans(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
-allow afs_vlserver_t afs_bosserver_t:fd use;
-allow afs_vlserver_t afs_bosserver_t:fifo_file rw_file_perms;
-allow afs_vlserver_t afs_bosserver_t:process sigchld;
-
-kernel_read_kernel_sysctls(afs_bosserver_t)
-
-corenet_non_ipsec_sendrecv(afs_bosserver_t)
-corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
-corenet_udp_sendrecv_generic_if(afs_bosserver_t)
-corenet_tcp_sendrecv_all_nodes(afs_bosserver_t)
-corenet_udp_sendrecv_all_nodes(afs_bosserver_t)
-corenet_tcp_sendrecv_all_ports(afs_bosserver_t)
-corenet_udp_sendrecv_all_ports(afs_bosserver_t)
-corenet_udp_bind_all_nodes(afs_bosserver_t)
-corenet_udp_bind_afs_bos_port(afs_bosserver_t)
-corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
-
-files_read_etc_files(afs_bosserver_t)
-files_list_home(afs_bosserver_t)
-files_read_usr_files(afs_bosserver_t)
-
-libs_use_ld_so(afs_bosserver_t)
-libs_use_shared_libs(afs_bosserver_t)
-
-miscfiles_read_localization(afs_bosserver_t)
-
-seutil_read_config(afs_bosserver_t)
-
-sysnet_read_config(afs_bosserver_t)
-
-########################################
-#
-# fileserver local policy
-#
-
-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
-dontaudit afs_fsserver_t self:capability fsetid;
-allow afs_fsserver_t self:process { setsched signal_perms };
-allow afs_fsserver_t self:fifo_file rw_file_perms;
-allow afs_fsserver_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
-allow afs_fsserver_t self:udp_socket { create_socket_perms sendto recvfrom };
-
-allow afs_fsserver_t afs_config_t:file r_file_perms;
-allow afs_fsserver_t afs_config_t:dir r_dir_perms;
-
-allow afs_fsserver_t afs_config_t:file manage_file_perms;
-allow afs_fsserver_t afs_config_t:dir manage_dir_perms;
-
-allow afs_fsserver_t afs_files_t:filesystem getattr;
-allow afs_fsserver_t afs_files_t:dir manage_dir_perms;
-allow afs_fsserver_t afs_files_t:file manage_file_perms;
-allow afs_fsserver_t afs_files_t:lnk_file create_lnk_perms;
-allow afs_fsserver_t afs_files_t:sock_file manage_file_perms;
-allow afs_fsserver_t afs_files_t:fifo_file manage_file_perms;
-type_transition afs_fsserver_t afs_config_t:{ file lnk_file sock_file fifo_file } afs_files_t;
-allow afs_fsserver_t afs_config_t:dir rw_dir_perms;
-
-can_exec(afs_fsserver_t, afs_fsserver_exec_t)
-
-allow afs_fsserver_t afs_logfile_t:file create_file_perms;
-allow afs_fsserver_t afs_logfile_t:dir create_dir_perms;
-
-allow afs_fsserver_t afs_ptserver_t:udp_socket recvfrom;
-
-allow afs_fsserver_t afs_vlserver_t:udp_socket recvfrom;
-
-kernel_read_system_state(afs_fsserver_t)
-kernel_read_kernel_sysctls(afs_fsserver_t)
-
-corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
-corenet_udp_sendrecv_generic_if(afs_fsserver_t)
-corenet_tcp_sendrecv_all_nodes(afs_fsserver_t)
-corenet_udp_sendrecv_all_nodes(afs_fsserver_t)
-corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
-corenet_udp_sendrecv_all_ports(afs_fsserver_t)
-corenet_non_ipsec_sendrecv(afs_fsserver_t)
-corenet_tcp_bind_all_nodes(afs_fsserver_t)
-corenet_udp_bind_all_nodes(afs_fsserver_t)
-corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
-corenet_udp_bind_afs_fs_port(afs_fsserver_t)
-corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
-
-files_read_etc_files(afs_fsserver_t)
-files_read_etc_runtime_files(afs_fsserver_t)
-files_list_home(afs_fsserver_t)
-files_read_usr_files(afs_fsserver_t)
-files_list_pids(afs_fsserver_t)
-files_dontaudit_search_mnt(afs_fsserver_t)
-
-fs_getattr_xattr_fs(afs_fsserver_t)
-
-term_dontaudit_use_console(afs_fsserver_t)
-
-init_dontaudit_use_script_fds(afs_fsserver_t)
-
-libs_use_ld_so(afs_fsserver_t)
-libs_use_shared_libs(afs_fsserver_t)
-
-logging_send_syslog_msg(afs_fsserver_t)
-
-miscfiles_read_localization(afs_fsserver_t)
-
-seutil_read_config(afs_fsserver_t)
-
-sysnet_read_config(afs_fsserver_t)
-
-userdom_dontaudit_use_sysadm_ttys(afs_fsserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_fsserver_t)
-
-########################################
-#
-# kaserver local policy
-#
-
-allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms;
-allow afs_kaserver_t self:tcp_socket create_stream_socket_perms;
-allow afs_kaserver_t self:udp_socket create_socket_perms;
-
-allow afs_kaserver_t afs_config_t:file manage_file_perms;
-allow afs_kaserver_t afs_config_t:dir rw_dir_perms;
-
-allow afs_kaserver_t afs_ka_db_t:file manage_file_perms;
-allow afs_kaserver_t afs_dbdir_t:dir rw_dir_perms;
-type_transition afs_kaserver_t afs_dbdir_t:file afs_ka_db_t;
-
-allow afs_kaserver_t afs_logfile_t:file manage_file_perms;
-allow afs_kaserver_t afs_logfile_t:dir manage_dir_perms;
-
-kernel_read_kernel_sysctls(afs_kaserver_t)
-
-corenet_non_ipsec_sendrecv(afs_kaserver_t)
-corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
-corenet_udp_sendrecv_generic_if(afs_kaserver_t)
-corenet_tcp_sendrecv_all_nodes(afs_kaserver_t)
-corenet_udp_sendrecv_all_nodes(afs_kaserver_t)
-corenet_tcp_sendrecv_all_ports(afs_kaserver_t)
-corenet_udp_sendrecv_all_ports(afs_kaserver_t)
-corenet_udp_bind_all_nodes(afs_kaserver_t)
-corenet_udp_bind_afs_ka_port(afs_kaserver_t)
-corenet_udp_bind_kerberos_port(afs_kaserver_t)
-corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
-corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)
-
-files_read_etc_files(afs_kaserver_t)
-files_list_home(afs_kaserver_t)
-files_read_usr_files(afs_kaserver_t)
-
-libs_use_ld_so(afs_kaserver_t)
-libs_use_shared_libs(afs_kaserver_t)
-
-miscfiles_read_localization(afs_kaserver_t)
-
-seutil_read_config(afs_kaserver_t)
-
-sysnet_read_config(afs_kaserver_t)
-
-userdom_dontaudit_use_sysadm_ttys(afs_kaserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_kaserver_t)
-
-########################################
-#
-# ptserver local policy
-#
-
-allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
-allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
-allow afs_ptserver_t self:udp_socket create_socket_perms;
-
-allow afs_ptserver_t afs_config_t:file r_file_perms;
-allow afs_ptserver_t afs_config_t:dir r_dir_perms;
-
-allow afs_ptserver_t afs_logfile_t:file create_file_perms;
-allow afs_ptserver_t afs_logfile_t:dir create_dir_perms;
-
-allow afs_ptserver_t afs_fsserver_t:udp_socket recvfrom;
-
-allow afs_ptserver_t afs_pt_db_t:file manage_file_perms;
-allow afs_ptserver_t afs_dbdir_t:dir rw_dir_perms;
-type_transition afs_ptserver_t afs_dbdir_t:file afs_pt_db_t;
-
-corenet_non_ipsec_sendrecv(afs_ptserver_t)
-corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
-corenet_udp_sendrecv_generic_if(afs_ptserver_t)
-corenet_tcp_sendrecv_all_nodes(afs_ptserver_t)
-corenet_udp_sendrecv_all_nodes(afs_ptserver_t)
-corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
-corenet_udp_sendrecv_all_ports(afs_ptserver_t)
-corenet_udp_bind_all_nodes(afs_ptserver_t)
-corenet_udp_bind_afs_pt_port(afs_ptserver_t)
-corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
-
-files_read_etc_files(afs_ptserver_t)
-
-libs_use_ld_so(afs_ptserver_t)
-libs_use_shared_libs(afs_ptserver_t)
-
-miscfiles_read_localization(afs_ptserver_t)
-
-sysnet_read_config(afs_ptserver_t)
-
-userdom_dontaudit_use_sysadm_ttys(afs_ptserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_ptserver_t)
-
-########################################
-#
-# vlserver local policy
-#
-
-allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
-allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
-allow afs_vlserver_t self:udp_socket create_socket_perms;
-
-allow afs_vlserver_t afs_config_t:file r_file_perms;
-allow afs_vlserver_t afs_config_t:dir r_dir_perms;
-
-allow afs_vlserver_t afs_fsserver_t:udp_socket recvfrom;
-
-allow afs_vlserver_t afs_logfile_t:file create_file_perms;
-allow afs_vlserver_t afs_logfile_t:dir create_dir_perms;
-
-allow afs_vlserver_t afs_vl_db_t:file manage_file_perms;
-allow afs_vlserver_t afs_dbdir_t:dir rw_dir_perms;
-type_transition afs_vlserver_t afs_dbdir_t:file afs_vl_db_t;
-
-corenet_non_ipsec_sendrecv(afs_vlserver_t)
-corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
-corenet_udp_sendrecv_generic_if(afs_vlserver_t)
-corenet_tcp_sendrecv_all_nodes(afs_vlserver_t)
-corenet_udp_sendrecv_all_nodes(afs_vlserver_t)
-corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
-corenet_udp_sendrecv_all_ports(afs_vlserver_t)
-corenet_udp_bind_all_nodes(afs_vlserver_t)
-corenet_udp_bind_afs_vl_port(afs_vlserver_t)
-corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
-
-files_read_etc_files(afs_vlserver_t)
-
-libs_use_ld_so(afs_vlserver_t)
-libs_use_shared_libs(afs_vlserver_t)
-
-miscfiles_read_localization(afs_vlserver_t)
-
-sysnet_read_config(afs_vlserver_t)
-
-userdom_dontaudit_use_sysadm_ttys(afs_vlserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_vlserver_t)
diff --git a/refpolicy/policy/modules/services/amavis.fc b/refpolicy/policy/modules/services/amavis.fc
deleted file mode 100644
index 31b1ab7..0000000
--- a/refpolicy/policy/modules/services/amavis.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-
-/etc/amavis\.conf		--	gen_context(system_u:object_r:amavis_etc_t,s0)
-/etc/amavisd(/.*)?		--	gen_context(system_u:object_r:amavis_etc_t,s0)
-
-/usr/sbin/amavisd.*		--	gen_context(system_u:object_r:amavis_exec_t,s0)
-
-/var/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
-/var/lib/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
-/var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
-/var/run/amavis(d)?(/.*)?		gen_context(system_u:object_r:amavis_var_run_t,s0)
-/var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
-/var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)
diff --git a/refpolicy/policy/modules/services/amavis.if b/refpolicy/policy/modules/services/amavis.if
deleted file mode 100644
index f236899..0000000
--- a/refpolicy/policy/modules/services/amavis.if
+++ /dev/null
@@ -1,176 +0,0 @@
-## <summary>
-##	Daemon that interfaces mail transfer agents and content
-##	checkers, such as virus scanners.
-## </summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run amavis.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`amavis_domtrans',`
-	gen_require(`
-		type amavis_t, amavis_exec_t;
-	')
-
-	domain_auto_trans($1,amavis_exec_t,amavis_t)
-
-	allow $1 amavis_t:fd use;
-	allow amavis_t $1:fd use;
-	allow amavis_t $1:fifo_file rw_file_perms;
-	allow amavis_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Read amavis spool files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`amavis_read_spool_files',`
-	gen_require(`
-		type amavis_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 amavis_spool_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Manage amavis spool files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`amavis_manage_spool_files',`
-	gen_require(`
-		type amavis_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 amavis_spool_t:dir manage_dir_perms;
-	allow $1 amavis_spool_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in the amavis spool directories
-##	with a private type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private_type">
-##	<summary>
-##	Private file type.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`amavis_spool_filetrans',`
-	gen_require(`
-		type amavis_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 amavis_spool_t:dir rw_dir_perms;
-	type_transition $1 amavis_spool_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Search amavis lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`amavis_search_lib',`
-	gen_require(`
-		type amavis_var_lib_t;
-	')
-
-	allow $1 amavis_var_lib_t:dir search_dir_perms;
-	files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-##	Read amavis lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`amavis_read_lib_files',`
-	gen_require(`
-		type amavis_var_lib_t;
-	')
-
-	allow $1 amavis_var_lib_t:file r_file_perms;
-	allow $1 amavis_var_lib_t:dir list_dir_perms;
-	files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	amavis lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`amavis_manage_lib_files',`
-	gen_require(`
-		type amavis_var_lib_t;
-	')
-
-	allow $1 amavis_var_lib_t:file manage_file_perms;
-	allow $1 amavis_var_lib_t:dir rw_dir_perms;
-	files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-##	Set the attributes of amavis pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`amavis_setattr_pid_files',`
-	gen_require(`
-		type amavis_var_run_t;
-	')
-
-	allow $1 amavis_var_run_t:file setattr;
-	files_search_pids($1)
-')
diff --git a/refpolicy/policy/modules/services/amavis.te b/refpolicy/policy/modules/services/amavis.te
deleted file mode 100644
index 55b4b6b..0000000
--- a/refpolicy/policy/modules/services/amavis.te
+++ /dev/null
@@ -1,182 +0,0 @@
-
-policy_module(amavis,1.0.5)
-
-########################################
-#
-# Declarations
-#
-
-type amavis_t;
-type amavis_exec_t;
-domain_type(amavis_t)
-init_daemon_domain(amavis_t, amavis_exec_t)
-
-# configuration files
-type amavis_etc_t;
-files_type(amavis_etc_t)
-
-# pid files
-type amavis_var_run_t;
-files_pid_file(amavis_var_run_t)
-
-# var/lib files
-type amavis_var_lib_t;
-files_type(amavis_var_lib_t)
-
-# log files
-type amavis_var_log_t;
-logging_log_file(amavis_var_log_t)
-
-# tmp files
-type amavis_tmp_t;
-files_tmp_file(amavis_tmp_t)
-
-# virus quarantine
-type amavis_quarantine_t;
-files_type(amavis_quarantine_t)
-
-type amavis_spool_t;
-files_type(amavis_spool_t)
-
-########################################
-#
-# amavis local policy
-#
-
-allow amavis_t self:capability { kill chown dac_override setgid setuid };
-dontaudit amavis_t self:capability sys_tty_config;
-allow amavis_t self:process { signal sigchld signull };
-allow amavis_t self:fifo_file rw_file_perms;
-allow amavis_t self:unix_stream_socket create_stream_socket_perms;
-allow amavis_t self:unix_dgram_socket create_socket_perms;
-allow amavis_t self:tcp_socket { listen accept };
-
-# configuration files
-allow amavis_t amavis_etc_t:dir r_dir_perms;
-allow amavis_t amavis_etc_t:file r_file_perms;
-allow amavis_t amavis_etc_t:lnk_file { getattr read };
-
-# mail quarantine
-allow amavis_t amavis_quarantine_t:file create_file_perms;
-allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
-allow amavis_t amavis_quarantine_t:dir create_dir_perms;
-
-# Spool Files
-allow amavis_t amavis_spool_t:dir manage_dir_perms;
-allow amavis_t amavis_spool_t:file manage_file_perms;
-allow amavis_t amavis_spool_t:sock_file manage_file_perms;
-files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
-
-# tmp files
-allow amavis_t amavis_tmp_t:file create_file_perms;
-allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
-files_tmp_filetrans(amavis_t,amavis_tmp_t,file)
-
-# var/lib files for amavis
-allow amavis_t amavis_var_lib_t:file create_file_perms;
-allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
-allow amavis_t amavis_var_lib_t:dir create_dir_perms;
-files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
-
-# log files
-allow amavis_t amavis_var_log_t:file create_file_perms;
-allow amavis_t amavis_var_log_t:sock_file create_file_perms;
-allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir })
-
-# pid file
-allow amavis_t amavis_var_run_t:file manage_file_perms;
-allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
-allow amavis_t amavis_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })
-
-kernel_read_kernel_sysctls(amavis_t)
-# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
-kernel_dontaudit_list_proc(amavis_t)
-kernel_dontaudit_read_proc_symlinks(amavis_t)
-kernel_dontaudit_read_system_state(amavis_t)
-
-# find perl
-corecmd_exec_bin(amavis_t)
-corecmd_search_sbin(amavis_t)
-
-corenet_non_ipsec_sendrecv(amavis_t)
-corenet_tcp_sendrecv_all_if(amavis_t)
-corenet_tcp_sendrecv_all_nodes(amavis_t)
-corenet_tcp_bind_all_nodes(amavis_t)
-corenet_udp_bind_all_nodes(amavis_t)
-# amavis uses well-defined ports
-corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
-corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
-# just the other side not. ;-)
-corenet_tcp_sendrecv_all_ports(amavis_t)
-# connect to backchannel port
-corenet_tcp_connect_amavisd_send_port(amavis_t)
-# bind to incoming port
-corenet_tcp_bind_amavisd_recv_port(amavis_t)
-corenet_udp_bind_generic_port(amavis_t)
-
-dev_read_rand(amavis_t)
-dev_read_urand(amavis_t)
-
-domain_use_interactive_fds(amavis_t)
-
-files_read_etc_files(amavis_t)
-files_read_etc_runtime_files(amavis_t)
-files_read_usr_files(amavis_t)
-
-auth_dontaudit_read_shadow(amavis_t)
-
-init_use_fds(amavis_t)
-init_use_script_ptys(amavis_t)
-init_stream_connect_script(amavis_t)
-
-libs_use_ld_so(amavis_t)
-libs_use_shared_libs(amavis_t)
-
-logging_send_syslog_msg(amavis_t)
-
-miscfiles_read_localization(amavis_t)
-
-sysnet_dns_name_resolve(amavis_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(amavis_t)
-
-# Cron handling
-cron_use_fds(amavis_t)
-cron_use_system_job_fds(amavis_t)
-cron_rw_pipes(amavis_t)
-
-mta_read_config(amavis_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_generic_ptys(amavis_t)
-')
-
-optional_policy(`
-	clamav_stream_connect(amavis_t)
-	clamav_domtrans_clamscan(amavis_t)
-')
-
-optional_policy(`
-	dcc_domtrans_client(amavis_t)
-	dcc_stream_connect_dccifd(amavis_t)
-')
-
-optional_policy(`
-	ldap_use(amavis_t)
-')
-
-optional_policy(`
-	pyzor_domtrans(amavis_t)
-')
-
-optional_policy(`
-	razor_domtrans(amavis_t)
-')
-
-optional_policy(`
-	spamassassin_exec(amavis_t)
-	spamassassin_exec_client(amavis_t)
-')
diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc
deleted file mode 100644
index f6277c5..0000000
--- a/refpolicy/policy/modules/services/apache.fc
+++ /dev/null
@@ -1,82 +0,0 @@
-# temporary hack till genhomedircon is fixed
-ifdef(`targeted_policy',`
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-',`
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
-')
-
-/etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd			-d	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf.*			gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
-/etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
-/etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
-
-/srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-
-/usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-
-/usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/squid/cachemgr.cgi	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib(64)?/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
-
-/usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-
-ifdef(`distro_suse', `
-/usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
-')
-
-/usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-
-/var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_ssl(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-mmcache(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/rt3(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
-
-/var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-
-/var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-ifdef(`distro_debian', `
-/var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-')
-
-/var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
-
-/var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
-/var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-ifdef(`strict_policy',`
-/var/spool/cron/apache		-- 	gen_context(system_u:object_r:user_cron_spool_t,s0)
-')
-
-/var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
deleted file mode 100644
index d263fc3..0000000
--- a/refpolicy/policy/modules/services/apache.if
+++ /dev/null
@@ -1,1028 +0,0 @@
-## <summary>Apache web server</summary>
-
-########################################
-## <summary>
-##	Create a set of derived types for apache
-##	web content.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix to be used for deriving type names.
-##	</summary>
-## </param>
-#
-template(`apache_content_template',`
-	gen_require(`
-		attribute httpdcontent;
-		attribute httpd_exec_scripts;
-		attribute httpd_script_exec_type;
-		type httpd_t, httpd_suexec_t, httpd_log_t;
-	')
-	# allow write access to public file transfer
-	# services files.
-	gen_tunable(allow_httpd_$1_script_anon_write,false)
-
-	#This type is for webpages
-	type httpd_$1_content_t, httpdcontent; # customizable
-	files_type(httpd_$1_content_t)
-
-	# This type is used for .htaccess files
-	type httpd_$1_htaccess_t; # customizable;
-	files_type(httpd_$1_htaccess_t)
-
-	# Type that CGI scripts run as
-	type httpd_$1_script_t;
-	domain_type(httpd_$1_script_t)
-	role system_r types httpd_$1_script_t;
-
-	# This type is used for executable scripts files
-	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
-	corecmd_shell_entry_type(httpd_$1_script_t)
-	domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
-
-	# The following three are the only areas that 
-	# scripts can read, read/write, or append to
-	type httpd_$1_script_ro_t, httpdcontent; # customizable
-	files_type(httpd_$1_script_ro_t)
-
-	type httpd_$1_script_rw_t, httpdcontent; # customizable
-	files_type(httpd_$1_script_rw_t)
-
-	type httpd_$1_script_ra_t, httpdcontent; # customizable
-	files_type(httpd_$1_script_ra_t)
-
-	allow httpd_t httpd_$1_htaccess_t:file r_file_perms;
-
-	domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-	allow httpd_suexec_t httpd_$1_script_t:fd use;
-	allow httpd_$1_script_t httpd_suexec_t:fd use;
-	allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
-	allow httpd_$1_script_t httpd_suexec_t:process sigchld;
-
-	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
-
-	allow httpd_$1_script_t self:fifo_file rw_file_perms;
-	allow httpd_$1_script_t self:unix_stream_socket connectto;
-
-	allow httpd_$1_script_t httpd_t:fifo_file write;
-	# apache should set close-on-exec
-	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
-
-	# Allow the script process to search the cgi directory, and users directory
-	allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
-
-	allow httpd_$1_script_t httpd_log_t:file { getattr append };
-	allow httpd_$1_script_t httpd_log_t:dir search;
-	logging_search_logs(httpd_$1_script_t)
-
-	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-	allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
-
-	allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
-	allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
-	allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };
-
-	allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
-	allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
-	allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };
-
-	allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
-	allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
-	allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
-	allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
-	allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
-	files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
-
-	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
-	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-
-	dev_read_rand(httpd_$1_script_t)
-	dev_read_urand(httpd_$1_script_t)
-
-	corecmd_exec_all_executables(httpd_$1_script_t)
-
-	files_exec_etc_files(httpd_$1_script_t)
-	files_read_etc_files(httpd_$1_script_t)
-	files_search_home(httpd_$1_script_t)
-
-	libs_use_ld_so(httpd_$1_script_t)
-	libs_use_shared_libs(httpd_$1_script_t)
-	libs_exec_ld_so(httpd_$1_script_t)
-	libs_exec_lib_files(httpd_$1_script_t)
-
-	miscfiles_read_fonts(httpd_$1_script_t)
-	miscfiles_read_public_files(httpd_$1_script_t)
-
-	seutil_dontaudit_search_config(httpd_$1_script_t)
-
-	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-		allow httpd_$1_script_t httpdcontent:file entrypoint;
-		allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
-		allow httpd_$1_script_t httpdcontent:file create_file_perms;
-		allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
-		can_exec(httpd_$1_script_t, httpdcontent)
-	')
-
-	tunable_policy(`allow_httpd_$1_script_anon_write',`
-		miscfiles_manage_public_files(httpd_$1_script_t)
-	') 
-
-	# Allow the web server to run scripts and serve pages
-	tunable_policy(`httpd_builtin_scripting',`
-		allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
-		allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
-		allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
-		allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-
-		allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
-		allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
-		allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };
-
-		allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
-		allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
-		allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };
-
-		allow httpd_t httpd_$1_content_t:dir r_dir_perms;
-		allow httpd_t httpd_$1_content_t:file r_file_perms;
-		allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
-	')
-
-	tunable_policy(`httpd_enable_cgi',`
-		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
-
-		# privileged users run the script:
-		domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
-		allow httpd_exec_scripts httpd_$1_script_t:fd use;
-		allow httpd_$1_script_t httpd_exec_scripts:fd use;
-		allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms;
-		allow httpd_$1_script_t httpd_exec_scripts:process sigchld;
-
-		# apache runs the script:
-		domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-		allow httpd_t httpd_$1_script_t:fd use;
-		allow httpd_$1_script_t httpd_t:fd use;
-		allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
-		allow httpd_$1_script_t httpd_t:process sigchld;
-
-		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
-		allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
-		allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
-
-		allow httpd_$1_script_t self:process signal_perms;
-		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
-
-		allow httpd_$1_script_t httpd_t:fd use;
-		allow httpd_$1_script_t httpd_t:process sigchld;
-
-		kernel_read_system_state(httpd_$1_script_t)
-
-		dev_read_urand(httpd_$1_script_t)
-
-		fs_getattr_xattr_fs(httpd_$1_script_t)
-
-		files_read_etc_runtime_files(httpd_$1_script_t)
-		files_read_usr_files(httpd_$1_script_t)
-
-		libs_read_lib_files(httpd_$1_script_t)
-
-		miscfiles_read_localization(httpd_$1_script_t)
-	')
-
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
-		allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
-		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
-		corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
-		corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
-		corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
-
-		sysnet_read_config(httpd_$1_script_t)
-	')
-
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
-		allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
-		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_tcp_connect_all_ports(httpd_$1_script_t)
-		corenet_sendrecv_all_client_packets(httpd_$1_script_t)
-
-		sysnet_read_config(httpd_$1_script_t)
-	')
-
-	optional_policy(`
-		mta_send_mail(httpd_$1_script_t)
-	')
-
-	optional_policy(`
-		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
-			nis_use_ypbind_uncond(httpd_$1_script_t)
-		')
-	')
-
-	optional_policy(`
-		nscd_socket_use(httpd_$1_script_t)
-	')
-')
-
-#######################################
-## <summary>
-##	The per user domain template for the apache module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates types used for web pages
-##	and web cgi to be used from the user home directory.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`apache_per_userdomain_template', `
-	gen_require(`
-		attribute httpdcontent, httpd_script_domains;
-		attribute httpd_exec_scripts;
-		type httpd_t, httpd_suexec_t, httpd_log_t;
-	')
-
-	apache_content_template($1)
-
-	typeattribute httpd_$1_content_t httpd_script_domains;
-	userdom_user_home_content($1,httpd_$1_content_t)
-
-	role $3 types httpd_$1_script_t;
-
-	allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
-
-	allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
-
-	allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
-	allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
-	allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };
-
-	allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
-	allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
-	allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };
-
-	allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
-	allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
-	allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };
-
-	allow $2 httpd_$1_script_exec_t:dir create_dir_perms;
-	allow $2 httpd_$1_script_exec_t:file create_file_perms;
-	allow $2 httpd_$1_script_exec_t:lnk_file create_lnk_perms;
-
-	allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
-	allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
-	allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
-
-	tunable_policy(`httpd_enable_cgi',`
-		# If a user starts a script by hand it gets the proper context
-		domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
-		allow $2 httpd_$1_script_t:fd use;
-		allow httpd_$1_script_t $2:fd use;
-		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
-		allow httpd_$1_script_t $2:process sigchld;
-	')
-
-	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-		allow httpd_$1_script_t httpdcontent:file entrypoint;
-
-		domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
-		allow $2 httpd_$1_script_t:fd use;
-		allow httpd_$1_script_t $2:fd use;
-		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
-		allow httpd_$1_script_t $2:process sigchld;
-	')
-
-	# allow accessing files/dirs below the users home dir
-	tunable_policy(`httpd_enable_homedirs',`
-		userdom_search_user_home_dirs($1,httpd_t)
-		userdom_search_user_home_dirs($1,httpd_suexec_t)
-		userdom_search_user_home_dirs($1,httpd_$1_script_t)
-	')
-')
-
-########################################
-## <summary>
-##	Read httpd user scripts executables.
-## </summary>
-## <param name="domain_prefix">
-##	<summary>
-##	Prefix of the domain. Example, user would be
-##	the prefix for the uder_t domain.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`apache_read_user_scripts',`
-	gen_require(`
-		type httpd_$1_script_exec_t;
-	')
-
-	allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
-	allow $2 httpd_$1_script_exec_t:file r_file_perms;
-	allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read user web content.
-## </summary>
-## <param name="domain_prefix">
-##	<summary>
-##	Prefix of the domain. Example, user would be
-##	the prefix for the uder_t domain.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`apache_read_user_content',`
-	gen_require(`
-		type httpd_$1_content_t;
-	')
-
-	allow $2 httpd_$1_content_t:dir r_dir_perms;
-	allow $2 httpd_$1_content_t:file r_file_perms;
-	allow $2 httpd_$1_content_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Transition to apache.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_domtrans',`
-	gen_require(`
-		type httpd_t, httpd_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,httpd_exec_t,httpd_t)
-
-	allow $1 httpd_t:fd use;
-	allow httpd_t $1:fd use;
-	allow httpd_t $1:fifo_file rw_file_perms;
-	allow httpd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send a null signal to apache.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_signull',`
-	gen_require(`
-		type httpd_t;
-	')
-
-	allow $1 httpd_t:process signull;
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to apache.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_sigchld',`
-	gen_require(`
-		type httpd_t;
-	')
-
-	allow $1 httpd_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Inherit and use file descriptors from Apache.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_use_fds',`
-	gen_require(`
-		type httpd_t;
-	')
-
-	allow $1 httpd_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write Apache
-##	unix domain stream sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_dontaudit_rw_stream_sockets',`
-	gen_require(`
-		type httpd_t;
-	')
-
-	dontaudit $1 httpd_t:unix_stream_socket { read write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write Apache
-##	TCP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_dontaudit_rw_tcp_sockets',`
-	gen_require(`
-		type httpd_t;
-	')
-
-	dontaudit $1 httpd_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete all web content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_manage_all_content',`
-	gen_require(`
-		attribute httpdcontent, httpd_script_exec_type;
-	')
-
-	allow $1 httpdcontent:dir manage_dir_perms;
-	allow $1 httpdcontent:file manage_file_perms;
-	allow $1 httpdcontent:lnk_file create_lnk_perms;
-
-	allow $1 httpd_script_exec_type:dir manage_dir_perms;
-	allow $1 httpd_script_exec_type:file manage_file_perms;
-	allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
-
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read
-##	and write Apache cache files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_rw_cache_files',`
-	gen_require(`
-		type httpd_cache_t;
-	')
-
-	allow $1 httpd_cache_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read
-##	apache configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_read_config',`
-	gen_require(`
-		type httpd_config_t;
-	')
-
-	files_search_etc($1)
-	allow $1 httpd_config_t:dir r_dir_perms;
-	allow $1 httpd_config_t:file r_file_perms;
-	allow $1 httpd_config_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to manage
-##	apache configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_manage_config',`
-	gen_require(`
-		type httpd_config_t;
-	')
-
-	files_search_etc($1)
-	allow $1 httpd_config_t:dir manage_dir_perms;
-	allow $1 httpd_config_t:file manage_file_perms;
-	allow $1 httpd_config_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Execute the Apache helper program with
-##	a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_domtrans_helper',`
-	gen_require(`
-		type httpd_helper_t, httpd_helper_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t)
-
-	allow $1 httpd_helper_t:fd use;
-	allow httpd_helper_t $1:fd use;
-	allow httpd_helper_t $1:fifo_file rw_file_perms;
-	allow httpd_helper_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute the Apache helper program with
-##	a domain transition, and allow the
-##	specified role the dmidecode domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the dmidecode domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dmidecode domain to use.
-##	</summary>
-## </param>
-#
-interface(`apache_run_helper',`
-	gen_require(`
-		type httpd_helper_t;
-	')
-
-	apache_domtrans_helper($1)
-	role $2 types httpd_helper_t;
-	allow httpd_helper_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read
-##	apache log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_read_log',`
-	gen_require(`
-		type httpd_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 httpd_log_t:dir r_dir_perms;
-	allow $1 httpd_log_t:file r_file_perms;
-	allow $1 httpd_log_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to append
-##	to apache log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_append_log',`
-	gen_require(`
-		type httpd_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 httpd_log_t:dir r_dir_perms;
-	allow $1 httpd_log_t:file append;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to append to the
-##	Apache logs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`apache_dontaudit_append_log',`
-	gen_require(`
-		type httpd_log_t;
-	')
-
-	dontaudit $1 httpd_log_t:file { getattr append };
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to manage
-##	to apache log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_manage_log',`
-	gen_require(`
-		type httpd_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 httpd_log_t:dir manage_dir_perms;
-	allow $1 httpd_log_t:file manage_file_perms;
-	allow $1 httpd_log_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search Apache
-##	module directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`apache_dontaudit_search_modules',`
-	gen_require(`
-		type httpd_modules_t;
-	')
-
-	allow $1 httpd_modules_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to list
-##	the contents of the apache modules
-##	directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_list_modules',`
-	gen_require(`
-		type httpd_modules_t;
-	')
-
-	allow $1 httpd_modules_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to execute
-##	apache modules.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_exec_modules',`
-	gen_require(`
-		type httpd_modules_t;
-	')
-
-	allow $1 httpd_modules_t:dir r_dir_perms;
-	allow $1 httpd_modules_t:lnk_file r_file_perms;
-	can_exec($1,httpd_modules_t)
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to run httpd_rotatelogs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_domtrans_rotatelogs',`
-	gen_require(`
-		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
-	')
-
-	domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
-
-	allow httpd_rotatelogs_t $1:fd use;
-	allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
-	allow httpd_rotatelogs_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to manage
-##	apache system content files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
-interface(`apache_manage_sys_content',`
-	gen_require(`
-		type httpd_sys_content_t;
-	')
-
-	files_search_var($1)
-	allow $1 httpd_sys_content_t:dir create_dir_perms;
-	allow $1 httpd_sys_content_t:file create_file_perms;
-	allow $1 httpd_sys_content_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Execute all web scripts in the system
-##	script domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: this interface specifically added to allow
-# sysadm_t to run scripts
-interface(`apache_domtrans_sys_script',`
-	gen_require(`
-		attribute httpdcontent;
-		type httpd_sys_script_t;
-	')
-
-	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-		domain_auto_trans($1, httpdcontent, httpd_sys_script_t)
-
-		allow $1 httpd_sys_script_t:fd use;
-		allow httpd_sys_script_t $1:fd use;
-		allow httpd_sys_script_t $1:fifo_file rw_file_perms;
-		allow httpd_sys_script_t $1:process sigchld;
-	')
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write Apache
-##	system script unix domain stream sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
-	gen_require(`
-		type httpd_sys_script_t;
-	')
-
-	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
-')
-
-########################################
-## <summary>
-##	Execute all user scripts in the user
-##	script domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_domtrans_all_scripts',`
-	gen_require(`
-		attribute httpd_exec_scripts;
-	')
-
-	typeattribute $1 httpd_exec_scripts;
-')
-
-########################################
-## <summary>
-##	Execute all user scripts in the user
-##	script domain.  Add user script domains
-##	to the specified role.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the script domains.
-##	</summary>
-## </param>
-#
-# cjp: this is missing the terminal since scripts
-# do not output to the terminal
-interface(`apache_run_all_scripts',`
-	gen_require(`
-		attribute httpd_exec_scripts, httpd_script_domains;
-	')
-
-	role $2 types httpd_script_domains;
-	apache_domtrans_all_scripts($1)
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read
-##	apache squirrelmail data.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_read_squirrelmail_data',`
-	gen_require(`
-		type httpd_squirrelmail_t;
-	')
-
-	allow $1 httpd_squirrelmail_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to append
-##	apache squirrelmail data.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_append_squirrelmail_data',`
-	gen_require(`
-		type httpd_squirrelmail_t;
-	')
-
-	allow $1 httpd_squirrelmail_t:file { getattr append };
-')
-
-########################################
-## <summary>
-##	Search apache system content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_search_sys_content',`
-	gen_require(`
-		type httpd_sys_content_t;
-	')
-
-	allow $1 httpd_sys_content_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read apache system content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`apache_read_sys_content',`
-	gen_require(`
-		type httpd_sys_content_t;
-	')
-
-	allow $1 httpd_sys_content_t:dir r_dir_perms;
-	allow $1 httpd_sys_content_t:file { getattr read };
-	allow $1 httpd_sys_content_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Search system script state directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`apache_search_sys_script_state',`
-	gen_require(`
-		type httpd_sys_script_t;
-	')
-
-	allow $1 httpd_sys_script_t:dir search;
-')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
deleted file mode 100644
index e92d29d..0000000
--- a/refpolicy/policy/modules/services/apache.te
+++ /dev/null
@@ -1,723 +0,0 @@
-
-policy_module(apache,1.3.15)
-
-#
-# NOTES: 
-#  This policy will work with SUEXEC enabled as part of the Apache
-#  configuration. However, the user CGI scripts will run under the
-#  system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
-#  of the creating user.
-#
-#  The user CGI scripts must be labeled with the httpd_$1_script_exec_t
-#  type, and the directory containing the scripts should also be labeled
-#  with these types. This policy allows user_r role to perform that 
-#  relabeling. If it is desired that only sysadm_r should be able to relabel
-#  the user CGI scripts, then relabel rule for user_r should be removed.
-#
-
-########################################
-#
-# Declarations
-#
-
-attribute httpdcontent;
-
-# domains that can exec all users scripts
-attribute httpd_exec_scripts;
-
-attribute httpd_script_exec_type;
-
-# user script domains
-attribute httpd_script_domains;
-
-type httpd_t;
-type httpd_exec_t;
-init_daemon_domain(httpd_t,httpd_exec_t)
-role system_r types httpd_t;
-
-# httpd_cache_t is the type given to the /var/cache/httpd
-# directory and the files under that directory
-type httpd_cache_t;
-files_type(httpd_cache_t)
-
-# httpd_config_t is the type given to the configuration files
-type httpd_config_t;
-files_type(httpd_config_t)
-
-type httpd_helper_t;
-type httpd_helper_exec_t;
-domain_type(httpd_helper_t)
-domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
-role system_r types httpd_helper_t;
-
-type httpd_lock_t;
-files_lock_file(httpd_lock_t)
-
-type httpd_log_t;
-logging_log_file(httpd_log_t)
-
-# httpd_modules_t is the type given to module files (libraries) 
-# that come with Apache /etc/httpd/modules and /usr/lib/apache
-type httpd_modules_t;
-files_type(httpd_modules_t)
-
-type httpd_php_t;
-type httpd_php_exec_t;
-domain_type(httpd_php_t)
-domain_entry_file(httpd_php_t,httpd_php_exec_t)
-role system_r types httpd_php_t;
-
-type httpd_php_tmp_t;
-files_tmp_file(httpd_php_tmp_t)
-
-type httpd_rotatelogs_t;
-type httpd_rotatelogs_exec_t;
-init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-
-type httpd_squirrelmail_t;
-files_type(httpd_squirrelmail_t)
-
-# SUEXEC runs user scripts as their own user ID
-type httpd_suexec_t; #, daemon;
-type httpd_suexec_exec_t;
-domain_type(httpd_suexec_t)
-domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
-role system_r types httpd_suexec_t;
-
-type httpd_suexec_tmp_t;
-files_tmp_file(httpd_suexec_tmp_t)
-
-# setup the system domain for system CGI scripts
-apache_content_template(sys)
-
-type httpd_tmp_t;
-files_tmp_file(httpd_tmp_t)
-
-type httpd_tmpfs_t;
-files_tmpfs_file(httpd_tmpfs_t)
-
-# Unconfined domain for apache scripts.
-# Only to be used as a last resort
-type httpd_unconfined_script_t;
-type httpd_unconfined_script_exec_t; # customizable
-domain_type(httpd_unconfined_script_t)
-domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
-role system_r types httpd_unconfined_script_t;
-
-# for apache2 memory mapped files
-type httpd_var_lib_t;
-files_type(httpd_var_lib_t)
-
-type httpd_var_run_t;
-files_pid_file(httpd_var_run_t)
-
-# File Type of squirrelmail attachments
-type squirrelmail_spool_t;
-files_tmp_file(squirrelmail_spool_t)
-
-ifdef(`targeted_policy',`
-	typealias httpd_sys_content_t alias httpd_user_content_t;
-	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
-')
-
-optional_policy(`
-	prelink_object_file(httpd_modules_t)
-')
-
-########################################
-#
-# Apache server local policy
-#
-
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
-dontaudit httpd_t self:capability { net_admin sys_tty_config };
-allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow httpd_t self:fd use;
-allow httpd_t self:sock_file r_file_perms;
-allow httpd_t self:fifo_file rw_file_perms;
-allow httpd_t self:shm create_shm_perms;
-allow httpd_t self:sem create_sem_perms;
-allow httpd_t self:msgq create_msgq_perms;
-allow httpd_t self:msg { send receive };
-allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
-allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow httpd_t self:tcp_socket { create_stream_socket_perms acceptfrom connectto recvfrom };
-allow httpd_t self:udp_socket create_socket_perms;
-
-# Allow httpd_t to put files in /var/cache/httpd etc
-allow httpd_t httpd_cache_t:dir create_dir_perms;
-allow httpd_t httpd_cache_t:file create_file_perms;
-allow httpd_t httpd_cache_t:lnk_file create_lnk_perms;
-
-# Allow the httpd_t to read the web servers config files
-allow httpd_t httpd_config_t:dir r_dir_perms;
-allow httpd_t httpd_config_t:file r_file_perms;
-allow httpd_t httpd_config_t:lnk_file { getattr read };
-
-can_exec(httpd_t, httpd_exec_t)
-
-allow httpd_t httpd_lock_t:file create_file_perms;
-files_lock_filetrans(httpd_t,httpd_lock_t,file)
-
-allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
-allow httpd_t httpd_log_t:file { create ra_file_perms };
-allow httpd_t httpd_log_t:lnk_file read;
-# cjp: need to refine create interfaces to
-# cut this back to add_name only
-logging_log_filetrans(httpd_t,httpd_log_t,file)
-
-allow httpd_t httpd_modules_t:file rx_file_perms;
-allow httpd_t httpd_modules_t:dir r_dir_perms;
-allow httpd_t httpd_modules_t:lnk_file r_file_perms;
-
-allow httpd_t httpd_squirrelmail_t:dir create_dir_perms;
-allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms;
-allow httpd_t httpd_squirrelmail_t:file create_file_perms;
-
-allow httpd_t httpd_suexec_exec_t:file { getattr read };
-
-allow httpd_t httpd_sys_content_t:dir r_dir_perms;
-allow httpd_t httpd_sys_content_t:file r_file_perms;
-allow httpd_t httpd_sys_content_t:lnk_file r_file_perms;
-
-allow httpd_t httpd_tmp_t:dir create_dir_perms;
-allow httpd_t httpd_tmp_t:file create_file_perms;
-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
-
-allow httpd_t httpd_tmpfs_t:dir create_dir_perms;
-allow httpd_t httpd_tmpfs_t:file create_file_perms;
-allow httpd_t httpd_tmpfs_t:lnk_file create_lnk_perms;
-allow httpd_t httpd_tmpfs_t:sock_file create_file_perms;
-allow httpd_t httpd_tmpfs_t:fifo_file create_file_perms;
-fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-allow httpd_t httpd_var_lib_t:file create_file_perms;
-allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(httpd_t,httpd_var_lib_t,file)
-
-allow httpd_t httpd_var_run_t:file create_file_perms;
-allow httpd_t httpd_var_run_t:sock_file create_file_perms;
-allow httpd_t httpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(httpd_t,httpd_var_run_t, { file sock_file })
-
-allow httpd_t squirrelmail_spool_t:dir create_dir_perms;
-allow httpd_t squirrelmail_spool_t:file create_file_perms;
-allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
-
-kernel_read_kernel_sysctls(httpd_t)
-kernel_tcp_recvfrom(httpd_t)
-# for modules that want to access /proc/meminfo
-kernel_read_system_state(httpd_t)
-
-corenet_non_ipsec_sendrecv(httpd_t)
-corenet_tcp_sendrecv_all_if(httpd_t)
-corenet_udp_sendrecv_all_if(httpd_t)
-corenet_tcp_sendrecv_all_nodes(httpd_t)
-corenet_udp_sendrecv_all_nodes(httpd_t)
-corenet_tcp_sendrecv_all_ports(httpd_t)
-corenet_udp_sendrecv_all_ports(httpd_t)
-corenet_tcp_bind_all_nodes(httpd_t)
-corenet_tcp_bind_http_port(httpd_t)
-corenet_tcp_bind_http_cache_port(httpd_t)
-corenet_sendrecv_http_server_packets(httpd_t)
-
-dev_read_sysfs(httpd_t)
-dev_read_rand(httpd_t)
-dev_read_urand(httpd_t)
-dev_rw_crypto(httpd_t)
-
-fs_getattr_all_fs(httpd_t)
-fs_search_auto_mountpoints(httpd_t)
-
-term_dontaudit_use_console(httpd_t)
-
-auth_use_nsswitch(httpd_t)
-
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_sbin(httpd_t)
-
-domain_use_interactive_fds(httpd_t)
-
-files_read_usr_files(httpd_t)
-files_list_mnt(httpd_t)
-files_search_spool(httpd_t)
-files_read_var_lib_files(httpd_t)
-files_search_home(httpd_t)
-files_getattr_home_dir(httpd_t)
-# for modules that want to access /etc/mtab
-files_read_etc_runtime_files(httpd_t)
-# Allow httpd_t to have access to files such as nisswitch.conf
-files_read_etc_files(httpd_t)
-# for tomcat
-files_read_var_lib_symlinks(httpd_t)
-
-init_use_fds(httpd_t)
-init_use_script_ptys(httpd_t)
-
-libs_use_ld_so(httpd_t)
-libs_use_shared_libs(httpd_t)
-libs_read_lib_files(httpd_t)
-
-logging_send_syslog_msg(httpd_t)
-
-miscfiles_read_localization(httpd_t)
-miscfiles_read_fonts(httpd_t)
-miscfiles_read_public_files(httpd_t)
-miscfiles_read_certs(httpd_t)
-
-seutil_dontaudit_search_config(httpd_t)
-
-sysnet_use_ldap(httpd_t)
-sysnet_read_config(httpd_t)
-
-userdom_use_unpriv_users_fds(httpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
-
-mta_send_mail(httpd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(httpd_t)
-	term_dontaudit_use_generic_ptys(httpd_t)
-	files_dontaudit_read_root_files(httpd_t)
-
-	tunable_policy(`httpd_enable_homedirs',`
-		userdom_search_generic_user_home_dirs(httpd_t)
-	')
-')
-
-tunable_policy(`allow_httpd_anon_write',`
-	miscfiles_manage_public_files(httpd_t)
-') 
-
-ifdef(`TODO', `
-#
-# We need optionals to be able to be within booleans to make this work
-#
-tunable_policy(`allow_httpd_mod_auth_pam',`
-	auth_domtrans_chk_passwd(httpd_t)
-')
-')
-
-tunable_policy(`httpd_can_network_connect',`
-	corenet_tcp_connect_all_ports(httpd_t)
-')
-
-tunable_policy(`httpd_can_network_connect_db',`
-	# allow httpd to connect to mysql/posgresql
-	corenet_tcp_connect_postgresql_port(httpd_t)
-	corenet_tcp_connect_mysqld_port(httpd_t)
-	corenet_sendrecv_postgresql_client_packets(httpd_t)
-	corenet_sendrecv_mysqld_client_packets(httpd_t)
-')
-
-tunable_policy(`httpd_can_network_relay',`
-	# allow httpd to work as a relay
-	corenet_tcp_connect_gopher_port(httpd_t)
-	corenet_tcp_connect_ftp_port(httpd_t)
-	corenet_tcp_connect_http_port(httpd_t)
-	corenet_tcp_connect_http_cache_port(httpd_t)
-	corenet_sendrecv_gopher_client_packets(httpd_t)
-	corenet_sendrecv_ftp_client_packets(httpd_t)
-	corenet_sendrecv_http_client_packets(httpd_t)
-	corenet_sendrecv_http_cache_client_packets(httpd_t)
-')
-
-tunable_policy(`httpd_enable_cgi',`
-	domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-	allow httpd_t httpd_unconfined_script_t:fd use;
-	allow httpd_unconfined_script_t httpd_t:fd use;
-	allow httpd_unconfined_script_t httpd_t:fifo_file rw_file_perms;
-	allow httpd_unconfined_script_t httpd_t:process sigchld;
-
-	allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
-	allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
-')
-
-tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
-	domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
-	allow httpd_t httpd_sys_script_t:fd use;
-	allow httpd_sys_script_t httpd_t:fd use;
-	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
-	allow httpd_sys_script_t httpd_t:process sigchld;
-
-	allow httpd_t httpdcontent:dir create_dir_perms;
-	allow httpd_t httpdcontent:file create_file_perms;
-	allow httpd_t httpdcontent:lnk_file create_lnk_perms;
-')
-
-tunable_policy(`httpd_enable_ftp_server',`
-	corenet_tcp_bind_ftp_port(httpd_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-	fs_read_nfs_files(httpd_t)
-	fs_read_nfs_symlinks(httpd_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_read_cifs_files(httpd_t)
-	fs_read_cifs_symlinks(httpd_t)
-')
-
-tunable_policy(`httpd_ssi_exec',`
-	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
-	allow httpd_t httpd_sys_script_t:fd use;
-	allow httpd_sys_script_t httpd_t:fd use;
-	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
-	allow httpd_sys_script_t httpd_t:process sigchld;
-')
-
-# When the admin starts the server, the server wants to access
-# the TTY or PTY associated with the session. The httpd appears
-# to run correctly without this permission, so the permission
-# are dontaudited here. 
-tunable_policy(`httpd_tty_comm',`
-	# cjp: this is redundant:
-	term_use_controlling_term(httpd_t)
-
-	userdom_use_sysadm_terms(httpd_t)
-',`
-	userdom_dontaudit_use_sysadm_terms(httpd_t)
-')
-
-optional_policy(`
-	calamaris_read_www_files(httpd_t)
-')
-
-optional_policy(`
-	daemontools_service_domain(httpd_t, httpd_exec_t)
-')
-
-optional_policy(`
-	kerberos_use(httpd_t)
-')
-
-optional_policy(`
-	mailman_signal_cgi(httpd_t)
-	mailman_domtrans_cgi(httpd_t)
-	# should have separate types for public and private archives
-	mailman_search_data(httpd_t)
-	mailman_read_archive(httpd_t)
-')
-
-optional_policy(`
-	mysql_stream_connect(httpd_t)
-	mysql_rw_db_sockets(httpd_t)
-')
-
-optional_policy(`
-	nagios_read_config(httpd_t)
-	nagios_domtrans_cgi(httpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(httpd_t)
-')
-
-optional_policy(`
-	openca_domtrans(httpd_t)
-	openca_signal(httpd_t)
-	openca_sigstop(httpd_t)
-	openca_kill(httpd_t)
-')
-
-optional_policy(`
-	# Allow httpd to work with postgresql
-	postgresql_stream_connect(httpd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(httpd_t)
-')
-
-optional_policy(`
-	udev_read_db(httpd_t)
-')
-
-optional_policy(`
-	yam_read_content(httpd_t)
-')
-
-########################################
-#
-# Apache helper local policy
-#
-
-domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-allow httpd_t httpd_helper_t:fd use;
-allow httpd_helper_t httpd_t:fd use;
-allow httpd_helper_t httpd_t:fifo_file rw_file_perms;
-allow httpd_helper_t httpd_t:process sigchld;
-
-allow httpd_helper_t httpd_config_t:file { getattr read };
-
-allow httpd_helper_t httpd_log_t:file append;
-
-libs_use_ld_so(httpd_helper_t)
-libs_use_shared_libs(httpd_helper_t)
-
-logging_send_syslog_msg(httpd_helper_t)
-
-tunable_policy(`httpd_tty_comm',`
-	# cjp: this is redundant:
-	term_use_controlling_term(httpd_helper_t)
-
-	userdom_use_sysadm_terms(httpd_helper_t)
-')
-
-########################################
-#
-# Apache PHP script local policy
-#
-
-allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow httpd_php_t self:fd use;
-allow httpd_php_t self:fifo_file rw_file_perms;
-allow httpd_php_t self:sock_file r_file_perms;
-allow httpd_php_t self:unix_dgram_socket create_socket_perms;
-allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
-allow httpd_php_t self:unix_dgram_socket sendto;
-allow httpd_php_t self:unix_stream_socket connectto;
-allow httpd_php_t self:shm create_shm_perms;
-allow httpd_php_t self:sem create_sem_perms;
-allow httpd_php_t self:msgq create_msgq_perms;
-allow httpd_php_t self:msg { send receive };
-
-domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
-allow httpd_t httpd_php_t:fd use;
-allow httpd_php_t httpd_t:fd use;
-allow httpd_php_t httpd_t:fifo_file rw_file_perms;
-allow httpd_php_t httpd_t:process sigchld;
-
-# allow php to read and append to apache logfiles
-allow httpd_php_t httpd_log_t:file ra_file_perms;
-
-allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms;
-allow httpd_php_t httpd_php_tmp_t:file create_file_perms;
-files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
-
-fs_search_auto_mountpoints(httpd_php_t)
-
-libs_exec_lib_files(httpd_php_t)
-libs_use_ld_so(httpd_php_t)
-libs_use_shared_libs(httpd_php_t)
-
-userdom_use_unpriv_users_fds(httpd_php_t)
-
-optional_policy(`
-	mysql_stream_connect(httpd_php_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(httpd_php_t)
-')
-
-########################################
-#
-# Apache suexec local policy
-#
-
-allow httpd_suexec_t self:capability { setuid setgid };
-allow httpd_suexec_t self:process signal_perms;
-allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
-ifdef(`targeted_policy',`
-	gen_tunable(httpd_suexec_disable_trans,false)
-
-	tunable_policy(`httpd_suexec_disable_trans',`',`
-		domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-		allow httpd_t httpd_suexec_t:fd use;
-		allow httpd_suexec_t httpd_t:fd use;
-		allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
-		allow httpd_suexec_t httpd_t:process sigchld;
-	')
-')
-
-allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
-allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
-allow httpd_suexec_t httpd_t:fifo_file getattr;
-
-allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms;
-allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
-files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(httpd_suexec_t)
-kernel_list_proc(httpd_suexec_t)
-kernel_read_proc_symlinks(httpd_suexec_t)
-
-dev_read_urand(httpd_suexec_t)
-
-fs_search_auto_mountpoints(httpd_suexec_t)
-
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
-
-files_read_etc_files(httpd_suexec_t)
-files_read_usr_files(httpd_suexec_t)
-files_dontaudit_search_pids(httpd_suexec_t)
-files_search_home(httpd_suexec_t)
-
-libs_use_ld_so(httpd_suexec_t)
-libs_use_shared_libs(httpd_suexec_t)
-
-logging_search_logs(httpd_suexec_t)
-logging_send_syslog_msg(httpd_suexec_t)
-
-miscfiles_read_localization(httpd_suexec_t)
-
-ifdef(`targeted_policy',`
-	tunable_policy(`httpd_enable_homedirs',`
-		userdom_search_generic_user_home_dirs(httpd_suexec_t)
-	')
-')
-
-tunable_policy(`httpd_can_network_connect',`
-	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-	allow httpd_suexec_t self:udp_socket create_socket_perms;
-
-	corenet_non_ipsec_sendrecv(httpd_suexec_t)
-	corenet_tcp_sendrecv_all_if(httpd_suexec_t)
-	corenet_udp_sendrecv_all_if(httpd_suexec_t)
-	corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
-	corenet_udp_sendrecv_all_nodes(httpd_suexec_t)
-	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
-	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
-	corenet_tcp_connect_all_ports(httpd_suexec_t)
-	corenet_sendrecv_all_client_packets(httpd_suexec_t)
-
-	sysnet_read_config(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_cgi',`
-	domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-	allow httpd_suexec_t httpd_unconfined_script_t:fd use;
-	allow httpd_unconfined_script_t httpd_suexec_t:fd use;
-	allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
-	allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
-')
-
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
-	domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-	allow httpd_suexec_t httpd_sys_script_t:fd use;
-	allow httpd_sys_script_t httpd_suexec_t:fd use;
-	allow httpd_sys_script_t httpd_suexec_t:fifo_file rw_file_perms;
-	allow httpd_sys_script_t httpd_suexec_t:process sigchld;
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-	fs_read_nfs_files(httpd_suexec_t)
-	fs_read_nfs_symlinks(httpd_suexec_t)
-	fs_exec_nfs_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_read_cifs_files(httpd_suexec_t)
-	fs_read_cifs_symlinks(httpd_suexec_t)
-	fs_exec_cifs_files(httpd_suexec_t)
-')
-
-optional_policy(`
-	mailman_domtrans_cgi(httpd_suexec_t)
-')
-
-optional_policy(`
-	mta_stub(httpd_suexec_t)
-
-	# apache should set close-on-exec
-	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-')
-
-optional_policy(`
-	nagios_domtrans_cgi(httpd_suexec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(httpd_suexec_t)
-')
-
-optional_policy(`
-	nscd_socket_use(httpd_suexec_t)
-')
-
-########################################
-#
-# Apache system script local policy
-#
-
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir r_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file r_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file { getattr read };
-
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
-
-# Should we add a boolean?
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-ifdef(`distro_redhat',`
-	allow httpd_sys_script_t httpd_log_t:file { getattr append };
-')
-
-ifdef(`targeted_policy',`
-	tunable_policy(`httpd_enable_homedirs',`
-		userdom_search_generic_user_home_dirs(httpd_sys_script_t)
-	')
-')
-
-optional_policy(`
-	clamav_domtrans_clamscan(httpd_sys_script_t)
-')
-
-optional_policy(`
-	mysql_stream_connect(httpd_sys_script_t)
-	mysql_rw_db_sockets(httpd_sys_script_t)
-')
-
-########################################
-#
-# Apache unconfined script local policy
-#
-
-unconfined_domain(httpd_unconfined_script_t)
-
-optional_policy(`
-	cron_system_entry(httpd_t, httpd_exec_t)
-')
-
-optional_policy(`
-	nscd_socket_use(httpd_unconfined_script_t)
-')
-
-########################################
-#
-# httpd_rotatelogs local policy
-#
-
-allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
-allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms;
-
-kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-kernel_dontaudit_list_proc(httpd_rotatelogs_t)
-kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
-
-files_read_etc_files(httpd_rotatelogs_t)
-
-libs_use_ld_so(httpd_rotatelogs_t)
-libs_use_shared_libs(httpd_rotatelogs_t)
-
-miscfiles_read_localization(httpd_rotatelogs_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
-')
diff --git a/refpolicy/policy/modules/services/apm.fc b/refpolicy/policy/modules/services/apm.fc
deleted file mode 100644
index 0123777..0000000
--- a/refpolicy/policy/modules/services/apm.fc
+++ /dev/null
@@ -1,23 +0,0 @@
-
-#
-# /usr
-#
-/usr/bin/apm		--	gen_context(system_u:object_r:apm_exec_t,s0)
-
-/usr/sbin/acpid		--	gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/apmd		--	gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/powersaved	--	gen_context(system_u:object_r:apmd_exec_t,s0)
-
-#
-# /var
-#
-/var/log/acpid.*	--	gen_context(system_u:object_r:apmd_log_t,s0)
-
-/var/run/\.?acpid\.socket -s	gen_context(system_u:object_r:apmd_var_run_t,s0)
-/var/run/apmd\.pid	--	gen_context(system_u:object_r:apmd_var_run_t,s0)
-/var/run/powersaved\.pid --	gen_context(system_u:object_r:apmd_var_run_t,s0)
-/var/run/powersave_socket -s	gen_context(system_u:object_r:apmd_var_run_t,s0)
-
-ifdef(`distro_suse',`
-/var/lib/acpi(/.*)?		gen_context(system_u:object_r:apmd_var_lib_t,s0)
-')
diff --git a/refpolicy/policy/modules/services/apm.if b/refpolicy/policy/modules/services/apm.if
deleted file mode 100644
index 8fd6d54..0000000
--- a/refpolicy/policy/modules/services/apm.if
+++ /dev/null
@@ -1,118 +0,0 @@
-## <summary>Advanced power management daemon</summary>
-
-########################################
-## <summary>
-##	Execute APM in the apm domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apm_domtrans_client',`
-	gen_require(`
-		type apm_t, apm_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1,apm_exec_t,apm_t)
-
-	allow $1 apm_t:fd use;
-	allow apm_t $1:fd use;
-	allow apm_t $1:fifo_file rw_file_perms;
-	allow apm_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Use file descriptors for apmd.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`apm_use_fds',`
-	gen_require(`
-		type apmd_t;
-	')
-
-	allow $1 apmd_t:fd use; 
-')
-
-########################################
-## <summary>
-##	Write to apmd unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`apm_write_pipes',`
-	gen_require(`
-		type apmd_t;
-	')
-
-	allow $1 apmd_t:fifo_file write; 
-')
-
-########################################
-## <summary>
-##	Read and write to an apm unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apm_rw_stream_sockets',`
-	gen_require(`
-		type apmd_t;
-	')
-
-	allow $1 apmd_t:unix_stream_socket { read write };
-')
-
-########################################
-## <summary>
-##	Append to apm's log file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apm_append_log',`
-	gen_require(`
-		type apmd_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 apmd_log_t:file append;
-')
-
-########################################
-## <summary>
-##	Connect to apmd over an unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apm_stream_connect',`
-	gen_require(`
-		type apmd_t, apmd_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 apmd_var_run_t:sock_file write;
-	allow $1 apmd_t:unix_stream_socket connectto;
-')
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
deleted file mode 100644
index 5f47a78..0000000
--- a/refpolicy/policy/modules/services/apm.te
+++ /dev/null
@@ -1,238 +0,0 @@
-
-policy_module(apm,1.2.4)
-
-########################################
-#
-# Declarations
-#
-type apmd_t;
-type apmd_exec_t;
-init_daemon_domain(apmd_t,apmd_exec_t)
-
-type apm_t;
-domain_type(apm_t)
-role system_r types apm_t;
-
-type apm_exec_t;
-domain_entry_file(apm_t,apm_exec_t)
-
-type apmd_log_t;
-logging_log_file(apmd_log_t)
-
-type apmd_tmp_t;
-files_tmp_file(apmd_tmp_t)
-
-type apmd_var_run_t;
-files_pid_file(apmd_var_run_t)
-
-ifdef(`distro_redhat',`
-	type apmd_lock_t;
-	files_lock_file(apmd_lock_t)
-')
-
-ifdef(`distro_suse',`
-	type apmd_var_lib_t;
-	files_type(apmd_var_lib_t)
-')
-
-########################################
-#
-# apm client Local policy
-#
-
-allow apm_t self:capability { dac_override sys_admin };
-
-kernel_read_system_state(apm_t)
-
-dev_rw_apm_bios(apm_t)
-
-fs_getattr_xattr_fs(apm_t)
-
-term_use_all_terms(apm_t)
-
-domain_use_interactive_fds(apm_t)
-
-libs_use_ld_so(apm_t)
-libs_use_shared_libs(apm_t)
-
-logging_send_syslog_msg(apm_t)
-
-########################################
-#
-# apm daemon Local policy
-#
-
-# mknod: controlling an orderly resume of PCMCIA requires creating device
-# nodes 254,{0,1,2} for some reason.
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
-allow apmd_t self:process { signal_perms getsession };
-allow apmd_t self:fifo_file rw_file_perms;
-allow apmd_t self:unix_dgram_socket create_socket_perms;
-allow apmd_t self:unix_stream_socket create_stream_socket_perms;
-
-allow apmd_t apmd_log_t:file create_file_perms;
-logging_log_filetrans(apmd_t,apmd_log_t,file)
-
-allow apmd_t apmd_tmp_t:dir create_dir_perms;
-allow apmd_t apmd_tmp_t:file create_file_perms;
-files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
-
-allow apmd_t apmd_var_run_t:dir rw_dir_perms;
-allow apmd_t apmd_var_run_t:file create_file_perms;
-allow apmd_t apmd_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
-
-kernel_read_kernel_sysctls(apmd_t)
-kernel_rw_all_sysctls(apmd_t)
-kernel_read_system_state(apmd_t)
-kernel_write_proc_files(apmd_t)
-
-dev_read_realtime_clock(apmd_t)
-dev_read_urand(apmd_t)
-dev_rw_apm_bios(apmd_t)
-dev_rw_sysfs(apmd_t)
-dev_dontaudit_getattr_all_chr_files(apmd_t) # Excessive?
-dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive?
-
-fs_dontaudit_list_tmpfs(apmd_t)
-fs_getattr_all_fs(apmd_t)
-fs_search_auto_mountpoints(apmd_t)
-fs_dontaudit_getattr_all_files(apmd_t); # Excessive?
-fs_dontaudit_getattr_all_symlinks(apmd_t); # Excessive?
-fs_dontaudit_getattr_all_pipes(apmd_t); # Excessive?
-fs_dontaudit_getattr_all_sockets(apmd_t); # Excessive?
-
-selinux_search_fs(apmd_t)
-
-term_dontaudit_use_console(apmd_t)
-
-corecmd_exec_all_executables(apmd_t)
-
-domain_read_all_domains_state(apmd_t)
-domain_use_interactive_fds(apmd_t)
-domain_dontaudit_getattr_all_sockets(apmd_t)
-domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
-domain_dontaudit_list_all_domains_state(apmd_t) # Excessive?
-
-files_exec_etc_files(apmd_t)
-files_read_etc_runtime_files(apmd_t)
-files_dontaudit_getattr_all_files(apmd_t) # Excessive?
-files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
-files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
-files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
-
-init_domtrans_script(apmd_t)
-init_use_fds(apmd_t)
-init_use_script_ptys(apmd_t)
-init_rw_utmp(apmd_t)
-init_write_initctl(apmd_t)
-
-libs_exec_ld_so(apmd_t)
-libs_use_ld_so(apmd_t)
-libs_exec_lib_files(apmd_t)
-libs_use_shared_libs(apmd_t)
-
-logging_send_syslog_msg(apmd_t)
-
-miscfiles_read_localization(apmd_t)
-miscfiles_read_hwdata(apmd_t)
-
-modutils_domtrans_insmod(apmd_t)
-modutils_read_module_config(apmd_t)
-
-seutil_dontaudit_read_config(apmd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_sysadm_home_dirs(apmd_t)
-userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
-
-ifdef(`distro_redhat',`
-	allow apmd_t apmd_lock_t:file create_file_perms;
-	files_lock_filetrans(apmd_t,apmd_lock_t,file)
-
-	can_exec(apmd_t, apmd_var_run_t)
-
-	# ifconfig_exec_t needs to be run in its own domain for Red Hat
-	optional_policy(`
-		sysnet_domtrans_ifconfig(apmd_t)
-	')
-
-	optional_policy(`
-		iptables_domtrans(apmd_t)
-	')
-
-	optional_policy(`
-		netutils_domtrans(apmd_t)
-	')
-
-',`
-	# for ifconfig which is run all the time
-	kernel_dontaudit_search_sysctl(apmd_t)
-')
-
-ifdef(`distro_suse',`
-	allow apmd_t apmd_var_lib_t:file create_file_perms;
-	allow apmd_t apmd_var_lib_t:dir create_dir_perms;
-	files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file)
-')
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(apmd_t)
-	term_dontaudit_use_generic_ptys(apmd_t)
-	files_dontaudit_read_root_files(apmd_t)
-	unconfined_domain(apmd_t)
-')
-
-optional_policy(`
-	automount_domtrans(apmd_t)
-')
-
-optional_policy(`
-	clock_domtrans(apmd_t)
-	clock_rw_adjtime(apmd_t)
-')
-
-optional_policy(`
-	cron_system_entry(apmd_t, apmd_exec_t)
-	cron_anacron_domtrans_system_job(apmd_t)
-')
-
-optional_policy(`
-	dbus_stub(apmd_t)
-
-	optional_policy(`
-		networkmanager_dbus_chat(apmd_t)
-	')
-')
-
-optional_policy(`
-	logrotate_use_fds(apmd_t)
-')
-
-optional_policy(`
-	mta_send_mail(apmd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(apmd_t)
-')
-
-optional_policy(`
-	pcmcia_domtrans_cardmgr(apmd_t)
-	pcmcia_domtrans_cardctl(apmd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(apmd_t)
-')
-
-optional_policy(`
-	udev_read_db(apmd_t)
-	udev_read_state(apmd_t) #necessary?
-')
-
-# cjp: related to sleep/resume (?)
-optional_policy(`
-	xserver_domtrans_xdm_xserver(apmd_t)
-')
diff --git a/refpolicy/policy/modules/services/arpwatch.fc b/refpolicy/policy/modules/services/arpwatch.fc
deleted file mode 100644
index 6318f23..0000000
--- a/refpolicy/policy/modules/services/arpwatch.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# /usr
-#
-/usr/sbin/arpwatch	--	gen_context(system_u:object_r:arpwatch_exec_t,s0)
-
-#
-# /var
-#
-/var/arpwatch(/.*)?		gen_context(system_u:object_r:arpwatch_data_t,s0)
-/var/lib/arpwatch(/.*)?		gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/refpolicy/policy/modules/services/arpwatch.if b/refpolicy/policy/modules/services/arpwatch.if
deleted file mode 100644
index f354902..0000000
--- a/refpolicy/policy/modules/services/arpwatch.if
+++ /dev/null
@@ -1,93 +0,0 @@
-## <summary>Ethernet activity monitor.</summary>
-
-########################################
-## <summary>
-##	Search arpwatch's data file directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`arpwatch_search_data',`
-	gen_require(`
-		type arpwatch_data_t;
-	')
-
-	allow $1 arpwatch_data_t:dir search;
-')
-
-########################################
-## <summary>
-##	Create arpwatch data files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`arpwatch_manage_data_files',`
-	gen_require(`
-		type arpwatch_data_t;
-	')
-
-	allow $1 arpwatch_data_t:dir rw_dir_perms;
-	allow $1 arpwatch_data_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write arpwatch temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`arpwatch_rw_tmp_files',`
-	gen_require(`
-		type arpwatch_tmp_t;
-	')
-
-	allow $1 arpwatch_tmp_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write arpwatch temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`arpwatch_manage_tmp_files',`
-	gen_require(`
-		type arpwatch_tmp_t;
-	')
-
-	allow $1 arpwatch_tmp_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write
-##	arpwatch packet sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`arpwatch_dontaudit_rw_packet_sockets',`
-	gen_require(`
-		type arpwatch_t;
-	')
-
-	dontaudit $1 arpwatch_t:packet_socket { read write };
-')
diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te
deleted file mode 100644
index b4173a2..0000000
--- a/refpolicy/policy/modules/services/arpwatch.te
+++ /dev/null
@@ -1,115 +0,0 @@
-
-policy_module(arpwatch,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type arpwatch_t;
-type arpwatch_exec_t;
-init_daemon_domain(arpwatch_t,arpwatch_exec_t)
-
-type arpwatch_data_t;
-files_type(arpwatch_data_t)
-
-type arpwatch_tmp_t;
-files_tmp_file(arpwatch_tmp_t)
-
-type arpwatch_var_run_t;
-files_pid_file(arpwatch_var_run_t)
-
-########################################
-#
-# Local policy
-#
-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-dontaudit arpwatch_t self:capability sys_tty_config;
-allow arpwatch_t self:process signal_perms;
-allow arpwatch_t self:unix_dgram_socket create_socket_perms;
-allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
-allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
-allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
-allow arpwatch_t self:udp_socket create_socket_perms;
-allow arpwatch_t self:packet_socket create_socket_perms;
-
-allow arpwatch_t arpwatch_data_t:dir create_dir_perms;
-allow arpwatch_t arpwatch_data_t:file create_file_perms;
-allow arpwatch_t arpwatch_data_t:lnk_file create_lnk_perms;
-
-allow arpwatch_t arpwatch_tmp_t:dir create_dir_perms;
-allow arpwatch_t arpwatch_tmp_t:file create_file_perms;
-files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
-
-allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
-allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(arpwatch_t,arpwatch_var_run_t,file)
-
-kernel_read_kernel_sysctls(arpwatch_t)
-kernel_list_proc(arpwatch_t)
-kernel_read_proc_symlinks(arpwatch_t)
-
-corenet_non_ipsec_sendrecv(arpwatch_t)
-corenet_tcp_sendrecv_all_if(arpwatch_t)
-corenet_udp_sendrecv_all_if(arpwatch_t)
-corenet_raw_sendrecv_all_if(arpwatch_t)
-corenet_tcp_sendrecv_all_nodes(arpwatch_t)
-corenet_udp_sendrecv_all_nodes(arpwatch_t)
-corenet_raw_sendrecv_all_nodes(arpwatch_t)
-corenet_tcp_sendrecv_all_ports(arpwatch_t)
-corenet_udp_sendrecv_all_ports(arpwatch_t)
-
-dev_read_sysfs(arpwatch_t)
-
-fs_getattr_all_fs(arpwatch_t)
-fs_search_auto_mountpoints(arpwatch_t)
-
-term_dontaudit_use_console(arpwatch_t)
-
-corecmd_read_sbin_symlinks(arpwatch_t)
-
-domain_use_interactive_fds(arpwatch_t)
-
-files_read_etc_files(arpwatch_t)
-files_read_usr_files(arpwatch_t)
-files_search_var_lib(arpwatch_t)
-
-init_use_fds(arpwatch_t)
-init_use_script_ptys(arpwatch_t)
-
-libs_use_ld_so(arpwatch_t)
-libs_use_shared_libs(arpwatch_t)
-
-logging_send_syslog_msg(arpwatch_t)
-
-miscfiles_read_localization(arpwatch_t)
-
-sysnet_read_config(arpwatch_t)
-
-userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
-userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
-
-mta_send_mail(arpwatch_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(arpwatch_t)
-	term_dontaudit_use_generic_ptys(arpwatch_t)
-	files_dontaudit_read_root_files(arpwatch_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(arpwatch_t)
-')
-
-optional_policy(`
-	corecmd_search_bin(arpwatch_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(arpwatch_t)
-')
-
-optional_policy(`
-	udev_read_db(arpwatch_t)
-')
-
diff --git a/refpolicy/policy/modules/services/asterisk.fc b/refpolicy/policy/modules/services/asterisk.fc
deleted file mode 100644
index fabece5..0000000
--- a/refpolicy/policy/modules/services/asterisk.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/etc/asterisk(/.*)?		gen_context(system_u:object_r:asterisk_etc_t,s0)
-
-/usr/sbin/asterisk	--	gen_context(system_u:object_r:asterisk_exec_t,s0)
-
-/var/lib/asterisk(/.*)?		gen_context(system_u:object_r:asterisk_var_lib_t,s0)
-/var/log/asterisk(/.*)?		gen_context(system_u:object_r:asterisk_log_t,s0)
-/var/run/asterisk(/.*)?		gen_context(system_u:object_r:asterisk_var_run_t,s0)
-/var/spool/asterisk(/.*)?	gen_context(system_u:object_r:asterisk_spool_t,s0)
diff --git a/refpolicy/policy/modules/services/asterisk.if b/refpolicy/policy/modules/services/asterisk.if
deleted file mode 100644
index 3ff41f2..0000000
--- a/refpolicy/policy/modules/services/asterisk.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Asterisk IP telephony server</summary>
diff --git a/refpolicy/policy/modules/services/asterisk.te b/refpolicy/policy/modules/services/asterisk.te
deleted file mode 100644
index 7c32504..0000000
--- a/refpolicy/policy/modules/services/asterisk.te
+++ /dev/null
@@ -1,160 +0,0 @@
-
-policy_module(asterisk,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type asterisk_t;
-type asterisk_exec_t;
-init_daemon_domain(asterisk_t,asterisk_exec_t)
-
-type asterisk_etc_t;
-files_config_file(asterisk_etc_t)
-
-type asterisk_log_t;
-logging_log_file(asterisk_log_t)
-
-type asterisk_spool_t;
-files_type(asterisk_spool_t)
-
-type asterisk_tmp_t;
-files_tmp_file(asterisk_tmp_t)
-
-type asterisk_tmpfs_t;
-files_tmpfs_file(asterisk_tmpfs_t)
-
-type asterisk_var_lib_t;
-files_type(asterisk_var_lib_t)
-
-type asterisk_var_run_t;
-files_pid_file(asterisk_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-# dac_override for /var/run/asterisk
-allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
-dontaudit asterisk_t self:capability sys_tty_config;
-allow asterisk_t self:process { setsched signal_perms };
-allow asterisk_t self:fifo_file rw_file_perms;
-allow asterisk_t self:sem create_sem_perms;
-allow asterisk_t self:shm create_shm_perms;
-allow asterisk_t self:tcp_socket create_stream_socket_perms;
-allow asterisk_t self:udp_socket create_socket_perms;
-
-allow asterisk_t asterisk_etc_t:file r_file_perms;
-allow asterisk_t asterisk_etc_t:dir r_dir_perms;
-allow asterisk_t asterisk_etc_t:lnk_file { getattr read };
-files_search_etc(asterisk_t)
-
-allow asterisk_t asterisk_log_t:file manage_file_perms;
-allow asterisk_t asterisk_log_t:dir rw_dir_perms;
-logging_log_filetrans(asterisk_t,asterisk_log_t,{ file dir })
-
-allow asterisk_t asterisk_spool_t:dir manage_dir_perms;
-allow asterisk_t asterisk_spool_t:file manage_file_perms;
-allow asterisk_t asterisk_spool_t:lnk_file create_lnk_perms;
-
-allow asterisk_t asterisk_tmp_t:dir create_dir_perms;
-allow asterisk_t asterisk_tmp_t:file create_file_perms;
-files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir })
-
-allow asterisk_t asterisk_tmpfs_t:dir rw_dir_perms;
-allow asterisk_t asterisk_tmpfs_t:file manage_file_perms;
-allow asterisk_t asterisk_tmpfs_t:lnk_file create_lnk_perms;
-allow asterisk_t asterisk_tmpfs_t:sock_file manage_file_perms;
-allow asterisk_t asterisk_tmpfs_t:fifo_file manage_file_perms;
-fs_tmpfs_filetrans(asterisk_t,asterisk_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-allow asterisk_t asterisk_var_lib_t:file manage_file_perms;
-allow asterisk_t asterisk_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(asterisk_t,asterisk_var_lib_t,file)
-
-allow asterisk_t asterisk_var_run_t:sock_file manage_file_perms;
-allow asterisk_t asterisk_var_run_t:fifo_file manage_file_perms;
-allow asterisk_t asterisk_var_run_t:file manage_file_perms;
-allow asterisk_t asterisk_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(asterisk_t,asterisk_var_run_t,file)
-
-kernel_read_system_state(asterisk_t)
-kernel_read_kernel_sysctls(asterisk_t)
-
-corecmd_exec_bin(asterisk_t)
-corecmd_search_sbin(asterisk_t)
-
-corenet_non_ipsec_sendrecv(asterisk_t)
-corenet_tcp_sendrecv_generic_if(asterisk_t)
-corenet_udp_sendrecv_generic_if(asterisk_t)
-corenet_tcp_sendrecv_all_nodes(asterisk_t)
-corenet_udp_sendrecv_all_nodes(asterisk_t)
-corenet_tcp_sendrecv_all_ports(asterisk_t)
-corenet_udp_sendrecv_all_ports(asterisk_t)
-corenet_tcp_bind_all_nodes(asterisk_t)
-corenet_udp_bind_all_nodes(asterisk_t)
-corenet_tcp_bind_asterisk_port(asterisk_t)
-corenet_udp_bind_asterisk_port(asterisk_t)
-corenet_sendrecv_asterisk_server_packets(asterisk_t)
-# for VOIP voice channels.
-corenet_tcp_bind_generic_port(asterisk_t)
-corenet_udp_bind_generic_port(asterisk_t)
-corenet_sendrecv_generic_server_packets(asterisk_t)
-
-dev_read_sysfs(asterisk_t)
-dev_read_sound(asterisk_t)
-dev_write_sound(asterisk_t)
-
-domain_use_interactive_fds(asterisk_t)
-
-files_read_etc_files(asterisk_t)
-files_search_spool(asterisk_t)
-# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
-# are labeled usr_t
-files_read_usr_files(asterisk_t)
-
-fs_getattr_all_fs(asterisk_t)
-fs_search_auto_mountpoints(asterisk_t)
-
-term_dontaudit_use_console(asterisk_t)
-
-init_use_fds(asterisk_t)
-init_use_script_ptys(asterisk_t)
-
-libs_use_ld_so(asterisk_t)
-libs_use_shared_libs(asterisk_t)
-
-logging_send_syslog_msg(asterisk_t)
-
-miscfiles_read_localization(asterisk_t)
-
-sysnet_read_config(asterisk_t)
-
-userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
-userdom_dontaudit_search_sysadm_home_dirs(asterisk_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(asterisk_t)
-	term_dontaudit_use_generic_ptys(asterisk_t)
-	files_dontaudit_read_root_files(asterisk_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(asterisk_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(asterisk_t)
-')
-
-optional_policy(`
-	udev_read_db(asterisk_t)
-')
-
-ifdef(`TODO',`
-allow initrc_t asterisk_var_run_t:fifo_file unlink;
-allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
-')
-
diff --git a/refpolicy/policy/modules/services/audioentropy.fc b/refpolicy/policy/modules/services/audioentropy.fc
deleted file mode 100644
index bcf3e1c..0000000
--- a/refpolicy/policy/modules/services/audioentropy.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# /usr
-#
-/usr/sbin/audio-entropyd	--	gen_context(system_u:object_r:entropyd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/audioentropy.if b/refpolicy/policy/modules/services/audioentropy.if
deleted file mode 100644
index 67906f0..0000000
--- a/refpolicy/policy/modules/services/audioentropy.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Generate entropy from audio input</summary>
diff --git a/refpolicy/policy/modules/services/audioentropy.te b/refpolicy/policy/modules/services/audioentropy.te
deleted file mode 100644
index 17e3572..0000000
--- a/refpolicy/policy/modules/services/audioentropy.te
+++ /dev/null
@@ -1,72 +0,0 @@
-
-policy_module(audio_entropy,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type entropyd_t;
-type entropyd_exec_t;
-init_daemon_domain(entropyd_t,entropyd_exec_t)
-
-type entropyd_var_run_t;
-files_pid_file(entropyd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow entropyd_t self:capability { ipc_lock sys_admin };
-dontaudit entropyd_t self:capability sys_tty_config;
-allow entropyd_t self:process signal_perms;
-
-allow entropyd_t entropyd_var_run_t:file manage_file_perms;
-allow entropyd_t entropyd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(entropyd_t,entropyd_var_run_t,file)
-
-kernel_read_kernel_sysctls(entropyd_t)
-kernel_list_proc(entropyd_t)
-kernel_read_proc_symlinks(entropyd_t)
-
-dev_read_sysfs(entropyd_t)
-dev_read_urand(entropyd_t)
-dev_write_urand(entropyd_t)
-dev_read_sound(entropyd_t)
-
-fs_getattr_all_fs(entropyd_t)
-fs_search_auto_mountpoints(entropyd_t)
-
-term_dontaudit_use_console(entropyd_t)
-
-domain_use_interactive_fds(entropyd_t)
-
-init_use_fds(entropyd_t)
-init_use_script_ptys(entropyd_t)
-
-libs_use_ld_so(entropyd_t)
-libs_use_shared_libs(entropyd_t)
-
-logging_send_syslog_msg(entropyd_t)
-
-miscfiles_read_localization(entropyd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
-userdom_dontaudit_search_sysadm_home_dirs(entropyd_t)
-
-ifdef(`targeted_policy', `
-	files_dontaudit_read_root_files(entropyd_t)
-
-	term_dontaudit_use_unallocated_ttys(entropyd_t)
-	term_dontaudit_use_generic_ptys(entropyd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(entropyd_t)
-')
-
-optional_policy(`
-	udev_read_db(entropyd_t)
-')
-
diff --git a/refpolicy/policy/modules/services/automount.fc b/refpolicy/policy/modules/services/automount.fc
deleted file mode 100644
index 746c120..0000000
--- a/refpolicy/policy/modules/services/automount.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# /etc
-#
-/etc/apm/event\.d/autofs --	gen_context(system_u:object_r:automount_exec_t,s0)
-/etc/auto\..+		--	gen_context(system_u:object_r:automount_etc_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/automount	--	gen_context(system_u:object_r:automount_exec_t,s0)
-
-#
-# /var
-#
-
-/var/run/autofs(/.*)?		gen_context(system_u:object_r:automount_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/automount.if b/refpolicy/policy/modules/services/automount.if
deleted file mode 100644
index 5f97e34..0000000
--- a/refpolicy/policy/modules/services/automount.if
+++ /dev/null
@@ -1,83 +0,0 @@
-## <summary>Filesystem automounter service.</summary>
-
-########################################
-## <summary>
-##	Execute automount in the automount domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`automount_domtrans',`
-	gen_require(`
-		type automount_t, automount_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1, automount_exec_t, automount_t)
-
-	allow $1 automount_t:fd use;
-	allow automount_t $1:fd use;
-	allow automount_t $1:fifo_file rw_file_perms;
-	allow automount_t $1:process sigchld;
-
-')
-
-########################################
-## <summary>
-##	Execute automount in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`automount_exec_config',`
-	gen_require(`
-		type automount_etc_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1,automount_etc_t)
-')
-
-########################################
-## <summary>
-##	Allow the domain to read state files in /proc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to allow access.
-##	</summary>
-## </param>
-#
-interface(`automount_read_state',`
-	gen_require(`
-		type automount_t;
-	')
-
-	allow $1 automount_t:dir search_dir_perms;
-	allow $1 automount_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of automount temporary directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`automount_dontaudit_getattr_tmp_dirs',`
-	gen_require(`
-		type automount_tmp_t;
-	')
-
-	dontaudit $1 automount_tmp_t:dir getattr;
-')
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
deleted file mode 100644
index 67020c0..0000000
--- a/refpolicy/policy/modules/services/automount.te
+++ /dev/null
@@ -1,185 +0,0 @@
-
-policy_module(automount,1.2.7)
-
-########################################
-#
-# Declarations
-#
-
-type automount_t;
-type automount_exec_t;
-init_daemon_domain(automount_t,automount_exec_t)
-
-type automount_var_run_t;
-files_pid_file(automount_var_run_t)
-
-type automount_etc_t;
-files_config_file(automount_etc_t)
-
-type automount_lock_t;
-files_lock_file(automount_lock_t)
-
-type automount_tmp_t;
-files_tmp_file(automount_tmp_t)
-files_mountpoint(automount_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };
-dontaudit automount_t self:capability sys_tty_config;
-allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
-allow automount_t self:fifo_file rw_file_perms;
-allow automount_t self:unix_stream_socket create_socket_perms;
-allow automount_t self:unix_dgram_socket create_socket_perms;
-allow automount_t self:tcp_socket create_stream_socket_perms;
-allow automount_t self:udp_socket create_socket_perms;
-
-allow automount_t automount_etc_t:file { getattr read };
-# because config files can be shell scripts
-can_exec(automount_t, automount_etc_t)
-
-allow automount_t automount_lock_t:file create_file_perms;
-files_lock_filetrans(automount_t,automount_lock_t,file)
-
-allow automount_t automount_tmp_t:dir create_dir_perms;
-allow automount_t automount_tmp_t:file create_file_perms;
-files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
-
-# Allow automount to create and delete directories in / and /home
-allow automount_t automount_tmp_t:dir create_dir_perms;
-files_home_filetrans(automount_t,automount_tmp_t,dir)
-files_root_filetrans(automount_t,automount_tmp_t,dir)
-
-allow automount_t automount_var_run_t:file create_file_perms;
-allow automount_t automount_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(automount_t,automount_var_run_t,file)
-
-kernel_read_kernel_sysctls(automount_t)
-kernel_read_irq_sysctls(automount_t)
-kernel_read_fs_sysctls(automount_t)
-kernel_read_proc_symlinks(automount_t)
-kernel_read_system_state(automount_t)
-kernel_read_network_state(automount_t)
-kernel_list_proc(automount_t)
-kernel_dontaudit_search_xen_state(automount_t)
-
-files_search_boot(automount_t)
-# Automount is slowly adding all mount functionality internally
-files_search_all(automount_t)
-files_mounton_all_mountpoints(automount_t)
-files_mount_all_file_type_fs(automount_t)
-files_unmount_all_file_type_fs(automount_t)
-
-fs_mount_all_fs(automount_t)
-fs_unmount_all_fs(automount_t)
-
-corecmd_exec_sbin(automount_t)
-corecmd_exec_bin(automount_t)
-corecmd_exec_shell(automount_t)
-
-corenet_non_ipsec_sendrecv(automount_t)
-corenet_tcp_sendrecv_generic_if(automount_t)
-corenet_udp_sendrecv_generic_if(automount_t)
-corenet_tcp_sendrecv_all_nodes(automount_t)
-corenet_udp_sendrecv_all_nodes(automount_t)
-corenet_tcp_sendrecv_all_ports(automount_t)
-corenet_udp_sendrecv_all_ports(automount_t)
-corenet_tcp_bind_all_nodes(automount_t)
-corenet_udp_bind_all_nodes(automount_t)
-corenet_tcp_connect_portmap_port(automount_t)
-corenet_tcp_connect_all_ports(automount_t)
-corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
-corenet_sendrecv_all_client_packets(automount_t)
-# Automount execs showmount when you browse /net.  This is required until
-# Someone writes a showmount policy
-corenet_tcp_bind_reserved_port(automount_t)
-corenet_tcp_bind_all_rpc_ports(automount_t)
-
-dev_read_sysfs(automount_t)
-# for SSP
-dev_read_urand(automount_t)
-
-domain_use_interactive_fds(automount_t)
-domain_dontaudit_read_all_domains_state(automount_t)
-
-files_dontaudit_write_var_dirs(automount_t)
-files_getattr_all_dirs(automount_t)
-files_list_mnt(automount_t)
-files_getattr_home_dir(automount_t)
-files_read_etc_files(automount_t)
-files_read_etc_runtime_files(automount_t)
-# for if the mount point is not labelled
-files_getattr_isid_type_dirs(automount_t)
-files_getattr_default_dirs(automount_t)
-# because config files can be shell scripts
-files_exec_etc_files(automount_t)
-files_mounton_mnt(automount_t)
-
-fs_getattr_all_fs(automount_t)
-fs_getattr_all_dirs(automount_t)
-fs_search_auto_mountpoints(automount_t)
-fs_manage_auto_mountpoints(automount_t)
-fs_unmount_autofs(automount_t)
-fs_mount_autofs(automount_t)
-
-term_dontaudit_use_console(automount_t)
-term_dontaudit_getattr_pty_dirs(automount_t)
-
-init_use_fds(automount_t)
-init_use_script_ptys(automount_t)
-
-libs_use_ld_so(automount_t)
-libs_use_shared_libs(automount_t)
-
-logging_send_syslog_msg(automount_t)
-logging_search_logs(automount_t)
-
-miscfiles_read_localization(automount_t)
-miscfiles_read_certs(automount_t)
-
-# Run mount in the mount_t domain.
-mount_domtrans(automount_t)
-
-sysnet_dns_name_resolve(automount_t)
-sysnet_use_ldap(automount_t)
-sysnet_read_config(automount_t)
-
-userdom_dontaudit_use_unpriv_user_fds(automount_t)
-userdom_dontaudit_search_sysadm_home_dirs(automount_t)
-
-ifdef(`targeted_policy', `
-	files_dontaudit_read_root_files(automount_t)
-	term_dontaudit_use_unallocated_ttys(automount_t)
-	term_dontaudit_use_generic_ptys(automount_t)
-')
-
-optional_policy(`
-	corecmd_exec_bin(automount_t)
-')
-
-optional_policy(`
-	bind_search_cache(automount_t)
-')
-
-optional_policy(`
-	fstools_domtrans(automount_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(automount_t)
-')
-
-optional_policy(`
-	rpc_search_nfs_state_data(automount_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(automount_t)
-')
-
-optional_policy(`
-	udev_read_db(automount_t)
-')
diff --git a/refpolicy/policy/modules/services/avahi.fc b/refpolicy/policy/modules/services/avahi.fc
deleted file mode 100644
index 49dcc5f..0000000
--- a/refpolicy/policy/modules/services/avahi.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-
-/usr/sbin/avahi-daemon		--	gen_context(system_u:object_r:avahi_exec_t,s0)
-/usr/sbin/avahi-dnsconfd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
-
-/var/run/avahi-daemon(/.*)? 		gen_context(system_u:object_r:avahi_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/avahi.if b/refpolicy/policy/modules/services/avahi.if
deleted file mode 100644
index c82289b..0000000
--- a/refpolicy/policy/modules/services/avahi.if
+++ /dev/null
@@ -1,22 +0,0 @@
-## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	avahi over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`avahi_dbus_chat',`
-	gen_require(`
-		type avahi_t;
-		class dbus send_msg;
-	')
-
-	allow $1 avahi_t:dbus send_msg;
-	allow avahi_t $1:dbus send_msg;
-')
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
deleted file mode 100644
index 86a2b04..0000000
--- a/refpolicy/policy/modules/services/avahi.te
+++ /dev/null
@@ -1,108 +0,0 @@
-
-policy_module(avahi,1.2.3)
-
-########################################
-#
-# Declarations
-#
-
-type avahi_t;
-type avahi_exec_t;
-init_daemon_domain(avahi_t,avahi_exec_t)
-
-type avahi_var_run_t;
-files_pid_file(avahi_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow avahi_t self:capability { dac_override setgid chown kill setuid sys_chroot };
-dontaudit avahi_t self:capability sys_tty_config;
-allow avahi_t self:process { setrlimit signal_perms setcap };
-allow avahi_t self:fifo_file { read write };
-allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow avahi_t self:unix_dgram_socket create_socket_perms;
-allow avahi_t self:netlink_route_socket r_netlink_socket_perms;
-allow avahi_t self:tcp_socket create_stream_socket_perms;
-allow avahi_t self:udp_socket create_socket_perms;
-
-allow avahi_t avahi_var_run_t:sock_file create_file_perms;
-allow avahi_t avahi_var_run_t:file create_file_perms;
-allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr };
-files_pid_filetrans(avahi_t,avahi_var_run_t,file)
-
-kernel_read_kernel_sysctls(avahi_t)
-kernel_list_proc(avahi_t)
-kernel_read_proc_symlinks(avahi_t)
-kernel_read_network_state(avahi_t)
-
-corenet_non_ipsec_sendrecv(avahi_t)
-corenet_tcp_sendrecv_all_if(avahi_t)
-corenet_udp_sendrecv_all_if(avahi_t)
-corenet_tcp_sendrecv_all_nodes(avahi_t)
-corenet_udp_sendrecv_all_nodes(avahi_t)
-corenet_tcp_sendrecv_all_ports(avahi_t)
-corenet_udp_sendrecv_all_ports(avahi_t)
-corenet_tcp_bind_all_nodes(avahi_t)
-corenet_udp_bind_all_nodes(avahi_t)
-corenet_tcp_bind_howl_port(avahi_t)
-corenet_udp_bind_howl_port(avahi_t)
-corenet_send_howl_client_packets(avahi_t)
-corenet_receive_howl_server_packets(avahi_t)
-
-dev_read_sysfs(avahi_t)
-dev_read_urand(avahi_t)
-
-fs_getattr_all_fs(avahi_t)
-fs_search_auto_mountpoints(avahi_t)
-
-term_dontaudit_use_console(avahi_t)
-
-domain_use_interactive_fds(avahi_t)
-
-files_read_etc_files(avahi_t)
-files_read_etc_runtime_files(avahi_t)
-
-init_use_fds(avahi_t)
-init_use_script_ptys(avahi_t)
-init_signal_script(avahi_t)
-init_signull_script(avahi_t)
-
-libs_use_ld_so(avahi_t)
-libs_use_shared_libs(avahi_t)
-
-logging_send_syslog_msg(avahi_t)
-
-miscfiles_read_localization(avahi_t)
-
-sysnet_read_config(avahi_t)
-
-userdom_dontaudit_use_unpriv_user_fds(avahi_t)
-userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(avahi_t)
-	term_dontaudit_use_generic_ptys(avahi_t)
-	files_dontaudit_read_root_files(avahi_t)
-')
-
-optional_policy(`
-	dbus_system_bus_client_template(avahi,avahi_t)
-	dbus_connect_system_bus(avahi_t)
-	dbus_send_system_bus(avahi_t)
-	init_dbus_chat_script(avahi_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(avahi_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(avahi_t)
-')
-
-optional_policy(`
-	udev_read_db(avahi_t)
-')
diff --git a/refpolicy/policy/modules/services/bind.fc b/refpolicy/policy/modules/services/bind.fc
deleted file mode 100644
index 3a1ba68..0000000
--- a/refpolicy/policy/modules/services/bind.fc
+++ /dev/null
@@ -1,46 +0,0 @@
-/etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
-
-/usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
-/usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
-
-/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
-
-/var/run/ndc		-s	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/bind(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/named(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
-
-ifdef(`distro_debian',`
-/etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
-/etc/bind/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/var/cache/bind(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
-')
-
-ifdef(`distro_gentoo',`
-/etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
-/etc/bind/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/var/bind(/.*)?			gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
-')
-
-ifdef(`distro_redhat',`
-/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/slaves(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/data(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/named\.ca	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc(/.*)? 	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/rndc.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
-/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
-')
diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
deleted file mode 100644
index 6797a13..0000000
--- a/refpolicy/policy/modules/services/bind.if
+++ /dev/null
@@ -1,273 +0,0 @@
-## <summary>Berkeley internet name domain DNS server.</summary>
-
-########################################
-## <summary>
-##	Execute ndc in the ndc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_domtrans_ndc',`
-	gen_require(`
-		type ndc_t, ndc_exec_t;
-	')
-
-	domain_auto_trans($1,ndc_exec_t,ndc_t)
-
-	allow $1 ndc_t:fd use;
-	allow ndc_t $1:fd use;
-	allow ndc_t $1:fifo_file rw_file_perms;
-	allow ndc_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send generic signals to BIND.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_signal',`
-	gen_require(`
-		type named_t;
-	')
-
-	allow $1 named_t:process signal;
-')
-
-########################################
-## <summary>
-##	Execute ndc in the ndc domain, and
-##	allow the specified role the ndc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the bind domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the bind domain to use.
-##	</summary>
-## </param>
-#
-interface(`bind_run_ndc',`
-	gen_require(`
-		type ndc_t;
-	')
-
-	bind_domtrans_ndc($1)
-	role $2 types ndc_t;
-	allow ndc_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute bind in the named domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_domtrans',`
-	gen_require(`
-		type named_t, named_exec_t;
-	')
-
-	domain_auto_trans($1,named_exec_t,named_t)
-
-	allow $1 named_t:fd use;
-	allow named_t $1:fd use;
-	allow named_t $1:fifo_file rw_file_perms;
-	allow named_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Read DNSSEC keys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_read_dnssec_keys',`
-	gen_require(`
-		type named_conf_t, named_zone_t, dnssec_t;
-	')
-
-	allow $1 { named_conf_t named_zone_t }:dir search;
-	allow $1 dnssec_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read BIND named configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_read_config',`
-	gen_require(`
-		type named_conf_t;
-	')
-
-	allow $1 named_conf_t:dir search;
-	allow $1 named_conf_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Write BIND named configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_write_config',`
-	gen_require(`
-		type named_conf_t;
-	')
-
-	allow $1 named_conf_t:dir search;
-	allow $1 named_conf_t:file { write setattr };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	BIND configuration directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_manage_config_dirs',`
-	gen_require(`
-		type named_conf_t;
-	')
-
-	allow $1 named_conf_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Search the BIND cache directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_search_cache',`
-	gen_require(`
-		type named_conf_t, named_cache_t, named_zone_t;
-	')
-
-	files_search_var($1)
-	allow $1 named_conf_t:dir search_dir_perms;
-	allow $1 named_zone_t:dir search_dir_perms;
-	allow $1 named_cache_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	BIND cache files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_manage_cache',`
-	gen_require(`
-		type named_cache_t, named_zone_t;
-	')
-
-	files_search_var($1)
-	allow $1 named_zone_t:dir search_dir_perms;
-	allow $1 named_cache_t:dir rw_dir_perms;
-	allow $1 named_cache_t:file create_file_perms;
-	allow $1 named_cache_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to set the attributes
-##	of the BIND pid directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_setattr_pid_dirs',`
-	gen_require(`
-		type named_var_run_t;
-	')
-
-	allow $1 named_var_run_t:dir setattr;
-')
-
-########################################
-## <summary>
-##	Read BIND zone files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_read_zone',`
-	gen_require(`
-		type named_zone_t;
-	')
-
-	files_search_var($1)
-	allow $1 named_zone_t:dir search_dir_perms;
-	allow $1 named_zone_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Send and receive datagrams to and from named.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bind_udp_chat_named',`
-	gen_require(`
-		type named_t;
-	')
-	allow $1 named_t:udp_socket sendto;
-	allow named_t $1:udp_socket recvfrom;
-')
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
deleted file mode 100644
index e284ddf..0000000
--- a/refpolicy/policy/modules/services/bind.te
+++ /dev/null
@@ -1,291 +0,0 @@
-
-policy_module(bind,1.1.6)
-
-########################################
-#
-# Declarations
-#
-
-# for DNSSEC key files
-type dnssec_t;
-files_security_file(dnssec_t)
-
-type named_t;
-type named_exec_t;
-init_daemon_domain(named_t,named_exec_t)
-role system_r types named_t;
-
-type named_checkconf_exec_t;
-init_system_domain(named_t,named_checkconf_exec_t)
-
-# A type for configuration files of named.
-type named_conf_t;
-files_type(named_conf_t)
-files_mountpoint(named_conf_t)
-
-# for secondary zone files
-type named_cache_t;
-files_type(named_cache_t)
-
-type named_log_t;
-logging_log_file(named_log_t)
-
-type named_tmp_t;
-files_tmp_file(named_tmp_t)
-
-type named_var_run_t;
-files_pid_file(named_var_run_t)
-
-# for primary zone files
-type named_zone_t;
-files_type(named_zone_t)
-
-type ndc_t;
-type ndc_exec_t;
-init_system_domain(ndc_t,ndc_exec_t)
-role system_r types ndc_t;
-
-########################################
-#
-# Named local policy
-#
-
-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
-dontaudit named_t self:capability sys_tty_config;
-allow named_t self:process { setsched setcap setrlimit signal_perms };
-allow named_t self:fifo_file rw_file_perms;
-allow named_t self:unix_stream_socket create_stream_socket_perms;
-allow named_t self:unix_dgram_socket create_socket_perms;
-allow named_t self:tcp_socket create_stream_socket_perms;
-allow named_t self:udp_socket create_socket_perms;
-allow named_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow named_t dnssec_t:file { getattr read };
-
-# read configuration
-allow named_t named_conf_t:dir r_dir_perms;
-allow named_t named_conf_t:file r_file_perms;
-allow named_t named_conf_t:lnk_file r_file_perms;
-
-# write cache for secondary zones
-allow named_t named_cache_t:dir rw_dir_perms;
-allow named_t named_cache_t:file create_file_perms;
-allow named_t named_cache_t:lnk_file create_lnk_perms;
-
-can_exec(named_t, named_exec_t)
-
-allow named_t named_log_t:file create_file_perms;
-allow named_t named_log_t:dir rw_dir_perms;
-logging_log_filetrans(named_t,named_log_t,{ file dir })
-
-allow named_t named_tmp_t:dir create_dir_perms;
-allow named_t named_tmp_t:file create_file_perms;
-files_tmp_filetrans(named_t, named_tmp_t, { file dir })
-
-allow named_t named_var_run_t:dir rw_dir_perms;
-allow named_t named_var_run_t:file create_file_perms;
-allow named_t named_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(named_t,named_var_run_t,{ file sock_file })
-
-# read zone files
-allow named_t named_zone_t:dir r_dir_perms;
-allow named_t named_zone_t:file r_file_perms;
-allow named_t named_zone_t:lnk_file r_file_perms;
-
-allow named_t ndc_t:tcp_socket { acceptfrom recvfrom };
-
-kernel_read_kernel_sysctls(named_t)
-kernel_read_system_state(named_t)
-kernel_read_network_state(named_t)
-kernel_tcp_recvfrom(named_t)
-
-corenet_non_ipsec_sendrecv(named_t)
-corenet_tcp_sendrecv_all_if(named_t)
-corenet_udp_sendrecv_all_if(named_t)
-corenet_tcp_sendrecv_all_nodes(named_t)
-corenet_udp_sendrecv_all_nodes(named_t)
-corenet_tcp_sendrecv_all_ports(named_t)
-corenet_udp_sendrecv_all_ports(named_t)
-corenet_tcp_bind_all_nodes(named_t)
-corenet_udp_bind_all_nodes(named_t)
-corenet_tcp_bind_dns_port(named_t)
-corenet_udp_bind_dns_port(named_t)
-corenet_tcp_bind_rndc_port(named_t)
-corenet_tcp_connect_all_ports(named_t)
-corenet_sendrecv_dns_server_packets(named_t)
-corenet_sendrecv_dns_client_packets(named_t)
-corenet_sendrecv_rndc_server_packets(named_t)
-corenet_sendrecv_rndc_client_packets(named_t)
-
-dev_read_sysfs(named_t)
-dev_read_rand(named_t)
-
-fs_getattr_all_fs(named_t)
-fs_search_auto_mountpoints(named_t)
-
-term_dontaudit_use_console(named_t)
-
-corecmd_search_sbin(named_t)
-
-dev_read_urand(named_t)
-
-domain_use_interactive_fds(named_t)
-
-files_read_etc_files(named_t)
-files_read_etc_runtime_files(named_t)
-
-init_use_fds(named_t)
-init_use_script_ptys(named_t)
-
-libs_use_ld_so(named_t)
-libs_use_shared_libs(named_t)
-
-logging_send_syslog_msg(named_t)
-
-miscfiles_read_localization(named_t)
-miscfiles_read_certs(named_t)
-
-sysnet_read_config(named_t)
-
-userdom_dontaudit_use_unpriv_user_fds(named_t)
-userdom_dontaudit_search_sysadm_home_dirs(named_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(named_t)
-	term_dontaudit_use_generic_ptys(named_t)
-	files_dontaudit_read_root_files(named_t)
-')
-
-tunable_policy(`named_write_master_zones',`
-	allow named_t named_zone_t:dir create_dir_perms;
-	allow named_t named_zone_t:file create_file_perms;
-	allow named_t named_zone_t:lnk_file create_lnk_perms;
-')
-
-optional_policy(`
-	gen_require(`
-		class dbus send_msg;
-	')
-
-	allow named_t self:dbus send_msg;
-
-	init_dbus_chat_script(named_t)
-
-	sysnet_dbus_chat_dhcpc(named_t)
-
-	dbus_system_bus_client_template(named,named_t)
-	dbus_connect_system_bus(named_t)
-	dbus_send_system_bus(named_t)
-
-	optional_policy(`
-		networkmanager_dbus_chat(named_t)
-	')
-')
-
-optional_policy(`
-	# this seems like fds that arent being
-	# closed.  these should probably be
-	# dontaudits instead.
-	networkmanager_rw_udp_sockets(named_t)
-	networkmanager_rw_packet_sockets(named_t)
-	networkmanager_rw_routing_sockets(named_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(named_t)
-')
-
-optional_policy(`
-	nscd_socket_use(named_t)
-')
-
-optional_policy(`
-	nsd_tcp_connect(named_t)
-	nsd_udp_chat(named_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(named_t)
-')
-
-optional_policy(`
-	udev_read_db(named_t)
-')
-
-########################################
-#
-# NDC local policy
-#
-
-# cjp: why net_admin?!
-allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t self:process { fork signal_perms };
-allow ndc_t self:fifo_file { read write getattr ioctl };
-allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
-allow ndc_t self:tcp_socket create_socket_perms;
-allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow ndc_t dnssec_t:file { getattr read };
-
-allow ndc_t named_t:tcp_socket { connectto recvfrom };
-allow ndc_t named_t:unix_stream_socket connectto;
-
-allow ndc_t named_conf_t:file { getattr read };
-
-allow ndc_t named_var_run_t:sock_file rw_file_perms;
-
-allow ndc_t named_zone_t:dir search;
-
-kernel_read_kernel_sysctls(ndc_t)
-kernel_tcp_recvfrom(ndc_t)
-
-corenet_non_ipsec_sendrecv(ndc_t)
-corenet_tcp_sendrecv_all_if(ndc_t)
-corenet_tcp_sendrecv_all_nodes(ndc_t)
-corenet_tcp_sendrecv_all_ports(ndc_t)
-corenet_tcp_connect_rndc_port(ndc_t)
-corenet_sendrecv_rndc_client_packets(ndc_t)
-
-fs_getattr_xattr_fs(ndc_t)
-
-domain_use_interactive_fds(ndc_t)
-
-files_read_etc_files(ndc_t)
-files_search_pids(ndc_t)
-
-init_use_fds(ndc_t)
-init_use_script_ptys(ndc_t)
-
-libs_use_ld_so(ndc_t)
-libs_use_shared_libs(ndc_t)
-
-logging_send_syslog_msg(ndc_t)
-
-miscfiles_read_localization(ndc_t)
-
-sysnet_read_config(ndc_t)
-sysnet_dns_name_resolve(ndc_t)
-
-# for /etc/rndc.key
-ifdef(`distro_redhat',`
-	allow ndc_t named_conf_t:dir search;
-')
-
-ifdef(`targeted_policy',`
-	kernel_dontaudit_read_unlabeled_files(ndc_t)
-
-	term_use_unallocated_ttys(ndc_t)
-	term_use_generic_ptys(ndc_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(ndc_t)
-')
-
-optional_policy(`
-	nscd_socket_use(ndc_t)
-')
-
-optional_policy(`
-	ppp_dontaudit_use_fds(ndc_t)
-')
diff --git a/refpolicy/policy/modules/services/bluetooth.fc b/refpolicy/policy/modules/services/bluetooth.fc
deleted file mode 100644
index ad82661..0000000
--- a/refpolicy/policy/modules/services/bluetooth.fc
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# /etc
-#
-/etc/bluetooth(/.*)?		gen_context(system_u:object_r:bluetooth_conf_t,s0)
-/etc/bluetooth/link_key		gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
-
-#
-# /usr
-#
-/usr/bin/blue.*pin	--	gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
-/usr/bin/hidd		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
-/usr/bin/rfcomm		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
-
-/usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
-/usr/sbin/hcid		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
-/usr/sbin/hid2hci	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
-/usr/sbin/sdpd		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/bluetooth(/.*)?	gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
-/var/run/sdp		-s	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/bluetooth.if b/refpolicy/policy/modules/services/bluetooth.if
deleted file mode 100644
index 0b67fac..0000000
--- a/refpolicy/policy/modules/services/bluetooth.if
+++ /dev/null
@@ -1,113 +0,0 @@
-## <summary>Bluetooth tools and system services.</summary>
-
-########################################
-## <summary>
-##	Read bluetooth daemon configuration.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bluetooth_read_config',`
-	gen_require(`
-		type bluetooth_conf_t;
-	')
-
-	allow $1 bluetooth_conf_t:file { getattr read ioctl };
-')
-
-########################################
-## <summary>
-##	Execute bluetooth_helper in the bluetooth_helper domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bluetooth_domtrans_helper',`
-	gen_require(`
-		type bluetooth_helper_t, bluetooth_helper_exec_t;
-	')
-
-	domain_auto_trans($1,bluetooth_helper_exec_t,bluetooth_helper_t)
-
-	allow $1 bluetooth_helper_t:fd use;
-	allow bluetooth_helper_t $1:fd use;
-	allow bluetooth_helper_t $1:fifo_file rw_file_perms;
-	allow bluetooth_helper_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	bluetooth over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bluetooth_dbus_chat',`
-	gen_require(`
-		type bluetooth_t;
-		class dbus send_msg;
-	')
-
-	allow $1 bluetooth_t:dbus send_msg;
-	allow bluetooth_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Execute bluetooth_helper in the bluetooth_helper domain, and
-##	allow the specified role the bluetooth_helper domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the bluetooth_helper domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the bluetooth_helper domain to use.
-##	</summary>
-## </param>
-#
-interface(`bluetooth_run_helper',`
-	gen_require(`
-		type bluetooth_helper_t;
-	')
-
-	bluetooth_domtrans_helper($1)
-	role $2 types bluetooth_helper_t;
-	allow bluetooth_helper_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Read bluetooth helper files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`bluetooth_dontaudit_read_helper_files',`
-	gen_require(`
-		type bluetooth_helper_t;
-	')
-
-	dontaudit $1 bluetooth_helper_t:dir search;
-	dontaudit $1 bluetooth_helper_t:file { read getattr };
-')
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
deleted file mode 100644
index 3a78044..0000000
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ /dev/null
@@ -1,246 +0,0 @@
-
-policy_module(bluetooth,1.2.8)
-
-########################################
-#
-# Declarations
-#
-type bluetooth_t;
-type bluetooth_exec_t;
-init_daemon_domain(bluetooth_t,bluetooth_exec_t)
-
-type bluetooth_conf_t;
-files_type(bluetooth_conf_t)
-
-type bluetooth_conf_rw_t;
-files_type(bluetooth_conf_rw_t)
-
-type bluetooth_helper_t;
-type bluetooth_helper_exec_t;
-domain_type(bluetooth_helper_t)
-domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
-role system_r types bluetooth_helper_t;
-
-type bluetooth_helper_tmp_t;
-files_tmp_file(bluetooth_helper_tmp_t)
-
-type bluetooth_lock_t;
-files_lock_file(bluetooth_lock_t)
-
-type bluetooth_tmp_t;
-files_tmp_file(bluetooth_tmp_t)
-
-type bluetooth_var_lib_t;
-files_type(bluetooth_var_lib_t)
-
-type bluetooth_var_run_t;
-files_pid_file(bluetooth_var_run_t)
-
-########################################
-#
-# Bluetooth services local policy
-#
-
-allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock };
-dontaudit bluetooth_t self:capability sys_tty_config;
-allow bluetooth_t self:process { getsched signal_perms };
-allow bluetooth_t self:fifo_file rw_file_perms;
-allow bluetooth_t self:shm create_shm_perms;
-allow bluetooth_t self:socket create_stream_socket_perms;
-allow bluetooth_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
-allow bluetooth_t self:tcp_socket create_stream_socket_perms;
-allow bluetooth_t self:udp_socket create_socket_perms;
-
-allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
-allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
-
-allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms;
-allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
-allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
-allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
-allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
-type_transition bluetooth_t bluetooth_conf_t:{ dir file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
-
-domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
-allow bluetooth_t bluetooth_helper_t:fd use;
-allow bluetooth_helper_t bluetooth_t:fd use;
-allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
-allow bluetooth_helper_t bluetooth_t:process sigchld;
-
-allow bluetooth_t bluetooth_lock_t:file create_file_perms;
-files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)
-
-allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
-allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
-
-allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
-allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
-files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,file)
-
-allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
-allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
-allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
-
-kernel_read_kernel_sysctls(bluetooth_t)
-kernel_read_system_state(bluetooth_t)
-
-corenet_non_ipsec_sendrecv(bluetooth_t)
-corenet_tcp_sendrecv_all_if(bluetooth_t)
-corenet_udp_sendrecv_all_if(bluetooth_t)
-corenet_raw_sendrecv_all_if(bluetooth_t)
-corenet_tcp_sendrecv_all_nodes(bluetooth_t)
-corenet_udp_sendrecv_all_nodes(bluetooth_t)
-corenet_raw_sendrecv_all_nodes(bluetooth_t)
-corenet_tcp_sendrecv_all_ports(bluetooth_t)
-corenet_udp_sendrecv_all_ports(bluetooth_t)
-
-dev_read_sysfs(bluetooth_t)
-dev_rw_usbfs(bluetooth_t)
-dev_rw_generic_usb_dev(bluetooth_t)
-dev_read_urand(bluetooth_t)
-
-fs_getattr_all_fs(bluetooth_t)
-fs_search_auto_mountpoints(bluetooth_t)
-
-term_dontaudit_use_console(bluetooth_t)
-#Handle bluetooth serial devices
-term_use_unallocated_ttys(bluetooth_t)
-
-corecmd_exec_bin(bluetooth_t)
-corecmd_exec_shell(bluetooth_t)
-
-domain_use_interactive_fds(bluetooth_t)
-domain_dontaudit_search_all_domains_state(bluetooth_t)
-
-files_read_etc_files(bluetooth_t)
-files_read_etc_runtime_files(bluetooth_t)
-files_read_usr_files(bluetooth_t)
-
-init_use_fds(bluetooth_t)
-init_use_script_ptys(bluetooth_t)
-
-libs_use_ld_so(bluetooth_t)
-libs_use_shared_libs(bluetooth_t)
-
-locallogin_dontaudit_use_fds(bluetooth_helper_t)
-
-logging_send_syslog_msg(bluetooth_t)
-
-miscfiles_read_localization(bluetooth_t)
-miscfiles_read_fonts(bluetooth_t)
-
-sysnet_read_config(bluetooth_t)
-
-userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
-userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
-userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(bluetooth_t)
-	term_dontaudit_use_generic_ptys(bluetooth_t)
-	files_dontaudit_read_root_files(bluetooth_t)
-')
-
-optional_policy(`
-	dbus_system_bus_client_template(bluetooth,bluetooth_t)
-	dbus_connect_system_bus(bluetooth_t)
-	dbus_send_system_bus(bluetooth_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(bluetooth_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(bluetooth_t)
-')
-
-optional_policy(`
-	udev_read_db(bluetooth_t)
-')
-
-########################################
-#
-# Bluetooth helper local policy
-#
-
-allow bluetooth_helper_t self:capability sys_nice;
-allow bluetooth_helper_t self:process getsched;
-allow bluetooth_helper_t self:fifo_file rw_file_perms;
-allow bluetooth_helper_t self:shm create_shm_perms;
-allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow bluetooth_helper_t self:tcp_socket create_socket_perms;
-
-allow bluetooth_helper_t bluetooth_t:socket { read write };
-
-allow bluetooth_helper_t bluetooth_helper_tmp_t:dir manage_dir_perms;
-allow bluetooth_helper_t bluetooth_helper_tmp_t:file manage_file_perms;
-allow bluetooth_helper_t bluetooth_helper_tmp_t:sock_file manage_file_perms;
-files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
-
-kernel_read_system_state(bluetooth_helper_t)
-kernel_read_kernel_sysctls(bluetooth_helper_t)
-
-dev_read_urand(bluetooth_helper_t)
-
-term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
-
-corecmd_exec_bin(bluetooth_helper_t)
-corecmd_exec_shell(bluetooth_helper_t)
-
-domain_read_all_domains_state(bluetooth_helper_t)
-
-files_read_etc_files(bluetooth_helper_t)
-files_read_etc_runtime_files(bluetooth_helper_t)
-files_read_usr_files(bluetooth_helper_t)
-files_search_tmp(bluetooth_helper_t)
-files_dontaudit_list_default(bluetooth_helper_t)
-
-libs_use_ld_so(bluetooth_helper_t)
-libs_use_shared_libs(bluetooth_helper_t)
-
-logging_send_syslog_msg(bluetooth_helper_t)
-
-miscfiles_read_localization(bluetooth_helper_t) 
-miscfiles_read_fonts(bluetooth_helper_t)
-
-sysnet_read_config(bluetooth_helper_t)
-
-ifdef(`targeted_policy',`
-	files_rw_generic_tmp_sockets(bluetooth_helper_t)
-	files_manage_generic_tmp_files(bluetooth_helper_t)
-
-	fs_rw_tmpfs_files(bluetooth_helper_t)
-
-	term_dontaudit_use_generic_ptys(bluetooth_helper_t)
-
-	unconfined_stream_connect(bluetooth_helper_t)
-
-	userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
-
-	optional_policy(`
-		xserver_stream_connect_xdm(bluetooth_helper_t)
-		xserver_use_xdm_fds(bluetooth_helper_t)
-		xserver_rw_xdm_pipes(bluetooth_helper_t)
-		# when started via startx 
-		xserver_stream_connect_xdm_xserver(bluetooth_helper_t)
-	')
-')
-
-optional_policy(`
-	bluetooth_dbus_chat(bluetooth_helper_t)
-	dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
-	dbus_connect_system_bus(bluetooth_helper_t)
-	dbus_send_system_bus(bluetooth_helper_t)
-')
-
-optional_policy(`
-	nscd_socket_use(bluetooth_helper_t)
-')
-
-optional_policy(`
-       	xserver_stream_connect_xdm(bluetooth_helper_t)
-')	
diff --git a/refpolicy/policy/modules/services/canna.fc b/refpolicy/policy/modules/services/canna.fc
deleted file mode 100644
index 14c323c..0000000
--- a/refpolicy/policy/modules/services/canna.fc
+++ /dev/null
@@ -1,22 +0,0 @@
-
-#
-# /usr
-#
-/usr/bin/cannaping	--	gen_context(system_u:object_r:canna_exec_t,s0)
-/usr/bin/catdic		--	gen_context(system_u:object_r:canna_exec_t,s0)
-
-/usr/sbin/cannaserver	--	gen_context(system_u:object_r:canna_exec_t,s0)
-/usr/sbin/jserver	--	gen_context(system_u:object_r:canna_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/canna/dic(/.*)?	gen_context(system_u:object_r:canna_var_lib_t,s0)
-/var/lib/wnn/dic(/.*)?		gen_context(system_u:object_r:canna_var_lib_t,s0)
-
-/var/log/canna(/.*)?		gen_context(system_u:object_r:canna_log_t,s0)
-/var/log/wnn(/.*)?		gen_context(system_u:object_r:canna_log_t,s0)
-
-/var/run/\.iroha_unix	-d	gen_context(system_u:object_r:canna_var_run_t,s0)
-/var/run/\.iroha_unix/.* -s	gen_context(system_u:object_r:canna_var_run_t,s0)
-/var/run/wnn-unix(/.*)		gen_context(system_u:object_r:canna_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/canna.if b/refpolicy/policy/modules/services/canna.if
deleted file mode 100644
index c3f5b1d..0000000
--- a/refpolicy/policy/modules/services/canna.if
+++ /dev/null
@@ -1,22 +0,0 @@
-## <summary>Canna - kana-kanji conversion server</summary>
-
-########################################
-## <summary>
-##	Connect to Canna using a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`canna_stream_connect',`
-	gen_require(`
-		type canna_t, canna_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 canna_var_run_t:dir search;
-	allow $1 canna_var_run_t:sock_file write;
-	allow $1 canna_t:unix_stream_socket connectto;
-')
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
deleted file mode 100644
index a7724ca..0000000
--- a/refpolicy/policy/modules/services/canna.te
+++ /dev/null
@@ -1,104 +0,0 @@
-
-policy_module(canna,1.2.2)
-
-########################################
-#
-# Declarations
-#
-
-type canna_t;
-type canna_exec_t;
-init_daemon_domain(canna_t,canna_exec_t)
-
-type canna_log_t;
-logging_log_file(canna_log_t)
-
-type canna_var_lib_t;
-files_type(canna_var_lib_t)
-
-type canna_var_run_t;
-files_pid_file(canna_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow canna_t self:capability { setgid setuid net_bind_service };
-dontaudit canna_t self:capability sys_tty_config;
-allow canna_t self:process signal_perms;
-allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
-allow canna_t self:unix_dgram_socket create_stream_socket_perms;
-allow canna_t self:tcp_socket create_stream_socket_perms;
-
-allow canna_t canna_log_t:file create_file_perms;
-allow canna_t canna_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(canna_t,canna_log_t,{ file dir })
-
-allow canna_t canna_var_lib_t:dir create_dir_perms;
-allow canna_t canna_var_lib_t:file create_file_perms;
-allow canna_t canna_var_lib_t:lnk_file create_lnk_perms;
-files_var_lib_filetrans(canna_t,canna_var_lib_t,file)
-
-allow canna_t canna_var_run_t:dir rw_dir_perms;
-allow canna_t canna_var_run_t:file create_file_perms;
-allow canna_t canna_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file })
-
-kernel_read_kernel_sysctls(canna_t)
-kernel_read_system_state(canna_t)
-
-corenet_non_ipsec_sendrecv(canna_t)
-corenet_tcp_sendrecv_all_if(canna_t)
-corenet_tcp_sendrecv_all_nodes(canna_t)
-corenet_tcp_sendrecv_all_ports(canna_t)
-corenet_tcp_connect_all_ports(canna_t)
-corenet_sendrecv_all_client_packets(canna_t)
-
-dev_read_sysfs(canna_t)
-
-fs_getattr_all_fs(canna_t)
-fs_search_auto_mountpoints(canna_t)
-
-term_dontaudit_use_console(canna_t)
-
-domain_use_interactive_fds(canna_t)
-
-files_read_etc_files(canna_t)
-files_read_etc_runtime_files(canna_t)
-files_read_usr_files(canna_t)
-files_search_tmp(canna_t)
-files_dontaudit_read_root_files(canna_t)
-
-init_use_fds(canna_t)
-init_use_script_ptys(canna_t)
-
-libs_use_ld_so(canna_t)
-libs_use_shared_libs(canna_t)
-
-logging_send_syslog_msg(canna_t)
-
-miscfiles_read_localization(canna_t)
-
-sysnet_read_config(canna_t)
-
-userdom_dontaudit_use_unpriv_user_fds(canna_t)
-userdom_dontaudit_search_sysadm_home_dirs(canna_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(canna_t)
-	term_dontaudit_use_generic_ptys(canna_t)
-	files_dontaudit_read_root_files(canna_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(canna_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(canna_t)
-')
-
-optional_policy(`
-	udev_read_db(canna_t)
-')
diff --git a/refpolicy/policy/modules/services/cipe.fc b/refpolicy/policy/modules/services/cipe.fc
deleted file mode 100644
index afcdf02..0000000
--- a/refpolicy/policy/modules/services/cipe.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# /usr
-#
-/usr/sbin/ciped.*	--	gen_context(system_u:object_r:ciped_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/cipe.if b/refpolicy/policy/modules/services/cipe.if
deleted file mode 100644
index b5fd668..0000000
--- a/refpolicy/policy/modules/services/cipe.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Encrypted tunnel daemon</summary>
diff --git a/refpolicy/policy/modules/services/cipe.te b/refpolicy/policy/modules/services/cipe.te
deleted file mode 100644
index 4c43de5..0000000
--- a/refpolicy/policy/modules/services/cipe.te
+++ /dev/null
@@ -1,87 +0,0 @@
-
-policy_module(cipe,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type ciped_t;
-type ciped_exec_t;
-init_daemon_domain(ciped_t,ciped_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
-dontaudit ciped_t self:capability sys_tty_config;
-allow ciped_t self:process signal_perms;
-allow ciped_t self:fifo_file rw_file_perms;
-allow ciped_t self:unix_dgram_socket create_socket_perms;
-allow ciped_t self:unix_stream_socket create_socket_perms;
-allow ciped_t self:udp_socket create_socket_perms;
-
-kernel_read_kernel_sysctls(ciped_t)
-kernel_read_system_state(ciped_t)
-
-corecmd_exec_shell(ciped_t)
-corecmd_exec_bin(ciped_t)
-corecmd_exec_sbin(ciped_t)
-
-corenet_non_ipsec_sendrecv(ciped_t)
-corenet_udp_sendrecv_generic_if(ciped_t)
-corenet_udp_sendrecv_all_nodes(ciped_t)
-corenet_udp_sendrecv_all_ports(ciped_t)
-corenet_udp_bind_all_nodes(ciped_t)
-# cipe uses the afs3-bos port (udp 7007)
-corenet_udp_bind_afs_bos_port(ciped_t)
-corenet_sendrecv_afs_bos_server_packets(ciped_t)
-
-dev_read_sysfs(ciped_t)
-dev_read_rand(ciped_t)
-# for SSP
-dev_read_urand(ciped_t)
-
-domain_use_interactive_fds(ciped_t)
-
-files_read_etc_files(ciped_t)
-files_read_etc_runtime_files(ciped_t)
-files_dontaudit_search_var(ciped_t)
-
-fs_search_auto_mountpoints(ciped_t)
-
-term_dontaudit_use_console(ciped_t)
-
-init_use_fds(ciped_t)
-init_use_script_ptys(ciped_t)
-
-libs_use_ld_so(ciped_t)
-libs_use_shared_libs(ciped_t)
-
-logging_send_syslog_msg(ciped_t)
-
-miscfiles_read_localization(ciped_t)
-
-sysnet_read_config(ciped_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ciped_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(ciped_t)
-	term_dontaudit_use_generic_ptys(ciped_t)
-	files_dontaudit_read_root_files(ciped_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(ciped_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ciped_t)
-')
-
-optional_policy(`
-	udev_read_db(ciped_t)
-')
diff --git a/refpolicy/policy/modules/services/clamav.fc b/refpolicy/policy/modules/services/clamav.fc
deleted file mode 100644
index 4640ac6..0000000
--- a/refpolicy/policy/modules/services/clamav.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-/etc/clamav(/.*)?			gen_context(system_u:object_r:clamd_etc_t,s0)
-
-
-/usr/bin/clamscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
-/usr/bin/clamdscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
-/usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
-
-/usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
-
-/var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav/clamd.ctl	-s	gen_context(system_u:object_r:clamd_sock_t,s0)
-/var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
-/var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
-/var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
-/var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
diff --git a/refpolicy/policy/modules/services/clamav.if b/refpolicy/policy/modules/services/clamav.if
deleted file mode 100644
index 3263dbb..0000000
--- a/refpolicy/policy/modules/services/clamav.if
+++ /dev/null
@@ -1,104 +0,0 @@
-## <summary>ClamAV Virus Scanner</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run clamd.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`clamav_domtrans',`
-	gen_require(`
-		type clamd_t, clamd_exec_t;
-	')
-
-	domain_auto_trans($1,clamd_exec_t,clamd_t)
-
-	allow $1 clamd_t:fd use;
-	allow clamd_t $1:fd use;
-	allow clamd_t $1:fifo_file rw_file_perms;
-	allow clamd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Connect to run clamd.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to connect.
-##	</summary>
-## </param>
-#
-interface(`clamav_stream_connect',`
-	gen_require(`
-		type clamd_t, clamd_sock_t, clamd_var_run_t;
-	')
-
-	allow $1 clamd_var_run_t:dir search;
-	allow $1 clamd_sock_t:sock_file write;
-	allow $1 clamd_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Read clamav configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`clamav_read_config',`
-	gen_require(`
-		type clamd_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 clamd_etc_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Search clamav libraries directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`clamav_search_lib',`
-	gen_require(`
-		type clamd_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 clamd_var_lib_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to run clamscan.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`clamav_domtrans_clamscan',`
-	gen_require(`
-		type clamscan_t, clamscan_exec_t;
-	')
-
-	domain_auto_trans($1,clamscan_exec_t,clamscan_t)
-
-	allow clamscan_t $1:fd use;
-	allow clamscan_t $1:fifo_file rw_file_perms;
-	allow clamscan_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/clamav.te b/refpolicy/policy/modules/services/clamav.te
deleted file mode 100644
index 14f06d6..0000000
--- a/refpolicy/policy/modules/services/clamav.te
+++ /dev/null
@@ -1,256 +0,0 @@
-
-policy_module(clamav,1.0.4)
-
-########################################
-#
-# Declarations
-#
-
-# Main clamd domain
-type clamd_t;
-type clamd_exec_t;
-init_daemon_domain(clamd_t, clamd_exec_t)
-
-# configuration files
-type clamd_etc_t;
-files_type(clamd_etc_t)
-
-# named socket type
-type clamd_sock_t;
-files_type(clamd_sock_t)
-
-# tmp files
-type clamd_tmp_t;
-files_tmp_file(clamd_tmp_t)
-
-# log files
-type clamd_var_log_t;
-logging_log_file(clamd_var_log_t)
-
-# var/lib files
-type clamd_var_lib_t;
-files_type(clamd_var_lib_t)
-
-# pid files
-type clamd_var_run_t;
-files_pid_file(clamd_var_run_t)
-
-type clamscan_t;
-type clamscan_exec_t;
-init_daemon_domain(clamscan_t, clamscan_exec_t)
-
-# tmp files
-type clamscan_tmp_t;
-files_tmp_file(clamscan_tmp_t)
-
-type freshclam_t;
-type freshclam_exec_t;
-init_daemon_domain(freshclam_t, freshclam_exec_t)
-
-# log files
-type freshclam_var_log_t;
-logging_log_file(freshclam_var_log_t)
-
-########################################
-#
-# clamd local policy
-#
-
-allow clamd_t self:capability { kill setgid setuid dac_override };
-allow clamd_t self:fifo_file rw_file_perms;
-allow clamd_t self:unix_stream_socket create_stream_socket_perms;
-allow clamd_t self:unix_dgram_socket create_socket_perms;
-allow clamd_t self:tcp_socket { listen accept };
-
-# configuration files
-allow clamd_t clamd_etc_t:dir r_dir_perms;
-allow clamd_t clamd_etc_t:file r_file_perms;
-allow clamd_t clamd_etc_t:lnk_file { getattr read };
-
-# socket file
-allow clamd_t clamd_sock_t:file manage_file_perms;
-allow clamd_t clamd_sock_t:sock_file manage_file_perms;
-allow clamd_t clamd_sock_t:dir rw_dir_perms;
-files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)
-
-# tmp files
-allow clamd_t clamd_tmp_t:file create_file_perms;
-allow clamd_t clamd_tmp_t:dir create_dir_perms;
-files_tmp_filetrans(clamd_t,clamd_tmp_t,{ file dir })
-
-# var/lib files for clamd
-allow clamd_t clamd_var_lib_t:file create_file_perms;
-allow clamd_t clamd_var_lib_t:sock_file create_file_perms;
-allow clamd_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file)
-
-# log files
-allow clamd_t clamd_var_log_t:file create_file_perms;
-allow clamd_t clamd_var_log_t:sock_file create_file_perms;
-allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(clamd_t,clamd_var_log_t,file)
-
-# pid file
-allow clamd_t clamd_var_run_t:file manage_file_perms;
-allow clamd_t clamd_var_run_t:sock_file manage_file_perms;
-allow clamd_t clamd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(clamd_t,clamd_var_run_t,file)
-
-kernel_dontaudit_list_proc(clamd_t)
-
-corenet_non_ipsec_sendrecv(clamd_t)
-corenet_tcp_sendrecv_all_if(clamd_t)
-corenet_tcp_sendrecv_all_nodes(clamd_t)
-corenet_tcp_sendrecv_all_ports(clamd_t)
-corenet_tcp_sendrecv_clamd_port(clamd_t)
-corenet_tcp_bind_all_nodes(clamd_t)
-corenet_tcp_bind_clamd_port(clamd_t)
-corenet_sendrecv_clamd_server_packets(clamd_t)
-
-dev_read_rand(clamd_t)
-dev_read_urand(clamd_t)
-
-domain_use_interactive_fds(clamd_t)
-
-files_read_etc_files(clamd_t)
-files_read_etc_runtime_files(clamd_t)
-files_search_spool(clamd_t)
-
-init_use_fds(clamd_t)
-init_use_script_ptys(clamd_t)
-
-libs_use_ld_so(clamd_t)
-libs_use_shared_libs(clamd_t)
-
-logging_send_syslog_msg(clamd_t)
-
-miscfiles_read_localization(clamd_t)
-
-sysnet_dns_name_resolve(clamd_t)
-
-cron_use_fds(clamd_t)
-cron_use_system_job_fds(clamd_t)
-cron_rw_pipes(clamd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_generic_ptys(clamd_t)
-')
-
-optional_policy(`
-	amavis_read_lib_files(clamd_t)
-	amavis_read_spool_files(clamd_t)
-	amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file)
-')
-
-########################################
-#
-# Freshclam local policy
-#
-
-allow freshclam_t self:capability { setgid setuid dac_override };
-allow freshclam_t self:fifo_file rw_file_perms;
-allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
-allow freshclam_t self:unix_dgram_socket create_socket_perms;
-allow freshclam_t self:tcp_socket { listen accept };
-
-# configuration files
-allow freshclam_t clamd_etc_t:dir r_dir_perms;
-allow freshclam_t clamd_etc_t:file r_file_perms;
-allow freshclam_t clamd_etc_t:lnk_file { getattr read };
-
-# var/lib files together with clamd
-allow freshclam_t clamd_var_lib_t:file create_file_perms;
-allow freshclam_t clamd_var_lib_t:sock_file create_file_perms;
-allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file)
-
-# pidfiles- var/run together with clamd
-allow freshclam_t clamd_var_run_t:file manage_file_perms;
-allow freshclam_t clamd_var_run_t:sock_file manage_file_perms;
-allow freshclam_t clamd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(freshclam_t,clamd_var_run_t,file)
-
-# log files (own logfiles only)
-allow freshclam_t freshclam_var_log_t:file create_file_perms;
-allow freshclam_t freshclam_var_log_t:sock_file create_file_perms;
-allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
-allow freshclam_t clamd_var_log_t:dir search;
-logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
-
-corenet_non_ipsec_sendrecv(freshclam_t)
-corenet_tcp_sendrecv_all_if(freshclam_t)
-corenet_tcp_sendrecv_all_nodes(freshclam_t)
-corenet_tcp_sendrecv_all_ports(freshclam_t)
-corenet_tcp_sendrecv_clamd_port(freshclam_t)
-corenet_tcp_connect_http_port(freshclam_t)
-corenet_sendrecv_http_client_packets(freshclam_t)
-
-dev_read_rand(freshclam_t)
-dev_read_urand(freshclam_t)
-
-domain_use_interactive_fds(freshclam_t)
-
-files_read_etc_files(freshclam_t)
-files_read_etc_runtime_files(freshclam_t)
-
-init_use_fds(freshclam_t)
-init_use_script_ptys(freshclam_t)
-
-libs_use_ld_so(freshclam_t)
-libs_use_shared_libs(freshclam_t)
-
-miscfiles_read_localization(freshclam_t)
-
-sysnet_dns_name_resolve(freshclam_t)
-
-clamav_stream_connect(freshclam_t)
-
-cron_use_fds(freshclam_t)
-cron_use_system_job_fds(freshclam_t)
-cron_rw_pipes(freshclam_t)
-
-########################################
-#
-# clamscam local policy
-#
-
-allow clamscan_t self:capability { setgid setuid dac_override };
-allow clamscan_t self:fifo_file rw_file_perms;
-allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
-allow clamscan_t self:unix_dgram_socket create_socket_perms;
-allow clamscan_t self:tcp_socket { listen accept };
-
-# configuration files
-allow clamscan_t clamd_etc_t:dir r_dir_perms;
-allow clamscan_t clamd_etc_t:file r_file_perms;
-allow clamscan_t clamd_etc_t:lnk_file { getattr read };
-
-# tmp files
-allow clamscan_t clamscan_tmp_t:file manage_file_perms;
-allow clamscan_t clamscan_tmp_t:dir manage_dir_perms;
-files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
-
-# var/lib files together with clamd
-allow clamscan_t clamd_var_lib_t:file r_file_perms;
-allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
-allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
-
-kernel_read_kernel_sysctls(clamscan_t)
-
-files_read_etc_files(clamscan_t)
-files_read_etc_runtime_files(clamscan_t)
-files_search_var_lib(clamscan_t)
-
-libs_use_ld_so(clamscan_t)
-libs_use_shared_libs(clamscan_t)
-
-miscfiles_read_localization(clamscan_t)
-miscfiles_read_public_files(clamscan_t)
-
-clamav_stream_connect(clamscan_t)
-
-optional_policy(`
-	apache_read_sys_content(clamscan_t)
-')
diff --git a/refpolicy/policy/modules/services/clockspeed.fc b/refpolicy/policy/modules/services/clockspeed.fc
deleted file mode 100644
index a7aa385..0000000
--- a/refpolicy/policy/modules/services/clockspeed.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# /usr
-#
-/usr/bin/clockadd	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
-/usr/bin/clockspeed	--	gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
-/usr/bin/sntpclock	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
-/usr/bin/taiclock	--	gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
-/usr/bin/taiclockd	--	gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/clockspeed(/.*)?	gen_context(system_u:object_r:clockspeed_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/services/clockspeed.if b/refpolicy/policy/modules/services/clockspeed.if
deleted file mode 100644
index 9d4c892..0000000
--- a/refpolicy/policy/modules/services/clockspeed.if
+++ /dev/null
@@ -1,53 +0,0 @@
-## <summary>Clockspeed simple network time protocol client</summary>
-
-########################################
-## <summary>
-##      Execute clockspeed utilities in the clockspeed_cli domain.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`clockspeed_domtrans_cli',`
-        gen_require(`
-                type clockspeed_cli_t, clockspeed_cli_exec_t;
-        ')
-
-	domain_auto_trans($1, clockspeed_cli_exec_t, clockspeed_cli_t)
-	allow clockspeed_cli_t $1:fd use;
-	allow clockspeed_cli_t $1:fifo_file { read write };
-	allow clockspeed_cli_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Allow the specified role the clockspeed_cli domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the clockspeed_cli domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the clockspeed_cli domain to use.
-##	</summary>
-## </param>
-#
-template(`clockspeed_run_cli',`
-	gen_require(`
-		type clockspeed_cli_t;
-	')
-
-	role $2 types clockspeed_cli_t;
-	clockspeed_domtrans_cli($1)
-	allow clockspeed_cli_t $3:chr_file { getattr read write ioctl };
-
-')
diff --git a/refpolicy/policy/modules/services/clockspeed.te b/refpolicy/policy/modules/services/clockspeed.te
deleted file mode 100644
index 7866470..0000000
--- a/refpolicy/policy/modules/services/clockspeed.te
+++ /dev/null
@@ -1,77 +0,0 @@
-
-policy_module(clockspeed,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type clockspeed_cli_t;
-type clockspeed_cli_exec_t;
-domain_type(clockspeed_cli_t)
-domain_entry_file(clockspeed_cli_t,clockspeed_cli_exec_t)
-
-type clockspeed_srv_t;
-type clockspeed_srv_exec_t;
-init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
-
-type clockspeed_var_lib_t;
-files_type(clockspeed_var_lib_t)
-
-########################################
-#
-# Client local policy
-#
-
-allow clockspeed_cli_t self:capability sys_time;
-allow clockspeed_cli_t self:udp_socket create_socket_perms;
-allow clockspeed_cli_t clockspeed_var_lib_t:dir search;
-allow clockspeed_cli_t clockspeed_var_lib_t:file { getattr read };
-
-corenet_non_ipsec_sendrecv(clockspeed_cli_t)
-corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
-corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
-corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
-corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
-
-files_list_var_lib(clockspeed_cli_t)
-files_read_etc_files(clockspeed_cli_t)
-
-libs_use_ld_so(clockspeed_cli_t)
-libs_use_shared_libs(clockspeed_cli_t)
-
-miscfiles_read_localization(clockspeed_cli_t)
-
-########################################
-#
-# Server local policy
-#
-
-allow clockspeed_srv_t self:capability { sys_time net_bind_service };
-allow clockspeed_srv_t self:udp_socket create_socket_perms;
-allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
-allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
-
-allow clockspeed_srv_t clockspeed_var_lib_t:dir rw_dir_perms;
-allow clockspeed_srv_t clockspeed_var_lib_t:file create_file_perms;
-allow clockspeed_srv_t clockspeed_var_lib_t:fifo_file create_file_perms;
-
-corenet_non_ipsec_sendrecv(clockspeed_srv_t)
-corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
-corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
-corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
-corenet_udp_bind_all_nodes(clockspeed_srv_t)
-corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
-corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
-
-files_read_etc_files(clockspeed_srv_t)
-files_list_var_lib(clockspeed_srv_t)
-
-libs_use_ld_so(clockspeed_srv_t)
-libs_use_shared_libs(clockspeed_srv_t)
-
-miscfiles_read_localization(clockspeed_srv_t)
-
-optional_policy(`
-	daemontools_service_domain(clockspeed_srv_t,clockspeed_srv_exec_t)
-')
diff --git a/refpolicy/policy/modules/services/comsat.fc b/refpolicy/policy/modules/services/comsat.fc
deleted file mode 100644
index e7633fa..0000000
--- a/refpolicy/policy/modules/services/comsat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/sbin/in\.comsat	--	gen_context(system_u:object_r:comsat_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/comsat.if b/refpolicy/policy/modules/services/comsat.if
deleted file mode 100644
index afc4dfe..0000000
--- a/refpolicy/policy/modules/services/comsat.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Comsat, a biff server.</summary>
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
deleted file mode 100644
index 9e2e9cb..0000000
--- a/refpolicy/policy/modules/services/comsat.te
+++ /dev/null
@@ -1,88 +0,0 @@
-
-policy_module(comsat,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type comsat_t;
-type comsat_exec_t;
-inetd_udp_service_domain(comsat_t,comsat_exec_t)
-role system_r types comsat_t;
-
-type comsat_tmp_t;
-files_tmp_file(comsat_tmp_t)
-
-type comsat_var_run_t;
-files_pid_file(comsat_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow comsat_t self:capability { setuid setgid };
-allow comsat_t self:process signal_perms;
-allow comsat_t self:dir search;
-allow comsat_t self:fifo_file rw_file_perms;
-allow comsat_t self:{ lnk_file file } { getattr read };
-allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow comsat_t self:tcp_socket connected_stream_socket_perms;
-allow comsat_t self:udp_socket create_socket_perms;
-
-allow comsat_t comsat_tmp_t:dir create_dir_perms;
-allow comsat_t comsat_tmp_t:file create_file_perms;
-files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
-
-allow comsat_t comsat_var_run_t:file create_file_perms;
-allow comsat_t comsat_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(comsat_t,comsat_var_run_t,file)
-
-kernel_read_kernel_sysctls(comsat_t)
-kernel_read_network_state(comsat_t)
-kernel_read_system_state(comsat_t)
-
-corenet_non_ipsec_sendrecv(comsat_t)
-corenet_tcp_sendrecv_all_if(comsat_t)
-corenet_udp_sendrecv_all_if(comsat_t)
-corenet_tcp_sendrecv_all_nodes(comsat_t)
-corenet_udp_sendrecv_all_nodes(comsat_t)
-corenet_udp_sendrecv_all_ports(comsat_t)
-
-dev_read_urand(comsat_t)
-
-fs_getattr_xattr_fs(comsat_t)
-
-files_read_etc_files(comsat_t)
-files_list_usr(comsat_t)
-files_search_spool(comsat_t)
-files_search_home(comsat_t)
-
-init_read_utmp(comsat_t)
-init_dontaudit_write_utmp(comsat_t)
-
-libs_use_ld_so(comsat_t)
-libs_use_shared_libs(comsat_t)
-
-logging_send_syslog_msg(comsat_t)
-
-miscfiles_read_localization(comsat_t)
-
-sysnet_read_config(comsat_t)
-
-userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
-
-mta_getattr_spool(comsat_t)
-
-optional_policy(`
-	kerberos_use(comsat_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(comsat_t)
-')
-
-optional_policy(`
-	nscd_socket_use(comsat_t)
-')
diff --git a/refpolicy/policy/modules/services/courier.fc b/refpolicy/policy/modules/services/courier.fc
deleted file mode 100644
index 3009c73..0000000
--- a/refpolicy/policy/modules/services/courier.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-/etc/courier(/.*)?				gen_context(system_u:object_r:courier_etc_t,s0)
-
-/usr/bin/imapd				--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-
-/usr/sbin/courierlogger			--	gen_context(system_u:object_r:courier_exec_t,s0)
-/usr/sbin/courierldapaliasd		--	gen_context(system_u:object_r:courier_exec_t,s0)
-/usr/sbin/couriertcpd			--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
-
-/usr/lib(64)?/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-/usr/lib(64)?/courier/courier/.*	--	gen_context(system_u:object_r:courier_exec_t,s0)
-/usr/lib(64)?/courier/courier/courierpop.* --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib(64)?/courier/courier/imaplogin --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib(64)?/courier/courier/pcpd	--	gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib(64)?/courier/imapd		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib(64)?/courier/pop3d		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib(64)?/courier/rootcerts(/.*)?		gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-
-/var/lib/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_lib_t,s0)
-
-/var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/courier.if b/refpolicy/policy/modules/services/courier.if
deleted file mode 100644
index d5866bb..0000000
--- a/refpolicy/policy/modules/services/courier.if
+++ /dev/null
@@ -1,142 +0,0 @@
-## <summary>Courier IMAP and POP3 email servers</summary>
-
-########################################
-## <summary>
-##	Template for creating courier server processes.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	Prefix name of the server process.
-##	</summary>
-## </param>
-#
-template(`courier_domain_template',`
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type courier_$1_t;
-	type courier_$1_exec_t;
-	init_daemon_domain(courier_$1_t,courier_$1_exec_t)
-
-	##############################
-	#
-	# Declarations
-	#
-
-	allow courier_$1_t self:capability dac_override;
-	dontaudit courier_$1_t self:capability sys_tty_config;
-	allow courier_$1_t self:process { setpgid signal_perms };
-	allow courier_$1_t self:fifo_file { read write getattr };
-	allow courier_$1_t self:tcp_socket create_stream_socket_perms;
-	allow courier_$1_t self:udp_socket create_socket_perms;
-
-	can_exec(courier_$1_t, courier_$1_exec_t)
-
-	allow courier_$1_t courier_etc_t:file r_file_perms;
-	allow courier_$1_t courier_etc_t:dir r_dir_perms;
-
-	allow courier_$1_t courier_var_run_t:dir rw_dir_perms;
-	allow courier_$1_t courier_var_run_t:file create_file_perms;
-	allow courier_$1_t courier_var_run_t:lnk_file create_lnk_perms;
-	allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
-	files_search_pids(courier_$1_t)
-
-	kernel_read_system_state(courier_$1_t)
-	kernel_read_kernel_sysctls(courier_$1_t)
-
-	corecmd_exec_bin(courier_$1_t)
-
-	corenet_non_ipsec_sendrecv(courier_$1_t)
-	corenet_tcp_sendrecv_generic_if(courier_$1_t)
-	corenet_udp_sendrecv_generic_if(courier_$1_t)
-	corenet_tcp_sendrecv_all_nodes(courier_$1_t)
-	corenet_udp_sendrecv_all_nodes(courier_$1_t)
-	corenet_tcp_sendrecv_all_ports(courier_$1_t)
-	corenet_udp_sendrecv_all_ports(courier_$1_t)
-
-	dev_read_sysfs(courier_$1_t)
-
-	domain_use_interactive_fds(courier_$1_t)
-
-	files_read_etc_files(courier_$1_t)
-	files_read_etc_runtime_files(courier_$1_t)
-	files_read_usr_files(courier_$1_t)
-
-	fs_getattr_xattr_fs(courier_$1_t)
-	fs_search_auto_mountpoints(courier_$1_t)
-
-	term_dontaudit_use_console(courier_$1_t)
-
-	init_use_fds(courier_$1_t)
-	init_use_script_ptys(courier_$1_t)
-
-	libs_use_ld_so(courier_$1_t)
-	libs_use_shared_libs(courier_$1_t)
-
-	logging_send_syslog_msg(courier_$1_t)
-
-	sysnet_read_config(courier_$1_t)
-
-	userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
-
-	ifdef(`targeted_policy',`
-		term_dontaudit_use_unallocated_ttys(courier_$1_t)
-		term_dontaudit_use_generic_ptys(courier_$1_t)
-		files_dontaudit_read_root_files(courier_$1_t)
-	')
-
-	optional_policy(`
-		seutil_sigchld_newrole(courier_$1_t)
-	')
-
-	optional_policy(`
-		udev_read_db(courier_$1_t)
-	')
-')
-
-########################################
-## <summary>
-##	Execute the courier authentication daemon with
-##	a domain transition.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`courier_domtrans_authdaemon',`
-	gen_require(`
-		type courier_authdaemon_t, courier_authdaemon_exec_t;
-	')
-
-	domain_auto_trans($1, courier_authdaemon_exec_t, courier_authdaemon_t)
-	allow courier_authdaemon_t $1:fd use;
-	allow courier_authdaemon_t $1:fifo_file rw_file_perms;
-	allow courier_authdaemon_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute the courier POP3 and IMAP server with
-##	a domain transition.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`courier_domtrans_pop',`
-	gen_require(`
-		type courier_pop_t, courier_pop_exec_t;
-	')
-
-	domain_auto_trans($1, courier_pop_exec_t, courier_pop_t)
-	allow courier_pop_t $1:fd use;
-	allow courier_pop_t $1:fifo_file rw_file_perms;
-	allow courier_pop_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/courier.te b/refpolicy/policy/modules/services/courier.te
deleted file mode 100644
index 0c41a0f..0000000
--- a/refpolicy/policy/modules/services/courier.te
+++ /dev/null
@@ -1,143 +0,0 @@
-
-policy_module(courier,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-courier_domain_template(authdaemon)
-
-type courier_etc_t;
-files_type(courier_etc_t)
-
-courier_domain_template(pcp)
-
-courier_domain_template(pop)
-
-courier_domain_template(tcpd)
-
-type courier_var_lib_t;
-files_type(courier_var_lib_t)
-
-type courier_var_run_t;
-files_pid_file(courier_var_run_t)
-
-type courier_exec_t;
-files_type(courier_exec_t)
-
-courier_domain_template(sqwebmail)
-typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
-
-########################################
-#
-# Authdaemon local policy
-#
-
-allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
-allow courier_authdaemon_t self:unix_stream_socket connectto;
-
-can_exec(courier_authdaemon_t, courier_exec_t)
-
-allow courier_authdaemon_t courier_tcpd_t:fd use;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
-
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:process sigchld;
-allow courier_authdaemon_t courier_tcpd_t:fd use;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
-
-corecmd_search_sbin(courier_authdaemon_t)
-
-# for SSP
-dev_read_urand(courier_authdaemon_t)
-
-files_getattr_tmp_dirs(courier_authdaemon_t)
-
-auth_domtrans_chk_passwd(courier_authdaemon_t)
-
-libs_read_lib_files(courier_authdaemon_t)
-
-miscfiles_read_localization(courier_authdaemon_t)
-
-# should not be needed!
-userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)
-userdom_dontaudit_search_sysadm_home_dirs(courier_authdaemon_t)
-
-courier_domtrans_pop(courier_authdaemon_t)
-
-########################################
-#
-# Calendar (PCP) local policy
-#
-
-allow courier_pcp_t self:capability { setuid setgid };
-
-dev_read_rand(courier_pcp_t)
-
-########################################
-#
-# POP3/IMAP local policy
-#
-
-allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
-allow courier_pop_t courier_authdaemon_t:process sigchld;
-
-allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-
-# inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
-
-miscfiles_read_localization(courier_pop_t)
-
-courier_domtrans_authdaemon(courier_pop_t)
-
-# do the actual work (read the Maildir)
-userdom_manage_unpriv_users_home_content_files(courier_pop_t)
-# cjp: the fact that this is different for pop vs imap means that
-# there should probably be a courier_pop_t and courier_imap_t
-# this should also probably be a separate type too instead of
-# the regular home dir
-userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
-
-########################################
-#
-# TCPd local policy
-#
-
-allow courier_tcpd_t self:capability kill;
-
-can_exec(courier_tcpd_t, courier_exec_t)
-
-allow courier_tcpd_t courier_var_lib_t:dir rw_dir_perms;
-allow courier_tcpd_t courier_var_lib_t:file manage_file_perms;
-allow courier_tcpd_t courier_var_lib_t:lnk_file create_lnk_perms;
-files_search_var_lib(courier_tcpd_t)
-
-corecmd_search_sbin(courier_tcpd_t)
-
-corenet_tcp_bind_all_nodes(courier_tcpd_t)
-corenet_tcp_bind_pop_port(courier_tcpd_t)
-corenet_sendrecv_pop_server_packets(courier_tcpd_t)
-
-# for TLS
-dev_read_rand(courier_tcpd_t)
-dev_read_urand(courier_tcpd_t)
-
-miscfiles_read_localization(courier_tcpd_t)
-
-courier_domtrans_pop(courier_tcpd_t)
-
-########################################
-#
-# Webmail local policy
-#
-
-kernel_read_kernel_sysctls(courier_sqwebmail_t)
-
-optional_policy(`
-	cron_system_entry(courier_sqwebmail_t,courier_sqwebmail_exec_t)
-')
diff --git a/refpolicy/policy/modules/services/cpucontrol.fc b/refpolicy/policy/modules/services/cpucontrol.fc
deleted file mode 100644
index 6905f77..0000000
--- a/refpolicy/policy/modules/services/cpucontrol.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-
-/etc/firmware/.*	--	gen_context(system_u:object_r:cpucontrol_conf_t,s0)
-
-/sbin/microcode_ctl	--	gen_context(system_u:object_r:cpucontrol_exec_t,s0)
-
-/usr/sbin/cpufreqd	--	gen_context(system_u:object_r:cpuspeed_exec_t,s0)
-/usr/sbin/cpuspeed	--	gen_context(system_u:object_r:cpuspeed_exec_t,s0)
-/usr/sbin/powernowd	--	gen_context(system_u:object_r:cpuspeed_exec_t,s0)
-
-/var/run/cpufreqd.pid	--	gen_context(system_u:object_r:cpuspeed_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/cpucontrol.if b/refpolicy/policy/modules/services/cpucontrol.if
deleted file mode 100644
index a827592..0000000
--- a/refpolicy/policy/modules/services/cpucontrol.if
+++ /dev/null
@@ -1,17 +0,0 @@
-## <summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
-
-########################################
-## <summary>
-##	CPUcontrol stub interface.  No access allowed.
-## </summary>
-## <param name="domain" optional="true">
-##	<summary>
-##	N/A
-##	</summary>
-## </param>
-#
-interface(`cpucontrol_stub',`
-	gen_require(`
-		type cpucontrol_t;
-	')
-')
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
deleted file mode 100644
index 256df78..0000000
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ /dev/null
@@ -1,136 +0,0 @@
-
-policy_module(cpucontrol,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type cpucontrol_t;
-type cpucontrol_exec_t;
-init_system_domain(cpucontrol_t,cpucontrol_exec_t)
-
-type cpucontrol_conf_t;
-files_type(cpucontrol_conf_t)
-
-type cpuspeed_t;
-type cpuspeed_exec_t;
-init_system_domain(cpuspeed_t,cpuspeed_exec_t)
-
-type cpuspeed_var_run_t;
-files_pid_file(cpuspeed_var_run_t)
-
-########################################
-#
-# CPU microcode loader local policy
-#
-
-allow cpucontrol_t self:capability sys_rawio;
-dontaudit cpucontrol_t self:capability sys_tty_config;
-allow cpucontrol_t self:process signal_perms;
-
-allow cpucontrol_t cpucontrol_conf_t:dir r_dir_perms;
-allow cpucontrol_t cpucontrol_conf_t:file r_file_perms;
-allow cpucontrol_t cpucontrol_conf_t:lnk_file { getattr read };
-
-kernel_list_proc(cpucontrol_t)
-kernel_read_proc_symlinks(cpucontrol_t)
-kernel_read_kernel_sysctls(cpucontrol_t)
-
-dev_read_sysfs(cpucontrol_t)
-dev_rw_cpu_microcode(cpucontrol_t)
-
-fs_search_auto_mountpoints(cpucontrol_t)
-
-term_dontaudit_use_console(cpucontrol_t)
-
-domain_use_interactive_fds(cpucontrol_t)
-
-files_list_usr(cpucontrol_t)
-
-init_use_fds(cpucontrol_t)
-init_use_script_ptys(cpucontrol_t)
-
-libs_use_ld_so(cpucontrol_t)
-libs_use_shared_libs(cpucontrol_t)
-
-logging_send_syslog_msg(cpucontrol_t)
-
-userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(cpucontrol_t)
-	term_dontaudit_use_generic_ptys(cpucontrol_t)
-	files_dontaudit_read_root_files(cpucontrol_t)
-')
-
-optional_policy(`
-	nscd_socket_use(cpucontrol_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(cpucontrol_t)
-')
-
-optional_policy(`
-	udev_read_db(cpucontrol_t)
-')
-
-########################################
-#
-# CPU frequency scaling daemons
-#
-
-dontaudit cpuspeed_t self:capability sys_tty_config;
-allow cpuspeed_t self:process { signal_perms setsched };
-allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
-
-allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms;
-files_pid_filetrans(cpuspeed_t,cpuspeed_var_run_t,file)
-
-kernel_read_system_state(cpuspeed_t)
-kernel_read_kernel_sysctls(cpuspeed_t)
-
-dev_rw_sysfs(cpuspeed_t)
-
-domain_use_interactive_fds(cpuspeed_t)
-# for demand/load-based scaling:
-domain_read_all_domains_state(cpuspeed_t)
-
-files_read_etc_files(cpuspeed_t)
-files_read_etc_runtime_files(cpuspeed_t)
-files_list_usr(cpuspeed_t)
-
-fs_search_auto_mountpoints(cpuspeed_t)
-
-term_dontaudit_use_console(cpuspeed_t)
-
-init_use_fds(cpuspeed_t)
-init_use_script_ptys(cpuspeed_t)
-
-libs_use_ld_so(cpuspeed_t)
-libs_use_shared_libs(cpuspeed_t)
-
-logging_send_syslog_msg(cpuspeed_t)
-
-miscfiles_read_localization(cpuspeed_t)
-
-userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(cpuspeed_t)
-	term_dontaudit_use_generic_ptys(cpuspeed_t)
-	files_dontaudit_read_root_files(cpuspeed_t)
-')
-
-optional_policy(`
-	nscd_socket_use(cpuspeed_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(cpuspeed_t)
-')
-
-optional_policy(`
-	udev_read_db(cpuspeed_t)
-')
diff --git a/refpolicy/policy/modules/services/cron.fc b/refpolicy/policy/modules/services/cron.fc
deleted file mode 100644
index 00f919a..0000000
--- a/refpolicy/policy/modules/services/cron.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-
-/etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
-/etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-
-/usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
-
-/usr/sbin/anacron		--	gen_context(system_u:object_r:anacron_exec_t,s0)
-/usr/sbin/atd			--	gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/cron(d)?		--	gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
-
-/var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond?\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond\.reboot		--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
-
-/var/spool/at			-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/spool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/[^/]*		--	<<none>>
-
-/var/spool/cron			-d	gen_context(system_u:object_r:cron_spool_t,s0)
-#/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/cron/[^/]*		--	<<none>>
-ifdef(`distro_suse', `
-/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
-/var/spool/cron/lastrun/[^/]*	--	<<none>>
-/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-')
-
-/var/spool/cron/crontabs 	-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/cron/crontabs/.*	--	<<none>>
-#/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-
-/var/spool/fcron		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/.*			<<none>>
-/var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
deleted file mode 100644
index fb6b883..0000000
--- a/refpolicy/policy/modules/services/cron.if
+++ /dev/null
@@ -1,578 +0,0 @@
-## <summary>Periodic execution of scheduled commands.</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the cron module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for running programs on behalf of the user, from cron.
-##	A type for the user crontab is also created.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`cron_per_userdomain_template',`
-	gen_require(`
-		attribute cron_spool_type;
-		type crond_t, cron_spool_t, crontab_exec_t;
-	')
-
-	# Type of user crontabs once moved to cron spool.
-	type $1_cron_spool_t, cron_spool_type;
-	files_type($1_cron_spool_t)
-
-	type $1_crond_t;
-	domain_type($1_crond_t)
-	domain_cron_exemption_target($1_crond_t)
-	corecmd_shell_entry_type($1_crond_t)
-	role $3 types $1_crond_t;
-
-	type $1_crontab_t;
-	domain_type($1_crontab_t)
-	domain_entry_file($1_crontab_t,crontab_exec_t)
-	role $3 types $1_crontab_t;
-
-	##############################
-	#
-	# $1_crond_t local policy
-	#
-
-	allow $1_crond_t self:capability dac_override;
-	allow $1_crond_t self:process { signal_perms setsched };
-	allow $1_crond_t self:fifo_file rw_file_perms;
-	allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-
-	# The entrypoint interface is not used as this is not
-	# a regular entrypoint.  Since crontab files are
-	# not directly executed, crond must ensure that
-	# the crontab file has a type that is appropriate
-	# for the domain of the user cron job.  It
-	# performs an entrypoint permission check
-	# for this purpose.
-	allow $1_crond_t $1_cron_spool_t:file entrypoint;
-
-	# Permit a transition from the crond_t domain to this domain.
-	# The transition is requested explicitly by the modified crond 
-	# via setexeccon.  There is no way to set up an automatic
-	# transition, since crontabs are configuration files, not executables.
-	allow crond_t $1_crond_t:process transition;
-	dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
-	allow crond_t $1_crond_t:fd use;
-	allow $1_crond_t crond_t:fd use;
-	allow $1_crond_t crond_t:fifo_file rw_file_perms;
-	allow $1_crond_t crond_t:process sigchld;
-
-	kernel_read_system_state($1_crond_t)
-	kernel_read_kernel_sysctls($1_crond_t)
-
-	# ps does not need to access /boot when run from cron
-	files_dontaudit_search_boot($1_crond_t)
-
-	corenet_non_ipsec_sendrecv($1_crond_t)
-	corenet_tcp_sendrecv_all_if($1_crond_t)
-	corenet_udp_sendrecv_all_if($1_crond_t)
-	corenet_tcp_sendrecv_all_nodes($1_crond_t)
-	corenet_udp_sendrecv_all_nodes($1_crond_t)
-	corenet_tcp_sendrecv_all_ports($1_crond_t)
-	corenet_udp_sendrecv_all_ports($1_crond_t)
-	corenet_tcp_connect_all_ports($1_crond_t)
-	corenet_sendrecv_all_client_packets($1_crond_t)
-
-	dev_read_urand($1_crond_t)
-
-	fs_getattr_all_fs($1_crond_t)
-
-	corecmd_exec_all_executables($1_crond_t)
-
-	# quiet other ps operations
-	domain_dontaudit_read_all_domains_state($1_crond_t)
-	domain_dontaudit_getattr_all_domains($1_crond_t)
-
-	files_read_usr_files($1_crond_t)
-	files_exec_etc_files($1_crond_t)
-	# for nscd:
-	files_dontaudit_search_pids($1_crond_t)
-
-	libs_use_ld_so($1_crond_t)
-	libs_use_shared_libs($1_crond_t)
-	libs_exec_lib_files($1_crond_t)
-	libs_exec_ld_so($1_crond_t)
-
-	files_read_etc_runtime_files($1_crond_t)
-	files_read_var_files($1_crond_t)
-	files_search_spool($1_crond_t)
-
-	logging_search_logs($1_crond_t)
-
-	seutil_read_config($1_crond_t)
-
-	miscfiles_read_localization($1_crond_t)
-
-	userdom_manage_user_tmp_files($1,$1_crond_t)
-	userdom_manage_user_tmp_symlinks($1,$1_crond_t)
-	userdom_manage_user_tmp_pipes($1,$1_crond_t)
-	userdom_manage_user_tmp_sockets($1,$1_crond_t)
-	# Run scripts in user home directory and access shared libs.
-	userdom_exec_user_home_content_files($1,$1_crond_t)
-	# Access user files and dirs.
-#	userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
-	userdom_manage_user_home_content_files($1,$1_crond_t)
-	userdom_manage_user_home_content_symlinks($1,$1_crond_t)
-	userdom_manage_user_home_content_pipes($1,$1_crond_t)
-	userdom_manage_user_home_content_sockets($1,$1_crond_t)
-#	userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
-
-	tunable_policy(`fcron_crond', `
-		allow crond_t $1_cron_spool_t:file create_file_perms;
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_crond_t)
-	')
-
-	ifdef(`TODO',`
-	optional_policy(`
-		create_dir_file($1_crond_t, httpd_$1_content_t)
-	')
-	allow $1_crond_t tmp_t:dir rw_dir_perms;
-	type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
-
-	ifdef(`mta.te', `
-		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-		allow $1_crond_t sendmail_exec_t:lnk_file r_file_perms;
-
-		# $1_mail_t should only be reading from the cron fifo not needing to write
-		dontaudit $1_mail_t crond_t:fifo_file write;
-		allow mta_user_agent $1_crond_t:fd use;
-	')
-	') dnl endif TODO
-
-	##############################
-	#
-	# $1_crontab_t local policy
-	#
-
-	# Transition from the user domain to the derived domain.
-	domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
-	allow $2 $1_crontab_t:fd use;
-	allow $1_crontab_t $2:fd use;
-	allow $1_crontab_t $2:fifo_file rw_file_perms;
-	allow $1_crontab_t $2:process sigchld;
-
-	# crontab shows up in user ps
-	allow $2 $1_crontab_t:dir { search getattr read };
-	allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
-	allow $2 $1_crontab_t:process getattr;
-	dontaudit $2 $1_crontab_t:process ptrace;
-
-	# for ^Z
-	allow $2 $1_crontab_t:process signal;
-
-	# Allow crond to read those crontabs in cron spool.
-	allow crond_t $1_cron_spool_t:file create_file_perms;
-
-	# dac_override is to create the file in the directory under /tmp
-	allow $1_crontab_t self:capability { setuid setgid chown dac_override };
-	allow $1_crontab_t self:process signal_perms;
-
-	# create files in /var/spool/cron
-	allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
-	allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
-	type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t;
-
-	# crontab signals crond by updating the mtime on the spooldir
-	allow $1_crontab_t cron_spool_t:dir setattr;
-
-	kernel_read_system_state($1_crontab_t)
-
-	# for the checks used by crontab -u
-	selinux_dontaudit_search_fs($1_crontab_t)
-
-	fs_getattr_xattr_fs($1_crontab_t)
-
-	# Run helper programs as the user domain
-	corecmd_bin_domtrans($1_crontab_t,$2)
-	corecmd_sbin_domtrans($1_crontab_t,$2)
-	corecmd_shell_domtrans($1_crontab_t,$2)
-
-	domain_use_interactive_fds($1_crontab_t)
-
-	files_read_etc_files($1_crontab_t)
-	files_dontaudit_search_pids($1_crontab_t)
-
-	libs_use_ld_so($1_crontab_t)
-	libs_use_shared_libs($1_crontab_t)
-
-	logging_send_syslog_msg($1_crontab_t)
-
-	miscfiles_read_localization($1_crontab_t)
-
-	seutil_read_config($1_crontab_t)
-
-	userdom_manage_user_tmp_dirs($1,$1_crontab_t)
-	userdom_manage_user_tmp_files($1,$1_crontab_t)
-	# Access terminals.
-	userdom_use_user_terminals($1,$1_crontab_t)
-	# Read user crontabs
-	userdom_read_user_home_content_files($1,$1_crontab_t)
-
-	tunable_policy(`fcron_crond', `
-		# fcron wants an instant update of a crontab change for the administrator
-		# also crontab does a security check for crontab -u
-		dontaudit $1_crontab_t crond_t:process signal;
-	')
-
-	ifdef(`TODO',`
-	allow $1_crond_t tmp_t:dir rw_dir_perms;
-	type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
-
-	# Read user crontabs
-	dontaudit $1_crontab_t $1_home_dir_t:dir write;
-	') dnl endif TODO
-')
-
-#######################################
-## <summary>
-##	The administrative functions template for the cron module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates rules for administrating the cron service,
-##	allowing the specified user to manage other user crontabs.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`cron_admin_template',`
-	gen_require(`
-		attribute cron_spool_type;
-		type $1_crontab_t, $1_crond_t;
-	')
-
-	# Allow our crontab domain to unlink a user cron spool file.
-	allow $1_crontab_t cron_spool_type:file { getattr read unlink };
-
-	logging_read_generic_logs($1_crond_t)
-
-	# Manipulate other users crontab.
-	selinux_get_fs_mount($1_crontab_t)
-	selinux_validate_context($1_crontab_t)
-	selinux_compute_access_vector($1_crontab_t)
-	selinux_compute_create_context($1_crontab_t)
-	selinux_compute_relabel_context($1_crontab_t)
-	selinux_compute_user_contexts($1_crontab_t)
-
-	tunable_policy(`fcron_crond', `
-		# fcron wants an instant update of a crontab change for the administrator
-		# also crontab does a security check for crontab -u
-		allow $1_crontab_t self:process setfscreate;
-		selinux_get_fs_mount($1_crontab_t)
-	')
-')
-
-########################################
-## <summary>
-##	Make the specified program domain accessable
-##	from the system cron jobs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to transition to.
-##	</summary>
-## </param>
-## <param name="entrypoint">
-##	<summary>
-##	The type of the file used as an entrypoint to this domain.
-##	</summary>
-## </param>
-#
-interface(`cron_system_entry',`
-	gen_require(`
-		type crond_t, system_crond_t;
-	')
-
-	domain_auto_trans(system_crond_t, $2, $1)
-
-	# cjp: perhaps these four rules from the old
-	# domain_auto_trans are not needed?
-	allow system_crond_t $1:fd use;
-	allow $1 system_crond_t:fd use;
-	allow $1 system_crond_t:fifo_file rw_file_perms;
-	allow $1 system_crond_t:process sigchld;
-
-	allow $1 crond_t:fifo_file rw_file_perms;
-	allow $1 crond_t:fd use;
-	allow $1 crond_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Inherit and use a file descriptor
-##	from the cron daemon.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cron_use_fds',`
-	gen_require(`
-		type crond_t;
-	')
-
-	allow $1 crond_t:fd use;
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to the cron daemon.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cron_sigchld',`
-	gen_require(`
-		type crond_t;
-	')
-
-	allow $1 crond_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Read a cron daemon unnamed pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cron_read_pipes',`
-	gen_require(`
-		type crond_t;
-	')
-
-	allow $1 crond_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write cron daemon unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cron_dontaudit_write_pipes',`
-	gen_require(`
-		type crond_t;
-	')
-
-	dontaudit $1 crond_t:fifo_file write;
-')
-
-########################################
-## <summary>
-##	Read and write a cron daemon unnamed pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cron_rw_pipes',`
-	gen_require(`
-		type crond_t;
-	')
-
-	allow $1 crond_t:fifo_file { getattr read write };
-')
-
-########################################
-## <summary>
-##	Read, and write cron daemon TCP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cron_rw_tcp_sockets',`
-	gen_require(`
-		type crond_t;
-	')
-
-	allow $1 crond_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-##	Search the directory containing user cron tables.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process to performing this action.
-##	</summary>
-## </param>
-#
-interface(`cron_search_spool',`
-	gen_require(`
-		type cron_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 cron_spool_t:dir search;
-')
-
-########################################
-## <summary>
-##	Execute APM in the apm domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cron_anacron_domtrans_system_job',`
-	gen_require(`
-		type system_crond_t, anacron_exec_t;
-	')
-
-	domain_auto_trans($1,anacron_exec_t,system_crond_t)
-
-	allow $1 system_crond_t:fd use;
-	allow system_crond_t $1:fd use;
-	allow system_crond_t $1:fifo_file rw_file_perms;
-	allow system_crond_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Inherit and use a file descriptor
-##	from system cron jobs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cron_use_system_job_fds',`
-	gen_require(`
-		type system_crond_t;
-	')
-
-	allow $1 system_crond_t:fd use;
-')
-
-########################################
-## <summary>
-##	Write a system cron job unnamed pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cron_write_system_job_pipes',`
-	gen_require(`
-		type system_crond_t;
-	')
-
-	allow $1 system_crond_t:file write;
-')
-
-########################################
-## <summary>
-##	Read and write a system cron job unnamed pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cron_rw_system_job_pipes',`
-	gen_require(`
-		type system_crond_t;
-	')
-
-	allow $1 system_crond_t:fifo_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read temporary files from the system cron jobs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cron_read_system_job_tmp_files',`
-	gen_require(`
-		type system_crond_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 system_crond_tmp_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to append temporary
-##	files from the system cron jobs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`cron_dontaudit_append_system_job_tmp_files',`
-	gen_require(`
-		type system_crond_tmp_t;
-	')
-
-	dontaudit $1 system_crond_tmp_t:file append;
-')
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
deleted file mode 100644
index 3b48afb..0000000
--- a/refpolicy/policy/modules/services/cron.te
+++ /dev/null
@@ -1,446 +0,0 @@
-
-policy_module(cron,1.3.9)
-
-gen_require(`
-	class passwd rootok;
-')
-
-########################################
-#
-# Declarations
-#
-attribute cron_spool_type;
-
-type anacron_exec_t;
-corecmd_executable_file(anacron_exec_t)
-
-type cron_spool_t;
-files_type(cron_spool_t)
-
-type crond_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type crond_exec_t;
-')
-init_daemon_domain(crond_t,crond_exec_t)
-domain_interactive_fd(crond_t)
-domain_cron_exemption_source(crond_t)
-
-type crond_tmp_t;
-files_tmp_file(crond_tmp_t)
-
-type crond_var_run_t;
-files_pid_file(crond_var_run_t)
-
-type crontab_exec_t;
-corecmd_executable_file(crontab_exec_t)
-
-type system_cron_spool_t, cron_spool_type;
-files_type(system_cron_spool_t)
-
-ifdef(`targeted_policy',`
-	typealias crond_t alias system_crond_t;
-',`
-	type system_crond_t;
-')
-init_daemon_domain(system_crond_t,anacron_exec_t)
-corecmd_shell_entry_type(system_crond_t)
-role system_r types system_crond_t;
-
-type system_crond_lock_t;
-files_lock_file(system_crond_lock_t)
-
-type system_crond_tmp_t;
-files_tmp_file(system_crond_tmp_t)
-
-ifdef(`targeted_policy',`
-	type sysadm_cron_spool_t;
-	files_type(sysadm_cron_spool_t)
-')
-
-########################################
-#
-# Cron Local policy
-#
-
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow crond_t self:process { setexec setfscreate };
-allow crond_t self:fd use;
-allow crond_t self:fifo_file rw_file_perms;
-allow crond_t self:unix_dgram_socket create_socket_perms;
-allow crond_t self:unix_stream_socket create_stream_socket_perms;
-allow crond_t self:unix_dgram_socket sendto;
-allow crond_t self:unix_stream_socket connectto;
-allow crond_t self:shm create_shm_perms;
-allow crond_t self:sem create_sem_perms;
-allow crond_t self:msgq create_msgq_perms;
-allow crond_t self:msg { send receive };
-
-allow crond_t crond_var_run_t:file create_file_perms;
-files_pid_filetrans(crond_t,crond_var_run_t,file)
-
-allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file r_file_perms;
-allow crond_t system_cron_spool_t:dir r_dir_perms;
-allow crond_t system_cron_spool_t:file r_file_perms;
-
-kernel_read_kernel_sysctls(crond_t)
-dev_read_sysfs(crond_t)
-selinux_get_fs_mount(crond_t)
-selinux_validate_context(crond_t)
-selinux_compute_access_vector(crond_t)
-selinux_compute_create_context(crond_t)
-selinux_compute_relabel_context(crond_t)
-selinux_compute_user_contexts(crond_t)
-
-dev_read_urand(crond_t)
-
-fs_getattr_all_fs(crond_t)
-fs_search_auto_mountpoints(crond_t)
-
-term_dontaudit_use_console(crond_t)
-
-# need auth_chkpwd to check for locked accounts.
-auth_domtrans_chk_passwd(crond_t)
-
-corecmd_exec_shell(crond_t)
-corecmd_list_sbin(crond_t)
-corecmd_read_sbin_symlinks(crond_t)
-
-domain_use_interactive_fds(crond_t)
-
-files_read_etc_files(crond_t)
-files_read_generic_spool(crond_t)
-files_list_usr(crond_t)
-# Read from /var/spool/cron.
-files_search_var_lib(crond_t)
-files_search_default(crond_t)
-
-init_use_fds(crond_t)
-init_use_script_ptys(crond_t)
-init_rw_utmp(crond_t)
-
-libs_use_ld_so(crond_t)
-libs_use_shared_libs(crond_t)
-
-logging_send_syslog_msg(crond_t)
-
-seutil_read_config(crond_t)
-seutil_read_default_contexts(crond_t)
-seutil_sigchld_newrole(crond_t)
-
-miscfiles_read_localization(crond_t)
-
-userdom_use_unpriv_users_fds(crond_t)
-# Not sure why this is needed
-userdom_list_all_users_home_dirs(crond_t)
-
-ifdef(`distro_redhat', `
-	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-	# via redirection of standard out.
-	optional_policy(`
-		rpm_manage_log(crond_t)
-	')
-')
-
-ifdef(`targeted_policy',`
-	allow crond_t system_crond_tmp_t:dir create_dir_perms;
-	allow crond_t system_crond_tmp_t:file create_file_perms;
-	allow crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
-	allow crond_t system_crond_tmp_t:sock_file create_file_perms;
-	allow crond_t system_crond_tmp_t:fifo_file create_file_perms;
-	files_tmp_filetrans(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
-
-	unconfined_domain(crond_t)
-
-	userdom_manage_generic_user_home_content_dirs(crond_t)
-	userdom_manage_generic_user_home_content_files(crond_t)
-	userdom_manage_generic_user_home_content_symlinks(crond_t)
-	userdom_manage_generic_user_home_content_sockets(crond_t)
-	userdom_manage_generic_user_home_content_pipes(crond_t)
-	userdom_generic_user_home_dir_filetrans_generic_user_home_content(crond_t,{ dir file lnk_file fifo_file sock_file })
-
-	allow crond_t unconfined_t:dbus send_msg;
-	allow crond_t initrc_t:dbus send_msg;
-
-	optional_policy(`
-		mono_domtrans(crond_t)
-	')
-',`
-	allow crond_t crond_tmp_t:dir create_dir_perms;
-	allow crond_t crond_tmp_t:file create_file_perms;
-	files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
-
-	mta_send_mail(crond_t)
-')
-
-tunable_policy(`fcron_crond', `
-	allow crond_t system_cron_spool_t:file create_file_perms;
-')
-
-optional_policy(`
-	amavis_search_lib(crond_t)
-')
-
-optional_policy(`
-	hal_dbus_send(crond_t)
-')
-
-optional_policy(`
-	# cjp: why?
-	munin_search_lib(crond_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(crond_t)
-')
-
-optional_policy(`
-	nscd_socket_use(crond_t)
-')
-
-optional_policy(`
-	# Commonly used from postinst scripts
-	rpm_read_pipes(crond_t)
-')
-
-optional_policy(`
-	# allow crond to find /usr/lib/postgresql/bin/do.maintenance
-	postgresql_search_db(crond_t)
-')
-
-optional_policy(`
-	udev_read_db(crond_t)
-')
-
-########################################
-#
-# System cron process domain
-#
-
-optional_policy(`
-	# cjp: why?
-	squid_domtrans(system_crond_t)
-')
-
-ifdef(`targeted_policy',`
-	# cjp: FIXME
-	allow crond_t unconfined_t:process transition;
-',`
-	allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-	allow system_crond_t self:process { signal_perms setsched };
-	allow system_crond_t self:fifo_file rw_file_perms;
-	allow system_crond_t self:passwd rootok;
-
-	# The entrypoint interface is not used as this is not
-	# a regular entrypoint.  Since crontab files are
-	# not directly executed, crond must ensure that
-	# the crontab file has a type that is appropriate
-	# for the domain of the user cron job.  It
-	# performs an entrypoint permission check
-	# for this purpose.
-	allow system_crond_t system_cron_spool_t:file entrypoint;
-
-	allow system_crond_t system_cron_spool_t:file r_file_perms;
-
-	# Permit a transition from the crond_t domain to this domain.
-	# The transition is requested explicitly by the modified crond 
-	# via setexeccon.  There is no way to set up an automatic
-	# transition, since crontabs are configuration files, not executables.
-	allow crond_t system_crond_t:process transition;
-	dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
-	allow crond_t system_crond_t:fd use;
-	allow system_crond_t crond_t:fd use;
-	allow system_crond_t crond_t:fifo_file rw_file_perms;
-	allow system_crond_t crond_t:process sigchld;
-
-	# Write /var/lock/makewhatis.lock.
-	allow system_crond_t system_crond_lock_t:file create_file_perms;
-	files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
-
-	# write temporary files
-	allow system_crond_t system_crond_tmp_t:file create_file_perms;
-	files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
-
-	# write temporary files in crond tmp dir:
-	allow system_crond_t crond_tmp_t:dir rw_dir_perms;
-	type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
-
-	# Read from /var/spool/cron.
-	allow system_crond_t cron_spool_t:dir r_dir_perms;
-	allow system_crond_t cron_spool_t:file r_file_perms;
-
-	kernel_read_kernel_sysctls(system_crond_t)
-	kernel_read_system_state(system_crond_t)
-	kernel_read_software_raid_state(system_crond_t)
-
-	# ps does not need to access /boot when run from cron
-	files_dontaudit_search_boot(system_crond_t)
-
-	corecmd_exec_all_executables(system_crond_t)
-
-	corenet_non_ipsec_sendrecv(system_crond_t)
-	corenet_tcp_sendrecv_all_if(system_crond_t)
-	corenet_udp_sendrecv_all_if(system_crond_t)
-	corenet_tcp_sendrecv_all_nodes(system_crond_t)
-	corenet_udp_sendrecv_all_nodes(system_crond_t)
-	corenet_tcp_sendrecv_all_ports(system_crond_t)
-	corenet_udp_sendrecv_all_ports(system_crond_t)
-
-	dev_getattr_all_blk_files(system_crond_t)
-	dev_getattr_all_chr_files(system_crond_t)
-	dev_read_urand(system_crond_t)
-
-	fs_getattr_all_fs(system_crond_t)
-	fs_getattr_all_files(system_crond_t)
-	fs_getattr_all_symlinks(system_crond_t)
-	fs_getattr_all_pipes(system_crond_t)
-	fs_getattr_all_sockets(system_crond_t)
-
-	# quiet other ps operations
-	domain_dontaudit_read_all_domains_state(system_crond_t)
-
-	files_exec_etc_files(system_crond_t)
-	files_read_etc_files(system_crond_t)
-	files_read_etc_runtime_files(system_crond_t)
-	files_list_all(system_crond_t)
-	files_getattr_all_dirs(system_crond_t)
-	files_getattr_all_files(system_crond_t)
-	files_getattr_all_symlinks(system_crond_t)
-	files_getattr_all_pipes(system_crond_t)
-	files_getattr_all_sockets(system_crond_t)
-	files_read_usr_files(system_crond_t)
-	files_read_var_files(system_crond_t)
-	# for nscd:
-	files_dontaudit_search_pids(system_crond_t)
-	# Access other spool directories like
-	# /var/spool/anacron and /var/spool/slrnpull.
-	files_manage_generic_spool(system_crond_t)
-
-	init_use_fds(system_crond_t)
-	init_use_script_fds(system_crond_t)
-	init_use_script_ptys(system_crond_t)
-	init_read_utmp(system_crond_t)
-	init_dontaudit_rw_utmp(system_crond_t)
-	# prelink tells init to restart it self, we either need to allow or dontaudit
-	init_write_initctl(system_crond_t)
-
-	libs_use_ld_so(system_crond_t)
-	libs_use_shared_libs(system_crond_t)
-	libs_exec_lib_files(system_crond_t)
-	libs_exec_ld_so(system_crond_t)
-
-	logging_read_generic_logs(system_crond_t)
-	logging_send_syslog_msg(system_crond_t)
-
-	miscfiles_read_localization(system_crond_t)
-	miscfiles_manage_man_pages(system_crond_t)
-
-	seutil_read_config(system_crond_t)
-
-	mta_send_mail(system_crond_t)
-
-	ifdef(`distro_redhat', `
-		# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-		# via redirection of standard out.
-		optional_policy(`
-			rpm_manage_log(system_crond_t)
-		')
-	')
-
-	tunable_policy(`cron_can_relabel',`
-		seutil_domtrans_setfiles(system_crond_t)
-		seutil_domtrans_restorecon(system_crond_t)
-	',`
-		selinux_get_fs_mount(system_crond_t)
-		selinux_validate_context(system_crond_t)
-		selinux_compute_access_vector(system_crond_t)
-		selinux_compute_create_context(system_crond_t)
-		selinux_compute_relabel_context(system_crond_t)
-		selinux_compute_user_contexts(system_crond_t)
-		seutil_read_file_contexts(system_crond_t)
-	')
-
-	optional_policy(`
-		# Needed	 for certwatch
-		apache_exec_modules(system_crond_t)
-		apache_read_config(system_crond_t)
-		apache_read_log(system_crond_t)
-		apache_read_sys_content(system_crond_t)
-	')
-
-	optional_policy(`
-		cyrus_manage_data(system_crond_t)
-	')
-
-	optional_policy(`
-		ftp_read_log(system_crond_t)
-	')
-
-	optional_policy(`
-		inn_manage_log(system_crond_t)
-		inn_manage_pid(system_crond_t)
-		inn_read_config(system_crond_t)
-	')
-
-	optional_policy(`
-		mrtg_append_create_logs(system_crond_t)
-	')
-
-	optional_policy(`
-		mta_send_mail(system_crond_t)
-	')
-
-	optional_policy(`
-		mysql_read_config(system_crond_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind(system_crond_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use(system_crond_t)
-	')
-
-	optional_policy(`
-		postfix_read_config(system_crond_t)
-	')	
-
-	optional_policy(`
-		prelink_read_cache(system_crond_t)
-		prelink_manage_log(system_crond_t)
-		prelink_delete_cache(system_crond_t)
-	')
-
-	optional_policy(`
-		samba_read_config(system_crond_t)
-		samba_read_log(system_crond_t)
-		#samba_read_secrets(system_crond_t)
-	')
-
-	optional_policy(`
-		slocate_create_append_log(system_crond_t)
-	')
-
-	optional_policy(`
-		sysstat_manage_log(system_crond_t)
-	')
-
-	ifdef(`TODO',`
-	dontaudit userdomain system_crond_t:fd use;
-
-	allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
-
-	# for if /var/mail is a symlink
-	allow system_crond_t mail_spool_t:lnk_file read;
-
-	ifdef(`mta.te', `
-	allow mta_user_agent system_crond_t:fd use;
-	r_dir_file(system_mail_t, crond_tmp_t)
-	')
-	') dnl end TODO
-')
diff --git a/refpolicy/policy/modules/services/cups.fc b/refpolicy/policy/modules/services/cups.fc
deleted file mode 100644
index 44831b1..0000000
--- a/refpolicy/policy/modules/services/cups.fc
+++ /dev/null
@@ -1,54 +0,0 @@
-
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
-/etc/cups(/.*)?			gen_context(system_u:object_r:cupsd_etc_t,s0)
-/etc/cups/classes\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/cupsd\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/lpoptions.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
-/etc/hp(/.*)?			gen_context(system_u:object_r:hplip_etc_t,s0)
-
-/etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
-/usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-
-/usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-
-/usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hpiod		--	gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-photod	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-
-/usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
-/usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/hpssd.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
-
-/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/cups(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
-/var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
-/var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
-
-/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
-/var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
-
-/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
deleted file mode 100644
index 5f3a5cb..0000000
--- a/refpolicy/policy/modules/services/cups.if
+++ /dev/null
@@ -1,249 +0,0 @@
-## <summary>Common UNIX printing system</summary>
-
-########################################
-## <summary>
-##	Execute cups in the cups domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`cups_domtrans',`
-	gen_require(`
-		type cupsd_t, cupsd_exec_t;
-	')
-
-	domain_auto_trans($1,cupsd_exec_t,cupsd_t)
-
-	allow $1 cupsd_t:fd use;
-	allow cupsd_t $1:fd use;
-	allow cupsd_t $1:fifo_file rw_file_perms;
-	allow cupsd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Connect to cupsd over an unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_stream_connect',`
-	gen_require(`
-		type cupsd_t, cupsd_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 cupsd_var_run_t:dir search;
-	allow $1 cupsd_var_run_t:sock_file { getattr write };
-	allow $1 cupsd_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Connect to cups over TCP.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_tcp_connect',`
-	gen_require(`
-		type cupsd_t;
-	')
-
-	allow $1 cupsd_t:tcp_socket { connectto recvfrom };
-	allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	cups over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_dbus_chat',`
-	gen_require(`
-		type cupsd_t;
-		class dbus send_msg;
-	')
-
-	allow $1 cupsd_t:dbus send_msg;
-	allow cupsd_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Execute cups_config in the cups_config domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`cups_domtrans_config',`
-	gen_require(`
-		type cupsd_config_t, cupsd_config_exec_t;
-	')
-
-	domain_auto_trans($1,cupsd_config_exec_t,cupsd_config_t)
-
-	allow $1 cupsd_config_t:fd use;
-	allow cupsd_config_t $1:fd use;
-	allow cupsd_config_t $1:fifo_file rw_file_perms;
-	allow cupsd_config_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send generic signals to the cups
-##	configuration daemon.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_signal_config',`
-	gen_require(`
-		type cupsd_config_t;
-	')
-
-	allow $1 cupsd_config_t:process signal;
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	cupsd_config over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_dbus_chat_config',`
-	gen_require(`
-		type cupsd_config_t;
-		class dbus send_msg;
-	')
-
-	allow $1 cupsd_config_t:dbus send_msg;
-	allow cupsd_config_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Read cups configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_read_config',`
-	gen_require(`
-		type cupsd_etc_t, cupsd_rw_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 cupsd_etc_t:dir search_dir_perms;
-	allow $1 cupsd_etc_t:file { getattr read };
-	allow $1 cupsd_rw_etc_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read cups-writable configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_read_rw_config',`
-	gen_require(`
-		type cupsd_etc_t, cupsd_rw_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 cupsd_etc_t:dir search_dir_perms;
-	allow $1 cupsd_rw_etc_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read cups log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_read_log',`
-	gen_require(`
-		type cupsd_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 cupsd_log_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Write cups log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_write_log',`
-	gen_require(`
-		type cupsd_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 cupsd_log_t:file write;
-')
-
-########################################
-## <summary>
-##	Connect to ptal over an unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_stream_connect_ptal',`
-	gen_require(`
-		type ptal_t, ptal_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 ptal_var_run_t:dir search;
-	allow $1 ptal_var_run_t:sock_file write;
-	allow $1 ptal_t:unix_stream_socket connectto;
-')
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
deleted file mode 100644
index 48ed810..0000000
--- a/refpolicy/policy/modules/services/cups.te
+++ /dev/null
@@ -1,738 +0,0 @@
-
-policy_module(cups,1.3.10)
-
-########################################
-#
-# Declarations
-#
-
-type cupsd_config_t;
-type cupsd_config_exec_t;
-init_daemon_domain(cupsd_config_t,cupsd_config_exec_t)
-
-type cupsd_config_var_run_t;
-files_pid_file(cupsd_config_var_run_t)
-
-type cupsd_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type cupsd_exec_t;
-')
-init_daemon_domain(cupsd_t,cupsd_exec_t)
-
-type cupsd_etc_t;
-files_config_file(cupsd_etc_t)
-
-type cupsd_rw_etc_t;
-files_config_file(cupsd_rw_etc_t)
-
-type cupsd_log_t;
-logging_log_file(cupsd_log_t)
-
-type cupsd_lpd_t;
-type cupsd_lpd_exec_t;
-domain_type(cupsd_lpd_t)
-domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t)
-role system_r types cupsd_lpd_t;
-
-type cupsd_lpd_tmp_t;
-files_tmp_file(cupsd_lpd_tmp_t)
-
-type cupsd_lpd_var_run_t;
-files_pid_file(cupsd_lpd_var_run_t)
-
-type cupsd_tmp_t;
-files_tmp_file(cupsd_tmp_t)
-
-type cupsd_var_run_t;
-files_pid_file(cupsd_var_run_t)
-
-type hplip_t;
-type hplip_exec_t;
-init_daemon_domain(hplip_t,hplip_exec_t)
-
-type hplip_etc_t;
-files_config_file(hplip_etc_t)
-
-type hplip_var_run_t;
-files_pid_file(hplip_var_run_t)
-
-type ptal_t;
-type ptal_exec_t;
-init_daemon_domain(ptal_t,ptal_exec_t)
-
-type ptal_etc_t;
-files_config_file(ptal_etc_t)
-
-type ptal_var_run_t;
-files_pid_file(ptal_var_run_t)
-
-########################################
-#
-# Cups local policy
-#
-
-# /usr/lib/cups/backend/serial needs sys_admin(?!)
-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
-dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:process { setsched signal_perms };
-allow cupsd_t self:fifo_file rw_file_perms;
-allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow cupsd_t self:unix_dgram_socket create_socket_perms;
-allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
-allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
-allow cupsd_t self:udp_socket create_socket_perms;
-allow cupsd_t self:appletalk_socket create_socket_perms;
-# generic socket here until appletalk socket is available in kernels
-allow cupsd_t self:socket create_socket_perms;
-
-allow cupsd_t cupsd_etc_t:file { r_file_perms setattr };
-allow cupsd_t cupsd_etc_t:dir { rw_dir_perms setattr };
-allow cupsd_t cupsd_etc_t:lnk_file { getattr read };
-files_search_etc(cupsd_t)
-
-allow cupsd_t cupsd_rw_etc_t:file manage_file_perms;
-allow cupsd_t cupsd_rw_etc_t:dir manage_dir_perms;
-type_transition cupsd_t cupsd_etc_t:file cupsd_rw_etc_t;
-files_var_filetrans(cupsd_t,cupsd_rw_etc_t,{ dir file })
-
-# allow cups to execute its backend scripts
-can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
-allow cupsd_t cupsd_exec_t:lnk_file read;
-
-allow cupsd_t cupsd_log_t:file create_file_perms;
-allow cupsd_t cupsd_log_t:dir { setattr rw_dir_perms };
-logging_log_filetrans(cupsd_t,cupsd_log_t,{ file dir })
-
-allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
-allow cupsd_t cupsd_tmp_t:file create_file_perms;
-allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
-files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
-
-allow cupsd_t cupsd_var_run_t:file create_file_perms;
-allow cupsd_t cupsd_var_run_t:dir { setattr rw_dir_perms };
-allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
-
-allow cupsd_t hplip_var_run_t:file { read getattr };
-
-allow cupsd_t ptal_var_run_t:dir search;
-allow cupsd_t ptal_var_run_t:sock_file { write setattr };
-allow cupsd_t ptal_t:unix_stream_socket connectto;
-
-kernel_read_system_state(cupsd_t)
-kernel_read_network_state(cupsd_t)
-kernel_read_all_sysctls(cupsd_t)
-kernel_tcp_recvfrom(cupsd_t)
-
-corenet_non_ipsec_sendrecv(cupsd_t)
-corenet_tcp_sendrecv_all_if(cupsd_t)
-corenet_udp_sendrecv_all_if(cupsd_t)
-corenet_raw_sendrecv_all_if(cupsd_t)
-corenet_tcp_sendrecv_all_nodes(cupsd_t)
-corenet_udp_sendrecv_all_nodes(cupsd_t)
-corenet_raw_sendrecv_all_nodes(cupsd_t)
-corenet_tcp_sendrecv_all_ports(cupsd_t)
-corenet_udp_sendrecv_all_ports(cupsd_t)
-corenet_tcp_bind_all_nodes(cupsd_t)
-corenet_udp_bind_all_nodes(cupsd_t)
-corenet_tcp_bind_ipp_port(cupsd_t)
-corenet_udp_bind_ipp_port(cupsd_t)
-corenet_tcp_bind_reserved_port(cupsd_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
-corenet_tcp_connect_all_ports(cupsd_t)
-corenet_sendrecv_hplip_client_packets(cupsd_t)
-corenet_sendrecv_ipp_client_packets(cupsd_t)
-corenet_sendrecv_ipp_server_packets(cupsd_t)
-
-dev_rw_printer(cupsd_t)
-dev_read_urand(cupsd_t)
-dev_read_sysfs(cupsd_t)
-dev_read_usbfs(cupsd_t)
-
-fs_getattr_all_fs(cupsd_t)
-fs_search_auto_mountpoints(cupsd_t)
-# from old usercanread attrib:
-fs_read_removable_files(cupsd_t)
-
-term_dontaudit_use_console(cupsd_t)
-term_write_unallocated_ttys(cupsd_t)
-term_search_ptys(cupsd_t)
-
-auth_domtrans_chk_passwd(cupsd_t)
-auth_dontaudit_read_pam_pid(cupsd_t)
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-corecmd_exec_shell(cupsd_t)
-corecmd_exec_bin(cupsd_t)
-corecmd_exec_sbin(cupsd_t)
-
-domain_use_interactive_fds(cupsd_t)
-
-files_read_etc_files(cupsd_t)
-files_read_etc_runtime_files(cupsd_t)
-# read python modules
-files_read_usr_files(cupsd_t)
-# for /var/lib/defoma
-files_search_var_lib(cupsd_t)
-files_list_world_readable(cupsd_t)
-files_read_world_readable_files(cupsd_t)
-files_read_world_readable_symlinks(cupsd_t)
-# Satisfy readahead
-files_read_var_files(cupsd_t)
-files_read_var_symlinks(cupsd_t)
-# for /etc/printcap
-files_dontaudit_write_etc_files(cupsd_t)
-
-init_use_fds(cupsd_t)
-init_use_script_ptys(cupsd_t)
-init_exec_script_files(cupsd_t)
-
-libs_use_ld_so(cupsd_t)
-libs_use_shared_libs(cupsd_t)
-# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-libs_read_lib_files(cupsd_t)
-
-logging_send_syslog_msg(cupsd_t)
-
-miscfiles_read_localization(cupsd_t)
-# invoking ghostscript needs to read fonts
-miscfiles_read_fonts(cupsd_t)
-
-seutil_dontaudit_read_config(cupsd_t)
-
-sysnet_read_config(cupsd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
-userdom_dontaudit_search_all_users_home_content(cupsd_t)
-
-# Write to /var/spool/cups.
-lpd_manage_spool(cupsd_t)
-
-ifdef(`targeted_policy',`
-	files_dontaudit_read_root_files(cupsd_t)
-
-	term_dontaudit_use_unallocated_ttys(cupsd_t)
-	term_dontaudit_use_generic_ptys(cupsd_t)
-
-	init_stream_connect_script(cupsd_t)
-
-	unconfined_read_pipes(cupsd_t)
-
-	optional_policy(`
-		init_dbus_chat_script(cupsd_t)
-
-		unconfined_dbus_send(cupsd_t)
-
-		dbus_stub(cupsd_t)
-	')
-')
-
-optional_policy(`
-	cron_system_entry(cupsd_t, cupsd_exec_t)
-')
-
-optional_policy(`
-	dbus_system_bus_client_template(cupsd,cupsd_t)
-	dbus_send_system_bus(cupsd_t)
-
-	userdom_dbus_send_all_users(cupsd_t)
-
-	optional_policy(`
-		hal_dbus_chat(cupsd_t)
-	')
-')
-
-optional_policy(`
-	hostname_exec(cupsd_t)
-')
-
-optional_policy(`
-	inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(cupsd_t)
-')
-
-optional_policy(`
-	portmap_udp_chat(cupsd_t)
-')
-
-optional_policy(`
-	# from old usercanread attrib:
-	rpc_read_nfs_content(cupsd_t)
-	rpc_read_nfs_state_data(cupsd_t)
-')
-
-optional_policy(`
-	samba_rw_var_files(cupsd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(cupsd_t)
-')
-
-optional_policy(`
-	udev_read_db(cupsd_t)
-')
-
-optional_policy(`
-	# from old usercanread attrib:
-	usermanage_read_crack_db(cupsd_t)
-')
-
-optional_policy(`
-	# from old usercanread attrib:
-	xserver_read_xkb_libs(cupsd_t)
-')
-
-ifdef(`TODO',`
-allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
-allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
-allow cupsd_t kernel_t:tcp_socket recvfrom;
-allow web_client_domain kernel_t:tcp_socket recvfrom;
-') dnl end TODO
-
-allow cupsd_t usercanread:dir r_dir_perms;
-allow cupsd_t usercanread:file r_file_perms;
-allow cupsd_t usercanread:lnk_file { getattr read };
-
-########################################
-#
-# Cups configuration daemon local policy
-#
-
-allow cupsd_config_t self:capability { chown sys_tty_config };
-dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process signal_perms;
-allow cupsd_config_t self:fifo_file rw_file_perms;
-allow cupsd_config_t self:unix_stream_socket create_socket_perms;
-allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
-allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
-allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
-
-# old can_ps() on cupsd_t:
-allow cupsd_config_t cupsd_t:process { signal };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-allow cupsd_config_t cupsd_t:dir { search getattr read };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { read getattr };
-allow cupsd_config_t cupsd_t:process getattr;
-
-allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
-allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
-
-can_exec(cupsd_config_t, cupsd_config_exec_t) 
-
-allow cupsd_config_t cupsd_etc_t:dir rw_dir_perms;
-allow cupsd_config_t cupsd_etc_t:file create_file_perms;
-allow cupsd_config_t cupsd_etc_t:lnk_file create_lnk_perms;
-type_transition cupsd_config_t cupsd_etc_t:file cupsd_rw_etc_t;
-
-allow cupsd_config_t cupsd_log_t:file rw_file_perms;
-
-allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
-allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
-allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
-files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
-
-allow cupsd_config_t cupsd_tmp_t:file create_file_perms;
-files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
-
-allow cupsd_config_t cupsd_var_run_t:file { getattr read };
-
-kernel_read_system_state(cupsd_config_t)
-kernel_read_kernel_sysctls(cupsd_config_t)
-kernel_tcp_recvfrom(cupsd_config_t)
-
-corenet_non_ipsec_sendrecv(cupsd_config_t)
-corenet_tcp_sendrecv_all_if(cupsd_config_t)
-corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
-corenet_tcp_sendrecv_all_ports(cupsd_config_t)
-corenet_tcp_connect_all_ports(cupsd_config_t)
-corenet_sendrecv_all_client_packets(cupsd_config_t)
-
-dev_read_sysfs(cupsd_config_t)
-dev_read_urand(cupsd_config_t)
-dev_read_rand(cupsd_config_t)
-
-fs_getattr_all_fs(cupsd_config_t)
-fs_search_auto_mountpoints(cupsd_config_t)
-
-term_dontaudit_use_console(cupsd_config_t)
-
-corecmd_exec_bin(cupsd_config_t)
-corecmd_exec_sbin(cupsd_config_t)
-corecmd_exec_shell(cupsd_config_t)
-
-domain_use_interactive_fds(cupsd_config_t)
-# killall causes the following
-domain_dontaudit_search_all_domains_state(cupsd_config_t)
-
-files_read_usr_files(cupsd_config_t)
-files_read_etc_files(cupsd_config_t)
-files_read_etc_runtime_files(cupsd_config_t)
-files_read_var_symlinks(cupsd_config_t)
-
-init_use_fds(cupsd_config_t)
-init_use_script_ptys(cupsd_config_t)
-# Alternatives asks for this
-init_getattr_script_files(cupsd_config_t)
-
-libs_use_ld_so(cupsd_config_t)
-libs_use_shared_libs(cupsd_config_t)
-
-logging_send_syslog_msg(cupsd_config_t)
-
-miscfiles_read_localization(cupsd_config_t)
-
-seutil_dontaudit_search_config(cupsd_config_t)
-
-sysnet_read_config(cupsd_config_t)
-
-userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
-userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
-
-lpd_read_config(cupsd_config_t)
-
-cups_stream_connect(cupsd_config_t)
-
-ifdef(`distro_redhat',`
-	init_getattr_script_files(cupsd_config_t)
-
-	optional_policy(`
-		rpm_read_db(cupsd_config_t)
-	')
-')
-
-ifdef(`targeted_policy', `
-	files_dontaudit_read_root_files(cupsd_config_t)
-
-	term_dontaudit_use_unallocated_ttys(cupsd_config_t)
-	term_use_generic_ptys(cupsd_config_t)
-
-	unconfined_rw_pipes(cupsd_config_t)
-')
-
-optional_policy(`
-	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
-')
-
-optional_policy(`
-	dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
-	dbus_connect_system_bus(cupsd_config_t)
-	dbus_send_system_bus(cupsd_config_t)
-
-	optional_policy(`
-		hal_dbus_chat(cupsd_config_t)
-	')
-')
-
-optional_policy(`
-	hal_domtrans(cupsd_config_t)
-	hal_read_tmp_files(cupsd_config_t)
-')
-
-optional_policy(`
-	hostname_exec(cupsd_config_t)
-')
-
-optional_policy(`
-	logrotate_use_fds(cupsd_config_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(cupsd_config_t)
-')
-
-optional_policy(`
-	nscd_socket_use(cupsd_config_t)
-')
-
-optional_policy(`
-	rpm_read_db(cupsd_config_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(cupsd_config_t)
-')
-
-optional_policy(`
-	udev_read_db(cupsd_config_t)
-')
-
-########################################
-#
-# Cups lpd support
-#
-
-allow cupsd_lpd_t self:process signal_perms;
-allow cupsd_lpd_t self:fifo_file rw_file_perms;
-allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
-allow cupsd_lpd_t self:udp_socket create_socket_perms;
-allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-# for identd
-# cjp: this should probably only be inetd_child rules?
-allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow cupsd_lpd_t self:capability { setuid setgid };
-files_search_home(cupsd_lpd_t)
-optional_policy(`
-	kerberos_use(cupsd_lpd_t)
-')
-#end for identd
-
-allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
-allow cupsd_lpd_t cupsd_etc_t:file r_file_perms;
-allow cupsd_lpd_t cupsd_etc_t:lnk_file { getattr read };
-
-allow cupsd_lpd_t cupsd_lpd_tmp_t:dir create_dir_perms;
-allow cupsd_lpd_t cupsd_lpd_tmp_t:file create_file_perms;
-files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
-
-allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
-allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file)
-
-allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
-allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
-allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read };
-
-kernel_read_kernel_sysctls(cupsd_lpd_t)
-kernel_read_system_state(cupsd_lpd_t)
-kernel_read_network_state(cupsd_lpd_t)
-
-corenet_non_ipsec_sendrecv(cupsd_lpd_t)
-corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
-corenet_udp_sendrecv_all_if(cupsd_lpd_t)
-corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
-corenet_udp_sendrecv_all_nodes(cupsd_lpd_t)
-corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
-corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
-corenet_tcp_bind_all_nodes(cupsd_lpd_t)
-corenet_udp_bind_all_nodes(cupsd_lpd_t)
-corenet_tcp_connect_ipp_port(cupsd_lpd_t)
-
-dev_read_urand(cupsd_lpd_t)
-
-fs_getattr_xattr_fs(cupsd_lpd_t)
-
-files_read_etc_files(cupsd_lpd_t)
-
-libs_use_ld_so(cupsd_lpd_t)
-libs_use_shared_libs(cupsd_lpd_t)
-
-logging_send_syslog_msg(cupsd_lpd_t)
-
-miscfiles_read_localization(cupsd_lpd_t)
-
-sysnet_read_config(cupsd_lpd_t)
-
-cups_stream_connect(cupsd_lpd_t)
-
-optional_policy(`
-	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(cupsd_lpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(cupsd_lpd_t)
-')
-
-########################################
-#
-# HPLIP local policy
-#
-
-allow hplip_t self:capability net_raw;
-dontaudit hplip_t self:capability sys_tty_config;
-allow hplip_t self:fifo_file rw_file_perms;
-allow hplip_t self:process signal_perms;
-allow hplip_t self:unix_dgram_socket create_socket_perms;
-allow hplip_t self:unix_stream_socket create_socket_perms;
-allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
-allow hplip_t self:tcp_socket create_stream_socket_perms;
-allow hplip_t self:udp_socket create_socket_perms;
-allow hplip_t self:rawip_socket create_socket_perms;
-
-allow hplip_t cupsd_etc_t:dir search;
-
-cups_stream_connect(hplip_t)
-
-allow hplip_t hplip_etc_t:file r_file_perms;
-allow hplip_t hplip_etc_t:dir r_dir_perms;
-allow hplip_t hplip_etc_t:lnk_file { getattr read };
-files_search_etc(hplip_t)
-
-allow hplip_t hplip_var_run_t:file create_file_perms;
-allow hplip_t hplip_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-
-kernel_read_system_state(hplip_t)
-kernel_read_kernel_sysctls(hplip_t)
-
-corenet_non_ipsec_sendrecv(hplip_t)
-corenet_tcp_sendrecv_all_if(hplip_t)
-corenet_udp_sendrecv_all_if(hplip_t)
-corenet_raw_sendrecv_all_if(hplip_t)
-corenet_tcp_sendrecv_all_nodes(hplip_t)
-corenet_udp_sendrecv_all_nodes(hplip_t)
-corenet_raw_sendrecv_all_nodes(hplip_t)
-corenet_tcp_sendrecv_all_ports(hplip_t)
-corenet_udp_sendrecv_all_ports(hplip_t)
-corenet_tcp_bind_all_nodes(hplip_t)
-corenet_udp_bind_all_nodes(hplip_t)
-corenet_tcp_bind_hplip_port(hplip_t)
-corenet_tcp_connect_hplip_port(hplip_t)
-corenet_tcp_connect_ipp_port(hplip_t)
-corenet_sendrecv_hplip_client_packets(hplip_t)
-corenet_receive_hplip_server_packets(hplip_t)
-
-dev_read_sysfs(hplip_t)
-dev_rw_printer(hplip_t)
-dev_read_urand(hplip_t)
-dev_read_rand(hplip_t)
-dev_rw_generic_usb_dev(hplip_t)
-
-fs_getattr_all_fs(hplip_t)
-fs_search_auto_mountpoints(hplip_t)
-
-term_dontaudit_use_console(hplip_t)
-
-# for python
-corecmd_exec_bin(hplip_t)
-corecmd_search_sbin(hplip_t)
-
-domain_use_interactive_fds(hplip_t)
-
-files_read_etc_files(hplip_t)
-files_read_etc_runtime_files(hplip_t)
-files_read_usr_files(hplip_t)
-
-init_use_fds(hplip_t)
-init_use_script_ptys(hplip_t)
-
-libs_use_ld_so(hplip_t)
-libs_use_shared_libs(hplip_t)
-
-logging_send_syslog_msg(hplip_t)
-
-miscfiles_read_localization(hplip_t)
-
-sysnet_read_config(hplip_t)
-
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
-userdom_dontaudit_search_all_users_home_content(hplip_t)
-
-lpd_read_config(cupsd_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(hplip_t)
-	term_dontaudit_use_generic_ptys(hplip_t)
-	files_dontaudit_read_root_files(hplip_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(hplip_t)
-')
-
-optional_policy(`
-	snmp_read_snmp_var_lib_files(hplip_t)
-')
-
-optional_policy(`
-	udev_read_db(hplip_t)
-')
-
-########################################
-#
-# PTAL local policy
-#
-
-allow ptal_t self:capability { chown sys_rawio };
-dontaudit ptal_t self:capability sys_tty_config;
-allow ptal_t self:fifo_file rw_file_perms;
-allow ptal_t self:unix_dgram_socket create_socket_perms;
-allow ptal_t self:unix_stream_socket create_stream_socket_perms;
-allow ptal_t self:tcp_socket create_stream_socket_perms;
-
-allow ptal_t ptal_etc_t:file r_file_perms;
-allow ptal_t ptal_etc_t:dir r_dir_perms;
-allow ptal_t ptal_etc_t:lnk_file { getattr read };
-files_search_etc(ptal_t)
-
-allow ptal_t ptal_var_run_t:dir create_dir_perms;
-allow ptal_t ptal_var_run_t:file create_file_perms;
-allow ptal_t ptal_var_run_t:lnk_file create_lnk_perms;
-allow ptal_t ptal_var_run_t:sock_file create_file_perms;
-allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
-files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
-
-allow ptal_t ptal_var_run_t:file create_file_perms;
-allow ptal_t ptal_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ptal_t,ptal_var_run_t,file)
-
-kernel_read_kernel_sysctls(ptal_t)
-kernel_list_proc(ptal_t)
-kernel_read_proc_symlinks(ptal_t)
-
-corenet_non_ipsec_sendrecv(ptal_t)
-corenet_tcp_sendrecv_all_if(ptal_t)
-corenet_tcp_sendrecv_all_nodes(ptal_t)
-corenet_tcp_sendrecv_all_ports(ptal_t)
-corenet_tcp_bind_all_nodes(ptal_t)
-corenet_tcp_bind_ptal_port(ptal_t)
-
-dev_read_sysfs(ptal_t)
-dev_read_usbfs(ptal_t)
-dev_rw_printer(ptal_t)
-
-fs_getattr_all_fs(ptal_t)
-fs_search_auto_mountpoints(ptal_t)
-
-term_dontaudit_use_console(ptal_t)
-
-domain_use_interactive_fds(ptal_t)
-
-files_read_etc_files(ptal_t)
-files_read_etc_runtime_files(ptal_t)
-
-init_use_fds(ptal_t)
-init_use_script_ptys(ptal_t)
-
-libs_use_ld_so(ptal_t)
-libs_use_shared_libs(ptal_t)
-
-logging_send_syslog_msg(ptal_t)
-
-miscfiles_read_localization(ptal_t)
-
-sysnet_read_config(ptal_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-userdom_dontaudit_search_all_users_home_content(ptal_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(ptal_t)
-	term_dontaudit_use_generic_ptys(ptal_t)
-	files_dontaudit_read_root_files(ptal_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ptal_t)
-')
-
-optional_policy(`
-	udev_read_db(ptal_t)
-')
diff --git a/refpolicy/policy/modules/services/cvs.fc b/refpolicy/policy/modules/services/cvs.fc
deleted file mode 100644
index 689a960..0000000
--- a/refpolicy/policy/modules/services/cvs.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-
-/opt/cvs(/.*)?		gen_context(system_u:object_r:cvs_data_t,s0)
-
-/usr/bin/cvs	--	gen_context(system_u:object_r:cvs_exec_t,s0)
-
-/var/cvs(/.*)?		gen_context(system_u:object_r:cvs_data_t,s0)
-
diff --git a/refpolicy/policy/modules/services/cvs.if b/refpolicy/policy/modules/services/cvs.if
deleted file mode 100644
index 380a139..0000000
--- a/refpolicy/policy/modules/services/cvs.if
+++ /dev/null
@@ -1,39 +0,0 @@
-## <summary>Concurrent versions system</summary>
-
-########################################
-## <summary>
-##	Read the CVS data and metadata.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cvs_read_data',`
-	gen_require(`
-		type cvs_data_t;
-	')
-
-	allow $1 cvs_data_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to execute cvs
-##	in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cvs_exec',`
-	gen_require(`
-		type cvs_exec_t;
-	')
-
-	can_exec($1,cvs_exec_t)
-')
-
diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te
deleted file mode 100644
index fe2e4b0..0000000
--- a/refpolicy/policy/modules/services/cvs.te
+++ /dev/null
@@ -1,104 +0,0 @@
-
-policy_module(cvs,1.2.1)
-
-########################################
-#
-# Declarations
-#
-
-type cvs_t;
-type cvs_exec_t;
-inetd_tcp_service_domain(cvs_t,cvs_exec_t)
-role system_r types cvs_t;
-
-type cvs_data_t; # customizable
-files_type(cvs_data_t)
-
-type cvs_tmp_t;
-files_tmp_file(cvs_tmp_t)
-
-type cvs_var_run_t;
-files_pid_file(cvs_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow cvs_t self:process signal_perms;
-allow cvs_t self:fifo_file rw_file_perms;
-allow cvs_t self:tcp_socket connected_stream_socket_perms;
-# for identd; cjp: this should probably only be inetd_child rules?
-allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow cvs_t self:capability { setuid setgid };
-
-allow cvs_t cvs_data_t:dir create_dir_perms;
-allow cvs_t cvs_data_t:file create_file_perms;
-allow cvs_t cvs_data_t:lnk_file create_lnk_perms;
-
-allow cvs_t cvs_tmp_t:dir create_dir_perms;
-allow cvs_t cvs_tmp_t:file create_file_perms;
-files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
-
-allow cvs_t cvs_var_run_t:file create_file_perms;
-allow cvs_t cvs_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cvs_t,cvs_var_run_t,file)
-
-kernel_read_kernel_sysctls(cvs_t)
-kernel_read_system_state(cvs_t)
-kernel_read_network_state(cvs_t)
-
-corenet_non_ipsec_sendrecv(cvs_t)
-corenet_tcp_sendrecv_all_if(cvs_t)
-corenet_udp_sendrecv_all_if(cvs_t)
-corenet_tcp_sendrecv_all_nodes(cvs_t)
-corenet_udp_sendrecv_all_nodes(cvs_t)
-corenet_tcp_sendrecv_all_ports(cvs_t)
-corenet_udp_sendrecv_all_ports(cvs_t)
-
-dev_read_urand(cvs_t)
-
-fs_getattr_xattr_fs(cvs_t)
-
-auth_domtrans_chk_passwd(cvs_t)
-
-corecmd_exec_bin(cvs_t)
-corecmd_exec_sbin(cvs_t)
-corecmd_exec_shell(cvs_t)
-
-files_read_etc_files(cvs_t)
-files_read_etc_runtime_files(cvs_t)
-# for identd; cjp: this should probably only be inetd_child rules?
-files_search_home(cvs_t)
-
-libs_use_ld_so(cvs_t)
-libs_use_shared_libs(cvs_t)
-
-logging_send_syslog_msg(cvs_t)
-
-miscfiles_read_localization(cvs_t)
-
-sysnet_read_config(cvs_t)
-
-mta_send_mail(cvs_t)
-
-# cjp: typeattribute doesnt work in conditionals yet
-auth_can_read_shadow_passwords(cvs_t)
-tunable_policy(`allow_cvs_read_shadow',`
-	auth_tunable_read_shadow(cvs_t)
-')
-
-optional_policy(`
-	kerberos_use(cvs_t)
-	kerberos_read_keytab(cvs_t)
-	kerberos_read_config(cvs_t)
-	kerberos_dontaudit_write_config(cvs_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(cvs_t)
-')
-
-optional_policy(`
-	nscd_socket_use(cvs_t)
-')
diff --git a/refpolicy/policy/modules/services/cyrus.fc b/refpolicy/policy/modules/services/cyrus.fc
deleted file mode 100644
index 86a9d7e..0000000
--- a/refpolicy/policy/modules/services/cyrus.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-
-/usr/lib(64)?/cyrus-imapd/cyrus-master	--	gen_context(system_u:object_r:cyrus_exec_t,s0)
-
-/var/lib/imap(/.*)?				gen_context(system_u:object_r:cyrus_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/services/cyrus.if b/refpolicy/policy/modules/services/cyrus.if
deleted file mode 100644
index 30d552e..0000000
--- a/refpolicy/policy/modules/services/cyrus.if
+++ /dev/null
@@ -1,44 +0,0 @@
-## <summary>Cyrus is an IMAP service intended to be run on sealed servers</summary>
-
-########################################
-## <summary>
-##	Allow caller to create, read, write,
-##	and delete cyrus data files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cyrus_manage_data',`
-	gen_require(`
-		type cyrus_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 cyrus_var_lib_t:dir rw_dir_perms;
-	allow $1 cyrus_var_lib_t:file manage_file_perms;
-')
-
-
-########################################
-## <summary>
-##	Connect to Cyrus using a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cyrus_stream_connect',`
-	gen_require(`
-		type cyrus_t, cyrus_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 cyrus_var_lib_t:dir search;
-	allow $1 cyrus_var_lib_t:sock_file write;
-	allow $1 cyrus_t:unix_stream_socket connectto;
-')
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
deleted file mode 100644
index 21dc5da..0000000
--- a/refpolicy/policy/modules/services/cyrus.te
+++ /dev/null
@@ -1,139 +0,0 @@
-
-policy_module(cyrus,1.1.3)
-
-########################################
-#
-# Declarations
-#
-
-type cyrus_t;
-type cyrus_exec_t;
-init_daemon_domain(cyrus_t,cyrus_exec_t)
-
-type cyrus_tmp_t;
-files_tmp_file(cyrus_tmp_t)
-
-type cyrus_var_lib_t;
-files_type(cyrus_var_lib_t)
-
-type cyrus_var_run_t;
-files_pid_file(cyrus_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-dontaudit cyrus_t self:capability sys_tty_config;
-allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow cyrus_t self:process setrlimit;
-allow cyrus_t self:fd use;
-allow cyrus_t self:fifo_file rw_file_perms;
-allow cyrus_t self:sock_file r_file_perms;
-allow cyrus_t self:shm create_shm_perms;
-allow cyrus_t self:sem create_sem_perms;
-allow cyrus_t self:msgq create_msgq_perms;
-allow cyrus_t self:msg { send receive };
-allow cyrus_t self:unix_dgram_socket create_socket_perms;
-allow cyrus_t self:unix_stream_socket create_stream_socket_perms;
-allow cyrus_t self:unix_dgram_socket sendto;
-allow cyrus_t self:unix_stream_socket connectto;
-allow cyrus_t self:tcp_socket create_stream_socket_perms;
-allow cyrus_t self:udp_socket create_socket_perms;
-
-allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
-allow cyrus_t cyrus_tmp_t:file create_file_perms;
-files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
-
-allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
-files_pid_filetrans(cyrus_t,cyrus_var_run_t,file)
-
-allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
-allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
-allow cyrus_t cyrus_var_run_t:file create_file_perms;
-files_pid_filetrans(cyrus_t,cyrus_var_run_t,{ file sock_file })
-
-kernel_read_kernel_sysctls(cyrus_t)
-kernel_read_system_state(cyrus_t)
-kernel_read_all_sysctls(cyrus_t)
-
-corenet_non_ipsec_sendrecv(cyrus_t)
-corenet_tcp_sendrecv_all_if(cyrus_t)
-corenet_udp_sendrecv_all_if(cyrus_t)
-corenet_tcp_sendrecv_all_nodes(cyrus_t)
-corenet_udp_sendrecv_all_nodes(cyrus_t)
-corenet_tcp_sendrecv_all_ports(cyrus_t)
-corenet_udp_sendrecv_all_ports(cyrus_t)
-corenet_tcp_bind_all_nodes(cyrus_t)
-corenet_tcp_bind_mail_port(cyrus_t)
-corenet_tcp_bind_pop_port(cyrus_t)
-corenet_tcp_connect_all_ports(cyrus_t)
-corenet_sendrecv_mail_server_packets(cyrus_t)
-corenet_sendrecv_pop_server_packets(cyrus_t)
-corenet_sendrecv_all_client_packets(cyrus_t)
-
-dev_read_rand(cyrus_t)
-dev_read_urand(cyrus_t)
-dev_read_sysfs(cyrus_t)
-
-fs_getattr_all_fs(cyrus_t)
-fs_search_auto_mountpoints(cyrus_t)
-
-term_dontaudit_use_console(cyrus_t)
-
-corecmd_exec_bin(cyrus_t)
-
-domain_use_interactive_fds(cyrus_t)
-
-files_list_var_lib(cyrus_t)
-files_read_etc_files(cyrus_t)
-files_read_etc_runtime_files(cyrus_t)
-
-init_use_fds(cyrus_t)
-init_use_script_ptys(cyrus_t)
-
-libs_use_ld_so(cyrus_t)
-libs_use_shared_libs(cyrus_t)
-libs_exec_lib_files(cyrus_t)
-
-logging_send_syslog_msg(cyrus_t)
-
-miscfiles_read_localization(cyrus_t)
-miscfiles_read_certs(cyrus_t)
-
-sysnet_read_config(cyrus_t)
-
-userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
-userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
-userdom_use_unpriv_users_fds(cyrus_t)
-userdom_use_sysadm_ptys(cyrus_t)
-
-mta_manage_spool(cyrus_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(cyrus_t)
-	term_dontaudit_use_generic_ptys(cyrus_t)
-	files_dontaudit_read_root_files(cyrus_t)
-')
-
-optional_policy(`
-	cron_system_entry(cyrus_t,cyrus_exec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(cyrus_t)
-')
-
-optional_policy(`
-	sasl_connect(cyrus_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(cyrus_t)
-')
-
-optional_policy(`
-	udev_read_db(cyrus_t)
-')
diff --git a/refpolicy/policy/modules/services/dante.fc b/refpolicy/policy/modules/services/dante.fc
deleted file mode 100644
index 5071bae..0000000
--- a/refpolicy/policy/modules/services/dante.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-
-/etc/socks(/.*)?		gen_context(system_u:object_r:dante_conf_t,s0)
-
-/usr/sbin/sockd		--	gen_context(system_u:object_r:dante_exec_t,s0)
-
-/var/run/sockd.pid	--	gen_context(system_u:object_r:dante_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/dante.if b/refpolicy/policy/modules/services/dante.if
deleted file mode 100644
index 704661c..0000000
--- a/refpolicy/policy/modules/services/dante.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Dante msproxy and socks4/5 proxy server</summary>
diff --git a/refpolicy/policy/modules/services/dante.te b/refpolicy/policy/modules/services/dante.te
deleted file mode 100644
index 149677d..0000000
--- a/refpolicy/policy/modules/services/dante.te
+++ /dev/null
@@ -1,93 +0,0 @@
-
-policy_module(dante,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type dante_t;
-type dante_exec_t;
-init_daemon_domain(dante_t,dante_exec_t)
-
-type dante_conf_t;
-files_type(dante_conf_t)
-
-type dante_var_run_t;
-files_pid_file(dante_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow dante_t self:capability { setuid setgid };
-dontaudit dante_t self:capability sys_tty_config;
-allow dante_t self:process signal_perms;
-allow dante_t self:fifo_file { read write };
-allow dante_t self:tcp_socket create_stream_socket_perms;
-allow dante_t self:udp_socket create_socket_perms;
-
-allow dante_t dante_conf_t:dir r_dir_perms;
-allow dante_t dante_conf_t:file r_file_perms;
-
-allow dante_t dante_var_run_t:file create_file_perms;
-allow dante_t dante_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dante_t,dante_var_run_t,file)
-
-kernel_read_kernel_sysctls(dante_t)
-kernel_list_proc(dante_t)
-kernel_read_proc_symlinks(dante_t)
-
-corenet_non_ipsec_sendrecv(dante_t)
-corenet_tcp_sendrecv_generic_if(dante_t)
-corenet_udp_sendrecv_generic_if(dante_t)
-corenet_tcp_sendrecv_all_nodes(dante_t)
-corenet_udp_sendrecv_all_nodes(dante_t)
-corenet_tcp_sendrecv_all_ports(dante_t)
-corenet_udp_sendrecv_all_ports(dante_t)
-corenet_tcp_bind_all_nodes(dante_t)
-#TODO: no portcons for this type
-#allow dante_t socks_port_t:tcp_socket name_bind;
-
-dev_read_sysfs(dante_t)
-
-domain_use_interactive_fds(dante_t)
-
-files_read_etc_files(dante_t)
-files_read_etc_runtime_files(dante_t)
-
-fs_getattr_all_fs(dante_t)
-fs_search_auto_mountpoints(dante_t)
-
-term_dontaudit_use_console(dante_t)
-
-init_use_fds(dante_t)
-init_use_script_ptys(dante_t)
-init_write_utmp(dante_t)
-
-libs_use_ld_so(dante_t)
-libs_use_shared_libs(dante_t)
-
-logging_send_syslog_msg(dante_t)
-
-miscfiles_read_localization(dante_t)
-
-sysnet_read_config(dante_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dante_t)
-userdom_dontaudit_search_sysadm_home_dirs(dante_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(dante_t)
-	term_dontaudit_use_generic_ptys(dante_t)
-	files_dontaudit_read_root_files(dante_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(dante_t)
-')
-
-optional_policy(`
-	udev_read_db(dante_t)
-')
diff --git a/refpolicy/policy/modules/services/dbskk.fc b/refpolicy/policy/modules/services/dbskk.fc
deleted file mode 100644
index 7af2590..0000000
--- a/refpolicy/policy/modules/services/dbskk.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/sbin/dbskkd-cdb	--	gen_context(system_u:object_r:dbskkd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/dbskk.if b/refpolicy/policy/modules/services/dbskk.if
deleted file mode 100644
index 9e71004..0000000
--- a/refpolicy/policy/modules/services/dbskk.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Dictionary server for the SKK Japanese input method system.</summary>
diff --git a/refpolicy/policy/modules/services/dbskk.te b/refpolicy/policy/modules/services/dbskk.te
deleted file mode 100644
index 914627c..0000000
--- a/refpolicy/policy/modules/services/dbskk.te
+++ /dev/null
@@ -1,81 +0,0 @@
-
-policy_module(dbskk,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type dbskkd_t;
-type dbskkd_exec_t;
-inetd_service_domain(dbskkd_t,dbskkd_exec_t)
-role system_r types dbskkd_t;
-
-type dbskkd_tmp_t;
-files_tmp_file(dbskkd_tmp_t)
-
-type dbskkd_var_run_t;
-files_pid_file(dbskkd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow dbskkd_t self:process signal_perms;
-allow dbskkd_t self:fifo_file rw_file_perms;
-allow dbskkd_t self:tcp_socket connected_stream_socket_perms;
-allow dbskkd_t self:udp_socket create_socket_perms;
-
-# for identd
-# cjp: this should probably only be inetd_child rules?
-allow dbskkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow dbskkd_t self:capability { setuid setgid };
-files_search_home(dbskkd_t)
-optional_policy(`
-	kerberos_use(dbskkd_t)
-')
-#end for identd
-
-allow dbskkd_t dbskkd_tmp_t:dir create_dir_perms;
-allow dbskkd_t dbskkd_tmp_t:file create_file_perms;
-files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
-
-allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
-allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dbskkd_t,dbskkd_var_run_t,file)
-
-kernel_read_kernel_sysctls(dbskkd_t)
-kernel_read_system_state(dbskkd_t)
-kernel_read_network_state(dbskkd_t)
-
-corenet_non_ipsec_sendrecv(dbskkd_t)
-corenet_tcp_sendrecv_all_if(dbskkd_t)
-corenet_udp_sendrecv_all_if(dbskkd_t)
-corenet_tcp_sendrecv_all_nodes(dbskkd_t)
-corenet_udp_sendrecv_all_nodes(dbskkd_t)
-corenet_tcp_sendrecv_all_ports(dbskkd_t)
-corenet_udp_sendrecv_all_ports(dbskkd_t)
-
-dev_read_urand(dbskkd_t)
-
-fs_getattr_xattr_fs(dbskkd_t)
-
-files_read_etc_files(dbskkd_t)
-
-libs_use_ld_so(dbskkd_t)
-libs_use_shared_libs(dbskkd_t)
-
-logging_send_syslog_msg(dbskkd_t)
-
-miscfiles_read_localization(dbskkd_t)
-
-sysnet_read_config(dbskkd_t)
-
-optional_policy(`
-	nis_use_ypbind(dbskkd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(dbskkd_t)
-')
diff --git a/refpolicy/policy/modules/services/dbus.fc b/refpolicy/policy/modules/services/dbus.fc
deleted file mode 100644
index 8004713..0000000
--- a/refpolicy/policy/modules/services/dbus.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-/etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
-
-# Sorting does not work correctly if I combine these next two roles
-/usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
-/bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
-/var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
deleted file mode 100644
index dd77cfc..0000000
--- a/refpolicy/policy/modules/services/dbus.if
+++ /dev/null
@@ -1,351 +0,0 @@
-## <summary>Desktop messaging bus</summary>
-
-########################################
-## <summary>
-##	DBUS stub interface.  No access allowed.
-## </summary>
-## <param name="domain" optional="true">
-##	<summary>
-##	N/A
-##	</summary>
-## </param>
-#
-interface(`dbus_stub',`
-	gen_require(`
-		type system_dbusd_t;
-	')
-')
-
-#######################################
-## <summary>
-##	The per user domain template for the dbus module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is
-##	used for the user dbus.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`dbus_per_userdomain_template',`
-
-	##############################
-	#
-	# Delcarations
-	#
-	type $1_dbusd_t;
-	domain_type($1_dbusd_t)
-	domain_entry_file($1_dbusd_t,system_dbusd_exec_t)
-	role $3 types $1_dbusd_t;
-
-	type $1_dbusd_$1_t;
-
-	type $1_dbusd_tmp_t;
-	files_tmp_file($1_dbusd_tmp_t)
-
-	##############################
-	#
-	# Local policy
-	#
-
-	allow $1_dbusd_t self:process { getattr sigkill signal };
-	allow $1_dbusd_t self:file { getattr read write };
-	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-	allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
-	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
-	allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
-
-	# For connecting to the bus
-	allow $2 $1_dbusd_t:unix_stream_socket connectto;
-	type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
-
-	# SE-DBus specific permissions
-	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-	allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
-	allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
-
-	allow $1_dbusd_t dbusd_etc_t:dir r_dir_perms;
-	allow $1_dbusd_t dbusd_etc_t:file r_file_perms;
-	allow $1_dbusd_t dbusd_etc_t:lnk_file { getattr read };
-
-	allow $1_dbusd_t $1_dbusd_tmp_t:dir create_dir_perms;
-	allow $1_dbusd_t $1_dbusd_tmp_t:file create_file_perms;
-	files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
-
-	domain_auto_trans($2, system_dbusd_exec_t, $1_dbusd_t)
-	allow $2 $1_dbusd_t:fd use;
-	allow $1_dbusd_t $2:fd use;
-	allow $1_dbusd_t $2:fifo_file rw_file_perms;
-	allow $1_dbusd_t $2:process sigchld;
-
-	allow $2 $1_dbusd_t:process { sigkill signal };
-
-	kernel_read_system_state($1_dbusd_t)
-	kernel_read_kernel_sysctls($1_dbusd_t)
-
-	corenet_non_ipsec_sendrecv($1_dbusd_t)
-	corenet_tcp_sendrecv_all_if($1_dbusd_t)
-	corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
-	corenet_tcp_sendrecv_all_ports($1_dbusd_t)
-	corenet_tcp_bind_all_nodes($1_dbusd_t)
-	corenet_tcp_bind_reserved_port($1_dbusd_t)
-
-	dev_read_urand($1_dbusd_t)
-
-	selinux_get_fs_mount($1_dbusd_t)
-	selinux_validate_context($1_dbusd_t)
-	selinux_compute_access_vector($1_dbusd_t)
-	selinux_compute_create_context($1_dbusd_t)
-	selinux_compute_relabel_context($1_dbusd_t)
-	selinux_compute_user_contexts($1_dbusd_t)
-
-	corecmd_list_bin($1_dbusd_t)
-	corecmd_read_bin_symlinks($1_dbusd_t)
-	corecmd_read_bin_files($1_dbusd_t)
-	corecmd_read_bin_pipes($1_dbusd_t)
-	corecmd_read_bin_sockets($1_dbusd_t)
-	corecmd_list_sbin($1_dbusd_t)
-	corecmd_read_sbin_symlinks($1_dbusd_t)
-	corecmd_read_sbin_files($1_dbusd_t)
-	corecmd_read_sbin_pipes($1_dbusd_t)
-	corecmd_read_sbin_sockets($1_dbusd_t)
-
-	files_read_etc_files($1_dbusd_t)
-	files_list_home($1_dbusd_t)
-	files_read_usr_files($1_dbusd_t)
-	files_dontaudit_search_var($1_dbusd_t)
-
-	libs_use_ld_so($1_dbusd_t)
-	libs_use_shared_libs($1_dbusd_t)
-
-	logging_send_syslog_msg($1_dbusd_t)
-
-	miscfiles_read_localization($1_dbusd_t)
-
-	seutil_read_config($1_dbusd_t)
-	seutil_read_default_contexts($1_dbusd_t)
-
-	sysnet_read_config($1_dbusd_t)
-
-	tunable_policy(`read_default_t',`
-		files_list_default($1_dbusd_t)
-		files_read_default_files($1_dbusd_t)
-		files_read_default_symlinks($1_dbusd_t)
-		files_read_default_sockets($1_dbusd_t)
-		files_read_default_pipes($1_dbusd_t)
-	')
-
-	optional_policy(`
-		auth_read_pam_console_data($1_dbusd_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_dbusd_t)
-	')
-
-	optional_policy(`
-		xserver_use_xdm_fds($1_dbusd_t)
-		xserver_rw_xdm_pipes($1_dbusd_t)
-	')
-')
-
-#######################################
-## <summary>
-##	Template for creating connections to
-##	the system DBUS.
-## </summary>
-## <param name="domain_prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	The type of the domain.
-##	</summary>
-## </param>
-#
-template(`dbus_system_bus_client_template',`
-	gen_require(`
-		type system_dbusd_t, system_dbusd_t;
-		type system_dbusd_var_run_t;
-		class dbus send_msg;
-	')
-
-	type $1_dbusd_system_t;
-	type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
-
-	# SE-DBus specific permissions
-	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
-
-	# For connecting to the bus
-	files_search_pids($2)
-	allow $2 system_dbusd_var_run_t:dir search;
-	allow $2 system_dbusd_var_run_t:sock_file write;
-	allow $2 system_dbusd_t:unix_stream_socket connectto;
-')
-
-#######################################
-## <summary>
-##	Template for creating connections to
-##	a user DBUS.
-## </summary>
-## <param name="user_prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain_prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	The type of the domain.
-##	</summary>
-## </param>
-#
-template(`dbus_user_bus_client_template',`
-	gen_require(`
-		type $1_dbusd_t;
-		class dbus send_msg;
-	')
-
-	type $2_dbusd_$1_t;
-	type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t;
-
-	# SE-DBus specific permissions
-	allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-
-	# For connecting to the bus
-	allow $3 $1_dbusd_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Send a message on user/application specific DBUS.
-## </summary>
-## <param name="domain_prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`dbus_send_user_bus',`
-	gen_require(`
-		type $1_dbusd_t;
-		class dbus send_msg;
-	')
-
-	allow $2 $1_dbusd_t:dbus send_msg;
-')
-
-
-########################################
-## <summary>
-##	Read dbus configuration.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dbus_read_config',`
-	gen_require(`
-		type dbusd_etc_t;
-	')
-
-	allow $1 dbusd_etc_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Connect to the the system DBUS
-##	for service (acquire_svc).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dbus_connect_system_bus',`
-	gen_require(`
-		type system_dbusd_t;
-		class dbus acquire_svc;
-	')
-
-	allow $1 system_dbusd_t:dbus acquire_svc;
-')
-
-########################################
-## <summary>
-##	Send a message on the system DBUS.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dbus_send_system_bus',`
-	gen_require(`
-		type system_dbusd_t;
-		class dbus send_msg;
-	')
-
-	allow $1 system_dbusd_t:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Allow unconfined access to the system DBUS.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dbus_system_bus_unconfined',`
-	gen_require(`
-		type system_dbusd_t;
-		class dbus all_dbus_perms;
-	')
-
-	allow $1 system_dbusd_t:dbus *;
-')
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
deleted file mode 100644
index 6fd0076..0000000
--- a/refpolicy/policy/modules/services/dbus.te
+++ /dev/null
@@ -1,143 +0,0 @@
-
-policy_module(dbus,1.2.6)
-
-gen_require(`
-	class dbus { send_msg acquire_svc };
-')
-
-##############################
-#
-# Delcarations
-#
-
-type dbusd_etc_t alias etc_dbusd_t;
-files_type(dbusd_etc_t)
-
-type system_dbusd_t alias dbusd_t;
-type system_dbusd_exec_t;
-init_system_domain(system_dbusd_t,system_dbusd_exec_t)
-
-type system_dbusd_tmp_t;
-files_tmp_file(system_dbusd_tmp_t)
-
-type system_dbusd_var_run_t;
-files_pid_file(system_dbusd_var_run_t)
-
-##############################
-#
-# Local policy
-#
-
-# dac_override: /var/run/dbus is owned by messagebus on Debian
-# cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
-dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms setcap };
-allow system_dbusd_t self:fifo_file { read write };
-allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
-allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
-# Receive notifications of policy reloads and enforcing status changes.
-allow system_dbusd_t self:netlink_selinux_socket { create bind read };
-
-allow system_dbusd_t dbusd_etc_t:dir r_dir_perms;
-allow system_dbusd_t dbusd_etc_t:file r_file_perms;
-allow system_dbusd_t dbusd_etc_t:lnk_file { getattr read };
-
-allow system_dbusd_t system_dbusd_tmp_t:dir create_dir_perms;
-allow system_dbusd_t system_dbusd_tmp_t:file create_file_perms;
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
-
-allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms;
-allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
-allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
-
-kernel_read_system_state(system_dbusd_t)
-kernel_read_kernel_sysctls(system_dbusd_t)
-
-dev_read_urand(system_dbusd_t)
-dev_read_sysfs(system_dbusd_t)
-
-fs_getattr_all_fs(system_dbusd_t)
-fs_search_auto_mountpoints(system_dbusd_t)
-
-selinux_get_fs_mount(system_dbusd_t)
-selinux_validate_context(system_dbusd_t)
-selinux_compute_access_vector(system_dbusd_t)
-selinux_compute_create_context(system_dbusd_t)
-selinux_compute_relabel_context(system_dbusd_t)
-selinux_compute_user_contexts(system_dbusd_t)
-
-term_dontaudit_use_console(system_dbusd_t)
-
-auth_use_nsswitch(system_dbusd_t)
-auth_read_pam_console_data(system_dbusd_t)
-
-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_symlinks(system_dbusd_t)
-corecmd_read_bin_files(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_list_sbin(system_dbusd_t)
-corecmd_read_sbin_symlinks(system_dbusd_t)
-corecmd_read_sbin_files(system_dbusd_t)
-corecmd_read_sbin_pipes(system_dbusd_t)
-corecmd_read_sbin_sockets(system_dbusd_t)
-corecmd_exec_sbin(system_dbusd_t)
-
-domain_use_interactive_fds(system_dbusd_t)
-
-files_read_etc_files(system_dbusd_t)
-files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
-
-init_use_fds(system_dbusd_t)
-init_use_script_ptys(system_dbusd_t)
-
-libs_use_ld_so(system_dbusd_t)
-libs_use_shared_libs(system_dbusd_t)
-
-logging_send_syslog_msg(system_dbusd_t)
-
-miscfiles_read_localization(system_dbusd_t)
-miscfiles_read_certs(system_dbusd_t)
-
-seutil_read_config(system_dbusd_t)
-seutil_read_default_contexts(system_dbusd_t)
-seutil_sigchld_newrole(system_dbusd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
-userdom_dontaudit_search_sysadm_home_dirs(system_dbusd_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(system_dbusd_t)
-	term_dontaudit_use_generic_ptys(system_dbusd_t)
-	files_dontaudit_read_root_files(system_dbusd_t)
-')
-
-tunable_policy(`read_default_t',`
-	files_list_default(system_dbusd_t)
-	files_read_default_files(system_dbusd_t)
-	files_read_default_symlinks(system_dbusd_t)
-	files_read_default_sockets(system_dbusd_t)
-	files_read_default_pipes(system_dbusd_t)
-')
-
-optional_policy(`
-	bind_domtrans(system_dbusd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(system_dbusd_t)
-')
-
-optional_policy(`
-	sysnet_domtrans_dhcpc(system_dbusd_t)
-')
-
-optional_policy(`
-	udev_read_db(system_dbusd_t)
-')
diff --git a/refpolicy/policy/modules/services/dcc.fc b/refpolicy/policy/modules/services/dcc.fc
deleted file mode 100644
index 45efbf1..0000000
--- a/refpolicy/policy/modules/services/dcc.fc
+++ /dev/null
@@ -1,18 +0,0 @@
-/etc/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
-/etc/dcc/dccifd			-s	gen_context(system_u:object_r:dccifd_var_run_t,s0)
-/etc/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
-
-/usr/bin/cdcc			--	gen_context(system_u:object_r:cdcc_exec_t,s0)
-/usr/bin/dccproc		--	gen_context(system_u:object_r:dcc_client_exec_t,s0)
-
-/usr/libexec/dcc/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
-/usr/libexec/dcc/dccd		--	gen_context(system_u:object_r:dccd_exec_t,s0)
-/usr/libexec/dcc/dccifd		--	gen_context(system_u:object_r:dccifd_exec_t,s0)
-/usr/libexec/dcc/dccm		--	gen_context(system_u:object_r:dccm_exec_t,s0)
-
-/var/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
-/var/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
-
-/var/run/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_run_t,s0)
-/var/run/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
-/var/run/dcc/dccifd		-s	gen_context(system_u:object_r:dccifd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/dcc.if b/refpolicy/policy/modules/services/dcc.if
deleted file mode 100644
index ea9083f..0000000
--- a/refpolicy/policy/modules/services/dcc.if
+++ /dev/null
@@ -1,181 +0,0 @@
-## <summary>Distributed checksum clearinghouse spam filtering</summary>
-
-########################################
-## <summary>
-##	Execute cdcc in the cdcc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dcc_domtrans_cdcc',`
-	gen_require(`
-		type cdcc_t, cdcc_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,cdcc_exec_t,cdcc_t)
-	allow cdcc_t $1:fd use;
-	allow cdcc_t $1:fifo_file rw_file_perms;
-	allow cdcc_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute cdcc in the cdcc domain, and
-##	allow the specified role the cdcc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the cdcc domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the cdcc domain to use.
-##	</summary>
-## </param>
-#
-interface(`dcc_run_cdcc',`
-	gen_require(`
-		type cdcc_t;
-	')
-
-	dcc_domtrans_cdcc($1)
-	role $2 types cdcc_t;
-	allow cdcc_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute dcc_client in the dcc_client domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dcc_domtrans_client',`
-	gen_require(`
-		type dcc_client_t, dcc_client_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,dcc_client_exec_t,dcc_client_t)
-	allow dcc_client_t $1:fd use;
-	allow dcc_client_t $1:fifo_file rw_file_perms;
-	allow dcc_client_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute dcc_client in the dcc_client domain, and
-##	allow the specified role the dcc_client domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the dcc_client domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dcc_client domain to use.
-##	</summary>
-## </param>
-#
-interface(`dcc_run_client',`
-	gen_require(`
-		type dcc_client_t;
-	')
-
-	dcc_domtrans_client($1)
-	role $2 types dcc_client_t;
-	allow dcc_client_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute dbclean in the dcc_dbclean domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dcc_domtrans_dbclean',`
-	gen_require(`
-		type dcc_dbclean_t, dcc_dbclean_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,dcc_dbclean_exec_t,dcc_dbclean_t)
-	allow dcc_dbclean_t $1:fd use;
-	allow dcc_dbclean_t $1:fifo_file rw_file_perms;
-	allow dcc_dbclean_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute dbclean in the dcc_dbclean domain, and
-##	allow the specified role the dcc_dbclean domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the dcc_dbclean domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dcc_dbclean domain to use.
-##	</summary>
-## </param>
-#
-interface(`dcc_run_dbclean',`
-	gen_require(`
-		type dcc_dbclean_t;
-	')
-
-	dcc_domtrans_dbclean($1)
-	role $2 types dcc_dbclean_t;
-	allow dcc_dbclean_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Connect to dccifd over a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dcc_stream_connect_dccifd',`
-	gen_require(`
-		type dcc_var_t, dccifd_var_run_t, dccifd_t;
-	')
-
-	files_search_var($1)
-	allow $1 dcc_var_t:dir search;
-	allow $1 dccifd_var_run_t:sock_file { getattr write };
-	allow $1 dccifd_t:unix_stream_socket connectto;
-')
diff --git a/refpolicy/policy/modules/services/dcc.te b/refpolicy/policy/modules/services/dcc.te
deleted file mode 100644
index 0214b5d..0000000
--- a/refpolicy/policy/modules/services/dcc.te
+++ /dev/null
@@ -1,471 +0,0 @@
-
-policy_module(dcc,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type cdcc_t;
-type cdcc_exec_t;
-domain_type(cdcc_t)
-domain_entry_file(cdcc_t,cdcc_exec_t)
-role system_r types cdcc_t;
-
-type cdcc_tmp_t;
-files_tmp_file(cdcc_tmp_t)
-
-type dcc_client_t;
-type dcc_client_exec_t;
-domain_type(dcc_client_t)
-domain_entry_file(dcc_client_t,dcc_client_exec_t)
-role system_r types dcc_client_t;
-
-type dcc_client_map_t;
-files_type(dcc_client_map_t)
-
-type dcc_client_tmp_t;
-files_tmp_file(dcc_client_tmp_t)
-
-type dcc_dbclean_t;
-type dcc_dbclean_exec_t;
-domain_type(dcc_dbclean_t)
-domain_entry_file(dcc_dbclean_t,dcc_dbclean_exec_t)
-role system_r types dcc_dbclean_t;
-
-type dcc_dbclean_tmp_t;
-files_tmp_file(dcc_dbclean_tmp_t)
-
-type dcc_var_t;
-files_type(dcc_var_t)
-
-type dcc_var_run_t;
-files_type(dcc_var_run_t)
-
-type dccd_t;
-type dccd_exec_t;
-init_daemon_domain(dccd_t,dccd_exec_t)
-
-type dccd_tmp_t;
-files_tmp_file(dccd_tmp_t)
-
-type dccd_var_run_t;
-files_pid_file(dccd_var_run_t)
-
-type dccifd_t;
-type dccifd_exec_t;
-init_daemon_domain(dccifd_t,dccifd_exec_t)
-
-type dccifd_tmp_t;
-files_tmp_file(dccifd_tmp_t)
-
-type dccifd_var_run_t;
-files_pid_file(dccifd_var_run_t)
-
-type dccm_t;
-type dccm_exec_t;
-init_daemon_domain(dccm_t,dccm_exec_t)
-
-type dccm_tmp_t;
-files_tmp_file(dccm_tmp_t)
-
-type dccm_var_run_t;
-files_pid_file(dccm_var_run_t)
-
-# NOTE: DCC has writeable files in /etc/dcc that should probably be in
-# /var/lib/dcc.  For now this policy supports both directories being
-# writable.
-
-# cjp: dccifd and dccm should be merged, as
-# they have the same rules.
-
-########################################
-#
-# dcc daemon controller local policy
-#
-
-allow cdcc_t self:capability setuid;
-allow cdcc_t self:unix_dgram_socket create_socket_perms;
-allow cdcc_t self:udp_socket create_socket_perms;
-
-allow cdcc_t cdcc_tmp_t:dir manage_dir_perms;
-allow cdcc_t cdcc_tmp_t:file create_file_perms;
-files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
-
-allow cdcc_t dcc_client_map_t:file rw_file_perms;
-
-# Access files in /var/dcc. The map file can be updated
-allow cdcc_t dcc_var_t:dir r_dir_perms;
-allow cdcc_t dcc_var_t:file r_file_perms;
-allow cdcc_t dcc_var_t:lnk_file { getattr read };
-
-corenet_non_ipsec_sendrecv(cdcc_t)
-corenet_udp_sendrecv_generic_if(cdcc_t)
-corenet_udp_sendrecv_all_nodes(cdcc_t)
-corenet_udp_sendrecv_all_ports(cdcc_t)
-
-files_read_etc_files(cdcc_t)
-files_read_etc_runtime_files(cdcc_t)
-
-libs_use_ld_so(cdcc_t)
-libs_use_shared_libs(cdcc_t)
-
-logging_send_syslog_msg(cdcc_t)
-
-miscfiles_read_localization(cdcc_t)
-
-sysnet_read_config(cdcc_t)
-sysnet_dns_name_resolve(cdcc_t)
-
-optional_policy(`
-	nscd_socket_use(cdcc_t)
-')
-
-########################################
-#
-# dcc procmail interface local policy
-#
-
-allow dcc_client_t self:capability setuid;
-allow dcc_client_t self:unix_dgram_socket create_socket_perms;
-allow dcc_client_t self:udp_socket create_socket_perms;
-
-allow dcc_client_t dcc_client_map_t:file rw_file_perms;
-
-allow dcc_client_t dcc_client_tmp_t:dir manage_dir_perms;
-allow dcc_client_t dcc_client_tmp_t:file create_file_perms;
-files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
-
-# Access files in /var/dcc. The map file can be updated
-allow dcc_client_t dcc_var_t:dir r_dir_perms;
-allow dcc_client_t dcc_var_t:file r_file_perms;
-allow dcc_client_t dcc_var_t:lnk_file { getattr read };
-
-corenet_non_ipsec_sendrecv(dcc_client_t)
-corenet_udp_sendrecv_generic_if(dcc_client_t)
-corenet_udp_sendrecv_all_nodes(dcc_client_t)
-corenet_udp_sendrecv_all_ports(dcc_client_t)
-
-files_read_etc_files(dcc_client_t)
-files_read_etc_runtime_files(dcc_client_t)
-
-libs_use_ld_so(dcc_client_t)
-libs_use_shared_libs(dcc_client_t)
-
-logging_send_syslog_msg(dcc_client_t)
-
-miscfiles_read_localization(dcc_client_t)
-
-sysnet_read_config(dcc_client_t)
-sysnet_dns_name_resolve(dcc_client_t)
-
-optional_policy(`
-	nscd_socket_use(dcc_client_t)
-')
-
-########################################
-#
-# Database cleanup tool local policy
-#
-
-allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms;
-allow dcc_dbclean_t self:udp_socket create_socket_perms;
-
-allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
-
-allow dcc_dbclean_t dcc_dbclean_tmp_t:dir manage_dir_perms;
-allow dcc_dbclean_t dcc_dbclean_tmp_t:file create_file_perms;
-files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
-
-allow dcc_dbclean_t dcc_var_t:dir manage_dir_perms;
-allow dcc_dbclean_t dcc_var_t:file manage_file_perms;
-allow dcc_dbclean_t dcc_var_t:lnk_file create_lnk_perms;
-
-kernel_read_system_state(dcc_dbclean_t)
-
-corenet_non_ipsec_sendrecv(dcc_dbclean_t)
-corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
-corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
-corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
-
-files_read_etc_files(dcc_dbclean_t)
-files_read_etc_runtime_files(dcc_dbclean_t)
-
-libs_use_ld_so(dcc_dbclean_t)
-libs_use_shared_libs(dcc_dbclean_t)
-
-logging_send_syslog_msg(dcc_dbclean_t)
-
-miscfiles_read_localization(dcc_dbclean_t)
-
-sysnet_read_config(dcc_dbclean_t)
-sysnet_dns_name_resolve(dcc_dbclean_t)
-
-optional_policy(`
-	nscd_socket_use(dcc_dbclean_t)
-')
-
-########################################
-#
-# Server daemon local policy
-#
-
-allow dccd_t self:capability net_admin;
-dontaudit dccd_t self:capability sys_tty_config;
-allow dccd_t self:process signal_perms;
-allow dccd_t self:unix_stream_socket create_socket_perms;
-allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow dccd_t self:udp_socket create_socket_perms;
-
-allow dccd_t dcc_client_map_t:file rw_file_perms;
-
-# Access files in /var/dcc. The map file can be updated
-allow dccd_t dcc_var_t:dir r_dir_perms;
-allow dccd_t dcc_var_t:file r_file_perms;
-allow dccd_t dcc_var_t:lnk_file { getattr read };
-
-# Runs the dbclean program
-domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
-corecmd_search_bin(dccd_t)
-allow dcc_dbclean_t dccd_t:fd use;
-allow dcc_dbclean_t dccd_t:fifo_file rw_file_perms;
-allow dcc_dbclean_t dccd_t:process sigchld;
-
-# Updating dcc_db, flod, ...
-allow dccd_t dcc_var_t:dir manage_dir_perms;
-allow dccd_t dcc_var_t:file manage_file_perms;
-allow dccd_t dcc_var_t:lnk_file create_lnk_perms;
-
-allow dccd_t dccd_tmp_t:dir manage_dir_perms;
-allow dccd_t dccd_tmp_t:file create_file_perms;
-files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
-
-allow dccd_t dccd_var_run_t:file create_file_perms;
-allow dccd_t dccd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dccd_t,dccd_var_run_t,file)
-
-kernel_read_system_state(dccd_t)
-kernel_read_kernel_sysctls(dccd_t)
-
-corenet_non_ipsec_sendrecv(dccd_t)
-corenet_udp_sendrecv_generic_if(dccd_t)
-corenet_udp_sendrecv_all_nodes(dccd_t)
-corenet_udp_sendrecv_all_ports(dccd_t)
-corenet_udp_bind_all_nodes(dccd_t)
-corenet_udp_bind_dcc_port(dccd_t)
-corenet_sendrecv_dcc_server_packets(dccd_t)
-
-dev_read_sysfs(dccd_t)
-
-domain_use_interactive_fds(dccd_t)
-
-files_read_etc_files(dccd_t)
-files_read_etc_runtime_files(dccd_t)
-
-fs_getattr_all_fs(dccd_t)
-fs_search_auto_mountpoints(dccd_t)
-
-term_dontaudit_use_console(dccd_t)
-
-init_use_fds(dccd_t)
-init_use_script_ptys(dccd_t)
-
-libs_use_ld_so(dccd_t)
-libs_use_shared_libs(dccd_t)
-
-logging_send_syslog_msg(dccd_t)
-
-miscfiles_read_localization(dccd_t)
-
-sysnet_read_config(dccd_t)
-sysnet_dns_name_resolve(dccd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dccd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(dccd_t)
-	term_dontaudit_use_generic_ptys(dccd_t)
-	files_dontaudit_read_root_files(dccd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(dccd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(dccd_t)
-')
-
-optional_policy(`
-	udev_read_db(dccd_t)
-')
-
-########################################
-#
-# Spamassassin and general MTA persistent client local policy
-#
-
-dontaudit dccifd_t self:capability sys_tty_config;
-allow dccifd_t self:process signal_perms;
-allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
-allow dccifd_t self:unix_dgram_socket create_socket_perms;
-allow dccifd_t self:udp_socket create_socket_perms;
-
-allow dccifd_t dcc_client_map_t:file rw_file_perms;
-
-# Updating dcc_db, flod, ...
-allow dccifd_t dcc_var_t:dir manage_dir_perms;
-allow dccifd_t dcc_var_t:{ file sock_file fifo_file } manage_file_perms;
-allow dccifd_t dcc_var_t:lnk_file create_lnk_perms;
-
-allow dccifd_t dccifd_tmp_t:dir manage_dir_perms;
-allow dccifd_t dccifd_tmp_t:file manage_file_perms;
-files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
-
-allow dccifd_t dccifd_var_run_t:file manage_file_perms;
-allow dccifd_t dccifd_var_run_t:sock_file manage_file_perms;
-allow dccifd_t dcc_var_t:dir rw_dir_perms;
-type_transition dccifd_t dcc_var_t:{ file sock_file } dccifd_var_run_t;
-
-allow dccifd_t dccifd_var_run_t:file manage_file_perms;
-allow dccifd_t dccifd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dccifd_t,dccifd_var_run_t,file)
-
-kernel_read_system_state(dccifd_t)
-kernel_read_kernel_sysctls(dccifd_t)
-
-corenet_non_ipsec_sendrecv(dccifd_t)
-corenet_udp_sendrecv_generic_if(dccifd_t)
-corenet_udp_sendrecv_all_nodes(dccifd_t)
-corenet_udp_sendrecv_all_ports(dccifd_t)
-
-dev_read_sysfs(dccifd_t)
-
-domain_use_interactive_fds(dccifd_t)
-
-files_read_etc_files(dccifd_t)
-files_read_etc_runtime_files(dccifd_t)
-
-fs_getattr_all_fs(dccifd_t)
-fs_search_auto_mountpoints(dccifd_t)
-
-term_dontaudit_use_console(dccifd_t)
-
-init_use_fds(dccifd_t)
-init_use_script_ptys(dccifd_t)
-
-libs_use_ld_so(dccifd_t)
-libs_use_shared_libs(dccifd_t)
-
-logging_send_syslog_msg(dccifd_t)
-
-miscfiles_read_localization(dccifd_t)
-
-sysnet_read_config(dccifd_t)
-sysnet_dns_name_resolve(dccifd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(dccifd_t)
-	term_dontaudit_use_generic_ptys(dccifd_t)
-	files_dontaudit_read_root_files(dccifd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(dccifd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(dccifd_t)
-')
-
-optional_policy(`
-	udev_read_db(dccifd_t)
-')
-
-########################################
-#
-# sendmail milter client local policy
-#
-
-dontaudit dccm_t self:capability sys_tty_config;
-allow dccm_t self:process signal_perms;
-allow dccm_t self:unix_stream_socket create_stream_socket_perms;
-allow dccm_t self:unix_dgram_socket create_socket_perms;
-allow dccm_t self:udp_socket create_socket_perms;
-
-allow dccm_t dcc_client_map_t:file rw_file_perms;
-
-allow dccm_t dcc_var_t:dir manage_dir_perms;
-allow dccm_t dcc_var_t:{ file sock_file fifo_file } create_file_perms;
-allow dccm_t dcc_var_t:lnk_file create_lnk_perms;
-
-allow dccm_t dccm_tmp_t:dir manage_dir_perms;
-allow dccm_t dccm_tmp_t:file manage_file_perms;
-files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
-
-allow dccm_t dccm_var_run_t:file manage_file_perms;
-allow dccm_t dccm_var_run_t:sock_file manage_file_perms;
-allow dccm_t dcc_var_run_t:dir rw_dir_perms;
-type_transition dccm_t dcc_var_run_t:{ file sock_file } dccm_var_run_t;
-
-allow dccm_t dccm_var_run_t:file manage_file_perms;
-allow dccm_t dccm_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dccm_t,dccm_var_run_t,file)
-
-kernel_read_system_state(dccm_t)
-kernel_read_kernel_sysctls(dccm_t)
-
-corenet_non_ipsec_sendrecv(dccm_t)
-corenet_udp_sendrecv_generic_if(dccm_t)
-corenet_udp_sendrecv_all_nodes(dccm_t)
-corenet_udp_sendrecv_all_ports(dccm_t)
-
-dev_read_sysfs(dccm_t)
-
-domain_use_interactive_fds(dccm_t)
-
-files_read_etc_files(dccm_t)
-files_read_etc_runtime_files(dccm_t)
-
-fs_getattr_all_fs(dccm_t)
-fs_search_auto_mountpoints(dccm_t)
-
-term_dontaudit_use_console(dccm_t)
-
-init_use_fds(dccm_t)
-init_use_script_ptys(dccm_t)
-
-libs_use_ld_so(dccm_t)
-libs_use_shared_libs(dccm_t)
-
-logging_send_syslog_msg(dccm_t)
-
-miscfiles_read_localization(dccm_t)
-
-sysnet_read_config(dccm_t)
-sysnet_dns_name_resolve(dccm_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dccm_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(dccm_t)
-	term_dontaudit_use_generic_ptys(dccm_t)
-	files_dontaudit_read_root_files(dccm_t)
-')
-
-optional_policy(`
-	nscd_socket_use(dccm_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(dccm_t)
-')
-
-optional_policy(`
-	udev_read_db(dccm_t)
-')
diff --git a/refpolicy/policy/modules/services/ddclient.fc b/refpolicy/policy/modules/services/ddclient.fc
deleted file mode 100644
index 606d2d2..0000000
--- a/refpolicy/policy/modules/services/ddclient.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/ddclient\.conf	--	gen_context(system_u:object_r:ddclient_etc_t,s0)
-/etc/ddtcd\.conf	--	gen_context(system_u:object_r:ddclient_etc_t,s0)
-
-/usr/sbin/ddclient	--	gen_context(system_u:object_r:ddclient_exec_t,s0)
-/usr/sbin/ddtcd		--	gen_context(system_u:object_r:ddclient_exec_t,s0)
-
-/var/cache/ddclient(/.*)?	gen_context(system_u:object_r:ddclient_var_t,s0)
-/var/lib/ddt-client(/.*)?	gen_context(system_u:object_r:ddclient_var_lib_t,s0)
-/var/log/ddtcd\.log.*	--	gen_context(system_u:object_r:ddclient_log_t,s0)
-/var/run/ddclient\.pid	--	gen_context(system_u:object_r:ddclient_var_run_t,s0)
-/var/run/ddtcd\.pid	--	gen_context(system_u:object_r:ddclient_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/ddclient.if b/refpolicy/policy/modules/services/ddclient.if
deleted file mode 100644
index c1ddf99..0000000
--- a/refpolicy/policy/modules/services/ddclient.if
+++ /dev/null
@@ -1,25 +0,0 @@
-## <summary>Update dynamic IP address at DynDNS.org</summary>
-
-#######################################
-## <summary>
-##	Execute ddclient in the ddclient domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ddclient_domtrans',`
-	gen_require(`
-		type ddclient_t, ddclient_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1, ddclient_exec_t, ddclient_t)
-
-	allow $1 ddclient_t:fd use;
-	allow ddclient_t $1:fd use;
-	allow ddclient_t $1:fifo_file rw_file_perms;
-	allow ddclient_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/ddclient.te b/refpolicy/policy/modules/services/ddclient.te
deleted file mode 100644
index 633e49f..0000000
--- a/refpolicy/policy/modules/services/ddclient.te
+++ /dev/null
@@ -1,121 +0,0 @@
-
-policy_module(ddclient,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type ddclient_t;
-type ddclient_exec_t;
-init_daemon_domain(ddclient_t,ddclient_exec_t)
-
-type ddclient_etc_t;
-files_type(ddclient_etc_t)
-
-type ddclient_log_t;
-logging_log_file(ddclient_log_t)
-
-type ddclient_var_t;
-files_type(ddclient_var_t)
-
-type ddclient_var_lib_t;
-files_type(ddclient_var_lib_t)
-
-type ddclient_var_run_t;
-files_pid_file(ddclient_var_run_t)
-
-########################################
-#
-# Declarations
-#
-
-dontaudit ddclient_t self:capability sys_tty_config;
-allow ddclient_t self:process signal_perms;
-allow ddclient_t self:fifo_file rw_file_perms;
-allow ddclient_t self:tcp_socket create_socket_perms;
-allow ddclient_t self:udp_socket create_socket_perms;
-
-allow ddclient_t ddclient_etc_t:file r_file_perms;
-
-allow ddclient_t ddclient_log_t:file manage_file_perms;
-logging_log_filetrans(ddclient_t,ddclient_log_t,file)
-
-allow ddclient_t ddclient_var_t:dir manage_dir_perms;
-allow ddclient_t ddclient_var_t:file manage_file_perms;
-allow ddclient_t ddclient_var_t:lnk_file create_lnk_perms;
-allow ddclient_t ddclient_var_t:sock_file manage_file_perms;
-allow ddclient_t ddclient_var_t:fifo_file manage_file_perms;
-files_var_filetrans(ddclient_t,ddclient_var_t,{ file lnk_file sock_file fifo_file })
-
-allow ddclient_t ddclient_var_lib_t:file manage_file_perms;
-allow ddclient_t ddclient_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(ddclient_t,ddclient_var_lib_t,file)
-
-allow ddclient_t ddclient_var_run_t:file manage_file_perms;
-allow ddclient_t ddclient_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ddclient_t,ddclient_var_run_t,file)
-
-kernel_read_system_state(ddclient_t)
-kernel_read_network_state(ddclient_t)
-kernel_read_software_raid_state(ddclient_t)
-kernel_getattr_core_if(ddclient_t)
-kernel_getattr_message_if(ddclient_t)
-kernel_read_kernel_sysctls(ddclient_t)
-
-corecmd_exec_shell(ddclient_t)
-corecmd_exec_bin(ddclient_t)
-
-corenet_non_ipsec_sendrecv(ddclient_t)
-corenet_tcp_sendrecv_generic_if(ddclient_t)
-corenet_udp_sendrecv_generic_if(ddclient_t)
-corenet_tcp_sendrecv_all_nodes(ddclient_t)
-corenet_udp_sendrecv_all_nodes(ddclient_t)
-corenet_tcp_sendrecv_all_ports(ddclient_t)
-corenet_udp_sendrecv_all_ports(ddclient_t)
-corenet_tcp_connect_all_ports(ddclient_t)
-corenet_sendrecv_all_client_packets(ddclient_t)
-
-dev_read_sysfs(ddclient_t)
-dev_read_urand(ddclient_t)
-
-domain_use_interactive_fds(ddclient_t)
-
-files_read_etc_files(ddclient_t)
-files_read_etc_runtime_files(ddclient_t)
-files_read_usr_files(ddclient_t)
-
-fs_getattr_all_fs(ddclient_t)
-fs_search_auto_mountpoints(ddclient_t)
-
-term_dontaudit_use_console(ddclient_t)
-
-init_use_fds(ddclient_t)
-init_use_script_ptys(ddclient_t)
-
-libs_use_ld_so(ddclient_t)
-libs_use_shared_libs(ddclient_t)
-
-logging_send_syslog_msg(ddclient_t)
-
-miscfiles_read_localization(ddclient_t)
-
-sysnet_exec_ifconfig(ddclient_t)
-sysnet_read_config(ddclient_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
-userdom_dontaudit_search_sysadm_home_dirs(ddclient_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(ddclient_t)
-	term_dontaudit_use_generic_ptys(ddclient_t)
-	files_dontaudit_read_root_files(ddclient_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ddclient_t)
-')
-
-optional_policy(`
-	udev_read_db(ddclient_t)
-')
diff --git a/refpolicy/policy/modules/services/dhcp.fc b/refpolicy/policy/modules/services/dhcp.fc
deleted file mode 100644
index 4d40b6b..0000000
--- a/refpolicy/policy/modules/services/dhcp.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-
-/usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
-
-/var/lib/dhcpd(/.*)?			gen_context(system_u:object_r:dhcpd_state_t,s0)
-/var/lib/dhcp(3)?/dhcpd\.leases.* --	gen_context(system_u:object_r:dhcpd_state_t,s0)
-
-/var/run/dhcpd\.pid		--	gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/dhcp.if b/refpolicy/policy/modules/services/dhcp.if
deleted file mode 100644
index 349b35d..0000000
--- a/refpolicy/policy/modules/services/dhcp.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>Dynamic host configuration protocol (DHCP) server</summary>
-
-########################################
-## <summary>
-##	Set the attributes of the DCHP
-##	server state files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dhcpd_setattr_state_files',`
-	gen_require(`
-		type dhcpd_state_t;
-	')
-
-	sysnet_search_dhcp_state($1)
-	allow $1 dhcpd_state_t:file setattr;
-')
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
deleted file mode 100644
index eff134a..0000000
--- a/refpolicy/policy/modules/services/dhcp.te
+++ /dev/null
@@ -1,140 +0,0 @@
-
-policy_module(dhcp,1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-type dhcpd_t;
-type dhcpd_exec_t;
-init_daemon_domain(dhcpd_t,dhcpd_exec_t)
-
-type dhcpd_state_t;
-files_type(dhcpd_state_t)
-
-type dhcpd_tmp_t;
-files_tmp_file(dhcpd_tmp_t)
-
-type dhcpd_var_run_t;
-files_pid_file(dhcpd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow dhcpd_t self:capability net_raw;
-dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
-allow dhcpd_t self:process signal_perms;
-allow dhcpd_t self:fifo_file { read write getattr };
-allow dhcpd_t self:unix_dgram_socket create_socket_perms;
-allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
-allow dhcpd_t self:tcp_socket create_stream_socket_perms;
-allow dhcpd_t self:udp_socket create_socket_perms;
-# Allow dhcpd_t to use packet sockets
-allow dhcpd_t self:packet_socket create_socket_perms;
-allow dhcpd_t self:rawip_socket create_socket_perms;
-
-can_exec(dhcpd_t,dhcpd_exec_t)
-
-allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
-allow dhcpd_t dhcpd_state_t:file create_file_perms;
-sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t,file)
-
-allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
-allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
-files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
-
-allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
-allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
-
-kernel_read_system_state(dhcpd_t)
-kernel_read_kernel_sysctls(dhcpd_t)
-
-corenet_non_ipsec_sendrecv(dhcpd_t)
-corenet_tcp_sendrecv_all_if(dhcpd_t)
-corenet_udp_sendrecv_all_if(dhcpd_t)
-corenet_raw_sendrecv_all_if(dhcpd_t)
-corenet_tcp_sendrecv_all_nodes(dhcpd_t)
-corenet_udp_sendrecv_all_nodes(dhcpd_t)
-corenet_raw_sendrecv_all_nodes(dhcpd_t)
-corenet_tcp_sendrecv_all_ports(dhcpd_t)
-corenet_udp_sendrecv_all_ports(dhcpd_t)
-corenet_tcp_bind_all_nodes(dhcpd_t)
-corenet_udp_bind_all_nodes(dhcpd_t)
-corenet_tcp_bind_dhcpd_port(dhcpd_t)
-corenet_udp_bind_dhcpd_port(dhcpd_t)
-corenet_udp_bind_pxe_port(dhcpd_t)
-corenet_tcp_connect_all_ports(dhcpd_t)
-corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
-corenet_sendrecv_pxe_server_packets(dhcpd_t)
-corenet_sendrecv_all_client_packets(dhcpd_t)
-
-dev_read_sysfs(dhcpd_t)
-dev_read_rand(dhcpd_t)
-dev_read_urand(dhcpd_t)
-
-fs_getattr_all_fs(dhcpd_t)
-fs_search_auto_mountpoints(dhcpd_t)
-
-term_dontaudit_use_console(dhcpd_t)
-
-corecmd_exec_bin(dhcpd_t)
-corecmd_exec_sbin(dhcpd_t)
-
-domain_use_interactive_fds(dhcpd_t)
-
-files_read_etc_files(dhcpd_t)
-files_read_usr_files(dhcpd_t)
-files_read_etc_runtime_files(dhcpd_t)
-files_search_var_lib(dhcpd_t)
-
-init_use_fds(dhcpd_t)
-init_use_script_ptys(dhcpd_t)
-
-libs_use_ld_so(dhcpd_t)
-libs_use_shared_libs(dhcpd_t)
-
-logging_send_syslog_msg(dhcpd_t)
-
-miscfiles_read_localization(dhcpd_t)
-
-sysnet_read_config(dhcpd_t)
-sysnet_read_dhcp_config(dhcpd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dhcpd_t)
-
-ifdef(`distro_gentoo',`
-	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
-')
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(dhcpd_t)
-	term_dontaudit_use_generic_ptys(dhcpd_t)
-	files_dontaudit_read_root_files(dhcpd_t)
-')
-
-optional_policy(`
-	# used for dynamic DNS
-	bind_read_dnssec_keys(dhcpd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(dhcpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(dhcpd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(dhcpd_t)
-')
-
-optional_policy(`
-	udev_read_db(dhcpd_t)
-')
diff --git a/refpolicy/policy/modules/services/dictd.fc b/refpolicy/policy/modules/services/dictd.fc
deleted file mode 100644
index 1907af7..0000000
--- a/refpolicy/policy/modules/services/dictd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-
-/etc/dictd\.conf	--	gen_context(system_u:object_r:dictd_etc_t,s0)
-
-/usr/sbin/dictd		--	gen_context(system_u:object_r:dictd_exec_t,s0)
-
-/var/lib/dictd(/.*)?		gen_context(system_u:object_r:dictd_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/services/dictd.if b/refpolicy/policy/modules/services/dictd.if
deleted file mode 100644
index 5addaa1..0000000
--- a/refpolicy/policy/modules/services/dictd.if
+++ /dev/null
@@ -1,22 +0,0 @@
-## <summary>Dictionary daemon</summary>
-
-########################################
-## <summary>
-##	Use dictionary services by connecting
-##	over TCP.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dictd_tcp_connect',`
-	gen_require(`
-		type dictd_t;
-	')
-
-	allow $1 dictd_t:tcp_socket { connectto recvfrom };
-	allow dictd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
deleted file mode 100644
index 1a8ae10..0000000
--- a/refpolicy/policy/modules/services/dictd.te
+++ /dev/null
@@ -1,104 +0,0 @@
-
-policy_module(dictd,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type dictd_t;
-type dictd_exec_t;
-init_system_domain(dictd_t,dictd_exec_t)
-
-type dictd_etc_t;
-files_config_file(dictd_etc_t)
-
-type dictd_var_lib_t alias var_lib_dictd_t;
-files_type(dictd_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow dictd_t self:capability { setuid setgid };
-dontaudit dictd_t self:capability sys_tty_config;
-allow dictd_t self:process { signal_perms setpgid };
-allow dictd_t self:unix_stream_socket create_stream_socket_perms;
-allow dictd_t self:tcp_socket create_stream_socket_perms;
-allow dictd_t self:udp_socket create_socket_perms;
-
-allow dictd_t dictd_etc_t:file r_file_perms;
-files_search_etc(dictd_t)
-
-allow dictd_t dictd_var_lib_t:dir r_dir_perms;
-allow dictd_t dictd_var_lib_t:file r_file_perms;
-
-kernel_read_system_state(dictd_t)
-kernel_read_kernel_sysctls(dictd_t)
-kernel_tcp_recvfrom(dictd_t)
-
-corenet_non_ipsec_sendrecv(dictd_t)
-corenet_tcp_sendrecv_all_if(dictd_t)
-corenet_raw_sendrecv_all_if(dictd_t)
-corenet_udp_sendrecv_all_if(dictd_t)
-corenet_tcp_sendrecv_all_nodes(dictd_t)
-corenet_udp_sendrecv_all_nodes(dictd_t)
-corenet_raw_sendrecv_all_nodes(dictd_t)
-corenet_tcp_sendrecv_all_ports(dictd_t)
-corenet_udp_sendrecv_all_ports(dictd_t)
-corenet_tcp_bind_all_nodes(dictd_t)
-corenet_tcp_bind_dict_port(dictd_t)
-corenet_sendrecv_dict_server_packets(dictd_t)
-
-dev_read_sysfs(dictd_t)
-
-fs_getattr_xattr_fs(dictd_t)
-fs_search_auto_mountpoints(dictd_t)
-
-term_dontaudit_use_console(dictd_t)
-
-domain_use_interactive_fds(dictd_t)
-
-files_read_etc_files(dictd_t)
-files_read_etc_runtime_files(dictd_t)
-files_read_usr_files(dictd_t)
-files_search_var_lib(dictd_t)
-# for checking for nscd
-files_dontaudit_search_pids(dictd_t)
-
-init_use_fds(dictd_t)
-init_use_script_ptys(dictd_t)
-
-libs_use_ld_so(dictd_t)
-libs_use_shared_libs(dictd_t)
-
-logging_send_syslog_msg(dictd_t)
-
-miscfiles_read_localization(dictd_t)
-
-sysnet_read_config(dictd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dictd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(dictd_t)
-	term_dontaudit_use_generic_ptys(dictd_t)
-	files_dontaudit_read_root_files(dictd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(dictd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(dictd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(dictd_t)
-')
-
-optional_policy(`
-	udev_read_db(dictd_t)
-')
diff --git a/refpolicy/policy/modules/services/distcc.fc b/refpolicy/policy/modules/services/distcc.fc
deleted file mode 100644
index 6ce6b00..0000000
--- a/refpolicy/policy/modules/services/distcc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/bin/distccd	--	gen_context(system_u:object_r:distccd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/distcc.if b/refpolicy/policy/modules/services/distcc.if
deleted file mode 100644
index 926e959..0000000
--- a/refpolicy/policy/modules/services/distcc.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Distributed compiler daemon</summary>
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
deleted file mode 100644
index 69a89ff..0000000
--- a/refpolicy/policy/modules/services/distcc.te
+++ /dev/null
@@ -1,106 +0,0 @@
-
-policy_module(distcc,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type distccd_t;
-type distccd_exec_t;
-init_daemon_domain(distccd_t,distccd_exec_t)
-
-type distccd_log_t;
-logging_log_file(distccd_log_t)
-
-type distccd_tmp_t;
-files_tmp_file(distccd_tmp_t)
-
-type distccd_var_run_t;
-files_pid_file(distccd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow distccd_t self:capability { setgid setuid };
-dontaudit distccd_t self:capability sys_tty_config;
-allow distccd_t self:process { signal_perms setsched };
-allow distccd_t self:fifo_file { read write getattr };
-allow distccd_t self:tcp_socket create_stream_socket_perms;
-allow distccd_t self:udp_socket create_socket_perms;
-
-allow distccd_t distccd_log_t:file create_file_perms;
-logging_log_filetrans(distccd_t,distccd_log_t,file)
-
-allow distccd_t distccd_tmp_t:dir create_dir_perms;
-allow distccd_t distccd_tmp_t:file create_file_perms;
-files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
-
-allow distccd_t distccd_var_run_t:file create_file_perms;
-allow distccd_t distccd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(distccd_t,distccd_var_run_t,file)
-
-kernel_read_system_state(distccd_t)
-kernel_read_kernel_sysctls(distccd_t)
-
-corenet_non_ipsec_sendrecv(distccd_t)
-corenet_tcp_sendrecv_all_if(distccd_t)
-corenet_udp_sendrecv_all_if(distccd_t)
-corenet_tcp_sendrecv_all_nodes(distccd_t)
-corenet_udp_sendrecv_all_nodes(distccd_t)
-corenet_tcp_sendrecv_all_ports(distccd_t)
-corenet_udp_sendrecv_all_ports(distccd_t)
-corenet_tcp_bind_all_nodes(distccd_t)
-corenet_tcp_bind_distccd_port(distccd_t)
-corenet_sendrecv_distccd_server_packets(distccd_t)
-
-dev_read_sysfs(distccd_t)
-
-fs_getattr_all_fs(distccd_t)
-fs_search_auto_mountpoints(distccd_t)
-
-term_dontaudit_use_console(distccd_t)
-
-corecmd_exec_bin(distccd_t)
-corecmd_read_sbin_symlinks(distccd_t)
-
-domain_use_interactive_fds(distccd_t)
-
-files_read_etc_files(distccd_t)
-files_read_etc_runtime_files(distccd_t)
-
-init_use_fds(distccd_t)
-init_use_script_ptys(distccd_t)
-
-libs_use_ld_so(distccd_t)
-libs_use_shared_libs(distccd_t)
-libs_exec_lib_files(distccd_t)
-
-logging_send_syslog_msg(distccd_t)
-
-miscfiles_read_localization(distccd_t)
-
-sysnet_read_config(distccd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(distccd_t)
-userdom_dontaudit_search_sysadm_home_dirs(distccd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(distccd_t)
-	term_dontaudit_use_generic_ptys(distccd_t)
-	files_dontaudit_read_root_files(distccd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(distccd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(distccd_t)
-')
-
-optional_policy(`
-	udev_read_db(distccd_t)
-')
diff --git a/refpolicy/policy/modules/services/djbdns.fc b/refpolicy/policy/modules/services/djbdns.fc
deleted file mode 100644
index fdb6652..0000000
--- a/refpolicy/policy/modules/services/djbdns.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-
-/usr/bin/axfrdns		--	gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
-/usr/bin/dnscache	--	gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0)
-/usr/bin/tinydns		--	gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
-
-/var/axfrdns/root(/.*)?		gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
-/var/dnscache/root(/.*)?		gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
-/var/tinydns/root(/.*)?		gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)
-
diff --git a/refpolicy/policy/modules/services/djbdns.if b/refpolicy/policy/modules/services/djbdns.if
deleted file mode 100644
index e8baf77..0000000
--- a/refpolicy/policy/modules/services/djbdns.if
+++ /dev/null
@@ -1,54 +0,0 @@
-## <summary>small and secure DNS daemon</summary>
-
-########################################
-## <summary>
-##      Create a set of derived types for djbdns 
-##	components that are directly supervised by daemontools.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##      The prefix to be used for deriving type names.
-##	</summary>
-## </param>
-#
-template(`djbdns_daemontools_domain_template',`
-
-	type djbdns_$1_t;
-	type djbdns_$1_exec_t;
-	type djbdns_$1_conf_t;
-	files_config_file(djbdns_$1_conf_t)
-
-	domain_type(djbdns_$1_t)
-	domain_entry_file(djbdns_$1_t,djbdns_$1_exec_t)
-	role system_r types djbdns_$1_t;
-
-	daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
-	daemontools_read_svc(djbdns_$1_t)
-
-	allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
-	allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
-	allow djbdns_$1_t self:udp_socket create_socket_perms;
-
-	allow djbdns_$1_t djbdns_$1_conf_t:dir r_dir_perms;
-	allow djbdns_$1_t djbdns_$1_conf_t:file r_file_perms;
-
-	corenet_non_ipsec_sendrecv(djbdns_$1_t)
-	corenet_tcp_sendrecv_all_if(djbdns_$1_t)
-	corenet_udp_sendrecv_all_if(djbdns_$1_t)
-	corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
-	corenet_udp_sendrecv_all_nodes(djbdns_$1_t)
-	corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
-	corenet_udp_sendrecv_all_ports(djbdns_$1_t)
-	corenet_tcp_bind_all_nodes(djbdns_$1_t)
-	corenet_udp_bind_all_nodes(djbdns_$1_t)
-	corenet_tcp_bind_dns_port(djbdns_$1_t)
-	corenet_udp_bind_dns_port(djbdns_$1_t)
-	corenet_udp_bind_generic_port(djbdns_$1_t)
-	corenet_sendrecv_dns_server_packets(djbdns_$1_t)
-	corenet_sendrecv_generic_server_packets(djbdns_$1_t)
-
-	files_search_var(djbdns_$1_t)
-
-	libs_use_ld_so(djbdns_$1_t)
-	libs_use_shared_libs(djbdns_$1_t)
-')
diff --git a/refpolicy/policy/modules/services/djbdns.te b/refpolicy/policy/modules/services/djbdns.te
deleted file mode 100644
index 0ca3670..0000000
--- a/refpolicy/policy/modules/services/djbdns.te
+++ /dev/null
@@ -1,47 +0,0 @@
-
-policy_module(djbdns,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type djbdns_axfrdns_t;
-type djbdns_axfrdns_exec_t;
-type djbdns_axfrdns_conf_t;
-domain_type(djbdns_axfrdns_t)
-domain_entry_file(djbdns_axfrdns_t,djbdns_axfrdns_exec_t)
-role system_r types djbdns_axfrdns_t;
-files_config_file(djbdns_axfrdns_conf_t)
-
-djbdns_daemontools_domain_template(dnscache)
-
-djbdns_daemontools_domain_template(tinydns)
-
-########################################
-#
-# Local policy for axfrdns component
-#
-
-files_config_file(djbdns_axfrdns_conf_t)
-
-daemontools_ipc_domain(djbdns_axfrdns_t)
-daemontools_read_svc(djbdns_axfrdns_t)
-
-allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
-
-allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir r_dir_perms;
-allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file r_file_perms;
-
-allow djbdns_axfrdns_t djbdns_tinydns_t:dir r_dir_perms;
-allow djbdns_axfrdns_t djbdns_tinydns_t:file r_file_perms;
-
-allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir r_dir_perms;
-allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file r_file_perms;
-
-files_search_var(djbdns_axfrdns_t)
-
-libs_use_ld_so(djbdns_axfrdns_t)
-libs_use_shared_libs(djbdns_axfrdns_t)
-
-ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
diff --git a/refpolicy/policy/modules/services/dnsmasq.fc b/refpolicy/policy/modules/services/dnsmasq.fc
deleted file mode 100644
index aa52c2c..0000000
--- a/refpolicy/policy/modules/services/dnsmasq.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
-
-/var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
-/var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/dnsmasq.if b/refpolicy/policy/modules/services/dnsmasq.if
deleted file mode 100644
index e5b0998..0000000
--- a/refpolicy/policy/modules/services/dnsmasq.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>dnsmasq DNS forwarder and DHCP server</summary>
diff --git a/refpolicy/policy/modules/services/dnsmasq.te b/refpolicy/policy/modules/services/dnsmasq.te
deleted file mode 100644
index 79063d1..0000000
--- a/refpolicy/policy/modules/services/dnsmasq.te
+++ /dev/null
@@ -1,105 +0,0 @@
-
-policy_module(dnsmasq,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type dnsmasq_t;
-type dnsmasq_exec_t;
-init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)
-
-type dnsmasq_lease_t;
-files_type(dnsmasq_lease_t)
-
-type dnsmasq_var_run_t;
-files_pid_file(dnsmasq_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
-dontaudit dnsmasq_t self:capability sys_tty_config;
-allow dnsmasq_t self:process signal_perms;
-allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
-allow dnsmasq_t self:udp_socket create_socket_perms;
-allow dnsmasq_t self:packet_socket create_socket_perms;
-allow dnsmasq_t self:rawip_socket create_socket_perms;
-
-# dhcp leases
-allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
-files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
-
-allow dnsmasq_t dnsmasq_var_run_t:file create_file_perms;
-allow dnsmasq_t dnsmasq_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file)
-
-kernel_read_kernel_sysctls(dnsmasq_t)
-kernel_list_proc(dnsmasq_t)
-kernel_read_proc_symlinks(dnsmasq_t)
-
-corenet_non_ipsec_sendrecv(dnsmasq_t)
-corenet_tcp_sendrecv_generic_if(dnsmasq_t)
-corenet_udp_sendrecv_generic_if(dnsmasq_t)
-corenet_raw_sendrecv_generic_if(dnsmasq_t)
-corenet_tcp_sendrecv_all_nodes(dnsmasq_t)
-corenet_udp_sendrecv_all_nodes(dnsmasq_t)
-corenet_raw_sendrecv_all_nodes(dnsmasq_t)
-corenet_tcp_sendrecv_all_ports(dnsmasq_t)
-corenet_udp_sendrecv_all_ports(dnsmasq_t)
-corenet_tcp_bind_all_nodes(dnsmasq_t)
-corenet_udp_bind_all_nodes(dnsmasq_t)
-corenet_tcp_bind_dns_port(dnsmasq_t)
-corenet_udp_bind_dns_port(dnsmasq_t)
-corenet_udp_bind_dhcpd_port(dnsmasq_t)
-corenet_sendrecv_dns_server_packets(dnsmasq_t)
-corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
-
-dev_read_sysfs(dnsmasq_t)
-dev_read_urand(dnsmasq_t)
-
-domain_use_interactive_fds(dnsmasq_t)
-
-# allow access to dnsmasq.conf
-files_read_etc_files(dnsmasq_t)
-
-fs_getattr_all_fs(dnsmasq_t)
-fs_search_auto_mountpoints(dnsmasq_t)
-
-term_dontaudit_use_console(dnsmasq_t)
-
-init_use_fds(dnsmasq_t)
-init_use_script_ptys(dnsmasq_t)
-
-libs_use_ld_so(dnsmasq_t)
-libs_use_shared_libs(dnsmasq_t)
-
-logging_send_syslog_msg(dnsmasq_t)
-
-miscfiles_read_localization(dnsmasq_t)
-
-sysnet_read_config(dnsmasq_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
-userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(dnsmasq_t)
-	term_dontaudit_use_generic_ptys(dnsmasq_t)
-	files_dontaudit_read_root_files(dnsmasq_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(dnsmasq_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(dnsmasq_t)
-')
-
-optional_policy(`
-	udev_read_db(dnsmasq_t)
-')
diff --git a/refpolicy/policy/modules/services/dovecot.fc b/refpolicy/policy/modules/services/dovecot.fc
deleted file mode 100644
index 0b5a513..0000000
--- a/refpolicy/policy/modules/services/dovecot.fc
+++ /dev/null
@@ -1,35 +0,0 @@
-
-#
-# /etc
-#
-/etc/dovecot.conf.*			gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot.passwd.*			gen_context(system_u:object_r:dovecot_passwd_t,s0)
-
-/etc/pki/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_cert_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/dovecot		--	gen_context(system_u:object_r:dovecot_exec_t,s0)
-
-/usr/share/ssl/certs/dovecot\.pem --	gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/share/ssl/private/dovecot\.pem --	gen_context(system_u:object_r:dovecot_cert_t,s0)
-
-ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-')
-
-ifdef(`distro_redhat', `
-/usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-')
-
-#
-# /var
-#
-/var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
-
-/var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
-
-
-
-
diff --git a/refpolicy/policy/modules/services/dovecot.if b/refpolicy/policy/modules/services/dovecot.if
deleted file mode 100644
index ba714cc..0000000
--- a/refpolicy/policy/modules/services/dovecot.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>Dovecot POP and IMAP mail server</summary>
-
-########################################
-## <summary>
-##	Create, read, write, and delete the dovecot spool files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dovecot_manage_spool',`
-	gen_require(`
-		type dovecot_spool_t;
-	')
-
-	allow $1 dovecot_spool_t:dir rw_dir_perms;
-	allow $1 dovecot_spool_t:file create_file_perms;
-	allow $1 dovecot_spool_t:lnk_file create_lnk_perms;
-')
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
deleted file mode 100644
index 166d4dc..0000000
--- a/refpolicy/policy/modules/services/dovecot.te
+++ /dev/null
@@ -1,203 +0,0 @@
-
-policy_module(dovecot,1.2.4)
-
-########################################
-#
-# Declarations
-#
-type dovecot_t;
-type dovecot_exec_t;
-init_daemon_domain(dovecot_t,dovecot_exec_t)
-
-type dovecot_cert_t;
-files_type(dovecot_cert_t)
-
-type dovecot_etc_t;
-files_config_file(dovecot_etc_t)
-
-type dovecot_passwd_t;
-files_type(dovecot_passwd_t)
-
-type dovecot_spool_t;
-files_type(dovecot_spool_t)
-
-type dovecot_var_run_t;
-files_pid_file(dovecot_var_run_t)
-
-type dovecot_auth_t;
-type dovecot_auth_exec_t;
-domain_type(dovecot_auth_t)
-domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
-role system_r types dovecot_auth_t;
-
-########################################
-#
-# dovecot local policy
-#
-
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
-dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms };
-allow dovecot_t self:fifo_file rw_file_perms;
-allow dovecot_t self:tcp_socket create_stream_socket_perms;
-allow dovecot_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
-
-domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-allow dovecot_t dovecot_auth_t:fd use;
-allow dovecot_auth_t dovecot_t:process sigchld;
-allow dovecot_auth_t dovecot_t:fd use;
-allow dovecot_auth_t dovecot_t:fifo_file { ioctl read write getattr lock append };
-
-allow dovecot_t dovecot_cert_t:dir r_dir_perms;
-allow dovecot_t dovecot_cert_t:file r_file_perms;
-allow dovecot_t dovecot_cert_t:lnk_file { getattr read };
-
-allow dovecot_t dovecot_etc_t:file r_file_perms;
-files_search_etc(dovecot_t)
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-allow dovecot_t dovecot_spool_t:dir create_dir_perms;
-allow dovecot_t dovecot_spool_t:file create_file_perms;
-allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms;
-
-allow dovecot_t dovecot_var_run_t:file create_file_perms;
-allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
-allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
-
-kernel_read_kernel_sysctls(dovecot_t)
-kernel_read_system_state(dovecot_t)
-
-corenet_non_ipsec_sendrecv(dovecot_t)
-corenet_tcp_sendrecv_all_if(dovecot_t)
-corenet_tcp_sendrecv_all_nodes(dovecot_t)
-corenet_tcp_sendrecv_all_ports(dovecot_t)
-corenet_tcp_bind_all_nodes(dovecot_t)
-corenet_tcp_bind_pop_port(dovecot_t)
-corenet_tcp_connect_all_ports(dovecot_t)
-corenet_tcp_connect_postgresql_port(dovecot_t)
-corenet_sendrecv_pop_server_packets(dovecot_t)
-corenet_sendrecv_all_client_packets(dovecot_t)
-
-dev_read_sysfs(dovecot_t)
-dev_read_urand(dovecot_t)
-
-fs_getattr_all_fs(dovecot_t)
-fs_search_auto_mountpoints(dovecot_t)
-fs_list_inotifyfs(dovecot_t)
-
-term_dontaudit_use_console(dovecot_t)
-
-corecmd_exec_bin(dovecot_t)
-
-domain_use_interactive_fds(dovecot_t)
-
-files_read_etc_files(dovecot_t)
-files_search_spool(dovecot_t)
-files_search_tmp(dovecot_t)
-files_dontaudit_list_default(dovecot_t)
-# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
-files_read_etc_runtime_files(dovecot_t)
-files_getattr_all_mountpoints(dovecot_t)
-
-init_use_fds(dovecot_t)
-init_use_script_ptys(dovecot_t)
-init_getattr_utmp(dovecot_t)
-
-libs_use_ld_so(dovecot_t)
-libs_use_shared_libs(dovecot_t)
-
-logging_send_syslog_msg(dovecot_t)
-
-miscfiles_read_certs(dovecot_t)
-miscfiles_read_localization(dovecot_t)
-
-sysnet_read_config(dovecot_t)
-sysnet_use_ldap(dovecot_auth_t)
-
-userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
-userdom_priveleged_home_dir_manager(dovecot_t)
-
-mta_manage_spool(dovecot_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(dovecot_t)
-	term_dontaudit_use_generic_ptys(dovecot_t)
-	files_dontaudit_read_root_files(dovecot_t)
-')
-
-optional_policy(`
-	kerberos_use(dovecot_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(dovecot_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(dovecot_t)
-')
-
-optional_policy(`
-	udev_read_db(dovecot_t)
-')
-
-########################################
-#
-# dovecot auth local policy
-#
-
-allow dovecot_auth_t self:capability { setgid setuid };
-allow dovecot_auth_t self:process signal_perms;
-allow dovecot_auth_t self:fifo_file rw_file_perms;
-allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
-
-allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
-
-allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
-
-kernel_read_all_sysctls(dovecot_auth_t)
-kernel_read_system_state(dovecot_auth_t)
-
-dev_read_urand(dovecot_auth_t)
-
-auth_domtrans_chk_passwd(dovecot_auth_t)
-auth_use_nsswitch(dovecot_auth_t)
-
-files_read_etc_files(dovecot_auth_t)
-files_read_etc_runtime_files(dovecot_auth_t)
-files_search_pids(dovecot_auth_t)
-files_read_usr_symlinks(dovecot_auth_t)
-files_search_tmp(dovecot_auth_t)
-
-libs_use_ld_so(dovecot_auth_t)
-libs_use_shared_libs(dovecot_auth_t)
-
-miscfiles_read_localization(dovecot_auth_t)
-
-seutil_dontaudit_search_config(dovecot_auth_t)
-
-sysnet_dns_name_resolve(dovecot_auth_t)
-
-optional_policy(`
-	kerberos_use(dovecot_auth_t)
-')
-
-optional_policy(`
-	logging_send_syslog_msg(dovecot_auth_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(dovecot_auth_t)
-')
-
-optional_policy(`
-	nscd_socket_use(dovecot_auth_t)
-')
diff --git a/refpolicy/policy/modules/services/fetchmail.fc b/refpolicy/policy/modules/services/fetchmail.fc
deleted file mode 100644
index 455c620..0000000
--- a/refpolicy/policy/modules/services/fetchmail.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-
-#
-# /etc
-#
-
-/etc/fetchmailrc		--	gen_context(system_u:object_r:fetchmail_etc_t,s0)
-
-#
-# /usr
-#
-
-/usr/bin/fetchmail		--	gen_context(system_u:object_r:fetchmail_exec_t,s0)
-
-#
-# /var
-#
-
-/var/run/fetchmail/.*		--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
-/var/mail/\.fetchmail-UIDL-cache --	gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
diff --git a/refpolicy/policy/modules/services/fetchmail.if b/refpolicy/policy/modules/services/fetchmail.if
deleted file mode 100644
index fde49b7..0000000
--- a/refpolicy/policy/modules/services/fetchmail.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Remote-mail retrieval and forwarding utility</summary>
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
deleted file mode 100644
index bac61a5..0000000
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ /dev/null
@@ -1,105 +0,0 @@
-
-policy_module(fetchmail,1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-type fetchmail_t;
-type fetchmail_exec_t;
-init_daemon_domain(fetchmail_t,fetchmail_exec_t)
-
-type fetchmail_var_run_t;
-files_pid_file(fetchmail_var_run_t)
-
-type fetchmail_etc_t;
-files_type(fetchmail_etc_t)
-
-type fetchmail_uidl_cache_t;
-files_type(fetchmail_uidl_cache_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit fetchmail_t self:capability sys_tty_config;
-allow fetchmail_t self:process { signal_perms setrlimit };
-allow fetchmail_t self:unix_dgram_socket create_socket_perms;
-allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
-allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
-allow fetchmail_t self:tcp_socket create_socket_perms;
-allow fetchmail_t self:udp_socket create_socket_perms;
-
-allow fetchmail_t fetchmail_etc_t:file r_file_perms;
-
-allow fetchmail_t fetchmail_uidl_cache_t:file create_file_perms;
-mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t,file)
-
-allow fetchmail_t fetchmail_var_run_t:file create_file_perms;
-allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(fetchmail_t,fetchmail_var_run_t,file)
-
-kernel_read_kernel_sysctls(fetchmail_t)
-kernel_list_proc(fetchmail_t)
-kernel_getattr_proc_files(fetchmail_t)
-kernel_read_proc_symlinks(fetchmail_t)
-kernel_dontaudit_read_system_state(fetchmail_t)
-
-corenet_non_ipsec_sendrecv(fetchmail_t)
-corenet_tcp_sendrecv_generic_if(fetchmail_t)
-corenet_udp_sendrecv_generic_if(fetchmail_t)
-corenet_tcp_sendrecv_all_nodes(fetchmail_t)
-corenet_udp_sendrecv_all_nodes(fetchmail_t)
-corenet_tcp_sendrecv_dns_port(fetchmail_t)
-corenet_udp_sendrecv_dns_port(fetchmail_t)
-corenet_tcp_sendrecv_pop_port(fetchmail_t)
-corenet_tcp_sendrecv_smtp_port(fetchmail_t)
-corenet_tcp_connect_all_ports(fetchmail_t)
-corenet_sendrecv_all_client_packets(fetchmail_t)
-
-dev_read_sysfs(fetchmail_t)
-dev_read_rand(fetchmail_t)
-dev_read_urand(fetchmail_t)
-
-files_read_etc_files(fetchmail_t)
-files_read_etc_runtime_files(fetchmail_t)
-files_dontaudit_search_home(fetchmail_t)
-
-fs_getattr_all_fs(fetchmail_t)
-fs_search_auto_mountpoints(fetchmail_t)
-
-term_dontaudit_use_console(fetchmail_t)
-
-domain_use_interactive_fds(fetchmail_t)
-
-init_use_fds(fetchmail_t)
-init_use_script_ptys(fetchmail_t)
-
-libs_use_ld_so(fetchmail_t)
-libs_use_shared_libs(fetchmail_t)
-
-logging_send_syslog_msg(fetchmail_t)
-
-miscfiles_read_localization(fetchmail_t)
-miscfiles_read_certs(fetchmail_t)
-
-sysnet_read_config(fetchmail_t)
-
-userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(fetchmail_t)
-	term_dontaudit_use_generic_ptys(fetchmail_t)
-	files_dontaudit_read_root_files(fetchmail_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(fetchmail_t)
-')
-
-optional_policy(`
-	udev_read_db(fetchmail_t)
-')
diff --git a/refpolicy/policy/modules/services/finger.fc b/refpolicy/policy/modules/services/finger.fc
deleted file mode 100644
index c861192..0000000
--- a/refpolicy/policy/modules/services/finger.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-# fingerd
-
-#
-# /etc
-#
-/etc/cfingerd(/.*)?		gen_context(system_u:object_r:fingerd_etc_t,s0)
-
-/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/in\.fingerd	--	gen_context(system_u:object_r:fingerd_exec_t,s0)
-/usr/sbin/[cef]fingerd	--	gen_context(system_u:object_r:fingerd_exec_t,s0)
-
-#
-# /var
-#
-/var/log/cfingerd\.log.* --	gen_context(system_u:object_r:fingerd_log_t,s0)
diff --git a/refpolicy/policy/modules/services/finger.if b/refpolicy/policy/modules/services/finger.if
deleted file mode 100644
index 22d4824..0000000
--- a/refpolicy/policy/modules/services/finger.if
+++ /dev/null
@@ -1,44 +0,0 @@
-## <summary>Finger user information service.</summary>
-
-########################################
-## <summary>
-##	Execute fingerd in the fingerd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`finger_domtrans',`
-	gen_require(`
-		type fingerd_t, fingerd_exec_t;
-	')
-
-	domain_auto_trans($1,fingerd_exec_t,fingerd_t)
-
-	allow $1 fingerd_t:fd use;
-	allow fingerd_t $1:fd use;
-	allow fingerd_t $1:fifo_file rw_file_perms;
-	allow fingerd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to connect to fingerd with a tcp socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`finger_tcp_connect',`
-	gen_require(`
-		type fingerd_t;
-	')
-
-	kernel_tcp_recvfrom($1)
-	allow $1 fingerd_t:tcp_socket { connectto recvfrom };
-	allow fingerd_t $1:tcp_socket { acceptfrom recvfrom };
-')
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
deleted file mode 100644
index 1647e64..0000000
--- a/refpolicy/policy/modules/services/finger.te
+++ /dev/null
@@ -1,134 +0,0 @@
-
-policy_module(finger,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type fingerd_t;
-type fingerd_exec_t;
-init_daemon_domain(fingerd_t,fingerd_exec_t)
-inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
-
-type fingerd_etc_t;
-files_config_file(fingerd_etc_t)
-
-type fingerd_log_t;
-logging_log_file(fingerd_log_t)
-
-type fingerd_var_run_t;
-files_pid_file(fingerd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow fingerd_t self:capability { setgid setuid };
-dontaudit fingerd_t self:capability { sys_tty_config fsetid };
-allow fingerd_t self:process signal_perms;
-allow fingerd_t self:fifo_file { read write getattr };
-allow fingerd_t self:tcp_socket connected_stream_socket_perms;
-allow fingerd_t self:udp_socket create_socket_perms;
-allow fingerd_t self:unix_dgram_socket create_socket_perms;
-allow fingerd_t self:unix_stream_socket create_socket_perms;
-
-allow fingerd_t fingerd_var_run_t:file create_file_perms;
-allow fingerd_t fingerd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(fingerd_t,fingerd_var_run_t,file)
-
-allow fingerd_t fingerd_etc_t:file r_file_perms;
-allow fingerd_t fingerd_etc_t:dir r_dir_perms;
-allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
-
-allow fingerd_t fingerd_log_t:file create_file_perms;
-logging_log_filetrans(fingerd_t,fingerd_log_t,file)
-
-kernel_read_kernel_sysctls(fingerd_t)
-kernel_read_system_state(fingerd_t)
-kernel_tcp_recvfrom(fingerd_t)
-
-corenet_non_ipsec_sendrecv(fingerd_t)
-corenet_tcp_sendrecv_all_if(fingerd_t)
-corenet_udp_sendrecv_all_if(fingerd_t)
-corenet_tcp_sendrecv_all_nodes(fingerd_t)
-corenet_udp_sendrecv_all_nodes(fingerd_t)
-corenet_tcp_sendrecv_all_ports(fingerd_t)
-corenet_udp_sendrecv_all_ports(fingerd_t)
-corenet_tcp_bind_all_nodes(fingerd_t)
-corenet_tcp_bind_fingerd_port(fingerd_t)
-
-dev_read_sysfs(fingerd_t)
-
-fs_getattr_all_fs(fingerd_t)
-fs_search_auto_mountpoints(fingerd_t)
-
-term_dontaudit_use_console(fingerd_t)
-term_getattr_all_user_ttys(fingerd_t)
-term_getattr_all_user_ptys(fingerd_t)
-
-auth_read_lastlog(fingerd_t)
-
-corecmd_exec_bin(fingerd_t)
-corecmd_exec_sbin(fingerd_t)
-corecmd_exec_shell(fingerd_t)
-
-domain_use_interactive_fds(fingerd_t)
-
-files_search_home(fingerd_t)
-files_read_etc_files(fingerd_t)
-files_read_etc_runtime_files(fingerd_t)
-
-init_read_utmp(fingerd_t)
-init_dontaudit_write_utmp(fingerd_t)
-init_use_fds(fingerd_t)
-init_use_script_ptys(fingerd_t)
-
-libs_use_ld_so(fingerd_t)
-libs_use_shared_libs(fingerd_t)
-
-logging_send_syslog_msg(fingerd_t)
-
-mta_getattr_spool(fingerd_t)
-
-sysnet_read_config(fingerd_t)
-
-miscfiles_read_localization(fingerd_t)
-
-userdom_read_unpriv_users_home_content_files(fingerd_t)
-userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
-userdom_dontaudit_search_sysadm_home_dirs(fingerd_t)
-# stop it accessing sub-directories, prevents checking a Maildir for new mail,
-# have to change this when we create a type for Maildir
-userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(fingerd_t)
-	term_dontaudit_use_generic_ptys(fingerd_t)
-	files_dontaudit_read_root_files(fingerd_t)
-')
-
-optional_policy(`
-	cron_system_entry(fingerd_t,fingerd_exec_t)
-')
-
-optional_policy(`
-	logrotate_exec(fingerd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(fingerd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(fingerd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(fingerd_t)
-')
-
-optional_policy(`
-	udev_read_db(fingerd_t)
-')
diff --git a/refpolicy/policy/modules/services/ftp.fc b/refpolicy/policy/modules/services/ftp.fc
deleted file mode 100644
index 5ea69a0..0000000
--- a/refpolicy/policy/modules/services/ftp.fc
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# /etc
-#
-/etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
-/etc/cron\.monthly/proftpd --	gen_context(system_u:object_r:ftpd_exec_t,s0)
-
-#
-# /usr
-#
-/usr/bin/ftpdctl	--	gen_context(system_u:object_r:ftpdctl_exec_t,s0)
-
-/usr/kerberos/sbin/ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
-
-/usr/sbin/ftpwho	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
-/usr/sbin/in\.ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
-/usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
-/usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
-/usr/sbin/vsftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
-
-#
-# /var
-#
-/var/run/proftpd(/.*)? 		gen_context(system_u:object_r:ftpd_var_run_t,s0)
-
-/var/log/muddleftpd\.log.* --	gen_context(system_u:object_r:xferlog_t,s0)
-/var/log/proftpd(/.*)?          gen_context(system_u:object_r:xferlog_t,s0)
-/var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
-/var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
-/var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/refpolicy/policy/modules/services/ftp.if b/refpolicy/policy/modules/services/ftp.if
deleted file mode 100644
index 113e56c..0000000
--- a/refpolicy/policy/modules/services/ftp.if
+++ /dev/null
@@ -1,134 +0,0 @@
-## <summary>File transfer protocol service</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the ftp module.
-## </summary>
-## <desc>
-##	<p>
-##	This template allows ftpd to manage files in
-##	a user home directory, creating files with the
-##	correct type.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`ftp_per_userdomain_template',`
-	tunable_policy(`ftpd_is_daemon',`
-		userdom_manage_user_home_content_files($1,ftpd_t)
-		userdom_manage_user_home_content_symlinks($1,ftpd_t)
-		userdom_manage_user_home_content_sockets($1,ftpd_t)
-		userdom_manage_user_home_content_pipes($1,ftpd_t)
-		userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
-	')
-')
-
-########################################
-## <summary>
-##      Use ftp by connecting over TCP.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ftp_tcp_connect',`
-	gen_require(`
-		type ftpd_t;
-	')
-
-	allow $1 ftpd_t:tcp_socket { connectto recvfrom };
-	allow ftpd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
-
-########################################
-## <summary>
-##      Read ftpd etc files
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ftp_read_config',`
-	gen_require(`
-		type ftpd_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 ftpd_etc_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##      Execute FTP daemon entry point programs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ftp_check_exec',`
-	gen_require(`
-		type ftpd_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	allow $1 ftpd_exec_t:file x_file_perms;
-')
-
-########################################
-## <summary>
-##      Read FTP transfer logs
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ftp_read_log',`
-	gen_require(`
-		type xferlog_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 xferlog_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##      Execute the ftpdctl program in the ftpdctl domain.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`ftp_domtrans_ftpdctl',`
-	gen_require(`
-		type ftpdctl_t, ftpdctl_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1, ftpdctl_exec_t, ftpdctl_t)
-
-	allow ftpdctl_t $1:fd use;
-	allow ftpdctl_t $1:fifo_file rw_file_perms;
-	allow ftpdctl_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
deleted file mode 100644
index fb09648..0000000
--- a/refpolicy/policy/modules/services/ftp.te
+++ /dev/null
@@ -1,274 +0,0 @@
-
-policy_module(ftp,1.2.6)
-
-########################################
-#
-# Declarations
-#
-
-type ftpd_t;
-type ftpd_exec_t;
-init_daemon_domain(ftpd_t,ftpd_exec_t)
-
-type ftpd_etc_t;
-files_config_file(ftpd_etc_t)
-
-# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
-type ftpd_lock_t;
-files_lock_file(ftpd_lock_t)
-
-type ftpd_tmp_t;
-files_tmp_file(ftpd_tmp_t)
-
-type ftpd_tmpfs_t;
-files_tmpfs_file(ftpd_tmpfs_t)
-
-type ftpd_var_run_t;
-files_pid_file(ftpd_var_run_t)
-
-type ftpdctl_t;
-type ftpdctl_exec_t;
-init_system_domain(ftpdctl_t,ftpdctl_exec_t)
-
-type ftpdctl_tmp_t;
-files_tmp_file(ftpdctl_tmp_t)
-
-type xferlog_t;
-logging_log_file(xferlog_t)
-
-########################################
-#
-# ftpd local policy
-#
-
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
-dontaudit ftpd_t self:capability sys_tty_config;
-allow ftpd_t self:process signal_perms;
-allow ftpd_t self:process { getcap setcap setsched setrlimit };
-allow ftpd_t self:fifo_file rw_file_perms;
-allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
-allow ftpd_t self:tcp_socket create_stream_socket_perms;
-allow ftpd_t self:udp_socket create_socket_perms;
-
-allow ftpd_t ftpd_etc_t:file r_file_perms;
-
-allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
-allow ftpd_t ftpd_tmp_t:file create_file_perms;
-files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
-
-allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
-allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
-allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
-allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
-allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
-fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-allow ftpd_t ftpd_var_run_t:file manage_file_perms;
-allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
-allow ftpd_t ftpd_var_run_t:sock_file manage_file_perms;
-files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
-
-# proftpd requires the client side to bind a socket so that
-# it can stat the socket to perform access control decisions,
-# since getsockopt with SO_PEERCRED is not available on all
-# proftpd-supported OSs
-allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
-
-# Create and modify /var/log/xferlog.
-allow ftpd_t xferlog_t:dir search_dir_perms;
-allow ftpd_t xferlog_t:file create_file_perms;
-logging_log_filetrans(ftpd_t,xferlog_t,file)
-
-kernel_read_kernel_sysctls(ftpd_t)
-kernel_read_system_state(ftpd_t)
-
-dev_read_sysfs(ftpd_t)
-dev_read_urand(ftpd_t)
-
-corecmd_exec_bin(ftpd_t)
-corecmd_exec_sbin(ftpd_t)
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-corecmd_exec_ls(ftpd_t)
-
-corenet_non_ipsec_sendrecv(ftpd_t)
-corenet_tcp_sendrecv_all_if(ftpd_t)
-corenet_udp_sendrecv_all_if(ftpd_t)
-corenet_tcp_sendrecv_all_nodes(ftpd_t)
-corenet_udp_sendrecv_all_nodes(ftpd_t)
-corenet_tcp_sendrecv_all_ports(ftpd_t)
-corenet_udp_sendrecv_all_ports(ftpd_t)
-corenet_tcp_bind_all_nodes(ftpd_t)
-corenet_tcp_bind_ftp_port(ftpd_t)
-corenet_tcp_bind_ftp_data_port(ftpd_t)
-corenet_tcp_bind_generic_port(ftpd_t)
-corenet_tcp_connect_all_ports(ftpd_t)
-corenet_sendrecv_ftp_server_packets(ftpd_t)
-
-domain_use_interactive_fds(ftpd_t)
-
-files_search_etc(ftpd_t)
-files_read_etc_files(ftpd_t)
-files_read_etc_runtime_files(ftpd_t)
-files_search_var_lib(ftpd_t)
-
-fs_search_auto_mountpoints(ftpd_t)
-fs_getattr_all_fs(ftpd_t)
-
-term_dontaudit_use_console(ftpd_t)
-
-auth_use_nsswitch(ftpd_t)
-auth_domtrans_chk_passwd(ftpd_t)
-# Append to /var/log/wtmp.
-auth_append_login_records(ftpd_t)
-#kerberized ftp requires the following
-auth_write_login_records(ftpd_t)
-
-init_use_fds(ftpd_t)
-init_use_script_ptys(ftpd_t)
-
-libs_use_ld_so(ftpd_t)
-libs_use_shared_libs(ftpd_t)
-
-logging_send_syslog_msg(ftpd_t)
-
-miscfiles_read_localization(ftpd_t)
-miscfiles_read_public_files(ftpd_t)
-
-seutil_dontaudit_search_config(ftpd_t)
-
-sysnet_read_config(ftpd_t)
-sysnet_use_ldap(ftpd_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
-userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
-
-ifdef(`targeted_policy',`
-	files_dontaudit_read_root_files(ftpd_t)
-
-	term_dontaudit_use_generic_ptys(ftpd_t)
-	term_dontaudit_use_unallocated_ttys(ftpd_t)
-')
-
-tunable_policy(`allow_ftpd_anon_write',`
-	miscfiles_manage_public_files(ftpd_t)
-')
-
-tunable_policy(`allow_ftpd_use_cifs',`
-	fs_read_cifs_files(ftpd_t)
-	fs_read_cifs_symlinks(ftpd_t)
-')
-
-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
-	fs_manage_cifs_files(ftpd_t)
-')
-
-tunable_policy(`allow_ftpd_use_nfs',`
-	fs_read_nfs_files(ftpd_t)
-	fs_read_nfs_symlinks(ftpd_t)
-')
-
-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
-	fs_manage_nfs_files(ftpd_t)
-')
-
-tunable_policy(`ftp_home_dir',`
-	allow ftpd_t self:capability { dac_override dac_read_search };
-
-	# allow access to /home
-	files_list_home(ftpd_t)
-	userdom_read_all_users_home_content_files(ftpd_t)
-	userdom_manage_all_users_home_content_dirs(ftpd_t)
-	userdom_manage_all_users_home_content_files(ftpd_t)
-	userdom_manage_all_users_home_content_symlinks(ftpd_t)
-
-	ifdef(`targeted_policy',`
-		userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
-	')
-')
-
-tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-	fs_manage_nfs_files(ftpd_t)
-	fs_read_nfs_symlinks(ftpd_t)
-')
-
-tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
-	fs_manage_cifs_files(ftpd_t)
-	fs_read_cifs_symlinks(ftpd_t)
-')
-
-tunable_policy(`ftpd_is_daemon',`
-	allow ftpd_t ftpd_lock_t:file create_file_perms;
-	files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
-
-	corenet_tcp_bind_ftp_port(ftpd_t)
-')
-
-optional_policy(`
-	corecmd_exec_shell(ftpd_t)
-
-	files_read_usr_files(ftpd_t)
-
-       	cron_system_entry(ftpd_t, ftpd_exec_t)
-
-	optional_policy(`
-		logrotate_exec(ftpd_t)
-	')
-')
-
-optional_policy(`
-	daemontools_service_domain(ftpd_t, ftpd_exec_t)
-')
-
-optional_policy(`
-	#reh: typeattributes not allowed in conditionals yet.
-	#tunable_policy(`! ftpd_is_daemon',`
-	#	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
-	#')
-
-	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
-
-	optional_policy(`
-		tunable_policy(`! ftpd_is_daemon',`
-			tcpd_domtrans(tcpd_t)
-		')
-	')
-')
-
-optional_policy(`
-	nscd_socket_use(ftpd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ftpd_t)
-')
-
-optional_policy(`
-	udev_read_db(ftpd_t)
-')
-
-########################################
-#
-# ftpdctl local policy
-#
-
-# Allow ftpdctl to talk to ftpd over a socket connection
-allow ftpdctl_t ftpd_t:unix_stream_socket connectto;
-allow ftpdctl_t ftpd_var_run_t:dir search;
-allow ftpdctl_t ftpd_var_run_t:sock_file write;
-
-# ftpdctl creates a socket so that the daemon can perform
-# access control decisions (see comments in ftpd_t rules above)
-allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
-files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
-
-# Allow ftpdctl to read config files
-files_read_etc_files(ftpdctl_t)
-
-libs_use_ld_so(ftpdctl_t)
-libs_use_shared_libs(ftpdctl_t)
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(ftpdctl_t)
-')
diff --git a/refpolicy/policy/modules/services/gatekeeper.fc b/refpolicy/policy/modules/services/gatekeeper.fc
deleted file mode 100644
index d6ef025..0000000
--- a/refpolicy/policy/modules/services/gatekeeper.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/etc/gatekeeper\.ini	--	gen_context(system_u:object_r:gatekeeper_etc_t,s0)
-
-/usr/sbin/gk		--	gen_context(system_u:object_r:gatekeeper_exec_t,s0)
-/usr/sbin/gnugk		--	gen_context(system_u:object_r:gatekeeper_exec_t,s0)
-
-/var/log/gnugk(/.*)?		gen_context(system_u:object_r:gatekeeper_log_t,s0)
-/var/run/gk\.pid	--	gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
-/var/run/gnugk(/.*)?		gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/gatekeeper.if b/refpolicy/policy/modules/services/gatekeeper.if
deleted file mode 100644
index 311cb06..0000000
--- a/refpolicy/policy/modules/services/gatekeeper.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>OpenH.323 Voice-Over-IP Gatekeeper</summary>
diff --git a/refpolicy/policy/modules/services/gatekeeper.te b/refpolicy/policy/modules/services/gatekeeper.te
deleted file mode 100644
index c33041d..0000000
--- a/refpolicy/policy/modules/services/gatekeeper.te
+++ /dev/null
@@ -1,128 +0,0 @@
-
-policy_module(gatekeeper,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type gatekeeper_t;
-type gatekeeper_exec_t;
-init_daemon_domain(gatekeeper_t,gatekeeper_exec_t)
-
-type gatekeeper_etc_t;
-files_config_file(gatekeeper_etc_t)
-
-type gatekeeper_log_t;
-logging_log_file(gatekeeper_log_t)
-
-# for stupid symlinks
-type gatekeeper_tmp_t;
-files_tmp_file(gatekeeper_tmp_t)
-
-type gatekeeper_var_run_t;
-files_pid_file(gatekeeper_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit gatekeeper_t self:capability sys_tty_config;
-allow gatekeeper_t self:process { setsched signal_perms };
-allow gatekeeper_t self:fifo_file rw_file_perms;
-allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
-allow gatekeeper_t self:udp_socket create_socket_perms;
-
-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
-allow gatekeeper_t gatekeeper_etc_t:file { getattr read };
-files_search_etc(gatekeeper_t)
-
-allow gatekeeper_t gatekeeper_log_t:file create_file_perms;
-allow gatekeeper_t gatekeeper_log_t:dir rw_dir_perms;
-logging_log_filetrans(gatekeeper_t,gatekeeper_log_t,{ file dir })
-
-allow gatekeeper_t gatekeeper_tmp_t:dir create_dir_perms;
-allow gatekeeper_t gatekeeper_tmp_t:file create_file_perms;
-files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir })
-
-allow gatekeeper_t gatekeeper_var_run_t:file create_file_perms;
-allow gatekeeper_t gatekeeper_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(gatekeeper_t,gatekeeper_var_run_t,file)
-
-kernel_read_system_state(gatekeeper_t)
-kernel_read_kernel_sysctls(gatekeeper_t)
-
-corecmd_list_sbin(gatekeeper_t)
-
-corenet_non_ipsec_sendrecv(gatekeeper_t)
-corenet_tcp_sendrecv_generic_if(gatekeeper_t)
-corenet_udp_sendrecv_generic_if(gatekeeper_t)
-corenet_tcp_sendrecv_all_nodes(gatekeeper_t)
-corenet_udp_sendrecv_all_nodes(gatekeeper_t)
-corenet_tcp_sendrecv_all_ports(gatekeeper_t)
-corenet_udp_sendrecv_all_ports(gatekeeper_t)
-corenet_tcp_bind_all_nodes(gatekeeper_t)
-corenet_udp_bind_all_nodes(gatekeeper_t)
-corenet_tcp_bind_gatekeeper_port(gatekeeper_t)
-corenet_udp_bind_gatekeeper_port(gatekeeper_t)
-corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t)
-
-dev_read_sysfs(gatekeeper_t)
-# for SSP
-dev_read_urand(gatekeeper_t)
-
-domain_use_interactive_fds(gatekeeper_t)
-
-files_read_etc_files(gatekeeper_t)
-
-fs_getattr_all_fs(gatekeeper_t)
-fs_search_auto_mountpoints(gatekeeper_t)
-
-term_dontaudit_use_console(gatekeeper_t)
-
-init_use_fds(gatekeeper_t)
-init_use_script_ptys(gatekeeper_t)
-
-libs_use_ld_so(gatekeeper_t)
-libs_use_shared_libs(gatekeeper_t)
-
-logging_send_syslog_msg(gatekeeper_t)
-
-miscfiles_read_localization(gatekeeper_t)
-
-sysnet_read_config(gatekeeper_t)
-
-userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
-userdom_dontaudit_search_sysadm_home_dirs(gatekeeper_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(gatekeeper_t)
-	term_dontaudit_use_generic_ptys(gatekeeper_t)
-	files_dontaudit_read_root_files(gatekeeper_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(gatekeeper_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(gatekeeper_t)
-')
-
-optional_policy(`
-	udev_read_db(gatekeeper_t)
-')
-
-ifdef(`TODO',`
-# for local users to run VOIP software
-allow userdomain gatekeeper_t:udp_socket sendto;
-allow gatekeeper_t userdomain:udp_socket recvfrom;
-allow gatekeeper_t userdomain:udp_socket sendto;
-allow userdomain gatekeeper_t:udp_socket recvfrom;
-
-allow gatekeeper_t userdomain:tcp_socket { connectto recvfrom };
-allow userdomain gatekeeper_t:tcp_socket { acceptfrom recvfrom };
-kernel_tcp_recvfrom(gatekeeper_t)
-kernel_tcp_recvfrom(userdomain)
-')
diff --git a/refpolicy/policy/modules/services/gpm.fc b/refpolicy/policy/modules/services/gpm.fc
deleted file mode 100644
index 6fc9661..0000000
--- a/refpolicy/policy/modules/services/gpm.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-
-/dev/gpmctl		-s	gen_context(system_u:object_r:gpmctl_t,s0)
-/dev/gpmdata		-p	gen_context(system_u:object_r:gpmctl_t,s0)
-
-/etc/gpm(/.*)?			gen_context(system_u:object_r:gpm_conf_t,s0)
-
-/usr/sbin/gpm		--	gen_context(system_u:object_r:gpm_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/gpm.if b/refpolicy/policy/modules/services/gpm.if
deleted file mode 100644
index 2890beb..0000000
--- a/refpolicy/policy/modules/services/gpm.if
+++ /dev/null
@@ -1,81 +0,0 @@
-## <summary>General Purpose Mouse driver</summary>
-
-########################################
-## <summary>
-##	Connect to GPM over a unix domain
-##	stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gpm_stream_connect',`
-	gen_require(`
-		type gpmctl_t, gpm_t;
-	')
-
-	allow $1 gpmctl_t:sock_file { getattr write };
-	allow $1 gpm_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the GPM
-##	control channel named socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gpm_getattr_gpmctl',`
-	gen_require(`
-		type gpmctl_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the 
-##	attributes of the GPM control channel
-##	named socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gpm_dontaudit_getattr_gpmctl',`
-	gen_require(`
-		type gpmctl_t;
-	')
-
-	dontaudit $1 gpmctl_t:sock_file getattr;
-')
-
-########################################
-## <summary>
-##	Set the attributes of the GPM
-##	control channel named socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gpm_setattr_gpmctl',`
-	gen_require(`
-		type gpmctl_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file setattr;
-')
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
deleted file mode 100644
index c2b800a..0000000
--- a/refpolicy/policy/modules/services/gpm.te
+++ /dev/null
@@ -1,93 +0,0 @@
-
-policy_module(gpm,1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-type gpm_t;
-type gpm_exec_t;
-init_daemon_domain(gpm_t,gpm_exec_t)
-
-type gpm_conf_t;
-files_type(gpm_conf_t)
-
-type gpm_tmp_t;
-files_tmp_file(gpm_tmp_t)
-
-type gpm_var_run_t;
-files_pid_file(gpm_var_run_t)
-
-type gpmctl_t;
-files_type(gpmctl_t)
-
-########################################
-#
-# Local policy
-#
-
-allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
-allow gpm_t self:unix_stream_socket create_stream_socket_perms;
-
-allow gpm_t gpm_conf_t:dir r_dir_perms;
-allow gpm_t gpm_conf_t:file r_file_perms;
-allow gpm_t gpm_conf_t:lnk_file { getattr read };
-
-allow gpm_t gpm_tmp_t:dir create_dir_perms;
-allow gpm_t gpm_tmp_t:file create_file_perms;
-files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
-
-allow gpm_t gpm_var_run_t:file create_file_perms;
-files_pid_filetrans(gpm_t,gpm_var_run_t,file)
-
-allow gpm_t gpmctl_t:sock_file create_file_perms;
-allow gpm_t gpmctl_t:fifo_file create_file_perms;
-dev_filetrans(gpm_t,gpmctl_t,{ sock_file fifo_file })
-
-# cjp: this has no effect
-allow gpm_t gpmctl_t:unix_stream_socket name_bind;
-
-kernel_read_kernel_sysctls(gpm_t)
-kernel_list_proc(gpm_t)
-kernel_read_proc_symlinks(gpm_t)
-
-dev_read_sysfs(gpm_t)
-# Access the mouse.
-dev_rw_input_dev(gpm_t)
-dev_rw_mouse(gpm_t)
-
-fs_getattr_all_fs(gpm_t)
-fs_search_auto_mountpoints(gpm_t)
-
-term_use_unallocated_ttys(gpm_t)
-term_dontaudit_use_console(gpm_t)
-
-domain_use_interactive_fds(gpm_t)
-
-init_use_fds(gpm_t)
-init_use_script_ptys(gpm_t)
-
-libs_use_ld_so(gpm_t)
-libs_use_shared_libs(gpm_t)
-
-logging_send_syslog_msg(gpm_t)
-
-miscfiles_read_localization(gpm_t)
-
-userdom_dontaudit_use_unpriv_user_fds(gpm_t)
-userdom_dontaudit_search_sysadm_home_dirs(gpm_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(gpm_t)
-	term_dontaudit_use_generic_ptys(gpm_t)
-	files_dontaudit_read_root_files(gpm_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(gpm_t)
-')
-
-optional_policy(`
-	udev_read_db(gpm_t)
-')
diff --git a/refpolicy/policy/modules/services/hal.fc b/refpolicy/policy/modules/services/hal.fc
deleted file mode 100644
index 93f50cb..0000000
--- a/refpolicy/policy/modules/services/hal.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-
-/etc/hal/device\.d/printer_remove\.hal -- 	gen_context(system_u:object_r:hald_exec_t,s0)
-/etc/hal/capability\.d/printer_update\.hal --	gen_context(system_u:object_r:hald_exec_t,s0)
-
-/usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
-
-/usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
-
-/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
deleted file mode 100644
index 97e7830..0000000
--- a/refpolicy/policy/modules/services/hal.if
+++ /dev/null
@@ -1,159 +0,0 @@
-## <summary>Hardware abstraction layer</summary>
-
-########################################
-## <summary>
-##	Execute hal in the hal domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hal_domtrans',`
-	gen_require(`
-		type hald_t, hald_exec_t;
-	')
-
-	domain_auto_trans($1,hald_exec_t,hald_t)
-
-	allow $1 hald_t:fd use;
-	allow hald_t $1:fd use;
-	allow hald_t $1:fifo_file rw_file_perms;
-	allow hald_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send to hal over a unix domain
-##	datagram socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hal_dgram_send',`
-	gen_require(`
-		type hald_t;
-	')
-
-	allow $1 hald_t:unix_dgram_socket sendto;
-')
-
-########################################
-## <summary>
-##	Send to hal over a unix domain
-##	stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hal_stream_connect',`
-	gen_require(`
-		type hald_t;
-	')
-
-	allow $1 hald_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Send a dbus message to hal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hal_dbus_send',`
-	gen_require(`
-		type hald_t;
-		class dbus send_msg;
-	')
-
-	allow $1 hald_t:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	hal over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hal_dbus_chat',`
-	gen_require(`
-		type hald_t;
-		class dbus send_msg;
-	')
-
-	allow $1 hald_t:dbus send_msg;
-	allow hald_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Read hald tmp files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hal_read_tmp_files',`
-	gen_require(`
-		type hald_tmp_t;
-	')
-
-	allow $1 hald_tmp_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read hald PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hal_read_pid_files',`
-	gen_require(`
-		type hald_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 hald_var_run_t:file r_file_perms;
-')
-
-
-########################################
-## <summary>
-##	Read/Write hald PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hal_rw_pid_files',`
-	gen_require(`
-		type hald_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 hald_var_run_t:file rw_file_perms;
-')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
deleted file mode 100644
index 47786ad..0000000
--- a/refpolicy/policy/modules/services/hal.te
+++ /dev/null
@@ -1,240 +0,0 @@
-
-policy_module(hal,1.3.10)
-
-########################################
-#
-# Declarations
-#
-
-type hald_t;
-type hald_exec_t;
-init_daemon_domain(hald_t,hald_exec_t)
-
-type hald_tmp_t;
-files_tmp_file(hald_tmp_t)
-
-type hald_var_run_t;
-files_pid_file(hald_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-# execute openvt which needs setuid
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
-dontaudit hald_t self:capability sys_tty_config;
-allow hald_t self:process signal_perms;
-allow hald_t self:fifo_file rw_file_perms;
-allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow hald_t self:unix_dgram_socket create_socket_perms;
-allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow hald_t self:tcp_socket create_stream_socket_perms;
-allow hald_t self:udp_socket create_socket_perms;
-# For backwards compatibility with older kernels
-allow hald_t self:netlink_socket create_socket_perms;
-
-allow hald_t hald_tmp_t:dir create_dir_perms;
-allow hald_t hald_tmp_t:file create_file_perms;
-files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
-
-allow hald_t hald_var_run_t:file create_file_perms;
-allow hald_t hald_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(hald_t,hald_var_run_t,file)
-
-kernel_read_system_state(hald_t)
-kernel_read_network_state(hald_t)
-kernel_read_kernel_sysctls(hald_t)
-kernel_read_fs_sysctls(hald_t)
-kernel_rw_vm_sysctls(hald_t)
-kernel_write_proc_files(hald_t)
-
-auth_read_pam_console_data(hald_t)
-
-corecmd_exec_all_executables(hald_t)
-
-corenet_non_ipsec_sendrecv(hald_t)
-corenet_tcp_sendrecv_all_if(hald_t)
-corenet_udp_sendrecv_all_if(hald_t)
-corenet_tcp_sendrecv_all_nodes(hald_t)
-corenet_udp_sendrecv_all_nodes(hald_t)
-corenet_tcp_sendrecv_all_ports(hald_t)
-corenet_udp_sendrecv_all_ports(hald_t)
-
-dev_rw_usbfs(hald_t)
-dev_read_urand(hald_t)
-dev_read_input(hald_t)
-dev_read_mouse(hald_t)
-dev_rw_printer(hald_t)
-dev_read_lvm_control(hald_t)
-dev_getattr_all_chr_files(hald_t)
-dev_manage_generic_chr_files(hald_t)
-dev_rw_generic_usb_dev(hald_t)
-dev_setattr_generic_usb_dev(hald_t)
-dev_setattr_usbfs_files(hald_t)
-# hal is now execing pm-suspend
-dev_rw_sysfs(hald_t)
-
-domain_use_interactive_fds(hald_t)
-
-files_exec_etc_files(hald_t)
-files_read_etc_files(hald_t)
-files_rw_etc_runtime_files(hald_t)
-files_manage_mnt_dirs(hald_t)
-files_manage_mnt_files(hald_t)
-files_search_var_lib(hald_t)
-files_read_usr_files(hald_t)
-# hal is now execing pm-suspend
-files_create_boot_flag(hald_t)
-files_getattr_all_dirs(hald_t)
-files_read_kernel_img(hald_t)
-
-fs_getattr_all_fs(hald_t)
-fs_search_all(hald_t)
-fs_list_auto_mountpoints(hald_t)
-files_getattr_all_mountpoints(hald_t)
-
-mls_file_read_up(hald_t)
-
-selinux_get_fs_mount(hald_t)
-selinux_validate_context(hald_t)
-selinux_compute_access_vector(hald_t)
-selinux_compute_create_context(hald_t)
-selinux_compute_relabel_context(hald_t)
-selinux_compute_user_contexts(hald_t)
-
-storage_raw_read_removable_device(hald_t)
-storage_raw_write_removable_device(hald_t)
-storage_raw_read_fixed_disk(hald_t)
-storage_raw_write_fixed_disk(hald_t)
-
-term_dontaudit_use_console(hald_t)
-term_dontaudit_use_generic_ptys(hald_t)
-term_use_unallocated_ttys(hald_t)
-
-auth_use_nsswitch(hald_t)
-
-init_use_fds(hald_t)
-init_use_script_ptys(hald_t)
-init_domtrans_script(hald_t)
-init_write_initctl(hald_t)
-init_read_utmp(hald_t)
-#hal runs shutdown, probably need a shutdown domain
-init_rw_utmp(hald_t)
-
-libs_use_ld_so(hald_t)
-libs_use_shared_libs(hald_t)
-libs_exec_ld_so(hald_t)
-libs_exec_lib_files(hald_t)
-
-logging_send_syslog_msg(hald_t)
-logging_search_logs(hald_t)
-
-miscfiles_read_localization(hald_t)
-miscfiles_read_hwdata(hald_t)
-
-modutils_domtrans_insmod(hald_t)
-
-seutil_read_config(hald_t)
-seutil_read_default_contexts(hald_t)
-
-sysnet_read_config(hald_t)
-
-userdom_dontaudit_use_unpriv_user_fds(hald_t)
-userdom_dontaudit_search_sysadm_home_dirs(hald_t)
-
-ifdef(`targeted_policy', `
-	term_setattr_unallocated_ttys(hald_t)
-	term_dontaudit_use_unallocated_ttys(hald_t)
-	term_dontaudit_use_generic_ptys(hald_t)
-	files_dontaudit_read_root_files(hald_t)
-')
-
-optional_policy(`
-	# For /usr/libexec/hald-addon-acpi
-	# writes to /var/run/acpid.socket
-	apm_stream_connect(hald_t)
-')
-
-optional_policy(`
-	bind_search_cache(hald_t)
-')
-
-optional_policy(`
-	clock_domtrans(hald_t)
-')
-
-optional_policy(`
-	cups_domtrans_config(hald_t)
-	cups_signal_config(hald_t)
-')
-
-optional_policy(`
-	dbus_system_bus_client_template(hald,hald_t)
-	dbus_send_system_bus(hald_t)
-	dbus_connect_system_bus(hald_t)
-	allow hald_t self:dbus send_msg;
-
-	init_dbus_chat_script(hald_t)
-
-	optional_policy(`
-		networkmanager_dbus_chat(hald_t)
-	')
-')
-
-optional_policy(`
-	# For /usr/libexec/hald-probe-smbios
-	dmidecode_domtrans(hald_t)
-')
-
-optional_policy(`
-	hotplug_read_config(hald_t)
-')
-
-optional_policy(`
-	lvm_domtrans(hald_t)
-')
-
-optional_policy(`
-	mount_domtrans(hald_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(hald_t)
-')
-
-optional_policy(`
-	nscd_socket_use(hald_t)
-')
-
-optional_policy(`
-        ntp_domtrans(hald_t)
-')
-
-optional_policy(`
-	pcmcia_manage_pid(hald_t)
-	pcmcia_manage_pid_chr_files(hald_t)
-')
-
-optional_policy(`
-	rpc_search_nfs_state_data(hald_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(hald_t)
-')
-
-optional_policy(`
-	udev_domtrans(hald_t)
-	udev_read_db(hald_t)
-')
-
-optional_policy(`
-	updfstab_domtrans(hald_t)
-')
-
-optional_policy(`
-	vbetool_domtrans(hald_t)
-')
diff --git a/refpolicy/policy/modules/services/howl.fc b/refpolicy/policy/modules/services/howl.fc
deleted file mode 100644
index faf9146..0000000
--- a/refpolicy/policy/modules/services/howl.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-
-/usr/bin/mDNSResponder	--	gen_context(system_u:object_r:howl_exec_t,s0)
-/usr/bin/nifd		--	gen_context(system_u:object_r:howl_exec_t,s0)
-
-/var/run/nifd\.pid	--	gen_context(system_u:object_r:howl_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/howl.if b/refpolicy/policy/modules/services/howl.if
deleted file mode 100644
index 9164dd2..0000000
--- a/refpolicy/policy/modules/services/howl.if
+++ /dev/null
@@ -1,19 +0,0 @@
-## <summary>Port of Apple Rendezvous multicast DNS</summary>
-
-########################################
-## <summary>
-##	Send generic signals to howl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`howl_signal',`
-	gen_require(`
-		type howl_t;
-	')
-
-	allow $1 howl_t:process signal;
-')
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
deleted file mode 100644
index 061a23d..0000000
--- a/refpolicy/policy/modules/services/howl.te
+++ /dev/null
@@ -1,94 +0,0 @@
-
-policy_module(howl,1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-type howl_t;
-type howl_exec_t;
-init_daemon_domain(howl_t,howl_exec_t)
-
-type howl_var_run_t;
-files_pid_file(howl_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow howl_t self:capability { kill net_admin };
-dontaudit howl_t self:capability sys_tty_config;
-allow howl_t self:process signal_perms;
-allow howl_t self:fifo_file rw_file_perms;
-allow howl_t self:tcp_socket create_stream_socket_perms;
-allow howl_t self:udp_socket create_socket_perms;
-
-allow howl_t howl_var_run_t:file create_file_perms;
-allow howl_t howl_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(howl_t,howl_var_run_t,file)
-
-kernel_read_network_state(howl_t)
-kernel_read_kernel_sysctls(howl_t)
-kernel_load_module(howl_t)
-kernel_list_proc(howl_t)
-kernel_read_proc_symlinks(howl_t)
-
-corenet_non_ipsec_sendrecv(howl_t)
-corenet_tcp_sendrecv_all_if(howl_t)
-corenet_udp_sendrecv_all_if(howl_t)
-corenet_tcp_sendrecv_all_nodes(howl_t)
-corenet_udp_sendrecv_all_nodes(howl_t)
-corenet_tcp_sendrecv_all_ports(howl_t)
-corenet_udp_sendrecv_all_ports(howl_t)
-corenet_tcp_bind_all_nodes(howl_t)
-corenet_udp_bind_all_nodes(howl_t)
-corenet_tcp_bind_howl_port(howl_t)
-corenet_udp_bind_howl_port(howl_t)
-corenet_sendrecv_howl_server_packets(howl_t)
-
-dev_read_sysfs(howl_t)
-
-fs_getattr_all_fs(howl_t)
-fs_search_auto_mountpoints(howl_t)
-
-term_dontaudit_use_console(howl_t)
-
-domain_use_interactive_fds(howl_t)
-
-files_read_etc_files(howl_t)
-
-init_use_fds(howl_t)
-init_use_script_ptys(howl_t)
-init_rw_utmp(howl_t)
-
-libs_use_ld_so(howl_t)
-libs_use_shared_libs(howl_t)
-
-logging_send_syslog_msg(howl_t)
-
-miscfiles_read_localization(howl_t)
-
-sysnet_read_config(howl_t)
-
-userdom_dontaudit_use_unpriv_user_fds(howl_t)
-userdom_dontaudit_search_sysadm_home_dirs(howl_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(howl_t)
-	term_dontaudit_use_generic_ptys(howl_t)
-	files_dontaudit_read_root_files(howl_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(howl_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(howl_t)
-')
-
-optional_policy(`
-	udev_read_db(howl_t)
-')
diff --git a/refpolicy/policy/modules/services/i18n_input.fc b/refpolicy/policy/modules/services/i18n_input.fc
deleted file mode 100644
index 024eb18..0000000
--- a/refpolicy/policy/modules/services/i18n_input.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# /usr
-#
-
-/usr/bin/iiimd\.bin	--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
-/usr/bin/httx		--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
-/usr/bin/htt_xbe	--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
-/usr/bin/iiimx		--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
-
-/usr/lib/iiim/iiim-xbe	--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
-
-/usr/sbin/htt		--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
-/usr/sbin/htt_server	--	 gen_context(system_u:object_r:i18n_input_exec_t,s0)
-
-#
-# /var
-#
-
-/var/run/iiim(/.*)?		 gen_context(system_u:object_r:i18n_input_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/i18n_input.if b/refpolicy/policy/modules/services/i18n_input.if
deleted file mode 100644
index 9a9f0f7..0000000
--- a/refpolicy/policy/modules/services/i18n_input.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>IIIMF htt server</summary>
-
-########################################
-## <summary>
-##	Use i18n_input over a TCP connection.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`i18n_use',`
-	gen_require(`
-		type i18n_input_t;
-	')
-
-	allow $1 i18n_input_t:tcp_socket { connectto recvfrom };
-	allow i18n_input_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te
deleted file mode 100644
index 9cabd74..0000000
--- a/refpolicy/policy/modules/services/i18n_input.te
+++ /dev/null
@@ -1,118 +0,0 @@
-
-policy_module(i18n_input,1.1.3)
-
-########################################
-#
-# Declarations
-#
-
-type i18n_input_t;
-type i18n_input_exec_t;
-init_daemon_domain(i18n_input_t,i18n_input_exec_t)
-
-type i18n_input_var_run_t;
-files_pid_file(i18n_input_var_run_t)
-
-########################################
-#
-# i18n_input local policy
-#
-
-allow i18n_input_t self:capability { kill setgid setuid };
-dontaudit i18n_input_t self:capability sys_tty_config;
-allow i18n_input_t self:process { signal_perms setsched setpgid };
-allow i18n_input_t self:fifo_file rw_file_perms;
-allow i18n_input_t self:unix_dgram_socket create_socket_perms;
-allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
-allow i18n_input_t self:tcp_socket create_stream_socket_perms;
-allow i18n_input_t self:udp_socket create_socket_perms;
-
-allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
-allow i18n_input_t i18n_input_var_run_t:file create_file_perms;
-allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(i18n_input_t,i18n_input_var_run_t,file)
-
-can_exec(i18n_input_t, i18n_input_exec_t)
-
-kernel_read_kernel_sysctls(i18n_input_t)
-kernel_read_system_state(i18n_input_t)
-kernel_tcp_recvfrom(i18n_input_t)
-
-corenet_non_ipsec_sendrecv(i18n_input_t)
-corenet_tcp_sendrecv_generic_if(i18n_input_t)
-corenet_udp_sendrecv_generic_if(i18n_input_t)
-corenet_tcp_sendrecv_all_nodes(i18n_input_t)
-corenet_udp_sendrecv_all_nodes(i18n_input_t)
-corenet_tcp_sendrecv_all_ports(i18n_input_t)
-corenet_udp_sendrecv_all_ports(i18n_input_t)
-corenet_tcp_bind_all_nodes(i18n_input_t)
-corenet_tcp_bind_i18n_input_port(i18n_input_t)
-corenet_tcp_connect_all_ports(i18n_input_t)
-corenet_sendrecv_i18n_input_server_packets(i18n_input_t)
-corenet_sendrecv_all_client_packets(i18n_input_t)
-
-dev_read_sysfs(i18n_input_t)
-
-fs_getattr_all_fs(i18n_input_t)
-fs_search_auto_mountpoints(i18n_input_t)
-
-term_dontaudit_use_console(i18n_input_t)
-
-corecmd_search_sbin(i18n_input_t)
-corecmd_search_bin(i18n_input_t)
-corecmd_exec_bin(i18n_input_t)
-
-domain_use_interactive_fds(i18n_input_t)
-
-files_read_etc_files(i18n_input_t)
-files_read_etc_runtime_files(i18n_input_t)
-files_read_usr_files(i18n_input_t)
-
-init_use_fds(i18n_input_t)
-init_use_script_ptys(i18n_input_t)
-init_stream_connect_script(i18n_input_t)
-
-libs_use_ld_so(i18n_input_t)
-libs_use_shared_libs(i18n_input_t)
-
-logging_send_syslog_msg(i18n_input_t)
-
-miscfiles_read_localization(i18n_input_t)
-
-sysnet_read_config(i18n_input_t)
-
-userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
-userdom_dontaudit_search_sysadm_home_dirs(i18n_input_t)
-userdom_read_unpriv_users_home_content_files(i18n_input_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(i18n_input_t)
-	term_dontaudit_use_generic_ptys(i18n_input_t)
-	files_dontaudit_read_root_files(i18n_input_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(i18n_input_t)
-	fs_read_nfs_symlinks(i18n_input_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(i18n_input_t)
-	fs_read_cifs_symlinks(i18n_input_t)
-')
-
-optional_policy(`
-	canna_stream_connect(i18n_input_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(i18n_input_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(i18n_input_t)
-')
-
-optional_policy(`
-	udev_read_db(i18n_input_t)
-')
diff --git a/refpolicy/policy/modules/services/imaze.fc b/refpolicy/policy/modules/services/imaze.fc
deleted file mode 100644
index 8d455ba..0000000
--- a/refpolicy/policy/modules/services/imaze.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/usr/games/imazesrv		 --	gen_context(system_u:object_r:imazesrv_exec_t,s0)
-/usr/share/games/imaze(/.*)?		gen_context(system_u:object_r:imazesrv_data_t,s0)
-
-/var/log/imaze\.log		 --	gen_context(system_u:object_r:imazesrv_log_t,s0)
diff --git a/refpolicy/policy/modules/services/imaze.if b/refpolicy/policy/modules/services/imaze.if
deleted file mode 100644
index 8eb9ec3..0000000
--- a/refpolicy/policy/modules/services/imaze.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>iMaze game server</summary>
diff --git a/refpolicy/policy/modules/services/imaze.te b/refpolicy/policy/modules/services/imaze.te
deleted file mode 100644
index 97ddd5f..0000000
--- a/refpolicy/policy/modules/services/imaze.te
+++ /dev/null
@@ -1,114 +0,0 @@
-
-policy_module(imaze,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type imazesrv_t;
-type imazesrv_exec_t;
-init_daemon_domain(imazesrv_t,imazesrv_exec_t)
-
-type imazesrv_data_t;
-files_type(imazesrv_data_t)
-
-type imazesrv_data_labs_t;
-files_type(imazesrv_data_labs_t)
-
-type imazesrv_log_t;
-logging_log_file(imazesrv_log_t)
-
-type imazesrv_var_run_t;
-files_pid_file(imazesrv_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit imazesrv_t self:capability sys_tty_config;
-allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow imazesrv_t self:fd use;
-allow imazesrv_t self:fifo_file rw_file_perms;
-allow imazesrv_t self:unix_dgram_socket { create_socket_perms sendto };
-allow imazesrv_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow imazesrv_t self:shm create_shm_perms;
-allow imazesrv_t self:sem create_sem_perms;
-allow imazesrv_t self:msgq create_msgq_perms;
-allow imazesrv_t self:msg { send receive };
-allow imazesrv_t self:tcp_socket create_stream_socket_perms;
-allow imazesrv_t self:udp_socket create_socket_perms;
-
-allow imazesrv_t imazesrv_data_t:dir list_dir_perms;
-allow imazesrv_t imazesrv_data_t:file read_file_perms;
-allow imazesrv_t imazesrv_data_t:lnk_file { getattr read };
-
-allow imazesrv_t imazesrv_log_t:file manage_file_perms;
-allow imazesrv_t imazesrv_log_t:dir ra_dir_perms;
-logging_log_filetrans(imazesrv_t,imazesrv_log_t,file)
-
-allow imazesrv_t imazesrv_var_run_t:file manage_file_perms;
-allow imazesrv_t imazesrv_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(imazesrv_t,imazesrv_var_run_t,file)
-
-kernel_read_kernel_sysctls(imazesrv_t)
-kernel_list_proc(imazesrv_t)
-kernel_read_proc_symlinks(imazesrv_t)
-
-corenet_non_ipsec_sendrecv(imazesrv_t)
-corenet_tcp_sendrecv_generic_if(imazesrv_t)
-corenet_udp_sendrecv_generic_if(imazesrv_t)
-corenet_tcp_sendrecv_all_nodes(imazesrv_t)
-corenet_udp_sendrecv_all_nodes(imazesrv_t)
-corenet_tcp_sendrecv_all_ports(imazesrv_t)
-corenet_udp_sendrecv_all_ports(imazesrv_t)
-corenet_tcp_bind_all_nodes(imazesrv_t)
-corenet_udp_bind_all_nodes(imazesrv_t)
-corenet_tcp_bind_imaze_port(imazesrv_t)
-corenet_udp_bind_imaze_port(imazesrv_t)
-corenet_sendrecv_imaze_server_packets(imazesrv_t)
-
-dev_read_sysfs(imazesrv_t)
-
-domain_use_interactive_fds(imazesrv_t)
-
-files_read_etc_files(imazesrv_t)
-
-fs_getattr_all_fs(imazesrv_t)
-fs_search_auto_mountpoints(imazesrv_t)
-
-term_dontaudit_use_console(imazesrv_t)
-
-init_use_fds(imazesrv_t)
-init_use_script_ptys(imazesrv_t)
-
-libs_use_ld_so(imazesrv_t)
-libs_use_shared_libs(imazesrv_t)
-
-logging_send_syslog_msg(imazesrv_t)
-
-miscfiles_read_localization(imazesrv_t)
-
-sysnet_read_config(imazesrv_t)
-
-userdom_use_unpriv_users_fds(imazesrv_t)
-userdom_dontaudit_search_sysadm_home_dirs(imazesrv_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(imazesrv_t)
-	term_dontaudit_use_generic_ptys(imazesrv_t)
-	files_dontaudit_read_root_files(imazesrv_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(imazesrv_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(imazesrv_t)
-')
-
-optional_policy(`
-	udev_read_db(imazesrv_t)
-')
diff --git a/refpolicy/policy/modules/services/inetd.fc b/refpolicy/policy/modules/services/inetd.fc
deleted file mode 100644
index b460519..0000000
--- a/refpolicy/policy/modules/services/inetd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-
-/usr/sbin/identd	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
-/usr/sbin/in\..*d	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
-/usr/sbin/inetd		--	gen_context(system_u:object_r:inetd_exec_t,s0)
-/usr/sbin/rlinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
-/usr/sbin/xinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
-
-/var/log/(x)?inetd\.log	--	gen_context(system_u:object_r:inetd_log_t,s0)
-
-/var/run/inetd\.pid	--	gen_context(system_u:object_r:inetd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
deleted file mode 100644
index eded403..0000000
--- a/refpolicy/policy/modules/services/inetd.if
+++ /dev/null
@@ -1,249 +0,0 @@
-## <summary>Internet services daemon.</summary>
-
-########################################
-## <summary>
-##	Define the specified domain as a inetd service.
-## </summary>
-## <desc>
-##	<p>
-##	Define the specified domain as a inetd service.  The
-##	inetd_service_domain(), inetd_tcp_service_domain(),
-##	or inetd_udp_service_domain() interfaces should be used
-##	instead of this interface, as this interface only provides
-##	the common rules to these three interfaces.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	The type associated with the inetd service process.
-##	</summary>
-## </param>
-## <param name="entrypoint">
-##	<summary>
-##	The type associated with the process program.
-##	</summary>
-## </param>
-#
-interface(`inetd_core_service_domain',`
-	gen_require(`
-		type inetd_t;
-		role system_r;
-	')
-
-	domain_type($1)
-	domain_entry_file($1,$2)
-
-	role system_r types $1;
-
-	ifdef(`targeted_policy',`
-		# this regex is a hack, since it assumes there is a
-		# _t at the end of the domain type.  If there is no _t
-		# at the end of the type, it returns empty!
-		ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
-			bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
-			define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
-		')
-		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
-#			can_exec(inetd_t,$2)
-			# cjp: this must be wrong
-			gen_require(`
-				type initrc_t, unconfined_t;
-			')
-			can_exec({ unconfined_t initrc_t },$2)
-		} else {
-			domain_auto_trans(inetd_t,$2,$1)
-			allow inetd_t $1:fd use;
-			allow $1 inetd_t:fd use;
-			allow $1 inetd_t:fifo_file rw_file_perms;
-			allow $1 inetd_t:process sigchld;
-			dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
-
-			allow inetd_t $1:process sigkill;
-		}
-	',`
-		domain_auto_trans(inetd_t,$2,$1)
-		allow inetd_t $1:fd use;
-		allow $1 inetd_t:fd use;
-		allow $1 inetd_t:fifo_file rw_file_perms;
-		allow $1 inetd_t:process sigchld;
-		dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
-
-		allow inetd_t $1:process sigkill;
-	')
-')
-
-########################################
-## <summary>
-##	Define the specified domain as a TCP inetd service.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type associated with the inetd service process.
-##	</summary>
-## </param>
-## <param name="entrypoint">
-##	<summary>
-##	The type associated with the process program.
-##	</summary>
-## </param>
-#
-interface(`inetd_tcp_service_domain',`
-
-	gen_require(`
-		type inetd_t;
-	')
-
-	inetd_core_service_domain($1,$2)
-
-	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
-')
-
-########################################
-## <summary>
-##	Define the specified domain as a UDP inetd service.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type associated with the inetd service process.
-##	</summary>
-## </param>
-## <param name="entrypoint">
-##	<summary>
-##	The type associated with the process program.
-##	</summary>
-## </param>
-#
-interface(`inetd_udp_service_domain',`
-	gen_require(`
-		type inetd_t;
-	')
-
-	inetd_core_service_domain($1,$2)
-
-	allow $1 inetd_t:udp_socket rw_socket_perms;
-')
-
-########################################
-## <summary>
-##	Define the specified domain as a TCP and UDP inetd service.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type associated with the inetd service process.
-##	</summary>
-## </param>
-## <param name="entrypoint">
-##	<summary>
-##	The type associated with the process program.
-##	</summary>
-## </param>
-#
-interface(`inetd_service_domain',`
-	gen_require(`
-		type inetd_t;
-	')
-
-	inetd_core_service_domain($1,$2)
-
-	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
-	allow $1 inetd_t:udp_socket rw_socket_perms;
-')
-
-########################################
-## <summary>
-##	Inherit and use file descriptors from inetd.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inetd_use_fds',`
-	gen_require(`
-		type inetd_t;
-	')
-
-	allow $1 inetd_t:fd use;
-')
-
-########################################
-## <summary>
-##	Connect to the inetd service using a TCP connection.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inetd_tcp_connect',`
-	gen_require(`
-		type inetd_t;
-	')
-
-	allow $1 inetd_t:tcp_socket { connectto recvfrom };
-	allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
-
-########################################
-## <summary>
-##	Run inetd child process in the inet child domain
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inetd_domtrans_child',`
-	gen_require(`
-		type inetd_child_t, inetd_child_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,inetd_child_exec_t,inetd_child_t)
-
-	allow $1 inetd_child_t:fd use;
-	allow inetd_child_t $1:fd use;
-	allow inetd_child_t $1:fifo_file rw_file_perms;
-	allow inetd_child_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic to inetd.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`inetd_udp_send',`
-	gen_require(`
-		type inetd_t;
-	')
-
-	allow $1 inetd_t:udp_socket sendto;
-	allow inetd_t $1:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Read and write inetd TCP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`inetd_rw_tcp_sockets',`
-	gen_require(`
-		type inetd_t;
-	')
-
-	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
-')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
deleted file mode 100644
index d4c0050..0000000
--- a/refpolicy/policy/modules/services/inetd.te
+++ /dev/null
@@ -1,242 +0,0 @@
-
-policy_module(inetd,1.1.4)
-
-########################################
-#
-# Declarations
-#
-
-type inetd_t;
-type inetd_exec_t;
-init_daemon_domain(inetd_t,inetd_exec_t)
-
-type inetd_log_t;
-logging_log_file(inetd_log_t)
-
-type inetd_tmp_t;
-files_tmp_file(inetd_tmp_t)
-
-type inetd_var_run_t;
-files_pid_file(inetd_var_run_t)
-
-type inetd_child_t;
-type inetd_child_exec_t;
-inetd_service_domain(inetd_child_t,inetd_child_exec_t)
-role system_r types inetd_child_t;
-
-type inetd_child_tmp_t;
-files_tmp_file(inetd_child_tmp_t)
-
-type inetd_child_var_run_t;
-files_pid_file(inetd_child_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow inetd_t self:capability { setuid setgid };
-dontaudit inetd_t self:capability sys_tty_config;
-allow inetd_t self:process setsched;
-allow inetd_t self:fifo_file rw_file_perms;
-allow inetd_t self:tcp_socket create_stream_socket_perms;
-allow inetd_t self:udp_socket create_socket_perms;
-
-allow inetd_t inetd_log_t:file create_file_perms;
-logging_log_filetrans(inetd_t,inetd_log_t,file)
-
-allow inetd_t inetd_tmp_t:dir create_dir_perms;
-allow inetd_t inetd_tmp_t:file create_file_perms;
-files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
-
-allow inetd_t inetd_var_run_t:file create_file_perms;
-files_pid_filetrans(inetd_t,inetd_var_run_t,file)
-
-kernel_read_kernel_sysctls(inetd_t)
-kernel_list_proc(inetd_t)
-kernel_read_proc_symlinks(inetd_t)
-kernel_tcp_recvfrom(inetd_t)
-
-# base networking:
-corenet_non_ipsec_sendrecv(inetd_t)
-corenet_tcp_sendrecv_all_if(inetd_t)
-corenet_udp_sendrecv_all_if(inetd_t)
-corenet_tcp_sendrecv_all_nodes(inetd_t)
-corenet_udp_sendrecv_all_nodes(inetd_t)
-corenet_tcp_sendrecv_all_ports(inetd_t)
-corenet_udp_sendrecv_all_ports(inetd_t)
-corenet_tcp_bind_all_nodes(inetd_t)
-corenet_udp_bind_all_nodes(inetd_t)
-corenet_tcp_connect_all_ports(inetd_t)
-corenet_sendrecv_all_client_packets(inetd_t)
-
-# listen on service ports:
-corenet_tcp_bind_amanda_port(inetd_t)
-corenet_udp_bind_amanda_port(inetd_t)
-corenet_tcp_bind_auth_port(inetd_t)
-corenet_udp_bind_comsat_port(inetd_t)
-corenet_tcp_bind_dbskkd_port(inetd_t)
-corenet_udp_bind_dbskkd_port(inetd_t)
-corenet_udp_bind_ftp_port(inetd_t)
-corenet_tcp_bind_inetd_child_port(inetd_t)
-corenet_tcp_bind_inetd_child_port(inetd_t)
-corenet_udp_bind_ktalkd_port(inetd_t)
-corenet_tcp_bind_printer_port(inetd_t)
-corenet_udp_bind_rsh_port(inetd_t)
-corenet_tcp_bind_rsync_port(inetd_t)
-corenet_udp_bind_rsync_port(inetd_t)
-#corenet_tcp_bind_stunnel_port(inetd_t)
-corenet_tcp_bind_swat_port(inetd_t)
-corenet_udp_bind_swat_port(inetd_t)
-corenet_udp_bind_tftp_port(inetd_t)
-
-# service port packets:
-corenet_sendrecv_amanda_server_packets(inetd_t)
-corenet_sendrecv_auth_server_packets(inetd_t)
-corenet_sendrecv_comsat_server_packets(inetd_t)
-corenet_sendrecv_dbskkd_server_packets(inetd_t)
-corenet_sendrecv_ftp_server_packets(inetd_t)
-corenet_sendrecv_inetd_child_server_packets(inetd_t)
-corenet_sendrecv_ktalkd_server_packets(inetd_t)
-corenet_sendrecv_printer_server_packets(inetd_t)
-corenet_sendrecv_rsh_server_packets(inetd_t)
-corenet_sendrecv_rsync_server_packets(inetd_t)
-#corenet_sendrecv_stunnel_server_packets(inetd_t)
-corenet_sendrecv_swat_server_packets(inetd_t)
-corenet_sendrecv_tftp_server_packets(inetd_t)
-
-dev_read_sysfs(inetd_t)
-
-fs_getattr_all_fs(inetd_t)
-fs_search_auto_mountpoints(inetd_t)
-
-term_dontaudit_use_console(inetd_t)
-
-# Run other daemons in the inetd_child_t domain.
-corecmd_search_bin(inetd_t)
-corecmd_read_sbin_symlinks(inetd_t)
-
-domain_use_interactive_fds(inetd_t)
-
-files_read_etc_files(inetd_t)
-
-init_use_fds(inetd_t)
-init_use_script_ptys(inetd_t)
-
-libs_use_ld_so(inetd_t)
-libs_use_shared_libs(inetd_t)
-
-logging_send_syslog_msg(inetd_t)
-
-miscfiles_read_localization(inetd_t)
-
-sysnet_read_config(inetd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(inetd_t)
-userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(inetd_t)
-	term_dontaudit_use_generic_ptys(inetd_t)
-	files_dontaudit_read_root_files(inetd_t)
-')
-
-optional_policy(`
-	amanda_search_lib(inetd_t)
-')
-
-# Communicate with the portmapper.
-optional_policy(`
-	portmap_udp_send(inetd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(inetd_t)
-')
-
-optional_policy(`
-	udev_read_db(inetd_t)
-')
-
-ifdef(`targeted_policy',`
-	unconfined_domain(inetd_t)
-',`
-	optional_policy(`
-		unconfined_domtrans(inetd_t)
-	')
-')
-
-########################################
-#
-# inetd child local_policy
-#
-
-allow inetd_child_t self:process signal_perms;
-allow inetd_child_t self:fifo_file rw_file_perms;
-allow inetd_child_t self:tcp_socket connected_stream_socket_perms;
-allow inetd_child_t self:udp_socket create_socket_perms;
-
-# for identd
-allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow inetd_child_t self:capability { setuid setgid };
-allow inetd_child_t self:dir search;
-allow inetd_child_t self:{ lnk_file file } { getattr read };
-files_search_home(inetd_child_t)
-
-allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
-allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
-files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
-
-allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
-allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(inetd_child_t,inetd_child_var_run_t,file)
-
-kernel_read_kernel_sysctls(inetd_child_t)
-kernel_read_system_state(inetd_child_t)
-kernel_read_network_state(inetd_child_t)
-
-corenet_non_ipsec_sendrecv(inetd_child_t)
-corenet_tcp_sendrecv_all_if(inetd_child_t)
-corenet_udp_sendrecv_all_if(inetd_child_t)
-corenet_tcp_sendrecv_all_nodes(inetd_child_t)
-corenet_udp_sendrecv_all_nodes(inetd_child_t)
-corenet_tcp_sendrecv_all_ports(inetd_child_t)
-corenet_udp_sendrecv_all_ports(inetd_child_t)
-
-dev_read_urand(inetd_child_t)
-
-fs_getattr_xattr_fs(inetd_child_t)
-
-files_read_etc_files(inetd_child_t)
-
-libs_use_ld_so(inetd_child_t)
-libs_use_shared_libs(inetd_child_t)
-
-logging_send_syslog_msg(inetd_child_t)
-
-miscfiles_read_localization(inetd_child_t)
-
-sysnet_read_config(inetd_child_t)
-
-tunable_policy(`run_ssh_inetd',`
-	corenet_tcp_bind_ssh_port(inetd_t)
-')
-
-optional_policy(`
-	tunable_policy(`ftpd_is_daemon',`
-		# Allows it to check exec privs on daemon
-		ftp_check_exec(inetd_t)
-	')
-')
-
-optional_policy(`
-	kerberos_use(inetd_child_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(inetd_child_t)
-')
-
-optional_policy(`
-	nscd_socket_use(inetd_child_t)
-')
diff --git a/refpolicy/policy/modules/services/inn.fc b/refpolicy/policy/modules/services/inn.fc
deleted file mode 100644
index 85dc7b3..0000000
--- a/refpolicy/policy/modules/services/inn.fc
+++ /dev/null
@@ -1,66 +0,0 @@
-
-#
-# /etc
-#
-/etc/news(/.*)?				gen_context(system_u:object_r:innd_etc_t,s0)
-/etc/news/boot		--		gen_context(system_u:object_r:innd_exec_t,s0)
-
-#
-# /usr
-#
-/usr/bin/inews		--		gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/rnews		--		gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/rpost          --      	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/suck           --      	gen_context(system_u:object_r:innd_exec_t,s0)
-
-/usr/sbin/in\.nnrpd	--		gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/sbin/innd.*	--		gen_context(system_u:object_r:innd_exec_t,s0)
-
-/var/lib/news(/.*)?			gen_context(system_u:object_r:innd_var_lib_t,s0)
-
-/usr/lib(64)?/news/bin/actsync	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/archive	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/batcher	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/buffchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/convdate	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/ctlinnd	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/cvtbatch	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/expire	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/expireover --	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/fastrm	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/filechan	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/getlist	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/grephistory --	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/inews	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/innconfval --	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/inndf	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/inndstart --	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/innfeed	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/innxbatch --	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/innxmit	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/makedbz	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/makehistory --	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/newsrequeue --	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/nnrpd	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/nntpget	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/ovdb_recover --	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/overchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/prunehistory --	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/rnews	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/shlock	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/shrinkfile --	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib(64)?/news/bin/startinnfeed --	gen_context(system_u:object_r:innd_exec_t,s0)
-
-# cjp: split these to fix an ordering
-# problem with a match in corecommands
-/usr/lib/news/bin/innd 		--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/sm		--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib64/news/bin/innd 	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib64/news/bin/sm		--	gen_context(system_u:object_r:innd_exec_t,s0)
-
-/var/log/news(/.*)?			gen_context(system_u:object_r:innd_log_t,s0)
-
-/var/run/innd(/.*)?			gen_context(system_u:object_r:innd_var_run_t,s0)
-/var/run/news(/.*)?	 		gen_context(system_u:object_r:innd_var_run_t,s0)
-
-/var/spool/news(/.*)?			gen_context(system_u:object_r:news_spool_t,s0)
diff --git a/refpolicy/policy/modules/services/inn.if b/refpolicy/policy/modules/services/inn.if
deleted file mode 100644
index 39ce526..0000000
--- a/refpolicy/policy/modules/services/inn.if
+++ /dev/null
@@ -1,183 +0,0 @@
-## <summary>Internet News NNTP server</summary>
-
-########################################
-## <summary>
-##	Allow the specified domain to execute innd
-##	in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inn_exec',`
-	gen_require(`
-		type innd_t;
-	')
-
-	can_exec($1,innd_exec_t)
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to execute
-##	inn configuration files in /etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inn_exec_config',`
-	gen_require(`
-		type innd_etc_t;
-	')
-
-	can_exec($1,innd_etc_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the innd log.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inn_manage_log',`
-	gen_require(`
-		type innd_log_t;
-	')
-
-	logging_rw_generic_log_dirs($1)
-	allow $1 innd_log_t:dir search;
-	allow $1 innd_log_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the innd pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inn_manage_pid',`
-	gen_require(`
-		type innd_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 innd_var_run_t:dir rw_dir_perms;
-	allow $1 innd_var_run_t:file create_file_perms;
-	allow $1 innd_var_run_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Read innd configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inn_read_config',`
-	gen_require(`
-		type innd_etc_t;
-	')
-
-	allow $1 innd_etc_t:dir { getattr read search };
-	allow $1 innd_etc_t:file { read getattr };
-	allow $1 innd_etc_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read innd news library files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inn_read_news_lib',`
-	gen_require(`
-		type innd_var_lib_t;
-	')
-
-	allow $1 innd_var_lib_t:dir { getattr read search };
-	allow $1 innd_var_lib_t:file { read getattr };
-	allow $1 innd_var_lib_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read innd news library files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inn_read_news_spool',`
-	gen_require(`
-		type news_spool_t;
-	')
-
-	allow $1 news_spool_t:dir { getattr read search };
-	allow $1 news_spool_t:file { read getattr };
-	allow $1 news_spool_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Send to a innd unix dgram socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inn_dgram_send',`
-	gen_require(`
-		type innd_t;
-	')
-
-	allow $1 innd_t:unix_dgram_socket sendto;
-')
-
-
-########################################
-## <summary>
-##	Execute inn in the inn domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`inn_domtrans',`
-	gen_require(`
-		type innd_t, innd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1,innd_exec_t,innd_t)
-
-	allow innd_t $1:fd use;
-	allow innd_t $1:fifo_file rw_file_perms;
-	allow innd_t $1:process sigchld;
-')
-
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
deleted file mode 100644
index d531219..0000000
--- a/refpolicy/policy/modules/services/inn.te
+++ /dev/null
@@ -1,142 +0,0 @@
-
-policy_module(inn,1.1.3)
-
-########################################
-#
-# Declarations
-#
-type innd_t;
-type innd_exec_t;
-init_daemon_domain(innd_t,innd_exec_t)
-
-type innd_etc_t;
-files_config_file(innd_etc_t)
-
-type innd_log_t;
-logging_log_file(innd_log_t)
-
-type innd_var_lib_t;
-files_type(innd_var_lib_t)
-
-type innd_var_run_t;
-files_pid_file(innd_var_run_t)
-
-type news_spool_t;
-files_type(news_spool_t)
-
-########################################
-#
-# Local policy
-#
-allow innd_t self:capability { dac_override kill setgid setuid };
-dontaudit innd_t self:capability sys_tty_config;
-allow innd_t self:process { setsched signal_perms };
-allow innd_t self:fifo_file rw_file_perms;
-allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow innd_t self:tcp_socket create_stream_socket_perms;
-allow innd_t self:udp_socket create_socket_perms;
-
-allow innd_t innd_etc_t:file r_file_perms;
-allow innd_t innd_etc_t:dir r_dir_perms;
-allow innd_t innd_etc_t:lnk_file { getattr read };
-
-can_exec(innd_t, innd_exec_t)
-
-allow innd_t innd_log_t:file manage_file_perms;
-allow innd_t innd_log_t:dir { setattr rw_dir_perms };
-logging_log_filetrans(innd_t,innd_log_t,file)
-
-allow innd_t innd_var_lib_t:dir create_dir_perms;
-allow innd_t innd_var_lib_t:file create_file_perms;
-files_var_lib_filetrans(innd_t,innd_var_lib_t,file)
-
-allow innd_t innd_var_run_t:dir create_dir_perms;
-allow innd_t innd_var_run_t:file create_file_perms;
-allow innd_t innd_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(innd_t,innd_var_run_t,file)
-
-allow innd_t news_spool_t:dir create_dir_perms;
-allow innd_t news_spool_t:file create_file_perms;
-allow innd_t news_spool_t:lnk_file create_lnk_perms;
-
-kernel_read_kernel_sysctls(innd_t)
-kernel_read_system_state(innd_t)
-
-corenet_non_ipsec_sendrecv(innd_t)
-corenet_tcp_sendrecv_all_if(innd_t)
-corenet_udp_sendrecv_all_if(innd_t)
-corenet_tcp_sendrecv_all_nodes(innd_t)
-corenet_udp_sendrecv_all_nodes(innd_t)
-corenet_tcp_sendrecv_all_ports(innd_t)
-corenet_udp_sendrecv_all_ports(innd_t)
-corenet_tcp_bind_all_nodes(innd_t)
-corenet_tcp_bind_innd_port(innd_t)
-corenet_tcp_connect_all_ports(innd_t)
-corenet_sendrecv_innd_server_packets(innd_t)
-corenet_sendrecv_all_client_packets(innd_t)
-
-dev_read_sysfs(innd_t)
-dev_read_urand(innd_t)
-
-fs_getattr_all_fs(innd_t)
-fs_search_auto_mountpoints(innd_t)
-
-term_dontaudit_use_console(innd_t)
-
-corecmd_exec_bin(innd_t)
-corecmd_exec_shell(innd_t)
-corecmd_search_sbin(innd_t)
-corecmd_read_sbin_symlinks(innd_t)
-
-domain_use_interactive_fds(innd_t)
-
-files_list_spool(innd_t)
-files_read_etc_files(innd_t)
-files_read_etc_runtime_files(innd_t)
-files_read_usr_files(innd_t)
-
-init_use_fds(innd_t)
-init_use_script_ptys(innd_t)
-
-libs_use_ld_so(innd_t)
-libs_use_shared_libs(innd_t)
-
-logging_send_syslog_msg(innd_t)
-
-miscfiles_read_localization(innd_t)
-
-seutil_dontaudit_search_config(innd_t)
-
-sysnet_read_config(innd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(innd_t)
-userdom_dontaudit_search_sysadm_home_dirs(innd_t)
-
-mta_send_mail(innd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(innd_t)
-	term_dontaudit_use_generic_ptys(innd_t)
-	files_dontaudit_read_root_files(innd_t)
-')
-
-optional_policy(`
-	cron_system_entry(innd_t, innd_exec_t)
-')
-
-optional_policy(`
-	hostname_exec(innd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(innd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(innd_t)
-')
-
-optional_policy(`
-	udev_read_db(innd_t)
-')
diff --git a/refpolicy/policy/modules/services/ircd.fc b/refpolicy/policy/modules/services/ircd.fc
deleted file mode 100644
index d733fa8..0000000
--- a/refpolicy/policy/modules/services/ircd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/(dancer-)?ircd(/.*)?	gen_context(system_u:object_r:ircd_etc_t,s0)
-
-/usr/sbin/(dancer-)?ircd --	gen_context(system_u:object_r:ircd_exec_t,s0)
-
-/var/lib/dancer-ircd(/.*)?	gen_context(system_u:object_r:ircd_var_lib_t,s0)
-/var/log/(dancer-)?ircd(/.*)?	gen_context(system_u:object_r:ircd_log_t,s0)
-/var/run/dancer-ircd(/.*)?	gen_context(system_u:object_r:ircd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/ircd.if b/refpolicy/policy/modules/services/ircd.if
deleted file mode 100644
index 3f4de83..0000000
--- a/refpolicy/policy/modules/services/ircd.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>IRC server</summary>
diff --git a/refpolicy/policy/modules/services/ircd.te b/refpolicy/policy/modules/services/ircd.te
deleted file mode 100644
index fb4c356..0000000
--- a/refpolicy/policy/modules/services/ircd.te
+++ /dev/null
@@ -1,111 +0,0 @@
-
-policy_module(ircd,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type ircd_t;
-type ircd_exec_t;
-init_daemon_domain(ircd_t,ircd_exec_t)
-
-type ircd_etc_t;
-files_config_file(ircd_etc_t)
-
-type ircd_log_t;
-logging_log_file(ircd_log_t)
-
-type ircd_var_lib_t;
-files_type(ircd_var_lib_t)
-
-type ircd_var_run_t;
-files_pid_file(ircd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit ircd_t self:capability sys_tty_config;
-allow ircd_t self:process signal_perms;
-allow ircd_t self:tcp_socket create_stream_socket_perms;
-allow ircd_t self:udp_socket create_socket_perms;
-
-allow ircd_t ircd_etc_t:file r_file_perms;
-allow ircd_t ircd_etc_t:dir r_dir_perms;
-allow ircd_t ircd_etc_t:lnk_file { getattr read };
-files_search_etc(ircd_t)
-
-allow ircd_t ircd_log_t:file create_file_perms;
-allow ircd_t ircd_log_t:dir rw_dir_perms;
-logging_log_filetrans(ircd_t,ircd_log_t,{ file dir })
-
-allow ircd_t ircd_var_lib_t:file create_file_perms;
-allow ircd_t ircd_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(ircd_t,ircd_var_lib_t,file)
-
-allow ircd_t ircd_var_run_t:file create_file_perms;
-allow ircd_t ircd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ircd_t,ircd_var_run_t,file)
-
-kernel_read_system_state(ircd_t)
-kernel_read_kernel_sysctls(ircd_t)
-
-corecmd_search_sbin(ircd_t)
-
-corenet_non_ipsec_sendrecv(ircd_t)
-corenet_tcp_sendrecv_generic_if(ircd_t)
-corenet_udp_sendrecv_generic_if(ircd_t)
-corenet_tcp_sendrecv_all_nodes(ircd_t)
-corenet_udp_sendrecv_all_nodes(ircd_t)
-corenet_tcp_sendrecv_all_ports(ircd_t)
-corenet_udp_sendrecv_all_ports(ircd_t)
-corenet_tcp_bind_all_nodes(ircd_t)
-corenet_tcp_bind_ircd_port(ircd_t)
-corenet_sendrecv_ircd_server_packets(ircd_t)
-
-dev_read_sysfs(ircd_t)
-
-domain_use_interactive_fds(ircd_t)
-
-files_read_etc_files(ircd_t)
-files_read_etc_runtime_files(ircd_t)
-
-fs_getattr_all_fs(ircd_t)
-fs_search_auto_mountpoints(ircd_t)
-
-term_dontaudit_use_console(ircd_t)
-
-init_use_fds(ircd_t)
-init_use_script_ptys(ircd_t)
-
-libs_use_ld_so(ircd_t)
-libs_use_shared_libs(ircd_t)
-
-logging_send_syslog_msg(ircd_t)
-
-miscfiles_read_localization(ircd_t)
-
-sysnet_read_config(ircd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ircd_t)
-userdom_dontaudit_search_sysadm_home_dirs(ircd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(ircd_t)
-	term_dontaudit_use_generic_ptys(ircd_t)
-	files_dontaudit_read_root_files(ircd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(ircd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ircd_t)
-')
-
-optional_policy(`
-	udev_read_db(ircd_t)
-')
diff --git a/refpolicy/policy/modules/services/irqbalance.fc b/refpolicy/policy/modules/services/irqbalance.fc
deleted file mode 100644
index 3831075..0000000
--- a/refpolicy/policy/modules/services/irqbalance.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/sbin/irqbalance	-- gen_context(system_u:object_r:irqbalance_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/irqbalance.if b/refpolicy/policy/modules/services/irqbalance.if
deleted file mode 100644
index 058fb75..0000000
--- a/refpolicy/policy/modules/services/irqbalance.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>IRQ balancing daemon</summary>
diff --git a/refpolicy/policy/modules/services/irqbalance.te b/refpolicy/policy/modules/services/irqbalance.te
deleted file mode 100644
index 25368c0..0000000
--- a/refpolicy/policy/modules/services/irqbalance.te
+++ /dev/null
@@ -1,69 +0,0 @@
-
-policy_module(irqbalance,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type irqbalance_t;
-type irqbalance_exec_t;
-init_daemon_domain(irqbalance_t,irqbalance_exec_t)
-
-type irqbalance_var_run_t;
-files_pid_file(irqbalance_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit irqbalance_t self:capability sys_tty_config;
-allow irqbalance_t self:process signal_perms;
-
-allow irqbalance_t irqbalance_var_run_t:file create_file_perms;
-allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file)
-
-kernel_read_system_state(irqbalance_t)
-kernel_read_kernel_sysctls(irqbalance_t)
-kernel_rw_irq_sysctls(irqbalance_t)
-
-dev_read_sysfs(irqbalance_t)
-
-files_read_etc_files(irqbalance_t)
-files_read_etc_runtime_files(irqbalance_t)
-
-fs_getattr_all_fs(irqbalance_t)
-fs_search_auto_mountpoints(irqbalance_t)
-
-term_dontaudit_use_console(irqbalance_t)
-
-domain_use_interactive_fds(irqbalance_t)
-
-init_use_fds(irqbalance_t)
-init_use_script_ptys(irqbalance_t)
-
-libs_use_ld_so(irqbalance_t)
-libs_use_shared_libs(irqbalance_t)
-
-logging_send_syslog_msg(irqbalance_t)
-
-miscfiles_read_localization(irqbalance_t)
-
-userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
-userdom_dontaudit_search_sysadm_home_dirs(irqbalance_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(irqbalance_t)
-	term_dontaudit_use_generic_ptys(irqbalance_t)
-	files_dontaudit_read_root_files(irqbalance_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(irqbalance_t)
-')
-
-optional_policy(`
-	udev_read_db(irqbalance_t)
-')
diff --git a/refpolicy/policy/modules/services/jabber.fc b/refpolicy/policy/modules/services/jabber.fc
deleted file mode 100644
index 06ea746..0000000
--- a/refpolicy/policy/modules/services/jabber.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/usr/sbin/jabberd	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
-
-/var/lib/jabber(/.*)?		gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/log/jabber(/.*)?		gen_context(system_u:object_r:jabberd_log_t,s0)
diff --git a/refpolicy/policy/modules/services/jabber.if b/refpolicy/policy/modules/services/jabber.if
deleted file mode 100644
index ac0db06..0000000
--- a/refpolicy/policy/modules/services/jabber.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>Jabber instant messaging server</summary>
-
-########################################
-## <summary>
-##	Connect to jabber over a TCP socket
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`jabber_tcp_connect',`
-	gen_require(`
-		type jabberd_t;
-	')
-
-	allow $1 jabberd_t:tcp_socket { connectto recvfrom };
-	allow jabberd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
diff --git a/refpolicy/policy/modules/services/jabber.te b/refpolicy/policy/modules/services/jabber.te
deleted file mode 100644
index 01f85a7..0000000
--- a/refpolicy/policy/modules/services/jabber.te
+++ /dev/null
@@ -1,109 +0,0 @@
-
-policy_module(jabber,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type jabberd_t;
-type jabberd_exec_t;
-init_daemon_domain(jabberd_t,jabberd_exec_t)
-
-type jabberd_log_t;
-logging_log_file(jabberd_log_t)
-
-type jabberd_var_lib_t;
-files_type(jabberd_var_lib_t)
-
-type jabberd_var_run_t;
-files_pid_file(jabberd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow jabberd_t self:capability dac_override;
-dontaudit jabberd_t self:capability sys_tty_config;
-allow jabberd_t self:process signal_perms;
-allow jabberd_t self:fifo_file { read write getattr };
-allow jabberd_t self:tcp_socket create_stream_socket_perms;
-allow jabberd_t self:udp_socket create_socket_perms;
-
-allow jabberd_t jabberd_var_lib_t:file create_file_perms;
-allow jabberd_t jabberd_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(jabberd_t,jabberd_var_lib_t,file)
-
-allow jabberd_t jabberd_log_t:file create_file_perms;
-allow jabberd_t jabberd_log_t:dir rw_dir_perms;
-logging_log_filetrans(jabberd_t,jabberd_log_t,{ file dir })
-
-allow jabberd_t jabberd_var_run_t:file create_file_perms;
-allow jabberd_t jabberd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(jabberd_t,jabberd_var_run_t,file)
-
-kernel_read_kernel_sysctls(jabberd_t)
-kernel_list_proc(jabberd_t)
-kernel_read_proc_symlinks(jabberd_t)
-kernel_tcp_recvfrom(jabberd_t)
-
-corenet_non_ipsec_sendrecv(jabberd_t)
-corenet_tcp_sendrecv_generic_if(jabberd_t)
-corenet_udp_sendrecv_generic_if(jabberd_t)
-corenet_tcp_sendrecv_all_nodes(jabberd_t)
-corenet_udp_sendrecv_all_nodes(jabberd_t)
-corenet_tcp_sendrecv_all_ports(jabberd_t)
-corenet_udp_sendrecv_all_ports(jabberd_t)
-corenet_tcp_bind_all_nodes(jabberd_t)
-corenet_tcp_bind_jabber_client_port(jabberd_t)
-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
-
-dev_read_sysfs(jabberd_t)
-# For SSL
-dev_read_rand(jabberd_t)
-
-domain_use_interactive_fds(jabberd_t)
-
-files_read_etc_files(jabberd_t)
-files_read_etc_runtime_files(jabberd_t)
-
-fs_getattr_all_fs(jabberd_t)
-fs_search_auto_mountpoints(jabberd_t)
-
-term_dontaudit_use_console(jabberd_t)
-
-init_use_fds(jabberd_t)
-init_use_script_ptys(jabberd_t)
-
-libs_use_ld_so(jabberd_t)
-libs_use_shared_libs(jabberd_t)
-
-logging_send_syslog_msg(jabberd_t)
-
-miscfiles_read_localization(jabberd_t)
-
-sysnet_read_config(jabberd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-userdom_dontaudit_search_sysadm_home_dirs(jabberd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(jabberd_t)
-	term_dontaudit_use_generic_ptys(jabberd_t)
-	files_dontaudit_read_root_files(jabberd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(jabberd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(jabberd_t)
-')
-
-optional_policy(`
-	udev_read_db(jabberd_t)
-')
diff --git a/refpolicy/policy/modules/services/kerberos.fc b/refpolicy/policy/modules/services/kerberos.fc
deleted file mode 100644
index 1990ad0..0000000
--- a/refpolicy/policy/modules/services/kerberos.fc
+++ /dev/null
@@ -1,18 +0,0 @@
-/etc/krb5\.conf			--	gen_context(system_u:object_r:krb5_conf_t,s0)
-/etc/krb5\.keytab			gen_context(system_u:object_r:krb5_keytab_t,s0)
-
-/etc/krb5kdc(/.*)?			gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/etc/krb5kdc/kadm5.keytab 	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
-/etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-
-/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-
-/usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-
-/var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-
-/var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
-/var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
deleted file mode 100644
index b700f65..0000000
--- a/refpolicy/policy/modules/services/kerberos.if
+++ /dev/null
@@ -1,138 +0,0 @@
-## <summary>MIT Kerberos admin and KDC</summary>
-## <desc>
-##	<p>
-##	This policy supports:
-##	</p>
-##	<p>
-##	Servers:
-##	<ul>
-##		<li>kadmind</li>
-##		<li>krb5kdc</li>
-##	</ul>
-##	</p>
-##	<p>
-##	Clients:
-##	<ul>
-##		<li>kinit</li>
-##		<li>kdestroy</li>
-##		<li>klist</li>
-##		<li>ksu (incomplete)</li>
-##	</ul>
-##	</p>
-## </desc>
-
-########################################
-## <summary>
-##	Use kerberos services
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kerberos_use',`
-	gen_require(`
-		type krb5_conf_t;
-	')
-
-	files_search_etc($1)
-	allow $1 krb5_conf_t:file { getattr read };
-	dontaudit $1 krb5_conf_t:file write;
-
-	tunable_policy(`allow_kerberos',`
-		allow $1 self:tcp_socket create_socket_perms;
-		allow $1 self:udp_socket create_socket_perms;
-
-		corenet_non_ipsec_sendrecv($1)
-		corenet_tcp_sendrecv_all_if($1)
-		corenet_udp_sendrecv_all_if($1)
-		corenet_tcp_sendrecv_all_nodes($1)
-		corenet_udp_sendrecv_all_nodes($1)
-		corenet_tcp_sendrecv_kerberos_port($1)
-		corenet_udp_sendrecv_kerberos_port($1)
-		corenet_tcp_bind_all_nodes($1)
-		corenet_udp_bind_all_nodes($1)
-		corenet_tcp_connect_kerberos_port($1)
-		corenet_sendrecv_kerberos_client_packets($1)
-
-		sysnet_read_config($1)
-		sysnet_dns_name_resolve($1)
-	')
-')
-
-########################################
-## <summary>
-##	Read the kerberos configuration file (/etc/krb5.conf).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kerberos_read_config',`
-	gen_require(`
-		type krb5_conf_t;
-	')
-
-	files_search_etc($1)
-	allow $1 krb5_conf_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write the kerberos
-##	configuration file (/etc/krb5.conf).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`kerberos_dontaudit_write_config',`
-	gen_require(`
-		type krb5_conf_t;
-	')
-
-	dontaudit $1 krb5_conf_t:file write;
-')
-
-########################################
-## <summary>
-##	Read and write the kerberos configuration file (/etc/krb5.conf).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kerberos_rw_config',`
-	gen_require(`
-		type krb5_conf_t;
-	')
-
-	files_search_etc($1)
-	allow $1 krb5_conf_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read the kerberos key table.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`kerberos_read_keytab',`
-	gen_require(`
-		type krb5_keytab_t;
-	')
-
-	files_search_etc($1)
-	allow $1 krb5_keytab_t:file r_file_perms;
-')
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
deleted file mode 100644
index 2a9c1dd..0000000
--- a/refpolicy/policy/modules/services/kerberos.te
+++ /dev/null
@@ -1,249 +0,0 @@
-
-policy_module(kerberos,1.1.3)
-
-########################################
-#
-# Declarations
-#
-
-type kadmind_t;
-type kadmind_exec_t;
-init_daemon_domain(kadmind_t,kadmind_exec_t)
-
-type kadmind_log_t;
-logging_log_file(kadmind_log_t)
-
-type kadmind_tmp_t;
-files_tmp_file(kadmind_tmp_t)
-
-type kadmind_var_run_t;
-files_pid_file(kadmind_var_run_t)
-
-type krb5_conf_t;
-files_type(krb5_conf_t)
-
-# types for general configuration files in /etc
-type krb5_keytab_t;
-files_security_file(krb5_keytab_t)
-
-# types for KDC configs and principal file(s)
-type krb5kdc_conf_t;
-files_type(krb5kdc_conf_t)
-
-# types for KDC principal file(s)
-type krb5kdc_principal_t;
-files_type(krb5kdc_principal_t)
-
-type krb5kdc_t;
-type krb5kdc_exec_t;
-init_daemon_domain(krb5kdc_t,krb5kdc_exec_t)
-
-type krb5kdc_log_t;
-logging_log_file(krb5kdc_log_t)
-
-type krb5kdc_tmp_t;
-files_tmp_file(krb5kdc_tmp_t)
-
-type krb5kdc_var_run_t;
-files_pid_file(krb5kdc_var_run_t)
-
-########################################
-#
-# kadmind local policy
-#
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
-dontaudit kadmind_t self:capability sys_tty_config;
-allow kadmind_t self:process signal_perms;
-allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
-allow kadmind_t self:unix_dgram_socket { connect create write };
-allow kadmind_t self:tcp_socket connected_stream_socket_perms;
-allow kadmind_t self:udp_socket create_socket_perms;
-
-allow kadmind_t kadmind_log_t:file create_file_perms;
-logging_log_filetrans(kadmind_t,kadmind_log_t,file)
-
-allow kadmind_t krb5_conf_t:file r_file_perms;
-dontaudit kadmind_t krb5_conf_t:file write;
-
-allow kadmind_t krb5kdc_conf_t:dir search;
-allow kadmind_t krb5kdc_conf_t:file r_file_perms;
-dontaudit kadmind_t krb5kdc_conf_t:file write;
-
-allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
-
-can_exec(kadmind_t, kadmind_exec_t)
-
-allow kadmind_t kadmind_tmp_t:dir create_dir_perms;
-allow kadmind_t kadmind_tmp_t:file create_file_perms;
-files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
-
-allow kadmind_t kadmind_var_run_t:file create_file_perms;
-allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(kadmind_t,kadmind_var_run_t,file)
-
-kernel_read_kernel_sysctls(kadmind_t)
-kernel_list_proc(kadmind_t)
-kernel_read_proc_symlinks(kadmind_t)
-
-corenet_non_ipsec_sendrecv(kadmind_t)
-corenet_tcp_sendrecv_all_if(kadmind_t)
-corenet_udp_sendrecv_all_if(kadmind_t)
-corenet_tcp_sendrecv_all_nodes(kadmind_t)
-corenet_udp_sendrecv_all_nodes(kadmind_t)
-corenet_tcp_sendrecv_all_ports(kadmind_t)
-corenet_udp_sendrecv_all_ports(kadmind_t)
-corenet_tcp_bind_all_nodes(kadmind_t)
-corenet_udp_bind_all_nodes(kadmind_t)
-corenet_tcp_bind_kerberos_admin_port(kadmind_t)
-corenet_udp_bind_kerberos_admin_port(kadmind_t)
-corenet_tcp_bind_reserved_port(kadmind_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
-corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
-
-dev_read_sysfs(kadmind_t)
-dev_read_rand(kadmind_t)
-dev_read_urand(kadmind_t)
-
-fs_getattr_all_fs(kadmind_t)
-fs_search_auto_mountpoints(kadmind_t)
-
-term_dontaudit_use_console(kadmind_t)
-
-domain_use_interactive_fds(kadmind_t)
-
-files_read_etc_files(kadmind_t)
-
-init_use_fds(kadmind_t)
-init_use_script_ptys(kadmind_t)
-
-libs_use_ld_so(kadmind_t)
-libs_use_shared_libs(kadmind_t)
-
-logging_send_syslog_msg(kadmind_t)
-
-miscfiles_read_localization(kadmind_t)
-
-sysnet_read_config(kadmind_t)
-
-userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(kadmind_t)
-	term_dontaudit_use_generic_ptys(kadmind_t)
-	files_dontaudit_read_root_files(kadmind_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(kadmind_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(kadmind_t)
-')
-
-optional_policy(`
-	udev_read_db(kadmind_t)
-')
-
-########################################
-#
-# Krb5kdc local policy
-#
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
-dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:process signal_perms;
-allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
-allow krb5kdc_t self:udp_socket create_socket_perms;
-
-allow krb5kdc_t krb5_conf_t:file r_file_perms;
-dontaudit krb5kdc_t krb5_conf_t:file write;
-
-can_exec(krb5kdc_t, krb5kdc_exec_t)
-
-allow krb5kdc_t krb5kdc_conf_t:dir search;
-allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
-dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-
-allow krb5kdc_t krb5kdc_log_t:file create_file_perms;
-logging_log_filetrans(krb5kdc_t,krb5kdc_log_t,file)
-
-allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
-
-allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
-allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
-files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
-
-allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
-allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t,file)
-
-kernel_read_system_state(krb5kdc_t)
-kernel_read_kernel_sysctls(krb5kdc_t)
-kernel_list_proc(krb5kdc_t)
-kernel_read_proc_symlinks(krb5kdc_t)
-kernel_read_network_state(krb5kdc_t)
-
-corenet_non_ipsec_sendrecv(krb5kdc_t)
-corenet_tcp_sendrecv_all_if(krb5kdc_t)
-corenet_udp_sendrecv_all_if(krb5kdc_t)
-corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
-corenet_udp_sendrecv_all_nodes(krb5kdc_t)
-corenet_tcp_sendrecv_all_ports(krb5kdc_t)
-corenet_udp_sendrecv_all_ports(krb5kdc_t)
-corenet_tcp_bind_all_nodes(krb5kdc_t)
-corenet_udp_bind_all_nodes(krb5kdc_t)
-corenet_tcp_bind_kerberos_port(krb5kdc_t)
-corenet_udp_bind_kerberos_port(krb5kdc_t)
-corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
-
-dev_read_sysfs(krb5kdc_t)
-dev_read_urand(krb5kdc_t)
-
-fs_getattr_all_fs(krb5kdc_t)
-fs_search_auto_mountpoints(krb5kdc_t)
-
-term_dontaudit_use_console(krb5kdc_t)
-
-domain_use_interactive_fds(krb5kdc_t)
-
-files_read_etc_files(krb5kdc_t)
-
-init_use_fds(krb5kdc_t)
-init_use_script_ptys(krb5kdc_t)
-
-libs_use_ld_so(krb5kdc_t)
-libs_use_shared_libs(krb5kdc_t)
-
-logging_send_syslog_msg(krb5kdc_t)
-
-miscfiles_read_localization(krb5kdc_t)
-
-sysnet_read_config(krb5kdc_t)
-
-userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(krb5kdc_t)
-	term_dontaudit_use_generic_ptys(krb5kdc_t)
-	files_dontaudit_read_root_files(krb5kdc_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(krb5kdc_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(krb5kdc_t)
-')
-
-optional_policy(`
-	udev_read_db(krb5kdc_t)
-')
diff --git a/refpolicy/policy/modules/services/ktalk.fc b/refpolicy/policy/modules/services/ktalk.fc
deleted file mode 100644
index 6b30e26..0000000
--- a/refpolicy/policy/modules/services/ktalk.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-
-/usr/bin/in.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-/usr/bin/ktalkd		--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
-/var/log/talkd.*	--	gen_context(system_u:object_r:ktalkd_log_t,s0)
diff --git a/refpolicy/policy/modules/services/ktalk.if b/refpolicy/policy/modules/services/ktalk.if
deleted file mode 100644
index 5ba36db..0000000
--- a/refpolicy/policy/modules/services/ktalk.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>KDE Talk daemon</summary>
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
deleted file mode 100644
index d4139c9..0000000
--- a/refpolicy/policy/modules/services/ktalk.te
+++ /dev/null
@@ -1,89 +0,0 @@
-
-policy_module(ktalk,1.2.2)
-
-########################################
-#
-# Declarations
-#
-
-type ktalkd_t;
-type ktalkd_exec_t;
-inetd_udp_service_domain(ktalkd_t,ktalkd_exec_t)
-role system_r types ktalkd_t;
-
-type ktalkd_log_t;
-logging_log_file(ktalkd_log_t)
-
-type ktalkd_tmp_t;
-files_tmp_file(ktalkd_tmp_t)
-
-type ktalkd_var_run_t;
-files_pid_file(ktalkd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow ktalkd_t self:process signal_perms;
-allow ktalkd_t self:fifo_file rw_file_perms;
-allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
-allow ktalkd_t self:udp_socket create_socket_perms;
-# for identd
-# cjp: this should probably only be inetd_child rules?
-allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow ktalkd_t self:capability { setuid setgid };
-allow ktalkd_t self:dir search;
-allow ktalkd_t self:{ lnk_file file } { getattr read };
-files_search_home(ktalkd_t)
-optional_policy(`
-	kerberos_use(ktalkd_t)
-')
-#end for identd
-
-allow ktalkd_t ktalkd_log_t:file manage_file_perms;
-logging_log_filetrans(ktalkd_t,ktalkd_log_t,file)
-
-allow ktalkd_t ktalkd_tmp_t:dir create_dir_perms;
-allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
-files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
-
-allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
-allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file)
-
-kernel_read_kernel_sysctls(ktalkd_t)
-kernel_read_system_state(ktalkd_t)
-kernel_read_network_state(ktalkd_t)
-
-corenet_non_ipsec_sendrecv(ktalkd_t)
-corenet_tcp_sendrecv_all_if(ktalkd_t)
-corenet_udp_sendrecv_all_if(ktalkd_t)
-corenet_tcp_sendrecv_all_nodes(ktalkd_t)
-corenet_udp_sendrecv_all_nodes(ktalkd_t)
-corenet_tcp_sendrecv_all_ports(ktalkd_t)
-corenet_udp_sendrecv_all_ports(ktalkd_t)
-
-dev_read_urand(ktalkd_t)
-
-fs_getattr_xattr_fs(ktalkd_t)
-
-files_read_etc_files(ktalkd_t)
-
-init_read_utmp(ktalkd_t)
-
-libs_use_ld_so(ktalkd_t)
-libs_use_shared_libs(ktalkd_t)
-logging_send_syslog_msg(ktalkd_t)
-
-miscfiles_read_localization(ktalkd_t)
-
-sysnet_read_config(ktalkd_t)
-
-optional_policy(`
-	nis_use_ypbind(ktalkd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(ktalkd_t)
-')
diff --git a/refpolicy/policy/modules/services/ldap.fc b/refpolicy/policy/modules/services/ldap.fc
deleted file mode 100644
index 8ee84ac..0000000
--- a/refpolicy/policy/modules/services/ldap.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-
-/etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
-
-/usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
-
-/var/lib/ldap(/.*)?		gen_context(system_u:object_r:slapd_db_t,s0)
-/var/lib/ldap/replog(/.*)?	gen_context(system_u:object_r:slapd_replog_t,s0)
-
-/var/run/openldap(/.*)?		gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd\.args	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/ldap.if b/refpolicy/policy/modules/services/ldap.if
deleted file mode 100644
index 45b3bd9..0000000
--- a/refpolicy/policy/modules/services/ldap.if
+++ /dev/null
@@ -1,59 +0,0 @@
-## <summary>OpenLDAP directory server</summary>
-
-########################################
-## <summary>
-##	Read the contents of the OpenLDAP
-##	database directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ldap_list_db',`
-	gen_require(`
-		type slapd_db_t;
-	')
-
-	allow $1 slapd_db_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read the OpenLDAP configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ldap_read_config',`
-	gen_require(`
-		type slapd_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 slapd_etc_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Use LDAP over TCP connection.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ldap_use',`
-	gen_require(`
-		type slapd_t;
-	')
-
-	allow $1 slapd_t:tcp_socket { connectto recvfrom };
-	allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
deleted file mode 100644
index 315dffb..0000000
--- a/refpolicy/policy/modules/services/ldap.te
+++ /dev/null
@@ -1,154 +0,0 @@
-
-policy_module(ldap,1.2.3)
-
-########################################
-#
-# Declarations
-#
-
-type slapd_t;
-type slapd_exec_t;
-init_daemon_domain(slapd_t,slapd_exec_t)
-
-type slapd_cert_t;
-files_type(slapd_cert_t)
-
-type slapd_db_t;
-files_type(slapd_db_t)
-
-type slapd_etc_t;
-files_config_file(slapd_etc_t)
-
-type slapd_lock_t;
-files_lock_file(slapd_lock_t)
-
-type slapd_replog_t;
-files_type(slapd_replog_t)
-
-type slapd_tmp_t;
-files_tmp_file(slapd_tmp_t)
-
-type slapd_var_run_t;
-files_pid_file(slapd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-# should not need kill
-# cjp: why net_raw?
-allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
-dontaudit slapd_t self:capability sys_tty_config;
-allow slapd_t self:process setsched;
-allow slapd_t self:fifo_file { read write };
-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
-allow slapd_t self:udp_socket create_socket_perms;
-#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
-allow slapd_t self:tcp_socket create_stream_socket_perms;
-
-allow slapd_t slapd_cert_t:dir r_dir_perms;
-allow slapd_t slapd_cert_t:file r_file_perms;
-allow slapd_t slapd_cert_t:lnk_file { getattr read };
-
-# Allow access to the slapd databases
-allow slapd_t slapd_db_t:dir create_dir_perms;
-allow slapd_t slapd_db_t:file create_file_perms;
-allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
-
-allow slapd_t slapd_etc_t:file { getattr read };
-
-allow slapd_t slapd_lock_t:file create_file_perms;
-files_lock_filetrans(slapd_t,slapd_lock_t,file)
-
-# Allow access to write the replication log (should tighten this)
-allow slapd_t slapd_replog_t:dir create_dir_perms;
-allow slapd_t slapd_replog_t:file create_file_perms;
-allow slapd_t slapd_replog_t:lnk_file create_lnk_perms;
-
-allow slapd_t slapd_tmp_t:dir create_dir_perms;
-allow slapd_t slapd_tmp_t:file create_file_perms;
-files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
-
-allow slapd_t slapd_var_run_t:file create_file_perms;
-allow slapd_t slapd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(slapd_t,slapd_var_run_t,file)
-
-kernel_read_system_state(slapd_t)
-kernel_read_kernel_sysctls(slapd_t)
-kernel_tcp_recvfrom(slapd_t)
-
-corenet_non_ipsec_sendrecv(slapd_t)
-corenet_tcp_sendrecv_all_if(slapd_t)
-corenet_udp_sendrecv_all_if(slapd_t)
-corenet_tcp_sendrecv_all_nodes(slapd_t)
-corenet_udp_sendrecv_all_nodes(slapd_t)
-corenet_tcp_sendrecv_all_ports(slapd_t)
-corenet_udp_sendrecv_all_ports(slapd_t)
-corenet_tcp_bind_all_nodes(slapd_t)
-corenet_tcp_bind_ldap_port(slapd_t)
-corenet_tcp_connect_all_ports(slapd_t)
-corenet_sendrecv_ldap_server_packets(slapd_t)
-corenet_sendrecv_all_client_packets(slapd_t)
-
-dev_read_urand(slapd_t)
-dev_read_sysfs(slapd_t)
-
-fs_getattr_all_fs(slapd_t)
-fs_search_auto_mountpoints(slapd_t)
-
-term_dontaudit_use_console(slapd_t)
-
-domain_use_interactive_fds(slapd_t)
-
-files_read_etc_files(slapd_t)
-files_read_etc_runtime_files(slapd_t)
-files_read_usr_files(slapd_t)
-files_list_var_lib(slapd_t)
-
-init_use_fds(slapd_t)
-init_use_script_ptys(slapd_t)
-
-libs_use_ld_so(slapd_t)
-libs_use_shared_libs(slapd_t)
-
-logging_send_syslog_msg(slapd_t)
-
-miscfiles_read_certs(slapd_t)
-miscfiles_read_localization(slapd_t)
-
-sysnet_read_config(slapd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(slapd_t)
-userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
-
-ifdef(`targeted_policy',`
-	#reh slapcat will want to talk to the terminal
-	term_use_generic_ptys(slapd_t)
-	term_use_unallocated_ttys(slapd_t)
-
-	userdom_search_generic_user_home_dirs(slapd_t)
-	#need to be able to read ldif files created by root
-	# cjp: fix to not use templated interface:
-	userdom_read_user_home_content_files(user,slapd_t)
-
-	term_dontaudit_use_unallocated_ttys(slapd_t)
-	term_dontaudit_use_generic_ptys(slapd_t)
-	files_dontaudit_read_root_files(slapd_t)
-')
-
-optional_policy(`
-	kerberos_use(slapd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(slapd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(slapd_t)
-')
-
-optional_policy(`
-	udev_read_db(slapd_t)
-')
diff --git a/refpolicy/policy/modules/services/lpd.fc b/refpolicy/policy/modules/services/lpd.fc
deleted file mode 100644
index e97eb7a..0000000
--- a/refpolicy/policy/modules/services/lpd.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-# /dev
-#
-/dev/printer		-s	gen_context(system_u:object_r:printer_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/checkpc	--	gen_context(system_u:object_r:checkpc_exec_t,s0)
-/usr/sbin/lpd		--	gen_context(system_u:object_r:lpd_exec_t,s0)
-/usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
-/usr/bin/lpr(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpq(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lprm(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
-
-#
-# /var
-#
-/var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
-/var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if
deleted file mode 100644
index fd149e4..0000000
--- a/refpolicy/policy/modules/services/lpd.if
+++ /dev/null
@@ -1,393 +0,0 @@
-## <summary>Line printer daemon</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the lpd module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for lpr printing client.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`lpd_per_userdomain_template',`
-	gen_require(`
-		type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-	# Derived domain based on the calling user domain and the program
-	type $1_lpr_t;
-	domain_type($1_lpr_t)
-	domain_entry_file($1_lpr_t,lpr_exec_t)
-	role $3 types $1_lpr_t;
-
-	type $1_lpr_tmp_t;
-	files_tmp_file($1_lpr_tmp_t)
-
-	# Type for spool files.
-	type $1_print_spool_t;
-	files_type($1_print_spool_t)
-
-	##############################
-	#
-	# Local policy
-	#
-	allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
-	allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_lpr_t self:tcp_socket create_socket_perms;
-	allow $1_lpr_t self:udp_socket create_socket_perms;
-	
-	# lpr can run in lightweight mode, without a local print spooler.
-	allow $1_lpr_t lpd_var_run_t:dir search;
-	allow $1_lpr_t lpd_var_run_t:sock_file write;
-	files_read_var_files($1_lpr_t)
-
-	# Connect to lpd via a Unix domain socket.
-	allow $1_lpr_t printer_t:sock_file rw_file_perms;
-	allow $1_lpr_t lpd_t:unix_stream_socket connectto;
-	# connecto to a network lpd
-	allow $1_lpr_t lpd_t:tcp_socket { connectto recvfrom };
-	allow lpd_t $1_lpr_t:tcp_socket { acceptfrom recvfrom };
-	# Send SIGHUP to lpd.
-	allow $1_lpr_t lpd_t:process signal;
-
-	can_exec($1_lpr_t,lpr_exec_t)
-
-	allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
-	allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
-	files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
-
-	allow $1_lpr_t $1_print_spool_t:file create_file_perms;
-	allow $1_lpr_t print_spool_t:dir rw_dir_perms;
-	type_transition $1_lpr_t print_spool_t:file $1_print_spool_t;
-	# Read and write shared files in the spool directory.
-	allow $1_lpr_t print_spool_t:file rw_file_perms;
-
-	allow $1_lpr_t printconf_t:dir r_dir_perms;
-	allow $1_lpr_t printconf_t:file r_file_perms;
-	allow $1_lpr_t printconf_t:lnk_file { getattr read };
-
-	dontaudit $1_lpr_t $2:unix_stream_socket { read write };
-
-	# Transition from the user domain to the derived domain.
-	allow $2 $1_lpr_t:fd use;
-	allow $1_lpr_t $2:fd use;
-	allow $1_lpr_t $2:fifo_file rw_file_perms;
-	allow $1_lpr_t $2:process sigchld;
-	domain_auto_trans($2,lpr_exec_t,$1_lpr_t)
-
-	allow $2 $1_lpr_t:process signull;
-
-	# Allow lpd to read, rename, and unlink spool files.
-	allow lpd_t $1_print_spool_t:file r_file_perms;
-	allow lpd_t $1_print_spool_t:file link_file_perms;
-
-	kernel_tcp_recvfrom($1_lpr_t)
-
-	corenet_tcp_sendrecv_generic_if($1_lpr_t)
-	corenet_udp_sendrecv_generic_if($1_lpr_t)
-	corenet_tcp_sendrecv_all_nodes($1_lpr_t)
-	corenet_udp_sendrecv_all_nodes($1_lpr_t)
-	corenet_tcp_sendrecv_all_ports($1_lpr_t)
-	corenet_udp_sendrecv_all_ports($1_lpr_t)
-	corenet_tcp_connect_all_ports($1_lpr_t)
-	corenet_sendrecv_all_client_packets($1_lpr_t)
-
-	# for /dev/null
-	dev_list_all_dev_nodes($1_lpr_t)
-
-	domain_use_interactive_fds($1_lpr_t)
-
-	files_search_spool($1_lpr_t)
-	# for lpd config files (should have a new type)
-	files_read_etc_files($1_lpr_t)
-	# for test print
-	files_read_usr_files($1_lpr_t)
-	#Added to cover read_content macro
-	files_list_home($1_lpr_t)
-	files_read_generic_tmp_files($1_lpr_t)
-
-	fs_getattr_xattr_fs($1_lpr_t)
-
-	# Access the terminal.
-	term_use_controlling_term($1_lpr_t)
-	term_use_generic_ptys($1_lpr_t)
-	
-	libs_use_ld_so($1_lpr_t)
-	libs_use_shared_libs($1_lpr_t)
-
-	miscfiles_read_localization($1_lpr_t)
-
-	sysnet_read_config($1_lpr_t)
-
-	userdom_read_user_tmp_symlinks($1,$1_lpr_t)
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_lpr_t)
-
-	tunable_policy(`read_default_t',`
-		files_list_default($1_lpr_t)
-		files_read_default_symlinks($1_lpr_t)
-		files_read_default_files($1_lpr_t)
-	')
-
-	tunable_policy(`read_untrusted_content',`
-		#list and read user specific untrusted content
-		files_list_home($1_lpr_t)
-		userdom_list_user_home_dirs($1,$1_lpr_t)
-		userdom_read_user_untrusted_content_files($1,$1_lpr_t)
-
-		#list and read user specific temporary untrusted content
-		files_list_tmp($1_lpr_t)
-		userdom_read_user_tmp_untrusted_content_files($1,$1_lpr_t)
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		files_list_home($1_lpr_t)
-		fs_list_auto_mountpoints($1_lpr_t)
-		fs_read_nfs_files($1_lpr_t)
-		fs_read_nfs_symlinks($1_lpr_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		files_list_home($1_lpr_t)
-		fs_list_auto_mountpoints($1_lpr_t)
-		fs_read_cifs_files($1_lpr_t)
-		fs_read_cifs_symlinks($1_lpr_t)
-	')
-
-	optional_policy(`
-		cups_read_config($1_lpr_t)
-		cups_tcp_connect($1_lpr_t)
-		cups_read_config($2)
-		cups_tcp_connect($2)
-	')
-
-	optional_policy(`
-		logging_send_syslog_msg($1_lpr_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_lpr_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_lpr_t)
-	')
-
-	ifdef(`TODO',`
-	optional_policy(`
-		allow $1_lpr_t xdm_t:fd use;
-		allow $1_lpr_t xdm_var_run_t:dir search;
-		allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };
-	')
-	') dnl end TODO
-')
-
-#######################################
-## <summary>
-##	The administrative functions template for the lpd module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates rules for administrating the ldp service,
-##	allowing the specified user to manage lpr files.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`lpr_admin_template',`
-	gen_require(`
-		type $1_lpr_t;
-	')
-
-	userdom_read_all_users_home_content_files($1_lpr_t)
-
-	# Allow per user lpr domain read acces for specific user.
-	tunable_policy(`read_untrusted_content',`
-		userdom_read_all_untrusted_content($1_lpr_t)
-		userdom_read_all_tmp_untrusted_content($1_lpr_t)
-	')
-')
-
-########################################
-## <summary>
-##	Execute lpd in the lpd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`lpd_domtrans_checkpc',`
-	gen_require(`
-		type checkpc_t, checkpc_exec_t;
-	')
-
-	domain_auto_trans($1,checkpc_exec_t,checkpc_t)
-
-	allow $1 checkpc_t:fd use;
-	allow checkpc_t $1:fd use;
-	allow checkpc_t $1:fifo_file rw_file_perms;
-	allow checkpc_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute amrecover in the lpd domain, and
-##	allow the specified role the lpd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the lpd domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the lpd domain to use.
-##	</summary>
-## </param>
-#
-interface(`lpd_run_checkpc',`
-	gen_require(`
-		type checkpc_t;
-	')
-
-	lpd_domtrans_checkpc($1)
-	role $2 types checkpc_t;
-	allow checkpc_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	List the contents of the printer spool directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`lpd_list_spool',`
-	gen_require(`
-		type print_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 print_spool_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete printer spool files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`lpd_manage_spool',`
-	gen_require(`
-		type print_spool_t;
-	')
-
-	files_search_spool($1)
-
-	# cjp: cups wants setattr
-	allow $1 print_spool_t:dir { rw_dir_perms setattr };
-	allow $1 print_spool_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	List the contents of the printer spool directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`lpd_read_config',`
-	gen_require(`
-		type printconf_t;
-	')
-
-	allow $1 printconf_t:dir list_dir_perms;
-	allow $1 printconf_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##      Transition to a user lpr domain.
-## </summary>
-## <desc>
-##      <p>
-##      Transition to a user lpr domain.
-##      </p>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`lpd_domtrans_user_lpr',`
-	gen_require(`
-		type $1_lpr_t, lpr_exec_t;
-	')
-
-	domain_auto_trans($2, lpr_exec_t, $1_lpr_t)
-	allow $2 $1_lpr_t:fd use;
-	allow $1_lpr_t $2:fd use;
-	allow $1_lpr_t $2:fifo_file rw_file_perms;
-	allow $1_lpr_t $2:process sigchld;
-')
-
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
deleted file mode 100644
index c2eedbd..0000000
--- a/refpolicy/policy/modules/services/lpd.te
+++ /dev/null
@@ -1,236 +0,0 @@
-
-policy_module(lpd,1.2.4)
-
-########################################
-#
-# Declarations
-#
-
-type checkpc_t;
-type checkpc_exec_t;
-init_system_domain(checkpc_t,checkpc_exec_t)
-role system_r types checkpc_t;
-
-type checkpc_log_t;
-logging_log_file(checkpc_log_t)
-
-type lpd_t;
-type lpd_exec_t;
-init_daemon_domain(lpd_t,lpd_exec_t)
-
-type lpd_tmp_t;
-files_tmp_file(lpd_tmp_t)
-
-type lpd_var_run_t;
-files_pid_file(lpd_var_run_t)
-
-type lpr_exec_t;
-corecmd_executable_file(lpr_exec_t)
-
-type print_spool_t;
-files_tmp_file(print_spool_t)
-
-type printer_t;
-files_type(printer_t)
-
-type printconf_t;
-files_type(printconf_t)
-
-########################################
-#
-# Checkpc local policy
-#
-
-# Allow checkpc to access the lpd spool so it can check & fix it.
-# This requires that /usr/sbin/checkpc have type checkpc_t.
-
-allow checkpc_t self:capability { setgid setuid dac_override };
-allow checkpc_t self:process signal_perms;
-allow checkpc_t self:unix_stream_socket create_socket_perms;
-allow checkpc_t self:tcp_socket create_socket_perms;
-allow checkpc_t self:udp_socket create_socket_perms;
-
-allow checkpc_t checkpc_log_t:file create_file_perms;
-logging_log_filetrans(checkpc_t,checkpc_log_t,file)
-
-allow checkpc_t lpd_var_run_t:dir { search getattr };
-files_search_pids(checkpc_t)
-
-allow checkpc_t print_spool_t:file { rw_file_perms unlink };
-allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
-files_search_spool(checkpc_t)
-
-allow checkpc_t printconf_t:file getattr;
-allow checkpc_t printconf_t:dir { getattr search read };
-
-kernel_read_system_state(checkpc_t)
-
-corenet_non_ipsec_sendrecv(checkpc_t)
-corenet_tcp_sendrecv_all_if(checkpc_t)
-corenet_udp_sendrecv_all_if(checkpc_t)
-corenet_tcp_sendrecv_all_nodes(checkpc_t)
-corenet_udp_sendrecv_all_nodes(checkpc_t)
-corenet_tcp_sendrecv_all_ports(checkpc_t)
-corenet_udp_sendrecv_all_ports(checkpc_t)
-corenet_tcp_connect_all_ports(checkpc_t)
-corenet_sendrecv_all_client_packets(checkpc_t)
-
-dev_append_printer(checkpc_t)
-
-# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
-corecmd_exec_shell(checkpc_t)
-corecmd_exec_bin(checkpc_t)
-corecmd_search_sbin(checkpc_t)
-
-domain_use_interactive_fds(checkpc_t)
-
-files_read_etc_files(checkpc_t)
-files_read_etc_runtime_files(checkpc_t)
-
-init_use_script_ptys(checkpc_t)
-# Allow access to /dev/console through the fd:
-init_use_fds(checkpc_t)
-
-libs_use_ld_so(checkpc_t)
-libs_use_shared_libs(checkpc_t)
-
-sysnet_read_config(checkpc_t)
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(checkpc_t)
-	term_use_unallocated_ttys(checkpc_t)
-')
-
-optional_policy(`
-	cron_system_entry(checkpc_t,checkpc_exec_t)
-')
-
-optional_policy(`
-	logging_send_syslog_msg(checkpc_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(checkpc_t)
-')
-
-########################################
-#
-# Lpd local policy
-#
-
-allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
-dontaudit lpd_t self:capability sys_tty_config;
-allow lpd_t self:process signal_perms;
-allow lpd_t self:fifo_file rw_file_perms;
-allow lpd_t self:unix_stream_socket create_stream_socket_perms;
-allow lpd_t self:unix_dgram_socket create_socket_perms;
-allow lpd_t self:tcp_socket create_stream_socket_perms;
-allow lpd_t self:udp_socket create_stream_socket_perms;
-
-allow lpd_t lpd_tmp_t:dir create_dir_perms;
-allow lpd_t lpd_tmp_t:file create_file_perms;
-files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
-
-allow lpd_t lpd_var_run_t:dir rw_dir_perms;
-allow lpd_t lpd_var_run_t:file create_file_perms;
-allow lpd_t lpd_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(lpd_t,lpd_var_run_t,file)
-
-# Write to /var/spool/lpd.
-allow lpd_t print_spool_t:dir rw_dir_perms;
-allow lpd_t print_spool_t:file create_file_perms;
-allow lpd_t print_spool_t:file rw_file_perms;
-files_search_spool(lpd_t)
-
-# lpd must be able to execute the filter utilities in /usr/share/printconf.
-allow lpd_t printconf_t:dir { getattr search read };
-can_exec(lpd_t, printconf_t)
-
-# Create and bind to /dev/printer.
-allow lpd_t printer_t:lnk_file create_lnk_perms;
-dev_filetrans(lpd_t,printer_t,lnk_file)
-# cjp: I believe these have no effect:
-allow lpd_t printer_t:unix_stream_socket name_bind;
-allow lpd_t printer_t:unix_dgram_socket name_bind;
-
-kernel_read_kernel_sysctls(lpd_t)
-kernel_tcp_recvfrom(lpd_t)
-# bash wants access to /proc/meminfo
-kernel_read_system_state(lpd_t)
-
-corenet_non_ipsec_sendrecv(lpd_t)
-corenet_tcp_sendrecv_all_if(lpd_t)
-corenet_udp_sendrecv_all_if(lpd_t)
-corenet_tcp_sendrecv_all_nodes(lpd_t)
-corenet_udp_sendrecv_all_nodes(lpd_t)
-corenet_tcp_sendrecv_all_ports(lpd_t)
-corenet_udp_sendrecv_all_ports(lpd_t)
-corenet_tcp_bind_all_nodes(lpd_t)
-corenet_tcp_bind_printer_port(lpd_t)
-corenet_sendrecv_printer_server_packets(lpd_t)
-
-dev_read_sysfs(lpd_t)
-dev_rw_printer(lpd_t)
-
-fs_getattr_all_fs(lpd_t)
-fs_search_auto_mountpoints(lpd_t)
-
-term_dontaudit_use_console(lpd_t)
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-corecmd_exec_bin(lpd_t)
-corecmd_exec_sbin(lpd_t)
-corecmd_exec_shell(lpd_t)
-
-domain_use_interactive_fds(lpd_t)
-
-files_read_etc_runtime_files(lpd_t)
-files_read_usr_files(lpd_t)
-# for defoma
-files_list_world_readable(lpd_t)
-files_read_world_readable_files(lpd_t)
-files_read_world_readable_symlinks(lpd_t)
-files_list_var_lib(lpd_t)
-files_read_var_lib_files(lpd_t)
-files_read_var_lib_symlinks(lpd_t)
-# config files for lpd are of type etc_t, probably should change this
-files_read_etc_files(lpd_t)
-
-init_use_fds(lpd_t)
-init_use_script_ptys(lpd_t)
-
-libs_use_ld_so(lpd_t)
-libs_use_shared_libs(lpd_t)
-
-logging_send_syslog_msg(lpd_t)
-
-miscfiles_read_fonts(lpd_t)
-miscfiles_read_localization(lpd_t)
-
-sysnet_read_config(lpd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(lpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(lpd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(lpd_t)
-	term_dontaudit_use_generic_ptys(lpd_t)
-	files_dontaudit_read_root_files(lpd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(lpd_t)
-	nis_tcp_connect_ypbind(lpd_t)
-')
-
-optional_policy(`
-	portmap_udp_send(lpd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(lpd_t)
-')
-
-optional_policy(`
-	udev_read_db(lpd_t)
-')
diff --git a/refpolicy/policy/modules/services/mailman.fc b/refpolicy/policy/modules/services/mailman.fc
deleted file mode 100644
index 839017f..0000000
--- a/refpolicy/policy/modules/services/mailman.fc
+++ /dev/null
@@ -1,33 +0,0 @@
-/usr/lib/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-
-/var/lib/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
-/var/lib/mailman/archives(/.*)?		gen_context(system_u:object_r:mailman_archive_t,s0)
-/var/log/mailman(/.*)?			gen_context(system_u:object_r:mailman_log_t,s0)
-/var/run/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
-
-#
-# distro_debian
-#
-ifdef(`distro_debian', `
-/etc/cron\.daily/mailman 	-- 	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/etc/cron\.monthly/mailman 	-- 	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-
-/usr/lib/cgi-bin/mailman/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman/mail/wrapper 	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-')
-
-#
-# distro_redhat
-#
-ifdef(`distro_redhat', `
-/etc/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
-
-/usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman/scripts/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-
-/var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
-/var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
-')
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
deleted file mode 100644
index 68a2588..0000000
--- a/refpolicy/policy/modules/services/mailman.if
+++ /dev/null
@@ -1,335 +0,0 @@
-## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
-
-#######################################
-## <summary>
-##	The template to define a mailmain domain.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a domain to be used for
-##	a new mailman daemon.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The type of daemon to be used eg, cgi would give mailman_cgi_
-##	</summary>
-## </param>
-#
-template(`mailman_domain_template', `
-	type mailman_$1_t;
-	domain_type(mailman_$1_t)
-	role system_r types mailman_$1_t;
-
-	type mailman_$1_exec_t;
-	domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
-
-	type mailman_$1_tmp_t;
-	files_tmp_file(mailman_$1_tmp_t)
-
-	allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
-	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
-	allow mailman_$1_t self:udp_socket create_socket_perms;
-
-	allow mailman_$1_t mailman_data_t:dir create_dir_perms;
-	allow mailman_$1_t mailman_data_t:file create_file_perms;
-	allow mailman_$1_t mailman_data_t:lnk_file create_lnk_perms;
-
-	allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
-	allow mailman_$1_t mailman_lock_t:file create_file_perms;
-	files_lock_filetrans(mailman_$1_t,mailman_lock_t,file)
-
-	allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
-	allow mailman_$1_t mailman_log_t:file create_file_perms;
-	logging_log_filetrans(mailman_$1_t,mailman_log_t,file)
-
-	allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
-	allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
-	files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
-
-	kernel_read_kernel_sysctls(mailman_$1_t)
-	kernel_read_system_state(mailman_$1_t)
-
-	corenet_non_ipsec_sendrecv(mailman_$1_t)
-	corenet_tcp_sendrecv_all_if(mailman_$1_t)
-	corenet_udp_sendrecv_all_if(mailman_$1_t)
-	corenet_raw_sendrecv_all_if(mailman_$1_t)
-	corenet_tcp_sendrecv_all_nodes(mailman_$1_t)
-	corenet_udp_sendrecv_all_nodes(mailman_$1_t)
-	corenet_raw_sendrecv_all_nodes(mailman_$1_t)
-	corenet_tcp_sendrecv_all_ports(mailman_$1_t)
-	corenet_udp_sendrecv_all_ports(mailman_$1_t)
-	corenet_tcp_bind_all_nodes(mailman_$1_t)
-	corenet_udp_bind_all_nodes(mailman_$1_t)
-	corenet_tcp_connect_smtp_port(mailman_$1_t)
-	corenet_sendrecv_smtp_client_packets(mailman_$1_t)
-
-	fs_getattr_xattr_fs(mailman_$1_t)
-
-	corecmd_exec_all_executables(mailman_$1_t)
-
-	files_exec_etc_files(mailman_$1_t)
-	files_list_usr(mailman_$1_t)
-	files_list_var(mailman_$1_t)
-	files_list_var_lib(mailman_$1_t)
-	files_read_var_lib_symlinks(mailman_$1_t)
-	files_read_etc_runtime_files(mailman_$1_t)
-
-	libs_use_ld_so(mailman_$1_t)
-	libs_use_shared_libs(mailman_$1_t)
-	libs_exec_ld_so(mailman_$1_t)
-	libs_exec_lib_files(mailman_$1_t)
-
-	logging_send_syslog_msg(mailman_$1_t)
-
-	miscfiles_read_localization(mailman_$1_t)
-
-	sysnet_read_config(mailman_$1_t)
-
-	optional_policy(`
-		nis_use_ypbind(mailman_$1_t)
-	')
-')
-
-#######################################
-## <summary>
-##	Execute mailman in the mailman domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mailman_domtrans',`
-	gen_require(`
-		type mailman_mail_exec_t, mailman_mail_t;
-	')
-
-	domain_auto_trans($1, mailman_mail_exec_t, mailman_mail_t)
-
-	allow $1 mailman_mail_t:fd use;
-	allow mailman_mail_t $1:fd use;
-	allow mailman_mail_t $1:fifo_file rw_file_perms;
-	allow mailman_mail_t $1:process sigchld;
-')
-
-#######################################
-## <summary>
-##	Execute mailman CGI scripts in the 
-##	mailman CGI domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mailman_domtrans_cgi',`
-	gen_require(`
-		type mailman_cgi_exec_t, mailman_cgi_t;
-	')
-
-	domain_auto_trans($1, mailman_cgi_exec_t, mailman_cgi_t)
-
-	allow $1 mailman_cgi_t:fd use;
-	allow mailman_cgi_t $1:fd use;
-	allow mailman_cgi_t $1:fifo_file rw_file_perms;
-	allow mailman_cgi_t $1:process sigchld;
-')
-
-#######################################
-## <summary>
-##	Execute mailman in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowd access.
-##	</summary>
-## </param>
-#
-interface(`mailman_exec',`
-	gen_require(`
-		type mailman_mail_exec_t;
-	')
-
-	can_exec($1,mailman_mail_exec_t)
-')
-
-#######################################
-## <summary>
-##	Send generic signals to the mailman cgi domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mailman_signal_cgi',`
-	gen_require(`
-		type mailman_cgi_t;
-	')
-
-	allow $1 mailman_cgi_t:process signal;
-')
-
-#######################################
-## <summary>
-##	Allow domain to search data directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mailman_search_data',`
-	gen_require(`
-		type mailman_data_t;
-	')
-
-	allow $1 mailman_data_t:dir search_dir_perms;
-')
-
-#######################################
-## <summary>
-##	Allow domain to to read mailman data files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mailman_read_data_files',`
-	gen_require(`
-		type mailman_data_t;
-	')
-
-	allow $1 mailman_data_t:dir search_dir_perms;
-	allow $1 mailman_data_t:file read_file_perms;
-')
-
-#######################################
-## <summary>
-##	Allow domain to to create mailman data files
-##	and write the directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mailman_manage_data_files',`
-	gen_require(`
-		type mailman_data_t;
-	')
-
-	allow $1 mailman_data_t:dir rw_dir_perms;
-	allow $1 mailman_data_t:file manage_file_perms;
-')
-
-#######################################
-## <summary>
-##	List the contents of mailman data directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mailman_list_data',`
-	gen_require(`
-		type mailman_data_t;
-	')
-
-	allow $1 mailman_data_t:dir r_dir_perms;
-')
-
-#######################################
-## <summary>
-##	Allow read acces to mailman data symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mailman_read_data_symlinks',`
-	gen_require(`
-		type mailman_data_t;
-	')
-
-	allow $1 mailman_data_t:dir search;
-	allow $1 mailman_data_t:lnk_file read;
-')
-
-#######################################
-## <summary>
-##	Create, read, write, and delete
-##	mailman logs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mailman_manage_log',`
-	gen_require(`
-		type mailman_log_t;
-	')
-
-	allow $1 mailman_log_t:dir rw_dir_perms;
-	allow $1 mailman_log_t:file create_file_perms;
-	allow $1 mailman_log_t:lnk_file create_lnk_perms;
-')
-
-#######################################
-## <summary>
-##	Allow domain to read mailman archive files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mailman_read_archive',`
-	gen_require(`
-		type mailman_archive_t;
-	')
-
-	allow $1 mailman_archive_t:dir list_dir_perms;
-	allow $1 mailman_archive_t:file r_file_perms;
-	allow $1 mailman_archive_t:lnk_file { getattr read };
-')
-
-
-#######################################
-## <summary>
-##	Execute mailman_queue in the mailman_queue domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mailman_domtrans_queue',`
-	gen_require(`
-		type mailman_queue_exec_t, mailman_queue_t;
-	')
-
-	domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)
-
-	allow $1 mailman_queue_t:fd use;
-	allow mailman_queue_t $1:fd use;
-	allow mailman_queue_t $1:fifo_file rw_file_perms;
-	allow mailman_queue_t $1:process sigchld;
-')
-
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
deleted file mode 100644
index f5ccc55..0000000
--- a/refpolicy/policy/modules/services/mailman.te
+++ /dev/null
@@ -1,114 +0,0 @@
-
-policy_module(mailman,1.1.5)
-
-########################################
-#
-# Declarations
-#
-
-mailman_domain_template(cgi)
-
-type mailman_data_t;
-files_type(mailman_data_t)
-
-type mailman_archive_t;
-files_type(mailman_archive_t)
-
-type mailman_log_t;
-logging_log_file(mailman_log_t)
-
-type mailman_lock_t;
-files_lock_file(mailman_lock_t)
-
-mailman_domain_template(mail)
-init_daemon_domain(mailman_mail_t,mailman_mail_exec_t)
-
-mailman_domain_template(queue)
-
-########################################
-#
-# Mailman CGI local policy
-#
-
-# cjp: the template invocation for queue should be
-# in the below optional policy; however, there are no
-# optionals for file contexts yet, so it is promoted
-# to global scope until such facilities exist.
-
-optional_policy(`
-	allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
-	allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
-	allow mailman_cgi_t mailman_archive_t:file create_file_perms;
-
-	kernel_tcp_recvfrom(mailman_cgi_t)
-
-	term_use_controlling_term(mailman_cgi_t)
-
-	files_search_spool(mailman_cgi_t)
-
-	mta_tcp_connect_all_mailservers(mailman_cgi_t)
-
-	apache_sigchld(mailman_cgi_t)
-	apache_use_fds(mailman_cgi_t)
-	apache_dontaudit_append_log(mailman_cgi_t)
-	apache_search_sys_script_state(mailman_cgi_t)
-')
-
-########################################
-#
-# Mailman mail local policy
-#
-
-allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
-
-mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
-
-ifdef(`TODO',`
-optional_policy(`
-	allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
-	# do we really need this?
-	allow mailman_mail_t qmail_lspawn_t:fifo_file write;
-')
-')
-
-########################################
-#
-# Mailman queue local policy
-#
-
-allow mailman_queue_t self:capability { setgid setuid };
-allow mailman_queue_t self:process signal;
-allow mailman_queue_t self:fifo_file rw_file_perms;
-allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
-allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow mailman_queue_t mailman_archive_t:dir create_dir_perms;
-allow mailman_queue_t mailman_archive_t:file create_file_perms;
-allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms;
-
-kernel_read_proc_symlinks(mailman_queue_t)
-kernel_tcp_recvfrom(mailman_queue_t)
-
-auth_domtrans_chk_passwd(mailman_queue_t)
-
-files_dontaudit_search_pids(mailman_queue_t)
-
-# for su
-seutil_dontaudit_search_config(mailman_queue_t)
-
-# some of the following could probably be changed to dontaudit, someone who
-# knows mailman well should test this out and send the changes
-userdom_search_sysadm_home_dirs(mailman_queue_t)
-userdom_getattr_sysadm_home_dirs(mailman_queue_t)
-
-mta_tcp_connect_all_mailservers(mailman_queue_t)
-
-su_exec(mailman_queue_t)
-
-optional_policy(`
-	cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
-')
-
-optional_policy(`
-	nscd_socket_use(mailman_queue_t)
-')
diff --git a/refpolicy/policy/modules/services/metadata.xml b/refpolicy/policy/modules/services/metadata.xml
deleted file mode 100644
index 4e6ec17..0000000
--- a/refpolicy/policy/modules/services/metadata.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-<summary>
-	Policy modules for system services, like cron, and network services,
-	like sshd.
-</summary>
diff --git a/refpolicy/policy/modules/services/monop.fc b/refpolicy/policy/modules/services/monop.fc
deleted file mode 100644
index 9ee4028..0000000
--- a/refpolicy/policy/modules/services/monop.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/etc/monopd\.conf	--	gen_context(system_u:object_r:monopd_etc_t,s0)
-
-/usr/sbin/monopd	--	gen_context(system_u:object_r:monopd_exec_t,s0)
-/usr/share/monopd/games(/.*)?	gen_context(system_u:object_r:monopd_share_t,s0)
diff --git a/refpolicy/policy/modules/services/monop.if b/refpolicy/policy/modules/services/monop.if
deleted file mode 100644
index 2611351..0000000
--- a/refpolicy/policy/modules/services/monop.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Monopoly daemon</summary>
diff --git a/refpolicy/policy/modules/services/monop.te b/refpolicy/policy/modules/services/monop.te
deleted file mode 100644
index dc24c3c..0000000
--- a/refpolicy/policy/modules/services/monop.te
+++ /dev/null
@@ -1,100 +0,0 @@
-
-policy_module(monop,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type monopd_t;
-type monopd_exec_t;
-init_daemon_domain(monopd_t,monopd_exec_t)
-
-type monopd_etc_t;
-files_config_file(monopd_etc_t)
-
-type monopd_share_t;
-files_type(monopd_share_t)
-
-type monopd_var_run_t;
-files_pid_file(monopd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit monopd_t self:capability sys_tty_config;
-allow monopd_t self:process signal_perms;
-allow monopd_t self:tcp_socket create_stream_socket_perms;
-allow monopd_t self:udp_socket create_socket_perms;
-
-allow monopd_t monopd_etc_t:file { getattr read };
-files_search_etc(monopd_t)
-
-allow monopd_t monopd_share_t:dir r_dir_perms;
-allow monopd_t monopd_share_t:file r_file_perms;
-allow monopd_t monopd_share_t:lnk_file { getattr read };
-
-allow monopd_t monopd_var_run_t:file create_file_perms;
-allow monopd_t monopd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(monopd_t,monopd_var_run_t,file)
-
-kernel_read_kernel_sysctls(monopd_t)
-kernel_list_proc(monopd_t)
-kernel_read_proc_symlinks(monopd_t)
-
-corenet_non_ipsec_sendrecv(monopd_t)
-corenet_tcp_sendrecv_generic_if(monopd_t)
-corenet_udp_sendrecv_generic_if(monopd_t)
-corenet_tcp_sendrecv_all_nodes(monopd_t)
-corenet_udp_sendrecv_all_nodes(monopd_t)
-corenet_tcp_sendrecv_all_ports(monopd_t)
-corenet_udp_sendrecv_all_ports(monopd_t)
-corenet_tcp_bind_all_nodes(monopd_t)
-corenet_tcp_bind_monopd_port(monopd_t)
-corenet_sendrecv_monopd_server_packets(monopd_t)
-
-dev_read_sysfs(monopd_t)
-
-domain_use_interactive_fds(monopd_t)
-
-files_read_etc_files(monopd_t)
-
-fs_getattr_all_fs(monopd_t)
-fs_search_auto_mountpoints(monopd_t)
-
-term_dontaudit_use_console(monopd_t)
-
-init_use_fds(monopd_t)
-init_use_script_ptys(monopd_t)
-
-libs_use_ld_so(monopd_t)
-libs_use_shared_libs(monopd_t)
-
-logging_send_syslog_msg(monopd_t)
-
-miscfiles_read_localization(monopd_t)
-
-sysnet_read_config(monopd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(monopd_t)
-userdom_dontaudit_search_sysadm_home_dirs(monopd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(monopd_t)
-	term_dontaudit_use_generic_ptys(monopd_t)
-	files_dontaudit_read_root_files(monopd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(monopd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(monopd_t)
-')
-
-optional_policy(`
-	udev_read_db(monopd_t)
-')
diff --git a/refpolicy/policy/modules/services/mta.fc b/refpolicy/policy/modules/services/mta.fc
deleted file mode 100644
index 14ff65c..0000000
--- a/refpolicy/policy/modules/services/mta.fc
+++ /dev/null
@@ -1,25 +0,0 @@
-
-/etc/aliases		--	gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/mail(/.*)?			gen_context(system_u:object_r:etc_mail_t,s0)
-ifdef(`distro_redhat',`
-/etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
-')
-
-/usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-
-/usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/sendmail.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/sendmail(.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
-/var/mail(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
-
-/var/qmail/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-
-/var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
-/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
-/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
-
-#ifdef(`postfix.te', `', `
-#/var/spool/postfix(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
-#')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
deleted file mode 100644
index 0aeaf6e..0000000
--- a/refpolicy/policy/modules/services/mta.if
+++ /dev/null
@@ -1,898 +0,0 @@
-## <summary>Policy common to all email tranfer agents.</summary>
-
-########################################
-## <summary>
-##	MTA stub interface.  No access allowed.
-## </summary>
-## <param name="domain" optional="true">
-##	<summary>
-##	N/A
-##	</summary>
-## </param>
-#
-interface(`mta_stub',`
-	gen_require(`
-		type sendmail_exec_t;
-	')
-')
-
-#######################################
-## <summary>
-##	Basic mail transfer agent domain template.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is
-##	a email transfer agent, which sends mail on
-##	behalf of the user.
-##	</p>
-##	<p>
-##	This is the basic types and rules, common
-##	to the system agent and user agents.
-##	</p>
-## </desc>
-## <param name="domain_prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`mta_base_mail_template',`
-
-	##############################
-	#
-	# $1_mail_t declarations
-	#
-
-	type $1_mail_t, user_mail_domain;
-	domain_type($1_mail_t)
-	domain_entry_file($1_mail_t,sendmail_exec_t)
-
-	type $1_mail_tmp_t;
-	files_tmp_file($1_mail_tmp_t)
-
-	##############################
-	#
-	# $1_mail_t local policy
-	#
-
-	allow $1_mail_t self:capability { setuid setgid chown };
-	allow $1_mail_t self:process { signal_perms setrlimit };
-	allow $1_mail_t self:tcp_socket create_socket_perms;
-
-	# re-exec itself
-	can_exec($1_mail_t, sendmail_exec_t)
-	allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
-
-	kernel_read_kernel_sysctls($1_mail_t)
-
-	corenet_non_ipsec_sendrecv($1_mail_t)
-	corenet_tcp_sendrecv_all_if($1_mail_t)
-	corenet_tcp_sendrecv_all_nodes($1_mail_t)
-	corenet_tcp_sendrecv_all_ports($1_mail_t)
-	corenet_tcp_connect_all_ports($1_mail_t)
-	corenet_tcp_connect_smtp_port($1_mail_t)
-	corenet_sendrecv_smtp_client_packets($1_mail_t)
-
-	corecmd_exec_bin($1_mail_t)
-	corecmd_search_sbin($1_mail_t)
-
-	files_read_etc_files($1_mail_t)
-	files_search_spool($1_mail_t)
-	# It wants to check for nscd
-	files_dontaudit_search_pids($1_mail_t)
-
-	libs_use_ld_so($1_mail_t)
-	libs_use_shared_libs($1_mail_t)
-
-	logging_send_syslog_msg($1_mail_t)
-
-	miscfiles_read_localization($1_mail_t)
-
-	sysnet_read_config($1_mail_t)
-	sysnet_dns_name_resolve($1_mail_t)
-
-	optional_policy(`
-		nis_use_ypbind($1_mail_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_mail_t)
-	')
-
-	optional_policy(`
-		postfix_domtrans_user_mail_handler($1_mail_t)
-	')
-
-	optional_policy(`
-		procmail_exec($1_mail_t)
-	')
-
-	optional_policy(`
-		qmail_domtrans_inject($1_mail_t)
-	')
-
-	optional_policy(`
-		gen_require(`
-			type etc_mail_t, mail_spool_t, mqueue_spool_t;
-		')
-
-		allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
-		allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
-		files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
-
-		allow $1_mail_t etc_mail_t:dir { getattr search };
-
-		# Write to /var/spool/mail and /var/spool/mqueue.
-		allow $1_mail_t mail_spool_t:dir rw_dir_perms;
-		allow $1_mail_t mail_spool_t:file create_file_perms;
-		allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
-		allow $1_mail_t mqueue_spool_t:file create_file_perms;
-
-		# Check available space.
-		fs_getattr_xattr_fs($1_mail_t)
-
-		files_read_etc_runtime_files($1_mail_t)
-
-		# Write to /var/log/sendmail.st
-		sendmail_manage_log($1_mail_t)
-		sendmail_create_log($1_mail_t)
-	')
-
-')
-
-#######################################
-## <summary>
-##	The per user domain template for the mta module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is
-##	a email transfer agent, which sends mail on
-##	behalf of the user.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`mta_per_userdomain_template',`
-
-	##############################
-	#
-	# Declarations
-	#
-
-	mta_base_mail_template($1)
-	role $3 types $1_mail_t;
-
-	##############################
-	#
-	# $1_mail_t local policy
-	#
-
-	# Transition from the user domain to the derived domain.
-	domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
-	allow $2 sendmail_exec_t:lnk_file { getattr read };
-
-	allow $2 $1_mail_t:fd use;
-	allow $1_mail_t $2:fd use;
-	allow $1_mail_t $2:fifo_file rw_file_perms;
-	allow $1_mail_t $2:process sigchld;
-
-	# For when the user wants to send mail via port 25 localhost
-	kernel_tcp_recvfrom($2)
-	allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
-	allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
-
-	domain_use_interactive_fds($1_mail_t)
-
-	userdom_use_user_terminals($1,$1_mail_t)
-	# Write to the user domain tty. cjp: why?
-	userdom_use_user_terminals($1,mta_user_agent)
-	# Create dead.letter in user home directories.
-	userdom_manage_user_home_content_files($1,$1_mail_t)
-	userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file)
-	# for reading .forward - maybe we need a new type for it?
-	# also for delivering mail to maildir
-	userdom_manage_user_home_content_dirs($1,mailserver_delivery)
-	userdom_manage_user_home_content_files($1,mailserver_delivery)
-	userdom_manage_user_home_content_symlinks($1,mailserver_delivery)
-	userdom_manage_user_home_content_pipes($1,mailserver_delivery)
-	userdom_manage_user_home_content_sockets($1,mailserver_delivery)
-	userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
-	# Read user temporary files.
-	userdom_read_user_tmp_files($1,$1_mail_t)
-	userdom_dontaudit_append_user_tmp_files($1,$1_mail_t)
-	# cjp: this should probably be read all user tmp
-	# files in an appropriate place for mta_user_agent
-	userdom_read_user_tmp_files($1,mta_user_agent)
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_mail_t)
-		fs_manage_cifs_symlinks($1_mail_t)
-	')
-
-	optional_policy(`
-		allow $1_mail_t self:capability dac_override;
-
-		# Read user temporary files.
-		# postfix seems to need write access if the file handle is opened read/write
-		userdom_rw_user_tmp_files($1,$1_mail_t)
-
-		postfix_read_config($1_mail_t)
-		postfix_list_spool($1_mail_t)
-	')
-')
-
-########################################
-## <summary>
-##	Provide extra permissions for admin users
-##	mail domain.
-## </summary>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-#
-template(`mta_admin_template',`
-	gen_require(`
-		type $1_mail_t;
-	')
-
-	ifdef(`strict_policy',`
-		# allow the sysadmin to do "mail someone < /home/user/whatever"
-		userdom_read_unpriv_users_home_content_files($1_mail_t)
-	')
-
-	optional_policy(`
-		gen_require(`
-			attribute mta_user_agent;
-			type etc_aliases_t;
-		')
-
-		allow mta_user_agent $2:fifo_file { read write };
-
-		allow $1_mail_t etc_aliases_t:dir create_dir_perms;
-		allow $1_mail_t etc_aliases_t:file create_file_perms;
-		allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms;
-		allow $1_mail_t etc_aliases_t:sock_file create_file_perms;
-		allow $1_mail_t etc_aliases_t:fifo_file create_file_perms;
-		files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
-
-		# postfix needs this for newaliases
-		files_getattr_tmp_dirs($1_mail_t)
-
-		postfix_exec_master($1_mail_t)
-
-		ifdef(`distro_redhat',`
-			# compatability for old default main.cf
-			postfix_config_filetrans($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
-		')
-	')
-')
-
-########################################
-## <summary>
-##	Make the specified domain usable for a mail server.
-## </summary>
-## <param name="type">
-##	<summary>
-##	Type to be used as a mail server domain.
-##	</summary>
-## </param>
-#
-interface(`mta_mailserver',`
-	gen_require(`
-		attribute mailserver_domain;
-	')
-
-	# For when the user wants to send mail via port 25 localhost
-	kernel_tcp_recvfrom($1)
-
-	init_daemon_domain($1,$2)
-	typeattribute $1 mailserver_domain;
-')
-
-########################################
-## <summary>
-##	Modified mailserver interface for
-##	sendmail daemon use.
-## </summary>
-## <desc>
-##	<p>
-##	A modified MTA mail server interface for
-##	the sendmail program.  It's design does
-##	not fit well with policy, and using the
-##	regular interface causes a type_transition
-##	conflict if direct running of init scripts
-##	is enabled.
-##	</p>
-##	<p>
-##	This interface should most likely only be used
-##	by the sendmail policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	The type to be used for the mail server.
-##	</summary>
-## </param>
-## <param name="entry_point">
-##	<summary>
-##	The type to be used for the domain entry point program.
-##	</summary>
-## </param>
-interface(`mta_sendmail_mailserver',`
-	gen_require(`
-		attribute mailserver_domain;
-		type sendmail_exec_t;
-	')
-
-	# For when the user wants to send mail via port 25 localhost
-	kernel_tcp_recvfrom($1)
-
-	init_system_domain($1,sendmail_exec_t)
-	typeattribute $1 mailserver_domain;
-')
-
-#######################################
-## <summary>
-##	Make a type a mailserver type used
-##	for sending mail.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Mail server domain type used for sending mail.
-##	</summary>
-## </param>
-#
-interface(`mta_mailserver_sender',`
-	gen_require(`
-		attribute mailserver_sender;
-	')
-
-	typeattribute $1 mailserver_sender;
-')
-
-#######################################
-## <summary>
-##	Make a type a mailserver type used
-##	for delivering mail to local users.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Mail server domain type used for delivering mail.
-##	</summary>
-## </param>
-#
-interface(`mta_mailserver_delivery',`
-	gen_require(`
-		attribute mailserver_delivery;
-		type mail_spool_t;
-	')
-
-	typeattribute $1 mailserver_delivery;
-
-	allow $1 mail_spool_t:dir ra_dir_perms;
-	allow $1 mail_spool_t:file { create ioctl read getattr lock append };
-	allow $1 mail_spool_t:lnk_file { create read getattr };
-
-	optional_policy(`
-		dovecot_manage_spool($1)
-	')
-
-	optional_policy(`
-		# so MTA can access /var/lib/mailman/mail/wrapper
-		files_search_var_lib($1)
-
-		mailman_domtrans($1)
-		mailman_read_data_symlinks($1)
-	')
-')
-
-#######################################
-## <summary>
-##	Make a type a mailserver type used
-##	for sending mail on behalf of local
-##	users to the local mail spool.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Mail server domain type used for sending local mail.
-##	</summary>
-## </param>
-#
-interface(`mta_mailserver_user_agent',`
-	gen_require(`
-		attribute mta_user_agent;
-	')
-
-	typeattribute $1 mta_user_agent;
-
-	optional_policy(`
-		# apache should set close-on-exec
-		apache_dontaudit_rw_stream_sockets($1)
-		apache_dontaudit_rw_sys_script_stream_sockets($1)
-	')
-')
-
-########################################
-## <summary>
-##	Send mail from the system.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_send_mail',`
-	gen_require(`
-		attribute mta_user_agent;
-		type system_mail_t, sendmail_exec_t;
-	')
-
-	allow $1 sendmail_exec_t:lnk_file r_file_perms;
-	domain_auto_trans($1, sendmail_exec_t, system_mail_t)
-
-	allow $1 system_mail_t:fd use;
-	allow system_mail_t $1:fd use;
-	allow system_mail_t $1:fifo_file rw_file_perms;
-	allow system_mail_t $1:process sigchld;
-
-	allow mta_user_agent $1:fd use;
-	allow mta_user_agent $1:process sigchld;
-	allow mta_user_agent $1:fifo_file { read write };
-')
-
-########################################
-## <summary>
-##	Execute send mail in a specified domain.
-## </summary>
-## <desc>
-##      <p>
-##	Execute send mail in a specified domain.
-##      </p>
-##      <p>
-##      No interprocess communication (signals, pipes,
-##      etc.) is provided by this interface since
-##      the domains are not owned by this module.
-##      </p>
-## </desc>
-## <param name="source_domain">
-##	<summary>
-##	Domain to transition from.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	Domain to transition to.
-##	</summary>
-## </param>
-#
-interface(`mta_sendmail_domtrans',`
-	gen_require(`
-		type sendmail_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_read_sbin_symlinks($1)
-	domain_auto_trans($1,sendmail_exec_t,$2)
-')
-
-########################################
-## <summary>
-##	Execute sendmail in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_sendmail_exec',`
-	gen_require(`
-		type sendmail_exec_t;
-	')
-
-	can_exec($1, sendmail_exec_t)
-	errprint(`bah $1'__endline__)
-')
-
-########################################
-## <summary>
-##	Read mail server configuration.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_read_config',`
-	gen_require(`
-		type etc_mail_t;
-	')
-
-	files_search_etc($1)
-	allow $1 etc_mail_t:dir list_dir_perms;
-	allow $1 etc_mail_t:file r_file_perms;
-	allow $1 etc_mail_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read mail address aliases.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_read_aliases',`
-	gen_require(`
-		type etc_aliases_t;
-	')
-
-	files_search_etc($1)
-	allow $1 etc_aliases_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Type transition files created in /etc
-##	to the mail address aliases type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_etc_filetrans_aliases',`
-	gen_require(`
-		type etc_aliases_t;
-	')
-
-	files_etc_filetrans($1,etc_aliases_t, file)
-')
-
-########################################
-## <summary>
-##	Read and write mail aliases.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_rw_aliases',`
-	gen_require(`
-		type etc_aliases_t;
-	')
-
-	files_search_etc($1)
-	allow $1 etc_aliases_t:file { rw_file_perms setattr };
-')
-
-#######################################
-## <summary>
-##	Do not audit attempts to read and write TCP
-##	sockets of mail delivery domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Mail server domain.
-##	</summary>
-## </param>
-#
-interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
-	gen_require(`
-		attribute mailserver_delivery;
-	')
-
-	dontaudit $1 mailserver_delivery:tcp_socket { read write };
-')
-
-#######################################
-## <summary>
-##	Connect to all mail servers over TCP.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Mail server domain.
-##	</summary>
-## </param>
-#
-interface(`mta_tcp_connect_all_mailservers',`
-	gen_require(`
-		attribute mailserver_domain;
-	')
-
-	allow $1 mailserver_domain:tcp_socket { connectto recvfrom };
-	allow mailserver_domain $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
-
-#######################################
-## <summary>
-##	Do not audit attempts to read a symlink
-##	in the mail spool.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_dontaudit_read_spool_symlinks',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	dontaudit $1 mail_spool_t:lnk_file read;
-')
-
-########################################
-## <summary>
-##	Get the attributes of mail spool files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_getattr_spool',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mail_spool_t:dir r_dir_perms;
-	allow $1 mail_spool_t:lnk_file read;
-	allow $1 mail_spool_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of mail spool files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`mta_dontaudit_getattr_spool_files',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_dontaudit_search_spool($1)
-	dontaudit $1 mail_spool_t:dir search;
-	dontaudit $1 mail_spool_t:lnk_file read;
-	dontaudit $1 mail_spool_t:file getattr;
-')
-
-#######################################
-## <summary>
-##	Create private objects in the 
-##	mail spool directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`mta_spool_filetrans',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mail_spool_t:dir rw_dir_perms;
-	type_transition $1 mail_spool_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Read and write the mail spool.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_rw_spool',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mail_spool_t:dir r_dir_perms;
-	allow $1 mail_spool_t:lnk_file { getattr read };
-	allow $1 mail_spool_t:file { rw_file_perms setattr };
-')
-
-#######################################
-## <summary>
-##	Create, read, and write the mail spool.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_append_spool',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mail_spool_t:dir ra_dir_perms;
-	allow $1 mail_spool_t:lnk_file { getattr read };
-	allow $1 mail_spool_t:file create_file_perms;
-')
-
-#######################################
-## <summary>
-##	Delete from the mail spool.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_delete_spool',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mail_spool_t:dir { list_dir_perms write remove_name };
-	allow $1 mail_spool_t:file unlink;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete mail spool files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_manage_spool',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mail_spool_t:dir manage_dir_perms;
-	allow $1 mail_spool_t:lnk_file create_lnk_perms;
-	allow $1 mail_spool_t:file manage_file_perms;
-')
-
-#######################################
-## <summary>
-##	Do not audit attempts to read and
-##	write the mail queue.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`mta_dontaudit_rw_queue',`
-	gen_require(`
-		type mqueue_spool_t;
-	')
-
-	dontaudit $1 mqueue_spool_t:file { getattr read write };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	mail queue files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_manage_queue',`
-	gen_require(`
-		type mqueue_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mqueue_spool_t:dir rw_dir_perms;
-	allow $1 mqueue_spool_t:file create_file_perms;
-')
-
-#######################################
-## <summary>
-##	Read sendmail binary.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for postfix
-interface(`mta_read_sendmail_bin',`
-	gen_require(`
-		type sendmail_exec_t;
-	')
-
-	allow $1 sendmail_exec_t:file r_file_perms;
-')
-
-#######################################
-## <summary>
-##	Read and write unix domain stream sockets
-##	of user mail domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_rw_user_mail_stream_sockets',`
-	gen_require(`
-		attribute user_mail_domain;
-	')
-
-	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
-')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
deleted file mode 100644
index 2e9d8a7..0000000
--- a/refpolicy/policy/modules/services/mta.te
+++ /dev/null
@@ -1,194 +0,0 @@
-
-policy_module(mta,1.3.7)
-
-########################################
-#
-# Declarations
-#
-
-attribute mta_user_agent;
-attribute mailserver_delivery;
-attribute mailserver_domain;
-attribute mailserver_sender;
-
-attribute user_mail_domain;
-
-type etc_aliases_t;
-files_type(etc_aliases_t)
-
-type etc_mail_t;
-files_config_file(etc_mail_t)
-
-type mqueue_spool_t;
-files_type(mqueue_spool_t)
-
-type mail_spool_t;
-files_type(mail_spool_t)
-
-type sendmail_exec_t;
-files_type(sendmail_exec_t)
-
-mta_base_mail_template(system)
-role system_r types system_mail_t;
-
-# cjp: need to resolve this, but require{}
-# does not work in the else part of the optional
-#ifdef(`strict_policy',`
-#	optional_policy(`',`
-#		init_system_domain(system_mail_t,sendmail_exec_t)
-#	')
-#')
-
-########################################
-#
-# System mail local policy
-#
-
-# newalias required this, not sure if it is needed in 'if' file
-allow system_mail_t self:capability { dac_override };
-
-allow system_mail_t etc_mail_t:dir { getattr search };
-allow system_mail_t etc_mail_t:file r_file_perms;
-
-kernel_read_system_state(system_mail_t)
-kernel_read_network_state(system_mail_t)
-
-dev_read_rand(system_mail_t)
-dev_read_urand(system_mail_t)
-
-init_use_script_ptys(system_mail_t)
-
-userdom_use_sysadm_terms(system_mail_t)
-
-ifdef(`targeted_policy',`
-	typealias system_mail_t alias sysadm_mail_t;
-
-	allow system_mail_t mail_spool_t:dir create_dir_perms;
-	allow system_mail_t mail_spool_t:file create_file_perms;
-	allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
-	allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-
-	allow system_mail_t mqueue_spool_t:dir create_dir_perms;
-	allow system_mail_t mqueue_spool_t:file create_file_perms;
-	allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
-
-	# for reading .forward - maybe we need a new type for it?
-	# also for delivering mail to maildir
-	userdom_manage_generic_user_home_content_dirs(mailserver_delivery)
-	userdom_manage_generic_user_home_content_files(mailserver_delivery)
-	userdom_manage_generic_user_home_content_symlinks(mailserver_delivery)
-	userdom_manage_generic_user_home_content_sockets(mailserver_delivery)
-	userdom_manage_generic_user_home_content_pipes(mailserver_delivery)
-	userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
-
-# cjp: another require-in-else to resolve
-#	optional_policy(`',`
-		corecmd_exec_all_executables(system_mail_t)
-
-		files_exec_etc_files(system_mail_t)
-
-		libs_exec_ld_so(system_mail_t)
-		libs_exec_lib_files(system_mail_t)
-#	')
-')
-
-optional_policy(`
-	apache_read_squirrelmail_data(system_mail_t)
-	apache_append_squirrelmail_data(system_mail_t)
-
-	# apache should set close-on-exec
-	apache_dontaudit_append_log(system_mail_t)
-	apache_dontaudit_rw_stream_sockets(system_mail_t)
-	apache_dontaudit_rw_tcp_sockets(system_mail_t)
-	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
-')
-
-optional_policy(`
-	arpwatch_manage_tmp_files(system_mail_t)
-
-	ifdef(`hide_broken_symptoms', `
-		arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
-	')
-')
-
-optional_policy(`
-	cron_read_system_job_tmp_files(system_mail_t)
-	cron_dontaudit_write_pipes(system_mail_t)
-')
-
-optional_policy(`
-	cvs_read_data(system_mail_t)
-')
-
-optional_policy(`
-	logrotate_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
-	logwatch_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
-	nagios_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
-	allow system_mail_t etc_aliases_t:dir create_dir_perms;
-	allow system_mail_t etc_aliases_t:file create_file_perms;
-	allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
-	allow system_mail_t etc_aliases_t:sock_file create_file_perms;
-	allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
-	files_etc_filetrans(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
-
-	domain_use_interactive_fds(system_mail_t)
-
-	# postfix needs this for newaliases
-	files_getattr_tmp_dirs(system_mail_t)
-
-	postfix_exec_master(system_mail_t)
-	postfix_read_config(system_mail_t)
-	postfix_search_spool(system_mail_t)
-
-	ifdef(`distro_redhat',`
-		# compatability for old default main.cf
-		postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
-	')
-
-	optional_policy(`
-		cron_rw_tcp_sockets(system_mail_t)
-	')
-')
-
-optional_policy(`
-	qmail_domtrans_inject(system_mail_t)
-')
-
-optional_policy(`
-	sxid_read_log(system_mail_t)
-')
-
-optional_policy(`
-	userdom_dontaudit_use_unpriv_users_ptys(system_mail_t)
-
-	optional_policy(`
-		cron_dontaudit_append_system_job_tmp_files(system_mail_t)
-	')
-')
-
-optional_policy(`
-	smartmon_read_tmp_files(system_mail_t)
-')
-
-# should break this up among sections:
-
-optional_policy(`
-	# why is mail delivered to a directory of type arpwatch_data_t?
-	arpwatch_search_data(mailserver_delivery)
-	arpwatch_manage_tmp_files(mta_user_agent)
-	ifdef(`hide_broken_symptoms', `
-		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
-	')
-	optional_policy(`
-		cron_read_system_job_tmp_files(mta_user_agent)
-	')
-')
diff --git a/refpolicy/policy/modules/services/munin.fc b/refpolicy/policy/modules/services/munin.fc
deleted file mode 100644
index 54ca668..0000000
--- a/refpolicy/policy/modules/services/munin.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/lrrd(/.*)?				gen_context(system_u:object_r:munin_etc_t,s0)
-
-/usr/bin/lrrd-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
-/usr/sbin/lrrd-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
-/usr/share/lrrd/lrrd-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
-/usr/share/lrrd/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
-
-/var/lib/lrrd(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
-/var/log/lrrd.*			--	gen_context(system_u:object_r:munin_log_t,s0)
-/var/run/lrrd(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
-/var/www/lrrd(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/services/munin.if b/refpolicy/policy/modules/services/munin.if
deleted file mode 100644
index aca3c63..0000000
--- a/refpolicy/policy/modules/services/munin.if
+++ /dev/null
@@ -1,62 +0,0 @@
-## <summary>Munin network-wide load graphing (formerly LRRD)</summary>
-
-########################################
-## <summary>
-##	Connect to munin over a unix domain
-##	stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`munin_stream_connect',`
-	gen_require(`
-		type munin_var_run_t, munin_t;
-	')
-
-	allow $1 munin_t:unix_stream_socket connectto;
-	allow $1 munin_var_run_t:sock_file { getattr write };
-	files_search_pids($1)
-')
-
-#######################################
-## <summary>
-##	Read munin configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`munin_read_config',`
-	gen_require(`
-		type munin_etc_t;
-	')
-
-	allow $1 munin_etc_t:dir list_dir_perms;
-	allow $1 munin_etc_t:file read_file_perms;
-	allow $1 munin_etc_t:lnk_file { getattr read };
-	files_search_etc($1)
-')
-
-#######################################
-## <summary>
-##	Search munin library directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`munin_search_lib',`
-	gen_require(`
-		type munin_var_lib_t;
-	')
-
-	allow $1 munin_var_lib_t:dir search_dir_perms;
-	files_search_var_lib($1)
-')
diff --git a/refpolicy/policy/modules/services/munin.te b/refpolicy/policy/modules/services/munin.te
deleted file mode 100644
index c77591e..0000000
--- a/refpolicy/policy/modules/services/munin.te
+++ /dev/null
@@ -1,131 +0,0 @@
-
-policy_module(munin,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type munin_t alias lrrd_t;
-type munin_exec_t alias lrrd_exec_t;
-init_daemon_domain(munin_t,munin_exec_t)
-
-type munin_etc_t alias lrrd_etc_t;
-files_config_file(munin_etc_t)
-
-type munin_log_t alias lrrd_log_t;
-logging_log_file(munin_log_t)
-
-type munin_tmp_t alias lrrd_tmp_t;
-files_tmp_file(munin_tmp_t)
-
-type munin_var_lib_t alias lrrd_var_lib_t;
-files_type(munin_var_lib_t)
-
-type munin_var_run_t alias lrrd_var_run_t;
-files_pid_file(munin_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow munin_t self:capability { setgid setuid };
-dontaudit munin_t self:capability sys_tty_config;
-allow munin_t self:process { getsched setsched signal_perms };
-allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
-allow munin_t self:tcp_socket create_stream_socket_perms;
-allow munin_t self:udp_socket create_socket_perms;
-
-allow munin_t munin_etc_t:file r_file_perms;
-allow munin_t munin_etc_t:dir r_dir_perms;
-allow munin_t munin_etc_t:lnk_file { getattr read };
-files_search_etc(munin_t)
-
-allow munin_t munin_log_t:file create_file_perms;
-logging_log_filetrans(munin_t,munin_log_t,file)
-
-allow munin_t munin_tmp_t:dir create_dir_perms;
-allow munin_t munin_tmp_t:file create_file_perms;
-files_tmp_filetrans(munin_t, munin_tmp_t, { file dir })
-
-# Allow access to the munin databases
-allow munin_t munin_var_lib_t:dir create_dir_perms;
-allow munin_t munin_var_lib_t:file create_file_perms;
-allow munin_t munin_var_lib_t:lnk_file create_lnk_perms;
-files_search_var_lib(munin_t)
-
-allow munin_t munin_var_run_t:sock_file manage_file_perms;
-allow munin_t munin_var_run_t:file manage_file_perms;
-allow munin_t munin_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(munin_t,munin_var_run_t,file)
-
-kernel_read_system_state(munin_t)
-kernel_read_kernel_sysctls(munin_t)
-
-corecmd_exec_bin(munin_t)
-
-corenet_non_ipsec_sendrecv(munin_t)
-corenet_tcp_sendrecv_generic_if(munin_t)
-corenet_udp_sendrecv_generic_if(munin_t)
-corenet_tcp_sendrecv_all_nodes(munin_t)
-corenet_udp_sendrecv_all_nodes(munin_t)
-corenet_tcp_sendrecv_all_ports(munin_t)
-corenet_udp_sendrecv_all_ports(munin_t)
-
-dev_read_sysfs(munin_t)
-dev_read_urand(munin_t)
-
-domain_use_interactive_fds(munin_t)
-
-files_read_etc_files(munin_t)
-files_read_etc_runtime_files(munin_t)
-files_read_usr_files(munin_t)
-
-fs_getattr_all_fs(munin_t)
-fs_search_auto_mountpoints(munin_t)
-
-term_dontaudit_use_console(munin_t)
-
-init_use_fds(munin_t)
-init_use_script_ptys(munin_t)
-
-libs_use_ld_so(munin_t)
-libs_use_shared_libs(munin_t)
-
-logging_send_syslog_msg(munin_t)
-
-miscfiles_read_localization(munin_t)
-
-sysnet_read_config(munin_t)
-
-userdom_dontaudit_use_unpriv_user_fds(munin_t)
-userdom_dontaudit_search_sysadm_home_dirs(munin_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(munin_t)
-	term_dontaudit_use_generic_ptys(munin_t)
-	files_dontaudit_read_root_files(munin_t)
-')
-
-optional_policy(`
-	# for accessing the output directory
-	apache_search_sys_content(munin_t)
-')
-
-optional_policy(`
-	cron_system_entry(munin_t,munin_exec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(munin_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(munin_t)
-')
-
-optional_policy(`
-	udev_read_db(munin_t)
-')
diff --git a/refpolicy/policy/modules/services/mysql.fc b/refpolicy/policy/modules/services/mysql.fc
deleted file mode 100644
index 5c05c08..0000000
--- a/refpolicy/policy/modules/services/mysql.fc
+++ /dev/null
@@ -1,24 +0,0 @@
-# mysql database server
-
-#
-# /etc
-#
-/etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/mysql(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)
-
-#
-# /usr
-#
-/usr/libexec/mysqld	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
-
-/usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/mysql(/.*)?		gen_context(system_u:object_r:mysqld_db_t,s0)
-/var/lib/mysql/mysql\.sock -s	gen_context(system_u:object_r:mysqld_var_run_t,s0)
-
-/var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
-
-/var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/mysql.if b/refpolicy/policy/modules/services/mysql.if
deleted file mode 100644
index 9fe9237..0000000
--- a/refpolicy/policy/modules/services/mysql.if
+++ /dev/null
@@ -1,159 +0,0 @@
-## <summary>Policy for MySQL</summary>
-
-########################################
-## <summary>
-##	Send a generic signal to MySQL.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mysql_signal',`
-	gen_require(`
-		type mysqld_t;
-	')
-
-	allow $1 mysqld_t:process signal;
-')
-
-########################################
-## <summary>
-##	Connect to MySQL using a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mysql_stream_connect',`
-	gen_require(`
-		type mysqld_t, mysqld_var_run_t;
-	')
-
-	allow $1 mysqld_var_run_t:dir search;
-	allow $1 mysqld_var_run_t:sock_file write;
-	allow $1 mysqld_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Read MySQL configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mysql_read_config',`
-	gen_require(`
-		type mysqld_etc_t;
-	')
-
-	allow $1 mysqld_etc_t:dir { getattr read search };
-	allow $1 mysqld_etc_t:file { read getattr };
-	allow $1 mysqld_etc_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Search the directories that contain MySQL
-##	database storage.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: "_dir" in the name is added to clarify that this
-# is not searching the database itself.
-interface(`mysql_search_db',`
-	gen_require(`
-		type mysqld_db_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 mysqld_db_t:dir search;
-')
-
-########################################
-## <summary>
-##	Read and write to the MySQL database directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mysql_rw_db_dirs',`
-	gen_require(`
-		type mysqld_db_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 mysqld_db_t:dir rw_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete MySQL database directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mysql_manage_db_dirs',`
-	gen_require(`
-		type mysqld_db_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 mysqld_db_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read and write to the MySQL database
-##	named socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mysql_rw_db_sockets',`
-	gen_require(`
-		type mysqld_db_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 mysqld_db_t:dir search;
-	allow $1 mysqld_db_t:sock_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Write to the MySQL log.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mysql_write_log',`
-	gen_require(`
-		type mysqld_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 mysqld_log_t:file { write append setattr ioctl };
-')
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
deleted file mode 100644
index 052381d..0000000
--- a/refpolicy/policy/modules/services/mysql.te
+++ /dev/null
@@ -1,140 +0,0 @@
-
-policy_module(mysql,1.2.5)
-
-########################################
-#
-# Declarations
-#
-
-type mysqld_t;
-type mysqld_exec_t;
-init_daemon_domain(mysqld_t,mysqld_exec_t)
-
-type mysqld_var_run_t;
-files_pid_file(mysqld_var_run_t)
-
-type mysqld_db_t;
-files_type(mysqld_db_t)
-
-type mysqld_etc_t alias etc_mysqld_t;
-files_config_file(mysqld_etc_t)
-
-type mysqld_log_t;
-logging_log_file(mysqld_log_t)
-
-type mysqld_tmp_t;
-files_tmp_file(mysqld_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
-dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
-allow mysqld_t self:fifo_file { read write };
-allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
-allow mysqld_t self:tcp_socket create_stream_socket_perms;
-allow mysqld_t self:udp_socket create_socket_perms;
-
-allow mysqld_t mysqld_db_t:dir create_dir_perms;
-allow mysqld_t mysqld_db_t:file create_file_perms;
-allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
-files_var_lib_filetrans(mysqld_t,mysqld_db_t,{ dir file })
-
-allow mysqld_t mysqld_etc_t:file { getattr read };
-allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
-allow mysqld_t mysqld_etc_t:dir list_dir_perms;
-
-allow mysqld_t mysqld_log_t:file create_file_perms;
-logging_log_filetrans(mysqld_t,mysqld_log_t,file)
-
-allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
-allow mysqld_t mysqld_tmp_t:file create_file_perms;
-files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
-
-allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
-allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
-allow mysqld_t mysqld_var_run_t:file create_file_perms;
-files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)
-
-kernel_read_system_state(mysqld_t)
-kernel_read_kernel_sysctls(mysqld_t)
-
-corenet_non_ipsec_sendrecv(mysqld_t)
-corenet_tcp_sendrecv_all_if(mysqld_t)
-corenet_udp_sendrecv_all_if(mysqld_t)
-corenet_tcp_sendrecv_all_nodes(mysqld_t)
-corenet_udp_sendrecv_all_nodes(mysqld_t)
-corenet_tcp_sendrecv_all_ports(mysqld_t)
-corenet_udp_sendrecv_all_ports(mysqld_t)
-corenet_tcp_bind_all_nodes(mysqld_t)
-corenet_tcp_bind_mysqld_port(mysqld_t)
-corenet_tcp_connect_mysqld_port(mysqld_t)
-corenet_sendrecv_mysqld_client_packets(mysqld_t)
-corenet_sendrecv_mysqld_server_packets(mysqld_t)
-
-dev_read_sysfs(mysqld_t)
-
-fs_getattr_all_fs(mysqld_t)
-fs_search_auto_mountpoints(mysqld_t)
-
-term_dontaudit_use_console(mysqld_t)
-
-domain_use_interactive_fds(mysqld_t)
-
-files_getattr_var_lib_dirs(mysqld_t)
-files_read_etc_runtime_files(mysqld_t)
-files_read_etc_files(mysqld_t)
-files_read_usr_files(mysqld_t)
-files_search_var_lib(mysqld_t)
-
-auth_use_nsswitch(mysqld_t)
-
-init_use_fds(mysqld_t)
-init_use_script_ptys(mysqld_t)
-
-libs_use_ld_so(mysqld_t)
-libs_use_shared_libs(mysqld_t)
-
-logging_send_syslog_msg(mysqld_t)
-
-miscfiles_read_localization(mysqld_t)
-
-sysnet_read_config(mysqld_t)
-
-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
-# for /root/.my.cnf - should not be needed:
-userdom_read_sysadm_home_content_files(mysqld_t)
-
-ifdef(`distro_redhat',`
-	# because Fedora has the sock_file in the database directory
-	type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
-')
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(mysqld_t)
-	term_dontaudit_use_generic_ptys(mysqld_t)
-	files_dontaudit_read_root_files(mysqld_t)
-')
-
-optional_policy(`
-	daemontools_service_domain(mysqld_t, mysqld_exec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(mysqld_t)
-')
-
-optional_policy(`
-	nscd_socket_use(mysqld_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(mysqld_t)
-')
-
-optional_policy(`
-	udev_read_db(mysqld_t)
-')
diff --git a/refpolicy/policy/modules/services/nagios.fc b/refpolicy/policy/modules/services/nagios.fc
deleted file mode 100644
index 4f8477c..0000000
--- a/refpolicy/policy/modules/services/nagios.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-/etc/nagios(/.*)?			gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
-
-/usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
-
-/usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-
-/var/log/nagios(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
-/var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
-
-ifdef(`distro_debian',`
-/usr/sbin/nagios		--	gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/lib/cgi-bin/nagios/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-')
diff --git a/refpolicy/policy/modules/services/nagios.if b/refpolicy/policy/modules/services/nagios.if
deleted file mode 100644
index a8975bf..0000000
--- a/refpolicy/policy/modules/services/nagios.if
+++ /dev/null
@@ -1,86 +0,0 @@
-## <summary>Net Saint / NAGIOS - network monitoring server</summary>
-
-########################################
-## <summary>
-##	Allow the specified domain to read
-##	nagios configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nagios_read_config',`
-	gen_require(`
-		type nagios_etc_t;
-	')
-
-	allow $1 nagios_etc_t:dir list_dir_perms;
-	allow $1 nagios_etc_t:file r_file_perms;
-	files_search_etc($1)
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read
-##	nagios temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nagios_read_tmp_files',`
-	gen_require(`
-		type nagios_tmp_t;
-	')
-
-	allow $1 nagios_tmp_t:file r_file_perms;
-	files_search_tmp($1)
-')
-
-########################################
-## <summary>
-##	Execute the nagios CGI with
-##	a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nagios_domtrans_cgi',`
-	gen_require(`
-		type nagios_cgi_t, nagios_cgi_exec_t;
-	')
-
-	domain_auto_trans($1,nagios_cgi_exec_t,nagios_cgi_t)
-	allow nagios_cgi_t $1:fd use;
-	allow nagios_cgi_t $1:fifo_file rw_file_perms;
-	allow nagios_cgi_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute the nagios NRPE with
-##	a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nagios_domtrans_nrpe',`
-	gen_require(`
-		type nrpe_t, nrpe_exec_t;
-	')
-
-	domain_auto_trans($1,nrpe_exec_t,nrpe_t)
-	allow nrpe_t $1:fd use;
-	allow nrpe_t $1:fifo_file rw_file_perms;
-	allow nrpe_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/nagios.te b/refpolicy/policy/modules/services/nagios.te
deleted file mode 100644
index 423c664..0000000
--- a/refpolicy/policy/modules/services/nagios.te
+++ /dev/null
@@ -1,246 +0,0 @@
-
-policy_module(nagios,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type nagios_t;
-type nagios_exec_t;
-init_daemon_domain(nagios_t,nagios_exec_t)
-
-type nagios_cgi_t;
-type nagios_cgi_exec_t;
-init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)
-
-type nagios_etc_t;
-files_config_file(nagios_etc_t)
-
-type nagios_log_t;
-logging_log_file(nagios_log_t)
-
-type nagios_tmp_t;
-files_tmp_file(nagios_tmp_t)
-
-type nagios_var_run_t;
-files_pid_file(nagios_var_run_t)
-
-type nrpe_t;
-type nrpe_exec_t;
-init_daemon_domain(nrpe_t,nrpe_exec_t)
-
-type nrpe_etc_t;
-files_config_file(nrpe_etc_t)
-
-########################################
-#
-# Nagios local policy
-#
-
-allow nagios_t self:capability { dac_override setgid setuid };
-dontaudit nagios_t self:capability sys_tty_config;
-allow nagios_t self:process { setpgid signal_perms };
-allow nagios_t self:fifo_file rw_file_perms;
-allow nagios_t self:tcp_socket create_stream_socket_perms;
-allow nagios_t self:udp_socket create_socket_perms;
-
-allow nagios_t nagios_etc_t:file r_file_perms;
-allow nagios_t nagios_etc_t:dir r_dir_perms;
-allow nagios_t nagios_etc_t:lnk_file { getattr read };
-
-allow nagios_t nagios_log_t:file manage_file_perms;
-allow nagios_t nagios_log_t:fifo_file manage_file_perms;
-allow nagios_t nagios_log_t:dir rw_dir_perms;
-logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })
-
-allow nagios_t nagios_tmp_t:dir create_dir_perms;
-allow nagios_t nagios_tmp_t:file create_file_perms;
-files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
-
-allow nagios_t nagios_var_run_t:file create_file_perms;
-allow nagios_t nagios_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(nagios_t,nagios_var_run_t,file)
-
-kernel_read_system_state(nagios_t)
-kernel_read_kernel_sysctls(nagios_t)
-
-corecmd_exec_bin(nagios_t)
-corecmd_exec_shell(nagios_t)
-
-corenet_non_ipsec_sendrecv(nagios_t)
-corenet_tcp_sendrecv_generic_if(nagios_t)
-corenet_udp_sendrecv_generic_if(nagios_t)
-corenet_tcp_sendrecv_all_nodes(nagios_t)
-corenet_udp_sendrecv_all_nodes(nagios_t)
-corenet_tcp_sendrecv_all_ports(nagios_t)
-corenet_udp_sendrecv_all_ports(nagios_t)
-
-dev_read_sysfs(nagios_t)
-
-domain_use_interactive_fds(nagios_t)
-# for ps
-domain_read_all_domains_state(nagios_t)
-
-files_read_etc_files(nagios_t)
-files_read_etc_runtime_files(nagios_t)
-files_read_kernel_symbol_table(nagios_t)
-
-fs_getattr_all_fs(nagios_t)
-fs_search_auto_mountpoints(nagios_t)
-
-term_dontaudit_use_console(nagios_t)
-
-init_use_fds(nagios_t)
-init_use_script_ptys(nagios_t)
-# for who
-init_read_utmp(nagios_t)
-
-libs_use_ld_so(nagios_t)
-libs_use_shared_libs(nagios_t)
-
-logging_send_syslog_msg(nagios_t)
-
-miscfiles_read_localization(nagios_t)
-
-sysnet_read_config(nagios_t)
-
-userdom_dontaudit_use_unpriv_user_fds(nagios_t)
-userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
-
-mta_send_mail(nagios_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(nagios_t)
-	term_dontaudit_use_generic_ptys(nagios_t)
-	files_dontaudit_read_root_files(nagios_t)
-')
-
-optional_policy(`
-	netutils_domtrans_ping(nagios_t)
-	netutils_signal_ping(nagios_t)
-	netutils_kill_ping(nagios_t)
-
-	# cjp: leaked file descriptors:
-	#dontaudit ping_t nagios_etc_t:file read;
-	#dontaudit ping_t nagios_log_t:fifo_file read;
-')
-
-optional_policy(`
-	nis_use_ypbind(nagios_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(nagios_t)
-')
-
-optional_policy(`
-	udev_read_db(nagios_t)
-')
-
-# cjp: leaked file descriptors:
-# for open file handles
-#dontaudit system_mail_t nagios_etc_t:file read;
-#dontaudit system_mail_t nagios_log_t:fifo_file read;
-
-########################################
-#
-# Nagios CGI local policy
-#
-
-allow nagios_cgi_t self:process { fork signal_perms };
-allow nagios_cgi_t self:fifo_file rw_file_perms;
-
-allow nagios_cgi_t nagios_t:dir r_dir_perms;
-allow nagios_cgi_t nagios_t:file r_file_perms;
-allow nagios_cgi_t nagios_t:lnk_file { getattr read };
-
-allow nagios_cgi_t nagios_etc_t:dir r_dir_perms;
-allow nagios_cgi_t nagios_etc_t:file r_file_perms;
-allow nagios_cgi_t nagios_etc_t:lnk_file { getattr read };
-
-allow nagios_cgi_t nagios_log_t:dir r_dir_perms;
-allow nagios_cgi_t nagios_log_t:file r_file_perms;
-allow nagios_cgi_t nagios_log_t:lnk_file { getattr read };
-
-kernel_read_system_state(nagios_cgi_t)
-
-corecmd_exec_bin(nagios_cgi_t)
-
-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
-
-files_read_etc_files(nagios_cgi_t)
-files_read_etc_runtime_files(nagios_cgi_t)
-files_read_kernel_symbol_table(nagios_cgi_t)
-
-libs_use_ld_so(nagios_cgi_t)
-libs_use_shared_libs(nagios_cgi_t)
-
-logging_send_syslog_msg(nagios_cgi_t)
-logging_search_logs(nagios_cgi_t)
-
-miscfiles_read_localization(nagios_cgi_t)
-
-optional_policy(`
-	apache_append_log(nagios_cgi_t)
-')
-
-########################################
-#
-# Nagios remote plugin executor local policy
-#
-
-dontaudit nrpe_t self:capability sys_tty_config;
-allow nrpe_t self:process { setpgid signal_perms };
-allow nrpe_t self:fifo_file rw_file_perms;
-
-allow nrpe_t nrpe_etc_t:file { getattr read };
-files_search_etc(nrpe_t)
-
-kernel_read_system_state(nrpe_t)
-kernel_read_kernel_sysctls(nrpe_t)
-
-corecmd_exec_bin(nrpe_t)
-corecmd_exec_shell(nrpe_t)
-corecmd_exec_ls(nrpe_t)
-
-dev_read_sysfs(nrpe_t)
-dev_read_urand(nrpe_t)
-
-domain_use_interactive_fds(nrpe_t)
-
-files_read_etc_runtime_files(nrpe_t)
-
-fs_search_auto_mountpoints(nrpe_t)
-
-term_dontaudit_use_console(nrpe_t)
-
-init_use_fds(nrpe_t)
-init_use_script_ptys(nrpe_t)
-
-libs_use_ld_so(nrpe_t)
-libs_use_shared_libs(nrpe_t)
-
-logging_send_syslog_msg(nrpe_t)
-
-miscfiles_read_localization(nrpe_t)
-
-userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
-
-ifdef(`targeted_policy',`
-        term_dontaudit_use_unallocated_ttys(nrpe_t)
-        term_dontaudit_use_generic_ptys(nrpe_t)
-        files_dontaudit_read_root_files(nrpe_t)
-')
-
-optional_policy(`
-	inetd_tcp_service_domain(nrpe_t,nrpe_exec_t)
-')
-
-optional_policy(`
-        seutil_sigchld_newrole(nrpe_t)
-')
-
-optional_policy(`
-        udev_read_db(nrpe_t)
-')
diff --git a/refpolicy/policy/modules/services/nessus.fc b/refpolicy/policy/modules/services/nessus.fc
deleted file mode 100644
index 74da57f..0000000
--- a/refpolicy/policy/modules/services/nessus.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-
-/etc/nessus/nessusd\.conf --	gen_context(system_u:object_r:nessusd_etc_t,s0)
-
-/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
-
-/usr/sbin/nessusd	--	gen_context(system_u:object_r:nessusd_exec_t,s0)
-
-/var/lib/nessus(/.*)?		gen_context(system_u:object_r:nessusd_db_t,s0)
-
-/var/log/nessus(/.*)?		gen_context(system_u:object_r:nessusd_log_t,s0)
diff --git a/refpolicy/policy/modules/services/nessus.if b/refpolicy/policy/modules/services/nessus.if
deleted file mode 100644
index 425c29b..0000000
--- a/refpolicy/policy/modules/services/nessus.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>Nessus network scanning daemon</summary>
-
-########################################
-## <summary>
-##	Connect to nessus over a TCP socket
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nessus_tcp_connect',`
-	gen_require(`
-		type nessusd_t;
-	')
-
-	allow $1 nessusd_t:tcp_socket { connectto recvfrom };
-	allow nessusd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
diff --git a/refpolicy/policy/modules/services/nessus.te b/refpolicy/policy/modules/services/nessus.te
deleted file mode 100644
index b049bf5..0000000
--- a/refpolicy/policy/modules/services/nessus.te
+++ /dev/null
@@ -1,122 +0,0 @@
-
-policy_module(nessus,1.0.1)
-
-########################################
-#
-# Local policy
-#
-
-type nessusd_t;
-type nessusd_exec_t;
-init_daemon_domain(nessusd_t,nessusd_exec_t)
-
-type nessusd_db_t;
-files_type(nessusd_db_t)
-
-type nessusd_etc_t;
-files_config_file(nessusd_etc_t)
-
-type nessusd_log_t;
-logging_log_file(nessusd_log_t)
-
-type nessusd_var_run_t;
-files_pid_file(nessusd_var_run_t)
-
-########################################
-#
-# Declarations
-#
-
-allow nessusd_t self:capability net_raw;
-dontaudit nessusd_t self:capability sys_tty_config;
-allow nessusd_t self:process { setsched signal_perms };
-allow nessusd_t self:fifo_file { getattr read write };
-allow nessusd_t self:tcp_socket create_stream_socket_perms;
-allow nessusd_t self:udp_socket create_socket_perms;
-allow nessusd_t self:rawip_socket create_socket_perms;
-allow nessusd_t self:packet_socket create_socket_perms;
-
-# Allow access to the nessusd authentication database
-allow nessusd_t nessusd_db_t:dir create_dir_perms;
-allow nessusd_t nessusd_db_t:file create_file_perms;
-allow nessusd_t nessusd_db_t:lnk_file create_lnk_perms;
-files_list_var_lib(nessusd_t)
-
-allow nessusd_t nessusd_etc_t:file { getattr read };
-files_search_etc(nessusd_t)
-
-allow nessusd_t nessusd_log_t:file create_file_perms;
-allow nessusd_t nessusd_log_t:dir rw_dir_perms;
-logging_log_filetrans(nessusd_t,nessusd_log_t,{ file dir })
-
-allow nessusd_t nessusd_var_run_t:file create_file_perms;
-allow nessusd_t nessusd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(nessusd_t,nessusd_var_run_t,file)
-
-kernel_read_system_state(nessusd_t)
-kernel_read_kernel_sysctls(nessusd_t)
-kernel_tcp_recvfrom(nessusd_t)
-
-# for nmap etc
-corecmd_exec_bin(nessusd_t)
-
-corenet_non_ipsec_sendrecv(nessusd_t)
-corenet_tcp_sendrecv_generic_if(nessusd_t)
-corenet_udp_sendrecv_generic_if(nessusd_t)
-corenet_raw_sendrecv_generic_if(nessusd_t)
-corenet_tcp_sendrecv_all_nodes(nessusd_t)
-corenet_udp_sendrecv_all_nodes(nessusd_t)
-corenet_raw_sendrecv_all_nodes(nessusd_t)
-corenet_tcp_sendrecv_all_ports(nessusd_t)
-corenet_udp_sendrecv_all_ports(nessusd_t)
-corenet_tcp_bind_all_nodes(nessusd_t)
-corenet_tcp_bind_nessus_port(nessusd_t)
-corenet_tcp_connect_all_ports(nessusd_t)
-corenet_sendrecv_all_client_packets(nessusd_t)
-corenet_sendrecv_nessus_server_packets(nessusd_t)
-
-dev_read_sysfs(nessusd_t)
-dev_read_urand(nessusd_t)
-
-domain_use_interactive_fds(nessusd_t)
-
-files_read_etc_files(nessusd_t)
-files_read_etc_runtime_files(nessusd_t)
-
-fs_getattr_all_fs(nessusd_t)
-fs_search_auto_mountpoints(nessusd_t)
-
-term_dontaudit_use_console(nessusd_t)
-
-init_use_fds(nessusd_t)
-init_use_script_ptys(nessusd_t)
-
-libs_use_ld_so(nessusd_t)
-libs_use_shared_libs(nessusd_t)
-
-logging_send_syslog_msg(nessusd_t)
-
-miscfiles_read_localization(nessusd_t)
-
-sysnet_read_config(nessusd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nessusd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(nessusd_t)
-	term_dontaudit_use_generic_ptys(nessusd_t)
-	files_dontaudit_read_root_files(nessusd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(nessusd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(nessusd_t)
-')
-
-optional_policy(`
-	udev_read_db(nessusd_t)
-')
diff --git a/refpolicy/policy/modules/services/networkmanager.fc b/refpolicy/policy/modules/services/networkmanager.fc
deleted file mode 100644
index e198e69..0000000
--- a/refpolicy/policy/modules/services/networkmanager.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-
-/usr/(s)?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/var/run/NetworkManager.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/networkmanager.if b/refpolicy/policy/modules/services/networkmanager.if
deleted file mode 100644
index 5aa9107..0000000
--- a/refpolicy/policy/modules/services/networkmanager.if
+++ /dev/null
@@ -1,80 +0,0 @@
-## <summary>Manager for dynamically switching between networks.</summary>
-
-########################################
-## <summary>
-##	Read and write NetworkManager UDP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for named.
-interface(`networkmanager_rw_udp_sockets',`
-	gen_require(`
-		type NetworkManager_t;
-	')
-
-	allow $1 NetworkManager_t:udp_socket { read write };
-')
-
-########################################
-## <summary>
-##	Read and write NetworkManager packet sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for named.
-interface(`networkmanager_rw_packet_sockets',`
-	gen_require(`
-		type NetworkManager_t;
-	')
-
-	allow $1 NetworkManager_t:packet_socket { read write };
-')
-
-########################################
-## <summary>
-##	Read and write NetworkManager netlink
-##	routing sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for named.
-interface(`networkmanager_rw_routing_sockets',`
-	gen_require(`
-		type NetworkManager_t;
-	')
-
-	allow $1 NetworkManager_t:netlink_route_socket { read write };
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	NetworkManager over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`networkmanager_dbus_chat',`
-	gen_require(`
-		type NetworkManager_t;
-		class dbus send_msg;
-	')
-
-	allow $1 NetworkManager_t:dbus send_msg;
-	allow NetworkManager_t $1:dbus send_msg;
-')
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
deleted file mode 100644
index 418ba83..0000000
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ /dev/null
@@ -1,175 +0,0 @@
-
-policy_module(networkmanager,1.3.6)
-
-########################################
-#
-# Declarations
-#
-
-type NetworkManager_t;
-type NetworkManager_exec_t;
-init_daemon_domain(NetworkManager_t,NetworkManager_exec_t)
-
-type NetworkManager_var_run_t;
-files_pid_file(NetworkManager_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
-dontaudit NetworkManager_t self:capability sys_tty_config;
-allow NetworkManager_t self:process { setcap getsched signal_perms };
-allow NetworkManager_t self:fifo_file rw_file_perms;
-allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
-allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
-allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
-allow NetworkManager_t self:udp_socket create_socket_perms;
-allow NetworkManager_t self:packet_socket create_socket_perms;
-
-allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
-allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;
-allow NetworkManager_t NetworkManager_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
-
-kernel_read_system_state(NetworkManager_t)
-kernel_read_network_state(NetworkManager_t)
-kernel_read_kernel_sysctls(NetworkManager_t)
-kernel_load_module(NetworkManager_t)
-
-corenet_non_ipsec_sendrecv(NetworkManager_t)
-corenet_tcp_sendrecv_all_if(NetworkManager_t)
-corenet_udp_sendrecv_all_if(NetworkManager_t)
-corenet_raw_sendrecv_all_if(NetworkManager_t)
-corenet_tcp_sendrecv_all_nodes(NetworkManager_t)
-corenet_udp_sendrecv_all_nodes(NetworkManager_t)
-corenet_raw_sendrecv_all_nodes(NetworkManager_t)
-corenet_tcp_sendrecv_all_ports(NetworkManager_t)
-corenet_udp_sendrecv_all_ports(NetworkManager_t)
-corenet_udp_bind_all_nodes(NetworkManager_t)
-corenet_udp_bind_isakmp_port(NetworkManager_t)
-corenet_udp_bind_dhcpc_port(NetworkManager_t)
-corenet_tcp_connect_all_ports(NetworkManager_t)
-corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
-corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
-corenet_sendrecv_all_client_packets(NetworkManager_t)
-
-dev_read_sysfs(NetworkManager_t)
-dev_read_rand(NetworkManager_t)
-dev_read_urand(NetworkManager_t)
-
-fs_getattr_all_fs(NetworkManager_t)
-fs_search_auto_mountpoints(NetworkManager_t)
-
-mls_file_read_up(NetworkManager_t)
-
-selinux_dontaudit_search_fs(NetworkManager_t)
-
-term_dontaudit_use_console(NetworkManager_t)
-
-corecmd_exec_shell(NetworkManager_t)
-corecmd_exec_bin(NetworkManager_t)
-corecmd_exec_sbin(NetworkManager_t)
-corecmd_exec_ls(NetworkManager_t)
-
-domain_use_interactive_fds(NetworkManager_t)
-domain_read_confined_domains_state(NetworkManager_t)
-
-files_read_etc_files(NetworkManager_t)
-files_read_etc_runtime_files(NetworkManager_t)
-files_read_usr_files(NetworkManager_t)
-
-init_use_fds(NetworkManager_t)
-init_use_script_ptys(NetworkManager_t)
-init_read_utmp(NetworkManager_t)
-init_domtrans_script(NetworkManager_t)
-
-libs_use_ld_so(NetworkManager_t)
-libs_use_shared_libs(NetworkManager_t)
-
-logging_send_syslog_msg(NetworkManager_t)
-
-miscfiles_read_localization(NetworkManager_t)
-miscfiles_read_certs(NetworkManager_t)
-
-modutils_domtrans_insmod(NetworkManager_t)
-
-seutil_read_config(NetworkManager_t)
-
-sysnet_domtrans_ifconfig(NetworkManager_t)
-sysnet_domtrans_dhcpc(NetworkManager_t)
-sysnet_signal_dhcpc(NetworkManager_t)
-sysnet_read_dhcpc_pid(NetworkManager_t)
-sysnet_delete_dhcpc_pid(NetworkManager_t)
-sysnet_search_dhcp_state(NetworkManager_t)
-# in /etc created by NetworkManager will be labelled net_conf_t.
-sysnet_manage_config(NetworkManager_t)
-sysnet_etc_filetrans_config(NetworkManager_t)
-
-userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
-userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
-userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(NetworkManager_t)
-	term_dontaudit_use_generic_ptys(NetworkManager_t)
-	files_dontaudit_read_root_files(NetworkManager_t)
-')
-
-optional_policy(`
-	bind_domtrans(NetworkManager_t)
-	bind_manage_cache(NetworkManager_t)
-	bind_signal(NetworkManager_t)
-')
-
-optional_policy(`
-	bluetooth_dontaudit_read_helper_files(NetworkManager_t)
-')
-
-optional_policy(`
-	consoletype_exec(NetworkManager_t)
-')
-
-optional_policy(`
-	gen_require(`
-		class dbus send_msg;
-	')
-
-	allow NetworkManager_t self:dbus send_msg;
-
-	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
-	dbus_connect_system_bus(NetworkManager_t)
-	dbus_send_system_bus(NetworkManager_t)
-')
-
-optional_policy(`
-	howl_signal(NetworkManager_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(NetworkManager_t)
-')
-
-optional_policy(`
-	nscd_socket_use(NetworkManager_t)
-	nscd_signal(NetworkManager_t)
-')
-
-optional_policy(`
-	ppp_domtrans(NetworkManager_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(NetworkManager_t)
-')
-
-optional_policy(`
-	udev_read_db(NetworkManager_t)
-')
-
-optional_policy(`
-	vpn_domtrans(NetworkManager_t)
-	vpn_signal(NetworkManager_t)
-')
diff --git a/refpolicy/policy/modules/services/nis.fc b/refpolicy/policy/modules/services/nis.fc
deleted file mode 100644
index 0128ee0..0000000
--- a/refpolicy/policy/modules/services/nis.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-
-/etc/ypserv\.conf	--	gen_context(system_u:object_r:ypserv_conf_t,s0)
-
-/sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
-
-/usr/sbin/rpc.yppasswdd	--	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
-/usr/sbin/rpc.ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
-/usr/sbin/ypserv	--	gen_context(system_u:object_r:ypserv_exec_t,s0)
-
-/var/yp(/.*)?			gen_context(system_u:object_r:var_yp_t,s0)
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
deleted file mode 100644
index 99ba6cb..0000000
--- a/refpolicy/policy/modules/services/nis.if
+++ /dev/null
@@ -1,267 +0,0 @@
-## <summary>Policy for NIS (YP) servers and clients</summary>
-
-########################################
-## <summary>
-##	Use the ypbind service to access NIS services
-##	unconditionally.
-## </summary>
-## <desc>
-##	<p>
-##	Use the ypbind service to access NIS services
-##	unconditionally.
-##	</p>
-##	<p>
-##	This interface was added because of apache and
-##	spamassassin, to fix a nested conditionals problem.
-##	When that support is added, this should be removed,
-##	and the regular	interface should be used.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`nis_use_ypbind_uncond',`
-	gen_require(`
-		type var_yp_t;
-	')
-
-	dontaudit $1 self:capability net_bind_service;
-
-	allow $1 self:tcp_socket create_stream_socket_perms;
-	allow $1 self:udp_socket create_socket_perms;
-
-	allow $1 var_yp_t:dir r_dir_perms;
-	allow $1 var_yp_t:lnk_file { getattr read };
-	allow $1 var_yp_t:file r_file_perms;
-
-	corenet_non_ipsec_sendrecv($1)
-	corenet_tcp_sendrecv_all_if($1)
-	corenet_udp_sendrecv_all_if($1)
-	corenet_tcp_sendrecv_all_nodes($1)
-	corenet_udp_sendrecv_all_nodes($1)
-	corenet_tcp_sendrecv_all_ports($1)
-	corenet_udp_sendrecv_all_ports($1)
-	corenet_tcp_bind_all_nodes($1)
-	corenet_udp_bind_all_nodes($1)
-	corenet_tcp_bind_generic_port($1)
-	corenet_udp_bind_generic_port($1)
-	corenet_tcp_bind_reserved_port($1)
-	corenet_udp_bind_reserved_port($1)
-	corenet_dontaudit_tcp_bind_all_reserved_ports($1)
-	corenet_dontaudit_udp_bind_all_reserved_ports($1)
-	corenet_tcp_connect_portmap_port($1)
-	corenet_tcp_connect_reserved_port($1)
-	corenet_tcp_connect_generic_port($1)
-	corenet_dontaudit_tcp_connect_all_reserved_ports($1)
-	corenet_sendrecv_portmap_client_packets($1)
-	corenet_sendrecv_generic_client_packets($1)
-	corenet_sendrecv_generic_server_packets($1)
-
-	sysnet_read_config($1)
-')
-
-########################################
-## <summary>
-##	Use the ypbind service to access NIS services.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`nis_use_ypbind',`
-	gen_require(`
-		type var_yp_t;
-	')
-
-	tunable_policy(`allow_ypbind',`
-		nis_use_ypbind_uncond($1)
-	',`
-		dontaudit $1 var_yp_t:dir search;
-	')
-')
-
-########################################
-## <summary>
-##	Execute ypbind in the ypbind domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nis_domtrans_ypbind',`
-	gen_require(`
-		type ypbind_t, ypbind_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1,ypbind_exec_t,ypbind_t)
-
-	allow $1 ypbind_t:fd use;
-	allow ypbind_t $1:fd use;
-	allow ypbind_t $1:fifo_file rw_file_perms;
-	allow ypbind_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send generic signals to ypbind.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`nis_signal_ypbind',`
-	gen_require(`
-		type ypbind_t;
-	')
-
-	allow $1 ypbind_t:process signal;
-')
-
-########################################
-## <summary>
-##	List the contents of the NIS data directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`nis_list_var_yp',`
-	gen_require(`
-		type var_yp_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_yp_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic to NIS clients.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`nis_udp_send_ypbind',`
-	gen_require(`
-		type ypbind_t;
-	')
-
-	allow $1 ypbind_t:udp_socket sendto;
-	allow ypbind_t $1:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Connect to ypbind over TCP.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nis_tcp_connect_ypbind',`
-	gen_require(`
-		type ypbind_t;
-	')
-
-	allow $1 ypbind_t:tcp_socket { connectto recvfrom };
-	allow ypbind_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
-
-########################################
-## <summary>
-##	Read ypbind pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nis_read_ypbind_pid',`
-	gen_require(`
-		type ypbind_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 ypbind_var_run_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Delete ypbind pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nis_delete_ypbind_pid',`
-	gen_require(`
-		type ypbind_t;
-	')
-
-	# TODO: add delete pid from dir call to files
-	allow $1 ypbind_t:file unlink;
-')
-
-########################################
-## <summary>
-##	Read ypserv configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nis_read_ypserv_config',`
-	gen_require(`
-		type ypserv_conf_t;
-	')
-
-	files_search_etc($1)
-	allow $1 ypserv_conf_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Execute ypxfr in the ypxfr domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nis_domtrans_ypxfr',`
-	gen_require(`
-		type ypxfr_t, ypxfr_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1,ypxfr_exec_t,ypxfr_t)
-
-	allow $1 ypxfr_t:fd use;
-	allow ypxfr_t $1:fd use;
-	allow ypxfr_t $1:fifo_file rw_file_perms;
-	allow ypxfr_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
deleted file mode 100644
index a5fd29b..0000000
--- a/refpolicy/policy/modules/services/nis.te
+++ /dev/null
@@ -1,357 +0,0 @@
-
-policy_module(nis,1.1.5)
-
-########################################
-#
-# Declarations
-#
-
-type var_yp_t;
-files_type(var_yp_t)
-
-type ypbind_t;
-type ypbind_exec_t;
-init_daemon_domain(ypbind_t,ypbind_exec_t)
-
-type ypbind_tmp_t;
-files_tmp_file(ypbind_tmp_t)
-
-type ypbind_var_run_t;
-files_pid_file(ypbind_var_run_t)
-
-type yppasswdd_t;
-type yppasswdd_exec_t;
-init_daemon_domain(yppasswdd_t,yppasswdd_exec_t)
-domain_obj_id_change_exemption(yppasswdd_t)
-
-type yppasswdd_var_run_t;
-files_pid_file(yppasswdd_var_run_t)
-
-type ypserv_t;
-type ypserv_exec_t;
-init_daemon_domain(ypserv_t,ypserv_exec_t)
-
-type ypserv_conf_t;
-files_type(ypserv_conf_t)
-
-type ypserv_tmp_t;
-files_tmp_file(ypserv_tmp_t)
-
-type ypserv_var_run_t;
-files_pid_file(ypserv_var_run_t)
-
-type ypxfr_t;
-type ypxfr_exec_t;
-init_daemon_domain(ypxfr_t,ypxfr_exec_t)
-
-########################################
-#
-# ypbind local policy
-
-dontaudit ypbind_t self:capability { net_admin sys_tty_config };
-allow ypbind_t self:fifo_file rw_file_perms;
-allow ypbind_t self:process signal_perms;
-allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t self:tcp_socket create_stream_socket_perms;
-allow ypbind_t self:udp_socket create_socket_perms;
-
-allow ypbind_t ypbind_tmp_t:dir create_dir_perms;
-allow ypbind_t ypbind_tmp_t:file create_file_perms;
-files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
-
-allow ypbind_t ypbind_var_run_t:file manage_file_perms;
-allow ypbind_t ypbind_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ypbind_t,ypbind_var_run_t,file)
-
-allow ypbind_t var_yp_t:dir rw_dir_perms;
-allow ypbind_t var_yp_t:file create_file_perms;
-
-kernel_read_kernel_sysctls(ypbind_t)
-kernel_list_proc(ypbind_t)
-kernel_read_proc_symlinks(ypbind_t)
-kernel_tcp_recvfrom(ypbind_t)
-
-corenet_non_ipsec_sendrecv(ypbind_t)
-corenet_tcp_sendrecv_all_if(ypbind_t)
-corenet_udp_sendrecv_all_if(ypbind_t)
-corenet_tcp_sendrecv_all_nodes(ypbind_t)
-corenet_udp_sendrecv_all_nodes(ypbind_t)
-corenet_tcp_sendrecv_all_ports(ypbind_t)
-corenet_udp_sendrecv_all_ports(ypbind_t)
-corenet_tcp_bind_all_nodes(ypbind_t)
-corenet_udp_bind_all_nodes(ypbind_t)
-corenet_tcp_bind_generic_port(ypbind_t)
-corenet_udp_bind_generic_port(ypbind_t)
-corenet_tcp_bind_reserved_port(ypbind_t)
-corenet_udp_bind_reserved_port(ypbind_t)
-corenet_tcp_bind_all_rpc_ports(ypbind_t)
-corenet_tcp_connect_all_ports(ypbind_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
-corenet_sendrecv_all_client_packets(ypbind_t)
-corenet_sendrecv_generic_server_packets(ypbind_t)
-
-dev_read_sysfs(ypbind_t)
-
-fs_getattr_all_fs(ypbind_t)
-fs_search_auto_mountpoints(ypbind_t)
-
-term_dontaudit_use_console(ypbind_t)
-
-domain_use_interactive_fds(ypbind_t)
-
-files_read_etc_files(ypbind_t)
-files_list_var(ypbind_t)
-
-init_use_fds(ypbind_t)
-init_use_script_ptys(ypbind_t)
-init_udp_send_script(ypbind_t)
-
-libs_use_ld_so(ypbind_t)
-libs_use_shared_libs(ypbind_t)
-
-logging_send_syslog_msg(ypbind_t)
-
-miscfiles_read_localization(ypbind_t)
-
-sysnet_read_config(ypbind_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
-userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
-
-portmap_udp_send(ypbind_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(ypbind_t)
-	term_dontaudit_use_generic_ptys(ypbind_t)
-	files_dontaudit_read_root_files(ypbind_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ypbind_t)
-')
-
-optional_policy(`
-	udev_read_db(ypbind_t)
-')
-
-########################################
-#
-# yppasswdd local policy
-#
-
-dontaudit yppasswdd_t self:capability sys_tty_config;
-allow yppasswdd_t self:fifo_file rw_file_perms;
-allow yppasswdd_t self:process { setfscreate signal_perms };
-allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
-allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
-allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
-allow yppasswdd_t self:udp_socket create_socket_perms;
-
-allow yppasswdd_t yppasswdd_var_run_t:file create_file_perms;
-allow yppasswdd_t yppasswdd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t,file)
-
-allow yppasswdd_t var_yp_t:dir rw_dir_perms;
-allow yppasswdd_t var_yp_t:file create_file_perms;
-allow yppasswdd_t var_yp_t:lnk_file create_lnk_perms;
-
-kernel_list_proc(yppasswdd_t)
-kernel_read_proc_symlinks(yppasswdd_t)
-kernel_getattr_proc_files(yppasswdd_t)
-kernel_read_kernel_sysctls(yppasswdd_t)
-
-corenet_non_ipsec_sendrecv(yppasswdd_t)
-corenet_tcp_sendrecv_generic_if(yppasswdd_t)
-corenet_udp_sendrecv_generic_if(yppasswdd_t)
-corenet_tcp_sendrecv_all_nodes(yppasswdd_t)
-corenet_udp_sendrecv_all_nodes(yppasswdd_t)
-corenet_tcp_sendrecv_all_ports(yppasswdd_t)
-corenet_udp_sendrecv_all_ports(yppasswdd_t)
-corenet_tcp_bind_all_nodes(yppasswdd_t)
-corenet_udp_bind_all_nodes(yppasswdd_t)
-corenet_tcp_bind_reserved_port(yppasswdd_t)
-corenet_udp_bind_reserved_port(yppasswdd_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
-corenet_sendrecv_generic_server_packets(yppasswdd_t)
-
-dev_read_sysfs(yppasswdd_t)
-
-fs_getattr_all_fs(yppasswdd_t)
-fs_search_auto_mountpoints(yppasswdd_t)
-
-selinux_get_fs_mount(yppasswdd_t)
-
-term_dontaudit_use_console(yppasswdd_t)
-
-auth_manage_shadow(yppasswdd_t)
-auth_relabel_shadow(yppasswdd_t)
-auth_etc_filetrans_shadow(yppasswdd_t)
-
-corecmd_exec_bin(yppasswdd_t)
-corecmd_exec_shell(yppasswdd_t)
-corecmd_search_sbin(yppasswdd_t)
-
-domain_use_interactive_fds(yppasswdd_t)
-
-files_read_etc_files(yppasswdd_t)
-files_read_etc_runtime_files(yppasswdd_t)
-files_relabel_etc_files(yppasswdd_t)
-
-init_use_fds(yppasswdd_t)
-init_use_script_ptys(yppasswdd_t)
-init_udp_send_script(yppasswdd_t)
-
-libs_use_ld_so(yppasswdd_t)
-libs_use_shared_libs(yppasswdd_t)
-
-logging_send_syslog_msg(yppasswdd_t)
-
-miscfiles_read_localization(yppasswdd_t)
-
-sysnet_read_config(yppasswdd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
-userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
-
-portmap_udp_send(yppasswdd_t)
-
-ifdef(`targeted_policy',`
-        term_dontaudit_use_unallocated_ttys(yppasswdd_t)
-        term_dontaudit_use_generic_ptys(yppasswdd_t)
-        files_dontaudit_read_root_files(yppasswdd_t)
-')
-
-optional_policy(`
-	hostname_exec(yppasswdd_t)
-')
-
-optional_policy(`
-        seutil_sigchld_newrole(yppasswdd_t)
-')
-
-optional_policy(`
-        udev_read_db(yppasswdd_t)
-')
-
-########################################
-#
-# ypserv local policy
-#
-
-dontaudit ypserv_t self:capability sys_tty_config;
-allow ypserv_t self:fifo_file rw_file_perms;
-allow ypserv_t self:process signal_perms;
-allow ypserv_t self:unix_dgram_socket create_socket_perms;
-allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
-allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypserv_t self:tcp_socket connected_stream_socket_perms;
-allow ypserv_t self:udp_socket create_socket_perms;
-
-allow ypserv_t var_yp_t:dir rw_dir_perms;
-allow ypserv_t var_yp_t:file create_file_perms;
-
-allow ypserv_t ypserv_conf_t:file { getattr read };
-
-allow ypserv_t ypserv_tmp_t:dir create_dir_perms;
-allow ypserv_t ypserv_tmp_t:file create_file_perms;
-files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
-
-allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
-allow ypserv_t ypserv_var_run_t:file manage_file_perms;
-files_pid_filetrans(ypserv_t,ypserv_var_run_t,file)
-
-kernel_read_kernel_sysctls(ypserv_t)
-kernel_list_proc(ypserv_t)
-kernel_read_proc_symlinks(ypserv_t)
-
-corenet_non_ipsec_sendrecv(ypserv_t)
-corenet_tcp_sendrecv_all_if(ypserv_t)
-corenet_udp_sendrecv_all_if(ypserv_t)
-corenet_tcp_sendrecv_all_nodes(ypserv_t)
-corenet_udp_sendrecv_all_nodes(ypserv_t)
-corenet_tcp_sendrecv_all_ports(ypserv_t)
-corenet_udp_sendrecv_all_ports(ypserv_t)
-corenet_tcp_bind_all_nodes(ypserv_t)
-corenet_udp_bind_all_nodes(ypserv_t)
-corenet_tcp_bind_reserved_port(ypserv_t)
-corenet_udp_bind_reserved_port(ypserv_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
-corenet_sendrecv_generic_server_packets(ypserv_t)
-
-dev_read_sysfs(ypserv_t)
-
-fs_getattr_all_fs(ypserv_t)
-fs_search_auto_mountpoints(ypserv_t)
-
-term_dontaudit_use_console(ypserv_t)
-
-corecmd_exec_bin(ypserv_t)
-
-domain_use_interactive_fds(ypserv_t)
-
-files_read_var_files(ypserv_t)
-
-init_use_fds(ypserv_t)
-init_use_script_ptys(ypserv_t)
-init_udp_send_script(ypserv_t)
-
-libs_use_ld_so(ypserv_t)
-libs_use_shared_libs(ypserv_t)
-
-logging_send_syslog_msg(ypserv_t)
-
-miscfiles_read_localization(ypserv_t)
-
-nis_domtrans_ypxfr(ypserv_t)
-
-sysnet_read_config(ypserv_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
-userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
-
-portmap_udp_send(ypserv_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(ypserv_t)
-	term_dontaudit_use_generic_ptys(ypserv_t)
-	files_dontaudit_read_root_files(ypserv_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ypserv_t)
-')
-
-optional_policy(`
-	udev_read_db(ypserv_t)
-')
-
-########################################
-#
-# ypxfr local policy
-#
-
-allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
-
-corenet_non_ipsec_sendrecv(ypxfr_t)
-corenet_tcp_sendrecv_all_if(ypxfr_t)
-corenet_udp_sendrecv_all_if(ypxfr_t)
-corenet_tcp_sendrecv_all_nodes(ypxfr_t)
-corenet_udp_sendrecv_all_nodes(ypxfr_t)
-corenet_tcp_sendrecv_all_ports(ypxfr_t)
-corenet_udp_sendrecv_all_ports(ypxfr_t)
-corenet_tcp_bind_all_nodes(ypxfr_t)
-corenet_udp_bind_all_nodes(ypxfr_t)
-corenet_tcp_bind_reserved_port(ypxfr_t)
-corenet_udp_bind_reserved_port(ypxfr_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
-corenet_tcp_connect_all_ports(ypxfr_t)
-corenet_sendrecv_generic_server_packets(ypxfr_t)
-corenet_sendrecv_all_client_packets(ypxfr_t)
-
-files_read_etc_files(ypxfr_t)
diff --git a/refpolicy/policy/modules/services/nscd.fc b/refpolicy/policy/modules/services/nscd.fc
deleted file mode 100644
index 1f8489b..0000000
--- a/refpolicy/policy/modules/services/nscd.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-
-/usr/sbin/nscd		--	gen_context(system_u:object_r:nscd_exec_t,s0)
-
-/var/db/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
-
-/var/log/nscd\.log.*	--	gen_context(system_u:object_r:nscd_log_t,s0)
-
-/var/run/nscd\.pid	--	gen_context(system_u:object_r:nscd_var_run_t,s0)
-/var/run/\.nscd_socket	-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
-
-/var/run/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if
deleted file mode 100644
index 0625b2d..0000000
--- a/refpolicy/policy/modules/services/nscd.if
+++ /dev/null
@@ -1,146 +0,0 @@
-## <summary>Name service cache daemon</summary>
-
-########################################
-## <summary>
-##	Send generic signals to NSCD.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nscd_signal',`
-	gen_require(`
-		type nscd_t;
-	')
-
-	allow $1 nscd_t:process signal;
-')
-
-########################################
-## <summary>
-##	Execute NSCD in the nscd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`nscd_domtrans',`
-	gen_require(`
-		type nscd_t, nscd_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,nscd_exec_t,nscd_t)
-
-	allow $1 nscd_t:fd use;
-	allow nscd_t $1:fd use;
-	allow nscd_t $1:fifo_file rw_file_perms;
-	allow nscd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Use NSCD services by connecting using
-##	a unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nscd_socket_use',`
-	gen_require(`
-		type nscd_t, nscd_var_run_t;
-		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
-	')
-
-	allow $1 self:unix_stream_socket create_socket_perms;
-
-	allow $1 nscd_t:unix_stream_socket connectto;
-	allow $1 nscd_t:nscd { getpwd getgrp gethost };
-	dontaudit $1 nscd_t:fd use;
-	dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-
-	files_search_pids($1)
-	allow $1 nscd_var_run_t:dir r_dir_perms;
-	allow $1 nscd_var_run_t:sock_file rw_file_perms;
-	dontaudit $1 nscd_var_run_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Use NSCD services by mapping the database from
-##	an inherited NSCD file descriptor.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nscd_shm_use',`
-	gen_require(`
-		type nscd_t, nscd_var_run_t;
-		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
-	')
-
-	allow $1 nscd_var_run_t:dir r_dir_perms;
-	allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-
-	# Receive fd from nscd and map the backing file with read access.
-	allow $1 nscd_t:fd use;
-
-	# cjp: these were originally inherited from the
-	# nscd_socket_domain macro.  need to investigate
-	# if they are all actually required
-	allow $1 self:unix_stream_socket create_stream_socket_perms;
-	allow $1 nscd_t:unix_stream_socket connectto;
-	allow $1 nscd_var_run_t:sock_file rw_file_perms;
-	files_search_pids($1)
-	allow $1 nscd_t:nscd { getpwd getgrp gethost };
-	dontaudit $1 nscd_var_run_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read NSCD pid file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nscd_read_pid',`
-	gen_require(`
-		type nscd_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 nscd_var_run_t:dir search;
-	allow $1 nscd_var_run_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Unconfined access to NSCD services.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nscd_unconfined',`
-	gen_require(`
-		type nscd_t;
-		class nscd all_nscd_perms;
-	')
-
-	allow $1 nscd_t:nscd *;
-')
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
deleted file mode 100644
index 1b44ce8..0000000
--- a/refpolicy/policy/modules/services/nscd.te
+++ /dev/null
@@ -1,138 +0,0 @@
-
-policy_module(nscd,1.2.5)
-
-gen_require(`
-	class nscd all_nscd_perms;
-')
-
-########################################
-#
-# Declarations
-#
-
-# cjp: this is out of order because of an
-# ordering problem with loadable modules
-type nscd_var_run_t;
-files_pid_file(nscd_var_run_t)
-
-# nscd is both the client program and the daemon.
-type nscd_t;
-type nscd_exec_t;
-init_daemon_domain(nscd_t,nscd_exec_t)
-
-type nscd_log_t;
-logging_log_file(nscd_log_t)
-
-########################################
-#
-# Local policy
-#
-
-allow nscd_t self:capability { kill setgid setuid };
-dontaudit nscd_t self:capability sys_tty_config;
-allow nscd_t self:process { getattr setsched signal_perms };
-allow nscd_t self:fifo_file { read write };
-allow nscd_t self:unix_stream_socket create_stream_socket_perms;
-allow nscd_t self:unix_dgram_socket create_socket_perms;
-allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow nscd_t self:tcp_socket create_socket_perms;
-allow nscd_t self:udp_socket create_socket_perms;
-
-# For client program operation, invoked from sysadm_t.
-# Transition occurs to nscd_t due to direct_sysadm_daemon. 
-allow nscd_t self:nscd { admin getstat };
-
-allow nscd_t nscd_log_t:file create_file_perms;
-logging_log_filetrans(nscd_t,nscd_log_t,file)
-
-allow nscd_t nscd_var_run_t:file create_file_perms;
-allow nscd_t nscd_var_run_t:sock_file create_file_perms;
-allow nscd_t nscd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
-
-kernel_read_kernel_sysctls(nscd_t)
-kernel_list_proc(nscd_t)
-kernel_read_proc_symlinks(nscd_t)
-
-dev_read_sysfs(nscd_t)
-dev_read_rand(nscd_t)
-dev_read_urand(nscd_t)
-
-fs_getattr_all_fs(nscd_t)
-fs_search_auto_mountpoints(nscd_t)
-
-term_dontaudit_use_console(nscd_t)
-
-# for when /etc/passwd has just been updated and has the wrong type
-auth_getattr_shadow(nscd_t)
-
-corenet_non_ipsec_sendrecv(nscd_t)
-corenet_tcp_sendrecv_all_if(nscd_t)
-corenet_udp_sendrecv_all_if(nscd_t)
-corenet_tcp_sendrecv_all_nodes(nscd_t)
-corenet_udp_sendrecv_all_nodes(nscd_t)
-corenet_tcp_sendrecv_all_ports(nscd_t)
-corenet_udp_sendrecv_all_ports(nscd_t)
-corenet_tcp_connect_all_ports(nscd_t)
-corenet_sendrecv_all_client_packets(nscd_t)
-corenet_rw_tun_tap_dev(nscd_t)
-
-selinux_get_fs_mount(nscd_t)
-selinux_validate_context(nscd_t)
-selinux_compute_access_vector(nscd_t)
-selinux_compute_create_context(nscd_t)
-selinux_compute_relabel_context(nscd_t)
-selinux_compute_user_contexts(nscd_t)
-domain_use_interactive_fds(nscd_t)
-
-files_read_etc_files(nscd_t)
-files_read_generic_tmp_symlinks(nscd_t)
-
-init_use_fds(nscd_t)
-init_use_script_ptys(nscd_t)
-
-libs_use_ld_so(nscd_t)
-libs_use_shared_libs(nscd_t)
-
-logging_send_syslog_msg(nscd_t)
-
-miscfiles_read_certs(nscd_t)
-miscfiles_read_localization(nscd_t)
-
-seutil_read_config(nscd_t)
-seutil_read_default_contexts(nscd_t)
-seutil_sigchld_newrole(nscd_t)
-
-sysnet_dns_name_resolve(nscd_t)
-sysnet_read_config(nscd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(nscd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nscd_t)
-
-ifdef(`targeted_policy',`
-	term_use_unallocated_ttys(nscd_t)
-	term_use_generic_ptys(nscd_t)
-
-	term_dontaudit_use_unallocated_ttys(nscd_t)
-	term_dontaudit_use_generic_ptys(nscd_t)
-	files_dontaudit_read_root_files(nscd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(nscd_t)
-')
-
-optional_policy(`
-	samba_stream_connect_winbind(nscd_t)
-')
-
-optional_policy(`
-	udev_read_db(nscd_t)
-')
-
-optional_policy(`
-	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
-	xen_append_log(nscd_t)
-')
diff --git a/refpolicy/policy/modules/services/nsd.fc b/refpolicy/policy/modules/services/nsd.fc
deleted file mode 100644
index e18eae8..0000000
--- a/refpolicy/policy/modules/services/nsd.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-
-/etc/nsd(/.*)?       		gen_context(system_u:object_r:nsd_conf_t,s0)
-/etc/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_db_t,s0)
-/etc/nsd/primary(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
-/etc/nsd/secondary(/.*)?	gen_context(system_u:object_r:nsd_zone_t,s0)
-
-/usr/sbin/nsd      	--	gen_context(system_u:object_r:nsd_exec_t,s0)
-/usr/sbin/nsdc      	--	gen_context(system_u:object_r:nsd_exec_t,s0)
-/usr/sbin/nsd-notify	--	gen_context(system_u:object_r:nsd_exec_t,s0)
-/usr/sbin/zonec		--	gen_context(system_u:object_r:nsd_exec_t,s0)
-
-/var/lib/nsd(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
-/var/lib/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_db_t,s0)
-/var/run/nsd\.pid	--	gen_context(system_u:object_r:nsd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/nsd.if b/refpolicy/policy/modules/services/nsd.if
deleted file mode 100644
index 3004b55..0000000
--- a/refpolicy/policy/modules/services/nsd.if
+++ /dev/null
@@ -1,39 +0,0 @@
-## <summary>Authoritative only name server</summary>
-
-########################################
-## <summary>
-##	Send and receive datagrams from NSD.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nsd_udp_chat',`
-	gen_require(`
-		type nsd_t;
-	')
-	allow $1 nsd_t:udp_socket sendto;
-	allow nsd_t $1:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Connect to NSD over a TCP socket
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nsd_tcp_connect',`
-	gen_require(`
-		type nsd_t;
-	')
-
-	allow $1 nsd_t:tcp_socket { connectto recvfrom };
-	allow nsd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
diff --git a/refpolicy/policy/modules/services/nsd.te b/refpolicy/policy/modules/services/nsd.te
deleted file mode 100644
index e3b56d8..0000000
--- a/refpolicy/policy/modules/services/nsd.te
+++ /dev/null
@@ -1,203 +0,0 @@
-
-policy_module(nsd,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type nsd_t;
-type nsd_exec_t;
-init_daemon_domain(nsd_t,nsd_exec_t)
-
-# A type for configuration files of nsd
-type nsd_conf_t;
-files_type(nsd_conf_t)
-
-type nsd_crond_t;
-domain_type(nsd_crond_t)
-domain_entry_file(nsd_crond_t,nsd_exec_t)
-role system_r types nsd_crond_t;
-
-# a type for nsd.db
-type nsd_db_t;
-files_type(nsd_db_t)
-
-type nsd_var_run_t;
-files_pid_file(nsd_var_run_t)
-
-# A type for zone files
-type nsd_zone_t;
-files_type(nsd_zone_t)
-
-########################################
-#
-# NSD Local policy
-#
-
-allow nsd_t self:capability { dac_override chown setuid setgid };
-dontaudit nsd_t self:capability sys_tty_config;
-allow nsd_t self:process signal_perms;
-allow nsd_t self:tcp_socket create_stream_socket_perms;
-allow nsd_t self:udp_socket create_socket_perms;
-
-allow nsd_t nsd_conf_t:dir r_dir_perms;
-allow nsd_t nsd_conf_t:file r_file_perms;
-allow nsd_t nsd_conf_t:lnk_file { getattr read };
-
-allow nsd_t nsd_db_t:file manage_file_perms;
-type_transition nsd_t nsd_zone_t:file nsd_db_t;
-allow nsd_t nsd_zone_t:dir rw_dir_perms;
-
-allow nsd_t nsd_var_run_t:file create_file_perms;
-allow nsd_t nsd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(nsd_t,nsd_var_run_t,file)
-
-allow nsd_t nsd_zone_t:dir r_dir_perms;
-allow nsd_t nsd_zone_t:file r_file_perms;
-allow nsd_t nsd_zone_t:lnk_file { getattr read };
-
-can_exec(nsd_t,nsd_exec_t)
-
-kernel_read_system_state(nsd_t)
-kernel_read_kernel_sysctls(nsd_t)
-
-corecmd_exec_bin(nsd_t)
-
-corenet_non_ipsec_sendrecv(nsd_t)
-corenet_tcp_sendrecv_generic_if(nsd_t)
-corenet_udp_sendrecv_generic_if(nsd_t)
-corenet_tcp_sendrecv_all_nodes(nsd_t)
-corenet_udp_sendrecv_all_nodes(nsd_t)
-corenet_tcp_sendrecv_all_ports(nsd_t)
-corenet_udp_sendrecv_all_ports(nsd_t)
-corenet_tcp_bind_all_nodes(nsd_t)
-corenet_udp_bind_all_nodes(nsd_t)
-corenet_tcp_bind_dns_port(nsd_t)
-corenet_udp_bind_dns_port(nsd_t)
-corenet_sendrecv_dns_server_packets(nsd_t)
-
-dev_read_sysfs(nsd_t)
-
-domain_use_interactive_fds(nsd_t)
-
-files_read_etc_files(nsd_t)
-files_read_etc_runtime_files(nsd_t)
-
-fs_getattr_all_fs(nsd_t)
-fs_search_auto_mountpoints(nsd_t)
-
-term_dontaudit_use_console(nsd_t)
-
-init_use_fds(nsd_t)
-init_use_script_ptys(nsd_t)
-
-libs_use_ld_so(nsd_t)
-libs_use_shared_libs(nsd_t)
-
-logging_send_syslog_msg(nsd_t)
-
-miscfiles_read_localization(nsd_t)
-
-sysnet_read_config(nsd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(nsd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nsd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(nsd_t)
-	term_dontaudit_use_generic_ptys(nsd_t)
-	files_dontaudit_read_root_files(nsd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(nsd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(nsd_t)
-')
-
-optional_policy(`
-	udev_read_db(nsd_t)
-')
-
-########################################
-#
-# Zone update cron job local policy
-#
-
-# kill capability for root cron job and non-root daemon
-allow nsd_crond_t self:capability { dac_override kill };
-dontaudit nsd_crond_t self:capability sys_nice;
-allow nsd_crond_t self:process { setsched signal_perms };
-allow nsd_crond_t self:fifo_file rw_file_perms;
-allow nsd_crond_t self:tcp_socket create_socket_perms;
-allow nsd_crond_t self:udp_socket create_socket_perms;
-
-allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
-
-allow nsd_crond_t nsd_db_t:file manage_file_perms;
-type_transition nsd_crond_t nsd_zone_t:file nsd_db_t;
-allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
-files_search_var_lib(nsd_crond_t)
-
-allow nsd_crond_t nsd_t:process signal;
-allow nsd_crond_t nsd_t:dir { search getattr read };
-allow nsd_crond_t nsd_t:{ file lnk_file } { read getattr };
-allow nsd_crond_t nsd_t:process getattr;
-
-allow nsd_crond_t nsd_zone_t:file manage_file_perms;
-allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
-type_transition nsd_crond_t nsd_conf_t:file nsd_zone_t;
-allow nsd_crond_t nsd_conf_t:dir rw_dir_perms;
-
-can_exec(nsd_crond_t,nsd_exec_t)
-
-kernel_read_system_state(nsd_crond_t)
-
-corecmd_exec_bin(nsd_crond_t)
-corecmd_exec_sbin(nsd_crond_t)
-corecmd_exec_shell(nsd_crond_t)
-
-corenet_non_ipsec_sendrecv(nsd_crond_t)
-corenet_tcp_sendrecv_generic_if(nsd_crond_t)
-corenet_udp_sendrecv_generic_if(nsd_crond_t)
-corenet_tcp_sendrecv_all_nodes(nsd_crond_t)
-corenet_udp_sendrecv_all_nodes(nsd_crond_t)
-corenet_tcp_sendrecv_all_ports(nsd_crond_t)
-corenet_udp_sendrecv_all_ports(nsd_crond_t)
-corenet_tcp_connect_all_ports(nsd_crond_t)
-corenet_sendrecv_all_client_packets(nsd_crond_t)
-
-# for SSP
-dev_read_urand(nsd_crond_t)
-
-domain_dontaudit_read_all_domains_state(nsd_crond_t)
-
-files_read_etc_files(nsd_crond_t)
-files_read_etc_runtime_files(nsd_crond_t)
-files_search_var_lib(nsd_t)
-
-libs_use_ld_so(nsd_crond_t)
-libs_use_shared_libs(nsd_crond_t)
-
-logging_send_syslog_msg(nsd_crond_t)
-
-miscfiles_read_localization(nsd_crond_t)
-
-sysnet_read_config(nsd_crond_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(nsd_crond_t)
-
-optional_policy(`
-	cron_system_entry(nsd_crond_t,nsd_exec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(nsd_crond_t)
-')
-
-optional_policy(`
-	nscd_read_pid(nsd_crond_t)
-')
diff --git a/refpolicy/policy/modules/services/ntop.fc b/refpolicy/policy/modules/services/ntop.fc
deleted file mode 100644
index da88341..0000000
--- a/refpolicy/policy/modules/services/ntop.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/ntop(/.*)?			gen_context(system_u:object_r:ntop_etc_t,s0)
-
-/usr/bin/ntop		--	gen_context(system_u:object_r:ntop_exec_t,s0)
-/usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:ntop_http_content_t,s0)
-
-/var/lib/ntop(/.*)?		gen_context(system_u:object_r:ntop_var_lib_t,s0)
-/var/run/ntop.pid	--	gen_context(system_u:object_r:ntop_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/ntop.if b/refpolicy/policy/modules/services/ntop.if
deleted file mode 100644
index 4bf0a14..0000000
--- a/refpolicy/policy/modules/services/ntop.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Network Top</summary>
diff --git a/refpolicy/policy/modules/services/ntop.te b/refpolicy/policy/modules/services/ntop.te
deleted file mode 100644
index d4a2380..0000000
--- a/refpolicy/policy/modules/services/ntop.te
+++ /dev/null
@@ -1,113 +0,0 @@
-
-policy_module(ntop,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type ntop_t;
-type ntop_exec_t;
-init_daemon_domain(ntop_t,ntop_exec_t)
-
-type ntop_etc_t;
-files_config_file(ntop_etc_t)
-
-type ntop_http_content_t;
-files_type(ntop_http_content_t)
-
-type ntop_tmp_t;
-files_tmp_file(ntop_tmp_t)
-
-type ntop_var_lib_t;
-files_type(ntop_var_lib_t)
-
-type ntop_var_run_t;
-files_pid_file(ntop_var_run_t)
-
-########################################
-#
-# Local Policy
-#
-
-allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
-dontaudit ntop_t self:capability sys_tty_config;
-allow ntop_t self:process signal_perms;
-allow ntop_t self:fifo_file { read write };
-allow ntop_t self:tcp_socket create_stream_socket_perms;
-allow ntop_t self:udp_socket create_socket_perms;
-allow ntop_t self:packet_socket create_socket_perms;
-
-allow ntop_t ntop_etc_t:file r_file_perms;
-allow ntop_t ntop_etc_t:dir r_dir_perms;
-allow ntop_t ntop_etc_t:lnk_file { getattr read };
-
-allow ntop_t ntop_http_content_t:file r_file_perms;
-allow ntop_t ntop_http_content_t:dir r_dir_perms;
-
-allow ntop_t ntop_tmp_t:dir create_dir_perms;
-allow ntop_t ntop_tmp_t:file create_file_perms;
-files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
-
-allow ntop_t ntop_var_lib_t:file create_file_perms;
-allow ntop_t ntop_var_lib_t:dir { create rw_dir_perms };
-files_var_lib_filetrans(ntop_t,ntop_var_lib_t,file)
-
-allow ntop_t ntop_var_run_t:file manage_file_perms;
-allow ntop_t ntop_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ntop_t,ntop_var_run_t,file)
-
-kernel_read_network_state(ntop_t)
-kernel_read_kernel_sysctls(ntop_t)
-kernel_list_proc(ntop_t)
-kernel_read_proc_symlinks(ntop_t)
-
-corenet_non_ipsec_sendrecv(ntop_t)
-corenet_tcp_sendrecv_generic_if(ntop_t)
-corenet_udp_sendrecv_generic_if(ntop_t)
-corenet_raw_sendrecv_generic_if(ntop_t)
-corenet_tcp_sendrecv_all_nodes(ntop_t)
-corenet_udp_sendrecv_all_nodes(ntop_t)
-corenet_raw_sendrecv_all_nodes(ntop_t)
-corenet_tcp_sendrecv_all_ports(ntop_t)
-corenet_udp_sendrecv_all_ports(ntop_t)
-
-dev_read_sysfs(ntop_t)
-
-domain_use_interactive_fds(ntop_t)
-
-files_read_etc_files(ntop_t)
-
-fs_getattr_all_fs(ntop_t)
-fs_search_auto_mountpoints(ntop_t)
-
-term_dontaudit_use_console(ntop_t)
-
-init_use_fds(ntop_t)
-init_use_script_ptys(ntop_t)
-
-libs_use_ld_so(ntop_t)
-libs_use_shared_libs(ntop_t)
-
-logging_send_syslog_msg(ntop_t)
-
-miscfiles_read_localization(ntop_t)
-
-sysnet_read_config(ntop_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ntop_t)
-userdom_dontaudit_search_sysadm_home_dirs(ntop_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(ntop_t)
-	term_dontaudit_use_generic_ptys(ntop_t)
-	files_dontaudit_read_root_files(ntop_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ntop_t)
-')
-
-optional_policy(`
-	udev_read_db(ntop_t)
-')
diff --git a/refpolicy/policy/modules/services/ntp.fc b/refpolicy/policy/modules/services/ntp.fc
deleted file mode 100644
index 6719480..0000000
--- a/refpolicy/policy/modules/services/ntp.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-
-/etc/ntp(d)?\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
-
-/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-
-/etc/ntp/step-tickers.*		--	gen_context(system_u:object_r:net_conf_t,s0)
-/etc/ntp/data(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
-
-/usr/sbin/ntpd			--	gen_context(system_u:object_r:ntpd_exec_t,s0)
-/usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
-
-/var/lib/ntp(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
-
-/var/log/ntp.*			--	gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)?			gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/xntpd.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
-
-/var/run/ntpd\.pid		--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/ntp.if b/refpolicy/policy/modules/services/ntp.if
deleted file mode 100644
index bbae8f8..0000000
--- a/refpolicy/policy/modules/services/ntp.if
+++ /dev/null
@@ -1,65 +0,0 @@
-## <summary>Network time protocol daemon</summary>
-
-########################################
-## <summary>
-##	NTP stub interface.  No access allowed.
-## </summary>
-## <param name="domain" optional="true">
-##	<summary>
-##	N/A
-##	</summary>
-## </param>
-#
-interface(`ntp_stub',`
-	gen_require(`
-		type ntpd_t;
-	')
-')
-
-########################################
-## <summary>
-##	Execute ntp server in the ntpd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`ntp_domtrans',`
-	gen_require(`
-		type ntpd_t, ntpd_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,ntpd_exec_t,ntpd_t)
-
-	allow $1 ntpd_t:fd use;
-	allow ntpd_t $1:fd use;
-	allow ntpd_t $1:fifo_file rw_file_perms;
-	allow ntpd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute ntp server in the ntpd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`ntp_domtrans_ntpdate',`
-	gen_require(`
-		type ntpd_t, ntpdate_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,ntpdate_exec_t,ntpd_t)
-
-	allow $1 ntpd_t:fd use;
-	allow ntpd_t $1:fd use;
-	allow ntpd_t $1:fifo_file rw_file_perms;
-	allow ntpd_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
deleted file mode 100644
index 859cf22..0000000
--- a/refpolicy/policy/modules/services/ntp.te
+++ /dev/null
@@ -1,159 +0,0 @@
-
-policy_module(ntp,1.1.4)
-
-########################################
-#
-# Declarations
-#
-
-type ntp_drift_t;
-files_type(ntp_drift_t)
-
-type ntpd_t;
-type ntpd_exec_t;
-init_daemon_domain(ntpd_t,ntpd_exec_t)
-
-type ntpd_log_t;
-logging_log_file(ntpd_log_t)
-
-type ntpd_tmp_t;
-files_tmp_file(ntpd_tmp_t)
-
-type ntpd_var_run_t;
-files_pid_file(ntpd_var_run_t)
-
-type ntpdate_exec_t;
-init_system_domain(ntpd_t,ntpdate_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-# sys_resource and setrlimit is for locking memory
-# ntpdate wants sys_nice
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
-dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
-allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
-allow ntpd_t self:fifo_file { read write getattr };
-allow ntpd_t self:unix_dgram_socket create_socket_perms;
-allow ntpd_t self:unix_stream_socket create_socket_perms;
-allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
-allow ntpd_t self:tcp_socket create_stream_socket_perms;
-allow ntpd_t self:udp_socket { create_socket_perms sendto recvfrom };
-
-allow ntpd_t ntp_drift_t:dir rw_dir_perms;
-allow ntpd_t ntp_drift_t:file create_file_perms;
-
-can_exec(ntpd_t,ntpd_exec_t)
-
-allow ntpd_t ntpd_log_t:file create_file_perms;
-allow ntpd_t ntpd_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
-
-# for some reason it creates a file in /tmp
-allow ntpd_t ntpd_tmp_t:dir create_dir_perms;
-allow ntpd_t ntpd_tmp_t:file create_file_perms;
-files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
-
-allow ntpd_t ntpd_var_run_t:file create_file_perms;
-allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
-
-kernel_read_kernel_sysctls(ntpd_t)
-kernel_read_system_state(ntpd_t)
-kernel_read_network_state(ntpd_t)
-
-corenet_non_ipsec_sendrecv(ntpd_t)
-corenet_tcp_sendrecv_all_if(ntpd_t)
-corenet_udp_sendrecv_all_if(ntpd_t)
-corenet_tcp_sendrecv_all_nodes(ntpd_t)
-corenet_udp_sendrecv_all_nodes(ntpd_t)
-corenet_tcp_sendrecv_all_ports(ntpd_t)
-corenet_udp_sendrecv_all_ports(ntpd_t)
-corenet_tcp_bind_all_nodes(ntpd_t)
-corenet_udp_bind_all_nodes(ntpd_t)
-corenet_udp_bind_ntp_port(ntpd_t)
-corenet_tcp_connect_ntp_port(ntpd_t)
-corenet_sendrecv_ntp_server_packets(ntpd_t)
-corenet_sendrecv_ntp_client_packets(ntpd_t)
-
-dev_read_sysfs(ntpd_t)
-# for SSP
-dev_read_urand(ntpd_t)
-
-fs_getattr_all_fs(ntpd_t)
-fs_search_auto_mountpoints(ntpd_t)
-
-term_dontaudit_use_console(ntpd_t)
-
-auth_use_nsswitch(ntpd_t)
-
-corecmd_exec_bin(ntpd_t)
-corecmd_exec_sbin(ntpd_t)
-corecmd_exec_ls(ntpd_t)
-corecmd_exec_shell(ntpd_t)
-
-domain_use_interactive_fds(ntpd_t)
-domain_dontaudit_list_all_domains_state(ntpd_t)
-
-files_read_etc_files(ntpd_t)
-files_read_etc_runtime_files(ntpd_t)
-files_read_usr_files(ntpd_t)
-files_list_var_lib(ntpd_t)
-
-init_exec_script_files(ntpd_t)
-init_use_fds(ntpd_t)
-init_use_script_ptys(ntpd_t)
-
-libs_use_ld_so(ntpd_t)
-libs_use_shared_libs(ntpd_t)
-
-logging_send_syslog_msg(ntpd_t)
-
-miscfiles_read_localization(ntpd_t)
-
-sysnet_read_config(ntpd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
-userdom_list_sysadm_home_dirs(ntpd_t)
-userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(ntpd_t)
-	term_dontaudit_use_generic_ptys(ntpd_t)
-	files_dontaudit_read_root_files(ntpd_t)
-')
-
-optional_policy(`
-	# for cron jobs
-	cron_system_entry(ntpd_t,ntpdate_exec_t)
-')
-
-optional_policy(`
-	firstboot_dontaudit_use_fds(ntpd_t)
-')
-
-optional_policy(`
-	logrotate_exec(ntpd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(ntpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(ntpd_t)
-')
-
-optional_policy(`
-	samba_stream_connect_winbind(ntpd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ntpd_t)
-')
-
-optional_policy(`
-	udev_read_db(ntpd_t)
-')
diff --git a/refpolicy/policy/modules/services/nx.fc b/refpolicy/policy/modules/services/nx.fc
deleted file mode 100644
index 3a294f3..0000000
--- a/refpolicy/policy/modules/services/nx.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/opt/NX/bin/nxserver		--	gen_context(system_u:object_r:nx_server_exec_t,s0)
-
-/opt/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
-
-/opt/NX/var(/.*)?			gen_context(system_u:object_r:nx_server_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/nx.if b/refpolicy/policy/modules/services/nx.if
deleted file mode 100644
index 2287f85..0000000
--- a/refpolicy/policy/modules/services/nx.if
+++ /dev/null
@@ -1,22 +0,0 @@
-## <summary>NX remote desktop</summary>
-
-########################################
-## <summary>
-##	Transition to NX server.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nx_spec_domtrans_server',`
-	gen_require(`
-		type nx_server_t, nx_server_exec_t;
-	')
-
-	domain_trans($1,nx_server_exec_t,nx_server_t)
-	allow nx_server_t $1:fd use;
-	allow nx_server_t $1:fifo_file rw_file_perms;
-	allow nx_server_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/nx.te b/refpolicy/policy/modules/services/nx.te
deleted file mode 100644
index 7c6d817..0000000
--- a/refpolicy/policy/modules/services/nx.te
+++ /dev/null
@@ -1,94 +0,0 @@
-
-policy_module(nx,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type nx_server_t;
-type nx_server_exec_t;
-domain_type(nx_server_t)
-domain_entry_file(nx_server_t,nx_server_exec_t)
-domain_user_exemption_target(nx_server_t)
-# we need an extra role because nxserver is called from sshd
-# cjp: do we really need this?
-role nx_server_r types nx_server_t;
-allow system_r nx_server_r;
-
-type nx_server_devpts_t;
-term_user_pty(nx_server_t,nx_server_devpts_t)
-
-type nx_server_tmp_t;
-files_tmp_file(nx_server_tmp_t)
-
-type nx_server_var_run_t;
-files_pid_file(nx_server_var_run_t)
-
-########################################
-#
-# NX server local policy
-#
-
-allow nx_server_t self:fifo_file { getattr ioctl read write };
-allow nx_server_t self:tcp_socket create_socket_perms;
-allow nx_server_t self:udp_socket create_socket_perms;
-
-allow nx_server_t nx_server_devpts_t:chr_file { rw_file_perms setattr };
-term_create_pty(nx_server_t,nx_server_devpts_t)
-
-allow nx_server_t nx_server_tmp_t:dir manage_dir_perms;
-allow nx_server_t nx_server_tmp_t:file manage_file_perms;
-files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
-
-allow nx_server_t nx_server_var_run_t:file manage_file_perms;
-allow nx_server_t nx_server_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(nx_server_t,nx_server_var_run_t,file)
-
-kernel_read_system_state(nx_server_t)
-kernel_read_kernel_sysctls(nx_server_t)
-
-# nxserver is a shell script --> call other programs
-corecmd_exec_shell(nx_server_t)
-corecmd_exec_bin(nx_server_t)
-
-corenet_non_ipsec_sendrecv(nx_server_t)
-corenet_tcp_sendrecv_generic_if(nx_server_t)
-corenet_udp_sendrecv_generic_if(nx_server_t)
-corenet_tcp_sendrecv_all_nodes(nx_server_t)
-corenet_udp_sendrecv_all_nodes(nx_server_t)
-corenet_tcp_sendrecv_all_ports(nx_server_t)
-corenet_udp_sendrecv_all_ports(nx_server_t)
-corenet_tcp_connect_all_ports(nx_server_t)
-corenet_sendrecv_all_client_packets(nx_server_t)
-
-dev_read_urand(nx_server_t)
-
-files_read_etc_files(nx_server_t)
-files_read_etc_runtime_files(nx_server_t)
-# for reading the config files; maybe a separate type, 
-# but users need to be able to also read the config
-files_read_usr_files(nx_server_t)
-
-libs_use_ld_so(nx_server_t)
-libs_use_shared_libs(nx_server_t)
-
-miscfiles_read_localization(nx_server_t)
-
-seutil_dontaudit_search_config(nx_server_t)
-
-sysnet_read_config(nx_server_t)
-
-ifdef(`TODO',`
-# clients already have create permissions; the nxclient wants to also have unlink rights
-allow userdomain xdm_tmp_t:sock_file unlink;
-# for a lockfile created by the client process
-allow nx_server_t user_tmpfile:file getattr;
-')
-
-########################################
-#
-# SSH component local policy
-#
-
-ssh_basic_client_template(nx_server,nx_server_t,nx_server_r)
diff --git a/refpolicy/policy/modules/services/oav.fc b/refpolicy/policy/modules/services/oav.fc
deleted file mode 100644
index 0a66474..0000000
--- a/refpolicy/policy/modules/services/oav.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/oav-update(/.*)?			gen_context(system_u:object_r:oav_update_etc_t,s0)
-/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0)
-
-/usr/sbin/oav-update		--	gen_context(system_u:object_r:oav_update_exec_t,s0)
-/usr/sbin/scannerdaemon		--	gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
-
-/var/lib/oav-virussignatures	--	gen_context(system_u:object_r:oav_update_var_lib_t,s0)
-/var/lib/oav-update(/.*)?		gen_context(system_u:object_r:oav_update_var_lib_t,s0)
-/var/log/scannerdaemon\.log 	--	gen_context(system_u:object_r:scannerdaemon_log_t,s0)
diff --git a/refpolicy/policy/modules/services/oav.if b/refpolicy/policy/modules/services/oav.if
deleted file mode 100644
index 122b069..0000000
--- a/refpolicy/policy/modules/services/oav.if
+++ /dev/null
@@ -1,56 +0,0 @@
-## <summary>Open AntiVirus scannerdaemon and signature update</summary>
-
-########################################
-## <summary>
-##	Execute oav_update in the oav_update domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`oav_domtrans_update',`
-	gen_require(`
-		type oav_update_t, oav_update_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,oav_update_exec_t,oav_update_t)
-
-	allow $1 oav_update_t:fd use;
-	allow oav_update_t $1:fd use;
-	allow oav_update_t $1:fifo_file rw_file_perms;
-	allow oav_update_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute oav_update in the oav_update domain, and
-##	allow the specified role the oav_update domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the oav_update domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the oav_update domain to use.
-##	</summary>
-## </param>
-#
-interface(`oav_run_update',`
-	gen_require(`
-		type oav_update_t;
-	')
-
-	oav_domtrans_update($1)
-	role $2 types oav_update_t;
-	allow oav_update_t $3:chr_file rw_term_perms;
-')
diff --git a/refpolicy/policy/modules/services/oav.te b/refpolicy/policy/modules/services/oav.te
deleted file mode 100644
index 736c67e..0000000
--- a/refpolicy/policy/modules/services/oav.te
+++ /dev/null
@@ -1,164 +0,0 @@
-
-policy_module(oav,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type oav_update_t;
-type oav_update_exec_t;
-domain_type(oav_update_t)
-domain_entry_file(oav_update_t,oav_update_exec_t)
-
-# cjp: may be collapsable to etc_t
-type oav_update_etc_t;
-files_type(oav_update_etc_t)
-
-type oav_update_var_lib_t;
-files_type(oav_update_var_lib_t)
-
-type scannerdaemon_t;
-type scannerdaemon_exec_t;
-init_daemon_domain(scannerdaemon_t,scannerdaemon_exec_t)
-
-type scannerdaemon_etc_t;
-files_type(scannerdaemon_etc_t)
-
-type scannerdaemon_log_t;
-logging_log_file(scannerdaemon_log_t)
-
-type scannerdaemon_var_run_t;
-files_pid_file(scannerdaemon_var_run_t)
-
-########################################
-#
-# OAV update local policy
-#
-
-allow oav_update_t self:tcp_socket create_stream_socket_perms;
-allow oav_update_t self:udp_socket create_socket_perms;
-
-# Can read /etc/oav-update/* files
-allow oav_update_t oav_update_etc_t:dir r_dir_perms;
-allow oav_update_t oav_update_etc_t:file r_file_perms;
-
-# Can read /var/lib/oav-update/current
-allow oav_update_t oav_update_var_lib_t:dir manage_dir_perms;
-allow oav_update_t oav_update_var_lib_t:file manage_file_perms;
-allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
-
-corecmd_exec_all_executables(oav_update_t)
-
-corenet_non_ipsec_sendrecv(oav_update_t)
-corenet_tcp_sendrecv_generic_if(oav_update_t)
-corenet_udp_sendrecv_generic_if(oav_update_t)
-corenet_tcp_sendrecv_all_nodes(oav_update_t)
-corenet_udp_sendrecv_all_nodes(oav_update_t)
-corenet_tcp_sendrecv_all_ports(oav_update_t)
-corenet_udp_sendrecv_all_ports(oav_update_t)
-
-files_exec_etc_files(oav_update_t)
-
-libs_use_ld_so(oav_update_t)
-libs_use_shared_libs(oav_update_t)
-libs_exec_ld_so(oav_update_t)
-libs_exec_lib_files(oav_update_t)
-libs_use_ld_so(oav_update_t)
-libs_use_shared_libs(oav_update_t)
-
-logging_send_syslog_msg(oav_update_t)
-
-sysnet_read_config(oav_update_t)
-
-optional_policy(`
-	cron_system_entry(oav_update_t,oav_update_exec_t)
-')
-
-########################################
-#
-# Scannerdaemon local policy
-#
-
-dontaudit scannerdaemon_t self:capability sys_tty_config;
-allow scannerdaemon_t self:process signal_perms;
-allow scannerdaemon_t self:fifo_file { read write };
-allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
-allow scannerdaemon_t self:udp_socket create_socket_perms;
-
-allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;
-allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;
-files_search_var_lib(scannerdaemon_t)
-
-allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;
-
-allow scannerdaemon_t scannerdaemon_log_t:file create_file_perms;
-logging_log_filetrans(scannerdaemon_t,scannerdaemon_log_t,file)
-
-allow scannerdaemon_t scannerdaemon_var_run_t:file create_file_perms;
-allow scannerdaemon_t scannerdaemon_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(scannerdaemon_t,scannerdaemon_var_run_t,file)
-
-kernel_read_system_state(scannerdaemon_t)
-kernel_read_kernel_sysctls(scannerdaemon_t)
-
-# Can run kaffe
-corecmd_exec_all_executables(scannerdaemon_t)
-
-corenet_non_ipsec_sendrecv(scannerdaemon_t)
-corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
-corenet_udp_sendrecv_generic_if(scannerdaemon_t)
-corenet_tcp_sendrecv_all_nodes(scannerdaemon_t)
-corenet_udp_sendrecv_all_nodes(scannerdaemon_t)
-corenet_tcp_sendrecv_all_ports(scannerdaemon_t)
-corenet_udp_sendrecv_all_ports(scannerdaemon_t)
-
-dev_read_sysfs(scannerdaemon_t)
-
-domain_use_interactive_fds(scannerdaemon_t)
-
-files_read_etc_files(scannerdaemon_t)
-files_read_etc_runtime_files(scannerdaemon_t)
-# Can run kaffe
-files_exec_etc_files(scannerdaemon_t)
-
-fs_getattr_all_fs(scannerdaemon_t)
-fs_search_auto_mountpoints(scannerdaemon_t)
-
-term_dontaudit_use_console(scannerdaemon_t)
-
-auth_dontaudit_read_shadow(scannerdaemon_t)
-
-init_use_fds(scannerdaemon_t)
-init_use_script_ptys(scannerdaemon_t)
-
-libs_use_ld_so(scannerdaemon_t)
-libs_use_shared_libs(scannerdaemon_t)
-# Can run kaffe
-libs_use_ld_so(scannerdaemon_t)
-libs_use_shared_libs(scannerdaemon_t)
-libs_exec_ld_so(scannerdaemon_t)
-libs_exec_lib_files(scannerdaemon_t)
-
-logging_send_syslog_msg(scannerdaemon_t)
-
-miscfiles_read_localization(scannerdaemon_t)
-
-sysnet_read_config(scannerdaemon_t)
-
-userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
-userdom_dontaudit_search_sysadm_home_dirs(scannerdaemon_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(scannerdaemon_t)
-	term_dontaudit_use_generic_ptys(scannerdaemon_t)
-	files_dontaudit_read_root_files(scannerdaemon_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(scannerdaemon_t)
-')
-
-optional_policy(`
-	udev_read_db(scannerdaemon_t)
-')
diff --git a/refpolicy/policy/modules/services/openca.fc b/refpolicy/policy/modules/services/openca.fc
deleted file mode 100644
index dc360b9..0000000
--- a/refpolicy/policy/modules/services/openca.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/openca(/.*)?			gen_context(system_u:object_r:openca_etc_t,s0)
-/etc/openca/*.\.in(/.*)?		gen_context(system_u:object_r:openca_etc_in_t,s0)
-/etc/openca/rbac(/.*)?			gen_context(system_u:object_r:openca_etc_writeable_t,s0)
-
-/usr/share/openca(/.*)?			gen_context(system_u:object_r:openca_usr_share_t,s0)
-/usr/share/openca/cgi-bin/ca/.+ --	gen_context(system_u:object_r:openca_ca_exec_t,s0)
-
-/var/lib/openca(/.*)?			gen_context(system_u:object_r:openca_var_lib_t,s0)
-/var/lib/openca/crypto/keys(/.*)?	gen_context(system_u:object_r:openca_var_lib_keys_t,s0)
diff --git a/refpolicy/policy/modules/services/openca.if b/refpolicy/policy/modules/services/openca.if
deleted file mode 100644
index d84d2ed..0000000
--- a/refpolicy/policy/modules/services/openca.if
+++ /dev/null
@@ -1,80 +0,0 @@
-## <summary>OpenCA - Open Certificate Authority</summary>
-
-########################################
-## <summary>
-##	Execute the OpenCA program with
-##	a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`openca_domtrans',`
-	gen_require(`
-		type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
-	')
-
-	domain_auto_trans($1,openca_ca_exec_t,openca_ca_t)
-	allow httpd_t openca_usr_share_t:dir search_dir_perms;
-	files_search_usr(httpd_t)
-
-	allow openca_ca_t $1:fd use;
-	allow openca_ca_t $1:fifo_file rw_file_perms;
-	allow openca_ca_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send OpenCA generic signals.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`openca_signal',`
-	gen_require(`
-		type openca_ca_t;
-	')
-
-	allow $1 openca_ca_t:process signal;
-')
-
-########################################
-## <summary>
-##	Send OpenCA stop signals.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`openca_sigstop',`
-	gen_require(`
-		type openca_ca_t;
-	')
-
-	allow $1 openca_ca_t:process sigstop;
-')
-
-########################################
-## <summary>
-##	Kill OpenCA.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`openca_kill',`
-	gen_require(`
-		type openca_ca_t;
-	')
-
-	allow $1 openca_ca_t:process sigkill;
-')
diff --git a/refpolicy/policy/modules/services/openca.te b/refpolicy/policy/modules/services/openca.te
deleted file mode 100644
index 04fc293..0000000
--- a/refpolicy/policy/modules/services/openca.te
+++ /dev/null
@@ -1,85 +0,0 @@
-
-policy_module(openca,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type openca_ca_t;
-type openca_ca_exec_t;
-domain_type(openca_ca_t)
-domain_entry_file(openca_ca_t,openca_ca_exec_t)
-role system_r types openca_ca_t;
-
-# cjp: seems like some of these types
-# can be removed and replaced with generic
-# etc or usr files.
-
-# /etc/openca standard files
-type openca_etc_t;
-files_type(openca_etc_t)
-
-# /etc/openca template files
-type openca_etc_in_t;
-files_type(openca_etc_in_t)
-
-# /etc/openca writeable (from CGI script) files
-type openca_etc_writeable_t;
-files_type(openca_etc_writeable_t)
-
-# /usr/share/openca/crypto/keys
-type openca_usr_share_t;
-files_type(openca_usr_share_t)
-
-# /var/lib/openca
-type openca_var_lib_t;
-files_type(openca_var_lib_t)
-
-# /var/lib/openca/crypto/keys
-type openca_var_lib_keys_t;
-files_type(openca_var_lib_keys_t)
-
-########################################
-#
-# Local policy
-#
-
-# Allow access to other files under /etc/openca
-allow openca_ca_t openca_etc_t:file r_file_perms;
-allow openca_ca_t openca_etc_t:dir r_dir_perms;
-
-# Allow access to writeable files under /etc/openca
-allow openca_ca_t openca_etc_writeable_t:file manage_file_perms;
-allow openca_ca_t openca_etc_writeable_t:dir manage_dir_perms;
-
-# Allow access to other /var/lib/openca files
-allow openca_ca_t openca_var_lib_t:file manage_file_perms;
-allow openca_ca_t openca_var_lib_t:dir manage_dir_perms;
-
-# Allow access to private CA key
-allow openca_ca_t openca_var_lib_keys_t:file manage_file_perms;
-allow openca_ca_t openca_var_lib_keys_t:dir manage_dir_perms;
-
-# Allow access to other /usr/share/openca files
-allow openca_ca_t openca_usr_share_t:file r_file_perms;
-allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
-allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
-
-# the perl executable will be able to run a perl script
-corecmd_exec_bin(openca_ca_t)
-
-dev_read_rand(openca_ca_t)
-
-files_list_default(openca_ca_t)
-
-init_use_fds(openca_ca_t)
-init_use_script_fds(openca_ca_t)
-
-libs_use_ld_so(openca_ca_t)
-libs_use_shared_libs(openca_ca_t)
-libs_exec_lib_files(openca_ca_t)
-
-apache_append_log(openca_ca_t)
-# Allow the script to return its output
-apache_rw_cache_files(openca_ca_t)
diff --git a/refpolicy/policy/modules/services/openct.fc b/refpolicy/policy/modules/services/openct.fc
deleted file mode 100644
index 8aaadc5..0000000
--- a/refpolicy/policy/modules/services/openct.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# /usr
-#
-/usr/sbin/openct-control	 --	gen_context(system_u:object_r:openct_exec_t,s0)
-
-#
-# /var
-#
-/var/run/openct(/.*)?		gen_context(system_u:object_r:openct_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/openct.if b/refpolicy/policy/modules/services/openct.if
deleted file mode 100644
index 6df1a48..0000000
--- a/refpolicy/policy/modules/services/openct.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Service for handling smart card readers.</summary>
diff --git a/refpolicy/policy/modules/services/openct.te b/refpolicy/policy/modules/services/openct.te
deleted file mode 100644
index 3e55f55..0000000
--- a/refpolicy/policy/modules/services/openct.te
+++ /dev/null
@@ -1,71 +0,0 @@
-
-policy_module(openct,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type openct_t;
-type openct_exec_t;
-init_daemon_domain(openct_t,openct_exec_t)
-
-type openct_var_run_t;
-files_pid_file(openct_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit openct_t self:capability sys_tty_config;
-allow openct_t self:process signal_perms;
-
-allow openct_t openct_var_run_t:file create_file_perms;
-allow openct_t openct_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(openct_t,openct_var_run_t,file)
-
-kernel_read_kernel_sysctls(openct_t)
-kernel_list_proc(openct_t)
-kernel_read_proc_symlinks(openct_t)
-
-dev_read_sysfs(openct_t)
-# openct asks for this
-dev_rw_usbfs(openct_t)
-
-domain_use_interactive_fds(openct_t)
-
-# openct asks for this
-files_read_etc_files(openct_t)
-
-fs_getattr_all_fs(openct_t)
-fs_search_auto_mountpoints(openct_t)
-
-term_dontaudit_use_console(openct_t)
-
-init_use_fds(openct_t)
-init_use_script_ptys(openct_t)
-
-libs_use_ld_so(openct_t)
-libs_use_shared_libs(openct_t)
-
-logging_send_syslog_msg(openct_t)
-
-miscfiles_read_localization(openct_t)
-
-userdom_dontaudit_use_unpriv_user_fds(openct_t)
-userdom_dontaudit_search_sysadm_home_dirs(openct_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(openct_t)
-	term_dontaudit_use_generic_ptys(openct_t)
-	files_dontaudit_read_root_files(openct_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(openct_t)
-')
-
-optional_policy(`
-	udev_read_db(openct_t)
-')
diff --git a/refpolicy/policy/modules/services/openvpn.fc b/refpolicy/policy/modules/services/openvpn.fc
deleted file mode 100644
index 046d5d7..0000000
--- a/refpolicy/policy/modules/services/openvpn.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# /etc
-#
-/etc/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_etc_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/openvpn	--	gen_context(system_u:object_r:openvpn_exec_t,s0)
-
-#
-# /var
-#
-/var/log/openvpn.*	--	gen_context(system_u:object_r:openvpn_var_log_t,s0)
-/var/run/openvpn.*	--	gen_context(system_u:object_r:openvpn_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/openvpn.if b/refpolicy/policy/modules/services/openvpn.if
deleted file mode 100644
index 78bbc4b..0000000
--- a/refpolicy/policy/modules/services/openvpn.if
+++ /dev/null
@@ -1,23 +0,0 @@
-## <summary>full-featured SSL VPN solution</summary>
-
-########################################
-## <summary>
-##	Allow the specified domain to read
-##	OpenVPN configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`openvpn_read_config',`
-	gen_require(`
-		type openvpn_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 openvpn_etc_t:dir r_dir_perms;
-	allow $1 openvpn_etc_t:file r_file_perms;
-	allow $1 openvpn_etc_t:lnk_file { getattr read };
-')
diff --git a/refpolicy/policy/modules/services/openvpn.te b/refpolicy/policy/modules/services/openvpn.te
deleted file mode 100644
index 8277b36..0000000
--- a/refpolicy/policy/modules/services/openvpn.te
+++ /dev/null
@@ -1,91 +0,0 @@
-
-policy_module(openvpn,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-# main openvpn domain
-type openvpn_t;
-type openvpn_exec_t;
-init_daemon_domain(openvpn_t, openvpn_exec_t)
-
-# configuration files
-type openvpn_etc_t;
-files_type(openvpn_etc_t)
-
-# log files
-type openvpn_var_log_t;
-logging_log_file(openvpn_var_log_t)
-
-# pid files
-type openvpn_var_run_t;
-files_pid_file(openvpn_var_run_t)
-
-########################################
-#
-# openvpn local policy
-#
-
-allow openvpn_t self:capability { net_admin setgid setuid };
-allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
-allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow openvpn_t self:udp_socket create_socket_perms;
-allow openvpn_t self:tcp_socket create_socket_perms;
-
-allow openvpn_t openvpn_etc_t:dir r_dir_perms;
-allow openvpn_t openvpn_etc_t:file r_file_perms;
-allow openvpn_t openvpn_etc_t:lnk_file { getattr read };
-
-allow openvpn_t openvpn_var_log_t:file create_file_perms;
-logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
-
-allow openvpn_t openvpn_var_run_t:file create_file_perms;
-files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
-
-kernel_read_kernel_sysctls(openvpn_t)
-kernel_read_net_sysctls(openvpn_t)
-kernel_read_network_state(openvpn_t)
-kernel_read_system_state(openvpn_t)
-
-corecmd_exec_bin(openvpn_t)
-corecmd_exec_sbin(openvpn_t)
-corecmd_exec_shell(openvpn_t)
-
-corenet_non_ipsec_sendrecv(openvpn_t)
-corenet_tcp_sendrecv_all_if(openvpn_t)
-corenet_udp_sendrecv_all_if(openvpn_t)
-corenet_tcp_sendrecv_generic_node(openvpn_t)
-corenet_udp_sendrecv_generic_node(openvpn_t)
-corenet_tcp_sendrecv_all_ports(openvpn_t)
-corenet_udp_sendrecv_all_ports(openvpn_t)
-corenet_tcp_bind_all_nodes(openvpn_t)
-corenet_udp_bind_all_nodes(openvpn_t)
-corenet_tcp_bind_openvpn_port(openvpn_t)
-corenet_udp_bind_openvpn_port(openvpn_t)
-corenet_sendrecv_openvpn_server_packets(openvpn_t)
-corenet_rw_tun_tap_dev(openvpn_t)
-
-dev_read_rand(openvpn_t)
-dev_read_urand(openvpn_t)
-
-files_read_etc_files(openvpn_t)
-files_read_etc_runtime_files(openvpn_t)
-
-libs_use_ld_so(openvpn_t)
-libs_use_shared_libs(openvpn_t)
-
-logging_send_syslog_msg(openvpn_t)
-
-miscfiles_read_localization(openvpn_t)
-
-sysnet_exec_ifconfig(openvpn_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_generic_ptys(openvpn_t)
-')
-
-optional_policy(`
-	daemontools_service_domain(openvpn_t,openvpn_exec_t)
-')
diff --git a/refpolicy/policy/modules/services/pegasus.fc b/refpolicy/policy/modules/services/pegasus.fc
deleted file mode 100644
index 601c91c..0000000
--- a/refpolicy/policy/modules/services/pegasus.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-
-/etc/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_conf_t,s0)
-/etc/Pegasus/pegasus_current.conf	gen_context(system_u:object_r:pegasus_data_t,s0)
-
-/usr/sbin/cimserver		--	gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/init_repository	-- 	gen_context(system_u:object_r:pegasus_exec_t,s0)
-
-/var/lib/Pegasus(/.*)?	                gen_context(system_u:object_r:pegasus_data_t,s0)
-
-/var/run/tog-pegasus(/.*)?              gen_context(system_u:object_r:pegasus_var_run_t,s0)
-
-/usr/share/Pegasus/mof(/.*)?/.*\.mof    gen_context(system_u:object_r:pegasus_mof_t,s0)
diff --git a/refpolicy/policy/modules/services/pegasus.if b/refpolicy/policy/modules/services/pegasus.if
deleted file mode 100644
index 920b13f..0000000
--- a/refpolicy/policy/modules/services/pegasus.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
deleted file mode 100644
index 7769803..0000000
--- a/refpolicy/policy/modules/services/pegasus.te
+++ /dev/null
@@ -1,155 +0,0 @@
-
-policy_module(pegasus,1.1.4)
-
-########################################
-#
-# Declarations
-#
-
-type pegasus_t;
-type pegasus_exec_t;
-init_daemon_domain(pegasus_t,pegasus_exec_t)
-
-type pegasus_data_t;
-files_type(pegasus_data_t)
-
-type pegasus_tmp_t;
-files_tmp_file(pegasus_tmp_t)
-
-type pegasus_conf_t;
-files_type(pegasus_conf_t)
-
-type pegasus_mof_t;
-files_type(pegasus_mof_t)
-
-type pegasus_var_run_t;
-files_pid_file(pegasus_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service audit_write }; 
-dontaudit pegasus_t self:capability sys_tty_config;
-allow pegasus_t self:process signal;
-allow pegasus_t self:fifo_file rw_file_perms;
-allow pegasus_t self:unix_dgram_socket create_socket_perms;
-allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
-allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow pegasus_t self:tcp_socket create_stream_socket_perms;
-
-allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink };
-allow pegasus_t pegasus_conf_t:lnk_file r_file_perms;
-
-allow pegasus_t pegasus_data_t:dir rw_dir_perms;
-allow pegasus_t pegasus_data_t:file create_file_perms;
-allow pegasus_t pegasus_data_t:lnk_file create_lnk_perms;
-type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;
-
-can_exec(pegasus_t,pegasus_exec_t)
-
-allow pegasus_t pegasus_mof_t:dir r_dir_perms;
-allow pegasus_t pegasus_mof_t:file r_file_perms;
-allow pegasus_t pegasus_mof_t:lnk_file { getattr read };
-
-allow pegasus_t pegasus_tmp_t:dir create_dir_perms;
-allow pegasus_t pegasus_tmp_t:file create_file_perms;
-files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
-
-allow pegasus_t pegasus_var_run_t:file create_file_perms;
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
-allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(pegasus_t,pegasus_var_run_t,file)
-
-kernel_read_kernel_sysctls(pegasus_t)
-kernel_read_fs_sysctls(pegasus_t)
-kernel_read_system_state(pegasus_t)
-kernel_search_vm_sysctl(pegasus_t)
-kernel_read_net_sysctls(pegasus_t)
-
-corenet_non_ipsec_sendrecv(pegasus_t)
-corenet_tcp_sendrecv_all_if(pegasus_t)
-corenet_tcp_sendrecv_all_nodes(pegasus_t)
-corenet_tcp_sendrecv_all_ports(pegasus_t)
-corenet_tcp_bind_all_nodes(pegasus_t)
-corenet_tcp_bind_pegasus_http_port(pegasus_t)
-corenet_tcp_bind_pegasus_https_port(pegasus_t)
-corenet_tcp_connect_pegasus_http_port(pegasus_t)
-corenet_tcp_connect_pegasus_https_port(pegasus_t)
-corenet_tcp_connect_generic_port(pegasus_t)
-corenet_sendrecv_generic_client_packets(pegasus_t)
-corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
-corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
-corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
-corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
-
-corecmd_exec_sbin(pegasus_t)
-corecmd_exec_bin(pegasus_t)
-corecmd_exec_shell(pegasus_t)
-
-dev_read_sysfs(pegasus_t)
-dev_read_urand(pegasus_t)
-
-fs_getattr_all_fs(pegasus_t)
-fs_search_auto_mountpoints(pegasus_t)
-files_getattr_all_dirs(pegasus_t)
-
-term_dontaudit_use_console(pegasus_t)
-
-auth_use_nsswitch(pegasus_t)
-auth_domtrans_chk_passwd(pegasus_t)
-
-domain_use_interactive_fds(pegasus_t)
-domain_read_all_domains_state(pegasus_t)
-
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
-files_read_var_lib_symlinks(pegasus_t)
-
-hostname_exec(pegasus_t)
-
-init_use_fds(pegasus_t)
-init_use_script_ptys(pegasus_t)
-init_rw_utmp(pegasus_t)
-init_stream_connect_script(pegasus_t)
-
-libs_use_ld_so(pegasus_t)
-libs_use_shared_libs(pegasus_t)
-
-miscfiles_read_localization(pegasus_t)
-
-sysnet_read_config(pegasus_t)
-
-userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
-userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(pegasus_t)
-	term_dontaudit_use_generic_ptys(pegasus_t)
-	files_dontaudit_read_root_files(pegasus_t)
-	unconfined_signull(pegasus_t)
-')
-
-optional_policy(`
-	logging_send_syslog_msg(pegasus_t)
-')
-
-optional_policy(`
-	nscd_socket_use(pegasus_t)
-')
-
-optional_policy(`
-	rpm_exec(pegasus_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(pegasus_t)
-	seutil_dontaudit_read_config(pegasus_t)
-')
-
-optional_policy(`
-	udev_read_db(pegasus_t)
-')
diff --git a/refpolicy/policy/modules/services/perdition.fc b/refpolicy/policy/modules/services/perdition.fc
deleted file mode 100644
index bcdf89b..0000000
--- a/refpolicy/policy/modules/services/perdition.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/etc/perdition(/.*)?		gen_context(system_u:object_r:perdition_etc_t,s0)
-
-/usr/sbin/perdition	--	gen_context(system_u:object_r:perdition_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/perdition.if b/refpolicy/policy/modules/services/perdition.if
deleted file mode 100644
index 949cc11..0000000
--- a/refpolicy/policy/modules/services/perdition.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>Perdition POP and IMAP proxy</summary>
-
-########################################
-## <summary>
-##	Connect to perdition over a TCP socket
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`perdition_tcp_connect',`
-	gen_require(`
-		type perdition_t;
-	')
-
-	allow $1 perdition_t:tcp_socket { connectto recvfrom };
-	allow perdition_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
diff --git a/refpolicy/policy/modules/services/perdition.te b/refpolicy/policy/modules/services/perdition.te
deleted file mode 100644
index d9c4037..0000000
--- a/refpolicy/policy/modules/services/perdition.te
+++ /dev/null
@@ -1,91 +0,0 @@
-
-policy_module(perdition,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type perdition_t;
-type perdition_exec_t;
-init_daemon_domain(perdition_t,perdition_exec_t)
-
-type perdition_etc_t;
-files_config_file(perdition_etc_t)
-
-type perdition_var_run_t;
-files_pid_file(perdition_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow perdition_t self:capability { setgid setuid };
-dontaudit perdition_t self:capability sys_tty_config;
-allow perdition_t self:process signal_perms;
-allow perdition_t self:tcp_socket create_stream_socket_perms;
-allow perdition_t self:udp_socket create_socket_perms;
-
-allow perdition_t perdition_etc_t:file { getattr read };
-files_search_etc(perdition_t)
-
-allow perdition_t perdition_var_run_t:file create_file_perms;
-allow perdition_t perdition_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(perdition_t,perdition_var_run_t,file)
-
-kernel_read_kernel_sysctls(perdition_t)
-kernel_list_proc(perdition_t)
-kernel_read_proc_symlinks(perdition_t)
-kernel_tcp_recvfrom(perdition_t)
-
-corenet_non_ipsec_sendrecv(perdition_t)
-corenet_tcp_sendrecv_generic_if(perdition_t)
-corenet_udp_sendrecv_generic_if(perdition_t)
-corenet_tcp_sendrecv_all_nodes(perdition_t)
-corenet_udp_sendrecv_all_nodes(perdition_t)
-corenet_tcp_sendrecv_all_ports(perdition_t)
-corenet_udp_sendrecv_all_ports(perdition_t)
-corenet_tcp_bind_all_nodes(perdition_t)
-corenet_tcp_bind_pop_port(perdition_t)
-corenet_sendrecv_pop_server_packets(perdition_t)
-
-dev_read_sysfs(perdition_t)
-
-domain_use_interactive_fds(perdition_t)
-
-fs_getattr_all_fs(perdition_t)
-fs_search_auto_mountpoints(perdition_t)
-
-files_read_etc_files(perdition_t)
-
-term_dontaudit_use_console(perdition_t)
-
-init_use_fds(perdition_t)
-init_use_script_ptys(perdition_t)
-
-libs_use_ld_so(perdition_t)
-libs_use_shared_libs(perdition_t)
-
-logging_send_syslog_msg(perdition_t)
-
-miscfiles_read_localization(perdition_t)
-
-sysnet_read_config(perdition_t)
-
-userdom_dontaudit_use_unpriv_user_fds(perdition_t)
-userdom_dontaudit_search_sysadm_home_dirs(perdition_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(perdition_t)
-	term_dontaudit_use_generic_ptys(perdition_t)
-	files_dontaudit_read_root_files(perdition_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(perdition_t)
-')
-
-optional_policy(`
-	udev_read_db(perdition_t)
-')
diff --git a/refpolicy/policy/modules/services/portmap.fc b/refpolicy/policy/modules/services/portmap.fc
deleted file mode 100644
index 2c42dfd..0000000
--- a/refpolicy/policy/modules/services/portmap.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-
-/sbin/portmap		--	gen_context(system_u:object_r:portmap_exec_t,s0)
-
-ifdef(`distro_debian',`
-/sbin/pmap_dump		--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
-/sbin/pmap_set		--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
-', `
-/usr/sbin/pmap_dump	--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
-/usr/sbin/pmap_set	--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
-')
-
-/var/run/portmap.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/portmap.if b/refpolicy/policy/modules/services/portmap.if
deleted file mode 100644
index 430138c..0000000
--- a/refpolicy/policy/modules/services/portmap.if
+++ /dev/null
@@ -1,125 +0,0 @@
-## <summary>RPC port mapping service.</summary>
-
-########################################
-## <summary>
-##	Execute portmap_helper in the helper domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`portmap_domtrans_helper',`
-	gen_require(`
-		type portmap_helper_t, portmap_helper_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1,portmap_helper_exec_t,portmap_helper_t)
-
-	allow $1 portmap_helper_t:fd use;
-	allow portmap_helper_t $1:fd use;
-	allow portmap_helper_t $1:fifo_file rw_file_perms;
-	allow portmap_helper_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute portmap helper in the helper domain, and
-##	allow the specified role the helper domain.
-##	Communicate with portmap.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the portmap domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the portmap domain to use.
-##	</summary>
-## </param>
-#
-interface(`portmap_run_helper',`
-	gen_require(`
-		type portmap_t, portmap_helper_t;
-	')
-
-	portmap_domtrans_helper($1)
-	role $2 types portmap_helper_t;
-	allow portmap_helper_t $3:chr_file { getattr read write ioctl };
-
-	# send to portmap
-	allow $1 portmap_t:udp_socket sendto;
-	allow portmap_t $1:udp_socket recvfrom;
-
-	# receive from portmap
-	allow portmap_t $1:udp_socket sendto;
-	allow $1 portmap_t:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic to portmap.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`portmap_udp_send',`
-	gen_require(`
-		type portmap_t;
-	')
-
-	allow $1 portmap_t:udp_socket sendto;
-	allow portmap_t $1:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Send and receive UDP network traffic from portmap.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`portmap_udp_chat',`
-	gen_require(`
-		type portmap_t;
-	')
-
-	allow $1 portmap_t:udp_socket sendto;
-	allow portmap_t $1:udp_socket recvfrom;
-	allow portmap_t $1:udp_socket sendto;
-	allow $1 portmap_t:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Connect to portmap over a TCP socket
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`portmap_tcp_connect',`
-	gen_require(`
-		type portmap_t;
-	')
-
-	allow $1 portmap_t:tcp_socket { connectto recvfrom };
-	allow portmap_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
deleted file mode 100644
index 06e0af5..0000000
--- a/refpolicy/policy/modules/services/portmap.te
+++ /dev/null
@@ -1,184 +0,0 @@
-
-policy_module(portmap,1.2.4)
-
-########################################
-#
-# Declarations
-#
-
-type portmap_t;
-type portmap_exec_t;
-init_daemon_domain(portmap_t,portmap_exec_t)
-
-type portmap_helper_t;
-type portmap_helper_exec_t;
-init_system_domain(portmap_helper_t,portmap_helper_exec_t)
-role system_r types portmap_helper_t;
-
-type portmap_tmp_t;
-files_tmp_file(portmap_tmp_t)
-
-type portmap_var_run_t;
-files_pid_file(portmap_var_run_t)
-
-########################################
-#
-# Portmap local policy
-#
-
-allow portmap_t self:capability { setuid setgid };
-dontaudit portmap_t self:capability sys_tty_config;
-allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
-allow portmap_t self:unix_dgram_socket create_socket_perms;
-allow portmap_t self:unix_stream_socket create_stream_socket_perms;
-allow portmap_t self:tcp_socket create_stream_socket_perms;
-allow portmap_t self:udp_socket create_socket_perms;
-
-allow portmap_t portmap_tmp_t:dir create_dir_perms;
-allow portmap_t portmap_tmp_t:file create_file_perms;
-files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
-
-allow portmap_t portmap_var_run_t:file create_file_perms;
-allow portmap_t portmap_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(portmap_t,portmap_var_run_t,file)
-
-kernel_read_kernel_sysctls(portmap_t)
-kernel_list_proc(portmap_t)
-kernel_read_proc_symlinks(portmap_t)
-kernel_tcp_recvfrom(portmap_t) 
-
-corenet_non_ipsec_sendrecv(portmap_t)
-corenet_tcp_sendrecv_all_if(portmap_t)
-corenet_udp_sendrecv_all_if(portmap_t)
-corenet_tcp_sendrecv_all_nodes(portmap_t)
-corenet_udp_sendrecv_all_nodes(portmap_t)
-corenet_tcp_sendrecv_all_ports(portmap_t)
-corenet_udp_sendrecv_all_ports(portmap_t)
-corenet_tcp_bind_all_nodes(portmap_t)
-corenet_udp_bind_all_nodes(portmap_t)
-corenet_tcp_bind_portmap_port(portmap_t)
-corenet_udp_bind_portmap_port(portmap_t)
-corenet_tcp_connect_all_ports(portmap_t)
-corenet_sendrecv_portmap_client_packets(portmap_t)
-corenet_sendrecv_portmap_server_packets(portmap_t)
-# portmap binds to arbitary ports
-corenet_tcp_bind_generic_port(portmap_t)
-corenet_udp_bind_generic_port(portmap_t)
-corenet_tcp_bind_reserved_port(portmap_t)
-corenet_udp_bind_reserved_port(portmap_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)
-
-dev_read_sysfs(portmap_t)
-
-fs_getattr_all_fs(portmap_t)
-fs_search_auto_mountpoints(portmap_t)
-
-term_dontaudit_use_console(portmap_t)
-
-domain_use_interactive_fds(portmap_t)
-
-files_read_etc_files(portmap_t)
-
-init_use_fds(portmap_t)
-init_use_script_ptys(portmap_t)
-init_udp_send(portmap_t)
-init_udp_send_script(portmap_t)
-
-libs_use_ld_so(portmap_t)
-libs_use_shared_libs(portmap_t)
-
-logging_send_syslog_msg(portmap_t)
-
-miscfiles_read_localization(portmap_t)
-
-sysnet_read_config(portmap_t)
-
-userdom_dontaudit_use_unpriv_user_fds(portmap_t)
-userdom_dontaudit_search_sysadm_home_dirs(portmap_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(portmap_t)
-	term_dontaudit_use_generic_ptys(portmap_t)
-	files_dontaudit_read_root_files(portmap_t)
-')
-
-optional_policy(`
-	inetd_udp_send(portmap_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(portmap_t)
-	nis_udp_send_ypbind(portmap_t)
-')
-
-optional_policy(`
-	nscd_socket_use(portmap_t)
-')
-
-optional_policy(`
-	rpc_udp_send_nfs(portmap_t)
-') 
-
-optional_policy(`
-	seutil_sigchld_newrole(portmap_t)
-')
-
-optional_policy(`
-	udev_read_db(portmap_t)
-')
-
-########################################
-#
-# Portmap helper local policy
-#
-
-dontaudit portmap_helper_t self:capability net_admin;
-allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
-allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
-allow portmap_helper_t self:udp_socket create_socket_perms;
-
-allow portmap_helper_t portmap_var_run_t:file create_file_perms;
-files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
-
-corenet_tcp_sendrecv_all_if(portmap_helper_t)
-corenet_udp_sendrecv_all_if(portmap_helper_t)
-corenet_raw_sendrecv_all_if(portmap_helper_t)
-corenet_tcp_sendrecv_all_nodes(portmap_helper_t)
-corenet_udp_sendrecv_all_nodes(portmap_helper_t)
-corenet_raw_sendrecv_all_nodes(portmap_helper_t)
-corenet_tcp_sendrecv_all_ports(portmap_helper_t)
-corenet_udp_sendrecv_all_ports(portmap_helper_t)
-corenet_non_ipsec_sendrecv(portmap_helper_t)
-corenet_tcp_bind_all_nodes(portmap_helper_t)
-corenet_udp_bind_all_nodes(portmap_helper_t)
-corenet_tcp_bind_reserved_port(portmap_helper_t)
-corenet_udp_bind_reserved_port(portmap_helper_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
-corenet_tcp_connect_all_ports(portmap_helper_t)
-
-domain_dontaudit_use_interactive_fds(portmap_helper_t)
-
-files_read_etc_files(portmap_helper_t)
-files_rw_generic_pids(portmap_helper_t)
-
-init_rw_utmp(portmap_helper_t)
-
-libs_use_ld_so(portmap_helper_t)
-libs_use_shared_libs(portmap_helper_t)
-
-logging_send_syslog_msg(portmap_helper_t)
-
-sysnet_read_config(portmap_helper_t)
-
-userdom_dontaudit_use_all_users_fds(portmap_helper_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(portmap_helper_t)
-	term_dontaudit_use_generic_ptys(portmap_helper_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(portmap_helper_t)
-')
diff --git a/refpolicy/policy/modules/services/portslave.fc b/refpolicy/policy/modules/services/portslave.fc
deleted file mode 100644
index 2dd7786..0000000
--- a/refpolicy/policy/modules/services/portslave.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/etc/portslave(/.*)?		gen_context(system_u:object_r:portslave_etc_t,s0)
-
-/usr/sbin/ctlportslave	--	gen_context(system_u:object_r:portslave_exec_t,s0)
-/usr/sbin/portslave	--	gen_context(system_u:object_r:portslave_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/portslave.if b/refpolicy/policy/modules/services/portslave.if
deleted file mode 100644
index 410cdb1..0000000
--- a/refpolicy/policy/modules/services/portslave.if
+++ /dev/null
@@ -1,24 +0,0 @@
-## <summary>Portslave terminal server software</summary>
-
-########################################
-## <summary>
-##	Execute portslave with a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`portslave_domtrans',`
-	gen_require(`
-		type portslave_t, portslave_exec_t;
-	')
-
-	domain_auto_trans($1,portslave_exec_t,portslave_t)
-
-	allow $1 portslave_t:fd use;
-	allow portslave_t $1:fd use;
-	allow portslave_t $1:fifo_file rw_file_perms;
-	allow portslave_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/portslave.te b/refpolicy/policy/modules/services/portslave.te
deleted file mode 100644
index 5ebc80d..0000000
--- a/refpolicy/policy/modules/services/portslave.te
+++ /dev/null
@@ -1,140 +0,0 @@
-
-policy_module(portslave,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type portslave_t;
-type portslave_exec_t;
-init_domain(portslave_t,portslave_exec_t)
-init_daemon_domain(portslave_t,portslave_exec_t)
-
-type portslave_etc_t;
-files_type(portslave_etc_t)
-
-type portslave_lock_t;
-files_lock_file(portslave_lock_t)
-
-########################################
-#
-# Local policy
-#
-
-# setuid setgid net_admin fsetid for pppd
-# sys_admin for ctlportslave
-# net_bind_service for rlogin
-allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
-dontaudit portslave_t self:capability sys_admin;
-allow portslave_t self:process signal_perms;
-allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow portslave_t self:fd use;
-allow portslave_t self:fifo_file rw_file_perms;
-allow portslave_t self:unix_dgram_socket create_socket_perms;
-allow portslave_t self:unix_stream_socket create_stream_socket_perms;
-allow portslave_t self:unix_dgram_socket sendto;
-allow portslave_t self:unix_stream_socket connectto;
-allow portslave_t self:shm create_shm_perms;
-allow portslave_t self:sem create_sem_perms;
-allow portslave_t self:msgq create_msgq_perms;
-allow portslave_t self:msg { send receive };
-allow portslave_t self:tcp_socket create_stream_socket_perms;
-allow portslave_t self:udp_socket create_socket_perms;
-
-allow portslave_t portslave_etc_t:dir r_dir_perms;
-allow portslave_t portslave_etc_t:file r_file_perms;
-allow portslave_t portslave_etc_t:lnk_file { getattr read };
-
-allow portslave_t portslave_lock_t:file create_file_perms;
-files_lock_filetrans(portslave_t,portslave_lock_t,file)
-
-kernel_read_system_state(portslave_t)
-kernel_read_kernel_sysctls(portslave_t)
-
-corecmd_exec_bin(portslave_t)
-corecmd_exec_shell(portslave_t)
-
-corenet_non_ipsec_sendrecv(portslave_t)
-corenet_tcp_sendrecv_generic_if(portslave_t)
-corenet_udp_sendrecv_generic_if(portslave_t)
-corenet_tcp_sendrecv_all_nodes(portslave_t)
-corenet_udp_sendrecv_all_nodes(portslave_t)
-corenet_tcp_sendrecv_all_ports(portslave_t)
-corenet_udp_sendrecv_all_ports(portslave_t)
-corenet_rw_ppp_dev(portslave_t)
-
-dev_read_sysfs(portslave_t)
-# for ssh
-dev_read_urand(portslave_t)
-
-domain_use_interactive_fds(portslave_t)
-
-files_read_etc_files(portslave_t)
-files_read_etc_runtime_files(portslave_t)
-files_exec_etc_files(portslave_t)
-
-fs_search_auto_mountpoints(portslave_t)
-fs_getattr_xattr_fs(portslave_t)
-
-term_use_unallocated_ttys(portslave_t)
-term_setattr_unallocated_ttys(portslave_t)
-term_use_all_user_ttys(portslave_t)
-term_dontaudit_use_console(portslave_t)
-term_search_ptys(portslave_t)
-
-auth_rw_login_records(portslave_t)
-auth_domtrans_chk_passwd(portslave_t)
-init_use_fds(portslave_t)
-init_use_script_ptys(portslave_t)
-init_rw_utmp(portslave_t)
-
-libs_use_ld_so(portslave_t)
-libs_use_shared_libs(portslave_t)
-
-logging_send_syslog_msg(portslave_t)
-logging_search_logs(portslave_t)
-
-sysnet_read_config(portslave_t)
-
-userdom_use_unpriv_users_fds(portslave_t)
-# for ~/.ppprc - if it actually exists then you need some policy to read it
-userdom_search_all_users_home_dirs(portslave_t)
-
-mta_send_mail(portslave_t)
-
-# this should probably be a domtrans to pppd
-# instead of exec.
-ppp_read_rw_config(portslave_t)
-ppp_exec(portslave_t)
-ppp_read_secrets(portslave_t)
-ppp_manage_pid_files(portslave_t)
-ppp_pid_filetrans(portslave_t)
-
-ssh_exec(portslave_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(portslave_t)
-	term_dontaudit_use_generic_ptys(portslave_t)
-	files_dontaudit_read_root_files(portslave_t)
-')
-
-optional_policy(`
-	inetd_tcp_service_domain(portslave_t,portslave_exec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(portslave_t)
-')
-
-optional_policy(`
-	radius_use(portslave_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(portslave_t)
-')
-
-optional_policy(`
-	udev_read_db(portslave_t)
-')
diff --git a/refpolicy/policy/modules/services/postfix.fc b/refpolicy/policy/modules/services/postfix.fc
deleted file mode 100644
index 696b5c5..0000000
--- a/refpolicy/policy/modules/services/postfix.fc
+++ /dev/null
@@ -1,48 +0,0 @@
-# postfix
-/etc/postfix(/.*)?		gen_context(system_u:object_r:postfix_etc_t,s0)
-ifdef(`distro_redhat', `
-/usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/libexec/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/libexec/postfix/local --	gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/libexec/postfix/master --	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/libexec/postfix/pickup --	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/libexec/postfix/showq --	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/libexec/postfix/smtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/scache --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/smtpd --	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/libexec/postfix/bounce --	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-', `
-/usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr --	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-')
-/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
-/usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postcat	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
-/usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postlock	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postlog	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postmap	--	gen_context(system_u:object_r:postfix_map_exec_t,s0)
-/usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
-/usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/var/spool/postfix(/.*)?		gen_context(system_u:object_r:postfix_spool_t,s0)
-/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
-/var/spool/postfix/flush(/.*)?	gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
deleted file mode 100644
index b6c9bb1..0000000
--- a/refpolicy/policy/modules/services/postfix.if
+++ /dev/null
@@ -1,484 +0,0 @@
-## <summary>Postfix email server</summary>
-
-########################################
-## <summary>
-##	Postfix stub interface.  No access allowed.
-## </summary>
-## <param name="domain" optional="true">
-##	<summary>
-##	N/A
-##	</summary>
-## </param>
-#
-interface(`postfix_stub',`
-	gen_require(`
-		type postfix_master_t;
-	')
-')
-
-########################################
-## <summary>
-##	Creates types and rules for a basic
-##	postfix process domain.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	Prefix for the domain.
-##	</summary>
-## </param>
-#
-template(`postfix_domain_template',`
-	type postfix_$1_t;
-	type postfix_$1_exec_t;
-	domain_type(postfix_$1_t)
-	domain_entry_file(postfix_$1_t,postfix_$1_exec_t)
-	role system_r types postfix_$1_t;
-
-	dontaudit postfix_$1_t self:capability sys_tty_config;
-	allow postfix_$1_t self:process { signal_perms setpgid };
-	allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
-	allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
-	allow postfix_$1_t self:unix_stream_socket connectto;
-
-	allow postfix_master_t postfix_$1_t:process signal;
-
-	allow postfix_$1_t postfix_etc_t:dir r_dir_perms;
-	allow postfix_$1_t postfix_etc_t:file r_file_perms;
-
-	can_exec(postfix_$1_t, postfix_$1_exec_t)
-
-	allow postfix_$1_t postfix_exec_t:file rx_file_perms;
-	# cjp: ???
-	allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
-
-	allow postfix_$1_t postfix_master_t:process sigchld;
-
-	allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
-
-	allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
-	files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file)
-
-	kernel_read_system_state(postfix_$1_t)
-	kernel_read_network_state(postfix_$1_t)
-	kernel_read_all_sysctls(postfix_$1_t)
-
-	dev_read_sysfs(postfix_$1_t)
-	dev_read_rand(postfix_$1_t)
-	dev_read_urand(postfix_$1_t)
-
-	fs_search_auto_mountpoints(postfix_$1_t)
-	fs_getattr_xattr_fs(postfix_$1_t)
-
-	term_dontaudit_use_console(postfix_$1_t)
-
-	corecmd_list_bin(postfix_$1_t)
-	corecmd_list_sbin(postfix_$1_t)
-	corecmd_read_bin_symlinks(postfix_$1_t)
-	corecmd_read_sbin_symlinks(postfix_$1_t)
-	corecmd_exec_shell(postfix_$1_t)
-
-	files_read_etc_files(postfix_$1_t)
-	files_read_etc_runtime_files(postfix_$1_t)
-	files_read_usr_symlinks(postfix_$1_t)
-	files_search_spool(postfix_$1_t)
-	files_getattr_tmp_dirs(postfix_$1_t)
-
-	init_use_fds(postfix_$1_t)
-	init_sigchld(postfix_$1_t)
-
-	libs_use_ld_so(postfix_$1_t)
-	libs_use_shared_libs(postfix_$1_t)
-
-	logging_send_syslog_msg(postfix_$1_t)
-
-	miscfiles_read_localization(postfix_$1_t)
-	miscfiles_read_certs(postfix_$1_t)
-
-	userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
-
-	ifdef(`targeted_policy', `
-		term_dontaudit_use_unallocated_ttys(postfix_$1_t)
-		term_dontaudit_use_generic_ptys(postfix_$1_t)
-		files_dontaudit_read_root_files(postfix_$1_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use(postfix_$1_t)
-	')
-
-	optional_policy(`
-		udev_read_db(postfix_$1_t)
-	')
-')
-
-########################################
-## <summary>
-##	Creates a postfix server process domain.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	Prefix of the domain.
-##	</summary>
-## </param>
-#
-template(`postfix_server_domain_template',`
-	postfix_domain_template($1)
-
-	allow postfix_$1_t self:capability { setuid setgid dac_override };
-	allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
-	allow postfix_$1_t self:tcp_socket create_socket_perms;
-	allow postfix_$1_t self:udp_socket create_socket_perms;
-
-	domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
-	allow postfix_master_t postfix_$1_t:fd use;
-	allow postfix_$1_t postfix_master_t:fd use;
-	allow postfix_$1_t postfix_master_t:fifo_file rw_file_perms;
-	allow postfix_$1_t postfix_master_t:process sigchld;
-
-	corenet_non_ipsec_sendrecv(postfix_$1_t)
-	corenet_tcp_sendrecv_all_if(postfix_$1_t)
-	corenet_udp_sendrecv_all_if(postfix_$1_t)
-	corenet_tcp_sendrecv_all_nodes(postfix_$1_t)
-	corenet_udp_sendrecv_all_nodes(postfix_$1_t)
-	corenet_tcp_sendrecv_all_ports(postfix_$1_t)
-	corenet_udp_sendrecv_all_ports(postfix_$1_t)
-	corenet_tcp_bind_all_nodes(postfix_$1_t)
-	corenet_udp_bind_all_nodes(postfix_$1_t)
-	corenet_tcp_connect_all_ports(postfix_$1_t)
-	corenet_sendrecv_all_client_packets(postfix_$1_t)
-
-	sysnet_read_config(postfix_$1_t)
-
-	optional_policy(`
-		nis_use_ypbind(postfix_$1_t)
-	')
-')
-
-########################################
-## <summary>
-##	Creates a process domain for programs
-##	that are ran by users.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	Prefix of the domain.
-##	</summary>
-## </param>
-#
-template(`postfix_user_domain_template',`
-	gen_require(`
-		attribute postfix_user_domains, postfix_user_domtrans;
-	')
-
-	postfix_domain_template($1)
-
-	typeattribute postfix_$1_t postfix_user_domains;
-
-	allow postfix_$1_t self:capability dac_override;
-
-	domain_auto_trans(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
-	allow postfix_user_domtrans postfix_$1_t:fd use;
-	allow postfix_$1_t postfix_user_domtrans:fd use;
-	allow postfix_$1_t postfix_user_domtrans:fifo_file rw_file_perms;
-	allow postfix_$1_t postfix_user_domtrans:process sigchld;
-
-	domain_use_interactive_fds(postfix_$1_t)
-')
-
-########################################
-## <summary>
-##	The per-userdomain template for the postfix module.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the user domain.
-##	(e.g., user is the prefix of user_t)
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	User domain type.
-##	</summary>
-## </param>
-#
-template(`postfix_per_userdomain_template',`
-	gen_require(`
-		attribute postfix_user_domains;
-		type postfix_postdrop_t;
-	')
-
-	role $3 types postfix_postdrop_t;
-
-	allow postfix_user_domains $2:process sigchld;
-	allow postfix_user_domains $2:fifo_file { write getattr };
-	allow postfix_user_domains $2:fd use;
-')
-
-########################################
-## <summary>
-##	Read postfix configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postfix_read_config',`
-	gen_require(`
-		type postfix_etc_t;
-	')
-
-	allow $1 postfix_etc_t:dir { getattr read search };
-	allow $1 postfix_etc_t:file { read getattr };
-	allow $1 postfix_etc_t:lnk_file { getattr read };
-	files_search_etc($1)
-')
-
-########################################
-## <summary>
-##	Create files with the specified type in
-##	the postfix configuration directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`postfix_config_filetrans',`
-	gen_require(`
-		type postfix_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 postfix_etc_t:dir rw_dir_perms;
-	type_transition $1 postfix_etc_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and
-##	write postfix local delivery
-##	TCP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`postfix_dontaudit_rw_local_tcp_sockets',`
-	gen_require(`
-		type postfix_local_t;
-	')
-
-	dontaudit $1 postfix_local_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to use
-##	postfix master process file
-##	file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`postfix_dontaudit_use_fds',`
-	gen_require(`
-		type postfix_master_t;
-	')
-
-	dontaudit $1 postfix_master_t:fd use;
-')
-
-########################################
-## <summary>
-##	Execute postfix_map in the postfix_map domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postfix_domtrans_map',`
-	gen_require(`
-		type postfix_map_t, postfix_map_exec_t;
-	')
-
-	domain_auto_trans($1,postfix_map_exec_t,postfix_map_t)
-
-	allow $1 postfix_map_t:fd use;
-	allow postfix_map_t $1:fd use;
-	allow postfix_map_t $1:fifo_file rw_file_perms;
-	allow postfix_map_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute postfix_map in the postfix_map domain, and
-##	allow the specified role the postfix_map domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the postfix_map domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the postfix_map domain to use.
-##	</summary>
-## </param>
-#
-interface(`postfix_run_map',`
-	gen_require(`
-		type postfix_map_t;
-	')
-
-	postfix_domtrans_map($1)
-	role $2 types postfix_map_t;
-	allow postfix_map_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute the master postfix program in the
-##	postfix_master domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postfix_domtrans_master',`
-	gen_require(`
-		type postfix_master_t, postfix_master_exec_t;
-	')
-
-	domain_auto_trans($1,postfix_master_exec_t,postfix_master_t)
-
-	allow $1 postfix_master_t:fd use;
-	allow postfix_master_t $1:fd use;
-	allow postfix_master_t $1:fifo_file rw_file_perms;
-	allow postfix_master_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute the master postfix program in the
-##	caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postfix_exec_master',`
-	gen_require(`
-		type postfix_master_exec_t;
-	')
-
-	can_exec($1,postfix_master_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute the master postfix program in the
-##	postfix_master domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postfix_domtrans_smtp',`
-	gen_require(`
-		type postfix_smtp_t, postfix_smtp_exec_t;
-	')
-
-	domain_auto_trans($1,postfix_smtp_exec_t,postfix_smtp_t)
-
-	allow postfix_smtp_t $1:fd use;
-	allow postfix_smtp_t $1:fifo_file rw_file_perms;
-	allow postfix_smtp_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Search postfix mail spool directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postfix_search_spool',`
-	gen_require(`
-		type postfix_spool_t;
-	')
-
-	allow $1 postfix_spool_t:dir search_dir_perms;
-	files_search_spool($1)
-')
-
-########################################
-## <summary>
-##	List postfix mail spool directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postfix_list_spool',`
-	gen_require(`
-		type postfix_spool_t;
-	')
-
-	allow $1 postfix_spool_t:dir list_dir_perms;
-	files_search_spool($1)
-')
-
-########################################
-## <summary>
-##	Execute postfix user mail programs
-##	in their respective domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postfix_domtrans_user_mail_handler',`
-	gen_require(`
-		attribute postfix_user_domtrans;
-	')
-
-	typeattribute $1 postfix_user_domtrans;
-')
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
deleted file mode 100644
index 8a1dd9f..0000000
--- a/refpolicy/policy/modules/services/postfix.te
+++ /dev/null
@@ -1,595 +0,0 @@
-
-policy_module(postfix,1.2.9)
-
-########################################
-#
-# Declarations
-#
-
-attribute postfix_user_domains;
-# domains that transition to the
-# postfix user domains
-attribute postfix_user_domtrans;
-
-postfix_server_domain_template(bounce)
-
-type postfix_spool_bounce_t;
-files_type(postfix_spool_bounce_t)
-
-postfix_server_domain_template(cleanup)
-
-type postfix_etc_t;
-files_type(postfix_etc_t)
-
-type postfix_exec_t;
-corecmd_executable_file(postfix_exec_t)
-
-postfix_server_domain_template(local)
-mta_mailserver_delivery(postfix_local_t)
-
-type postfix_local_tmp_t;
-files_tmp_file(postfix_local_tmp_t)
-
-# Program for creating database files
-type postfix_map_t;
-type postfix_map_exec_t;
-domain_type(postfix_map_t)
-domain_entry_file(postfix_map_t,postfix_map_exec_t)
-
-type postfix_map_tmp_t;
-files_tmp_file(postfix_map_tmp_t)
-
-postfix_domain_template(master)
-typealias postfix_master_t alias postfix_t;
-# alias is a hack to make the disable trans bool
-# generation macro work
-mta_mailserver(postfix_t,postfix_master_exec_t)
-
-postfix_server_domain_template(pickup)
-
-postfix_server_domain_template(pipe)
-
-postfix_user_domain_template(postdrop)
-mta_mailserver_user_agent(postfix_postdrop_t)
-
-postfix_user_domain_template(postqueue)
-
-type postfix_private_t;
-files_type(postfix_private_t)
-
-type postfix_prng_t;
-files_type(postfix_prng_t)
-
-postfix_server_domain_template(qmgr)
-
-postfix_user_domain_template(showq)
-
-postfix_server_domain_template(smtp)
-mta_mailserver_sender(postfix_smtp_t)
-
-postfix_server_domain_template(smtpd)
-
-type postfix_spool_t;
-files_type(postfix_spool_t)
-
-type postfix_spool_maildrop_t;
-files_type(postfix_spool_maildrop_t)
-
-type postfix_spool_flush_t;
-files_type(postfix_spool_flush_t)
-
-type postfix_public_t;
-files_type(postfix_public_t)
-
-type postfix_var_run_t;
-files_pid_file(postfix_var_run_t)
-
-########################################
-#
-# Postfix master process local policy
-#
-
-# chown is to set the correct ownership of queue dirs
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
-allow postfix_master_t self:fifo_file rw_file_perms;
-allow postfix_master_t self:tcp_socket create_stream_socket_perms;
-allow postfix_master_t self:udp_socket create_socket_perms;
-
-allow postfix_master_t postfix_etc_t:file rw_file_perms;
-
-can_exec(postfix_master_t,postfix_exec_t)
-
-allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
-
-allow postfix_master_t postfix_postdrop_exec_t:file getattr;
-
-allow postfix_master_t postfix_postqueue_exec_t:file getattr;
-
-allow postfix_master_t postfix_private_t:dir rw_dir_perms;
-allow postfix_master_t postfix_private_t:sock_file create_file_perms;
-allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
-
-allow postfix_master_t postfix_prng_t:file rw_file_perms;
-
-allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
-allow postfix_master_t postfix_public_t:sock_file create_file_perms;
-allow postfix_master_t postfix_public_t:dir rw_dir_perms;
-
-# allow access to deferred queue and allow removing bogus incoming entries
-allow postfix_master_t postfix_spool_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_t:file create_file_perms;
-
-allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
-allow postfix_master_t postfix_spool_bounce_t:file getattr;
-
-allow postfix_master_t postfix_spool_flush_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_flush_t:file create_file_perms;
-allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms;
-
-allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
-
-kernel_read_all_sysctls(postfix_master_t)
-
-corenet_non_ipsec_sendrecv(postfix_master_t)
-corenet_tcp_sendrecv_all_if(postfix_master_t)
-corenet_udp_sendrecv_all_if(postfix_master_t)
-corenet_tcp_sendrecv_all_nodes(postfix_master_t)
-corenet_udp_sendrecv_all_nodes(postfix_master_t)
-corenet_tcp_sendrecv_all_ports(postfix_master_t)
-corenet_udp_sendrecv_all_ports(postfix_master_t)
-corenet_tcp_bind_all_nodes(postfix_master_t)
-corenet_tcp_bind_amavisd_send_port(postfix_master_t)
-corenet_tcp_bind_smtp_port(postfix_master_t)
-corenet_tcp_connect_all_ports(postfix_master_t)
-corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
-corenet_sendrecv_smtp_server_packets(postfix_master_t)
-corenet_sendrecv_all_client_packets(postfix_master_t)
-
-# for a find command
-selinux_dontaudit_search_fs(postfix_master_t)
-
-corecmd_exec_ls(postfix_master_t)
-corecmd_exec_sbin(postfix_master_t)
-corecmd_exec_shell(postfix_master_t)
-corecmd_exec_bin(postfix_master_t)
-
-domain_use_interactive_fds(postfix_master_t)
-
-files_read_usr_files(postfix_master_t)
-
-init_use_script_ptys(postfix_master_t)
-
-miscfiles_dontaudit_search_man_pages(postfix_master_t)
-
-seutil_sigchld_newrole(postfix_master_t)
-# postfix does a "find" on startup for some reason - keep it quiet
-seutil_dontaudit_search_config(postfix_master_t)
-
-sysnet_read_config(postfix_master_t)
-
-mta_rw_aliases(postfix_master_t)
-mta_read_sendmail_bin(postfix_master_t)
-
-optional_policy(`
-	cyrus_stream_connect(postfix_master_t)
-')
-
-optional_policy(`
-#	for postalias
-	mailman_manage_data_files(postfix_master_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(postfix_master_t)
-')
-
-###########################################################
-#
-# Partially converted rules.  THESE ARE ONLY TEMPORARY
-#
-
-ifdef(`distro_redhat',`
-	# for newer main.cf that uses /etc/aliases
-	allow postfix_master_t etc_t:dir rw_dir_perms;
-	allow postfix_master_t etc_aliases_t:dir create_dir_perms;
-	allow postfix_master_t etc_aliases_t:file create_file_perms;
-	allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
-	allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
-	allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
-	type_transition postfix_master_t etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
-
-	allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
-	allow postfix_master_t etc_aliases_t:dir create_dir_perms;
-	allow postfix_master_t etc_aliases_t:file create_file_perms;
-	allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
-	allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
-	allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
-	type_transition postfix_master_t postfix_etc_t:{ dir file lnk_file sock_file fifo_file } etc_aliases_t;
-')
-
-# end partially converted rules
-
-########################################
-#
-# Postfix bounce local policy
-#
-
-allow postfix_bounce_t self:capability dac_read_search;
-allow postfix_bounce_t self:tcp_socket create_socket_perms;
-
-allow postfix_bounce_t postfix_public_t:sock_file write;
-allow postfix_bounce_t postfix_public_t:dir search;
-
-allow postfix_bounce_t postfix_spool_t:dir create_dir_perms;
-allow postfix_bounce_t postfix_spool_t:file create_file_perms;
-allow postfix_bounce_t postfix_spool_t:lnk_file create_lnk_perms;
-
-allow postfix_bounce_t postfix_spool_bounce_t:dir create_dir_perms;
-allow postfix_bounce_t postfix_spool_bounce_t:file create_file_perms;
-allow postfix_bounce_t postfix_spool_bounce_t:lnk_file create_lnk_perms;
-
-########################################
-#
-# Postfix cleanup local policy
-#
-
-allow postfix_cleanup_t self:process setrlimit;
-
-# connect to master process
-allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_cleanup_t postfix_private_t:dir search;
-allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
-
-allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
-allow postfix_cleanup_t postfix_public_t:dir search;
-
-allow postfix_cleanup_t postfix_spool_t:dir create_dir_perms;
-allow postfix_cleanup_t postfix_spool_t:file create_file_perms;
-allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms;
-
-allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
-
-########################################
-#
-# Postfix local local policy
-#
-
-allow postfix_local_t self:fifo_file rw_file_perms;
-allow postfix_local_t self:process { setsched setrlimit };
-
-allow postfix_local_t postfix_local_tmp_t:dir create_dir_perms;
-allow postfix_local_t postfix_local_tmp_t:file create_file_perms;
-files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
-
-# connect to master process
-allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_local_t postfix_public_t:dir search;
-allow postfix_local_t postfix_public_t:sock_file write;
-
-# for .forward - maybe we need a new type for it?
-allow postfix_local_t postfix_private_t:dir search;
-allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
-
-allow postfix_local_t postfix_spool_t:file rw_file_perms;
-
-corecmd_exec_shell(postfix_local_t)
-corecmd_exec_bin(postfix_local_t)
-
-files_read_etc_files(postfix_local_t)
-
-mta_read_aliases(postfix_local_t)
-mta_delete_spool(postfix_local_t)
-# For reading spamassasin
-mta_read_config(postfix_local_t)
-
-optional_policy(`
-#	for postalias
-	mailman_manage_data_files(postfix_local_t)
-')
-
-optional_policy(`
-	procmail_domtrans(postfix_local_t)
-')
-
-########################################
-#
-# Postfix map local policy
-#
-
-allow postfix_map_t self:capability setgid;
-allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
-allow postfix_map_t self:unix_dgram_socket create_socket_perms;
-allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-allow postfix_map_t self:udp_socket create_socket_perms;
-
-allow postfix_map_t postfix_etc_t:dir create_dir_perms;
-allow postfix_map_t postfix_etc_t:file create_file_perms;
-allow postfix_map_t postfix_etc_t:lnk_file create_lnk_perms;
-
-allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms;
-allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
-files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(postfix_map_t)
-kernel_dontaudit_list_proc(postfix_map_t)
-kernel_dontaudit_read_system_state(postfix_map_t)
-
-corenet_non_ipsec_sendrecv(postfix_map_t)
-corenet_tcp_sendrecv_all_if(postfix_map_t)
-corenet_udp_sendrecv_all_if(postfix_map_t)
-corenet_tcp_sendrecv_all_nodes(postfix_map_t)
-corenet_udp_sendrecv_all_nodes(postfix_map_t)
-corenet_tcp_sendrecv_all_ports(postfix_map_t)
-corenet_udp_sendrecv_all_ports(postfix_map_t)
-corenet_tcp_connect_all_ports(postfix_map_t)
-corenet_sendrecv_all_client_packets(postfix_map_t)
-
-corecmd_list_bin(postfix_map_t)
-corecmd_read_bin_symlinks(postfix_map_t)
-corecmd_read_bin_files(postfix_map_t)
-corecmd_read_bin_pipes(postfix_map_t)
-corecmd_read_bin_sockets(postfix_map_t)
-corecmd_list_sbin(postfix_map_t)
-corecmd_read_sbin_symlinks(postfix_map_t)
-corecmd_read_sbin_files(postfix_map_t)
-corecmd_read_sbin_pipes(postfix_map_t)
-corecmd_read_sbin_sockets(postfix_map_t)
-
-files_list_home(postfix_map_t)
-files_read_usr_files(postfix_map_t)
-files_read_etc_files(postfix_map_t)
-files_read_etc_runtime_files(postfix_map_t)
-files_dontaudit_search_var(postfix_map_t)
-
-libs_use_ld_so(postfix_map_t)
-libs_use_shared_libs(postfix_map_t)
-
-logging_send_syslog_msg(postfix_map_t)
-
-miscfiles_read_localization(postfix_map_t)
-
-seutil_read_config(postfix_map_t)
-
-sysnet_read_config(postfix_map_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_generic_ptys(postfix_map_t)
-')
-
-tunable_policy(`read_default_t',`
-	files_list_default(postfix_map_t)
-	files_read_default_files(postfix_map_t)
-	files_read_default_symlinks(postfix_map_t)
-	files_read_default_sockets(postfix_map_t)
-	files_read_default_pipes(postfix_map_t)
-')
-
-optional_policy(`
-	locallogin_dontaudit_use_fds(postfix_map_t)
-')
-
-# a "run" interface needs to be
-# added, and have sysadm_t use it
-# in a optional_policy block.
-
-########################################
-#
-# Postfix pickup local policy
-#
-
-allow postfix_pickup_t self:tcp_socket create_socket_perms;
-
-allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
-
-allow postfix_pickup_t postfix_private_t:dir search;
-allow postfix_pickup_t postfix_private_t:sock_file write;
-
-allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_pickup_t postfix_public_t:dir search;
-
-postfix_list_spool(postfix_pickup_t)
-allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
-
-########################################
-#
-# Postfix pipe local policy
-#
-
-allow postfix_pipe_t self:fifo_file { read write };
-
-allow postfix_pipe_t postfix_private_t:dir search;
-allow postfix_pipe_t postfix_private_t:sock_file write;
-
-allow postfix_pipe_t postfix_public_t:fifo_file { getattr write };
-allow postfix_pipe_t postfix_public_t:dir search;
-
-allow postfix_pipe_t postfix_spool_t:dir search;
-allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
-
-optional_policy(`
-	procmail_domtrans(postfix_pipe_t)
-')
-
-optional_policy(`
-	mailman_domtrans_queue(postfix_pipe_t)
-')
-
-########################################
-#
-# Postfix postdrop local policy
-#
-
-# usually it does not need a UDP socket
-allow postfix_postdrop_t self:capability sys_resource;
-allow postfix_postdrop_t self:tcp_socket create;
-allow postfix_postdrop_t self:udp_socket create_socket_perms;
-
-allow postfix_postdrop_t postfix_public_t:dir search;
-allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
-
-postfix_list_spool(postfix_postdrop_t)
-allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
-
-corenet_udp_sendrecv_all_if(postfix_postdrop_t)
-corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)
-
-term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
-term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
-
-sysnet_dns_name_resolve(postfix_postdrop_t)
-
-mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
-
-ifdef(`targeted_policy', `
-	term_use_unallocated_ttys(postfix_postdrop_t)
-	term_use_generic_ptys(postfix_postdrop_t)
-')
-
-optional_policy(`
-	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
-')
-
-optional_policy(`
-	ppp_use_fds(postfix_postqueue_t)
-	ppp_sigchld(postfix_postqueue_t)
-')
-
-#######################################
-#
-# Postfix postqueue local policy
-#
-
-allow postfix_postqueue_t self:tcp_socket create;
-allow postfix_postqueue_t self:udp_socket { create ioctl };
-
-# wants to write to /var/spool/postfix/public/showq
-allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
-
-allow postfix_postqueue_t postfix_public_t:dir search;
-# write to /var/spool/postfix/public/qmgr
-allow postfix_postqueue_t postfix_public_t:fifo_file { getattr write };
-
-domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-allow postfix_master_t postfix_postqueue_t:fd use;
-allow postfix_postqueue_t postfix_master_t:fd use;
-allow postfix_postqueue_t postfix_master_t:fifo_file rw_file_perms;
-allow postfix_postqueue_t postfix_master_t:process sigchld;
-
-domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-allow postfix_postqueue_t postfix_showq_t:fd use;
-allow postfix_showq_t postfix_postqueue_t:fd use;
-allow postfix_showq_t postfix_postqueue_t:fifo_file rw_file_perms;
-allow postfix_showq_t postfix_postqueue_t:process sigchld;
-
-# to write the mailq output, it really should not need read access!
-term_use_all_user_ptys(postfix_postqueue_t)
-term_use_all_user_ttys(postfix_postqueue_t)
-
-init_sigchld_script(postfix_postqueue_t)
-init_use_script_fds(postfix_postqueue_t)
-
-sysnet_dontaudit_read_config(postfix_postqueue_t)
-
-########################################
-#
-# Postfix qmgr local policy
-#
-
-allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
-
-allow postfix_qmgr_t postfix_private_t:dir search;
-allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
-
-allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_qmgr_t postfix_public_t:sock_file write;
-allow postfix_qmgr_t postfix_public_t:dir search;
-
-# for /var/spool/postfix/active
-allow postfix_qmgr_t postfix_spool_t:dir create_dir_perms;
-allow postfix_qmgr_t postfix_spool_t:file create_file_perms;
-allow postfix_qmgr_t postfix_spool_t:lnk_file create_lnk_perms;
-
-allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
-allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
-
-########################################
-#
-# Postfix showq local policy
-#
-
-allow postfix_showq_t self:capability { setuid setgid };
-allow postfix_showq_t self:tcp_socket create_socket_perms;
-
-# the following auto_trans is usually in postfix server domain
-domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-allow postfix_master_t postfix_showq_t:fd use;
-allow postfix_showq_t postfix_master_t:fd use;
-allow postfix_showq_t postfix_master_t:fifo_file rw_file_perms;
-allow postfix_showq_t postfix_master_t:process sigchld;
-
-allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
-
-allow postfix_showq_t postfix_spool_t:file r_file_perms;
-
-postfix_list_spool(postfix_showq_t)
-
-allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
-allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
-allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
-
-# to write the mailq output, it really should not need read access!
-term_use_all_user_ptys(postfix_showq_t)
-term_use_all_user_ttys(postfix_showq_t)
-
-sysnet_dns_name_resolve(postfix_showq_t)
-
-########################################
-#
-# Postfix smtp delivery local policy
-#
-
-# connect to master process
-allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
-
-allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
-
-kernel_tcp_recvfrom(postfix_smtp_t)
-
-# if you have two different mail servers on the same host let them talk via
-# SMTP, also if one mail server wants to talk to itself then allow it and let
-# the SMTP protocol sort it out (SE Linux is not to prevent mail server
-# misconfiguration)
-mta_tcp_connect_all_mailservers(postfix_smtp_t)
-
-########################################
-#
-# Postfix smtpd local policy
-#
-allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
-
-# connect to master process
-allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
-
-# for prng_exch
-allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
-allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
-
-# for OpenSSL certificates
-files_read_usr_files(postfix_smtpd_t)
-mta_read_aliases(postfix_smtpd_t)
-
-optional_policy(`
-	sasl_connect(postfix_smtpd_t)
-')
diff --git a/refpolicy/policy/modules/services/postgresql.fc b/refpolicy/policy/modules/services/postgresql.fc
deleted file mode 100644
index a77d9eb..0000000
--- a/refpolicy/policy/modules/services/postgresql.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# /etc
-#
-/etc/postgresql(/.*)?			gen_context(system_u:object_r:postgresql_etc_t,s0)
-
-#
-# /usr
-#
-/usr/bin/initdb			--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-
-/usr/lib/pgsql/test/regres(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
-/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-
-/usr/lib(64)?/postgresql/bin/.* --	gen_context(system_u:object_r:postgresql_exec_t,s0)
-
-ifdef(`distro_debian', `
-/usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-')
-
-ifdef(`distro_redhat', `
-/usr/share/jonas/pgsql(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
-')
-
-#
-# /var
-#
-/var/lib/postgres(ql)?(/.*)? 		gen_context(system_u:object_r:postgresql_db_t,s0)
-
-/var/lib/pgsql/data(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
-/var/lib/pgsql/pgstartup.log		gen_context(system_u:object_r:postgresql_log_t,s0)
-
-/var/log/postgres\.log.* 	--	gen_context(system_u:object_r:postgresql_log_t,s0)
-/var/log/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
-
-ifdef(`distro_redhat', `
-/var/log/rhdb/rhdb(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
-')
-
-/var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/postgresql.if b/refpolicy/policy/modules/services/postgresql.if
deleted file mode 100644
index 818ba7c..0000000
--- a/refpolicy/policy/modules/services/postgresql.if
+++ /dev/null
@@ -1,124 +0,0 @@
-## <summary>PostgreSQL relational database</summary>
-
-########################################
-## <summary>
-##	Allow the specified domain to search postgresql's database directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postgresql_search_db',`
-	gen_require(`
-		type postgresql_db_t;
-	')
-
-	allow $1 postgresql_db_t:dir search;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to manage postgresql's database.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-interface(`postgresql_manage_db',`
-	gen_require(`
-		type postgresql_db_t;
-	')
-
-	allow $1 postgresql_db_t:dir rw_dir_perms;
-	allow $1 postgresql_db_t:file rw_file_perms;
-	allow $1 postgresql_db_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Execute postgresql in the postgresql domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`postgresql_domtrans',`
-	gen_require(`
-		type postgresql_t, postgresql_exec_t;
-	')
-
-	domain_auto_trans($1,postgresql_exec_t,postgresql_t)
-
-	allow $1 postgresql_t:fd use;
-	allow postgresql_t $1:fd use;
-	allow postgresql_t $1:fifo_file rw_file_perms;
-	allow postgresql_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read postgresql's etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postgresql_read_config',`
-	gen_require(`
-		type postgresql_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 postgresql_etc_t:dir { getattr read search };
-	allow $1 postgresql_etc_t:file { read getattr };
-	allow $1 postgresql_etc_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to connect to postgresql with a tcp socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postgresql_tcp_connect',`
-	gen_require(`
-		type postgresql_t;
-	')
-
-	kernel_tcp_recvfrom($1)
-	allow $1 postgresql_t:tcp_socket { connectto recvfrom };
-	allow postgresql_t $1:tcp_socket { acceptfrom recvfrom };
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to connect to postgresql with a unix socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`postgresql_stream_connect',`
-	gen_require(`
-		type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
-	')
-
-	files_search_pids($1)
-	allow $1 postgresql_t:unix_stream_socket connectto;
-	allow $1 postgresql_var_run_t:sock_file write;
-        # Some versions of postgresql put the sock file in /tmp
-	allow $1 postgresql_tmp_t:sock_file write;
-')
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
deleted file mode 100644
index 452f96c..0000000
--- a/refpolicy/policy/modules/services/postgresql.te
+++ /dev/null
@@ -1,209 +0,0 @@
-
-policy_module(postgresql,1.1.2)
-
-#################################
-#
-# Declarations
-#
-type postgresql_t;
-type postgresql_exec_t;
-init_daemon_domain(postgresql_t,postgresql_exec_t)
-
-type postgresql_db_t;
-files_type(postgresql_db_t)
-
-type postgresql_etc_t;
-files_config_file(postgresql_etc_t)
-
-type postgresql_lock_t;
-files_lock_file(postgresql_lock_t)
-
-type postgresql_log_t;
-logging_log_file(postgresql_log_t)
-
-type postgresql_tmp_t;
-files_tmp_file(postgresql_tmp_t)
-
-type postgresql_var_run_t;
-files_pid_file(postgresql_var_run_t)
-
-########################################
-#
-# postgresql Local policy
-#
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
-dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
-allow postgresql_t self:process signal_perms;
-allow postgresql_t self:fifo_file { getattr read write ioctl };
-allow postgresql_t self:file { getattr read };
-allow postgresql_t self:sem create_sem_perms;
-allow postgresql_t self:shm create_shm_perms;
-allow postgresql_t self:tcp_socket create_stream_socket_perms;
-allow postgresql_t self:udp_socket create_stream_socket_perms;
-allow postgresql_t self:unix_dgram_socket create_socket_perms;
-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
-allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow postgresql_t postgresql_db_t:dir create_dir_perms;
-allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
-allow postgresql_t postgresql_db_t:file create_file_perms;
-allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
-allow postgresql_t postgresql_db_t:sock_file create_file_perms;
-files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
-
-allow postgresql_t postgresql_etc_t:dir r_dir_perms;
-allow postgresql_t postgresql_etc_t:file r_file_perms;
-allow postgresql_t postgresql_etc_t:lnk_file { getattr read };
-
-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
-can_exec(postgresql_t, postgresql_exec_t )
-
-allow postgresql_t postgresql_lock_t:file create_file_perms;
-files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
-
-allow postgresql_t postgresql_log_t:dir rw_dir_perms;
-allow postgresql_t postgresql_log_t:file create_file_perms;
-logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir })
-
-allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
-allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
-allow postgresql_t postgresql_tmp_t:file create_file_perms;
-allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
-allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
-files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
-
-allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
-allow postgresql_t postgresql_var_run_t:file create_file_perms;
-allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
-
-kernel_read_kernel_sysctls(postgresql_t)
-kernel_read_system_state(postgresql_t)
-kernel_list_proc(postgresql_t)
-kernel_read_all_sysctls(postgresql_t)
-kernel_read_proc_symlinks(postgresql_t)
-kernel_tcp_recvfrom(postgresql_t)
-
-corenet_non_ipsec_sendrecv(postgresql_t)
-corenet_tcp_sendrecv_all_if(postgresql_t)
-corenet_udp_sendrecv_all_if(postgresql_t)
-corenet_tcp_sendrecv_all_nodes(postgresql_t)
-corenet_udp_sendrecv_all_nodes(postgresql_t)
-corenet_tcp_sendrecv_all_ports(postgresql_t)
-corenet_udp_sendrecv_all_ports(postgresql_t)
-corenet_tcp_bind_all_nodes(postgresql_t)
-corenet_tcp_bind_postgresql_port(postgresql_t)
-corenet_tcp_connect_auth_port(postgresql_t)
-corenet_sendrecv_postgresql_server_packets(postgresql_t)
-corenet_sendrecv_auth_client_packets(postgresql_t)
-
-dev_read_sysfs(postgresql_t)
-dev_read_urand(postgresql_t)
-
-fs_getattr_all_fs(postgresql_t)
-fs_search_auto_mountpoints(postgresql_t)
-
-term_use_controlling_term(postgresql_t)
-term_dontaudit_use_console(postgresql_t)
-
-corecmd_exec_bin(postgresql_t)
-corecmd_exec_ls(postgresql_t)
-corecmd_exec_sbin(postgresql_t)
-corecmd_exec_shell(postgresql_t)
-
-domain_dontaudit_list_all_domains_state(postgresql_t)
-domain_use_interactive_fds(postgresql_t)
-
-files_dontaudit_search_home(postgresql_t)
-files_manage_etc_files(postgresql_t)
-files_search_etc(postgresql_t)
-files_read_etc_runtime_files(postgresql_t)
-files_read_usr_files(postgresql_t)
-
-init_read_utmp(postgresql_t)
-init_use_fds(postgresql_t)
-init_use_script_ptys(postgresql_t)
-
-libs_use_ld_so(postgresql_t)
-libs_use_shared_libs(postgresql_t)
-
-logging_send_syslog_msg(postgresql_t)
-
-miscfiles_read_localization(postgresql_t)
-
-seutil_dontaudit_search_config(postgresql_t)
-
-sysnet_read_config(postgresql_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
-userdom_dontaudit_use_sysadm_ttys(postgresql_t)
-userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
-
-mta_getattr_spool(postgresql_t)
-
-ifdef(`targeted_policy', `
-	files_dontaudit_read_root_files(postgresql_t)
-	term_dontaudit_use_generic_ptys(postgresql_t)
-	term_dontaudit_use_unallocated_ttys(postgresql_t)
-')
-
-tunable_policy(`allow_execmem',`
-	allow postgresql_t self:process execmem;
-')
-
-optional_policy(`
-	consoletype_exec(postgresql_t)
-')
-
-optional_policy(`
-	cron_search_spool(postgresql_t)
-	cron_system_entry(postgresql_t,postgresql_exec_t)
-')
-
-optional_policy(`
-	hostname_exec(postgresql_t)
-')
-
-optional_policy(`
-	kerberos_use(postgresql_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(postgresql_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(postgresql_t)
-')
-
-optional_policy(`
-	udev_read_db(postgresql_t)
-')
-
-ifdef(`TODO',`
-ifdef(`targeted_policy', `', `
-bool allow_user_postgresql_connect false;
-
-if (allow_user_postgresql_connect) {
-# allow any user domain to connect to the database server
-can_tcp_connect(userdomain, postgresql_t)
-allow userdomain postgresql_t:unix_stream_socket connectto;
-allow userdomain postgresql_var_run_t:sock_file write;
-allow userdomain postgresql_tmp_t:sock_file write;
-}
-')
-ifdef(`distro_debian', `
-	init_exec_script_files(postgresql_t)
-	# gross hack
-	postgresql_domtrans(dpkg_t)
-	can_exec(postgresql_t, dpkg_exec_t)
-')
-
-ifdef(`distro_gentoo', `
-	allow postgresql_t initrc_su_t:process { sigchld };
-	# "su - postgres ..." is called from initrc_t
-	postgresql_search_db(initrc_su_t)
-	dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
-')
-')
diff --git a/refpolicy/policy/modules/services/postgrey.fc b/refpolicy/policy/modules/services/postgrey.fc
deleted file mode 100644
index 74c88dc..0000000
--- a/refpolicy/policy/modules/services/postgrey.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-
-/etc/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_etc_t,s0)
-
-/usr/sbin/postgrey	--	gen_context(system_u:object_r:postgrey_exec_t,s0)
-
-/var/run/postgrey\.pid	--	gen_context(system_u:object_r:postgrey_var_run_t,s0)
-
-/var/lib/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/services/postgrey.if b/refpolicy/policy/modules/services/postgrey.if
deleted file mode 100644
index f5cae30..0000000
--- a/refpolicy/policy/modules/services/postgrey.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Postfix grey-listing server</summary>
diff --git a/refpolicy/policy/modules/services/postgrey.te b/refpolicy/policy/modules/services/postgrey.te
deleted file mode 100644
index b794ca6..0000000
--- a/refpolicy/policy/modules/services/postgrey.te
+++ /dev/null
@@ -1,105 +0,0 @@
-
-policy_module(postgrey,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type postgrey_t;
-type postgrey_exec_t;
-init_daemon_domain(postgrey_t,postgrey_exec_t)
-
-type postgrey_etc_t;
-files_config_file(postgrey_etc_t)
-
-type postgrey_var_lib_t;
-files_type(postgrey_var_lib_t)
-
-type postgrey_var_run_t;
-files_pid_file(postgrey_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow postgrey_t self:capability { chown setgid setuid };
-dontaudit postgrey_t self:capability sys_tty_config;
-allow postgrey_t self:process signal_perms;
-allow postgrey_t self:tcp_socket create_stream_socket_perms;
-
-allow postgrey_t postgrey_etc_t:file r_file_perms;
-allow postgrey_t postgrey_etc_t:dir r_dir_perms;
-allow postgrey_t postgrey_etc_t:lnk_file { getattr read };
-
-allow postgrey_t postgrey_var_lib_t:file create_file_perms;
-allow postgrey_t postgrey_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
-
-allow postgrey_t postgrey_var_run_t:file create_file_perms;
-allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(postgrey_t,postgrey_var_run_t,file)
-
-kernel_read_system_state(postgrey_t)
-kernel_read_kernel_sysctls(postgrey_t)
-
-# for perl
-corecmd_search_bin(postgrey_t)
-corecmd_search_sbin(postgrey_t)
-
-corenet_non_ipsec_sendrecv(postgrey_t)
-corenet_tcp_sendrecv_generic_if(postgrey_t)
-corenet_tcp_sendrecv_all_nodes(postgrey_t)
-corenet_tcp_sendrecv_all_ports(postgrey_t)
-corenet_tcp_bind_all_nodes(postgrey_t)
-corenet_tcp_bind_postgrey_port(postgrey_t)
-corenet_sendrecv_postgrey_server_packets(postgrey_t)
-
-dev_read_urand(postgrey_t)
-dev_read_sysfs(postgrey_t)
-
-domain_use_interactive_fds(postgrey_t)
-
-files_read_etc_files(postgrey_t)
-files_read_etc_runtime_files(postgrey_t)
-files_read_usr_files(postgrey_t)
-files_getattr_tmp_dirs(postgrey_t)
-
-fs_getattr_all_fs(postgrey_t)
-fs_search_auto_mountpoints(postgrey_t)
-
-term_dontaudit_use_console(postgrey_t)
-
-init_use_fds(postgrey_t)
-init_use_script_ptys(postgrey_t)
-
-libs_use_ld_so(postgrey_t)
-libs_use_shared_libs(postgrey_t)
-
-logging_send_syslog_msg(postgrey_t)
-
-miscfiles_read_localization(postgrey_t)
-
-sysnet_read_config(postgrey_t)
-
-userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
-userdom_dontaudit_search_sysadm_home_dirs(postgrey_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(postgrey_t)
-	term_dontaudit_use_generic_ptys(postgrey_t)
-	files_dontaudit_read_root_files(postgrey_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(postgrey_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(postgrey_t)
-')
-
-optional_policy(`
-	udev_read_db(postgrey_t)
-')
diff --git a/refpolicy/policy/modules/services/ppp.fc b/refpolicy/policy/modules/services/ppp.fc
deleted file mode 100644
index 3b2595c..0000000
--- a/refpolicy/policy/modules/services/ppp.fc
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# /etc
-#
-/etc/ppp				-d	gen_context(system_u:object_r:pppd_etc_t,s0)
-/etc/ppp/.*			--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/.*secrets		--	gen_context(system_u:object_r:pppd_secret_t,s0)
-/etc/ppp/resolv\.conf 		--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-
-# Fix /etc/ppp {up,down} family scripts (see man pppd)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_script_exec_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/pppd			--	gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pptp 			--	gen_context(system_u:object_r:pptp_exec_t,s0)
-/usr/sbin/ipppd			--	gen_context(system_u:object_r:pppd_exec_t,s0)
-
-#
-# /var
-#
-/var/run/(i)?ppp.*pid		--	gen_context(system_u:object_r:pppd_var_run_t,s0)
-/var/run/pppd[0-9]*\.tdb		--	gen_context(system_u:object_r:pppd_var_run_t,s0)
-/var/run/ppp(/.*)?			gen_context(system_u:object_r:pppd_var_run_t,s0)
-# Fix pptp sockets
-/var/run/pptp(/.*)?			gen_context(system_u:object_r:pptp_var_run_t,s0)
-
-/var/log/ppp-connect-errors.*	--	gen_context(system_u:object_r:pppd_log_t,s0)
-/var/log/ppp/.*			--	gen_context(system_u:object_r:pppd_log_t,s0)
-
diff --git a/refpolicy/policy/modules/services/ppp.if b/refpolicy/policy/modules/services/ppp.if
deleted file mode 100644
index afec620..0000000
--- a/refpolicy/policy/modules/services/ppp.if
+++ /dev/null
@@ -1,237 +0,0 @@
-## <summary>Point to Point Protocol daemon creates links in ppp networks</summary>
-
-########################################
-## <summary>
-##	Use PPP file discriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ppp_use_fds',`
-	gen_require(`
-		type pppd_t;
-	')
-
-	allow $1 pppd_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit
-##	and use PPP file discriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`ppp_dontaudit_use_fds',`
-	gen_require(`
-		type pppd_t;
-	')
-
-	dontaudit $1 pppd_t:fd use;
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to PPP.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ppp_sigchld',`
-	gen_require(`
-		type pppd_t;
-
-	')
-
-	allow $1 pppd_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send a generic signal to PPP.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ppp_signal',`
-	gen_require(`
-		type pppd_t;
-	')
-
-	allow $1 pppd_t:process signal;
-')
-
-########################################
-## <summary>
-##	 Execute domain in the ppp domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	 Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ppp_domtrans',`
-	gen_require(`
-		type pppd_t, pppd_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1, pppd_exec_t, pppd_t)
-
-	allow $1 pppd_t:fd use;
-	allow pppd_t $1:fd use;
-	allow pppd_t $1:fifo_file rw_file_perms;
-	allow pppd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	 Conditionally execute ppp daemon on behalf of a user or staff type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	 Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ppp_run_cond',`
-	gen_require(`
-		type pppd_t;
-	')
-
-	role $2 types pppd_t;
-
-	tunable_policy(`pppd_for_user',`
-		ppp_domtrans($1)
-		allow pppd_t $3:chr_file rw_term_perms;
-	')
-')
-
-########################################
-## <summary>
-##	 Unconditionally execute ppp daemon on behalf of a user or staff type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	 Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ppp_run',`
-	gen_require(`
-		type pppd_t;
-	')
-
-	ppp_domtrans($1)
-	role $2 types pppd_t;
-	allow pppd_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	 Execute domain in the ppp caller.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	 Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ppp_exec',`
-	gen_require(`
-		type pppd_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1, pppd_exec_t)
-')
-
-########################################
-## <summary>
-##	Read PPP-writable configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ppp_read_rw_config',`
-	gen_require(`
-		type pppd_etc_t, pppd_etc_rw_t;
-	')
-
-	allow $1 pppd_etc_t:dir list_dir_perms;
-	allow $1 pppd_etc_rw_t:file { getattr read };
-	files_search_etc($1)
-')
-
-########################################
-## <summary>
-##	Read PPP secrets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ppp_read_secrets',`
-	gen_require(`
-		type pppd_etc_t, pppd_secret_t;
-	')
-
-	allow $1 pppd_etc_t:dir list_dir_perms;
-	allow $1 pppd_secret_t:file { getattr read };
-	files_search_etc($1)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete PPP pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ppp_manage_pid_files',`
-	gen_require(`
-		type pppd_var_run_t;
-	')
-
-	allow $1 pppd_var_run_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete PPP pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ppp_pid_filetrans',`
-	gen_require(`
-		type pppd_var_run_t;
-	')
-
-	files_pid_filetrans($1,pppd_var_run_t,file)
-')
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
deleted file mode 100644
index 4f48f9b..0000000
--- a/refpolicy/policy/modules/services/ppp.te
+++ /dev/null
@@ -1,333 +0,0 @@
-
-policy_module(ppp,1.2.4)
-
-########################################
-#
-# Declarations
-#
-
-# pppd_t is the domain for the pppd program.
-# pppd_exec_t is the type of the pppd executable.
-type pppd_t;
-type pppd_exec_t;
-init_daemon_domain(pppd_t,pppd_exec_t)
-
-type pppd_devpts_t;
-term_pty(pppd_devpts_t)
-
-# Define a separate type for /etc/ppp
-type pppd_etc_t;
-files_config_file(pppd_etc_t)
-
-# Define a separate type for writable files under /etc/ppp
-type pppd_etc_rw_t;
-files_type(pppd_etc_rw_t)
-
-type pppd_script_exec_t;
-files_type(pppd_script_exec_t)
-
-# pppd_secret_t is the type of the pap and chap password files
-type pppd_secret_t;
-files_type(pppd_secret_t)
-
-type pppd_log_t;
-logging_log_file(pppd_log_t)
-
-type pppd_lock_t;
-files_lock_file(pppd_lock_t)
-
-type pppd_tmp_t;
-files_tmp_file(pppd_tmp_t)
-
-type pppd_var_run_t;
-files_pid_file(pppd_var_run_t)
-
-type pptp_t;
-type pptp_exec_t;
-init_daemon_domain(pptp_t,pptp_exec_t)
-
-type pptp_log_t;
-logging_log_file(pptp_log_t)
-
-type pptp_var_run_t;
-files_pid_file(pptp_var_run_t)
-
-########################################
-#
-# PPPD Local policy
-#
-
-allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
-dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process signal;
-allow pppd_t self:fifo_file rw_file_perms;
-allow pppd_t self:socket create_socket_perms;
-allow pppd_t self:unix_dgram_socket create_socket_perms;
-allow pppd_t self:unix_stream_socket create_socket_perms;
-allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
-allow pppd_t self:tcp_socket create_stream_socket_perms;
-allow pppd_t self:udp_socket { connect connected_socket_perms };
-allow pppd_t self:packet_socket create_socket_perms;
-
-domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
-allow pppd_t pptp_t:fd use;
-allow pptp_t pppd_t:fd use;
-allow pptp_t pppd_t:fifo_file rw_file_perms;
-allow pptp_t pppd_t:process sigchld;
-
-allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
-
-allow pppd_t pppd_etc_t:dir rw_dir_perms;
-allow pppd_t pppd_etc_t:file r_file_perms;
-allow pppd_t pppd_etc_t:lnk_file { getattr read };
-files_etc_filetrans(pppd_t,pppd_etc_t,file)
-
-allow pppd_t pppd_etc_rw_t:file create_file_perms;
-
-allow pppd_t pppd_lock_t:file create_file_perms;
-files_lock_filetrans(pppd_t,pppd_lock_t,file)
-
-allow pppd_t pppd_log_t:file create_file_perms;
-logging_log_filetrans(pppd_t,pppd_log_t,file)
-
-allow pppd_t pppd_tmp_t:dir create_dir_perms;
-allow pppd_t pppd_tmp_t:file create_file_perms;
-files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
-
-allow pppd_t pppd_var_run_t:dir rw_dir_perms;
-allow pppd_t pppd_var_run_t:file create_file_perms;
-files_pid_filetrans(pppd_t,pppd_var_run_t,file)
-
-allow pppd_t pptp_t:process signal;
-
-# for SSP
-# Access secret files
-allow pppd_t pppd_secret_t:file r_file_perms;
-
-# Automatically label newly created files under /etc/ppp with this type
-type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
-
-kernel_read_kernel_sysctls(pppd_t)
-kernel_read_system_state(pppd_t)
-kernel_read_net_sysctls(pppd_t)
-kernel_read_network_state(pppd_t)
-kernel_load_module(pppd_t)
-
-dev_read_urand(pppd_t)
-dev_search_sysfs(pppd_t)
-dev_read_sysfs(pppd_t)
-
-corenet_non_ipsec_sendrecv(pppd_t)
-corenet_tcp_sendrecv_all_if(pppd_t)
-corenet_raw_sendrecv_all_if(pppd_t)
-corenet_udp_sendrecv_all_if(pppd_t)
-corenet_tcp_sendrecv_all_nodes(pppd_t)
-corenet_raw_sendrecv_all_nodes(pppd_t)
-corenet_udp_sendrecv_all_nodes(pppd_t)
-corenet_tcp_sendrecv_all_ports(pppd_t)
-corenet_udp_sendrecv_all_ports(pppd_t)
-# Access /dev/ppp.
-corenet_rw_ppp_dev(pppd_t)
-
-fs_getattr_all_fs(pppd_t)
-fs_search_auto_mountpoints(pppd_t)
-
-term_use_unallocated_ttys(pppd_t)
-term_setattr_unallocated_ttys(pppd_t)
-term_ioctl_generic_ptys(pppd_t)
-# for pppoe
-term_create_pty(pppd_t,pppd_devpts_t)
-term_dontaudit_use_console(pppd_t)
-
-# allow running ip-up and ip-down scripts and running chat.
-corecmd_exec_bin(pppd_t)
-corecmd_exec_sbin(pppd_t)
-corecmd_exec_shell(pppd_t)
-
-domain_use_interactive_fds(pppd_t)
-
-files_exec_etc_files(pppd_t)
-files_read_etc_runtime_files(pppd_t)
-# for scripts
-files_read_etc_files(pppd_t)
-
-init_read_utmp(pppd_t)
-init_dontaudit_write_utmp(pppd_t)
-init_use_fds(pppd_t)
-init_use_script_ptys(pppd_t)
-
-libs_use_ld_so(pppd_t)
-libs_use_shared_libs(pppd_t)
-
-logging_send_syslog_msg(pppd_t)
-
-miscfiles_read_localization(pppd_t)
-
-sysnet_read_config(pppd_t)
-sysnet_exec_ifconfig(pppd_t)
-sysnet_manage_config(pppd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(pppd_t)
-userdom_dontaudit_search_sysadm_home_dirs(pppd_t)
-# for ~/.ppprc - if it actually exists then you need some policy to read it
-#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-userdom_search_sysadm_home_dirs(pppd_t)
-userdom_search_unpriv_users_home_dirs(pppd_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(pppd_t)
-	term_dontaudit_use_generic_ptys(pppd_t)
-	files_dontaudit_read_root_files(pppd_t)
-
-	optional_policy(`
-		gen_require(`
-			bool postfix_disable_trans;
-		')
-
-		if(!postfix_disable_trans) {
-			postfix_domtrans_master(pppd_t)
-		}
-	')
-',`
-	optional_policy(`
-		postfix_domtrans_master(pppd_t)
-	')
-')
-
-optional_policy(`
-	ddclient_domtrans(pppd_t)
-')
-
-optional_policy(`
-	tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
-		modutils_domtrans_insmod_uncond(pppd_t)
-	')
-')
-
-optional_policy(`
-	mta_send_mail(pppd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(pppd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(pppd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(pppd_t)
-')
-
-optional_policy(`
-	udev_read_db(pppd_t)
-')
-
-########################################
-#
-# PPTP Local policy
-#
-
-dontaudit pptp_t self:capability sys_tty_config;
-allow pptp_t self:capability net_raw;
-allow pptp_t self:fifo_file { read write };
-allow pptp_t self:unix_dgram_socket create_socket_perms;
-allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow pptp_t self:rawip_socket create_socket_perms;
-allow pptp_t self:tcp_socket create_socket_perms;
-
-allow pptp_t pppd_etc_t:dir { getattr read search };
-allow pptp_t pppd_etc_t:file { read getattr };
-allow pptp_t pppd_etc_t:lnk_file { getattr read };
-
-allow pptp_t pppd_etc_rw_t:dir { getattr read search };
-allow pptp_t pppd_etc_rw_t:file { read getattr };
-allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
-can_exec(pptp_t, pppd_etc_rw_t)
-
-# Allow pptp to append to pppd log files
-allow pptp_t pppd_log_t:file append;
-
-allow pptp_t pptp_log_t:file create_file_perms;
-logging_log_filetrans(pptp_t,pptp_log_t,file)
-
-allow pptp_t pptp_var_run_t:file create_file_perms;
-allow pptp_t pptp_var_run_t:dir rw_dir_perms;
-allow pptp_t pptp_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(pptp_t,pptp_var_run_t,file)
-
-kernel_list_proc(pptp_t)
-kernel_read_kernel_sysctls(pptp_t)
-kernel_read_proc_symlinks(pptp_t)
-
-dev_read_sysfs(pptp_t)
-
-corenet_non_ipsec_sendrecv(pptp_t)
-corenet_tcp_sendrecv_all_if(pptp_t)
-corenet_raw_sendrecv_all_if(pptp_t)
-corenet_tcp_sendrecv_all_nodes(pptp_t)
-corenet_raw_sendrecv_all_nodes(pptp_t)
-corenet_tcp_sendrecv_all_ports(pptp_t)
-corenet_tcp_bind_all_nodes(pptp_t)
-corenet_tcp_connect_generic_port(pptp_t)
-corenet_tcp_connect_all_reserved_ports(pptp_t)
-corenet_sendrecv_generic_client_packets(pptp_t)
-
-fs_getattr_all_fs(pptp_t)
-fs_search_auto_mountpoints(pptp_t)
-
-term_dontaudit_use_console(pptp_t)
-term_ioctl_generic_ptys(pptp_t)
-term_search_ptys(pptp_t)
-term_use_ptmx(pptp_t)
-
-domain_use_interactive_fds(pptp_t)
-
-init_use_fds(pptp_t)
-init_use_script_ptys(pptp_t)
-
-libs_use_ld_so(pptp_t)
-libs_use_shared_libs(pptp_t)
-
-logging_send_syslog_msg(pptp_t)
-
-miscfiles_read_localization(pptp_t)
-
-sysnet_read_config(pptp_t)
-
-userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
-
-ifdef(`targeted_policy',`
-        term_dontaudit_use_unallocated_ttys(pptp_t)
-        term_dontaudit_use_generic_ptys(pptp_t)
-        files_dontaudit_read_root_files(pptp_t)
-')
-
-optional_policy(`
-	hostname_exec(pptp_t)
-')
-
-optional_policy(`
-	nscd_socket_use(pptp_t)
-')
-
-optional_policy(`
-        seutil_sigchld_newrole(pptp_t)
-')
-
-optional_policy(`
-        udev_read_db(pptp_t)
-')
-
-optional_policy(`
-	postfix_read_config(pppd_t)
-')
-
-# FIXME:
-domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
-allow pppd_t initrc_t:fd use;
-allow initrc_t pppd_t:fd use;
-allow initrc_t pppd_t:fifo_file rw_file_perms;
-allow initrc_t pppd_t:process sigchld;
diff --git a/refpolicy/policy/modules/services/privoxy.fc b/refpolicy/policy/modules/services/privoxy.fc
deleted file mode 100644
index 79e1e13..0000000
--- a/refpolicy/policy/modules/services/privoxy.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-
-/etc/privoxy/user\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
-
-/usr/sbin/privoxy	--	gen_context(system_u:object_r:privoxy_exec_t,s0)
-
-/var/log/privoxy(/.*)?		gen_context(system_u:object_r:privoxy_log_t,s0)
diff --git a/refpolicy/policy/modules/services/privoxy.if b/refpolicy/policy/modules/services/privoxy.if
deleted file mode 100644
index 26d15d7..0000000
--- a/refpolicy/policy/modules/services/privoxy.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Privacy enhancing web proxy.</summary>
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
deleted file mode 100644
index 866b3e3..0000000
--- a/refpolicy/policy/modules/services/privoxy.te
+++ /dev/null
@@ -1,109 +0,0 @@
-
-policy_module(privoxy,1.1.4)
-
-########################################
-#
-# Declarations
-#
-
-type privoxy_t; # web_client_domain
-type privoxy_exec_t;
-init_daemon_domain(privoxy_t,privoxy_exec_t)
-
-type privoxy_etc_rw_t;
-files_type(privoxy_etc_rw_t)
-
-type privoxy_log_t;
-logging_log_file(privoxy_log_t)
-
-type privoxy_var_run_t;
-files_pid_file(privoxy_var_run_t)
-
-########################################
-#
-# Local Policy
-#
-
-allow privoxy_t self:capability { setgid setuid };
-dontaudit privoxy_t self:capability sys_tty_config;
-allow privoxy_t self:tcp_socket create_stream_socket_perms;
-
-allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
-
-allow privoxy_t privoxy_log_t:file create_file_perms;
-allow privoxy_t privoxy_log_t:dir rw_dir_perms;
-logging_log_filetrans(privoxy_t,privoxy_log_t,file)
-
-allow privoxy_t privoxy_var_run_t:file create_file_perms;
-allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(privoxy_t,privoxy_var_run_t,file)
-
-kernel_read_kernel_sysctls(privoxy_t)
-kernel_list_proc(privoxy_t)
-kernel_read_proc_symlinks(privoxy_t)
-
-corenet_non_ipsec_sendrecv(privoxy_t)
-corenet_tcp_sendrecv_all_if(privoxy_t)
-corenet_tcp_sendrecv_all_nodes(privoxy_t)
-corenet_tcp_sendrecv_all_ports(privoxy_t)
-corenet_tcp_bind_all_nodes(privoxy_t)
-corenet_tcp_bind_http_cache_port(privoxy_t)
-corenet_tcp_connect_http_port(privoxy_t)
-corenet_tcp_connect_http_cache_port(privoxy_t)
-corenet_tcp_connect_ftp_port(privoxy_t)
-corenet_tcp_connect_tor_port(privoxy_t)
-corenet_sendrecv_http_cache_client_packets(privoxy_t)
-corenet_sendrecv_http_cache_server_packets(privoxy_t)
-corenet_sendrecv_http_client_packets(privoxy_t)
-corenet_sendrecv_ftp_client_packets(privoxy_t)
-corenet_sendrecv_tor_client_packets(privoxy_t)
-
-dev_read_sysfs(privoxy_t)
-
-fs_getattr_all_fs(privoxy_t)
-fs_search_auto_mountpoints(privoxy_t)
-
-term_dontaudit_use_console(privoxy_t)
-
-domain_use_interactive_fds(privoxy_t)
-
-files_read_etc_files(privoxy_t)
-
-init_use_fds(privoxy_t)
-init_use_script_ptys(privoxy_t)
-
-libs_use_ld_so(privoxy_t)
-libs_use_shared_libs(privoxy_t)
-
-logging_send_syslog_msg(privoxy_t)
-
-miscfiles_read_localization(privoxy_t)
-
-sysnet_dns_name_resolve(privoxy_t)
-
-userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
-userdom_dontaudit_search_sysadm_home_dirs(privoxy_t)
-# cjp: this should really not be needed
-userdom_use_sysadm_terms(privoxy_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(privoxy_t)
-	term_dontaudit_use_generic_ptys(privoxy_t)
-	files_dontaudit_read_root_files(privoxy_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(privoxy_t)
-')
-
-optional_policy(`
-	nscd_socket_use(privoxy_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(privoxy_t)
-')
-
-optional_policy(`
-	udev_read_db(privoxy_t)
-')
diff --git a/refpolicy/policy/modules/services/procmail.fc b/refpolicy/policy/modules/services/procmail.fc
deleted file mode 100644
index 5c335d4..0000000
--- a/refpolicy/policy/modules/services/procmail.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/bin/procmail	--	gen_context(system_u:object_r:procmail_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/procmail.if b/refpolicy/policy/modules/services/procmail.if
deleted file mode 100644
index 078fca3..0000000
--- a/refpolicy/policy/modules/services/procmail.if
+++ /dev/null
@@ -1,46 +0,0 @@
-## <summary>Procmail mail delivery agent</summary>
-
-########################################
-## <summary>
-##	Execute procmail with a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`procmail_domtrans',`
-	gen_require(`
-		type procmail_exec_t, procmail_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,procmail_exec_t,procmail_t)
-
-	allow $1 procmail_t:fd use;
-	allow procmail_t $1:fd use;
-	allow procmail_t $1:fifo_file rw_file_perms;
-	allow procmail_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute procmail in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`procmail_exec',`
-	gen_require(`
-		type procmail_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	can_exec($1,procmail_exec_t)
-')
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
deleted file mode 100644
index 29eefae..0000000
--- a/refpolicy/policy/modules/services/procmail.te
+++ /dev/null
@@ -1,116 +0,0 @@
-
-policy_module(procmail,1.2.4)
-
-########################################
-#
-# Declarations
-#
-
-type procmail_t;
-type procmail_exec_t;
-domain_type(procmail_t)
-domain_entry_file(procmail_t,procmail_exec_t)
-role system_r types procmail_t;
-
-########################################
-#
-# Local policy
-#
-
-allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
-allow procmail_t self:process { setsched signal };
-allow procmail_t self:fifo_file rw_file_perms;
-allow procmail_t self:unix_stream_socket create_socket_perms;
-allow procmail_t self:unix_dgram_socket create_socket_perms;
-allow procmail_t self:tcp_socket create_stream_socket_perms;
-allow procmail_t self:udp_socket create_socket_perms;
-
-kernel_read_system_state(procmail_t)
-kernel_read_kernel_sysctls(procmail_t)
-
-corenet_non_ipsec_sendrecv(procmail_t)
-corenet_tcp_sendrecv_all_if(procmail_t)
-corenet_udp_sendrecv_all_if(procmail_t)
-corenet_tcp_sendrecv_all_nodes(procmail_t)
-corenet_udp_sendrecv_all_nodes(procmail_t)
-corenet_tcp_sendrecv_all_ports(procmail_t)
-corenet_udp_sendrecv_all_ports(procmail_t)
-corenet_tcp_connect_spamd_port(procmail_t)
-corenet_sendrecv_spamd_client_packets(procmail_t)
-
-dev_read_urand(procmail_t)
-
-fs_getattr_xattr_fs(procmail_t)
-
-auth_use_nsswitch(procmail_t)
-
-corecmd_exec_bin(procmail_t)
-corecmd_exec_shell(procmail_t)
-corecmd_dontaudit_search_sbin(procmail_t)
-
-files_read_etc_files(procmail_t)
-files_read_etc_runtime_files(procmail_t)
-files_search_pids(procmail_t)
-# for spamassasin
-files_read_usr_files(procmail_t)
-
-libs_use_ld_so(procmail_t)
-libs_use_shared_libs(procmail_t)
-
-miscfiles_read_localization(procmail_t)
-
-# only works until we define a different type for maildir
-userdom_priveleged_home_dir_manager(procmail_t)
-# Do not audit attempts to access /root.
-userdom_dontaudit_search_sysadm_home_dirs(procmail_t)
-userdom_dontaudit_search_staff_home_dirs(procmail_t)
-
-mta_manage_spool(procmail_t)
-
-ifdef(`hide_broken_symptoms',`
-	mta_dontaudit_rw_queue(procmail_t)
-')
-
-ifdef(`targeted_policy', `
-	corenet_udp_bind_generic_port(procmail_t)
-	files_getattr_tmp_dirs(procmail_t)
-')
-
-optional_policy(`
-	clamav_domtrans_clamscan(procmail_t)
-	clamav_search_lib(procmail_t)
-')
-
-optional_policy(`
-	logging_send_syslog_msg(procmail_t)
-')
-
-optional_policy(`
-	nscd_socket_use(procmail_t)
-')
-
-optional_policy(`
-	# for a bug in the postfix local program
-	postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
-	postfix_dontaudit_use_fds(procmail_t)
-')
-
-optional_policy(`
-	pyzor_domtrans(procmail_t)
-')
-
-optional_policy(`
-	mta_read_config(procmail_t)
-	sendmail_domtrans(procmail_t)
-	sendmail_rw_tcp_sockets(procmail_t)
-	sendmail_rw_unix_stream_sockets(procmail_t)
-')
-
-optional_policy(`
-	corenet_udp_bind_generic_port(procmail_t)
-
-	files_getattr_tmp_dirs(procmail_t)
-
-	spamassassin_exec(procmail_t)
-	spamassassin_exec_client(procmail_t)
-')
diff --git a/refpolicy/policy/modules/services/publicfile.fc b/refpolicy/policy/modules/services/publicfile.fc
deleted file mode 100644
index 5b20b68..0000000
--- a/refpolicy/policy/modules/services/publicfile.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-
-/usr/bin/ftpd		--	gen_context(system_u:object_r:publicfile_exec_t,s0)
-/usr/bin/httpd		--	gen_context(system_u:object_r:publicfile_exec_t,s0)
-
-# this is the place where online content located
-# set this to suit your needs
-#/var/www(/.*)?			gen_context(system_u:object_r:publicfile_content_t,s0)
diff --git a/refpolicy/policy/modules/services/publicfile.if b/refpolicy/policy/modules/services/publicfile.if
deleted file mode 100644
index 5b07592..0000000
--- a/refpolicy/policy/modules/services/publicfile.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>publicfile supplies files to the public through HTTP and FTP</summary>
diff --git a/refpolicy/policy/modules/services/publicfile.te b/refpolicy/policy/modules/services/publicfile.te
deleted file mode 100644
index 7b91ac9..0000000
--- a/refpolicy/policy/modules/services/publicfile.te
+++ /dev/null
@@ -1,39 +0,0 @@
-
-policy_module(publicfile,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type publicfile_t;
-type publicfile_exec_t;
-init_system_domain(publicfile_t,publicfile_exec_t)
-role system_r types publicfile_t;
-
-type publicfile_content_t;
-files_type(publicfile_content_t)
-
-########################################
-#
-# Local policy
-#
-
-allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
-allow publicfile_t publicfile_content_t:dir r_dir_perms;
-allow publicfile_t publicfile_content_t:file r_file_perms;
-
-files_search_var(publicfile_t)
-
-libs_use_ld_so(publicfile_t)
-libs_use_shared_libs(publicfile_t)
-
-optional_policy(`
-	daemontools_ipc_domain(publicfile_t)
-')
-
-optional_policy(`
-	ucspitcp_service_domain(publicfile_t, publicfile_exec_t)
-')
-
-#allow publicfile_t initrc_t:tcp_socket { read write };
diff --git a/refpolicy/policy/modules/services/pxe.fc b/refpolicy/policy/modules/services/pxe.fc
deleted file mode 100644
index 44b3a0c..0000000
--- a/refpolicy/policy/modules/services/pxe.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-
-/usr/sbin/pxe		--	gen_context(system_u:object_r:pxe_exec_t,s0)
-
-/var/log/pxe\.log	--	gen_context(system_u:object_r:pxe_log_t,s0)
-
-/var/run/pxe\.pid	--	gen_context(system_u:object_r:pxe_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/pxe.if b/refpolicy/policy/modules/services/pxe.if
deleted file mode 100644
index d3d6a6b..0000000
--- a/refpolicy/policy/modules/services/pxe.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Server for the PXE network boot protocol</summary>
diff --git a/refpolicy/policy/modules/services/pxe.te b/refpolicy/policy/modules/services/pxe.te
deleted file mode 100644
index d992e7d..0000000
--- a/refpolicy/policy/modules/services/pxe.te
+++ /dev/null
@@ -1,79 +0,0 @@
-
-policy_module(pxe,1.0.0)
-
-# cjp: policy seems incomplete
-
-########################################
-#
-# Declarations
-#
-
-type pxe_t;
-type pxe_exec_t;
-init_daemon_domain(pxe_t,pxe_exec_t)
-
-type pxe_log_t;
-logging_log_file(pxe_log_t)
-
-type pxe_var_run_t;
-files_pid_file(pxe_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow pxe_t self:capability { chown setgid setuid };
-dontaudit pxe_t self:capability sys_tty_config;
-allow pxe_t self:process signal_perms;
-
-allow pxe_t pxe_log_t:file create_file_perms;
-logging_log_filetrans(pxe_t,pxe_log_t,file)
-
-allow pxe_t pxe_var_run_t:file create_file_perms;
-allow pxe_t pxe_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(pxe_t,pxe_var_run_t,file)
-
-kernel_read_kernel_sysctls(pxe_t)
-kernel_list_proc(pxe_t)
-kernel_read_proc_symlinks(pxe_t)
-
-corenet_udp_bind_pxe_port(pxe_t)
-
-dev_read_sysfs(pxe_t)
-
-domain_use_interactive_fds(pxe_t)
-
-files_read_etc_files(pxe_t)
-
-fs_getattr_all_fs(pxe_t)
-fs_search_auto_mountpoints(pxe_t)
-
-term_dontaudit_use_console(pxe_t)
-
-init_use_fds(pxe_t)
-init_use_script_ptys(pxe_t)
-
-libs_use_ld_so(pxe_t)
-libs_use_shared_libs(pxe_t)
-
-logging_send_syslog_msg(pxe_t)
-
-miscfiles_read_localization(pxe_t)
-
-userdom_dontaudit_use_unpriv_user_fds(pxe_t)
-userdom_dontaudit_search_sysadm_home_dirs(pxe_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(pxe_t)
-	term_dontaudit_use_generic_ptys(pxe_t)
-	files_dontaudit_read_root_files(pxe_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(pxe_t)
-')
-
-optional_policy(`
-	udev_read_db(pxe_t)
-')
diff --git a/refpolicy/policy/modules/services/pyzor.fc b/refpolicy/policy/modules/services/pyzor.fc
deleted file mode 100644
index 71e71c8..0000000
--- a/refpolicy/policy/modules/services/pyzor.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
-
-/usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
-/usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
-
-/var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
-/var/log/pyzord.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
-')
diff --git a/refpolicy/policy/modules/services/pyzor.if b/refpolicy/policy/modules/services/pyzor.if
deleted file mode 100644
index ef23b07..0000000
--- a/refpolicy/policy/modules/services/pyzor.if
+++ /dev/null
@@ -1,80 +0,0 @@
-## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
-
-########################################
-## <summary>
-##	Execute pyzor with a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`pyzor_domtrans',`
-	gen_require(`
-		type pyzor_exec_t, pyzor_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,pyzor_exec_t,pyzor_t)
-
-	allow $1 pyzor_t:fd use;
-	allow pyzor_t $1:fd use;
-	allow pyzor_t $1:fifo_file rw_file_perms;
-	allow pyzor_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute pyzor in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`pyzor_exec',`
-	gen_require(`
-		type pyzor_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	can_exec($1,pyzor_exec_t)
-')
-
-#######################################
-## <summary>
-##	The per user domain template for the pyzor module.
-## </summary>
-## <desc>
-##	<p>
-##	This template allows pyzor to manage files in
-##	a user home directory, creating files with the
-##	correct type.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`pyzor_per_userdomain_template',`
-	type $1_pyzor_home_t;
-	userdom_user_home_content($1,$1_pyzor_home_t)
-
-	allow pyzord_t $1_pyzor_home_t:dir create_dir_perms;
-	allow pyzord_t $1_pyzor_home_t:file create_file_perms;
-	allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms;
-	userdom_search_user_home_dirs($1,pyzord_t)
-	userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file })
-')
diff --git a/refpolicy/policy/modules/services/pyzor.te b/refpolicy/policy/modules/services/pyzor.te
deleted file mode 100644
index 547a1c7..0000000
--- a/refpolicy/policy/modules/services/pyzor.te
+++ /dev/null
@@ -1,132 +0,0 @@
-
-policy_module(pyzor,1.0.4)
-
-########################################
-#
-# Declarations
-#
-
-type pyzor_t;
-type pyzor_exec_t;
-domain_type(pyzor_t)
-domain_entry_file(pyzor_t,pyzor_exec_t)
-role system_r types pyzor_t;
-
-type pyzord_t;
-type pyzord_exec_t;
-domain_type(pyzord_t)
-init_daemon_domain(pyzord_t,pyzord_exec_t)
-
-type pyzor_etc_t;
-files_type(pyzor_etc_t)
-
-type pyzord_log_t;
-logging_log_file(pyzord_log_t)
-
-type pyzor_var_lib_t;
-files_type(pyzor_var_lib_t)
-
-########################################
-#
-# Pyzor local policy
-#
-
-allow pyzor_t self:udp_socket create_socket_perms;
-
-allow pyzor_t pyzor_var_lib_t:dir r_dir_perms;
-allow pyzor_t pyzor_var_lib_t:file r_file_perms;
-files_search_var_lib(pyzor_t)
-
-kernel_read_kernel_sysctls(pyzor_t)  
-kernel_read_system_state(pyzor_t)
-
-corecmd_list_bin(pyzor_t)
-corecmd_getattr_bin_files(pyzor_t)
-
-corenet_udp_sendrecv_all_if(pyzor_t)
-corenet_udp_sendrecv_all_nodes(pyzor_t)
-corenet_udp_sendrecv_all_ports(pyzor_t)
-
-dev_read_urand(pyzor_t)
-
-files_read_etc_files(pyzor_t)
-
-auth_use_nsswitch(pyzor_t)
-
-libs_use_ld_so(pyzor_t)
-libs_use_shared_libs(pyzor_t)
-
-miscfiles_read_localization(pyzor_t)
-
-optional_policy(`
-	amavis_manage_lib_files(pyzor_t)
-	amavis_manage_spool_files(pyzor_t)
-')
-
-optional_policy(`
-	spamassassin_read_spamd_tmp_files(pyzor_t)
-')
-
-########################################
-#
-# Pyzord local policy
-#
-
-allow pyzord_t self:udp_socket create_socket_perms;
-
-allow pyzord_t pyzor_var_lib_t:file create_file_perms;
-allow pyzord_t pyzor_var_lib_t:dir { rw_dir_perms setattr };
-files_var_lib_filetrans(pyzord_t,pyzor_var_lib_t,{ file dir })
-
-allow pyzord_t pyzor_etc_t:file create_file_perms;
-allow pyzord_t pyzor_etc_t:dir r_dir_perms;
-
-can_exec(pyzord_t,pyzor_exec_t)
-
-allow pyzord_t pyzord_log_t:file create_file_perms;
-allow pyzord_t pyzord_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(pyzord_t,pyzord_log_t, { file dir } )
-
-kernel_read_kernel_sysctls(pyzord_t)
-kernel_read_system_state(pyzord_t)
-
-dev_read_urand(pyzord_t)
-
-corecmd_exec_bin(pyzord_t)
-
-corenet_non_ipsec_sendrecv(pyzord_t)
-corenet_udp_sendrecv_all_if(pyzord_t)
-corenet_udp_sendrecv_all_nodes(pyzord_t)
-corenet_udp_sendrecv_all_ports(pyzord_t)
-corenet_udp_bind_all_nodes(pyzord_t)
-corenet_udp_bind_pyzor_port(pyzord_t)
-corenet_sendrecv_pyzor_server_packets(pyzord_t)
-
-files_read_etc_files(pyzord_t)
-
-term_dontaudit_use_generic_ptys(pyzord_t)
-
-auth_use_nsswitch(pyzord_t)
-
-libs_use_ld_so(pyzord_t)
-libs_use_shared_libs(pyzord_t)
-
-miscfiles_read_localization(pyzord_t)
-
-# Do not audit attempts to access /root.
-userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
-userdom_dontaudit_search_staff_home_dirs(pyzord_t)
-
-mta_manage_spool(pyzord_t)
-
-ifdef(`targeted_policy',`
-	userdom_read_generic_user_home_content_files(pyzord_t)
-')
-
-optional_policy(`
-	logging_send_syslog_msg(pyzord_t)
-')
-
-optional_policy(`
-	nscd_socket_use(pyzord_t)
-')
diff --git a/refpolicy/policy/modules/services/qmail.fc b/refpolicy/policy/modules/services/qmail.fc
deleted file mode 100644
index 0055e54..0000000
--- a/refpolicy/policy/modules/services/qmail.fc
+++ /dev/null
@@ -1,47 +0,0 @@
-
-/var/qmail/alias		-d	gen_context(system_u:object_r:qmail_alias_home_t,s0)
-/var/qmail/alias(/.*)?			gen_context(system_u:object_r:qmail_alias_home_t,s0)
-
-/var/qmail/bin/qmail-clean	--	gen_context(system_u:object_r:qmail_clean_exec_t,s0)
-/var/qmail/bin/qmail-getpw	--	gen_context(system_u:object_r:qmail_exec_t,s0)
-/var/qmail/bin/qmail-inject	--	gen_context(system_u:object_r:qmail_inject_exec_t,s0)
-/var/qmail/bin/qmail-local	--	gen_context(system_u:object_r:qmail_local_exec_t,s0)
-/var/qmail/bin/qmail-lspawn	--	gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
-/var/qmail/bin/qmail-queue	--	gen_context(system_u:object_r:qmail_queue_exec_t,s0)
-/var/qmail/bin/qmail-remote	--	gen_context(system_u:object_r:qmail_remote_exec_t,s0)
-/var/qmail/bin/qmail-rspawn	--	gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
-/var/qmail/bin/qmail-send	--	gen_context(system_u:object_r:qmail_send_exec_t,s0)
-/var/qmail/bin/qmail-smtpd	--	gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
-/var/qmail/bin/qmail-start	--	gen_context(system_u:object_r:qmail_start_exec_t,s0)
-/var/qmail/bin/splogger		--	gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
-/var/qmail/bin/tcp-env		--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
-
-/var/qmail/control(/.*)?		gen_context(system_u:object_r:qmail_etc_t,s0)
-
-/var/qmail/queue(/.*)?			gen_context(system_u:object_r:qmail_spool_t,s0)
-
-ifdef(`distro_debian', `
-/etc/qmail(/.*)?			gen_context(system_u:object_r:qmail_etc_t,s0)
-
-/usr/bin/tcp-env		--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
-
-#/usr/local/bin/serialmail/.*	--	gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
-
-/usr/sbin/qmail-clean		--	gen_context(system_u:object_r:qmail_clean_exec_t,s0)
-/usr/sbin/qmail-getpw		--	gen_context(system_u:object_r:qmail_exec_t,s0)
-/usr/sbin/qmail-inject		--	gen_context(system_u:object_r:qmail_inject_exec_t,s0)
-/usr/sbin/qmail-local		--	gen_context(system_u:object_r:qmail_local_exec_t,s0)
-/usr/sbin/qmail-lspawn		--	gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
-/usr/sbin/qmail-queue		--	gen_context(system_u:object_r:qmail_queue_exec_t,s0)
-/usr/sbin/qmail-remote		--	gen_context(system_u:object_r:qmail_remote_exec_t,s0)
-/usr/sbin/qmail-rspawn		--	gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
-/usr/sbin/qmail-send		--	gen_context(system_u:object_r:qmail_send_exec_t,s0)
-/usr/sbin/qmail-smtpd		--	gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
-/usr/sbin/qmail-start		--	gen_context(system_u:object_r:qmail_start_exec_t,s0)
-/usr/sbin/splogger		--	gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
-
-/var/qmail(/.*)?			gen_context(system_u:object_r:qmail_etc_t,s0)
-
-/var/spool/qmail(/.*)?			gen_context(system_u:object_r:qmail_spool_t,s0)
-')
-
diff --git a/refpolicy/policy/modules/services/qmail.if b/refpolicy/policy/modules/services/qmail.if
deleted file mode 100644
index a9ac709..0000000
--- a/refpolicy/policy/modules/services/qmail.if
+++ /dev/null
@@ -1,209 +0,0 @@
-## <summary>Qmail Mail Server</summary>
-
-#######################################
-## <summary>
-##      The per user domain template for qmail
-## </summary>
-## <desc>
-##      <p>
-##      This template is invoked automatically for each user, and
-##      generally does not need to be invoked directly
-##      by policy writers.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##      <summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##      </summary>
-## </param>
-## <param name="user_domain">
-##      <summary>
-##      The type of the user domain.
-##      </summary>
-## </param>
-## <param name="user_role">
-##      <summary>
-##      The role associated with the user domain.
-##      </summary>
-## </param>
-#
-template(`qmail_per_userdomain_template',`
-	gen_require(`
-		attribute qmail_user_domains;
-	')
-
-	role $3 types qmail_user_domains;
-
-	qmail_domtrans_inject($2)
-
-	allow qmail_user_domains $2:process sigchld;
-	allow qmail_user_domains $2:fifo_file { write getattr };
-	allow qmail_user_domains $2:fd use;
-
-')
-
-########################################
-## <summary>
-##	Template for qmail parent/sub-domain pairs
-## </summary>
-## <param name="child_prefix">
-##	<summary>
-##	The prefix of the child domain
-##	</summary>
-## </param>
-## <param name="parent_domain">
-##	<summary>
-##	The name of the parent domain.
-##	</summary>
-## </param>
-#
-template(`qmail_child_domain_template',`
-	type $1_t;
-	domain_type($1_t)
-	type $1_exec_t;
-	domain_entry_file($1_t,$1_exec_t)
-	domain_auto_trans($2, $1_exec_t, $1_t)
-	role system_r types $1_t;
-
-	allow $1_t self:process signal_perms;
-
-	allow $1_t $2:fd use;
-	allow $1_t $2:fifo_file rw_file_perms;
-	allow $1_t $2:process sigchld;
-
-	allow $1_t qmail_etc_t:dir { getattr read search };
-	allow $1_t qmail_etc_t:file { getattr read };
-	allow $1_t qmail_etc_t:lnk_file { getattr read };
-
-	allow $1_t qmail_start_t:fd use;
-
-	kernel_list_proc($2)
-	kernel_read_proc_symlinks($2)
-
-	corecmd_search_bin($1_t)
-
-	files_search_var($1_t)
-
-	fs_getattr_xattr_fs($1_t)
-
-	libs_use_ld_so($1_t)
-	libs_use_shared_libs($1_t)
-
-	miscfiles_read_localization($1_t)
-')
-
-########################################
-## <summary>
-##	Transition to qmail_inject_t
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-#
-interface(`qmail_domtrans_inject',`
-	gen_require(`
-		type qmail_inject_t;
-		type qmail_inject_exec_t;
-	')
-
-	domain_auto_trans($1, qmail_inject_exec_t, qmail_inject_t)
-	allow qmail_inject_t $1:fd use;
-	allow qmail_inject_t $1:fifo_file { read write };
-	allow qmail_inject_t $1:process sigchld;
-
-	ifdef(`distro_debian',`
-		files_search_usr($1)
-		corecmd_search_sbin($1)
-	',`
-		files_search_var($1)
-		corecmd_search_bin($1)
-	')
-')
-
-########################################
-## <summary>
-##	Transition to qmail_queue_t
-## </summary>
-## <param name="domain">
-##	<summary>
-##		Domain allowed access
-##	</summary>
-## </param>
-#
-interface(`qmail_domtrans_queue',`
-	gen_require(`
-		type qmail_queue_t;
-		type qmail_queue_exec_t;
-	')
-
-	domain_auto_trans($1, qmail_queue_exec_t, qmail_queue_t)
-
-	allow qmail_queue_t $1:fd use;
-	allow qmail_queue_t $1:fifo_file { read write };
-	allow qmail_queue_t $1:process sigchld;
-
-	ifdef(`distro_debian',`
-		files_search_usr($1)
-		corecmd_search_sbin($1)
-	',`
-		files_search_var($1)
-		corecmd_search_bin($1)
-	')
-')
-
-########################################
-## <summary>
-##	Read qmail configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`qmail_read_config',`
-	gen_require(`
-		type qmail_etc_t;
-	')
-
-	allow $1 qmail_etc_t:dir { getattr read search };
-	allow $1 qmail_etc_t:file { getattr read };
-	allow $1 qmail_etc_t:lnk_file { getattr read };
-	files_search_var($1)
-
-	ifdef(`distro_debian',`
-		# handle /etc/qmail
-		files_search_etc($1)
-	')
-')
-
-########################################
-## <summary>
-##	Define the specified domain as a qmail-smtp service. 
-##	Needed by antivirus/antispam filters.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="entrypoint">
-##	<summary>
-##	The type associated with the process program.
-##	</summary>
-## </param>
-#
-interface(`qmail_smtpd_service_domain',`
-	gen_require(`
-		type qmail_smtpd_t;
-	')
-
-        domain_auto_trans(qmail_smtpd_t, $2, $1)
-
-	allow $1 qmail_smtpd_t:fd use;
-	allow $1 qmail_smtpd_t:fifo_file { read write };
-	allow $1 qmail_smtpd_t:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/qmail.te b/refpolicy/policy/modules/services/qmail.te
deleted file mode 100644
index 3cd7e62..0000000
--- a/refpolicy/policy/modules/services/qmail.te
+++ /dev/null
@@ -1,314 +0,0 @@
-
-policy_module(qmail,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute qmail_user_domains;
-
-type qmail_alias_home_t;
-files_type(qmail_alias_home_t)
-
-qmail_child_domain_template(qmail_clean, qmail_start_t)
-
-type qmail_etc_t;
-files_type(qmail_etc_t)
-
-type qmail_exec_t;
-files_type(qmail_exec_t)
-
-type qmail_inject_t, qmail_user_domains;
-type qmail_inject_exec_t;
-domain_type(qmail_inject_t)
-domain_entry_file(qmail_inject_t,qmail_inject_exec_t)
-mta_mailserver_user_agent(qmail_inject_t)
-role system_r types qmail_inject_t;
-
-qmail_child_domain_template(qmail_local, qmail_lspawn_t)
-mta_mailserver_delivery(qmail_local_t)
-
-qmail_child_domain_template(qmail_lspawn, qmail_start_t)
-mta_mailserver_delivery(qmail_lspawn_t)
-
-qmail_child_domain_template(qmail_queue, qmail_inject_t)
-typeattribute qmail_queue_t qmail_user_domains;
-mta_mailserver_user_agent(qmail_queue_t)
-
-qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
-mta_mailserver_sender(qmail_remote_t)
-
-qmail_child_domain_template(qmail_rspawn, qmail_start_t)
-
-qmail_child_domain_template(qmail_send, qmail_start_t)
-
-qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
-
-qmail_child_domain_template(qmail_splogger, qmail_start_t)
-
-type qmail_spool_t;
-files_type(qmail_spool_t)
-
-type qmail_start_t;
-type qmail_start_exec_t;
-init_daemon_domain(qmail_start_t,qmail_start_exec_t)
-
-type qmail_tcp_env_t;
-type qmail_tcp_env_exec_t;
-domain_type(qmail_tcp_env_t)
-domain_entry_file(qmail_tcp_env_t,qmail_tcp_env_exec_t)
-
-########################################
-#
-# qmail-clean local policy
-#   this component cleans up the queue directory
-#
-
-allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
-allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
-
-########################################
-#
-# qmail-inject local policy
-#   this component preprocesses mail from stdin and invokes qmail-queue
-#
-
-allow qmail_inject_t self:fifo_file write;
-allow qmail_inject_t self:process signal_perms;
-
-allow qmail_inject_t qmail_queue_exec_t:file read;
-
-corecmd_search_bin(qmail_inject_t)
-corecmd_search_sbin(qmail_inject_t)
-
-files_search_var(qmail_inject_t)
-
-libs_use_ld_so(qmail_inject_t)
-libs_use_shared_libs(qmail_inject_t)
-
-qmail_read_config(qmail_inject_t)
-
-########################################
-#
-# qmail-local local policy
-#   this component delivers a mail message
-#
-
-allow qmail_local_t self:fifo_file write;
-allow qmail_local_t self:process signal_perms;
-allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
-
-allow qmail_local_t qmail_alias_home_t:dir create_dir_perms;
-allow qmail_local_t qmail_alias_home_t:file create_file_perms;
-
-allow qmail_local_t qmail_queue_exec_t:file read;
-
-allow qmail_local_t qmail_spool_t:file r_file_perms;
-
-kernel_read_system_state(qmail_local_t)
-
-corecmd_exec_shell(qmail_local_t)
-corecmd_search_sbin(qmail_local_t)
-
-files_read_etc_files(qmail_local_t)
-files_read_etc_runtime_files(qmail_local_t)
-
-mta_append_spool(qmail_local_t)
-
-qmail_domtrans_queue(qmail_local_t)
-
-########################################
-#
-# qmail-lspawn local policy
-#   this component schedules local deliveries
-#
-
-allow qmail_lspawn_t self:capability { setuid setgid };
-allow qmail_lspawn_t self:process signal_perms;
-allow qmail_lspawn_t self:fifo_file { read write };
-allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
-
-can_exec(qmail_lspawn_t, qmail_exec_t)
-
-allow qmail_lspawn_t qmail_local_exec_t:file read;
-
-allow qmail_lspawn_t qmail_spool_t:dir search;
-allow qmail_lspawn_t qmail_spool_t:file { read getattr };
-
-corecmd_search_sbin(qmail_lspawn_t)
-
-files_read_etc_files(qmail_lspawn_t)
-files_search_pids(qmail_lspawn_t)
-files_search_tmp(qmail_lspawn_t)
-
-########################################
-#
-# qmail-queue local policy
-#   this component places a mail in a delivery queue, later to be processed by qmail-send
-#
-
-allow qmail_queue_t qmail_lspawn_t:fd use;
-allow qmail_queue_t qmail_lspawn_t:fifo_file write;
-
-allow qmail_queue_t qmail_smtpd_t:fd use;
-allow qmail_queue_t qmail_smtpd_t:fifo_file read;
-allow qmail_queue_t qmail_smtpd_t:process sigchld;
-
-allow qmail_queue_t qmail_spool_t:dir create_dir_perms;
-allow qmail_queue_t qmail_spool_t:fifo_file { read write };
-allow qmail_queue_t qmail_spool_t:file create_file_perms;
-
-optional_policy(`
-	daemontools_ipc_domain(qmail_queue_t)
-')
-
-########################################
-#
-# qmail-remote local policy
-#   this component sends mail via SMTP
-#
-
-allow qmail_remote_t self:tcp_socket create_socket_perms;
-allow qmail_remote_t self:udp_socket create_socket_perms;
-
-allow qmail_remote_t qmail_spool_t:dir search;
-allow qmail_remote_t qmail_spool_t:file rw_file_perms;
-
-corenet_non_ipsec_sendrecv(qmail_remote_t)
-corenet_tcp_sendrecv_generic_if(qmail_remote_t)
-corenet_udp_sendrecv_generic_if(qmail_remote_t)
-corenet_tcp_sendrecv_generic_node(qmail_remote_t)
-corenet_udp_sendrecv_generic_node(qmail_remote_t)
-corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
-corenet_udp_sendrecv_dns_port(qmail_remote_t)
-corenet_tcp_connect_smtp_port(qmail_remote_t)
-corenet_sendrecv_smtp_client_packets(qmail_remote_t)
-
-dev_read_rand(qmail_remote_t)
-dev_read_urand(qmail_remote_t)
-
-sysnet_read_config(qmail_remote_t)
-
-########################################
-#
-# qmail-rspawn local policy
-#   this component scedules remote deliveries
-#
-
-allow qmail_rspawn_t self:process signal_perms;
-allow qmail_rspawn_t self:fifo_file read;
-
-allow qmail_rspawn_t qmail_remote_exec_t:file read;
-
-allow qmail_rspawn_t qmail_spool_t:dir search;
-allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
-
-corecmd_search_bin(qmail_rspawn_t)
-corecmd_search_sbin(qmail_rspawn_t)
-
-########################################
-#
-# qmail-send local policy
-#   this component delivers mail messages from the queue
-#
-
-allow qmail_send_t self:process signal_perms;
-allow qmail_send_t self:fifo_file write;
-
-allow qmail_send_t qmail_spool_t:dir create_dir_perms;
-allow qmail_send_t qmail_spool_t:file create_file_perms;
-allow qmail_send_t qmail_spool_t:fifo_file read;
-
-qmail_domtrans_queue(qmail_send_t)
-
-optional_policy(`
-	daemontools_ipc_domain(qmail_send_t)
-')
-
-########################################
-#
-# qmail-smtpd local policy
-#   this component receives mails via SMTP
-#
-
-allow qmail_smtpd_t self:process signal_perms;
-allow qmail_smtpd_t self:fifo_file write;
-allow qmail_smtpd_t self:tcp_socket create_socket_perms;
-
-allow qmail_smtpd_t qmail_queue_exec_t:file read;
-
-dev_read_rand(qmail_smtpd_t)
-dev_read_urand(qmail_smtpd_t)
-
-qmail_domtrans_queue(qmail_smtpd_t)
-
-optional_policy(`
-	daemontools_ipc_domain(qmail_smtpd_t)
-')
-
-optional_policy(`
-	ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
-')
-
-########################################
-#
-# splogger local policy
-#   this component creates entries in syslog
-#
-
-allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
-
-files_read_etc_files(qmail_splogger_t)
-
-init_dontaudit_use_script_fds(qmail_splogger_t)
-
-miscfiles_read_localization(qmail_splogger_t)
-
-########################################
-#
-# qmail-start local policy
-#   this component starts up the mail delivery component
-#
-
-allow qmail_start_t self:capability { setgid setuid };
-dontaudit qmail_start_t self:capability sys_tty_config;
-allow qmail_start_t self:fifo_file { getattr read write };
-allow qmail_start_t self:process signal_perms;
-
-can_exec(qmail_start_t, qmail_start_exec_t)
-
-corecmd_search_bin(qmail_start_t)
-corecmd_search_sbin(qmail_start_t)
-
-files_search_var(qmail_start_t)
-
-libs_use_ld_so(qmail_start_t)
-libs_use_shared_libs(qmail_start_t)
-
-qmail_read_config(qmail_start_t)
-
-optional_policy(`
-	daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
-	daemontools_ipc_domain(qmail_start_t)
-')
-
-########################################
-#
-# tcp-env local policy
-#   this component sets up TCP-related environment variables
-#
-
-allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
-
-corecmd_search_sbin(qmail_tcp_env_t)
-
-sysnet_read_config(qmail_tcp_env_t)
-
-optional_policy(`
-	inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
-')
-
-optional_policy(`
-	ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
-')
diff --git a/refpolicy/policy/modules/services/radius.fc b/refpolicy/policy/modules/services/radius.fc
deleted file mode 100644
index 576f54f..0000000
--- a/refpolicy/policy/modules/services/radius.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-
-/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
-/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
-
-/etc/raddb(/.*)?                gen_context(system_u:object_r:radiusd_etc_t,s0)
-
-/usr/sbin/radiusd	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
-/usr/sbin/freeradius	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
-
-/var/log/freeradius(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
-/var/log/radacct(/.*)?		gen_context(system_u:object_r:radiusd_log_t,s0)
-/var/log/radius(/.*)?		gen_context(system_u:object_r:radiusd_log_t,s0)
-/var/log/radius\.log.*	--	gen_context(system_u:object_r:radiusd_log_t,s0)
-/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
-/var/log/radutmp	--	gen_context(system_u:object_r:radiusd_log_t,s0)
-/var/log/radwtmp.*	--	gen_context(system_u:object_r:radiusd_log_t,s0)
-
-/var/run/radiusd(/.*)?		gen_context(system_u:object_r:radiusd_var_run_t,s0)
-/var/run/radiusd\.pid	--	gen_context(system_u:object_r:radiusd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/radius.if b/refpolicy/policy/modules/services/radius.if
deleted file mode 100644
index 59963cb..0000000
--- a/refpolicy/policy/modules/services/radius.if
+++ /dev/null
@@ -1,23 +0,0 @@
-## <summary>RADIUS authentication and accounting server.</summary>
-
-########################################
-## <summary>
-##	Use radius over a UDP connection.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`radius_use',`
-	gen_require(`
-		type radiusd_t;
-	')
-
-	allow $1 radiusd_t:udp_socket sendto;
-	allow radiusd_t $1:udp_socket recvfrom;
-
-	allow radiusd_t $1:udp_socket sendto;
-	allow $1 radiusd_t:udp_socket recvfrom;
-')
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
deleted file mode 100644
index 4f61a75..0000000
--- a/refpolicy/policy/modules/services/radius.te
+++ /dev/null
@@ -1,134 +0,0 @@
-
-policy_module(radius,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type radiusd_t;
-type radiusd_exec_t;
-init_daemon_domain(radiusd_t,radiusd_exec_t)
-
-type radiusd_etc_t;
-files_config_file(radiusd_etc_t)
-
-type radiusd_log_t;
-logging_log_file(radiusd_log_t)
-
-type radiusd_var_run_t;
-files_pid_file(radiusd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-# fsetid is for gzip which needs it when run from scripts
-# gzip also needs chown access to preserve GID for radwtmp files
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
-dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process setsched;
-allow radiusd_t self:fifo_file rw_file_perms;
-allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
-allow radiusd_t self:tcp_socket create_stream_socket_perms;
-allow radiusd_t self:udp_socket create_socket_perms;
-
-allow radiusd_t radiusd_etc_t:file r_file_perms;
-allow radiusd_t radiusd_etc_t:dir r_dir_perms;
-allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
-files_search_etc(radiusd_t)
-
-allow radiusd_t radiusd_log_t:file create_file_perms;
-allow radiusd_t radiusd_log_t:dir create_dir_perms;
-logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
-
-allow radiusd_t radiusd_var_run_t:file create_file_perms;
-allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
-
-kernel_read_kernel_sysctls(radiusd_t)
-kernel_read_system_state(radiusd_t)
-
-corenet_non_ipsec_sendrecv(radiusd_t)
-corenet_tcp_sendrecv_all_if(radiusd_t)
-corenet_udp_sendrecv_all_if(radiusd_t)
-corenet_tcp_sendrecv_all_nodes(radiusd_t)
-corenet_udp_sendrecv_all_nodes(radiusd_t)
-corenet_tcp_sendrecv_all_ports(radiusd_t)
-corenet_udp_sendrecv_all_ports(radiusd_t)
-corenet_udp_bind_all_nodes(radiusd_t)
-corenet_udp_bind_radacct_port(radiusd_t)
-corenet_udp_bind_radius_port(radiusd_t)
-corenet_sendrecv_radius_server_packets(radiusd_t)
-corenet_sendrecv_radacct_server_packets(radiusd_t)
-# for RADIUS proxy port
-corenet_udp_bind_generic_port(radiusd_t)
-corenet_sendrecv_generic_server_packets(radiusd_t)
-
-dev_read_sysfs(radiusd_t)
-
-fs_getattr_all_fs(radiusd_t)
-fs_search_auto_mountpoints(radiusd_t)
-
-term_dontaudit_use_console(radiusd_t)
-
-auth_read_shadow(radiusd_t)
-auth_domtrans_chk_passwd(radiusd_t)
-
-corecmd_exec_bin(radiusd_t)
-corecmd_exec_shell(radiusd_t)
-corecmd_search_sbin(radiusd_t)
-
-domain_use_interactive_fds(radiusd_t)
-
-files_read_usr_files(radiusd_t)
-files_read_etc_files(radiusd_t)
-files_read_etc_runtime_files(radiusd_t)
-
-init_use_fds(radiusd_t)
-init_use_script_ptys(radiusd_t)
-
-libs_use_ld_so(radiusd_t)
-libs_use_shared_libs(radiusd_t)
-libs_exec_lib_files(radiusd_t)
-
-logging_send_syslog_msg(radiusd_t)
-
-miscfiles_read_localization(radiusd_t)
-
-sysnet_read_config(radiusd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
-userdom_dontaudit_search_sysadm_home_dirs(radiusd_t)
-userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(radiusd_t)
-	term_dontaudit_use_generic_ptys(radiusd_t)
-	files_dontaudit_read_root_files(radiusd_t)
-')
-
-optional_policy(`
-	cron_system_entry(radiusd_t,radiusd_exec_t)
-')
-
-optional_policy(`
-	logrotate_exec(radiusd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(radiusd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(radiusd_t)
-')
-
-optional_policy(`
-	snmp_tcp_connect(radiusd_t)
-')
-
-optional_policy(`
-	udev_read_db(radiusd_t)
-')
diff --git a/refpolicy/policy/modules/services/radvd.fc b/refpolicy/policy/modules/services/radvd.fc
deleted file mode 100644
index c699ccd..0000000
--- a/refpolicy/policy/modules/services/radvd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-
-/etc/radvd\.conf	--	gen_context(system_u:object_r:radvd_etc_t,s0)
-
-/usr/sbin/radvd		--	gen_context(system_u:object_r:radvd_exec_t,s0)
-
-/var/run/radvd\.pid	--	gen_context(system_u:object_r:radvd_var_run_t,s0)
-/var/run/radvd(/.*)?		gen_context(system_u:object_r:radvd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/radvd.if b/refpolicy/policy/modules/services/radvd.if
deleted file mode 100644
index 6fe38b7..0000000
--- a/refpolicy/policy/modules/services/radvd.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>IPv6 router advertisement daemon</summary>
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
deleted file mode 100644
index a4c9bc8..0000000
--- a/refpolicy/policy/modules/services/radvd.te
+++ /dev/null
@@ -1,95 +0,0 @@
-
-policy_module(radvd,1.1.1)
-
-########################################
-#
-# Declarations
-#
-type radvd_t;
-type radvd_exec_t;
-init_daemon_domain(radvd_t,radvd_exec_t)
-
-type radvd_var_run_t;
-files_pid_file(radvd_var_run_t)
-
-type radvd_etc_t;
-files_config_file(radvd_etc_t)
-
-########################################
-#
-# Local policy
-#
-allow radvd_t self:capability { setgid setuid net_raw };
-dontaudit radvd_t self:capability sys_tty_config;
-allow radvd_t self:process signal_perms;
-allow radvd_t self:unix_dgram_socket create_socket_perms;
-allow radvd_t self:unix_stream_socket create_socket_perms;
-allow radvd_t self:rawip_socket create_socket_perms;
-allow radvd_t self:tcp_socket create_stream_socket_perms;
-allow radvd_t self:udp_socket create_socket_perms;
-
-allow radvd_t radvd_etc_t:file { getattr read };
-
-allow radvd_t radvd_var_run_t:file create_file_perms;
-allow radvd_t radvd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(radvd_t,radvd_var_run_t,file)
-
-kernel_read_kernel_sysctls(radvd_t)
-kernel_read_net_sysctls(radvd_t)
-kernel_read_network_state(radvd_t)
-kernel_read_system_state(radvd_t)
-
-corenet_non_ipsec_sendrecv(radvd_t)
-corenet_tcp_sendrecv_all_if(radvd_t)
-corenet_udp_sendrecv_all_if(radvd_t)
-corenet_raw_sendrecv_all_if(radvd_t)
-corenet_tcp_sendrecv_all_nodes(radvd_t)
-corenet_udp_sendrecv_all_nodes(radvd_t)
-corenet_raw_sendrecv_all_nodes(radvd_t)
-corenet_tcp_sendrecv_all_ports(radvd_t)
-corenet_udp_sendrecv_all_ports(radvd_t)
-
-dev_read_sysfs(radvd_t)
-
-fs_getattr_all_fs(radvd_t)
-fs_search_auto_mountpoints(radvd_t)
-
-term_dontaudit_use_console(radvd_t)
-
-domain_use_interactive_fds(radvd_t)
-
-files_read_etc_files(radvd_t)
-files_list_usr(radvd_t)
-
-init_use_fds(radvd_t)
-init_use_script_ptys(radvd_t)
-
-libs_use_ld_so(radvd_t)
-libs_use_shared_libs(radvd_t)
-
-logging_send_syslog_msg(radvd_t)
-
-miscfiles_read_localization(radvd_t)
-
-sysnet_read_config(radvd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(radvd_t)
-userdom_dontaudit_search_sysadm_home_dirs(radvd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(radvd_t)
-	term_dontaudit_use_generic_ptys(radvd_t)
-	files_dontaudit_read_root_files(radvd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(radvd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(radvd_t)
-')
-
-optional_policy(`
-	udev_read_db(radvd_t)
-')
diff --git a/refpolicy/policy/modules/services/razor.fc b/refpolicy/policy/modules/services/razor.fc
deleted file mode 100644
index 82c87b4..0000000
--- a/refpolicy/policy/modules/services/razor.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-ifdef(`strict_policy',`
-HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:ROLE_razor_home_t,s0)
-')
-
-/etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
-
-/usr/bin/razor.*	--	gen_context(system_u:object_r:razor_exec_t,s0)
-
-/var/lib/razor(/.*)?		gen_context(system_u:object_r:razor_var_lib_t,s0)
-/var/log/razor-agent.log --	gen_context(system_u:object_r:razor_log_t,s0)
diff --git a/refpolicy/policy/modules/services/razor.if b/refpolicy/policy/modules/services/razor.if
deleted file mode 100644
index 26b3637..0000000
--- a/refpolicy/policy/modules/services/razor.if
+++ /dev/null
@@ -1,217 +0,0 @@
-## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
-## <desc>
-##	<p>
-##	A distributed, collaborative, spam detection and filtering network.
-##	</p>
-##	<p>
-##	This policy will work with either the ATrpms provided config
-##	file in /etc/razor, or with the default of dumping everything into
-##	$HOME/.razor.
-##	</p>
-## </desc>
-
-#######################################
-## <summary>
-##	Template to create types and rules common to
-##	all razor domains.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`razor_common_domain_template',`
-
-	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_t self:fd use;
-	allow $1_t self:fifo_file rw_file_perms;
-	allow $1_t self:unix_dgram_socket create_socket_perms;
-	allow $1_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_t self:unix_dgram_socket sendto;
-	allow $1_t self:unix_stream_socket connectto;
-	allow $1_t self:shm create_shm_perms;
-	allow $1_t self:sem create_sem_perms;
-	allow $1_t self:msgq create_msgq_perms;
-	allow $1_t self:msg { send receive };
-	allow $1_t self:tcp_socket create_socket_perms;
-
-	# Read system config file
-	allow $1_t razor_etc_t:dir list_dir_perms;
-	allow $1_t razor_etc_t:file read_file_perms;
-	allow $1_t razor_etc_t:lnk_file { getattr read };
-
-	allow $1_t razor_log_t:dir manage_dir_perms;
-	allow $1_t razor_log_t:file manage_file_perms;
-	allow $1_t razor_log_t:lnk_file create_lnk_perms;
-	logging_log_filetrans($1_t,razor_log_t,file)
-
-	allow $1_t razor_var_lib_t:dir manage_dir_perms;
-	allow $1_t razor_var_lib_t:file manage_file_perms;
-	allow $1_t razor_var_lib_t:lnk_file create_lnk_perms;
-	files_search_var_lib($1_t)
-
-	# Razor is one executable and several symlinks
-	allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
-
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
-	kernel_read_software_raid_state($1_t)
-	kernel_getattr_core_if($1_t)
-	kernel_getattr_message_if($1_t)
-	kernel_read_kernel_sysctls($1_t)
-
-	corecmd_exec_bin($1_t)
-
-	corenet_non_ipsec_sendrecv($1_t)
-	corenet_tcp_sendrecv_generic_if($1_t)
-	corenet_raw_sendrecv_generic_if($1_t)
-	corenet_tcp_sendrecv_all_nodes($1_t)
-	corenet_raw_sendrecv_all_nodes($1_t)
-	corenet_tcp_sendrecv_razor_port($1_t)
-
-	# mktemp and other randoms
-	dev_read_rand($1_t)
-	dev_read_urand($1_t)
-
-	files_search_pids($1_t)
-	# Allow access to various files in the /etc/directory including mtab
-	# and nsswitch
-	files_read_etc_files($1_t)
-	files_read_etc_runtime_files($1_t)
-
-	fs_search_auto_mountpoints($1_t)
-
-	libs_use_ld_so($1_t)
-	libs_use_shared_libs($1_t)
-	libs_read_lib_files($1_t)
-
-	miscfiles_read_localization($1_t)
-
-	sysnet_read_config($1_t)
-	sysnet_dns_name_resolve($1_t)
-
-	userdom_use_unpriv_users_fds($1_t)
-
-	optional_policy(`
-		nis_use_ypbind($1_t)
-	')
-')
-
-#######################################
-## <summary>
-##	The per user domain template for the razor module.
-## </summary>
-## <desc>
-##	<p>
-##	The per user domain template for the razor module.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`razor_per_userdomain_template',`
-
-	type $1_razor_t;
-	domain_type($1_razor_t)
-	domain_entry_file($1_razor_t,razor_exec_t)
-	razor_common_domain_template($1_razor)
-	role $3 types $1_razor_t;
-
-	type $1_razor_home_t alias $1_razor_rw_t;
-	files_poly_member($1_razor_home_t)
-	userdom_user_home_content($1,$1_razor_home_t)
-
-	type $1_razor_tmp_t;
-	files_tmp_file($1_razor_tmp_t)
-
-	##############################
-	#
-	# Local policy
-	#
-
-	allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
-
-	allow $1_razor_t $1_razor_home_t:dir manage_dir_perms;
-	allow $1_razor_t $1_razor_home_t:file manage_file_perms;
-	allow $1_razor_t $1_razor_home_t:lnk_file create_lnk_perms;
-	userdom_user_home_dir_filetrans($1,$1_razor_t,$1_razor_home_t,dir)
-
-	allow $1_razor_t $1_razor_tmp_t:dir create_dir_perms;
-	allow $1_razor_t $1_razor_tmp_t:file create_file_perms;
-	files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir })
-
-	domain_auto_trans($2, razor_exec_t, $1_razor_t)
-	allow $1_razor_t $2:fd use;
-	allow $1_razor_t $2:fifo_file rw_file_perms;
-	allow $1_razor_t $2:process sigchld;	
-
-	allow $2 $1_razor_home_t:dir manage_dir_perms;
-	allow $2 $1_razor_home_t:file manage_file_perms;
-	allow $2 $1_razor_home_t:lnk_file create_lnk_perms;
-	allow $2 $1_razor_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-	logging_send_syslog_msg($1_razor_t)
-
-	userdom_search_user_home_dirs($1,$1_razor_t)
-	# Allow razor to be run by hand.  Needed by any action other than
-	# invocation from a spam filter.
-	userdom_use_user_terminals($1,$1_razor_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_razor_t)
-		fs_manage_nfs_files($1_razor_t)
-		fs_manage_nfs_symlinks($1_razor_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_razor_t)
-		fs_manage_cifs_files($1_razor_t)
-		fs_manage_cifs_symlinks($1_razor_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_razor_t)
-	')
-')
-
-########################################
-## <summary>
-##	Execute razor in the system razor domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`razor_domtrans',`
-	gen_require(`
-		type razor_t, razor_exec_t;
-	')
-
-	domain_auto_trans($1, razor_exec_t, razor_t)
-	allow razor_t $1:fd use;
-	allow razor_t $1:fifo_file rw_file_perms;
-	allow razor_t $1:process sigchld;	
-')
diff --git a/refpolicy/policy/modules/services/razor.te b/refpolicy/policy/modules/services/razor.te
deleted file mode 100644
index 08e7b72..0000000
--- a/refpolicy/policy/modules/services/razor.te
+++ /dev/null
@@ -1,61 +0,0 @@
-
-policy_module(razor,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type razor_t;
-type razor_exec_t;
-domain_type(razor_t)
-domain_entry_file(razor_t,razor_exec_t)
-razor_common_domain_template(razor)
-role system_r types razor_t;
-
-type razor_etc_t;
-files_config_file(razor_etc_t)
-
-type razor_log_t;
-logging_log_file(razor_log_t)
-
-type razor_var_lib_t;
-files_type(razor_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow razor_t self:tcp_socket create_socket_perms;
-
-allow razor_t razor_etc_t:dir create_dir_perms;
-allow razor_t razor_etc_t:file create_file_perms;
-allow razor_t razor_etc_t:lnk_file create_lnk_perms;
-files_search_etc(razor_t)
-
-allow razor_t razor_log_t:file create_file_perms;
-logging_log_filetrans(razor_t,razor_log_t,file)
-
-allow razor_t razor_var_lib_t:file create_file_perms;
-allow razor_t razor_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(razor_t,razor_var_lib_t,file)
-
-corenet_non_ipsec_sendrecv(razor_t)
-corenet_tcp_sendrecv_generic_if(razor_t)
-corenet_raw_sendrecv_generic_if(razor_t)
-corenet_tcp_sendrecv_all_nodes(razor_t)
-corenet_raw_sendrecv_all_nodes(razor_t)
-corenet_tcp_sendrecv_razor_port(razor_t)
-corenet_tcp_connect_razor_port(razor_t)
-corenet_sendrecv_razor_client_packets(razor_t)
-
-sysnet_read_config(razor_t)
-
-optional_policy(`
-	logging_send_syslog_msg(razor_t)
-')
-
-optional_policy(`
-	nscd_socket_use(razor_t)
-')
diff --git a/refpolicy/policy/modules/services/rdisc.fc b/refpolicy/policy/modules/services/rdisc.fc
deleted file mode 100644
index dee4adc..0000000
--- a/refpolicy/policy/modules/services/rdisc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/sbin/rdisc	--	gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/rdisc.if b/refpolicy/policy/modules/services/rdisc.if
deleted file mode 100644
index c163e27..0000000
--- a/refpolicy/policy/modules/services/rdisc.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Network router discovery daemon</summary>
diff --git a/refpolicy/policy/modules/services/rdisc.te b/refpolicy/policy/modules/services/rdisc.te
deleted file mode 100644
index 72d587d..0000000
--- a/refpolicy/policy/modules/services/rdisc.te
+++ /dev/null
@@ -1,70 +0,0 @@
-
-policy_module(rdisc,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type rdisc_t;
-type rdisc_exec_t;
-init_daemon_domain(rdisc_t,rdisc_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-allow rdisc_t self:capability net_raw;
-dontaudit rdisc_t self:capability sys_tty_config;
-allow rdisc_t self:process signal_perms;
-allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
-allow rdisc_t self:udp_socket create_socket_perms;
-allow rdisc_t self:rawip_socket create_socket_perms;
-
-kernel_list_proc(rdisc_t)
-kernel_read_proc_symlinks(rdisc_t)
-kernel_read_kernel_sysctls(rdisc_t)
-
-corenet_non_ipsec_sendrecv(rdisc_t)
-corenet_udp_sendrecv_generic_if(rdisc_t)
-corenet_raw_sendrecv_generic_if(rdisc_t)
-corenet_udp_sendrecv_all_nodes(rdisc_t)
-corenet_raw_sendrecv_all_nodes(rdisc_t)
-corenet_udp_sendrecv_all_ports(rdisc_t)
-
-dev_read_sysfs(rdisc_t)
-
-fs_search_auto_mountpoints(rdisc_t)
-
-term_dontaudit_use_console(rdisc_t)
-
-domain_use_interactive_fds(rdisc_t)
-
-files_read_etc_files(rdisc_t)
-
-init_use_fds(rdisc_t)
-init_use_script_ptys(rdisc_t)
-
-libs_use_ld_so(rdisc_t)
-libs_use_shared_libs(rdisc_t)
-
-logging_send_syslog_msg(rdisc_t)
-
-sysnet_read_config(rdisc_t)
-
-userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(rdisc_t)
-	term_dontaudit_use_generic_ptys(rdisc_t)
-	files_dontaudit_read_root_files(rdisc_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(rdisc_t)
-')
-
-optional_policy(`
-	udev_read_db(rdisc_t)
-')
diff --git a/refpolicy/policy/modules/services/remotelogin.fc b/refpolicy/policy/modules/services/remotelogin.fc
deleted file mode 100644
index d8691bd..0000000
--- a/refpolicy/policy/modules/services/remotelogin.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-# Remote login currently has no file contexts.
diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if
deleted file mode 100644
index 3b86750..0000000
--- a/refpolicy/policy/modules/services/remotelogin.if
+++ /dev/null
@@ -1,20 +0,0 @@
-## <summary>Policy for rshd, rlogind, and telnetd.</summary>
-
-########################################
-## <summary>
-##	Domain transition to the remote login domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`remotelogin_domtrans',`
-	gen_require(`
-		type remote_login_t;
-	')
-
-	auth_domtrans_login_program($1,remote_login_t)
-')
-
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
deleted file mode 100644
index 18d90dc..0000000
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ /dev/null
@@ -1,170 +0,0 @@
-
-policy_module(remotelogin,1.2.0)
-
-########################################
-#
-# Declarations
-#
-
-type remote_login_t;
-domain_obj_id_change_exemption(remote_login_t)
-domain_subj_id_change_exemption(remote_login_t)
-domain_role_change_exemption(remote_login_t)
-domain_type(remote_login_t)
-domain_interactive_fd(remote_login_t)
-auth_login_entry_type(remote_login_t)
-role system_r types remote_login_t;
-
-type remote_login_tmp_t;
-files_tmp_file(remote_login_tmp_t)
-
-########################################
-#
-# Remote login remote policy
-#
-
-allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow remote_login_t self:process { setrlimit setexec };
-allow remote_login_t self:fd use;
-allow remote_login_t self:fifo_file rw_file_perms;
-allow remote_login_t self:sock_file r_file_perms;
-allow remote_login_t self:unix_dgram_socket create_socket_perms;
-allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
-allow remote_login_t self:unix_dgram_socket sendto;
-allow remote_login_t self:unix_stream_socket connectto;
-allow remote_login_t self:shm create_shm_perms;
-allow remote_login_t self:sem create_sem_perms;
-allow remote_login_t self:msgq create_msgq_perms;
-allow remote_login_t self:msg { send receive };
-
-allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
-allow remote_login_t remote_login_tmp_t:file create_file_perms;
-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
-
-kernel_read_system_state(remote_login_t)
-kernel_read_kernel_sysctls(remote_login_t)
-
-dev_getattr_mouse_dev(remote_login_t)
-dev_setattr_mouse_dev(remote_login_t)
-dev_dontaudit_search_sysfs(remote_login_t)
-# for SSP/ProPolice
-dev_read_urand(remote_login_t)
-
-fs_getattr_xattr_fs(remote_login_t)
-fs_search_auto_mountpoints(remote_login_t)
-
-selinux_get_fs_mount(remote_login_t)
-selinux_validate_context(remote_login_t)
-selinux_compute_access_vector(remote_login_t)
-selinux_compute_create_context(remote_login_t)
-selinux_compute_relabel_context(remote_login_t)
-selinux_compute_user_contexts(remote_login_t)
-
-term_relabel_all_user_ptys(remote_login_t)
-
-auth_domtrans_chk_passwd(remote_login_t)
-auth_dontaudit_read_shadow(remote_login_t)
-auth_rw_login_records(remote_login_t)
-auth_rw_lastlog(remote_login_t)
-auth_rw_faillog(remote_login_t)
-auth_exec_pam(remote_login_t)
-auth_manage_pam_console_data(remote_login_t)
-auth_domtrans_pam_console(remote_login_t)
-
-corecmd_list_bin(remote_login_t)
-corecmd_list_sbin(remote_login_t)
-corecmd_read_bin_symlinks(remote_login_t)
-corecmd_read_sbin_symlinks(remote_login_t)
-# cjp: these are probably not needed:
-corecmd_read_bin_files(remote_login_t)
-corecmd_read_bin_pipes(remote_login_t)
-corecmd_read_bin_sockets(remote_login_t)
-corecmd_read_sbin_files(remote_login_t)
-corecmd_read_sbin_pipes(remote_login_t)
-corecmd_read_sbin_sockets(remote_login_t)
-
-domain_read_all_entry_files(remote_login_t)
-
-files_read_etc_files(remote_login_t)
-files_read_etc_runtime_files(remote_login_t)
-files_list_home(remote_login_t)
-files_read_usr_files(remote_login_t)
-files_list_world_readable(remote_login_t)
-files_read_world_readable_files(remote_login_t)
-files_read_world_readable_symlinks(remote_login_t)
-files_read_world_readable_pipes(remote_login_t)
-files_read_world_readable_sockets(remote_login_t)
-files_list_mnt(remote_login_t)
-files_polyinstantiate_all(remote_login_t)
-# for when /var/mail is a sym-link
-files_read_var_symlinks(remote_login_t)
-
-init_rw_utmp(remote_login_t)
-
-libs_use_ld_so(remote_login_t)
-libs_use_shared_libs(remote_login_t)
-
-logging_send_syslog_msg(remote_login_t)
-
-mls_file_read_up(remote_login_t)
-mls_file_write_down(remote_login_t)
-mls_file_upgrade(remote_login_t)
-mls_file_downgrade(remote_login_t)
-mls_process_set_level(remote_login_t)
-
-seutil_read_config(remote_login_t)
-seutil_read_default_contexts(remote_login_t)
-
-sysnet_dns_name_resolve(remote_login_t)
-
-miscfiles_read_localization(remote_login_t)
-
-userdom_use_unpriv_users_fds(remote_login_t)
-userdom_search_all_users_home_content(remote_login_t)
-# Only permit unprivileged user domains to be entered via rlogin,
-# since very weak authentication is used.
-userdom_signal_unpriv_users(remote_login_t)
-userdom_spec_domtrans_unpriv_users(remote_login_t)
-
-# Search for mail spool file.
-mta_getattr_spool(remote_login_t)
-
-ifdef(`targeted_policy',`
-	unconfined_domain(remote_login_t)
-	unconfined_shell_domtrans(remote_login_t)
-')
-
-tunable_policy(`read_default_t',`
-	files_list_default(remote_login_t)
-	files_read_default_files(remote_login_t)
-	files_read_default_symlinks(remote_login_t)
-	files_read_default_sockets(remote_login_t)
-	files_read_default_pipes(remote_login_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(remote_login_t)
-	fs_read_nfs_symlinks(remote_login_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(remote_login_t)
-	fs_read_cifs_symlinks(remote_login_t)
-')
-
-optional_policy(`
-	alsa_domtrans(remote_login_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(remote_login_t)
-')
-
-optional_policy(`
-	nscd_socket_use(remote_login_t)
-')
-
-optional_policy(`
-	usermanage_read_crack_db(remote_login_t)
-')
diff --git a/refpolicy/policy/modules/services/resmgr.fc b/refpolicy/policy/modules/services/resmgr.fc
deleted file mode 100644
index af810b9..0000000
--- a/refpolicy/policy/modules/services/resmgr.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-
-/etc/resmgr\.conf	--	gen_context(system_u:object_r:resmgrd_etc_t,s0)
-
-/sbin/resmgrd		--	gen_context(system_u:object_r:resmgrd_exec_t,s0)
-
-/var/run/\.resmgr_socket -s	gen_context(system_u:object_r:resmgrd_var_run_t,s0)
-/var/run/resmgr\.pid	--	gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/resmgr.if b/refpolicy/policy/modules/services/resmgr.if
deleted file mode 100644
index d457736..0000000
--- a/refpolicy/policy/modules/services/resmgr.if
+++ /dev/null
@@ -1,22 +0,0 @@
-## <summary>Resource management daemon</summary>
-
-########################################
-## <summary>
-##	Connect to resmgrd over a unix domain
-##	stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`resmgr_stream_connect',`
-	gen_require(`
-		type resmgrd_var_run_t, resmgrd_t;
-	')
-
-	allow $1 resmgrd_t:unix_stream_socket connectto;
-	allow $1 resmgrd_var_run_t:sock_file { getattr write };
-	files_search_pids($1)
-')
diff --git a/refpolicy/policy/modules/services/resmgr.te b/refpolicy/policy/modules/services/resmgr.te
deleted file mode 100644
index 695d7c6..0000000
--- a/refpolicy/policy/modules/services/resmgr.te
+++ /dev/null
@@ -1,81 +0,0 @@
-
-policy_module(resmgr,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type resmgrd_t;
-type resmgrd_exec_t;
-init_daemon_domain(resmgrd_t,resmgrd_exec_t)
-
-type resmgrd_etc_t;
-files_config_file(resmgrd_etc_t)
-
-type resmgrd_var_run_t;
-files_pid_file(resmgrd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
-dontaudit resmgrd_t self:capability sys_tty_config;
-allow resmgrd_t self:process signal_perms;
-
-allow resmgrd_t resmgrd_etc_t:file { getattr read };
-files_search_etc(resmgrd_t)
-
-allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
-allow resmgrd_t resmgrd_var_run_t:sock_file manage_file_perms;
-files_pid_filetrans(resmgrd_t,resmgrd_var_run_t,{ file sock_file })
-
-kernel_list_proc(resmgrd_t)
-kernel_read_proc_symlinks(resmgrd_t)
-kernel_read_kernel_sysctls(resmgrd_t)
-
-dev_read_sysfs(resmgrd_t)
-dev_getattr_scanner_dev(resmgrd_t)
-
-domain_use_interactive_fds(resmgrd_t)
-
-files_read_etc_files(resmgrd_t)
-
-fs_search_auto_mountpoints(resmgrd_t)
-
-storage_dontaudit_read_fixed_disk(resmgrd_t)
-storage_read_scsi_generic(resmgrd_t)
-storage_raw_read_removable_device(resmgrd_t)
-# not sure if it needs write access, needs to be investigated further...
-storage_write_scsi_generic(resmgrd_t)
-storage_raw_write_removable_device(resmgrd_t)
-
-term_dontaudit_use_console(resmgrd_t)
-
-init_use_fds(resmgrd_t)
-init_use_script_ptys(resmgrd_t)
-
-libs_use_ld_so(resmgrd_t)
-libs_use_shared_libs(resmgrd_t)
-
-logging_send_syslog_msg(resmgrd_t)
-
-miscfiles_read_localization(resmgrd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(resmgrd_t)
-	term_dontaudit_use_generic_ptys(resmgrd_t)
-	files_dontaudit_read_root_files(resmgrd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(resmgrd_t)
-')
-
-optional_policy(`
-	udev_read_db(resmgrd_t)
-')
diff --git a/refpolicy/policy/modules/services/rhgb.fc b/refpolicy/policy/modules/services/rhgb.fc
deleted file mode 100644
index 9e5d31b..0000000
--- a/refpolicy/policy/modules/services/rhgb.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# /usr
-#
-/usr/bin/rhgb		--	gen_context(system_u:object_r:rhgb_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/rhgb.if b/refpolicy/policy/modules/services/rhgb.if
deleted file mode 100644
index 639ece6..0000000
--- a/refpolicy/policy/modules/services/rhgb.if
+++ /dev/null
@@ -1,126 +0,0 @@
-## <summary> Red Hat Graphical Boot </summary>
-
-########################################
-## <summary>
-##	RHGB stub interface.  No access allowed.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	N/A
-##	</summary>
-## </param>
-#
-interface(`rhgb_stub',`
-	gen_require(`
-		type rhgb_t;
-	')
-')
-
-########################################
-## <summary>
-##	Use a rhgb file descriptor.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rhgb_use_fds',`
-	gen_require(`
-		type rhgb_t;
-	')
-
-	allow $1 rhgb_t:fd use;
-')
-
-########################################
-## <summary>
-##	Read and write to unix stream sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rhgb_rw_stream_sockets',`
-	gen_require(`
-		type rhgb_t;
-	')
-
-	allow $1 rhgb_t:unix_stream_socket { read write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write
-##	rhgb unix domain stream sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rhgb_dontaudit_rw_stream_sockets',`
-	gen_require(`
-		type rhgb_t;
-	')
-
-	dontaudit $1 rhgb_t:unix_stream_socket { read write };
-')
-
-########################################
-## <summary>
-##	Connected to rhgb unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rhgb_stream_connect',`
-	gen_require(`
-		type rhgb_t;
-	')
-
-	allow $1 rhgb_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Read and write to rhgb shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rhgb_rw_shm',`
-	gen_require(`
-		type rhgb_t;
-	')
-
-	allow $1 rhgb_t:shm rw_shm_perms;
-')
-
-########################################
-## <summary>
-##	Read and write to rhgb temporary file system.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rhgb_rw_tmpfs_files',`
-	gen_require(`
-		type rhgb_tmpfs_t;
-	')
-
-	allow $1 rhgb_tmpfs_t:file { read write };
-')
diff --git a/refpolicy/policy/modules/services/rhgb.te b/refpolicy/policy/modules/services/rhgb.te
deleted file mode 100644
index c12d219..0000000
--- a/refpolicy/policy/modules/services/rhgb.te
+++ /dev/null
@@ -1,146 +0,0 @@
-
-policy_module(rhgb,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type rhgb_t;
-type rhgb_exec_t;
-init_daemon_domain(rhgb_t,rhgb_exec_t)
-
-type rhgb_devpts_t;
-term_pty(rhgb_devpts_t)
-
-type rhgb_tmpfs_t;
-files_tmpfs_file(rhgb_tmpfs_t)
-
-########################################
-#
-# Local policy
-#
-
-allow rhgb_t self:capability { sys_admin sys_tty_config };
-dontaudit rhgb_t self:capability sys_tty_config;
-allow rhgb_t self:process signal_perms;
-allow rhgb_t self:shm create_shm_perms;
-allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
-allow rhgb_t self:fifo_file rw_file_perms;
-allow rhgb_t self:tcp_socket create_socket_perms;
-allow rhgb_t self:udp_socket create_socket_perms;
-
-allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
-term_create_pty(rhgb_t,rhgb_devpts_t)
-
-allow rhgb_t rhgb_tmpfs_t:dir manage_dir_perms;
-allow rhgb_t rhgb_tmpfs_t:file manage_file_perms;
-allow rhgb_t rhgb_tmpfs_t:lnk_file create_lnk_perms;
-allow rhgb_t rhgb_tmpfs_t:sock_file manage_file_perms;
-allow rhgb_t rhgb_tmpfs_t:fifo_file manage_file_perms;
-fs_tmpfs_filetrans(rhgb_t,rhgb_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-kernel_read_kernel_sysctls(rhgb_t)
-kernel_read_system_state(rhgb_t)
-
-corecmd_exec_bin(rhgb_t)
-corecmd_exec_sbin(rhgb_t)
-
-corenet_non_ipsec_sendrecv(rhgb_t)
-corenet_tcp_sendrecv_generic_if(rhgb_t)
-corenet_udp_sendrecv_generic_if(rhgb_t)
-corenet_tcp_sendrecv_all_nodes(rhgb_t)
-corenet_udp_sendrecv_all_nodes(rhgb_t)
-corenet_tcp_sendrecv_all_ports(rhgb_t)
-corenet_udp_sendrecv_all_ports(rhgb_t)
-corenet_tcp_connect_all_ports(rhgb_t)
-corenet_sendrecv_all_client_packets(rhgb_t)
-
-dev_read_sysfs(rhgb_t)
-
-domain_use_interactive_fds(rhgb_t)
-
-files_read_etc_files(rhgb_t)
-files_read_etc_runtime_files(rhgb_t)
-files_search_tmp(rhgb_t)
-files_read_usr_files(rhgb_t)
-files_mounton_mnt(rhgb_t)
-files_dontaudit_read_default_files(rhgb_t)
-files_dontaudit_search_pids(rhgb_t)
-# for nscd
-files_dontaudit_search_var(rhgb_t)
-
-fs_search_auto_mountpoints(rhgb_t)
-fs_mount_ramfs(rhgb_t)
-fs_unmount_ramfs(rhgb_t)
-# for ramfs file systems
-fs_manage_ramfs_files(rhgb_t)
-fs_manage_ramfs_pipes(rhgb_t)
-fs_manage_ramfs_sockets(rhgb_t)
-
-term_dontaudit_use_console(rhgb_t)
-term_use_unallocated_ttys(rhgb_t)
-
-init_use_fds(rhgb_t)
-init_use_script_ptys(rhgb_t)
-init_write_initctl(rhgb_t)
-
-libs_use_ld_so(rhgb_t)
-libs_use_shared_libs(rhgb_t)
-# for localization
-libs_read_lib_files(rhgb_t)
-
-logging_send_syslog_msg(rhgb_t)
-
-miscfiles_read_localization(rhgb_t)
-miscfiles_read_fonts(rhgb_t)
-
-sysnet_read_config(rhgb_t)
-
-userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
-
-xserver_read_xdm_xserver_tmp_files(rhgb_t)
-xserver_kill_xdm_xserver(rhgb_t)
-# for running setxkbmap
-xserver_read_xkb_libs(rhgb_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_generic_ptys(rhgb_t)
-	files_dontaudit_read_root_files(rhgb_t)
-')
-
-optional_policy(`
-	firstboot_read_rw_files(rhgb_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(rhgb_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(rhgb_t)
-')
-
-optional_policy(`
-	udev_read_db(rhgb_t)
-')
-
-ifdef(`TODO',`
-	#TODO
-	ifdef(`hide_broken_symptoms', `
-		# for a bug in the X server
-		dontaudit mount_t rhgb_gph_t:fd use;
-	')
-	#TODO this seems a bit much
-	allow domain rhgb_devpts_t:chr_file { read write };
-	#TODO this (ie files_dontaudit_read_default_files(rhgb_t))doesn't make sense with the following
-	allow rhgb_t default_t:file { getattr read };
-	#TODO
-	# for gnome-pty-helper
-	gph_domain(rhgb, system)
-	allow initrc_t rhgb_gph_t:fd use;
-	ifdef(`hide_broken_symptoms', `
-		# it should not do this
-		dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-	')
-')
diff --git a/refpolicy/policy/modules/services/rlogin.fc b/refpolicy/policy/modules/services/rlogin.fc
deleted file mode 100644
index b447800..0000000
--- a/refpolicy/policy/modules/services/rlogin.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-
-/usr/kerberos/sbin/klogind	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
-
-/usr/lib(64)?/telnetlogin	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
-
-/usr/sbin/in\.rlogind		--	gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/rlogin.if b/refpolicy/policy/modules/services/rlogin.if
deleted file mode 100644
index 9326e5a..0000000
--- a/refpolicy/policy/modules/services/rlogin.if
+++ /dev/null
@@ -1,25 +0,0 @@
-## <summary>Remote login daemon</summary>
-
-########################################
-## <summary>
-##	Execute rlogind in the rlogin domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rlogin_domtrans',`
-	gen_require(`
-		type rlogind_t, rlogind_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,rlogind_exec_t,rlogind_t)
-
-	allow $1 rlogind_t:fd use;
-	allow rlogind_t $1:fd use;
-	allow rlogind_t $1:fifo_file rw_file_perms;
-	allow rlogind_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te
deleted file mode 100644
index 191ac11..0000000
--- a/refpolicy/policy/modules/services/rlogin.te
+++ /dev/null
@@ -1,111 +0,0 @@
-
-policy_module(rlogin,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type rlogind_t;
-type rlogind_exec_t;
-inetd_service_domain(rlogind_t,rlogind_exec_t)
-role system_r types rlogind_t;
-
-type rlogind_devpts_t; #, userpty_type;
-term_login_pty(rlogind_devpts_t)
-
-type rlogind_tmp_t;
-files_tmp_file(rlogind_tmp_t)
-
-type rlogind_var_run_t;
-files_pid_file(rlogind_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
-allow rlogind_t self:process signal_perms;
-allow rlogind_t self:fifo_file rw_file_perms;
-allow rlogind_t self:tcp_socket connected_stream_socket_perms;
-# for identd; cjp: this should probably only be inetd_child rules?
-allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rlogind_t self:capability { setuid setgid };
-
-allow rlogind_t rlogind_devpts_t:chr_file { rw_file_perms setattr };
-term_create_pty(rlogind_t,rlogind_devpts_t)
-
-# for /usr/lib/telnetlogin
-can_exec(rlogind_t, rlogind_exec_t)
-
-allow rlogind_t rlogind_tmp_t:dir create_dir_perms;
-allow rlogind_t rlogind_tmp_t:file create_file_perms;
-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
-
-allow rlogind_t rlogind_var_run_t:file create_file_perms;
-allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)
-
-kernel_read_kernel_sysctls(rlogind_t)
-kernel_read_system_state(rlogind_t)
-kernel_read_network_state(rlogind_t)
-
-corenet_non_ipsec_sendrecv(rlogind_t)
-corenet_tcp_sendrecv_all_if(rlogind_t)
-corenet_udp_sendrecv_all_if(rlogind_t)
-corenet_tcp_sendrecv_all_nodes(rlogind_t)
-corenet_udp_sendrecv_all_nodes(rlogind_t)
-corenet_tcp_sendrecv_all_ports(rlogind_t)
-corenet_udp_sendrecv_all_ports(rlogind_t)
-
-dev_read_urand(rlogind_t)
-
-fs_getattr_xattr_fs(rlogind_t)
-
-auth_domtrans_chk_passwd(rlogind_t)
-auth_rw_login_records(rlogind_t)
-
-files_read_etc_files(rlogind_t)
-files_read_etc_runtime_files(rlogind_t)
-files_search_home(rlogind_t)
-files_search_default(rlogind_t)
-
-init_rw_utmp(rlogind_t)
-
-libs_use_ld_so(rlogind_t)
-libs_use_shared_libs(rlogind_t)
-
-logging_send_syslog_msg(rlogind_t)
-
-miscfiles_read_localization(rlogind_t)
-
-seutil_dontaudit_search_config(rlogind_t)
-
-sysnet_read_config(rlogind_t)
-
-userdom_setattr_unpriv_users_ptys(rlogind_t)
-# cjp: this is egregious
-userdom_read_all_users_home_content_files(rlogind_t)
-
-remotelogin_domtrans(rlogind_t)
-
-optional_policy(`
-	kerberos_read_keytab(rlogind_t)
-
-	# for identd; cjp: this should probably only be inetd_child rules?
-	kerberos_use(rlogind_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(rlogind_t)
-')
-
-optional_policy(`
-	nscd_socket_use(rlogind_t)
-')
-
-ifdef(`TODO',`
-# Allow krb5 rlogind to use fork and open /dev/tty for use
-allow rlogind_t userpty_type:chr_file setattr;
-')
diff --git a/refpolicy/policy/modules/services/roundup.fc b/refpolicy/policy/modules/services/roundup.fc
deleted file mode 100644
index 0b5ac58..0000000
--- a/refpolicy/policy/modules/services/roundup.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# /usr
-#
-/usr/bin/roundup-server         --      gen_context(system_u:object_r:roundup_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/roundup(/.*)?          --      gen_context(system_u:object_r:roundup_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/services/roundup.if b/refpolicy/policy/modules/services/roundup.if
deleted file mode 100644
index f93997c..0000000
--- a/refpolicy/policy/modules/services/roundup.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Roundup Issue Tracking System policy</summary>
diff --git a/refpolicy/policy/modules/services/roundup.te b/refpolicy/policy/modules/services/roundup.te
deleted file mode 100644
index a4dd1ab..0000000
--- a/refpolicy/policy/modules/services/roundup.te
+++ /dev/null
@@ -1,109 +0,0 @@
-
-policy_module(roundup,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type roundup_t;
-type roundup_exec_t;
-init_daemon_domain(roundup_t,roundup_exec_t)
-
-type roundup_var_run_t;
-files_pid_file(roundup_var_run_t)
-
-type roundup_var_lib_t;
-files_type(roundup_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow roundup_t self:capability { setgid setuid };
-dontaudit roundup_t self:capability sys_tty_config;
-allow roundup_t self:process signal_perms;
-allow roundup_t self:unix_stream_socket create_stream_socket_perms;
-allow roundup_t self:tcp_socket create_stream_socket_perms;
-allow roundup_t self:udp_socket create_socket_perms;
-
-allow roundup_t roundup_var_run_t:file create_file_perms;
-allow roundup_t roundup_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(roundup_t,roundup_var_run_t,file)
-
-allow roundup_t roundup_var_lib_t:file create_file_perms;
-allow roundup_t roundup_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(roundup_t,roundup_var_lib_t,file)
-
-kernel_read_kernel_sysctls(roundup_t)
-kernel_list_proc(roundup_t)
-kernel_read_proc_symlinks(roundup_t)
-
-dev_read_sysfs(roundup_t)
-
-# execute python
-corecmd_exec_bin(roundup_t)
-
-corenet_non_ipsec_sendrecv(roundup_t)
-corenet_tcp_sendrecv_generic_if(roundup_t)
-corenet_udp_sendrecv_generic_if(roundup_t)
-corenet_raw_sendrecv_generic_if(roundup_t)
-corenet_tcp_sendrecv_all_nodes(roundup_t)
-corenet_udp_sendrecv_all_nodes(roundup_t)
-corenet_raw_sendrecv_all_nodes(roundup_t)
-corenet_tcp_sendrecv_all_ports(roundup_t)
-corenet_udp_sendrecv_all_ports(roundup_t)
-corenet_tcp_bind_all_nodes(roundup_t)
-corenet_tcp_bind_http_cache_port(roundup_t)
-corenet_tcp_connect_smtp_port(roundup_t)
-corenet_sendrecv_http_cache_server_packets(roundup_t)
-corenet_sendrecv_smtp_client_packets(roundup_t)
-
-# /usr/share/mysql/charsets/Index.xml
-dev_read_urand(roundup_t)
-
-domain_use_interactive_fds(roundup_t)
-
-# /usr/share/mysql/charsets/Index.xml
-files_read_usr_files(roundup_t)
-files_read_etc_files(roundup_t)
-
-fs_getattr_all_fs(roundup_t)
-fs_search_auto_mountpoints(roundup_t)
-
-term_dontaudit_use_console(roundup_t)
-
-init_use_fds(roundup_t)
-init_use_script_ptys(roundup_t)
-
-libs_use_ld_so(roundup_t)
-libs_use_shared_libs(roundup_t)
-
-logging_send_syslog_msg(roundup_t)
-
-miscfiles_read_localization(roundup_t)
-
-sysnet_read_config(roundup_t)
-
-userdom_dontaudit_use_unpriv_user_fds(roundup_t)
-userdom_dontaudit_search_sysadm_home_dirs(roundup_t)
-
-ifdef(`targeted_policy',`
-	files_dontaudit_read_root_files(roundup_t)
-	term_dontaudit_use_unallocated_ttys(roundup_t)
-	term_dontaudit_use_generic_ptys(roundup_t)
-')
-
-optional_policy(`
-	mysql_stream_connect(roundup_t)
-	mysql_search_db(roundup_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(roundup_t)
-')
-
-optional_policy(`
-	udev_read_db(roundup_t)
-')
diff --git a/refpolicy/policy/modules/services/rpc.fc b/refpolicy/policy/modules/services/rpc.fc
deleted file mode 100644
index dbe7c72..0000000
--- a/refpolicy/policy/modules/services/rpc.fc
+++ /dev/null
@@ -1,27 +0,0 @@
-#
-# /etc
-#
-/etc/exports		--	gen_context(system_u:object_r:exports_t,s0)
-
-#
-# /sbin
-#
-/sbin/rpc\..*		--	gen_context(system_u:object_r:rpcd_exec_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/exportfs	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
-/usr/sbin/rpc.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
-/usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
-/usr/sbin/rpc\.mountd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
-/usr/sbin/rpc\.nfsd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
-/usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/nfs(/.*)?		gen_context(system_u:object_r:var_lib_nfs_t,s0)
-
-/var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_var_run_t,s0)
-/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
deleted file mode 100644
index 831a1cb..0000000
--- a/refpolicy/policy/modules/services/rpc.if
+++ /dev/null
@@ -1,351 +0,0 @@
-## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
-
-#######################################
-## <summary>
-##	The template to define a rpc domain.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a domain to be used for
-##	a new rpc daemon.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The type of daemon to be used.
-##	</summary>
-## </param>
-#
-template(`rpc_domain_template', `
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_t;
-	type $1_exec_t;
-	init_daemon_domain($1_t,$1_exec_t)
-	domain_use_interactive_fds($1_t)
-
-	####################################
-	#
-	# Local Policy
-	#
-
-	dontaudit $1_t self:capability { net_admin sys_tty_config };
-	allow $1_t self:capability net_bind_service;
-	allow $1_t self:process signal_perms;
-	allow $1_t self:unix_dgram_socket create_socket_perms;
-	allow $1_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_t self:netlink_route_socket r_netlink_socket_perms;
-	allow $1_t self:tcp_socket create_stream_socket_perms;
-	allow $1_t self:udp_socket create_socket_perms;
-
-	allow $1_t var_lib_nfs_t:dir create_dir_perms;
-	allow $1_t var_lib_nfs_t:file create_file_perms;
-
-	kernel_list_proc($1_t)
-	kernel_read_proc_symlinks($1_t)
-	kernel_read_kernel_sysctls($1_t)
-	# bind to arbitary unused ports
-	kernel_rw_rpc_sysctls($1_t)
-
-	dev_read_sysfs($1_t)
-
-	corenet_non_ipsec_sendrecv($1_t)
-	corenet_tcp_sendrecv_all_if($1_t)
-	corenet_udp_sendrecv_all_if($1_t)
-	corenet_tcp_sendrecv_all_nodes($1_t)
-	corenet_udp_sendrecv_all_nodes($1_t)
-	corenet_tcp_sendrecv_all_ports($1_t)
-	corenet_udp_sendrecv_all_ports($1_t)
-	corenet_tcp_bind_all_nodes($1_t)
-	corenet_udp_bind_all_nodes($1_t)
-	corenet_tcp_bind_reserved_port($1_t)
-	corenet_tcp_bind_reserved_port($1_t)
-	corenet_tcp_connect_all_ports($1_t)
-	corenet_sendrecv_portmap_client_packets($1_t)
-	# do not log when it tries to bind to a port belonging to another domain
-	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-	corenet_dontaudit_udp_bind_all_reserved_ports($1_t)
-	# bind to arbitary unused ports
-	corenet_tcp_bind_generic_port($1_t)
-	corenet_udp_bind_generic_port($1_t)
-	corenet_udp_bind_reserved_port($1_t)
-	corenet_sendrecv_generic_server_packets($1_t)
-
-	fs_search_auto_mountpoints($1_t)
-
-	term_dontaudit_use_console($1_t)
-
-	files_read_etc_files($1_t)
-	files_read_etc_runtime_files($1_t)
-	files_search_var($1_t)
-	files_search_var_lib($1_t)
-
-	init_use_fds($1_t)
-	init_use_script_ptys($1_t)
-
-	libs_use_ld_so($1_t)
-	libs_use_shared_libs($1_t)
-
-	logging_send_syslog_msg($1_t)
-
-	miscfiles_read_localization($1_t)
-
-	sysnet_read_config($1_t)
-
-	userdom_dontaudit_use_unpriv_user_fds($1_t)
-
-	ifdef(`targeted_policy',`
-		term_dontaudit_use_unallocated_ttys($1_t)
-		term_dontaudit_use_generic_ptys($1_t)
-		files_dontaudit_read_root_files($1_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_t)
-	')
-
-	optional_policy(`
-		seutil_sigchld_newrole($1_t)
-	')
-
-	optional_policy(`
-		udev_read_db($1_t)
-	')
-')
-
-########################################
-## <summary>
-##      Send UDP network traffic to rpc and recieve UDP traffic from rpc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpc_udp_send',`
-	gen_require(`
-		type rpc_t;
-	')
-
-	allow $1 rpc_t:udp_socket sendto;
-	allow rpc_t $1:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##      Do not audit attempts to get the attributes
-##	of the NFS export file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpc_dontaudit_getattr_exports',`
-	gen_require(`
-		type exports_t;
-	')
-
-	dontaudit $1 exports_t:file getattr;
-')
-
-########################################
-## <summary>
-##      Allow read access to exports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpc_read_exports',`
-	gen_require(`
-		type exports_t;
-	')
-
-	allow $1 exports_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##      Allow write access to exports.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpc_write_exports',`
-	gen_require(`
-		type exports_t;
-	')
-
-	allow $1 exports_t:file write;
-')
-
-########################################
-## <summary>
-##      Execute domain in nfsd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rpc_domtrans_nfsd',`
-	gen_require(`
-		type nfsd_t, nfsd_exec_t;
-	')
-
-	domain_auto_trans($1,nfsd_exec_t,nfsd_t)
-
-	allow $1 nfsd_t:fd use;
-	allow nfsd_t $1:fd use;
-	allow nfsd_t $1:fifo_file rw_file_perms;
-	allow nfsd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##      Read NFS exported content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rpc_read_nfs_content',`
-	gen_require(`
-		type nfsd_ro_t, nfsd_rw_t;	
-	')
-
-	allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
-	allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
-	allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##      Allow domain to create read and write NFS directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rpc_manage_nfs_rw_content',`
-	gen_require(`
-		type nfsd_rw_t;	
-	')
-
-	allow $1 nfsd_rw_t:dir manage_dir_perms;
-	allow $1 nfsd_rw_t:file manage_file_perms;
-	allow $1 nfsd_rw_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##      Allow domain to create read and write NFS directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rpc_manage_nfs_ro_content',`
-	gen_require(`
-		type nfsd_ro_t;	
-	')
-
-	allow $1 nfsd_ro_t:dir manage_dir_perms;
-	allow $1 nfsd_ro_t:file manage_file_perms;
-	allow $1 nfsd_ro_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##      Allow domain to read and write to an NFS UDP socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rpc_udp_rw_nfs_sockets',`
-	gen_require(`
-		type nfsd_t;	
-	')
-
-	allow $1 nfsd_t:udp_socket rw_socket_perms;
-
-')
-
-########################################
-## <summary>
-##	Send UDP traffic to NFSd.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rpc_udp_send_nfs',`
-	gen_require(`
-		type nfsd_t;
-	')
-
-	allow $1 nfsd_t:udp_socket sendto;
-	allow nfsd_t $1:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Search NFS state data in /var/lib/nfs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rpc_search_nfs_state_data',`
-	gen_require(`
-		type var_lib_nfs_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 var_lib_nfs_t:dir search;
-')
-
-########################################
-## <summary>
-##	Read NFS state data in /var/lib/nfs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rpc_read_nfs_state_data',`
-	gen_require(`
-		type var_lib_nfs_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 var_lib_nfs_t:dir search_dir_perms;
-	allow $1 var_lib_nfs_t:file read_file_perms;
-')
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
deleted file mode 100644
index 8536f77..0000000
--- a/refpolicy/policy/modules/services/rpc.te
+++ /dev/null
@@ -1,162 +0,0 @@
-
-policy_module(rpc,1.2.9)
-
-########################################
-#
-# Declarations
-#
-
-type exports_t;
-files_type(exports_t)
-
-rpc_domain_template(gssd)
-
-type gssd_tmp_t;
-files_tmp_file(gssd_tmp_t)
-
-type rpcd_var_run_t;
-files_pid_file(rpcd_var_run_t)
-
-# rpcd_t is the domain of rpc daemons.
-# rpc_exec_t is the type of rpc daemon programs.
-rpc_domain_template(rpcd)
-
-rpc_domain_template(nfsd)
-
-type nfsd_rw_t;
-files_type(nfsd_rw_t)
-
-type nfsd_ro_t;
-files_type(nfsd_ro_t)
-
-type var_lib_nfs_t;
-files_mountpoint(var_lib_nfs_t)
-
-########################################
-#
-# RPC local policy
-#
-
-allow rpcd_t self:fifo_file rw_file_perms;
-allow rpcd_t self:file { getattr read };
-
-allow rpcd_t rpcd_var_run_t:file manage_file_perms;
-allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
-files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
-
-kernel_search_network_state(rpcd_t) 
-# for rpc.rquotad
-kernel_read_sysctl(rpcd_t)  
-
-dev_read_urand(rpcd_t)
-dev_read_rand(rpcd_t)
-
-fs_list_rpc(rpcd_t)
-fs_read_rpc_files(rpcd_t)
-fs_read_rpc_symlinks(rpcd_t)
-fs_read_rpc_sockets(rpcd_t) 
-term_use_controlling_term(rpcd_t)
-
-# cjp: this should really have its own type
-files_manage_mounttab(rpcd_t)
-
-miscfiles_read_certs(rpcd_t)
-
-seutil_dontaudit_search_config(rpcd_t)
-
-portmap_udp_chat(rpcd_t) 
-
-ifdef(`distro_redhat',`
-	allow rpcd_t self:capability { chown dac_override setgid setuid };
-')
-
-optional_policy(`
-	nis_read_ypserv_config(rpcd_t)
-')
-
-########################################
-#
-# NFSD local policy
-#
-
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
-
-allow nfsd_t exports_t:file { getattr read };
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
-
-# for /proc/fs/nfs/exports - should we have a new type?
-kernel_read_system_state(nfsd_t) 
-kernel_read_network_state(nfsd_t) 
-kernel_udp_send(nfsd_t)
-kernel_tcp_recvfrom(nfsd_t) 
-
-fs_mount_nfsd_fs(nfsd_t) 
-fs_search_nfsd_fs(nfsd_t) 
-fs_getattr_all_fs(nfsd_t) 
-fs_rw_nfsd_fs(nfsd_t) 
-
-term_use_controlling_term(nfsd_t) 
-
-# does not really need this, but it is easier to just allow it
-files_search_pids(nfsd_t) 
-# for exportfs and rpc.mountd
-files_getattr_tmp_dirs(nfsd_t) 
-# cjp: this should really have its own type
-files_manage_mounttab(rpcd_t)
-
-# Read access to public_content_t and public_content_rw_t
-miscfiles_read_public_files(nfsd_t)
-
-portmap_tcp_connect(nfsd_t) 
-portmap_udp_chat(nfsd_t)
-
-# Write access to public_content_t and public_content_rw_t
-tunable_policy(`allow_nfsd_anon_write',`
-	miscfiles_manage_public_files(nfsd_t)
-') 
-
-tunable_policy(`nfs_export_all_rw',`
-	fs_read_noxattr_fs_files(nfsd_t) 
-	auth_manage_all_files_except_shadow(nfsd_t)
-')
-
-tunable_policy(`nfs_export_all_ro',`
-	fs_read_noxattr_fs_files(nfsd_t) 
-	auth_read_all_files_except_shadow(nfsd_t)
-')
-
-########################################
-#
-# GSSD local policy
-#
-
-allow gssd_t self:capability { dac_override dac_read_search setuid };
-allow gssd_t self:fifo_file { read write };
-
-allow gssd_t gssd_tmp_t:dir create_dir_perms;
-allow gssd_t gssd_tmp_t:file create_file_perms;
-files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
-
-kernel_read_network_state(gssd_t)
-kernel_read_network_state_symlinks(gssd_t)	
-
-dev_read_urand(gssd_t)
-
-fs_list_rpc(gssd_t) 
-fs_read_rpc_sockets(gssd_t) 
-fs_read_rpc_files(gssd_t) 
-
-files_list_tmp(gssd_t) 
-files_read_generic_tmp_files(gssd_t) 
-files_read_generic_tmp_symlinks(gssd_t) 
-
-tunable_policy(`allow_gssd_read_tmp',`
-	userdom_list_unpriv_users_tmp(gssd_t) 
-	userdom_read_unpriv_users_tmp_files(gssd_t) 
-	userdom_read_unpriv_users_tmp_symlinks(gssd_t) 
-')
-
-optional_policy(`
-	kerberos_use(gssd_t)
-	kerberos_read_keytab(gssd_t) 
-')
diff --git a/refpolicy/policy/modules/services/rshd.fc b/refpolicy/policy/modules/services/rshd.fc
deleted file mode 100644
index 6a4db03..0000000
--- a/refpolicy/policy/modules/services/rshd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-
-/usr/kerberos/sbin/kshd	--	gen_context(system_u:object_r:rshd_exec_t,s0)
-
-/usr/sbin/in\.rexecd	--	gen_context(system_u:object_r:rshd_exec_t,s0)
-/usr/sbin/in\.rshd	--	gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/rshd.if b/refpolicy/policy/modules/services/rshd.if
deleted file mode 100644
index eefcd30..0000000
--- a/refpolicy/policy/modules/services/rshd.if
+++ /dev/null
@@ -1,26 +0,0 @@
-## <summary>Remote shell service.</summary>
-
-########################################
-## <summary>
-##	Domain transition to rshd.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`rshd_domtrans',`
-	gen_require(`
-		type rshd_exec_t, rshd_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,rshd_exec_t,rshd_t)
-
-	allow $1 rshd_t:fd use;
-	allow rshd_t $1:fd use;
-	allow rshd_t $1:fifo_file rw_file_perms;
-	allow rshd_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
deleted file mode 100644
index aaf4950..0000000
--- a/refpolicy/policy/modules/services/rshd.te
+++ /dev/null
@@ -1,96 +0,0 @@
-
-policy_module(rshd,1.1.1)
-
-########################################
-#
-# Declarations
-#
-type rshd_t;
-type rshd_exec_t;
-inetd_tcp_service_domain(rshd_t,rshd_exec_t)
-domain_subj_id_change_exemption(rshd_t)
-domain_role_change_exemption(rshd_t)
-role system_r types rshd_t;
-
-########################################
-#
-# Local policy
-#
-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
-allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
-allow rshd_t self:fifo_file rw_file_perms;
-allow rshd_t self:tcp_socket create_stream_socket_perms;
-
-kernel_read_kernel_sysctls(rshd_t)
-
-corenet_non_ipsec_sendrecv(rshd_t)
-corenet_tcp_sendrecv_generic_if(rshd_t)
-corenet_udp_sendrecv_generic_if(rshd_t)
-corenet_tcp_sendrecv_all_nodes(rshd_t)
-corenet_udp_sendrecv_all_nodes(rshd_t)
-corenet_tcp_sendrecv_all_ports(rshd_t)
-corenet_udp_sendrecv_all_ports(rshd_t)
-corenet_tcp_bind_all_nodes(rshd_t)
-corenet_tcp_bind_rsh_port(rshd_t)
-corenet_sendrecv_rsh_server_packets(rshd_t)
-
-dev_read_urand(rshd_t)
-
-selinux_get_fs_mount(rshd_t)
-selinux_validate_context(rshd_t)
-selinux_compute_access_vector(rshd_t)
-selinux_compute_create_context(rshd_t)
-selinux_compute_relabel_context(rshd_t)
-selinux_compute_user_contexts(rshd_t)
-
-auth_domtrans_chk_passwd(rshd_t)
-
-corecmd_read_bin_symlinks(rshd_t)
-corecmd_read_sbin_symlinks(rshd_t)
-
-files_list_home(rshd_t)
-files_read_etc_files(rshd_t)
-files_search_tmp(rshd_t)
-
-libs_use_ld_so(rshd_t)
-libs_use_shared_libs(rshd_t)
-
-logging_send_syslog_msg(rshd_t)
-
-miscfiles_read_localization(rshd_t)
-
-seutil_read_config(rshd_t)
-seutil_read_default_contexts(rshd_t)
-
-sysnet_read_config(rshd_t)
-
-userdom_search_all_users_home_content(rshd_t)
-
-ifdef(`targeted_policy',`
-	unconfined_domain(rshd_t)
-	unconfined_shell_domtrans(rshd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(rshd_t)
-	fs_read_nfs_symlinks(rshd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(rshd_t)
-	fs_read_cifs_symlinks(rshd_t)
-')
-
-optional_policy(`
-	kerberos_use(rshd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(rshd_t)
-')
-
-ifdef(`TODO',`
-optional_policy(`
-	allow rshd_t rlogind_tmp_t:file rw_file_perms;
-')
-')
diff --git a/refpolicy/policy/modules/services/rsync.fc b/refpolicy/policy/modules/services/rsync.fc
deleted file mode 100644
index 231149a..0000000
--- a/refpolicy/policy/modules/services/rsync.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/rsync.if b/refpolicy/policy/modules/services/rsync.if
deleted file mode 100644
index 9f1bdd8..0000000
--- a/refpolicy/policy/modules/services/rsync.if
+++ /dev/null
@@ -1,104 +0,0 @@
-## <summary>Fast incremental file transfer for synchronization</summary>
-
-########################################
-## <summary>
-##	Make rsync an entry point for
-##	the specified domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain for which init scripts are an entrypoint.
-##	</summary>
-## </param>
-# cjp: added for portage
-interface(`rsync_entry_type',`
-	gen_require(`
-		type rsync_exec_t;
-	')
-
-	domain_entry_file($1,rsync_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute a rsync in a specified domain.
-## </summary>
-## <desc>
-##      <p>
-##	Execute a rsync in a specified domain.
-##      </p>
-##      <p>
-##      No interprocess communication (signals, pipes,
-##      etc.) is provided by this interface since
-##      the domains are not owned by this module.
-##      </p>
-## </desc>
-## <param name="source_domain">
-##	<summary>
-##	Domain to transition from.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	Domain to transition to.
-##	</summary>
-## </param>
-# cjp: added for portage
-interface(`rsync_entry_spec_domtrans',`
-	gen_require(`
-		type rsync_exec_t;
-	')
-
-	domain_trans($1,rsync_exec_t,$2)
-')
-
-########################################
-## <summary>
-##	Execute a rsync in a specified domain.
-## </summary>
-## <desc>
-##      <p>
-##	Execute a rsync in a specified domain.
-##      </p>
-##      <p>
-##      No interprocess communication (signals, pipes,
-##      etc.) is provided by this interface since
-##      the domains are not owned by this module.
-##      </p>
-## </desc>
-## <param name="source_domain">
-##	<summary>
-##	Domain to transition from.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	Domain to transition to.
-##	</summary>
-## </param>
-# cjp: added for portage
-interface(`rsync_entry_domtrans',`
-	gen_require(`
-		type rsync_exec_t;
-	')
-
-	domain_auto_trans($1,rsync_exec_t,$2)
-')
-
-########################################
-## <summary>
-##	Execute rsync in the caller domain domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rsync_exec',`
-	gen_require(`
-		type rsync_exec_t;
-	')
-
-	can_exec($1,rsync_exec_t)
-')
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
deleted file mode 100644
index 5ba24bb..0000000
--- a/refpolicy/policy/modules/services/rsync.te
+++ /dev/null
@@ -1,110 +0,0 @@
-
-policy_module(rsync,1.2.4)
-
-########################################
-#
-# Declarations
-#
-
-type rsync_t;
-type rsync_exec_t;
-init_daemon_domain(rsync_t,rsync_exec_t)
-role system_r types rsync_t;
-
-type rsync_data_t;
-files_type(rsync_data_t)
-
-type rsync_tmp_t;
-files_tmp_file(rsync_tmp_t)
-
-type rsync_var_run_t;
-files_pid_file(rsync_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow rsync_t self:capability sys_chroot;
-allow rsync_t self:process signal_perms;
-allow rsync_t self:fifo_file rw_file_perms;
-allow rsync_t self:tcp_socket create_stream_socket_perms;
-allow rsync_t self:udp_socket connected_socket_perms;
-
-# for identd
-# cjp: this should probably only be inetd_child_t rules?
-# search home and kerberos also.
-allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rsync_t self:capability { setuid setgid };
-#end for identd
-
-allow rsync_t rsync_data_t:dir r_dir_perms;
-allow rsync_t rsync_data_t:file r_file_perms;
-allow rsync_t rsync_data_t:lnk_file r_file_perms;
-
-allow rsync_t rsync_tmp_t:dir create_dir_perms;
-allow rsync_t rsync_tmp_t:file create_file_perms;
-files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
-
-allow rsync_t rsync_var_run_t:file create_file_perms;
-allow rsync_t rsync_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(rsync_t,rsync_var_run_t,file)
-
-kernel_read_kernel_sysctls(rsync_t)
-kernel_read_system_state(rsync_t)
-kernel_read_network_state(rsync_t)
-
-corenet_non_ipsec_sendrecv(rsync_t)
-corenet_tcp_sendrecv_all_if(rsync_t)
-corenet_udp_sendrecv_all_if(rsync_t)
-corenet_tcp_sendrecv_all_nodes(rsync_t)
-corenet_udp_sendrecv_all_nodes(rsync_t)
-corenet_tcp_sendrecv_all_ports(rsync_t)
-corenet_udp_sendrecv_all_ports(rsync_t)
-corenet_tcp_bind_all_nodes(rsync_t)
-corenet_tcp_bind_rsync_port(rsync_t)
-corenet_sendrecv_rsync_server_packets(rsync_t)
-
-dev_read_urand(rsync_t)
-
-fs_getattr_xattr_fs(rsync_t)
-
-files_read_etc_files(rsync_t)
-files_search_home(rsync_t)
-
-init_dontaudit_use_fds(rsync_t)
-
-libs_use_ld_so(rsync_t)
-libs_use_shared_libs(rsync_t)
-
-logging_send_syslog_msg(rsync_t)
-logging_dontaudit_search_logs(rsync_t)
-
-miscfiles_read_localization(rsync_t)
-miscfiles_read_public_files(rsync_t)
-
-sysnet_read_config(rsync_t)
-
-tunable_policy(`allow_rsync_anon_write',`
-	miscfiles_manage_public_files(rsync_t)
-')
-
-optional_policy(`
-	daemontools_service_domain(rsync_t, rsync_exec_t)
-')
-
-optional_policy(`
-	kerberos_use(rsync_t)
-')
-
-optional_policy(`
-	inetd_service_domain(rsync_t,rsync_exec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(rsync_t)
-')
-
-optional_policy(`
-	nscd_socket_use(rsync_t)
-')
diff --git a/refpolicy/policy/modules/services/samba.fc b/refpolicy/policy/modules/services/samba.fc
deleted file mode 100644
index d0e6b6d..0000000
--- a/refpolicy/policy/modules/services/samba.fc
+++ /dev/null
@@ -1,45 +0,0 @@
-
-#
-# /etc
-#
-/etc/samba/MACHINE\.SID		--	gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba/secrets\.tdb		--	gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba/smbpasswd		--	gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba(/.*)?			gen_context(system_u:object_r:samba_etc_t,s0)
-
-#
-# /usr
-#
-/usr/bin/net			--	gen_context(system_u:object_r:samba_net_exec_t,s0)
-/usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
-/usr/bin/smbmount		--	gen_context(system_u:object_r:smbmount_exec_t,s0)
-/usr/bin/smbmnt			--	gen_context(system_u:object_r:smbmount_exec_t,s0)
-/usr/sbin/swat			--	gen_context(system_u:object_r:swat_exec_t,s0)
-
-/usr/sbin/nmbd			--	gen_context(system_u:object_r:nmbd_exec_t,s0)
-/usr/sbin/smbd			--	gen_context(system_u:object_r:smbd_exec_t,s0)
-/usr/sbin/winbindd		--	gen_context(system_u:object_r:winbind_exec_t,s0)
-
-#
-# /var
-#
-/var/cache/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
-/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-
-/var/lib/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
-
-/var/log/samba(/.*)?			gen_context(system_u:object_r:samba_log_t,s0)
-
-/var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/connections\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/locking\.tdb 	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/messages\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba/namelist\.debug	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba/nmbd\.pid	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba/sessionid\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/smbd\.pid	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/unexpected\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
-
-/var/run/winbindd(/.*)?			gen_context(system_u:object_r:winbind_var_run_t,s0)
-
-/var/spool/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
deleted file mode 100644
index 7cacf8b..0000000
--- a/refpolicy/policy/modules/services/samba.if
+++ /dev/null
@@ -1,392 +0,0 @@
-## <summary>
-##	SMB and CIFS client/server programs for UNIX and
-##	name  Service  Switch  daemon for resolving names
-##	from Windows NT servers.
-## </summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the samba module.
-## </summary>
-## <desc>
-##	<p>
-##	This template allows smbd to manage files in
-##	a user home directory, creating files with the
-##	correct type.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`samba_per_userdomain_template',`
-	gen_require(`
-		type smbd_t;
-	')
-
-	tunable_policy(`samba_enable_home_dirs',`
-		userdom_manage_user_home_content_dirs($1,smbd_t)
-		userdom_manage_user_home_content_files($1,smbd_t)
-		userdom_manage_user_home_content_symlinks($1,smbd_t)
-		userdom_manage_user_home_content_sockets($1,smbd_t)
-		userdom_manage_user_home_content_pipes($1,smbd_t)
-		userdom_user_home_dir_filetrans_user_home_content($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
-	')
-')
-
-########################################
-## <summary>
-##	Execute samba net in the samba_net domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`samba_domtrans_net',`
-	gen_require(`
-		type samba_net_t, samba_net_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1,samba_net_exec_t,samba_net_t)
-
-	allow $1 samba_net_t:fd use;
-	allow samba_net_t $1:fd use;
-	allow samba_net_t $1:fifo_file rw_file_perms;
-	allow samba_net_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute samba net in the samba_net domain, and
-##	allow the specified role the samba_net domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the samba_net domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the samba_net domain to use.
-##	</summary>
-## </param>
-#
-interface(`samba_run_net',`
-	gen_require(`
-		type samba_net_t;
-	')
-
-	samba_domtrans_net($1)
-	role $2 types samba_net_t;
-	allow samba_net_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute smbmount in the smbmount domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`samba_domtrans_smbmount',`
-	gen_require(`
-		type smbmount_t, smbmount_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1,smbmount_exec_t,smbmount_t)
-
-	allow $1 smbmount_t:fd use;
-	allow smbmount_t $1:fd use;
-	allow smbmount_t $1:fifo_file rw_file_perms;
-	allow smbmount_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read
-##	samba configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_read_config',`
-	gen_require(`
-		type samba_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 samba_etc_t:file { read getattr lock };
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read
-##	and write samba configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_rw_config',`
-	gen_require(`
-		type samba_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 samba_etc_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read samba's log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_read_log',`
-	gen_require(`
-		type samba_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 samba_log_t:dir r_dir_perms;
-	allow $1 samba_log_t:file { read getattr lock };
-')
-
-########################################
-## <summary>
-##	Execute samba log in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`samba_exec_log',`
-	gen_require(`
-		type samba_log_t;
-	')
-
-	logging_search_logs($1)
-	can_exec($1,samba_log_t)
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read samba's secrets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_read_secrets',`
-	gen_require(`
-		type samba_secrets_t;
-	')
-
-	files_search_etc($1)
-	allow $1 samba_secrets_t:file { read getattr lock };
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to search
-##	samba /var directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_search_var',`
-	gen_require(`
-		type samba_var_t;
-	')
-
-	files_search_var($1)
-	allow $1 samba_var_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to
-##	read and write samba /var files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_rw_var_files',`
-	gen_require(`
-		type samba_var_t;
-	')
-
-	files_search_var($1)
-	allow $1 samba_var_t:dir search_dir_perms;
-	allow $1 samba_var_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to write to smbmount tcp sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_write_smbmount_tcp_sockets',`
-	gen_require(`
-		type smbmount_t;
-	')
-
-	allow $1 smbmount_t:tcp_socket write;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read and write to smbmount tcp sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_rw_smbmount_tcp_sockets',`
-	gen_require(`
-		type smbmount_t;
-	')
-
-	allow $1 smbmount_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-##	Execute winbind_helper in the winbind_helper domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`samba_domtrans_winbind_helper',`
-	gen_require(`
-		type winbind_helper_t, winbind_helper_exec_t;
-	')
-
-	domain_auto_trans($1,winbind_helper_exec_t,winbind_helper_t)
-
-	allow $1 winbind_helper_t:fd use;
-	allow winbind_helper_t $1:fd use;
-	allow winbind_helper_t $1:fifo_file rw_file_perms;
-	allow winbind_helper_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute winbind_helper in the winbind_helper domain, and
-##	allow the specified role the winbind_helper domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the winbind_helper domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the winbind_helper domain to use.
-##	</summary>
-## </param>
-#
-interface(`samba_run_winbind_helper',`
-	gen_require(`
-		type winbind_helper_t;
-	')
-
-	samba_domtrans_winbind_helper($1)
-	role $2 types winbind_helper_t;
-	allow winbind_helper_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read the winbind pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_read_winbind_pid',`
-	gen_require(`
-		type winbind_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 winbind_var_run_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Connect to winbind.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_stream_connect_winbind',`
-	gen_require(`
-		type samba_var_t, winbind_t, winbind_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 samba_var_t:dir search_dir_perms;
-	allow $1 winbind_var_run_t:dir search_dir_perms;
-	allow $1 winbind_var_run_t:sock_file { getattr read write };
-	allow $1 winbind_t:unix_stream_socket connectto;
-')
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
deleted file mode 100644
index 5577c67..0000000
--- a/refpolicy/policy/modules/services/samba.te
+++ /dev/null
@@ -1,778 +0,0 @@
-
-policy_module(samba,1.2.8)
-
-#################################
-#
-# Declarations
-#
-
-type nmbd_t;
-type nmbd_exec_t;
-init_daemon_domain(nmbd_t,nmbd_exec_t)
-
-type nmbd_var_run_t;
-files_pid_file(nmbd_var_run_t)
-
-type samba_etc_t;
-files_config_file(samba_etc_t)
-
-type samba_log_t;
-logging_log_file(samba_log_t)
-
-type samba_net_t;
-domain_type(samba_net_t)
-role system_r types samba_net_t;
-
-type samba_net_exec_t;
-domain_entry_file(samba_net_t,samba_net_exec_t)
-
-type samba_net_tmp_t;
-files_tmp_file(samba_net_tmp_t)
-
-type samba_secrets_t;
-files_type(samba_secrets_t)
-
-type samba_share_t; # customizable
-files_type(samba_share_t)
-
-type samba_var_t;
-files_type(samba_var_t)
-
-type smbd_t;
-type smbd_exec_t;
-init_daemon_domain(smbd_t,smbd_exec_t)
-
-type smbd_tmp_t;
-files_tmp_file(smbd_tmp_t)
-
-type smbd_var_run_t;
-files_pid_file(smbd_var_run_t)
-
-type smbmount_t;
-domain_type(smbmount_t)
-
-type smbmount_exec_t;
-domain_entry_file(smbmount_t,smbmount_exec_t)
-
-type swat_t;
-type swat_exec_t;
-inetd_service_domain(swat_t,swat_exec_t)
-role system_r types swat_t;
-
-type swat_tmp_t;
-files_tmp_file(swat_tmp_t)
-
-type swat_var_run_t;
-files_pid_file(swat_var_run_t)
-
-type winbind_t;
-type winbind_exec_t;
-init_daemon_domain(winbind_t,winbind_exec_t)
-
-type winbind_helper_t;
-domain_type(winbind_helper_t)
-role system_r types winbind_helper_t;
-
-type winbind_helper_exec_t;
-domain_entry_file(winbind_helper_t,winbind_helper_exec_t)
-
-type winbind_log_t;
-logging_log_file(winbind_log_t)
-
-type winbind_tmp_t;
-files_tmp_file(winbind_tmp_t)
-
-type winbind_var_run_t;
-files_pid_file(winbind_var_run_t)
-
-########################################
-#
-# Samba net local policy
-#
-
-allow samba_net_t self:unix_dgram_socket create_socket_perms;
-allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
-allow samba_net_t self:udp_socket create_socket_perms;
-allow samba_net_t self:tcp_socket create_socket_perms;
-
-allow samba_net_t samba_etc_t:file r_file_perms;
-
-allow samba_net_t samba_secrets_t:file create_file_perms;
-allow samba_net_t samba_etc_t:dir rw_dir_perms;
-type_transition samba_net_t samba_etc_t:file samba_secrets_t;
-
-allow samba_net_t samba_net_tmp_t:dir create_dir_perms;
-allow samba_net_t samba_net_tmp_t:file create_file_perms;
-files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
-
-allow samba_net_t samba_var_t:dir rw_dir_perms;
-allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
-allow samba_net_t samba_var_t:file create_file_perms;
-
-kernel_read_proc_symlinks(samba_net_t)
-
-corenet_tcp_sendrecv_all_if(samba_net_t)
-corenet_udp_sendrecv_all_if(samba_net_t)
-corenet_raw_sendrecv_all_if(samba_net_t)
-corenet_tcp_sendrecv_all_nodes(samba_net_t)
-corenet_udp_sendrecv_all_nodes(samba_net_t)
-corenet_raw_sendrecv_all_nodes(samba_net_t)
-corenet_tcp_sendrecv_all_ports(samba_net_t)
-corenet_udp_sendrecv_all_ports(samba_net_t)
-corenet_non_ipsec_sendrecv(samba_net_t)
-corenet_tcp_bind_all_nodes(samba_net_t)
-corenet_udp_bind_all_nodes(samba_net_t)
-corenet_tcp_connect_smbd_port(samba_net_t)
-
-dev_read_urand(samba_net_t)
-
-domain_use_interactive_fds(samba_net_t)
-
-files_read_etc_files(samba_net_t)
-
-libs_use_ld_so(samba_net_t)
-libs_use_shared_libs(samba_net_t)
-
-logging_send_syslog_msg(samba_net_t)
-
-miscfiles_read_localization(samba_net_t) 
-
-sysnet_read_config(samba_net_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(samba_net_t)
-	term_use_unallocated_ttys(samba_net_t)
-')
-
-optional_policy(`
-	kerberos_use(samba_net_t)
-')
-
-optional_policy(`
-	allow samba_net_t self:tcp_socket create_socket_perms;
-	corenet_tcp_sendrecv_all_if(samba_net_t)
-	corenet_raw_sendrecv_all_if(samba_net_t)
-	corenet_tcp_sendrecv_all_nodes(samba_net_t)
-	corenet_raw_sendrecv_all_nodes(samba_net_t)
-	corenet_tcp_sendrecv_ldap_port(samba_net_t)
-	corenet_non_ipsec_sendrecv(samba_net_t)
-	corenet_tcp_bind_all_nodes(samba_net_t)
-	sysnet_read_config(samba_net_t)
-        corenet_tcp_connect_ldap_port(samba_net_t)
-')
-
-optional_policy(`
-	nscd_socket_use(samba_net_t)
-')
-
-########################################
-#
-# smbd Local policy
-#
-allow smbd_t self:capability { setgid setuid sys_resource lease dac_override dac_read_search };
-dontaudit smbd_t self:capability sys_tty_config;
-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow smbd_t self:process setrlimit;
-allow smbd_t self:fd use;
-allow smbd_t self:fifo_file rw_file_perms;
-allow smbd_t self:msg { send receive };
-allow smbd_t self:msgq create_msgq_perms;
-allow smbd_t self:sem create_sem_perms;
-allow smbd_t self:shm create_shm_perms;
-allow smbd_t self:sock_file r_file_perms;
-allow smbd_t self:tcp_socket create_stream_socket_perms;
-allow smbd_t self:udp_socket create_socket_perms;
-allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
-allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-allow smbd_t samba_etc_t:dir rw_dir_perms;
-allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-
-allow smbd_t samba_log_t:dir ra_dir_perms;
-dontaudit smbd_t samba_log_t:dir remove_name;
-allow smbd_t samba_log_t:file { create ra_file_perms };
-
-allow smbd_t samba_net_tmp_t:file getattr;
-
-allow smbd_t samba_secrets_t:dir rw_dir_perms;
-allow smbd_t samba_secrets_t:file create_file_perms;
-type_transition smbd_t samba_etc_t:file samba_secrets_t;
-
-allow smbd_t samba_share_t:dir create_dir_perms;
-allow smbd_t samba_share_t:file create_file_perms;
-allow smbd_t samba_share_t:lnk_file create_lnk_perms;
-
-allow smbd_t samba_var_t:dir create_dir_perms;
-allow smbd_t samba_var_t:file create_file_perms;
-allow smbd_t samba_var_t:lnk_file create_lnk_perms;
-allow smbd_t samba_var_t:sock_file create_file_perms;
-
-allow smbd_t smbd_tmp_t:dir create_dir_perms;
-allow smbd_t smbd_tmp_t:file create_file_perms;
-files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-
-allow smbd_t nmbd_var_run_t:file rw_file_perms;
-
-allow smbd_t smbd_var_run_t:dir create_dir_perms;
-allow smbd_t smbd_var_run_t:file create_file_perms;
-allow smbd_t smbd_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(smbd_t,smbd_var_run_t,file)
-
-allow smbd_t winbind_var_run_t:sock_file { read write getattr };
-
-kernel_getattr_core_if(smbd_t)
-kernel_getattr_message_if(smbd_t)
-kernel_read_network_state(smbd_t)
-kernel_read_fs_sysctls(smbd_t)
-kernel_read_kernel_sysctls(smbd_t)
-kernel_read_software_raid_state(smbd_t)
-kernel_read_system_state(smbd_t)
-
-corenet_tcp_sendrecv_all_if(smbd_t)
-corenet_udp_sendrecv_all_if(smbd_t)
-corenet_raw_sendrecv_all_if(smbd_t)
-corenet_tcp_sendrecv_all_nodes(smbd_t)
-corenet_udp_sendrecv_all_nodes(smbd_t)
-corenet_raw_sendrecv_all_nodes(smbd_t)
-corenet_tcp_sendrecv_all_ports(smbd_t)
-corenet_udp_sendrecv_all_ports(smbd_t)
-corenet_non_ipsec_sendrecv(smbd_t)
-corenet_tcp_bind_all_nodes(smbd_t)
-corenet_udp_bind_all_nodes(smbd_t)
-corenet_tcp_bind_smbd_port(smbd_t)
-corenet_tcp_connect_ipp_port(smbd_t)
-corenet_tcp_connect_smbd_port(smbd_t)
-
-dev_read_sysfs(smbd_t)
-dev_read_urand(smbd_t)
-dev_getattr_mtrr_dev(smbd_t)
-dev_dontaudit_getattr_usbfs_dirs(smbd_t)
-
-fs_getattr_all_fs(smbd_t)
-fs_get_xattr_fs_quotas(smbd_t)
-fs_search_auto_mountpoints(smbd_t)
-fs_getattr_rpc_dirs(smbd_t)
-
-term_dontaudit_use_console(smbd_t)
-
-auth_use_nsswitch(smbd_t)
-auth_domtrans_chk_passwd(smbd_t)
-
-domain_use_interactive_fds(smbd_t)
-
-files_list_var_lib(smbd_t)
-files_read_etc_files(smbd_t)
-files_read_etc_runtime_files(smbd_t)
-files_read_usr_files(smbd_t)
-files_search_spool(smbd_t)
-# Allow samba to list mnt_t for potential mounted dirs
-files_list_mnt(smbd_t)
-
-init_use_fds(smbd_t)
-init_use_script_ptys(smbd_t)
-init_rw_utmp(smbd_t)
-
-libs_use_ld_so(smbd_t)
-libs_use_shared_libs(smbd_t)
-
-logging_search_logs(smbd_t)
-logging_send_syslog_msg(smbd_t)
-
-miscfiles_read_localization(smbd_t)
-miscfiles_read_public_files(smbd_t)
-
-sysnet_read_config(smbd_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
-userdom_dontaudit_use_unpriv_user_fds(smbd_t)
-userdom_use_unpriv_users_fds(smbd_t)
-
-ifdef(`hide_broken_symptoms', `
-	files_dontaudit_getattr_default_dirs(smbd_t)
-	files_dontaudit_getattr_boot_dirs(smbd_t)
-	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
-')
-
-ifdef(`targeted_policy', `
-	files_dontaudit_read_root_files(smbd_t)
-	term_dontaudit_use_generic_ptys(smbd_t)
-	term_dontaudit_use_unallocated_ttys(smbd_t)
-')
-
-tunable_policy(`allow_smbd_anon_write',`
-	miscfiles_manage_public_files(smbd_t)
-') 
-
-# Support Samba sharing of NFS mount points
-tunable_policy(`samba_share_nfs',`
-	fs_manage_nfs_dirs(smbd_t)
-	fs_manage_nfs_files(smbd_t)
-')
-
-optional_policy(`
-	cups_read_rw_config(smbd_t)
-')
-
-optional_policy(`
-	kerberos_use(smbd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(smbd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(smbd_t)
-')
-
-optional_policy(`
-	rpc_search_nfs_state_data(smbd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(smbd_t)
-')
-
-optional_policy(`
-	udev_read_db(smbd_t)
-')
-
-########################################
-#
-# nmbd Local policy
-#
-
-dontaudit nmbd_t self:capability sys_tty_config;
-allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow nmbd_t self:fd use;
-allow nmbd_t self:fifo_file rw_file_perms;
-allow nmbd_t self:msg { send receive };
-allow nmbd_t self:msgq create_msgq_perms;
-allow nmbd_t self:sem create_sem_perms;
-allow nmbd_t self:shm create_shm_perms;
-allow nmbd_t self:sock_file r_file_perms;
-allow nmbd_t self:tcp_socket create_stream_socket_perms;
-allow nmbd_t self:udp_socket create_socket_perms;
-allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-allow nmbd_t nmbd_var_run_t:file create_file_perms;
-allow nmbd_t nmbd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
-
-allow nmbd_t samba_etc_t:dir { search getattr };
-allow nmbd_t samba_etc_t:file { getattr read };
-
-allow nmbd_t samba_log_t:dir ra_dir_perms;
-allow nmbd_t samba_log_t:file { create ra_file_perms };
-
-allow nmbd_t samba_var_t:dir rw_dir_perms;
-allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
-
-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
-
-kernel_getattr_core_if(nmbd_t)
-kernel_getattr_message_if(nmbd_t)
-kernel_read_kernel_sysctls(nmbd_t)
-kernel_read_network_state(nmbd_t)
-kernel_read_software_raid_state(nmbd_t)
-kernel_read_system_state(nmbd_t)
-
-corenet_non_ipsec_sendrecv(nmbd_t)
-corenet_tcp_sendrecv_all_if(nmbd_t)
-corenet_udp_sendrecv_all_if(nmbd_t)
-corenet_tcp_sendrecv_all_nodes(nmbd_t)
-corenet_udp_sendrecv_all_nodes(nmbd_t)
-corenet_tcp_sendrecv_all_ports(nmbd_t)
-corenet_udp_sendrecv_all_ports(nmbd_t)
-corenet_udp_bind_all_nodes(nmbd_t)
-corenet_udp_bind_nmbd_port(nmbd_t)
-corenet_sendrecv_nmbd_server_packets(nmbd_t)
-corenet_sendrecv_nmbd_client_packets(nmbd_t)
-
-dev_read_sysfs(nmbd_t)
-dev_getattr_mtrr_dev(nmbd_t)
-
-fs_getattr_all_fs(nmbd_t)
-fs_search_auto_mountpoints(nmbd_t)
-
-term_dontaudit_use_console(nmbd_t)
-
-domain_use_interactive_fds(nmbd_t)
-
-files_read_usr_files(nmbd_t)
-files_read_etc_files(nmbd_t)
-
-init_use_fds(nmbd_t)
-init_use_script_ptys(nmbd_t)
-
-libs_use_ld_so(nmbd_t)
-libs_use_shared_libs(nmbd_t)
-
-logging_search_logs(nmbd_t)
-logging_send_syslog_msg(nmbd_t)
-
-miscfiles_read_localization(nmbd_t)
-
-sysnet_read_config(nmbd_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
-userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
-userdom_use_unpriv_users_fds(nmbd_t)
-
-ifdef(`targeted_policy', `
-	files_dontaudit_read_root_files(nmbd_t)
-	term_dontaudit_use_generic_ptys(nmbd_t)
-	term_dontaudit_use_unallocated_ttys(nmbd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(nmbd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(nmbd_t)
-')
-
-optional_policy(`
-	udev_read_db(nmbd_t)
-')
-
-########################################
-#
-# smbmount Local policy
-#
-
-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
-allow smbmount_t self:process { fork signal_perms };
-allow smbmount_t self:tcp_socket create_stream_socket_perms;
-allow smbmount_t self:udp_socket connect;
-allow smbmount_t self:unix_dgram_socket create_socket_perms;
-allow smbmount_t self:unix_stream_socket create_socket_perms;
-
-allow smbmount_t samba_etc_t:dir r_dir_perms;
-allow smbmount_t samba_etc_t:file r_file_perms;
-
-can_exec(smbmount_t, smbmount_exec_t)
-
-allow smbmount_t samba_log_t:dir r_dir_perms; 
-allow smbmount_t samba_log_t:file create_file_perms;
-
-allow smbmount_t samba_secrets_t:file create_file_perms;
-
-allow smbmount_t samba_var_t:dir rw_dir_perms;
-allow smbmount_t samba_var_t:file create_file_perms;
-allow smbmount_t samba_var_t:lnk_file create_lnk_perms;
-
-kernel_read_system_state(smbmount_t)
-
-corenet_tcp_sendrecv_all_if(smbmount_t)
-corenet_raw_sendrecv_all_if(smbmount_t)
-corenet_udp_sendrecv_all_if(smbmount_t)
-corenet_tcp_sendrecv_all_nodes(smbmount_t)
-corenet_raw_sendrecv_all_nodes(smbmount_t)
-corenet_udp_sendrecv_all_nodes(smbmount_t)
-corenet_tcp_sendrecv_all_ports(smbmount_t)
-corenet_udp_sendrecv_all_ports(smbmount_t)
-corenet_non_ipsec_sendrecv(smbmount_t)
-corenet_tcp_bind_all_nodes(smbmount_t)
-corenet_udp_bind_all_nodes(smbmount_t)
-corenet_tcp_connect_all_ports(smbmount_t)
-
-fs_getattr_cifs(smbmount_t)
-fs_mount_cifs(smbmount_t)
-fs_remount_cifs(smbmount_t)
-fs_unmount_cifs(smbmount_t)
-fs_list_cifs(smbmount_t)
-fs_read_cifs_files(smbmount_t)
-
-storage_raw_read_fixed_disk(smbmount_t)
-storage_raw_write_fixed_disk(smbmount_t)
-
-term_list_ptys(smbmount_t)
-term_use_controlling_term(smbmount_t)
-
-corecmd_list_bin(smbmount_t)
-
-files_list_mnt(smbmount_t)
-files_mounton_mnt(smbmount_t)
-files_manage_etc_runtime_files(smbmount_t)
-files_etc_filetrans_etc_runtime(smbmount_t,file)
-files_read_etc_files(smbmount_t)
-
-miscfiles_read_localization(smbmount_t)
-
-mount_use_fds(smbmount_t)
-
-libs_use_ld_so(smbmount_t)
-libs_use_shared_libs(smbmount_t)
-
-locallogin_use_fds(smbmount_t)
-
-logging_search_logs(smbmount_t)
-
-sysnet_read_config(smbmount_t)
-
-userdom_use_all_users_fds(smbmount_t)
-userdom_use_sysadm_ttys(smbmount_t)
-
-optional_policy(`
-	cups_read_rw_config(smbd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(smbmount_t)
-')
-
-optional_policy(`
-	nscd_socket_use(smbmount_t)
-')
-
-########################################
-#
-# SWAT Local policy
-#
-
-allow swat_t self:capability { setuid setgid };
-allow swat_t self:process signal_perms;
-allow swat_t self:fifo_file rw_file_perms;
-allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow swat_t self:netlink_audit_socket create;
-allow swat_t self:tcp_socket create_stream_socket_perms;
-allow swat_t self:udp_socket create_socket_perms;
-
-
-allow swat_t nmbd_exec_t:file { execute read };
-
-allow swat_t samba_etc_t:dir search;
-allow swat_t samba_etc_t:file { getattr write read };
-
-allow swat_t samba_log_t:dir search;
-allow swat_t samba_log_t:file append;
-
-allow swat_t smbd_exec_t:file execute ;
-
-allow swat_t smbd_t:process signull;
-
-allow swat_t smbd_var_run_t:file read;
-
-allow swat_t swat_tmp_t:dir create_dir_perms;
-allow swat_t swat_tmp_t:file create_file_perms;
-files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
-
-allow swat_t swat_var_run_t:file create_file_perms;
-allow swat_t swat_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(swat_t,swat_var_run_t,file)
-
-allow swat_t winbind_exec_t:file execute;
-
-kernel_read_kernel_sysctls(swat_t)
-kernel_read_system_state(swat_t)
-kernel_read_network_state(swat_t)
-
-corecmd_search_sbin(swat_t)
-
-corenet_non_ipsec_sendrecv(swat_t)
-corenet_tcp_sendrecv_generic_if(swat_t)
-corenet_udp_sendrecv_generic_if(swat_t)
-corenet_raw_sendrecv_generic_if(swat_t)
-corenet_tcp_sendrecv_all_nodes(swat_t)
-corenet_udp_sendrecv_all_nodes(swat_t)
-corenet_raw_sendrecv_all_nodes(swat_t)
-corenet_tcp_sendrecv_all_ports(swat_t)
-corenet_udp_sendrecv_all_ports(swat_t)
-corenet_tcp_bind_all_nodes(swat_t)
-corenet_udp_bind_all_nodes(swat_t)
-corenet_tcp_connect_smbd_port(swat_t)
-
-dev_read_urand(swat_t)
-
-files_read_etc_files(swat_t)
-files_search_home(swat_t)
-files_read_usr_files(swat_t)
-fs_getattr_xattr_fs(swat_t)
-
-auth_domtrans_chk_passwd(swat_t)
-
-libs_use_ld_so(swat_t)
-libs_use_shared_libs(swat_t)
-
-logging_send_syslog_msg(swat_t)
-logging_search_logs(swat_t)
-
-miscfiles_read_localization(swat_t)
-
-sysnet_read_config(swat_t)
-
-optional_policy(`
-	cups_read_rw_config(swat_t)
-')
-
-optional_policy(`
-	kerberos_use(swat_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(swat_t)
-')
-
-optional_policy(`
-	nscd_socket_use(swat_t)
-')
-
-########################################
-#
-# Winbind local policy
-#
-
-dontaudit winbind_t self:capability sys_tty_config;
-allow winbind_t self:process signal_perms;
-allow winbind_t self:fifo_file { read write };
-allow winbind_t self:unix_dgram_socket create_socket_perms;
-allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow winbind_t self:tcp_socket create_stream_socket_perms;
-allow winbind_t self:udp_socket create_socket_perms;
-
-allow winbind_t samba_etc_t:dir r_dir_perms;
-allow winbind_t samba_etc_t:lnk_file { getattr read };
-allow winbind_t samba_etc_t:file r_file_perms;
-
-allow winbind_t samba_secrets_t:file create_file_perms;
-allow winbind_t samba_etc_t:dir rw_dir_perms;
-type_transition winbind_t samba_etc_t:file samba_secrets_t;
-
-allow winbind_t samba_log_t:dir rw_dir_perms;
-allow winbind_t samba_log_t:file create_file_perms;
-allow winbind_t samba_log_t:lnk_file create_lnk_perms;
-
-allow winbind_t samba_var_t:dir rw_dir_perms;
-allow winbind_t samba_var_t:file create_file_perms;
-allow winbind_t samba_var_t:lnk_file create_lnk_perms;
-
-allow winbind_t winbind_log_t:file create_file_perms;
-logging_log_filetrans(winbind_t,winbind_log_t,file)
-
-allow winbind_t winbind_tmp_t:dir create_dir_perms;
-allow winbind_t winbind_tmp_t:file create_file_perms;
-files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
-
-allow winbind_t winbind_var_run_t:file create_file_perms;
-allow winbind_t winbind_var_run_t:sock_file create_file_perms;
-allow winbind_t winbind_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(winbind_t,winbind_var_run_t,file)
-
-kernel_read_kernel_sysctls(winbind_t)
-kernel_list_proc(winbind_t)
-kernel_read_proc_symlinks(winbind_t)
-
-corenet_tcp_sendrecv_all_if(winbind_t)
-corenet_udp_sendrecv_all_if(winbind_t)
-corenet_raw_sendrecv_all_if(winbind_t)
-corenet_tcp_sendrecv_all_nodes(winbind_t)
-corenet_udp_sendrecv_all_nodes(winbind_t)
-corenet_raw_sendrecv_all_nodes(winbind_t)
-corenet_tcp_sendrecv_all_ports(winbind_t)
-corenet_udp_sendrecv_all_ports(winbind_t)
-corenet_non_ipsec_sendrecv(winbind_t)
-corenet_tcp_bind_all_nodes(winbind_t)
-corenet_udp_bind_all_nodes(winbind_t)
-corenet_tcp_connect_smbd_port(winbind_t)
-
-dev_read_sysfs(winbind_t)
-dev_read_urand(winbind_t)
-
-fs_getattr_all_fs(winbind_t)
-fs_search_auto_mountpoints(winbind_t)
-
-term_dontaudit_use_console(winbind_t)
-
-auth_domtrans_chk_passwd(winbind_t)
-
-domain_use_interactive_fds(winbind_t)
-
-files_read_etc_files(winbind_t)
-
-init_use_fds(winbind_t)
-init_use_script_ptys(winbind_t)
-
-libs_use_ld_so(winbind_t)
-libs_use_shared_libs(winbind_t)
-
-logging_send_syslog_msg(winbind_t)
-
-miscfiles_read_localization(winbind_t)
-
-sysnet_read_config(winbind_t)
-sysnet_dns_name_resolve(winbind_t)
-
-userdom_dontaudit_use_unpriv_user_fds(winbind_t)
-userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
-userdom_priveleged_home_dir_manager(winbind_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(winbind_t)
-	term_dontaudit_use_generic_ptys(winbind_t)
-	files_dontaudit_read_root_files(winbind_t)
-')
-
-optional_policy(`
-	kerberos_use(winbind_t)
-')
-
-optional_policy(`
-	nscd_socket_use(winbind_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(winbind_t)
-')
-
-optional_policy(`
-	udev_read_db(winbind_t)
-')
-
-########################################
-#
-# Winbind helper local policy
-#
-
-allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
-allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
-
-allow winbind_helper_t samba_etc_t:dir r_dir_perms;
-allow winbind_helper_t samba_etc_t:lnk_file { getattr read };
-allow winbind_helper_t samba_etc_t:file r_file_perms;
-
-allow winbind_helper_t samba_var_t:dir search;
-
-allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
-allow winbind_helper_t winbind_var_run_t:sock_file { getattr read write };
-allow winbind_helper_t winbind_t:unix_stream_socket connectto;
-
-term_list_ptys(winbind_helper_t)
-
-domain_use_interactive_fds(winbind_helper_t)
-
-libs_use_ld_so(winbind_helper_t)
-libs_use_shared_libs(winbind_helper_t)
-
-logging_send_syslog_msg(winbind_helper_t)
-
-miscfiles_read_localization(winbind_helper_t) 
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(winbind_helper_t)
-	term_use_unallocated_ttys(winbind_helper_t)
-')
-
-optional_policy(`
-	nscd_socket_use(winbind_helper_t)
-')
-
-optional_policy(`
-	squid_read_log(winbind_helper_t)
-	squid_append_log(winbind_helper_t)
-')
diff --git a/refpolicy/policy/modules/services/sasl.fc b/refpolicy/policy/modules/services/sasl.fc
deleted file mode 100644
index 2bc1dd8..0000000
--- a/refpolicy/policy/modules/services/sasl.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-
-#
-# /usr
-#
-/usr/sbin/saslauthd	--	gen_context(system_u:object_r:saslauthd_exec_t,s0)
-
-#
-# /var
-#
-/var/run/saslauthd(/.*)?	gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/sasl.if b/refpolicy/policy/modules/services/sasl.if
deleted file mode 100644
index 60a8cfe..0000000
--- a/refpolicy/policy/modules/services/sasl.if
+++ /dev/null
@@ -1,22 +0,0 @@
-## <summary>SASL authentication server</summary>
-
-########################################
-## <summary>
-##	Connect to SASL.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sasl_connect',`
-	gen_require(`
-		type saslauthd_t, saslauthd_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 saslauthd_var_run_t:dir search;
-	allow $1 saslauthd_var_run_t:sock_file { read write };
-	allow $1 saslauthd_t:unix_stream_socket connectto;
-')
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
deleted file mode 100644
index 7e858d2..0000000
--- a/refpolicy/policy/modules/services/sasl.te
+++ /dev/null
@@ -1,105 +0,0 @@
-
-policy_module(sasl,1.2.1)
-
-########################################
-#
-# Declarations
-#
-
-type saslauthd_t;
-type saslauthd_exec_t;
-init_daemon_domain(saslauthd_t,saslauthd_exec_t)
-
-type saslauthd_var_run_t;
-files_pid_file(saslauthd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow saslauthd_t self:capability setuid;
-dontaudit saslauthd_t self:capability sys_tty_config;
-allow saslauthd_t self:process signal_perms;
-allow saslauthd_t self:fifo_file { read write };
-allow saslauthd_t self:unix_dgram_socket create_socket_perms;
-allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
-allow saslauthd_t self:tcp_socket create_socket_perms;
-
-allow saslauthd_t saslauthd_var_run_t:file create_file_perms;
-allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
-allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
-
-kernel_read_kernel_sysctls(saslauthd_t)
-kernel_read_system_state(saslauthd_t)
-
-corenet_non_ipsec_sendrecv(saslauthd_t)
-corenet_tcp_sendrecv_all_if(saslauthd_t)
-corenet_tcp_sendrecv_all_nodes(saslauthd_t)
-corenet_tcp_sendrecv_all_ports(saslauthd_t)
-corenet_tcp_connect_pop_port(saslauthd_t)
-corenet_sendrecv_pop_client_packets(saslauthd_t)
-
-dev_read_sysfs(saslauthd_t)
-dev_read_urand(saslauthd_t)
-
-fs_getattr_all_fs(saslauthd_t)
-fs_search_auto_mountpoints(saslauthd_t)
-
-term_dontaudit_use_console(saslauthd_t)
-
-auth_domtrans_chk_passwd(saslauthd_t)
-auth_use_nsswitch(saslauthd_t)
-
-domain_use_interactive_fds(saslauthd_t)
-
-files_read_etc_files(saslauthd_t)
-files_dontaudit_read_etc_runtime_files(saslauthd_t)
-files_search_var_lib(saslauthd_t)
-files_dontaudit_getattr_home_dir(saslauthd_t)
-files_dontaudit_getattr_tmp_dirs(saslauthd_t)
-
-init_use_fds(saslauthd_t)
-init_use_script_ptys(saslauthd_t)
-init_dontaudit_stream_connect_script(saslauthd_t)
-
-libs_use_ld_so(saslauthd_t)
-libs_use_shared_libs(saslauthd_t)
-
-logging_send_syslog_msg(saslauthd_t)
-
-miscfiles_read_localization(saslauthd_t)
-miscfiles_read_certs(saslauthd_t)
-
-seutil_dontaudit_read_config(saslauthd_t)
-
-sysnet_read_config(saslauthd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
-userdom_dontaudit_search_sysadm_home_dirs(saslauthd_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(saslauthd_t)
-	term_dontaudit_use_generic_ptys(saslauthd_t)
-	files_dontaudit_read_root_files(saslauthd_t)
-')
-
-# cjp: typeattribute dont work in conditionals yet
-auth_can_read_shadow_passwords(saslauthd_t)
-tunable_policy(`allow_saslauthd_read_shadow',`
-	auth_tunable_read_shadow(saslauthd_t) 
-')
-
-optional_policy(`
-	mysql_search_db(saslauthd_t)
-	mysql_stream_connect(saslauthd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(saslauthd_t)
-')
-
-optional_policy(`
-	udev_read_db(saslauthd_t)
-')
diff --git a/refpolicy/policy/modules/services/sendmail.fc b/refpolicy/policy/modules/services/sendmail.fc
deleted file mode 100644
index a86ec50..0000000
--- a/refpolicy/policy/modules/services/sendmail.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-
-/var/log/sendmail\.st		--	gen_context(system_u:object_r:sendmail_log_t,s0)
-/var/log/mail(/.*)?			gen_context(system_u:object_r:sendmail_log_t,s0)
-
-/var/run/sendmail\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
-/var/run/sm-client\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
deleted file mode 100644
index 28a0ca6..0000000
--- a/refpolicy/policy/modules/services/sendmail.if
+++ /dev/null
@@ -1,112 +0,0 @@
-## <summary>Policy for sendmail.</summary>
-
-########################################
-## <summary>
-##	Sendmail stub interface.  No access allowed.
-## </summary>
-## <param name="domain" optional="true">
-##	<summary>
-##	N/A
-##	</summary>
-## </param>
-#
-interface(`sendmail_stub',`
-	gen_require(`
-		type sendmail_t;
-	')
-')
-
-########################################
-## <summary>
-##	Domain transition to sendmail.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sendmail_domtrans',`
-	gen_require(`
-		type sendmail_t;
-	')
-
-	mta_sendmail_domtrans($1,sendmail_t)
-
-	allow $1 sendmail_t:fd use;
-	allow sendmail_t $1:fd use;
-	allow sendmail_t $1:fifo_file rw_file_perms;
-	allow sendmail_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Read and write sendmail TCP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sendmail_rw_tcp_sockets',`
-	gen_require(`
-		type sendmail_t;
-	')
-
-	allow $1 sendmail_t:tcp_socket { read write };
-')
-########################################
-## <summary>
-##	Read and write sendmail unix_stream_sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sendmail_rw_unix_stream_sockets',`
-	gen_require(`
-		type sendmail_t;
-	')
-
-	allow $1 sendmail_t:unix_stream_socket { read write };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete sendmail logs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sendmail_manage_log',`
-	gen_require(`
-		type sendmail_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 sendmail_log_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Create sendmail logs with the correct type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sendmail_create_log',`
-	gen_require(`
-		type sendmail_log_t;
-	')
-
-	logging_log_filetrans($1,sendmail_log_t,file)
-')
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
deleted file mode 100644
index 66ae8fe..0000000
--- a/refpolicy/policy/modules/services/sendmail.te
+++ /dev/null
@@ -1,159 +0,0 @@
-
-policy_module(sendmail,1.2.2)
-
-########################################
-#
-# Declarations
-#
-
-type sendmail_log_t;
-logging_log_file(sendmail_log_t)
-
-type sendmail_tmp_t;
-files_tmp_file(sendmail_tmp_t)
-
-type sendmail_var_run_t;
-files_pid_file(sendmail_var_run_t)
-
-type sendmail_t;
-mta_sendmail_mailserver(sendmail_t)
-mta_mailserver_delivery(sendmail_t)
-mta_mailserver_sender(sendmail_t)
-
-########################################
-#
-# Sendmail local policy
-#
-
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process signal;
-allow sendmail_t self:fifo_file rw_file_perms;
-allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
-allow sendmail_t self:unix_dgram_socket create_socket_perms;
-allow sendmail_t self:tcp_socket create_stream_socket_perms;
-allow sendmail_t self:udp_socket create_socket_perms;
-
-allow sendmail_t sendmail_log_t:file create_file_perms;
-allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(sendmail_t,sendmail_log_t,{ file dir })
-
-kernel_read_kernel_sysctls(sendmail_t)
-# for piping mail to a command
-kernel_read_system_state(sendmail_t)
-
-corenet_non_ipsec_sendrecv(sendmail_t)
-corenet_tcp_sendrecv_all_if(sendmail_t)
-corenet_tcp_sendrecv_all_nodes(sendmail_t)
-corenet_tcp_sendrecv_all_ports(sendmail_t)
-corenet_tcp_bind_all_nodes(sendmail_t)
-corenet_tcp_bind_smtp_port(sendmail_t)
-corenet_tcp_connect_all_ports(sendmail_t)
-corenet_sendrecv_smtp_server_packets(sendmail_t)
-corenet_sendrecv_smtp_client_packets(sendmail_t)
-
-dev_read_urand(sendmail_t)
-dev_read_sysfs(sendmail_t)
-
-fs_getattr_all_fs(sendmail_t)
-fs_search_auto_mountpoints(sendmail_t)
-
-term_dontaudit_use_console(sendmail_t)
-
-# for piping mail to a command
-corecmd_exec_shell(sendmail_t)
-corecmd_search_sbin(sendmail_t)
-
-domain_use_interactive_fds(sendmail_t)
-
-files_read_etc_files(sendmail_t)
-files_search_spool(sendmail_t)
-# for piping mail to a command
-files_read_etc_runtime_files(sendmail_t)
-
-init_use_fds(sendmail_t)
-init_use_script_ptys(sendmail_t)
-# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
-init_read_utmp(sendmail_t)
-init_dontaudit_write_utmp(sendmail_t)
-
-libs_use_ld_so(sendmail_t)
-libs_use_shared_libs(sendmail_t)
-# Read /usr/lib/sasl2/.*
-libs_read_lib_files(sendmail_t)
-
-logging_send_syslog_msg(sendmail_t)
-
-miscfiles_read_localization(sendmail_t)
-
-sysnet_dns_name_resolve(sendmail_t)
-sysnet_read_config(sendmail_t)
-
-userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
-userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
-
-mta_read_config(sendmail_t)
-mta_etc_filetrans_aliases(sendmail_t)
-# Write to /etc/aliases and /etc/mail.
-mta_rw_aliases(sendmail_t)
-# Write to /var/spool/mail and /var/spool/mqueue.
-mta_manage_queue(sendmail_t)
-mta_manage_spool(sendmail_t)
-
-ifdef(`targeted_policy',`
-	unconfined_domain(sendmail_t)
-	term_dontaudit_use_unallocated_ttys(sendmail_t)
-	term_dontaudit_use_generic_ptys(sendmail_t)
-	files_dontaudit_read_root_files(sendmail_t)
-',`
-	allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
-	allow sendmail_t sendmail_tmp_t:file create_file_perms;
-	files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
-
-	allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock };
-	files_pid_filetrans(sendmail_t,sendmail_var_run_t,file)
-')
-
-optional_policy(`
-	nis_use_ypbind(sendmail_t)
-')
-
-optional_policy(`
-	nscd_socket_use(sendmail_t)
-')
-
-optional_policy(`
-	postfix_exec_master(sendmail_t)
-	postfix_read_config(sendmail_t)
-	postfix_search_spool(sendmail_t)
-')
-
-optional_policy(`
-	procmail_domtrans(sendmail_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(sendmail_t)
-')
-
-optional_policy(`
-	udev_read_db(sendmail_t)
-')
-
-ifdef(`TODO',`
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file create_file_perms;
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file create_file_perms;
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
-
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
-
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/slrnpull.fc b/refpolicy/policy/modules/services/slrnpull.fc
deleted file mode 100644
index 1714ce0..0000000
--- a/refpolicy/policy/modules/services/slrnpull.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# /usr
-#
-
-/usr/bin/slrnpull	--	gen_context(system_u:object_r:slrnpull_exec_t,s0)
-
-#
-# /var
-#
-/var/spool/slrnpull(/.*)?	gen_context(system_u:object_r:slrnpull_spool_t,s0)
diff --git a/refpolicy/policy/modules/services/slrnpull.if b/refpolicy/policy/modules/services/slrnpull.if
deleted file mode 100644
index bfac15a..0000000
--- a/refpolicy/policy/modules/services/slrnpull.if
+++ /dev/null
@@ -1,42 +0,0 @@
-## <summary>Service for downloading news feeds the slrn newsreader.</summary>
-
-########################################
-## <summary>
-##	Allow the domain to search slrnpull spools.
-## </summary>
-## <param name="pty_type">
-##	<summary>
-##	domain allowed access
-##	</summary>
-## </param>
-#
-interface(`slrnpull_search_spool',`
-	gen_require(`
-		type slrnpull_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 slrnpull_spool_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Allow the domain to create, read,
-##	write, and delete slrnpull spools.
-## </summary>
-## <param name="pty_type">
-##	<summary>
-##	domain allowed access
-##	</summary>
-## </param>
-#
-interface(`slrnpull_manage_spool',`
-	gen_require(`
-		type slrnpull_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 slrnpull_spool_t:dir create_dir_perms;
-	allow $1 slrnpull_spool_t:file create_file_perms;
-	allow $1 slrnpull_spool_t:lnk_file create_lnk_perms;
-')
diff --git a/refpolicy/policy/modules/services/slrnpull.te b/refpolicy/policy/modules/services/slrnpull.te
deleted file mode 100644
index c7de93a..0000000
--- a/refpolicy/policy/modules/services/slrnpull.te
+++ /dev/null
@@ -1,87 +0,0 @@
-
-policy_module(slrnpull,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type slrnpull_t;
-type slrnpull_exec_t;
-init_daemon_domain(slrnpull_t,slrnpull_exec_t)
-
-type slrnpull_var_run_t;
-files_pid_file(slrnpull_var_run_t)
-
-type slrnpull_spool_t;
-files_type(slrnpull_spool_t)
-
-type slrnpull_log_t;
-logging_log_file(slrnpull_log_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit slrnpull_t self:capability sys_tty_config;
-allow slrnpull_t self:process signal_perms;
-
-allow slrnpull_t slrnpull_log_t:file create_file_perms;
-logging_log_filetrans(slrnpull_t,slrnpull_log_t,file)
-
-allow slrnpull_t slrnpull_spool_t:dir rw_dir_perms;
-allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
-allow slrnpull_t slrnpull_spool_t:file create_file_perms;
-allow slrnpull_t slrnpull_spool_t:lnk_file create_lnk_perms;
-files_search_spool(slrnpull_t)
-
-allow slrnpull_t slrnpull_var_run_t:file create_file_perms;
-allow slrnpull_t slrnpull_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(slrnpull_t,slrnpull_var_run_t,file)
-
-kernel_list_proc(slrnpull_t)
-kernel_read_kernel_sysctls(slrnpull_t)
-kernel_read_proc_symlinks(slrnpull_t)
-
-dev_read_sysfs(slrnpull_t)
-
-domain_use_interactive_fds(slrnpull_t)
-
-files_read_etc_files(slrnpull_t)
-
-fs_getattr_all_fs(slrnpull_t)
-fs_search_auto_mountpoints(slrnpull_t)
-
-term_dontaudit_use_console(slrnpull_t)
-
-init_use_fds(slrnpull_t)
-init_use_script_ptys(slrnpull_t)
-
-libs_use_ld_so(slrnpull_t)
-libs_use_shared_libs(slrnpull_t)
-
-logging_send_syslog_msg(slrnpull_t)
-
-miscfiles_read_localization(slrnpull_t)
-
-userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
-userdom_dontaudit_search_sysadm_home_dirs(slrnpull_t)
-
-ifdef(`targeted_policy',`
-	files_dontaudit_read_root_files(slrnpull_t)
-	term_dontaudit_use_unallocated_ttys(slrnpull_t)
-	term_dontaudit_use_generic_ptys(slrnpull_t)
-')
-
-optional_policy(`
-	cron_system_entry(slrnpull_t,slrnpull_exec_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(slrnpull_t)
-')
-
-optional_policy(`
-	udev_read_db(slrnpull_t)
-')
diff --git a/refpolicy/policy/modules/services/smartmon.fc b/refpolicy/policy/modules/services/smartmon.fc
deleted file mode 100644
index a8863e8..0000000
--- a/refpolicy/policy/modules/services/smartmon.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# /usr
-#
-/usr/sbin/smartd		--	gen_context(system_u:object_r:fsdaemon_exec_t,s0)
-
-#
-# /var
-#
-/var/run/smartd\.pid	--	gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
-
diff --git a/refpolicy/policy/modules/services/smartmon.if b/refpolicy/policy/modules/services/smartmon.if
deleted file mode 100644
index c976663..0000000
--- a/refpolicy/policy/modules/services/smartmon.if
+++ /dev/null
@@ -1,19 +0,0 @@
-## <summary>Smart disk monitoring daemon policy</summary>
-
-#######################################
-## <summary>
-##	Allow caller to read smartmon temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The process type reading the temporary files.
-##	</summary>
-## </param>
-#
-interface(`smartmon_read_tmp_files',`
-	gen_require(`
-		type fsdaemon_tmp_t;
-	')
-
-	allow $1 fsdaemon_tmp_t:file { getattr ioctl read };
-')
diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te
deleted file mode 100644
index 3edc67a..0000000
--- a/refpolicy/policy/modules/services/smartmon.te
+++ /dev/null
@@ -1,102 +0,0 @@
-
-policy_module(smartmon,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type fsdaemon_t;
-type fsdaemon_exec_t;
-init_daemon_domain(fsdaemon_t,fsdaemon_exec_t)
-
-type fsdaemon_var_run_t;
-files_pid_file(fsdaemon_var_run_t)
-
-type fsdaemon_tmp_t;
-files_tmp_file(fsdaemon_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
-dontaudit fsdaemon_t self:capability sys_tty_config;
-allow fsdaemon_t self:process signal_perms;
-allow fsdaemon_t self:fifo_file rw_file_perms;
-allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
-allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
-allow fsdaemon_t self:udp_socket create_socket_perms;
-
-allow fsdaemon_t fsdaemon_tmp_t:dir create_dir_perms;
-allow fsdaemon_t fsdaemon_tmp_t:file create_file_perms;
-files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir })
-
-allow fsdaemon_t fsdaemon_var_run_t:file create_file_perms;
-allow fsdaemon_t fsdaemon_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(fsdaemon_t,fsdaemon_var_run_t,file)
-
-kernel_read_kernel_sysctls(fsdaemon_t)
-kernel_read_software_raid_state(fsdaemon_t)
-kernel_read_system_state(fsdaemon_t)
-
-corecmd_exec_all_executables(fsdaemon_t)
-
-corenet_non_ipsec_sendrecv(fsdaemon_t)
-corenet_udp_sendrecv_generic_if(fsdaemon_t)
-corenet_udp_sendrecv_all_nodes(fsdaemon_t)
-corenet_udp_sendrecv_all_ports(fsdaemon_t)
-
-dev_read_sysfs(fsdaemon_t)
-
-domain_use_interactive_fds(fsdaemon_t)
-
-files_exec_etc_files(fsdaemon_t)
-files_read_etc_runtime_files(fsdaemon_t)
-# for config
-files_read_etc_files(fsdaemon_t)
-
-fs_getattr_all_fs(fsdaemon_t)
-fs_search_auto_mountpoints(fsdaemon_t)
-
-storage_raw_read_fixed_disk(fsdaemon_t)
-storage_raw_write_fixed_disk(fsdaemon_t)
-
-term_dontaudit_use_console(fsdaemon_t)
-term_dontaudit_search_ptys(fsdaemon_t)
-
-init_use_fds(fsdaemon_t)
-init_use_script_ptys(fsdaemon_t)
-
-libs_use_ld_so(fsdaemon_t)
-libs_use_shared_libs(fsdaemon_t)
-libs_exec_ld_so(fsdaemon_t)
-libs_exec_lib_files(fsdaemon_t)
-
-logging_send_syslog_msg(fsdaemon_t)
-
-miscfiles_read_localization(fsdaemon_t)
-
-sysnet_read_config(fsdaemon_t)
-
-userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
-userdom_dontaudit_search_sysadm_home_dirs(fsdaemon_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(fsdaemon_t)
-	term_dontaudit_use_generic_ptys(fsdaemon_t)
-	files_dontaudit_read_root_files(fsdaemon_t)
-')
-
-optional_policy(`
-        mta_send_mail(fsdaemon_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(fsdaemon_t)
-')
-
-optional_policy(`
-	udev_read_db(fsdaemon_t)
-')
diff --git a/refpolicy/policy/modules/services/snmp.fc b/refpolicy/policy/modules/services/snmp.fc
deleted file mode 100644
index 5ebade8..0000000
--- a/refpolicy/policy/modules/services/snmp.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#
-# /etc
-#
-
-/etc/snmp/snmp(trap)?d\.conf -- gen_context(system_u:object_r:snmpd_etc_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/snmp(trap)?d	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
-
-/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0)
-
-#
-# /var
-#
-/var/lib/net-snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
-/var/lib/snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
-
-/var/log/snmpd\.log	--	gen_context(system_u:object_r:snmpd_log_t,s0)
-
-/var/net-snmp(/.*)		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
-
-/var/run/snmpd		-d	gen_context(system_u:object_r:snmpd_var_run_t,s0)
-/var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/snmp.if b/refpolicy/policy/modules/services/snmp.if
deleted file mode 100644
index f9ebe44..0000000
--- a/refpolicy/policy/modules/services/snmp.if
+++ /dev/null
@@ -1,59 +0,0 @@
-## <summary>Simple network management protocol services</summary>
-
-########################################
-## <summary>
-##	Use snmp over a TCP connection.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`snmp_tcp_connect',`
-	gen_require(`
-		type snmpd_t;
-	')
-
-	allow $1 snmpd_t:tcp_socket { connectto recvfrom };
-	allow snmpd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
-
-########################################
-## <summary>
-##	Send and receive UDP traffic to SNMP
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`snmp_udp_chat',`
-	gen_require(`
-		type snmpd_t;
-	')
-
-	allow $1 snmpd_t:udp_socket { sendto recvfrom };
-	allow snmpd_t $1:udp_socket { sendto recvfrom };
-')
-
-########################################
-## <summary>
-##	Read snmpd libraries.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`snmp_read_snmp_var_lib_files',`
-	gen_require(`
-		type snmpd_var_lib_t;
-	')
-	allow $1 snmpd_var_lib_t:dir r_dir_perms;
-	allow $1 snmpd_var_lib_t:file r_file_perms;
-	allow $1 snmpd_var_lib_t:lnk_file { getattr read };
-')
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
deleted file mode 100644
index e00284d..0000000
--- a/refpolicy/policy/modules/services/snmp.te
+++ /dev/null
@@ -1,158 +0,0 @@
-
-policy_module(snmp,1.1.2)
-
-########################################
-#
-# Declarations
-#
-type snmpd_t;
-type snmpd_exec_t;
-init_daemon_domain(snmpd_t,snmpd_exec_t)
-
-type snmpd_etc_t;
-files_config_file(snmpd_etc_t)
-
-type snmpd_log_t;
-logging_log_file(snmpd_log_t)
-
-type snmpd_var_run_t;
-files_pid_file(snmpd_var_run_t)
-
-type snmpd_var_lib_t;
-files_type(snmpd_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
-dontaudit snmpd_t self:capability sys_tty_config;
-allow snmpd_t self:fifo_file rw_file_perms;
-allow snmpd_t self:unix_dgram_socket create_socket_perms;
-allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
-allow snmpd_t self:tcp_socket create_stream_socket_perms;
-allow snmpd_t self:udp_socket connected_stream_socket_perms;
-
-allow snmpd_t snmpd_etc_t:file { getattr read };
-
-allow snmpd_t snmpd_log_t:file create_file_perms;
-logging_log_filetrans(snmpd_t,snmpd_log_t,file)
-
-allow snmpd_t snmpd_var_lib_t:file create_file_perms;
-allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
-allow snmpd_t snmpd_var_lib_t:dir create_dir_perms;
-files_usr_filetrans(snmpd_t,snmpd_var_lib_t,file)
-files_var_filetrans(snmpd_t,snmpd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(snmpd_t,snmpd_var_lib_t,file)
-
-allow snmpd_t snmpd_var_run_t:file create_file_perms;
-allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(snmpd_t,snmpd_var_run_t,file)
-
-kernel_read_device_sysctls(snmpd_t)
-kernel_read_kernel_sysctls(snmpd_t)
-kernel_read_net_sysctls(snmpd_t)
-kernel_read_proc_symlinks(snmpd_t)
-kernel_read_system_state(snmpd_t)
-kernel_read_network_state(snmpd_t)
-kernel_tcp_recvfrom(snmpd_t)
-
-corecmd_exec_bin(snmpd_t)
-corecmd_exec_sbin(snmpd_t)
-corecmd_exec_shell(snmpd_t)
-
-corenet_non_ipsec_sendrecv(snmpd_t)
-corenet_tcp_sendrecv_all_if(snmpd_t)
-corenet_udp_sendrecv_all_if(snmpd_t)
-corenet_tcp_sendrecv_all_nodes(snmpd_t)
-corenet_udp_sendrecv_all_nodes(snmpd_t)
-corenet_tcp_sendrecv_all_ports(snmpd_t)
-corenet_udp_sendrecv_all_ports(snmpd_t)
-corenet_tcp_bind_all_nodes(snmpd_t)
-corenet_udp_bind_all_nodes(snmpd_t)
-corenet_tcp_bind_snmp_port(snmpd_t)
-corenet_udp_bind_snmp_port(snmpd_t)
-corenet_sendrecv_snmp_server_packets(snmpd_t)
-
-dev_list_sysfs(snmpd_t)
-dev_read_sysfs(snmpd_t)
-dev_read_urand(snmpd_t)
-dev_read_rand(snmpd_t)
-
-domain_use_interactive_fds(snmpd_t)
-domain_signull_all_domains(snmpd_t)
-domain_read_all_domains_state(snmpd_t)
-
-files_read_etc_files(snmpd_t)
-files_read_usr_files(snmpd_t)
-files_read_etc_runtime_files(snmpd_t)
-files_search_home(snmpd_t)
-
-fs_getattr_all_fs(snmpd_t)
-fs_getattr_rpc_dirs(snmpd_t)
-fs_search_auto_mountpoints(snmpd_t)
-
-storage_dontaudit_read_fixed_disk(snmpd_t)
-storage_dontaudit_read_removable_device(snmpd_t)
-
-term_dontaudit_use_console(snmpd_t)
-
-init_read_utmp(snmpd_t)
-init_use_fds(snmpd_t)
-init_use_script_ptys(snmpd_t)
-init_dontaudit_write_utmp(snmpd_t)
-
-libs_use_ld_so(snmpd_t)
-libs_use_shared_libs(snmpd_t)
-
-logging_send_syslog_msg(snmpd_t)
-
-miscfiles_read_localization(snmpd_t)
-
-seutil_dontaudit_search_config(snmpd_t)
-
-sysnet_read_config(snmpd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(snmpd_t)
-
-ifdef(`distro_redhat', `
-	optional_policy(`
-		rpm_read_db(snmpd_t)
-		rpm_dontaudit_manage_db(snmpd_t)
-	')
-')
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(snmpd_t)
-	term_dontaudit_use_generic_ptys(snmpd_t)
-	files_dontaudit_read_root_files(snmpd_t)
-')
-
-optional_policy(`
-	amanda_dontaudit_read_dumpdates(snmpd_t)
-')
-
-optional_policy(`
-	cups_read_rw_config(snmpd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(snmpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(snmpd_t)
-')
-
-optional_policy(`
-	rpc_search_nfs_state_data(snmpd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(snmpd_t)
-')
-
-optional_policy(`
-	udev_read_db(snmpd_t)
-')
diff --git a/refpolicy/policy/modules/services/snort.fc b/refpolicy/policy/modules/services/snort.fc
deleted file mode 100644
index cfd80ff..0000000
--- a/refpolicy/policy/modules/services/snort.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-
-/etc/snort(/.*)?	gen_context(system_u:object_r:snort_etc_t,s0)
-
-/usr/s?bin/snort --	gen_context(system_u:object_r:snort_exec_t,s0)
-
-/var/log/snort(/.*)?	gen_context(system_u:object_r:snort_log_t,s0)
diff --git a/refpolicy/policy/modules/services/snort.if b/refpolicy/policy/modules/services/snort.if
deleted file mode 100644
index a32cfc8..0000000
--- a/refpolicy/policy/modules/services/snort.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Snort network intrusion detection system</summary>
diff --git a/refpolicy/policy/modules/services/snort.te b/refpolicy/policy/modules/services/snort.te
deleted file mode 100644
index eea79d6..0000000
--- a/refpolicy/policy/modules/services/snort.te
+++ /dev/null
@@ -1,108 +0,0 @@
-
-policy_module(snort,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type snort_t;
-type snort_exec_t;
-init_daemon_domain(snort_t,snort_exec_t)
-
-type snort_etc_t;
-files_type(snort_etc_t)
-
-type snort_log_t;
-logging_log_file(snort_log_t)
-
-type snort_tmp_t;
-files_tmp_file(snort_tmp_t)
-
-type snort_var_run_t;
-files_pid_file(snort_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
-dontaudit snort_t self:capability sys_tty_config;
-allow snort_t self:process signal_perms;
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow snort_t self:tcp_socket create_stream_socket_perms;
-allow snort_t self:udp_socket create_socket_perms;
-allow snort_t self:packet_socket create_socket_perms;
-
-allow snort_t snort_etc_t:dir r_dir_perms;
-allow snort_t snort_etc_t:file r_file_perms;
-allow snort_t snort_etc_t:lnk_file { getattr read };
-
-allow snort_t snort_log_t:file create_file_perms;
-allow snort_t snort_log_t:dir { create rw_dir_perms };
-logging_log_filetrans(snort_t,snort_log_t,{ file dir })
-
-allow snort_t snort_tmp_t:dir create_dir_perms;
-allow snort_t snort_tmp_t:file create_file_perms;
-files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })
-
-allow snort_t snort_var_run_t:file create_file_perms;
-allow snort_t snort_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(snort_t,snort_var_run_t,file)
-
-kernel_read_kernel_sysctls(snort_t)
-kernel_list_proc(snort_t)
-kernel_read_proc_symlinks(snort_t)
-kernel_dontaudit_read_system_state(snort_t)
-
-corenet_non_ipsec_sendrecv(snort_t)
-corenet_tcp_sendrecv_generic_if(snort_t)
-corenet_udp_sendrecv_generic_if(snort_t)
-corenet_raw_sendrecv_generic_if(snort_t)
-corenet_tcp_sendrecv_all_nodes(snort_t)
-corenet_udp_sendrecv_all_nodes(snort_t)
-corenet_raw_sendrecv_all_nodes(snort_t)
-corenet_tcp_sendrecv_all_ports(snort_t)
-corenet_udp_sendrecv_all_ports(snort_t)
-
-dev_read_sysfs(snort_t)
-
-domain_use_interactive_fds(snort_t)
-
-files_read_etc_files(snort_t)
-files_dontaudit_read_etc_runtime_files(snort_t)
-
-fs_getattr_all_fs(snort_t)
-fs_search_auto_mountpoints(snort_t)
-
-term_dontaudit_use_console(snort_t)
-
-init_use_fds(snort_t)
-init_use_script_ptys(snort_t)
-
-libs_use_ld_so(snort_t)
-libs_use_shared_libs(snort_t)
-
-logging_send_syslog_msg(snort_t)
-
-miscfiles_read_localization(snort_t)
-
-sysnet_read_config(snort_t)
-
-userdom_dontaudit_use_unpriv_user_fds(snort_t)
-userdom_dontaudit_search_sysadm_home_dirs(snort_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(snort_t)
-	term_dontaudit_use_generic_ptys(snort_t)
-	files_dontaudit_read_root_files(snort_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(snort_t)
-')
-
-optional_policy(`
-	udev_read_db(snort_t)
-')
diff --git a/refpolicy/policy/modules/services/soundserver.fc b/refpolicy/policy/modules/services/soundserver.fc
deleted file mode 100644
index b930d5f..0000000
--- a/refpolicy/policy/modules/services/soundserver.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-/etc/nas(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
-/etc/yiff(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
-
-/usr/bin/nasd		--	gen_context(system_u:object_r:soundd_exec_t,s0)
-/usr/bin/gpe-soundserver --	gen_context(system_u:object_r:soundd_exec_t,s0)
-
-/usr/sbin/yiff		--	gen_context(system_u:object_r:soundd_exec_t,s0)
-
-/var/run/yiff-[0-9]+\.pid --	gen_context(system_u:object_r:soundd_var_run_t,s0)
-/var/state/yiff(/.*)?		gen_context(system_u:object_r:soundd_state_t,s0)
diff --git a/refpolicy/policy/modules/services/soundserver.if b/refpolicy/policy/modules/services/soundserver.if
deleted file mode 100644
index 4156204..0000000
--- a/refpolicy/policy/modules/services/soundserver.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>sound server for network audio server programs, nasd, yiff, etc</summary>
-
-########################################
-## <summary>
-##	Connect to the sound server over a TCP socket
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`soundserver_tcp_connect',`
-	gen_require(`
-		type soundd_t;
-	')
-
-	allow $1 soundd_t:tcp_socket { connectto recvfrom };
-	allow soundd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
diff --git a/refpolicy/policy/modules/services/soundserver.te b/refpolicy/policy/modules/services/soundserver.te
deleted file mode 100644
index 22ba8e2..0000000
--- a/refpolicy/policy/modules/services/soundserver.te
+++ /dev/null
@@ -1,121 +0,0 @@
-
-policy_module(soundserver,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type soundd_t;
-type soundd_exec_t;
-init_daemon_domain(soundd_t,soundd_exec_t)
-
-type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
-
-type soundd_state_t;
-files_type(soundd_state_t)
-
-type soundd_tmp_t;
-files_tmp_file(soundd_tmp_t)
-
-# for yiff - probably need some rules for the client support too
-type soundd_tmpfs_t;
-files_tmpfs_file(soundd_tmpfs_t)
-
-type soundd_var_run_t;
-files_pid_file(soundd_var_run_t)
-
-########################################
-#
-# Declarations
-#
-
-dontaudit soundd_t self:capability sys_tty_config;
-allow soundd_t self:process { setpgid signal_perms };
-allow soundd_t self:tcp_socket create_stream_socket_perms;
-allow soundd_t self:udp_socket create_socket_perms;
-# for yiff
-allow soundd_t self:shm create_shm_perms;
-
-allow soundd_t soundd_etc_t:dir list_dir_perms;
-allow soundd_t soundd_etc_t:file read_file_perms;
-allow soundd_t soundd_etc_t:lnk_file { getattr read };
-
-allow soundd_t soundd_state_t:dir rw_dir_perms;
-allow soundd_t soundd_state_t:file manage_file_perms;
-allow soundd_t soundd_state_t:lnk_file create_lnk_perms;
-
-allow soundd_t soundd_tmp_t:dir manage_dir_perms;
-allow soundd_t soundd_tmp_t:file manage_file_perms;
-files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir })
-
-allow soundd_t soundd_tmpfs_t:dir rw_dir_perms;
-allow soundd_t soundd_tmpfs_t:file manage_file_perms;
-allow soundd_t soundd_tmpfs_t:lnk_file create_lnk_perms;
-allow soundd_t soundd_tmpfs_t:sock_file manage_file_perms;
-allow soundd_t soundd_tmpfs_t:fifo_file manage_file_perms;
-fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-allow soundd_t soundd_var_run_t:file manage_file_perms;
-allow soundd_t soundd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(soundd_t,soundd_var_run_t,file)
-
-kernel_read_kernel_sysctls(soundd_t)
-kernel_list_proc(soundd_t)
-kernel_read_proc_symlinks(soundd_t)
-kernel_tcp_recvfrom(soundd_t)
-
-corenet_non_ipsec_sendrecv(soundd_t)
-corenet_tcp_sendrecv_generic_if(soundd_t)
-corenet_udp_sendrecv_generic_if(soundd_t)
-corenet_tcp_sendrecv_all_nodes(soundd_t)
-corenet_udp_sendrecv_all_nodes(soundd_t)
-corenet_tcp_sendrecv_all_ports(soundd_t)
-corenet_udp_sendrecv_all_ports(soundd_t)
-corenet_tcp_bind_all_nodes(soundd_t)
-corenet_tcp_bind_soundd_port(soundd_t)
-corenet_sendrecv_soundd_server_packets(soundd_t)
-
-dev_read_sysfs(soundd_t)
-dev_read_sound(soundd_t)
-dev_write_sound(soundd_t)
-
-domain_use_interactive_fds(soundd_t)
-
-files_read_etc_files(soundd_t)
-files_read_etc_runtime_files(soundd_t)
-
-fs_getattr_all_fs(soundd_t)
-fs_search_auto_mountpoints(soundd_t)
-
-term_dontaudit_use_console(soundd_t)
-
-init_use_fds(soundd_t)
-init_use_script_ptys(soundd_t)
-
-libs_use_ld_so(soundd_t)
-libs_use_shared_libs(soundd_t)
-
-logging_send_syslog_msg(soundd_t)
-
-miscfiles_read_localization(soundd_t)
-
-sysnet_read_config(soundd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(soundd_t)
-userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(soundd_t)
-	term_dontaudit_use_generic_ptys(soundd_t)
-	files_dontaudit_read_root_files(soundd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(soundd_t)
-')
-
-optional_policy(`
-	udev_read_db(soundd_t)
-')
diff --git a/refpolicy/policy/modules/services/spamassassin.fc b/refpolicy/policy/modules/services/spamassassin.fc
deleted file mode 100644
index 3da7107..0000000
--- a/refpolicy/policy/modules/services/spamassassin.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-
-/usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
-/usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
-
-/usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
-
-/var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
-')
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
deleted file mode 100644
index 1405466..0000000
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ /dev/null
@@ -1,511 +0,0 @@
-## <summary>Filter used for removing unsolicited email.</summary>
-
-#######################################
-## <summary>
-##	The per user domain template for the spamassassin module.
-## </summary>
-## <desc>
-##	<p>
-##	The per user domain template for the spamassassin module.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-# cjp: when tunables are available, spamc stuff should be
-# toggled on activation of spamc, and similarly for spamd.
-template(`spamassassin_per_userdomain_template',`
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_spamc_t;
-	domain_type($1_spamc_t)
-	domain_entry_file($1_spamc_t,spamc_exec_t)
-	role $3 types $1_spamc_t;
-
-	type $1_spamc_tmp_t;
-	files_tmp_file($1_spamc_tmp_t)
-
-	type $1_spamassassin_t;
-	domain_type($1_spamassassin_t)
-	domain_entry_file($1_spamassassin_t,spamassassin_exec_t)
-	role $3 types $1_spamassassin_t;
-
-	type $1_spamassassin_home_t alias $1_spamassassin_rw_t;
-	userdom_user_home_content($1,$1_spamassassin_home_t)
-	files_poly_member($1_spamassassin_home_t)
-
-	type $1_spamassassin_tmp_t;
-	files_tmp_file($1_spamassassin_tmp_t)
-
-	##############################
-	#
-	# $1_spamc_t local policy
-	#
-
-	allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_spamc_t self:fd use;
-	allow $1_spamc_t self:fifo_file rw_file_perms;
-	allow $1_spamc_t self:sock_file r_file_perms;
-	allow $1_spamc_t self:shm create_shm_perms;
-	allow $1_spamc_t self:sem create_sem_perms;
-	allow $1_spamc_t self:msgq create_msgq_perms;
-	allow $1_spamc_t self:msg { send receive };
-	allow $1_spamc_t self:unix_dgram_socket create_socket_perms;
-	allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_spamc_t self:unix_dgram_socket sendto;
-	allow $1_spamc_t self:unix_stream_socket connectto;
-	allow $1_spamc_t self:tcp_socket create_stream_socket_perms;
-	allow $1_spamc_t self:udp_socket create_socket_perms;
-
-	allow $1_spamc_t $1_spamc_tmp_t:dir create_dir_perms;
-	allow $1_spamc_t $1_spamc_tmp_t:file create_file_perms;
-	files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
-
-	# Allow connecting to a local spamd
-	allow $1_spamc_t spamd_t:tcp_socket { connectto recvfrom };
-	allow spamd_t $1_spamc_t:tcp_socket { acceptfrom recvfrom };
-	allow $1_spamc_t spamd_t:unix_stream_socket connectto;
-	allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
-
-	domain_auto_trans($2, spamc_exec_t, $1_spamc_t)
-	allow $2 $1_spamc_t:fd use;
-	allow $1_spamc_t $2:fd use;
-	allow $1_spamc_t $2:fifo_file rw_file_perms;
-	allow $1_spamc_t $2:process sigchld;
-
-	kernel_read_kernel_sysctls($1_spamc_t)
-	kernel_tcp_recvfrom($1_spamc_t)
-
-	corenet_non_ipsec_sendrecv($1_spamc_t)
-	corenet_tcp_sendrecv_generic_if($1_spamc_t)
-	corenet_udp_sendrecv_generic_if($1_spamc_t)
-	corenet_tcp_sendrecv_all_nodes($1_spamc_t)
-	corenet_udp_sendrecv_all_nodes($1_spamc_t)
-	corenet_tcp_sendrecv_all_ports($1_spamc_t)
-	corenet_udp_sendrecv_all_ports($1_spamc_t)
-	corenet_tcp_connect_all_ports($1_spamc_t)
-	corenet_sendrecv_all_client_packets($1_spamc_t)
-
-	fs_search_auto_mountpoints($1_spamc_t)
-
-	# cjp: these should probably be removed:
-	corecmd_list_bin($1_spamc_t)
-	corecmd_read_bin_symlinks($1_spamc_t)
-	corecmd_read_bin_files($1_spamc_t)
-	corecmd_read_bin_pipes($1_spamc_t)
-	corecmd_read_bin_sockets($1_spamc_t)
-	corecmd_list_sbin($1_spamc_t)
-	corecmd_read_sbin_symlinks($1_spamc_t)
-	corecmd_read_sbin_files($1_spamc_t)
-	corecmd_read_sbin_pipes($1_spamc_t)
-	corecmd_read_sbin_sockets($1_spamc_t)
-
-	domain_use_interactive_fds($1_spamc_t)
-
-	files_read_etc_files($1_spamc_t)
-	files_read_etc_runtime_files($1_spamc_t)
-	files_read_usr_files($1_spamc_t)
-	files_dontaudit_search_var($1_spamc_t)
-	# cjp: this may be removable:
-	files_list_home($1_spamc_t)
-
-	libs_use_ld_so($1_spamc_t)
-	libs_use_shared_libs($1_spamc_t)
-
-	logging_send_syslog_msg($1_spamc_t)
-
-	miscfiles_read_localization($1_spamc_t)
-
-	# cjp: this should probably be removed:
-	seutil_read_config($1_spamc_t)
-
-	sysnet_read_config($1_spamc_t)
-
-	userdom_use_unpriv_users_fds($1_spamc_t)
-	# cjp: this really should just be the
-	# terminal specific to the role
-	userdom_use_unpriv_users_ptys($1_spamc_t)
-
-	# cjp: this should probably be removed:
-	tunable_policy(`read_default_t',`
-		files_list_default($1_spamc_t)
-		files_read_default_files($1_spamc_t)
-		files_read_default_symlinks($1_spamc_t)
-		files_read_default_sockets($1_spamc_t)
-		files_read_default_pipes($1_spamc_t)
-	')
-
-	optional_policy(`
-		# Allow connection to spamd socket above
-		evolution_stream_connect($1,$1_spamc_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_spamc_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_spamc_t)
-	')
-
-	optional_policy(`
-		mta_read_config($1_spamc_t)
-		sendmail_stub($1_spamc_t)
-	')
-
-	##############################
-	#
-	# $1_spamassassin_t local policy
-	#
-
-	allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_spamassassin_t self:fd use;
-	allow $1_spamassassin_t self:fifo_file rw_file_perms;
-	allow $1_spamassassin_t self:sock_file r_file_perms;
-	allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms;
-	allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_spamassassin_t self:unix_dgram_socket sendto;
-	allow $1_spamassassin_t self:unix_stream_socket connectto;
-	allow $1_spamassassin_t self:shm create_shm_perms;
-	allow $1_spamassassin_t self:sem create_sem_perms;
-	allow $1_spamassassin_t self:msgq create_msgq_perms;
-	allow $1_spamassassin_t self:msg { send receive };
-
-	allow $1_spamassassin_t $1_spamassassin_home_t:dir create_dir_perms;
-	allow $1_spamassassin_t $1_spamassassin_home_t:file create_file_perms;
-	allow $1_spamassassin_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
-	allow $1_spamassassin_t $1_spamassassin_home_t:sock_file create_file_perms;
-	allow $1_spamassassin_t $1_spamassassin_home_t:fifo_file create_file_perms;
-	userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $1_spamassassin_t $1_spamassassin_tmp_t:dir create_dir_perms;
-	allow $1_spamassassin_t $1_spamassassin_tmp_t:file create_file_perms;
-	files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
-
-	allow $2 $1_spamassassin_home_t:dir { create_dir_perms relabelfrom relabelto };
-	allow $2 $1_spamassassin_home_t:file { create_file_perms relabelfrom relabelto };
-	allow $2 $1_spamassassin_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
-
-	domain_auto_trans($2, spamassassin_exec_t, $1_spamassassin_t)
-	allow $2 $1_spamassassin_t:fd use;
-	allow $1_spamassassin_t $2:fd use;
-	allow $1_spamassassin_t $2:fifo_file rw_file_perms;
-	allow $1_spamassassin_t $2:process sigchld;
-
-	allow spamd_t $1_spamassassin_home_t:dir create_dir_perms;
-	allow spamd_t $1_spamassassin_home_t:file create_file_perms;
-	allow spamd_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
-	allow spamd_t $1_spamassassin_home_t:sock_file create_file_perms;
-	allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms;
-	userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
-
-	kernel_read_kernel_sysctls($1_spamassassin_t)
-
-	dev_read_urand($1_spamassassin_t)
-
-	fs_search_auto_mountpoints($1_spamassassin_t)
-
-	# this should probably be removed
-	corecmd_list_bin($1_spamassassin_t)
-	corecmd_read_bin_symlinks($1_spamassassin_t)
-	corecmd_read_bin_files($1_spamassassin_t)
-	corecmd_read_bin_pipes($1_spamassassin_t)
-	corecmd_read_bin_sockets($1_spamassassin_t)
-	corecmd_list_sbin($1_spamassassin_t)
-	corecmd_read_sbin_symlinks($1_spamassassin_t)
-	corecmd_read_sbin_files($1_spamassassin_t)
-	corecmd_read_sbin_pipes($1_spamassassin_t)
-	corecmd_read_sbin_sockets($1_spamassassin_t)
-
-	domain_use_interactive_fds($1_spamassassin_t)
-
-	files_read_etc_files($1_spamassassin_t)
-	files_read_etc_runtime_files($1_spamassassin_t)
-	files_list_home($1_spamassassin_t)
-	files_read_usr_files($1_spamassassin_t)
-	files_dontaudit_search_var($1_spamassassin_t)
-
-	libs_use_ld_so($1_spamassassin_t)
-	libs_use_shared_libs($1_spamassassin_t)
-
-	logging_send_syslog_msg($1_spamassassin_t)
-
-	miscfiles_read_localization($1_spamassassin_t)
-
-	# cjp: this could probably be removed
-	seutil_read_config($1_spamassassin_t)
-
-	sysnet_dns_name_resolve($1_spamassassin_t)
-
-	userdom_use_unpriv_users_fds($1_spamassassin_t)
-	userdom_search_user_home_dirs($1,$1_spamassassin_t)
-	# cjp: this really should just be the
-	# terminal specific to the role
-	userdom_use_unpriv_users_ptys($1_spamassassin_t)
-
-	# this should probably be removed:
-	tunable_policy(`read_default_t',`
-		files_list_default($1_spamassassin_t)
-		files_read_default_files($1_spamassassin_t)
-		files_read_default_symlinks($1_spamassassin_t)
-		files_read_default_sockets($1_spamassassin_t)
-		files_read_default_pipes($1_spamassassin_t)
-	')
-
-	# set tunable if you have spamassassin do DNS lookups
-	tunable_policy(`spamassassin_can_network',`
-		allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
-		allow $1_spamassassin_t self:udp_socket create_socket_perms;
-
-		corenet_non_ipsec_sendrecv($1_spamassassin_t)
-		corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
-		corenet_udp_sendrecv_generic_if($1_spamassassin_t)
-		corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
-		corenet_udp_sendrecv_all_nodes($1_spamassassin_t)
-		corenet_tcp_sendrecv_all_ports($1_spamassassin_t)
-		corenet_udp_sendrecv_all_ports($1_spamassassin_t)
-		corenet_tcp_connect_all_ports($1_spamassassin_t)
-		corenet_sendrecv_all_client_packets($1_spamassassin_t)
-
-		sysnet_read_config($1_spamassassin_t)
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_spamassassin_t)
-		fs_manage_nfs_files($1_spamassassin_t)
-		fs_manage_nfs_symlinks($1_spamassassin_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_spamassassin_t)
-		fs_manage_cifs_files($1_spamassassin_t)
-		fs_manage_cifs_symlinks($1_spamassassin_t)
-	')
-
-	optional_policy(`
-		# Write pid file and socket in ~/.evolution/cache/tmp
-		evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file })
-	')
-
-	optional_policy(`
-		# cjp: clearly some redundancy here
-
-		nis_use_ypbind($1_spamassassin_t)
-
-		tunable_policy(`spamassassin_can_network && allow_ypbind',`
-			nis_use_ypbind_uncond($1_spamassassin_t)
-		')
-	')
-
-	optional_policy(`
-		mta_read_config($1_spamassassin_t)
-		sendmail_stub($1_spamassassin_t)
-	')
-
-	# For perl libraries.
-	allow $1_spamassassin_t lib_t:file rx_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute the standalone spamassassin
-##	program in the caller directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`spamassassin_exec',`
-	gen_require(`
-		type spamassassin_exec_t;
-	')
-
-	can_exec($1,spamassassin_exec_t)
-
-')
-
-########################################
-## <summary>
-##	Singnal the spam assassin daemon
-## </summary>
-## <param name="domain">
-##      <summary>
-##      The type of the process performing this action.
-##      </summary>
-## </param>
-#
-interface(`spamassassin_signal_spamd',`
-	gen_require(`
-		type spamd_t;
-	')
-
-	allow $1 spamd_t:process signal;
-')
-
-########################################
-## <summary>
-##	Execute the spamassassin daemon
-##	program in the caller directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`spamassassin_exec_spamd',`
-	gen_require(`
-		type spamd_exec_t;
-	')
-
-	can_exec($1,spamd_exec_t)
-')
-
-########################################
-## <summary>
-##      Execute spamassassin client in the user spamassassin client domain.
-## </summary>
-## <desc>
-##	<p>
-##	This is a template and should only be called 
-##	from per user domain tempaltes.
-##	</p>
-## </desc>
-## <param name="prefix">
-##      <summary>
-##      The prefix of the user domain. eg user would be the prefix of user_t.
-##      </summary>
-## </param>
-## <param name="domain">
-##      <summary>
-##      The type of the process performing this action.
-##      </summary>
-## </param>
-#
-template(`spamassassin_domtrans_user_client',`
-	gen_require(`
-		type $1_spamc_t, spamc_exec_t;
-	')
-
-	domain_auto_trans($2,spamc_exec_t,$1_spamc_t)
-
-	allow $2 $1_spamc_t:fd use;
-	allow $1_spamc_t $2:fd use;
-	allow $1_spamc_t $2:fifo_file rw_file_perms;
-	allow $1_spamc_t $2:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute the spamassassin client
-##	program in the caller directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`spamassassin_exec_client',`
-	gen_require(`
-		type spamc_exec_t;
-	')
-
-	can_exec($1,spamc_exec_t)
-')
-
-########################################
-## <summary>
-##      Execute spamassassin in the user spamassassin domain.
-## </summary>
-## <desc>
-##	<p>
-##	This is a template and should only be called 
-##	from per user domain tempaltes.
-##	</p>
-## </desc>
-## <param name="prefix">
-##      <summary>
-##	The prefix of the user domain. eg user would be the prefix of user_t.
-##      </summary>
-## </param>
-## <param name="domain">
-##      <summary>
-##      The type of the process performing this action.
-##      </summary>
-## </param>
-#
-template(`spamassassin_domtrans_user_local_client',`
-	gen_require(`
-		type $1_spamassassin_t, spamassassin_exec_t;
-	')
-
-	domain_auto_trans($2,spamassassin_exec_t,$1_spamassassin_t)
-
-	allow $2 $1_spamassassin_t:fd use;
-	allow $1_spamassassin_t $2:fd use;
-	allow $1_spamassassin_t $2:fifo_file rw_file_perms;
-	allow $1_spamassassin_t $2:process sigchld;
-')
-
-########################################
-## <summary>
-##      Read temporary spamd file.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      The type of the process performing this action.
-##      </summary>
-## </param>
-#
-interface(`spamassassin_read_spamd_tmp_files',`
-	gen_require(`
-		type spamd_tmp_t;
-	')
-
-	allow $1 spamd_tmp_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get attributes of temporary
-##	spamd sockets/
-## </summary>
-## <param name="domain">
-##      <summary>
-##	Domain to not audit.
-##      </summary>
-## </param>
-#
-interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
-	gen_require(`
-		type spamd_tmp_t;
-	')
-
-	dontaudit $1 spamd_tmp_t:sock_file getattr;
-')
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
deleted file mode 100644
index ba0d6e5..0000000
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ /dev/null
@@ -1,196 +0,0 @@
-
-policy_module(spamassassin,1.3.9)
-
-########################################
-#
-# Declarations
-#
-
-# spamassassin client executable
-type spamc_exec_t;
-corecmd_executable_file(spamc_exec_t)
-
-type spamd_t;
-type spamd_exec_t;
-init_daemon_domain(spamd_t,spamd_exec_t)
-
-type spamd_spool_t;
-files_type(spamd_spool_t)
-
-type spamd_tmp_t;
-files_tmp_file(spamd_tmp_t)
-
-type spamd_var_run_t;
-files_pid_file(spamd_var_run_t)
-
-type spamassassin_exec_t;
-corecmd_executable_file(spamassassin_exec_t)
-
-########################################
-#
-# Spamassassin daemon local policy
-#
-
-# Spamassassin, when run as root and using per-user config files,
-# setuids to the user running spamc.  Comment this if you are not
-# using this ability.
-
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
-dontaudit spamd_t self:capability sys_tty_config;
-allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow spamd_t self:fd use;
-allow spamd_t self:fifo_file rw_file_perms;
-allow spamd_t self:sock_file r_file_perms;
-allow spamd_t self:shm create_shm_perms;
-allow spamd_t self:sem create_sem_perms;
-allow spamd_t self:msgq create_msgq_perms;
-allow spamd_t self:msg { send receive };
-allow spamd_t self:unix_dgram_socket create_socket_perms;
-allow spamd_t self:unix_stream_socket create_stream_socket_perms;
-allow spamd_t self:unix_dgram_socket sendto;
-allow spamd_t self:unix_stream_socket connectto;
-allow spamd_t self:tcp_socket create_stream_socket_perms;
-allow spamd_t self:udp_socket create_socket_perms;
-
-allow spamd_t spamd_spool_t:file create_file_perms;
-allow spamd_t spamd_spool_t:dir create_dir_perms;
-files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
-
-allow spamd_t spamd_tmp_t:dir create_dir_perms;
-allow spamd_t spamd_tmp_t:file create_file_perms;
-files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
-
-allow spamd_t spamd_var_run_t:file create_file_perms;
-allow spamd_t spamd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(spamd_t,spamd_var_run_t,file)
-
-kernel_read_all_sysctls(spamd_t)
-kernel_read_system_state(spamd_t)
-kernel_tcp_recvfrom(spamd_t)
-
-corenet_non_ipsec_sendrecv(spamd_t)
-corenet_tcp_sendrecv_all_if(spamd_t)
-corenet_udp_sendrecv_all_if(spamd_t)
-corenet_tcp_sendrecv_all_nodes(spamd_t)
-corenet_udp_sendrecv_all_nodes(spamd_t)
-corenet_tcp_sendrecv_all_ports(spamd_t)
-corenet_udp_sendrecv_all_ports(spamd_t)
-corenet_tcp_bind_all_nodes(spamd_t)
-corenet_tcp_bind_spamd_port(spamd_t)
-corenet_tcp_connect_razor_port(spamd_t)
-corenet_sendrecv_razor_client_packets(spamd_t)
-corenet_sendrecv_spamd_server_packets(spamd_t)
-# spamassassin 3.1 needs this for its
-# DnsResolver.pm module which binds to
-# random ports >= 1024.
-corenet_udp_bind_all_nodes(spamd_t)
-corenet_udp_bind_generic_port(spamd_t)
-corenet_udp_bind_imaze_port(spamd_t)
-corenet_sendrecv_imaze_server_packets(spamd_t)
-corenet_sendrecv_generic_server_packets(spamd_t)
-
-dev_read_sysfs(spamd_t)
-dev_read_urand(spamd_t)
-
-fs_getattr_all_fs(spamd_t)
-fs_search_auto_mountpoints(spamd_t)
-
-term_dontaudit_use_console(spamd_t)
-
-auth_dontaudit_read_shadow(spamd_t)
-
-corecmd_exec_bin(spamd_t)
-corecmd_search_sbin(spamd_t)
-
-domain_use_interactive_fds(spamd_t)
-
-files_read_usr_files(spamd_t)
-files_read_etc_files(spamd_t)
-files_read_etc_runtime_files(spamd_t)
-files_search_var_lib(spamd_t)
-
-init_use_fds(spamd_t)
-init_use_script_ptys(spamd_t)
-init_dontaudit_rw_utmp(spamd_t)
-
-libs_use_ld_so(spamd_t)
-libs_use_shared_libs(spamd_t)
-# Various Perl bits
-libs_use_lib_files(spamd_t)
-
-logging_send_syslog_msg(spamd_t)
-
-miscfiles_read_localization(spamd_t)
-
-sysnet_read_config(spamd_t)
-sysnet_use_ldap(spamd_t)
-sysnet_dns_name_resolve(spamd_t)
-
-userdom_use_unpriv_users_fds(spamd_t)
-userdom_search_unpriv_users_home_dirs(spamd_t)
-userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(spamd_t)
-	term_dontaudit_use_generic_ptys(spamd_t)
-	files_dontaudit_read_root_files(spamd_t)
-	tunable_policy(`spamd_enable_home_dirs',`
-		userdom_manage_generic_user_home_content_dirs(spamd_t)
-		userdom_manage_generic_user_home_content_files(spamd_t)
-		userdom_manage_generic_user_home_content_symlinks(spamd_t)
-	')
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_files(spamd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_files(spamd_t)
-')
-
-optional_policy(`
-	amavis_manage_lib_files(spamd_t)
-')
-
-optional_policy(`
-	cron_system_entry(spamd_t,spamd_exec_t)
-')
-
-optional_policy(`
-	daemontools_service_domain(spamd_t,spamd_exec_t)
-')
-
-optional_policy(`
-	dcc_domtrans_client(spamd_t)
-	dcc_stream_connect_dccifd(spamd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(spamd_t)
-')
-
-optional_policy(`
-	postgresql_stream_connect(spamd_t)
-')
-
-optional_policy(`
-	pyzor_domtrans(spamd_t)
-')
-
-optional_policy(`
-	razor_domtrans(spamd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(spamd_t)
-')
-
-optional_policy(`
-	sendmail_stub(spamd_t)
-	mta_read_config(spamd_t)
-')
-
-optional_policy(`
-	udev_read_db(spamd_t)
-')
diff --git a/refpolicy/policy/modules/services/speedtouch.fc b/refpolicy/policy/modules/services/speedtouch.fc
deleted file mode 100644
index 9760d15..0000000
--- a/refpolicy/policy/modules/services/speedtouch.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/sbin/speedmgmt	--	gen_context(system_u:object_r:speedmgmt_exec_t,s0)
-
diff --git a/refpolicy/policy/modules/services/speedtouch.if b/refpolicy/policy/modules/services/speedtouch.if
deleted file mode 100644
index 826e2db..0000000
--- a/refpolicy/policy/modules/services/speedtouch.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Alcatel speedtouch USB ADSL modem</summary>
diff --git a/refpolicy/policy/modules/services/speedtouch.te b/refpolicy/policy/modules/services/speedtouch.te
deleted file mode 100644
index edf09ce..0000000
--- a/refpolicy/policy/modules/services/speedtouch.te
+++ /dev/null
@@ -1,77 +0,0 @@
-
-policy_module(speedtouch,1.0.0)
-
-#######################################
-#
-# Rules for the speedmgmt_t domain.
-#
-
-type speedmgmt_t;
-type speedmgmt_exec_t;
-init_daemon_domain(speedmgmt_t,speedmgmt_exec_t)
-
-type speedmgmt_tmp_t;
-files_tmp_file(speedmgmt_tmp_t)
-
-type speedmgmt_var_run_t;
-files_pid_file(speedmgmt_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit speedmgmt_t self:capability sys_tty_config;
-allow speedmgmt_t self:process signal_perms;
-
-allow speedmgmt_t speedmgmt_tmp_t:dir create_dir_perms;
-allow speedmgmt_t speedmgmt_tmp_t:file create_file_perms;
-files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir })
-
-allow speedmgmt_t speedmgmt_var_run_t:file create_file_perms;
-allow speedmgmt_t speedmgmt_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(speedmgmt_t,speedmgmt_var_run_t,file)
-
-kernel_read_kernel_sysctls(speedmgmt_t)
-kernel_list_proc(speedmgmt_t)
-kernel_read_proc_symlinks(speedmgmt_t)
-
-dev_read_sysfs(speedmgmt_t)
-dev_read_usbfs(speedmgmt_t)
-
-domain_use_interactive_fds(speedmgmt_t)
-
-files_read_etc_files(speedmgmt_t)
-files_read_usr_files(speedmgmt_t)
-
-fs_getattr_all_fs(speedmgmt_t)
-fs_search_auto_mountpoints(speedmgmt_t)
-
-term_dontaudit_use_console(speedmgmt_t)
-
-init_use_fds(speedmgmt_t)
-init_use_script_ptys(speedmgmt_t)
-
-libs_use_ld_so(speedmgmt_t)
-libs_use_shared_libs(speedmgmt_t)
-
-logging_send_syslog_msg(speedmgmt_t)
-
-miscfiles_read_localization(speedmgmt_t)
-
-userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
-userdom_dontaudit_search_sysadm_home_dirs(speedmgmt_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(speedmgmt_t)
-	term_dontaudit_use_generic_ptys(speedmgmt_t)
-	files_dontaudit_read_root_files(speedmgmt_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(speedmgmt_t)
-')
-
-optional_policy(`
-	udev_read_db(speedmgmt_t)
-')
diff --git a/refpolicy/policy/modules/services/squid.fc b/refpolicy/policy/modules/services/squid.fc
deleted file mode 100644
index 067b669..0000000
--- a/refpolicy/policy/modules/services/squid.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-
-/etc/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
-
-/usr/sbin/squid		--	gen_context(system_u:object_r:squid_exec_t,s0)
-
-/usr/share/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
-
-/var/cache/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
-
-/var/log/squid(/.*)?		gen_context(system_u:object_r:squid_log_t,s0)
-
-/var/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
-
-/var/spool/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/refpolicy/policy/modules/services/squid.if b/refpolicy/policy/modules/services/squid.if
deleted file mode 100644
index 10e77d7..0000000
--- a/refpolicy/policy/modules/services/squid.if
+++ /dev/null
@@ -1,125 +0,0 @@
-## <summary>Squid caching http proxy server</summary>
-
-########################################
-## <summary>
-##	Execute squid in the squid domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`squid_domtrans',`
-	gen_require(`
-		type squid_t, squid_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,squid_exec_t,squid_t)
-
-	allow $1 squid_t:fd use;
-	allow squid_t $1:fd use;
-	allow squid_t $1:fifo_file rw_file_perms;
-	allow squid_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Read squid configuration file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`squid_read_config',`
-	gen_require(`
-		type squid_conf_t;
-	')
-
-	files_search_etc($1)
-	allow $1 squid_conf_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Append squid logs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`squid_read_log',`
-	gen_require(`
-		type squid_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 squid_log_t:dir search_dir_perms;
-	allow $1 squid_log_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Append squid logs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`squid_append_log',`
-	gen_require(`
-		type squid_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 squid_log_t:dir search_dir_perms;
-	allow $1 squid_log_t:file { getattr append };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	squid logs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`squid_manage_logs',`
-	gen_require(`
-		type squid_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 squid_log_t:dir rw_dir_perms;
-	allow $1 squid_log_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Use squid services by connecting over TCP.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`squid_use',`
-	gen_require(`
-		type squid_t;
-	')
-
-	allow $1 squid_t:tcp_socket { connectto recvfrom };
-	allow squid_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
deleted file mode 100644
index a1480f4..0000000
--- a/refpolicy/policy/modules/services/squid.te
+++ /dev/null
@@ -1,184 +0,0 @@
-
-policy_module(squid,1.1.3)
-
-########################################
-#
-# Declarations
-#
-
-type squid_t;
-type squid_exec_t;
-init_daemon_domain(squid_t,squid_exec_t)
-
-# type for /var/cache/squid
-type squid_cache_t;
-files_type(squid_cache_t)
-
-type squid_conf_t;
-files_type(squid_conf_t)
-
-type squid_log_t;
-logging_log_file(squid_log_t)
-
-type squid_var_run_t;
-files_pid_file(squid_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow squid_t self:capability { setgid setuid dac_override };
-dontaudit squid_t self:capability sys_tty_config;
-allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow squid_t self:fifo_file rw_file_perms;
-allow squid_t self:sock_file r_file_perms;
-allow squid_t self:fd use;
-allow squid_t self:shm create_shm_perms;
-allow squid_t self:sem create_sem_perms;
-allow squid_t self:msgq create_msgq_perms;
-allow squid_t self:msg { send receive };
-allow squid_t self:unix_stream_socket create_stream_socket_perms;
-allow squid_t self:unix_dgram_socket create_socket_perms;
-allow squid_t self:unix_dgram_socket sendto;
-allow squid_t self:unix_stream_socket connectto;
-allow squid_t self:tcp_socket create_stream_socket_perms;
-allow squid_t self:udp_socket create_socket_perms;
-
-# Grant permissions to create, access, and delete cache files.
-allow squid_t squid_cache_t:dir create_dir_perms;
-allow squid_t squid_cache_t:file create_file_perms;
-allow squid_t squid_cache_t:lnk_file create_lnk_perms;
-
-allow squid_t squid_conf_t:file r_file_perms;
-allow squid_t squid_conf_t:dir r_dir_perms;
-allow squid_t squid_conf_t:lnk_file read;
-
-can_exec(squid_t,squid_exec_t)
-
-allow squid_t squid_log_t:file create_file_perms;
-allow squid_t squid_log_t:dir rw_dir_perms;
-logging_log_filetrans(squid_t,squid_log_t,{ file dir })
-
-allow squid_t squid_var_run_t:file create_file_perms;
-allow squid_t squid_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(squid_t,squid_var_run_t,file)
-
-kernel_read_kernel_sysctls(squid_t)
-kernel_read_system_state(squid_t)
-kernel_tcp_recvfrom(squid_t)
-
-files_dontaudit_getattr_boot_dirs(squid_t)
-
-corenet_non_ipsec_sendrecv(squid_t)
-corenet_tcp_sendrecv_all_if(squid_t)
-corenet_udp_sendrecv_all_if(squid_t)
-corenet_tcp_sendrecv_all_nodes(squid_t)
-corenet_udp_sendrecv_all_nodes(squid_t)
-corenet_tcp_sendrecv_all_ports(squid_t)
-corenet_udp_sendrecv_all_ports(squid_t)
-corenet_tcp_bind_all_nodes(squid_t)
-corenet_udp_bind_all_nodes(squid_t)
-corenet_tcp_bind_http_cache_port(squid_t)
-corenet_tcp_bind_ftp_port(squid_t)
-corenet_tcp_bind_gopher_port(squid_t)
-corenet_tcp_connect_ftp_port(squid_t)
-corenet_tcp_connect_gopher_port(squid_t)
-corenet_tcp_connect_http_port(squid_t)
-corenet_tcp_connect_http_cache_port(squid_t)
-corenet_sendrecv_http_client_packets(squid_t)
-corenet_sendrecv_ftp_client_packets(squid_t)
-corenet_sendrecv_gopher_client_packets(squid_t)
-corenet_sendrecv_http_cache_server_packets(squid_t)
-corenet_sendrecv_http_cache_client_packets(squid_t)
-
-dev_read_sysfs(squid_t)
-dev_read_urand(squid_t)
-
-fs_getattr_all_fs(squid_t)
-fs_search_auto_mountpoints(squid_t)
-
-selinux_dontaudit_getattr_dir(squid_t)
-
-term_dontaudit_use_console(squid_t)
-term_dontaudit_getattr_pty_dirs(squid_t)
-
-# to allow running programs from /usr/lib/squid (IE unlinkd)
-corecmd_exec_bin(squid_t)
-corecmd_exec_sbin(squid_t)
-corecmd_exec_shell(squid_t)
-
-domain_use_interactive_fds(squid_t)
-
-files_read_etc_files(squid_t)
-files_read_etc_runtime_files(squid_t)
-files_read_usr_files(squid_t)
-files_search_spool(squid_t)
-files_dontaudit_getattr_tmp_dirs(squid_t)
-files_getattr_home_dir(squid_t)
-
-init_use_fds(squid_t)
-init_use_script_ptys(squid_t)
-
-libs_use_ld_so(squid_t)
-libs_use_shared_libs(squid_t)
-# to allow running programs from /usr/lib/squid (IE unlinkd)
-libs_exec_lib_files(squid_t)
-
-logging_send_syslog_msg(squid_t)
-
-miscfiles_read_certs(squid_t)
-miscfiles_read_localization(squid_t)
-
-sysnet_dns_name_resolve(squid_t)
-sysnet_read_config(squid_t)
-
-userdom_use_unpriv_users_fds(squid_t)
-userdom_dontaudit_use_unpriv_user_fds(squid_t)
-userdom_dontaudit_search_sysadm_home_dirs(squid_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(squid_t)
-	term_dontaudit_use_generic_ptys(squid_t)
-	files_dontaudit_read_root_files(squid_t)
-')
-
-tunable_policy(`squid_connect_any',`
-	corenet_tcp_connect_all_ports(squid_t)
-')
-
-optional_policy(`
-	allow squid_t self:capability kill;
-	cron_use_fds(squid_t)
-	cron_use_system_job_fds(squid_t)
-	cron_rw_pipes(squid_t)
-	cron_write_system_job_pipes(squid_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(squid_t)
-')
-
-optional_policy(`
-	nscd_socket_use(squid_t)
-')
-
-optional_policy(`
-	samba_domtrans_winbind_helper(squid_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(squid_t)
-')
-
-optional_policy(`
-	udev_read_db(squid_t)
-')
-
-ifdef(`TODO',`
-ifdef(`apache.te',`
-can_tcp_connect(squid_t, httpd_t)
-')
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ssh.fc b/refpolicy/policy/modules/services/ssh.fc
deleted file mode 100644
index e83a852..0000000
--- a/refpolicy/policy/modules/services/ssh.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-/etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_dsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_rsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
-
-/usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
-/usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
-
-/usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
-
-/usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
-
-/var/run/sshd\.init\.pid		--	gen_context(system_u:object_r:sshd_var_run_t,s0)
-
-ifdef(`targeted_policy', `', `
-/usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
-
-HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
-')
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
deleted file mode 100644
index 7c7f58b..0000000
--- a/refpolicy/policy/modules/services/ssh.if
+++ /dev/null
@@ -1,754 +0,0 @@
-## <summary>Secure shell client and server policy.</summary>
-
-#######################################
-## <summary>
-##	Basic SSH client template.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for ssh client sessions.  A derived
-##	type is also created to protect the user ssh keys.
-##	</p>
-##	<p>
-##	This template was added for NX.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`ssh_basic_client_template',`
-
-	gen_require(`
-		attribute ssh_server;
-		type ssh_exec_t, sshd_key_t;
-
-		ifdef(`strict_policy',`
-			type sshd_tmp_t;
-		')
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_ssh_t;
-	domain_type($1_ssh_t)
-	domain_entry_file($1_ssh_t,ssh_exec_t)
-	role $3 types $1_ssh_t;
-
-	type $1_home_ssh_t;
-	files_type($1_home_ssh_t)
-
-	##############################
-	#
-	# Client local policy
-	#
-
-	allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
-	allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_ssh_t self:fd use;
-	allow $1_ssh_t self:fifo_file rw_file_perms;
-	allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
-	allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
-	allow $1_ssh_t self:shm create_shm_perms;
-	allow $1_ssh_t self:sem create_sem_perms;
-	allow $1_ssh_t self:msgq create_msgq_perms;
-	allow $1_ssh_t self:msg { send receive };
-	allow $1_ssh_t self:tcp_socket create_socket_perms;
-
-	# for rsync
-	allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
-	allow $1_ssh_t $2:unix_stream_socket connectto;
-
-	# Read the ssh key file.
-	allow $1_ssh_t sshd_key_t:file r_file_perms;
-
-	# Transition from the domain to the derived domain.
-	domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
-	allow $2 $1_ssh_t:fd use;
-	allow $1_ssh_t $2:fd use;
-	allow $1_ssh_t $2:fifo_file rw_file_perms;
-	allow $1_ssh_t $2:process sigchld;
-
-	# inheriting stream sockets is needed for "ssh host command" as no pty
-	# is allocated
-	# cjp: should probably fix target to be an attribute for ssh servers
-	# or "regular" (not special like sshd_extern_t) servers
-	allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
-
-	# allow ps to show ssh
-	allow $2 $1_ssh_t:dir { search getattr read };
-	allow $2 $1_ssh_t:{ file lnk_file } { read getattr };
-	allow $2 $1_ssh_t:process getattr;
-
-	# user can manage the keys and config
-	allow $2 $1_home_ssh_t:dir rw_dir_perms;
-	allow $2 $1_home_ssh_t:file create_file_perms;
-	allow $2 $1_home_ssh_t:lnk_file create_lnk_perms;
-	allow $2 $1_home_ssh_t:sock_file create_file_perms;
-
-	# ssh client can manage the keys and config
-	allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
-	allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
-	allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
-
-	# ssh servers can read the user keys and config
-	allow ssh_server $1_home_ssh_t:dir r_dir_perms;
-	allow ssh_server $1_home_ssh_t:lnk_file r_file_perms;
-	allow ssh_server $1_home_ssh_t:file r_file_perms;
-
-	kernel_read_kernel_sysctls($1_ssh_t)
-
-	corenet_non_ipsec_sendrecv($1_ssh_t)
-	corenet_tcp_sendrecv_all_if($1_ssh_t)
-	corenet_tcp_sendrecv_all_nodes($1_ssh_t)
-	corenet_tcp_sendrecv_all_ports($1_ssh_t)
-	corenet_tcp_connect_ssh_port($1_ssh_t)
-	corenet_sendrecv_ssh_client_packets($1_ssh_t)
-
-	dev_read_urand($1_ssh_t)
-
-	fs_getattr_all_fs($1_ssh_t)
-	fs_search_auto_mountpoints($1_ssh_t)
-
-	# run helper programs - needed eg for x11-ssh-askpass
-	corecmd_exec_shell($1_ssh_t)
-	corecmd_exec_bin($1_ssh_t)
-	corecmd_list_sbin($1_ssh_t)
-	corecmd_read_sbin_symlinks($1_ssh_t)
-
-	domain_use_interactive_fds($1_ssh_t)
-
-	files_list_home($1_ssh_t)
-	files_read_usr_files($1_ssh_t)
-	files_read_etc_runtime_files($1_ssh_t)
-	files_read_etc_files($1_ssh_t)
-	files_read_var_files($1_ssh_t)
-
-	libs_use_ld_so($1_ssh_t)
-	libs_use_shared_libs($1_ssh_t)
-
-	logging_send_syslog_msg($1_ssh_t)
-	logging_read_generic_logs($1_ssh_t)
-
-	miscfiles_read_localization($1_ssh_t)
-
-	seutil_read_config($1_ssh_t)
-
-	sysnet_read_config($1_ssh_t)
-	sysnet_dns_name_resolve($1_ssh_t)
-
-	ifdef(`strict_policy',`
-		# Access the ssh temporary files.
-		allow $1_ssh_t sshd_tmp_t:dir create_dir_perms;
-		allow $1_ssh_t sshd_tmp_t:file create_file_perms;
-		files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
-	')
-
-	tunable_policy(`read_default_t',`
-		files_list_default($1_ssh_t)
-		files_read_default_files($1_ssh_t)
-		files_read_default_symlinks($1_ssh_t)
-		files_read_default_sockets($1_ssh_t)
-		files_read_default_pipes($1_ssh_t)
-	')
-
-	optional_policy(`
-		kerberos_use($1_ssh_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_ssh_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_ssh_t)
-	')
-')
-
-#######################################
-## <summary>
-##	The per user domain template for the ssh module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for ssh client sessions and user ssh agents.  A derived
-##	type is also created to protect the user ssh keys.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`ssh_per_userdomain_template',`
-	gen_require(`
-		type ssh_agent_exec_t, ssh_keysign_exec_t;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	ssh_basic_client_template($1,$2,$3)
-
-	userdom_user_home_content($1,$1_home_ssh_t)
-
-	type $1_ssh_agent_t;
-	domain_type($1_ssh_agent_t)
-	domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
-	role $3 types $1_ssh_agent_t;
-
-	type $1_ssh_keysign_t;
-	domain_type($1_ssh_keysign_t)
-	domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
-	role $3 types $1_ssh_keysign_t;
-
-	type $1_ssh_tmpfs_t;
-	files_tmpfs_file($1_ssh_tmpfs_t)
-
-	##############################
-	#
-	# Client local policy
-	#
-
-	allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
-	allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
-	allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
-	allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $1_ssh_t $1_home_ssh_t:dir manage_dir_perms;
-	allow $1_ssh_t $1_home_ssh_t:sock_file manage_file_perms;
-	userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
-
-	userdom_use_unpriv_users_fds($1_ssh_t)
-	userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
-	userdom_search_user_home_dirs($1,$1_ssh_t)
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_ssh_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_ssh_t)
-		fs_manage_nfs_files($1_ssh_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_ssh_t)
-		fs_manage_cifs_files($1_ssh_t)
-	')
-
-	# for port forwarding
-	tunable_policy(`user_tcp_server',`
-		corenet_tcp_bind_ssh_port($1_ssh_t)
-	')
-
-	optional_policy(`
-		xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
-		xserver_domtrans_user_xauth($1,$1_ssh_t)
-	')
-
-	ifdef(`TODO',`
-	allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
-
-	# for /bin/sh used to execute xauth
-	dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
-
-	#allow ssh to access keys stored on removable media
-	# Should we have a boolean around this?
-	files_search_mnt($1_ssh_t)
-	r_dir_file($1_ssh_t, removable_t) 
-
-	if (allow_ssh_keysign) {
-	domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
-	allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
-	allow $1_ssh_keysign_t self:capability { setgid setuid };
-	allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
-	uses_shlib($1_ssh_keysign_t)
-	dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
-	dontaudit $1_ssh_keysign_t proc_t:dir search;
-	dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
-	allow $1_ssh_keysign_t usr_t:dir search;
-	allow $1_ssh_keysign_t etc_t:file { getattr read };
-	allow $1_ssh_keysign_t self:dir search;
-	allow $1_ssh_keysign_t self:file { getattr read };
-	allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
-	}
-
-	') dnl endif TODO
-
-	##############################
-	#
-	# $1_ssh_agent_t local policy
-	#
-
-	allow $1_ssh_agent_t self:process setrlimit;
-	allow $1_ssh_agent_t self:capability setgid;
-
-	allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
-
-	allow $1_ssh_agent_t self:unix_stream_socket { connectto rw_socket_perms };
-
-	allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
-
-	# for ssh-add
-	allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
-
-	# Allow the user shell to signal the ssh program.
-	allow $2 $1_ssh_agent_t:process signal;
-
-	# for the transition back to normal privs upon exec
-	allow $1_ssh_agent_t $2:fd use;
-	allow $2 $1_ssh_agent_t:fd use;
-	allow $2 $1_ssh_agent_t:fifo_file rw_file_perms;
-	allow $2 $1_ssh_agent_t:process sigchld;
-
-	# Allow the ssh program to communicate with ssh-agent.
-	allow $1_ssh_t sshd_t:unix_stream_socket connectto;
-
-	domain_auto_trans($2, ssh_agent_exec_t, $1_ssh_agent_t)
-	allow $2 $1_ssh_agent_t:fd use;
-	allow $1_ssh_agent_t $2:fd use;
-	allow $1_ssh_agent_t $2:fifo_file rw_file_perms;
-	allow $1_ssh_agent_t $2:process sigchld;
-
-	kernel_read_kernel_sysctls($1_ssh_agent_t)
-
-	dev_read_urand($1_ssh_agent_t)
-	dev_read_rand($1_ssh_agent_t)
-
-	fs_search_auto_mountpoints($1_ssh_agent_t)
-
-	# transition back to normal privs upon exec
-	corecmd_shell_domtrans($1_ssh_agent_t,$1_t)
-	corecmd_bin_domtrans($1_ssh_agent_t, $1_t)
-
-	domain_use_interactive_fds($1_ssh_agent_t)
-
-	files_read_etc_files($1_ssh_agent_t)
-	files_read_etc_runtime_files($1_ssh_agent_t)
-	files_search_home($1_ssh_agent_t)
-
-	libs_read_lib_files($1_ssh_agent_t)
-	libs_use_ld_so($1_ssh_agent_t)
-	libs_use_shared_libs($1_ssh_agent_t)
-
-	logging_send_syslog_msg($1_ssh_agent_t)
-
-	miscfiles_read_localization($1_ssh_agent_t)
-
-	seutil_dontaudit_read_config($1_ssh_agent_t)
-
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_ssh_agent_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_ssh_agent_t)
-
-		# transition back to normal privs upon exec
-		fs_nfs_domtrans($1_ssh_agent_t, $1_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_ssh_agent_t)
-
-		# transition back to normal privs upon exec
-		fs_cifs_domtrans($1_ssh_agent_t, $1_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_ssh_agent_t)
-	')
-
-#	optional_policy(`
-#		# KDM:
-#		xdm_sigchld($1_ssh_agent_t)
-#	')
-
-	ifdef(`TODO',`
-	ifdef(`xdm.te',`
-	can_pipe_xdm($1_ssh_agent_t)
-	')
-
-	# allow ps to show ssh
-	can_ps($1_t, $1_ssh_agent_t)
-
-	dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
-
-	# Access the ssh temporary files. Should we have an own type here
-	# to which only ssh, ssh-agent and ssh-add have access?
-	allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
-	file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
-
-	# transition back to normal privs upon exec
-	domain_auto_trans($1_ssh_agent_t, $1_home_t, $1_t)
-	allow $1_ssh_agent_t $1_home_dir_t:dir search;
-
-	allow $1_ssh_t $1_tmp_t:sock_file write;
-
-	#
-	# Allow command to ssh-agent > ~/.ssh_agent
-	#
-	allow $1_ssh_agent_t $1_home_t:file rw_file_perms;
-	allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms;
-
-	# Allow the ssh program to communicate with ssh-agent.
-	allow $1_ssh_t $1_tmp_t:sock_file write;
-	allow $1_ssh_t $2:unix_stream_socket connectto;
-	') dnl endif TODO
-
-	##############################
-	#
-	# $1_ssh_keysign_t local policy
-	#
-
-	optional_policy(`
-		nscd_socket_use($1_ssh_keysign_t)
-	')
-')
-
-#######################################
-## <summary>
-##	The template to define a ssh server.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a domains to be used for
-##	creating a ssh server.  This is typically done
-##	to have multiple ssh servers of different sensitivities,
-##	such as for an internal network-facing ssh server, and
-##	a external network-facing ssh server.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the server domain (e.g., sshd
-##	is the prefix for sshd_t).
-##	</summary>
-## </param>
-#
-template(`ssh_server_template', `
-	type $1_t, ssh_server;
-
-	domain_type($1_t)
-	role system_r types $1_t;
-
-	type $1_devpts_t;
-	term_login_pty($1_devpts_t)
-
-	type $1_var_run_t;
-	files_pid_file($1_var_run_t)
-
-	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-	allow $1_t self:fifo_file rw_file_perms;
-	allow $1_t self:process { signal setsched setrlimit setexec };
-
-	allow $1_t self:tcp_socket { listen accept create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-	allow $1_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
-
-	allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom };
-	term_create_pty($1_t,$1_devpts_t)
-
-	allow $1_t $1_var_run_t:file create_file_perms;
-	files_pid_filetrans($1_t,$1_var_run_t,file)
-
-	can_exec($1_t, sshd_exec_t)
-
-	# Access key files
-	allow $1_t sshd_key_t:file { getattr read };
-
-	kernel_read_kernel_sysctls($1_t)
-
-	corenet_tcp_sendrecv_all_if($1_t)
-	corenet_udp_sendrecv_all_if($1_t)
-	corenet_raw_sendrecv_all_if($1_t)
-	corenet_tcp_sendrecv_all_nodes($1_t)
-	corenet_udp_sendrecv_all_nodes($1_t)
-	corenet_raw_sendrecv_all_nodes($1_t)
-	corenet_udp_sendrecv_all_ports($1_t)
-	corenet_tcp_sendrecv_all_ports($1_t)
-	corenet_non_ipsec_sendrecv($1_t)
-	corenet_tcp_bind_all_nodes($1_t)
-	corenet_udp_bind_all_nodes($1_t)
-	corenet_tcp_connect_all_ports($1_t)
-	corenet_sendrecv_ssh_server_packets($1_t)
-
-	dev_read_urand($1_t)
-
-	fs_dontaudit_getattr_all_fs($1_t)
-
-	selinux_get_fs_mount($1_t)
-	selinux_validate_context($1_t)
-	selinux_compute_access_vector($1_t)
-	selinux_compute_create_context($1_t)
-	selinux_compute_relabel_context($1_t)
-	selinux_compute_user_contexts($1_t)
-
-	auth_dontaudit_read_shadow($1_t)
-	auth_domtrans_chk_passwd($1_t)
-	auth_rw_login_records($1_t)
-	auth_rw_lastlog($1_t)
-	auth_append_faillog($1_t)
-
-	corecmd_read_bin_symlinks($1_t)
-	corecmd_getattr_bin_files($1_t)
-	# for sshd subsystems, such as sftp-server.
-	corecmd_getattr_bin_files($1_t)
-
-	domain_interactive_fd($1_t)
-	domain_subj_id_change_exemption($1_t)
-	domain_role_change_exemption($1_t)
-	domain_obj_id_change_exemption($1_t)
-
-	files_read_etc_files($1_t)
-	files_read_etc_runtime_files($1_t)
-
-	init_rw_utmp($1_t)
-
-	libs_use_ld_so($1_t)
-	libs_use_shared_libs($1_t)
-
-	logging_search_logs($1_t)
-	logging_send_syslog_msg($1_t)
-
-	miscfiles_read_localization($1_t)
-
-	mls_file_read_up($1_t)
-	mls_file_write_down($1_t)
-	mls_file_upgrade($1_t)
-	mls_file_downgrade($1_t)
-	mls_process_set_level($1_t)
-
-	seutil_read_default_contexts($1_t)
-
-	sysnet_read_config($1_t)
-
-	userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
-	userdom_search_all_users_home_content($1_t)
-
-	# Allow checking users mail at login
-	mta_getattr_spool($1_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_read_nfs_files($1_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_read_cifs_files($1_t)
-	')
-
-	# cjp: commenting out until typeattribute works in conditional
-	# and require block in optional else is resolved
-	#optional_policy(`
-	#	tunable_policy(`run_ssh_inetd',`
-	#		allow $1_t self:process signal;
-	#		files_list_pids($1_t)
-	#	',`
-	#		corenet_tcp_bind_ssh_port($1_t)
-	#		init_use_fds($1_t)
-	#		init_use_script_ptys($1_t)
-	#	')
-	#',`
-		# These rules should match the else block
-		# of the run_ssh_inetd tunable directly above
-		corenet_tcp_bind_ssh_port($1_t)
-		init_use_fds($1_t)
-		init_use_script_ptys($1_t)
-	#')
-
-	optional_policy(`
-		kerberos_use($1_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_t)
-	')
-
-	optional_policy(`
-		nx_spec_domtrans_server($1_t)
-	')
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to the ssh server.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ssh_sigchld',`
-	gen_require(`
-		type sshd_t;
-	')
-
-	allow $1 sshd_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Read a ssh server unnamed pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ssh_read_pipes',`
-	gen_require(`
-		type sshd_t;
-	')
-
-	allow $1 sshd_t:fifo_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read and write ssh server unix domain stream sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ssh_rw_stream_sockets',`
-	gen_require(`
-		type sshd_t;
-	')
-
-	allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
-')
-
-########################################
-## <summary>
-##	Read and write ssh server TCP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ssh_rw_tcp_sockets',`
-	gen_require(`
-		type sshd_t;
-	')
-
-	allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write
-##	ssh server TCP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`ssh_dontaudit_rw_tcp_sockets',`
-	gen_require(`
-		type sshd_t;
-	')
-
-	dontaudit $1 sshd_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-##	Connect to SSH daemons over TCP sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ssh_tcp_connect',`
-	gen_require(`
-		type sshd_t;
-	')
-
-	allow $1 sshd_t:tcp_socket { connectto recvfrom };
-	allow sshd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')
-
-########################################
-## <summary>
-##	Execute the ssh client in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ssh_exec',`
-	gen_require(`
-		type ssh_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1,ssh_exec_t)
-')
-
-########################################
-## <summary>
-##	Read ssh server keys
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ssh_dontaudit_read_server_keys',`
-	gen_require(`
-		type sshd_key_t;
-	')
-
-	dontaudit $1 sshd_key_t:file { getattr read };
-')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
deleted file mode 100644
index 6296c6b..0000000
--- a/refpolicy/policy/modules/services/ssh.te
+++ /dev/null
@@ -1,271 +0,0 @@
-
-policy_module(ssh,1.3.5)
-
-########################################
-#
-# Declarations
-#
-
-attribute ssh_server;
-
-# ssh client executable.
-type ssh_exec_t;
-corecmd_executable_file(ssh_exec_t)
-
-type ssh_keygen_exec_t;
-corecmd_executable_file(ssh_keygen_exec_t)
-
-type ssh_keysign_exec_t;
-corecmd_executable_file(ssh_keysign_exec_t)
-
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type sshd_exec_t;
-')
-corecmd_executable_file(sshd_exec_t)
-
-type sshd_key_t;
-files_type(sshd_key_t)
-
-ifdef(`targeted_policy',`
-	unconfined_alias_domain(sshd_t)
-	init_system_domain(sshd_t,sshd_exec_t)
-
-	type sshd_var_run_t;
-	files_type(sshd_var_run_t)
-',`
-	# Type for the ssh-agent executable.
-	type ssh_agent_exec_t;
-	files_type(ssh_agent_exec_t)
-
-	type ssh_keygen_t;
-	init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
-	role system_r types ssh_keygen_t;
-
-	ssh_server_template(sshd)
-	ssh_server_template(sshd_extern)
-
-	# cjp: commenting this out until typeattribute works in a conditional
-#	optional_policy(`
-#		tunable_policy(`run_ssh_inetd',`
-#			inetd_tcp_service_domain(sshd_t,sshd_exec_t)
-#		',`
-#			init_daemon_domain(sshd_t,sshd_exec_t)
-#		')
-#	',`
-		# These rules should match the else block
-		# of the run_ssh_inetd tunable directly above
-		init_daemon_domain(sshd_t,sshd_exec_t)
-#	')
-
-	type sshd_tmp_t;
-	files_tmp_file(sshd_tmp_t)
-')
-
-#################################
-#
-# sshd local policy
-#
-# sshd_t is the domain for the sshd program.
-#
-
-ifdef(`strict_policy',`
-	# so a tunnel can point to another ssh tunnel
-	allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
-	allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
-
-	allow sshd_t sshd_tmp_t:dir create_dir_perms;
-	allow sshd_t sshd_tmp_t:file create_file_perms;
-	allow sshd_t sshd_tmp_t:sock_file create_file_perms;
-	files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
-
-	# for X forwarding
-	corenet_tcp_bind_xserver_port(sshd_t)
-	corenet_sendrecv_xserver_server_packets(sshd_t)
-
-	mls_file_read_up(sshd_t)
-	mls_file_write_down(sshd_t)
-	mls_file_upgrade(sshd_t)
-	mls_file_downgrade(sshd_t)
-	mls_process_set_level(sshd_t)
-
-	auth_exec_pam(sshd_t)
-
-	seutil_read_config(sshd_t)
-
-	tunable_policy(`ssh_sysadm_login',`
-		# Relabel and access ptys created by sshd
-		# ioctl is necessary for logout() processing for utmp entry and for w to
-		# display the tty.
-		# some versions of sshd on the new SE Linux require setattr
-		term_use_all_user_ptys(sshd_t)
-		term_setattr_all_user_ptys(sshd_t)
-		term_relabelto_all_user_ptys(sshd_t)
-
-		userdom_spec_domtrans_all_users(sshd_t)
-		userdom_signal_all_users(sshd_t)
-	',`
-		userdom_spec_domtrans_unpriv_users(sshd_t)
-		userdom_signal_unpriv_users(sshd_t)
-
-		userdom_setattr_unpriv_users_ptys(sshd_t)
-		userdom_relabelto_unpriv_users_ptys(sshd_t)
-		userdom_use_unpriv_users_ptys(sshd_t)
-	')
-
-	optional_policy(`
-		daemontools_service_domain(sshd_t, sshd_exec_t)
-	')
-
-	optional_policy(`
-		rpm_use_script_fds(sshd_t)
-	')
-
-	optional_policy(`
-		rssh_spec_domtrans_all_users(sshd_t)
-		# For reading /home/user/.ssh
-		rssh_read_all_users_ro_content(sshd_t)
-	')
-
-	ifdef(`TODO',`
-	tunable_policy(`ssh_sysadm_login',`
-		# Relabel and access ptys created by sshd
-		# ioctl is necessary for logout() processing for utmp entry and for w to
-		# display the tty.
-		# some versions of sshd on the new SE Linux require setattr
-		allow sshd_t ptyfile:chr_file relabelto;
-
-		optional_policy(`
-			domain_trans(sshd_t, xauth_exec_t, userdomain)
-		')
-	',`
-		optional_policy(`
-			domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
-		')
-		# Relabel and access ptys created by sshd
-		# ioctl is necessary for logout() processing for utmp entry and for w to
-		# display the tty.
-		# some versions of sshd on the new SE Linux require setattr
-		allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
-	')
-	') dnl endif TODO
-')
-
-#################################
-#
-# sshd_extern local policy
-#
-# sshd_extern_t is the domain for ssh from outside our network
-#
-
-ifdef(`strict_policy',`
-	ifdef(`TODO',`
-	domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
-	# Signal the user domains.
-	allow sshd_extern_t user_mini_domain:process signal;
-
-	ifdef(`xauth.te', `
-	domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
-	')
-
-	# Relabel and access ptys created by sshd
-	# ioctl is necessary for logout() processing for utmp entry and for w to
-	# display the tty.
-	# some versions of sshd on the new SE Linux require setattr
-	allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };
-
-	# inheriting stream sockets is needed for "ssh host command" as no pty
-	# is allocated
-	allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
-
-	optional_policy(`
-		tunable_policy(`run_ssh_inetd',`
-			domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
-		',`
-			domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
-		')
-	',`
-		# These rules should match the else block
-		# of the run_ssh_inetd tunable directly above
-		domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
-	')
-
-	ifdef(`direct_sysadm_daemon', `
-	# Direct execution by sysadm_r.
-	domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
-	role_transition sysadm_r sshd_exec_t system_r;
-	')
-
-	# for port forwarding
-	allow userdomain sshd_t:tcp_socket { connectto recvfrom };
-	allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
-	allow userdomain kernel_t:tcp_socket recvfrom;
-	allow sshd_t kernel_t:tcp_socket recvfrom;
-	') dnl endif TODO
-')
-
-########################################
-#
-# ssh_keygen local policy
-#
-
-ifdef(`targeted_policy',`',`
-	# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-	# and by sysadm_t
-
-	dontaudit ssh_keygen_t self:capability sys_tty_config;
-	allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
-	allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-
-	allow ssh_keygen_t sshd_key_t:file create_file_perms;
-	files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
-
-	kernel_read_kernel_sysctls(ssh_keygen_t)
-
-	fs_search_auto_mountpoints(ssh_keygen_t)
-
-	dev_read_sysfs(ssh_keygen_t)
-	dev_read_urand(ssh_keygen_t)
-
-	term_dontaudit_use_console(ssh_keygen_t)
-
-	domain_use_interactive_fds(ssh_keygen_t)
-
-	files_read_etc_files(ssh_keygen_t)
-
-	init_use_fds(ssh_keygen_t)
-	init_use_script_ptys(ssh_keygen_t)
-
-	libs_use_ld_so(ssh_keygen_t)
-	libs_use_shared_libs(ssh_keygen_t)
-
-	logging_send_syslog_msg(ssh_keygen_t)
-
-	allow ssh_keygen_t proc_t:dir r_dir_perms;
-	allow ssh_keygen_t proc_t:lnk_file read;
-
-	userdom_use_sysadm_ttys(ssh_keygen_t)
-	userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-
-	# cjp: with the old daemon_(base_)domain being broken up into
-	# a daemon and system interface, this probably is not needed:
-	ifdef(`direct_sysadm_daemon',`
-		userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
-	')
-
-	ifdef(`targeted_policy', `
-		term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
-		term_dontaudit_use_generic_ptys(ssh_keygen_t)
-		files_dontaudit_read_root_files(ssh_keygen_t)
-	')
-
-	optional_policy(`
-		seutil_sigchld_newrole(ssh_keygen_t)
-	')
-
-	optional_policy(`
-		udev_read_db(ssh_keygen_t)
-	')
-')
diff --git a/refpolicy/policy/modules/services/stunnel.fc b/refpolicy/policy/modules/services/stunnel.fc
deleted file mode 100644
index 2806b91..0000000
--- a/refpolicy/policy/modules/services/stunnel.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-
-/etc/stunnel(/.*)?          	gen_context(system_u:object_r:stunnel_etc_t,s0)
-
-/usr/sbin/stunnel	--	gen_context(system_u:object_r:stunnel_exec_t,s0)
-
-/var/run/stunnel(/.*)?		gen_context(system_u:object_r:stunnel_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/stunnel.if b/refpolicy/policy/modules/services/stunnel.if
deleted file mode 100644
index d137c27..0000000
--- a/refpolicy/policy/modules/services/stunnel.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>SSL Tunneling Proxy</summary>
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
deleted file mode 100644
index 783fad6..0000000
--- a/refpolicy/policy/modules/services/stunnel.te
+++ /dev/null
@@ -1,148 +0,0 @@
-
-policy_module(stunnel,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type stunnel_t;
-domain_type(stunnel_t)
-role system_r types stunnel_t;
-
-type stunnel_exec_t;
-domain_entry_file(stunnel_t,stunnel_exec_t)
-
-ifdef(`distro_gentoo',`
-	init_daemon_domain(stunnel_t,stunnel_exec_t)
-',`
-	inetd_tcp_service_domain(stunnel_t,stunnel_exec_t)
-')
-
-type stunnel_etc_t;
-files_type(stunnel_etc_t)
-
-type stunnel_tmp_t;
-files_tmp_file(stunnel_tmp_t)
-
-type stunnel_var_run_t;
-files_pid_file(stunnel_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow stunnel_t self:capability { setgid setuid sys_chroot };
-allow stunnel_t self:process signal_perms;
-allow stunnel_t self:fifo_file rw_file_perms;
-allow stunnel_t self:tcp_socket create_stream_socket_perms;
-allow stunnel_t self:udp_socket create_socket_perms;
-
-allow stunnel_t stunnel_etc_t:dir { getattr read search };
-allow stunnel_t stunnel_etc_t:file { read getattr };
-allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
-
-allow stunnel_t stunnel_tmp_t:dir create_dir_perms;
-allow stunnel_t stunnel_tmp_t:file create_file_perms;
-files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
-
-allow stunnel_t stunnel_var_run_t:file create_file_perms;
-allow stunnel_t stunnel_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(stunnel_t,stunnel_var_run_t,file)
-
-kernel_read_kernel_sysctls(stunnel_t)
-kernel_read_system_state(stunnel_t)
-kernel_read_network_state(stunnel_t)
-
-corenet_non_ipsec_sendrecv(stunnel_t)
-corenet_tcp_sendrecv_all_if(stunnel_t)
-corenet_udp_sendrecv_all_if(stunnel_t)
-corenet_tcp_sendrecv_all_nodes(stunnel_t)
-corenet_udp_sendrecv_all_nodes(stunnel_t)
-corenet_tcp_sendrecv_all_ports(stunnel_t)
-corenet_udp_sendrecv_all_ports(stunnel_t)
-corenet_tcp_bind_all_nodes(stunnel_t)
-#corenet_tcp_bind_stunnel_port(stunnel_t)
-
-fs_getattr_all_fs(stunnel_t)
-
-libs_use_ld_so(stunnel_t)
-libs_use_shared_libs(stunnel_t)
-
-logging_send_syslog_msg(stunnel_t)
-
-miscfiles_read_localization(stunnel_t)
-
-sysnet_read_config(stunnel_t)
-
-ifdef(`distro_gentoo', `
-	dontaudit stunnel_t self:capability sys_tty_config;
-	allow stunnel_t self:udp_socket create_socket_perms;
-
-	dev_read_sysfs(stunnel_t)
-
-	fs_search_auto_mountpoints(stunnel_t)
-
-	term_dontaudit_use_console(stunnel_t)
-
-	domain_use_interactive_fds(stunnel_t)
-
-	init_use_fds(stunnel_t)
-	init_use_script_ptys(stunnel_t)
-
-	userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
-	userdom_dontaudit_search_sysadm_home_dirs(stunnel_t)
-
-	ifdef(`targeted_policy', `
-        	term_dontaudit_use_unallocated_ttys(stunnel_t)
-        	term_dontaudit_use_generic_ptys(stunnel_t)
-        	files_dontaudit_read_root_files(stunnel_t)
-	')
-
-	optional_policy(`
-		daemontools_service_domain(stunnel_t, stunnel_exec_t)
-	')
-
-	optional_policy(`
-        	mount_send_nfs_client_request(stunnel_t)
-	')
-
-	optional_policy(`
-        	seutil_sigchld_newrole(stunnel_t)
-	')
-
-	optional_policy(`
-        	udev_read_db(stunnel_t)
-	')
-',`
-	allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-
-	dev_read_urand(stunnel_t)
-
-	files_read_etc_files(stunnel_t)
-	files_search_home(stunnel_t)
-
-	optional_policy(`
-        	kerberos_use(stunnel_t)
-	')
-
-	optional_policy(`
-        	nis_use_ypbind(stunnel_t)
-	')
-
-	optional_policy(`
-        	nscd_socket_use(stunnel_t)
-	')
-')
-
-tunable_policy(`stunnel_is_daemon',`
-	allow stunnel_t self:tcp_socket create_stream_socket_perms;
-
-	# hack since this port has no interfaces since it doesnt
-	# have net_contexts
-	gen_require(`
-		type stunnel_port_t;
-	')
-	allow stunnel_t stunnel_port_t:tcp_socket name_bind;
-')
diff --git a/refpolicy/policy/modules/services/sysstat.fc b/refpolicy/policy/modules/services/sysstat.fc
deleted file mode 100644
index b319f6a..0000000
--- a/refpolicy/policy/modules/services/sysstat.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-
-/usr/lib(64)?/atsar/atsa.*	--	gen_context(system_u:object_r:sysstat_exec_t,s0)
-/usr/lib(64)?/sa/sadc		--	gen_context(system_u:object_r:sysstat_exec_t,s0)
-/usr/lib(64)?/sysstat/sa.*	--	gen_context(system_u:object_r:sysstat_exec_t,s0)
-
-/var/log/atsar(/.*)?			gen_context(system_u:object_r:sysstat_log_t,s0)
-/var/log/sa(/.*)?			gen_context(system_u:object_r:sysstat_log_t,s0)
-/var/log/sysstat(/.*)?			gen_context(system_u:object_r:sysstat_log_t,s0)
diff --git a/refpolicy/policy/modules/services/sysstat.if b/refpolicy/policy/modules/services/sysstat.if
deleted file mode 100644
index d646197..0000000
--- a/refpolicy/policy/modules/services/sysstat.if
+++ /dev/null
@@ -1,21 +0,0 @@
-## <summary>Policy for sysstat. Reports on various system states</summary>
-
-########################################
-## <summary>
-##	Manage sysstat logs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysstat_manage_log',`
-	gen_require(`
-		type sysstat_log_t;
-	')
-
-        logging_search_logs($1)
-	allow $1 sysstat_log_t:dir rw_dir_perms;
-	allow $1 sysstat_log_t:file manage_file_perms;
-')
diff --git a/refpolicy/policy/modules/services/sysstat.te b/refpolicy/policy/modules/services/sysstat.te
deleted file mode 100644
index 21ac35a..0000000
--- a/refpolicy/policy/modules/services/sysstat.te
+++ /dev/null
@@ -1,70 +0,0 @@
-
-policy_module(sysstat,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type sysstat_t;
-type sysstat_exec_t;
-init_system_domain(sysstat_t,sysstat_exec_t)
-role system_r types sysstat_t;
-
-type sysstat_log_t;
-logging_log_file(sysstat_log_t)
-
-########################################
-#
-# Local policy
-#
-
-allow sysstat_t self:capability sys_resource;
-dontaudit sysstat_t self:capability sys_admin;
-allow sysstat_t self:fifo_file rw_file_perms;
-
-can_exec(sysstat_t, sysstat_exec_t)
-
-allow sysstat_t sysstat_log_t:file create_file_perms;
-allow sysstat_t sysstat_log_t:dir rw_dir_perms;
-logging_log_filetrans(sysstat_t,sysstat_log_t,{ file dir })
-
-# get info from /proc
-kernel_read_system_state(sysstat_t)
-kernel_read_network_state(sysstat_t)
-kernel_read_kernel_sysctls(sysstat_t)
-kernel_read_fs_sysctls(sysstat_t)
-kernel_read_rpc_sysctls(sysstat_t)
-
-corecmd_dontaudit_search_sbin(sysstat_t)
-corecmd_exec_bin(sysstat_t)
-
-dev_read_urand(sysstat_t)
-
-files_search_var(sysstat_t)
-# for mtab
-files_read_etc_runtime_files(sysstat_t)
-#for fstab
-files_read_etc_files(sysstat_t)
-
-fs_getattr_xattr_fs(sysstat_t)
-
-term_use_console(sysstat_t)
-
-init_use_fds(sysstat_t)
-init_use_script_ptys(sysstat_t)
-
-libs_use_ld_so(sysstat_t)
-libs_use_shared_libs(sysstat_t)
-
-miscfiles_read_localization(sysstat_t)
-
-userdom_dontaudit_list_sysadm_home_dirs(sysstat_t)
-
-optional_policy(`
-	cron_system_entry(sysstat_t,sysstat_exec_t)
-')
-
-optional_policy(`
-	logging_send_syslog_msg(sysstat_t)
-')
diff --git a/refpolicy/policy/modules/services/tcpd.fc b/refpolicy/policy/modules/services/tcpd.fc
deleted file mode 100644
index 2e8d7a1..0000000
--- a/refpolicy/policy/modules/services/tcpd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/sbin/tcpd		--	gen_context(system_u:object_r:tcpd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/tcpd.if b/refpolicy/policy/modules/services/tcpd.if
deleted file mode 100644
index 16e8fb1..0000000
--- a/refpolicy/policy/modules/services/tcpd.if
+++ /dev/null
@@ -1,24 +0,0 @@
-## <summary>Policy for TCP daemon.</summary>
-
-########################################
-## <summary>
-##	Execute tcpd in the tcpd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`tcpd_domtrans',`
-	gen_require(`
-		type tcpd_t, tcpd_exec_t;
-	')
-
-	domain_auto_trans($1,tcpd_exec_t,tcpd_t)
-
-	allow $1 tcpd_t:fd use;
-	allow tcpd_t $1:fd use;
-	allow tcpd_t $1:fifo_file rw_file_perms;
-	allow tcpd_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te
deleted file mode 100644
index a902b93..0000000
--- a/refpolicy/policy/modules/services/tcpd.te
+++ /dev/null
@@ -1,78 +0,0 @@
-
-policy_module(tcpd,1.0.3)
-
-########################################
-#
-# Declarations
-#
-type tcpd_t;
-type tcpd_exec_t;
-inetd_tcp_service_domain(tcpd_t,tcpd_exec_t)
-role system_r types tcpd_t;
-
-type tcpd_tmp_t;
-files_tmp_file(tcpd_tmp_t)
-
-########################################
-#
-# Local policy
-#
-allow tcpd_t self:tcp_socket create_stream_socket_perms;
-
-allow tcpd_t tcpd_tmp_t:dir create_dir_perms;
-allow tcpd_t tcpd_tmp_t:file create_file_perms;
-files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
-
-corenet_non_ipsec_sendrecv(tcpd_t)
-corenet_tcp_sendrecv_all_if(tcpd_t)
-corenet_tcp_sendrecv_all_nodes(tcpd_t)
-corenet_tcp_sendrecv_all_ports(tcpd_t)
-
-fs_getattr_xattr_fs(tcpd_t)
-
-# Run other daemons in the inetd child domain.
-corecmd_search_bin(tcpd_t)
-corecmd_search_sbin(tcpd_t)
-
-files_read_etc_files(tcpd_t)
-# no good reason for files_dontaudit_search_var, probably nscd
-files_dontaudit_search_var(tcpd_t)
-
-libs_use_ld_so(tcpd_t)
-libs_use_shared_libs(tcpd_t)
-
-logging_send_syslog_msg(tcpd_t)
-
-miscfiles_read_localization(tcpd_t)
-
-sysnet_read_config(tcpd_t)
-
-inetd_domtrans_child(tcpd_t)
-
-optional_policy(`
-	finger_domtrans(tcpd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(tcpd_t)
-')
-
-optional_policy(`
-	nagios_domtrans_nrpe(tcpd_t)
-')
-
-optional_policy(`
-	portmap_udp_send(tcpd_t)
-')
-
-optional_policy(`
-	rlogin_domtrans(tcpd_t)
-')
-
-optional_policy(`
-	rshd_domtrans(tcpd_t)
-')
-
-optional_policy(`
-	uwimap_domtrans(tcpd_t)
-')
diff --git a/refpolicy/policy/modules/services/telnet.fc b/refpolicy/policy/modules/services/telnet.fc
deleted file mode 100644
index 7405170..0000000
--- a/refpolicy/policy/modules/services/telnet.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-
-/usr/sbin/in\.telnetd		--	gen_context(system_u:object_r:telnetd_exec_t,s0)
-
-/usr/kerberos/sbin/telnetd 	--	gen_context(system_u:object_r:telnetd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/telnet.if b/refpolicy/policy/modules/services/telnet.if
deleted file mode 100644
index 58e7ec0..0000000
--- a/refpolicy/policy/modules/services/telnet.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Telnet daemon</summary>
diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te
deleted file mode 100644
index 005992d..0000000
--- a/refpolicy/policy/modules/services/telnet.te
+++ /dev/null
@@ -1,104 +0,0 @@
-
-policy_module(telnet,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type telnetd_t;
-type telnetd_exec_t;
-inetd_service_domain(telnetd_t,telnetd_exec_t)
-role system_r types telnetd_t;
-
-type telnetd_devpts_t; #, userpty_type;
-term_login_pty(telnetd_devpts_t)
-
-type telnetd_tmp_t;
-files_tmp_file(telnetd_tmp_t)
-
-type telnetd_var_run_t;
-files_pid_file(telnetd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
-allow telnetd_t self:process signal_perms;
-allow telnetd_t self:fifo_file rw_file_perms;
-allow telnetd_t self:tcp_socket connected_stream_socket_perms;
-allow telnetd_t self:udp_socket create_socket_perms;
-# for identd; cjp: this should probably only be inetd_child rules?
-allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow telnetd_t self:capability { setuid setgid };
-
-allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
-term_create_pty(telnetd_t,telnetd_devpts_t)
-
-allow telnetd_t telnetd_tmp_t:dir create_dir_perms;
-allow telnetd_t telnetd_tmp_t:file create_file_perms;
-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
-
-allow telnetd_t telnetd_var_run_t:file create_file_perms;
-allow telnetd_t telnetd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(telnetd_t,telnetd_var_run_t,file)
-
-kernel_read_kernel_sysctls(telnetd_t)
-kernel_read_system_state(telnetd_t)
-kernel_read_network_state(telnetd_t)
-
-corenet_non_ipsec_sendrecv(telnetd_t)
-corenet_tcp_sendrecv_all_if(telnetd_t)
-corenet_udp_sendrecv_all_if(telnetd_t)
-corenet_tcp_sendrecv_all_nodes(telnetd_t)
-corenet_udp_sendrecv_all_nodes(telnetd_t)
-corenet_tcp_sendrecv_all_ports(telnetd_t)
-corenet_udp_sendrecv_all_ports(telnetd_t)
-
-dev_read_urand(telnetd_t)
-
-fs_getattr_xattr_fs(telnetd_t)
-
-auth_rw_login_records(telnetd_t)
-
-corecmd_search_sbin(telnetd_t)
-
-files_read_etc_files(telnetd_t)
-files_read_etc_runtime_files(telnetd_t)
-# for identd; cjp: this should probably only be inetd_child rules?
-files_search_home(telnetd_t)
-
-init_rw_utmp(telnetd_t)
-
-libs_use_ld_so(telnetd_t)
-libs_use_shared_libs(telnetd_t)
-
-logging_send_syslog_msg(telnetd_t)
-
-miscfiles_read_localization(telnetd_t)
-
-seutil_dontaudit_search_config(telnetd_t)
-
-sysnet_read_config(telnetd_t)
-
-remotelogin_domtrans(telnetd_t)
-
-# for identd; cjp: this should probably only be inetd_child rules?
-optional_policy(`
-	kerberos_use(telnetd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(telnetd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(telnetd_t)
-')
-
-ifdef(`TODO',`
-# Allow krb5 telnetd to use fork and open /dev/tty for use
-allow telnetd_t userpty_type:chr_file setattr;
-')
diff --git a/refpolicy/policy/modules/services/tftp.fc b/refpolicy/policy/modules/services/tftp.fc
deleted file mode 100644
index bb4a3be..0000000
--- a/refpolicy/policy/modules/services/tftp.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-
-/usr/sbin/atftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
-/usr/sbin/in\.tftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
-
-/tftpboot		-d	gen_context(system_u:object_r:tftpdir_t,s0)
-/tftpboot/.*			gen_context(system_u:object_r:tftpdir_t,s0)
diff --git a/refpolicy/policy/modules/services/tftp.if b/refpolicy/policy/modules/services/tftp.if
deleted file mode 100644
index ad41363..0000000
--- a/refpolicy/policy/modules/services/tftp.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Trivial file transfer protocol daemon</summary>
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
deleted file mode 100644
index 4df1189..0000000
--- a/refpolicy/policy/modules/services/tftp.te
+++ /dev/null
@@ -1,102 +0,0 @@
-
-policy_module(tftp,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type tftpd_t;
-type tftpd_exec_t;
-init_daemon_domain(tftpd_t,tftpd_exec_t)
-inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
-
-type tftpd_var_run_t;
-files_pid_file(tftpd_var_run_t)
-
-type tftpdir_t;
-files_type(tftpdir_t)
-
-########################################
-#
-# Local policy
-#
-
-allow tftpd_t self:capability { setgid setuid sys_chroot };
-allow tftpd_t self:tcp_socket create_stream_socket_perms;
-allow tftpd_t self:udp_socket create_socket_perms;
-allow tftpd_t self:unix_dgram_socket create_socket_perms;
-allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit tftpd_t self:capability sys_tty_config;
-
-allow tftpd_t tftpdir_t:dir { getattr read search };
-allow tftpd_t tftpdir_t:file { read getattr };
-allow tftpd_t tftpdir_t:lnk_file { getattr read };
-
-allow tftpd_t tftpd_var_run_t:file create_file_perms;
-allow tftpd_t tftpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
-
-kernel_read_kernel_sysctls(tftpd_t)
-kernel_list_proc(tftpd_t)
-kernel_read_proc_symlinks(tftpd_t)
-
-corenet_non_ipsec_sendrecv(tftpd_t)
-corenet_tcp_sendrecv_all_if(tftpd_t)
-corenet_udp_sendrecv_all_if(tftpd_t)
-corenet_tcp_sendrecv_all_nodes(tftpd_t)
-corenet_udp_sendrecv_all_nodes(tftpd_t)
-corenet_tcp_sendrecv_all_ports(tftpd_t)
-corenet_udp_sendrecv_all_ports(tftpd_t)
-corenet_tcp_bind_all_nodes(tftpd_t)
-corenet_udp_bind_all_nodes(tftpd_t)
-corenet_udp_bind_tftp_port(tftpd_t)
-corenet_sendrecv_tftp_server_packets(tftpd_t)
-
-dev_read_sysfs(tftpd_t)
-
-fs_getattr_all_fs(tftpd_t)
-fs_search_auto_mountpoints(tftpd_t)
-
-term_dontaudit_use_console(tftpd_t)
-
-domain_use_interactive_fds(tftpd_t)
-
-files_read_etc_files(tftpd_t);
-files_read_var_files(tftpd_t)
-files_read_var_symlinks(tftpd_t)
-files_search_var(tftpd_t)
-
-init_use_fds(tftpd_t)
-init_use_script_ptys(tftpd_t)
-
-libs_use_ld_so(tftpd_t)
-libs_use_shared_libs(tftpd_t)
-
-logging_send_syslog_msg(tftpd_t)
-
-miscfiles_read_localization(tftpd_t)
-
-sysnet_read_config(tftpd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
-userdom_dontaudit_use_sysadm_ttys(tftpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(tftpd_t)
-
-ifdef(`targeted_policy', `
-        term_dontaudit_use_unallocated_ttys(tftpd_t)
-        term_dontaudit_use_generic_ptys(tftpd_t)
-        files_dontaudit_read_root_files(tftpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(tftpd_t)
-')
-
-optional_policy(`
-        seutil_sigchld_newrole(tftpd_t)
-')
-
-optional_policy(`
-        udev_read_db(tftpd_t)
-')
diff --git a/refpolicy/policy/modules/services/timidity.fc b/refpolicy/policy/modules/services/timidity.fc
deleted file mode 100644
index ed5eef3..0000000
--- a/refpolicy/policy/modules/services/timidity.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/bin/timidity	--	gen_context(system_u:object_r:timidity_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/timidity.if b/refpolicy/policy/modules/services/timidity.if
deleted file mode 100644
index 989b240..0000000
--- a/refpolicy/policy/modules/services/timidity.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>MIDI to WAV converter and player configured as a service</summary>
diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te
deleted file mode 100644
index 86d9c26..0000000
--- a/refpolicy/policy/modules/services/timidity.te
+++ /dev/null
@@ -1,96 +0,0 @@
-
-policy_module(timidity,1.1.1)
-
-# Note: You only need this policy if you want to run timidity as a server
-
-########################################
-#
-# Declarations
-#
-
-type timidity_t;
-type timidity_exec_t;
-init_daemon_domain(timidity_t,timidity_exec_t)
-
-type timidity_tmpfs_t;
-files_tmpfs_file(timidity_tmpfs_t)
-
-########################################
-#
-# Local policy
-#
-
-allow timidity_t self:capability { dac_override dac_read_search };
-dontaudit timidity_t self:capability sys_tty_config;
-allow timidity_t self:process { signal_perms getsched };
-allow timidity_t self:shm create_shm_perms;
-allow timidity_t self:unix_stream_socket create_stream_socket_perms;
-allow timidity_t self:tcp_socket create_stream_socket_perms;
-allow timidity_t self:udp_socket create_socket_perms;
-
-allow timidity_t timidity_tmpfs_t:dir create_dir_perms;
-allow timidity_t timidity_tmpfs_t:file create_file_perms;
-allow timidity_t timidity_tmpfs_t:lnk_file create_lnk_perms;
-allow timidity_t timidity_tmpfs_t:sock_file create_file_perms;
-allow timidity_t timidity_tmpfs_t:fifo_file create_file_perms;
-fs_tmpfs_filetrans(timidity_t,timidity_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-kernel_read_kernel_sysctls(timidity_t)
-# read /proc/cpuinfo
-kernel_read_system_state(timidity_t)
-
-corenet_non_ipsec_sendrecv(timidity_t)
-corenet_tcp_sendrecv_generic_if(timidity_t)
-corenet_udp_sendrecv_generic_if(timidity_t)
-corenet_tcp_sendrecv_all_nodes(timidity_t)
-corenet_udp_sendrecv_all_nodes(timidity_t)
-corenet_tcp_sendrecv_all_ports(timidity_t)
-corenet_udp_sendrecv_all_ports(timidity_t)
-
-dev_read_sysfs(timidity_t)
-dev_read_sound(timidity_t)
-dev_write_sound(timidity_t)
-
-fs_search_auto_mountpoints(timidity_t)
-
-term_dontaudit_use_console(timidity_t)
-
-domain_use_interactive_fds(timidity_t)
-
-files_search_tmp(timidity_t)
-# read /usr/share/alsa/alsa.conf
-files_read_usr_files(timidity_t)
-# read /etc/esd.conf
-files_read_etc_files(timidity_t)
-
-init_use_fds(timidity_t)
-init_use_script_ptys(timidity_t)
-
-libs_use_ld_so(timidity_t)
-libs_use_shared_libs(timidity_t)
-# read libartscbackend.la
-libs_read_lib_files(timidity_t)
-
-logging_send_syslog_msg(timidity_t)
-
-sysnet_read_config(timidity_t)
-
-userdom_dontaudit_use_unpriv_user_fds(timidity_t)
-# stupid timidity won't start if it can't search its current directory.
-# allow this so /etc/init.d/alsasound start works from /root
-# cjp: this should be fixed if possible so this rule can be removed.
-userdom_search_sysadm_home_dirs(timidity_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(timidity_t)
-	term_dontaudit_use_generic_ptys(timidity_t)
-	files_dontaudit_read_root_files(timidity_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(timidity_t)
-')
-
-optional_policy(`
-	udev_read_db(timidity_t)
-')
diff --git a/refpolicy/policy/modules/services/tor.fc b/refpolicy/policy/modules/services/tor.fc
deleted file mode 100644
index 3ae4b72..0000000
--- a/refpolicy/policy/modules/services/tor.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/tor(/.*)?			gen_context(system_u:object_r:tor_etc_t,s0)
-
-/usr/sbin/tor		--	gen_context(system_u:object_r:tor_exec_t,s0)
-
-/var/lib/tor(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
-/var/log/tor(/.*)?		gen_context(system_u:object_r:tor_var_log_t,s0)
-/var/run/tor(/.*)?		gen_context(system_u:object_r:tor_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/tor.if b/refpolicy/policy/modules/services/tor.if
deleted file mode 100644
index 7427b97..0000000
--- a/refpolicy/policy/modules/services/tor.if
+++ /dev/null
@@ -1,24 +0,0 @@
-## <summary>TOR, the onion router</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run TOR.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`tor_domtrans',`
-	gen_require(`
-		type tor_t, tor_exec_t;
-	')
-
-	domain_auto_trans($1,tor_exec_t,tor_t)
-
-	allow $1 tor_t:fd use;
-	allow tor_t $1:fd use;
-	allow tor_t $1:fifo_file rw_file_perms;
-	allow tor_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/tor.te b/refpolicy/policy/modules/services/tor.te
deleted file mode 100644
index aa9c4a5..0000000
--- a/refpolicy/policy/modules/services/tor.te
+++ /dev/null
@@ -1,99 +0,0 @@
-
-policy_module(tor,1.0.3)
-
-########################################
-#
-# Declarations
-#
-
-type tor_t;
-type tor_exec_t;
-init_daemon_domain(tor_t, tor_exec_t)
-
-# etc/tor
-type tor_etc_t;
-files_config_file(tor_etc_t)
-
-# var/lib/tor
-type tor_var_lib_t;
-files_type(tor_var_lib_t)
-
-# log files
-type tor_var_log_t;
-logging_log_file(tor_var_log_t)
-
-# pid files
-type tor_var_run_t;
-files_pid_file(tor_var_run_t)
-
-########################################
-#
-# tor local policy
-#
-
-allow tor_t self:fifo_file { read write };
-allow tor_t self:unix_stream_socket create_stream_socket_perms;
-allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-allow tor_t self:tcp_socket create_stream_socket_perms;
-
-# configuration files
-allow tor_t tor_etc_t:dir r_dir_perms;
-allow tor_t tor_etc_t:file r_file_perms;
-allow tor_t tor_etc_t:lnk_file { getattr read };
-
-# var/lib/tor files
-allow tor_t tor_var_lib_t:file create_file_perms;
-allow tor_t tor_var_lib_t:sock_file create_file_perms;
-allow tor_t tor_var_lib_t:dir create_dir_perms;
-files_usr_filetrans(tor_t,tor_var_lib_t,file)
-files_var_filetrans(tor_t,tor_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(tor_t,tor_var_lib_t,file)
-
-# log files
-allow tor_t tor_var_log_t:file create_file_perms;
-allow tor_t tor_var_log_t:sock_file create_file_perms;
-allow tor_t tor_var_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(tor_t,tor_var_log_t,{ sock_file file dir })
-
-# pid file
-allow tor_t tor_var_run_t:file manage_file_perms;
-allow tor_t tor_var_run_t:sock_file manage_file_perms;
-allow tor_t tor_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(tor_t,tor_var_run_t, { file sock_file })
-
-# networking basics
-corenet_non_ipsec_sendrecv(tor_t)
-corenet_tcp_sendrecv_all_if(tor_t)
-corenet_tcp_sendrecv_all_nodes(tor_t)
-corenet_tcp_sendrecv_all_ports(tor_t)
-corenet_tcp_sendrecv_all_reserved_ports(tor_t)
-corenet_tcp_bind_all_nodes(tor_t)
-corenet_tcp_bind_tor_port(tor_t)
-corenet_sendrecv_tor_server_packets(tor_t)
-# TOR will need to connect to various ports
-corenet_tcp_connect_all_ports(tor_t)
-corenet_sendrecv_all_client_packets(tor_t)
-# ... especially including port 80 and other privileged ports
-corenet_tcp_connect_all_reserved_ports(tor_t)
-
-# tor uses crypto and needs random
-dev_read_urand(tor_t)
-
-domain_use_interactive_fds(tor_t)
-
-files_read_etc_files(tor_t)
-
-# comm with init
-init_use_fds(tor_t)
-init_use_script_ptys(tor_t)
-
-libs_use_ld_so(tor_t)
-libs_use_shared_libs(tor_t)
-
-miscfiles_read_localization(tor_t)
-
-sysnet_dns_name_resolve(tor_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(tor_t)
-')
diff --git a/refpolicy/policy/modules/services/transproxy.fc b/refpolicy/policy/modules/services/transproxy.fc
deleted file mode 100644
index ce33f17..0000000
--- a/refpolicy/policy/modules/services/transproxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/tproxy	--	gen_context(system_u:object_r:transproxy_exec_t,s0)
-
-/var/run/tproxy\.pid	--	gen_context(system_u:object_r:transproxy_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/transproxy.if b/refpolicy/policy/modules/services/transproxy.if
deleted file mode 100644
index 23323f9..0000000
--- a/refpolicy/policy/modules/services/transproxy.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>HTTP transperant proxy</summary>
diff --git a/refpolicy/policy/modules/services/transproxy.te b/refpolicy/policy/modules/services/transproxy.te
deleted file mode 100644
index 91edbeb..0000000
--- a/refpolicy/policy/modules/services/transproxy.te
+++ /dev/null
@@ -1,80 +0,0 @@
-
-policy_module(transproxy,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type transproxy_t;
-type transproxy_exec_t;
-init_daemon_domain(transproxy_t,transproxy_exec_t)
-
-type transproxy_var_run_t;
-files_pid_file(transproxy_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow transproxy_t self:capability { setgid setuid };
-dontaudit transproxy_t self:capability sys_tty_config;
-allow transproxy_t self:process signal_perms;
-allow transproxy_t self:tcp_socket create_stream_socket_perms;
-
-allow transproxy_t transproxy_var_run_t:file create_file_perms;
-allow transproxy_t transproxy_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(transproxy_t,transproxy_var_run_t,file)
-
-kernel_read_kernel_sysctls(transproxy_t)
-kernel_list_proc(transproxy_t)
-kernel_read_proc_symlinks(transproxy_t)
-
-corenet_non_ipsec_sendrecv(transproxy_t)
-corenet_tcp_sendrecv_generic_if(transproxy_t)
-corenet_tcp_sendrecv_all_nodes(transproxy_t)
-corenet_tcp_sendrecv_all_ports(transproxy_t)
-corenet_tcp_bind_all_nodes(transproxy_t)
-corenet_tcp_bind_transproxy_port(transproxy_t)
-corenet_sendrecv_transproxy_server_packets(transproxy_t)
-
-dev_read_sysfs(transproxy_t)
-
-domain_use_interactive_fds(transproxy_t)
-
-files_read_etc_files(transproxy_t)
-
-fs_getattr_all_fs(transproxy_t)
-fs_search_auto_mountpoints(transproxy_t)
-
-term_dontaudit_use_console(transproxy_t)
-
-init_use_fds(transproxy_t)
-init_use_script_ptys(transproxy_t)
-
-libs_use_ld_so(transproxy_t)
-libs_use_shared_libs(transproxy_t)
-
-logging_send_syslog_msg(transproxy_t)
-
-miscfiles_read_localization(transproxy_t)
-
-sysnet_read_config(transproxy_t)
-
-userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
-userdom_dontaudit_search_sysadm_home_dirs(transproxy_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(transproxy_t)
-	term_dontaudit_use_generic_ptys(transproxy_t)
-	files_dontaudit_read_root_files(transproxy_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(transproxy_t)
-')
-
-optional_policy(`
-	udev_read_db(transproxy_t)
-')
diff --git a/refpolicy/policy/modules/services/ucspitcp.fc b/refpolicy/policy/modules/services/ucspitcp.fc
deleted file mode 100644
index 667d0b5..0000000
--- a/refpolicy/policy/modules/services/ucspitcp.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-
-/usr/bin/rblsmtpd	--	gen_context(system_u:object_r:rblsmtpd_exec_t,s0)
-/usr/bin/tcpserver	--	gen_context(system_u:object_r:ucspitcp_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/ucspitcp.if b/refpolicy/policy/modules/services/ucspitcp.if
deleted file mode 100644
index 03f11c5..0000000
--- a/refpolicy/policy/modules/services/ucspitcp.if
+++ /dev/null
@@ -1,40 +0,0 @@
-## <summary>ucspitcp policy</summary>
-## <desc>
-##      <p>
-##              Policy for DJB's ucspi-tcpd
-##      </p>
-## </desc>
-
-########################################
-## <summary>
-##      Define a specified domain as a ucspitcp service.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-## <param name="entrypoint">
-##	<summary>
-##      The type associated with the process program.
-##	</summary>
-## </param>
-#
-interface(`ucspitcp_service_domain', `
-	gen_require(`
-		type ucspitcp_t;
-		role system_r;
-	')
-
-	domain_type($1)
-	domain_entry_file($1,$2)
-
-	role system_r types $1;
-
-	domain_auto_trans(ucspitcp_t, $2, $1)
-
-	allow $1 ucspitcp_t:fd use;
-	allow $1 ucspitcp_t:process sigchld;
-	allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
-')
-
diff --git a/refpolicy/policy/modules/services/ucspitcp.te b/refpolicy/policy/modules/services/ucspitcp.te
deleted file mode 100644
index 26fed63..0000000
--- a/refpolicy/policy/modules/services/ucspitcp.te
+++ /dev/null
@@ -1,101 +0,0 @@
-
-policy_module(ucspitcp,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type rblsmtpd_t;
-type rblsmtpd_exec_t;
-init_system_domain(rblsmtpd_t,rblsmtpd_exec_t)
-role system_r types rblsmtpd_t;
-
-type ucspitcp_t;
-type ucspitcp_exec_t;
-init_system_domain(ucspitcp_t,ucspitcp_exec_t)
-role system_r types ucspitcp_t;
-
-########################################
-#
-# Local policy for rblsmtpd
-#
-
-ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
-
-allow rblsmtpd_t self:process { fork sigchld };
-
-corecmd_search_bin(rblsmtpd_t)
-
-corenet_tcp_sendrecv_all_if(rblsmtpd_t)
-corenet_udp_sendrecv_all_if(rblsmtpd_t)
-corenet_tcp_sendrecv_all_nodes(rblsmtpd_t)
-corenet_udp_sendrecv_all_nodes(rblsmtpd_t)
-corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
-corenet_udp_sendrecv_all_ports(rblsmtpd_t)
-corenet_non_ipsec_sendrecv(rblsmtpd_t)
-corenet_tcp_bind_all_nodes(rblsmtpd_t)
-corenet_udp_bind_generic_port(rblsmtpd_t)
-
-files_read_etc_files(rblsmtpd_t)
-files_search_var(rblsmtpd_t)
-
-libs_use_ld_so(rblsmtpd_t)
-libs_use_shared_libs(rblsmtpd_t)
-
-optional_policy(`
-	daemontools_ipc_domain(rblsmtpd_t)
-')
-
-########################################
-#
-# Local policy for tcpserver
-#
-
-allow ucspitcp_t self:capability { setgid setuid };
-allow ucspitcp_t self:fifo_file { read write };
-allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
-allow ucspitcp_t self:udp_socket create_socket_perms;
-
-corecmd_search_bin(ucspitcp_t)
-corecmd_search_sbin(ucspitcp_t)
-
-# base networking:
-corenet_non_ipsec_sendrecv(ucspitcp_t)
-corenet_tcp_sendrecv_all_if(ucspitcp_t)
-corenet_udp_sendrecv_all_if(ucspitcp_t)
-corenet_tcp_sendrecv_all_nodes(ucspitcp_t)
-corenet_udp_sendrecv_all_nodes(ucspitcp_t)
-corenet_tcp_sendrecv_all_ports(ucspitcp_t)
-corenet_udp_sendrecv_all_ports(ucspitcp_t)
-corenet_tcp_bind_all_nodes(ucspitcp_t)
-corenet_udp_bind_all_nodes(ucspitcp_t)
-
-# server ports:
-corenet_tcp_bind_ftp_port(ucspitcp_t)
-corenet_tcp_bind_ftp_data_port(ucspitcp_t)
-corenet_tcp_bind_http_port(ucspitcp_t)
-corenet_tcp_bind_smtp_port(ucspitcp_t)
-corenet_tcp_bind_dns_port(ucspitcp_t)
-corenet_udp_bind_dns_port(ucspitcp_t)
-corenet_udp_bind_generic_port(ucspitcp_t)
-
-# server packets:
-corenet_sendrecv_ftp_server_packets(ucspitcp_t)
-corenet_sendrecv_http_server_packets(ucspitcp_t)
-corenet_sendrecv_smtp_server_packets(ucspitcp_t)
-corenet_sendrecv_dns_server_packets(ucspitcp_t)
-corenet_sendrecv_generic_server_packets(ucspitcp_t)
-
-files_search_var(ucspitcp_t)
-files_read_etc_files(ucspitcp_t)
-
-libs_use_ld_so(ucspitcp_t)
-libs_use_shared_libs(ucspitcp_t)
-
-sysnet_read_config(ucspitcp_t)
-
-optional_policy(`
-	daemontools_service_domain(ucspitcp_t,ucspitcp_exec_t)
-	daemontools_read_svc(ucspitcp_t)
-')
diff --git a/refpolicy/policy/modules/services/uptime.fc b/refpolicy/policy/modules/services/uptime.fc
deleted file mode 100644
index 1f22545..0000000
--- a/refpolicy/policy/modules/services/uptime.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-
-/etc/uptimed\.conf	--	gen_context(system_u:object_r:uptimed_etc_t,s0)
-
-/usr/sbin/uptimed	--	gen_context(system_u:object_r:uptimed_exec_t,s0)
-
-/var/spool/uptimed(/.*)?        gen_context(system_u:object_r:uptimed_spool_t,s0)
diff --git a/refpolicy/policy/modules/services/uptime.if b/refpolicy/policy/modules/services/uptime.if
deleted file mode 100644
index 447abf7..0000000
--- a/refpolicy/policy/modules/services/uptime.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Uptime daemon</summary>
diff --git a/refpolicy/policy/modules/services/uptime.te b/refpolicy/policy/modules/services/uptime.te
deleted file mode 100644
index 0e02460..0000000
--- a/refpolicy/policy/modules/services/uptime.te
+++ /dev/null
@@ -1,90 +0,0 @@
-
-policy_module(uptime,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type uptimed_t;
-type uptimed_exec_t;
-init_daemon_domain(uptimed_t,uptimed_exec_t)
-
-type uptimed_etc_t alias etc_uptimed_t;
-files_config_file(uptimed_etc_t)
-
-type uptimed_spool_t;
-files_type(uptimed_spool_t)
-
-type uptimed_var_run_t;
-files_pid_file(uptimed_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit uptimed_t self:capability sys_tty_config;
-allow uptimed_t self:process signal_perms;
-allow uptimed_t self:fifo_file { getattr write };
-
-allow uptimed_t uptimed_etc_t:file { getattr read };
-files_search_etc(uptimed_t)
-
-allow uptimed_t uptimed_spool_t:file manage_file_perms;
-
-allow uptimed_t uptimed_var_run_t:file manage_file_perms;
-allow uptimed_t uptimed_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(uptimed_t,uptimed_var_run_t,file)
-
-allow uptimed_t uptimed_spool_t:dir manage_dir_perms;
-allow uptimed_t uptimed_spool_t:file manage_file_perms;
-files_spool_filetrans(uptimed_t,uptimed_spool_t,{ dir file })
-
-kernel_read_system_state(uptimed_t)
-kernel_read_kernel_sysctls(uptimed_t)
-
-corecmd_exec_shell(uptimed_t)
-corecmd_search_sbin(uptimed_t)
-
-dev_read_sysfs(uptimed_t)
-
-domain_use_interactive_fds(uptimed_t)
-
-files_read_etc_runtime_files(uptimed_t)
-
-fs_getattr_all_fs(uptimed_t)
-fs_search_auto_mountpoints(uptimed_t)
-
-term_dontaudit_use_console(uptimed_t)
-
-init_use_fds(uptimed_t)
-init_use_script_ptys(uptimed_t)
-
-libs_use_ld_so(uptimed_t)
-libs_use_shared_libs(uptimed_t)
-
-logging_send_syslog_msg(uptimed_t)
-
-miscfiles_read_localization(uptimed_t)
-
-userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
-userdom_dontaudit_search_sysadm_home_dirs(uptimed_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(uptimed_t)
-	term_dontaudit_use_generic_ptys(uptimed_t)
-	files_dontaudit_read_root_files(uptimed_t)
-')
-
-optional_policy(`
-	mta_send_mail(uptimed_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(uptimed_t)
-')
-
-optional_policy(`
-	udev_read_db(uptimed_t)
-')
diff --git a/refpolicy/policy/modules/services/uucp.fc b/refpolicy/policy/modules/services/uucp.fc
deleted file mode 100644
index f1c2fea..0000000
--- a/refpolicy/policy/modules/services/uucp.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-
-/usr/sbin/uucico	--	gen_context(system_u:object_r:uucpd_exec_t,s0)
-
-/var/spool/uucp(/.*)?		gen_context(system_u:object_r:uucpd_spool_t,s0)
-/var/spool/uucppublic(/.*)?	gen_context(system_u:object_r:uucpd_spool_t,s0)
-
-/var/log/uucp(/.*)?		gen_context(system_u:object_r:uucpd_log_t,s0)
diff --git a/refpolicy/policy/modules/services/uucp.if b/refpolicy/policy/modules/services/uucp.if
deleted file mode 100644
index 5efdf15..0000000
--- a/refpolicy/policy/modules/services/uucp.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Unix to Unix Copy</summary>
diff --git a/refpolicy/policy/modules/services/uucp.te b/refpolicy/policy/modules/services/uucp.te
deleted file mode 100644
index 0b78f3e..0000000
--- a/refpolicy/policy/modules/services/uucp.te
+++ /dev/null
@@ -1,107 +0,0 @@
-
-policy_module(uucp,1.1.1)
-
-########################################
-#
-# Declarations
-#
-type uucpd_t;
-type uucpd_exec_t;
-inetd_tcp_service_domain(uucpd_t,uucpd_exec_t)
-role system_r types uucpd_t;
-
-type uucpd_tmp_t;
-files_tmp_file(uucpd_tmp_t)
-
-type uucpd_var_run_t;
-files_pid_file(uucpd_var_run_t)
-
-type uucpd_rw_t;
-files_type(uucpd_rw_t)
-
-type uucpd_ro_t;
-files_type(uucpd_ro_t)
-
-type uucpd_spool_t;
-files_type(uucpd_spool_t)
-
-type uucpd_log_t;
-logging_log_file(uucpd_log_t)
-
-########################################
-#
-# Local policy
-#
-allow uucpd_t self:capability { setuid setgid };
-allow uucpd_t self:process signal_perms;
-allow uucpd_t self:fifo_file rw_file_perms;
-allow uucpd_t self:tcp_socket connected_stream_socket_perms;
-allow uucpd_t self:udp_socket create_socket_perms;
-allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-
-allow uucpd_t uucpd_log_t:file create_file_perms;
-allow uucpd_t uucpd_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(uucpd_t,uucpd_log_t,{ file dir })
-
-allow uucpd_t uucpd_ro_t:dir r_dir_perms;
-allow uucpd_t uucpd_ro_t:file r_file_perms;
-allow uucpd_t uucpd_ro_t:lnk_file { getattr read };
-
-allow uucpd_t uucpd_rw_t:dir create_dir_perms;
-allow uucpd_t uucpd_rw_t:file create_file_perms;
-allow uucpd_t uucpd_rw_t:lnk_file create_lnk_perms;
-
-allow uucpd_t uucpd_spool_t:dir create_dir_perms;
-allow uucpd_t uucpd_spool_t:file create_file_perms;
-allow uucpd_t uucpd_spool_t:lnk_file create_lnk_perms;
-
-allow uucpd_t uucpd_tmp_t:dir create_dir_perms;
-allow uucpd_t uucpd_tmp_t:file create_file_perms;
-files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
-
-allow uucpd_t uucpd_var_run_t:file create_file_perms;
-allow uucpd_t uucpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(uucpd_t,uucpd_var_run_t,file)
-
-kernel_read_kernel_sysctls(uucpd_t)
-kernel_read_system_state(uucpd_t)
-kernel_read_network_state(uucpd_t)
-
-corenet_non_ipsec_sendrecv(uucpd_t)
-corenet_tcp_sendrecv_all_if(uucpd_t)
-corenet_udp_sendrecv_all_if(uucpd_t)
-corenet_tcp_sendrecv_all_nodes(uucpd_t)
-corenet_udp_sendrecv_all_nodes(uucpd_t)
-corenet_tcp_sendrecv_all_ports(uucpd_t)
-corenet_udp_sendrecv_all_ports(uucpd_t)
-
-dev_read_urand(uucpd_t)
-
-fs_getattr_xattr_fs(uucpd_t)
-
-corecmd_exec_sbin(uucpd_t)
-
-files_read_etc_files(uucpd_t)
-files_search_home(uucpd_t)
-files_search_spool(uucpd_t)
-
-libs_use_ld_so(uucpd_t)
-libs_use_shared_libs(uucpd_t)
-
-logging_send_syslog_msg(uucpd_t)
-
-miscfiles_read_localization(uucpd_t)
-
-sysnet_read_config(uucpd_t)
-
-optional_policy(`
-	kerberos_use(uucpd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(uucpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(uucpd_t)
-')
diff --git a/refpolicy/policy/modules/services/uwimap.fc b/refpolicy/policy/modules/services/uwimap.fc
deleted file mode 100644
index 43bdef0..0000000
--- a/refpolicy/policy/modules/services/uwimap.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/usr/sbin/imapd		-- 	gen_context(system_u:object_r:imapd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/uwimap.if b/refpolicy/policy/modules/services/uwimap.if
deleted file mode 100644
index f228be9..0000000
--- a/refpolicy/policy/modules/services/uwimap.if
+++ /dev/null
@@ -1,25 +0,0 @@
-## <summary>University of Washington IMAP toolkit POP3 and IMAP mail server</summary>
-
-########################################
-## <summary>
-##	Execute the UW IMAP/POP3 servers with a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`uwimap_domtrans',`
-	gen_require(`
-		type imapd_t, imapd_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,imapd_exec_t,imapd_t)
-
-	allow $1 imapd_t:fd use;
-	allow imapd_t $1:fd use;
-	allow imapd_t $1:fifo_file rw_file_perms;
-	allow imapd_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/services/uwimap.te b/refpolicy/policy/modules/services/uwimap.te
deleted file mode 100644
index 07ec96b..0000000
--- a/refpolicy/policy/modules/services/uwimap.te
+++ /dev/null
@@ -1,102 +0,0 @@
-
-policy_module(uwimap,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type imapd_t;
-type imapd_exec_t;
-init_daemon_domain(imapd_t,imapd_exec_t)
-inetd_tcp_service_domain(imapd_t,imapd_exec_t)
-
-type imapd_tmp_t;
-files_tmp_file(imapd_tmp_t)
-
-type imapd_var_run_t;
-files_pid_file(imapd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-dontaudit imapd_t self:capability sys_tty_config;
-allow imapd_t self:process signal_perms;
-allow imapd_t self:fifo_file rw_file_perms;
-allow imapd_t self:tcp_socket create_stream_socket_perms;
-
-allow imapd_t imapd_tmp_t:dir create_dir_perms;
-allow imapd_t imapd_tmp_t:file create_file_perms;
-files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
-
-allow imapd_t imapd_var_run_t:file create_file_perms;
-allow imapd_t imapd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(imapd_t,imapd_var_run_t,file)
-
-kernel_read_kernel_sysctls(imapd_t)
-kernel_list_proc(imapd_t)
-kernel_read_proc_symlinks(imapd_t)
-
-corenet_non_ipsec_sendrecv(imapd_t)
-corenet_tcp_sendrecv_generic_if(imapd_t)
-corenet_tcp_sendrecv_all_nodes(imapd_t)
-corenet_tcp_sendrecv_all_ports(imapd_t)
-corenet_tcp_bind_all_nodes(imapd_t)
-corenet_tcp_bind_pop_port(imapd_t)
-corenet_tcp_connect_all_ports(imapd_t)
-corenet_sendrecv_pop_server_packets(imapd_t)
-corenet_sendrecv_all_client_packets(imapd_t)
-
-dev_read_sysfs(imapd_t)
-#urandom, for ssl
-dev_read_rand(imapd_t)
-dev_read_urand(imapd_t)
-
-domain_use_interactive_fds(imapd_t)
-
-#read /etc/ for hostname nsswitch.conf
-files_read_etc_files(imapd_t)
-
-fs_getattr_all_fs(imapd_t)
-fs_search_auto_mountpoints(imapd_t)
-
-term_dontaudit_use_console(imapd_t)
-
-auth_domtrans_chk_passwd(imapd_t)
-
-init_use_fds(imapd_t)
-init_use_script_ptys(imapd_t)
-
-libs_use_ld_so(imapd_t)
-libs_use_shared_libs(imapd_t)
-
-logging_send_syslog_msg(imapd_t)
-
-miscfiles_read_localization(imapd_t)
-
-sysnet_read_config(imapd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(imapd_t)
-userdom_dontaudit_search_sysadm_home_dirs(imapd_t)
-# cjp: this is excessive, should be limited to the
-# mail directories
-userdom_priveleged_home_dir_manager(imapd_t)
-
-mta_rw_spool(imapd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(imapd_t)
-	term_dontaudit_use_generic_ptys(imapd_t)
-	files_dontaudit_read_root_files(imapd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(imapd_t)
-')
-
-optional_policy(`
-	udev_read_db(imapd_t)
-')
diff --git a/refpolicy/policy/modules/services/watchdog.fc b/refpolicy/policy/modules/services/watchdog.fc
deleted file mode 100644
index 7551c51..0000000
--- a/refpolicy/policy/modules/services/watchdog.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/sbin/watchdog	--	gen_context(system_u:object_r:watchdog_exec_t,s0)
-
-/var/log/watchdog(/.*)?		gen_context(system_u:object_r:watchdog_log_t,s0)
-
-/var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/watchdog.if b/refpolicy/policy/modules/services/watchdog.if
deleted file mode 100644
index f8acf10..0000000
--- a/refpolicy/policy/modules/services/watchdog.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>Software watchdog</summary>
diff --git a/refpolicy/policy/modules/services/watchdog.te b/refpolicy/policy/modules/services/watchdog.te
deleted file mode 100644
index f6928ff..0000000
--- a/refpolicy/policy/modules/services/watchdog.te
+++ /dev/null
@@ -1,121 +0,0 @@
-
-policy_module(watchdog,1.0.1)
-
-#################################
-#
-# Rules for the watchdog_t domain.
-#
-
-type watchdog_t;
-type watchdog_exec_t;
-init_daemon_domain(watchdog_t,watchdog_exec_t)
-
-type watchdog_log_t;
-logging_log_file(watchdog_log_t)
-
-type watchdog_var_run_t;
-files_pid_file(watchdog_var_run_t)
-
-########################################
-#
-# Declarations
-#
-
-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
-dontaudit watchdog_t self:capability sys_tty_config;
-allow watchdog_t self:process { setsched signal_perms };
-allow watchdog_t self:fifo_file rw_file_perms;
-allow watchdog_t self:unix_stream_socket create_socket_perms;
-allow watchdog_t self:tcp_socket create_stream_socket_perms;
-allow watchdog_t self:udp_socket create_socket_perms;
-
-allow watchdog_t watchdog_log_t:file create_file_perms;
-logging_log_filetrans(watchdog_t,watchdog_log_t,file)
-
-allow watchdog_t watchdog_var_run_t:file create_file_perms;
-allow watchdog_t watchdog_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(watchdog_t,watchdog_var_run_t,file)
-
-kernel_read_system_state(watchdog_t)
-kernel_read_kernel_sysctls(watchdog_t)
-kernel_unmount_proc(watchdog_t)
-
-corecmd_search_sbin(watchdog_t)
-# for orderly shutdown
-corecmd_exec_shell(watchdog_t)
-
-# cjp: why networking?
-corenet_non_ipsec_sendrecv(watchdog_t)
-corenet_tcp_sendrecv_generic_if(watchdog_t)
-corenet_udp_sendrecv_generic_if(watchdog_t)
-corenet_tcp_sendrecv_all_nodes(watchdog_t)
-corenet_udp_sendrecv_all_nodes(watchdog_t)
-corenet_tcp_sendrecv_all_ports(watchdog_t)
-corenet_udp_sendrecv_all_ports(watchdog_t)
-corenet_tcp_connect_all_ports(watchdog_t)
-corenet_sendrecv_all_client_packets(watchdog_t)
-
-dev_read_sysfs(watchdog_t)
-dev_write_watchdog(watchdog_t)
-# do not care about saving the random seed
-dev_dontaudit_read_rand(watchdog_t)
-dev_dontaudit_read_urand(watchdog_t)
-
-domain_use_interactive_fds(watchdog_t)
-domain_getsession_all_domains(watchdog_t)
-domain_sigchld_all_domains(watchdog_t)
-domain_sigstop_all_domains(watchdog_t)
-domain_signull_all_domains(watchdog_t)
-domain_signal_all_domains(watchdog_t)
-domain_kill_all_domains(watchdog_t)
-
-files_read_etc_files(watchdog_t)
-# for updating mtab on umount
-files_manage_etc_runtime_files(watchdog_t)
-files_etc_filetrans_etc_runtime(watchdog_t,file)
-
-fs_unmount_xattr_fs(watchdog_t)
-fs_getattr_all_fs(watchdog_t)
-fs_search_auto_mountpoints(watchdog_t)
-
-term_dontaudit_use_console(watchdog_t)
-
-# record the fact that we are going down
-auth_append_login_records(watchdog_t)
-
-init_use_fds(watchdog_t)
-init_use_script_ptys(watchdog_t)
-
-libs_use_ld_so(watchdog_t)
-libs_use_shared_libs(watchdog_t)
-
-logging_send_syslog_msg(watchdog_t)
-
-miscfiles_read_localization(watchdog_t)
-
-sysnet_read_config(watchdog_t)
-
-userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
-userdom_dontaudit_search_sysadm_home_dirs(watchdog_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(watchdog_t)
-	term_dontaudit_use_generic_ptys(watchdog_t)
-	files_dontaudit_read_root_files(watchdog_t)
-')
-
-optional_policy(`
-	mta_send_mail(watchdog_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(watchdog_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(watchdog_t)
-')
-
-optional_policy(`
-	udev_read_db(watchdog_t)
-')
diff --git a/refpolicy/policy/modules/services/xfs.fc b/refpolicy/policy/modules/services/xfs.fc
deleted file mode 100644
index 8e70038..0000000
--- a/refpolicy/policy/modules/services/xfs.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-
-/tmp/\.font-unix(/.*)?		gen_context(system_u:object_r:xfs_tmp_t,s0)
-
-/usr/bin/xfs		--	gen_context(system_u:object_r:xfs_exec_t,s0)
-/usr/bin/xfstt		--	gen_context(system_u:object_r:xfs_exec_t,s0)
-
-/usr/X11R6/bin/xfs	--	gen_context(system_u:object_r:xfs_exec_t,s0)
-/usr/X11R6/bin/xfs-xtt	--	gen_context(system_u:object_r:xfs_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/xfs.if b/refpolicy/policy/modules/services/xfs.if
deleted file mode 100644
index d8bf4d1..0000000
--- a/refpolicy/policy/modules/services/xfs.if
+++ /dev/null
@@ -1,63 +0,0 @@
-## <summary>X Windows Font Server </summary>
-
-########################################
-## <summary>
-##	Read a X font server named socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xfs_read_sockets',`
-	gen_require(`
-		type xfs_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 xfs_tmp_t:dir search;
-	allow $1 xfs_tmp_t:sock_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Connect to a X font server over
-##	a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xfs_stream_connect',`
-	gen_require(`
-		type xfs_tmp_t, xfs_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 xfs_tmp_t:dir search;
-	allow $1 xfs_tmp_t:sock_file write;
-	allow $1 xfs_t:unix_stream_socket connectto;
-')
-
-
-########################################
-## <summary>
-##	Allow the specified domain to execute xfs
-##	in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xfs_exec',`
-	gen_require(`
-		type xfs_exec_t;
-	')
-
-	can_exec($1,xfs_exec_t)
-')
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
deleted file mode 100644
index 5752f5d..0000000
--- a/refpolicy/policy/modules/services/xfs.te
+++ /dev/null
@@ -1,100 +0,0 @@
-
-policy_module(xfs,1.0.3)
-
-########################################
-#
-# Declarations
-#
-
-type xfs_t;
-type xfs_exec_t;
-init_daemon_domain(xfs_t,xfs_exec_t)
-
-type xfs_tmp_t;
-files_tmp_file(xfs_tmp_t)
-
-type xfs_var_run_t;
-files_pid_file(xfs_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow xfs_t self:capability { setgid setuid };
-dontaudit xfs_t self:capability sys_tty_config;
-allow xfs_t self:process { signal_perms setpgid };
-allow xfs_t self:unix_stream_socket create_stream_socket_perms;
-allow xfs_t self:unix_dgram_socket create_socket_perms;
-
-allow xfs_t xfs_tmp_t:dir create_dir_perms;
-allow xfs_t xfs_tmp_t:sock_file create_file_perms;
-files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
-
-allow xfs_t xfs_var_run_t:file create_file_perms;
-allow xfs_t xfs_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(xfs_t,xfs_var_run_t,file)
-
-# Bind to /tmp/.font-unix/fs-1.
-# cjp: I do not believe this has an effect.
-allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
-
-kernel_read_kernel_sysctls(xfs_t)
-kernel_read_system_state(xfs_t)
-
-corecmd_list_bin(xfs_t)
-corecmd_list_sbin(xfs_t)
-
-dev_read_sysfs(xfs_t)
-
-fs_getattr_all_fs(xfs_t)
-fs_search_auto_mountpoints(xfs_t)
-
-domain_use_interactive_fds(xfs_t)
-
-files_read_etc_files(xfs_t)
-files_read_etc_runtime_files(xfs_t)
-files_read_usr_files(xfs_t)
-
-term_dontaudit_use_console(xfs_t)
-
-auth_use_nsswitch(xfs_t)
-
-init_use_fds(xfs_t)
-init_use_script_ptys(xfs_t)
-
-libs_use_ld_so(xfs_t)
-libs_use_shared_libs(xfs_t)
-
-logging_send_syslog_msg(xfs_t)
-
-miscfiles_read_localization(xfs_t)
-miscfiles_read_fonts(xfs_t)
-
-userdom_dontaudit_use_unpriv_user_fds(xfs_t)
-userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
-
-xfs_exec(xfs_t)
-
-ifdef(`distro_debian',`
-	# for /tmp/.font-unix/fs7100
-	init_script_tmp_filetrans(xfs_t,xfs_tmp_t,sock_file)
-')
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(xfs_t)
-	term_dontaudit_use_generic_ptys(xfs_t)
-	files_dontaudit_read_root_files(xfs_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(xfs_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(xfs_t)
-')
-
-optional_policy(`
-	udev_read_db(xfs_t)
-')
diff --git a/refpolicy/policy/modules/services/xprint.fc b/refpolicy/policy/modules/services/xprint.fc
deleted file mode 100644
index 6a857ff..0000000
--- a/refpolicy/policy/modules/services/xprint.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/Xprt	--	gen_context(system_u:object_r:xprint_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/xprint.if b/refpolicy/policy/modules/services/xprint.if
deleted file mode 100644
index e69a82a..0000000
--- a/refpolicy/policy/modules/services/xprint.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>X print server</summary>
diff --git a/refpolicy/policy/modules/services/xprint.te b/refpolicy/policy/modules/services/xprint.te
deleted file mode 100644
index f74a498..0000000
--- a/refpolicy/policy/modules/services/xprint.te
+++ /dev/null
@@ -1,99 +0,0 @@
-
-policy_module(xprint,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type xprint_t;
-type xprint_exec_t;
-init_daemon_domain(xprint_t,xprint_exec_t)
-
-type xprint_var_run_t;
-files_pid_file(xprint_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit xprint_t self:capability sys_tty_config;
-allow xprint_t self:process signal_perms;
-allow xprint_t self:fifo_file rw_file_perms;
-allow xprint_t self:tcp_socket create_stream_socket_perms;
-allow xprint_t self:udp_socket create_socket_perms;
-
-allow xprint_t xprint_var_run_t:file create_file_perms;
-allow xprint_t xprint_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(xprint_t,xprint_var_run_t,file)
-
-kernel_read_system_state(xprint_t)
-kernel_read_kernel_sysctls(xprint_t)
-
-corecmd_exec_bin(xprint_t)
-corecmd_exec_sbin(xprint_t)
-corecmd_exec_ls(xprint_t)
-corecmd_exec_shell(xprint_t)
-
-corenet_non_ipsec_sendrecv(xprint_t)
-corenet_tcp_sendrecv_generic_if(xprint_t)
-corenet_udp_sendrecv_generic_if(xprint_t)
-corenet_tcp_sendrecv_all_nodes(xprint_t)
-corenet_udp_sendrecv_all_nodes(xprint_t)
-corenet_tcp_sendrecv_all_ports(xprint_t)
-corenet_udp_sendrecv_all_ports(xprint_t)
-
-dev_read_sysfs(xprint_t)
-dev_read_urand(xprint_t)
-
-domain_use_interactive_fds(xprint_t)
-
-files_read_etc_files(xprint_t)
-files_read_etc_runtime_files(xprint_t)
-files_read_usr_files(xprint_t)
-files_search_var_lib(xprint_t)
-files_search_tmp(xprint_t)
-
-fs_getattr_all_fs(xprint_t)
-fs_search_auto_mountpoints(xprint_t)
-
-term_dontaudit_use_console(xprint_t)
-
-init_use_fds(xprint_t)
-init_use_script_ptys(xprint_t)
-
-libs_use_ld_so(xprint_t)
-libs_use_shared_libs(xprint_t)
-
-logging_send_syslog_msg(xprint_t)
-
-miscfiles_read_fonts(xprint_t)
-miscfiles_read_localization(xprint_t)
-
-sysnet_read_config(xprint_t)
-
-userdom_dontaudit_use_unpriv_user_fds(xprint_t)
-userdom_dontaudit_search_sysadm_home_dirs(xprint_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(xprint_t)
-	term_dontaudit_use_generic_ptys(xprint_t)
-	files_dontaudit_read_root_files(xprint_t)
-')
-
-optional_policy(`
-	cups_read_config(xprint_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(xprint_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(xprint_t)
-')
-
-optional_policy(`
-	udev_read_db(xprint_t)
-')
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
deleted file mode 100644
index e5e55a6..0000000
--- a/refpolicy/policy/modules/services/xserver.fc
+++ /dev/null
@@ -1,105 +0,0 @@
-#
-# HOME_DIR
-#
-ifdef(`strict_policy',`
-HOME_DIR/\.fonts.conf	--	gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
-HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:ROLE_fonts_t,s0)
-HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.fonts.cache-.* --	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
-HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
-HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
-')
-
-#
-# /dev
-#
-/dev/xconsole		-p	gen_context(system_u:object_r:xconsole_device_t,s0)
-
-#
-# /etc
-#
-
-/etc/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
-
-/etc/kde3?/kdm/Xstartup	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/kde3?/kdm/Xreset	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/kde3?/kdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/kde3?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
-
-/etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/X11/[wx]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-/etc/X11/wdm/Xsetup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-
-#
-# /opt
-#
-
-/opt/kde3/bin/kdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-
-#
-# /tmp
-#
-
-/tmp/\.ICE-unix		-d	gen_context(system_u:object_r:ice_tmp_t,s0)
-/tmp/\.ICE-unix/.*	-s	<<none>>
-/tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.X11-unix/.*	-s	<<none>>
-
-ifdef(`strict_policy',`
-/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
-')
-
-#
-# /usr
-#
-
-/usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/bin/iceauth		--	gen_context(system_u:object_r:iceauth_exec_t,s0)
-/usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/bin/xauth    	--      gen_context(system_u:object_r:xauth_exec_t,s0)
-/usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
-ifdef(`distro_debian', `
-/usr/sbin/gdm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
-')
-
-/usr/lib(64)?/qt-.*/etc/settings(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
-
-/usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-
-/usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
-/usr/X11R6/bin/X		--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/X11R6/bin/xauth    --      gen_context(system_u:object_r:xauth_exec_t,s0)
-/usr/X11R6/bin/XFree86	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
-/usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
-
-#
-# /var
-#
-
-/var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-
-/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
-
-/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
-
-/var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
-/var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
-
-ifdef(`distro_suse',`
-/var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
-')
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
deleted file mode 100644
index e0b8511..0000000
--- a/refpolicy/policy/modules/services/xserver.if
+++ /dev/null
@@ -1,1131 +0,0 @@
-## <summary>X Windows Server</summary>
-
-#######################################
-## <summary>
-##	Template to create types and rules common to
-##	all X server domains.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`xserver_common_domain_template',`
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_xserver_t;
-	domain_type($1_xserver_t)
-	domain_entry_file($1_xserver_t,xserver_exec_t)
-
-	type $1_xserver_tmp_t;
-	files_tmp_file($1_xserver_tmp_t)
-
-	type $1_xserver_tmpfs_t;
-	files_tmpfs_file($1_xserver_tmpfs_t)
-
-	##############################
-	#
-	# $1_xserver_t local policy
-	#
-
-	# setuid/setgid for the wrapper program to change UID
-	# sys_rawio is for iopl access - should not be needed for frame-buffer
-	# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
-	# admin of APM bios?
-	# sys_nice is so that the X server can set a negative nice value
-	# execheap needed until the X module loader is fixed.
-	# NVIDIA Needs execstack
-
-	allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-	dontaudit $1_xserver_t self:capability chown;
-	allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_xserver_t self:process { execmem execheap execstack setsched };
-	allow $1_xserver_t self:fd use;
-	allow $1_xserver_t self:fifo_file rw_file_perms;
-	allow $1_xserver_t self:sock_file r_file_perms;
-	allow $1_xserver_t self:shm create_shm_perms;
-	allow $1_xserver_t self:sem create_sem_perms;
-	allow $1_xserver_t self:msgq create_msgq_perms;
-	allow $1_xserver_t self:msg { send receive };
-	allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
-	allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
-	allow $1_xserver_t self:netlink_route_socket r_netlink_socket_perms;
-	allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
-	allow $1_xserver_t self:udp_socket create_socket_perms;
-
-	allow $1_xserver_t $1_xserver_tmp_t:dir manage_dir_perms;
-	allow $1_xserver_t $1_xserver_tmp_t:file manage_file_perms;
-	allow $1_xserver_t $1_xserver_tmp_t:sock_file manage_file_perms;
-	files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
-
-	allow $1_xserver_t xdm_xserver_tmp_t:dir rw_dir_perms;
-	type_transition $1_xserver_t xdm_xserver_tmp_t:sock_file $1_xserver_tmp_t;
-
-	allow $1_xserver_t $1_xserver_tmpfs_t:dir manage_dir_perms;
-	allow $1_xserver_t $1_xserver_tmpfs_t:file manage_file_perms;
-	allow $1_xserver_t $1_xserver_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_xserver_t $1_xserver_tmpfs_t:sock_file manage_file_perms;
-	allow $1_xserver_t $1_xserver_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans($1_xserver_t,$1_xserver_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $1_xserver_t xkb_var_lib_t:dir rw_dir_perms;
-	allow $1_xserver_t xkb_var_lib_t:file manage_file_perms;
-	allow $1_xserver_t xkb_var_lib_t:lnk_file create_lnk_perms;
-	files_search_var_lib($1_xserver_t)
-
-	# Create files in /var/log with the xserver_log_t type.
-	allow $1_xserver_t xserver_log_t:file manage_file_perms;
-	allow $1_xserver_t xserver_log_t:dir r_dir_perms;
-	logging_log_filetrans($1_xserver_t,xserver_log_t,file)
-
-	kernel_read_system_state($1_xserver_t)
-	kernel_read_device_sysctls($1_xserver_t)
-	kernel_read_modprobe_sysctls($1_xserver_t)
-	# Xorg wants to check if kernel is tainted
-	kernel_read_kernel_sysctls($1_xserver_t)
-	kernel_write_proc_files($1_xserver_t)
-
-	# Run helper programs in $1_xserver_t.
-	corecmd_search_sbin($1_xserver_t)
-	corecmd_exec_bin($1_xserver_t)
-	corecmd_exec_shell($1_xserver_t)
-
-	corenet_non_ipsec_sendrecv($1_xserver_t)
-	corenet_tcp_sendrecv_generic_if($1_xserver_t)
-	corenet_udp_sendrecv_generic_if($1_xserver_t)
-	corenet_tcp_sendrecv_all_nodes($1_xserver_t)
-	corenet_udp_sendrecv_all_nodes($1_xserver_t)
-	corenet_tcp_sendrecv_all_ports($1_xserver_t)
-	corenet_udp_sendrecv_all_ports($1_xserver_t)
-	corenet_tcp_bind_all_nodes($1_xserver_t)
-	corenet_tcp_bind_xserver_port($1_xserver_t)
-	corenet_tcp_connect_all_ports($1_xserver_t)
-	corenet_sendrecv_xserver_server_packets($1_xserver_t)
-	corenet_sendrecv_all_client_packets($1_xserver_t)
-
-	dev_read_sysfs($1_xserver_t)
-	dev_rw_mouse($1_xserver_t)
-	dev_rw_mtrr($1_xserver_t)
-	dev_rw_apm_bios($1_xserver_t)
-	dev_rw_agp($1_xserver_t)
-	dev_rw_framebuffer($1_xserver_t)
-	dev_manage_dri_dev($1_xserver_t)
-	dev_create_generic_dirs($1_xserver_t)
-	dev_setattr_generic_dirs($1_xserver_t)
-	# raw memory access is needed if not using the frame buffer
-	dev_read_raw_memory($1_xserver_t)
-	dev_write_raw_memory($1_xserver_t)
-	# for other device nodes such as the NVidia binary-only driver
-	dev_rw_xserver_misc($1_xserver_t)
-	# read events - the synaptics touchpad driver reads raw events
-	dev_rw_input_dev($1_xserver_t)
-	dev_rwx_zero($1_xserver_t)
-
-	files_read_etc_files($1_xserver_t)
-	files_read_etc_runtime_files($1_xserver_t)
-	files_read_usr_files($1_xserver_t)
-
-	# brought on by rhgb
-	files_search_mnt($1_xserver_t)
-	# for nscd
-	files_dontaudit_search_pids($1_xserver_t)
-
-	fs_getattr_xattr_fs($1_xserver_t)
-	fs_search_nfs($1_xserver_t)
-	fs_search_auto_mountpoints($1_xserver_t)
-
-	init_getpgid($1_xserver_t)
-
-	term_setattr_unallocated_ttys($1_xserver_t)
-	term_use_unallocated_ttys($1_xserver_t)
-
-	libs_use_ld_so($1_xserver_t)
-	libs_use_shared_libs($1_xserver_t)
-
-	logging_send_syslog_msg($1_xserver_t)
-
-	miscfiles_read_localization($1_xserver_t)
-	miscfiles_read_fonts($1_xserver_t)
-
-	modutils_domtrans_insmod($1_xserver_t)
-
-	seutil_dontaudit_search_config($1_xserver_t)
-
-	sysnet_read_config($1_xserver_t)
-
-	optional_policy(`
-		auth_search_pam_console_data($1_xserver_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_xserver_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_xserver_t)
-	')
-
-	optional_policy(`
-		xfs_stream_connect($1_xserver_t)
-	')
-
-	ifdef(`TODO',`
-	ifdef(`distro_redhat',`
-		ifdef(`rpm.te', `
-			allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
-			allow $1_xserver_t rpm_tmpfs_t:file { read write };
-			rpm_use_fds($1_xserver_t)
-		')
-	')
-	') dnl end TODO
-')
-
-#######################################
-## <summary>
-##	The per user domain template for the xserver module.
-## </summary>
-## <desc>
-##	<p>
-##	Define a derived domain for the X server when executed
-##	by a user domain (e.g. via startx).  See the xdm module
-##	if using an X Display Manager.
-##	</p>
-##	<p>
-##	This is invoked automatically for each user and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`xserver_per_userdomain_template',`
-
-	##############################
-	#
-	# Declarations
-	#
-
-	xserver_common_domain_template($1)
-	role $3 types $1_xserver_t;
-
-	type $1_fonts_t, fonts_type;
-	userdom_user_home_content($1,$1_fonts_t)
-
-	type $1_fonts_cache_t, fonts_cache_type;
-	userdom_user_home_content($1,$1_fonts_cache_t)
-
-	type $1_fonts_config_t, fonts_config_type;
-	userdom_user_home_content($1,$1_fonts_cache_t)
-
-	type $1_iceauth_t;
-	domain_type($1_iceauth_t)
-	domain_entry_file($1_iceauth_t,iceauth_exec_t)
-	role $3 types $1_iceauth_t;
-
-	type $1_iceauth_home_t alias $1_iceauth_rw_t;
-	files_poly_member($1_iceauth_home_t)
-	userdom_user_home_content($1,$1_iceauth_home_t)
-
-	type $1_xauth_t;
-	domain_type($1_xauth_t)
-	domain_entry_file($1_xauth_t,xauth_exec_t)
-	role $3 types $1_xauth_t;
-
-	type $1_xauth_home_t alias $1_xauth_rw_t;
-	files_poly_member($1_xauth_home_t)
-	userdom_user_home_content($1,$1_xauth_home_t)
-
-	type $1_xauth_tmp_t;
-	files_tmp_file($1_xauth_tmp_t)
-
-	##############################
-	#
-	# $1_xserver_t Local policy
-	#
-
-	domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
-	allow $1_xserver_t $1_xauth_t:fd use;
-	allow $1_xauth_t $1_xserver_t:fd use;
-	allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms;
-	allow $1_xauth_t $1_xserver_t:process sigchld;
-
-	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
-
-	domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
-	allow $2 $1_xserver_t:fd use;
-	allow $1_xserver_t $2:fd use;
-	allow $1_xserver_t $2:fifo_file rw_file_perms;
-	allow $1_xserver_t $2:process { signal sigchld };
-
-	allow $1_xserver_t $2:shm rw_shm_perms;
-
-	allow $2 $1_fonts_t:dir manage_dir_perms;
-	allow $2 $1_fonts_t:file manage_file_perms;
-	allow $2 $1_fonts_t:{ dir file } { relabelto relabelfrom };
-
-	allow $2 $1_fonts_config_t:dir manage_dir_perms;
-	allow $2 $1_fonts_config_t:file manage_file_perms;
-	allow $2 $1_fonts_config_t:file { relabelto relabelfrom };
-
-	# For startup relabel
-	allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
-
-	allow $2 $1_xserver_tmp_t:dir r_dir_perms;
-	allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
-	allow $2 $1_xserver_t:unix_stream_socket connectto;
-
-	allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
-
-	# Communicate via System V shared memory.
-	allow $1_xserver_t $2:shm rw_shm_perms;
-	allow $2 $1_xserver_t:shm rw_shm_perms;
-
-	getty_use_fds($1_xserver_t)
-
-	locallogin_use_fds($1_xserver_t)
-
-	userdom_search_user_home_dirs($1,$1_xserver_t)
-	userdom_use_user_ttys($1,$1_xserver_t)
-	userdom_setattr_user_ttys($1,$1_xserver_t)
-	userdom_rw_user_tmpfs_files($1,$1_xserver_t)
-
-	xserver_use_user_fonts($1,$1_xserver_t)
-
-	optional_policy(`
-		userhelper_search_config($1_xserver_t)
-	')
-
-	ifdef(`TODO',`
-	allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
-	allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-
-	ifdef(`xdm.te', `
-		allow $1_t xdm_tmp_t:sock_file unlink;
-		allow $1_xserver_t xdm_var_run_t:dir search;
-	')
-	') dnl end TODO
-
-	##############################
-	#
-	# $1_xauth_t Local policy
-	#
-
-	allow $1_xauth_t self:process signal;
-	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
-
-	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
-
-	allow $1_xauth_t $1_xauth_tmp_t:dir create_dir_perms;
-	allow $1_xauth_t $1_xauth_tmp_t:file create_file_perms;
-	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
-
-	domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
-	allow $2 $1_xauth_t:fd use;
-	allow $1_xauth_t $2:fd use;
-	allow $1_xauth_t $2:fifo_file rw_file_perms;
-	allow $1_xauth_t $2:process sigchld;
-
-	allow $2 $1_xauth_t:process signal;
-
-	# allow ps to show xauth
-	allow $2 $1_xauth_t:dir { search getattr read };
-	allow $2 $1_xauth_t:{ file lnk_file } { read getattr };
-	allow $2 $1_xauth_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_xauth_t:process ptrace;
-
-	allow $2 $1_xauth_home_t:file manage_file_perms;
-	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
-
-	allow xdm_t $1_xauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
-
-	domain_use_interactive_fds($1_xauth_t)
-
-	files_read_etc_files($1_xauth_t)
-	files_search_pids($1_xauth_t)
-
-	fs_getattr_xattr_fs($1_xauth_t)
-	fs_search_auto_mountpoints($1_xauth_t)
-
-	# cjp: why?
-	term_use_ptmx($1_xauth_t)
-
-	libs_use_ld_so($1_xauth_t)
-	libs_use_shared_libs($1_xauth_t)
-
-	sysnet_dns_name_resolve($1_xauth_t)
-
-	userdom_use_user_terminals($1,$1_xauth_t)
-	userdom_read_user_tmp_files($1,$1_xauth_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_xauth_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_xauth_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_xauth_t)
-	')
-
-	optional_policy(`
-		ssh_sigchld($1_xauth_t)
-		ssh_read_pipes($1_xauth_t)
-		ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
-	')
-
-	##############################
-	#
-	# $1_iceauth_t Local policy
-	#
-
-	domain_auto_trans($2, iceauth_exec_t, $1_iceauth_t)
-	allow $2 $1_iceauth_t:fd use;
-	allow $1_iceauth_t $2:fd use;
-	allow $1_iceauth_t $2:fifo_file rw_file_perms;
-	allow $1_iceauth_t $2:process sigchld;
-
-	allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file)
-
-	# allow ps to show iceauth
-	allow $2 $1_iceauth_t:dir { search getattr read };
-	allow $2 $1_iceauth_t:{ file lnk_file } { read getattr };
-	allow $2 $1_iceauth_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_iceauth_t:process ptrace;
-
-	allow $2 $1_iceauth_home_t:file manage_file_perms;
-	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
-
-	fs_search_auto_mountpoints($1_iceauth_t)
-
-	libs_use_ld_so($1_iceauth_t)
-	libs_use_shared_libs($1_iceauth_t)
-
-	userdom_use_user_terminals($1,$1_iceauth_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_iceauth_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_iceauth_t)
-	')
-')
-
-#######################################
-## <summary>
-##	Template for creating sessions on a
-##	prefix X server, with read-only
-##	access to the X server shared
-##	memory segments.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="tmpfs_type">
-##	<summary>
-##	The type of the domain SYSV tmpfs files.
-##	</summary>
-## </param>
-#
-template(`xserver_ro_session_template',`
-	gen_require(`
-		type $1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmpfs_t;
-	')
-
-	# Xserver read/write client shm
-	allow $1_xserver_t $2:fd use;
-	allow $1_xserver_t $2:shm rw_shm_perms;
-	allow $1_xserver_t $3:file rw_file_perms;
-
-	# Connect to xserver
-	allow $2 $1_xserver_t:unix_stream_socket connectto;
-	allow $2 $1_xserver_t:process signal;
-
-	# Read /tmp/.X0-lock
-	allow $2 $1_xserver_tmp_t:file { getattr read };
-
-	# Client read xserver shm
-	allow $2 $1_xserver_t:fd use;
-	allow $2 $1_xserver_t:shm r_shm_perms;
-	allow $2 $1_xserver_tmpfs_t:file r_file_perms;
-')
-
-#######################################
-## <summary>
-##	Template for creating sessions on a
-##	prefix X server, with read and write
-##	access to the X server shared
-##	memory segments.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="tmpfs_type">
-##	<summary>
-##	The type of the domain SYSV tmpfs files.
-##	</summary>
-## </param>
-#
-template(`xserver_rw_session_template',`
-	gen_require(`
-		type $1_xserver_t, $1_xserver_tmpfs_t;
-	')
-
-	xserver_ro_session_template($1,$2,$3)
-	allow $2 $1_xserver_t:shm rw_shm_perms;
-	allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
-')
-
-#######################################
-## <summary>
-##	Template for creating full client sessions
-##	on a user X server.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="tmpfs_type">
-##	<summary>
-##	The type of the domain SYSV tmpfs files.
-##	</summary>
-## </param>
-#
-template(`xserver_user_client_template',`
-
-	gen_require(`
-		type xdm_t, xdm_tmp_t;
-		type $1_xauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
-	')
-
-	allow $2 self:shm create_shm_perms;
-	allow $2 self:unix_dgram_socket create_socket_perms;
-	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
-
-	# Read .Xauthority file
-	allow $2 $1_xauth_home_t:file { getattr read };
-
-	# for when /tmp/.X11-unix is created by the system
-	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
-	allow $2 xdm_tmp_t:dir search;
-	allow $2 xdm_tmp_t:sock_file { read write };
-	dontaudit $2 xdm_t:tcp_socket { read write };
-
-	# Allow connections to X server.
-	files_search_tmp($2)
-
-	miscfiles_read_fonts($2)
-
-	userdom_search_user_home_dirs($1,$2)
-	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1,$2)
-
-	xserver_ro_session_template(xdm,$2,$3)
-	xserver_rw_session_template($1,$2,$3)
-	xserver_use_user_fonts($1,$2)
-
-	# Client write xserver shm
-	tunable_policy(`allow_write_xshm',`
-		allow $2 $1_xserver_t:shm rw_shm_perms;
-		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
-	')
-
-	# for X over a ssh tunnel
-	optional_policy(`
-		kernel_tcp_recvfrom($2)
-		ssh_tcp_connect($2)
-	')
-')
-
-########################################
-## <summary>
-##	Read user fonts, user font configuration,
-##	and manage the user font cache.
-## </summary>
-## <desc>
-##	<p>
-##	Read user fonts, user font configuration,
-##	and manage the user font cache.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`xserver_use_user_fonts',`
-	gen_require(`
-		type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
-	')
-
-	# Read per user fonts
-	allow $2 $1_fonts_t:dir list_dir_perms;
-	allow $2 $1_fonts_t:file read_file_perms;
-
-	# Manipulate the global font cache
-	allow $2 $1_fonts_cache_t:dir manage_dir_perms;
-	allow $2 $1_fonts_cache_t:file manage_file_perms;
-
-	# Read per user font config
-	allow $2 $1_fonts_config_t:dir list_dir_perms;
-	allow $2 $1_fonts_config_t:file read_file_perms;
-
-	userdom_search_user_home_dirs($1,$2)
-')
-
-########################################
-## <summary>
-##	Transition to a user Xauthority domain.
-## </summary>
-## <desc>
-##	<p>
-##	Transition to a user Xauthority domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`xserver_domtrans_user_xauth',`
-	gen_require(`
-		type $1_xauth_t, xauth_exec_t;
-	')
-
-	domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
-	allow $2 $1_xauth_t:fd use;
-	allow $1_xauth_t $2:fd use;
-	allow $1_xauth_t $2:fifo_file rw_file_perms;
-	allow $1_xauth_t $2:process sigchld;
-')
-
-########################################
-## <summary>
-##	Read all users fonts, user font configurations,
-##	and manage all users font caches.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_use_all_users_fonts',`
-	gen_require(`
-		attribute fonts_type, fonts_cache_type, fonts_config_type;
-	')
-
-	# Read per user fonts
-	allow $1 fonts_type:dir list_dir_perms;
-	allow $1 fonts_type:file read_file_perms;
-
-	# Manipulate the global font cache
-	allow $1 fonts_cache_type:dir manage_dir_perms;
-	allow $1 fonts_cache_type:file manage_file_perms;
-
-	# Read per user font config
-	allow $1 fonts_config_type:dir list_dir_perms;
-	allow $1 fonts_config_type:file read_file_perms;
-
-	userdom_search_all_users_home_dirs($1)
-')
-
-########################################
-## <summary>
-##	Set the attributes of the X windows console named pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_setattr_console_pipes',`
-	gen_require(`
-		type xconsole_device_t;
-	')
-
-	allow $1 xconsole_device_t:fifo_file setattr;
-')
-
-########################################
-## <summary>
-##	Read and write the X windows console named pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_rw_console',`
-	gen_require(`
-		type xconsole_device_t;
-	')
-
-	allow $1 xconsole_device_t:fifo_file { getattr read write };
-')
-
-########################################
-## <summary>
-##	Use file descriptors for xdm.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_use_xdm_fds',`
-	gen_require(`
-		type xdm_t;
-	')
-
-	allow $1 xdm_t:fd use; 
-')
-
-########################################
-## <summary>
-##	Read and write XDM unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`xserver_rw_xdm_pipes',`
-	gen_require(`
-		type xdm_t;
-	')
-
-	allow $1 xdm_t:fifo_file { getattr read write }; 
-')
-
-########################################
-## <summary>
-##	Connect to XDM over a unix domain
-##	stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_stream_connect_xdm',`
-	gen_require(`
-		type xdm_t;
-	')
-
-	allow $1 xdm_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Read xdm-writable configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_read_xdm_rw_config',`
-	gen_require(`
-		type xdm_rw_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 xdm_rw_etc_t:dir { getattr read };
-')
-
-########################################
-## <summary>
-##	Set the attributes of XDM temporary directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_setattr_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	allow $1 xdm_tmp_t:dir setattr;
-')
-
-########################################
-## <summary>
-##	Create a named socket in a XDM
-##	temporary directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_create_xdm_tmp_sockets',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 xdm_tmp_t:dir ra_dir_perms;
-	allow $1 xdm_tmp_t:sock_file create;
-')
-
-########################################
-## <summary>
-##	Read XDM pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_read_xdm_pid',`
-	gen_require(`
-		type xdm_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 xdm_var_run_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##      Read XDM var lib files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`xserver_read_xdm_lib_files',`
-	gen_require(`
-		type xdm_var_lib_t;
-	')
-
-	allow $1 xdm_var_lib_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Execute the X server in the XDM X server domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_domtrans_xdm_xserver',`
-	gen_require(`
-		type xdm_xserver_t, xserver_exec_t;
-	')
-
-	domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
-
-	allow $1 xdm_xserver_t:fd use;
-	allow xdm_xserver_t $1:fd use;
-	allow xdm_xserver_t $1:fifo_file rw_file_perms;
-	allow xdm_xserver_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Make an X session script an entrypoint for the specified domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain for which the shell is an entrypoint.
-##	</summary>
-## </param>
-#
-interface(`xserver_xsession_entry_type',`
-	gen_require(`
-		type xsession_exec_t;
-	')
-
-	domain_entry_file($1,xsession_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute an X session in the target domain.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <desc>
-##	<p>
-##	Execute an Xsession in the target domain.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	The type of the shell process.
-##	</summary>
-## </param>
-#
-interface(`xserver_xsession_spec_domtrans',`
-	gen_require(`
-		type xsession_exec_t;
-	')
-
-	domain_trans($1,xsession_exec_t,$2)
-')
-
-########################################
-## <summary>
-##	Get the attributes of X server logs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_getattr_log',`
-	gen_require(`
-		type xserver_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 xserver_log_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write the X server
-##	log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit
-##	</summary>
-## </param>
-#
-interface(`xserver_dontaudit_write_log',`
-	gen_require(`
-		type xserver_log_t;
-	')
-
-	dontaudit $1 xserver_log_t:file { append write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write the X server
-##	log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit
-##	</summary>
-## </param>
-#
-interface(`xserver_delete_log',`
-	gen_require(`
-		type xserver_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 xserver_log_t:dir rw_dir_perms;
-	allow $1 xserver_log_t:file unlink;
-')
-
-########################################
-## <summary>
-##	Read X keyboard extension libraries.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit
-##	</summary>
-## </param>
-#
-interface(`xserver_read_xkb_libs',`
-	gen_require(`
-		type xkb_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 xkb_var_lib_t:dir list_dir_perms;
-	allow $1 xkb_var_lib_t:file r_file_perms;
-	allow $1 xkb_var_lib_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read xdm temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit
-##	</summary>
-## </param>
-#
-interface(`xserver_read_xdm_xserver_tmp_files',`
-	gen_require(`
-		type xdm_xserver_tmp_t;
-	')
-
-	allow $1 xdm_xserver_tmp_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Kill XDM X servers
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit
-##	</summary>
-## </param>
-#
-interface(`xserver_kill_xdm_xserver',`
-	gen_require(`
-		type xdm_xserver_t;
-	')
-
-	allow $1 xdm_xserver_t:process sigkill;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write to
-##	a XDM X server socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit
-##	</summary>
-## </param>
-#
-interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',`
-	gen_require(`
-		type xdm_xserver_t;
-	')
-
-	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-##	Connect to xdm_xserver over a unix domain
-##	stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_stream_connect_xdm_xserver',`
-	gen_require(`
-		type xdm_xserver_t, xdm_xserver_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 xdm_xserver_tmp_t:sock_file write;
-	allow $1 xdm_xserver_t:unix_stream_socket connectto;
-')
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
deleted file mode 100644
index 5bc2356..0000000
--- a/refpolicy/policy/modules/services/xserver.te
+++ /dev/null
@@ -1,486 +0,0 @@
-
-policy_module(xserver,1.1.10)
-
-########################################
-#
-# Declarations
-#
-
-attribute fonts_type;
-attribute fonts_cache_type;
-attribute fonts_config_type;
-
-type ice_tmp_t;
-files_tmp_file(ice_tmp_t)
-
-type iceauth_exec_t;
-corecmd_executable_file(iceauth_exec_t)
-
-type xauth_exec_t;
-corecmd_executable_file(xauth_exec_t)
-
-# this is not actually a device, its a pipe
-type xconsole_device_t;
-files_type(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
-type xdm_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type xdm_exec_t;
-')
-init_domain(xdm_t,xdm_exec_t)
-init_daemon_domain(xdm_t,xdm_exec_t)
-
-type xdm_lock_t;
-files_lock_file(xdm_lock_t)
-
-type xdm_rw_etc_t;
-files_type(xdm_rw_etc_t)
-
-type xdm_var_lib_t;
-files_type(xdm_var_lib_t)
-
-type xdm_var_run_t;
-files_pid_file(xdm_var_run_t)
-
-type xdm_tmp_t;
-files_tmp_file(xdm_tmp_t)
-
-type xdm_tmpfs_t;
-files_tmpfs_file(xdm_tmpfs_t)
-
-# type for /var/lib/xkb
-type xkb_var_lib_t;
-files_type(xkb_var_lib_t)
-
-# Type for the executable used to start the X server, e.g. Xwrapper.
-type xserver_exec_t;
-corecmd_executable_file(xserver_exec_t)
-
-type xsession_exec_t;
-corecmd_executable_file(xsession_exec_t)
-
-# Type for the X server log file.
-type xserver_log_t;
-logging_log_file(xserver_log_t)
-
-xserver_common_domain_template(xdm)
-init_system_domain(xdm_xserver_t,xserver_exec_t)
-
-optional_policy(`
-	prelink_object_file(xkb_var_lib_t)
-')
-
-########################################
-#
-# XDM Local policy
-#
-
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms setkeycreate };
-allow xdm_t self:fifo_file rw_file_perms;
-allow xdm_t self:shm create_shm_perms;
-allow xdm_t self:sem create_sem_perms;
-allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow xdm_t self:unix_dgram_socket create_socket_perms;
-allow xdm_t self:tcp_socket create_stream_socket_perms;
-allow xdm_t self:udp_socket create_socket_perms;
-
-# Supress permission check on .ICE-unix
-dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
-
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-
-# Allow gdm to run gdm-binary
-can_exec(xdm_t, xdm_exec_t)
-
-# wdm has its own config dir /etc/X11/wdm
-# this is ugly, daemons should not create files under /etc!
-allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
-allow xdm_t xdm_rw_etc_t:file create_file_perms;
-
-kernel_read_system_state(xdm_t)
-kernel_read_kernel_sysctls(xdm_t)
-
-corecmd_exec_shell(xdm_t)
-corecmd_exec_bin(xdm_t)
-corecmd_exec_sbin(xdm_t)
-
-corenet_non_ipsec_sendrecv(xdm_t)
-corenet_tcp_sendrecv_generic_if(xdm_t)
-corenet_udp_sendrecv_generic_if(xdm_t)
-corenet_tcp_sendrecv_all_nodes(xdm_t)
-corenet_udp_sendrecv_all_nodes(xdm_t)
-corenet_tcp_sendrecv_all_ports(xdm_t)
-corenet_udp_sendrecv_all_ports(xdm_t)
-corenet_tcp_bind_all_nodes(xdm_t)
-corenet_udp_bind_all_nodes(xdm_t)
-corenet_tcp_connect_all_ports(xdm_t)
-corenet_sendrecv_all_client_packets(xdm_t)
-# xdm tries to bind to biff_port_t
-corenet_dontaudit_tcp_bind_all_ports(xdm_t)
-
-dev_read_rand(xdm_t)
-dev_read_urand(xdm_t)
-dev_read_sysfs(xdm_t)
-dev_getattr_framebuffer_dev(xdm_t)
-dev_setattr_framebuffer_dev(xdm_t)
-dev_getattr_mouse_dev(xdm_t)
-dev_setattr_mouse_dev(xdm_t)
-dev_rw_apm_bios(xdm_t)
-dev_setattr_apm_bios_dev(xdm_t)
-dev_rw_dri(xdm_t)
-dev_rw_agp(xdm_t)
-dev_getattr_xserver_misc_dev(xdm_t)
-dev_setattr_xserver_misc_dev(xdm_t)
-dev_getattr_misc_dev(xdm_t)
-dev_setattr_misc_dev(xdm_t)
-dev_dontaudit_rw_misc(xdm_t)
-dev_getattr_video_dev(xdm_t)
-dev_setattr_video_dev(xdm_t)
-dev_getattr_scanner_dev(xdm_t)
-dev_setattr_scanner_dev(xdm_t)
-dev_getattr_sound_dev(xdm_t)
-dev_setattr_sound_dev(xdm_t)
-dev_getattr_power_mgmt_dev(xdm_t)
-dev_setattr_power_mgmt_dev(xdm_t)
-
-domain_use_interactive_fds(xdm_t)
-# Do not audit denied probes of /proc.
-domain_dontaudit_read_all_domains_state(xdm_t)
-
-files_read_etc_files(xdm_t)
-files_read_etc_runtime_files(xdm_t)
-files_exec_etc_files(xdm_t)
-files_list_mnt(xdm_t)
-# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
-files_read_usr_files(xdm_t)
-# Poweroff wants to create the /poweroff file when run from xdm
-files_create_boot_flag(xdm_t)
-
-fs_getattr_all_fs(xdm_t)
-fs_search_auto_mountpoints(xdm_t)
-
-selinux_get_fs_mount(xdm_t)
-selinux_validate_context(xdm_t)
-selinux_compute_access_vector(xdm_t)
-selinux_compute_create_context(xdm_t)
-selinux_compute_relabel_context(xdm_t)
-selinux_compute_user_contexts(xdm_t)
-
-storage_dontaudit_read_fixed_disk(xdm_t)
-storage_dontaudit_write_fixed_disk(xdm_t)
-storage_dontaudit_setattr_fixed_disk_dev(xdm_t)
-storage_dontaudit_raw_read_removable_device(xdm_t)
-storage_dontaudit_raw_write_removable_device(xdm_t)
-storage_dontaudit_setattr_removable_dev(xdm_t)
-storage_dontaudit_rw_scsi_generic(xdm_t)
-
-term_setattr_console(xdm_t)
-term_dontaudit_use_console(xdm_t)
-term_use_unallocated_ttys(xdm_t)
-term_setattr_unallocated_ttys(xdm_t)
-
-auth_rw_lastlog(xdm_t)
-auth_read_login_records(xdm_t)
-auth_append_login_records(xdm_t)
-auth_manage_pam_pid(xdm_t)
-auth_exec_pam(xdm_t)
-auth_manage_pam_console_data(xdm_t)
-
-init_rw_utmp(xdm_t)
-init_use_script_ptys(xdm_t)
-# Run telinit->init to shutdown.
-init_exec(xdm_t)
-init_write_initctl(xdm_t)
-
-libs_use_ld_so(xdm_t)
-libs_use_shared_libs(xdm_t)
-libs_exec_lib_files(xdm_t)
-
-logging_send_syslog_msg(xdm_t)
-logging_read_generic_logs(xdm_t)
-
-miscfiles_read_localization(xdm_t)
-miscfiles_read_fonts(xdm_t)
-
-seutil_read_config(xdm_t)
-seutil_read_default_contexts(xdm_t)
-
-sysnet_read_config(xdm_t)
-
-userdom_dontaudit_use_unpriv_user_fds(xdm_t)
-userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
-userdom_create_all_users_keys(xdm_t)
-# for .dmrc
-userdom_read_unpriv_users_home_content_files(xdm_t)
-# Search /proc for any user domain processes.
-userdom_read_all_users_state(xdm_t)
-userdom_signal_all_users(xdm_t)
-
-ifdef(`enable_polyinstantiation',`
-	# xdm_t can polyinstantiate
-	files_polyinstantiate_all(xdm_t)
-')
-
-ifdef(`strict_policy',`
-	allow xdm_t xdm_lock_t:file create_file_perms;
-	files_lock_filetrans(xdm_t,xdm_lock_t,file)
-
-	allow xdm_t xdm_tmp_t:dir manage_dir_perms;
-	allow xdm_t xdm_tmp_t:file manage_file_perms;
-	allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
-	files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-
-	allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
-	allow xdm_t xdm_tmpfs_t:file manage_file_perms;
-	allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;
-	allow xdm_t xdm_tmpfs_t:sock_file manage_file_perms;
-	allow xdm_t xdm_tmpfs_t:fifo_file manage_file_perms;
-	fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow xdm_t xdm_var_lib_t:file create_file_perms;
-	allow xdm_t xdm_var_lib_t:dir create_dir_perms;
-	files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
-
-	allow xdm_t xdm_var_run_t:dir manage_dir_perms;
-	allow xdm_t xdm_var_run_t:file manage_file_perms;
-	allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
-	files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
-
-	allow xdm_t xdm_xserver_t:process signal;
-	allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-
-	allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-	allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
-
-	# transition to the xdm xserver
-	domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
-	allow xdm_t xdm_xserver_t:fd use;
-	allow xdm_xserver_t xdm_t:fd use;
-	allow xdm_xserver_t xdm_t:fifo_file rw_file_perms;
-	allow xdm_xserver_t xdm_t:process { signal sigchld };
-	allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
-
-	allow xdm_t xdm_xserver_t:shm rw_shm_perms;
-
-	# connect to xdm xserver over stream socket
-	allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-	allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-	allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-
-	# Remove /tmp/.X11-unix/X0.
-	allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
-	allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
-	allow xdm_t xdm_xserver_tmp_t:file unlink;
-
-	allow xdm_t xserver_log_t:dir { rw_dir_perms setattr };
-	allow xdm_t xserver_log_t:file manage_file_perms;
-	allow xdm_t xserver_log_t:fifo_file manage_file_perms;
-	logging_log_filetrans(xdm_t,xserver_log_t,file)
-
-	domain_subj_id_change_exemption(xdm_t)
-	domain_role_change_exemption(xdm_t)
-	domain_obj_id_change_exemption(xdm_t)
-
-	auth_domtrans_chk_passwd(xdm_t)
-	auth_domtrans_pam_console(xdm_t)	
-
-	xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-
-	tunable_policy(`xdm_sysadm_login',`
-		userdom_xsession_spec_domtrans_all_users(xdm_t)
-		# FIXME:
-#		xserver_rw_session_template(xdm,userdomain)
-	',`
-		userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
-		# FIXME:
-#		xserver_rw_session_template(xdm,unpriv_userdomain)
-#		dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
-#		allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
-	')
-
-	optional_policy(`
-		alsa_domtrans(xdm_t)
-	')
-')
-
-ifdef(`targeted_policy',`
-	allow xdm_t self:process { execheap execmem };
-	unconfined_domain(xdm_t)
-	unconfined_domtrans(xdm_t)
-	userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
-
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(xdm_t)
-	fs_manage_nfs_files(xdm_t)
-	fs_manage_nfs_symlinks(xdm_t)
-	fs_exec_nfs_files(xdm_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(xdm_t)
-	fs_manage_cifs_files(xdm_t)
-	fs_manage_cifs_symlinks(xdm_t)
-	fs_exec_cifs_files(xdm_t)
-')
-
-optional_policy(`
-	consoletype_domtrans(xdm_t)
-')
-
-optional_policy(`
-	# Talk to the console mouse server.
-	gpm_stream_connect(xdm_t)
-	gpm_setattr_gpmctl(xdm_t)
-')
-
-optional_policy(`
-	hostname_exec(xdm_t)
-')
-
-optional_policy(`
-	loadkeys_exec(xdm_t)
-')
-
-optional_policy(`
-	locallogin_signull(xdm_t)
-')
-
-optional_policy(`
-	# Do not audit attempts to check whether user root has email
-	mta_dontaudit_getattr_spool_files(xdm_t)
-')
-
-optional_policy(`
-	nscd_socket_use(xdm_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(xdm_t)
-')
-
-optional_policy(`
-	udev_read_db(xdm_t)
-')
-
-optional_policy(`
-	userhelper_dontaudit_search_config(xdm_t)
-')
-
-optional_policy(`
-	usermanage_read_crack_db(xdm_t)
-')
-
-optional_policy(`
-	xfs_stream_connect(xdm_t)
-')
-
-########################################
-#
-# XDM Xserver local policy
-#
-
-allow xdm_xserver_t xdm_t:process { signal getpgid };
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
-# handle of a file inside the dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
-dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
-
-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
-
-# Label pid and temporary files with derived types.
-allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
-allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
-allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
-allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
-
-# Run xkbcomp.
-allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xdm_xserver_t, xkb_var_lib_t)
-files_search_var_lib(xdm_xserver_t)
-
-# VNC v4 module in X server
-corenet_tcp_bind_vnc_port(xdm_xserver_t)
-
-fs_search_auto_mountpoints(xdm_xserver_t)
-
-init_use_fds(xdm_xserver_t)
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(xdm_xserver_t)
-	fs_manage_nfs_files(xdm_xserver_t)
-	fs_manage_nfs_symlinks(xdm_xserver_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(xdm_xserver_t)
-	fs_manage_cifs_files(xdm_xserver_t)
-	fs_manage_cifs_symlinks(xdm_xserver_t)
-')
-
-ifdef(`strict_policy',`
-	# FIXME: After per user fonts are properly working
-	# xdm_xserver_t may no longer have any reason
-	# to read ROLE_home_t - examine this in more detail
-	# (xauth?)
-	userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
-
-	xserver_use_all_users_fonts(xdm_xserver_t)
-')
-
-ifdef(`targeted_policy',`
-	allow xdm_xserver_t self:process { execheap execmem };
-
-	unconfined_domain_noaudit(xdm_xserver_t)
-	unconfined_domtrans(xdm_xserver_t)
-')
-
-optional_policy(`
-	resmgr_stream_connect(xdm_t)
-')
-
-optional_policy(`
-	rhgb_rw_shm(xdm_xserver_t)
-	rhgb_rw_tmpfs_files(xdm_xserver_t)
-')
-
-ifdef(`TODO',`
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file create_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
-ifdef(`enable_polyinstantiation',`
-# xdm needs access for linking .X11-unix to poly /tmp
-allow xdm_t polymember:dir { add_name remove_name write };
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
-')
-
-#
-# Wants to delete .xsession-errors file
-#
-allow xdm_t user_home_type:file unlink;
-#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/zebra.fc b/refpolicy/policy/modules/services/zebra.fc
deleted file mode 100644
index 33c70f1..0000000
--- a/refpolicy/policy/modules/services/zebra.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-
-/usr/sbin/bgpd		--	gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/zebra		--	gen_context(system_u:object_r:zebra_exec_t,s0)
-
-/etc/quagga(/.*)?		gen_context(system_u:object_r:zebra_conf_t,s0)
-/etc/zebra(/.*)?		gen_context(system_u:object_r:zebra_conf_t,s0)
-
-/usr/sbin/ospf.*  	--	gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/rip.*  	--	gen_context(system_u:object_r:zebra_exec_t,s0)
-
-/var/log/quagga(/.*)?		gen_context(system_u:object_r:zebra_log_t,s0)
-/var/log/zebra(/.*)?		gen_context(system_u:object_r:zebra_log_t,s0)
-
-/var/run/\.zebra	-s	gen_context(system_u:object_r:zebra_var_run_t,s0)
-/var/run/\.zserv	-s	gen_context(system_u:object_r:zebra_var_run_t,s0)
-/var/run/quagga(/.*)?		gen_context(system_u:object_r:zebra_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/zebra.if b/refpolicy/policy/modules/services/zebra.if
deleted file mode 100644
index 4c6bcc9..0000000
--- a/refpolicy/policy/modules/services/zebra.if
+++ /dev/null
@@ -1,22 +0,0 @@
-## <summary>Zebra border gateway protocol network routing service</summary>
-
-########################################
-## <summary>
-##	Read the configuration files for zebra.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`zebra_read_config',`
-	gen_require(`
-		type zebra_conf_t;
-	')
-
-	files_search_etc($1)
-	allow $1 zebra_conf_t:file r_file_perms;
-	allow $1 zebra_conf_t:dir r_dir_perms;
-	allow $1 zebra_conf_t:lnk_file r_file_perms;
-')
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
deleted file mode 100644
index 3d331a3..0000000
--- a/refpolicy/policy/modules/services/zebra.te
+++ /dev/null
@@ -1,137 +0,0 @@
-
-policy_module(zebra,1.2.2)
-
-########################################
-#
-# Declarations
-#
-
-type zebra_t;
-type zebra_exec_t;
-init_daemon_domain(zebra_t,zebra_exec_t)
-
-type zebra_conf_t;
-files_type(zebra_conf_t)
-
-type zebra_log_t;
-logging_log_file(zebra_log_t)
-
-type zebra_tmp_t;
-files_tmp_file(zebra_tmp_t)
-
-type zebra_var_run_t;
-files_pid_file(zebra_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow zebra_t self:capability { setgid setuid net_admin net_raw };
-dontaudit zebra_t self:capability sys_tty_config;
-allow zebra_t self:process { signal_perms setcap };
-allow zebra_t self:file { ioctl read write getattr lock append };
-allow zebra_t self:unix_dgram_socket create_socket_perms;
-allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
-allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
-allow zebra_t self:udp_socket create_socket_perms;
-allow zebra_t self:rawip_socket create_socket_perms;
-
-allow zebra_t zebra_conf_t:dir r_dir_perms;
-allow zebra_t zebra_conf_t:file r_file_perms;
-allow zebra_t zebra_conf_t:lnk_file { getattr read };
-
-allow zebra_t zebra_log_t:file create_file_perms;
-allow zebra_t zebra_log_t:sock_file create_file_perms;
-allow zebra_t zebra_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(zebra_t,zebra_log_t,{ sock_file file dir })
-
-# /tmp/.bgpd is such a bad idea!
-allow zebra_t zebra_tmp_t:sock_file create_file_perms;
-files_tmp_filetrans(zebra_t,zebra_tmp_t,sock_file)
-
-allow zebra_t zebra_var_run_t:file manage_file_perms;
-allow zebra_t zebra_var_run_t:sock_file manage_file_perms;
-allow zebra_t zebra_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(zebra_t,zebra_var_run_t, { file sock_file })
-
-kernel_read_system_state(zebra_t)
-kernel_read_kernel_sysctls(zebra_t)
-kernel_tcp_recvfrom(zebra_t)
-kernel_rw_net_sysctls(zebra_t)
-
-corenet_non_ipsec_sendrecv(zebra_t)
-corenet_tcp_sendrecv_all_if(zebra_t)
-corenet_udp_sendrecv_all_if(zebra_t)
-corenet_raw_sendrecv_all_if(zebra_t)
-corenet_tcp_sendrecv_all_nodes(zebra_t)
-corenet_udp_sendrecv_all_nodes(zebra_t)
-corenet_raw_sendrecv_all_nodes(zebra_t)
-corenet_tcp_sendrecv_all_ports(zebra_t)
-corenet_udp_sendrecv_all_ports(zebra_t)
-corenet_tcp_bind_all_nodes(zebra_t)
-corenet_udp_bind_all_nodes(zebra_t)
-corenet_tcp_bind_zebra_port(zebra_t)
-corenet_udp_bind_router_port(zebra_t)
-corenet_sendrecv_zebra_server_packets(zebra_t)
-corenet_sendrecv_router_server_packets(zebra_t)
-
-dev_associate_usbfs(zebra_var_run_t)
-dev_list_all_dev_nodes(zebra_t)
-dev_read_sysfs(zebra_t)
-dev_rw_zero(zebra_t)
-
-fs_getattr_all_fs(zebra_t)
-fs_search_auto_mountpoints(zebra_t)
-
-term_dontaudit_use_console(zebra_t)
-term_list_ptys(zebra_t)
-
-domain_use_interactive_fds(zebra_t)
-
-files_search_etc(zebra_t)
-files_read_etc_files(zebra_t)
-files_read_etc_runtime_files(zebra_t)
-
-init_use_fds(zebra_t)
-init_use_script_ptys(zebra_t)
-
-libs_use_ld_so(zebra_t)
-libs_use_shared_libs(zebra_t)
-
-logging_send_syslog_msg(zebra_t)
-
-miscfiles_read_localization(zebra_t)
-
-sysnet_read_config(zebra_t)
-
-userdom_dontaudit_use_unpriv_user_fds(zebra_t)
-userdom_dontaudit_search_sysadm_home_dirs(zebra_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(zebra_t)
-	term_dontaudit_use_generic_ptys(zebra_t)
-	files_dontaudit_read_root_files(zebra_t)
-	unconfined_sigchld(zebra_t)
-')
-
-optional_policy(`
-	ldap_use(zebra_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(zebra_t)
-')
-
-optional_policy(`
-	rpm_read_pipes(zebra_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(zebra_t)
-')
-
-optional_policy(`
-	udev_read_db(zebra_t)
-')
diff --git a/refpolicy/policy/modules/system/authlogin.fc b/refpolicy/policy/modules/system/authlogin.fc
deleted file mode 100644
index 370f411..0000000
--- a/refpolicy/policy/modules/system/authlogin.fc
+++ /dev/null
@@ -1,41 +0,0 @@
-
-/bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
-
-/etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
-/etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
-/etc/gshadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
-/etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
-/etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
-
-/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
-/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
-
-/sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
-/sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
-/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-ifdef(`distro_suse', `
-/sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-')
-
-/usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
-
-/usr/sbin/utempter	--	gen_context(system_u:object_r:utempter_exec_t,s0)
-ifdef(`distro_gentoo', `
-/usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-')
-
-/var/db/shadow.*	--	gen_context(system_u:object_r:shadow_t,s0)
-
-/var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
-
-/var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
-/var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
-/var/log/faillog	--	gen_context(system_u:object_r:faillog_t,s0)
-/var/log/lastlog	--	gen_context(system_u:object_r:lastlog_t,s0)
-/var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
-/var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
-
-/var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
-
-/var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
deleted file mode 100644
index a6bdb4e..0000000
--- a/refpolicy/policy/modules/system/authlogin.if
+++ /dev/null
@@ -1,1337 +0,0 @@
-## <summary>Common policy for authentication and user login.</summary>
-
-#######################################
-## <summary>
-##	Common template to create a domain for authentication.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is allowed
-##	to authenticate users by using PAM unix_chkpwd support.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`authlogin_common_auth_domain_template',`
-	gen_require(`
-		attribute can_read_shadow_passwords;
-		type chkpwd_exec_t, shadow_t;
-	')
-
-	type $1_chkpwd_t, can_read_shadow_passwords;
-	domain_type($1_chkpwd_t)
-	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
-
-	allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
-	allow $1_chkpwd_t self:process getattr;
-
-	files_list_etc($1_chkpwd_t)
-	allow $1_chkpwd_t shadow_t:file { getattr read };
-
-	# is_selinux_enabled
-	kernel_read_system_state($1_chkpwd_t)
-
-	dev_read_rand($1_chkpwd_t)
-	dev_read_urand($1_chkpwd_t)
-
-	fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
-
-	libs_use_ld_so($1_chkpwd_t)
-	libs_use_shared_libs($1_chkpwd_t)
-
-	files_read_etc_files($1_chkpwd_t)
-	# for nscd
-	files_dontaudit_search_var($1_chkpwd_t)
-
-	logging_send_syslog_msg($1_chkpwd_t)
-
-	miscfiles_read_certs($1_chkpwd_t)
-	miscfiles_read_localization($1_chkpwd_t)
-
-	seutil_read_config($1_chkpwd_t)
-
-	sysnet_dns_name_resolve($1_chkpwd_t)
-	sysnet_use_ldap($1_chkpwd_t)
-
-	optional_policy(`
-		kerberos_use($1_chkpwd_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_chkpwd_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_chkpwd_t)
-	')
-
-	optional_policy(`
-		samba_stream_connect_winbind($1_chkpwd_t)
-	')
-')
-
-#######################################
-## <summary>
-##	The per user domain template for the authlogin module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is allowed
-##	to authenticate users by using PAM unix_chkpwd support.
-##	This domain will be used by any programs running in the
-##	user domain which use PAM to authenticate.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`authlogin_per_userdomain_template',`
-
-	gen_require(`
-		type system_chkpwd_t, shadow_t;
-	')
-
-	authlogin_common_auth_domain_template($1)
-
-	role $3 types $1_chkpwd_t;
-	role $3 types system_chkpwd_t;
-
-	allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-	dontaudit $2 shadow_t:file { getattr read };
-
-	# Transition from the user domain to this domain.
-	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
-	allow $1_chkpwd_t $2:fd use;
-	allow $2 $1_chkpwd_t:fd use;
-	allow $1_chkpwd_t $2:fifo_file rw_file_perms;
-	allow $1_chkpwd_t $2:process sigchld;
-
-	domain_use_interactive_fds($1_chkpwd_t)
-
-	seutil_use_newrole_fds($1_chkpwd_t)
-
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_chkpwd_t)
-')
-
-########################################
-## <summary>
-##	Run unix_chkpwd to check a password
-##	for a user domain.
-## </summary>
-## <desc>
-##	<p>
-##	Run unix_chkpwd to check a password
-##	for a user domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`auth_domtrans_user_chk_passwd',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type system_chkpwd_t, chkpwd_exec_t;
-		')
-
-		domain_auto_trans($2,chkpwd_exec_t,system_chkpwd_t)
-		allow $2 system_chkpwd_t:fd use;
-		allow system_chkpwd_t $2:fd use;
-		allow system_chkpwd_t $2:fifo_file rw_file_perms;
-		allow system_chkpwd_t $2:process sigchld;
-	',`
-		gen_require(`
-			type $1_chkpwd_t, chkpwd_exec_t;
-		')
-
-		corecmd_search_bin($2)
-		domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
-
-		allow $2 $1_chkpwd_t:fd use;
-		allow $1_chkpwd_t $2:fd use;
-		allow $1_chkpwd_t $2:fifo_file rw_file_perms;
-		allow $1_chkpwd_t $2:process sigchld;
-	')
-')
-
-########################################
-## <summary>
-##	Use the login program as an entry point program.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of process using the login program as entry point.
-##	</summary>
-## </param>
-#
-interface(`auth_login_entry_type',`
-	gen_require(`
-		type login_exec_t;
-	')
-
-	domain_entry_file($1,login_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute a login_program in the target domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	The type of the login_program process.
-##	</summary>
-## </param>
-#
-interface(`auth_domtrans_login_program',`
-	gen_require(`
-		type login_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1,login_exec_t,$2)
-
-	allow $1 $2:fd use;
-	allow $2 $1:fd use;
-	allow $2 $1:fifo_file rw_file_perms;
-	allow $2 $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Run unix_chkpwd to check a password.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_domtrans_chk_passwd',`
-	gen_require(`
-		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
-
-	allow $1 self:capability { audit_write audit_control };
-	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-	allow $1 system_chkpwd_t:fd use;
-	allow system_chkpwd_t $1:fd use;
-	allow system_chkpwd_t $1:fifo_file rw_file_perms;
-	allow system_chkpwd_t $1:process sigchld;
-
-	dontaudit $1 shadow_t:file { getattr read };
-
-	dev_read_rand($1)
-	dev_read_urand($1)
-
-	miscfiles_read_certs($1)
-
-	sysnet_dns_name_resolve($1)
-	sysnet_use_ldap($1)
-
-	optional_policy(`
-		kerberos_use($1)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1)
-	')
-
-	optional_policy(`
-		samba_stream_connect_winbind($1)
-	')
-')
-
-########################################
-## <summary>
-##	Get the attributes of the shadow passwords file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_getattr_shadow',`
-	gen_require(`
-		type shadow_t;
-	')
-
-	files_search_etc($1)
-	allow $1 shadow_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of the shadow passwords file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`auth_dontaudit_getattr_shadow',`
-	gen_require(`
-		type shadow_t;
-	')
-
-	dontaudit $1 shadow_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Read the shadow passwords file (/etc/shadow)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: these next three interfaces are split 
-# since typeattribute does not work in conditionals
-# yet, otherwise they should be one interface.
-# 
-interface(`auth_read_shadow',`
-	auth_can_read_shadow_passwords($1)
-	auth_tunable_read_shadow($1)
-')
-
-########################################
-## <summary>
-##	Pass shadow assertion for reading.
-## </summary>
-## <desc>
-##	<p>
-##	Pass shadow assertion for reading.
-##	This should only be used with
-##	auth_tunable_read_shadow(), and
-##	only exists because typeattribute
-##	does not work in conditionals.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_can_read_shadow_passwords',`
-	gen_require(`
-		attribute can_read_shadow_passwords;
-	')
-
-	typeattribute $1 can_read_shadow_passwords;
-')
-
-########################################
-## <summary>
-##	Read the shadow password file.
-## </summary>
-## <desc>
-##	<p>
-##	Read the shadow password file.  This
-##	should only be used in a conditional;
-##	it does not pass the reading shadow
-##	assertion.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_tunable_read_shadow',`
-	gen_require(`
-		type shadow_t;
-	')
-
-	files_list_etc($1)
-	allow $1 shadow_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read the shadow
-##	password file (/etc/shadow).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`auth_dontaudit_read_shadow',`
-	gen_require(`
-		type shadow_t;
-	')
-
-	dontaudit $1 shadow_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read and write the shadow password file (/etc/shadow).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_rw_shadow',`
-	gen_require(`
-		attribute can_read_shadow_passwords, can_write_shadow_passwords;
-		type shadow_t;
-	')
-
-	files_list_etc($1)
-	allow $1 shadow_t:file rw_file_perms;
-	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the shadow
-##	password file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_manage_shadow',`
-	gen_require(`
-		attribute can_read_shadow_passwords, can_write_shadow_passwords;
-		type shadow_t;
-	')
-
-	allow $1 shadow_t:file create_file_perms;
-	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
-')
-
-#######################################
-## <summary>
-##	Automatic transition from etc to shadow.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_etc_filetrans_shadow',`
-	gen_require(`
-		type shadow_t;
-	')
-
-	files_etc_filetrans($1,shadow_t,file)
-')
-
-#######################################
-## <summary>
-##	Relabel to the shadow
-##	password file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_relabelto_shadow',`
-	gen_require(`
-		attribute can_relabelto_shadow_passwords;
-		type shadow_t;
-	')
-
-	files_search_etc($1)
-	allow $1 shadow_t:file relabelto;
-	typeattribute $1 can_relabelto_shadow_passwords;
-')
-
-#######################################
-## <summary>
-##	Relabel from and to the shadow
-##	password file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_relabel_shadow',`
-	gen_require(`
-		attribute can_relabelto_shadow_passwords;
-		type shadow_t;
-	')
-
-	files_search_etc($1)
-	allow $1 shadow_t:file { relabelfrom relabelto };
-	typeattribute $1 can_relabelto_shadow_passwords;
-')
-
-#######################################
-## <summary>
-##	Append to the login failure log.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_append_faillog',`
-	gen_require(`
-		type faillog_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 faillog_t:file { getattr append };
-')
-
-########################################
-## <summary>
-##	Read and write the login failure log.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_rw_faillog',`
-	gen_require(`
-		type faillog_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 faillog_t:file rw_file_perms;
-')
-
-#######################################
-## <summary>
-##	Read the last logins log.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_read_lastlog',`
-	gen_require(`
-		type lastlog_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 lastlog_t:file { getattr read };
-')
-
-#######################################
-## <summary>
-##	Append only to the last logins log.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_append_lastlog',`
-	gen_require(`
-		type lastlog_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 lastlog_t:file { getattr lock append };
-')
-
-#######################################
-## <summary>
-##	Read and write to the last logins log.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_rw_lastlog',`
-	gen_require(`
-		type lastlog_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 lastlog_t:file { getattr read write setattr };
-')
-
-########################################
-## <summary>
-##	Execute pam programs in the pam domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_domtrans_pam',`
-	gen_require(`
-		type pam_t, pam_exec_t;
-	')
-
-	domain_auto_trans($1,pam_exec_t,pam_t)
-
-	allow $1 pam_t:fd use;
-	allow pam_t $1:fd use;
-	allow pam_t $1:fifo_file rw_file_perms;
-	allow pam_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute pam programs in the PAM domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the PAM domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the PAM domain to use.
-##	</summary>
-## </param>
-#
-interface(`auth_run_pam',`
-	gen_require(`
-		type pam_t;
-	')
-
-	auth_domtrans_pam($1)
-	role $2 types pam_t;
-	allow pam_t $3:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute the pam program.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_exec_pam',`
-	gen_require(`
-		type pam_exec_t;
-	')
-
-	can_exec($1,pam_exec_t)
-')
-
-########################################
-## <summary>
-##	Manage var auth files. Used by various other applications
-##	and pam applets etc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_manage_var_auth',`
-	gen_require(`
-		type var_auth_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_auth_t:dir create_dir_perms;
-	allow $1 var_auth_t:file rw_file_perms;
-	allow $1 var_auth_t:lnk_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read PAM PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_read_pam_pid',`
-	gen_require(`
-		type pam_var_run_t;
-	')
-
-	files_search_var($1)
-	files_search_pids($1)
-	allow $1 pam_var_run_t:dir r_dir_perms;
-	allow $1 pam_var_run_t:file r_file_perms;
-')
-
-#######################################
-## <summary>
-##	Do not audit attemps to read PAM PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`auth_dontaudit_read_pam_pid',`
-	gen_require(`
-		type pam_var_run_t;
-	')
-
-	dontaudit $1 pam_var_run_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Delete pam PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_delete_pam_pid',`
-	gen_require(`
-		type pam_var_run_t;
-	')
-
-	files_search_var($1)
-	files_search_pids($1)
-	allow $1 pam_var_run_t:dir { getattr search read write remove_name };
-	allow $1 pam_var_run_t:file { getattr unlink };
-')
-
-########################################
-## <summary>
-##	Manage pam PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_manage_pam_pid',`
-	gen_require(`
-		type pam_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 pam_var_run_t:dir create_dir_perms;
-	allow $1 pam_var_run_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute pam_console with a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_domtrans_pam_console',`
-	gen_require(`
-		type pam_console_t, pam_console_exec_t;
-	')
-
-	domain_auto_trans($1,pam_console_exec_t,pam_console_t)
-
-	allow $1 pam_console_t:fd use;
-	allow pam_console_t $1:fd use;
-	allow pam_console_t $1:fifo_file rw_file_perms;
-	allow pam_console_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Search the contents of the
-##	pam_console data directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_search_pam_console_data',`
-	gen_require(`
-		type pam_var_console_t;
-	')
-
-	files_search_var($1)
-	files_search_pids($1)
-	allow $1 pam_var_console_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List the contents of the pam_console
-##	data directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_list_pam_console_data',`
-	gen_require(`
-		type pam_var_console_t;
-	')
-
-	files_search_var($1)
-	files_search_pids($1)
-	allow $1 pam_var_console_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read pam_console data files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_read_pam_console_data',`
-	gen_require(`
-		type pam_var_console_t;
-	')
-
-	files_search_var($1)
-	files_search_pids($1)
-	allow $1 pam_var_console_t:dir r_dir_perms;
-	allow $1 pam_var_console_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	pam_console data files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_manage_pam_console_data',`
-	gen_require(`
-		type pam_var_console_t;
-	')
-
-	files_search_var($1)
-	files_search_pids($1)
-	allow $1 pam_var_console_t:dir rw_dir_perms;
-	allow $1 pam_var_console_t:file create_file_perms;
-	allow $1 pam_var_console_t:lnk_file create_lnk_perms;
-')
-
-#######################################
-## <summary>
-##	Delete pam_console data.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_delete_pam_console_data',`
-	gen_require(`
-		type pam_var_console_t;
-	')
-
-	files_search_var($1)
-	files_search_pids($1)
-	allow $1 pam_var_console_t:dir rw_dir_perms;
-	allow $1 pam_var_console_t:file unlink;
-')
-
-########################################
-## <summary>
-##	Read all directories on the filesystem, except
-##	the shadow passwords and listed exceptions.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain perfoming this action.
-##	</summary>
-## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
-#
-interface(`auth_read_all_dirs_except_shadow',`
-	gen_require(`
-		type shadow_t;
-	')
-
-	files_read_all_dirs_except($1,$2 -shadow_t)
-')
-
-########################################
-## <summary>
-##	Read all files on the filesystem, except
-##	the shadow passwords and listed exceptions.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain perfoming this action.
-##	</summary>
-## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
-#
-interface(`auth_read_all_files_except_shadow',`
-	gen_require(`
-		type shadow_t;
-	')
-
-	files_read_all_files_except($1,$2 -shadow_t)
-')
-
-########################################
-## <summary>
-##	Read all symbolic links on the filesystem, except
-##	the shadow passwords and listed exceptions.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain perfoming this action.
-##	</summary>
-## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
-#
-interface(`auth_read_all_symlinks_except_shadow',`
-	gen_require(`
-		type shadow_t;
-	')
-
-	files_read_all_symlinks_except($1,$2 -shadow_t)
-')
-
-########################################
-## <summary>
-##	Relabel all files on the filesystem, except
-##	the shadow passwords and listed exceptions.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain perfoming this action.
-##	</summary>
-## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
-#
-
-interface(`auth_relabel_all_files_except_shadow',`
-	gen_require(`
-		type shadow_t;
-	')
-
-	files_relabel_all_files($1,$2 -shadow_t)
-')
-
-########################################
-## <summary>
-##	Manage all files on the filesystem, except
-##	the shadow passwords and listed exceptions.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the domain perfoming this action.
-##	</summary>
-## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
-#
-
-interface(`auth_manage_all_files_except_shadow',`
-	gen_require(`
-		type shadow_t;
-	')
-
-	files_manage_all_files($1,$2 -shadow_t)
-')
-
-########################################
-## <summary>
-##	Execute utempter programs in the utempter domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_domtrans_utempter',`
-	gen_require(`
-		type utempter_t, utempter_exec_t;
-	')
-
-	domain_auto_trans($1,utempter_exec_t,utempter_t)
-
-	allow $1 utempter_t:fd use;
-	allow utempter_t $1:fd use;
-	allow utempter_t $1:fifo_file rw_file_perms;
-	allow utempter_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute utempter programs in the utempter domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the utempter domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the utempter domain to use.
-##	</summary>
-## </param>
-#
-interface(`auth_run_utempter',`
-	gen_require(`
-		type utempter_t;
-	')
-
-	auth_domtrans_utempter($1)
-	role $2 types utempter_t;
-	allow utempter_t $3:chr_file rw_file_perms;
-')
-
-#######################################
-## <summary>
-##	Do not audit attemps to execute utempter executable.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`auth_dontaudit_exec_utempter',`
-	gen_require(`
-		type utempter_exec_t;
-	')
-
-	dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
-')
-
-########################################
-## <summary>
-##	Set the attributes of login record files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_setattr_login_records',`
-	gen_require(`
-		type wtmp_t;
-	')
-
-	allow $1 wtmp_t:file setattr;
-	logging_search_logs($1)
-')
-
-########################################
-## <summary>
-##	Read login records files (/var/log/wtmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_read_login_records',`
-	gen_require(`
-		type wtmp_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 wtmp_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write to
-##	login records files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`auth_dontaudit_write_login_records',`
-	gen_require(`
-		type wtmp_t;
-	')
-
-	dontaudit $1 wtmp_t:file write;
-')
-
-#######################################
-## <summary>
-##	Append to login records (wtmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_append_login_records',`
-	gen_require(`
-		type wtmp_t;
-	')
-
-	allow $1 wtmp_t:file { getattr append };
-')
-
-#######################################
-## <summary>
-##	Write to login records (wtmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_write_login_records',`
-	gen_require(`
-		type wtmp_t;
-	')
-
-	allow $1 wtmp_t:file { write lock };
-')
-
-########################################
-## <summary>
-##	Read and write login records.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_rw_login_records',`
-	gen_require(`
-		type wtmp_t;
-	')
-
-	allow $1 wtmp_t:file rw_file_perms;
-	logging_search_logs($1)
-')
-
-########################################
-## <summary>
-##	Create a login records in the log directory
-##	using a type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_log_filetrans_login_records',`
-	gen_require(`
-		type wtmp_t;
-	')
-
-	logging_log_filetrans($1,wtmp_t,file)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete login
-##	records files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_manage_login_records',`
-	gen_require(`
-		type wtmp_t;
-	')
-
-	logging_rw_generic_log_dirs($1)
-	allow $1 wtmp_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Use nsswitch to look up uid-username mappings.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_use_nsswitch',`
-	gen_require(`
-		type var_auth_t;
-	')
-
-	allow $1 self:netlink_route_socket r_netlink_socket_perms;
-
-	allow $1 var_auth_t:dir r_dir_perms;
-	allow $1 var_auth_t:file create_file_perms;
-	files_list_var_lib($1)
-
-	miscfiles_read_certs($1)
-
-	sysnet_dns_name_resolve($1)
-	sysnet_use_ldap($1)
-
-	optional_policy(`
-		nis_use_ypbind($1)
-	')
-
-	optional_policy(`
-		samba_stream_connect_winbind($1)
-	')
-')
-
-########################################
-## <summary>
-##	Unconfined access to the authlogin module.
-## </summary>
-## <desc>
-##	<p>
-##	Unconfined access to the authlogin module.
-##	</p>
-##	<p>
-##	Currently, this only allows assertions for
-##	the shadow passwords file (/etc/shadow) to
-##	be passed.  No access is granted yet.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_unconfined',`
-	gen_require(`
-		attribute can_read_shadow_passwords;
-		attribute can_write_shadow_passwords;
-		attribute can_relabelto_shadow_passwords;
-	')
-
-	typeattribute $1 can_read_shadow_passwords;
-	typeattribute $1 can_write_shadow_passwords;
-	typeattribute $1 can_relabelto_shadow_passwords;
-')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
deleted file mode 100644
index 209101a..0000000
--- a/refpolicy/policy/modules/system/authlogin.te
+++ /dev/null
@@ -1,317 +0,0 @@
-
-policy_module(authlogin,1.3.7)
-
-########################################
-#
-# Declarations
-#
-
-attribute can_read_shadow_passwords;
-attribute can_write_shadow_passwords;
-attribute can_relabelto_shadow_passwords;
-
-type chkpwd_exec_t;
-files_type(chkpwd_exec_t)
-
-type faillog_t;
-logging_log_file(faillog_t)
-
-type lastlog_t;
-logging_log_file(lastlog_t)
-
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type login_exec_t;
-')
-files_type(login_exec_t)
-
-type pam_console_t;
-type pam_console_exec_t;
-init_system_domain(pam_console_t,pam_console_exec_t)
-role system_r types pam_console_t;
-
-type pam_t;
-domain_type(pam_t)
-role system_r types pam_t;
-
-type pam_exec_t;
-domain_entry_file(pam_t,pam_exec_t)
-
-type pam_tmp_t;
-files_tmp_file(pam_tmp_t)
-
-type pam_var_console_t;
-files_type(pam_var_console_t)
-
-type pam_var_run_t;
-files_pid_file(pam_var_run_t)
-
-type shadow_t;
-files_security_file(shadow_t)
-neverallow ~can_read_shadow_passwords shadow_t:file read;
-neverallow ~can_write_shadow_passwords shadow_t:file { create write };
-neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
-
-authlogin_common_auth_domain_template(system)
-role system_r types system_chkpwd_t;
-
-type utempter_t;
-domain_type(utempter_t)
-
-type utempter_exec_t;
-domain_entry_file(utempter_t,utempter_exec_t)
-
-#
-# var_auth_t is the type of /var/lib/auth, usually
-# used for auth data in pam_able
-#
-type var_auth_t;
-files_type(var_auth_t)
-
-type wtmp_t;
-logging_log_file(wtmp_t)
-
-########################################
-#
-# PAM local policy
-#
-
-allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-dontaudit pam_t self:capability sys_tty_config;
-
-allow pam_t self:fd use;
-allow pam_t self:fifo_file rw_file_perms;
-allow pam_t self:unix_dgram_socket create_socket_perms; 
-allow pam_t self:unix_stream_socket rw_stream_socket_perms;
-allow pam_t self:unix_dgram_socket sendto;
-allow pam_t self:unix_stream_socket connectto;
-allow pam_t self:shm create_shm_perms;
-allow pam_t self:sem create_sem_perms;
-allow pam_t self:msgq create_msgq_perms;
-allow pam_t self:msg { send receive };
-
-allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
-allow pam_t pam_var_run_t:file { getattr read unlink };
-
-allow pam_t pam_tmp_t:dir create_dir_perms;
-allow pam_t pam_tmp_t:file create_file_perms;
-files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
-
-kernel_read_system_state(pam_t)
-
-fs_search_auto_mountpoints(pam_t)
-
-term_use_all_user_ttys(pam_t)
-term_use_all_user_ptys(pam_t)
-
-init_dontaudit_rw_utmp(pam_t)
-
-files_read_etc_files(pam_t)
-files_list_pids(pam_t)
-
-libs_use_ld_so(pam_t)
-libs_use_shared_libs(pam_t)
-
-logging_send_syslog_msg(pam_t)
-
-userdom_use_unpriv_users_fds(pam_t)
-
-optional_policy(`
-	locallogin_use_fds(pam_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(pam_t)
-')
-
-optional_policy(`
-	nscd_socket_use(pam_t)
-')
-
-########################################
-#
-# PAM console local policy
-#
-
-allow pam_console_t self:capability { chown fowner fsetid };
-dontaudit pam_console_t self:capability sys_tty_config;
-
-allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
-
-# for /var/run/console.lock checking
-allow pam_console_t pam_var_console_t:dir r_dir_perms;;
-allow pam_console_t pam_var_console_t:file r_file_perms;
-dontaudit pam_console_t pam_var_console_t:file write;
-allow pam_console_t pam_var_console_t:lnk_file { getattr read };
-
-kernel_read_kernel_sysctls(pam_console_t)
-kernel_use_fds(pam_console_t)
-# Read /proc/meminfo
-kernel_read_system_state(pam_console_t)
-
-dev_read_sysfs(pam_console_t)
-dev_getattr_apm_bios_dev(pam_console_t)
-dev_setattr_apm_bios_dev(pam_console_t)
-dev_getattr_dri_dev(pam_console_t)
-dev_setattr_dri_dev(pam_console_t)
-dev_getattr_framebuffer_dev(pam_console_t)
-dev_setattr_framebuffer_dev(pam_console_t)
-dev_getattr_generic_usb_dev(pam_console_t)
-dev_setattr_generic_usb_dev(pam_console_t)
-dev_getattr_misc_dev(pam_console_t)
-dev_setattr_misc_dev(pam_console_t)
-dev_getattr_mouse_dev(pam_console_t)
-dev_setattr_mouse_dev(pam_console_t)
-dev_getattr_power_mgmt_dev(pam_console_t)
-dev_setattr_power_mgmt_dev(pam_console_t)
-dev_getattr_scanner_dev(pam_console_t)
-dev_setattr_scanner_dev(pam_console_t)
-dev_getattr_sound_dev(pam_console_t)
-dev_setattr_sound_dev(pam_console_t)
-dev_getattr_video_dev(pam_console_t)
-dev_setattr_video_dev(pam_console_t)
-dev_getattr_xserver_misc_dev(pam_console_t)
-dev_setattr_xserver_misc_dev(pam_console_t)
-dev_read_urand(pam_console_t)
-
-fs_search_auto_mountpoints(pam_console_t)
-
-mls_file_read_up(pam_console_t)
-mls_file_write_down(pam_console_t)
-
-storage_getattr_fixed_disk_dev(pam_console_t)
-storage_setattr_fixed_disk_dev(pam_console_t)
-storage_getattr_removable_dev(pam_console_t)
-storage_setattr_removable_dev(pam_console_t)
-storage_getattr_scsi_generic_dev(pam_console_t)
-storage_setattr_scsi_generic_dev(pam_console_t)
-
-term_use_console(pam_console_t)
-term_use_all_user_ttys(pam_console_t)
-term_use_all_user_ptys(pam_console_t)
-term_setattr_console(pam_console_t)
-term_getattr_unallocated_ttys(pam_console_t)
-term_setattr_unallocated_ttys(pam_console_t)
-
-auth_use_nsswitch(pam_console_t)
-
-domain_use_interactive_fds(pam_console_t)
-
-files_read_etc_files(pam_console_t)
-files_search_pids(pam_console_t)
-files_list_mnt(pam_console_t)
-# read /etc/mtab
-files_read_etc_runtime_files(pam_console_t)
-
-init_use_fds(pam_console_t)
-init_use_script_ptys(pam_console_t)
-
-libs_use_ld_so(pam_console_t)
-libs_use_shared_libs(pam_console_t)
-
-logging_send_syslog_msg(pam_console_t)
-
-miscfiles_read_localization(pam_console_t)
-miscfiles_read_certs(pam_console_t)
-
-seutil_read_file_contexts(pam_console_t)
-
-userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
-
-# cjp: with the old daemon_(base_)domain being broken up into
-# a daemon and system interface, this probably is not needed:
-ifdef(`direct_sysadm_daemon', `
-	userdom_dontaudit_use_sysadm_terms(pam_console_t)
-')
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(pam_console_t)
-	term_dontaudit_use_generic_ptys(pam_console_t)
-	files_dontaudit_read_root_files(pam_console_t)
-')
-
-optional_policy(`
-	gpm_getattr_gpmctl(pam_console_t)
-	gpm_setattr_gpmctl(pam_console_t)
-')
-
-optional_policy(`
-	hotplug_use_fds(pam_console_t)
-	hotplug_dontaudit_search_config(pam_console_t)
-')
-
-optional_policy(`
-	nscd_socket_use(pam_console_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(pam_console_t)
-')
-
-optional_policy(`
-	udev_read_db(pam_console_t)
-')
-
-optional_policy(`
-	xserver_read_xdm_pid(pam_console_t)
-')
-
-########################################
-#
-# System check password local policy
-#
-
-allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-allow system_chkpwd_t shadow_t:file { getattr read };
-
-corecmd_search_sbin(system_chkpwd_t)
-
-domain_dontaudit_use_interactive_fds(system_chkpwd_t)
-
-term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
-term_dontaudit_use_generic_ptys(system_chkpwd_t)
-
-userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
-
-########################################
-#
-# Utempter local policy
-#
-
-allow utempter_t self:capability setgid;
-allow utempter_t self:unix_stream_socket create_stream_socket_perms;
-
-allow utempter_t wtmp_t:file rw_file_perms;
-
-dev_read_urand(utempter_t)
-
-term_getattr_all_user_ttys(utempter_t)
-term_getattr_all_user_ptys(utempter_t)
-term_dontaudit_use_all_user_ttys(utempter_t)
-term_dontaudit_use_all_user_ptys(utempter_t)
-term_dontaudit_use_ptmx(utempter_t)
-
-init_rw_utmp(utempter_t)
-
-files_read_etc_files(utempter_t)
-
-domain_use_interactive_fds(utempter_t)
-
-libs_use_ld_so(utempter_t)
-libs_use_shared_libs(utempter_t)
-
-logging_search_logs(utempter_t)
-
-# Allow utemper to write to /tmp/.xses-*
-userdom_write_unpriv_users_tmp_files(utempter_t)
-
-optional_policy(`
-	nscd_socket_use(utempter_t)
-')
-
-optional_policy(`
-	xserver_use_xdm_fds(utempter_t)
-	xserver_rw_xdm_pipes(utempter_t)
-')
diff --git a/refpolicy/policy/modules/system/clock.fc b/refpolicy/policy/modules/system/clock.fc
deleted file mode 100644
index c5e05ca..0000000
--- a/refpolicy/policy/modules/system/clock.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-
-/etc/adjtime		--	gen_context(system_u:object_r:adjtime_t,s0)
-
-/sbin/hwclock		--	gen_context(system_u:object_r:hwclock_exec_t,s0)
-
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
deleted file mode 100644
index d5c66e3..0000000
--- a/refpolicy/policy/modules/system/clock.if
+++ /dev/null
@@ -1,93 +0,0 @@
-## <summary>Policy for reading and setting the hardware clock.</summary>
-
-########################################
-## <summary>
-##	Execute hwclock in the clock domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`clock_domtrans',`
-	gen_require(`
-		type hwclock_t, hwclock_exec_t;
-	')
-
-	domain_auto_trans($1,hwclock_exec_t,hwclock_t)
-
-	allow $1 hwclock_t:fd use;
-	allow hwclock_t $1:fd use;
-	allow hwclock_t $1:fifo_file rw_file_perms;
-	allow hwclock_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute hwclock in the clock domain, and
-##	allow the specified role the hwclock domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the clock domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the clock domain to use.
-##	</summary>
-## </param>
-#
-interface(`clock_run',`
-	gen_require(`
-		type hwclock_t;
-	')
-
-	clock_domtrans($1)
-	role $2 types hwclock_t;
-	allow hwclock_t $3:chr_file { getattr read write ioctl };
-')
-
-########################################
-##     <summary>
-##             Execute hwclock in the caller domain.
-##     </summary>
-##     <param name="domain">
-##	<summary>
-##             The type of the process performing this action.
-##	</summary>
-##     </param>
-#
-interface(`clock_exec',`
-	gen_require(`
-		type hwclock_exec_t;
-	')
-
-	can_exec($1,hwclock_exec_t)
-')
-
-########################################
-##     <summary>
-##             Allow executing domain to modify clock drift
-##     </summary>
-##     <param name="domain">
-##	<summary>
-##             The type of the process performing this action.
-##	</summary>
-##     </param>
-#
-interface(`clock_rw_adjtime',`
-	gen_require(`
-		type adjtime_t;
-	')
-
-	allow $1 adjtime_t:file rw_file_perms;
-	files_list_etc($1)
-')
-
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
deleted file mode 100644
index 03d9885..0000000
--- a/refpolicy/policy/modules/system/clock.te
+++ /dev/null
@@ -1,88 +0,0 @@
-
-policy_module(clock,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type adjtime_t;
-files_type(adjtime_t)
-
-type hwclock_t;
-type hwclock_exec_t;
-init_system_domain(hwclock_t,hwclock_exec_t)
-role system_r types hwclock_t;
-
-########################################
-#
-# Local policy
-#
-
-# Give hwclock the capabilities it requires.  dac_override is a surprise,
-# but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config audit_write };
-dontaudit hwclock_t self:capability sys_tty_config;
-allow hwclock_t self:process signal_perms;
-allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-# Allow hwclock to store & retrieve correction factors.
-allow hwclock_t adjtime_t:file { rw_file_perms setattr };
-
-kernel_read_kernel_sysctls(hwclock_t)
-kernel_list_proc(hwclock_t)
-kernel_read_proc_symlinks(hwclock_t)
-
-dev_read_sysfs(hwclock_t)
-dev_rw_realtime_clock(hwclock_t)
-
-fs_getattr_xattr_fs(hwclock_t)
-fs_search_auto_mountpoints(hwclock_t)
-
-term_dontaudit_use_console(hwclock_t)
-term_use_unallocated_ttys(hwclock_t)
-term_use_all_user_ttys(hwclock_t)
-term_use_all_user_ptys(hwclock_t)
-
-domain_use_interactive_fds(hwclock_t)
-
-init_use_fds(hwclock_t)
-init_use_script_ptys(hwclock_t)
-
-files_read_etc_files(hwclock_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(hwclock_t)
-
-libs_use_ld_so(hwclock_t)
-libs_use_shared_libs(hwclock_t)
-
-logging_send_syslog_msg(hwclock_t)
-
-miscfiles_read_localization(hwclock_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(hwclock_t)
-	term_dontaudit_use_generic_ptys(hwclock_t)
-	files_dontaudit_read_root_files(hwclock_t)
-')
-
-optional_policy(`
-	apm_append_log(hwclock_t)
-	apm_rw_stream_sockets(hwclock_t)
-')
-
-optional_policy(`
-	nscd_socket_use(hwclock_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(hwclock_t)
-')
-
-optional_policy(`
-	udev_read_db(hwclock_t)
-')
-
-optional_policy(`
-	userdom_dontaudit_use_unpriv_user_fds(hwclock_t)
-')
diff --git a/refpolicy/policy/modules/system/daemontools.fc b/refpolicy/policy/modules/system/daemontools.fc
deleted file mode 100644
index 26df050..0000000
--- a/refpolicy/policy/modules/system/daemontools.fc
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# /service
-#
-
-/service		-d	gen_context(system_u:object_r:svc_svc_t,s0)
-/service/.*			gen_context(system_u:object_r:svc_svc_t,s0)
-
-#
-# /usr
-#
-
-/usr/bin/envdir		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/usr/bin/envuidgid	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/usr/bin/fghack		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/usr/bin/multilog	--	gen_context(system_u:object_r:svc_multilog_exec_t,s0)
-/usr/bin/pgrphack	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/usr/bin/setlock		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/usr/bin/setuidgid	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/usr/bin/softlimit	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/usr/bin/svc		--	gen_context(system_u:object_r:svc_start_exec_t,s0)
-/usr/bin/svok		--	gen_context(system_u:object_r:svc_start_exec_t,s0)
-/usr/bin/svscan		--	gen_context(system_u:object_r:svc_start_exec_t,s0)
-/usr/bin/svscanboot	--	gen_context(system_u:object_r:svc_start_exec_t,s0)
-/usr/bin/supervise	--	gen_context(system_u:object_r:svc_start_exec_t,s0)
-
-#
-# /var
-#
-
-/var/axfrdns(/.*)?		gen_context(system_u:object_r:svc_svc_t,s0)
-/var/axfrdns/run		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/var/axfrdns/log/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/var/axfrdns/env(/.*)?		gen_context(system_u:object_r:svc_conf_t,s0)
-
-/var/dnscache(/.*)?		gen_context(system_u:object_r:svc_svc_t,s0)
-/var/dnscache/env(/.*)?		gen_context(system_u:object_r:svc_conf_t,s0)
-/var/dnscache/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/var/dnscache/log/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-
-/var/qmail/supervise(/.*)?	gen_context(system_u:object_r:svc_svc_t,s0)
-/var/qmail/supervise/.*/run --	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
-
-/var/service/.*			gen_context(system_u:object_r:svc_svc_t,s0)
-/var/service/.*/env(/.*)?	gen_context(system_u:object_r:svc_conf_t,s0)
-/var/service/.*/log/main(/.*)?	gen_context(system_u:object_r:svc_log_t,s0)
-/var/service/.*/log/run		gen_context(system_u:object_r:svc_run_exec_t,s0)
-/var/service/.*/run.*		gen_context(system_u:object_r:svc_run_exec_t,s0)
-
-/var/tinydns(/.*)?		gen_context(system_u:object_r:svc_svc_t,s0)
-/var/tinydns/run		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/var/tinydns/log/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
-/var/tinydns/env(/.*)?		gen_context(system_u:object_r:svc_conf_t,s0)
diff --git a/refpolicy/policy/modules/system/daemontools.if b/refpolicy/policy/modules/system/daemontools.if
deleted file mode 100644
index 598e580..0000000
--- a/refpolicy/policy/modules/system/daemontools.if
+++ /dev/null
@@ -1,163 +0,0 @@
-## <summary>Collection of tools for managing UNIX services</summary>
-## <desc>
-##	<p>
-##		Policy for DJB's daemontools
-##	</p>
-## </desc>
-
-########################################
-## <summary>
-##	An ipc channel between the supervised domain and svc_start_t
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access to svc_start_t.
-##	</summary>
-## </param>
-#
-interface(`daemontools_ipc_domain',`
-	gen_require(`
-		type svc_start_t;
-	')
-
-	allow $1 svc_start_t:process sigchld;
-	allow $1 svc_start_t:fd use;
-	allow $1 svc_start_t:fifo_file { read write getattr };
-	allow svc_start_t $1:process signal;
-')
-
-########################################
-## <summary>
-##      Define a specified domain as a supervised service.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-## <param name="entrypoint">
-##	<summary>
-##      The type associated with the process program.
-##	</summary>
-## </param>
-#
-interface(`daemontools_service_domain',`
-	gen_require(`
-		type svc_run_t;
-	')
-
-	domain_auto_trans(svc_run_t, $2, $1)
-	daemontools_ipc_domain($1)
-
-	allow svc_run_t $1:process signal;
-	allow $1 svc_run_t:fd use;
-')
-
-########################################
-## <summary>
-##      Execute in the svc_start_t domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`daemontools_domtrans_start',`
-	gen_require(`
-		type svc_start_t, svc_start_exec_t;
-	')
-
-	domain_auto_trans($1, svc_start_exec_t, svc_start_t)
-
-	allow $1 svc_start_t:fd use;
-	allow svc_start_t $1:fd use;
-	allow svc_start_t $1:fifo_file rw_file_perms;
-	allow svc_start_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##      Execute in the svc_run_t domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`daemontools_domtrans_run',`
-	gen_require(`
-		type svc_run_t, svc_run_exec_t;
-	')
-
-	domain_auto_trans($1, svc_run_exec_t, svc_run_t)
-
-	allow $1 svc_run_t:fd use;
-	allow svc_run_t $1:fd use;
-	allow svc_run_t $1:fifo_file rw_file_perms;
-	allow svc_run_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##      Execute in the svc_multilog_t domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`daemontools_domtrans_multilog',`
-	gen_require(`
-		type svc_multilog_t, svc_multilog_exec_t;
-	')
-
-	domain_auto_trans($1, svc_multilog_exec_t, svc_multilog_t)
-
-	allow $1 svc_multilog_t:fd use;
-	allow svc_multilog_t $1:fd use;
-	allow svc_multilog_t $1:fifo_file rw_file_perms;
-	allow svc_multilog_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##      Allow a domain to read svc_svc_t files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`daemontools_read_svc',`
-	gen_require(`
-		type svc_svc_t;
-	')
-
-	allow $1 svc_svc_t:dir r_dir_perms;
-	allow $1 svc_svc_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##      Allow a domain to create svc_svc_t files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`daemontools_manage_svc',`
-	gen_require(`
-		type svc_svc_t;
-	')
-
-	allow $1 svc_svc_t:dir create_dir_perms;
-	allow $1 svc_svc_t:fifo_file create_file_perms;
-	allow $1 svc_svc_t:file create_file_perms;
-	allow $1 svc_svc_t:lnk_file { read create };
-')
diff --git a/refpolicy/policy/modules/system/daemontools.te b/refpolicy/policy/modules/system/daemontools.te
deleted file mode 100644
index 7f4a387..0000000
--- a/refpolicy/policy/modules/system/daemontools.te
+++ /dev/null
@@ -1,124 +0,0 @@
-
-policy_module(daemontools,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type svc_conf_t;
-files_type(svc_conf_t)
-
-type svc_log_t;
-files_type(svc_log_t)
-
-type svc_multilog_t;
-type svc_multilog_exec_t;
-domain_type(svc_multilog_t)
-domain_entry_file(svc_multilog_t,svc_multilog_exec_t)
-role system_r types svc_multilog_t;
-
-type svc_run_t;
-type svc_run_exec_t;
-domain_type(svc_run_t)
-domain_entry_file(svc_run_t,svc_run_exec_t)
-role system_r types svc_run_t;
-
-type svc_start_t;
-type svc_start_exec_t;
-init_domain(svc_start_t,svc_start_exec_t)
-init_system_domain(svc_start_t,svc_start_exec_t)
-role system_r types svc_start_t;
-
-type svc_svc_t;
-files_type(svc_svc_t)
-
-########################################
-#
-# multilog local policy
-#
-
-# multilog creates /service/*/log/status
-allow svc_multilog_t svc_svc_t:dir rw_dir_perms;
-allow svc_multilog_t svc_svc_t:file create_file_perms;
-
-init_use_fds(svc_multilog_t)
-
-libs_use_ld_so(svc_multilog_t)
-libs_use_shared_libs(svc_multilog_t)
-
-# writes to /var/log/*/*
-logging_manage_generic_logs(svc_multilog_t)
-
-daemontools_ipc_domain(svc_multilog_t)
-
-########################################
-#
-# local policy for binaries that impose 
-# a given environment to supervised daemons
-# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
-#
-
-allow svc_run_t self:capability { setgid setuid chown fsetid };
-allow svc_run_t self:process setrlimit;
-allow svc_run_t self:fifo_file rw_file_perms;
-allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
-
-allow svc_run_t svc_conf_t:dir r_dir_perms;
-allow svc_run_t svc_conf_t:file r_file_perms;
-
-can_exec(svc_run_t svc_run_exec_t)
-
-kernel_read_system_state(svc_run_t)
-
-corecmd_exec_bin(svc_run_t)
-corecmd_exec_sbin(svc_run_t)
-corecmd_exec_shell(svc_run_t)
-corecmd_exec_ls(svc_run_t)
-
-files_read_etc_files(svc_run_t)
-files_read_etc_runtime_files(svc_run_t)
-files_search_pids(svc_run_t)
-files_search_var_lib(svc_run_t)
-
-init_use_script_fds(svc_run_t)
-init_use_fds(svc_run_t)
-
-libs_use_ld_so(svc_run_t)
-libs_use_shared_libs(svc_run_t)
-
-daemontools_domtrans_multilog(svc_run_t)
-daemontools_read_svc(svc_run_t)
-
-optional_policy(`
-	qmail_read_config(svc_run_t)
-')
-
-########################################
-#
-# local policy for service monitoring programs
-# ie svc, svscan, supervise ...
-#
-
-allow svc_start_t svc_run_t:process signal;
-
-allow svc_start_t self:fifo_file rw_file_perms;
-allow svc_start_t self:capability kill;
-allow svc_start_t self:unix_stream_socket create_socket_perms;
-
-can_exec(svc_start_t svc_start_exec_t)
-
-corecmd_read_sbin_symlinks(svc_start_t)
-corecmd_exec_bin(svc_start_t)
-corecmd_exec_shell(svc_start_t)
-
-files_read_etc_files(svc_start_t)
-files_read_etc_runtime_files(svc_start_t)
-files_search_var(svc_start_t)
-files_search_pids(svc_start_t)
-
-libs_use_ld_so(svc_start_t)
-libs_use_shared_libs(svc_start_t)
-
-daemontools_domtrans_run(svc_start_t)
-daemontools_manage_svc(svc_start_t)
diff --git a/refpolicy/policy/modules/system/fstools.fc b/refpolicy/policy/modules/system/fstools.fc
deleted file mode 100644
index f55036c..0000000
--- a/refpolicy/policy/modules/system/fstools.fc
+++ /dev/null
@@ -1,39 +0,0 @@
-/sbin/blockdev		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/dosfsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/dump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/dumpe2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/e2fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/fdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/install-mbr	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/lsraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkdosfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mke2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkfs.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/raidautorun	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/raidstart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/reiserfs(ck|tune)	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/resize.*fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-
-/usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-
-/usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/fstools.if b/refpolicy/policy/modules/system/fstools.if
deleted file mode 100644
index 29ec471..0000000
--- a/refpolicy/policy/modules/system/fstools.if
+++ /dev/null
@@ -1,130 +0,0 @@
-## <summary>Tools for filesystem management, such as mkfs and fsck.</summary>
-
-########################################
-## <summary>
-##	Execute fs tools in the fstools domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`fstools_domtrans',`
-	gen_require(`
-		type fsadm_t, fsadm_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,fsadm_exec_t,fsadm_t)
-
-	allow $1 fsadm_t:fd use;
-	allow fsadm_t $1:fd use;
-	allow fsadm_t $1:fifo_file rw_file_perms;
-	allow fsadm_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute fs tools in the fstools domain, and
-##	allow the specified role the fs tools domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the fs tools domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the fs tools domain to use.
-##	</summary>
-## </param>
-#
-interface(`fstools_run',`
-	gen_require(`
-		type fsadm_t;
-	')
-
-	fstools_domtrans($1)
-	role $2 types fsadm_t;
-	allow fsadm_t $3:chr_file { getattr read write ioctl };
-')
-
-########################################
-## <summary>
-##	Execute fsadm in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`fstools_exec',`
-	gen_require(`
-		type fsadm_exec_t;
-	')
-
-	can_exec($1,fsadm_exec_t)
-')
-
-########################################
-## <summary>
-##	Relabel a file to the type used by the
-##	filesystem tools programs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`fstools_relabelto_entry_files',`
-	gen_require(`
-		type fsadm_exec_t;
-	')
-
-	allow $1 fsadm_exec_t:file relabelto;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete a file used by the
-##	filesystem tools programs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`fstools_manage_entry_files',`
-	gen_require(`
-		type fsadm_exec_t;
-	')
-
-	allow $1 fsadm_exec_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Getattr swapfile
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`fstools_getattr_swap_files',`
-	gen_require(`
-		type swapfile_t;
-	')
-
-	allow $1 swapfile_t:file getattr;
-')
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
deleted file mode 100644
index 73a8fe0..0000000
--- a/refpolicy/policy/modules/system/fstools.te
+++ /dev/null
@@ -1,180 +0,0 @@
-
-policy_module(fstools,1.3.2)
-
-########################################
-#
-# Declarations
-#
-
-type fsadm_t;
-type fsadm_exec_t;
-init_system_domain(fsadm_t,fsadm_exec_t)
-mls_file_read_up(fsadm_t)
-role system_r types fsadm_t;
-
-type fsadm_tmp_t;
-files_tmp_file(fsadm_tmp_t)
-
-type swapfile_t; # customizable
-files_type(swapfile_t)
-
-########################################
-#
-# local policy
-#
-
-# ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
-allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
-allow fsadm_t self:fd use;
-allow fsadm_t self:fifo_file rw_file_perms;
-allow fsadm_t self:sock_file r_file_perms;
-allow fsadm_t self:unix_dgram_socket create_socket_perms;
-allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
-allow fsadm_t self:unix_dgram_socket sendto;
-allow fsadm_t self:unix_stream_socket connectto;
-allow fsadm_t self:shm create_shm_perms;
-allow fsadm_t self:sem create_sem_perms;
-allow fsadm_t self:msgq create_msgq_perms;
-allow fsadm_t self:msg { send receive };
-
-can_exec(fsadm_t, fsadm_exec_t)
-
-allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
-allow fsadm_t fsadm_tmp_t:file create_file_perms;
-files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
-
-# Enable swapping to files
-allow fsadm_t swapfile_t:file { read write getattr swapon };
-
-kernel_read_system_state(fsadm_t)
-kernel_read_kernel_sysctls(fsadm_t)
-# Allow console log change (updfstab)
-kernel_change_ring_buffer_level(fsadm_t)
-# mkreiserfs needs this
-kernel_getattr_proc(fsadm_t)
-kernel_getattr_core_if(fsadm_t)
-# Access to /initrd devices
-kernel_rw_unlabeled_dirs(fsadm_t)
-kernel_rw_unlabeled_blk_files(fsadm_t)
-
-files_getattr_boot_dirs(fsadm_t)
-
-dev_getattr_all_chr_files(fsadm_t)
-dev_dontaudit_getattr_all_blk_files(fsadm_t)
-# mkreiserfs and other programs need this for UUID
-dev_read_rand(fsadm_t)
-dev_read_urand(fsadm_t)
-# Recreate /dev/cdrom.
-dev_manage_generic_symlinks(fsadm_t)
-# fdisk needs this for early boot
-dev_manage_generic_blk_files(fsadm_t)
-# Access to /initrd devices
-dev_search_usbfs(fsadm_t)
-# for swapon
-dev_read_sysfs(fsadm_t)
-# Access to /initrd devices
-dev_getattr_usbfs_dirs(fsadm_t)
-# Access to /dev/mapper/control
-dev_rw_lvm_control(fsadm_t)
-
-fs_search_auto_mountpoints(fsadm_t)
-fs_getattr_xattr_fs(fsadm_t)
-fs_rw_ramfs_pipes(fsadm_t)
-fs_rw_tmpfs_files(fsadm_t)
-# remount file system to apply changes
-fs_remount_xattr_fs(fsadm_t)
-# for /dev/shm
-fs_search_tmpfs(fsadm_t)
-fs_getattr_tmpfs_dirs(fsadm_t)
-fs_read_tmpfs_symlinks(fsadm_t)
-
-mls_file_write_down(fsadm_t)
-
-storage_raw_read_fixed_disk(fsadm_t)
-storage_raw_write_fixed_disk(fsadm_t)
-storage_raw_read_removable_device(fsadm_t)
-storage_raw_write_removable_device(fsadm_t)
-storage_read_scsi_generic(fsadm_t)
-storage_swapon_fixed_disk(fsadm_t)
-
-term_use_console(fsadm_t)
-
-corecmd_list_bin(fsadm_t)
-corecmd_list_sbin(fsadm_t)
-corecmd_read_bin_symlinks(fsadm_t)
-corecmd_read_sbin_symlinks(fsadm_t)
-# cjp: these are probably not needed:
-corecmd_read_bin_files(fsadm_t)
-corecmd_read_bin_pipes(fsadm_t)
-corecmd_read_bin_sockets(fsadm_t)
-corecmd_read_sbin_files(fsadm_t)
-corecmd_read_sbin_pipes(fsadm_t)
-corecmd_read_sbin_sockets(fsadm_t)
-
-domain_use_interactive_fds(fsadm_t)
-
-files_list_home(fsadm_t)
-files_read_usr_files(fsadm_t)
-files_read_etc_files(fsadm_t)
-files_manage_lost_found(fsadm_t)
-files_manage_isid_type_dirs(fsadm_t)
-# Write to /etc/mtab.
-files_manage_etc_runtime_files(fsadm_t)
-files_etc_filetrans_etc_runtime(fsadm_t,file)
-# Access to /initrd devices
-files_rw_isid_type_dirs(fsadm_t)
-files_rw_isid_type_blk_files(fsadm_t)
-# Recreate /mnt/cdrom.
-files_manage_mnt_dirs(fsadm_t)
-# for tune2fs
-files_search_all(fsadm_t)
-
-init_use_fds(fsadm_t)
-init_use_script_ptys(fsadm_t)
-init_dontaudit_getattr_initctl(fsadm_t)
-
-libs_use_ld_so(fsadm_t)
-libs_use_shared_libs(fsadm_t)
-
-logging_send_syslog_msg(fsadm_t)
-
-miscfiles_read_localization(fsadm_t)
-
-modutils_read_module_config(fsadm_t)
-
-seutil_read_config(fsadm_t)
-
-userdom_use_unpriv_users_fds(fsadm_t)
-
-ifdef(`targeted_policy',`
-	term_use_unallocated_ttys(fsadm_t)
-	term_use_generic_ptys(fsadm_t)
-')
-
-tunable_policy(`read_default_t',`
-	files_list_default(fsadm_t)
-	files_read_default_files(fsadm_t)
-	files_read_default_symlinks(fsadm_t)
-	files_read_default_sockets(fsadm_t)
-	files_read_default_pipes(fsadm_t)
-')
-
-optional_policy(`
-	amanda_rw_dumpdates_files(fsadm_t)
-	amanda_append_log_files(fsadm_t)
-')
-
-optional_policy(`
-	# for smartctl cron jobs
-	cron_system_entry(fsadm_t,fsadm_exec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(fsadm_t)
-')
-
-optional_policy(`
-	fs_dontaudit_write_ramfs_pipes(fsadm_t)
-	rhgb_stub(fsadm_t)
-')
diff --git a/refpolicy/policy/modules/system/getty.fc b/refpolicy/policy/modules/system/getty.fc
deleted file mode 100644
index b778309..0000000
--- a/refpolicy/policy/modules/system/getty.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-
-/etc/mgetty(/.*)?		gen_context(system_u:object_r:getty_etc_t,s0)
-
-/sbin/.*getty		--	gen_context(system_u:object_r:getty_exec_t,s0)
-
-/var/log/mgetty\.log.*	--	gen_context(system_u:object_r:getty_log_t,s0)
-/var/log/vgetty\.log\..* --	gen_context(system_u:object_r:getty_log_t,s0)
-
-/var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
-
-/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
deleted file mode 100644
index 79a89e7..0000000
--- a/refpolicy/policy/modules/system/getty.if
+++ /dev/null
@@ -1,100 +0,0 @@
-## <summary>Policy for getty.</summary>
-
-########################################
-## <summary>
-##	Execute gettys in the getty domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`getty_domtrans',`
-	gen_require(`
-		type getty_t, getty_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,getty_exec_t,getty_t)
-
-	allow $1 getty_t:fd use;
-	allow getty_t $1:fd use;
-	allow getty_t $1:fifo_file rw_file_perms;
-	allow getty_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Inherit and use getty file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`getty_use_fds',`
-	gen_require(`
-		type getty_t;
-	')
-
-	allow $1 getty_t:fd use;
-')
-
-########################################
-## <summary>
-##	Allow process to read getty log file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`getty_read_log',`
-	gen_require(`
-		type getty_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 getty_log_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow process to read getty config file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`getty_read_config',`
-	gen_require(`
-		type getty_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 getty_etc_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow process to edit getty config file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`getty_rw_config',`
-	gen_require(`
-		type getty_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 getty_etc_t:file rw_file_perms;
-')
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
deleted file mode 100644
index aaac752..0000000
--- a/refpolicy/policy/modules/system/getty.te
+++ /dev/null
@@ -1,126 +0,0 @@
-
-policy_module(getty,1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type getty_t;
-')
-type getty_exec_t;
-init_domain(getty_t,getty_exec_t)
-domain_interactive_fd(getty_t)
-
-type getty_etc_t;
-typealias getty_etc_t alias etc_getty_t;
-files_config_file(getty_etc_t)
-
-type getty_lock_t;
-files_lock_file(getty_lock_t)
-
-type getty_log_t;
-logging_log_file(getty_log_t)
-
-type getty_tmp_t;
-files_tmp_file(getty_tmp_t)
-
-type getty_var_run_t;
-files_pid_file(getty_var_run_t)
-
-########################################
-#
-# Getty local policy
-#
-
-# Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
-dontaudit getty_t self:capability sys_tty_config;
-allow getty_t self:process { getpgid getsession signal_perms };
-
-allow getty_t getty_etc_t:dir r_dir_perms;
-allow getty_t getty_etc_t:file r_file_perms;
-allow getty_t getty_etc_t:lnk_file { getattr read };
-files_etc_filetrans(getty_t,getty_etc_t,{ file dir })
-
-allow getty_t getty_lock_t:file create_file_perms;
-files_lock_filetrans(getty_t,getty_lock_t,file)
-
-allow getty_t getty_log_t:file create_file_perms;
-logging_log_filetrans(getty_t,getty_log_t,file)
-
-allow getty_t getty_tmp_t:file create_file_perms;
-allow getty_t getty_tmp_t:dir create_dir_perms;
-files_tmp_filetrans(getty_t,getty_tmp_t,{ file dir })
-
-allow getty_t getty_var_run_t:file create_file_perms;
-allow getty_t getty_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(getty_t,getty_var_run_t,file)
-
-kernel_list_proc(getty_t)
-kernel_read_proc_symlinks(getty_t)
-
-dev_read_sysfs(getty_t)
-
-fs_search_auto_mountpoints(getty_t)
-# for error condition handling
-fs_getattr_xattr_fs(getty_t)
-
-mcs_process_set_categories(getty_t)
-
-mls_file_read_up(getty_t)
-mls_file_write_down(getty_t)
-
-# Chown, chmod, read and write ttys.
-term_use_all_user_ttys(getty_t)
-term_use_unallocated_ttys(getty_t)
-term_setattr_all_user_ttys(getty_t)
-term_setattr_unallocated_ttys(getty_t)
-term_setattr_console(getty_t)
-term_dontaudit_use_console(getty_t)
-
-auth_rw_login_records(getty_t)
-
-corecmd_search_bin(getty_t)
-corecmd_search_sbin(getty_t)
-
-files_rw_generic_pids(getty_t)
-files_read_etc_runtime_files(getty_t)
-files_read_etc_files(getty_t)
-
-init_rw_utmp(getty_t)
-init_use_script_ptys(getty_t)
-init_dontaudit_use_script_ptys(getty_t)
-
-libs_use_ld_so(getty_t)
-libs_use_shared_libs(getty_t)
-
-locallogin_domtrans(getty_t)
-
-logging_send_syslog_msg(getty_t)
-
-miscfiles_read_localization(getty_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(getty_t)
-	term_dontaudit_use_generic_ptys(getty_t)
-')
-
-optional_policy(`
-	mta_send_mail(getty_t)
-')
-
-optional_policy(`
-	nscd_socket_use(getty_t)
-')
-
-optional_policy(`
-	ppp_domtrans(getty_t)
-')
-
-optional_policy(`
-	udev_read_db(getty_t)
-')
diff --git a/refpolicy/policy/modules/system/hostname.fc b/refpolicy/policy/modules/system/hostname.fc
deleted file mode 100644
index 9dfecf7..0000000
--- a/refpolicy/policy/modules/system/hostname.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/bin/hostname		--	gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
deleted file mode 100644
index d7a3090..0000000
--- a/refpolicy/policy/modules/system/hostname.if
+++ /dev/null
@@ -1,75 +0,0 @@
-## <summary>Policy for changing the system host name.</summary>
-
-########################################
-## <summary>
-##	Execute hostname in the hostname domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hostname_domtrans',`
-	gen_require(`
-		type hostname_t, hostname_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1,hostname_exec_t,hostname_t)
-
-	allow $1 hostname_t:fd use;
-	allow hostname_t $1:fd use;
-	allow hostname_t $1:fifo_file rw_file_perms;
-	allow hostname_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute hostname in the hostname domain, and
-##	allow the specified role the hostname domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the hostname domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the hostname domain to use.
-##	</summary>
-## </param>
-#
-interface(`hostname_run',`
-	gen_require(`
-		type hostname_t;
-	')
-
-	hostname_domtrans($1)
-	role $2 types hostname_t;
-	allow hostname_t $3:chr_file { getattr read write ioctl };
-')
-
-########################################
-## <summary>
-##	Execute hostname in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-## 	</summary>
-## </param>
-#
-interface(`hostname_exec',`
-	gen_require(`
-		type hostname_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1,hostname_exec_t)
-')
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
deleted file mode 100644
index dbe028b..0000000
--- a/refpolicy/policy/modules/system/hostname.te
+++ /dev/null
@@ -1,61 +0,0 @@
-
-policy_module(hostname,1.2.0)
-
-########################################
-#
-# Declarations
-#
-
-type hostname_t;
-type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
-role system_r types hostname_t;
-
-########################################
-#
-# Local policy
-#
-
-# for setting the hostname
-allow hostname_t self:process { sigchld sigkill sigstop signull signal };
-allow hostname_t self:capability sys_admin;
-allow hostname_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit hostname_t self:capability sys_tty_config;
-
-kernel_list_proc(hostname_t)
-kernel_read_proc_symlinks(hostname_t)
-
-dev_read_sysfs(hostname_t)
-
-fs_getattr_xattr_fs(hostname_t)
-fs_search_auto_mountpoints(hostname_t)
-fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
-
-term_dontaudit_use_console(hostname_t)
-term_use_all_user_ttys(hostname_t)
-term_use_all_user_ptys(hostname_t)
-
-init_use_fds(hostname_t)
-init_use_script_fds(hostname_t)
-init_use_script_ptys(hostname_t)
-
-domain_use_interactive_fds(hostname_t)
-
-files_read_etc_files(hostname_t)
-files_dontaudit_search_var(hostname_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(hostname_t)
-
-libs_use_ld_so(hostname_t)
-libs_use_shared_libs(hostname_t)
-
-logging_send_syslog_msg(hostname_t)
-
-miscfiles_read_localization(hostname_t)
-
-sysnet_read_config(hostname_t)
-sysnet_dns_name_resolve(hostname_t)
-
-
-
-
diff --git a/refpolicy/policy/modules/system/hotplug.fc b/refpolicy/policy/modules/system/hotplug.fc
deleted file mode 100644
index 1af8916..0000000
--- a/refpolicy/policy/modules/system/hotplug.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-
-/etc/hotplug(/.*)?		gen_context(system_u:object_r:hotplug_etc_t,s0)
-/etc/hotplug/firmware.agent --	gen_context(system_u:object_r:hotplug_exec_t,s0)
-
-/etc/hotplug\.d/.*	--	gen_context(system_u:object_r:hotplug_exec_t,s0)
-
-/sbin/hotplug		--	gen_context(system_u:object_r:hotplug_exec_t,s0)
-/sbin/netplugd		--	gen_context(system_u:object_r:hotplug_exec_t,s0)
-
-/var/run/usb(/.*)?		gen_context(system_u:object_r:hotplug_var_run_t,s0)
-/var/run/hotplug(/.*)?		gen_context(system_u:object_r:hotplug_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
deleted file mode 100644
index e9e0ee9..0000000
--- a/refpolicy/policy/modules/system/hotplug.if
+++ /dev/null
@@ -1,161 +0,0 @@
-## <summary>
-## Policy for hotplug system, for supporting the
-## connection and disconnection of devices at runtime.
-## </summary>
-
-########################################
-## <summary>
-##	Execute hotplug with a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hotplug_domtrans',`
-	gen_require(`
-		type hotplug_t, hotplug_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,hotplug_exec_t,hotplug_t)
-
-	allow $1 hotplug_t:fd use;
-	allow hotplug_t $1:fd use;
-	allow hotplug_t $1:fifo_file rw_file_perms;
-	allow hotplug_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute hotplug in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hotplug_exec',`
-	gen_require(`
-		type hotplug_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1,hotplug_exec_t)
-')
-
-########################################
-## <summary>
-##	Inherit and use hotplug file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hotplug_use_fds',`
-	gen_require(`
-		type hotplug_t;
-	')
-
-	allow $1 hotplug_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit
-##	hotplug file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`hotplug_dontaudit_use_fds',`
-	gen_require(`
-		type hotplug_t;
-	')
-
-	dontaudit $1 hotplug_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the
-##	hotplug configuration directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`hotplug_dontaudit_search_config',`
-	gen_require(`
-		type hotplug_etc_t;
-	')
-
-	dontaudit $1 hotplug_etc_t:dir search;
-')
-
-########################################
-## <summary>
-##	Get the attributes of the hotplug configuration directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hotplug_getattr_config_dirs',`
-	gen_require(`
-		type hotplug_etc_t;
-	')
-
-	allow $1 hotplug_etc_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the hotplug configuration directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hotplug_search_config',`
-	gen_require(`
-		type hotplug_etc_t;
-	')
-
-	allow $1 hotplug_etc_t:dir { getattr search };
-')
-
-########################################
-## <summary>
-##	Read the configuration files for hotplug.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`hotplug_read_config',`
-	gen_require(`
-		type hotplug_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 hotplug_etc_t:file r_file_perms;
-	allow $1 hotplug_etc_t:dir r_dir_perms;
-	allow $1 hotplug_etc_t:lnk_file r_file_perms;
-')
-
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
deleted file mode 100644
index 14bad2d..0000000
--- a/refpolicy/policy/modules/system/hotplug.te
+++ /dev/null
@@ -1,207 +0,0 @@
-
-policy_module(hotplug,1.2.1)
-
-########################################
-#
-# Declarations
-#
-
-type hotplug_t;
-type hotplug_exec_t;
-kernel_domtrans_to(hotplug_t,hotplug_exec_t)
-init_daemon_domain(hotplug_t,hotplug_exec_t)
-
-type hotplug_etc_t;
-files_config_file(hotplug_etc_t)
-init_daemon_domain(hotplug_t,hotplug_etc_t)
-
-type hotplug_var_run_t;
-files_pid_file(hotplug_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit hotplug_t self:capability { dac_override dac_read_search };
-allow hotplug_t self:process { getsession getattr signal_perms };
-allow hotplug_t self:fifo_file rw_file_perms;
-allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
-allow hotplug_t self:udp_socket create_socket_perms;
-allow hotplug_t self:tcp_socket connected_stream_socket_perms;
-
-allow hotplug_t hotplug_etc_t:file r_file_perms;
-allow hotplug_t hotplug_etc_t:dir r_dir_perms;
-allow hotplug_t hotplug_etc_t:lnk_file r_file_perms;
-can_exec(hotplug_t,hotplug_etc_t)
-
-can_exec(hotplug_t,hotplug_exec_t)
-
-allow hotplug_t hotplug_var_run_t:file manage_file_perms;
-allow hotplug_t hotplug_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(hotplug_t,hotplug_var_run_t,file)
-
-kernel_sigchld(hotplug_t)
-kernel_setpgid(hotplug_t)
-kernel_read_system_state(hotplug_t)
-kernel_read_kernel_sysctls(hotplug_t)
-kernel_read_net_sysctls(hotplug_t)
-
-files_read_kernel_modules(hotplug_t)
-
-corenet_non_ipsec_sendrecv(hotplug_t)
-corenet_tcp_sendrecv_all_if(hotplug_t)
-corenet_udp_sendrecv_all_if(hotplug_t)
-corenet_tcp_sendrecv_all_nodes(hotplug_t)
-corenet_udp_sendrecv_all_nodes(hotplug_t)
-corenet_tcp_sendrecv_all_ports(hotplug_t)
-corenet_udp_sendrecv_all_ports(hotplug_t)
-
-dev_rw_sysfs(hotplug_t)
-dev_read_usbfs(hotplug_t)
-dev_setattr_printer_dev(hotplug_t)
-dev_setattr_sound_dev(hotplug_t)
-# for SSP:
-dev_read_urand(hotplug_t)
-
-fs_getattr_all_fs(hotplug_t)
-fs_search_auto_mountpoints(hotplug_t)
-
-storage_setattr_fixed_disk_dev(hotplug_t)
-storage_setattr_removable_dev(hotplug_t)
-
-term_dontaudit_use_console(hotplug_t)
-
-corecmd_exec_bin(hotplug_t)
-corecmd_exec_shell(hotplug_t)
-corecmd_exec_sbin(hotplug_t)
-corecmd_exec_ls(hotplug_t)
-
-domain_use_interactive_fds(hotplug_t)
-# for ps
-domain_dontaudit_read_all_domains_state(hotplug_t)
-domain_dontaudit_getattr_all_domains(hotplug_t)
-
-files_read_etc_files(hotplug_t)
-files_manage_etc_runtime_files(hotplug_t)
-files_etc_filetrans_etc_runtime(hotplug_t,file)
-files_exec_etc_files(hotplug_t)
-# for when filesystems are not mounted early in the boot:
-files_dontaudit_search_isid_type_dirs(hotplug_t)
-
-init_use_fds(hotplug_t)
-init_use_script_ptys(hotplug_t)
-init_read_script_state(hotplug_t)
-# Allow hotplug (including /sbin/ifup-local) to start/stop services and
-# run sendmail -q
-init_domtrans_script(hotplug_t)
-# kernel threads inherit from shared descriptor table used by init
-init_dontaudit_rw_initctl(hotplug_t)
-
-logging_send_syslog_msg(hotplug_t)
-logging_search_logs(hotplug_t)
-
-libs_use_ld_so(hotplug_t)
-libs_use_shared_libs(hotplug_t)
-# Read /usr/lib/gconv/.*
-libs_read_lib_files(hotplug_t)
-
-miscfiles_read_hwdata(hotplug_t)
-miscfiles_read_localization(hotplug_t)
-
-modutils_domtrans_insmod(hotplug_t)
-modutils_read_module_deps(hotplug_t)
-
-seutil_dontaudit_search_config(hotplug_t)
-
-sysnet_read_config(hotplug_t)
-
-userdom_dontaudit_use_unpriv_user_fds(hotplug_t)
-userdom_dontaudit_search_sysadm_home_dirs(hotplug_t)
-
-ifdef(`distro_redhat', `
-	optional_policy(`
-		# for arping used for static IP addresses on PCMCIA ethernet
-		netutils_domtrans(hotplug_t)
-		fs_rw_tmpfs_chr_files(hotplug_t)
-	')
-	files_getattr_generic_locks(hotplug_t)
-')
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(hotplug_t)
-	term_dontaudit_use_generic_ptys(hotplug_t)
-
-	optional_policy(`
-		consoletype_domtrans(hotplug_t)
-	')
-')
-
-optional_policy(`
-	dbus_system_bus_client_template(hotplug,hotplug_t)
-')
-
-optional_policy(`
-	fstools_domtrans(hotplug_t)
-')
-
-optional_policy(`
-	hal_dgram_send(hotplug_t)
-')
-
-optional_policy(`
-	hostname_exec(hotplug_t)
-')
-
-optional_policy(`
-	iptables_domtrans(hotplug_t)
-')
-
-optional_policy(`
-	mount_domtrans(hotplug_t)
-')
-
-optional_policy(`
-	mta_send_mail(hotplug_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(hotplug_t)
-')
-
-optional_policy(`
-	nscd_socket_use(hotplug_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(hotplug_t)
-')
-
-optional_policy(`
-	sysnet_domtrans_dhcpc(hotplug_t)
-	sysnet_signal_dhcpc(hotplug_t)
-	sysnet_kill_dhcpc(hotplug_t)
-	sysnet_signull_dhcpc(hotplug_t)
-	sysnet_sigstop_dhcpc(hotplug_t)
-	sysnet_sigchld_dhcpc(hotplug_t)
-	sysnet_read_dhcpc_pid(hotplug_t)
-	sysnet_rw_dhcp_config(hotplug_t)
-	sysnet_domtrans_ifconfig(hotplug_t)
-')
-
-optional_policy(`
-	udev_domtrans(hotplug_t)
-	udev_helper_domtrans(hotplug_t)
-	udev_read_db(hotplug_t)
-')
-
-optional_policy(`
-	updfstab_domtrans(hotplug_t)
-')
-
-optional_policy(`
-	usbmodules_domtrans(hotplug_t)
-')
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
deleted file mode 100644
index 46ef80a..0000000
--- a/refpolicy/policy/modules/system/init.fc
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# /etc
-#
-/etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-
-/etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/etc/rc\.d/rc\.sysinit	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/etc/rc\.d/rc\.local	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-
-/etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-
-ifdef(`targeted_policy', `', `
-/etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-')
-
-#
-# /dev
-#
-/dev/initctl		-p	gen_context(system_u:object_r:initctl_t,s0)
-
-#
-# /sbin
-#
-/sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
-
-
-ifdef(`distro_gentoo', `
-/sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/runscript		--      gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/runscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/runsvcscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/svcinit		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-')
-
-#
-# /usr
-#
-/usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
-/usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
-
-/usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
-/usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-
-#
-# /var
-#
-ifdef(`distro_gentoo', `
-/var/lib/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
-/var/run/svscan\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-')
-
-/var/run/utmp		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-/var/run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
-/var/run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-/var/run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-
-ifdef(`distro_suse', `
-/var/run/bootsplashctl	-p	gen_context(system_u:object_r:initrc_var_run_t,s0)
-/var/run/keymap		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-/var/run/numlock-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-/var/run/setleds-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-/var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
-')
-
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
deleted file mode 100644
index 4e76bd4..0000000
--- a/refpolicy/policy/modules/system/init.if
+++ /dev/null
@@ -1,1139 +0,0 @@
-## <summary>System initialization programs (init and init scripts).</summary>
-
-########################################
-## <summary>
-##	Create a domain which can be started by init.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Type to be used as a domain.
-##	</summary>
-## </param>
-## <param name="entry_point">
-##	<summary>
-##	Type of the program to be used as an entry point to this domain.
-##	</summary>
-## </param>
-#
-interface(`init_domain',`
-	gen_require(`
-		type init_t;
-		role system_r;
-	')
-
-	domain_type($1)
-	domain_entry_file($1,$2)
-
-	role system_r types $1;
-
-	domain_auto_trans(init_t,$2,$1)
-
-	allow $1 init_t:fd use;
-	allow init_t $1:fd use;
-	allow $1 init_t:fifo_file rw_file_perms;
-	allow $1 init_t:process sigchld;
-
-	ifdef(`hide_broken_symptoms',`
-		# RHEL4 systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_rhel4',`
-			kernel_dontaudit_use_fds($1)
-		')
-	')
-')
-
-########################################
-## <summary>
-##	Create a domain for long running processes
-##	(daemons) which can be started by init scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Type to be used as a domain.
-##	</summary>
-## </param>
-## <param name="entry_point">
-##	<summary>
-##	Type of the program to be used as an entry point to this domain.
-##	</summary>
-## </param>
-#
-interface(`init_daemon_domain',`
-	gen_require(`
-		attribute direct_run_init, direct_init, direct_init_entry;
-		type initrc_t;
-		role system_r;
-	')
-
-	domain_type($1)
-	domain_entry_file($1,$2)
-
-	role system_r types $1;
-
-	ifdef(`direct_sysadm_daemon',`
-		domain_auto_trans(direct_run_init,$2,$1)
-
-		allow direct_run_init $1:fd use;
-		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
-		allow $1 direct_run_init:fd use;
-		allow $1 direct_run_init:fifo_file rw_file_perms;
-		allow $1 direct_run_init:process sigchld;
-
-		typeattribute $1 direct_init;
-		typeattribute $2 direct_init_entry;
-	')
-
-	ifdef(`hide_broken_symptoms',`
-		# RHEL4 systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_rhel4',`
-			kernel_dontaudit_use_fds($1)
-		')
-	')
-
-	ifdef(`targeted_policy',`
-		# this regex is a hack, since it assumes there is a
-		# _t at the end of the domain type.  If there is no _t
-		# at the end of the type, it returns empty!
-		ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
-			bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
-			define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
-		')
-		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
-			can_exec(initrc_t,$2)
-			can_exec(direct_run_init,$2)
-		} else {
-			domain_auto_trans(initrc_t,$2,$1)
-			allow initrc_t $1:fd use;
-			allow $1 initrc_t:fd use;
-			allow $1 initrc_t:fifo_file rw_file_perms;
-			allow $1 initrc_t:process sigchld;
-			allow initrc_t $1:process { noatsecure siginh rlimitinh };
-		}
-	',`
-		domain_auto_trans(initrc_t,$2,$1)
-		allow initrc_t $1:fd use;
-		allow $1 initrc_t:fd use;
-		allow $1 initrc_t:fifo_file rw_file_perms;
-		allow $1 initrc_t:process sigchld;
-		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-	')
-
-	optional_policy(`
-		nscd_socket_use($1)
-	')
-')
-
-########################################
-## <summary>
-##	Create a domain for short running processes
-##	which can be started by init scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Type to be used as a domain.
-##	</summary>
-## </param>
-## <param name="entry_point">
-##	<summary>
-##	Type of the program to be used as an entry point to this domain.
-##	</summary>
-## </param>
-#
-interface(`init_system_domain',`
-	gen_require(`
-		type initrc_t;
-		role system_r;
-	')
-
-	domain_type($1)
-	domain_entry_file($1,$2)
-
-	role system_r types $1;
-
-	domain_auto_trans(initrc_t,$2,$1)
-
-	allow initrc_t $1:fd use;
-	allow $1 initrc_t:fd use;
-	allow $1 initrc_t:fifo_file rw_file_perms;
-	allow $1 initrc_t:process sigchld;
-
-	ifdef(`hide_broken_symptoms',`
-		# RHEL4 systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_rhel4',`
-			kernel_dontaudit_use_fds($1)
-		')
-	')
-')
-
-########################################
-## <summary>
-##	Execute init (/sbin/init) with a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_domtrans',`
-	gen_require(`
-		type init_t, init_exec_t;
-	')
-
-	domain_auto_trans($1,init_exec_t,init_t)
-
-	allow $1 init_t:fd use;
-	allow init_t $1:fd use;
-	allow init_t $1:fifo_file rw_file_perms;
-	allow init_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute the init program in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_exec',`
-	gen_require(`
-		type init_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1,init_exec_t)
-')
-
-########################################
-## <summary>
-##	Get the process group of init.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_getpgid',`
-	gen_require(`
-		type init_t;
-
-		# cjp: remove this when init_t decl is moved back to this module
-		attribute direct_run_init;
-	')
-
-	allow $1 init_t:process getpgid;
-')
-
-########################################
-## <summary>
-##	Send init a null signal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_signull',`
-	gen_require(`
-		type init_t;
-
-		# cjp: remove this when init_t decl is moved back to this module
-		attribute direct_run_init;
-	')
-
-	allow $1 init_t:process signull;
-')
-
-########################################
-## <summary>
-##	Send init a SIGCHLD signal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_sigchld',`
-	gen_require(`
-		type init_t;
-
-		# cjp: remove this when init_t decl is moved back to this module
-		attribute direct_run_init;
-	')
-
-	allow $1 init_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Inherit and use file descriptors from init.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_use_fds',`
-	gen_require(`
-		type init_t;
-
-		# cjp: remove this when init_t decl is moved back to this module
-		attribute direct_run_init;
-	')
-
-	allow $1 init_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit file
-##	descriptors from init.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_dontaudit_use_fds',`
-	gen_require(`
-		type init_t;
-
-		# cjp: remove this when init_t decl is moved back to this module
-		attribute direct_run_init;
-	')
-
-	dontaudit $1 init_t:fd use;
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic to init.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_udp_send',`
-	gen_require(`
-		type init_t;
-
-		# cjp: remove this when init_t decl is moved back to this module
-		attribute direct_run_init;
-	')
-
-	allow $1 init_t:udp_socket sendto;
-	allow init_t $1:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Get the attributes of initctl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_getattr_initctl',`
-	gen_require(`
-		type initctl_t;
-	')
-
-	allow $1 initctl_t:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	attributes of initctl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`init_dontaudit_getattr_initctl',`
-	gen_require(`
-		type initctl_t;
-	')
-
-	dontaudit $1 initctl_t:fifo_file getattr;
-')
-
-########################################
-## <summary>
-##	Write to initctl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_write_initctl',`
-	gen_require(`
-		type initctl_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 initctl_t:fifo_file write;
-')
-
-########################################
-## <summary>
-##	Read and write initctl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_rw_initctl',`
-	gen_require(`
-		type initctl_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 initctl_t:fifo_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and
-##	write initctl.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_dontaudit_rw_initctl',`
-	gen_require(`
-		type initctl_t;
-	')
-
-	dontaudit $1 initctl_t:fifo_file { read write };
-')
-
-########################################
-## <summary>
-##	Make init scripts an entry point for
-##	the specified domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain for which init scripts are an entrypoint.
-##	</summary>
-## </param>
-# cjp: added for gentoo integrated run_init
-interface(`init_script_file_entry_type',`
-	gen_require(`
-		type initrc_exec_t;
-	')
-
-	domain_entry_file($1,initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute init scripts with a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_domtrans_script',`
-	gen_require(`
-		type initrc_t, initrc_exec_t;
-	')
-
-	files_list_etc($1)
-	domain_auto_trans($1,initrc_exec_t,initrc_t)
-
-	allow initrc_t $1:fd use;
-	allow initrc_t $1:fifo_file rw_file_perms;
-	allow initrc_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute a init script in a specified domain.
-## </summary>
-## <desc>
-##      <p>
-##	Execute a init script in a specified domain.
-##      </p>
-##      <p>
-##      No interprocess communication (signals, pipes,
-##      etc.) is provided by this interface since
-##      the domains are not owned by this module.
-##      </p>
-## </desc>
-## <param name="source_domain">
-##	<summary>
-##	Domain to transition from.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	Domain to transition to.
-##	</summary>
-## </param>
-# cjp: added for gentoo integrated run_init
-interface(`init_script_file_domtrans',`
-	gen_require(`
-		type initrc_exec_t;
-	')
-
-	files_list_etc($1)
-	domain_auto_trans($1,initrc_exec_t,$2)
-')
-
-########################################
-## <summary>
-##	Start and stop daemon programs directly.
-## </summary>
-## <desc>
-##	<p>
-##	Start and stop daemon programs directly
-##	in the traditional "/etc/init.d/daemon start"
-##	style, and do not require run_init.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be performing this action.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal of the user.
-##	</summary>
-## </param>
-#
-interface(`init_run_daemon',`
-	gen_require(`
-		attribute direct_run_init, direct_init, direct_init_entry;
-		role system_r;
-	')
-
-	typeattribute $1 direct_run_init;
-	role_transition $2 direct_init_entry system_r;
-	dontaudit direct_init $3:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Write an init script unnamed pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_write_script_pipes',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:fifo_file write;
-')
-
-########################################
-## <summary>
-##	Get the attribute of init script entrypoint files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_getattr_script_files',`
-	gen_require(`
-		type initrc_exec_t;
-	')
-
-	files_list_etc($1)
-	allow $1 initrc_exec_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Execute init scripts in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_exec_script_files',`
-	gen_require(`
-		type initrc_exec_t;
-	')
-
-	files_list_etc($1)
-	can_exec($1,initrc_exec_t)
-')
-
-########################################
-## <summary>
-##	Read the process state (/proc/pid) of the init scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_read_script_state',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	#FIXME: search proc dir
-	allow $1 initrc_t:dir r_dir_perms;
-	allow $1 initrc_t:{ file lnk_file } r_file_perms;
-	allow $1 initrc_t:process getattr;
-
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $1 initrc_t:process ptrace;
-')
-
-########################################
-## <summary>
-##	Inherit and use init script file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_use_script_fds',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit
-##	init script file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_dontaudit_use_script_fds',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	dontaudit $1 initrc_t:fd use;
-')
-
-########################################
-## <summary>
-##	Get the process group ID of init scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_getpgid_script',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:process getpgid;
-')
-
-########################################
-## <summary>
-##	Send SIGCHLD signals to init scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_sigchld_script',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send generic signals to init scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_signal_script',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:process signal;
-')
-
-########################################
-## <summary>
-##	Send null signals to init scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_signull_script',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:process signull;
-')
-
-########################################
-## <summary>
-##	Read and write init script unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_rw_script_pipes',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:fifo_file { read write };
-')
-
-########################################
-## <summary>
-##	Send UDP network traffic to init scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_udp_send_script',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:udp_socket sendto;
-	allow initrc_t $1:udp_socket recvfrom;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to connect to
-##	init scripts with a unix socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_stream_connect_script',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Allow the specified domain to read/write to
-##	init scripts with a unix domain stream sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_rw_script_stream_sockets',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	allow $1 initrc_t:unix_stream_socket { read write };
-')
-
-########################################
-## <summary>
-##	Dont audit the specified domain connecting to
-##	init scripts with a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_dontaudit_stream_connect_script',`
-	gen_require(`
-		type initrc_t;
-	')
-
-	dontaudit $1 initrc_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	init scripts over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_dbus_chat_script',`
-	gen_require(`
-		type initrc_t;
-		class dbus send_msg;
-	')
-
-	allow $1 initrc_t:dbus send_msg;
-	allow initrc_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Read and write the init script pty.
-## </summary>
-## <desc>
-##	<p>
-##	Read and write the init script pty.  This
-##	pty is generally opened by the open_init_pty
-##	portion of the run_init program so that the
-##	daemon does not require direct access to
-##	the administrator terminal.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_use_script_ptys',`
-	gen_require(`
-		type initrc_devpts_t;
-	')
-
-	term_list_ptys($1)
-	allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and
-##	write the init script pty.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`init_dontaudit_use_script_ptys',`
-	gen_require(`
-		type initrc_devpts_t;
-	')
-
-	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
-')
-
-########################################
-## <summary>
-##	Read init scripts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_read_script_files',`
-	gen_require(`
-		type initrc_exec_t;
-	')
-
-	files_search_etc($1)
-	allow $1 initrc_exec_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read init script
-##	status files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_dontaudit_read_script_status_files',`
-	gen_require(`
-		type initrc_state_t;
-	')
-
-	dontaudit $1 initrc_state_t:dir search_dir_perms;
-	dontaudit $1 initrc_state_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write init script temporary data.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_rw_script_tmp_files',`
-	gen_require(`
-		type initrc_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 initrc_tmp_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Create files in a init script
-##	temporary data directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="file_type">
-##	<summary>
-##	The type of the object to be created
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The object class.
-##	</summary>
-## </param>
-#
-interface(`init_script_tmp_filetrans',`
-	gen_require(`
-		type initrc_tmp_t;
-	')
-
-	files_search_tmp($1)
-
-	allow $1 initrc_tmp_t:dir rw_dir_perms;
-	type_transition $1 initrc_tmp_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Get the attributes of init script process id files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_getattr_utmp',`
-	gen_require(`
-		type initrc_var_run_t;
-	')
-
-	allow $1 initrc_var_run_t:file getattr;
-')
-
-########################################
-## <summary>
-##	Read utmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_read_utmp',`
-	gen_require(`
-		type initrc_var_run_t;
-	')
-
-	files_list_pids($1)
-	allow $1 initrc_var_run_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write utmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_dontaudit_write_utmp',`
-	gen_require(`
-		type initrc_var_run_t;
-	')
-
-	dontaudit $1 initrc_var_run_t:file { write lock };
-')
-
-########################################
-## <summary>
-##	Write to utmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_write_utmp',`
-	gen_require(`
-		type initrc_var_run_t;
-	')
-
-	files_list_pids($1)
-	allow $1 initrc_var_run_t:file { getattr write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to lock 
-##	init script pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_dontaudit_lock_utmp',`
-	gen_require(`
-		type initrc_var_run_t;
-	')
-
-	dontaudit $1 initrc_var_run_t:file lock;
-')
-
-########################################
-## <summary>
-##	Read and write utmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_rw_utmp',`
-	gen_require(`
-		type initrc_var_run_t;
-	')
-
-	files_list_pids($1)
-	allow $1 initrc_var_run_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write utmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_dontaudit_rw_utmp',`
-	gen_require(`
-		type initrc_var_run_t;
-	')
-
-	dontaudit $1 initrc_var_run_t:file { getattr read write append };
-')
-
-########################################
-## <summary>
-##      Create, read, write, and delete utmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain access allowed.
-##	</summary>
-## </param>
-#
-interface(`init_manage_utmp',`
-	gen_require(`
-		type initrc_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 initrc_var_run_t:file create_file_perms;
-')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
deleted file mode 100644
index 65cf3de..0000000
--- a/refpolicy/policy/modules/system/init.te
+++ /dev/null
@@ -1,744 +0,0 @@
-
-policy_module(init,1.3.17)
-
-gen_require(`
-	class passwd rootok;
-')
-
-########################################
-#
-# Declarations
-#
-
-# used for direct running of init scripts
-# by admin domains
-attribute direct_run_init;
-attribute direct_init;
-attribute direct_init_entry;
-
-#
-# init_t is the domain of the init process.
-#
-# real declaration moved to mls until
-# range_transition works in loadable modules
-# also remove the extra init_exec_t dependencies
-# in init_t interfaces when the decl gets moved back here.
-gen_require(`
-	type init_t;
-')
-domain_type(init_t)
-role system_r types init_t;
-
-#
-# init_exec_t is the type of the init program.
-#
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type init_exec_t;
-')
-kernel_domtrans_to(init_t,init_exec_t)
-domain_entry_file(init_t,init_exec_t)
-
-#
-# init_var_run_t is the type for /var/run/shutdown.pid.
-#
-type init_var_run_t;
-files_pid_file(init_var_run_t)
-
-#
-# initctl_t is the type of the named pipe created 
-# by init during initialization.  This pipe is used
-# to communicate with init.
-#
-type initctl_t;
-files_type(initctl_t)
-mls_trusted_object(initctl_t)
-
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type initrc_t;
-')
-domain_type(initrc_t)
-role system_r types initrc_t;
-
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type initrc_exec_t;
-')
-domain_entry_file(initrc_t,initrc_exec_t)
-
-type initrc_devpts_t;
-term_pty(initrc_devpts_t)
-files_type(initrc_devpts_t)
-
-type initrc_state_t;
-files_type(initrc_state_t)
-
-type initrc_tmp_t;
-files_tmp_file(initrc_tmp_t)
-
-type initrc_var_run_t;
-files_pid_file(initrc_var_run_t)
-
-########################################
-#
-# Init local policy
-#
-
-# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
-# is ~sys_module really needed? observed: 
-# sys_boot
-# sys_tty_config
-# kill: now provided by domain_kill_all_domains()
-# setuid (from /sbin/shutdown)
-# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
-
-allow init_t self:fifo_file rw_file_perms;
-
-# Re-exec itself
-allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
-
-allow init_t initrc_t:unix_stream_socket connectto;
-
-# For /var/run/shutdown.pid.
-allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
-files_pid_filetrans(init_t,init_var_run_t,file)
-
-allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
-fs_associate_tmpfs(initctl_t)
-dev_filetrans(init_t,initctl_t,fifo_file)
-
-# Modify utmp.
-allow init_t initrc_var_run_t:file { rw_file_perms setattr };
-
-kernel_read_system_state(init_t)
-kernel_share_state(init_t)
-
-corecmd_exec_chroot(init_t)
-corecmd_exec_bin(init_t)
-corecmd_exec_sbin(init_t)
-
-dev_read_sysfs(init_t)
-
-domain_kill_all_domains(init_t)
-domain_signal_all_domains(init_t)
-domain_signull_all_domains(init_t)
-domain_sigstop_all_domains(init_t)
-domain_sigstop_all_domains(init_t)
-domain_sigchld_all_domains(init_t)
-
-files_read_etc_files(init_t)
-files_rw_generic_pids(init_t)
-files_dontaudit_search_isid_type_dirs(init_t)
-files_manage_etc_runtime_files(init_t)
-files_etc_filetrans_etc_runtime(init_t,file)
-# Run /etc/X11/prefdm:
-files_exec_etc_files(init_t)
-# file descriptors inherited from the rootfs:
-files_dontaudit_rw_root_files(init_t)
-files_dontaudit_rw_root_chr_files(init_t)
-
-# cjp: this may be related to /dev/log
-fs_write_ramfs_sockets(init_t)
-
-mcs_process_set_categories(init_t)
-
-mls_process_write_down(init_t)
-
-selinux_set_boolean(init_t)
-
-term_use_all_terms(init_t)
-
-# Run init scripts.
-init_domtrans_script(init_t)
-
-libs_use_ld_so(init_t)
-libs_use_shared_libs(init_t)
-libs_rw_ld_so_cache(init_t)
-
-logging_send_syslog_msg(init_t)
-logging_rw_generic_logs(init_t)
-
-mcs_killall(init_t)
-
-mls_file_read_up(init_t)
-mls_file_write_down(init_t)
-mls_rangetrans_target(init_t)
-
-seutil_read_config(init_t)
-
-miscfiles_read_localization(init_t)
-
-ifdef(`distro_redhat',`
-	fs_rw_tmpfs_chr_files(init_t)
-	fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
-')
-
-ifdef(`targeted_policy',`
-	unconfined_domain(init_t)
-')
-
-optional_policy(`
-	auth_rw_login_records(init_t)
-')
-
-optional_policy(`
-	nscd_socket_use(init_t)
-')
-
-optional_policy(`
-	portmap_udp_send(init_t)
-')
-
-# Run the shell in the sysadm_t domain for single-user mode.
-optional_policy(`
-	userdom_shell_domtrans_sysadm(init_t)
-')
-
-########################################
-#
-# Init script local policy
-#
-
-allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
-allow initrc_t self:passwd rootok;
-
-# Allow IPC with self
-allow initrc_t self:unix_dgram_socket create_socket_perms;
-allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
-allow initrc_t self:tcp_socket create_stream_socket_perms;
-allow initrc_t self:udp_socket create_socket_perms;
-allow initrc_t self:fifo_file rw_file_perms;
-allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
-term_create_pty(initrc_t,initrc_devpts_t)
-
-can_exec(initrc_t,initrc_exec_t)
-
-allow initrc_t initrc_state_t:dir create_dir_perms;
-allow initrc_t initrc_state_t:file create_file_perms;
-allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
-
-allow initrc_t initrc_var_run_t:file create_file_perms;
-files_pid_filetrans(initrc_t,initrc_var_run_t,file)
-
-can_exec(initrc_t,initrc_tmp_t)
-allow initrc_t initrc_tmp_t:file create_file_perms;
-allow initrc_t initrc_tmp_t:dir create_dir_perms;
-files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir })
-
-init_write_initctl(initrc_t)
-
-kernel_read_system_state(initrc_t)
-kernel_read_software_raid_state(initrc_t)
-kernel_read_network_state(initrc_t)
-kernel_read_ring_buffer(initrc_t)
-kernel_change_ring_buffer_level(initrc_t)
-kernel_clear_ring_buffer(initrc_t)
-kernel_get_sysvipc_info(initrc_t)
-kernel_read_all_sysctls(initrc_t)
-kernel_rw_all_sysctls(initrc_t)
-# for lsof which is used by alsa shutdown:
-kernel_dontaudit_getattr_message_if(initrc_t)
-
-files_read_kernel_symbol_table(initrc_t)
-
-corenet_non_ipsec_sendrecv(initrc_t)
-corenet_tcp_sendrecv_all_if(initrc_t)
-corenet_udp_sendrecv_all_if(initrc_t)
-corenet_tcp_sendrecv_all_nodes(initrc_t)
-corenet_udp_sendrecv_all_nodes(initrc_t)
-corenet_tcp_sendrecv_all_ports(initrc_t)
-corenet_udp_sendrecv_all_ports(initrc_t)
-corenet_tcp_connect_all_ports(initrc_t)
-corenet_sendrecv_all_client_packets(initrc_t)
-
-dev_read_rand(initrc_t)
-dev_read_urand(initrc_t)
-dev_write_rand(initrc_t)
-dev_write_urand(initrc_t)
-dev_rw_sysfs(initrc_t)
-dev_list_usbfs(initrc_t)
-dev_read_framebuffer(initrc_t)
-dev_read_realtime_clock(initrc_t)
-dev_read_sound_mixer(initrc_t)
-dev_write_sound_mixer(initrc_t)
-dev_setattr_all_chr_files(initrc_t)
-dev_read_lvm_control(initrc_t)
-dev_delete_lvm_control_dev(initrc_t)
-dev_manage_generic_symlinks(initrc_t)
-dev_manage_generic_files(initrc_t)
-# Wants to remove udev.tbl:
-dev_delete_generic_symlinks(initrc_t)
-
-fs_register_binary_executable_type(initrc_t)
-# rhgb-console writes to ramfs
-fs_write_ramfs_pipes(initrc_t)
-# cjp: not sure why these are here; should use mount policy
-fs_mount_all_fs(initrc_t)
-fs_unmount_all_fs(initrc_t)
-fs_remount_all_fs(initrc_t)
-fs_getattr_all_fs(initrc_t)
-
-selinux_get_enforce_mode(initrc_t)
-
-storage_getattr_fixed_disk_dev(initrc_t)
-storage_setattr_fixed_disk_dev(initrc_t)
-storage_setattr_removable_dev(initrc_t)
-
-term_use_all_terms(initrc_t)
-term_reset_tty_labels(initrc_t)
-
-auth_rw_login_records(initrc_t)
-auth_setattr_login_records(initrc_t)
-auth_rw_lastlog(initrc_t)
-auth_read_pam_pid(initrc_t)
-auth_delete_pam_pid(initrc_t)
-auth_delete_pam_console_data(initrc_t)
-
-corecmd_exec_all_executables(initrc_t)
-
-domain_kill_all_domains(initrc_t)
-domain_signal_all_domains(initrc_t)
-domain_signull_all_domains(initrc_t)
-domain_sigstop_all_domains(initrc_t)
-domain_sigstop_all_domains(initrc_t)
-domain_sigchld_all_domains(initrc_t)
-domain_read_all_domains_state(initrc_t)
-domain_getattr_all_domains(initrc_t)
-domain_dontaudit_ptrace_all_domains(initrc_t)
-domain_getsession_all_domains(initrc_t)
-domain_use_interactive_fds(initrc_t)
-# for lsof which is used by alsa shutdown:
-domain_dontaudit_getattr_all_udp_sockets(initrc_t)
-domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
-domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
-domain_dontaudit_getattr_all_pipes(initrc_t)
-
-files_getattr_all_dirs(initrc_t)
-files_getattr_all_files(initrc_t)
-files_getattr_all_symlinks(initrc_t)
-files_getattr_all_pipes(initrc_t)
-files_getattr_all_sockets(initrc_t)
-files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
-files_read_all_pids(initrc_t)
-files_delete_all_pids(initrc_t)
-files_delete_all_pid_dirs(initrc_t)
-files_read_etc_files(initrc_t)
-files_manage_etc_runtime_files(initrc_t)
-files_etc_filetrans_etc_runtime(initrc_t,file)
-files_manage_generic_locks(initrc_t)
-files_exec_etc_files(initrc_t)
-files_read_usr_files(initrc_t)
-files_manage_urandom_seed(initrc_t)
-files_manage_generic_spool(initrc_t)
-# Mount and unmount file systems.
-# cjp: not sure why these are here; should use mount policy
-files_list_isid_type_dirs(initrc_t)
-files_mounton_isid_type_dirs(initrc_t)
-files_list_default(initrc_t)
-files_mounton_default(initrc_t)
-
-libs_rw_ld_so_cache(initrc_t)
-libs_use_ld_so(initrc_t)
-libs_use_shared_libs(initrc_t)
-libs_exec_lib_files(initrc_t)
-
-logging_send_syslog_msg(initrc_t)
-logging_manage_generic_logs(initrc_t)
-logging_read_all_logs(initrc_t)
-logging_append_all_logs(initrc_t)
-logging_read_audit_config(initrc_t)
-
-miscfiles_read_localization(initrc_t)
-# slapd needs to read cert files from its initscript
-miscfiles_read_certs(initrc_t)
-
-mcs_killall(initrc_t)
-mcs_process_set_categories(initrc_t)
-
-mls_file_read_up(initrc_t)
-mls_file_write_down(initrc_t)
-mls_process_read_up(initrc_t)
-mls_process_write_down(initrc_t)
-mls_rangetrans_source(initrc_t)
-mls_rangetrans_target(initrc_t)
-
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
-
-seutil_read_config(initrc_t)
-
-sysnet_read_config(initrc_t)
-
-userdom_read_all_users_home_content_files(initrc_t)
-# Allow access to the sysadm TTYs. Note that this will give access to the 
-# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-# started from init should be placed in their own domain.
-userdom_use_sysadm_terms(initrc_t)
-
-ifdef(`distro_debian',`
-	dev_setattr_generic_dirs(initrc_t)
-
-	fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir)
-
-	# for storing state under /dev/shm
-	fs_setattr_tmpfs_dirs(initrc_t)
-	storage_manage_fixed_disk(initrc_t)
-	storage_tmpfs_filetrans_fixed_disk(initrc_t)
-
-	files_setattr_etc_dirs(initrc_t)
-')
-
-ifdef(`distro_gentoo',`
-	optional_policy(`
-		arpwatch_manage_data_files(initrc_t)
-	')
-
-	optional_policy(`
-		dhcpd_setattr_state_files(initrc_t)
-	')
-')
-
-ifdef(`distro_redhat',`
-	# this is from kmodule, which should get its own policy:
-	allow initrc_t self:capability sys_admin;
-
-	# Red Hat systems seem to have a stray
-	# fd open from the initrd
-	kernel_dontaudit_use_fds(initrc_t)
-	files_dontaudit_read_root_files(initrc_t)
-
-	selinux_set_enforce_mode(initrc_t)
-
-	# Create and read /boot/kernel.h and /boot/System.map.
-	# Redhat systems typically create this file at boot time.
-	bootloader_create_runtime_file(initrc_t)
-	files_rw_boot_symlinks(initrc_t)
-
-	# These seem to be from the initrd
-	# during device initialization:
-	dev_create_generic_dirs(initrc_t)
-	dev_rwx_zero(initrc_t)
-	dev_rx_raw_memory(initrc_t)
-	dev_wx_raw_memory(initrc_t)
-	storage_raw_read_fixed_disk(initrc_t)
-	storage_raw_write_fixed_disk(initrc_t)
-
-	files_create_boot_flag(initrc_t)
-	# wants to read /.fonts directory
-	files_read_default_files(initrc_t)
-	files_mountpoint(initrc_tmp_t)
-
-	fs_rw_tmpfs_chr_files(initrc_t)
-
-	storage_manage_fixed_disk(initrc_t)
-	storage_dev_filetrans_fixed_disk(initrc_t)
-	storage_getattr_removable_dev(initrc_t)
-
-	# readahead asks for these
-	auth_dontaudit_read_shadow(initrc_t)
-
-	miscfiles_read_fonts(initrc_t)
-	miscfiles_read_hwdata(initrc_t)
-
-	optional_policy(`
-		bind_manage_config_dirs(initrc_t)
-		bind_write_config(initrc_t)
-	')
-
-	optional_policy(`
-		#for /etc/rc.d/init.d/nfs to create /etc/exports
-		rpc_write_exports(initrc_t)
-	')
-
-	optional_policy(`
-		sysnet_rw_dhcp_config(initrc_t)
-	')
-
-	optional_policy(`
-		xserver_delete_log(initrc_t)
-	')
-')
-
-ifdef(`distro_suse',`
-	optional_policy(`
-		# set permissions on /tmp/.X11-unix
-		xserver_setattr_xdm_tmp_dirs(initrc_t)
-	')
-')
-
-ifdef(`targeted_policy',`
-	domain_subj_id_change_exemption(initrc_t)
-	unconfined_domain(initrc_t)
-
-	optional_policy(`
-		mono_domtrans(initrc_t)
-	')
-',`
-	# cjp: require doesnt work in optionals :\
-	# this also would result in a type transition
-	# conflict if sendmail is enabled
-#	optional_policy(`',`
-#		mta_send_mail(initrc_t)
-#	')
-')
-
-optional_policy(`
-	amavis_search_lib(initrc_t)
-	amavis_setattr_pid_files(initrc_t)
-')
-
-optional_policy(`
-	dev_rw_apm_bios(initrc_t)
-')
-
-optional_policy(`
-	apache_read_config(initrc_t)
-	apache_list_modules(initrc_t)
-')
-
-optional_policy(`
-	automount_exec_config(initrc_t)
-')
-
-optional_policy(`
-	bind_read_config(initrc_t)
-
-	# for chmod in start script
-	bind_setattr_pid_dirs(initrc_t)
-')
-
-optional_policy(`
-	dev_read_usbfs(initrc_t)
-	bluetooth_read_config(initrc_t)
-')
-
-optional_policy(`
-	clamav_read_config(initrc_t)
-')
-
-optional_policy(`
-	cpucontrol_stub(initrc_t)
-	dev_getattr_cpu_dev(initrc_t)
-')
-
-optional_policy(`
-	dev_getattr_printer_dev(initrc_t)
-
-	cups_read_log(initrc_t)
-	cups_read_rw_config(initrc_t)
-')
-
-optional_policy(`
-	daemontools_manage_svc(initrc_t)
-')
-
-optional_policy(`
-	dbus_connect_system_bus(initrc_t)
-	dbus_send_system_bus(initrc_t)
-	dbus_system_bus_client_template(initrc,initrc_t)
-	dbus_read_config(initrc_t)
-
-	optional_policy(`
-		networkmanager_dbus_chat(initrc_t)
-	')
-')
-
-optional_policy(`
-	ftp_read_config(initrc_t)
-')
-
-optional_policy(`
-	gpm_setattr_gpmctl(initrc_t)
-')
-
-optional_policy(`
-	dev_read_usbfs(initrc_t)
-
-	# init scripts run /etc/hotplug/usb.rc
-	hotplug_read_config(initrc_t)
-
-	modutils_read_module_deps(initrc_t)
-')
-
-optional_policy(`
-	inn_exec_config(initrc_t)
-')
-
-optional_policy(`
-	ipsec_read_config(initrc_t)
-	ipsec_manage_pid(initrc_t)
-')
-
-optional_policy(`
-	kerberos_use(initrc_t)
-')
-
-optional_policy(`
-	ldap_read_config(initrc_t)
-	ldap_list_db(initrc_t)
-')
-
-optional_policy(`
-	loadkeys_exec(initrc_t)
-')
-
-optional_policy(`
-	# This is needed to permit chown to read /var/spool/lpd/lp.
-	# This is opens up security more than necessary; this means that ANYTHING
-	# running in the initrc_t domain can read the printer spool directory.
-	# Perhaps executing /etc/rc.d/init.d/lpd should transition
-	# to domain lpd_t, instead of waiting for executing lpd.
-	lpd_list_spool(initrc_t)
-
-	lpd_read_config(initrc_t)
-')
-
-optional_policy(`
-	#allow initrc_t lvm_control_t:chr_file unlink;
-
-	dev_read_lvm_control(initrc_t)
-	dev_create_generic_chr_files(initrc_t)
-
-	lvm_read_config(initrc_t)
-')
-
-optional_policy(`
-	mailman_list_data(initrc_t)
-	mailman_read_data_symlinks(initrc_t)
-')
-
-optional_policy(`
-	mta_read_config(initrc_t)
-	mta_dontaudit_read_spool_symlinks(initrc_t)
-')
-
-optional_policy(`
-	ifdef(`distro_redhat',`
-		mysql_manage_db_dirs(initrc_t)
-	')
-
-	mysql_stream_connect(initrc_t)
-	mysql_write_log(initrc_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(initrc_t)
-	nis_udp_send_ypbind(initrc_t)
-	nis_list_var_yp(initrc_t)
-')
-
-optional_policy(`
-	nscd_socket_use(initrc_t)
-')
-
-optional_policy(`
-	openvpn_read_config(initrc_t)
-')
-
-optional_policy(`
-	postgresql_manage_db(initrc_t)
-	postgresql_read_config(initrc_t)
-')
-
-optional_policy(`
-	postfix_list_spool(initrc_t)
-')
-
-optional_policy(`
-	quota_manage_flags(initrc_t)
-')
-
-optional_policy(`
-	raid_manage_mdadm_pid(initrc_t)
-')
-
-optional_policy(`
-	corecmd_shell_entry_type(initrc_t)
-	fs_write_ramfs_sockets(initrc_t)
-	fs_search_ramfs(initrc_t)
-
-	rhgb_rw_stream_sockets(initrc_t)
-	rhgb_stream_connect(initrc_t)
-')
-
-optional_policy(`
-	rpc_read_exports(initrc_t)
-')
-
-optional_policy(`
-	# bash tries to access a block device in the initrd
-	kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)
-
-	# for a bug in rm
-	files_dontaudit_write_all_pids(initrc_t)
-
-	# bash tries ioctl for some reason
-	files_dontaudit_ioctl_all_pids(initrc_t)
-
-	# why is this needed:
-	rpm_manage_db(initrc_t)
-')
-
-optional_policy(`
-	samba_rw_config(initrc_t)
-	samba_read_winbind_pid(initrc_t)
-')
-
-optional_policy(`
-	squid_read_config(initrc_t)
-	squid_manage_logs(initrc_t)
-')
-
-optional_policy(`
-	ssh_dontaudit_read_server_keys(initrc_t)
-')
-
-# allow init scripts to su
-optional_policy(`
-	su_restricted_domain_template(initrc,initrc_t,system_r)
-')
-
-optional_policy(`
-	sysnet_read_dhcpc_state(initrc_t)
-')
-
-optional_policy(`
-	udev_rw_db(initrc_t)
-')
-
-optional_policy(`
-	uml_setattr_util_sockets(initrc_t)
-')
-
-optional_policy(`
-	vmware_read_system_config(initrc_t)
-	vmware_append_system_config(initrc_t)
-')
-
-optional_policy(`
-	miscfiles_manage_fonts(initrc_t)
-
-	# cjp: is this really needed?
-	xfs_read_sockets(initrc_t)
-')
-
-optional_policy(`
-	# Set device ownerships/modes.
-	xserver_setattr_console_pipes(initrc_t)
-
-	# init script wants to check if it needs to update windowmanagerlist
-	xserver_read_xdm_rw_config(initrc_t)
-')
-
-optional_policy(`
-	zebra_read_config(initrc_t)
-')
diff --git a/refpolicy/policy/modules/system/ipsec.fc b/refpolicy/policy/modules/system/ipsec.fc
deleted file mode 100644
index f0aa1f1..0000000
--- a/refpolicy/policy/modules/system/ipsec.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-/etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
-/etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
-/etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
-
-/etc/racoon(/.*)?			gen_context(system_u:object_r:ipsec_conf_file_t,s0)
-/etc/racoon/certs(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
-
-/etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
-
-/sbin/setkey			--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-
-/usr/lib(64)?/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-/usr/lib(64)?/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-/usr/lib(64)?/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/lib(64)?/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/lib(64)?/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/lib(64)?/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-
-/usr/libexec/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/libexec/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-
-/usr/local/lib(64)?/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-
-/usr/sbin/racoon		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/sbin/setkey		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-
-/var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
-
-/var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/ipsec.if b/refpolicy/policy/modules/system/ipsec.if
deleted file mode 100644
index a3fc91d..0000000
--- a/refpolicy/policy/modules/system/ipsec.if
+++ /dev/null
@@ -1,120 +0,0 @@
-## <summary>TCP/IP encryption</summary>
-
-########################################
-## <summary>
-##	Execute ipsec in the ipsec domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`ipsec_domtrans',`
-	gen_require(`
-		type ipsec_t, ipsec_exec_t;
-	')
-
-	domain_auto_trans($1,ipsec_exec_t,ipsec_t)
-
-	allow $1 ipsec_t:fd use;
-	allow ipsec_t $1:fd use;
-	allow ipsec_t $1:fifo_file rw_file_perms;
-	allow ipsec_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Connect to IPSEC using a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`ipsec_stream_connect',`
-	gen_require(`
-		type ipsec_t, ipsec_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 ipsec_var_run_t:dir search;
-	allow $1 ipsec_var_run_t:sock_file write;
-	allow $1 ipsec_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Get the attributes of an IPSEC key socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`ipsec_getattr_key_sockets',`
-	gen_require(`
-		type ipsec_t;
-	')
-
-	allow $1 ipsec_t:key_socket getattr;
-')
-
-########################################
-## <summary>
-##	Execute the IPSEC management program in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`ipsec_exec_mgmt',`
-	gen_require(`
-		type ipsec_exec_t;
-	')
-
-	can_exec($1,ipsec_exec_t)
-')
-
-########################################
-## <summary>
-##	Read the IPSEC configuration
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`ipsec_read_config',`
-	gen_require(`
-		type ipsec_conf_file_t;
-	')
-
-	files_search_etc($1)
-	allow $1 ipsec_conf_file_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the IPSEC pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`ipsec_manage_pid',`
-	gen_require(`
-		type ipsec_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 ipsec_var_run_t:dir rw_dir_perms;
-	allow $1 ipsec_var_run_t:file create_file_perms;
-')
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
deleted file mode 100644
index 930c8dc..0000000
--- a/refpolicy/policy/modules/system/ipsec.te
+++ /dev/null
@@ -1,274 +0,0 @@
-
-policy_module(ipsec,1.1.1)
-
-########################################
-#
-# Declarations
-#
-
-type ipsec_t;
-type ipsec_exec_t;
-init_daemon_domain(ipsec_t,ipsec_exec_t)
-role system_r types ipsec_t;
-
-# type for ipsec configuration file(s) - not for keys
-type ipsec_conf_file_t;
-files_type(ipsec_conf_file_t)
-
-# type for file(s) containing ipsec keys - RSA or preshared
-type ipsec_key_file_t;
-files_type(ipsec_key_file_t)
-
-# type for runtime files, including pluto.ctl
-type ipsec_var_run_t;
-files_pid_file(ipsec_var_run_t)
-
-type ipsec_mgmt_t;
-type ipsec_mgmt_exec_t;
-init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
-corecmd_shell_entry_type(ipsec_mgmt_t)
-role system_r types ipsec_mgmt_t;
-
-type ipsec_mgmt_lock_t;
-files_lock_file(ipsec_mgmt_lock_t)
-
-type ipsec_mgmt_var_run_t;
-files_pid_file(ipsec_mgmt_var_run_t)
-
-########################################
-#
-# ipsec Local policy
-#
-
-allow ipsec_t self:capability { net_admin dac_override dac_read_search };
-dontaudit ipsec_t self:capability sys_tty_config;
-allow ipsec_t self:process signal;
-allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
-allow ipsec_t self:tcp_socket create_stream_socket_perms;
-allow ipsec_t self:key_socket { create write read setopt };
-allow ipsec_t self:fifo_file { read getattr };
-
-allow ipsec_t ipsec_conf_file_t:dir r_dir_perms;
-allow ipsec_t ipsec_conf_file_t:file r_file_perms;
-allow ipsec_t ipsec_conf_file_t:lnk_file r_file_perms;
-
-allow ipsec_t ipsec_key_file_t:dir r_dir_perms;
-allow ipsec_t ipsec_key_file_t:file r_file_perms;
-allow ipsec_t ipsec_key_file_t:lnk_file r_file_perms;
-
-allow ipsec_t ipsec_var_run_t:file create_file_perms;
-allow ipsec_t ipsec_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
-
-can_exec(ipsec_t, ipsec_mgmt_exec_t)
-
-# pluto runs an updown script (by calling popen()!); as this is by default
-# a shell script, we need to find a way to make things work without
-# letting all sorts of stuff possibly be run...
-# so try flipping back into the ipsec_mgmt_t domain
-corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
-allow ipsec_t ipsec_mgmt_t:fd use;
-allow ipsec_mgmt_t ipsec_t:fd use;
-allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
-allow ipsec_mgmt_t ipsec_t:process sigchld;
-
-kernel_read_kernel_sysctls(ipsec_t)
-kernel_list_proc(ipsec_t)
-kernel_read_proc_symlinks(ipsec_t)
-# allow pluto to access /proc/net/ipsec_eroute;
-kernel_read_system_state(ipsec_t)
-kernel_read_network_state(ipsec_t)
-kernel_read_software_raid_state(ipsec_t)
-kernel_getattr_core_if(ipsec_t)
-kernel_getattr_message_if(ipsec_t)
-
-# Pluto needs network access
-corenet_non_ipsec_sendrecv(ipsec_t)
-corenet_tcp_sendrecv_all_if(ipsec_t)
-corenet_raw_sendrecv_all_if(ipsec_t)
-corenet_tcp_sendrecv_all_nodes(ipsec_t)
-corenet_raw_sendrecv_all_nodes(ipsec_t)
-corenet_tcp_sendrecv_all_ports(ipsec_t)
-corenet_tcp_bind_all_nodes(ipsec_t)
-corenet_tcp_bind_reserved_port(ipsec_t)
-corenet_tcp_bind_isakmp_port(ipsec_t)
-corenet_sendrecv_generic_server_packets(ipsec_t)
-corenet_sendrecv_isakmp_server_packets(ipsec_t)
-
-dev_read_sysfs(ipsec_t)
-dev_read_rand(ipsec_t)
-dev_read_urand(ipsec_t)
-
-fs_getattr_all_fs(ipsec_t)
-fs_search_auto_mountpoints(ipsec_t)
-
-term_use_console(ipsec_t)
-term_dontaudit_use_all_user_ttys(ipsec_t)
-
-corecmd_exec_shell(ipsec_t)
-corecmd_exec_bin(ipsec_t)
-
-domain_use_interactive_fds(ipsec_t)
-
-files_read_etc_files(ipsec_t)
-
-init_use_fds(ipsec_t)
-init_use_script_ptys(ipsec_t)
-
-libs_use_ld_so(ipsec_t)
-libs_use_shared_libs(ipsec_t)
-
-logging_send_syslog_msg(ipsec_t)
-
-miscfiles_read_localization(ipsec_t)
-
-sysnet_read_config(ipsec_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
-userdom_dontaudit_search_sysadm_home_dirs(ipsec_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(ipsec_t)
-	term_dontaudit_use_generic_ptys(ipsec_t)
-	files_dontaudit_read_root_files(ipsec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(ipsec_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(ipsec_t)
-')
-
-optional_policy(`
-	udev_read_db(ipsec_t)
-')
-
-########################################
-#
-# ipsec_mgmt Local policy
-#
-
-allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
-allow ipsec_mgmt_t self:tcp_socket create_socket_perms;
-allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-allow ipsec_mgmt_t self:key_socket { create setopt };
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
-
-allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
-files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
-
-allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
-files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
-
-allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;
-allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms;
-allow ipsec_mgmt_t ipsec_var_run_t:lnk_file create_lnk_perms;
-
-allow ipsec_mgmt_t ipsec_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
-
-# _realsetup needs to be able to cat /var/run/pluto.pid,
-# run ps on that pid, and delete the file
-allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
-
-# logger, running in ipsec_mgmt_t needs to use sockets
-allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
-allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
-
-allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
-
-allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms;
-allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms;
-allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms;
-files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file)
-
-# whack needs to connect to pluto
-allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
-allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
-
-can_exec(ipsec_mgmt_t, ipsec_exec_t)
-can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
-allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
-
-domain_auto_trans(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
-allow ipsec_mgmt_t ipsec_t:fd use;
-allow ipsec_t ipsec_mgmt_t:fd use;
-allow ipsec_t ipsec_mgmt_t:fifo_file rw_file_perms;
-allow ipsec_t ipsec_mgmt_t:process sigchld;
-
-kernel_rw_net_sysctls(ipsec_mgmt_t)
-# allow pluto to access /proc/net/ipsec_eroute;
-kernel_read_system_state(ipsec_mgmt_t)
-kernel_read_network_state(ipsec_mgmt_t)
-kernel_read_software_raid_state(ipsec_mgmt_t)
-kernel_read_kernel_sysctls(ipsec_mgmt_t)
-kernel_getattr_core_if(ipsec_mgmt_t)
-kernel_getattr_message_if(ipsec_mgmt_t)
-
-files_read_kernel_symbol_table(ipsec_mgmt_t)
-files_getattr_kernel_modules(ipsec_mgmt_t)
-
-dev_read_rand(ipsec_mgmt_t)
-dev_read_urand(ipsec_mgmt_t)
-
-fs_getattr_xattr_fs(ipsec_mgmt_t)
-fs_list_tmpfs(ipsec_mgmt_t)
-
-term_use_console(ipsec_mgmt_t)
-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
-
-# the default updown script wants to run route
-corecmd_exec_sbin(ipsec_mgmt_t)
-# the ipsec wrapper wants to run /usr/bin/logger (should we put
-# it in its own domain?)
-corecmd_exec_bin(ipsec_mgmt_t)
-
-domain_use_interactive_fds(ipsec_mgmt_t)
-# denials when ps tries to search /proc. Do not audit these denials.
-domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
-# suppress audit messages about unnecessary socket access
-# cjp: this seems excessive
-domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
-
-files_read_etc_files(ipsec_mgmt_t)
-files_exec_etc_files(ipsec_mgmt_t)
-files_read_etc_runtime_files(ipsec_mgmt_t)
-files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
-files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-
-init_use_script_ptys(ipsec_mgmt_t)
-init_exec_script_files(ipsec_mgmt_t)
-init_use_fds(ipsec_mgmt_t)
-
-libs_use_ld_so(ipsec_mgmt_t)
-libs_use_shared_libs(ipsec_mgmt_t)
-
-miscfiles_read_localization(ipsec_mgmt_t)
-
-modutils_domtrans_insmod(ipsec_mgmt_t)
-
-seutil_dontaudit_search_config(ipsec_mgmt_t)
-
-sysnet_domtrans_ifconfig(ipsec_mgmt_t)
-
-userdom_use_sysadm_terms(ipsec_mgmt_t)
-
-optional_policy(`
-	consoletype_exec(ipsec_mgmt_t)
-')
-
-optional_policy(`
-	nscd_socket_use(ipsec_mgmt_t)
-')
-
-ifdef(`TODO',`
-# ideally it would not need this.  It wants to write to /root/.rnd
-file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-
-allow ipsec_mgmt_t dev_fs:file_class_set getattr;
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/iptables.fc b/refpolicy/policy/modules/system/iptables.fc
deleted file mode 100644
index f715d71..0000000
--- a/refpolicy/policy/modules/system/iptables.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-
-/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-
-/usr/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
deleted file mode 100644
index 2d748cb..0000000
--- a/refpolicy/policy/modules/system/iptables.if
+++ /dev/null
@@ -1,75 +0,0 @@
-## <summary>Policy for iptables.</summary>
-
-########################################
-## <summary>
-##	Execute iptables in the iptables domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`iptables_domtrans',`
-	gen_require(`
-		type iptables_t, iptables_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,iptables_exec_t,iptables_t)
-
-	allow $1 iptables_t:fd use;
-	allow iptables_t $1:fd use;
-	allow iptables_t $1:fifo_file rw_file_perms;
-	allow iptables_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute iptables in the iptables domain, and
-##	allow the specified role the iptables domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the iptables domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the iptables domain to use.
-##	</summary>
-## </param>
-#
-interface(`iptables_run',`
-	gen_require(`
-		type iptables_t;
-	')
-
-	iptables_domtrans($1)
-	role $2 types iptables_t;
-	allow iptables_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute iptables in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`iptables_exec',`
-	gen_require(`
-		type iptables_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1,iptables_exec_t)
-')
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
deleted file mode 100644
index 4e12496..0000000
--- a/refpolicy/policy/modules/system/iptables.te
+++ /dev/null
@@ -1,106 +0,0 @@
-
-policy_module(iptables,1.1.0)
-
-########################################
-#
-# Declarations
-#
-
-type iptables_t;
-type iptables_exec_t;
-init_system_domain(iptables_t,iptables_exec_t)
-role system_r types iptables_t;
-
-type iptables_tmp_t;
-files_tmp_file(iptables_tmp_t)
-
-type iptables_var_run_t;
-files_pid_file(iptables_var_run_t)
-
-########################################
-#
-# Iptables local policy
-#
-
-allow iptables_t self:capability { net_admin net_raw };
-dontaudit iptables_t self:capability sys_tty_config;
-allow iptables_t self:process { sigchld sigkill sigstop signull signal };
-
-allow iptables_t iptables_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(iptables_t,iptables_var_run_t,file)
-
-can_exec(iptables_t,iptables_exec_t)
-
-allow iptables_t iptables_tmp_t:dir create_dir_perms;
-allow iptables_t iptables_tmp_t:file create_file_perms;
-files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
-
-allow iptables_t self:rawip_socket create_socket_perms;
-
-kernel_read_system_state(iptables_t)
-kernel_read_network_state(iptables_t)
-kernel_read_kernel_sysctls(iptables_t)
-kernel_read_modprobe_sysctls(iptables_t)
-kernel_use_fds(iptables_t)
-
-corenet_relabelto_all_packets(iptables_t)
-
-dev_read_sysfs(iptables_t)
-
-fs_getattr_xattr_fs(iptables_t)
-fs_search_auto_mountpoints(iptables_t)
-
-mls_file_read_up(iptables_t)
-
-term_dontaudit_use_console(iptables_t)
-
-domain_use_interactive_fds(iptables_t)
-
-files_read_etc_files(iptables_t)
-
-init_use_fds(iptables_t)
-init_use_script_ptys(iptables_t)
-# to allow rules to be saved on reboot:
-init_rw_script_tmp_files(iptables_t)
-
-libs_use_ld_so(iptables_t)
-libs_use_shared_libs(iptables_t)
-
-logging_send_syslog_msg(iptables_t)
-# system-config-network appends to /var/log
-#logging_append_system_logs(iptables_t)
-
-miscfiles_read_localization(iptables_t)
-
-sysnet_domtrans_ifconfig(iptables_t)
-sysnet_dns_name_resolve(iptables_t)
-
-userdom_use_all_users_fds(iptables_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(iptables_t)
-	term_dontaudit_use_generic_ptys(iptables_t)
-	files_dontaudit_read_root_files(iptables_t)
-')
-
-optional_policy(`
-	firstboot_use_fds(iptables_t)
-	firstboot_write_pipes(iptables_t)
-')
-
-optional_policy(`
-	modutils_domtrans_insmod(iptables_t)
-')
-
-optional_policy(`
-	# for iptables -L
-	nis_use_ypbind(iptables_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(iptables_t)
-')
-
-optional_policy(`
-	udev_read_db(iptables_t)
-')
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
deleted file mode 100644
index 9126380..0000000
--- a/refpolicy/policy/modules/system/libraries.fc
+++ /dev/null
@@ -1,264 +0,0 @@
-#
-# /emul
-#
-ifdef(`distro_gentoo',`
-/emul/linux/x86/usr(/.*)?/lib(/.*)?		gen_context(system_u:object_r:lib_t,s0)
-/emul/linux/x86/usr(/.*)?/lib/.*\.so(\.[^/]*)*	-- gen_context(system_u:object_r:shlib_t,s0)
-/emul/linux/x86/lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
-/emul/linux/x86/lib/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
-/emul/linux/x86/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-')
-
-ifdef(`distro_redhat',`
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?		gen_context(system_u:object_r:lib_t,s0)
-/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*	-- gen_context(system_u:object_r:shlib_t,s0)
-/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar	--	gen_context(system_u:object_r:shlib_t,s0)
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa	--	gen_context(system_u:object_r:shlib_t,s0)
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-/emul/ia32-linux/lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
-/emul/ia32-linux/lib/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
-/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-')
-
-#
-# /etc
-#
-/etc/ld\.so\.cache			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
-/etc/ld\.so\.preload			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
-
-/etc/ppp/plugins/rp-pppoe\.so 		--	gen_context(system_u:object_r:shlib_t,s0)
-
-#
-# /lib(64)?
-#
-/lib(/.*)?					gen_context(system_u:object_r:lib_t,s0)
-/lib64(/.*)?					gen_context(system_u:object_r:lib_t,s0)
-/lib/.*\.so(\.[^/]*)*			--	gen_context(system_u:object_r:shlib_t,s0)
-/lib64/.*\.so(\.[^/]*)*			--	gen_context(system_u:object_r:shlib_t,s0)
-/lib/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
-/lib64/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
-
-/lib/security/pam_poldi.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/lib64/security/pam_poldi.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-ifdef(`distro_gentoo',`
-/lib32(/.*)?					gen_context(system_u:object_r:lib_t,s0)
-/lib32/.*\.so(\.[^/]*)*			--	gen_context(system_u:object_r:shlib_t,s0)
-/lib32/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
-')
-
-#
-# /opt
-#
-/opt/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
-/opt/(.*/)?lib/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?lib/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
-/opt/(.*/)?lib64/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?lib64/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/(.*/)?jre.*/libawt.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/cisco-vpnclient/lib/libvpnapi.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-ifdef(`distro_gentoo',`
-/opt/netscape/plugins/libflashplayer.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/netscape/plugins/nppdf.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-')
-
-#
-# /sbin
-#
-/sbin/ldconfig				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
-
-#
-# /usr
-#
-/usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?/RealPlayer/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/(.*/)?java/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?java/.*\.jar			--	gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?java/.*\.jsa			--	gen_context(system_u:object_r:shlib_t,s0)
-
-/usr/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
-/usr/(.*/)?lib/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?lib/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
-/usr/(.*/)?lib64/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?lib64/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
-
-/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-
-/usr/(.*/)?nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
-
-/usr/lib(64)?/xulrunner-[^/]*/libxul.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ati-fglrx/.*\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libjs\.so.*     		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/(local/)?.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
-/usr/(local/)?lib(64)?/wine/.*\.so  	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/NX/lib/libXcomp.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/NX/lib/libjpeg.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-ifdef(`distro_redhat',`
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0)
-
-# The following are libraries with text relocations in need of execmod permissions
-# Some of them should be fixed and removed from this list
-
-# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib(64)?/gstreamer-.*/libgstffmpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/gstreamer-.*/libgsthermescolorspace\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/gstreamer-.*/libgstmms\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/plugins/vorbisrend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/codecs/colorcvt\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/codecs/cvt1\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/dri/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/X11R6/lib/modules/dri/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/dri/.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/X11R6/lib/libOSMesa\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/X11R6/lib/libfglrx_gamma\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libHermes\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/valgrind/hp2ps		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/valgrind/stage2		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/valgrind/vg.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libicudata\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libsts645li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libwrp645li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libswd680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/librecentfile\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libsvx680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/program/libsoffice\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/lib(64)?/firefox.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/mozilla.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/sunbird.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/thunderbird.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-# Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib(64)?/ladspa/analogue_osc_1416\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/bandpass_iir_1892\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/butterworth_1902\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/fm_osc_1415\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/gsm_1215\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/gverb_1216\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/hermes_filter_1200\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/highpass_iir_1890\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/lowpass_iir_1891\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/notch_iir_1894\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/pitch_scale_1193\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/pitch_scale_1194\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/sc1_1425\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/sc2_1426\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/sc3_1427\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/sc4_1882\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ladspa/se4_1883\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libImlib2\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ocaml/stublibs/dllnums\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/httpd/modules/libphp5\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/php/modules/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib(64)?.*/libmpg123\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xine/plugins/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libgsm\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libmp3lame\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-# Flash plugin, Macromedia
-HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-# Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libdivxdecore.so.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libdivxencore.so.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-# vmware 
-/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/vmware/lib(/.*)?/HConfig.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-# Java, Sun Microsystems (JPackage SRPM)
-/usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/matlab.*/bin/glnx86/libmwlapack.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/lib/acroread/(.*/)?sidecars/*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/acroread/(.*/)?nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/acroread/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-') dnl end distro_redhat
-
-#
-# /var
-#
-/var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
-/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* --	gen_context(system_u:object_r:shlib_t,s0)
-
-/var/mailman/pythonlib(/.*)?/.*\.so(\..*)? --	gen_context(system_u:object_r:shlib_t,s0)
-
-ifdef(`distro_suse',`
-/var/lib/samba/bin/.*\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
-')
-
-/var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
-/var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
-/var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
-/var/spool/postfix/lib(64)?/lib.*\.so.*	--	gen_context(system_u:object_r:shlib_t,s0)
-/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
-/var/spool/postfix/lib(64)?/devfsd/.*\.so.* --	gen_context(system_u:object_r:shlib_t,s0)
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
deleted file mode 100644
index 64e70c8..0000000
--- a/refpolicy/policy/modules/system/libraries.if
+++ /dev/null
@@ -1,473 +0,0 @@
-## <summary>Policy for system libraries.</summary>
-
-########################################
-## <summary>
-##	Execute ldconfig in the ldconfig domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_domtrans_ldconfig',`
-	gen_require(`
-		type ldconfig_t, ldconfig_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
-
-	allow $1 ldconfig_t:fd use;
-	allow ldconfig_t $1:fd use;
-	allow ldconfig_t $1:fifo_file rw_file_perms;
-	allow ldconfig_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute ldconfig in the ldconfig domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the ldconfig domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ldconfig domain to use.
-##	</summary>
-## </param>
-#
-interface(`libs_run_ldconfig',`
-	gen_require(`
-		type ldconfig_t;
-	')
-
-	libs_domtrans_ldconfig($1)
-	role $2 types ldconfig_t;
-	allow ldconfig_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Use the dynamic link/loader for automatic loading
-##	of shared libraries.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_use_ld_so',`
-	gen_require(`
-		type lib_t, ld_so_t, ld_so_cache_t;
-	')
-
-	files_list_etc($1)
-	allow $1 lib_t:dir r_dir_perms;
-	allow $1 lib_t:lnk_file r_file_perms;
-	allow $1 ld_so_t:lnk_file r_file_perms;
-	allow $1 ld_so_t:file rx_file_perms;
-	allow $1 ld_so_cache_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Use the dynamic link/loader for automatic loading
-##	of shared libraries with legacy support.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_legacy_use_ld_so',`
-	gen_require(`
-		type ld_so_t, ld_so_cache_t;
-	')
-
-	libs_use_ld_so($1)
-	allow $1 ld_so_t:file execmod;
-	allow $1 ld_so_cache_t:file execute;
-')
-
-########################################
-## <summary>
-##	Execute the dynamic link/loader in the caller's domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_exec_ld_so',`
-	gen_require(`
-		type lib_t, ld_so_t;
-	')
-
-	allow $1 lib_t:dir r_dir_perms;
-	allow $1 lib_t:lnk_file r_file_perms;
-	allow $1 ld_so_t:lnk_file r_file_perms;
-	can_exec($1,ld_so_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the
-##	dynamic link/loader.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`libs_manage_ld_so',`
-	gen_require(`
-		type lib_t, ld_so_t;
-	')
-
-	allow $1 lib_t:dir rw_dir_perms;
-	allow $1 ld_so_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Relabel to and from the type used for
-##	the dynamic link/loader.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`libs_relabel_ld_so',`
-	gen_require(`
-		type lib_t, ld_so_t;
-	')
-
-	allow $1 lib_t:dir search_dir_perms;
-	allow $1 ld_so_t:file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Modify the dynamic link/loader's cached listing
-##	of shared libraries.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_rw_ld_so_cache',`
-	gen_require(`
-		type ld_so_cache_t;
-	')
-
-	files_list_etc($1)
-	allow $1 ld_so_cache_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Search library directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_search_lib',`
-	gen_require(`
-		type lib_t;
-	')
-
-	allow $1 lib_t:dir search;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete library directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_manage_lib_dirs',`
-	gen_require(`
-		type lib_t;
-	')
-
-	allow $1 lib_t:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read files in the library directories, such
-##	as static libraries.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_read_lib_files',`
-	gen_require(`
-		type lib_t;
-	')
-
-	files_search_usr($1)
-	allow $1 lib_t:dir r_dir_perms;
-	allow $1 lib_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute library scripts in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_exec_lib_files',`
-	gen_require(`
-		type lib_t;
-	')
-
-	files_search_usr($1)
-	allow $1 lib_t:dir r_dir_perms;
-	allow $1 lib_t:lnk_file r_file_perms;
-	can_exec($1,lib_t)
-')
-
-########################################
-## <summary>
-##	Load and execute functions from generic
-##	lib files as shared libraries.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_use_lib_files',`
-	gen_require(`
-		type lib_t;
-	')
-
-	files_list_usr($1)
-	allow $1 lib_t:dir r_dir_perms;
-	allow $1 lib_t:lnk_file r_file_perms;
-	allow $1 lib_t:file rx_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete generic
-##	files in library directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`libs_manage_lib_files',`
-	gen_require(`
-		type lib_t;
-	')
-
-	allow $1 lib_t:dir rw_dir_perms;
-	allow $1 lib_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Relabel files to the type used in library directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_relabelto_lib_files',`
-	gen_require(`
-		type lib_t;
-	')
-
-	allow $1 lib_t:dir search_dir_perms;
-	allow $1 lib_t:file relabelto;
-')
-
-########################################
-## <summary>
-##	Relabel to and from the type used
-##	for generic lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`libs_relabel_lib_files',`
-	gen_require(`
-		type lib_t;
-	')
-
-	allow $1 lib_t:dir search_dir_perms;
-	allow $1 lib_t:file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Delete generic symlinks in library directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`libs_delete_lib_symlinks',`
-	gen_require(`
-		type lib_t;
-	')
-
-	allow $1 lib_t:dir { getattr search read write remove_name };
-	allow $1 lib_t:lnk_file unlink;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete shared libraries.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`libs_manage_shared_libs',`
-	gen_require(`
-		type lib_t, shlib_t, textrel_shlib_t;
-	')
-
-	allow $1 lib_t:dir rw_dir_perms;
-	allow $1 { shlib_t textrel_shlib_t }:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Load and execute functions from shared libraries.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_use_shared_libs',`
-	gen_require(`
-		type lib_t, shlib_t, textrel_shlib_t;
-	')
-
-	files_list_usr($1)
-	allow $1 lib_t:dir r_dir_perms;
-	allow $1 lib_t:lnk_file r_file_perms;
-	allow $1 { shlib_t textrel_shlib_t }:lnk_file r_file_perms;
-	allow $1 { shlib_t textrel_shlib_t }:file rx_file_perms;
-	allow $1 textrel_shlib_t:file execmod;
-')
-
-########################################
-## <summary>
-##	Load and execute functions from shared libraries,
-##	with legacy support.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`libs_legacy_use_shared_libs',`
-	gen_require(`
-		type shlib_t, textrel_shlib_t;
-	')
-
-	libs_use_shared_libs($1)
-	allow $1 { shlib_t textrel_shlib_t }:file execmod;
-')
-
-########################################
-## <summary>
-##	Relabel to and from the type used for
-##	shared libraries.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: added for prelink
-interface(`libs_relabel_shared_libs',`
-	gen_require(`
-		type lib_t, shlib_t, textrel_shlib_t;
-	')
-
-	allow $1 lib_t:dir search_dir_perms;
-	allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto };
-')
-
-########################################
-## <summary>
-##	Create an object in lib directories, with
-##	the shared libraries type using a type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`files_lib_filetrans_shared_lib',`
-	gen_require(`
-		type root_t;
-	')
-
-	allow $1 root_t:dir rw_dir_perms;
-	type_transition $1 root_t:$2 shlib_t;
-')
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
deleted file mode 100644
index 03ce1fa..0000000
--- a/refpolicy/policy/modules/system/libraries.te
+++ /dev/null
@@ -1,98 +0,0 @@
-
-policy_module(libraries,1.3.9)
-
-########################################
-#
-# Declarations
-#
-
-#
-# ld_so_cache_t is the type of /etc/ld.so.cache.
-#
-type ld_so_cache_t;
-files_type(ld_so_cache_t)
-
-#
-# ld_so_t is the type of the system dynamic loaders.
-#
-type ld_so_t;
-files_type(ld_so_t)
-
-#
-# lib_t is the type of files in the system lib directories.
-#
-type lib_t;
-files_type(lib_t)
-
-#
-# shlib_t is the type of shared objects in the system lib
-# directories.
-#
-ifdef(`targeted_policy',`
-	typealias lib_t alias shlib_t;
-',`
-	type shlib_t;
-	files_type(shlib_t)
-')
-
-#
-# textrel_shlib_t is the type of shared objects in the system lib
-# directories, which require text relocation.
-#
-type textrel_shlib_t alias texrel_shlib_t;
-files_type(textrel_shlib_t)
-
-########################################
-#
-# ldconfig local policy
-#
-type ldconfig_t;
-type ldconfig_exec_t;
-init_system_domain(ldconfig_t,ldconfig_exec_t)
-role system_r types ldconfig_t;
-
-allow ldconfig_t ld_so_cache_t:file create_file_perms;
-files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
-
-allow ldconfig_t lib_t:dir rw_dir_perms;
-allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
-allow ldconfig_t ld_so_t:lnk_file r_file_perms;
-allow ldconfig_t ld_so_t:file rx_file_perms;
-allow ldconfig_t ld_so_cache_t:file r_file_perms;
-allow ldconfig_t { shlib_t textrel_shlib_t }:lnk_file r_file_perms;
-allow ldconfig_t { shlib_t textrel_shlib_t }:file rx_file_perms;
-
-kernel_read_system_state(ldconfig_t)
-
-fs_getattr_xattr_fs(ldconfig_t)
-
-domain_use_interactive_fds(ldconfig_t)
-
-files_search_var_lib(ldconfig_t)
-files_read_etc_files(ldconfig_t)
-files_search_tmp(ldconfig_t)
-files_search_usr(ldconfig_t)
-# for when /etc/ld.so.cache is mislabeled:
-files_delete_etc_files(ldconfig_t)
-
-init_use_script_ptys(ldconfig_t)
-
-logging_send_syslog_msg(ldconfig_t)
-
-userdom_use_all_users_fds(ldconfig_t)
-
-ifdef(`hide_broken_symptoms',`
-	optional_policy(`
-		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
-	')
-')
-
-ifdef(`targeted_policy',`
-	allow ldconfig_t lib_t:file r_file_perms;
-	unconfined_domain(ldconfig_t) 
-')
-
-optional_policy(`
-	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
-	apache_dontaudit_search_modules(ldconfig_t)
-')
diff --git a/refpolicy/policy/modules/system/locallogin.fc b/refpolicy/policy/modules/system/locallogin.fc
deleted file mode 100644
index 7570583..0000000
--- a/refpolicy/policy/modules/system/locallogin.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-
-/sbin/sulogin		--	gen_context(system_u:object_r:sulogin_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
deleted file mode 100644
index 801aa12..0000000
--- a/refpolicy/policy/modules/system/locallogin.if
+++ /dev/null
@@ -1,73 +0,0 @@
-## <summary>Policy for local logins.</summary>
-
-########################################
-## <summary>
-##	Execute local logins in the local login domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`locallogin_domtrans',`
-	gen_require(`
-		type local_login_t;
-	')
-
-	auth_domtrans_login_program($1,local_login_t)
-')
-
-########################################
-## <summary>
-##	Allow processes to inherit local login file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`locallogin_use_fds',`
-	gen_require(`
-		type local_login_t;
-	')
-
-	allow $1 local_login_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit local login file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`locallogin_dontaudit_use_fds',`
-	gen_require(`
-		type local_login_t;
-	')
-
-	dontaudit $1 local_login_t:fd use;
-')
-
-########################################
-## <summary>
-##	Send a null signal to local login processes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`locallogin_signull',`
-	gen_require(`
-		type local_login_t;
-	')
-
-	allow $1 local_login_t:process signull;
-')
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
deleted file mode 100644
index 6a16f92..0000000
--- a/refpolicy/policy/modules/system/locallogin.te
+++ /dev/null
@@ -1,290 +0,0 @@
-
-policy_module(locallogin,1.2.3)
-
-########################################
-#
-# Declarations
-#
-
-type local_login_t;
-auth_login_entry_type(local_login_t)
-domain_type(local_login_t)
-domain_obj_id_change_exemption(local_login_t)
-domain_subj_id_change_exemption(local_login_t)
-domain_role_change_exemption(local_login_t)
-domain_interactive_fd(local_login_t)
-role system_r types local_login_t;
-
-type local_login_lock_t;
-files_lock_file(local_login_lock_t)
-
-type local_login_tmp_t;
-files_tmp_file(local_login_tmp_t)
-files_poly_parent(local_login_tmp_t)
-
-type sulogin_t;
-type sulogin_exec_t;
-domain_obj_id_change_exemption(sulogin_t)
-domain_subj_id_change_exemption(sulogin_t)
-domain_role_change_exemption(sulogin_t)
-domain_interactive_fd(sulogin_t)
-init_domain(sulogin_t,sulogin_exec_t)
-init_system_domain(sulogin_t,sulogin_exec_t)
-role system_r types sulogin_t;
-
-########################################
-#
-# Local login local policy
-#
-
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec };
-allow local_login_t self:fd use;
-allow local_login_t self:fifo_file rw_file_perms;
-allow local_login_t self:sock_file r_file_perms;
-allow local_login_t self:unix_dgram_socket create_socket_perms;
-allow local_login_t self:unix_stream_socket create_stream_socket_perms;
-allow local_login_t self:unix_dgram_socket sendto;
-allow local_login_t self:unix_stream_socket connectto;
-allow local_login_t self:shm create_shm_perms;
-allow local_login_t self:sem create_sem_perms;
-allow local_login_t self:msgq create_msgq_perms;
-allow local_login_t self:msg { send receive };
-
-allow local_login_t local_login_lock_t:file create_file_perms;
-files_lock_filetrans(local_login_t,local_login_lock_t,file)
-
-allow local_login_t local_login_tmp_t:dir create_dir_perms;
-allow local_login_t local_login_tmp_t:file create_file_perms;
-files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
-
-kernel_read_system_state(local_login_t)
-kernel_read_kernel_sysctls(local_login_t)
-
-dev_setattr_mouse_dev(local_login_t)
-dev_getattr_mouse_dev(local_login_t)
-dev_getattr_power_mgmt_dev(local_login_t)
-dev_setattr_power_mgmt_dev(local_login_t)
-dev_getattr_sound_dev(local_login_t)
-dev_setattr_sound_dev(local_login_t)
-dev_dontaudit_getattr_apm_bios_dev(local_login_t)
-dev_dontaudit_setattr_apm_bios_dev(local_login_t)
-dev_dontaudit_read_framebuffer(local_login_t)
-dev_dontaudit_setattr_framebuffer_dev(local_login_t)
-dev_dontaudit_getattr_generic_blk_files(local_login_t)
-dev_dontaudit_setattr_generic_blk_files(local_login_t)
-dev_dontaudit_getattr_generic_chr_files(local_login_t)
-dev_dontaudit_setattr_generic_chr_files(local_login_t)
-dev_dontaudit_setattr_generic_symlinks(local_login_t)
-dev_dontaudit_getattr_misc_dev(local_login_t)
-dev_dontaudit_setattr_misc_dev(local_login_t)
-dev_dontaudit_getattr_scanner_dev(local_login_t)
-dev_dontaudit_setattr_scanner_dev(local_login_t)
-dev_dontaudit_search_sysfs(local_login_t)
-dev_dontaudit_getattr_video_dev(local_login_t)
-dev_dontaudit_setattr_video_dev(local_login_t)
-# for SSP/ProPolice
-dev_read_urand(local_login_t)
-
-fs_search_auto_mountpoints(local_login_t)
-
-selinux_get_fs_mount(local_login_t)
-selinux_validate_context(local_login_t)
-selinux_compute_access_vector(local_login_t)
-selinux_compute_create_context(local_login_t)
-selinux_compute_relabel_context(local_login_t)
-selinux_compute_user_contexts(local_login_t)
-
-storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
-storage_dontaudit_setattr_fixed_disk_dev(local_login_t)
-storage_dontaudit_getattr_removable_dev(local_login_t)
-storage_dontaudit_setattr_removable_dev(local_login_t)
-
-term_use_all_user_ttys(local_login_t)
-term_use_unallocated_ttys(local_login_t)
-term_relabel_unallocated_ttys(local_login_t)
-term_relabel_all_user_ttys(local_login_t)
-term_setattr_all_user_ttys(local_login_t)
-term_setattr_unallocated_ttys(local_login_t)
-
-auth_domtrans_chk_passwd(local_login_t)
-auth_dontaudit_read_shadow(local_login_t)
-auth_rw_login_records(local_login_t)
-auth_rw_lastlog(local_login_t)
-auth_rw_faillog(local_login_t)
-auth_exec_pam(local_login_t)
-auth_manage_pam_console_data(local_login_t)
-auth_domtrans_pam_console(local_login_t)
-
-corecmd_list_bin(local_login_t)
-corecmd_list_sbin(local_login_t)
-corecmd_read_bin_symlinks(local_login_t)
-corecmd_read_sbin_symlinks(local_login_t)
-# cjp: these are probably not needed:
-corecmd_read_bin_files(local_login_t)
-corecmd_read_bin_pipes(local_login_t)
-corecmd_read_bin_sockets(local_login_t)
-corecmd_read_sbin_files(local_login_t)
-corecmd_read_sbin_pipes(local_login_t)
-corecmd_read_sbin_sockets(local_login_t)
-
-domain_read_all_entry_files(local_login_t)
-
-files_read_etc_files(local_login_t)
-files_read_etc_runtime_files(local_login_t)
-files_read_usr_files(local_login_t)
-files_list_mnt(local_login_t)
-files_list_world_readable(local_login_t)
-files_read_world_readable_files(local_login_t)
-files_read_world_readable_symlinks(local_login_t)
-files_read_world_readable_pipes(local_login_t)
-files_read_world_readable_sockets(local_login_t)
-# for when /var/mail is a symlink
-files_read_var_symlinks(local_login_t)
-# Login can polyinstantiate
-files_polyinstantiate_all(local_login_t)
-
-init_rw_utmp(local_login_t)
-init_dontaudit_use_fds(local_login_t)
-
-libs_use_ld_so(local_login_t)
-libs_use_shared_libs(local_login_t)
-
-logging_send_syslog_msg(local_login_t)
-
-miscfiles_read_localization(local_login_t)
-
-mls_file_read_up(local_login_t)
-mls_file_write_down(local_login_t)
-mls_file_upgrade(local_login_t)
-mls_file_downgrade(local_login_t)
-mls_process_set_level(local_login_t)
-
-seutil_read_config(local_login_t)
-seutil_read_default_contexts(local_login_t)
-
-userdom_spec_domtrans_all_users(local_login_t)
-userdom_signal_all_users(local_login_t)
-userdom_search_all_users_home_content(local_login_t)
-userdom_use_unpriv_users_fds(local_login_t)
-userdom_sigchld_all_users(local_login_t)
-userdom_create_all_users_keys(local_login_t)
-
-ifdef(`targeted_policy',`
-	unconfined_domain(local_login_t)
-	unconfined_shell_domtrans(local_login_t)
-')
-
-tunable_policy(`read_default_t',`
-	files_list_default(local_login_t)
-	files_read_default_files(local_login_t)
-	files_read_default_symlinks(local_login_t)
-	files_read_default_sockets(local_login_t)
-	files_read_default_pipes(local_login_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(local_login_t)
-	fs_read_nfs_symlinks(local_login_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(local_login_t)
-	fs_read_cifs_symlinks(local_login_t)
-')
-
-optional_policy(`
-	gpm_getattr_gpmctl(local_login_t)
-	gpm_setattr_gpmctl(local_login_t)
-')
-
-optional_policy(`
-	# Search for mail spool file.
-	mta_getattr_spool(local_login_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(local_login_t)
-')
-
-optional_policy(`
-	nscd_socket_use(local_login_t)
-')
-
-optional_policy(`
-	usermanage_read_crack_db(local_login_t)
-')
-
-optional_policy(`
-	alsa_domtrans(local_login_t)
-')
-
-#################################
-# 
-# Sulogin local policy
-#
-
-allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow sulogin_t self:fd use;
-allow sulogin_t self:fifo_file rw_file_perms;
-allow sulogin_t self:unix_dgram_socket create_socket_perms;
-allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
-allow sulogin_t self:unix_dgram_socket sendto;
-allow sulogin_t self:unix_stream_socket connectto;
-allow sulogin_t self:shm create_shm_perms;
-allow sulogin_t self:sem create_sem_perms;
-allow sulogin_t self:msgq create_msgq_perms;
-allow sulogin_t self:msg { send receive };
-
-kernel_read_system_state(sulogin_t)
-
-fs_search_auto_mountpoints(sulogin_t)
-fs_rw_tmpfs_chr_files(sulogin_t)
-
-files_read_etc_files(sulogin_t)
-# because file systems are not mounted:
-files_dontaudit_search_isid_type_dirs(sulogin_t)
-
-init_getpgid_script(sulogin_t)
-
-libs_use_ld_so(sulogin_t)
-libs_use_shared_libs(sulogin_t)
-
-logging_send_syslog_msg(sulogin_t)
-
-seutil_read_config(sulogin_t)
-seutil_read_default_contexts(sulogin_t)
-
-auth_read_shadow(sulogin_t)
-
-userdom_shell_domtrans_sysadm(sulogin_t)
-userdom_use_unpriv_users_fds(sulogin_t)
-userdom_use_sysadm_ptys(sulogin_t)
-userdom_search_staff_home_dirs(sulogin_t)
-userdom_search_sysadm_home_dirs(sulogin_t)
-
-# suse and debian do not use pam with sulogin...
-ifdef(`distro_suse', `define(`sulogin_no_pam')')
-ifdef(`distro_debian', `define(`sulogin_no_pam')')
-
-ifdef(`sulogin_no_pam', `
-	allow sulogin_t self:capability sys_tty_config;
-	init_getpgid(sulogin_t)
-', `
-	allow sulogin_t self:process setexec;
-	selinux_get_fs_mount(sulogin_t)
-	selinux_validate_context(sulogin_t)
-	selinux_compute_access_vector(sulogin_t)
-	selinux_compute_create_context(sulogin_t)
-	selinux_compute_relabel_context(sulogin_t)
-	selinux_compute_user_contexts(sulogin_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(sulogin_t)
-')
-
-optional_policy(`
-	nscd_socket_use(sulogin_t)
-')
diff --git a/refpolicy/policy/modules/system/logging.fc b/refpolicy/policy/modules/system/logging.fc
deleted file mode 100644
index cdd15cd..0000000
--- a/refpolicy/policy/modules/system/logging.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-
-/dev/log		-s	gen_context(system_u:object_r:devlog_t,s0)
-
-/etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
-
-/sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
-/sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
-/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
-/sbin/minilogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-/sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-/sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-
-/usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
-/usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-/usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-ifdef(`distro_gentoo', `
-/usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-')
-
-ifdef(`distro_suse', `
-/var/lib/stunnel/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
-')
-
-/var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
-/var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
-
-/var/log		-d	gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
-/var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
-/var/log/audit.log	--	gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
-
-/var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
-
-/var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
-/var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
-/var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
-/var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
-
-/var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
-
-/var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
deleted file mode 100644
index 32bf657..0000000
--- a/refpolicy/policy/modules/system/logging.if
+++ /dev/null
@@ -1,553 +0,0 @@
-## <summary>Policy for the kernel message logger and system logging daemon.</summary>
-
-#######################################
-## <summary>
-##	Make the specified type a file
-##	used for logs.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Type of the file to be used as a log.
-##	</summary>
-## </param>
-#
-interface(`logging_log_file',`
-	gen_require(`
-		attribute logfile;
-	')
-
-	files_type($1)
-	files_associate_tmp($1)
-	fs_associate_tmpfs($1)
-	typeattribute $1 logfile;
-')
-
-########################################
-## <summary>
-##	Read the audit log.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_read_audit_log',`
-	gen_require(`
-		type auditd_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 auditd_log_t:dir r_dir_perms;
-	allow $1 auditd_log_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute auditctl in the auditctl domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_domtrans_auditctl',`
-	gen_require(`
-		type auditctl_t, auditctl_exec_t;
-	')
-
-	domain_auto_trans($1,auditctl_exec_t,auditctl_t)
-
-	allow $1 auditctl_t:fd use;
-	allow auditctl_t $1:fd use;
-	allow auditctl_t $1:fifo_file rw_file_perms;
-	allow auditctl_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute auditctl in the auditctl domain, and
-##	allow the specified role the auditctl domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the auditctl domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the auditctl domain to use.
-##	</summary>
-## </param>
-#
-interface(`logging_run_auditctl',`
-	gen_require(`
-		type auditctl_t;
-	')
-
-	logging_domtrans_auditctl($1)
-	role $2 types auditctl_t;
-	allow auditctl_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute auditd in the auditd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_domtrans_auditd',`
-	gen_require(`
-		type auditd_t, auditd_exec_t;
-	')
-
-	domain_auto_trans($1,auditd_exec_t,auditd_t)
-
-	allow auditd_t $1:fd use;
-	allow auditd_t $1:fifo_file rw_file_perms;
-	allow auditd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute auditd in the auditd domain, and
-##	allow the specified role the auditd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the auditd domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the auditd domain to use.
-##	</summary>
-## </param>
-#
-interface(`logging_run_auditd',`
-	gen_require(`
-		type auditd_t;
-	')
-
-	logging_domtrans_auditd($1)
-	role $2 types auditd_t;
-	allow auditd_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Manage the auditd configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_manage_audit_config',`
-	gen_require(`
-		type auditd_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 auditd_etc_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Manage the audit log.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_manage_audit_log',`
-	gen_require(`
-		type auditd_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 auditd_log_t:dir create_dir_perms;
-	allow $1 auditd_log_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute syslogd in the syslog domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_domtrans_syslog',`
-	gen_require(`
-		type syslogd_t, syslogd_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,syslogd_exec_t,syslogd_t)
-
-	allow $1 syslogd_t:fd use;
-	allow syslogd_t $1:fd use;
-	allow syslogd_t $1:fifo_file rw_file_perms;
-	allow syslogd_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Create an object in the log directory, with a private
-##	type using a type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-#
-interface(`logging_log_filetrans',`
-	gen_require(`
-		type var_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_log_t:dir rw_dir_perms;
-	type_transition $1 var_log_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Send system log messages.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_send_syslog_msg',`
-	gen_require(`
-		type syslogd_t, devlog_t;
-	')
-
-	allow $1 devlog_t:lnk_file read;
-	allow $1 devlog_t:sock_file rw_file_perms;
-
-	# the type of socket depends on the syslog daemon
-	allow $1 syslogd_t:unix_dgram_socket sendto;
-	allow $1 syslogd_t:unix_stream_socket connectto;
-	allow $1 self:unix_dgram_socket create_socket_perms;
-	allow $1 self:unix_stream_socket create_socket_perms;
-
-	# cjp: this should most likely be removed:
-	term_use_console($1)
-')
-
-########################################
-## <summary>
-##	Read the auditd configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_read_audit_config',`
-	gen_require(`
-		type auditd_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 auditd_etc_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Allows the domain to open a file in the
-##	log directory, but does not allow the listing
-##	of the contents of the log directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_search_logs',`
-	gen_require(`
-		type var_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_log_t:dir search;
-')
-
-#######################################
-## <summary>
-##      Do not audit attempts to search the var log directory.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain not to audit.
-##      </summary>
-## </param>
-#
-interface(`logging_dontaudit_search_logs',`
-	gen_require(`
-		type var_log_t;
-	')
-
-	dontaudit $1 var_log_t:dir search;
-')
-
-#######################################
-## <summary>
-##	List the contents of the generic log directory (/var/log).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_list_logs',`
-	gen_require(`
-		type var_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_log_t:dir r_dir_perms;
-')
-
-#######################################
-## <summary>
-##	Read and write the generic log directory (/var/log).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_rw_generic_log_dirs',`
-	gen_require(`
-		type var_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_log_t:dir rw_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the atttributes
-##	of any log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_dontaudit_getattr_all_logs',`
-	gen_require(`
-		attribute logfile;
-	')
-
-	dontaudit $1 logfile:file getattr;
-')
-
-########################################
-## <summary>
-##	Append to all log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_append_all_logs',`
-	gen_require(`
-		attribute logfile;
-		type var_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_log_t:dir r_dir_perms;
-	allow $1 logfile:file { getattr append };
-')
-
-########################################
-## <summary>
-##	Read all log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_read_all_logs',`
-	gen_require(`
-		attribute logfile;
-		type var_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_log_t:dir r_dir_perms;
-	allow $1 logfile:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute all log files in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: not sure why this is needed.  This was added
-# because of logrotate.
-interface(`logging_exec_all_logs',`
-	gen_require(`
-		attribute logfile;
-	')
-
-	files_search_var($1)
-	allow $1 logfile:dir r_dir_perms;
-	can_exec($1,logfile)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete all log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_manage_all_logs',`
-	gen_require(`
-		attribute logfile;
-	')
-
-	files_search_var($1)
-	allow $1 logfile:dir rw_dir_perms;
-	allow $1 logfile:lnk_file read;
-	allow $1 logfile:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Read generic log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_read_generic_logs',`
-	gen_require(`
-		type var_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_log_t:dir r_dir_perms;
-	allow $1 var_log_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Write generic log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_write_generic_logs',`
-	gen_require(`
-		type var_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_log_t:dir r_dir_perms;
-	allow $1 var_log_t:file { getattr write };
-')
-
-########################################
-## <summary>
-##	Read and write generic log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_rw_generic_logs',`
-	gen_require(`
-		type var_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_log_t:dir r_dir_perms;
-	allow $1 var_log_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	generic log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`logging_manage_generic_logs',`
-	gen_require(`
-		type var_log_t;
-	')
-
-	files_search_var($1)
-	allow $1 var_log_t:dir rw_dir_perms;
-	allow $1 var_log_t:file create_file_perms;
-')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
deleted file mode 100644
index 74aee44..0000000
--- a/refpolicy/policy/modules/system/logging.te
+++ /dev/null
@@ -1,385 +0,0 @@
-
-policy_module(logging,1.3.7)
-
-########################################
-#
-# Declarations
-#
-
-attribute logfile;
-
-type auditctl_t;
-type auditctl_exec_t;
-init_system_domain(auditctl_t,auditctl_exec_t)
-role system_r types auditctl_t;
-
-type auditd_etc_t;
-files_security_file(auditd_etc_t)
-
-type auditd_log_t;
-files_security_file(auditd_log_t)
-
-type auditd_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type auditd_exec_t;
-')
-init_daemon_domain(auditd_t,auditd_exec_t)
-
-type auditd_var_run_t;
-files_pid_file(auditd_var_run_t)
-
-type devlog_t;
-files_type(devlog_t)
-mls_trusted_object(devlog_t)
-
-type klogd_t;
-type klogd_exec_t;
-init_daemon_domain(klogd_t,klogd_exec_t)
-
-type klogd_tmp_t;
-files_tmp_file(klogd_tmp_t)
-
-type klogd_var_run_t;
-files_pid_file(klogd_var_run_t)
-
-type syslogd_t;
-type syslogd_exec_t;
-init_daemon_domain(syslogd_t,syslogd_exec_t)
-
-type syslogd_tmp_t;
-files_tmp_file(syslogd_tmp_t)
-
-type syslogd_var_run_t;
-files_pid_file(syslogd_var_run_t)
-
-type var_log_t;
-logging_log_file(var_log_t)
-
-########################################
-#
-# Auditd local policy
-#
-
-allow auditctl_t self:capability { audit_write audit_control };
-allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-
-libs_use_ld_so(auditctl_t)
-libs_use_shared_libs(auditctl_t)
-
-allow auditctl_t etc_t:file { getattr read };
-
-allow auditctl_t auditd_etc_t:dir r_dir_perms;
-allow auditctl_t auditd_etc_t:file r_file_perms;
-
-# Needed for adding watches
-files_getattr_all_dirs(auditctl_t)
-files_read_etc_files(auditctl_t)
-
-kernel_read_kernel_sysctls(auditctl_t)
-kernel_read_proc_symlinks(auditctl_t)
-
-domain_read_all_domains_state(auditctl_t)
-domain_use_interactive_fds(auditctl_t)
-
-mls_file_read_up(auditctl_t)
-
-term_use_all_terms(auditctl_t)
-
-init_use_script_ptys(auditctl_t)
-init_dontaudit_use_fds(auditctl_t)
-
-locallogin_dontaudit_use_fds(auditctl_t)
-
-logging_send_syslog_msg(auditctl_t)
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(auditctl_t)
-	term_use_unallocated_ttys(auditctl_t)
-')
-
-########################################
-#
-# Auditd local policy
-#
-
-allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
-dontaudit auditd_t self:capability sys_tty_config;
-allow auditd_t self:process { signal_perms setpgid setsched };
-allow auditd_t self:file { getattr read write };
-allow auditd_t self:unix_dgram_socket create_socket_perms;
-allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditd_t self:fifo_file rw_file_perms;
-
-allow auditd_t auditd_etc_t:dir r_dir_perms;
-allow auditd_t auditd_etc_t:file r_file_perms;
-
-allow auditd_t auditd_log_t:dir rw_dir_perms;
-allow auditd_t auditd_log_t:file create_file_perms;
-allow auditd_t auditd_log_t:lnk_file create_lnk_perms;
-allow auditd_t var_log_t:dir search;
-
-allow auditd_t auditd_var_run_t:file create_file_perms;
-allow auditd_t auditd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(auditd_t,auditd_var_run_t,file)
-
-kernel_read_kernel_sysctls(auditd_t)
-# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
-# Probably want a transition, and a new auditd_helper app
-kernel_read_system_state(auditd_t)
-
-dev_read_sysfs(auditd_t)
-
-fs_getattr_all_fs(auditd_t)
-fs_search_auto_mountpoints(auditd_t)
-
-term_dontaudit_use_console(auditd_t)
-
-# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
-# Probably want a transition, and a new auditd_helper app
-corecmd_exec_sbin(auditd_t)
-corecmd_exec_bin(auditd_t)
-
-
-domain_use_interactive_fds(auditd_t)
-
-files_read_etc_files(auditd_t)
-files_list_usr(auditd_t)
-
-init_use_fds(auditd_t)
-init_exec(auditd_t)
-init_write_initctl(auditd_t)
-init_dontaudit_use_script_ptys(auditd_t)
-
-logging_send_syslog_msg(auditd_t)
-
-libs_use_ld_so(auditd_t)
-libs_use_shared_libs(auditd_t)
-
-miscfiles_read_localization(auditd_t)
-
-mls_file_read_up(auditd_t)
-mls_rangetrans_target(auditd_t)
-
-seutil_dontaudit_read_config(auditd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(auditd_t)
-userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
-# cjp: this is questionable
-userdom_use_sysadm_ttys(auditd_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_generic_ptys(auditd_t)
-	term_dontaudit_use_unallocated_ttys(auditd_t)
-	unconfined_dontaudit_read_pipes(auditd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(auditd_t)
-')
-
-optional_policy(`
-	udev_read_db(auditd_t)
-')
-
-########################################
-#
-# klogd local policy
-#
-
-allow klogd_t self:capability sys_admin;
-dontaudit klogd_t self:capability { sys_resource sys_tty_config };
-allow klogd_t self:process signal_perms;
-
-allow klogd_t klogd_tmp_t:file create_file_perms;
-allow klogd_t klogd_tmp_t:dir create_dir_perms;
-files_tmp_filetrans(klogd_t,klogd_tmp_t,{ file dir })
-
-allow klogd_t klogd_var_run_t:file create_file_perms;
-allow klogd_t klogd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(klogd_t,klogd_var_run_t,file)
-
-kernel_read_system_state(klogd_t)
-kernel_read_messages(klogd_t)
-kernel_read_kernel_sysctls(klogd_t)
-# Control syslog and console logging
-kernel_clear_ring_buffer(klogd_t)
-kernel_change_ring_buffer_level(klogd_t)
-
-files_read_kernel_symbol_table(klogd_t)
-
-dev_read_raw_memory(klogd_t)
-dev_read_sysfs(klogd_t)
-
-fs_getattr_all_fs(klogd_t)
-fs_search_auto_mountpoints(klogd_t)
-
-term_dontaudit_use_console(klogd_t)
-
-domain_use_interactive_fds(klogd_t)
-
-files_read_etc_runtime_files(klogd_t)
-# read /etc/nsswitch.conf
-files_read_etc_files(klogd_t)
-
-init_use_fds(klogd_t)
-init_use_script_ptys(klogd_t)
-
-libs_use_ld_so(klogd_t)
-libs_use_shared_libs(klogd_t)
-
-logging_send_syslog_msg(klogd_t)
-
-miscfiles_read_localization(klogd_t)
-
-mls_file_read_up(klogd_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
-
-optional_policy(`
-	udev_read_db(klogd_t)
-')
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_generic_ptys(klogd_t)
-	term_dontaudit_use_unallocated_ttys(klogd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(klogd_t)
-')
-
-########################################
-#
-# syslogd local policy
-#
-
-# sys_admin chown fsetid for syslog-ng
-# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
-dontaudit syslogd_t self:capability sys_tty_config;
-allow syslogd_t self:process signal_perms;
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
-# receive messages to be logged
-allow syslogd_t self:unix_dgram_socket create_socket_perms;
-allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:fifo_file rw_file_perms;
-allow syslogd_t self:udp_socket create_socket_perms;
-
-# Create and bind to /dev/log or /var/run/log.
-allow syslogd_t devlog_t:sock_file create_file_perms;
-files_pid_filetrans(syslogd_t,devlog_t,sock_file)
-
-# create/append log files.
-allow syslogd_t var_log_t:dir rw_dir_perms;
-allow syslogd_t var_log_t:file create_file_perms;
-# Allow access for syslog-ng
-allow syslogd_t var_log_t:dir { create setattr };
-
-# manage temporary files
-allow syslogd_t syslogd_tmp_t:file create_file_perms;
-allow syslogd_t syslogd_tmp_t:dir create_dir_perms;
-files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
-
-allow syslogd_t syslogd_var_run_t:file create_file_perms;
-files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
-
-# manage pid file
-allow syslogd_t syslogd_var_run_t:file create_file_perms;
-allow syslogd_t syslogd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
-
-kernel_read_kernel_sysctls(syslogd_t)
-kernel_read_proc_symlinks(syslogd_t)
-# Allow access to /proc/kmsg for syslog-ng
-kernel_read_messages(syslogd_t)
-kernel_clear_ring_buffer(syslogd_t)
-kernel_change_ring_buffer_level(syslogd_t)
-
-dev_filetrans(syslogd_t,devlog_t,sock_file)
-dev_read_sysfs(syslogd_t)
-
-fs_search_auto_mountpoints(syslogd_t)
-
-term_write_console(syslogd_t)
-# Allow syslog to a terminal
-term_write_unallocated_ttys(syslogd_t)
-
-# for sending messages to logged in users
-init_read_utmp(syslogd_t)
-init_dontaudit_write_utmp(syslogd_t)
-term_write_all_user_ttys(syslogd_t)
-
-corenet_non_ipsec_sendrecv(syslogd_t)
-corenet_udp_sendrecv_all_if(syslogd_t)
-corenet_udp_sendrecv_all_nodes(syslogd_t)
-corenet_udp_sendrecv_all_ports(syslogd_t)
-corenet_udp_bind_all_nodes(syslogd_t)
-corenet_udp_bind_syslogd_port(syslogd_t)
-# syslog-ng can send or receive logs
-corenet_sendrecv_syslogd_client_packets(syslogd_t)
-corenet_sendrecv_syslogd_server_packets(syslogd_t)
-
-fs_getattr_all_fs(syslogd_t)
-
-init_use_fds(syslogd_t)
-init_use_script_ptys(syslogd_t)
-
-domain_use_interactive_fds(syslogd_t)
-
-files_read_etc_files(syslogd_t)
-files_read_etc_runtime_files(syslogd_t)
-# /initrd is not umounted before minilog starts
-files_dontaudit_search_isid_type_dirs(syslogd_t)
-
-libs_use_ld_so(syslogd_t)
-libs_use_shared_libs(syslogd_t)
-
-# cjp: this doesnt make sense
-logging_send_syslog_msg(syslogd_t)
-
-sysnet_read_config(syslogd_t)
-
-miscfiles_read_localization(syslogd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
-
-ifdef(`distro_suse',`
-	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
-	files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
-')
-
-ifdef(`targeted_policy',`
-	allow syslogd_t var_run_t:fifo_file { ioctl read write };
-	term_dontaudit_use_unallocated_ttys(syslogd_t)
-	term_dontaudit_use_generic_ptys(syslogd_t)
-	files_dontaudit_read_root_files(syslogd_t)
-')
-
-optional_policy(`
-	inn_manage_log(syslogd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(syslogd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(syslogd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(syslogd_t)
-')
-
-optional_policy(`
-	udev_read_db(syslogd_t)
-')
-
-optional_policy(`
-	# log to the xconsole
-	xserver_rw_console(syslogd_t)
-')
diff --git a/refpolicy/policy/modules/system/lvm.fc b/refpolicy/policy/modules/system/lvm.fc
deleted file mode 100644
index 0339693..0000000
--- a/refpolicy/policy/modules/system/lvm.fc
+++ /dev/null
@@ -1,90 +0,0 @@
-
-# LVM creates lock files in /var before /var is mounted
-# configure LVM to put lockfiles in /etc/lvm/lock instead
-# for this policy to work (unless you have no separate /var)
-
-#
-# /etc
-#
-/etc/lvm(/.*)?			gen_context(system_u:object_r:lvm_etc_t,s0)
-/etc/lvm/\.cache	--	gen_context(system_u:object_r:lvm_metadata_t,s0)
-/etc/lvm/archive(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
-/etc/lvm/backup(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
-/etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
-
-/etc/lvmtab(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
-/etc/lvmtab\.d(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
-
-#
-# /lib
-#
-/lib/lvm-10/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/lib/lvm-200/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-
-#
-# /sbin
-#
-/sbin/cryptsetup	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/dmraid		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/dmsetup\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/e2fsadm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvcreate		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvextend		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvm\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvmdiskscan	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvreduce		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvrename		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvresize		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvs		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/lvscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/multipathd	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/pvchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/pvcreate		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/pvdata		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/pvdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/pvmove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/pvremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/pvs		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/pvscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgcfgbackup	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgcfgrestore	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgchange\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgck		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgcreate		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgexport		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgextend		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgimport		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgmerge		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgmknodes		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgreduce		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgrename		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgs		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgscan\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgsplit		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/sbin/vgwrapper		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/clvmd		--	gen_context(system_u:object_r:clvmd_exec_t,s0)
-/usr/sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-
-#
-# /var
-#
-/var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
-
-/var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
deleted file mode 100644
index 193069c..0000000
--- a/refpolicy/policy/modules/system/lvm.if
+++ /dev/null
@@ -1,76 +0,0 @@
-## <summary>Policy for logical volume management programs.</summary>
-
-########################################
-## <summary>
-##	Execute lvm programs in the lvm domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`lvm_domtrans',`
-	gen_require(`
-		type lvm_t, lvm_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1, lvm_exec_t, lvm_t)
-
-	allow $1 lvm_t:fd use;
-	allow lvm_t $1:fd use;
-	allow lvm_t $1:fifo_file rw_file_perms;
-	allow lvm_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute lvm programs in the lvm domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the LVM domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the LVM domain to use.
-##	</summary>
-## </param>
-#
-interface(`lvm_run',`
-	gen_require(`
-		type lvm_t;
-	')
-
-	lvm_domtrans($1)
-	role $2 types lvm_t;
-	allow lvm_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Read LVM configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`lvm_read_config',`
-	gen_require(`
-		type lvm_t, lvm_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 lvm_etc_t:dir r_dir_perms;
-	allow $1 lvm_etc_t:file r_file_perms;
-')
-
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
deleted file mode 100644
index 5aca3d0..0000000
--- a/refpolicy/policy/modules/system/lvm.te
+++ /dev/null
@@ -1,268 +0,0 @@
-
-policy_module(lvm,1.3.4)
-
-########################################
-#
-# Declarations
-#
-
-type clvmd_t;
-type clvmd_exec_t;
-init_daemon_domain(clvmd_t,clvmd_exec_t)
-
-type clvmd_var_run_t;
-files_pid_file(clvmd_var_run_t)
-
-type lvm_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type lvm_exec_t;
-')
-init_system_domain(lvm_t,lvm_exec_t)
-# needs privowner because it assigns the identity system_u to device nodes
-# but runs as the identity of the sysadmin
-domain_obj_id_change_exemption(lvm_t)
-role system_r types lvm_t;
-
-type lvm_etc_t;
-files_type(lvm_etc_t)
-
-type lvm_lock_t;
-files_lock_file(lvm_lock_t)
-
-type lvm_metadata_t;
-files_type(lvm_metadata_t)
-
-type lvm_var_run_t;
-files_pid_file(lvm_var_run_t)
-
-type lvm_tmp_t;
-files_tmp_file(lvm_tmp_t)
-
-########################################
-#
-# Cluster LVM daemon local policy
-#
-
-dontaudit clvmd_t self:capability sys_tty_config;
-allow clvmd_t self:process signal_perms;
-allow clvmd_t self:socket create_socket_perms;
-allow clvmd_t self:fifo_file { read write };
-allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow clvmd_t self:tcp_socket create_stream_socket_perms;
-allow clvmd_t self:udp_socket create_socket_perms;
-
-allow clvmd_t clvmd_var_run_t:file create_file_perms;
-allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(clvmd_t,clvmd_var_run_t,file)
-
-kernel_read_kernel_sysctls(clvmd_t)
-kernel_list_proc(clvmd_t)
-kernel_read_proc_symlinks(clvmd_t)
-
-corenet_non_ipsec_sendrecv(clvmd_t)
-corenet_tcp_sendrecv_all_if(clvmd_t)
-corenet_udp_sendrecv_all_if(clvmd_t)
-corenet_raw_sendrecv_all_if(clvmd_t)
-corenet_tcp_sendrecv_all_nodes(clvmd_t)
-corenet_udp_sendrecv_all_nodes(clvmd_t)
-corenet_raw_sendrecv_all_nodes(clvmd_t)
-corenet_tcp_sendrecv_all_ports(clvmd_t)
-corenet_udp_sendrecv_all_ports(clvmd_t)
-corenet_tcp_bind_all_nodes(clvmd_t)
-corenet_tcp_bind_reserved_port(clvmd_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
-corenet_sendrecv_generic_server_packets(clvmd_t)
-
-dev_read_sysfs(clvmd_t)
-
-fs_getattr_all_fs(clvmd_t)
-fs_search_auto_mountpoints(clvmd_t)
-
-term_dontaudit_use_console(clvmd_t)
-
-domain_use_interactive_fds(clvmd_t)
-
-files_list_usr(clvmd_t)
-
-init_use_fds(clvmd_t)
-init_use_script_ptys(clvmd_t)
-
-libs_use_ld_so(clvmd_t)
-libs_use_shared_libs(clvmd_t)
-
-logging_send_syslog_msg(clvmd_t)
-
-miscfiles_read_localization(clvmd_t)
-
-seutil_dontaudit_search_config(clvmd_t)
-seutil_sigchld_newrole(clvmd_t)
-
-sysnet_read_config(clvmd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
-userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(clvmd_t)
-	term_dontaudit_use_generic_ptys(clvmd_t)
-	files_dontaudit_read_root_files(clvmd_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(clvmd_t)
-')
-
-optional_policy(`
-	udev_read_db(clvmd_t)
-')
-
-########################################
-#
-# LVM Local policy
-#
-
-# DAC overrides and mknod for modifying /dev entries (vgmknodes)
-# rawio needed for dmraid
-allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
-dontaudit lvm_t self:capability sys_tty_config;
-allow lvm_t self:process { sigchld sigkill sigstop signull signal };
-# LVM will complain a lot if it cannot set its priority.
-allow lvm_t self:process setsched;
-allow lvm_t self:file rw_file_perms;
-allow lvm_t self:fifo_file rw_file_perms;
-allow lvm_t self:unix_dgram_socket create_socket_perms;
-
-allow lvm_t lvm_tmp_t:dir create_dir_perms;
-allow lvm_t lvm_tmp_t:file create_file_perms;
-files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
-
-# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
-allow lvm_t lvm_exec_t:dir search;
-allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
-
-# LVM is split into many individual binaries
-can_exec(lvm_t, lvm_exec_t)
-
-# Creating lock files
-allow lvm_t lvm_lock_t:dir rw_dir_perms;
-allow lvm_t lvm_lock_t:file create_file_perms;
-files_lock_filetrans(lvm_t,lvm_lock_t,file)
-
-allow lvm_t lvm_var_run_t:file create_file_perms;
-allow lvm_t lvm_var_run_t:dir create_dir_perms;
-files_pid_filetrans(lvm_t,lvm_var_run_t,file)
-
-allow lvm_t lvm_etc_t:file r_file_perms;
-allow lvm_t lvm_etc_t:lnk_file r_file_perms;
-# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
-allow lvm_t lvm_etc_t:dir rw_dir_perms;
-allow lvm_t lvm_metadata_t:file create_file_perms;
-allow lvm_t lvm_metadata_t:dir rw_dir_perms;
-type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
-files_etc_filetrans(lvm_t,lvm_metadata_t,file)
-
-kernel_read_system_state(lvm_t)
-kernel_read_kernel_sysctls(lvm_t)
-# Read system variables in /proc/sys
-kernel_read_kernel_sysctls(lvm_t)
-# it has no reason to need this
-kernel_dontaudit_getattr_core_if(lvm_t)
-
-selinux_get_fs_mount(lvm_t)
-selinux_validate_context(lvm_t)
-selinux_compute_access_vector(lvm_t)
-selinux_compute_create_context(lvm_t)
-selinux_compute_relabel_context(lvm_t)
-selinux_compute_user_contexts(lvm_t)
-
-dev_create_generic_chr_files(lvm_t)
-dev_read_rand(lvm_t)
-dev_read_urand(lvm_t)
-dev_rw_lvm_control(lvm_t)
-dev_manage_generic_symlinks(lvm_t)
-dev_relabel_generic_dev_dirs(lvm_t)
-dev_manage_generic_blk_files(lvm_t)
-# Read /sys/block. Device mapper metadata is kept there.
-dev_read_sysfs(lvm_t)
-# cjp: this has no effect since LVM does not
-# have lnk_file relabelto for anything else.
-# perhaps this should be blk_files?
-dev_relabel_generic_symlinks(lvm_t)
-# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dev_dontaudit_read_all_chr_files(lvm_t)
-dev_dontaudit_read_all_blk_files(lvm_t)
-dev_dontaudit_getattr_generic_chr_files(lvm_t)
-dev_dontaudit_getattr_generic_blk_files(lvm_t)
-dev_dontaudit_getattr_generic_pipes(lvm_t)
-dev_create_generic_dirs(lvm_t)
-
-fs_getattr_xattr_fs(lvm_t)
-fs_search_auto_mountpoints(lvm_t)
-fs_read_tmpfs_symlinks(lvm_t)
-fs_dontaudit_read_removable_files(lvm_t)
-
-storage_relabel_fixed_disk(lvm_t)
-storage_dontaudit_read_removable_device(lvm_t)
-# LVM creates block devices in /dev/mapper or /dev/<vg>
-# depending on its version
-# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
-# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
-# cjp: need create interface here for fixed disk create
-storage_dev_filetrans_fixed_disk(lvm_t)
-# Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
-storage_manage_fixed_disk(lvm_t)
-
-term_dontaudit_getattr_all_user_ttys(lvm_t)
-term_dontaudit_getattr_pty_dirs(lvm_t)
-
-corecmd_search_sbin(lvm_t)
-corecmd_dontaudit_getattr_sbin_files(lvm_t)
-
-domain_use_interactive_fds(lvm_t)
-
-files_read_etc_files(lvm_t)
-files_read_etc_runtime_files(lvm_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(lvm_t)
-
-init_use_fds(lvm_t)
-init_dontaudit_getattr_initctl(lvm_t)
-init_use_script_ptys(lvm_t)
-
-libs_use_ld_so(lvm_t)
-libs_use_shared_libs(lvm_t)
-
-logging_send_syslog_msg(lvm_t)
-
-miscfiles_read_localization(lvm_t)
-
-seutil_read_config(lvm_t)
-seutil_read_file_contexts(lvm_t)
-seutil_search_default_contexts(lvm_t)
-seutil_sigchld_newrole(lvm_t)
-
-ifdef(`distro_redhat',`
-	# this is from the initrd:
-	files_rw_isid_type_dirs(lvm_t)
-')
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(lvm_t)
-	term_dontaudit_use_generic_ptys(lvm_t)
-
-	files_dontaudit_read_root_files(lvm_t)
-')
-
-optional_policy(`
-	bootloader_rw_tmp_files(lvm_t)
-')
-
-optional_policy(`
-	gpm_dontaudit_getattr_gpmctl(lvm_t)
-')
-
-optional_policy(`
-	udev_read_db(lvm_t)
-')
diff --git a/refpolicy/policy/modules/system/metadata.xml b/refpolicy/policy/modules/system/metadata.xml
deleted file mode 100644
index 4866e97..0000000
--- a/refpolicy/policy/modules/system/metadata.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<summary>
-	Policy modules for system functions from init to multi-user login.
-</summary>
diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc
deleted file mode 100644
index 7f4bdcd..0000000
--- a/refpolicy/policy/modules/system/miscfiles.fc
+++ /dev/null
@@ -1,66 +0,0 @@
-#
-# /emul
-#
-ifdef(`distro_gentoo',`
-/emul/linux/x86/usr/(X11R6/)?lib/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
-')
-
-#
-# /etc
-#
-/etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
-/etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
-
-#
-# /opt
-#
-/opt/(.*/)?man(/.*)?		gen_context(system_u:object_r:man_t,s0)
-
-#
-# /srv
-#
-/srv/([^/]*/)?ftp(/.*)?		gen_context(system_u:object_r:public_content_t,s0)
-/srv/([^/]*/)?rsync(/.*)?	gen_context(system_u:object_r:public_content_t,s0)
-
-#
-# /usr
-#
-/usr/lib/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
-
-/usr/lib(64)?/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
-
-/usr/local/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
-
-/usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
-
-/usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
-
-/usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
-/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-/usr/share/hwdata(/.*)?		gen_context(system_u:object_r:hwdata_t,s0)
-/usr/share/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
-/usr/share/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
-/usr/share/zoneinfo(/.*)?	gen_context(system_u:object_r:locale_t,s0)
-
-/usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)
-/usr/share/ssl/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
-
-/usr/X11R6/lib/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
-
-/usr/X11R6/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
-
-#
-# /var
-#
-/var/ftp(/.*)?			gen_context(system_u:object_r:public_content_t,s0)
-
-ifdef(`distro_debian', `
-/var/lib/msttcorefonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
-')
-
-/var/lib/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
-
-/var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
-/var/cache/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
-
-/var/spool/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
deleted file mode 100644
index 7838a10..0000000
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ /dev/null
@@ -1,364 +0,0 @@
-## <summary>Miscelaneous files.</summary>
-
-########################################
-## <summary>
-##	Read system SSL certificates.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_read_certs',`
-	gen_require(`
-		type cert_t;
-	')
-
-	allow $1 cert_t:dir r_dir_perms;
-	allow $1 cert_t:file r_file_perms;
-	allow $1 cert_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read fonts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_read_fonts',`
-	gen_require(`
-		type fonts_t;
-	')
-
-	# cjp: fonts can be in either of these dirs
-	files_search_usr($1)
-	libs_search_lib($1)
-
-	allow $1 fonts_t:dir r_dir_perms;
-	allow $1 fonts_t:file r_file_perms;
-	allow $1 fonts_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete fonts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_manage_fonts',`
-	gen_require(`
-		type fonts_t;
-	')
-
-	# cjp: fonts can be in either of these dirs
-	files_search_usr($1)
-	libs_search_lib($1)
-
-	allow $1 fonts_t:dir create_dir_perms;
-	allow $1 fonts_t:file create_file_perms;
-	allow $1 fonts_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Read hardware identification data.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_read_hwdata',`
-	gen_require(`
-		type hwdata_t;
-	')
-
-	allow $1 hwdata_t:dir r_dir_perms;
-	allow $1 hwdata_t:file r_file_perms;
-	allow $1 hwdata_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Allow process to read localization info
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_read_localization',`
-	gen_require(`
-		type locale_t;
-	')
-
-	files_search_etc($1)
-	# FIXME: $1 read etc_t:lnk_file here
-	files_search_usr($1)
-	allow $1 locale_t:dir r_dir_perms;
-	allow $1 locale_t:lnk_file r_file_perms;
-	allow $1 locale_t:file r_file_perms;
-
-	# why?
-	libs_read_lib_files($1)
-')
-
-########################################
-## <summary>
-##	Allow process to read legacy time localization info
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_legacy_read_localization',`
-	gen_require(`
-		type locale_t;
-	')
-
-	miscfiles_read_localization($1)
-	allow $1 locale_t:file execute;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search man pages.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_dontaudit_search_man_pages',`
-	gen_require(`
-		type man_t;
-	')
-
-	dontaudit $1 man_t:dir search;
-')
-
-########################################
-## <summary>
-##	Read man pages
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_read_man_pages',`
-	gen_require(`
-		type man_t;
-	')
-
-	files_search_usr($1)
-	allow $1 man_t:dir r_dir_perms;
-	allow $1 man_t:file r_file_perms;
-	allow $1 man_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Delete man pages
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-# cjp: added for tmpreaper
-#
-interface(`miscfiles_delete_man_pages',`
-	gen_require(`
-		type man_t;
-	')
-
-	files_search_usr($1)
-	allow $1 man_t:dir { setattr rw_dir_perms rmdir };
-	allow $1 man_t:file { getattr unlink };
-	allow $1 man_t:lnk_file { getattr unlink };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete man pages
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_manage_man_pages',`
-	gen_require(`
-		type man_t;
-	')
-
-	files_search_usr($1)
-	allow $1 man_t:dir create_dir_perms;
-	allow $1 man_t:file create_file_perms;
-	allow $1 man_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read public files used for file
-##	transfer services.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_read_public_files',`
-	gen_require(`
-		type public_content_t, public_content_rw_t;
-	')
-
-	allow $1 { public_content_t public_content_rw_t }:dir r_dir_perms;
-	allow $1 { public_content_t public_content_rw_t }:file r_file_perms;
-	allow $1 { public_content_t public_content_rw_t }:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete public files
-##	and directories used for file transfer services.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_manage_public_files',`
-	gen_require(`
-		type public_content_rw_t;
-	')
-
-	allow $1 public_content_rw_t:dir create_dir_perms;
-	allow $1 public_content_rw_t:file create_file_perms;
-	allow $1 public_content_rw_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Read TeX data
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_read_tetex_data',`
-	gen_require(`
-		type tetex_data_t;
-	')
-
-	files_search_var($1)
-	files_search_var_lib($1)
-
-	# cjp: TeX data can be in either of the above dirs
-	allow $1 tetex_data_t:dir r_dir_perms;
-	allow $1 tetex_data_t:file r_file_perms;
-	allow $1 tetex_data_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute TeX data programs in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_exec_tetex_data',`
-	gen_require(`
-		type fonts_t;
-	')
-
-	files_search_var($1)
-	files_search_var_lib($1)
-
-	# cjp: TeX data can be in either of the above dirs
-	allow $1 tetex_data_t:dir r_dir_perms;
-	can_exec($1,tetex_data_t)
-')
-
-########################################
-## <summary>
-##	Let test files be an entry point for
-##	a specified domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to be entered.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_domain_entry_test_files',`
-	gen_require(`
-		type test_file_t;
-	')
-
-	domain_entry_file($1, test_file_t)
-')
-
-########################################
-## <summary>
-##	Read test files and directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_read_test_files',`
-	gen_require(`
-		type test_file_t;
-	')
-
-	allow $1 test_file_t:dir r_dir_perms;
-	allow $1 test_file_t:file r_file_perms;
-	allow $1 test_file_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute test files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`miscfiles_exec_test_files',`
-	gen_require(`
-		type test_file_t;
-	')
-
-	allow $1 test_file_t:dir r_dir_perms;
-	allow $1 test_file_t:lnk_file r_file_perms;
-	can_exec($1, test_file_t)
-')
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
deleted file mode 100644
index 7ccd2bc..0000000
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ /dev/null
@@ -1,59 +0,0 @@
-
-policy_module(miscfiles,1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-#
-# cert_t is the type of files in the system certs directories.
-#
-type cert_t;
-files_type(cert_t)
-
-#
-# fonts_t is the type of various font
-# files in /usr
-#
-type fonts_t;
-files_type(fonts_t)
-
-#
-# type for /usr/share/hwdata
-#
-type hwdata_t;
-files_type(hwdata_t)
-
-#
-# locale_t is the type for system localization
-#
-type locale_t;
-files_type(locale_t)
-
-#
-# man_t is the type for the man directories.
-#
-type man_t alias catman_t;
-files_type(man_t)
-
-#
-# Types for public content
-#
-type public_content_t; #, customizable;
-files_type(public_content_t)
-
-type public_content_rw_t; #, customizable;
-files_type(public_content_rw_t)
-
-#
-# Base type for the tests directory.
-#
-type test_file_t;
-files_type(test_file_t)
-
-#
-# for /var/{spool,lib}/texmf index files
-#
-type tetex_data_t;
-files_tmp_file(tetex_data_t)
diff --git a/refpolicy/policy/modules/system/modutils.fc b/refpolicy/policy/modules/system/modutils.fc
deleted file mode 100644
index aa219c1..0000000
--- a/refpolicy/policy/modules/system/modutils.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-
-/etc/modules\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
-/etc/modprobe\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
-
-/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
-/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
-
-/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
-/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
-
-/sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
-/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-/sbin/insmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
-/sbin/modprobe.*	--	gen_context(system_u:object_r:insmod_exec_t,s0)
-/sbin/rmmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
-/sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
deleted file mode 100644
index b1dca23..0000000
--- a/refpolicy/policy/modules/system/modutils.if
+++ /dev/null
@@ -1,307 +0,0 @@
-## <summary>Policy for kernel module utilities</summary>
-
-########################################
-## <summary>
-##	Read the dependencies of kernel modules.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_read_module_deps',`
-	gen_require(`
-		type modules_dep_t;
-	')
-
-	files_list_kernel_modules($1)
-	allow $1 modules_dep_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read the configuration options used when
-##	loading modules.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_read_module_config',`
-	gen_require(`
-		type modules_conf_t;
-	')
-
-	# This file type can be in /etc or
-	# /lib(64)?/modules
-	files_search_etc($1)
-	files_search_boot($1)
-
-	allow $1 modules_conf_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Rename a file with the configuration options used when
-##	loading modules.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_rename_module_config',`
-	gen_require(`
-		type modules_conf_t;
-	')
-
-	allow $1 modules_conf_t:file rename;
-')
-
-########################################
-## <summary>
-##	Unconditionally execute insmod in the insmod domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: this is added for pppd, due to nested
-# conditionals not working.
-interface(`modutils_domtrans_insmod_uncond',`
-	gen_require(`
-		type insmod_t, insmod_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1, insmod_exec_t, insmod_t)
-
-	allow $1 insmod_t:fd use;
-	allow insmod_t $1:fd use;
-	allow insmod_t $1:fifo_file rw_file_perms;
-	allow insmod_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute insmod in the insmod domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_domtrans_insmod',`
-	gen_require(`
-		bool secure_mode_insmod;
-	')
-
-	if (!secure_mode_insmod) {
-		modutils_domtrans_insmod_uncond($1)
-	}
-')
-
-########################################
-## <summary>
-##	Execute insmod in the insmod domain, and
-##	allow the specified role the insmod domain,
-##	and use the caller's terminal.  Has a sigchld
-##	backchannel.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the insmod domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the insmod domain to use.
-##	</summary>
-## </param>
-#
-interface(`modutils_run_insmod',`
-	gen_require(`
-		type insmod_t;
-	')
-
-	modutils_domtrans_insmod($1)
-	role $2 types insmod_t;
-	allow insmod_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute insmod in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_exec_insmod',`
-	gen_require(`
-		type insmod_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1, insmod_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute depmod in the depmod domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_domtrans_depmod',`
-	gen_require(`
-		type depmod_t, depmod_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1, depmod_exec_t, depmod_t)
-
-	allow $1 depmod_t:fd use;
-	allow depmod_t $1:fd use;
-	allow depmod_t $1:fifo_file rw_file_perms;
-	allow depmod_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute depmod in the depmod domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the depmod domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the depmod domain to use.
-##	</summary>
-## </param>
-#
-interface(`modutils_run_depmod',`
-	gen_require(`
-		type depmod_t;
-	')
-
-	modutils_domtrans_depmod($1)
-	role $2 types depmod_t;
-	allow insmod_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute depmod in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_exec_depmod',`
-	gen_require(`
-		type depmod_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1, depmod_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute depmod in the depmod domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_domtrans_update_mods',`
-	gen_require(`
-		type update_modules_t, update_modules_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1, update_modules_exec_t, update_modules_t)
-
-	allow $1 update_modules_t:fd use;
-	allow update_modules_t $1:fd use;
-	allow update_modules_t $1:fifo_file rw_file_perms;
-	allow update_modules_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute update_modules in the update_modules domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the update_modules domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the update_modules domain to use.
-##	</summary>
-## </param>
-#
-interface(`modutils_run_update_mods',`
-	gen_require(`
-		type update_modules_t;
-	')
-
-	modutils_domtrans_update_mods($1)
-	role $2 types update_modules_t;
-	allow update_modules_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute update_modules in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_exec_update_mods',`
-	gen_require(`
-		type update_modules_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1, update_modules_exec_t)
-')
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
deleted file mode 100644
index 9ac0adf..0000000
--- a/refpolicy/policy/modules/system/modutils.te
+++ /dev/null
@@ -1,281 +0,0 @@
-
-policy_module(modutils,1.1.2)
-
-gen_require(`
-	bool secure_mode_insmod;
-')
-
-########################################
-#
-# Declarations
-#
-
-# module loading config
-type modules_conf_t;
-files_type(modules_conf_t)
-
-# module dependencies
-type modules_dep_t;
-files_type(modules_dep_t)
-
-type insmod_t;
-type insmod_exec_t;
-domain_type(insmod_t)
-domain_entry_file(insmod_t,insmod_exec_t)
-mls_file_write_down(insmod_t)
-role system_r types insmod_t;
-
-type depmod_t;
-type depmod_exec_t;
-init_system_domain(depmod_t,depmod_exec_t)
-role system_r types depmod_t;
-
-type update_modules_t;
-type update_modules_exec_t;
-init_system_domain(update_modules_t,update_modules_exec_t)
-role system_r types update_modules_t;
-
-type update_modules_tmp_t;
-files_tmp_file(update_modules_tmp_t)
-
-########################################
-#
-# insmod local policy
-#
-
-allow insmod_t self:capability { dac_override net_raw sys_tty_config };
-allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
-
-allow insmod_t self:udp_socket create_socket_perms; 
-allow insmod_t self:rawip_socket create_socket_perms; 
-
-# Read module config and dependency information
-allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms;
-
-can_exec(insmod_t, insmod_exec_t)
-
-kernel_load_module(insmod_t)
-kernel_read_system_state(insmod_t)
-kernel_write_proc_files(insmod_t)
-kernel_mount_debugfs(insmod_t)
-kernel_read_debugfs(insmod_t)
-# Rules for /proc/sys/kernel/tainted
-kernel_read_kernel_sysctls(insmod_t)
-kernel_rw_kernel_sysctl(insmod_t)
-kernel_read_hotplug_sysctls(insmod_t)
-
-files_read_kernel_modules(insmod_t)
-# for locking: (cjp: ????)
-files_write_kernel_modules(insmod_t)
-
-dev_search_sysfs(insmod_t)
-dev_search_usbfs(insmod_t)
-dev_write_mtrr(insmod_t)
-dev_read_urand(insmod_t)
-dev_rw_agp(insmod_t)
-dev_read_sound(insmod_t)
-dev_write_sound(insmod_t)
-dev_rw_apm_bios(insmod_t)
-# cjp: why is this needed?  insmod cannot mounton any dir
-# and it also transitions to mount
-dev_mount_usbfs(insmod_t)
-
-fs_getattr_xattr_fs(insmod_t)
-
-corecmd_exec_bin(insmod_t)
-corecmd_exec_sbin(insmod_t)
-corecmd_exec_shell(insmod_t)
-
-domain_signal_all_domains(insmod_t)
-domain_use_interactive_fds(insmod_t)
-
-files_read_etc_runtime_files(insmod_t)
-files_read_etc_files(insmod_t)
-files_read_usr_files(insmod_t)
-files_exec_etc_files(insmod_t)
-# for nscd:
-files_dontaudit_search_pids(insmod_t)
-# for when /var is not mounted early in the boot:
-files_dontaudit_search_isid_type_dirs(insmod_t)
-
-init_rw_initctl(insmod_t)
-init_use_fds(insmod_t)
-init_use_script_fds(insmod_t)
-init_use_script_ptys(insmod_t)
-
-libs_use_ld_so(insmod_t)
-libs_use_shared_libs(insmod_t)
-
-logging_send_syslog_msg(insmod_t)
-logging_search_logs(insmod_t)
-
-miscfiles_read_localization(insmod_t)
-
-seutil_read_file_contexts(insmod_t)
-
-if( ! secure_mode_insmod ) {
-	kernel_domtrans_to(insmod_t,insmod_exec_t)
-}
-
-ifdef(`hide_broken_symptoms',`
-	dev_dontaudit_rw_cardmgr(insmod_t)
-')
-
-ifdef(`targeted_policy',`
-	unconfined_domain(insmod_t)
-')
-
-optional_policy(`
-	hotplug_search_config(insmod_t)
-')
-
-optional_policy(`
-	mount_domtrans(insmod_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(insmod_t)
-')
-
-optional_policy(`
-	nscd_socket_use(insmod_t)
-')
-
-optional_policy(`
-	fs_manage_ramfs_files(insmod_t)
-
-	rhgb_use_fds(insmod_t)
-
-	ifdef(`hide_broken_symptoms',`
-		xserver_dontaudit_rw_xdm_xserver_tcp_sockets(insmod_t)
-	')
-')
-
-optional_policy(`
-	rpm_rw_pipes(insmod_t)
-')
-
-optional_policy(`
-	# cjp: why is this needed:
-	dev_rw_xserver_misc(insmod_t)
-
-	xserver_getattr_log(insmod_t)
-')
-
-########################################
-#
-# depmod local policy
-#
-
-can_exec(depmod_t, depmod_exec_t)
-
-# Read conf.modules.
-allow depmod_t modules_conf_t:file r_file_perms;
-
-allow depmod_t modules_dep_t:file create_file_perms;
-files_kernel_modules_filetrans(depmod_t,modules_dep_t,file)
-
-kernel_read_system_state(depmod_t)
-
-files_read_kernel_symbol_table(depmod_t)
-files_read_kernel_modules(depmod_t)
-
-fs_getattr_xattr_fs(depmod_t)
-
-term_use_console(depmod_t)
-
-corecmd_search_bin(depmod_t)
-corecmd_search_sbin(depmod_t)
-
-domain_use_interactive_fds(depmod_t)
-
-init_use_fds(depmod_t)
-init_use_script_fds(depmod_t)
-init_use_script_ptys(depmod_t)
-
-files_read_etc_runtime_files(depmod_t)
-files_read_etc_files(depmod_t)
-files_read_usr_src_files(depmod_t)
-files_list_usr(depmod_t)
-
-libs_use_ld_so(depmod_t)
-libs_use_shared_libs(depmod_t)
-
-# Read System.map from home directories.
-files_list_home(depmod_t)
-userdom_read_staff_home_content_files(depmod_t)
-userdom_read_sysadm_home_content_files(depmod_t)
-
-ifdef(`targeted_policy', `
-	term_use_unallocated_ttys(depmod_t)
-	term_use_generic_ptys(depmod_t)
-')
-
-optional_policy(`
-	rpm_rw_pipes(depmod_t)
-')
-
-#################################
-#
-# update-modules local policy
-#
-
-allow update_modules_t self:fifo_file rw_file_perms;
-
-allow update_modules_t modules_dep_t:file rw_file_perms;
-
-can_exec(update_modules_t, insmod_exec_t)
-can_exec(update_modules_t, update_modules_exec_t)
-
-# manage module loading configuration
-allow update_modules_t modules_conf_t:file create_file_perms;
-files_kernel_modules_filetrans(update_modules_t,modules_conf_t,file)
-files_etc_filetrans(update_modules_t,modules_conf_t,file)
-
-# transition to depmod
-domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
-allow update_modules_t depmod_t:fd use;
-allow depmod_t update_modules_t:fd use;
-allow depmod_t update_modules_t:fifo_file rw_file_perms;
-allow depmod_t update_modules_t:process sigchld;
-
-allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
-allow update_modules_t update_modules_tmp_t:file create_file_perms;
-files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(update_modules_t)
-kernel_read_system_state(update_modules_t)
-
-dev_read_urand(update_modules_t)
-
-fs_getattr_xattr_fs(update_modules_t)
-
-term_use_console(update_modules_t)
-
-init_use_fds(update_modules_t)
-init_use_script_fds(update_modules_t)
-init_use_script_ptys(update_modules_t)
-
-domain_use_interactive_fds(update_modules_t)
-
-files_read_etc_runtime_files(update_modules_t)
-files_read_etc_files(update_modules_t)
-files_exec_etc_files(update_modules_t)
-
-corecmd_exec_bin(update_modules_t)
-corecmd_exec_sbin(update_modules_t)
-corecmd_exec_shell(update_modules_t)
-
-libs_use_ld_so(update_modules_t)
-libs_use_shared_libs(update_modules_t)
-
-logging_send_syslog_msg(update_modules_t)
-
-miscfiles_read_localization(update_modules_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(update_modules_t)
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(update_modules_t)
-	term_use_unallocated_ttys(update_modules_t)
-')
diff --git a/refpolicy/policy/modules/system/mount.fc b/refpolicy/policy/modules/system/mount.fc
deleted file mode 100644
index b2b7f82..0000000
--- a/refpolicy/policy/modules/system/mount.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-
-########################################
-#
-# mount file contexts
-#
-/bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
-/bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
deleted file mode 100644
index 2bfa5f2..0000000
--- a/refpolicy/policy/modules/system/mount.if
+++ /dev/null
@@ -1,148 +0,0 @@
-## <summary>Policy for mount.</summary>
-
-########################################
-## <summary>
-##	Execute mount in the mount domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`mount_domtrans',`
-	gen_require(`
-		type mount_t, mount_exec_t;
-	')
-
-	domain_auto_trans($1,mount_exec_t,mount_t)
-
-	allow $1 mount_t:fd use;
-	allow mount_t $1:fd use;
-	allow mount_t $1:fifo_file rw_file_perms;
-	allow mount_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute mount in the mount domain, and
-##	allow the specified role the mount domain,
-##	and use the caller's terminal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the mount domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the mount domain to use.
-##	</summary>
-## </param>
-#
-interface(`mount_run',`
-	gen_require(`
-		type mount_t;
-	')
-
-	mount_domtrans($1)
-	role $2 types mount_t;
-	allow mount_t $3:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute mount in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`mount_exec',`
-	gen_require(`
-		type mount_exec_t;
-	')
-
-	allow $1 mount_exec_t:dir r_dir_perms;
-	allow $1 mount_exec_t:lnk_file r_file_perms;
-	can_exec($1,mount_exec_t)
-
-')
-
-########################################
-## <summary>
-##	Use file descriptors for mount.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`mount_use_fds',`
-	gen_require(`
-		type mount_t;
-	')
-
-	allow $1 mount_t:fd use; 
-')
-
-########################################
-## <summary>
-##	Allow the mount domain to send nfs requests for mounting
-##	network drives
-## </summary>
-## <desc>
-##	<p>
-##	Allow the mount domain to send nfs requests for mounting
-##	network drives
-##	</p>
-##	<p>
-##	This interface has been deprecated as these rules were
-##	a side effect of leaked mount file descriptors.  This
-##	interface has no effect.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mount_send_nfs_client_request',`
-	errprint(__file__:__line__:` $0($*) has been deprecated.'__endline__)
-')
-
-########################################
-## <summary>
-##	Execute mount in the unconfined mount domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mount_domtrans_unconfined',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type unconfined_mount_t, mount_exec_t;
-		')
-
-		domain_auto_trans($1,mount_exec_t,unconfined_mount_t)
-
-		allow $1 unconfined_mount_t:fd use;
-		allow unconfined_mount_t $1:fd use;
-		allow unconfined_mount_t $1:fifo_file rw_file_perms;
-		allow unconfined_mount_t $1:process sigchld;
-	',`
-		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
-	')
-')
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
deleted file mode 100644
index cb763fe..0000000
--- a/refpolicy/policy/modules/system/mount.te
+++ /dev/null
@@ -1,179 +0,0 @@
-
-policy_module(mount,1.3.8)
-
-########################################
-#
-# Declarations
-#
-
-type mount_t;
-type mount_exec_t;
-init_system_domain(mount_t,mount_exec_t)
-role system_r types mount_t;
-
-type mount_tmp_t;
-files_tmp_file(mount_tmp_t)
-
-ifdef(`targeted_policy',`
-	type unconfined_mount_t;
-	domain_type(unconfined_mount_t)
-	domain_entry_file(unconfined_mount_t,mount_exec_t)
-')
-
-########################################
-#
-# mount local policy
-#
-
-# setuid/setgid needed to mount cifs 
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-
-allow mount_t mount_tmp_t:file create_file_perms;
-allow mount_t mount_tmp_t:dir create_dir_perms;
-files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
-
-kernel_read_system_state(mount_t)
-kernel_dontaudit_getattr_core_if(mount_t)
-
-dev_getattr_all_blk_files(mount_t)
-dev_list_all_dev_nodes(mount_t)
-dev_rw_lvm_control(mount_t)
-dev_dontaudit_getattr_all_chr_files(mount_t)
-dev_dontaudit_getattr_memory_dev(mount_t)
-dev_getattr_sound_dev(mount_t)
-
-storage_raw_read_fixed_disk(mount_t)
-storage_raw_write_fixed_disk(mount_t)
-storage_raw_read_removable_device(mount_t)
-storage_raw_write_removable_device(mount_t)
-
-fs_getattr_xattr_fs(mount_t)
-fs_getattr_cifs(mount_t)
-fs_mount_all_fs(mount_t)
-fs_unmount_all_fs(mount_t)
-fs_remount_all_fs(mount_t)
-fs_relabelfrom_all_fs(mount_t)
-fs_list_auto_mountpoints(mount_t)
-fs_rw_tmpfs_chr_files(mount_t)
-fs_read_tmpfs_symlinks(mount_t)
-
-term_use_all_terms(mount_t)
-
-# required for mount.smbfs
-corecmd_exec_sbin(mount_t)
-corecmd_exec_bin(mount_t)
-
-domain_use_interactive_fds(mount_t)
-
-files_search_all(mount_t)
-files_read_etc_files(mount_t)
-files_manage_etc_runtime_files(mount_t)
-files_etc_filetrans_etc_runtime(mount_t,file)
-files_mounton_all_mountpoints(mount_t)
-files_unmount_rootfs(mount_t)
-# These rules need to be generalized.  Only admin, initrc should have it:
-files_relabelto_all_file_type_fs(mount_t)
-files_mount_all_file_type_fs(mount_t)
-files_unmount_all_file_type_fs(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
-files_read_isid_type_files(mount_t)
-# For reading cert files
-files_read_usr_files(mount_t)
-
-init_use_fds(mount_t)
-init_use_script_ptys(mount_t)
-init_dontaudit_getattr_initctl(mount_t)
-
-libs_use_ld_so(mount_t)
-libs_use_shared_libs(mount_t)
-
-logging_send_syslog_msg(mount_t)
-
-miscfiles_read_localization(mount_t)
-
-mls_file_read_up(mount_t)
-mls_file_write_down(mount_t)
-
-sysnet_use_portmap(mount_t)
-
-userdom_use_all_users_fds(mount_t)
-
-ifdef(`distro_redhat',`
-	optional_policy(`
-		auth_read_pam_console_data(mount_t)
-		# mount config by default sets fscontext=removable_t
-		fs_relabelfrom_dos_fs(mount_t)
-	')
-')
-
-ifdef(`targeted_policy',`
-	tunable_policy(`allow_mount_anyfile',`
-		auth_read_all_dirs_except_shadow(mount_t)
-		auth_read_all_files_except_shadow(mount_t)
-		files_mounton_non_security(mount_t)
-	')
-')
-
-optional_policy(`
-	# for nfs
-	corenet_non_ipsec_sendrecv(mount_t)
-	corenet_tcp_sendrecv_all_if(mount_t)
-	corenet_raw_sendrecv_all_if(mount_t)
-	corenet_udp_sendrecv_all_if(mount_t)
-	corenet_tcp_sendrecv_all_nodes(mount_t)
-	corenet_raw_sendrecv_all_nodes(mount_t)
-	corenet_udp_sendrecv_all_nodes(mount_t)
-	corenet_tcp_sendrecv_all_ports(mount_t)
-	corenet_udp_sendrecv_all_ports(mount_t)
-	corenet_tcp_bind_all_nodes(mount_t)
-	corenet_udp_bind_all_nodes(mount_t)
-	corenet_tcp_bind_generic_port(mount_t)
-	corenet_udp_bind_generic_port(mount_t)
-	corenet_tcp_bind_reserved_port(mount_t)
-	corenet_udp_bind_reserved_port(mount_t)
-	corenet_tcp_bind_all_rpc_ports(mount_t)
-	corenet_udp_bind_all_rpc_ports(mount_t)
-	corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
-	corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
-	corenet_tcp_connect_all_ports(mount_t)
-
-	fs_search_rpc(mount_t)
-
-	portmap_udp_chat(mount_t)
-
-	optional_policy(`
-		nis_use_ypbind(mount_t)
-	')
-')
-
-optional_policy(`
-	apm_use_fds(mount_t)
-')
-
-optional_policy(`
-	ifdef(`hide_broken_symptoms',`
-		# for a bug in the X server
-		rhgb_dontaudit_rw_stream_sockets(mount_t)
-		term_dontaudit_use_ptmx(mount_t)
-	')
-')
-
-# for kernel package installation
-optional_policy(`
-	rpm_rw_pipes(mount_t)
-')
-
-optional_policy(`
-	samba_domtrans_smbmount(mount_t)
-')
-
-########################################
-#
-# Unconfined mount local policy
-#
-
-ifdef(`targeted_policy',`
-	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
-	unconfined_domain(unconfined_mount_t)
-')
diff --git a/refpolicy/policy/modules/system/pcmcia.fc b/refpolicy/policy/modules/system/pcmcia.fc
deleted file mode 100644
index 9cf0e56..0000000
--- a/refpolicy/policy/modules/system/pcmcia.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-
-/etc/apm/event\.d/pcmcia --	gen_context(system_u:object_r:cardmgr_exec_t,s0)
-
-/sbin/cardctl		--	gen_context(system_u:object_r:cardctl_exec_t,s0)
-/sbin/cardmgr		--	gen_context(system_u:object_r:cardmgr_exec_t,s0)
-
-/var/lib/pcmcia(/.*)?		gen_context(system_u:object_r:cardmgr_var_run_t,s0)
-
-/var/run/cardmgr\.pid	--	gen_context(system_u:object_r:cardmgr_var_run_t,s0)
-/var/run/stab		--	gen_context(system_u:object_r:cardmgr_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if
deleted file mode 100644
index 15155f4..0000000
--- a/refpolicy/policy/modules/system/pcmcia.if
+++ /dev/null
@@ -1,175 +0,0 @@
-## <summary>PCMCIA card management services</summary>
-
-########################################
-## <summary>
-##	PCMCIA stub interface.  No access allowed.
-## </summary>
-## <param name="domain" optional="true">
-##	<summary>
-##	N/A
-##	</summary>
-## </param>
-#
-interface(`pcmcia_stub',`
-	gen_require(`
-		type cardmgr_t;
-	')
-')
-
-########################################
-## <summary>
-##	Execute cardmgr in the cardmgr domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`pcmcia_domtrans_cardmgr',`
-	gen_require(`
-		type cardmgr_t, cardmgr_exec_t;
-	')
-
-	domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
-
-	allow $1 cardmgr_t:fd use;
-	allow cardmgr_t $1:fd use;
-	allow cardmgr_t $1:fifo_file rw_file_perms;
-	allow cardmgr_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Inherit and use file descriptors from cardmgr.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`pcmcia_use_cardmgr_fds',`
-	gen_require(`
-		type cardmgr_t;
-	')
-
-	allow $1 cardmgr_t:fd use;
-')
-
-########################################
-## <summary>
-##	Execute cardctl in the cardmgr domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`pcmcia_domtrans_cardctl',`
-	gen_require(`
-		type cardmgr_t, cardctl_exec_t;
-	')
-
-	domain_auto_trans($1,cardctl_exec_t,cardmgr_t)
-
-	allow $1 cardmgr_t:fd use;
-	allow cardmgr_t $1:fd use;
-	allow cardmgr_t $1:fifo_file rw_file_perms;
-	allow cardmgr_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute cardmgr in the cardctl domain, and
-##	allow the specified role the cardmgr domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the cardmgr domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the cardmgr domain to use.
-##	</summary>
-## </param>
-#
-interface(`pcmcia_run_cardctl',`
-	gen_require(`
-		type cardmgr_t;
-	')
-
-	pcmcia_domtrans_cardctl($1)
-	role $2 types cardmgr_t;
-	allow cardmgr_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Read cardmgr pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`pcmcia_read_pid',`
-	gen_require(`
-		type cardmgr_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 cardmgr_var_run_t:dir r_dir_perms;
-	allow $1 cardmgr_var_run_t:file r_file_perms;
-	allow $1 cardmgr_var_run_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	cardmgr pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`pcmcia_manage_pid',`
-	gen_require(`
-		type cardmgr_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 cardmgr_var_run_t:dir rw_dir_perms;
-	allow $1 cardmgr_var_run_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	cardmgr runtime character nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`pcmcia_manage_pid_chr_files',`
-	gen_require(`
-		type cardmgr_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 cardmgr_var_run_t:dir rw_dir_perms;
-	allow $1 cardmgr_var_run_t:chr_file create_file_perms;
-')
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
deleted file mode 100644
index e2d419f..0000000
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ /dev/null
@@ -1,152 +0,0 @@
-
-policy_module(pcmcia,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type cardmgr_t;
-type cardmgr_exec_t;
-init_daemon_domain(cardmgr_t,cardmgr_exec_t)
-
-# Create symbolic links in /dev.
-# cjp: this should probably be eliminated
-type cardmgr_lnk_t;
-files_type(cardmgr_lnk_t)
-
-type cardmgr_var_lib_t;
-files_type(cardmgr_var_lib_t)
-
-type cardmgr_var_run_t;
-files_pid_file(cardmgr_var_run_t)
-
-type cardctl_exec_t;
-domain_entry_file(cardmgr_t,cardctl_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-# Use capabilities (net_admin for route), setuid for cardctl
-allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
-dontaudit cardmgr_t self:capability sys_tty_config;
-allow cardmgr_t self:process signal_perms;
-allow cardmgr_t self:fifo_file rw_file_perms;
-allow cardmgr_t self:unix_dgram_socket create_socket_perms;
-allow cardmgr_t self:unix_stream_socket create_socket_perms;
-
-allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
-dev_filetrans(cardmgr_t,cardmgr_lnk_t,lnk_file)
-
-# Create stab file
-allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
-allow cardmgr_t cardmgr_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(cardmgr_t,cardmgr_var_lib_t,file)
-
-allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
-files_pid_filetrans(cardmgr_t,cardmgr_var_run_t,file)
-
-kernel_read_system_state(cardmgr_t)
-kernel_read_kernel_sysctls(cardmgr_t)
-kernel_dontaudit_getattr_message_if(cardmgr_t)
-
-files_search_kernel_modules(cardmgr_t)
-
-dev_read_sysfs(cardmgr_t)
-dev_manage_cardmgr_dev(cardmgr_t)
-dev_create_cardmgr_dev(cardmgr_t)
-dev_getattr_all_chr_files(cardmgr_t)
-dev_getattr_all_blk_files(cardmgr_t)
-# for SSP
-dev_read_urand(cardmgr_t)
-
-fs_getattr_all_fs(cardmgr_t)
-fs_search_auto_mountpoints(cardmgr_t)
-
-term_use_unallocated_ttys(cardmgr_t)
-term_getattr_all_user_ttys(cardmgr_t)
-term_dontaudit_use_console(cardmgr_t)
-term_dontaudit_getattr_all_user_ptys(cardmgr_t)
-
-corecmd_exec_all_executables(cardmgr_t)
-
-domain_use_interactive_fds(cardmgr_t)
-# Read /proc/PID directories for all domains (for fuser).
-domain_read_confined_domains_state(cardmgr_t)
-domain_getattr_confined_domains(cardmgr_t)
-domain_dontaudit_ptrace_confined_domains(cardmgr_t)
-# cjp: these look excessive:
-domain_dontaudit_getattr_all_pipes(cardmgr_t)
-domain_dontaudit_getattr_all_sockets(cardmgr_t)
-
-files_list_usr(cardmgr_t)
-files_search_home(cardmgr_t)
-files_read_etc_runtime_files(cardmgr_t)
-files_exec_etc_files(cardmgr_t)
-# for /var/lib/misc/pcmcia-scheme
-# would be better to have it in a different type if I knew how it was created..
-files_read_var_lib_files(cardmgr_t)
-# cjp: these look excessive:
-files_dontaudit_getattr_all_dirs(cardmgr_t)
-files_dontaudit_getattr_all_files(cardmgr_t)
-files_dontaudit_getattr_all_symlinks(cardmgr_t)
-files_dontaudit_getattr_all_pipes(cardmgr_t)
-files_dontaudit_getattr_all_sockets(cardmgr_t)
-
-init_use_fds(cardmgr_t)
-init_use_script_ptys(cardmgr_t)
-
-libs_use_ld_so(cardmgr_t)
-libs_use_shared_libs(cardmgr_t)
-libs_exec_ld_so(cardmgr_t)
-libs_exec_lib_files(cardmgr_t)
-
-logging_send_syslog_msg(cardmgr_t)
-
-miscfiles_read_localization(cardmgr_t)
-
-modutils_domtrans_insmod(cardmgr_t)
-
-sysnet_domtrans_ifconfig(cardmgr_t)
-# for /etc/resolv.conf
-sysnet_etc_filetrans_config(cardmgr_t)
-sysnet_manage_config(cardmgr_t)
-
-userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
-userdom_dontaudit_search_sysadm_home_dirs(cardmgr_t)
-
-ifdef(`targeted_policy',`
-	term_use_unallocated_ttys(cardmgr_t)
-	term_use_generic_ptys(cardmgr_t)
-	term_dontaudit_use_unallocated_ttys(cardmgr_t)
-	term_dontaudit_use_generic_ptys(cardmgr_t)
-	files_dontaudit_read_root_files(cardmgr_t)
-')
-
-optional_policy(`
-	seutil_dontaudit_read_config(cardmgr_t)
-	seutil_sigchld_newrole(cardmgr_t)
-')
-
-optional_policy(`
-	sysnet_domtrans_dhcpc(cardmgr_t)
-
-	sysnet_read_dhcpc_pid(cardmgr_t)
-	sysnet_delete_dhcpc_pid(cardmgr_t)
-	sysnet_kill_dhcpc(cardmgr_t)
-	sysnet_sigchld_dhcpc(cardmgr_t)
-	sysnet_signal_dhcpc(cardmgr_t)
-	sysnet_signull_dhcpc(cardmgr_t)
-	sysnet_sigstop_dhcpc(cardmgr_t)
-')
-
-optional_policy(`
-	udev_read_db(cardmgr_t)
-')
-
-# Create device files in /tmp.
-# cjp: why is this created all over the place?
-allow cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:dir rw_dir_perms;
-type_transition cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
diff --git a/refpolicy/policy/modules/system/raid.fc b/refpolicy/policy/modules/system/raid.fc
deleted file mode 100644
index 0709927..0000000
--- a/refpolicy/policy/modules/system/raid.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-
-/sbin/mdadm		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/mdmpd		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
-
-/var/run/mdadm(/.*)?		gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/raid.if b/refpolicy/policy/modules/system/raid.if
deleted file mode 100644
index 04673a8..0000000
--- a/refpolicy/policy/modules/system/raid.if
+++ /dev/null
@@ -1,54 +0,0 @@
-## <summary>RAID array management tools</summary>
-
-########################################
-## <summary>
-##	Execute software raid tools in the mdadm domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`raid_domtrans_mdadm',`
-	gen_require(`
-		type mdadm_t, mdadm_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,mdadm_exec_t,mdadm_t)
-
-	allow $1 mdadm_t:fd use;
-	allow mdadm_t $1:fd use;
-	allow mdadm_t $1:fifo_file rw_file_perms;
-	allow mdadm_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the mdadm pid files.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete the mdadm pid files.
-##	</p>
-##	<p>
-##	Added for use in the init module.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`raid_manage_mdadm_pid',`
-	gen_require(`
-		type mdadm_var_run_t;
-	')
-
-	# FIXME: maybe should have a type_transition.  not
-	# clear what this is doing, from the original
-	# mdadm policy
-	allow $1 mdadm_var_run_t:file create_file_perms;
-')
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
deleted file mode 100644
index 8e18595..0000000
--- a/refpolicy/policy/modules/system/raid.te
+++ /dev/null
@@ -1,84 +0,0 @@
-
-policy_module(raid,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type mdadm_t;
-type mdadm_exec_t;
-init_daemon_domain(mdadm_t,mdadm_exec_t)
-role system_r types mdadm_t;
-
-type mdadm_var_run_t;
-files_pid_file(mdadm_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
-dontaudit mdadm_t self:capability sys_tty_config;
-allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
-
-allow mdadm_t mdadm_var_run_t:file create_file_perms;
-files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
-
-kernel_read_system_state(mdadm_t)
-kernel_read_kernel_sysctls(mdadm_t)
-kernel_rw_software_raid_state(mdadm_t)
-
-dev_read_sysfs(mdadm_t)
-# Ignore attempts to read every device file
-dev_dontaudit_getattr_all_blk_files(mdadm_t)
-dev_dontaudit_getattr_all_chr_files(mdadm_t)
-
-fs_search_auto_mountpoints(mdadm_t)
-fs_dontaudit_list_tmpfs(mdadm_t)
-
-# RAID block device access
-storage_manage_fixed_disk(mdadm_t)
-
-term_dontaudit_use_console(mdadm_t)
-term_dontaudit_list_ptys(mdadm_t)
-
-# Helper program access
-corecmd_exec_bin(mdadm_t)
-corecmd_exec_sbin(mdadm_t)
-
-domain_use_interactive_fds(mdadm_t)
-
-files_read_etc_files(mdadm_t)
-files_read_etc_runtime_files(mdadm_t)
-
-init_use_fds(mdadm_t)
-init_use_script_ptys(mdadm_t)
-init_dontaudit_getattr_initctl(mdadm_t)
-
-libs_use_ld_so(mdadm_t)
-libs_use_shared_libs(mdadm_t)
-
-logging_send_syslog_msg(mdadm_t)
-
-miscfiles_read_localization(mdadm_t)
-
-userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
-userdom_dontaudit_use_sysadm_ttys(mdadm_t)
-
-mta_send_mail(mdadm_t)
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(mdadm_t)
-	term_dontaudit_use_generic_ptys(mdadm_t)
-	files_dontaudit_read_root_files(mdadm_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(mdadm_t)
-')
-
-optional_policy(`
-	udev_read_db(mdadm_t)
-')
diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc
deleted file mode 100644
index 8cb4179..0000000
--- a/refpolicy/policy/modules/system/selinuxutil.fc
+++ /dev/null
@@ -1,50 +0,0 @@
-# SELinux userland utilities
-
-#
-# /etc
-#
-/etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
-/etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
-/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
-/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
-/etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?     gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage.read.LOCK    --	gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage.trans.LOCK   --	gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-/etc/selinux/([^/]*/)?users(/.*)?	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
-
-#
-# /root
-#
-/root/\.default_contexts	-- 	gen_context(system_u:object_r:default_context_t,s0)
-
-#
-# /sbin
-#
-/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
-/sbin/restorecon		--	gen_context(system_u:object_r:restorecon_exec_t,s0)
-
-#
-# /usr
-#
-/usr/bin/checkpolicy		--	gen_context(system_u:object_r:checkpolicy_exec_t,s0)
-/usr/bin/newrole		--	gen_context(system_u:object_r:newrole_exec_t,s0)
-
-/usr/lib(64)?/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
-
-/usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
-/usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
-/usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
-/usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
-
-ifdef(`distro_debian', `
-/usr/share/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
-')
-
-#
-# /var/run
-#
-/var/run/restorecond.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
deleted file mode 100644
index 4e2f51b..0000000
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ /dev/null
@@ -1,1047 +0,0 @@
-## <summary>Policy for SELinux policy and userland applications.</summary>
-
-#######################################
-## <summary>
-##	Execute checkpolicy in the checkpolicy domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_domtrans_checkpolicy',`
-	gen_require(`
-		type checkpolicy_t, checkpolicy_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,checkpolicy_exec_t,checkpolicy_t)
-
-	allow $1 checkpolicy_t:fd use;
-	allow checkpolicy_t $1:fd use;
-	allow checkpolicy_t $1:fifo_file rw_file_perms;
-	allow checkpolicy_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute checkpolicy in the checkpolicy domain, and
-##	allow the specified role the checkpolicy domain,
-##	and use the caller's terminal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the checkpolicy domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the checkpolicy domain to use.
-##	</summary>
-## </param>
-#
-interface(`seutil_run_checkpolicy',`
-	gen_require(`
-		type checkpolicy_t;
-	')
-
-	seutil_domtrans_checkpolicy($1)
-	role $2 types checkpolicy_t;
-	allow checkpolicy_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute checkpolicy in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_exec_checkpolicy',`
-	gen_require(`
-		type checkpolicy_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	can_exec($1,checkpolicy_exec_t)
-')
-
-#######################################
-## <summary>
-##	Execute load_policy in the load_policy domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_domtrans_loadpolicy',`
-	gen_require(`
-		type load_policy_t, load_policy_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,load_policy_exec_t,load_policy_t)
-
-	allow $1 load_policy_t:fd use;
-	allow load_policy_t $1:fd use;
-	allow load_policy_t $1:fifo_file rw_file_perms;
-	allow load_policy_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute load_policy in the load_policy domain, and
-##	allow the specified role the load_policy domain,
-##	and use the caller's terminal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the load_policy domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the load_policy domain to use.
-##	</summary>
-## </param>
-#
-interface(`seutil_run_loadpolicy',`
-	gen_require(`
-		type load_policy_t;
-	')
-
-	seutil_domtrans_loadpolicy($1)
-	role $2 types load_policy_t;
-	allow load_policy_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute load_policy in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_exec_loadpolicy',`
-	gen_require(`
-		type load_policy_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1,load_policy_exec_t)
-')
-
-########################################
-## <summary>
-##	Read the load_policy program file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_read_loadpolicy',`
-	gen_require(`
-		type load_policy_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	allow $1 load_policy_exec_t:file r_file_perms;
-')
-
-#######################################
-## <summary>
-##	Execute newrole in the load_policy domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_domtrans_newrole',`
-	gen_require(`
-		type newrole_t, newrole_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,newrole_exec_t,newrole_t)
-
-	allow $1 newrole_t:fd use;
-	allow newrole_t $1:fd use;
-	allow newrole_t $1:fifo_file rw_file_perms;
-	allow newrole_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute newrole in the newrole domain, and
-##	allow the specified role the newrole domain,
-##	and use the caller's terminal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the newrole domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the newrole domain to use.
-##	</summary>
-## </param>
-#
-interface(`seutil_run_newrole',`
-	gen_require(`
-		type newrole_t;
-	')
-
-	seutil_domtrans_newrole($1)
-	role $2 types newrole_t;
-	allow newrole_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute newrole in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_exec_newrole',`
-	gen_require(`
-		type newrole_t, newrole_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	can_exec($1,newrole_exec_t)
-')
-
-########################################
-## <summary>
-##	Do not audit the caller attempts to send
-##	a signal to newrole.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_dontaudit_signal_newrole',`
-	gen_require(`
-		type newrole_t;
-	')
-
-	dontaudit $1 newrole_t:process signal;
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to newrole.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_sigchld_newrole',`
-	gen_require(`
-		type newrole_t;
-	')
-
-	allow $1 newrole_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Inherit and use newrole file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_use_newrole_fds',`
-	gen_require(`
-		type newrole_t;
-	')
-
-	allow $1 newrole_t:fd use;
-')
-
-#######################################
-## <summary>
-##	Execute restorecon in the restorecon domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_domtrans_restorecon',`
-	gen_require(`
-		type restorecon_t, restorecon_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,restorecon_exec_t,restorecon_t)
-
-	allow $1 restorecon_t:fd use;
-	allow restorecon_t $1:fd use;
-	allow restorecon_t $1:fifo_file rw_file_perms;
-	allow restorecon_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute restorecon in the restorecon domain, and
-##	allow the specified role the restorecon domain,
-##	and use the caller's terminal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the restorecon domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the restorecon domain to use.
-##	</summary>
-## </param>
-#
-interface(`seutil_run_restorecon',`
-	gen_require(`
-		type restorecon_t;
-	')
-
-	seutil_domtrans_restorecon($1)
-	role $2 types restorecon_t;
-	allow restorecon_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute restorecon in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_exec_restorecon',`
-	gen_require(`
-		type restorecon_t, restorecon_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1,restorecon_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute run_init in the run_init domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_domtrans_runinit',`
-	gen_require(`
-		type run_init_t, run_init_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,run_init_exec_t,run_init_t)
-
-	allow $1 run_init_t:fd use;
-	allow run_init_t $1:fd use;
-	allow run_init_t $1:fifo_file rw_file_perms;
-	allow run_init_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute init scripts in the run_init domain.
-## </summary>
-## <desc>
-##	<p>
-##	Execute init scripts in the run_init domain.
-##	This is used for the Gentoo integrated run_init.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_init_script_domtrans_runinit',`
-	gen_require(`
-		type run_init_t;
-	')
-
-	init_script_file_domtrans($1,run_init_t)
-
-	allow $1 run_init_t:fd use;
-	allow run_init_t $1:fd use;
-	allow run_init_t $1:fifo_file rw_file_perms;
-	allow run_init_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute run_init in the run_init domain, and
-##	allow the specified role the run_init domain,
-##	and use the caller's terminal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the run_init domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the run_init domain to use.
-##	</summary>
-## </param>
-#
-interface(`seutil_run_runinit',`
-	gen_require(`
-		type run_init_t;
-		role system_r;
-	')
-
-	seutil_domtrans_runinit($1)
-	role $2 types run_init_t;
-	allow run_init_t $3:chr_file rw_term_perms;
-	allow $2 system_r;
-')
-
-########################################
-## <summary>
-##	Execute init scripts in the run_init domain, and
-##	allow the specified role the run_init domain,
-##	and use the caller's terminal.
-## </summary>
-## <desc>
-##	<p>
-##	Execute init scripts in the run_init domain, and
-##	allow the specified role the run_init domain,
-##	and use the caller's terminal.
-##	</p>
-##	<p>
-##	This is used for the Gentoo integrated run_init.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the run_init domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the run_init domain to use.
-##	</summary>
-## </param>
-#
-interface(`seutil_init_script_run_runinit',`
-	gen_require(`
-		type run_init_t;
-		role system_r;
-	')
-
-	seutil_init_script_domtrans_runinit($1)
-	role $2 types run_init_t;
-	allow run_init_t $3:chr_file rw_term_perms;
-	allow $2 system_r;
-')
-
-########################################
-## <summary>
-##	Inherit and use run_init file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_use_runinit_fds',`
-	gen_require(`
-		type run_init_t;
-	')
-
-	allow $1 run_init_t:fd use;
-')
-
-########################################
-## <summary>
-##	Execute setfiles in the setfiles domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_domtrans_setfiles',`
-	gen_require(`
-		type setfiles_t, setfiles_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,setfiles_exec_t,setfiles_t)
-
-	allow $1 setfiles_t:fd use;
-	allow setfiles_t $1:fd use;
-	allow setfiles_t $1:fifo_file rw_file_perms;
-	allow setfiles_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute setfiles in the setfiles domain, and
-##	allow the specified role the setfiles domain,
-##	and use the caller's terminal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the setfiles domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the setfiles domain to use.
-##	</summary>
-## </param>
-#
-interface(`seutil_run_setfiles',`
-	gen_require(`
-		type setfiles_t;
-	')
-
-	seutil_domtrans_setfiles($1)
-	role $2 types setfiles_t;
-	allow setfiles_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute setfiles in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_exec_setfiles',`
-	gen_require(`
-		type setfiles_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_sbin($1)
-	can_exec($1,setfiles_exec_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the SELinux
-##	configuration directory (/etc/selinux).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`seutil_dontaudit_search_config',`
-	gen_require(`
-		type selinux_config_t;
-	')
-
-	dontaudit $1 selinux_config_t:dir search;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read the SELinux
-##	userland configuration (/etc/selinux).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`seutil_dontaudit_read_config',`
-	gen_require(`
-		type selinux_config_t;
-	')
-
-	dontaudit $1 selinux_config_t:dir search;
-	dontaudit $1 selinux_config_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read the general SELinux configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_read_config',`
-	gen_require(`
-		type selinux_config_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir r_dir_perms;
-	allow $1 selinux_config_t:file r_file_perms;
-	allow $1 selinux_config_t:lnk_file { getattr read };
-')
-
-#######################################
-## <summary>
-##	Create, read, write, and delete
-##	the general selinux configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_manage_selinux_config',`
-	gen_require(`
-		type selinux_config_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir rw_dir_perms;
-	allow $1 selinux_config_t:file manage_file_perms;
-	allow $1 selinux_config_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Search the policy directory with default_context files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_search_default_contexts',`
-	gen_require(`
-		type selinux_config_t, default_context_t;
-	')
-
-	files_search_etc($1)
-	allow $1 { selinux_config_t default_context_t }:dir search;
-')
-
-
-########################################
-## <summary>
-##	Read the default_contexts files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_read_default_contexts',`
-	gen_require(`
-		type selinux_config_t, default_context_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir search;
-	allow $1 default_context_t:dir r_dir_perms;
-	allow $1 default_context_t:file r_file_perms;
-	allow $1 default_context_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read the file_contexts files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_read_file_contexts',`
-	gen_require(`
-		type selinux_config_t, file_context_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir search;
-	allow $1 file_context_t:dir r_dir_perms;
-	allow $1 file_context_t:file r_file_perms;
-	allow $1 file_context_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Read and write the file_contexts files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_rw_file_contexts',`
-	gen_require(`
-		type selinux_config_t, file_context_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir search;
-	allow $1 file_context_t:dir r_dir_perms;
-	allow $1 file_context_t:file rw_file_perms;
-	allow $1 file_context_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the file_contexts files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_manage_file_contexts',`
-	gen_require(`
-		type selinux_config_t, file_context_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir search_dir_perms;
-	allow $1 file_context_t:dir rw_dir_perms;
-	allow $1 file_context_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Read the SELinux binary policy.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_read_bin_policy',`
-	gen_require(`
-		type selinux_config_t, policy_config_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir search;
-	allow $1 policy_config_t:dir r_dir_perms;
-	allow $1 policy_config_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create the SELinux binary policy.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_create_bin_policy',`
-	gen_require(`
-#		attribute can_write_binary_policy;
-		type selinux_config_t, policy_config_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir search;
-	allow $1 policy_config_t:dir ra_dir_perms;
-	allow $1 policy_config_t:file { getattr create write };
-#	typeattribute $1 can_write_binary_policy;
-')
-
-########################################
-## <summary>
-##	Allow the caller to relabel a file to the binary policy type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_relabelto_bin_policy',`
-	gen_require(`
-		attribute can_relabelto_binary_policy;
-		type policy_config_t;
-	')
-
-	allow $1 policy_config_t:file relabelto;
-	typeattribute $1 can_relabelto_binary_policy;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete the SELinux
-##	binary policy.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_manage_bin_policy',`
-	gen_require(`
-		attribute can_write_binary_policy;
-		type selinux_config_t, policy_config_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir search;
-	allow $1 policy_config_t:dir rw_dir_perms;
-	allow $1 policy_config_t:file create_file_perms;
-	typeattribute $1 can_write_binary_policy;
-')
-
-########################################
-## <summary>
-##	Read SELinux policy source files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_read_src_policy',`
-	gen_require(`
-		type selinux_config_t, policy_src_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir search;
-	allow $1 policy_src_t:dir r_dir_perms;
-	allow $1 policy_src_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete SELinux
-##	policy source files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_manage_src_policy',`
-	gen_require(`
-		type selinux_config_t, policy_src_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir search;
-	allow $1 policy_src_t:dir create_dir_perms;
-	allow $1 policy_src_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to run semanage.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`seutil_domtrans_semanage',`
-	gen_require(`
-		type semanage_t, semanage_exec_t;
-	')
-
-	files_search_usr($1)
-	corecmd_search_bin($1)
-	domain_auto_trans($1,semanage_exec_t,semanage_t)
-
-	allow $1 semanage_t:fd use;
-	allow semanage_t $1:fd use;
-	allow semanage_t $1:fifo_file rw_file_perms;
-	allow semanage_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute semanage in the semanage domain, and
-##	allow the specified role the semanage domain,
-##	and use the caller's terminal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the checkpolicy domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the semanage domain to use.
-##	</summary>
-## </param>
-#
-interface(`seutil_run_semanage',`
-	gen_require(`
-		type semanage_t;
-	')
-
-	seutil_domtrans_semanage($1)
-	role $2 types semanage_t;
-	allow semanage_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Full management of the semanage
-##	module store.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_manage_module_store',`
-	gen_require(`
-		type selinux_config_t, semanage_store_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir rw_dir_perms;
-	type_transition $1 selinux_config_t:dir semanage_store_t;
-
-	allow $1 semanage_store_t:dir create_dir_perms;
-	allow $1 semanage_store_t:file create_file_perms;
-')
-
-#######################################
-## <summary>
-##	Get read lock on module store
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_get_semanage_read_lock',`
-	gen_require(`
-		type selinux_config_t, semanage_read_lock_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir search_dir_perms;
-	allow $1 semanage_read_lock_t:file rw_file_perms;
-')
-
-#######################################
-## <summary>
-##	Get trans lock on module store
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`seutil_get_semanage_trans_lock',`
-	gen_require(`
-		type selinux_config_t, semanage_trans_lock_t;
-	')
-
-	files_search_etc($1)
-	allow $1 selinux_config_t:dir search_dir_perms;
-	allow $1 semanage_trans_lock_t:file rw_file_perms;
-')
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
deleted file mode 100644
index 05aea9f..0000000
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ /dev/null
@@ -1,666 +0,0 @@
-
-policy_module(selinuxutil,1.2.8)
-
-gen_require(`
-	bool secure_mode;
-')
-
-########################################
-#
-# Declarations
-#
-
-attribute can_write_binary_policy;
-attribute can_relabelto_binary_policy;
-
-#
-# selinux_config_t is the type applied to
-# /etc/selinux/config
-#
-# cjp: this is out of order due to rules
-# in the domain_type interface
-# (fix dup decl)
-type selinux_config_t;
-files_type(selinux_config_t)
-
-type checkpolicy_t, can_write_binary_policy;
-domain_type(checkpolicy_t)
-role system_r types checkpolicy_t;
-
-type checkpolicy_exec_t;
-domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
-
-#
-# default_context_t is the type applied to
-# /etc/selinux/*/contexts/*
-#
-type default_context_t;
-files_type(default_context_t) 
-
-#
-# file_context_t is the type applied to
-# /etc/selinux/*/contexts/files
-#
-type file_context_t;
-files_type(file_context_t)
-
-type load_policy_t;
-domain_type(load_policy_t)
-role system_r types load_policy_t;
-
-type load_policy_exec_t;
-domain_entry_file(load_policy_t,load_policy_exec_t)
-
-type newrole_t;
-domain_role_change_exemption(newrole_t)
-domain_obj_id_change_exemption(newrole_t)
-domain_type(newrole_t)
-domain_interactive_fd(newrole_t)
-
-type newrole_exec_t;
-domain_entry_file(newrole_t,newrole_exec_t)
-
-#
-# policy_config_t is the type of /etc/security/selinux/*
-# the security server policy configuration.
-#
-type policy_config_t;
-files_type(policy_config_t)
-
-neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
-#neverallow ~can_write_binary_policy policy_config_t:file { write append };
-
-#
-# policy_src_t is the type of the policy source
-# files.
-#
-type policy_src_t;
-files_type(policy_src_t)
-
-type restorecon_t, can_relabelto_binary_policy;
-type restorecon_exec_t;
-domain_obj_id_change_exemption(restorecon_t)
-init_system_domain(restorecon_t,restorecon_exec_t)
-role system_r types restorecon_t;
-
-type restorecond_t;
-type restorecond_exec_t;
-init_daemon_domain(restorecond_t,restorecond_exec_t)
-domain_obj_id_change_exemption(restorecond_t)
-role system_r types restorecond_t;
-
-type restorecond_var_run_t;
-files_pid_file(restorecond_var_run_t)
-
-# real declaration moved to mls until
-# range transitions work in modules
-gen_require(`
-	type run_init_t;
-')
-type run_init_exec_t;
-domain_type(run_init_t)
-domain_entry_file(run_init_t,run_init_exec_t)
-domain_system_change_exemption(run_init_t)
-
-type semanage_t;
-domain_type(semanage_t)
-
-type semanage_exec_t;
-domain_entry_file(semanage_t, semanage_exec_t)
-role system_r types semanage_t;
-
-type semanage_store_t;
-files_type(semanage_store_t)
-
-type semanage_read_lock_t;
-files_type(semanage_read_lock_t)
-
-type semanage_tmp_t; 
-files_tmp_file(semanage_tmp_t)
-
-type semanage_trans_lock_t; 
-files_type(semanage_trans_lock_t)
-
-type setfiles_t, can_relabelto_binary_policy;
-domain_obj_id_change_exemption(setfiles_t)
-domain_type(setfiles_t)
-role system_r types setfiles_t;
-
-type setfiles_exec_t;
-domain_entry_file(setfiles_t,setfiles_exec_t)
-
-ifdef(`distro_redhat',`
-	init_system_domain(setfiles_t,setfiles_exec_t)
-')
-
-########################################
-#
-# Checkpolicy local policy
-#
-
-allow checkpolicy_t self:capability dac_override;
-
-# able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir rw_dir_perms;
-allow checkpolicy_t policy_config_t:file create_file_perms;
-
-# allow test policies to be created in src directories
-allow checkpolicy_t policy_src_t:dir rw_dir_perms;
-type_transition checkpolicy_t policy_src_t:file policy_config_t;
-
-# only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir r_dir_perms;
-allow checkpolicy_t policy_src_t:file r_file_perms;
-allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
-allow checkpolicy_t selinux_config_t:dir search;
-
-fs_getattr_xattr_fs(checkpolicy_t)
-
-term_use_console(checkpolicy_t)
-
-domain_use_interactive_fds(checkpolicy_t)
-
-files_list_usr(checkpolicy_t)
-# directory search permissions for path to source and binary policy files
-files_search_etc(checkpolicy_t)
-
-init_use_fds(checkpolicy_t)
-init_use_script_ptys(checkpolicy_t)
-
-libs_use_ld_so(checkpolicy_t)
-libs_use_shared_libs(checkpolicy_t)
-
-userdom_use_all_users_fds(checkpolicy_t)
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(checkpolicy_t)
-	term_use_unallocated_ttys(checkpolicy_t)
-')
-
-########################################
-#
-# Load_policy local policy
-#
-
-allow load_policy_t self:capability dac_override;
-
-# only allow read of policy config files
-allow load_policy_t policy_src_t:dir search;
-allow load_policy_t policy_config_t:dir r_dir_perms;
-allow load_policy_t policy_config_t:file r_file_perms;
-allow load_policy_t policy_config_t:lnk_file r_file_perms;
-
-allow load_policy_t selinux_config_t:dir r_dir_perms;
-allow load_policy_t selinux_config_t:file r_file_perms;
-allow load_policy_t selinux_config_t:lnk_file r_file_perms;
-
-domain_use_interactive_fds(load_policy_t)
-
-# for mcs.conf
-files_read_etc_files(load_policy_t)
-files_read_etc_runtime_files(load_policy_t)
-
-fs_getattr_xattr_fs(load_policy_t)
-
-mls_file_read_up(load_policy_t)
-
-selinux_get_fs_mount(load_policy_t)
-selinux_load_policy(load_policy_t)
-selinux_set_boolean(load_policy_t)
-
-term_use_console(load_policy_t)
-term_list_ptys(load_policy_t)
-
-init_use_script_fds(load_policy_t)
-init_use_script_ptys(load_policy_t)
-
-libs_use_ld_so(load_policy_t)
-libs_use_shared_libs(load_policy_t)
-
-miscfiles_read_localization(load_policy_t)
-
-userdom_use_all_users_fds(load_policy_t)
-
-ifdef(`hide_broken_symptoms',`
-	# cjp: cover up stray file descriptors.
-	dontaudit load_policy_t selinux_config_t:file write;
-	optional_policy(`
-		unconfined_dontaudit_read_pipes(load_policy_t)
-	')
-')
-
-ifdef(`targeted_policy',`
-	term_use_unallocated_ttys(load_policy_t)
-	term_use_generic_ptys(load_policy_t)
-')
-
-########################################
-#
-# Newrole local policy
-#
-
-allow newrole_t self:capability { fowner setuid setgid dac_override };
-allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
-allow newrole_t self:process setexec;
-allow newrole_t self:fd use;
-allow newrole_t self:fifo_file rw_file_perms;
-allow newrole_t self:sock_file r_file_perms;
-allow newrole_t self:shm create_shm_perms;
-allow newrole_t self:sem create_sem_perms;
-allow newrole_t self:msgq create_msgq_perms;
-allow newrole_t self:msg { send receive };
-allow newrole_t self:unix_dgram_socket sendto;
-allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-
-allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
-allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
-allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
-
-kernel_read_system_state(newrole_t)
-kernel_read_kernel_sysctls(newrole_t)
-
-dev_read_urand(newrole_t)
-
-fs_getattr_xattr_fs(newrole_t)
-fs_search_auto_mountpoints(newrole_t)
-
-mls_file_read_up(newrole_t)
-mls_file_write_down(newrole_t)
-mls_file_upgrade(newrole_t)
-mls_file_downgrade(newrole_t)
-mls_process_set_level(newrole_t)
-
-selinux_get_fs_mount(newrole_t)
-selinux_validate_context(newrole_t)
-selinux_compute_access_vector(newrole_t)
-selinux_compute_create_context(newrole_t)
-selinux_compute_relabel_context(newrole_t)
-selinux_compute_user_contexts(newrole_t)
-
-term_use_all_user_ttys(newrole_t)
-term_use_all_user_ptys(newrole_t)
-term_relabel_all_user_ttys(newrole_t)
-term_relabel_all_user_ptys(newrole_t)
-term_getattr_unallocated_ttys(newrole_t)
-term_dontaudit_use_unallocated_ttys(newrole_t)
-
-auth_domtrans_chk_passwd(newrole_t)
-
-corecmd_list_bin(newrole_t)
-corecmd_read_bin_symlinks(newrole_t)
-
-domain_use_interactive_fds(newrole_t)
-# for when the user types "exec newrole" at the command line:
-domain_sigchld_interactive_fds(newrole_t)
-
-# Write to utmp.
-init_rw_utmp(newrole_t)
-
-files_read_etc_files(newrole_t)
-files_read_var_files(newrole_t)
-files_read_var_symlinks(newrole_t)
-
-libs_use_ld_so(newrole_t)
-libs_use_shared_libs(newrole_t)
-
-logging_send_syslog_msg(newrole_t)
-
-miscfiles_read_localization(newrole_t)
-
-userdom_use_unpriv_users_fds(newrole_t)
-# for some PAM modules and for cwd
-userdom_dontaudit_search_all_users_home_content(newrole_t)
-
-ifdef(`strict_policy',`
-	# if secure mode is enabled, then newrole
-	# can only transition to unprivileged users
-	if(secure_mode) {
-		userdom_spec_domtrans_unpriv_users(newrole_t)
-	} else {
-		userdom_spec_domtrans_all_users(newrole_t)
-	}
-')
-
-optional_policy(`
-	nis_use_ypbind(newrole_t)
-')
-
-optional_policy(`
-	nscd_socket_use(newrole_t)
-')
-
-########################################
-#
-# Restorecon local policy
-#
-
-allow restorecon_t self:capability { dac_override dac_read_search fowner };
-allow restorecon_t self:fifo_file rw_file_perms;
-
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
-
-kernel_use_fds(restorecon_t)
-kernel_rw_pipes(restorecon_t)
-kernel_read_system_state(restorecon_t)
-kernel_rw_unix_dgram_sockets(restorecon_t)
-kernel_relabelfrom_unlabeled_dirs(restorecon_t)
-kernel_relabelfrom_unlabeled_files(restorecon_t)
-kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
-kernel_relabelfrom_unlabeled_pipes(restorecon_t)
-kernel_relabelfrom_unlabeled_sockets(restorecon_t)
-
-dev_relabel_all_dev_nodes(restorecon_t)
-# cjp: why is this needed?
-dev_rw_generic_files(restorecon_t)
-
-fs_getattr_xattr_fs(restorecon_t)
-fs_search_auto_mountpoints(restorecon_t)
-
-mls_file_read_up(restorecon_t)
-mls_file_write_down(restorecon_t)
-mls_file_upgrade(restorecon_t)
-mls_file_downgrade(restorecon_t)
-
-selinux_get_fs_mount(restorecon_t)
-selinux_validate_context(restorecon_t)
-selinux_compute_access_vector(restorecon_t)
-selinux_compute_create_context(restorecon_t)
-selinux_compute_relabel_context(restorecon_t)
-selinux_compute_user_contexts(restorecon_t)
-
-term_use_unallocated_ttys(restorecon_t)
-term_use_all_user_ttys(restorecon_t)
-term_use_all_user_ptys(restorecon_t)
-
-init_use_fds(restorecon_t)
-init_use_script_ptys(restorecon_t)
-
-domain_use_interactive_fds(restorecon_t)
-domain_dontaudit_search_all_domains_state(restorecon_t)
-
-files_read_etc_runtime_files(restorecon_t)
-files_read_etc_files(restorecon_t)
-
-libs_use_ld_so(restorecon_t)
-libs_use_shared_libs(restorecon_t)
-
-logging_send_syslog_msg(restorecon_t)
-
-userdom_use_all_users_fds(restorecon_t)
-
-files_relabel_all_files(restorecon_t)
-fs_relabelfrom_noxattr_fs(restorecon_t)
-
-files_list_all(restorecon_t)
-# this is to satisfy the assertion:
-auth_relabelto_shadow(restorecon_t)
-
-ifdef(`distro_redhat', `
-	fs_rw_tmpfs_chr_files(restorecon_t)
-	fs_rw_tmpfs_blk_files(restorecon_t)
-	fs_relabel_tmpfs_blk_file(restorecon_t)
-	fs_relabel_tmpfs_chr_file(restorecon_t)
-')
-
-ifdef(`hide_broken_symptoms',`
-	optional_policy(`
-		udev_dontaudit_rw_dgram_sockets(restorecon_t)
-	')
-')
-
-optional_policy(`
-	hotplug_use_fds(restorecon_t)
-')
-
-########################################
-#
-# Restorecond local policy
-#
-
-allow restorecond_t self:capability { dac_override dac_read_search fowner };
-allow restorecond_t self:fifo_file rw_file_perms;
-
-allow restorecond_t restorecond_var_run_t:file create_file_perms;
-files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
-
-auth_relabel_all_files_except_shadow(restorecond_t )
-auth_read_all_files_except_shadow(restorecond_t)
-fs_relabelfrom_noxattr_fs(restorecond_t)
-
-kernel_use_fds(restorecond_t)
-kernel_rw_pipes(restorecond_t)
-kernel_read_system_state(restorecond_t)
-
-fs_getattr_xattr_fs(restorecond_t)
-fs_list_inotifyfs(restorecond_t)
-
-selinux_get_fs_mount(restorecond_t)
-selinux_validate_context(restorecond_t)
-selinux_compute_access_vector(restorecond_t)
-selinux_compute_create_context(restorecond_t)
-selinux_compute_relabel_context(restorecond_t)
-selinux_compute_user_contexts(restorecond_t)
-
-term_dontaudit_use_generic_ptys(restorecond_t)
-
-init_use_fds(restorecond_t)
-
-libs_use_ld_so(restorecond_t)
-libs_use_shared_libs(restorecond_t)
-
-logging_send_syslog_msg(restorecond_t)
-
-miscfiles_read_localization(restorecond_t)
-
-#################################
-#
-# Run_init local policy
-#
-
-selinux_get_fs_mount(run_init_t)
-selinux_validate_context(run_init_t)
-selinux_compute_access_vector(run_init_t)
-selinux_compute_create_context(run_init_t)
-selinux_compute_relabel_context(run_init_t)
-selinux_compute_user_contexts(run_init_t)
-
-mls_rangetrans_source(run_init_t)
-
-ifdef(`direct_sysadm_daemon',`',`
-	ifdef(`distro_gentoo',`
-		# Gentoo integrated run_init:
-		init_script_file_entry_type(run_init_t)
-	')
-')
-
-ifdef(`targeted_policy',`',`
-	allow run_init_t self:process setexec;
-	allow run_init_t self:capability setuid;
-	allow run_init_t self:fifo_file rw_file_perms;
-	allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-	# often the administrator runs such programs from a directory that is owned
-	# by a different user or has restrictive SE permissions, do not want to audit
-	# the failed access to the current directory
-	dontaudit run_init_t self:capability { dac_override dac_read_search };
-
-	fs_getattr_xattr_fs(run_init_t)
-
-	dev_dontaudit_list_all_dev_nodes(run_init_t)
-
-	term_dontaudit_list_ptys(run_init_t)
-
-	auth_domtrans_chk_passwd(run_init_t)
-	auth_dontaudit_read_shadow(run_init_t)
-
-	corecmd_exec_bin(run_init_t)
-	corecmd_exec_shell(run_init_t)
-
-	domain_use_interactive_fds(run_init_t)
-
-	files_read_etc_files(run_init_t)
-	files_dontaudit_search_all_dirs(run_init_t)
-
-	init_domtrans_script(run_init_t)
-	# for utmp
-	init_rw_utmp(run_init_t)
-
-	libs_use_ld_so(run_init_t)
-	libs_use_shared_libs(run_init_t)
-
-	seutil_read_config(run_init_t)
-	seutil_read_default_contexts(run_init_t)
-
-	miscfiles_read_localization(run_init_t)
-
-	logging_send_syslog_msg(run_init_t)
-
-	optional_policy(`
-		daemontools_domtrans_start(run_init_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use(run_init_t)
-	')	
-
-') dnl end ifdef targeted policy
-
-########################################
-#
-# semodule local policy
-#
-
-allow semanage_t self:capability dac_override;
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-allow semanage_t policy_config_t:file { read write };
-
-allow semanage_t semanage_tmp_t:dir create_dir_perms;
-allow semanage_t semanage_tmp_t:file create_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
-corecmd_exec_bin(semanage_t)
-corecmd_exec_sbin(semanage_t)
-
-dev_read_urand(semanage_t)
-
-files_read_etc_files(semanage_t)
-files_read_usr_files(semanage_t)
-files_list_pids(semanage_t)
-
-mls_file_write_down(semanage_t)
-mls_rangetrans_target(semanage_t)
-mls_file_read_up(semanage_t)
-
-selinux_get_enforce_mode(semanage_t)
-# for setsebool:
-selinux_set_boolean(semanage_t)
-
-term_use_all_terms(semanage_t)
-
-libs_use_ld_so(semanage_t)
-libs_use_shared_libs(semanage_t)
-libs_use_lib_files(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
-
-seutil_search_default_contexts(semanage_t)
-seutil_manage_file_contexts(semanage_t)
-seutil_manage_selinux_config(semanage_t)
-seutil_domtrans_setfiles(semanage_t)
-seutil_domtrans_loadpolicy(semanage_t)
-seutil_read_config(semanage_t)
-seutil_manage_bin_policy(semanage_t)
-seutil_use_newrole_fds(semanage_t)
-seutil_manage_module_store(semanage_t)
-seutil_get_semanage_trans_lock(semanage_t)
-seutil_get_semanage_read_lock(semanage_t)
-
-userdom_search_sysadm_home_dirs(semanage_t)
-
-ifdef(`targeted_policy',`
-# Handle pp files created in homedir and /tmp
-	files_read_generic_tmp_files(semanage_t)
-	userdom_read_generic_user_home_content_files(semanage_t)
-')
-
-optional_policy(`
-	nscd_socket_use(semanage_t)
-')
-
-########################################
-#
-# Setfiles local policy
-#
-
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-allow setfiles_t self:fifo_file rw_file_perms;
-
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
-
-kernel_read_system_state(setfiles_t)
-kernel_relabelfrom_unlabeled_dirs(setfiles_t)
-kernel_relabelfrom_unlabeled_files(setfiles_t)
-kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
-kernel_relabelfrom_unlabeled_pipes(setfiles_t)
-kernel_relabelfrom_unlabeled_sockets(setfiles_t)
-
-dev_relabel_all_dev_nodes(setfiles_t)
-
-fs_getattr_xattr_fs(setfiles_t)
-fs_list_all(setfiles_t)
-
-mls_file_read_up(setfiles_t)
-mls_file_write_down(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
-
-selinux_get_fs_mount(setfiles_t)
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
-
-term_use_all_user_ttys(setfiles_t)
-term_use_all_user_ptys(setfiles_t)
-term_use_unallocated_ttys(setfiles_t)
-
-# this is to satisfy the assertion:
-auth_relabelto_shadow(setfiles_t)
-
-init_use_fds(setfiles_t)
-init_use_script_fds(setfiles_t)
-init_use_script_ptys(setfiles_t)
-
-domain_use_interactive_fds(setfiles_t)
-
-libs_use_ld_so(setfiles_t)
-libs_use_shared_libs(setfiles_t)
-
-files_read_etc_runtime_files(setfiles_t)
-files_read_etc_files(setfiles_t)
-files_list_all(setfiles_t)
-files_relabel_all_files(setfiles_t)
-fs_relabelfrom_noxattr_fs(setfiles_t)
-
-logging_send_syslog_msg(setfiles_t)
-
-miscfiles_read_localization(setfiles_t)
-
-userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_all_users_home_content_files(setfiles_t)
diff --git a/refpolicy/policy/modules/system/setrans.fc b/refpolicy/policy/modules/system/setrans.fc
deleted file mode 100644
index 71c374f..0000000
--- a/refpolicy/policy/modules/system/setrans.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/sbin/mcstransd	--	gen_context(system_u:object_r:setrans_exec_t,s0)
-
-/var/run/setrans(/.*)?	gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
diff --git a/refpolicy/policy/modules/system/setrans.if b/refpolicy/policy/modules/system/setrans.if
deleted file mode 100644
index 9547503..0000000
--- a/refpolicy/policy/modules/system/setrans.if
+++ /dev/null
@@ -1,25 +0,0 @@
-## <summary>SELinux MLS/MCS label translation service.</summary>
-
-#######################################
-## <summary>
-##	Allow a domain to translate contexts.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`setrans_translate_context',`
-	gen_require(`
-		type setrans_t, setrans_var_run_t;
-	')
-
-	allow $1 self:unix_stream_socket create_stream_socket_perms;
-
-	allow $1 setrans_t:unix_stream_socket connectto;
-	allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
-	allow $1 setrans_var_run_t:sock_file rw_file_perms;
-	allow $1 setrans_var_run_t:dir search_dir_perms;
-	files_list_pids($1)
-')
diff --git a/refpolicy/policy/modules/system/setrans.te b/refpolicy/policy/modules/system/setrans.te
deleted file mode 100644
index 4ef391e..0000000
--- a/refpolicy/policy/modules/system/setrans.te
+++ /dev/null
@@ -1,70 +0,0 @@
-
-policy_module(setrans,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type setrans_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type setrans_exec_t;
-')
-init_daemon_domain(setrans_t, setrans_exec_t)
-
-type setrans_var_run_t;
-files_pid_file(setrans_var_run_t)
-mls_trusted_object(setrans_var_run_t)
-
-########################################
-#
-# setrans local policy
-#
-
-allow setrans_t self:capability sys_resource;
-allow setrans_t self:process { setrlimit setcap signal_perms };
-allow setrans_t self:unix_stream_socket create_stream_socket_perms;
-allow setrans_t self:unix_dgram_socket create_socket_perms;
-allow setrans_t self:netlink_selinux_socket create_socket_perms;
-
-can_exec(setrans_t, setrans_exec_t)
-corecmd_search_sbin(setrans_t)
-
-# create unix domain socket in /var
-allow setrans_t setrans_var_run_t:sock_file manage_file_perms;
-allow setrans_t setrans_var_run_t:file manage_file_perms;
-allow setrans_t setrans_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(setrans_t,setrans_var_run_t,file)
-
-kernel_read_kernel_sysctls(setrans_t)
-kernel_read_proc_symlinks(setrans_t)
-
-# allow performing getpidcon() on all processes
-domain_read_all_domains_state(setrans_t)
-domain_getattr_all_domains(setrans_t)
-domain_getsession_all_domains(setrans_t)
-
-files_read_etc_runtime_files(setrans_t)
-
-mls_file_read_up(setrans_t)
-mls_file_write_down(setrans_t)
-mls_net_receive_all_levels(setrans_t)
-mls_rangetrans_target(setrans_t)
-
-selinux_compute_access_vector(setrans_t)
-
-term_dontaudit_use_generic_ptys(setrans_t)
-
-init_use_fds(setrans_t)
-init_dontaudit_use_script_ptys(setrans_t)
-
-libs_use_ld_so(setrans_t)
-libs_use_shared_libs(setrans_t)
-
-logging_send_syslog_msg(setrans_t)
-
-miscfiles_read_localization(setrans_t)
-
-seutil_read_config(setrans_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc
deleted file mode 100644
index f58df4f..0000000
--- a/refpolicy/policy/modules/system/sysnetwork.fc
+++ /dev/null
@@ -1,56 +0,0 @@
-
-#
-# /bin
-#
-/bin/ip			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
-#
-# /etc
-#
-/etc/dhclient.*conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
-/etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
-/etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
-/etc/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
-/etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
-/etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
-
-/etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
-/etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
-
-ifdef(`distro_redhat',`
-/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-')
-
-#
-# /sbin
-#
-/sbin/dhclient.*	--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/dhcdbd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/iwconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/mii-tool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/pump		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
-#
-# /usr
-#
-/usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/dhcp3?		-d	gen_context(system_u:object_r:dhcp_state_t,s0)
-/var/lib/dhcp3?/dhclient.*	gen_context(system_u:object_r:dhcpc_state_t,s0)
-/var/lib/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
-
-/var/lib/dhclient(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
-/var/run/dhclient.*\.pid --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
-/var/run/dhclient.*\.leases --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
deleted file mode 100644
index be11fc0..0000000
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ /dev/null
@@ -1,562 +0,0 @@
-## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
-
-#######################################
-## <summary>
-##	Execute dhcp client in dhcpc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##     The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`sysnet_domtrans_dhcpc',`
-	gen_require(`
-		type dhcpc_t, dhcpc_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
-
-	allow $1 dhcpc_t:fd use;
-	allow dhcpc_t $1:fd use;
-	allow dhcpc_t $1:fifo_file rw_file_perms;
-	allow dhcpc_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute DHCP clients in the dhcpc domain, and
-##	allow the specified role the dhcpc domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the clock domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the clock domain to use.
-##	</summary>
-## </param>
-#
-interface(`sysnet_run_dhcpc',`
-	gen_require(`
-		type dhcpc_t;
-	')
-
-	sysnet_domtrans_dhcpc($1)
-	role $2 types dhcpc_t;
-	allow dhcpc_t $3:chr_file { getattr read write ioctl };
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to the dhcp client.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain sending the SIGCHLD.
-##	</summary>
-## </param>
-#
-interface(`sysnet_sigchld_dhcpc',`
-	gen_require(`
-		type dhcpc_t;
-	')
-
-	allow $1 dhcpc_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send a kill signal to the dhcp client.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain sending the SIGKILL.
-##	</summary>
-## </param>
-#
-interface(`sysnet_kill_dhcpc',`
-	gen_require(`
-		type dhcpc_t;
-	')
-
-	allow $1 dhcpc_t:process sigkill;
-')
-
-########################################
-## <summary>
-##	Send a SIGSTOP signal to the dhcp client.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain sending the SIGSTOP.
-##	</summary>
-## </param>
-#
-interface(`sysnet_sigstop_dhcpc',`
-	gen_require(`
-		type dhcpc_t;
-	')
-
-	allow $1 dhcpc_t:process sigstop;
-')
-
-########################################
-## <summary>
-##	Send a null signal to the dhcp client.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain sending the null signal.
-##	</summary>
-## </param>
-#
-interface(`sysnet_signull_dhcpc',`
-	gen_require(`
-		type dhcpc_t;
-	')
-
-	allow $1 dhcpc_t:process signull;
-')
-
-########################################
-## <summary>
-##	Send a generic signal to the dhcp client.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain sending the signal.
-##	</summary>
-## </param>
-#
-interface(`sysnet_signal_dhcpc',`
-	gen_require(`
-		type dhcpc_t;
-	')
-
-	allow $1 dhcpc_t:process signal;
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	dhcpc over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysnet_dbus_chat_dhcpc',`
-	gen_require(`
-		type dhcpc_t;
-		class dbus send_msg;
-	')
-
-	allow $1 dhcpc_t:dbus send_msg;
-	allow dhcpc_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Read and write dhcp configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysnet_rw_dhcp_config',`
-	gen_require(`
-		type dhcp_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 dhcp_etc_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read dhcp client state files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysnet_read_dhcpc_state',`
-	gen_require(`
-		type dhcpc_state_t;
-	')
-
-	allow $1 dhcpc_state_t:file { getattr read };
-')
-
-#######################################
-## <summary>
-##	Allow network init to read network config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`sysnet_read_config',`
-	gen_require(`
-		type net_conf_t;
-	')
-
-	files_search_etc($1)
-	allow $1 net_conf_t:file r_file_perms;
-')
-
-#######################################
-## <summary>
-##	Do not audit attempts to read network config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`sysnet_dontaudit_read_config',`
-	gen_require(`
-		type net_conf_t;
-	')
-
-	dontaudit $1 net_conf_t:file r_file_perms;
-')
-
-#######################################
-## <summary>
-##	Create files in /etc with the type used for
-##	the network config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`sysnet_etc_filetrans_config',`
-	gen_require(`
-		type net_conf_t;
-	')
-
-	files_etc_filetrans($1,net_conf_t,file)
-')
-
-#######################################
-## <summary>
-##	Create, read, write, and delete network config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`sysnet_manage_config',`
-	gen_require(`
-		type net_conf_t;
-	')
-
-	allow $1 net_conf_t:file create_file_perms;
-')
-
-#######################################
-## <summary>
-##	Read the dhcp client pid file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`sysnet_read_dhcpc_pid',`
-	gen_require(`
-		type dhcpc_var_run_t;
-	')
-
-	files_list_pids($1)
-	allow $1 dhcpc_var_run_t:file { getattr read };
-')
-
-#######################################
-## <summary>
-##	Delete the dhcp client pid file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`sysnet_delete_dhcpc_pid',`
-	gen_require(`
-		type dhcpc_var_run_t;
-	')
-
-	allow $1 dhcpc_var_run_t:file unlink;
-')
-
-#######################################
-## <summary>
-##	Execute ifconfig in the ifconfig domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`sysnet_domtrans_ifconfig',`
-	gen_require(`
-		type ifconfig_t, ifconfig_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
-
-	allow $1 ifconfig_t:fd use;
-	allow ifconfig_t $1:fd use;
-	allow ifconfig_t $1:fifo_file rw_file_perms;
-	allow ifconfig_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute ifconfig in the ifconfig domain, and
-##	allow the specified role the ifconfig domain,
-##	and use the caller's terminal.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the ifconfig domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ifconfig domain to use.
-##	</summary>
-## </param>
-#
-interface(`sysnet_run_ifconfig',`
-	gen_require(`
-		type ifconfig_t;
-	')
-
-	corecmd_search_sbin($1)
-	sysnet_domtrans_ifconfig($1)
-	role $2 types ifconfig_t;
-	allow ifconfig_t $3:chr_file rw_term_perms;
-')
-
-#######################################
-## <summary>
-##	Execute ifconfig in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysnet_exec_ifconfig',`
-	gen_require(`
-		type ifconfig_exec_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1,ifconfig_exec_t)
-')
-
-########################################
-## <summary>
-##	Read the DHCP configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysnet_read_dhcp_config',`
-	gen_require(`
-		type dhcp_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 dhcp_etc_t:dir search;
-	allow $1 dhcp_etc_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Search the DHCP state data directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysnet_search_dhcp_state',`
-	gen_require(`
-		type dhcp_state_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 dhcp_state_t:dir search;
-')
-
-########################################
-## <summary>
-##	Create DHCP state data.
-## </summary>
-## <desc>
-##	<p>
-##	Create DHCP state data.
-##	</p>
-##	<p>
-##	This is added for DHCP server, as
-##	the server and client put their state
-##	files in the same directory.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="file_type">
-##	<summary>
-##	The type of the object to be created
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The object class.
-##	</summary>
-## </param>
-#
-interface(`sysnet_dhcp_state_filetrans',`
-	gen_require(`
-		type dhcp_state_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 dhcp_state_t:dir rw_dir_perms;
-	type_transition $1 dhcp_state_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Perform a DNS name resolution.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysnet_dns_name_resolve',`
-	gen_require(`
-		type net_conf_t;
-	')
-
-	allow $1 self:tcp_socket create_socket_perms;
-	allow $1 self:udp_socket create_socket_perms;
-
-	corenet_non_ipsec_sendrecv($1)
-	corenet_tcp_sendrecv_all_if($1)
-	corenet_udp_sendrecv_all_if($1)
-	corenet_tcp_sendrecv_all_nodes($1)
-	corenet_udp_sendrecv_all_nodes($1)
-	corenet_tcp_sendrecv_dns_port($1)
-	corenet_udp_sendrecv_dns_port($1)
-	corenet_tcp_connect_dns_port($1)
-	corenet_sendrecv_dns_client_packets($1)
-
-	files_search_etc($1)
-	allow $1 net_conf_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Connect and use a LDAP server.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysnet_use_ldap',`
-	gen_require(`
-		type net_conf_t;
-	')		
-
-	allow $1 self:tcp_socket create_socket_perms;
-
-	corenet_non_ipsec_sendrecv($1)
-	corenet_tcp_sendrecv_all_if($1)
-	corenet_tcp_sendrecv_all_nodes($1)
-	corenet_tcp_sendrecv_ldap_port($1)
-	corenet_tcp_connect_ldap_port($1)
-	corenet_sendrecv_ldap_client_packets($1)
-
-	files_search_etc($1)
-	allow $1 net_conf_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Connect and use remote port mappers.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysnet_use_portmap',`
-	gen_require(`
-		type net_conf_t;
-	')		
-
-	allow $1 self:tcp_socket create_socket_perms;
-	allow $1 self:udp_socket create_socket_perms;
-
-	corenet_non_ipsec_sendrecv($1)
-	corenet_tcp_sendrecv_all_if($1)
-	corenet_udp_sendrecv_all_if($1)
-	corenet_tcp_sendrecv_all_nodes($1)
-	corenet_udp_sendrecv_all_nodes($1)
-	corenet_tcp_sendrecv_portmap_port($1)
-	corenet_udp_sendrecv_portmap_port($1)
-	corenet_tcp_connect_portmap_port($1)
-	corenet_sendrecv_portmap_client_packets($1)
-
-	files_search_etc($1)
-	allow $1 net_conf_t:file r_file_perms;
-')
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
deleted file mode 100644
index 2404432..0000000
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ /dev/null
@@ -1,354 +0,0 @@
-
-policy_module(sysnetwork,1.1.8)
-
-########################################
-#
-# Declarations
-#
-
-# this is shared between dhcpc and dhcpd:
-type dhcp_etc_t;
-typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
-files_config_file(dhcp_etc_t)
-
-# this is shared between dhcpc and dhcpd:
-type dhcp_state_t;
-files_type(dhcp_state_t)
-
-type dhcpc_t;
-type dhcpc_exec_t;
-init_daemon_domain(dhcpc_t,dhcpc_exec_t)
-role system_r types dhcpc_t;
-
-type dhcpc_state_t;
-files_type(dhcpc_state_t)
-
-type dhcpc_tmp_t;
-files_tmp_file(dhcpc_tmp_t)
-
-type dhcpc_var_run_t;
-files_pid_file(dhcpc_var_run_t)
-
-type ifconfig_t;
-type ifconfig_exec_t;
-init_system_domain(ifconfig_t, ifconfig_exec_t)
-role system_r types ifconfig_t;
-
-type net_conf_t alias resolv_conf_t;
-files_type(net_conf_t)
-
-########################################
-#
-# DHCP client local policy
-#
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability sys_tty_config;
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process signal_perms;
-allow dhcpc_t self:fifo_file rw_file_perms;
-allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-allow dhcpc_t self:udp_socket create_socket_perms;
-allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
-
-allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
-allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
-allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };
-
-allow dhcpc_t dhcp_state_t:dir rw_dir_perms;
-allow dhcpc_t dhcp_state_t:file { getattr read };
-allow dhcpc_t dhcpc_state_t:dir rw_dir_perms;
-allow dhcpc_t dhcpc_state_t:file create_file_perms;
-type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
-
-# create pid file
-allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
-allow dhcpc_t dhcpc_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dhcpc_t,dhcpc_var_run_t,file)
-
-# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
-# in /etc created by dhcpcd will be labelled net_conf_t.
-allow dhcpc_t net_conf_t:file create_file_perms;
-files_etc_filetrans(dhcpc_t,net_conf_t,file)
-
-# create temp files
-allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
-allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
-files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
-
-can_exec(dhcpc_t, dhcpc_exec_t)
-
-# transition to ifconfig
-domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
-allow dhcpc_t ifconfig_t:fd use;
-allow ifconfig_t dhcpc_t:fd use;
-allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
-allow ifconfig_t dhcpc_t:process sigchld;
-
-kernel_read_system_state(dhcpc_t)
-kernel_read_network_state(dhcpc_t)
-kernel_read_kernel_sysctls(dhcpc_t)
-kernel_use_fds(dhcpc_t)
-
-corenet_non_ipsec_sendrecv(dhcpc_t)
-corenet_tcp_sendrecv_all_if(dhcpc_t)
-corenet_raw_sendrecv_all_if(dhcpc_t)
-corenet_udp_sendrecv_all_if(dhcpc_t)
-corenet_tcp_sendrecv_all_nodes(dhcpc_t)
-corenet_raw_sendrecv_all_nodes(dhcpc_t)
-corenet_udp_sendrecv_all_nodes(dhcpc_t)
-corenet_tcp_sendrecv_all_ports(dhcpc_t)
-corenet_udp_sendrecv_all_ports(dhcpc_t)
-corenet_tcp_bind_all_nodes(dhcpc_t)
-corenet_udp_bind_all_nodes(dhcpc_t)
-corenet_udp_bind_dhcpc_port(dhcpc_t)
-corenet_tcp_connect_all_ports(dhcpc_t)
-corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
-corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
-
-dev_read_sysfs(dhcpc_t)
-# for SSP:
-dev_read_urand(dhcpc_t)
-
-fs_getattr_all_fs(dhcpc_t)
-fs_search_auto_mountpoints(dhcpc_t)
-
-term_dontaudit_use_console(dhcpc_t)
-term_dontaudit_use_all_user_ttys(dhcpc_t)
-term_dontaudit_use_all_user_ptys(dhcpc_t)
-term_dontaudit_use_unallocated_ttys(dhcpc_t)
-term_dontaudit_use_generic_ptys(dhcpc_t)
-
-corecmd_exec_bin(dhcpc_t)
-corecmd_exec_sbin(dhcpc_t)
-corecmd_exec_shell(dhcpc_t)
-
-domain_use_interactive_fds(dhcpc_t)
-domain_dontaudit_list_all_domains_state(dhcpc_t)
-
-files_read_etc_files(dhcpc_t)
-files_read_etc_runtime_files(dhcpc_t)
-files_search_home(dhcpc_t)
-files_search_var_lib(dhcpc_t)
-files_dontaudit_search_locks(dhcpc_t)
-
-init_use_fds(dhcpc_t)
-init_use_script_ptys(dhcpc_t)
-init_rw_utmp(dhcpc_t)
-
-logging_send_syslog_msg(dhcpc_t)
-
-libs_use_ld_so(dhcpc_t)
-libs_use_shared_libs(dhcpc_t)
-
-miscfiles_read_localization(dhcpc_t)
-
-modutils_domtrans_insmod(dhcpc_t)
-
-userdom_dontaudit_search_staff_home_dirs(dhcpc_t)
-
-ifdef(`distro_redhat', `
-	files_exec_etc_files(dhcpc_t)
-')
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(dhcpc_t)
-	term_dontaudit_use_generic_ptys(dhcpc_t)
-	files_dontaudit_read_root_files(dhcpc_t)
-')
-
-optional_policy(`
-	consoletype_domtrans(dhcpc_t)
-')
-
-optional_policy(`
-	gen_require(`
-		class dbus send_msg;
-	')
-
-	allow dhcpc_t self:dbus send_msg;
-
-	init_dbus_chat_script(dhcpc_t)
-
-	dbus_system_bus_client_template(dhcpc,dhcpc_t)
-	dbus_connect_system_bus(dhcpc_t)
-	dbus_send_system_bus(dhcpc_t)
-
-	optional_policy(`
-		networkmanager_dbus_chat(dhcpc_t)
-	')
-')
-
-optional_policy(`
-	hostname_domtrans(dhcpc_t)
-')
-
-optional_policy(`
-	hotplug_getattr_config_dirs(dhcpc_t)
-	hotplug_search_config(dhcpc_t)
-
-	ifdef(`distro_redhat',`
-		logging_domtrans_syslog(dhcpc_t)
-	')
-')
-
-# for the dhcp client to run ping to check IP addresses
-optional_policy(`
-	netutils_domtrans_ping(dhcpc_t)
-	netutils_domtrans(dhcpc_t)
-',`
-	allow dhcpc_t self:capability setuid;
-	allow dhcpc_t self:rawip_socket create_socket_perms;
-')
-
-optional_policy(`
-	nis_use_ypbind(dhcpc_t)
-	nis_signal_ypbind(dhcpc_t)
-	nis_read_ypbind_pid(dhcpc_t)
-	nis_delete_ypbind_pid(dhcpc_t)
-
-	# dhclient sometimes starts ypbind
-	init_exec_script_files(dhcpc_t)
-	nis_domtrans_ypbind(dhcpc_t)
-')
-
-optional_policy(`
-	nscd_domtrans(dhcpc_t)
-	nscd_read_pid(dhcpc_t)
-')
-
-optional_policy(`
-	# dhclient sometimes starts ntpd
-	init_exec_script_files(dhcpc_t)
-	ntp_domtrans(dhcpc_t)
-')
-
-optional_policy(`
-	pcmcia_stub(dhcpc_t)
-	dev_rw_cardmgr(dhcpc_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(dhcpc_t)
-	seutil_dontaudit_search_config(dhcpc_t)
-')
-
-optional_policy(`
-	udev_read_db(dhcpc_t)
-')
-
-optional_policy(`
-	userdom_use_all_users_fds(dhcpc_t)
-')
-
-optional_policy(`
-	kernel_read_xen_state(dhcpc_t)
-	kernel_write_xen_state(dhcpc_t)
-	xen_append_log(dhcpc_t)
-	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
-')
-
-########################################
-#
-# Ifconfig local policy
-#
-
-allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
-allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
-dontaudit ifconfig_t self:capability sys_module;
-
-allow ifconfig_t self:fd use;
-allow ifconfig_t self:fifo_file rw_file_perms;
-allow ifconfig_t self:sock_file r_file_perms;
-allow ifconfig_t self:socket create_socket_perms;
-allow ifconfig_t self:unix_dgram_socket create_socket_perms;
-allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
-allow ifconfig_t self:unix_dgram_socket sendto;
-allow ifconfig_t self:unix_stream_socket connectto;
-allow ifconfig_t self:shm create_shm_perms;
-allow ifconfig_t self:sem create_sem_perms;
-allow ifconfig_t self:msgq create_msgq_perms;
-allow ifconfig_t self:msg { send receive };
-
-# Create UDP sockets, necessary when called from dhcpc
-allow ifconfig_t self:udp_socket create_socket_perms;
-
-# for /sbin/ip
-allow ifconfig_t self:packet_socket create_socket_perms;
-allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-allow ifconfig_t self:tcp_socket { create ioctl };
-files_read_etc_files(ifconfig_t);
-
-kernel_use_fds(ifconfig_t)
-kernel_read_system_state(ifconfig_t)
-kernel_read_network_state(ifconfig_t)
-kernel_search_network_sysctl(ifconfig_t)
-kernel_rw_net_sysctls(ifconfig_t)
-
-corenet_rw_tun_tap_dev(ifconfig_t)
-
-dev_read_sysfs(ifconfig_t)
-# for IPSEC setup:
-dev_read_urand(ifconfig_t)
-
-fs_getattr_xattr_fs(ifconfig_t)
-fs_search_auto_mountpoints(ifconfig_t)
-
-term_dontaudit_use_all_user_ttys(ifconfig_t)
-term_dontaudit_use_all_user_ptys(ifconfig_t)
-
-domain_use_interactive_fds(ifconfig_t)
-
-files_dontaudit_read_root_files(ifconfig_t)
-
-init_use_fds(ifconfig_t)
-init_use_script_ptys(ifconfig_t)
-
-libs_use_ld_so(ifconfig_t)
-libs_use_shared_libs(ifconfig_t)
-libs_read_lib_files(ifconfig_t)
-
-logging_send_syslog_msg(ifconfig_t)
-
-miscfiles_read_localization(ifconfig_t)
-
-modutils_domtrans_insmod(ifconfig_t)
-
-seutil_use_runinit_fds(ifconfig_t)
-
-userdom_use_all_users_fds(ifconfig_t)
-
-ifdef(`hide_broken_symptoms',`
-	optional_policy(`
-		dev_dontaudit_rw_cardmgr(ifconfig_t)
-	')
-
-	optional_policy(`
-		udev_dontaudit_rw_dgram_sockets(ifconfig_t)
-	')
-')
-
-ifdef(`targeted_policy',`
-	term_use_generic_ptys(ifconfig_t)
-	term_use_unallocated_ttys(ifconfig_t)
-')
-
-optional_policy(`
-	netutils_domtrans(dhcpc_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(ifconfig_t)
-')
-
-optional_policy(`
-	ppp_use_fds(ifconfig_t)
-')
-
-optional_policy(`
-	kernel_read_xen_state(ifconfig_t)
-	kernel_write_xen_state(ifconfig_t)
-	xen_append_log(ifconfig_t)
-	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
-')
diff --git a/refpolicy/policy/modules/system/udev.fc b/refpolicy/policy/modules/system/udev.fc
deleted file mode 100644
index 1a6c288..0000000
--- a/refpolicy/policy/modules/system/udev.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-# udev
-
-/dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
-
-/etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
-/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
-/etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
-/sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udevstart  --	gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-/usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
deleted file mode 100644
index 6aa57ce..0000000
--- a/refpolicy/policy/modules/system/udev.if
+++ /dev/null
@@ -1,143 +0,0 @@
-## <summary>Policy for udev.</summary>
-
-########################################
-## <summary>
-##	Execute udev in the udev domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`udev_domtrans',`
-	gen_require(`
-		type udev_t, udev_exec_t;
-	')
-
-	domain_auto_trans($1, udev_exec_t, udev_t)
-
-	allow $1 udev_t:fd use;
-	allow udev_t $1:fd use;
-	allow udev_t $1:fifo_file rw_file_perms;
-	allow udev_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute a udev helper in the udev domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`udev_helper_domtrans',`
-	gen_require(`
-		type udev_t, udev_helper_exec_t;
-	')
-
-	domain_auto_trans($1, udev_helper_exec_t, udev_t)
-
-	allow $1 udev_t:fd use;
-	allow udev_t $1:fd use;
-	allow udev_t $1:fifo_file rw_file_perms;
-	allow udev_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Allow process to read udev process state.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`udev_read_state',`
-	gen_require(`
-		type udev_t;
-	')
-
-	kernel_search_proc($1)
-	allow $1 udev_t:file r_file_perms;
-	allow $1 udev_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit a
-##	udev file descriptor.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`udev_dontaudit_use_fds',`
-	gen_require(`
-		type udev_t;
-	')
-
-	dontaudit $1 udev_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or write
-##	to a udev unix datagram socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`udev_dontaudit_rw_dgram_sockets',`
-	gen_require(`
-		type udev_t;
-	')
-
-	dontaudit $1 udev_t:unix_dgram_socket { read write };
-')
-
-########################################
-## <summary>
-##	Allow process to read list of devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`udev_read_db',`
-	gen_require(`
-		type udev_tdb_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 udev_tdb_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Allow process to modify list of devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`udev_rw_db',`
-	gen_require(`
-		type udev_tdb_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 udev_tdb_t:file rw_file_perms;
-')
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
deleted file mode 100644
index 06dec28..0000000
--- a/refpolicy/policy/modules/system/udev.te
+++ /dev/null
@@ -1,201 +0,0 @@
-
-policy_module(udev,1.3.3)
-
-########################################
-#
-# Declarations
-#
-
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type udev_exec_t;
-')
-
-type udev_t;
-type udev_helper_exec_t;
-kernel_domtrans_to(udev_t,udev_exec_t)
-domain_obj_id_change_exemption(udev_t)
-domain_entry_file(udev_t,udev_helper_exec_t)
-domain_interactive_fd(udev_t)
-init_daemon_domain(udev_t,udev_exec_t)
-
-type udev_etc_t alias etc_udev_t;
-files_config_file(udev_etc_t)
-
-# udev_runtime_t is the type of the udev table file
-# cjp: this is probably a copy of udev_tbl_t and can be removed
-type udev_runtime_t;
-files_type(udev_runtime_t)
-
-type udev_tbl_t alias udev_tdb_t;
-files_type(udev_tbl_t)
-
-type udev_var_run_t;
-files_pid_file(udev_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
-dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow udev_t self:process { execmem setfscreate };
-allow udev_t self:fd use;
-allow udev_t self:fifo_file rw_file_perms;
-allow udev_t self:sock_file r_file_perms;
-allow udev_t self:shm create_shm_perms;
-allow udev_t self:sem create_sem_perms;
-allow udev_t self:msgq create_msgq_perms;
-allow udev_t self:msg { send receive };
-allow udev_t self:unix_stream_socket { listen accept };
-allow udev_t self:unix_dgram_socket sendto;
-allow udev_t self:unix_stream_socket connectto;
-allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow udev_t self:rawip_socket create_socket_perms;
-
-allow udev_t udev_exec_t:file write;
-can_exec(udev_t, udev_exec_t)
-
-allow udev_t udev_helper_exec_t:dir r_dir_perms;
-
-# read udev config
-allow udev_t udev_etc_t:file r_file_perms;
-
-# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file create_file_perms;
-dev_filetrans(udev_t,udev_tbl_t,file)
-
-allow udev_t udev_var_run_t:file create_file_perms;
-allow udev_t udev_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(udev_t,udev_var_run_t,file)
-
-kernel_read_system_state(udev_t)
-kernel_getattr_core_if(udev_t)
-kernel_use_fds(udev_t)
-kernel_read_device_sysctls(udev_t)
-kernel_read_hotplug_sysctls(udev_t)
-kernel_read_modprobe_sysctls(udev_t)
-kernel_read_kernel_sysctls(udev_t)
-kernel_rw_hotplug_sysctls(udev_t)
-kernel_rw_unix_dgram_sockets(udev_t)
-kernel_dgram_send(udev_t)
-kernel_signal(udev_t)
-
-dev_rw_sysfs(udev_t)
-dev_manage_all_dev_nodes(udev_t)
-dev_rw_generic_files(udev_t)
-dev_delete_generic_files(udev_t)
-
-fs_getattr_all_fs(udev_t)
-fs_list_inotifyfs(udev_t)
-
-selinux_get_fs_mount(udev_t)
-selinux_validate_context(udev_t)
-selinux_compute_access_vector(udev_t)
-selinux_compute_create_context(udev_t)
-selinux_compute_relabel_context(udev_t)
-selinux_compute_user_contexts(udev_t)
-
-auth_use_nsswitch(udev_t)
-
-corecmd_exec_all_executables(udev_t)
-
-domain_read_all_domains_state(udev_t)
-
-files_read_etc_runtime_files(udev_t)
-files_read_etc_files(udev_t)
-files_exec_etc_files(udev_t)
-files_dontaudit_search_isid_type_dirs(udev_t)
-files_getattr_generic_locks(udev_t)
-files_search_mnt(udev_t)
-
-init_use_fds(udev_t)
-init_read_utmp(udev_t)
-init_dontaudit_write_utmp(udev_t)
-
-libs_use_ld_so(udev_t)
-libs_use_shared_libs(udev_t)
-
-logging_search_logs(udev_t)
-logging_send_syslog_msg(udev_t)
-
-miscfiles_read_localization(udev_t)
-
-mls_file_read_up(udev_t)
-mls_file_write_down(udev_t)
-mls_file_upgrade(udev_t)
-mls_file_downgrade(udev_t)
-mls_process_write_down(udev_t)
-
-modutils_domtrans_insmod(udev_t)
-
-seutil_read_config(udev_t)
-seutil_read_default_contexts(udev_t)
-seutil_read_file_contexts(udev_t)
-seutil_domtrans_restorecon(udev_t)
-
-sysnet_domtrans_ifconfig(udev_t)
-
-userdom_use_sysadm_ttys(udev_t)
-userdom_dontaudit_search_all_users_home_content(udev_t)
-
-ifdef(`distro_redhat',`
-	fs_manage_tmpfs_dirs(udev_t)
-	fs_manage_tmpfs_files(udev_t)
-	fs_manage_tmpfs_symlinks(udev_t)
-	fs_manage_tmpfs_sockets(udev_t)
-	fs_manage_tmpfs_blk_files(udev_t)
-	fs_manage_tmpfs_chr_files(udev_t)
-	fs_relabel_tmpfs_blk_file(udev_t)
-	fs_relabel_tmpfs_chr_file(udev_t)
-
-	# for arping used for static IP addresses on PCMCIA ethernet
-	netutils_domtrans(udev_t)
-')
-
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(udev_t)
-	term_dontaudit_use_generic_ptys(udev_t)
-
-	unconfined_domain(udev_t)
-')
-
-optional_policy(`
-	auth_read_pam_console_data(udev_t)
-	auth_domtrans_pam_console(udev_t)
-')
-
-optional_policy(`
-	consoletype_exec(udev_t)
-')
-
-optional_policy(`
-	dbus_system_bus_client_template(udev,udev_t)
-')
-
-optional_policy(`
-	hal_dgram_send(udev_t)
-')
-
-optional_policy(`
-	hotplug_read_config(udev_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(udev_t)
-')
-
-optional_policy(`
-	nscd_socket_use(udev_t)
-')
-
-optional_policy(`
-	sysnet_domtrans_dhcpc(udev_t)
-')
-
-optional_policy(`
-	xserver_read_xdm_pid(udev_t)
-')
diff --git a/refpolicy/policy/modules/system/unconfined.fc b/refpolicy/policy/modules/system/unconfined.fc
deleted file mode 100644
index 08643f9..0000000
--- a/refpolicy/policy/modules/system/unconfined.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# Add programs here which should not be confined by SELinux
-# e.g.:
-# /usr/local/bin/appsrv	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
-# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/vncserver	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
-
-ifdef(`targeted_policy',`
-/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/valgrind 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/local/RealPlay/realplay.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/mplayer	 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
deleted file mode 100644
index e2f4bc5..0000000
--- a/refpolicy/policy/modules/system/unconfined.if
+++ /dev/null
@@ -1,507 +0,0 @@
-## <summary>The unconfined domain.</summary>
-
-########################################
-## <summary>
-##	Make the specified domain unconfined.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to make unconfined.
-##	</summary>
-## </param>
-#
-interface(`unconfined_domain_noaudit',`
-	gen_require(`
-		class dbus all_dbus_perms;
-		class nscd all_nscd_perms;
-		class passwd all_passwd_perms;
-	')
-
-	# Use any Linux capability.
-	allow $1 self:capability *;
-	allow $1 self:fifo_file create_file_perms;
-
-	# Transition to myself, to make get_ordered_context_list happy.
-	allow $1 self:process transition;
-
-	# Write access is for setting attributes under /proc/self/attr.
-	allow $1 self:file rw_file_perms;
-
-	# Userland object managers
-	allow $1 self:nscd *;
-	allow $1 self:dbus *;
-	allow $1 self:passwd *;
-
-	kernel_unconfined($1)
-	corenet_unconfined($1)
-	dev_unconfined($1)
-	domain_unconfined($1)
-	domain_dontaudit_read_all_domains_state($1)
-	files_unconfined($1)
-	fs_unconfined($1)
-	selinux_unconfined($1)
-
-	tunable_policy(`allow_execheap',`
-		# Allow making the stack executable via mprotect.
-		allow $1 self:process execheap;
-	')
-
-	tunable_policy(`allow_execmem',`
-		# Allow making anonymous memory executable, e.g. 
-		# for runtime-code generation or executable stack.
-		allow $1 self:process execmem;
-	')
-
-	tunable_policy(`allow_execmem && allow_execstack',`
-		# Allow making the stack executable via mprotect.
-		allow $1 self:process execstack;
-#		auditallow $1 self:process execstack;
-	')
-
-
-	optional_policy(`
-		auth_unconfined($1)
-	')
-
-	optional_policy(`
-		# Communicate via dbusd.
-		dbus_system_bus_unconfined($1)
-	')
-
-	optional_policy(`
-		# this is to handle execmod on shared
-		# libs with text relocations
-		libs_use_shared_libs($1)
-	')
-
-	optional_policy(`
-		nscd_unconfined($1)
-	')
-
-	optional_policy(`
-		seutil_create_bin_policy($1)
-		seutil_relabelto_bin_policy($1)
-	')
-
-	optional_policy(`
-		storage_unconfined($1)
-	')
-')
-
-########################################
-## <summary>
-##	Make the specified domain unconfined and
-##	audit executable memory and executable heap
-##	usage.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to make unconfined.
-##	</summary>
-## </param>
-#
-interface(`unconfined_domain',`
-	unconfined_domain_noaudit($1)
-
-	tunable_policy(`allow_execheap',`
-		auditallow $1 self:process execheap;
-	')
-
-# Turn off this audit for FC5
-#	tunable_policy(`allow_execmem',`
-#		auditallow $1 self:process execmem;
-#	')
-')
-
-########################################
-## <summary>
-##	Transition to the unconfined domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_domtrans',`
-	gen_require(`
-		type unconfined_t, unconfined_exec_t;
-	')
-
-	domain_auto_trans($1,unconfined_exec_t,unconfined_t)
-
-	allow $1 unconfined_t:fd use;
-	allow unconfined_t $1:fd use;
-	allow unconfined_t $1:fifo_file rw_file_perms;
-	allow unconfined_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute specified programs in the unconfined domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the unconfined domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the unconfined domain to use.
-##	</summary>
-## </param>
-#
-interface(`unconfined_run',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	unconfined_domtrans($1)
-	role $2 types unconfined_t;
-	allow unconfined_t $3:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Transition to the unconfined domain by executing a shell.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_shell_domtrans',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	corecmd_shell_domtrans($1,unconfined_t)
-')
-
-########################################
-## <summary>
-##	Allow unconfined to execute the specified program in
-##	the specified domain.
-## </summary>
-## <desc>
-##	<p>
-##	Allow unconfined to execute the specified program in
-##	the specified domain.
-##	</p>
-##	<p>
-##	This is a interface to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain to execute in.
-##	</summary>
-## </param>
-## <param name="entry_file">
-##	<summary>
-##	Domain entry point file.
-##	</summary>
-## </param>
-#
-interface(`unconfined_domtrans_to',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	domain_auto_trans(unconfined_t,$2,$1)
-	allow $1 unconfined_t:fd use;
-	allow $1 unconfined_t:fifo_file rw_file_perms;
-	allow $1 unconfined_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Inherit file descriptors from the unconfined domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_use_fds',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	allow $1 unconfined_t:fd use;
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to the unconfined domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_sigchld',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	allow $1 unconfined_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Send a SIGNULL signal to the unconfined domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_signull',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	allow $1 unconfined_t:process signull;
-')
-
-########################################
-## <summary>
-##	Send generic signals to the unconfined domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_signal',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	allow $1 unconfined_t:process signal;
-')
-
-########################################
-## <summary>
-##	Read unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_read_pipes',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	allow $1 unconfined_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_dontaudit_read_pipes',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	dontaudit $1 unconfined_t:fifo_file read;
-')
-
-########################################
-## <summary>
-##	Read and write unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_rw_pipes',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	allow $1 unconfined_t:fifo_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Connect to the unconfined domain using
-##	a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_stream_connect',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	allow $1 unconfined_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read or write
-##	unconfined domain tcp sockets.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read or write
-##	unconfined domain tcp sockets.
-##	</p>
-##	<p>
-##	This interface was added due to a broken
-##	symptom in ldconfig.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`unconfined_dontaudit_rw_tcp_sockets',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	dontaudit $1 unconfined_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-##	Create keys for the unconfined domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_create_keys',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	allow $1 unconfined_t:key create;
-')
-
-########################################
-## <summary>
-##	Send messages to the unconfined domain over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_dbus_send',`
-	gen_require(`
-		type unconfined_t;
-		class dbus send_msg;
-	')
-
-	allow $1 unconfined_t:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	unconfined_t over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_dbus_chat',`
-	gen_require(`
-		type unconfined_t;
-		class dbus send_msg;
-	')
-
-	allow $1 unconfined_t:dbus send_msg;
-	allow unconfined_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Add an alias type to the unconfined domain.
-## </summary>
-## <desc>
-##	<p>
-##	Add an alias type to the unconfined domain.
-##	</p>
-##	<p>
-##	This is added to support targeted policy.  Its
-##	use should be limited.  It has no effect
-##	on the strict policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	New alias of the unconfined domain.
-##	</summary>
-## </param>
-#
-interface(`unconfined_alias_domain',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type unconfined_t;
-		')
-
-		typealias unconfined_t alias $1;
-	',`
-		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
-	')
-')
-
-########################################
-## <summary>
-##	Connect to the the unconfined DBUS
-##	for service (acquire_svc).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_dbus_connect',`
-	gen_require(`
-		type unconfined_t;
-		class dbus acquire_svc;
-	')
-
-	allow $1 unconfined_t:dbus acquire_svc;
-')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
deleted file mode 100644
index 887ac68..0000000
--- a/refpolicy/policy/modules/system/unconfined.te
+++ /dev/null
@@ -1,198 +0,0 @@
-
-policy_module(unconfined,1.3.12)
-
-########################################
-#
-# Declarations
-#
-
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type unconfined_t;
-')
-type unconfined_exec_t;
-init_system_domain(unconfined_t,unconfined_exec_t)
-
-ifdef(`targeted_policy',`
-	type unconfined_execmem_t;
-	type unconfined_execmem_exec_t;
-	init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
-')
-
-########################################
-#
-# Local policy
-#
-
-unconfined_domain(unconfined_t)
-
-logging_send_syslog_msg(unconfined_t)
-
-ifdef(`targeted_policy',`
-	allow unconfined_t self:system syslog_read;
-	dontaudit unconfined_t self:capability sys_module;
-
-	domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
-
-	files_create_boot_flag(unconfined_t)
-
-	init_domtrans_script(unconfined_t)
-
-	libs_domtrans_ldconfig(unconfined_t)
-
-	logging_domtrans_auditctl(unconfined_t)
-
-	mount_domtrans_unconfined(unconfined_t)
-
-	seutil_domtrans_restorecon(unconfined_t)
-	seutil_domtrans_semanage(unconfined_t)
-
-	userdom_unconfined(unconfined_t)
-	userdom_priveleged_home_dir_manager(unconfined_t)
-
-	optional_policy(`
-		ada_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		amanda_domtrans_recover(unconfined_t)
-	')
-
-	optional_policy(`
-		apache_domtrans_helper(unconfined_t)
-	')
-
-	optional_policy(`
-		bind_domtrans_ndc(unconfined_t)
-	')
-
-	optional_policy(`
-		bluetooth_domtrans_helper(unconfined_t)
-	')
-
-	optional_policy(`
-		init_dbus_chat_script(unconfined_t)
-
-		dbus_stub(unconfined_t)
-
-		optional_policy(`
-			avahi_dbus_chat(unconfined_t)
-		')
-
-		optional_policy(`
-			bluetooth_dbus_chat(unconfined_t)
-		')
-
-		optional_policy(`
-			cups_dbus_chat_config(unconfined_t)
-		')
-
-		optional_policy(`
-			hal_dbus_chat(unconfined_t)
-		')
-
-		optional_policy(`
-			networkmanager_dbus_chat(unconfined_t)
-		')
-	')
-
-	optional_policy(`
-		dmidecode_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		firstboot_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		ftp_domtrans_ftpdctl(unconfined_t)
-	')
-
-	optional_policy(`
-		inn_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		java_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		lpd_domtrans_checkpc(unconfined_t)
-	')
-
-	optional_policy(`
-		modutils_domtrans_update_mods(unconfined_t)
-	')
-
-	optional_policy(`
-		mono_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		prelink_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		portmap_domtrans_helper(unconfined_t)
-	')
-
-	optional_policy(`
-		postfix_domtrans_map(unconfined_t)
-		# cjp: this should probably be removed:
-		postfix_domtrans_master(unconfined_t)
-	')
-
-	optional_policy(`
-		# cjp: this should probably be removed:
-		rpc_domtrans_nfsd(unconfined_t)
-	')
-
-	optional_policy(`
-		rpm_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		samba_domtrans_net(unconfined_t)
-		samba_domtrans_winbind_helper(unconfined_t)
-	')
-
-	optional_policy(`
-		sendmail_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		sysnet_domtrans_dhcpc(unconfined_t)
-		sysnet_dbus_chat_dhcpc(unconfined_t)
-	')
-
-	optional_policy(`
-		usermanage_domtrans_admin_passwd(unconfined_t)
-	')
-
-	optional_policy(`
-		vpn_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		webalizer_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		wine_domtrans(unconfined_t)
-	')
-
-	optional_policy(`
-		xserver_domtrans_xdm_xserver(unconfined_t)
-	')
-')
-
-########################################
-#
-# Unconfined Execmem Local policy
-#
-
-ifdef(`targeted_policy',`
-	allow unconfined_execmem_t self:process { execstack execmem };
-	unconfined_domain_noaudit(unconfined_execmem_t)
-')
diff --git a/refpolicy/policy/modules/system/userdomain.fc b/refpolicy/policy/modules/system/userdomain.fc
deleted file mode 100644
index 58d0e2d..0000000
--- a/refpolicy/policy/modules/system/userdomain.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-
-# temporary hack till genhomedircon is fixed
-ifdef(`targeted_policy',`
-HOME_DIR		-d	gen_context(system_u:object_r:user_home_dir_t,s0)
-HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
-',`
-HOME_DIR		-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
-HOME_DIR/.+		gen_context(system_u:object_r:ROLE_home_t,s0)
-')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
deleted file mode 100644
index bb6212b..0000000
--- a/refpolicy/policy/modules/system/userdomain.if
+++ /dev/null
@@ -1,4791 +0,0 @@
-## <summary>Policy for user domains</summary>
-
-#######################################
-## <summary>
-##	The template containing rules common to unprivileged
-##	users and administrative users.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a user domain, types, and
-##	rules for the user's tty, pty, home directories,
-##	tmp, and tmpfs files.
-##	</p>
-##	<p>
-##	This generally should not be used, rather the
-##	unpriv_user_template or admin_user_template should
-##	be used.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`base_user_template',`
-
-	attribute $1_file_type;
-
-	type $1_t, userdomain;
-	domain_type($1_t)
-	corecmd_shell_entry_type($1_t)
-	corecmd_bin_entry_type($1_t)
-	corecmd_sbin_entry_type($1_t)
-	domain_user_exemption_target($1_t)
-	role $1_r types $1_t;
-	allow system_r $1_r;
-
-	# user pseudoterminal
-	type $1_devpts_t;
-	term_user_pty($1_t,$1_devpts_t)
-	files_type($1_devpts_t)
-
-	# type for contents of home directory
-	type $1_home_t, $1_file_type, home_type;
-	files_type($1_home_t)
-	files_associate_tmp($1_home_t)
-	fs_associate_tmpfs($1_home_t)
-
-	# type of home directory
-	type $1_home_dir_t, home_dir_type, home_type;
-	files_type($1_home_dir_t)
-	files_associate_tmp($1_home_dir_t)
-	fs_associate_tmpfs($1_home_dir_t)
-
-	type $1_tmp_t, $1_file_type;
-	files_tmp_file($1_tmp_t)
-
-	type $1_tmpfs_t;
-	files_tmpfs_file($1_tmpfs_t)
-
-	# types for network-obtained content
-	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
-	files_type($1_untrusted_content_t)
-	files_poly_member($1_untrusted_content_t)
-
-	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
-	files_tmp_file($1_untrusted_content_tmp_t)
-
-	type $1_tty_device_t; 
-	term_tty($1_t,$1_tty_device_t)
-
-	##############################
-	#
-	# User home directory file rules
-	#
-
-	allow $1_file_type $1_home_t:filesystem associate;
-
-	##############################
-	#
-	# User domain Local policy
-	#
-
-	allow $1_t self:capability { setgid chown fowner };
-	dontaudit $1_t self:capability { sys_nice fsetid };
-	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_t self:process { ptrace setfscreate };
-	allow $1_t self:fd use;
-	allow $1_t self:fifo_file rw_file_perms;
-	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
-	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
-	allow $1_t self:shm create_shm_perms;
-	allow $1_t self:sem create_sem_perms;
-	allow $1_t self:msgq create_msgq_perms;
-	allow $1_t self:msg { send receive };
-	dontaudit $1_t self:socket create;
-	allow $1_t self:tcp_socket create_stream_socket_perms;
-	allow $1_t self:udp_socket { create_socket_perms sendto recvfrom };
-
-	# evolution and gnome-session try to create a netlink socket
-	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-
-	# execute files in the home directory
-	can_exec($1_t,$1_home_t)
-
-	# full control of the home directory
-	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
-	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
-	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-	files_search_home($1_t)
-
-	can_exec($1_t,$1_tmp_t)
-
-	# user temporary files
-	allow $1_t $1_tmp_t:file create_file_perms;
-	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
-	allow $1_t $1_tmp_t:dir create_dir_perms;
-	allow $1_t $1_tmp_t:sock_file create_file_perms;
-	allow $1_t $1_tmp_t:fifo_file create_file_perms;
-	files_tmp_filetrans($1_t, $1_tmp_t, { dir notdevfile_class_set })
-
-	# Bind to a Unix domain socket in /tmp.
-	# cjp: this is combination is not checked and should be removed
-	allow $1_t $1_tmp_t:unix_stream_socket name_bind;
-
-	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
-	allow $1_t $1_tmpfs_t:file create_file_perms;
-	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
-	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
-	fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
-
-	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-	# Allow user to relabel untrusted content
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
-
-	allow $1_t unpriv_userdomain:fd use;
-
-	kernel_read_kernel_sysctls($1_t)
-	kernel_read_net_sysctls($1_t)
-	kernel_dontaudit_list_unlabeled($1_t)
-	kernel_dontaudit_getattr_unlabeled_files($1_t)
-	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
-	kernel_dontaudit_getattr_unlabeled_pipes($1_t)
-	kernel_dontaudit_getattr_unlabeled_sockets($1_t)
-	kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
-	kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
-	# Very permissive allowing every domain to see every type:
-	kernel_get_sysvipc_info($1_t)
-	# Find CDROM devices:
-	kernel_read_device_sysctls($1_t)
-
-	dev_rw_power_management($1_t)
-	# GNOME checks for usb and other devices:
-	dev_rw_usbfs($1_t)
-
-	corenet_non_ipsec_sendrecv($1_t)
-	corenet_tcp_sendrecv_all_if($1_t)
-	corenet_udp_sendrecv_all_if($1_t)
-	corenet_tcp_sendrecv_all_nodes($1_t)
-	corenet_udp_sendrecv_all_nodes($1_t)
-	corenet_tcp_sendrecv_all_ports($1_t)
-	corenet_udp_sendrecv_all_ports($1_t)
-	corenet_tcp_bind_all_nodes($1_t)
-	corenet_udp_bind_all_nodes($1_t)
-	corenet_udp_bind_generic_port($1_t)
-	corenet_tcp_connect_all_ports($1_t)
-	corenet_sendrecv_all_client_packets($1_t)
-
-	dev_read_input($1_t)
-	dev_read_misc($1_t)
-	dev_write_misc($1_t)
-	dev_write_sound($1_t)
-	dev_read_sound($1_t)
-	dev_read_sound_mixer($1_t)
-	dev_write_sound_mixer($1_t)
-	dev_read_rand($1_t)
-	dev_read_urand($1_t)
-	# open office is looking for the following
-	dev_getattr_agp_dev($1_t)
-	dev_dontaudit_rw_dri($1_t)
-
-	fs_get_all_fs_quotas($1_t)
-	fs_getattr_all_fs($1_t)
-	fs_getattr_all_dirs($1_t)
-	fs_search_auto_mountpoints($1_t)
-
-	# cjp: some of this probably can be removed
-	selinux_get_fs_mount($1_t)
-	selinux_validate_context($1_t)
-	selinux_compute_access_vector($1_t)
-	selinux_compute_create_context($1_t)
-	selinux_compute_relabel_context($1_t)
-	selinux_compute_user_contexts($1_t)
-
-	# for eject
-	storage_getattr_fixed_disk_dev($1_t)
-
-	auth_read_login_records($1_t)
-	auth_dontaudit_write_login_records($1_t)
-	auth_search_pam_console_data($1_t)
-	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-
-	corecmd_exec_bin($1_t)
-	corecmd_exec_sbin($1_t)
-	corecmd_exec_ls($1_t)
-
-	domain_use_interactive_fds($1_t)
-	# When the user domain runs ps, there will be a number of access
-	# denials when ps tries to search /proc.  Do not audit these denials.
-	domain_dontaudit_read_all_domains_state($1_t)
-	domain_dontaudit_getattr_all_domains($1_t)
-	domain_dontaudit_getsession_all_domains($1_t)
-
-	files_exec_etc_files($1_t)
-	files_search_locks($1_t)
-	# Check to see if cdrom is mounted
-	files_search_mnt($1_t)
-	# old broswer_domain():
-	files_dontaudit_list_non_security($1_t)
-	files_dontaudit_getattr_non_security_files($1_t)
-	files_dontaudit_getattr_non_security_symlinks($1_t)
-	files_dontaudit_getattr_non_security_pipes($1_t)
-	files_dontaudit_getattr_non_security_sockets($1_t)
-	files_dontaudit_getattr_non_security_blk_files($1_t)
-	files_dontaudit_getattr_non_security_chr_files($1_t)
-
-	# Caused by su - init scripts
-	init_dontaudit_use_script_ptys($1_t)
-
-	libs_use_ld_so($1_t)
-	libs_use_shared_libs($1_t)
-	libs_exec_ld_so($1_t)
-	libs_exec_lib_files($1_t)
-
-	logging_dontaudit_getattr_all_logs($1_t)
-
-	miscfiles_read_localization($1_t)
-	# for running TeX programs
-	miscfiles_read_tetex_data($1_t)
-	miscfiles_exec_tetex_data($1_t)
-
-	seutil_read_file_contexts($1_t)
-	seutil_read_default_contexts($1_t)
-	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-
-	tunable_policy(`allow_execmem',`
-		# Allow loading DSOs that require executable stack.
-		allow $1_t self:process execmem;
-	')
-
-	tunable_policy(`allow_execmem && allow_execstack',`
-		# Allow making the stack executable via mprotect.
-		allow $1_t self:process execstack;
-	')
-
-	tunable_policy(`read_default_t',`
-		files_list_default($1_t)
-		files_read_default_files($1_t)
-		files_read_default_symlinks($1_t)
-		files_read_default_sockets($1_t)
-		files_read_default_pipes($1_t)
-	',`
-		files_dontaudit_list_default($1_t)
-		files_dontaudit_read_default_files($1_t)
-	')
-
-	tunable_policy(`read_untrusted_content',`
-		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
-		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
-		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
-	',`
-		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
-		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_t)
-		fs_manage_nfs_files($1_t)
-		fs_manage_nfs_symlinks($1_t)
-		fs_manage_nfs_named_sockets($1_t)
-		fs_manage_nfs_named_pipes($1_t)
-		fs_exec_nfs_files($1_t)
-	',`
-		fs_dontaudit_manage_nfs_dirs($1_t)
-		fs_dontaudit_manage_nfs_files($1_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_t)
-		fs_manage_cifs_files($1_t)
-		fs_manage_cifs_symlinks($1_t)
-		fs_manage_cifs_named_sockets($1_t)
-		fs_manage_cifs_named_pipes($1_t)
-		fs_exec_cifs_files($1_t)
-	',`
-		fs_dontaudit_manage_cifs_dirs($1_t)
-		fs_dontaudit_manage_cifs_files($1_t)
-	')
-
-	tunable_policy(`user_direct_mouse',`
-		dev_read_mouse($1_t)
-	')
-
-	tunable_policy(`user_ttyfile_stat',`
-		term_getattr_all_user_ttys($1_t)
-	')
-
-	optional_policy(`
-		# Allow graphical boot to check battery lifespan
-		apm_stream_connect($1_t)
-	')
-
-	optional_policy(`
-		canna_stream_connect($1_t)
-	')
-
-	optional_policy(`
-		cups_stream_connect_ptal($1_t)
-	')
-
-	optional_policy(`
-		dbus_system_bus_client_template($1,$1_t)
-
-		optional_policy(`
-			cups_dbus_chat_config($1_t)
-		')
-
-		optional_policy(`
-			hal_dbus_chat($1_t)
-		')
-
-		optional_policy(`
-			networkmanager_dbus_chat($1_t)
-		')
-	')
-
-	optional_policy(`
-		dictd_tcp_connect($1_t)
-	')
-
-	optional_policy(`
-		tunable_policy(`ftpd_is_daemon',`
-			ftp_tcp_connect($1_t)
-		')
-	')
-
-	optional_policy(`
-		finger_tcp_connect($1_t)
-	')
-
-	optional_policy(`
-		i18n_use($1_t)
-	')
-
-	optional_policy(`
-		inetd_tcp_connect($1_t)
-		inetd_udp_send($1_t)
-		inetd_use_fds($1_t)
-		inetd_rw_tcp_sockets($1_t)
-	')
-
-	optional_policy(`
-		inn_read_config($1_t)
-		inn_read_news_lib($1_t)
-		inn_read_news_spool($1_t)
-	')
-
-	optional_policy(`
-		jabber_tcp_connect($1_t)
-	')
-
-	optional_policy(`
-		mta_rw_spool($1_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_t)
-	')
-
-	optional_policy(`
-		ifdef(`strict_policy',`
-			tunable_policy(`allow_user_mysql_connect',`
-				mysql_stream_connect($1_t)
-			')
-		')
-	')
-
-	optional_policy(`
-		nessus_tcp_connect($1_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_t)
-	')
-
-	optional_policy(`
-		# to allow monitoring of pcmcia status
-		pcmcia_read_pid($1_t)
-	')
-
-	optional_policy(`
-		perdition_tcp_connect($1_t)
-	')
-
-	optional_policy(`
-		portmap_tcp_connect($1_t)
-	')
-
-	optional_policy(`
-		quota_dontaudit_getattr_db($1_t)
-	')
-
-	optional_policy(`
-		resmgr_stream_connect($1_t)
-	')
-
-	optional_policy(`
-		rpc_dontaudit_getattr_exports($1_t)
-		rpc_manage_nfs_rw_content($1_t)
-	')
-
-	optional_policy(`
-		files_getattr_var_lib_dirs($1_t)
-		files_search_var_lib($1_t)
-		rpm_read_db($1_t)
-		rpm_dontaudit_manage_db($1_t)
-	')
-
-	optional_policy(`
-		samba_stream_connect_winbind($1_t)
-	')
-
-	optional_policy(`
-		slrnpull_search_spool($1_t)
-	')
-
-	optional_policy(`
-		soundserver_tcp_connect($1_t)
-	')
-
-	optional_policy(`
-		squid_use($1_t)
-	')
-
-	optional_policy(`
-		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-	')
-
-	optional_policy(`
-		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-	')
-
-	optional_policy(`
-		dev_rw_xserver_misc($1_t)
-		xserver_user_client_template($1,$1_t,$1_tmpfs_t)
-		xserver_xsession_entry_type($1_t)
-		xserver_dontaudit_write_log($1_t)
-		xserver_stream_connect_xdm($1_t)
-		# certain apps want to read xdm.pid file
-		xserver_read_xdm_pid($1_t)
-		# gnome-session creates socket under /tmp/.ICE-unix/
-		xserver_create_xdm_tmp_sockets($1_t)
-	')
-')
-
-#######################################
-## <summary>
-##	The template for creating a unprivileged user.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a user domain, types, and
-##	rules for the user's tty, pty, home directories,
-##	tmp, and tmpfs files.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`unpriv_user_template', `
-	##############################
-	#
-	# Declarations
-	#
-
-	# Inherit rules for ordinary users.
-	base_user_template($1)
-
-	typeattribute $1_t unpriv_userdomain;
-	domain_interactive_fd($1_t)
-
-	typeattribute $1_devpts_t user_ptynode;
-
-	typeattribute $1_home_dir_t user_home_dir_type;
-	files_poly($1_home_dir_t)
-
-	typeattribute $1_home_t user_home_type;
-	files_poly_member($1_home_t)
-
-	typeattribute $1_tmp_t user_tmpfile;
-	typeattribute $1_tty_device_t user_ttynode;
-
-	##############################
-	#
-	# Local policy
-	#
-
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-	term_create_pty($1_t,$1_devpts_t)
-
-	# Rules used to associate a homedir as a mountpoint
-	allow $1_home_t self:filesystem associate;
-	allow $1_file_type $1_home_t:filesystem associate;
-
-	# privileged home directory writers
-	allow privhome $1_home_t:file create_file_perms;
-	allow privhome $1_home_t:lnk_file create_lnk_perms;
-	allow privhome $1_home_t:dir create_dir_perms;
-	allow privhome $1_home_t:sock_file create_file_perms;
-	allow privhome $1_home_t:fifo_file create_file_perms;
-	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
-
-	dev_read_sysfs($1_t)
-
-	corecmd_exec_all_executables($1_t)
-
-	# port access is audited even if dac would not have allowed it, so dontaudit it here
-	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-
-	files_read_etc_files($1_t)
-	files_read_etc_runtime_files($1_t)
-	files_list_home($1_t)
-	files_read_usr_files($1_t)
-	files_exec_usr_files($1_t)
-	# Read directories and files with the readable_t type.
-	# This type is a general type for "world"-readable files.
-	files_list_world_readable($1_t)
-	files_read_world_readable_files($1_t)
-	files_read_world_readable_symlinks($1_t)
-	files_read_world_readable_pipes($1_t)
-	files_read_world_readable_sockets($1_t)
-	# cjp: why?
-	files_read_kernel_symbol_table($1_t)
-
-	init_read_utmp($1_t)
-	# The library functions always try to open read-write first,
-	# then fall back to read-only if it fails. 
-	init_dontaudit_write_utmp($1_t)
-	# Stop warnings about access to /dev/console
-	init_dontaudit_use_fds($1_t)
-	init_dontaudit_use_script_fds($1_t)
-
-	miscfiles_read_man_pages($1_t)
-
-	seutil_read_config($1_t)
-	# Allow users to execute checkpolicy without a domain transition
-	# so it can be used without privilege to write real binary policy file
-	seutil_exec_checkpolicy($1_t)
-
-	ifdef(`enable_polyinstantiation',`
-		type_member $1_t $1_home_dir_t:dir $1_home_t;
-		files_poly_member_tmp($1_t,$1_tmp_t)
-	')
-
-	tunable_policy(`user_dmesg',`
-		kernel_read_ring_buffer($1_t)
-	',`
-		kernel_dontaudit_read_ring_buffer($1_t)
-	')
-
-	# Allow users to rw usb devices
-	tunable_policy(`user_rw_usb',`
-		dev_rw_usbfs($1_t)
-	',`
-		dev_read_usbfs($1_t)
-	')
-
-	# Allow users to run TCP servers (bind to ports and accept connection from
-	# the same domain and outside users)  disabling this forces FTP passive mode
-	# and may change other protocols
-	tunable_policy(`user_tcp_server',`
-		corenet_tcp_bind_generic_port($1_t)
-	')
-
-	optional_policy(`
-		dbus_stub($1_t)
-
-		optional_policy(`
-			bluetooth_dbus_chat($1_t)
-		')
-	')
-
-	optional_policy(`
-		kerberos_use($1_t)
-	')
-
-	optional_policy(`
-		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-	')
-
-	# for running depmod as part of the kernel packaging process
-	optional_policy(`
-		modutils_read_module_config($1_t)
-	')
-
-	optional_policy(`
-		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-	')
-
-	# Run pppd in pppd_t by default for user
-	optional_policy(`
-		ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-	')
-
-	optional_policy(`
-		# for when the network connection is killed
-		seutil_dontaudit_signal_newrole($1_t)
-	')
-
-	# Need the following rule to allow users to run vpnc
-	optional_policy(`
-		corenet_tcp_bind_xserver_port($1_t)
-	')
-
-	ifdef(`TODO',`
-	ifndef(`enable_mls',`
-		fs_exec_noxattr($1_t)
-
-		tunable_policy(`user_rw_noexattrfile',`
-			create_dir_file($1_t, noexattrfile)
-			# Write floppies 
-			storage_raw_read_removable_device($1_t)
-			storage_raw_write_removable_device($1_t)
-			# cjp: what does this have to do with removable devices?
-			allow $1_t usbtty_device_t:chr_file write;
-		',`
-			fs_read_noxattr_files($1_t)
-			r_dir_file($1_t, noexattrfile)
-			allow $1_t removable_device_t:blk_file r_file_perms;
-		')
-	')
-
-	dontaudit $1_t boot_t:lnk_file read;
-	dontaudit $1_t boot_t:file read;
-
-	# do not audit read on disk devices
-	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
-
-	ifdef(`xdm.te', `
-		allow xdm_t $1_home_t:lnk_file read;
-		allow xdm_t $1_home_t:dir search;
-		#
-		# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
-		# 
-		dontaudit xdm_t $1_home_t:file rw_file_perms;
-	')
-
-	ifdef(`ftpd.te', `
-		tunable_policy(`ftp_home_dir',`
-			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-		')
-	')
-
-	ifdef(`useradd.te', `
-	# Useradd relabels /etc/skel files so needs these privs 
-	allow useradd_t $1_file_type:dir create_dir_perms;
-	allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
-	')
-
-	# Stat lost+found.
-	allow $1_t lost_found_t:dir getattr;
-
-	# Read /var, /var/spool, /var/run.
-	r_dir_file($1_t, var_t)
-	# what about pipes and sockets under /var/spool?
-	r_dir_file($1_t, var_spool_t)
-	r_dir_file($1_t, var_run_t)
-	allow $1_t var_lib_t:dir r_dir_perms;
-	allow $1_t var_lib_t:file { getattr read };
-
-	# Do not audit write denials to /etc/ld.so.cache.
-	dontaudit $1_t ld_so_cache_t:file write;
-
-	dontaudit $1_t sysadm_home_t:file { read append };
-
-	allow $1_t initrc_t:fifo_file write;
-	') dnl end TODO
-')
-
-#######################################
-## <summary>
-##	The template for creating an administrative user.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a user domain, types, and
-##	rules for the user's tty, pty, home directories,
-##	tmp, and tmpfs files.
-##	</p>
-##	<p>
-##	The privileges given to administrative users are:
-##	<ul>
-##		<li>Raw disk access</li>
-##		<li>Set all sysctls</li>
-##		<li>All kernel ring buffer controls</li>
-##		<li>Create, read, write, and delete all files but shadow</li>
-##		<li>Manage source and binary format SELinux policy</li>
-##		<li>Run insmod</li>
-##	</ul>
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., sysadm
-##	is the prefix for sysadm_t).
-##	</summary>
-## </param>
-#
-template(`admin_user_template',`
-	gen_require(`
-		class passwd { passwd chfn chsh rootok crontab };
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	# Inherit rules for ordinary users.
-	base_user_template($1)
-
-	typeattribute $1_t privhome;
-	domain_obj_id_change_exemption($1_t)
-	role system_r types $1_t;
-
-	ifdef(`direct_sysadm_daemon',`
-		domain_system_change_exemption($1_t)
-	')
-	
-	typeattribute $1_devpts_t admin_terminal;
-
-	typeattribute $1_tty_device_t admin_terminal;
-
-	##############################
-	#
-	# $1_t local policy
-	#
-
-	allow $1_t self:capability ~sys_module;
-	allow $1_t self:process { setexec setfscreate };
-
-	# Set password information for other users.
-	allow $1_t self:passwd { passwd chfn chsh };
-
-	# Skip authentication when pam_rootok is specified.
-	allow $1_t self:passwd rootok;
-
-	# Manipulate other users crontab.
-	allow $1_t self:passwd crontab;
-
-	# for the administrator to run TCP servers directly
-	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
-
-	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
-
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-	term_create_pty($1_t,$1_devpts_t)
-
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
-	kernel_read_software_raid_state($1_t)
-	kernel_getattr_core_if($1_t)
-	kernel_getattr_message_if($1_t)
-	kernel_change_ring_buffer_level($1_t)
-	kernel_clear_ring_buffer($1_t)
-	kernel_read_ring_buffer($1_t)
-	kernel_get_sysvipc_info($1_t)
-	kernel_rw_all_sysctls($1_t)
-	# signal unlabeled processes:
-	kernel_kill_unlabeled($1_t)
-	kernel_signal_unlabeled($1_t)
-	kernel_sigstop_unlabeled($1_t)
-	kernel_signull_unlabeled($1_t)
-	kernel_sigchld_unlabeled($1_t)
-	# for the administrator to run TCP servers directly
-	kernel_tcp_recvfrom($1_t)
-
-	corenet_tcp_bind_generic_port($1_t)
-	# allow setting up tunnels
-	corenet_rw_tun_tap_dev($1_t)
-
-	dev_getattr_generic_blk_files($1_t)
-	dev_getattr_generic_chr_files($1_t)
-	dev_getattr_all_blk_files($1_t)
-	dev_getattr_all_chr_files($1_t)
-
-	fs_getattr_all_fs($1_t)
-	fs_set_all_quotas($1_t)
-	fs_exec_noxattr($1_t)
-
-	# Get security policy decisions:
-	selinux_get_fs_mount($1_t)
-	selinux_validate_context($1_t)
-	selinux_compute_access_vector($1_t)
-	selinux_compute_create_context($1_t)
-	selinux_compute_relabel_context($1_t)
-	selinux_compute_user_contexts($1_t)
-
-	storage_raw_read_removable_device($1_t)
-	storage_raw_write_removable_device($1_t)
-
-	term_use_console($1_t)
-	term_use_unallocated_ttys($1_t)
-	term_use_all_user_ptys($1_t)
-	term_use_all_user_ttys($1_t)
-
-	auth_getattr_shadow($1_t)
-	# Manage almost all files
-	auth_manage_all_files_except_shadow($1_t)
-	# Relabel almost all files
-	auth_relabel_all_files_except_shadow($1_t)
-
-	domain_setpriority_all_domains($1_t)
-	domain_read_all_domains_state($1_t)
-	domain_getattr_all_domains($1_t)
-	domain_dontaudit_ptrace_all_domains($1_t)
-	# signal all domains:
-	domain_kill_all_domains($1_t)
-	domain_signal_all_domains($1_t)
-	domain_signull_all_domains($1_t)
-	domain_sigstop_all_domains($1_t)
-	domain_sigstop_all_domains($1_t)
-	domain_sigchld_all_domains($1_t)
-	# for lsof
-	domain_getattr_all_sockets($1_t)
-
-	files_exec_usr_src_files($1_t)
-
-	init_rw_initctl($1_t)
-
-	logging_send_syslog_msg($1_t)
-
-	modutils_domtrans_insmod($1_t)
-
-	seutil_read_config($1_t)
-	# The following rule is temporary until such time that a complete
-	# policy management infrastructure is in place so that an administrator
-	# cannot directly manipulate policy files with arbitrary programs.
-	seutil_manage_src_policy($1_t)
-	# Violates the goal of limiting write access to checkpolicy.
-	# But presently necessary for installing the file_contexts file.
-	seutil_manage_bin_policy($1_t)
-
-	optional_policy(`
-		cron_admin_template($1,$1_t,$1_r)
-	')
-
-	optional_policy(`
-		ethereal_admin_template($1,$1_t,$1_r)
-	')
-
-	optional_policy(`
-		lpr_admin_template($1,$1_t,$1_r)
-	')
-
-	optional_policy(`
-		mta_admin_template($1,$1_t,$1_r)
-	')
-
-	ifdef(`TODO',`
-
-	# for lsof
-	allow $1_t mtrr_device_t:file getattr;
-	allow $1_t eventpollfs_t:file getattr;
-
-	allow $1_t serial_device:chr_file setattr;
-
-	allow $1_t ptyfile:chr_file getattr;
-
-	# Run admin programs that require different permissions in their own domain.
-	# These rules were moved into the appropriate program domain file.
-
-	ifdef(`xserver.te', `
-		# Create files in /tmp/.X11-unix with our X servers derived
-		# tmp type rather than user_xserver_tmp_t.
-		file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
-	')
-
-
-	ifdef(`xdm.te', `
-		tunable_policy(`xdm_sysadm_login',`
-			allow xdm_t $1_home_t:lnk_file read;
-			allow xdm_t $1_home_t:dir search;
-		')
-		can_pipe_xdm($1_t)
-	')
-
-	# Allow MAKEDEV to work
-	allow $1_t device_t:dir rw_dir_perms;
-	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
-	allow $1_t device_t:lnk_file { create read };
-
-	#
-	# A user who is authorized for sysadm_t may nonetheless have
-	# a home directory labeled with user_home_t if the user is expected
-	# to login in either user_t or sysadm_t.  Hence, the derived domains
-	# for programs need to be able to access user_home_t.  
-	# 
-
-	# Allow our gph domain to write to .xsession-errors.
-	ifdef(`gnome-pty-helper.te', `
-		allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
-		allow $1_gph_t user_home_type:file create_file_perms;
-	')
-
-	# Run programs from staff home directories.
-	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
-	can_exec($1_t, staff_home_t)
-
-	tunable_policy(`user_rw_noexattrfile',`
-		create_dir_file($1_t, noexattrfile)
-		# Write floppies 
-		storage_raw_read_removable_device($1_t)
-		storage_raw_write_removable_device($1_t)
-		# cjp: what does this have to do with removable devices?
-		allow $1_t usbtty_device_t:chr_file write;
-	',`
-		r_dir_file($1_t, noexattrfile)
-		storage_raw_read_removable_device($1_t)
-	')
-	') dnl endif TODO
-')
-
-########################################
-## <summary>
-##	Make the specified type usable in a
-##	user home directory.
-## </summary>
-## <desc>
-##	<p>
-##	Make the specified type usable in a
-##	user home directory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="type">
-##	<summary>
-##	Type to be used as a file in the
-##	user home directory.
-##	</summary>
-## </param>
-#
-template(`userdom_user_home_content',`
-	gen_require(`
-		attribute $1_file_type;
-	')
-
-	typeattribute $2 $1_file_type;
-	files_type($2)
-')
-
-########################################
-## <summary>
-##	Set the attributes of a user pty.
-## </summary>
-## <desc>
-##	<p>
-##	Set the attributes of a user pty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_setattr_user_ptys',`
-	ifdef(`strict_policy',`
-		gen_require(`
-			type $1_devpts_t;
-		')
-
-		allow $2 $1_devpts_t:chr_file setattr;
-	')
-')
-
-########################################
-## <summary>
-##	Create a user pty.
-## </summary>
-## <desc>
-##	<p>
-##	Create a user pty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_create_user_pty',`
-	ifdef(`strict_policy',`
-		gen_require(`
-			type $1_devpts_t;
-		')
-
-		term_create_pty($2,$1_devpts_t)
-	')
-')
-
-########################################
-## <summary>
-##	Search user home directories.
-## </summary>
-## <desc>
-##	<p>
-##	Search user home directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_search_user_home_dirs',`
-	gen_require(`
-		type $1_home_dir_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir { getattr search };
-')
-
-########################################
-## <summary>
-##      List user home directories.
-## </summary>
-## <desc>
-##      <p>
-##      List user home directories.
-##      </p>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_list_user_home_dirs',`
-	gen_require(`
-		type $1_home_dir_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do a domain transition to the specified
-##	domain when executing a program in the
-##	user home directory.
-## </summary>
-## <desc>
-##	<p>
-##	Do a domain transition to the specified
-##	domain when executing a program in the
-##	user home directory.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="source_domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	Domain to transition to.
-##	</summary>
-## </param>
-#
-template(`userdom_user_home_domtrans',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search_dir_perms;
-	domain_auto_trans($2,$1_home_t,$3)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list user home subdirectories.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to list user home subdirectories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_list_user_home_dirs',`
-	gen_require(`
-		type $1_home_dir_t;
-	')
-
-	dontaudit $2 $1_home_dir_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete directories
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete directories
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_home_content_dirs',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir rw_dir_perms;
-	allow $2 $1_home_t:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to set the
-##	attributes of user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to set the
-##	attributes of user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_setattr_user_home_content_files',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	dontaudit $2 $1_home_t:file setattr;
-')
-
-########################################
-## <summary>
-##	Read user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Read user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_home_content_files',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
-	allow $2 $1_home_t:dir search_dir_perms;
-	allow $2 $1_home_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_read_user_home_content_files',`
-	gen_require(`
-		type $1_home_t;
-	')
-
-	dontaudit $2 $1_home_t:dir r_dir_perms;
-	dontaudit $2 $1_home_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to write user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_write_user_home_content_files',`
-	gen_require(`
-		type $1_home_t;
-	')
-
-	dontaudit $2 $1_home_t:file write;
-')
-
-########################################
-## <summary>
-##	Read user home subdirectory symbolic links.
-## </summary>
-## <desc>
-##	<p>
-##	Read user home subdirectory symbolic links.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_home_content_symlinks',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
-	allow $2 $1_home_t:dir search;
-	allow $2 $1_home_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Execute user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Execute user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_exec_user_home_content_files',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
-	allow $2 $1_home_t:dir search;
-	can_exec($2,$1_home_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to execute user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to execute user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_exec_user_home_content_files',`
-	gen_require(`
-		type $1_home_t;
-	')
-
-	dontaudit $2 $1_home_t:file execute;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete files
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_home_content_files',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
-	allow $2 $1_home_t:dir rw_dir_perms;
-	allow $2 $1_home_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to create, read, write, and delete directories
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to create, read, write, and delete directories
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_manage_user_home_content_dirs',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	dontaudit $2 $1_home_t:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic links
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete symbolic links
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_home_content_symlinks',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
-	allow $2 $1_home_t:dir rw_dir_perms;
-	allow $2 $1_home_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete named pipes
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete named pipes
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_home_content_pipes',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
-	allow $2 $1_home_t:dir rw_dir_perms;
-	allow $2 $1_home_t:fifo_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete named sockets
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete named sockets
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_home_content_sockets',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
-	allow $2 $1_home_t:dir rw_dir_perms;
-	allow $2 $1_home_t:sock_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in a user home directory
-##	with an automatic type transition to
-##	a specified private type.
-## </summary>
-## <desc>
-##	<p>
-##	Create objects in a user home directory
-##	with an automatic type transition to
-##	a specified private type.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private_type">
-##	<summary>
-##	The type of the object to create.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.  If not
-##	specified, file is used.
-##	</summary>
-## </param>
-#
-template(`userdom_user_home_dir_filetrans',`
-	gen_require(`
-		type $1_home_dir_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir rw_dir_perms;
-	type_transition $2 $1_home_dir_t:$4 $3;
-')
-
-########################################
-## <summary>
-##	Create objects in a user home directory
-##	with an automatic type transition to
-##	the user home file type.
-## </summary>
-## <desc>
-##	<p>
-##	Create objects in a user home directory
-##	with an automatic type transition to
-##	the user home file type.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.  If not
-##	specified, file is used.
-##	</summary>
-## </param>
-#
-template(`userdom_user_home_dir_filetrans_user_home_content',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir rw_dir_perms;
-	type_transition $2 $1_home_dir_t:$3 $1_home_t;
-')
-
-########################################
-## <summary>
-##      Write to user temporary named sockets.
-## </summary>
-## <desc>
-##      <p>
-##      Write to user temporary named sockets.
-##      </p>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_write_user_tmp_sockets',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:sock_file write;
-')
-
-########################################
-## <summary>
-##	List user temporary directories.
-## </summary>
-## <desc>
-##	<p>
-##	List user temporary directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_list_user_tmp',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list user
-##	temporary directories.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to list user
-##	temporary directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_list_user_tmp',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	dontaudit $2 $1_tmp_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to manage users
-##	temporary directories.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to manage users
-##	temporary directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_manage_user_tmp_dirs',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	dontaudit $2 $1_tmp_t:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read user temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Read user temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir r_dir_perms;
-	allow $2 $1_tmp_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read users
-##	temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read users
-##	temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_read_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	dontaudit $2 $1_tmp_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to append users
-##	temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to append users
-##	temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_append_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	dontaudit $2 $1_tmp_t:file append;
-')
-
-########################################
-## <summary>
-##	Read and write user temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Read and write user temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_rw_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir r_dir_perms;
-	allow $2 $1_tmp_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to manage users
-##	temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to manage users
-##	temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_manage_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	dontaudit $2 $1_tmp_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Read user
-##	temporary symbolic links.
-## </summary>
-## <desc>
-##	<p>
-##	Read user
-##	temporary symbolic links.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_tmp_symlinks',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir r_dir_perms;
-	allow $2 $1_tmp_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete user
-##	temporary directories.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete user
-##	temporary directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_tmp_dirs',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete user
-##	temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete user
-##	temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir rw_dir_perms;
-	allow $2 $1_tmp_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete user
-##	temporary symbolic links.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete user
-##	temporary symbolic links.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_tmp_symlinks',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir rw_dir_perms;
-	allow $2 $1_tmp_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete user
-##	temporary named pipes.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete user
-##	temporary named pipes.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_tmp_pipes',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir rw_dir_perms;
-	allow $2 $1_tmp_t:fifo_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete user
-##	temporary named sockets.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete user
-##	temporary named sockets.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_tmp_sockets',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir rw_dir_perms;
-	allow $2 $1_tmp_t:sock_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Read user tmpfs files.
-## </summary>
-## <desc>
-##	<p>
-##	Read user tmpfs files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_rw_user_tmpfs_files',`
-	gen_require(`
-		type $1_tmpfs_t;
-	')
-
-	fs_search_tmpfs($2)
-	allow $2 $1_tmpfs_t:dir list_dir_perms;
-	allow $2 $1_tmpfs_t:file rw_file_perms;
-	allow $2 $1_tmpfs_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-##	List users untrusted directories.
-## </summary>
-## <desc>
-##	<p>
-##	List users untrusted directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_list_user_untrusted_content',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	allow $2 $1_untrusted_content_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list user
-##	untrusted directories.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read user
-##	untrusted directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_list_user_untrusted_content',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	dontaudit $2 $1_untrusted_content_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read user untrusted files.
-## </summary>
-## <desc>
-##	<p>
-##	Read user untrusted files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_untrusted_content_files',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	allow $2 $1_untrusted_content_t:dir r_dir_perms;
-	allow $2 $1_untrusted_content_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Manage user untrusted files.
-## </summary>
-## <desc>
-##      <p>
-##      Create, read, write, and delete untrusted files.
-##      </p>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_untrusted_content_files',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	allow $2 $1_tmp_t:dir rw_dir_perms;
-	allow $2 $1_untrusted_content_tmp_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read users
-##	untrusted files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read users
-##	untrusted files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_read_user_untrusted_content_files',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	dontaudit $2 $1_untrusted_content_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read user untrusted symbolic links.
-## </summary>
-## <desc>
-##	<p>
-##	Read user untrusted symbolic links.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_untrusted_content_symlinks',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	allow $2 $1_untrusted_content_t:dir r_dir_perms;
-	allow $2 $1_untrusted_content_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	List users temporary untrusted directories.
-## </summary>
-## <desc>
-##	<p>
-##	List users temporary untrusted directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_list_user_tmp_untrusted_content',`
-	gen_require(`
-		type $1_untrusted_content_tmp_t;
-	')
-
-	allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list user
-##	temporary untrusted directories.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to list user
-##	temporary directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_list_user_tmp_untrusted_content',`
-	gen_require(`
-		type $1_untrusted_content_tmp_t;
-	')
-
-	dontaudit $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read user temporary untrusted files.
-## </summary>
-## <desc>
-##	<p>
-##	Read user temporary untrusted files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_tmp_untrusted_content_files',`
-	gen_require(`
-		type $1_untrusted_content_tmp_t;
-	')
-
-	allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
-	allow $2 $1_untrusted_content_tmp_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read users
-##	temporary untrusted files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read users
-##	temporary untrusted files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',`
-	gen_require(`
-		type $1_untrusted_content_tmp_t;
-	')
-
-	dontaudit $2 $1_untrusted_content_tmp_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read user temporary untrusted symbolic links.
-## </summary>
-## <desc>
-##	<p>
-##	Read user temporary untrusted symbolic links.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_tmp_untrusted_content_symlinks',`
-	gen_require(`
-		type $1_untrusted_content_tmp_t;
-	')
-
-	allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
-	allow $2 $1_untrusted_content_tmp_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read all user untrusted content files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_all_untrusted_content',`
-	gen_require(`
-		attribute untrusted_content_type;
-	')
-
-	allow $1 untrusted_content_type:dir r_dir_perms;
-	allow $1 untrusted_content_type:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read all user temporary untrusted content files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_all_tmp_untrusted_content',`
-	gen_require(`
-		attribute untrusted_content_tmp_type;
-	')
-
-	allow $1 untrusted_content_tmp_type:dir r_dir_perms;
-	allow $1 untrusted_content_tmp_type:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Set the attributes of a user domain tty.
-## </summary>
-## <desc>
-##	<p>
-##	Set the attributes of a user domain tty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_setattr_user_ttys',`
-	ifdef(`targeted_policy',`
-		term_setattr_unallocated_ttys($2)
-	',`
-		gen_require(`
-			type $1_tty_device_t;
-		')
-
-		allow $2 $1_tty_device_t:chr_file setattr;
-	')
-')
-
-########################################
-## <summary>
-##	Read and write a user domain tty.
-## </summary>
-## <desc>
-##	<p>
-##	Read and write a user domain tty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_use_user_ttys',`
-	ifdef(`targeted_policy',`
-		term_use_unallocated_ttys($2)
-	',`
-		gen_require(`
-			type $1_tty_device_t;
-		')
-
-		allow $2 $1_tty_device_t:chr_file rw_term_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Read and write a user domain tty and pty.
-## </summary>
-## <desc>
-##	<p>
-##	Read and write a user domain tty and pty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_use_user_terminals',`
-	ifdef(`targeted_policy',`
-		term_use_unallocated_ttys($2)
-		term_use_generic_ptys($2)
-	',`
-		gen_require(`
-			type $1_tty_device_t, $1_devpts_t;
-		')
-
-		allow $2 $1_tty_device_t:chr_file rw_term_perms;
-		allow $2 $1_devpts_t:chr_file rw_term_perms;
-		term_list_ptys($2)
-	')
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write
-##	a user domain tty and pty.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read and write
-##	a user domain tty and pty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_use_user_terminals',`
-	gen_require(`
-		type $1_tty_device_t, $1_devpts_t;
-	')
-
-	dontaudit $2 $1_tty_device_t:chr_file rw_term_perms;
-	dontaudit $2 $1_devpts_t:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute a shell in all user domains.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_spec_domtrans_all_users',`
-	gen_require(`
-		attribute userdomain;
-	')
-
-	corecmd_shell_spec_domtrans($1,userdomain)
-	allow $1 userdomain:fd use;
-	allow userdomain $1:fd use;
-	allow userdomain $1:fifo_file rw_file_perms;
-	allow userdomain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute an Xserver session in all unprivileged user domains.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_xsession_spec_domtrans_all_users',`
-	gen_require(`
-		attribute userdomain;
-	')
-
-	xserver_xsession_spec_domtrans($1,userdomain)
-	allow $1 userdomain:fd use;
-	allow userdomain $1:fd use;
-	allow userdomain $1:fifo_file rw_file_perms;
-	allow userdomain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute a shell in all unprivileged user domains.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_spec_domtrans_unpriv_users',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
-	allow $1 unpriv_userdomain:fd use;
-	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
-	allow unpriv_userdomain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute an Xserver session in all unprivileged user domains.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_xsession_spec_domtrans_unpriv_users',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	xserver_xsession_spec_domtrans($1,unpriv_userdomain)
-	allow $1 unpriv_userdomain:fd use;
-	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
-	allow unpriv_userdomain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Manage unpriviledged user SysV sempaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_unpriv_user_semaphores',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	allow $1 unpriv_userdomain:sem create_sem_perms;
-')
-
-########################################
-## <summary>
-##	Manage unpriviledged user SysV shared
-##	memory segments.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_unpriv_user_shared_mem',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	allow $1 unpriv_userdomain:shm create_shm_perms;
-')
-
-########################################
-## <summary>
-##	Execute bin_t in the unprivileged user domains. This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_bin_spec_domtrans_unpriv_users',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	corecmd_bin_spec_domtrans($1,unpriv_userdomain)
-
-	allow $1 unpriv_userdomain:fd use;
-	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
-	allow unpriv_userdomain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute generic sbin programs in all unprivileged user
-##	domains. This is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_sbin_spec_domtrans_unpriv_users',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	corecmd_sbin_spec_domtrans($1,unpriv_userdomain)
-	
-	allow $1 unpriv_userdomain:fd use;
-	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
-	allow unpriv_userdomain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute all entrypoint files in unprivileged user
-##	domains. This is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_entry_spec_domtrans_unpriv_users',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	domain_entry_file_spec_domtrans($1,unpriv_userdomain)
-
-	allow $1 unpriv_userdomain:fd use;
-	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
-	allow unpriv_userdomain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute a shell in the sysadm domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_shell_domtrans_sysadm',`
-	ifdef(`targeted_policy',`
-		#cjp: need to doublecheck this one
-		unconfined_shell_domtrans($1)
-	',`
-		gen_require(`
-			type sysadm_t;
-		')
-
-		corecmd_shell_domtrans($1,sysadm_t)
-
-		allow $1 sysadm_t:fd use;
-		allow sysadm_t $1:fd use;
-		allow sysadm_t $1:fifo_file rw_file_perms;
-		allow sysadm_t $1:process sigchld;
-	')
-')
-
-########################################
-## <summary>
-##	Execute a generic bin program in the sysadm domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_bin_spec_domtrans_sysadm',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	corecmd_bin_spec_domtrans($1,sysadm_t)
-
-	allow $1 sysadm_t:fd use;
-	allow sysadm_t $1:fd use;
-	allow sysadm_t $1:fifo_file rw_file_perms;
-	allow sysadm_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute a generic sbin program in the sysadm domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_sbin_spec_domtrans_sysadm',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	corecmd_sbin_spec_domtrans($1,sysadm_t)
-
-	allow $1 sysadm_t:fd use;
-	allow sysadm_t $1:fd use;
-	allow sysadm_t $1:fifo_file rw_file_perms;
-	allow sysadm_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute all entrypoint files in the sysadm domain. This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_entry_spec_domtrans_sysadm',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	domain_entry_file_spec_domtrans($1,sysadm_t)
-
-	allow $1 sysadm_t:fd use;
-	allow sysadm_t $1:fd use;
-	allow sysadm_t $1:fifo_file rw_file_perms;
-	allow sysadm_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Allow sysadm to execute a generic bin program in
-##	a specified domain.  This is an explicit transition,
-##	requiring the caller to use setexeccon().
-## </summary>
-## <desc>
-##	<p>
-##	Allow sysadm to execute a generic bin program in
-##	a specified domain.
-##	</p>
-##	<p>
-##	This is a interface to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain to execute in.
-##	</summary>
-## </param>
-#
-interface(`userdom_sysadm_bin_spec_domtrans_to',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	corecmd_bin_spec_domtrans(sysadm_t,$1)
-
-	allow sysadm_t $1:fd use;
-	allow $1 sysadm_t:fd use;
-	allow $1 sysadm_t:fifo_file rw_file_perms;
-	allow $1 sysadm_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Allow sysadm to execute a generic sbin program in
-##	a specified domain.  This is an explicit transition,
-##	requiring the caller to use setexeccon().
-## </summary>
-## <desc>
-##	<p>
-##	Allow sysadm to execute a generic sbin program in
-##	a specified domain.
-##	</p>
-##	<p>
-##	This is a interface to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain to execute in.
-##	</summary>
-## </param>
-#
-interface(`userdom_sysadm_sbin_spec_domtrans_to',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	corecmd_sbin_spec_domtrans(sysadm_t, $1)
-
-	allow sysadm_t $1:fd use;
-	allow $1 sysadm_t:fd use;
-	allow $1 sysadm_t:fifo_file rw_file_perms;
-	allow $1 sysadm_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Allow sysadm to execute all entrypoint files
-##	in the specified domain. This is an explicit
-##	transition, requiring the caller to use setexeccon().
-## </summary>
-## <desc>
-##	<p>
-##	Allow sysadm to execute all entrypoint files
-##	in the specified domain. This is an explicit
-##	transition, requiring the caller to use setexeccon().
-##	</p>
-##	<p>
-##	This is a interface to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain to execute in.
-##	</summary>
-## </param>
-#
-interface(`userdom_sysadm_entry_spec_domtrans_to',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	domain_entry_file_spec_domtrans(sysadm_t, $1)
-
-	allow sysadm_t $1:fd use;
-	allow $1 sysadm_t:fd use;
-	allow $1 sysadm_t:fifo_file rw_file_perms;
-	allow $1 sysadm_t:process sigchld;
-')
-
-########################################
-## <summary>
-##	Search the staff users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_search_staff_home_dirs',`
-	gen_require(`
-		type staff_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 staff_home_dir_t:dir search;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the staff
-##	users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_search_staff_home_dirs',`
-	gen_require(`
-		type staff_home_dir_t;
-	')
-
-	dontaudit $1 staff_home_dir_t:dir search;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete staff
-##	home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_staff_home_dirs',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type user_home_dir_t;
-		')
-
-		files_search_home($1)
-		allow $1 user_home_dir_t:dir manage_dir_perms;
-	',`
-		gen_require(`
-			type staff_home_dir_t;
-		')
-
-		files_search_home($1)
-		allow $1 staff_home_dir_t:dir manage_dir_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to append to the staff
-##	users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_append_staff_home_content_files',`
-	gen_require(`
-		type staff_home_t;
-	')
-
-	dontaudit $1 staff_home_t:file append;
-')
-
-########################################
-## <summary>
-##	Read files in the staff users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_staff_home_content_files',`
-	gen_require(`
-		type staff_home_dir_t, staff_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms;
-	allow $1 staff_home_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to sysadm users.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_sigchld_sysadm',`
-	ifdef(`targeted_policy',`
-		unconfined_sigchld($1)
-	',`
-		gen_require(`
-			type sysadm_t;
-		')
-
-		allow $1 sysadm_t:process sigchld;
-	')
-')
-
-########################################
-## <summary>
-##	Do not audit attepts to get the attributes
-##	of sysadm ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_getattr_sysadm_ttys',`
-	ifdef(`targeted_policy',`
-		term_dontaudit_getattr_unallocated_ttys($1)
-	',`
-		gen_require(`
-			type sysadm_tty_device_t;
-		')
-
-		dontaudit $1 sysadm_tty_device_t:chr_file getattr;
-	')
-')
-
-########################################
-## <summary>
-##	Read and write sysadm ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_use_sysadm_ttys',`
-	ifdef(`targeted_policy',`
-		term_use_unallocated_ttys($1)
-	',`
-		gen_require(`
-			type sysadm_tty_device_t;
-		')
-
-		dev_list_all_dev_nodes($1)
-		term_list_ptys($1)
-		allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to use sysadm ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_use_sysadm_ttys',`
-	ifdef(`targeted_policy',`
-		term_dontaudit_use_unallocated_ttys($1)
-	',`
-		gen_require(`
-			type sysadm_tty_device_t;
-		')
-
-		dontaudit $1 sysadm_tty_device_t:chr_file { read write };
-	')
-')
-
-########################################
-## <summary>
-##	Read and write sysadm ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_use_sysadm_ptys',`
-	ifdef(`targeted_policy',`
-		term_use_generic_ptys($1)
-	',`
-		gen_require(`
-			type sysadm_devpts_t;
-		')
-
-		dev_list_all_dev_nodes($1)
-		term_list_ptys($1)
-		allow $1 sysadm_devpts_t:chr_file rw_term_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Dont audit attempts to read and write sysadm ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_use_sysadm_ptys',`
-	ifdef(`targeted_policy',`
-		term_dontaudit_use_generic_ptys($1)
-	',`
-		gen_require(`
-			type sysadm_devpts_t;
-		')
-
-		dontaudit $1 sysadm_devpts_t:chr_file { read write };
-	')
-')
-
-########################################
-## <summary>
-##	Read and write sysadm ttys and ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_use_sysadm_terms',`
-	userdom_use_sysadm_ttys($1)
-	userdom_use_sysadm_ptys($1)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to use sysadm ttys and ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_use_sysadm_terms',`
-	ifdef(`targeted_policy',`
-		term_dontaudit_use_generic_ptys($1)
-	',`
-		gen_require(`
-			attribute admin_terminal;
-		')
-
-		dontaudit $1 admin_terminal:chr_file { read write };
-	')
-')
-
-########################################
-## <summary>
-##	Inherit and use sysadm file descriptors
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_use_sysadm_fds',`
-	ifdef(`targeted_policy',`
-		unconfined_use_fds($1)
-	',`
-		gen_require(`
-			type sysadm_t;
-		')
-
-		allow $1 sysadm_t:fd use;
-	')
-')
-
-########################################
-## <summary>
-##	Read and write sysadm user unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_rw_sysadm_pipes',`
-	ifdef(`targeted_policy',`
-		#cjp: need to doublecheck this one
-		unconfined_rw_pipes($1)
-	',`
-		gen_require(`
-			type sysadm_t;
-		')
-
-		allow $1 sysadm_t:fifo_file rw_file_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Get the attributes of the sysadm users
-##	home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_getattr_sysadm_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	allow $1 sysadm_home_dir_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	attributes of the sysadm users
-##	home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type user_home_dir_t;
-		')
-
-		dontaudit $1 user_home_dir_t:dir getattr;
-	', `
-		gen_require(`
-			type sysadm_home_dir_t;
-		')
-
-		dontaudit $1 sysadm_home_dir_t:dir getattr;
-	')
-')
-
-########################################
-## <summary>
-##	Search the sysadm users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_search_sysadm_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	allow $1 sysadm_home_dir_t:dir search;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the sysadm
-##	users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_search_sysadm_home_dirs',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type user_home_dir_t;
-		')
-
-		dontaudit $1 user_home_dir_t:dir search_dir_perms;
-	',`
-		gen_require(`
-			type sysadm_home_dir_t;
-		')
-
-		dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-	')
-')
-
-########################################
-## <summary>
-##	List the sysadm users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_list_sysadm_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	allow $1 sysadm_home_dir_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list the sysadm
-##	users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_list_sysadm_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the sysadm
-##	users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_read_sysadm_home_content_files',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type user_home_dir_t, user_home_t;
-		')
-
-		dontaudit $1 user_home_dir_t:dir search_dir_perms;
-		dontaudit $1 user_home_t:file r_file_perms;
-	',`
-		gen_require(`
-			type sysadm_home_dir_t, sysadm_home_t;
-		')
-
-		dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-		dontaudit $1 sysadm_home_t:dir r_file_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Create objects in sysadm home directories
-##	with automatic file type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.
-##	If not specified, file is used.
-##	</summary>
-## </param>
-#
-interface(`userdom_sysadm_home_dir_filetrans',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	allow $1 sysadm_home_dir_t:dir rw_dir_perms;
-	type_transition $1 sysadm_home_dir_t:$3 $2;
-')
-
-########################################
-## <summary>
-##	Search the sysadm users home sub directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_search_sysadm_home_content_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
-	')
-
-	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read files in the sysadm users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_sysadm_home_content_files',`
-	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
-	allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-##	Search all users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_search_all_users_home_dirs',`
-	gen_require(`
-		attribute home_dir_type;
-	')
-
-	files_list_home($1)
-	allow $1 home_dir_type:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List all users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_list_all_users_home_dirs',`
-	gen_require(`
-		attribute home_dir_type;
-	')
-
-	files_list_home($1)
-	allow $1 home_dir_type:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Search all users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_search_all_users_home_content',`
-	gen_require(`
-		attribute home_dir_type, home_type;
-	')
-
-	files_list_home($1)
-	allow $1 { home_dir_type home_type }:dir search;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search all users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_search_all_users_home_content',`
-	gen_require(`
-		attribute home_dir_type, home_type;
-	')
-
-	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read all files in all users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_all_users_home_content_files',`
-	gen_require(`
-		attribute home_type;
-	')
-
-	files_list_home($1)
-	allow $1 home_type:dir r_dir_perms;
-	allow $1 home_type:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete all directories
-##	in all users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_all_users_home_content_dirs',`
-	gen_require(`
-		attribute home_type;
-	')
-
-	files_list_home($1)
-	allow $1 home_type:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete all files
-##	in all users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_all_users_home_content_files',`
-	gen_require(`
-		attribute home_type;
-	')
-
-	files_list_home($1)
-	allow $1 home_type:dir rw_dir_perms;
-	allow $1 home_type:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete all symlinks
-##	in all users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_all_users_home_content_symlinks',`
-	gen_require(`
-		attribute home_type;
-	')
-
-	files_list_home($1)
-	allow $1 home_type:dir rw_dir_perms;
-	allow $1 home_type:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Make the specified domain a privileged
-##	home directory manager.
-## </summary>
-## <desc>
-##	<p>
-##	Make the specified domain a privileged
-##	home directory manager.  This domain will be
-##	able to manage the contents of all users
-##	general home directory content, and create
-##	files with the correct context.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_priveleged_home_dir_manager',`
-	gen_require(`
-		attribute privhome;
-	')
-
-	files_list_home($1)
-	typeattribute $1 privhome;
-')
-
-########################################
-## <summary>
-##	Send general signals to unprivileged user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_signal_unpriv_users',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	allow $1 unpriv_userdomain:process signal;
-')
-
-########################################
-## <summary>
-##	Inherit the file descriptors from unprivileged user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_use_unpriv_users_fds',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	allow $1 unpriv_userdomain:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit the
-##	file descriptors from all user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_use_unpriv_user_fds',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	dontaudit $1 unpriv_userdomain:fd use;
-')
-
-########################################
-## <summary>
-##	Create generic user home directories
-##	with automatic file type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_home_filetrans_generic_user_home_dir',`
-	gen_require(`
-		type user_home_dir_t;
-	')
-
-	files_home_filetrans($1,user_home_dir_t,dir)
-')
-
-########################################
-## <summary>
-##	Search generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_search_generic_user_home_dirs',`
-	gen_require(`
-		type user_home_dir_t;
-	')
-
-	allow $1 user_home_dir_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in generic user home directories
-##	with automatic file type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.
-##	If not specified, file is used.
-##	</summary>
-## </param>
-#
-interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir rw_dir_perms;
-	type_transition $1 user_home_dir_t:$2 user_home_t;
-')
-
-########################################
-## <summary>
-##	Don't audit search on the user home subdirectory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_search_generic_user_home_dirs',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	dontaudit $1 user_home_t:dir search;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	subdirectories of generic user
-##	home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_generic_user_home_content_dirs',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir search_dir_perms;
-	allow $1 user_home_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read files in generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_generic_user_home_content_files',`
-	gen_require(`
-		type user_home_t, user_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir search_dir_perms;
-	allow $1 user_home_t:dir r_dir_perms;
-	allow $1 user_home_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files
-##	in generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_generic_user_home_content_files',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir search_dir_perms;
-	allow $1 user_home_t:dir rw_dir_perms;
-	allow $1 user_home_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic
-##	links in generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_generic_user_home_content_symlinks',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir search_dir_perms;
-	allow $1 user_home_t:dir rw_dir_perms;
-	allow $1 user_home_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete named
-##	pipes in generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_generic_user_home_content_pipes',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir search_dir_perms;
-	allow $1 user_home_t:dir rw_dir_perms;
-	allow $1 user_home_t:fifo_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete named
-##	sockets in generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_generic_user_home_content_sockets',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir search_dir_perms;
-	allow $1 user_home_t:dir rw_dir_perms;
-	allow $1 user_home_t:sock_file create_file_perms;
-')
-
-########################################
-## <summary>
-##	Search all unprivileged users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_search_unpriv_users_home_dirs',`
-	gen_require(`
-		attribute user_home_dir_type;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_type:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read all unprivileged users home directory
-##	files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_unpriv_users_home_content_files',`
-	gen_require(`
-		attribute user_home_dir_type, user_home_type;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_type:dir search_dir_perms;
-	allow $1 user_home_type:dir r_dir_perms;
-	allow $1 user_home_type:lnk_file { getattr read };
-	allow $1 user_home_type:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete directories in
-##	unprivileged users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_unpriv_users_home_content_dirs',`
-	gen_require(`
-		attribute user_home_dir_type, user_home_type;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_type:dir search_dir_perms;
-	allow $1 user_home_type:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files in
-##	unprivileged users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_unpriv_users_home_content_files',`
-	gen_require(`
-		attribute user_home_dir_type, user_home_type;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_type:dir search_dir_perms;
-	allow $1 user_home_type:dir rw_dir_perms;
-	allow $1 user_home_type:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Set the attributes of user ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_setattr_unpriv_users_ptys',`
-	gen_require(`
-		attribute user_ptynode;
-	')
-
-	allow $1 user_ptynode:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read and write unprivileged user ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_use_unpriv_users_ptys',`
-	ifdef(`targeted_policy',`
-		term_use_generic_ptys($1)
-	',`
-		gen_require(`
-			attribute user_ptynode;
-		')
-
-		term_search_ptys($1)
-		allow $1 user_ptynode:chr_file rw_file_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to use unprivileged
-##	user ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_use_unpriv_users_ptys',`
-	ifdef(`targeted_policy',`
-		term_dontaudit_use_generic_ptys($1)
-	',`
-		gen_require(`
-			attribute user_ptynode;
-		')
-
-		dontaudit $1 user_ptynode:chr_file rw_file_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Relabel files to unprivileged user pty types.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_relabelto_unpriv_users_ptys',`
-	gen_require(`
-		attribute user_ptynode;
-	')
-
-	allow $1 user_ptynode:chr_file relabelto;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to relabel files from
-##	unprivileged user pty types.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',`
-	gen_require(`
-		attribute user_ptynode;
-	')
-
-	dontaudit $1 user_ptynode:chr_file relabelfrom;
-')
-
-########################################
-## <summary>
-##	Read all unprivileged users temporary directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_list_unpriv_users_tmp',`
-	ifdef(`targeted_policy',`
-		files_list_tmp($1)
-	',`
-		gen_require(`
-			attribute user_tmpfile;
-		')
-
-		allow $1 user_tmpfile:dir list_dir_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Read all unprivileged users temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_unpriv_users_tmp_files',`
-	ifdef(`targeted_policy',`
-		files_read_generic_tmp_files($1)
-	',`
-		gen_require(`
-			attribute user_tmpfile;
-		')
-
-		allow $1 user_tmpfile:file { read getattr };
-	')
-')
-
-########################################
-## <summary>
-##	Read all unprivileged users temporary symbolic links.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_unpriv_users_tmp_symlinks',`
-	ifdef(`targeted_policy',`
-		files_read_generic_tmp_symlinks($1)
-	',`
-		gen_require(`
-			attribute user_tmpfile;
-		')
-
-		allow $1 user_tmpfile:lnk_file { getattr read };
-	')
-')
-
-########################################
-## <summary>
-##	Write all unprivileged users files in /tmp
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_write_unpriv_users_tmp_files',`
-	gen_require(`
-		attribute user_tmpfile;
-	')
-
-	allow $1 user_tmpfile:file { getattr write append };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to use unprivileged
-##	user ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_use_unpriv_users_ttys',`
-	ifdef(`targeted_policy',`
-		term_dontaudit_use_unallocated_ttys($1)
-	',`
-		gen_require(`
-			attribute user_ttynode;
-		')
-
-		dontaudit $1 user_ttynode:chr_file rw_file_perms;
-	')
-')
-
-########################################
-## <summary>
-##	Read the process state of all user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_all_users_state',`
-	gen_require(`
-		attribute userdomain;
-	')
-
-	allow $1 userdomain:dir search_dir_perms;
-	allow $1 userdomain:file r_file_perms;
-	kernel_search_proc($1)
-')
-
-########################################
-## <summary>
-##	Get the attributes of all user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_getattr_all_users',`
-	gen_require(`
-		attribute userdomain;
-	')
-
-	allow $1 userdomain:process getattr;
-')
-
-########################################
-## <summary>
-##	Inherit the file descriptors from all user domains
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_use_all_users_fds',`
-	gen_require(`
-		attribute userdomain;
-	')
-
-	allow $1 userdomain:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit the file
-##	descriptors from any user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_use_all_users_fds',`
-	gen_require(`
-		attribute userdomain;
-	')
-
-	dontaudit $1 userdomain:fd use;
-')
-
-########################################
-## <summary>
-##	Send general signals to all user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_signal_all_users',`
-	gen_require(`
-		attribute userdomain;
-	')
-
-	allow $1 userdomain:process signal;
-')
-
-########################################
-## <summary>
-##	Send a SIGCHLD signal to all user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_sigchld_all_users',`
-	gen_require(`
-		attribute userdomain;
-	')
-
-	allow $1 userdomain:process sigchld;
-')
-
-########################################
-## <summary>
-##	Create keys for all user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_create_all_users_keys',`
-	ifdef(`strict_policy',`
-		gen_require(`
-			attribute userdomain;
-		')
-
-		allow $1 userdomain:key create;
-	',`
-		unconfined_create_keys($1)
-	')
-')
-
-########################################
-## <summary>
-##	Send a dbus message to all user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_dbus_send_all_users',`
-	gen_require(`
-		attribute userdomain;
-		class dbus send_msg;
-	')
-
-	allow $1 userdomain:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Unconfined access to user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_unconfined',`
-	gen_require(`
-		type user_home_dir_t;
-	')
-
-	allow $1 user_home_dir_t:dir create_dir_perms;
-	files_home_filetrans($1,user_home_dir_t,dir)
-')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
deleted file mode 100644
index cdec392..0000000
--- a/refpolicy/policy/modules/system/userdomain.te
+++ /dev/null
@@ -1,501 +0,0 @@
-
-policy_module(userdomain,1.3.29)
-
-gen_require(`
-	role sysadm_r, staff_r, user_r;
-
-	ifdef(`enable_mls',`
-		role secadm_r;
-		role auditadm_r;
-	')
-')
-
-########################################
-#
-# Declarations
-#
-
-# admin users terminals (tty and pty)
-attribute admin_terminal;
-
-# users home directory
-attribute home_dir_type;
-
-# users home directory contents
-attribute home_type;
-
-# The privhome attribute identifies every domain that can create files under
-# regular user home directories in the regular context (IE act on behalf of
-# a user in writing regular files)
-attribute privhome;
-
-# all unprivileged users home directories
-attribute user_home_dir_type;
-attribute user_home_type;
-
-# all unprivileged users ptys
-attribute user_ptynode;
-
-# all unprivileged users tmp files
-attribute user_tmpfile;
-
-# all unprivileged users ttys
-attribute user_ttynode;
-
-# all user domains
-attribute userdomain;
-
-# unprivileged user domains
-attribute unpriv_userdomain;
-
-attribute untrusted_content_type;
-attribute untrusted_content_tmp_type;
-
-########################################
-#
-# Local policy
-#
-
-define(`role_change',`
-	allow $1_r $2_r;
-	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-	# avoid annoying messages on terminal hangup
-	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
-ifdef(`targeted_policy',`
-	# Define some type aliases to help with compatibility with
-	# macros and domains from the "strict" policy.
-	unconfined_alias_domain(secadm_t)
-	unconfined_alias_domain(auditadm_t)
-	unconfined_alias_domain(sysadm_t)
-
-	# User home directory type.
-	type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
-	files_type(user_home_t)
-	files_associate_tmp(user_home_t)
-	fs_associate_tmpfs(user_home_t)
-
-	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
-	files_type(user_home_dir_t)
-	files_associate_tmp(user_home_dir_t)
-	fs_associate_tmpfs(user_home_dir_t)
-
-	# compatibility for switching from strict
-#	dominance { role secadm_r { role system_r; }}
-#	dominance { role auditadm_r { role system_r; }}
-#	dominance { role sysadm_r { role system_r; }}
-#	dominance { role user_r { role system_r; }}
-#	dominance { role staff_r { role system_r; }}
-
-	# dont need to use the full role_change()
-	allow sysadm_r system_r;
-	allow sysadm_r user_r;
-	allow user_r system_r;
-	allow user_r sysadm_r;
-	allow system_r sysadm_r;
-	allow system_r sysadm_r;
-
-	allow privhome user_home_t:dir manage_dir_perms;
-	allow privhome user_home_t:file create_file_perms;
-	allow privhome user_home_t:lnk_file create_lnk_perms;
-	allow privhome user_home_t:fifo_file create_file_perms;
-	allow privhome user_home_t:sock_file create_file_perms;
-	allow privhome user_home_dir_t:dir rw_dir_perms;
-	type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t;
-	files_search_home(privhome)
-
-	ifdef(`enable_mls',`
-		allow secadm_r system_r;
-		allow auditadm_r system_r;
-		allow secadm_r user_r;
-		allow staff_r secadm_r;
-		allow staff_r auditadm_r;
-	')
-
-	optional_policy(`
-		samba_per_userdomain_template(user)
-	')
-',`
-	admin_user_template(sysadm)
-	unpriv_user_template(staff)
-	unpriv_user_template(user)
-
-	# user role change rules:
-	# sysadm_r can change to user roles
-	role_change(sysadm, user)
-	role_change(sysadm, staff)
-
-	# only staff_r can change to sysadm_r
-	role_change(staff, sysadm)
-
-	ifdef(`enable_mls',`
-		unpriv_user_template(secadm)
-		unpriv_user_template(auditadm)
-
-		role_change(staff,auditadm)
-		role_change(staff,secadm)
-
-		role_change(sysadm,secadm)
-		role_change(sysadm,auditadm)
-
-		role_change(auditadm,secadm)
-		role_change(auditadm,sysadm)
-
-		role_change(secadm,auditadm)
-		role_change(secadm,sysadm)
-	')
-
-	# this should be tunable_policy, but
-	# currently type_change and RBAC allow
-	# do not work in conditionals
-	ifdef(`user_canbe_sysadm',`
-		role_change(user,sysadm)
-	')
-
-	allow privhome home_root_t:dir { getattr search };
-
-	########################################
-	#
-	# Sysadm local policy
-	#
-
-	# for su
-	allow sysadm_t userdomain:fd use;
-
-	# Add/remove user home directories
-	allow sysadm_t user_home_dir_t:dir create_dir_perms;
-	files_home_filetrans(sysadm_t,user_home_dir_t,dir)
-
-	corecmd_exec_shell(sysadm_t)
-
-	mls_process_read_up(sysadm_t)
-
-	init_exec(sysadm_t)
-
-	ifdef(`direct_sysadm_daemon',`
-		optional_policy(`
-			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
-		')
-	',`
-		ifdef(`distro_gentoo',`
-			optional_policy(`
-				seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
-			')
-		')
-	')
-
-	ifdef(`enable_mls',`
-		seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
-		domain_kill_all_domains(auditadm_t)
-	        seutil_read_bin_policy(auditadm_t)
-		corecmd_exec_shell(auditadm_t)
-	        logging_read_generic_logs(auditadm_t)
-		logging_manage_audit_log(auditadm_t)
-		logging_manage_audit_config(auditadm_t)
-		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
-		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
-
-		allow secadm_t self:capability dac_override;
-		corecmd_exec_shell(secadm_t)
-		domain_obj_id_change_exemption(secadm_t)
-		mls_process_read_up(secadm_t)
-		mls_file_read_up(secadm_t)
-		mls_file_write_down(secadm_t)
-		mls_file_upgrade(secadm_t)
-		mls_file_downgrade(secadm_t)
-	        auth_relabel_all_files_except_shadow(secadm_t)
-		auth_relabel_shadow(secadm_t)
-		init_exec(secadm_t)
-		logging_read_audit_log(secadm_t)
-	        logging_read_generic_logs(secadm_t)
-		userdom_dontaudit_append_staff_home_content_files(secadm_t)
-	', `
-		logging_manage_audit_log(sysadm_t)
-		logging_manage_audit_config(sysadm_t)
-		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	tunable_policy(`allow_ptrace',`
-		domain_ptrace_all_domains(sysadm_t)
-	')
-
-	optional_policy(`
-		amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
-		#apache_run_all_scripts(sysadm_t,sysadm_r)
-		#apache_domtrans_sys_script(sysadm_t)
-	')
-
-	optional_policy(`
-		# cjp: why is this not apm_run_client
-		apm_domtrans_client(sysadm_t)
-	')
-
-	optional_policy(`
-		apt_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		backup_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		consoletype_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		clock_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		certwatach_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		cvs_exec(sysadm_t)
-	')
-
-	optional_policy(`
-		consoletype_exec(sysadm_t)
-
-		ifdef(`enable_mls',`
-			consoletype_exec(secadm_t)
-			consoletype_exec(auditadm_t)
-		')
-	')
-
-	optional_policy(`
-		dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
-		dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
-		dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		dmesg_exec(sysadm_t)
-
-		ifdef(`enable_mls',`
-			dmesg_exec(secadm_t)
-			dmesg_exec(auditadm_t)
-		')
-	')
-
-	optional_policy(`
-		dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		dpkg_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
-	')
-
-	optional_policy(`
-		fstools_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		hostname_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		# allow system administrator to use the ipsec script to look
-		# at things (e.g., ipsec auto --status)
-		# probably should create an ipsec_admin role for this kind of thing
-		ipsec_exec_mgmt(sysadm_t)
-		ipsec_stream_connect(sysadm_t)
-		# for lsof
-		ipsec_getattr_key_sockets(sysadm_t)
-	')
-
-	optional_policy(`
-		iptables_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		lvm_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		logrotate_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		kudzu_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
-		modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
-		modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		mount_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		mysql_stream_connect(sysadm_t)
-	')
-
-	optional_policy(`
-		netutils_run(sysadm_t,sysadm_r,admin_terminal)
-		netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
-		netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		rpc_domtrans_nfsd(sysadm_t)
-	')
-
-	optional_policy(`
-		munin_stream_connect(sysadm_t)
-	')
-
-	optional_policy(`
-		ntp_stub()
-		corenet_udp_bind_ntp_port(sysadm_t)
-	')
-
-	optional_policy(`
-		oav_run_update(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		portage_run(sysadm_t,sysadm_r,admin_terminal)
-		portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		quota_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		radius_use(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		rpm_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		rsync_exec(sysadm_t)
-	')
-
-	optional_policy(`
-		samba_run_net(sysadm_t,sysadm_r,admin_terminal)
-		samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
-		seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
-
-		ifdef(`enable_mls',`
-			selinux_set_enforce_mode(secadm_t)
-			selinux_set_boolean(secadm_t)
-			selinux_set_parameters(secadm_t)
-
-			seutil_manage_bin_policy(secadm_t)
-			seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
-			seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
-			seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
-			seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
-			seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
-		', `
-			selinux_set_enforce_mode(sysadm_t)
-			selinux_set_boolean(sysadm_t)
-			selinux_set_parameters(sysadm_t)
-
-			seutil_manage_bin_policy(sysadm_t)
-			seutil_run_checkpolicy(sysadm_t,sysadm_r,admin_terminal)
-			seutil_run_loadpolicy(sysadm_t,sysadm_r,admin_terminal)
-			seutil_run_semanage(sysadm_t,sysadm_r,admin_terminal)
-			seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
-		')
-	')
-
-	optional_policy(`
-		sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
-		sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
-		tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
-		tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
-		tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
-		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
-		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		vpn_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		webalizer_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
-	optional_policy(`
-		yam_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-')
diff --git a/refpolicy/policy/modules/system/xen.fc b/refpolicy/policy/modules/system/xen.fc
deleted file mode 100644
index 339e7a9..0000000
--- a/refpolicy/policy/modules/system/xen.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-/usr/sbin/xenconsoled	--	gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-/usr/sbin/xend		--	gen_context(system_u:object_r:xend_exec_t,s0)
-/usr/sbin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
-/usr/sbin/xm		--	gen_context(system_u:object_r:xm_exec_t,s0)
-
-/var/lib/xen(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
-/var/lib/xend(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
-/var/lib/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_lib_t,s0)
-
-/var/log/xen-hotplug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
-/var/log/xend\.log	--	gen_context(system_u:object_r:xend_var_log_t,s0)
-/var/log/xend-debug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
-
-/var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
-/var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
-/var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
-/var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
-/var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
-
-/xen(/.*)?			gen_context(system_u:object_r:xen_image_t,s0)
diff --git a/refpolicy/policy/modules/system/xen.if b/refpolicy/policy/modules/system/xen.if
deleted file mode 100644
index bfdc355..0000000
--- a/refpolicy/policy/modules/system/xen.if
+++ /dev/null
@@ -1,129 +0,0 @@
-## <summary>Xen hypervisor</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run xend.
-## </summary>
-## <param name="domain">
-## 	<summary>
-##	Domain allowed to transition.
-## 	</summary>
-## </param>
-#
-interface(`xen_domtrans',`
-	gen_require(`
-		type xend_t, xend_exec_t;
-	')
-
-	domain_auto_trans($1,xend_exec_t,xend_t)
-
-	allow $1 xend_t:fd use;
-	allow xend_t $1:fd use;
-	allow xend_t $1:fifo_file rw_file_perms;
-	allow xend_t $1:process sigchld;
-')
-
-
-########################################
-## <summary>
-##	Allow the specified domain to append
-##	xend log files.
-## </summary>
-## <param name="domain">
-## 	<summary>
-##	Domain allowed to transition.
-## 	</summary>
-## </param>
-#
-interface(`xen_append_log',`
-	gen_require(`
-		type var_log_t, xend_var_log_t;
-	')
-
-	logging_search_logs($1)
-	allow $1 xend_var_log_t:file { getattr append };
-	dontaudit $1 xend_var_log_t:file write;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write
-##	Xen unix domain stream sockets.  These
-##	are leaked file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`xen_dontaudit_rw_unix_stream_sockets',`
-       gen_require(`
-               type xend_t;
-       ')
-
-       dontaudit $1 xend_t:unix_stream_socket { read write };
-')
-
-########################################
-## <summary>
-##	Connect to xenstored over an unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xen_stream_connect_xenstore',`
-	gen_require(`
-		type xenstored_t, xenstored_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 xenstored_var_run_t:dir search;
-	allow $1 xenstored_var_run_t:sock_file { getattr write };
-	allow $1 xenstored_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Connect to xend over an unix domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xen_stream_connect',`
-	gen_require(`
-		type xend_t, xend_var_run_t;
-	')
-
-	files_search_pids($1)
-	allow $1 xend_var_run_t:dir search;
-	allow $1 xend_var_run_t:sock_file { getattr write };
-	allow $1 xend_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Execute a domain transition to run xm.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`xen_domtrans_xm',`
-	gen_require(`
-		type xm_t, xm_exec_t;
-	')
-
-	domain_auto_trans($1,xm_exec_t,xm_t)
-	allow xm_t $1:fd use;
-	allow xm_t $1:fifo_file rw_file_perms;
-	allow xm_t $1:process sigchld;
-')
diff --git a/refpolicy/policy/modules/system/xen.te b/refpolicy/policy/modules/system/xen.te
deleted file mode 100644
index 4f80cc0..0000000
--- a/refpolicy/policy/modules/system/xen.te
+++ /dev/null
@@ -1,302 +0,0 @@
-
-policy_module(xen,1.0.7)
-
-########################################
-#
-# Declarations
-#
-
-# console ptys
-type xen_devpts_t;
-term_pty(xen_devpts_t);
-files_type(xen_devpts_t);
-
-# Xen Image files
-type xen_image_t; # customizable
-files_type(xen_image_t)
-
-type xend_t;
-type xend_exec_t;
-domain_type(xend_t)
-init_daemon_domain(xend_t, xend_exec_t)
-
-# var/lib files
-type xend_var_lib_t;
-files_type(xend_var_lib_t)
-# for mounting an NFS store
-files_mountpoint(xend_var_lib_t)
-
-# log files
-type xend_var_log_t;
-logging_log_file(xend_var_log_t)
-
-# pid files
-type xend_var_run_t;
-files_pid_file(xend_var_run_t)
-
-type xenstored_t;
-type xenstored_exec_t;
-domain_type(xenstored_t)
-domain_entry_file(xenstored_t,xenstored_exec_t)
-role system_r types xenstored_t;
-
-# var/lib files
-type xenstored_var_lib_t;
-files_type(xenstored_var_lib_t)
-
-# pid files
-type xenstored_var_run_t;
-files_pid_file(xenstored_var_run_t)
-
-type xenconsoled_t;
-type xenconsoled_exec_t;
-domain_type(xenconsoled_t)
-domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
-role system_r types xenconsoled_t;
-
-# pid files
-type xenconsoled_var_run_t;
-files_pid_file(xenconsoled_var_run_t)
-
-type xm_t;
-type xm_exec_t;
-domain_type(xm_t)
-init_daemon_domain(xm_t, xm_exec_t)
-
-########################################
-#
-# xend local policy
-#
-
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
-allow xend_t self:process { signal sigkill };
-# internal communication is often done using fifo and unix sockets.
-allow xend_t self:fifo_file rw_file_perms;
-allow xend_t self:unix_stream_socket create_stream_socket_perms;
-allow xend_t self:unix_dgram_socket create_socket_perms;
-allow xend_t self:netlink_route_socket r_netlink_socket_perms;
-allow xend_t self:tcp_socket create_stream_socket_perms;
-allow xend_t self:packet_socket create_socket_perms;
-
-allow xend_t xen_image_t:dir r_dir_perms;
-allow xend_t xen_image_t:file r_file_perms;
-
-# pid file
-allow xend_t xend_var_run_t:file manage_file_perms;
-allow xend_t xend_var_run_t:sock_file manage_file_perms;
-allow xend_t xend_var_run_t:dir { setattr rw_dir_perms };
-files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
-
-# log files
-allow xend_t xend_var_log_t:file create_file_perms;
-allow xend_t xend_var_log_t:sock_file create_file_perms;
-allow xend_t xend_var_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
-
-# var/lib files for xend
-allow xend_t xend_var_lib_t:file create_file_perms;
-allow xend_t xend_var_lib_t:sock_file create_file_perms;
-allow xend_t xend_var_lib_t:fifo_file create_file_perms;
-allow xend_t xend_var_lib_t:dir create_dir_perms;
-files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
-
-# transition to store
-domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
-allow xenstored_t xend_t:fd use;
-allow xenstored_t xend_t:process sigchld;
-allow xenstored_t xend_t:fifo_file write;
-
-# transition to console
-domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
-allow xenconsoled_t xend_t:fd use;
-
-kernel_read_kernel_sysctls(xend_t)
-kernel_read_system_state(xend_t)
-kernel_write_xen_state(xend_t)
-kernel_read_xen_state(xend_t)
-kernel_rw_net_sysctls(xend_t)
-kernel_read_network_state(xend_t)
-
-corecmd_exec_sbin(xend_t)
-corecmd_exec_bin(xend_t)
-corecmd_exec_shell(xend_t)
-
-corenet_non_ipsec_sendrecv(xend_t)
-corenet_tcp_sendrecv_all_if(xend_t)
-corenet_tcp_sendrecv_all_nodes(xend_t)
-corenet_tcp_sendrecv_all_ports(xend_t)
-corenet_tcp_bind_all_nodes(xend_t)
-corenet_tcp_bind_xen_port(xend_t)
-corenet_tcp_bind_soundd_port(xend_t)
-corenet_sendrecv_xen_server_packets(xend_t)
-corenet_sendrecv_soundd_server_packets(xend_t)
-
-dev_read_urand(xend_t)
-dev_manage_xen(xend_t)
-dev_filetrans_xen(xend_t)
-dev_rw_sysfs(xend_t)
-
-domain_read_all_domains_state(xend_t)
-domain_dontaudit_read_all_domains_state(xend_t)
-
-files_read_etc_files(xend_t)
-files_read_kernel_symbol_table(xend_t)
-files_read_kernel_img(xend_t)
-files_manage_etc_runtime_files(xend_t)
-files_etc_filetrans_etc_runtime(xend_t,file)
-
-storage_raw_read_fixed_disk(xend_t)
-
-term_dontaudit_getattr_all_user_ptys(xend_t)
-term_dontaudit_use_generic_ptys(xend_t)
-
-init_use_fds(xend_t)
-
-libs_use_ld_so(xend_t)
-libs_use_shared_libs(xend_t)
-
-logging_send_syslog_msg(xend_t)
-
-miscfiles_read_localization(xend_t)
-
-sysnet_domtrans_dhcpc(xend_t)
-sysnet_signal_dhcpc(xend_t)
-sysnet_domtrans_ifconfig(xend_t)
-sysnet_dns_name_resolve(xend_t)
-sysnet_delete_dhcpc_pid(xend_t)
-sysnet_read_dhcpc_pid(xend_t)
-
-xen_stream_connect_xenstore(xend_t)
-
-netutils_domtrans(xend_t)
-
-optional_policy(`
-	consoletype_domtrans(xend_t)
-')
-
-########################################
-#
-# Xen console local policy
-#
-
-allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
-allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
-allow xenconsoled_t self:fifo_file { read write };
-
-allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
-
-# pid file
-allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms;
-allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
-allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
-
-kernel_read_kernel_sysctls(xenconsoled_t)
-kernel_write_xen_state(xenconsoled_t)
-kernel_read_xen_state(xenconsoled_t)
-
-term_create_pty(xenconsoled_t,xen_devpts_t);
-term_dontaudit_use_generic_ptys(xenconsoled_t)
-term_use_console(xenconsoled_t)
-
-init_use_fds(xenconsoled_t)
-
-libs_use_ld_so(xenconsoled_t)
-libs_use_shared_libs(xenconsoled_t)
-
-miscfiles_read_localization(xenconsoled_t)
-
-xen_append_log(xenconsoled_t)
-xen_stream_connect_xenstore(xenconsoled_t)
-
-########################################
-#
-# Xen store local policy
-#
-
-allow xenstored_t self:capability { dac_override mknod ipc_lock };
-allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
-allow xenstored_t self:unix_dgram_socket create_socket_perms;
-
-# pid file
-allow xenstored_t xenstored_var_run_t:file manage_file_perms;
-allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms;
-allow xenstored_t xenstored_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
-
-# var/lib files for xenstored
-allow xenstored_t xenstored_var_lib_t:file create_file_perms;
-allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
-allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
-files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
-
-kernel_write_xen_state(xenstored_t)
-kernel_read_xen_state(xenstored_t)
-
-dev_create_generic_dirs(xenstored_t)
-dev_manage_xen(xenconsoled_t)
-dev_filetrans_xen(xenstored_t)
-dev_rw_xen(xenstored_t)
-
-term_dontaudit_use_generic_ptys(xenstored_t)
-term_dontaudit_use_console(xenconsoled_t)
-
-init_use_fds(xenstored_t)
-
-libs_use_ld_so(xenstored_t)
-libs_use_shared_libs(xenstored_t)
-
-logging_send_syslog_msg(xenstored_t)
-
-miscfiles_read_localization(xenstored_t)
-
-xen_append_log(xenstored_t)
-
-########################################
-#
-# xm local policy
-#
-
-allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
-
-# internal communication is often done using fifo and unix sockets.
-allow xm_t self:fifo_file { read write };
-allow xm_t self:unix_stream_socket create_stream_socket_perms;
-
-allow xm_t xend_var_lib_t:dir rw_dir_perms;
-allow xm_t xend_var_lib_t:fifo_file create_file_perms;
-allow xm_t xend_var_lib_t:file create_file_perms;
-files_search_var_lib(xm_t)
-
-allow xm_t xen_image_t:dir rw_dir_perms;
-allow xm_t xen_image_t:file r_file_perms;
-
-kernel_read_system_state(xm_t)
-kernel_read_kernel_sysctls(xm_t)
-kernel_read_xen_state(xm_t)
-kernel_write_xen_state(xm_t)
-
-corecmd_exec_bin(xm_t)
-corecmd_exec_sbin(xm_t)
-
-dev_read_urand(xm_t)
-
-files_read_etc_runtime_files(xm_t)
-files_read_usr_files(xm_t)
-files_list_mnt(xm_t)
-# Some common macros (you might be able to remove some)
-files_read_etc_files(xm_t)
-
-term_use_all_terms(xm_t)
-
-init_rw_script_stream_sockets(xm_t)
-init_use_fds(xm_t)
-
-libs_use_ld_so(xm_t)
-libs_use_shared_libs(xm_t)
-
-miscfiles_read_localization(xm_t)
-
-xen_append_log(xm_t)
-xen_stream_connect(xm_t)
-xen_stream_connect_xenstore(xm_t)
diff --git a/refpolicy/policy/rolemap b/refpolicy/policy/rolemap
deleted file mode 100644
index 3e8d368..0000000
--- a/refpolicy/policy/rolemap
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-# This file contains the mappings
-# used for per-userdomain template
-# infrastructure.  Each line describes
-# the prefix and user domain type
-# corresponding to each role.
-#
-# syntax: role prefix user_domain
-#
-
-ifdef(`strict_policy',`
-	user_r user user_t
-	staff_r staff staff_t
-	sysadm_r sysadm sysadm_t
-
-	ifdef(`enable_mls',`
-		secadm_r secadm secadm_t
-		auditadm_r auditadm auditadm_t
-	')
-')
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
deleted file mode 100644
index b30be16..0000000
--- a/refpolicy/policy/support/loadable_module.spt
+++ /dev/null
@@ -1,170 +0,0 @@
-########################################
-#
-# Macros for switching between source policy
-# and loadable policy module support
-#
-
-##############################
-#
-# For adding the module statement
-#
-define(`policy_module',`
-	ifndef(`self_contained_policy',`
-		module $1 $2;
-
-		require {
-			role system_r;
-			all_kernel_class_perms
-		}
-	')
-')
-
-##############################
-#
-# For use in interfaces, to optionally insert a require block
-#
-define(`gen_require',`
-	ifdef(`self_contained_policy',`
-		ifdef(`__in_optional_policy',`
-			require {
-				$1
-			} # end require
-		')
-	',`
-		require {
-			$1
-		} # end require
-	')
-')
-
-# helper function, since m4 wont expand macros
-# if a line is a comment (#):
-define(`policy_m4_comment',`
-##### $2 depth: $1
-')dnl
-
-##############################
-#
-# In the future interfaces should be in loadable modules
-#
-# template(name,rules)
-#
-define(`template',` dnl
-	ifdef(`$1',`errprint(__file__:__line__`: duplicate definition of $1(). Original definition on '$1. __endline__) define(`__if_error')',`define(`$1',__line__)') dnl
-	`define(`$1',` dnl
-	define(`policy_temp',incr(policy_call_depth)) dnl
-	pushdef(`policy_call_depth',policy_temp) dnl
-	undefine(`policy_temp') dnl
-	policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
-	$2 dnl
-	define(`policy_temp',decr(policy_call_depth)) dnl
-	pushdef(`policy_call_depth',policy_temp) dnl
-	undefine(`policy_temp') dnl
-	policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
-	'')
-')
-
-##############################
-#
-# In the future interfaces should be in loadable modules
-#
-# interface(name,rules)
-#
-define(`interface',` dnl
-	ifdef(`$1',`errprint(__file__:__line__`: duplicate definition of $1(). Original definition on '$1. __endline__) define(`__if_error')',`define(`$1',__line__)') dnl
-	`define(`$1',` dnl
-	define(`policy_temp',incr(policy_call_depth)) dnl
-	pushdef(`policy_call_depth',policy_temp) dnl
-	undefine(`policy_temp') dnl
-	policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
-	$2
-	define(`policy_temp',decr(policy_call_depth)) dnl
-	pushdef(`policy_call_depth',policy_temp) dnl
-	undefine(`policy_temp') dnl
-	policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
-	'')
-')
-
-define(`policy_call_depth',0)
-
-##############################
-#
-# Optional policy handling
-#
-define(`optional_policy',`
-	ifelse(regexp(`$1',`\W'),`-1',`
-		errprint(__file__:__line__`: deprecated use of module name ($1) as first parameter of optional_policy() block.' __endline__)
-		optional_policy(shift($*))
-	',`
-		optional {`'pushdef(`__in_optional_policy')
-			$1
-		ifelse(`$2',`',`',`} else {
-			$2
-		')}`'popdef(`__in_optional_policy')`'ifndef(`__in_optional_policy',` # end optional')
-	')
-')
-
-##############################
-#
-# Determine if we should use the default
-# tunable value as specified by the policy
-# or if the override value should be used
-#
-define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
-
-##############################
-#
-# Extract booleans out of an expression.
-# This needs to be reworked so expressions
-# with parentheses can work.
-
-define(`delcare_required_symbols',`
-ifelse(regexp($1, `\w'), -1, `', `dnl
-bool regexp($1, `\(\w+\)', `\1');
-delcare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
-') dnl
-')
-
-##############################
-#
-# Tunable declaration
-#
-define(`gen_tunable',`
-	ifdef(`self_contained_policy',`
-		bool $1 dflt_or_overr(`$1'_conf,$2);
-	',`
-		# loadable module tunable
-		# declaration will go here
-		# instead of bool when
-		# loadable modules support
-		# tunables
-		bool $1 dflt_or_overr(`$1'_conf,$2);
-	')
-')
-
-##############################
-#
-# Tunable policy handling
-#
-define(`tunable_policy',`
-	ifdef(`self_contained_policy',`
-		if (`$1') {
-			$2
-		ifelse(`$3',`',`',`} else {
-			$3
-		')}
-	',`
-		# structure for tunables
-		# will go here instead of a
-		# conditional when loadable
-		# modules support tunables
-		gen_require(`
-			delcare_required_symbols(`$1')
-		')
-		if (`$1') {
-			$2
-		ifelse(`$3',`',`',`} else {
-			$3
-		')}
-	')
-')
diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt
deleted file mode 100644
index 3471b66..0000000
--- a/refpolicy/policy/support/misc_macros.spt
+++ /dev/null
@@ -1,61 +0,0 @@
-
-########################################
-#
-# Helper macros
-#
-
-#
-# shiftn(num,list...)
-#
-# shift the list num times
-#
-define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
-
-#
-# ifndef(expr,true_block,false_block)
-#
-# m4 does not have this.
-#
-define(`ifndef',`ifdef(`$1',`$3',`$2')')
-
-#
-# __endline__
-#
-# dummy macro to insert a newline.  used for 
-# errprint, so the close parentheses can be
-# indented correctly.
-#
-define(`__endline__',`
-')
-
-########################################
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
-#
-define(`gen_user',`dnl
-ifdef(`users_extra',`dnl
-ifelse(`$2',,,`user $1 prefix $2;')
-',`dnl
-user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
-')dnl
-')
-
-########################################
-#
-# gen_context(context,mls_sensitivity,[mcs_categories])
-#
-define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
-
-########################################
-#
-# can_exec(domain,executable)
-#
-define(`can_exec',`allow $1 $2:file { rx_file_perms execute_no_trans };')
-
-########################################
-#
-# gen_bool(name,default_value)
-#
-define(`gen_bool',`
-	bool $1 dflt_or_overr(`$1'_conf,$2);
-')
diff --git a/refpolicy/policy/support/obj_perm_sets.spt b/refpolicy/policy/support/obj_perm_sets.spt
deleted file mode 100644
index eea1598..0000000
--- a/refpolicy/policy/support/obj_perm_sets.spt
+++ /dev/null
@@ -1,226 +0,0 @@
-########################################
-# 
-# Support macros for sets of object classes and permissions
-#
-# This file should only have object class and permission set macros - they
-# can only reference object classes and/or permissions.
-
-#
-# All directory and file classes
-#
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# All non-directory file classes.
-#
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# Non-device file classes.
-#
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-
-#
-# Device file classes.
-#
-define(`devfile_class_set', `{ chr_file blk_file }')
-
-#
-# All socket classes.
-#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
-
-
-#
-# Datagram socket classes.
-# 
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-
-#
-# Stream socket classes.
-#
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-
-#
-# Unprivileged socket classes (exclude rawip, netlink, packet).
-#
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-########################################
-# 
-# Macros for sets of permissions
-#
-
-# 
-# Permissions for getting file attributes.
-#
-define(`stat_file_perms', `{ getattr }')
-
-# 
-# Permissions for executing files.
-#
-define(`x_file_perms', `{ getattr execute }')
-
-# 
-# Permissions for reading files and their attributes.
-#
-define(`r_file_perms', `{ read getattr lock ioctl }')
-
-# 
-# Permissions for reading and executing files.
-#
-define(`rx_file_perms', `{ read getattr lock execute ioctl }')
-
-# 
-# Permissions for reading and appending to files.
-#
-define(`ra_file_perms', `{ ioctl read getattr lock append }')
-
-#
-# Permissions for linking, unlinking and renaming files.
-# 
-define(`link_file_perms', `{ getattr link unlink rename }')
-
-#
-# Permissions for creating lnk_files.
-#
-define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
-
-#
-# Permissions for creating and using files.
-# 
-define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
-
-# 
-# Permissions for reading directories and their attributes.
-#
-define(`r_dir_perms', `{ read getattr lock search ioctl }')
-
-# 
-# Permissions for reading and writing directories and their attributes.
-#
-define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
-
-# 
-# Permissions for reading and adding names to directories.
-#
-define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
-
-
-#
-# Permissions for creating and using directories.
-# 
-define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
-
-#
-# Permissions to mount and unmount file systems.
-#
-define(`mount_fs_perms', `{ mount remount unmount getattr }')
-
-#
-# Permissions for using sockets.
-# 
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`create_socket_perms', `{ create rw_socket_perms }')
-
-#
-# Permissions for using stream sockets.
-# 
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-
-#
-# Permissions for creating and using stream sockets.
-# 
-define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
-
-
-#
-# Permissions for creating and using netlink sockets.
-# 
-define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that modify state.
-# 
-define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that observe state.
-# 
-define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
-
-#
-# Permissions for sending all signals.
-#
-define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
-
-#
-# Permissions for sending and receiving network packets.
-#
-define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
-
-#
-# Permissions for using System V IPC
-#
-define(`r_sem_perms', `{ associate getattr read unix_read }')
-define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
-define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
-define(`r_msgq_perms', `{ associate getattr read unix_read }')
-define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
-define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
-define(`r_shm_perms', `{ associate getattr read unix_read }')
-define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
-define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
-
-########################################
-#
-# New permission sets
-#
-
-#
-# Directory
-#
-define(`search_dir_perms',`{ getattr search }')
-define(`getattr_dir_perms',`{ getattr }')
-define(`setattr_dir_perms',`{ setattr }')
-define(`list_dir_perms',`{ getattr search read lock ioctl }')
-define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }')
-define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }')
-define(`manage_dir_perms',`{ create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
-
-#
-# File
-#
-define(`getattr_file_perms',`{ getattr }')
-define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`append_file_perms',`{ getattr append lock ioctl }')
-define(`write_file_perms',`{ getattr write append lock ioctl }')
-define(`rw_file_perms',`{ getattr read write append ioctl lock }')
-define(`delete_file_perms',`{ getattr unlink }')
-define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
-
-#
-# Use (read and write) terminals
-#
-define(`rw_term_perms', `{ getattr read write ioctl }')
-
-#
-# Sockets
-#
-define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
-define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
deleted file mode 100644
index fecd3c3..0000000
--- a/refpolicy/policy/users
+++ /dev/null
@@ -1,51 +0,0 @@
-
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-ifdef(`targeted_policy',`
-gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
-',`
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
-')
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-ifdef(`targeted_policy',`
-	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
-',`
-	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
-	',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
-	')
-')
diff --git a/refpolicy/support/Makefile.devel b/refpolicy/support/Makefile.devel
deleted file mode 100644
index 0163f2f..0000000
--- a/refpolicy/support/Makefile.devel
+++ /dev/null
@@ -1,192 +0,0 @@
-
-# helper tools
-AWK ?= gawk
-INSTALL ?= install
-M4 ?= m4
-SED ?= sed
-EINFO ?= echo
-PYTHON ?= python
-
-NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
-SHAREDIR ?= /usr/share/selinux
-HEADERDIR ?= $(SHAREDIR)/$(NAME)/include
-
-include $(HEADERDIR)/build.conf
-
-# executables
-PREFIX := /usr
-BINDIR := $(PREFIX)/bin
-SBINDIR := $(PREFIX)/sbin
-CHECKMODULE := $(BINDIR)/checkmodule
-SEMODULE := $(SBINDIR)/semodule
-SEMOD_PKG := $(BINDIR)/semodule_package
-XMLLINT := $(BINDIR)/xmllint
-
-# set default build options if missing
-TYPE ?= strict
-DIRECT_INITRC ?= n
-POLY ?= n
-QUIET ?= y
-
-genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
-
-docs = doc
-polxml = $(docs)/policy.xml
-xmldtd = $(HEADERDIR)/support/policy.dtd
-layerxml = metadata.xml
-
-globaltun = $(HEADERDIR)/global_tunables.xml
-globalbool = $(HEADERDIR)/global_booleans.xml
-
-# compile strict policy if requested.
-ifneq ($(findstring strict,$(TYPE)),)
-	M4PARAM += -D strict_policy
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
-	M4PARAM += -D targeted_policy
-endif
-
-# enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
-	M4PARAM += -D enable_mls
-	CHECKPOLICY += -M
-	CHECKMODULE += -M
-endif
-
-# enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
-	M4PARAM += -D enable_mcs
-	CHECKPOLICY += -M
-	CHECKMODULE += -M
-endif
-
-# enable distribution-specific policy
-ifneq ($(DISTRO),)
-	M4PARAM += -D distro_$(DISTRO)
-endif
-
-# enable polyinstantiation
-ifeq ($(POLY),y)
-	M4PARAM += -D enable_polyinstantiation
-endif
-
-ifeq ($(DIRECT_INITRC),y)
-	M4PARAM += -D direct_sysadm_daemon
-endif
-
-ifeq ($(QUIET),y)
-	verbose := @
-endif
-
-M4PARAM += -D hide_broken_symptoms
-
-# policy headers
-m4support = $(wildcard $(HEADERDIR)/support/*.spt)
-all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
-all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
-rolemap = $(HEADERDIR)/rolemap
-
-detected_layers =  $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
-3rd_party_mods = $(wildcard *.te)
-detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
-detected_ifs = $(detected_mods:.te=.if)
-detected_fcs = $(detected_mods:.te=.fc)
-all_packages = $(notdir $(detected_mods:.te=.pp))
-
-vpath %.te $(detected_layers)
-vpath %.if $(detected_layers)
-vpath %.fc $(detected_layers)
-
-# if there are modules in the current directory, add them into the third party layer
-ifneq "$(3rd_party_mods)" ""
-        genxml += -3 .
-endif
-
-########################################
-#
-# Functions
-#
-
-# parse-rolemap modulename,outputfile
-define parse-rolemap
-	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-endef
-
-# peruser-expansion modulename,outputfile
-define peruser-expansion
-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
-	$(call parse-rolemap,$1,$2)
-	$(verbose) echo "')" >> $2
-endef
-
-.PHONY: clean all xml
-.SUFFIXES:
-.SUFFIXES: .pp
-# broken in make 3.81:
-#.SECONDARY:
-
-########################################
-#
-# Main targets
-#
-
-all: $(all_packages)
-
-xml: $(polxml)
-
-########################################
-#
-# Build module packages
-#
-tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
-	@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
-	@test -d tmp || mkdir -p tmp
-	$(call peruser-expansion,$(basename $(@F)),$@.role)
-	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
-tmp/%.mod.fc: $(m4support) %.fc
-	$(verbose) $(M4) $(M4PARAM) $^ > $@
-
-%.pp: tmp/%.mod tmp/%.mod.fc
-	@echo "Creating $(NAME) $(@F) policy package"
-	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
-
-tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
-	@test -d tmp || mkdir -p tmp
-	$(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
-
-# so users dont have to make empty .fc and .if files
-$(detected_ifs) $(detected_fcs):
-	@touch $@
-
-########################################
-#
-# Documentation generation
-#
-
-# minimal dependencies here, because we don't want to rebuild
-# this and its dependents every time the dependencies
-# change.  Also use all .if files here, rather then just the
-# enabled modules.
-$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
-	@echo "Creating $@"
-	@mkdir -p doc
-	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
-	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(xmldtd)">' >> $@
-	$(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
-	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
-		$(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
-	fi
-
-########################################
-#
-# Clean the environment
-#
-
-clean:
-	rm -fR tmp
-	rm -f *.pp
diff --git a/refpolicy/support/comment_move_decl.sed b/refpolicy/support/comment_move_decl.sed
deleted file mode 100644
index 1d098d5..0000000
--- a/refpolicy/support/comment_move_decl.sed
+++ /dev/null
@@ -1,13 +0,0 @@
-# comment out lines that are moved by the build
-# process, so line numbers provided by m4 are preserved.
-
-# lines in require and optional blocks are not moved
-/require \{/,/} # end require/b nextline
-/optional \{/,/} # end optional/b nextline
-
-/^[[:blank:]]*(attribute|type(alias)?) /	s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
-
-:nextline
diff --git a/refpolicy/support/fc_sort.c b/refpolicy/support/fc_sort.c
deleted file mode 100644
index 6c43035..0000000
--- a/refpolicy/support/fc_sort.c
+++ /dev/null
@@ -1,558 +0,0 @@
-/* Copyright 2005, Tresys Technology 
- * 
- * Some parts of this came from matchpathcon.c in libselinux
- */
-
-/* PURPOSE OF THIS PROGRAM
- * The original setfiles sorting algorithm did not take into 
- * account regular expression specificity. With the current 
- * strict and targeted policies this is not an issue because 
- * the file contexts are partially hand sorted and concatenated 
- * in the right order so that the matches are generally correct.
- * The way reference policy and loadable policy modules handle
- * file contexts makes them come out in an unpredictable order
- * and therefore setfiles (or this standalone tool) need to sort
- * the regular expressions in a deterministic and stable way.
- */
-
-#define BUF_SIZE 4096;
-#define _GNU_SOURCE
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-typedef unsigned char bool_t;
-
-/* file_context_node
- * A node used in a linked list of file contexts.c
- * Each node contains the regular expression, the type and 
- *  the context, as well as information about the regular
- *  expression. The regular expression data (meta, stem_len
- *  and str_len) can be filled in by using the fc_fill_data
- *  function after the regular expression has been loaded.
- * next points to the next node in the linked list.
- */
-typedef struct file_context_node {
-	char *path;
-	char *file_type;
-	char *context;
-	bool_t meta;
-	int stem_len;
-	int str_len;
-	struct file_context_node *next;
-} file_context_node_t;
-
-void file_context_node_destroy(file_context_node_t *x)
-{
-	free(x->path);
-	free(x->file_type);
-	free(x->context);
-}
-
-
-
-/* file_context_bucket
- * A node used in a linked list of buckets that contain
- *  file_context_node's.
- * Each node contains a pointer to a file_context_node which
- *  is the header of its linked list. This linked list is the
- *  content of this bucket.
- * next points to the next bucket in the linked list.
- */
-typedef struct file_context_bucket {
-	file_context_node_t *data;
-	struct file_context_bucket *next;
-} file_context_bucket_t;
-
-
-
-/* fc_compare
- * Compares two file contexts' regular expressions and returns:
- *    -1 if a is less specific than b
- *     0 if a and be are equally specific
- *     1 if a is more specific than b
- * The comparison is based on the following statements,
- *  in order from most important to least important, given a and b:
- *     If a is a regular expression and b is not,
- *      -> a is less specific than b.
- *     If a's stem length is shorter than b's stem length,
- *      -> a is less specific than b.
- *     If a's string length is shorter than b's string length,
- *      -> a is less specific than b.
- *     If a does not have a specified type and b does not,
- *      -> a is less specific than b.
- */
-int fc_compare(file_context_node_t *a, file_context_node_t *b)
-{
-	/* Check to see if either a or b have meta characters
-	 *  and the other doesn't. */
-	if (a->meta && !b->meta)
-		return -1;
-	if (b->meta && !a->meta)
-		return 1;
-
-	/* Check to see if either a or b have a shorter stem
-	 *  length than the other. */
-	if (a->stem_len < b->stem_len)
-		return -1;
-	if (b->stem_len < a->stem_len)
-		return 1;
-
-	/* Check to see if either a or b have a shorter string
-	 *  length than the other. */
-	if (a->str_len < b->str_len)
-		return -1;
-	if (b->str_len < a->str_len)
-		return 1;
-
-	/* Check to see if either a or b has a specified type
-	 *  and the other doesn't. */
-	if (!a->file_type && b->file_type)
-		return -1;
-	if (!b->file_type && a->file_type)
-		return 1;
-
-	/* If none of the above conditions were satisfied, 
-	 * then a and b are equally specific. */
-	return 0;
-}
-
-
-
-/* fc_merge
- * Merges two sorted file context linked lists into one
- *  sorted one.
- * Pass two lists a and b, and after the completion of fc_merge,
- *  the final list is contained in a, and b is empty.
- */
-file_context_node_t *fc_merge(file_context_node_t *a,
-				   file_context_node_t *b)
-{
-	file_context_node_t *a_current;
-	file_context_node_t *b_current;
-	file_context_node_t *temp;
-	file_context_node_t *jumpto;
-
-
-
-	/* If a is a empty list, and b is not,
-	 *  set a as b and proceed to the end. */
-	if (!a && b)
-		a = b;
-	/* If b is an empty list, leave a as it is. */
-	else if (!b) {
-	} else {
-		/* Make it so the list a has the lesser
-		 *  first element always. */
-		if (fc_compare(a, b) == 1) {
-			temp = a;
-			a = b;
-			b = temp;
-		}
-		a_current = a;
-		b_current = b;
-
-		/* Merge by inserting b's nodes in between a's nodes. */
-		while (a_current->next && b_current) {
-			jumpto = a_current->next;
-
-			/* Insert b's nodes in between the current a node
-			 *  and the next a node.*/
-			while (b_current && a_current->next &&
-			       fc_compare(a_current->next,
-					  b_current) != -1) {
-
-
-				temp = a_current->next;
-				a_current->next = b_current;
-				b_current = b_current->next;
-				a_current->next->next = temp;
-				a_current = a_current->next;
-			}
-
-			/* Skip all the inserted node from b to the
-			 *  next node in the original a. */
-			a_current = jumpto;
-		}
-
-
-		/* if there is anything left in b to be inserted,
-		   put it on the end */
-		if (b_current) {
-			a_current->next = b_current;
-		}
-	}
-
-	return a;
-}
-
-
-
-/* fc_merge_sort
- * Sorts file contexts from least specific to more specific.
- * The bucket linked list is passed and after the completion
- *  of the fc_merge_sort function, there is only one bucket
- *  (pointed to by master) that contains a linked list
- *  of all the file contexts, in sorted order.
- * Explanation of the algorithm:
- *  The algorithm implemented in fc_merge_sort is an iterative
- *   implementation of merge sort.
- *  At first, each bucket has a linked list of file contexts
- *   that are 1 element each.
- *  Each pass, each odd numbered bucket is merged into the bucket
- *   before it. This halves the number of buckets each pass.
- *  It will continue passing over the buckets (as described above)
- *   until there is only  one bucket left, containing the list of
- *   file contexts, sorted.
- */
-void fc_merge_sort(file_context_bucket_t *master)
-{
-
-
-	file_context_bucket_t *current;
-	file_context_bucket_t *temp;
-
-	/* Loop until master is the only bucket left
-	 * so that this will stop when master contains
-	 * the sorted list. */
-	while (master->next) {
-		current = master;
-
-		/* This loop merges buckets two-by-two. */
-		while (current) {
-
-			if (current->next) {
-
-				current->data =
-				    fc_merge(current->data,
-					     current->next->data);
-
-
-
-				temp = current->next;
-				current->next = current->next->next;
-
-				free(temp);
-
-			}
-
-
-			current = current->next;
-		}
-	}
-
-
-}
-
-
-
-/* fc_fill_data
- * This processes a regular expression in a file context
- *  and sets the data held in file_context_node, namely
- *  meta, str_len and stem_len. 
- * The following changes are made to fc_node after the
- *  the completion of the function:
- *     fc_node->meta =		1 if path has a meta character, 0 if not.
- *     fc_node->str_len =	The string length of the entire path
- *     fc_node->stem_len = 	The number of characters up until
- *				 the first meta character.
- */
-void fc_fill_data(file_context_node_t *fc_node)
-{
-	int c = 0;
-
-	fc_node->meta = 0;
-	fc_node->stem_len = 0;
-	fc_node->str_len = 0;
-
-	/* Process until the string termination character
-	 *  has been reached.
-	 * Note: this while loop has been adapted from
-	 *  spec_hasMetaChars in matchpathcon.c from
-	 *  libselinux-1.22. */
-	while (fc_node->path[c] != '\0') {
-		switch (fc_node->path[c]) {
-		case '.':
-		case '^':
-		case '$':
-		case '?':
-		case '*':
-		case '+':
-		case '|':
-		case '[':
-		case '(':
-		case '{':
-			/* If a meta character is found,
-			 *  set meta to one */
-			fc_node->meta = 1;
-			break;
-		case '\\':
-			/* If a escape character is found,
-			 *  skip the next character. */
-			c++;
-		default:
-			/* If no meta character has been found yet,
-			 *  add one to the stem length. */
-			if (!fc_node->meta)
-				fc_node->stem_len++;
-			break;
-		}
-
-		fc_node->str_len++;
-		c++;
-	}
-}
-
-/* main
- * This program takes in two arguments, the input filename and the
- *  output filename. The input file should be syntactically correct.
- * Overall what is done in the main is read in the file and store each
- *  line of code, sort it, then output it to the output file.
- */
-int main(int argc, char *argv[])
-{
-	int lines;
-	size_t start, finish, regex_len, context_len;
-	size_t line_len, buf_len, i, j;
-	char *input_name, *output_name, *line_buf;
-
-	file_context_node_t *temp;
-	file_context_node_t *head;
-	file_context_node_t *current;
-	file_context_bucket_t *master;
-	file_context_bucket_t *bcurrent;
-
-	FILE *in_file, *out_file;
-
-
-	/* Check for the correct number of command line arguments. */
-	if (argc != 3) {
-		fprintf(stderr, "Usage: %s <infile> <outfile>\n",argv[0]);
-		return 1;
-	}
-	
-	input_name = argv[1];
-	output_name = argv[2];
-
-	i = j = lines = 0;
-
-	/* Open the input file. */
-	if (!(in_file = fopen(input_name, "r"))) {
-		fprintf(stderr, "Error: failure opening input file for read.\n");
-		return 1;
-	}
-
-	/* Initialize the head of the linked list. */
-	head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t));
-
-	/* Parse the file into a file_context linked list. */
-	line_buf = NULL;
-
-	while ( getline(&line_buf, &buf_len, in_file) != -1 ){
-		line_len = strlen(line_buf);
-		if( line_len == 0 || line_len == 1)
-			continue;
-		/* Get rid of whitespace from the front of the line. */
-		for (i = 0; i < line_len; i++) {
-			if (!isspace(line_buf[i]))
-				break;
-		}
-
-
-		if (i >= line_len)
-			continue;
-		/* Check if the line isn't empty and isn't a comment */
-		if (line_buf[i] == '#')
-			continue;
-
-		/* We have a valid line - allocate a new node. */
-		temp = (file_context_node_t *)malloc(sizeof(file_context_node_t));
-		if (!temp) {
-			fprintf(stderr, "Error: failure allocating memory.\n");
-			return 1;
-		}
-		temp->next = NULL;
-		memset(temp, 0, sizeof(file_context_node_t));
-
-		/* Parse out the regular expression from the line. */
-		start = i;
-
-
-		while (i < line_len && (!isspace(line_buf[i])))
-			i++;
-		finish = i;
-
-
-		regex_len = finish - start;
-
-		if (regex_len == 0) {
-			file_context_node_destroy(temp);
-			free(temp);
-
-
-			continue;
-		}
-		
-		temp->path = (char*)strndup(&line_buf[start], regex_len);
-		if (!temp->path) {
-			file_context_node_destroy(temp);
-			free(temp);
-			fprintf(stderr, "Error: failure allocating memory.\n");
-			return 1;
-		}
-
-		/* Get rid of whitespace after the regular expression. */
-		for (; i < line_len; i++) {
-
-			if (!isspace(line_buf[i]))
-				break;
-		}	
-
-		if (i == line_len) {
-			file_context_node_destroy(temp);
-			free(temp);
-			continue;
-		}
-
-		/* Parse out the type from the line (if it 
-			*  is there). */
-		if (line_buf[i] == '-') {
-			temp->file_type = (char *)malloc(sizeof(char) * 3);
-			if (!(temp->file_type)) {
-				fprintf(stderr, "Error: failure allocating memory.\n");
-				return 1;
-			}
-
-			if( i + 2 >= line_len ) {
-				file_context_node_destroy(temp);
-				free(temp);
-
-				continue;
-			}
-
-			/* Fill the type into the array. */
-			temp->file_type[0] = line_buf[i];
-			temp->file_type[1] = line_buf[i + 1];
-			i += 2;
-			temp->file_type[2] = 0;
-
-			/* Get rid of whitespace after the type. */
-			for (; i < line_len; i++) {
-				if (!isspace(line_buf[i]))
-					break;
-			}
-
-			if (i == line_len) {
-
-				file_context_node_destroy(temp);
-				free(temp);
-				continue;
-			}
-		}
-
-		/* Parse out the context from the line. */
-		start = i;
-		while (i < line_len && (!isspace(line_buf[i])))
-			i++;
-		finish = i;
-
-		context_len = finish - start;
-
-		temp->context = (char*)strndup(&line_buf[start], context_len);
-		if (!temp->context) {
-			file_context_node_destroy(temp);
-			free(temp);
-			fprintf(stderr, "Error: failure allocating memory.\n");
-			return 1;
-		}
-
-		/* Set all the data about the regular
-			*  expression. */
-		fc_fill_data(temp);
-
-		/* Link this line of code at the end of
-			*  the linked list. */
-		current->next = temp;
-		current = current->next;
-		lines++;
-
-
-		free(line_buf);
-		line_buf = NULL;
-	}
-	fclose(in_file);
-
-	/* Create the bucket linked list from the earlier linked list. */
-	current = head->next;
-	bcurrent = master =
-	    (file_context_bucket_t *)
-	    malloc(sizeof(file_context_bucket_t));
-
-	/* Go until all the nodes have been put in individual buckets. */
-	while (current) {
-		/* Copy over the file context line into the bucket. */
-		bcurrent->data = current;
-		current = current->next;
-
-		/* Detatch the node in the bucket from the old list. */
-		bcurrent->data->next = NULL;
-
-		/* If there should be another bucket, put one at the end. */
-		if (current) {
-			bcurrent->next =
-			    (file_context_bucket_t *)
-			    malloc(sizeof(file_context_bucket_t));
-			if (!(bcurrent->next)) {
-				printf
-				    ("Error: failure allocating memory.\n");
-				return -1;
-			}
-
-			/* Make sure the new bucket thinks it's the end of the
-			 *  list. */
-			bcurrent->next->next = NULL;
-
-			bcurrent = bcurrent->next;
-		}
-
-	}
-
-	/* Sort the bucket list. */
-	fc_merge_sort(master);
-
-	/* Open the output file. */
-	if (!(out_file = fopen(argv[2], "w"))) {
-		printf("Error: failure opening output file for write.\n");
-		return -1;
-	}
-
-	/* Output the sorted file_context linked list to the output file. */
-	current = master->data;
-	while (current) {
-		/* Output the path. */
-		fprintf(out_file, "%s\t\t", current->path);
-
-		/* Output the type, if there is one. */
-		if (current->file_type) {
-			fprintf(out_file, "%s\t", current->file_type);
-		}
-
-		/* Output the context. */
-		fprintf(out_file, "%s\n", current->context);
-
-		/* Remove the node. */
-		temp = current;
-		current = current->next;
-
-		file_context_node_destroy(temp);
-		free(temp);
-
-	}
-	free(master);
-
-	fclose(out_file);
-
-	return 0;
-}
diff --git a/refpolicy/support/genclassperms.py b/refpolicy/support/genclassperms.py
deleted file mode 100755
index 732d645..0000000
--- a/refpolicy/support/genclassperms.py
+++ /dev/null
@@ -1,308 +0,0 @@
-#!/usr/bin/python
-
-# Author: Donald Miner <dminer@tresys.com>
-#
-# Copyright (C) 2005 Tresys Technology, LLC
-#      This program is free software; you can redistribute it and/or modify
-#      it under the terms of the GNU General Public License as published by
-#      the Free Software Foundation, version 2.
-
-
-"""
-	This script generates an object class perm definition file.
-"""
-
-import sys
-
-USERSPACE_CLASS = "userspace"
-
-class Class:
-	"""
-	This object stores an access vector class.
-	"""
-
-	def __init__(self, name, perms, common):
-		# The name of the class.
-		self.name = name
-
-		# A list of permissions the class contains.
-		self.perms = perms
-
-		# True if the class is declared as common, False if not.
-		self.common = common
-
-def get_perms(name, av_db, common):
-	"""
-	Returns the list of permissions contained within an access vector
-	class that is stored in the access vector database av_db.
-	Returns an empty list if the object name is not found.
-	Specifiy whether get_perms is to return the class or the
-	common set of permissions with the boolean value 'common',
-	which is important in the case of having duplicate names (such as
-	class file and common file).
-	"""
-
-	# Traverse through the access vector database and try to find the
-	#  object with the name passed.
-	for obj in av_db:
-		if obj.name == name and obj.common == common:
-			return obj.perms
-
-	return []
-
-def get_av_db(file_name):
-	"""
-	Returns an access vector database generated from the file file_name.
-	"""
-	# This function takes a file, reads the data, parses it and returns
-	#  a list of access vector classes.
-	# Reading into av_data:
-	#  The file specified will be read line by line. Each line will have
-	#   its comments removed. Once comments are removed, each 'word' (text
-	#   seperated by whitespace) and braces will be split up into seperate
-	#   strings and appended to the av_data list, in the order they were
-	#   read.
-	# Parsing av_data:
-	#  Parsing is done using a queue implementation of the av_data list.
-	#   Each time a word is used, it is dequeued afterwards. Each loop in
-	#   the while loop below will read in key words and dequeue expected
-	#   words and values. At the end of each loop, a Class containing the
-	#   name, permissions and whether it is a common or not will be appended
-	#   to the database. Lots of errors are caught here, almost all checking
-	#   if a token is expected but EOF is reached.
-	# Now the list of Class objects is returned.
-
-	av_file = open(file_name, "r")
-	av_data = []
-	# Read the file and strip out comments on the way.
-	# At the end of the loop, av_data will contain a list of individual
-	#  words. i.e. ['common', 'file', '{', ...]. All comments and whitespace
-	#  will be gone.
-	while True:
-		av_line = av_file.readline()
-
-		# If EOF has been reached:
-		if not av_line:
-			break
-
-		# Check if there is a comment, and if there is, remove it.
-		comment_index = av_line.find("#")
-		if comment_index != -1:
-			av_line = av_line[:comment_index]
-
-		# Pad the braces with whitespace so that they are split into
-		#  their own word. It doesn't matter if there will be extra
-		#  white space, it'll get thrown away when the string is split.
-		av_line.replace("{"," { ")
-		av_line.replace("}"," } ")		
-
-		# Split up the words on the line and add it to av_data.
-		av_data += av_line.split()
-
-	av_file.close()
-
-	# Parsing the file:
-	# The implementation of this parse is a queue. We use the list of words
-	#  from av_data and use the front element, then dequeue it. Each
-	#  loop of this while is a common or class declaration. Several
-	#  expected tokens are parsed and dequeued out of av_data for each loop.
-	# At the end of the loop, database will contain a list of Class objects.
-	#  i.e. [Class('name',['perm1','perm2',...],'True'), ...]
-	# Dequeue from the beginning of the list until av_data is empty:
-	database = []
-	while len(av_data) != 0:
-		# At the beginning of every loop, the next word should be
-		#  "common" or "class", meaning that each loop is a common
-		#  or class declaration.
-		# av_data = av_data[1:] removes the first element in the
-		#  list, this is what is dequeueing data.
-
-		# Figure out whether the next class will be a common or a class.
-		if av_data[0] == "class":
-			common = False
-		elif av_data[0] == "common":
-			common = True
-		else:
-			error("Unexpected token in file " + file_name + ": "\
-				+ av_data[0] + ".")
-
-		# Dequeue the "class" or "common" key word.
-		av_data = av_data[1:]
-
-		if len(av_data) == 0:
-			error("Missing token in file " + file_name + ".")
-
-		# Get and dequeue the name of the class or common.
-		name = av_data[0]
-		av_data = av_data[1:]
-
-		# Retrieve the permissions inherited from a common set:
-		perms = []
-		# If the object we are working with is a class, since only
-		#  classes inherit:
-		if common == False:
-			if len(av_data) == 0:
-				error("Missing token in file " + file_name + ".")
-
-			# If the class inherits from something else:
-			if av_data[0] == "inherits":
-				# Dequeue the "inherits" key word.
-				av_data = av_data[1:]
-
-				if len(av_data) == 0:
-					error("Missing token in file "\
-						+ file_name + " for " +\
-						keyword + " " + name + ".")
-
-				# av_data[0] is the name of the parent.
-				# Append the permissions of the parent to
-				#  the current class' permissions.
-				perms += get_perms(av_data[0], database, True)
-
-				# Dequeue the name of the parent.
-				av_data = av_data[1:]
-
-		# Retrieve the permissions defined with this set.
-		if len(av_data) > 0 and av_data[0] == "{":
-			# Dequeue the "{"
-			av_data = av_data[1:]
-
-			# Keep appending permissions until a close brace is
-			#  found.
-			while av_data[0] != "}":
-				if av_data[0] == "{":
-					error("Extra '{' in file " +\
-						 file_name + ".")
-
-				# Add the permission name.
-				perms.append(av_data[0])
-
-				# Dequeue the permission name.
-				av_data = av_data[1:]
-
-				if len(av_data) == 0:
-					error("Missing token '}' in file "\
-						+ file_name + ".")
-
-			# Dequeue the "}"
-			av_data = av_data[1:]
-
-		# Add the new access vector class to the database.
-		database.append(Class(name, perms, common))
-
-	return database
-
-def get_sc_db(file_name):
-	"""
-	Returns a security class database generated from the file file_name.
-	"""
-
-	# Read the file then close it.
-	sc_file = open(file_name)
-	sc_data = sc_file.readlines()
-	sc_file.close()
-
-	# For each line in the security classes file, add the name of the class
-	#  and whether it is a userspace class or not to the security class
-	#  database.
-	database = []
-	for line in sc_data:
-		line = line.lstrip()
-		# If the line is empty or the entire line is a comment, skip.
-		if line == "" or line[0] == "#":
-			continue
-
-		# Check if the comment to the right of the permission matches
-		#  USERSPACE_CLASS.
-		comment_index = line.find("#")
-		if comment_index != -1 and line[comment_index+1:].strip() == USERSPACE_CLASS:
-			userspace = True
-		else:
-			userspace = False
-
-		# All lines should be in the format "class NAME", meaning
-		#  it should have two tokens and the first token should be
-		#  "class".
-		split_line = line.split()
-		if len(split_line) < 2 or split_line[0] != "class":
-			error("Wrong syntax: " + line)
-
-		# Add the class's name (split_line[1]) and whether it is a
-		#  userspace class or not to the database.
-		# This is appending a tuple of (NAME,USERSPACE), where NAME is
-		#  the name of the security class and USERSPACE is True if
-		#  if it has "# USERSPACE_CLASS" on the end of the line, False
-		#  if not.
-		database.append((split_line[1], userspace))
-
-	return database
-
-def gen_class_perms(av_db, sc_db):
-	"""
-	Generates a class permissions document and returns it.
-	"""
-
-	# Define class template:
-	class_perms_line = "define(`all_%s_perms',`{ %s}')\n"
-
-	# Generate the defines for the individual class permissions.
-	class_perms = ""
-	for obj in av_db:
-		# Don't output commons
-		if obj.common == True:
-			continue
-
-		# Get the list of permissions from the specified class.
-		perms = get_perms(obj.name, av_db, False)
-
-		# Merge all the permissions into one string with one space
-		#  padding.
-		perm_str = ""
-		for perm in perms:
-			perm_str += perm + " "
-
-		# Add the line to the class_perms
-		class_perms += class_perms_line % (obj.name, perm_str)
-	class_perms += "\n"
-
-	# Generate the kernel_class_perms and userspace_class_perms sets.
-	class_line = "\tclass %s all_%s_perms;\n"
-	kernel_class_perms = "define(`all_kernel_class_perms',`\n"
-	userspace_class_perms = "define(`all_userspace_class_perms',`\n"
-	# For each (NAME,USERSPACE) tuple, add the class to the appropriate
-	# class permission set.
-	for name, userspace in sc_db:
-		if userspace:
-			userspace_class_perms += class_line % (name, name)
-		else:
-			kernel_class_perms += class_line % (name, name)
-	kernel_class_perms += "')\n\n"
-	userspace_class_perms += "')\n"
-
-	# Throw all the strings together and return the string.
-	return class_perms + kernel_class_perms + userspace_class_perms
-
-def error(error):
-	"""
-	Print an error message and exit.
-	"""
-
-        sys.stderr.write("%s exiting for: " % sys.argv[0])
-        sys.stderr.write("%s\n" % error)
-        sys.stderr.flush()
-        sys.exit(1)
-
-# MAIN PROGRAM
-app_name = sys.argv[0]
-
-if len(sys.argv) != 3:
-	error("Incorrect input.\nUsage: " + sys.argv[0] + " access_vectors security_classes" )
-
-# argv[1] is the access vector file.
-av_file = sys.argv[1]
-
-# argv[2] is the security class file.
-sc_file = sys.argv[2]
-
-# Output the class permissions document.
-sys.stdout.write(gen_class_perms(get_av_db(av_file), get_sc_db(sc_file)))
diff --git a/refpolicy/support/genhomedircon b/refpolicy/support/genhomedircon
deleted file mode 100755
index 7c4c44c..0000000
--- a/refpolicy/support/genhomedircon
+++ /dev/null
@@ -1,481 +0,0 @@
-#! /usr/bin/env python
-# Copyright (C) 2004 Tresys Technology, LLC
-# see file 'COPYING' for use and warranty information
-#
-# genhomedircon - this script is used to generate file context
-# configuration entries for user home directories based on their
-# default roles and is run when building the policy. Specifically, we
-# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
-# generic and user-specific values.
-#
-# Based off original script by Dan Walsh, <dwalsh@redhat.com>
-#
-# ASSUMPTIONS:
-#
-# The file CONTEXTDIR/files/homedir_template exists.  This file is used to
-# set up the home directory context for each real user.
-# 
-# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses
-#  the first role in the list.
-#
-# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user
-#
-# "Real" users (as opposed to system users) are those whose UID is greater than
-#  or equal STARTING_UID (usually 500) and whose login is not a member of
-#  EXCLUDE_LOGINS.  Users who are explicitly defined in CONTEXTDIR/local.users
-#  are always "real" (including root, in the default configuration).
-#
-#  
-# Old ASSUMPTIONS:
-#
-# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses
-#  the first role in the list.
-#
-# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that
-#  the user's home dir will be found in one of the HOME_ROOTs.
-#
-# "Real" users (as opposed to system users) are those whose UID is greater than
-#  or equal STARTING_UID (usually 500) and whose login is not a member of
-#  EXCLUDE_LOGINS.  Users who are explicitly defined in FILECONTEXTDIR/users
-#  are always "real" (including root, in the default configuration).
-#
-
-import commands, sys, os, pwd, string, getopt, re
-
-EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
-
-def getStartingUID():
-	starting_uid = sys.maxint
-	rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
-	if rc[0] == 0:
-		uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
-		#stip any comment from the end of the line
-		uid_min = uid_min.split("#")[0]
-		uid_min = uid_min.strip()
-		if int(uid_min) < starting_uid:
-			starting_uid = int(uid_min)
-	rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
-	if rc[0] == 0:
-		lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
-		#stip any comment from the end of the line
-		lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
-		lu_uidnumber = lu_uidnumber.split("#")[0]
-		lu_uidnumber = lu_uidnumber.strip()
-		if int(lu_uidnumber) < starting_uid:
-			starting_uid = int(lu_uidnumber)
-	if starting_uid == sys.maxint:
-		starting_uid = 500
-	return starting_uid
-
-#############################################################################
-#
-# This section is just for backwards compatability
-#
-#############################################################################
-def getPrefixes():
-	ulist = pwd.getpwall()
-	STARTING_UID=getStartingUID()
-	prefixes = {}
-	for u in ulist:
-		if u[2] >= STARTING_UID and \
-				not u[6] in EXCLUDE_LOGINS and \
-				u[5] != "/" and \
-				string.count(u[5], "/") > 1:
-			prefix = u[5][:string.rfind(u[5], "/")]
-			if not prefixes.has_key(prefix):
-				prefixes[prefix] = ""
-	return prefixes
- 
-def getUsers(filecontextdir):
-	rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir)
-	udict = {}
-	if rc[0] == 0:
-		ulist = rc[1].strip().split("\n")
-		for u in ulist:
-			user = u.split()
-			try:
-				if user[1] == "user_u" or user[1] == "system_u":
-					continue
-				# !!! chooses first role in the list to use in the file context !!!
-				role = user[3]
-				if role == "{":
-					role = user[4]
-				role = role.split("_r")[0]
-				home = pwd.getpwnam(user[1])[5]
-				if home == "/":
-					continue
-				prefs = {}
-				prefs["role"] = role
-				prefs["home"] = home
-				udict[user[1]] = prefs
-			except KeyError:
-				sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
-	return udict
-
-def update(filecontext, user, prefs):
-	rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
-	if rc[0] == 0:
-		print rc[1]
-	else:
-		errorExit(string.join("grep/sed error ", rc[1]))
-	return rc
-
-def oldgenhomedircon(filecontextdir, filecontext):
-	sys.stderr.flush()
-
-	if os.path.isdir(filecontextdir) == 0:
-		sys.stderr.write("New usage is the following\n")
-		usage()
-        #We are going to define home directory used by libuser and show-utils as a home directory root
-        prefixes = {}
-        rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
-        if rc[0] == 0:
-                homedir = rc[1].split("=")[1]
-                homedir = homedir.split("#")[0]
-                homedir = homedir.strip()
-                if not prefixes.has_key(homedir):
-                        prefixes[homedir] = ""
-        else:
-                #rc[0] == 256 means the file was there, we read it, but the grep didn't match
-                if rc[0] != 256:
-                        sys.stderr.write("%s\n" % rc[1])
-                        sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
-                        sys.stderr.flush()
-
-
-        rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
-        if rc[0] == 0:
-                homedir = rc[1].split("=")[1]
-                homedir = homedir.split("#")[0]
-                homedir = homedir.strip()
-                homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
-                if not prefixes.has_key(homedir):
-                        prefixes[homedir] = ""
-
-        #the idea is that we need to find all of the home_root_t directories we do this by just accepting
-        #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
-        #we then get the potential home directory roots from /etc/passwd or nis or whereever and look at
-        #the defined homedir for all users with UID > STARTING_UID.  This list of possible root homedirs
-        #is then checked to see if it has an explicite context defined in the file_contexts.  Explicit
-        #is any regex that would match it which does not end with .*$ or .+$ since those are general
-        #recursive matches.  We then take any regex which ends with [pattern](/.*)?$ and just check against
-        #[pattern]
-        potential_prefixes = getPrefixes()
-        prefix_regex = {}
-        #this works by grepping the file_contexts for
-        # 1. ^/ makes sure this is not a comment
-        # 2. prints only the regex in the first column first cut on \t then on space
-        rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " %  (sys.argv[2]) )
-        if rc[0] == 0:
-                prefix_regex = rc[1].split("\n")
-        else:
-                sys.stderr.write("%s\n" % rc[1])
-                sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
-                sys.stderr.flush()
-        for potential in potential_prefixes.keys():
-                addme = 1
-                for regex in prefix_regex:
-                        #match a trailing (/*)? which is actually a bug in rpc_pipefs
-                        regex = re.sub("\(/\*\)\?$", "", regex)
-                        #match a trailing .+
-                        regex = re.sub("\.+$", "", regex)
-                        #match a trailing .*
-                        regex = re.sub("\.\*$", "", regex)
-                        #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
-                        regex = re.sub("\(\/\.\*\)\?", "", regex)
-                        regex = regex + "/*$"
-                        if re.search(regex, potential, 0):
-                                addme = 0
-                if addme == 1:
-                        if not prefixes.has_key(potential):
-                                prefixes[potential] = ""
-
-
-        if prefixes.__eq__({}):
-                sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
-                sys.stderr.write("HOME= not set in /etc/default/useradd\n")
-                sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
-                sys.stderr.write("Assuming /home is the root of home directories\n")
-                sys.stderr.flush()
-                prefixes["/home"] = ""
-
-	# There may be a more elegant sed script to expand a macro to multiple lines, but this works
-	sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),)
-	sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),)
-
-	# Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
-	rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
-	if rc[0] == 0:
-		print rc[1]
-	else:
-		errorExit(string.join("sed error ", rc[1]))
-
-	users = getUsers(filecontextdir)
-	print "\n#\n# User-specific file contexts\n#\n"
-
-	# Fill in HOME and ROLE for users that are defined
-	for u in users.keys():
-		update(filecontext, u, users[u]) 
-
-#############################################################################
-#
-# End of backwards compatability section
-#
-#############################################################################
-
-def getDefaultHomeDir():
-	ret = []
-	rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
-	if rc[0] == 0:
-		homedir = rc[1].split("=")[1]
-		homedir = homedir.split("#")[0]
-		homedir = homedir.strip()
-		if not homedir in ret:
-			ret.append(homedir)
-	else:
-		#rc[0] == 256 means the file was there, we read it, but the grep didn't match
-		if rc[0] != 256:
-			sys.stderr.write("%s\n" % rc[1])
-			sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
-			sys.stderr.flush()
-	rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
-	if rc[0] == 0:
-		homedir = rc[1].split("=")[1]
-		homedir = homedir.split("#")[0]
-		homedir = homedir.strip()
-		if not homedir in ret:
-			ret.append(homedir)
-	else:
-		#rc[0] == 256 means the file was there, we read it, but the grep didn't match
-		if rc[0] != 256:
-			sys.stderr.write("%s\n" % rc[1])
-			sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
-			sys.stderr.flush()
-	if ret == []:
-		ret.append("/home")
-	return ret
-
-def getSELinuxType(directory):
-	rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config" % directory)
-	if rc[0]==0:
-		return rc[1].split("=")[-1].strip()
-	return "targeted"
-
-def usage(error = ""):
-	if error != "":
-		sys.stderr.write("%s\n" % error)
-	sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0])
-	sys.stderr.flush()
-	sys.exit(1)
-
-def warning(warning = ""):
-	sys.stderr.write("%s\n" % warning)
-	sys.stderr.flush()
-	
-def errorExit(error):
-	sys.stderr.write("%s exiting for: " % sys.argv[0])
-	sys.stderr.write("%s\n" % error)
-	sys.stderr.flush()
-	sys.exit(1)
-
-class selinuxConfig:
-	def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1):
-		self.type=type
-		self.selinuxdir=selinuxdir +"/"
-		self.contextdir="/contexts"
-		self.filecontextdir=self.contextdir+"/files"
-		self.usepwd=usepwd
-
-	def getFileContextDir(self):
-		return self.selinuxdir+self.type+self.filecontextdir
-
-	def getFileContextFile(self):
-		return self.getFileContextDir()+"/file_contexts"
-	
-	def getContextDir(self):
-		return self.selinuxdir+self.type+self.contextdir
-
-	def getHomeDirTemplate(self):
-		return self.getFileContextDir()+"/homedir_template"
-
-	def getHomeRootContext(self, homedir):
-		rc=commands.getstatusoutput("grep HOME_ROOT  %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir))
-		if rc[0] == 0:
-			return rc[1]+"\n"
-		else:
-			errorExit(string.join("sed error ", rc[1]))
-
-	def getUsersFile(self):
-		return self.selinuxdir+self.type+"/users/local.users"
-
-	def getSystemUsersFile(self):
-		return self.selinuxdir+self.type+"/users/system.users"
-		
-	def heading(self):
-		ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
-		ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile()
-		return ret
-
-	def getUsers(self):
-		users=""
-		rc = commands.getstatusoutput('grep "^user" %s' % self.getSystemUsersFile())
-		if rc[0] == 0:
-			users+=rc[1]+"\n"
-		rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile())
-		if rc[0] == 0:
-			users+=rc[1]
-		udict = {}
-		prefs = {}
-		if users != "":
-			ulist = users.split("\n")
-			for u in ulist:
-				user = u.split()
-				try:
-					if len(user)==0 or user[1] == "user_u" or user[1] == "system_u":
-						continue
-					# !!! chooses first role in the list to use in the file context !!!
-					role = user[3]
-					if role == "{":
-						role = user[4]
-					role = role.split("_r")[0]
-					home = pwd.getpwnam(user[1])[5]
-					if home == "/":
-						continue
-					prefs = {}
-					prefs["role"] = role
-					prefs["home"] = home
-					udict[user[1]] = prefs
-				except KeyError:
-					sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
-		return udict
-
-	def getHomeDirContext(self, user, home, role):
-		ret="\n\n#\n# Context for user %s\n#\n\n" % user
-		rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user))
-		return ret + rc[1] + "\n"
-
-	def genHomeDirContext(self):
-		users = self.getUsers()
-		ret=""
-		# Fill in HOME and ROLE for users that are defined
-		for u in users.keys():
-			ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"])
-		return ret+"\n"
-
-	def checkExists(self, home):
-		if commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] == 0:
-			return 0
-		#this works by grepping the file_contexts for
-		# 1. ^/ makes sure this is not a comment
-		# 2. prints only the regex in the first column first cut on \t then on space
-		rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " %  self.getFileContextFile() )
-		if rc[0] == 0:
-			prefix_regex = rc[1].split("\n")
-		else:
-			sys.stderr.write("%s\n" % rc[1])
-			sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
-			sys.stderr.flush()
-		exists=1
-		for regex in prefix_regex:
-			#match a trailing (/*)? which is actually a bug in rpc_pipefs
-			regex = re.sub("\(/\*\)\?$", "", regex)
-			#match a trailing .+
-			regex = re.sub("\.+$", "", regex)
-			#match a trailing .*
-			regex = re.sub("\.\*$", "", regex)
-			#strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
-			regex = re.sub("\(\/\.\*\)\?", "", regex)
-			regex = regex + "/*$"
-			if re.search(regex, home, 0):
-				exists = 0
-				break
-		if exists == 1:
-			return 1
-		else:
-			return 0
-
-
-	def getHomeDirs(self):
-		homedirs = []
-		homedirs = homedirs + getDefaultHomeDir()
-		starting_uid=getStartingUID()
-		if self.usepwd==0:
-			return homedirs
-		ulist = pwd.getpwall()
-		for u in ulist:
-			if u[2] >= starting_uid and \
-					not u[6] in EXCLUDE_LOGINS and \
-					u[5] != "/" and \
-					string.count(u[5], "/") > 1:
-				homedir = u[5][:string.rfind(u[5], "/")]
-				if not homedir in homedirs:
-					if self.checkExists(homedir)==0:
-						warning("%s is already defined in %s,\n%s will not create a new context." % (homedir, self.getFileContextFile(), sys.argv[0]))
-					else:
-						homedirs.append(homedir)
-
-		homedirs.sort()
-		return homedirs
- 
-	def genoutput(self):
-		ret= self.heading()
-		for h in self.getHomeDirs():
-			ret += self.getHomeDirContext ("user_u" , h+'/[^/]*', "user")
-			ret += self.getHomeRootContext(h)
-		ret += self.genHomeDirContext()
-		return ret
-
-	def printout(self):
-		print self.genoutput()
-
-	def write(self):
-		try:
-			fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w")
-			fd.write(self.genoutput())
-			fd.close()
-		except IOError, error:
-			sys.stderr.write("%s: %s\n" % ( sys.argv[0], error ))
-
-
-
-#
-# This script will generate home dir file context
-# based off the homedir_template file, entries in the password file, and
-#
-try:
-	usepwd=1
-	directory="/etc/selinux"
-	type=None
-	gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help',
-						'type=',
-						'nopasswd',
-						'dir='])
-	for o,a in gopts:
-		if o == '--type' or o == "-t":
-			type=a
-		if o == '--nopasswd'  or o == "-n":
-			usepwd=0
-		if o == '--dir'  or o == "-d":
-			directory=a
-		if o == '--help':
-			usage()
-
-
-	if type==None:
-		type=getSELinuxType(directory)
-
-	if len(cmds) == 2:
-		oldgenhomedircon(cmds[0], cmds[1])
-		sys.exit(0)
-
-	if len(cmds) != 0:
-		usage()
-	selconf=selinuxConfig(directory, type, usepwd)
-	selconf.write()
-
-except getopt.error, error:
-	errorExit(string.join("Options Error ", error))
-except ValueError, error:
-	errorExit(string.join("ValueError ", error))
-except IndexError, error:
-	errorExit("IndexError")
diff --git a/refpolicy/support/gennetfilter.py b/refpolicy/support/gennetfilter.py
deleted file mode 100644
index 1821b62..0000000
--- a/refpolicy/support/gennetfilter.py
+++ /dev/null
@@ -1,163 +0,0 @@
-#!/usr/bin/python
-
-# Author: Chris PeBenito <cpebenito@tresys.com>
-#
-# Copyright (C) 2006 Tresys Technology, LLC
-#      This program is free software; you can redistribute it and/or modify
-#      it under the terms of the GNU General Public License as published by
-#      the Free Software Foundation, version 2.
-
-import sys,string,getopt,re
-
-NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")
-
-DEFAULT_INPUT_PACKET = "server_packet_t"
-DEFAULT_OUTPUT_PACKET = "client_packet_t"
-DEFAULT_MCS = "s0"
-DEFAULT_MLS = "s0"
-
-PACKET_INPUT = "_server_packet_t"
-PACKET_OUTPUT = "_client_packet_t"
-
-class Port:
-	def __init__(self, proto, num, mls_sens, mcs_cats=""):
-		# protocol of the port
-		self.proto = proto
-
-		# port number
-		self.num = num
-
-		# MLS sensitivity
-		self.mls_sens = mls_sens
-
-		# MCS categories
-		# not currently supported, so we always get s0
-		self.mcs_cats = DEFAULT_MCS
-
-class Packet:
-	def __init__(self, prefix, ports):
-		# prefix
-		self.prefix = prefix
-
-		# A list of Ports
-		self.ports = ports
-
-def print_input_rules(packets,mls,mcs):
-	line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
-	if mls:
-		line += ":"+DEFAULT_MLS
-	elif mcs:
-		line += ":"+DEFAULT_MCS
-
-	print line
-
-	for i in packets:
-		for j in i.ports:
-			line="-A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
-			if mls:
-				line += ":"+j.mls_sens
-			elif mcs:
-				line += ":"+j.mcs_cats
-			print line
-
-	print "-A selinux_new_input -j CONNSECMARK --save"
-	print "-A selinux_new_input -j RETURN"
-
-def print_output_rules(packets,mls,mcs):
-	line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
-	if mls:
-		line += ":"+DEFAULT_MLS
-	elif mcs:
-		line += ":"+DEFAULT_MCS
-	print line
-
-	for i in packets:
-		for j in i.ports:
-			line = "-A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
-			if mls:
-				line += ":"+j.mls_sens
-			elif mcs:
-				line += ":"+j.mcs_cats
-			print line
-
-	print "-A selinux_new_output -j CONNSECMARK --save"
-	print "-A selinux_new_output -j RETURN"
-
-def parse_corenet(file_name):
-	packets = []
-
-	corenet_te_in = open(file_name, "r")
-
-	while True:
-		corenet_line = corenet_te_in.readline()
-
-		# If EOF has been reached:
-		if not corenet_line:
-			break
-
-		if NETPORT.match(corenet_line):
-			corenet_line = corenet_line.strip();
-
-			# parse out the parameters
-			openparen = string.find(corenet_line,'(')+1
-			closeparen = string.find(corenet_line,')',openparen)
-			parms = re.split('\W+',corenet_line[openparen:closeparen])
-			name = parms[0]
-			del parms[0];
-
-			ports = []
-			while len(parms) > 0:
-				# add a port combination.
-				ports.append(Port(parms[0],parms[1],parms[2]))
-				del parms[:3]
-
-			packets.append(Packet(name,ports))
-		
-	corenet_te_in.close()
-
-	return packets
-
-def print_netfilter_config(packets,mls,mcs):
-	print "*mangle"
-	print ":PREROUTING ACCEPT [0:0]"
-	print ":INPUT ACCEPT [0:0]"
-	print ":FORWARD ACCEPT [0:0]"
-	print ":OUTPUT ACCEPT [0:0]"
-	print ":POSTROUTING ACCEPT [0:0]"
-	print ":selinux_input - [0:0]"
-	print ":selinux_output - [0:0]"
-	print ":selinux_new_input - [0:0]"
-	print ":selinux_new_output - [0:0]"
-	print "-A INPUT -j selinux_input"
-	print "-A OUTPUT -j selinux_output"
-	print "-A selinux_input -m state --state NEW -j selinux_new_input"
-	print "-A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
-	print "-A selinux_output -m state --state NEW -j selinux_new_output"
-	print "-A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
-	print_input_rules(packets,mls,mcs)
-	print_output_rules(packets,mls,mcs)
-	print "COMMIT"
-
-mls = False
-mcs = False
-
-try:
-	opts, paths = getopt.getopt(sys.argv[1:],'mc',['mls','mcs'])
-except getopt.GetoptError, error:
-	print "Invalid options."
-	sys.exit(1)
-
-for o, a in opts:
-	if o in ("-c","--mcs"):
-		mcs = True
-	if o in ("-m","--mls"):
-		mls = True
-
-if len(paths) == 0:
-	sys.stderr.write("Need a path for corenetwork.te.in!\n")
-	sys.exit(1)
-elif len(paths) > 1:
-	sys.stderr.write("Ignoring extra specified paths\n")
-
-packets=parse_corenet(paths[0])
-print_netfilter_config(packets,mls,mcs)
diff --git a/refpolicy/support/get_type_attr_decl.sed b/refpolicy/support/get_type_attr_decl.sed
deleted file mode 100644
index 52a11ab..0000000
--- a/refpolicy/support/get_type_attr_decl.sed
+++ /dev/null
@@ -1,13 +0,0 @@
-#n
-# print out type and attribute declarations that
-# are not inside require and optional blocks.
-
-/require \{/,/} # end require/b nextline
-/optional \{/,/} # end optional/b nextline
-
-/^[[:blank:]]*(attribute|type(alias)?) /{
-	s/^[[:blank:]]+//
-	p
-}
-
-:nextline
diff --git a/refpolicy/support/pyplate.py b/refpolicy/support/pyplate.py
deleted file mode 100755
index c7532cc..0000000
--- a/refpolicy/support/pyplate.py
+++ /dev/null
@@ -1,364 +0,0 @@
-"""PyPlate : a simple Python-based templating program
-
-PyPlate parses a file and replaces directives (in double square brackets [[ ... ]])
-by various means using a given dictionary of variables.  Arbitrary Python code
-can be run inside many of the directives, making this system highly flexible.
-
-Usage:
-# Load and parse template file
-template = pyplate.Template("output") (filename or string)
-# Execute it with a dictionary of variables
-template.execute_file(output_stream, locals())
-
-PyPlate defines the following directives:
-  [[...]]       evaluate the arbitrary Python expression and insert the
-                result into the output
-
-  [[# ... #]]   comment.
-
-  [[exec ...]]  execute arbitrary Python code in the sandbox namespace
-
-  [[if ...]]    conditional expressions with usual Python semantics
-  [[elif ...]]
-  [[else]]
-  [[end]]
-
-  [[for ... in ...]]  for-loop with usual Python semantics
-  [[end]]
-
-  [[def ...(...)]]  define a "function" out of other templating elements
-  [[end]]
-
-  [[call ...]]  call a templating function (not a regular Python function)
-"""
-
-#
-# Copyright (C) 2002 Michael Droettboom
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-# 
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
-#
-
-from __future__ import nested_scopes
-import sys, string, re, cStringIO
-
-re_directive = re.compile("\[\[(.*)\]\]")
-re_for_loop = re.compile("for (.*) in (.*)")
-re_if = re.compile("if (.*)")
-re_elif = re.compile("elif (.*)")
-re_def = re.compile("def (.*?)\((.*)\)")
-re_call = re.compile("call (.*?)\((.*)\)")
-re_exec = re.compile("exec (.*)")
-re_comment = re.compile("#(.*)#")
-
-############################################################
-# Template parser
-class ParserException(Exception):
-  def __init__(self, lineno, s):
-    Exception.__init__(self, "line %d: %s" % (lineno, s))
-
-class Template:
-  def __init__(self, filename=None):
-    if filename != None:
-      try:
-        self.parse_file(filename)
-      except:
-        self.parse_string(filename)
-
-  def parse_file(self, filename):
-    file = open(filename, 'r')
-    self.parse(file)
-    file.close()
-
-  def parse_string(self, template):
-    file = cStringIO.StringIO(template)
-    self.parse(file)
-    file.close()
-
-  def parse(self, file):
-    self.file = file
-    self.line = self.file.read()
-    self.lineno = 0
-    self.functions = {}
-    self.tree = TopLevelTemplateNode(self)
-
-  def parser_get(self):
-    if self.line == '':
-      return None
-    return self.line
-
-  def parser_eat(self, chars):
-    self.lineno = self.lineno + self.line[:chars].count("\n")
-    self.line = self.line[chars:]
-
-  def parser_exception(self, s):
-    raise ParserException(self.lineno, s)
-
-  def execute_file(self, filename, data):
-    file = open(filename, 'w')
-    self.execute(file, data)
-    file.close()
-
-  def execute_string(self, data):
-    s = cStringIO.StringIO()
-    self.execute(s, data)
-    return s.getvalue()
-
-  def execute_stdout(self, data):
-    self.execute(sys.stdout, data)
-
-  def execute(self, stream=sys.stdout, data={}):
-    self.tree.execute(stream, data)
-
-  def __repr__(self):
-    return repr(self.tree)
-
-
-############################################################
-# NODES
-class TemplateNode:
-  def __init__(self, parent, s):
-    self.parent = parent
-    self.s = s
-    self.node_list = []
-    while 1:
-      new_node = TemplateNodeFactory(parent)
-      if self.add_node(new_node):
-        break
-
-  def add_node(self, node):
-    if node == 'end':
-      return 1
-    elif node != None:
-      self.node_list.append(node)
-    else:
-      raise self.parent.parser_exception(
-        "[[%s]] does not have a matching [[end]]" % self.s)
-
-  def execute(self, stream, data):
-    for node in self.node_list:
-      node.execute(stream, data)
-
-  def __repr__(self):
-    r = "<" + self.__class__.__name__ + " "
-    for i in self.node_list:
-      r = r + repr(i)
-    r = r + ">"
-    return r
-
-class TopLevelTemplateNode(TemplateNode):
-  def __init__(self, parent):
-    TemplateNode.__init__(self, parent, '')
-
-  def add_node(self, node):
-    if node != None:
-      self.node_list.append(node)
-    else:
-      return 1
-
-class ForTemplateNode(TemplateNode):
-  def __init__(self, parent, s):
-    TemplateNode.__init__(self, parent, s)
-    match = re_for_loop.match(s)
-    if match == None:
-      raise self.parent.parser_exception(
-        "[[%s]] is not a valid for-loop expression" % self.s)
-    else:
-      self.vars_temp = match.group(1).split(",")
-      self.vars = []
-      for v in self.vars_temp:
-        self.vars.append(v.strip())
-      #print self.vars
-      self.expression = match.group(2)
-
-  def execute(self, stream, data):
-    remember_vars = {}
-    for var in self.vars:
-      if data.has_key(var):
-        remember_vars[var] = data[var]
-    for list in eval(self.expression, globals(), data):
-      if is_sequence(list):
-        for index, value in enumerate(list):
-          data[self.vars[index]] = value
-      else:
-        data[self.vars[0]] = list
-      TemplateNode.execute(self, stream, data)
-    for key, value in remember_vars.items():
-      data[key] = value
-
-class IfTemplateNode(TemplateNode):
-  def __init__(self, parent, s):
-    self.else_node = None
-    TemplateNode.__init__(self, parent, s)
-    match = re_if.match(s)
-    if match == None:
-      raise self.parent.parser_exception(
-        "[[%s]] is not a valid if expression" % self.s)
-    else:
-      self.expression = match.group(1)
-
-  def add_node(self, node):
-    if node == 'end':
-      return 1
-    elif isinstance(node, ElseTemplateNode):
-      self.else_node = node
-      return 1
-    elif isinstance(node, ElifTemplateNode):
-      self.else_node = node
-      return 1
-    elif node != None:
-      self.node_list.append(node)
-    else:
-      raise self.parent.parser_exception(
-        "[[%s]] does not have a matching [[end]]" % self.s)
-
-  def execute(self, stream, data):
-    if eval(self.expression, globals(), data):
-      TemplateNode.execute(self, stream, data)
-    elif self.else_node != None:
-      self.else_node.execute(stream, data)
-
-class ElifTemplateNode(IfTemplateNode):
-  def __init__(self, parent, s):
-    self.else_node = None
-    TemplateNode.__init__(self, parent, s)
-    match = re_elif.match(s)
-    if match == None:
-      self.parent.parser_exception(
-        "[[%s]] is not a valid elif expression" % self.s)
-    else:
-      self.expression = match.group(1)
-
-class ElseTemplateNode(TemplateNode):
-  pass
-
-class FunctionTemplateNode(TemplateNode):
-  def __init__(self, parent, s):
-    TemplateNode.__init__(self, parent, s)
-    match = re_def.match(s)
-    if match == None:
-      self.parent.parser_exception(
-        "[[%s]] is not a valid function definition" % self.s)
-    self.function_name = match.group(1)
-    self.vars_temp = match.group(2).split(",")
-    self.vars = []
-    for v in self.vars_temp:
-      self.vars.append(v.strip())
-    #print self.vars
-    self.parent.functions[self.function_name] = self
-
-  def execute(self, stream, data):
-    pass
-
-  def call(self, args, stream, data):
-    remember_vars = {}
-    for index, var in enumerate(self.vars):
-      if data.has_key(var):
-        remember_vars[var] = data[var]
-      data[var] = args[index]
-    TemplateNode.execute(self, stream, data)
-    for key, value in remember_vars.items():
-      data[key] = value
-      
-class LeafTemplateNode(TemplateNode):
-  def __init__(self, parent, s):
-    self.parent = parent
-    self.s = s
-
-  def execute(self, stream, data):
-    stream.write(self.s)
-
-  def __repr__(self):
-    return "<" + self.__class__.__name__ + ">"
-
-class CommentTemplateNode(LeafTemplateNode):
-  def execute(self, stream, data):
-    pass
-
-class ExpressionTemplateNode(LeafTemplateNode):
-  def execute(self, stream, data):
-    stream.write(str(eval(self.s, globals(), data)))
-
-class ExecTemplateNode(LeafTemplateNode):
-  def __init__(self, parent, s):
-    LeafTemplateNode.__init__(self, parent, s)
-    match = re_exec.match(s)
-    if match == None:
-      self.parent.parser_exception(
-        "[[%s]] is not a valid statement" % self.s)
-    self.s = match.group(1)
-
-  def execute(self, stream, data):
-    exec(self.s, globals(), data)
-    pass
-    
-class CallTemplateNode(LeafTemplateNode):
-  def __init__(self, parent, s):
-    LeafTemplateNode.__init__(self, parent, s)
-    match = re_call.match(s)
-    if match == None:
-      self.parent.parser_exception(
-        "[[%s]] is not a valid function call" % self.s)
-    self.function_name = match.group(1)
-    self.vars = "(" + match.group(2).strip() + ",)"
-  
-  def execute(self, stream, data):
-    self.parent.functions[self.function_name].call(
-      eval(self.vars, globals(), data), stream, data)
-
-
-############################################################
-# Node factory
-template_factory_type_map = {
-  'if'   : IfTemplateNode,
-  'for'  : ForTemplateNode,
-  'elif' : ElifTemplateNode,
-  'else' : ElseTemplateNode,
-  'def'  : FunctionTemplateNode,
-  'call' : CallTemplateNode,
-  'exec' : ExecTemplateNode }
-template_factory_types = template_factory_type_map.keys()
-
-def TemplateNodeFactory(parent):
-  src = parent.parser_get()
-
-  if src == None:
-    return None
-  match = re_directive.search(src)
-  if match == None:
-    parent.parser_eat(len(src))
-    return LeafTemplateNode(parent, src)
-  elif src == '' or match.start() != 0:
-    parent.parser_eat(match.start())
-    return LeafTemplateNode(parent, src[:match.start()])
-  else:
-    directive = match.group()[2:-2].strip()
-    parent.parser_eat(match.end())
-    if directive == 'end':
-      return 'end'
-    elif re_comment.match(directive):
-      return CommentTemplateNode(parent, directive)
-    else:
-      for i in template_factory_types:
-        if directive[0:len(i)] == i:
-          return template_factory_type_map[i](parent, directive)
-      return ExpressionTemplateNode(parent, directive)
-
-def is_sequence(object):
-  try:
-    test = object[0:0]
-  except:
-    return False
-  else:
-    return True
diff --git a/refpolicy/support/sedoctool.py b/refpolicy/support/sedoctool.py
deleted file mode 100755
index 55eee3b..0000000
--- a/refpolicy/support/sedoctool.py
+++ /dev/null
@@ -1,739 +0,0 @@
-#!/usr/bin/python
-
-#  Author: Joshua Brindle <jbrindle@tresys.com>
-#
-# Copyright (C) 2005 - 2006 Tresys Technology, LLC
-#      This program is free software; you can redistribute it and/or modify
-#      it under the terms of the GNU General Public License as published by
-#      the Free Software Foundation, version 2.
-
-"""
-	This module generates configuration files and documentation from the 
-	SELinux reference policy XML format. 
-"""
-
-import sys
-import getopt
-import pyplate
-import os
-import string
-from xml.dom.minidom import parse, parseString
-
-#modules enabled and disabled values
-MOD_BASE = "base"
-MOD_ENABLED = "module"
-MOD_DISABLED = "off"
-
-#booleans enabled and disabled values
-BOOL_ENABLED = "true"
-BOOL_DISABLED = "false"
-
-#tunables enabled and disabled values
-TUN_ENABLED = "true"
-TUN_DISABLED = "false"
-
-
-def read_policy_xml(filename):
-	"""
-	Takes in XML from a file and returns a parsed file.
-	"""
-
-	try:
-		xml_fh = open(filename)
-	except:
-		error("error opening " + filename)
-
-	try:
-		doc = parseString(xml_fh.read())
-	except: 
-		xml_fh.close()
-		error("Error while parsing xml")
-
-	xml_fh.close()	
-	return doc
-
-def gen_booleans_conf(doc, file_name, namevalue_list):
-	"""
-	Generates the booleans configuration file using the XML provided and the
-	previous booleans configuration.
-	"""
-
-	for node in doc.getElementsByTagName("bool"):
-		for desc in node.getElementsByTagName("desc"):
-			bool_desc = format_txt_desc(desc)
-		s = string.split(bool_desc, "\n")
-		file_name.write("#\n")
-		for line in s:
-			file_name.write("# %s\n" % line)
-
-		bool_name = bool_val = None
-		for (name, value) in node.attributes.items():
-			if name == "name":
-				bool_name = value
-			elif name == "dftval":
-				bool_val = value
-
-			if [bool_name,BOOL_ENABLED] in namevalue_list:
-				bool_val = BOOL_ENABLED
-			elif [bool_name,BOOL_DISABLED] in namevalue_list:
-				bool_val = BOOL_DISABLED
-
-			if bool_name and bool_val:
-	            		file_name.write("%s = %s\n\n" % (bool_name, bool_val))
-				bool_name = bool_val = None
-
-	# tunables are currently implemented as booleans
-	for node in doc.getElementsByTagName("tunable"):
-		for desc in node.getElementsByTagName("desc"):
-			bool_desc = format_txt_desc(desc)
-		s = string.split(bool_desc, "\n")
-		file_name.write("#\n")
-		for line in s:
-			file_name.write("# %s\n" % line)
-
-		bool_name = bool_val = None
-		for (name, value) in node.attributes.items():
-			if name == "name":
-				bool_name = value
-			elif name == "dftval":
-				bool_val = value
-
-			if [bool_name,BOOL_ENABLED] in namevalue_list:
-				bool_val = BOOL_ENABLED
-			elif [bool_name,BOOL_DISABLED] in namevalue_list:
-				bool_val = BOOL_DISABLED
-
-			if bool_name and bool_val:
-	            		file_name.write("%s = %s\n\n" % (bool_name, bool_val))
-				bool_name = bool_val = None
-
-def gen_module_conf(doc, file_name, namevalue_list):
-	"""
-	Generates the module configuration file using the XML provided and the
-	previous module configuration.
-	"""
-	# If file exists, preserve settings and modify if needed.
-	# Otherwise, create it.
-
-	file_name.write("#\n# This file contains a listing of available modules.\n")
-	file_name.write("# To prevent a module from  being used in policy\n")
-	file_name.write("# creation, set the module name to \"%s\".\n#\n" % MOD_DISABLED)
-	file_name.write("# For monolithic policies, modules set to \"%s\" and \"%s\"\n" % (MOD_BASE, MOD_ENABLED))
-	file_name.write("# will be built into the policy.\n#\n")
-	file_name.write("# For modular policies, modules set to \"%s\" will be\n" % MOD_BASE)
-	file_name.write("# included in the base module.  \"%s\" will be compiled\n" % MOD_ENABLED)
-	file_name.write("# as individual loadable modules.\n#\n\n")
-
-	# For required in [True,False] is present so that the requiered modules
-	# are at the top of the config file.
-	for required in [True,False]:
-		for node in doc.getElementsByTagName("module"):
-			mod_req = False
-			for req in node.getElementsByTagName("required"):
-				if req.getAttribute("val") == "true":
-					mod_req = True
-
-			# Skip if we arnt working on the right set of modules.
-			if mod_req and not required or not mod_req and required:
-				continue
-
-
-			mod_name = mod_layer = None
-
-			mod_name = node.getAttribute("name")	
-			mod_layer = node.parentNode.getAttribute("name")
-
-			if mod_name and mod_layer:
-				file_name.write("# Layer: %s\n# Module: %s\n" % (mod_layer,mod_name))
-				if required:
-					file_name.write("# Required in base\n")
-				file_name.write("#\n")
-
-			for desc in node.getElementsByTagName("summary"):
-				if not desc.parentNode == node:
-					continue
-				s = string.split(format_txt_desc(desc), "\n")
-				for line in s:
-					file_name.write("# %s\n" % line)
-
-				# If the module is set as disabled.
-				if [mod_name, MOD_DISABLED] in namevalue_list:
-					file_name.write("%s = %s\n\n" % (mod_name, MOD_DISABLED))
-				# If the module is set as enabled.
-				elif [mod_name, MOD_ENABLED] in namevalue_list:
-					file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED))
-				# If the module is set as base.
-				elif [mod_name, MOD_BASE] in namevalue_list:
-					file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE))
-				# If the module is a new module.
-				else:
-					# Set the module to base if it is marked as required.
-					if mod_req:
-						file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE))
-					# Set the module to enabled if it is not required. 
-					else:
-						file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED))
-
-def get_conf(conf):
-	"""
-	Returns a list of [name, value] pairs from a config file with the format
-	name = value
-	"""
-
-	conf_lines = conf.readlines()
-
-	namevalue_list = []
-	for i in range(0,len(conf_lines)):
-		line = conf_lines[i]
-		if line.strip() != '' and line.strip()[0] != "#":
-			namevalue = line.strip().split("=")
-			if len(namevalue) != 2:
-				warning("line %d: \"%s\" is not a valid line, skipping"\
-					 % (i, line.strip()))
-				continue
-
-			namevalue[0] = namevalue[0].strip()
-			if len(namevalue[0].split()) > 1:
-				warning("line %d: \"%s\" is not a valid line, skipping"\
-					 % (i, line.strip()))
-				continue
-
-			namevalue[1] = namevalue[1].strip()
-			if len(namevalue[1].split()) > 1:
-				warning("line %d: \"%s\" is not a valid line, skipping"\
-					 % (i, line.strip()))
-				continue
-
-			namevalue_list.append(namevalue)
-
-	return namevalue_list
-
-def first_cmp(a, b):
-	"""
-	Compares the two first elements of a list instead of the entire list.
-	"""
-
-	return cmp(a[0], b[0])
-
-def int_cmp(a, b):
-	"""
-	Compares two interfaces.
-	"""
-
-	return cmp(a["interface_name"], b["interface_name"])
-		
-def temp_cmp(a, b):
-	"""
-	Compares two templates.
-	"""
-
-	return cmp(a["template_name"], b["template_name"])
-
-def tun_cmp(a, b):
-	"""
-	Compares two tunables.
-	"""
-
-	return cmp(a["tun_name"], b["tun_name"])
-def bool_cmp(a, b):
-	"""
-	Compares two booleans.
-	"""
-
-	return cmp(a["bool_name"], b["bool_name"])
-
-def gen_doc_menu(mod_layer, module_list):
-	"""
-	Generates the HTML document menu.
-	"""
-
-	menu = []
-	for layer, value in module_list.iteritems():
-		cur_menu = (layer, [])
-		menu.append(cur_menu)
-		if layer != mod_layer and mod_layer != None:
-			continue
-		#we are in our layer so fill in the other modules or we want them all
-		for mod, desc in value.iteritems():
-			cur_menu[1].append((mod, desc))
-
-	menu.sort(first_cmp)
-	for x in menu:
-		x[1].sort(first_cmp)
-	return menu
-
-def format_html_desc(node):
-	"""
-	Formats a XML node into a HTML format.
-	"""
-
-	desc_buf = ''
-	for desc in node.childNodes:
-		if desc.nodeName == "#text":
-			if desc.data is not '':
-				if desc.parentNode.nodeName != "p":
-					desc_buf += "<p>" + desc.data + "</p>"
-				else:
-					desc_buf += desc.data
-		else:
-			desc_buf += "<" + desc.nodeName + ">" \
-				 + format_html_desc(desc) \
-				 + "</" + desc.nodeName +">"
-
-	return desc_buf
-
-def format_txt_desc(node):
-	"""
-	Formats a XML node into a plain text format.
-	"""
-
-	desc_buf = ''
-	for desc in node.childNodes:
-		if desc.nodeName == "#text":
-			desc_buf += desc.data + "\n"
-		elif desc.nodeName == "p":
-			desc_buf += desc.firstChild.data + "\n"
-			for chld in desc.childNodes: 
-				if chld.nodeName == "ul":
-					desc_buf += "\n"
-					for li in chld.getElementsByTagName("li"):
-						desc_buf += "\t -" + li.firstChild.data + "\n"
-
-	return desc_buf.strip() + "\n"
-
-def gen_docs(doc, working_dir, templatedir):
-	"""
-	Generates all the documentation.
-	"""
-
-	try:
-		#get the template data ahead of time so we don't reopen them over and over
-		bodyfile = open(templatedir + "/header.html", "r")
-		bodydata = bodyfile.read()
-		bodyfile.close()
-		intfile = open(templatedir + "/interface.html", "r")
-		intdata = intfile.read()
-		intfile.close()
-		templatefile = open(templatedir + "/template.html", "r")
-		templatedata = templatefile.read()
-		templatefile.close()
-		menufile = open(templatedir + "/menu.html", "r")
-		menudata = menufile.read()
-		menufile.close()
-		indexfile = open(templatedir + "/module_list.html","r")
-		indexdata = indexfile.read()
-		indexfile.close()
-		modulefile = open(templatedir + "/module.html","r")
-		moduledata = modulefile.read()
-		modulefile.close()
-		intlistfile = open(templatedir + "/int_list.html", "r")
-		intlistdata = intlistfile.read()
-		intlistfile.close()
-		templistfile = open(templatedir + "/temp_list.html", "r")
-		templistdata = templistfile.read()
-		templistfile.close()
-		boollistfile = open(templatedir + "/global_bool_list.html", "r")
-		boollistdata = boollistfile.read()
-		boollistfile.close()
-		tunlistfile = open(templatedir + "/global_tun_list.html", "r")
-		tunlistdata = tunlistfile.read()
-		tunlistfile.close()
-	except:
-		error("Could not open templates")
-
-
-	try:
-		os.chdir(working_dir)
-	except:
-		error("Could not chdir to target directory")	
-
-
-#arg, i have to go through this dom tree ahead of time to build up the menus
-	module_list = {}
-	for node in doc.getElementsByTagName("module"):
-                mod_name = mod_layer = interface_buf = ''
-
-		mod_name = node.getAttribute("name")
-		mod_layer = node.parentNode.getAttribute("name")
-
-		for desc in node.getElementsByTagName("summary"):
-			if desc.parentNode == node and desc:
-				mod_summary = format_html_desc(desc)
-		if not module_list.has_key(mod_layer):
-			module_list[mod_layer] = {}
-
-		module_list[mod_layer][mod_name] = mod_summary
-
-#generate index pages
-	main_content_buf = ''
-	for mod_layer,modules in module_list.iteritems():
-		menu = gen_doc_menu(mod_layer, module_list)
-
-		layer_summary = None
-		for desc in doc.getElementsByTagName("summary"):
-			if desc.parentNode.getAttribute("name") == mod_layer:
-				layer_summary = format_html_desc(desc)
-
-		menu_args = { "menulist" : menu,
-			      "mod_layer" : mod_layer,
-			      "layer_summary" : layer_summary }
-		menu_tpl = pyplate.Template(menudata)
-		menu_buf = menu_tpl.execute_string(menu_args)
-
-		content_tpl = pyplate.Template(indexdata)
-		content_buf = content_tpl.execute_string(menu_args)
-
-		main_content_buf += content_buf
-
-		body_args = { "menu" : menu_buf,
-			      "content" : content_buf }
-	
-		index_file = mod_layer + ".html"
-		index_fh = open(index_file, "w")
-		body_tpl = pyplate.Template(bodydata)
-		body_tpl.execute(index_fh, body_args)
-		index_fh.close()	
-
-	menu = gen_doc_menu(None, module_list)
-	menu_args = { "menulist" : menu,
-		      "mod_layer" : None }
-	menu_tpl = pyplate.Template(menudata)
-	menu_buf = menu_tpl.execute_string(menu_args)
-
-	body_args = { "menu" : menu_buf,
-		      "content" : main_content_buf }
-
-	index_file = "index.html"
-	index_fh = open(index_file, "w")
-	body_tpl = pyplate.Template(bodydata)
-	body_tpl.execute(index_fh, body_args)
-	index_fh.close()
-#now generate the individual module pages
-
-	all_interfaces = []
-	all_templates = []
-	for node in doc.getElementsByTagName("module"):
-                mod_name = mod_layer = mod_desc = interface_buf = ''
-
-		mod_name = node.getAttribute("name")
-		mod_layer = node.parentNode.getAttribute("name")
-
-		mod_req = None
-		for req in node.getElementsByTagName("required"):
-			if req.getAttribute("val") == "true":
-				mod_req = True
-
-		for desc in node.getElementsByTagName("summary"):
-			if desc.parentNode == node:
-				mod_summary = format_html_desc(desc)
-		for desc in node.getElementsByTagName("desc"):
-			if desc.parentNode == node:
-				mod_desc = format_html_desc(desc)
-
-		interfaces = []
-		for interface in node.getElementsByTagName("interface"):
-			interface_parameters = []
-			interface_desc = interface_summary = None
-			interface_name = interface.getAttribute("name")
-			interface_line = interface.getAttribute("lineno")
-			for desc in interface.childNodes:
-				if desc.nodeName == "desc":
-					interface_desc = format_html_desc(desc)
-				elif desc.nodeName == "summary":
-					interface_summary = format_html_desc(desc)
-
-			for args in interface.getElementsByTagName("param"):
-				for desc in args.getElementsByTagName("summary"):
-					paramdesc = format_html_desc(desc)
-				paramname = args.getAttribute("name")
-				if args.getAttribute("optional") == "true":
-					paramopt = "Yes"
-				else:
-					paramopt = "No"
-				parameter = { "name" : paramname,
-					      "desc" : paramdesc,
-					      "optional" : paramopt }
-				interface_parameters.append(parameter)
-			interfaces.append( { "interface_name" : interface_name,
-					   "interface_summary" : interface_summary,
-					   "interface_desc" : interface_desc,
-					   "interface_parameters" : interface_parameters })
-			#all_interfaces is for the main interface index with all interfaces
-			all_interfaces.append( { "interface_name" : interface_name,
-					   "interface_summary" : interface_summary,
-					   "interface_desc" : interface_desc,
-					   "interface_parameters" : interface_parameters,
-					   "mod_name": mod_name,
-					   "mod_layer" : mod_layer })
-		interfaces.sort(int_cmp)	
-		interface_tpl = pyplate.Template(intdata)
-		interface_buf = interface_tpl.execute_string({"interfaces" : interfaces})
-	
-
-# now generate individual template pages
-		templates = []
-		for template in node.getElementsByTagName("template"):
-			template_parameters = []
-			template_desc = template_summary = None
-			template_name = template.getAttribute("name")
-			template_line = template.getAttribute("lineno")
-			for desc in template.childNodes:
-				if desc.nodeName == "desc":
-					template_desc = format_html_desc(desc)
-				elif desc.nodeName == "summary":
-					template_summary = format_html_desc(desc)
-
-			for args in template.getElementsByTagName("param"):
-				for desc in args.getElementsByTagName("summary"):
-					paramdesc = format_html_desc(desc)
-				paramname = args.getAttribute("name")
-				if args.getAttribute("optional") == "true":
-					paramopt = "Yes"
-				else:
-					paramopt = "No"
-				parameter = { "name" : paramname,
-					      "desc" : paramdesc,
-					      "optional" : paramopt }
-				template_parameters.append(parameter)
-			templates.append( { "template_name" : template_name,
-					   "template_summary" : template_summary,
-					   "template_desc" : template_desc,
-					   "template_parameters" : template_parameters })
-			#all_templates is for the main interface index with all templates
-			all_templates.append( { "template_name" : template_name,
-					   "template_summary" : template_summary,
-					   "template_desc" : template_desc,
-					   "template_parameters" : template_parameters,
-					   "mod_name": mod_name,
-					   "mod_layer" : mod_layer })
-
-		templates.sort(temp_cmp)	
-		template_tpl = pyplate.Template(templatedata)
-		template_buf = template_tpl.execute_string({"templates" : templates})
-
-
-		menu = gen_doc_menu(mod_layer, module_list)
-
-		menu_tpl = pyplate.Template(menudata)
-		menu_buf = menu_tpl.execute_string({ "menulist" : menu })
-
-
-		# pyplate's execute_string gives us a line of whitespace in
-		# template_buf or interface_buf if there are no interfaces or
-		# templates for this module. This is problematic because the
-		# HTML templates use a conditional if on interface_buf or
-		# template_buf being 'None' to decide if the "Template:" or
-		# "Interface:" headers need to be printed in the module pages.
-		# This detects if either of these are just whitespace, and sets
-		# their values to 'None' so that when applying it to the
-		# templates, they are properly recognized as not existing.
-		if not interface_buf.strip():
-			interface_buf = None
-		if not template_buf.strip():
-			template_buf = None
-
-		module_args = { "mod_layer" : mod_layer,
-			      "mod_name" : mod_name,	
-			      "mod_summary" : mod_summary,
-			      "mod_desc" : mod_desc,
-			      "mod_req" : mod_req,
-			      "interfaces" : interface_buf,
-			      "templates": template_buf }
-
-		module_tpl = pyplate.Template(moduledata)
-		module_buf = module_tpl.execute_string(module_args)
-
-		body_args = { "menu" : menu_buf,
-			      "content" : module_buf }
-			  
-		module_file = mod_layer + "_" + mod_name + ".html"
-		module_fh = open(module_file, "w")
-		body_tpl = pyplate.Template(bodydata)
-		body_tpl.execute(module_fh, body_args)
-		module_fh.close()
-
-		
-	menu = gen_doc_menu(None, module_list)
-	menu_args = { "menulist" : menu,
-		      "mod_layer" : None }
-	menu_tpl = pyplate.Template(menudata)
-	menu_buf = menu_tpl.execute_string(menu_args)
-	
-	#build the interface index
-	all_interfaces.sort(int_cmp)
-	interface_tpl = pyplate.Template(intlistdata)
-	interface_buf = interface_tpl.execute_string({"interfaces" : all_interfaces})
-	int_file = "interfaces.html"
-	int_fh = open(int_file, "w")
-	body_tpl = pyplate.Template(bodydata)
-
-	body_args = { "menu" : menu_buf, 
-		      "content" : interface_buf }
-
-	body_tpl.execute(int_fh, body_args)
-	int_fh.close()
-
-
-	#build the template index
-	all_templates.sort(temp_cmp)
-	template_tpl = pyplate.Template(templistdata)
-	template_buf = template_tpl.execute_string({"templates" : all_templates})
-	temp_file = "templates.html"
-	temp_fh = open(temp_file, "w")
-	body_tpl = pyplate.Template(bodydata)
-
-	body_args = { "menu" : menu_buf, 
-		      "content" : template_buf }
-
-	body_tpl.execute(temp_fh, body_args)
-	temp_fh.close()
-
-
-	#build the global tunable index
-	global_tun_buf = []
-	for tunable in doc.getElementsByTagName("tunable"):
-		if tunable.parentNode.nodeName == "policy":
-			tunable_name = tunable.getAttribute("name")
-			default_value = tunable.getAttribute("dftval")
-			for desc in tunable.getElementsByTagName("desc"):
-				description = format_html_desc(desc)
-			global_tun_buf.append( { "tun_name" : tunable_name,
-						"def_val" : default_value,
-						"desc" : description } )
-	global_tun_buf.sort(tun_cmp)
-	global_tun_tpl = pyplate.Template(tunlistdata)
-	global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun_buf})
-	global_tun_file = "global_tunables.html"
-	global_tun_fh = open(global_tun_file, "w")
-	body_tpl = pyplate.Template(bodydata)
-
-	body_args = { "menu" : menu_buf,
-		      "content" : global_tun_buf }
-
-	body_tpl.execute(global_tun_fh, body_args)
-	global_tun_fh.close()
-
-
-	#build the global boolean index
-	global_bool_buf = []
-	for boolean in doc.getElementsByTagName("bool"):
-		if boolean.parentNode.nodeName == "policy":
-			bool_name = boolean.getAttribute("name")
-			default_value = boolean.getAttribute("dftval")
-			for desc in boolean.getElementsByTagName("desc"):
-				description = format_html_desc(desc)
-			global_bool_buf.append( { "bool_name" : bool_name,
-						"def_val" : default_value,
-						"desc" : description } )
-	global_bool_buf.sort(bool_cmp)
-	global_bool_tpl = pyplate.Template(boollistdata)
-	global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool_buf})
-	global_bool_file = "global_booleans.html"
-	global_bool_fh = open(global_bool_file, "w")
-	body_tpl = pyplate.Template(bodydata)
-
-	body_args = { "menu" : menu_buf,
-		      "content" : global_bool_buf }
-
-	body_tpl.execute(global_bool_fh, body_args)
-	global_bool_fh.close()
-
-
-
-def error(error):
-	"""
-	Print an error message and exit.
-	"""
-
-        sys.stderr.write("%s exiting for: " % sys.argv[0])
-        sys.stderr.write("%s\n" % error)
-        sys.stderr.flush()
-        sys.exit(1)
-
-def warning(warn):
-	"""
-	Print a warning message.
-	"""
-
-	sys.stderr.write("%s warning: " % sys.argv[0])
-	sys.stderr.write("%s\n" % warn)
-
-def usage():
-	"""
-	Describes the proper usage of this tool.
-	"""
-
-	sys.stdout.write("%s [-tmdT] -x <xmlfile>\n\n" % sys.argv[0])
-	sys.stdout.write("Options:\n")
-	sys.stdout.write("-b --booleans	<file>		--	write boolean config to <file>\n")
-	sys.stdout.write("-m --modules <file>		--	write module config to <file>\n")
-	sys.stdout.write("-d --docs <dir>		--	write interface documentation to <dir>\n")
-	sys.stdout.write("-x --xml <file>		--	filename to read xml data from\n")
-	sys.stdout.write("-T --templates <dir>		--	template directory for documents\n")
-
-
-# MAIN PROGRAM
-try:
-	opts, args = getopt.getopt(sys.argv[1:], "b:m:d:x:T:", ["booleans","modules","docs","xml", "templates"])
-except getopt.GetoptError:
-	usage()
-	sys.exit(1)
-
-booleans = modules = docsdir = None
-templatedir = "templates/"
-xmlfile = "policy.xml"
-
-for opt, val in opts:
-	if opt in ("-b", "--booleans"):
-		booleans = val
-	if opt in ("-m", "--modules"):
-		modules = val
-	if opt in ("-d", "--docs"):
-		docsdir = val
-	if opt in ("-x", "--xml"):
-		xmlfile = val
-	if opt in ("-T", "--templates"):
-		templatedir = val
-
-doc = read_policy_xml(xmlfile)
-		
-if booleans:
-	namevalue_list = []
-	if os.path.exists(booleans):
-		try:
-			conf = open(booleans, 'r')
-		except:
-			error("Could not open booleans file for reading")
-
-		namevalue_list = get_conf(conf)
-
-		conf.close()
-
-	try:
-		conf = open(booleans, 'w')
-	except:
-		error("Could not open booleans file for writing")
-
-	gen_booleans_conf(doc, conf, namevalue_list)
-	conf.close()
-
-
-if modules:
-	namevalue_list = []
-	if os.path.exists(modules):
-		try:
-			conf = open(modules, 'r')
-		except:
-			error("Could not open modules file for reading")
-		namevalue_list = get_conf(conf)	
-		conf.close()
-
-	try:
-		conf = open(modules, 'w')
-	except:
-		error("Could not open modules file for writing")
-	gen_module_conf(doc, conf, namevalue_list)
-	conf.close()
-
-if docsdir: 
-	gen_docs(doc, docsdir, templatedir)
diff --git a/refpolicy/support/segenxml.py b/refpolicy/support/segenxml.py
deleted file mode 100755
index 10cc8bd..0000000
--- a/refpolicy/support/segenxml.py
+++ /dev/null
@@ -1,475 +0,0 @@
-#!/usr/bin/python
-
-#  Author(s): Donald Miner <dminer@tresys.com>
-#             Dave Sugar <dsugar@tresys.com>
-#             Brian Williams <bwilliams@tresys.com>
-#
-# Copyright (C) 2005 - 2006 Tresys Technology, LLC
-#      This program is free software; you can redistribute it and/or modify
-#      it under the terms of the GNU General Public License as published by
-#      the Free Software Foundation, version 2.
-
-"""
-	This script generates XML documentation information for layers specified
-	by the user.
-"""
-
-import sys
-import os
-import glob
-import re
-
-# GLOBALS
-
-# Default values of command line arguments:
-warn = False
-meta = "metadata"
-third_party = "third-party"
-layers = {}
-tunable_files = []
-bool_files = []
-xml_tunable_files = []
-xml_bool_files = []
-output_dir = ""
-
-# Pre compiled regular expressions:
-
-# Matches either an interface or a template declaration. Will give the tuple:
-#	("interface" or "template", name)
-# Some examples:
-#	"interface(`kernel_read_system_state',`"
-#	 -> ("interface", "kernel_read_system_state")
-#	"template(`base_user_template',`"
-#	 -> ("template", "base_user_template")
-INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'")
-
-# Matches either a gen_bool or a gen_tunable statement. Will give the tuple:
-#	("tunable" or "bool", name, "true" or "false")
-# Some examples:
-#	"gen_bool(secure_mode, false)"
-#	 -> ("bool", "secure_mode", "false")
-#	"gen_tunable(allow_kerberos, false)"
-#	 -> ("tunable", "allow_kerberos", "false")
-BOOLEAN = re.compile("^\s*gen_(tunable|bool)\(\s*(\w*)\s*,\s*(true|false)\s*\)")
-
-# Matches a XML comment in the policy, which is defined as any line starting
-#  with two # and at least one character of white space. Will give the single
-#  valued tuple:
-#	("comment")
-# Some Examples:
-#	"## <summary>"
-#	 -> ("<summary>")
-#	"##		The domain allowed access.	"
-#	 -> ("The domain allowed access.")
-XML_COMMENT = re.compile("^##\s+(.*?)\s*$")
-
-
-# FUNCTIONS
-def getModuleXML(file_name):
-	'''
-	Returns the XML data for a module in a list, one line per list item.
-	'''
-
-	# Try to open the file, if it cant, just ignore it.
-	try:
-		module_file = open(file_name, "r")
-		module_code = module_file.readlines()
-		module_file.close()
-	except:
-		warning("cannot open file %s for read, skipping" % file_name)
-		return []
-
-	module_buf = []
-
-	# Infer the module name, which is the base of the file name.
-	module_buf.append("<module name=\"%s\" filename=\"%s\">\n" 
-		% (os.path.splitext(os.path.split(file_name)[-1])[0], file_name))
-
-	temp_buf = []
-	interface = None
-
-	# finding_header is a flag to denote whether we are still looking
-	#  for the XML documentation at the head of the file.
-	finding_header = True
-
-	# Get rid of whitespace at top of file
-	while(module_code and module_code[0].isspace()):
-		module_code = module_code[1:]
-
-	# Go line by line and figure out what to do with it.
-	line_num = 0
-	for line in module_code:
-		line_num += 1
-		if finding_header:
-			# If there is a XML comment, add it to the temp buffer.
-			comment = XML_COMMENT.match(line)
-			if comment:
-				temp_buf.append(comment.group(1) + "\n")
-				continue
-
-			# Once a line that is not an XML comment is reached,
-			#  either put the XML out to module buffer as the
-			#  module's documentation, or attribute it to an
-			#  interface/template.
-			elif temp_buf:
-				finding_header = False
-				interface = INTERFACE.match(line)
-				if not interface:
-					module_buf += temp_buf
-					temp_buf = []
-					continue
-
-		# Skip over empty lines
-		if line.isspace():
-			continue
-
-		# Grab a comment and add it to the temprorary buffer, if it
-		#  is there.
-		comment = XML_COMMENT.match(line)
-		if comment:
-			temp_buf.append(comment.group(1) + "\n")
-			continue
-
-		# Grab the interface information. This is only not true when
-		#  the interface is at the top of the file and there is no
-		#  documentation for the module.
-		if not interface:
-			interface = INTERFACE.match(line)
-		if interface:
-			# Add the opening tag for the interface/template
-			groups = interface.groups()
-			module_buf.append("<%s name=\"%s\" lineno=\"%s\">\n" % (groups[0], groups[1], line_num))
-
-			# Add all the comments attributed to this interface to
-			#  the module buffer.
-			if temp_buf:
-				module_buf += temp_buf
-				temp_buf = []
-
-			# Add default summaries and parameters so that the
-			#  DTD is happy.
-			else:
-				warning ("unable to find XML for %s %s()" % (groups[0], groups[1]))	
-				module_buf.append("<summary>\n")
-				module_buf.append("Summary is missing!\n")
-				module_buf.append("</summary>\n")
-				module_buf.append("<param name=\"?\">\n")
-				module_buf.append("<summary>\n")
-				module_buf.append("Parameter descriptions are missing!\n")
-				module_buf.append("</summary>\n")
-				module_buf.append("</param>\n")
-
-			# Close the interface/template tag.
-			module_buf.append("</%s>\n" % interface.group(1))
-
-			interface = None
-			continue
-
-
-
-	# If the file just had a header, add the comments to the module buffer.
-	if finding_header:
-		module_buf += temp_buf
-	# Otherwise there are some lingering XML comments at the bottom, warn
-	#  the user.
-	elif temp_buf:
-		warning("orphan XML comments at bottom of file %s" % file_name)
-
-	module_buf.append("</module>\n")
-
-	return module_buf
-
-def getLayerXML (layerName, directories):
-	'''
-	Returns the XML documentation for a layer.
-	'''
-
-	layer_buf = []
-
-	# Infer the layer name from the directory name.
-	layer_buf.append("<layer name=\"%s\">\n" % layerName)
-
-	# Try to file the metadata file for this layer and if it exists,
-	# append the contents to the buffer.
-	bFoundMeta = False
-	for directory in directories:
-		metafile = directory + "/" + meta
-
-		if not bFoundMeta and os.path.isfile (metafile):
-			layer_meta = open (metafile, "r")
-			layer_buf += layer_meta.readlines ()
-			layer_meta.close()
-			bFoundMeta = True
-
-	# force the metadata for the third party layer
-	if not bFoundMeta:
-		if layerName == third_party:
-			layer_buf.append ("<summary>This is all third-party generated modules.</summary>\n")
-			bFoundMeta = True
-
-	# didn't find meta data for this layer - oh well	
-	if not bFoundMeta:
-		layer_buf.append ("<summary>Summary is missing!.</summary>\n")
-		warning ("unable to find %s for layer %s" % (meta, layerName))	
-	
-	# For each module file in the layer, add its XML.
-	for directory in directories:
-		modules = glob.glob("%s/*.if" % directory)
-		modules.sort()
-		for module in modules:
-			layer_buf += getModuleXML(module)
-
-	layer_buf.append("</layer>\n")
-
-	return layer_buf
-
-def getTunableXML(file_name, kind):
-	'''
-	Return all the XML for the tunables/bools in the file specified.
-	'''
-
-	# Try to open the file, if it cant, just ignore it.
-	try:
-		tunable_file = open(file_name, "r")
-		tunable_code = tunable_file.readlines()
-		tunable_file.close()
-	except:
-		warning("cannot open file %s for read, skipping" % file_name)
-		return []
-
-	tunable_buf = []
-	temp_buf = []
-
-	# Find tunables and booleans line by line and use the comments above
-	# them.
-	for line in tunable_code:
-		# If it is an XML comment, add it to the buffer and go on.
-		comment = XML_COMMENT.match(line)
-		if comment:
-			temp_buf.append(comment.group(1) + "\n")
-			continue
-
-		# Get the boolean/tunable data.
-		boolean = BOOLEAN.match(line)
-
-		# If we reach a boolean/tunable declaration, attribute all XML
-		#  in the temp buffer to it and add XML to the tunable buffer.
-		if boolean:
-			# If there is a gen_bool in a tunable file or a
-			# gen_tunable in a boolean file, error and exit.
-			if boolean.group(1) != kind:
-				error("%s in a %s file." % (boolean.group(1), kind))
-
-			tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups())
-			tunable_buf += temp_buf
-			temp_buf = []
-			tunable_buf.append("</%s>\n" % boolean.group(1))
-
-	# If there are XML comments at the end of the file, they arn't
-	# attributed to anything. These are ignored.
-	if len(temp_buf):
-		warning("orphan XML comments at bottom of file %s" % file_name)
-
-
-	# If the caller requested a the global_tunables and global_booleans to be
-	# output to a file output them now
-	if len(output_dir) > 0:
-		xmlfile = os.path.split(file_name)[1] + ".xml"
-
-		try:
-			xml_outfile = open(output_dir + "/" + xmlfile, "w")
-			for tunable_line in tunable_buf:
-				xml_outfile.write (tunable_line)
-			xml_outfile.close()
-		except:
-			warning ("cannot write to file %s, skipping creation" % xmlfile)
-
-	return tunable_buf
-
-def getXMLFileContents (file_name):
-	'''
-	Return all the XML in the file specified.
-	'''
-
-	tunable_buf = []
-	# Try to open the xml file for this type of file
-	# append the contents to the buffer.
-	try:
-		tunable_xml = open(file_name, "r")
-		tunable_buf += tunable_xml.readlines()
-		tunable_xml.close()
-	except:
-		warning("cannot open file %s for read, assuming no data" % file_name)
-
-	return tunable_buf
-
-def getPolicyXML():
-	'''
-	Return the compelete reference policy XML documentation through a list,
-	one line per item.
-	'''
-
-	policy_buf = []
-	policy_buf.append("<policy>\n")
-
-	# Add to the XML each layer specified by the user.
-	for layer in layers.keys ():
-		policy_buf += getLayerXML(layer, layers[layer])
-
-	# Add to the XML each tunable file specified by the user.
-	for tunable_file in tunable_files:
-		policy_buf += getTunableXML(tunable_file, "tunable")
-
-	# Add to the XML each XML tunable file specified by the user.
-	for tunable_file in xml_tunable_files:
-		policy_buf += getXMLFileContents (tunable_file)
-
-	# Add to the XML each bool file specified by the user.
-	for bool_file in bool_files:
-		policy_buf += getTunableXML(bool_file, "bool")
-
-	# Add to the XML each XML bool file specified by the user.
-	for bool_file in xml_bool_files:
-		policy_buf += getXMLFileContents (bool_file)
-
-	policy_buf.append("</policy>\n")
-
-	return policy_buf
-
-def usage():
-	"""
-	Displays a message describing the proper usage of this script.
-	"""
-
-	sys.stdout.write("usage: %s [-w] [-m file] "\
-		% sys.argv[0])
-
-	sys.stdout.write("layerdirectory [layerdirectory...]\n\n")
-
-	sys.stdout.write("Options:\n")
-
-	sys.stdout.write ("-h --help                      -- "+\
-				"show command line options\n")
-
-	sys.stdout.write("-w --warn                      -- "+\
-				"show warnings\n")
-
-	sys.stdout.write("-m --meta <file>               -- "+\
-				"the filename of the metadata in each layer\n")
-
-	sys.stdout.write("-t --tunable <file>            -- "+\
-				"A file containing tunable declarations\n")
-
-	sys.stdout.write("-b --bool <file>               -- "+\
-				"A file containing bool declarations\n")
-												   
-	sys.stdout.write("-o --output-dir <directory>    -- "+\
-				"A directory to output global_tunables.xml and global_booleans.xml\n")
-
-	sys.stdout.write("--tunables-xml <file>          -- "+\
-				"A file containing tunable declarations already in XML format\n")
-
-	sys.stdout.write("--booleans-xml <file>          -- "+\
-				"A file containing bool declarations already in XML format\n")
-				
-	sys.stdout.write ("-3 --third-party <directory>   -- "+\
-				"Look for 3rd Party modules in directory.\n")
-
-def warning(description):
-	'''
-	Warns the user of a non-critical error.
-	'''
-
-	if warn:
-		sys.stderr.write("%s: " % sys.argv[0] )
-		sys.stderr.write("warning: " + description + "\n")
-
-def error(description):
-	'''
-	Describes an error and exists the program.
-	'''
-
-	sys.stderr.write("%s: " % sys.argv[0] )
-        sys.stderr.write("error: " + description + "\n")
-        sys.stderr.flush()
-        sys.exit(1)
-
-
-
-# MAIN PROGRAM
-# Check that there are command line arguments.
-if len(sys.argv) <= 1:
-	usage()
-	sys.exit(1)
-
-
-# Parse the command line arguments
-for i in range(1, len(sys.argv)):
-	if sys.argv[i-1] in ("-m", "--meta",\
-					"-t", "--tunable", "-b", "--bool",\
-					"-o", "--output-dir", "-3", "--third-party", \
-					"--tunables-xml", "--booleans-xml"):
-		continue
-	elif sys.argv[i] in ("-w", "--warn"):
-		warn = True
-	elif sys.argv[i] in ("-m", "--meta"):
-		if i < len(sys.argv)-1:
-			meta = sys.argv[i+1]
-		else:
-			usage()
-	elif sys.argv[i] in ("-t", "--tunable"):
-		if i < len(sys.argv)-1:
-			tunable_files.append(sys.argv[i+1])
-		else:
-			usage()
-	elif sys.argv[i] in ("-b", "--bool"):
-		if i < len(sys.argv)-1:
-			bool_files.append(sys.argv[i+1])
-		else:
-			usage()
-	
-	elif sys.argv[i] == "--tunables-xml":
-		if i < len(sys.argv)-1:
-			xml_bool_files.append (sys.argv[i+1])
-		else:
-			usage ()
-			
-	elif sys.argv[i] == "--booleans-xml":
-		if i < len(sys.argv)-1:
-			xml_tunable_files.append (sys.argv[i+1])
-		else:
-			usage ()
-			
-	elif sys.argv[i] in ("-o", "--output-dir"):
-		if i < len(sys.argv)-1:
-			output_dir = sys.argv[i+1]
-		else:
-			usage ()
-			
-	elif sys.argv[i] in ("-3", "--third-party"):
-		if i < len(sys.argv) -1:
-			if layers.has_key (third_party):
-				layers[third_party].append (sys.argv[i+1])
-			else:
-				layers[third_party] = [sys.argv[i+1]]
-		else:
-			usage ()
-
-	elif sys.argv[i] in ("-h", "--help"):
-		usage ()
-		sys.exit (1)
-
-	else:
-		# store directories in hash stored by layer name
-		splitlayer = os.path.split(sys.argv[i])
-		if layers.has_key (splitlayer[1]):
-			layers[splitlayer[1]].append (sys.argv[i])
-		else:
-			layers[splitlayer[1]] = [sys.argv[i]]
-
-
-# Generate the XML and output it to a file
-lines = getPolicyXML()
-for s in lines:
-	sys.stdout.write(s)
-
diff --git a/refpolicy/support/selinux-policy-refpolicy.spec b/refpolicy/support/selinux-policy-refpolicy.spec
deleted file mode 100644
index 4ceaf73..0000000
--- a/refpolicy/support/selinux-policy-refpolicy.spec
+++ /dev/null
@@ -1,432 +0,0 @@
-%define distro redhat
-%define direct_initrc y
-%define monolithic n
-%define polname1 targeted
-%define type1 targeted-mcs
-%define polname2 strict
-%define type2 strict-mcs
-Summary: SELinux policy configuration
-Name: selinux-policy
-Version: 20051019
-Release: 1
-License: GPL
-Group: System Environment/Base
-Source: refpolicy-%{version}.tar.bz2
-Url: http://serefpolicy.sourceforge.net
-BuildRoot: %{_tmppath}/refpolicy-buildroot
-BuildArch: noarch
-# FIXME Need to ensure these have correct versions
-BuildRequires: checkpolicy m4 policycoreutils python make gcc
-PreReq: kernel >= 2.6.4-1.300 policycoreutils >= %{POLICYCOREUTILSVER}
-Obsoletes: policy 
-
-%description
-SELinux Reference Policy - modular.
-
-%prep
-%setup -q
-make conf
-
-%build
-
-%install
-%{__rm} -fR $RPM_BUILD_ROOT
-make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} base.pp
-make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} modules
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname1}/%{type1}
-%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname1}/%{type1}
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname1}/policy
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname1}/contexts/files
-make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=y DESTDIR=$RPM_BUILD_ROOT install-appconfig
-make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname1}/users/local.users
-make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname1}/users/system.users
-make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} base.pp
-make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} modules
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname2}/%{type2}
-%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname2}/%{type2}
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname2}/policy
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname2}/contexts/files
-make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=y DESTDIR=$RPM_BUILD_ROOT install-appconfig
-make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname2}/users/local.users
-make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname2}/users/system.users
-
-%clean
-%{__rm} -fR $RPM_BUILD_ROOT
-
-%files
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_sysconfdir}/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/*.pp
-#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
-%dir %{_sysconfdir}/selinux/*
-%ghost %config %{_sysconfdir}/selinux/*/booleans
-%dir %{_sysconfdir}/selinux/*/policy
-#%ghost %config %{_sysconfdir}/selinux/*/policy/policy.*
-%dir %{_sysconfdir}/selinux/*/contexts
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/customizable_types
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/dbus_contexts
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/default_contexts
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/default_type
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/failsafe_context
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/initrc_context
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/removable_context
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/userhelper_context
-%dir %{_sysconfdir}/selinux/*/contexts/files
-#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts
-#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/homedir_template
-#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts.homedirs
-%config %{_sysconfdir}/selinux/*/contexts/files/media
-%dir %{_sysconfdir}/selinux/*/users
-%config %{_sysconfdir}/selinux/*/users/system.users
-%config %{_sysconfdir}/selinux/*/users/local.users
-#%ghost %dir %{_sysconfdir}/selinux/*/modules
-
-%pre
-
-%post
-
-%package base-targeted
-Summary: SELinux %{polname1} base policy
-Group: System Environment/Base
-Provides: selinux-policy-base
-
-%description base-targeted
-SELinux Reference policy targeted base module.
-
-%files base-targeted
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/%{polname1}
-%dir %{_usr}/share/selinux/%{polname1}/%{type1}
-%config %{_usr}/share/selinux/%{polname1}/%{type1}/base.pp
-%dir %{_sysconfdir}/selinux
-#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
-%dir %{_sysconfdir}/selinux/%{polname1}
-%ghost %config %{_sysconfdir}/selinux/%{polname1}/booleans
-%dir %{_sysconfdir}/selinux/%{polname1}/policy
-#%ghost %config %{_sysconfdir}/selinux/%{polname1}/policy/policy.*
-%dir %{_sysconfdir}/selinux/%{polname1}/contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/customizable_types
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/dbus_contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/default_contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/default_type
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/failsafe_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/initrc_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/removable_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/userhelper_context
-%dir %{_sysconfdir}/selinux/%{polname1}/contexts/files
-#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts
-#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/homedir_template
-#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts.homedirs
-%config %{_sysconfdir}/selinux/%{polname1}/contexts/files/media
-%dir %{_sysconfdir}/selinux/%{polname1}/users
-%config %{_sysconfdir}/selinux/%{polname1}/users/system.users
-%config %{_sysconfdir}/selinux/%{polname1}/users/local.users
-#%ghost %dir %{_sysconfdir}/selinux/%{polname1}/modules
-
-%post base-targeted
-semodule -b /usr/share/selinux/%{polname1}/%{type1}/base.pp -s %{_sysconfdir}/selinux/%{polname1}
-for file in $(ls /usr/share/selinux/%{polname1}/%{type1} | grep -v base.pp)
-do semodule -i /usr/share/selinux/%{polname1}/%{type1}/$file -s %{_sysconfdir}/selinux/%{polname1}
-done
-
-%package base-strict
-Summary: SELinux %{polname2} base policy
-Group: System Environment/Base
-Provides: selinux-policy-base
-
-%description base-strict
-SELinux Reference policy strict base module.
-
-%files base-strict
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/%{polname2}
-%dir %{_usr}/share/selinux/%{polname2}/%{type2}
-%config %{_usr}/share/selinux/%{polname2}/%{type2}/base.pp
-%dir %{_sysconfdir}/selinux
-#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
-%dir %{_sysconfdir}/selinux/%{polname2}
-%ghost %config %{_sysconfdir}/selinux/%{polname2}/booleans
-%dir %{_sysconfdir}/selinux/%{polname2}/policy
-#%ghost %config %{_sysconfdir}/selinux/%{polname2}/policy/policy.*
-%dir %{_sysconfdir}/selinux/%{polname2}/contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/customizable_types
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/dbus_contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/default_contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/default_type
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/failsafe_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/initrc_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/removable_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/userhelper_context
-%dir %{_sysconfdir}/selinux/%{polname2}/contexts/files
-#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts
-#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/homedir_template
-#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts.homedirs
-%config %{_sysconfdir}/selinux/%{polname2}/contexts/files/media
-%dir %{_sysconfdir}/selinux/%{polname2}/users
-%config %{_sysconfdir}/selinux/%{polname2}/users/system.users
-%config %{_sysconfdir}/selinux/%{polname2}/users/local.users
-#%ghost %dir %{_sysconfdir}/selinux/%{polname2}/modules
-
-%post base-strict
-semodule -b /usr/share/selinux/%{polname2}/%{type2}/base.pp -s %{_sysconfdir}/selinux/%{polname2}
-for file in $(ls /usr/share/selinux/%{polname2}/%{type2} | grep -v base.pp)
-do semodule -i /usr/share/selinux/%{polname2}/%{type2}/$file -s %{_sysconfdir}/selinux/%{polname2}
-done
-
-%package apache
-Summary: SELinux apache policy
-Group: System Environment/Base
-Requires: selinux-policy-base
-
-%description apache
-SELinux Reference policy apache module.
-
-%files apache
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/apache.pp
-
-%post apache
-if [ -d %{_sysconfdir}/selinux/%{polname1}/modules ] ; then
-semodule -n -i %{_usr}/share/selinux/%{polname1}/%{type1}/apache.pp -s %{_sysconfdir}/selinux/%{polname1}
-fi
-if [ -d %{_sysconfdir}/selinux/%{polname2}/modules ] ; then
-semodule -i %{_usr}/share/selinux/%{polname2}/%{type2}/apache.pp -s %{_sysconfdir}/selinux/%{polname2}
-fi
-
-%preun apache
-if [ -d %{_sysconfdir}/selinux/%{polname1}/modules ]
-then semodule -n -r apache -s %{_sysconfdir}/selinux/%{polname1}
-fi
-if [ -d %{_sysconfdir}/selinux/%{polname2}/modules ]
-then semodule -n -r apache -s %{_sysconfdir}/selinux/%{polname2}
-fi
-
-%package bind
-Summary: SELinux bind policy
-Group: System Environment/Base
-
-%description bind
-SELinux Reference policy bind module.
-
-%files bind
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/bind.pp
-
-%post bind
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/bind.pp
-
-%preun bind
-semodule -r bind
-
-%package dhcp
-Summary: SELinux dhcp policy
-Group: System Environment/Base
-
-%description dhcp
-SELinux Reference policy dhcp module.
-
-%files dhcp
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/dhcp.pp
-
-%post dhcp
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/dhcp.pp
-
-%preun dhcp
-semodule -r dhcp
-
-%package ldap
-Summary: SELinux ldap policy
-Group: System Environment/Base
-
-%description ldap
-SELinux Reference policy ldap module.
-
-%files ldap
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/ldap.pp
-
-%post ldap
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/ldap.pp
-
-%preun ldap
-semodule -r ldap
-
-%package mailman
-Summary: SELinux mailman policy
-Group: System Environment/Base
-
-%description mailman
-SELinux Reference policy mailman module.
-
-%files mailman
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/mailman.pp
-
-%post mailman
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/mailman.pp
-
-%preun mailman
-semodule -r mailman
-
-%package mysql
-Summary: SELinux mysql policy
-Group: System Environment/Base
-
-%description mysql
-SELinux Reference policy mysql module.
-
-%files mysql
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/mysql.pp
-
-%post mysql
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcsmysql.pp
-
-%preun mysql
-semodule -r mysql
-
-%package portmap
-Summary: SELinux portmap policy
-Group: System Environment/Base
-
-%description portmap
-SELinux Reference policy portmap module.
-
-%files portmap
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/portmap.pp
-
-%post portmap
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/portmap.pp
-
-%preun portmap
-semodule -r portmap
-
-%package postgresql
-Summary: SELinux postgresql policy
-Group: System Environment/Base
-
-%description postgresql
-SELinux Reference policy postgresql module.
-
-%files postgresql
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/postgresql.pp
-
-%post postgresql
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/postgresql.pp
-
-%preun postgresql
-semodule -r postgresql
-
-%package samba
-Summary: SELinux samba policy
-Group: System Environment/Base
-
-%description samba
-SELinux Reference policy samba module.
-
-%files samba
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/samba.pp
-
-%post samba
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/samba.pp
-
-%preun samba
-semodule -r samba
-
-%package snmp
-Summary: SELinux snmp policy
-Group: System Environment/Base
-
-%description snmp
-SELinux Reference policy snmp module.
-
-%files snmp
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/snmp.pp
-
-%post snmp
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/snmp.pp
-
-%preun snmp
-semodule -r snmp
-
-%package squid
-Summary: SELinux squid policy
-Group: System Environment/Base
-
-%description squid
-SELinux Reference policy squid module.
-
-%files squid
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/squid.pp
-
-%post squid
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/squid.pp
-
-%preun squid
-semodule -r squid
-
-%package webalizer
-Summary: SELinux webalizer policy
-Group: System Environment/Base
-
-%description webalizer
-SELinux Reference policy webalizer module.
-
-%files webalizer
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/webalizer.pp
-
-%post webalizer
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/webalizer.pp
-
-%preun webalizer
-semodule -r webalizer
-
-%changelog
diff --git a/refpolicy/support/selinux-refpolicy-sources.spec.skel b/refpolicy/support/selinux-refpolicy-sources.spec.skel
deleted file mode 100644
index 6b4b739..0000000
--- a/refpolicy/support/selinux-refpolicy-sources.spec.skel
+++ /dev/null
@@ -1,85 +0,0 @@
-%define type refpolicy
-%define POLICYDIR /etc/selinux/%{type}
-%define FILE_CON ${POLICYDIR}/contexts/files/file_contexts
-%define FC_PRE ${FILE_CON}.pre
-
-Summary: SELinux Reference Policy configuration source files 
-Name: selinux-refpolicy-sources
-Version: REFPOL_VERSION
-Release: 1
-License: GPL
-Group: System Environment/Base
-PreReq: m4 make policycoreutils kernel gcc
-Requires: checkpolicy >= 1.20
-Requires: python
-BuildRequires: make m4 python
-Obsoletes: policy-sources
-Source: refpolicy-%{version}.tar.bz2
-Url: http://serefpolicy.sourceforge.net
-BuildArch: noarch
-BuildRoot: /tmp/rpmbuild/%{name}
-
-%description
-This subpackage includes the SELinux Reference Policy
-source files, which can be used to build a targeted policy
-or strict policy configuration.
-
-%prep
-%setup -q -n refpolicy
-
-%build
-sed -i -e '/^TYPE/s/strict/targeted/' Makefile
-sed -i -e 's/^#DISTRO/DISTRO/' Makefile
-sed -i -e '/^DIRECT_INITRC/s/n/y/' Makefile
-make conf
-make clean
-rm -f support/*.pyc
-
-%install
-rm -fR $RPM_BUILD_ROOT
-make DESTDIR=$RPM_BUILD_ROOT install-src
-
-%clean
-rm -fR $RPM_BUILD_ROOT
-
-%files
-%defattr(0600,root,root,0700)
-%dir %{_sysconfdir}/selinux/%{type}/src/policy
-%config %{_sysconfdir}/selinux/%{type}/src/policy/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/doc
-%config %{_sysconfdir}/selinux/%{type}/src/policy/doc/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/doc/templates
-%config %{_sysconfdir}/selinux/%{type}/src/policy/doc/templates/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/support
-%config %{_sysconfdir}/selinux/%{type}/src/policy/support/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/config
-%config(noreplace) %{_sysconfdir}/selinux/%{type}/src/policy/config/local.users
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/config/appconfig-targeted
-%config %{_sysconfdir}/selinux/%{type}/src/policy/config/appconfig-targeted/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/config/appconfig-strict
-%config %{_sysconfdir}/selinux/%{type}/src/policy/config/appconfig-strict/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy
-%config(noreplace) %{_sysconfdir}/selinux/%{type}/src/policy/policy/users
-%config(noreplace) %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules.conf
-%config(noreplace) %{_sysconfdir}/selinux/%{type}/src/policy/policy/booleans.conf
-%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/mls
-%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/mcs
-%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/global_booleans
-%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/global_tunables
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/flask
-%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/flask/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/kernel
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/kernel/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/apps
-%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/apps/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/services
-%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/services/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/system
-%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/system/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/admin
-%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/admin/*
-%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/support
-%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/support/*
-
-%changelog
diff --git a/refpolicy/support/set_bools_tuns.awk b/refpolicy/support/set_bools_tuns.awk
deleted file mode 100644
index cedc19b..0000000
--- a/refpolicy/support/set_bools_tuns.awk
+++ /dev/null
@@ -1,11 +0,0 @@
-# Read booleans.conf and output M4 directives to
-# override default settings in global_booleans
-
-BEGIN {
-	FS="="
-}
-
-/^[[:blank:]]*[[:alpha:]]+/{ 
-	gsub(/[[:blank:]]*/,"")
-	print "define(`"$1"_conf',`"$2"')"
-}
diff --git a/support/Makefile.devel b/support/Makefile.devel
new file mode 100644
index 0000000..0163f2f
--- /dev/null
+++ b/support/Makefile.devel
@@ -0,0 +1,192 @@
+
+# helper tools
+AWK ?= gawk
+INSTALL ?= install
+M4 ?= m4
+SED ?= sed
+EINFO ?= echo
+PYTHON ?= python
+
+NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
+SHAREDIR ?= /usr/share/selinux
+HEADERDIR ?= $(SHAREDIR)/$(NAME)/include
+
+include $(HEADERDIR)/build.conf
+
+# executables
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMODULE := $(SBINDIR)/semodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+XMLLINT := $(BINDIR)/xmllint
+
+# set default build options if missing
+TYPE ?= strict
+DIRECT_INITRC ?= n
+POLY ?= n
+QUIET ?= y
+
+genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
+
+docs = doc
+polxml = $(docs)/policy.xml
+xmldtd = $(HEADERDIR)/support/policy.dtd
+layerxml = metadata.xml
+
+globaltun = $(HEADERDIR)/global_tunables.xml
+globalbool = $(HEADERDIR)/global_booleans.xml
+
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+	M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+	M4PARAM += -D targeted_policy
+endif
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+	M4PARAM += -D enable_mls
+	CHECKPOLICY += -M
+	CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+	M4PARAM += -D enable_mcs
+	CHECKPOLICY += -M
+	CHECKMODULE += -M
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+	M4PARAM += -D distro_$(DISTRO)
+endif
+
+# enable polyinstantiation
+ifeq ($(POLY),y)
+	M4PARAM += -D enable_polyinstantiation
+endif
+
+ifeq ($(DIRECT_INITRC),y)
+	M4PARAM += -D direct_sysadm_daemon
+endif
+
+ifeq ($(QUIET),y)
+	verbose := @
+endif
+
+M4PARAM += -D hide_broken_symptoms
+
+# policy headers
+m4support = $(wildcard $(HEADERDIR)/support/*.spt)
+all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
+all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
+rolemap = $(HEADERDIR)/rolemap
+
+detected_layers =  $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+3rd_party_mods = $(wildcard *.te)
+detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
+detected_ifs = $(detected_mods:.te=.if)
+detected_fcs = $(detected_mods:.te=.fc)
+all_packages = $(notdir $(detected_mods:.te=.pp))
+
+vpath %.te $(detected_layers)
+vpath %.if $(detected_layers)
+vpath %.fc $(detected_layers)
+
+# if there are modules in the current directory, add them into the third party layer
+ifneq "$(3rd_party_mods)" ""
+        genxml += -3 .
+endif
+
+########################################
+#
+# Functions
+#
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# peruser-expansion modulename,outputfile
+define peruser-expansion
+	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+	$(call parse-rolemap,$1,$2)
+	$(verbose) echo "')" >> $2
+endef
+
+.PHONY: clean all xml
+.SUFFIXES:
+.SUFFIXES: .pp
+# broken in make 3.81:
+#.SECONDARY:
+
+########################################
+#
+# Main targets
+#
+
+all: $(all_packages)
+
+xml: $(polxml)
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
+	@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
+	@test -d tmp || mkdir -p tmp
+	$(call peruser-expansion,$(basename $(@F)),$@.role)
+	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+tmp/%.mod.fc: $(m4support) %.fc
+	$(verbose) $(M4) $(M4PARAM) $^ > $@
+
+%.pp: tmp/%.mod tmp/%.mod.fc
+	@echo "Creating $(NAME) $(@F) policy package"
+	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
+	@test -d tmp || mkdir -p tmp
+	$(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+# so users dont have to make empty .fc and .if files
+$(detected_ifs) $(detected_fcs):
+	@touch $@
+
+########################################
+#
+# Documentation generation
+#
+
+# minimal dependencies here, because we don't want to rebuild
+# this and its dependents every time the dependencies
+# change.  Also use all .if files here, rather then just the
+# enabled modules.
+$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
+	@echo "Creating $@"
+	@mkdir -p doc
+	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
+	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(xmldtd)">' >> $@
+	$(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
+	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+		$(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
+	fi
+
+########################################
+#
+# Clean the environment
+#
+
+clean:
+	rm -fR tmp
+	rm -f *.pp
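Review bot: NAME on the `NAME ?=` line is read from /etc/selinux/config with no guard, so when that file is absent or lacks a SELINUXTYPE entry NAME is empty, HEADERDIR collapses to $(SHAREDIR)//include, and the `include $(HEADERDIR)/build.conf` line fails with a message that does not name the real cause. A guard between the HEADERDIR assignment and the include would make it explicit: `ifeq ($(NAME),)` / `$(error NAME is empty: set NAME= or check SELINUXTYPE in /etc/selinux/config)` / `endif`. Separately, the tmp/all_interfaces.conf recipe invokes bare `m4` and `sed` even though the file defines `$(M4)` and `$(SED)` for that purpose at the top, and the `@echo` lines in the %.pp and $(polxml) recipes bypass the `$(EINFO)` used by the tmp/%.mod rule; using the variables consistently keeps the tool overrides effective.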
diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
new file mode 100644
index 0000000..1d098d5
--- /dev/null
+++ b/support/comment_move_decl.sed
@@ -0,0 +1,13 @@
+# comment out lines that are moved by the build
+# process, so line numbers provided by m4 are preserved.
+
+# lines in require and optional blocks are not moved
+/require \{/,/} # end require/b nextline
+/optional \{/,/} # end optional/b nextline
+
+/^[[:blank:]]*(attribute|type(alias)?) /	s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
+
+:nextline
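Review bot: The patterns from the `(attribute|type(alias)?)` line onward rely on extended-regex grouping, alternation and `?`, which sed honours only under -r/-E; run with plain `sed -f`, the parentheses and `|` are literal, no declaration line is commented out, and the line-number preservation this script exists for is silently lost. The invoking command is not in this hunk, so I cannot confirm -r is passed; a header comment would pin the requirement for the next maintainer: `# NOTE: uses extended regular expressions; must be invoked with sed -r (GNU) or sed -E`.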
diff --git a/support/fc_sort.c b/support/fc_sort.c
new file mode 100644
index 0000000..6c43035
--- /dev/null
+++ b/support/fc_sort.c
@@ -0,0 +1,558 @@
+/* Copyright 2005, Tresys Technology 
+ * 
+ * Some parts of this came from matchpathcon.c in libselinux
+ */
+
+/* PURPOSE OF THIS PROGRAM
+ * The original setfiles sorting algorithm did not take into 
+ * account regular expression specificity. With the current 
+ * strict and targeted policies this is not an issue because 
+ * the file contexts are partially hand sorted and concatenated 
+ * in the right order so that the matches are generally correct.
+ * The way reference policy and loadable policy modules handle
+ * file contexts makes them come out in an unpredictable order
+ * and therefore setfiles (or this standalone tool) need to sort
+ * the regular expressions in a deterministic and stable way.
+ */
+
+#define BUF_SIZE 4096;
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+typedef unsigned char bool_t;
+
+/* file_context_node
+ * A node used in a linked list of file contexts.c
+ * Each node contains the regular expression, the type and 
+ *  the context, as well as information about the regular
+ *  expression. The regular expression data (meta, stem_len
+ *  and str_len) can be filled in by using the fc_fill_data
+ *  function after the regular expression has been loaded.
+ * next points to the next node in the linked list.
+ */
+typedef struct file_context_node {
+	char *path;
+	char *file_type;
+	char *context;
+	bool_t meta;
+	int stem_len;
+	int str_len;
+	struct file_context_node *next;
+} file_context_node_t;
+
+void file_context_node_destroy(file_context_node_t *x)
+{
+	free(x->path);
+	free(x->file_type);
+	free(x->context);
+}
+
+
+
+/* file_context_bucket
+ * A node used in a linked list of buckets that contain
+ *  file_context_node's.
+ * Each node contains a pointer to a file_context_node which
+ *  is the header of its linked list. This linked list is the
+ *  content of this bucket.
+ * next points to the next bucket in the linked list.
+ */
+typedef struct file_context_bucket {
+	file_context_node_t *data;
+	struct file_context_bucket *next;
+} file_context_bucket_t;
+
+
+
+/* fc_compare
+ * Compares two file contexts' regular expressions and returns:
+ *    -1 if a is less specific than b
+ *     0 if a and be are equally specific
+ *     1 if a is more specific than b
+ * The comparison is based on the following statements,
+ *  in order from most important to least important, given a and b:
+ *     If a is a regular expression and b is not,
+ *      -> a is less specific than b.
+ *     If a's stem length is shorter than b's stem length,
+ *      -> a is less specific than b.
+ *     If a's string length is shorter than b's string length,
+ *      -> a is less specific than b.
+ *     If a does not have a specified type and b does not,
+ *      -> a is less specific than b.
+ */
+int fc_compare(file_context_node_t *a, file_context_node_t *b)
+{
+	/* Check to see if either a or b have meta characters
+	 *  and the other doesn't. */
+	if (a->meta && !b->meta)
+		return -1;
+	if (b->meta && !a->meta)
+		return 1;
+
+	/* Check to see if either a or b have a shorter stem
+	 *  length than the other. */
+	if (a->stem_len < b->stem_len)
+		return -1;
+	if (b->stem_len < a->stem_len)
+		return 1;
+
+	/* Check to see if either a or b have a shorter string
+	 *  length than the other. */
+	if (a->str_len < b->str_len)
+		return -1;
+	if (b->str_len < a->str_len)
+		return 1;
+
+	/* Check to see if either a or b has a specified type
+	 *  and the other doesn't. */
+	if (!a->file_type && b->file_type)
+		return -1;
+	if (!b->file_type && a->file_type)
+		return 1;
+
+	/* If none of the above conditions were satisfied, 
+	 * then a and b are equally specific. */
+	return 0;
+}
+
+
+
+/* fc_merge
+ * Merges two sorted file context linked lists into one
+ *  sorted one.
+ * Pass two lists a and b, and after the completion of fc_merge,
+ *  the final list is contained in a, and b is empty.
+ */
+file_context_node_t *fc_merge(file_context_node_t *a,
+				   file_context_node_t *b)
+{
+	file_context_node_t *a_current;
+	file_context_node_t *b_current;
+	file_context_node_t *temp;
+	file_context_node_t *jumpto;
+
+
+
+	/* If a is a empty list, and b is not,
+	 *  set a as b and proceed to the end. */
+	if (!a && b)
+		a = b;
+	/* If b is an empty list, leave a as it is. */
+	else if (!b) {
+	} else {
+		/* Make it so the list a has the lesser
+		 *  first element always. */
+		if (fc_compare(a, b) == 1) {
+			temp = a;
+			a = b;
+			b = temp;
+		}
+		a_current = a;
+		b_current = b;
+
+		/* Merge by inserting b's nodes in between a's nodes. */
+		while (a_current->next && b_current) {
+			jumpto = a_current->next;
+
+			/* Insert b's nodes in between the current a node
+			 *  and the next a node.*/
+			while (b_current && a_current->next &&
+			       fc_compare(a_current->next,
+					  b_current) != -1) {
+
+
+				temp = a_current->next;
+				a_current->next = b_current;
+				b_current = b_current->next;
+				a_current->next->next = temp;
+				a_current = a_current->next;
+			}
+
+			/* Skip all the inserted node from b to the
+			 *  next node in the original a. */
+			a_current = jumpto;
+		}
+
+
+		/* if there is anything left in b to be inserted,
+		   put it on the end */
+		if (b_current) {
+			a_current->next = b_current;
+		}
+	}
+
+	return a;
+}
+
+
+
+/* fc_merge_sort
+ * Sorts file contexts from least specific to more specific.
+ * The bucket linked list is passed and after the completion
+ *  of the fc_merge_sort function, there is only one bucket
+ *  (pointed to by master) that contains a linked list
+ *  of all the file contexts, in sorted order.
+ * Explanation of the algorithm:
+ *  The algorithm implemented in fc_merge_sort is an iterative
+ *   implementation of merge sort.
+ *  At first, each bucket has a linked list of file contexts
+ *   that are 1 element each.
+ *  Each pass, each odd numbered bucket is merged into the bucket
+ *   before it. This halves the number of buckets each pass.
+ *  It will continue passing over the buckets (as described above)
+ *   until there is only  one bucket left, containing the list of
+ *   file contexts, sorted.
+ */
+void fc_merge_sort(file_context_bucket_t *master)
+{
+
+
+	file_context_bucket_t *current;
+	file_context_bucket_t *temp;
+
+	/* Loop until master is the only bucket left
+	 * so that this will stop when master contains
+	 * the sorted list. */
+	while (master->next) {
+		current = master;
+
+		/* This loop merges buckets two-by-two. */
+		while (current) {
+
+			if (current->next) {
+
+				current->data =
+				    fc_merge(current->data,
+					     current->next->data);
+
+
+
+				temp = current->next;
+				current->next = current->next->next;
+
+				free(temp);
+
+			}
+
+
+			current = current->next;
+		}
+	}
+
+
+}
+
+
+
+/* fc_fill_data
+ * This processes a regular expression in a file context
+ *  and sets the data held in file_context_node, namely
+ *  meta, str_len and stem_len. 
+ * The following changes are made to fc_node after the
+ *  the completion of the function:
+ *     fc_node->meta =		1 if path has a meta character, 0 if not.
+ *     fc_node->str_len =	The string length of the entire path
+ *     fc_node->stem_len = 	The number of characters up until
+ *				 the first meta character.
+ */
+void fc_fill_data(file_context_node_t *fc_node)
+{
+	int c = 0;
+
+	fc_node->meta = 0;
+	fc_node->stem_len = 0;
+	fc_node->str_len = 0;
+
+	/* Process until the string termination character
+	 *  has been reached.
+	 * Note: this while loop has been adapted from
+	 *  spec_hasMetaChars in matchpathcon.c from
+	 *  libselinux-1.22. */
+	while (fc_node->path[c] != '\0') {
+		switch (fc_node->path[c]) {
+		case '.':
+		case '^':
+		case '$':
+		case '?':
+		case '*':
+		case '+':
+		case '|':
+		case '[':
+		case '(':
+		case '{':
+			/* If a meta character is found,
+			 *  set meta to one */
+			fc_node->meta = 1;
+			break;
+		case '\\':
+			/* If a escape character is found,
+			 *  skip the next character. */
+			c++;
+		default:
+			/* If no meta character has been found yet,
+			 *  add one to the stem length. */
+			if (!fc_node->meta)
+				fc_node->stem_len++;
+			break;
+		}
+
+		fc_node->str_len++;
+		c++;
+	}
+}
+
+/* main
+ * This program takes in two arguments, the input filename and the
+ *  output filename. The input file should be syntactically correct.
+ * Overall what is done in the main is read in the file and store each
+ *  line of code, sort it, then output it to the output file.
+ */
+int main(int argc, char *argv[])
+{
+	int lines;
+	size_t start, finish, regex_len, context_len;
+	size_t line_len, buf_len, i, j;
+	char *input_name, *output_name, *line_buf;
+
+	file_context_node_t *temp;
+	file_context_node_t *head;
+	file_context_node_t *current;
+	file_context_bucket_t *master;
+	file_context_bucket_t *bcurrent;
+
+	FILE *in_file, *out_file;
+
+
+	/* Check for the correct number of command line arguments. */
+	if (argc != 3) {
+		fprintf(stderr, "Usage: %s <infile> <outfile>\n",argv[0]);
+		return 1;
+	}
+	
+	input_name = argv[1];
+	output_name = argv[2];
+
+	i = j = lines = 0;
+
+	/* Open the input file. */
+	if (!(in_file = fopen(input_name, "r"))) {
+		fprintf(stderr, "Error: failure opening input file for read.\n");
+		return 1;
+	}
+
+	/* Initialize the head of the linked list. */
+	head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t));
+
+	/* Parse the file into a file_context linked list. */
+	line_buf = NULL;
+
+	while ( getline(&line_buf, &buf_len, in_file) != -1 ){
+		line_len = strlen(line_buf);
+		if( line_len == 0 || line_len == 1)
+			continue;
+		/* Get rid of whitespace from the front of the line. */
+		for (i = 0; i < line_len; i++) {
+			if (!isspace(line_buf[i]))
+				break;
+		}
+
+
+		if (i >= line_len)
+			continue;
+		/* Check if the line isn't empty and isn't a comment */
+		if (line_buf[i] == '#')
+			continue;
+
+		/* We have a valid line - allocate a new node. */
+		temp = (file_context_node_t *)malloc(sizeof(file_context_node_t));
+		if (!temp) {
+			fprintf(stderr, "Error: failure allocating memory.\n");
+			return 1;
+		}
+		temp->next = NULL;
+		memset(temp, 0, sizeof(file_context_node_t));
+
+		/* Parse out the regular expression from the line. */
+		start = i;
+
+
+		while (i < line_len && (!isspace(line_buf[i])))
+			i++;
+		finish = i;
+
+
+		regex_len = finish - start;
+
+		if (regex_len == 0) {
+			file_context_node_destroy(temp);
+			free(temp);
+
+
+			continue;
+		}
+		
+		temp->path = (char*)strndup(&line_buf[start], regex_len);
+		if (!temp->path) {
+			file_context_node_destroy(temp);
+			free(temp);
+			fprintf(stderr, "Error: failure allocating memory.\n");
+			return 1;
+		}
+
+		/* Get rid of whitespace after the regular expression. */
+		for (; i < line_len; i++) {
+
+			if (!isspace(line_buf[i]))
+				break;
+		}	
+
+		if (i == line_len) {
+			file_context_node_destroy(temp);
+			free(temp);
+			continue;
+		}
+
+		/* Parse out the type from the line (if it 
+			*  is there). */
+		if (line_buf[i] == '-') {
+			temp->file_type = (char *)malloc(sizeof(char) * 3);
+			if (!(temp->file_type)) {
+				fprintf(stderr, "Error: failure allocating memory.\n");
+				return 1;
+			}
+
+			if( i + 2 >= line_len ) {
+				file_context_node_destroy(temp);
+				free(temp);
+
+				continue;
+			}
+
+			/* Fill the type into the array. */
+			temp->file_type[0] = line_buf[i];
+			temp->file_type[1] = line_buf[i + 1];
+			i += 2;
+			temp->file_type[2] = 0;
+
+			/* Get rid of whitespace after the type. */
+			for (; i < line_len; i++) {
+				if (!isspace(line_buf[i]))
+					break;
+			}
+
+			if (i == line_len) {
+
+				file_context_node_destroy(temp);
+				free(temp);
+				continue;
+			}
+		}
+
+		/* Parse out the context from the line. */
+		start = i;
+		while (i < line_len && (!isspace(line_buf[i])))
+			i++;
+		finish = i;
+
+		context_len = finish - start;
+
+		temp->context = (char*)strndup(&line_buf[start], context_len);
+		if (!temp->context) {
+			file_context_node_destroy(temp);
+			free(temp);
+			fprintf(stderr, "Error: failure allocating memory.\n");
+			return 1;
+		}
+
+		/* Set all the data about the regular
+			*  expression. */
+		fc_fill_data(temp);
+
+		/* Link this line of code at the end of
+			*  the linked list. */
+		current->next = temp;
+		current = current->next;
+		lines++;
+
+
+		free(line_buf);
+		line_buf = NULL;
+	}
+	fclose(in_file);
+
+	/* Create the bucket linked list from the earlier linked list. */
+	current = head->next;
+	bcurrent = master =
+	    (file_context_bucket_t *)
+	    malloc(sizeof(file_context_bucket_t));
+
+	/* Go until all the nodes have been put in individual buckets. */
+	while (current) {
+		/* Copy over the file context line into the bucket. */
+		bcurrent->data = current;
+		current = current->next;
+
+		/* Detatch the node in the bucket from the old list. */
+		bcurrent->data->next = NULL;
+
+		/* If there should be another bucket, put one at the end. */
+		if (current) {
+			bcurrent->next =
+			    (file_context_bucket_t *)
+			    malloc(sizeof(file_context_bucket_t));
+			if (!(bcurrent->next)) {
+				printf
+				    ("Error: failure allocating memory.\n");
+				return -1;
+			}
+
+			/* Make sure the new bucket thinks it's the end of the
+			 *  list. */
+			bcurrent->next->next = NULL;
+
+			bcurrent = bcurrent->next;
+		}
+
+	}
+
+	/* Sort the bucket list. */
+	fc_merge_sort(master);
+
+	/* Open the output file. */
+	if (!(out_file = fopen(argv[2], "w"))) {
+		printf("Error: failure opening output file for write.\n");
+		return -1;
+	}
+
+	/* Output the sorted file_context linked list to the output file. */
+	current = master->data;
+	while (current) {
+		/* Output the path. */
+		fprintf(out_file, "%s\t\t", current->path);
+
+		/* Output the type, if there is one. */
+		if (current->file_type) {
+			fprintf(out_file, "%s\t", current->file_type);
+		}
+
+		/* Output the context. */
+		fprintf(out_file, "%s\n", current->context);
+
+		/* Remove the node. */
+		temp = current;
+		current = current->next;
+
+		file_context_node_destroy(temp);
+		free(temp);
+
+	}
+	free(master);
+
+	fclose(out_file);
+
+	return 0;
+}
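Review bot: A path whose last character is a backslash makes fc_fill_data read past the end of its string: the `case '\\':` arm does `c++` unconditionally, which lands `c` on the terminator, the fall-through into `default` then advances it once more, and the loop condition reads beyond the NUL. Guard the skip so it never steps over the terminator: `if (fc_node->path[c + 1] != '\0') c++;` before falling through. main has a related uninitialised read on an input with no valid lines: `head` and `master` are malloc'd without being cleared or NULL-checked, so `head->next` at `current = head->next;` and `master->next` inside fc_merge_sort are indeterminate when the parse loop never links a node; set `head->next = NULL;` and `master->data = master->next = NULL;` immediately after each allocation and bail out on a NULL return. `#define BUF_SIZE 4096;` also carries a trailing semicolon that would expand into any expression using it; it is unused in this file, so either drop the macro or the semicolon.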
diff --git a/support/genclassperms.py b/support/genclassperms.py
new file mode 100755
index 0000000..732d645
--- /dev/null
+++ b/support/genclassperms.py
@@ -0,0 +1,308 @@
+#!/usr/bin/python
+
+# Author: Donald Miner <dminer@tresys.com>
+#
+# Copyright (C) 2005 Tresys Technology, LLC
+#      This program is free software; you can redistribute it and/or modify
+#      it under the terms of the GNU General Public License as published by
+#      the Free Software Foundation, version 2.
+
+
+"""
+	This script generates an object class perm definition file.
+"""
+
+import sys
+
+USERSPACE_CLASS = "userspace"
+
+class Class:
+	"""
+	This object stores an access vector class.
+	"""
+
+	def __init__(self, name, perms, common):
+		# The name of the class.
+		self.name = name
+
+		# A list of permissions the class contains.
+		self.perms = perms
+
+		# True if the class is declared as common, False if not.
+		self.common = common
+
+def get_perms(name, av_db, common):
+	"""
+	Returns the list of permissions contained within an access vector
+	class that is stored in the access vector database av_db.
+	Returns an empty list if the object name is not found.
+	Specifiy whether get_perms is to return the class or the
+	common set of permissions with the boolean value 'common',
+	which is important in the case of having duplicate names (such as
+	class file and common file).
+	"""
+
+	# Traverse through the access vector database and try to find the
+	#  object with the name passed.
+	for obj in av_db:
+		if obj.name == name and obj.common == common:
+			return obj.perms
+
+	return []
+
+def get_av_db(file_name):
+	"""
+	Returns an access vector database generated from the file file_name.
+	"""
+	# This function takes a file, reads the data, parses it and returns
+	#  a list of access vector classes.
+	# Reading into av_data:
+	#  The file specified will be read line by line. Each line will have
+	#   its comments removed. Once comments are removed, each 'word' (text
+	#   seperated by whitespace) and braces will be split up into seperate
+	#   strings and appended to the av_data list, in the order they were
+	#   read.
+	# Parsing av_data:
+	#  Parsing is done using a queue implementation of the av_data list.
+	#   Each time a word is used, it is dequeued afterwards. Each loop in
+	#   the while loop below will read in key words and dequeue expected
+	#   words and values. At the end of each loop, a Class containing the
+	#   name, permissions and whether it is a common or not will be appended
+	#   to the database. Lots of errors are caught here, almost all checking
+	#   if a token is expected but EOF is reached.
+	# Now the list of Class objects is returned.
+
+	av_file = open(file_name, "r")
+	av_data = []
+	# Read the file and strip out comments on the way.
+	# At the end of the loop, av_data will contain a list of individual
+	#  words. i.e. ['common', 'file', '{', ...]. All comments and whitespace
+	#  will be gone.
+	while True:
+		av_line = av_file.readline()
+
+		# If EOF has been reached:
+		if not av_line:
+			break
+
+		# Check if there is a comment, and if there is, remove it.
+		comment_index = av_line.find("#")
+		if comment_index != -1:
+			av_line = av_line[:comment_index]
+
+		# Pad the braces with whitespace so that they are split into
+		#  their own word. It doesn't matter if there will be extra
+		#  white space, it'll get thrown away when the string is split.
+		av_line.replace("{"," { ")
+		av_line.replace("}"," } ")		
+
+		# Split up the words on the line and add it to av_data.
+		av_data += av_line.split()
+
+	av_file.close()
+
+	# Parsing the file:
+	# The implementation of this parse is a queue. We use the list of words
+	#  from av_data and use the front element, then dequeue it. Each
+	#  loop of this while is a common or class declaration. Several
+	#  expected tokens are parsed and dequeued out of av_data for each loop.
+	# At the end of the loop, database will contain a list of Class objects.
+	#  i.e. [Class('name',['perm1','perm2',...],'True'), ...]
+	# Dequeue from the beginning of the list until av_data is empty:
+	database = []
+	while len(av_data) != 0:
+		# At the beginning of every loop, the next word should be
+		#  "common" or "class", meaning that each loop is a common
+		#  or class declaration.
+		# av_data = av_data[1:] removes the first element in the
+		#  list, this is what is dequeueing data.
+
+		# Figure out whether the next class will be a common or a class.
+		if av_data[0] == "class":
+			common = False
+		elif av_data[0] == "common":
+			common = True
+		else:
+			error("Unexpected token in file " + file_name + ": "\
+				+ av_data[0] + ".")
+
+		# Dequeue the "class" or "common" key word.
+		av_data = av_data[1:]
+
+		if len(av_data) == 0:
+			error("Missing token in file " + file_name + ".")
+
+		# Get and dequeue the name of the class or common.
+		name = av_data[0]
+		av_data = av_data[1:]
+
+		# Retrieve the permissions inherited from a common set:
+		perms = []
+		# If the object we are working with is a class, since only
+		#  classes inherit:
+		if common == False:
+			if len(av_data) == 0:
+				error("Missing token in file " + file_name + ".")
+
+			# If the class inherits from something else:
+			if av_data[0] == "inherits":
+				# Dequeue the "inherits" key word.
+				av_data = av_data[1:]
+
+				if len(av_data) == 0:
+					error("Missing token in file "\
+						+ file_name + " for " +\
+						keyword + " " + name + ".")
+
+				# av_data[0] is the name of the parent.
+				# Append the permissions of the parent to
+				#  the current class' permissions.
+				perms += get_perms(av_data[0], database, True)
+
+				# Dequeue the name of the parent.
+				av_data = av_data[1:]
+
+		# Retrieve the permissions defined with this set.
+		if len(av_data) > 0 and av_data[0] == "{":
+			# Dequeue the "{"
+			av_data = av_data[1:]
+
+			# Keep appending permissions until a close brace is
+			#  found.
+			while av_data[0] != "}":
+				if av_data[0] == "{":
+					error("Extra '{' in file " +\
+						 file_name + ".")
+
+				# Add the permission name.
+				perms.append(av_data[0])
+
+				# Dequeue the permission name.
+				av_data = av_data[1:]
+
+				if len(av_data) == 0:
+					error("Missing token '}' in file "\
+						+ file_name + ".")
+
+			# Dequeue the "}"
+			av_data = av_data[1:]
+
+		# Add the new access vector class to the database.
+		database.append(Class(name, perms, common))
+
+	return database
+
+def get_sc_db(file_name):
+	"""
+	Returns a security class database generated from the file file_name.
+	"""
+
+	# Read the file then close it.
+	sc_file = open(file_name)
+	sc_data = sc_file.readlines()
+	sc_file.close()
+
+	# For each line in the security classes file, add the name of the class
+	#  and whether it is a userspace class or not to the security class
+	#  database.
+	database = []
+	for line in sc_data:
+		line = line.lstrip()
+		# If the line is empty or the entire line is a comment, skip.
+		if line == "" or line[0] == "#":
+			continue
+
+		# Check if the comment to the right of the permission matches
+		#  USERSPACE_CLASS.
+		comment_index = line.find("#")
+		if comment_index != -1 and line[comment_index+1:].strip() == USERSPACE_CLASS:
+			userspace = True
+		else:
+			userspace = False
+
+		# All lines should be in the format "class NAME", meaning
+		#  it should have two tokens and the first token should be
+		#  "class".
+		split_line = line.split()
+		if len(split_line) < 2 or split_line[0] != "class":
+			error("Wrong syntax: " + line)
+
+		# Add the class's name (split_line[1]) and whether it is a
+		#  userspace class or not to the database.
+		# This is appending a tuple of (NAME,USERSPACE), where NAME is
+		#  the name of the security class and USERSPACE is True if
+		#  if it has "# USERSPACE_CLASS" on the end of the line, False
+		#  if not.
+		database.append((split_line[1], userspace))
+
+	return database
+
+def gen_class_perms(av_db, sc_db):
+	"""
+	Generates a class permissions document and returns it.
+	"""
+
+	# Define class template:
+	class_perms_line = "define(`all_%s_perms',`{ %s}')\n"
+
+	# Generate the defines for the individual class permissions.
+	class_perms = ""
+	for obj in av_db:
+		# Don't output commons
+		if obj.common == True:
+			continue
+
+		# Get the list of permissions from the specified class.
+		perms = get_perms(obj.name, av_db, False)
+
+		# Merge all the permissions into one string with one space
+		#  padding.
+		perm_str = ""
+		for perm in perms:
+			perm_str += perm + " "
+
+		# Add the line to the class_perms
+		class_perms += class_perms_line % (obj.name, perm_str)
+	class_perms += "\n"
+
+	# Generate the kernel_class_perms and userspace_class_perms sets.
+	class_line = "\tclass %s all_%s_perms;\n"
+	kernel_class_perms = "define(`all_kernel_class_perms',`\n"
+	userspace_class_perms = "define(`all_userspace_class_perms',`\n"
+	# For each (NAME,USERSPACE) tuple, add the class to the appropriate
+	# class permission set.
+	for name, userspace in sc_db:
+		if userspace:
+			userspace_class_perms += class_line % (name, name)
+		else:
+			kernel_class_perms += class_line % (name, name)
+	kernel_class_perms += "')\n\n"
+	userspace_class_perms += "')\n"
+
+	# Throw all the strings together and return the string.
+	return class_perms + kernel_class_perms + userspace_class_perms
+
+def error(error):
+	"""
+	Print an error message and exit.
+	"""
+
+        sys.stderr.write("%s exiting for: " % sys.argv[0])
+        sys.stderr.write("%s\n" % error)
+        sys.stderr.flush()
+        sys.exit(1)
+
+# MAIN PROGRAM
+app_name = sys.argv[0]
+
+if len(sys.argv) != 3:
+	error("Incorrect input.\nUsage: " + sys.argv[0] + " access_vectors security_classes" )
+
+# argv[1] is the access vector file.
+av_file = sys.argv[1]
+
+# argv[2] is the security class file.
+sc_file = sys.argv[2]
+
+# Output the class permissions document.
+sys.stdout.write(gen_class_perms(get_av_db(av_file), get_sc_db(sc_file)))
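Review bot: The brace padding in get_av_db has no effect: `av_line.replace("{"," { ")` and `av_line.replace("}"," } ")` discard their results because str.replace returns a new string, so a token such as `{read` or `write}` is never split and ends up in the permission list (or defeats the `while av_data[0] != "}"` check). Assign the results back: `av_line = av_line.replace("{", " { ")` and `av_line = av_line.replace("}", " } ")`. The error branch for a trailing `inherits` references `keyword`, which is defined nowhere in the file, so that path raises NameError instead of printing the intended message; only classes reach it, so `"class " + name` should replace `keyword + " " + name`. error() is indented with spaces while the rest of the file uses tabs; convert it to tabs so the file has one indentation style.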
diff --git a/support/genhomedircon b/support/genhomedircon
new file mode 100755
index 0000000..7c4c44c
--- /dev/null
+++ b/support/genhomedircon
@@ -0,0 +1,481 @@
+#! /usr/bin/env python
+# Copyright (C) 2004 Tresys Technology, LLC
+# see file 'COPYING' for use and warranty information
+#
+# genhomedircon - this script is used to generate file context
+# configuration entries for user home directories based on their
+# default roles and is run when building the policy. Specifically, we
+# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
+# generic and user-specific values.
+#
+# Based off original script by Dan Walsh, <dwalsh@redhat.com>
+#
+# ASSUMPTIONS:
+#
+# The file CONTEXTDIR/files/homedir_template exists.  This file is used to
+# set up the home directory context for each real user.
+# 
+# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses
+#  the first role in the list.
+#
+# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user
+#
+# "Real" users (as opposed to system users) are those whose UID is greater than
+#  or equal STARTING_UID (usually 500) and whose login is not a member of
+#  EXCLUDE_LOGINS.  Users who are explicitly defined in CONTEXTDIR/local.users
+#  are always "real" (including root, in the default configuration).
+#
+#  
+# Old ASSUMPTIONS:
+#
+# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses
+#  the first role in the list.
+#
+# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that
+#  the user's home dir will be found in one of the HOME_ROOTs.
+#
+# "Real" users (as opposed to system users) are those whose UID is greater than
+#  or equal STARTING_UID (usually 500) and whose login is not a member of
+#  EXCLUDE_LOGINS.  Users who are explicitly defined in FILECONTEXTDIR/users
+#  are always "real" (including root, in the default configuration).
+#
+
+import commands, sys, os, pwd, string, getopt, re
+
+EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
+
+def getStartingUID():
+	starting_uid = sys.maxint
+	rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
+	if rc[0] == 0:
+		uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
+		#stip any comment from the end of the line
+		uid_min = uid_min.split("#")[0]
+		uid_min = uid_min.strip()
+		if int(uid_min) < starting_uid:
+			starting_uid = int(uid_min)
+	rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
+	if rc[0] == 0:
+		lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
+		#stip any comment from the end of the line
+		lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
+		lu_uidnumber = lu_uidnumber.split("#")[0]
+		lu_uidnumber = lu_uidnumber.strip()
+		if int(lu_uidnumber) < starting_uid:
+			starting_uid = int(lu_uidnumber)
+	if starting_uid == sys.maxint:
+		starting_uid = 500
+	return starting_uid
+
+#############################################################################
+#
+# This section is just for backwards compatability
+#
+#############################################################################
+def getPrefixes():
+	ulist = pwd.getpwall()
+	STARTING_UID=getStartingUID()
+	prefixes = {}
+	for u in ulist:
+		if u[2] >= STARTING_UID and \
+				not u[6] in EXCLUDE_LOGINS and \
+				u[5] != "/" and \
+				string.count(u[5], "/") > 1:
+			prefix = u[5][:string.rfind(u[5], "/")]
+			if not prefixes.has_key(prefix):
+				prefixes[prefix] = ""
+	return prefixes
+ 
+def getUsers(filecontextdir):
+	rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir)
+	udict = {}
+	if rc[0] == 0:
+		ulist = rc[1].strip().split("\n")
+		for u in ulist:
+			user = u.split()
+			try:
+				if user[1] == "user_u" or user[1] == "system_u":
+					continue
+				# !!! chooses first role in the list to use in the file context !!!
+				role = user[3]
+				if role == "{":
+					role = user[4]
+				role = role.split("_r")[0]
+				home = pwd.getpwnam(user[1])[5]
+				if home == "/":
+					continue
+				prefs = {}
+				prefs["role"] = role
+				prefs["home"] = home
+				udict[user[1]] = prefs
+			except KeyError:
+				sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
+	return udict
+
+def update(filecontext, user, prefs):
+	rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
+	if rc[0] == 0:
+		print rc[1]
+	else:
+		errorExit(string.join("grep/sed error ", rc[1]))
+	return rc
+
+def oldgenhomedircon(filecontextdir, filecontext):
+	sys.stderr.flush()
+
+	if os.path.isdir(filecontextdir) == 0:
+		sys.stderr.write("New usage is the following\n")
+		usage()
+        #We are going to define home directory used by libuser and show-utils as a home directory root
+        prefixes = {}
+        rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
+        if rc[0] == 0:
+                homedir = rc[1].split("=")[1]
+                homedir = homedir.split("#")[0]
+                homedir = homedir.strip()
+                if not prefixes.has_key(homedir):
+                        prefixes[homedir] = ""
+        else:
+                #rc[0] == 256 means the file was there, we read it, but the grep didn't match
+                if rc[0] != 256:
+                        sys.stderr.write("%s\n" % rc[1])
+                        sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
+                        sys.stderr.flush()
+
+
+        rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
+        if rc[0] == 0:
+                homedir = rc[1].split("=")[1]
+                homedir = homedir.split("#")[0]
+                homedir = homedir.strip()
+                homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
+                if not prefixes.has_key(homedir):
+                        prefixes[homedir] = ""
+
+        #the idea is that we need to find all of the home_root_t directories we do this by just accepting
+        #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
+        #we then get the potential home directory roots from /etc/passwd or nis or whereever and look at
+        #the defined homedir for all users with UID > STARTING_UID.  This list of possible root homedirs
+        #is then checked to see if it has an explicite context defined in the file_contexts.  Explicit
+        #is any regex that would match it which does not end with .*$ or .+$ since those are general
+        #recursive matches.  We then take any regex which ends with [pattern](/.*)?$ and just check against
+        #[pattern]
+        potential_prefixes = getPrefixes()
+        prefix_regex = {}
+        #this works by grepping the file_contexts for
+        # 1. ^/ makes sure this is not a comment
+        # 2. prints only the regex in the first column first cut on \t then on space
+        rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " %  (sys.argv[2]) )
+        if rc[0] == 0:
+                prefix_regex = rc[1].split("\n")
+        else:
+                sys.stderr.write("%s\n" % rc[1])
+                sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
+                sys.stderr.flush()
+        for potential in potential_prefixes.keys():
+                addme = 1
+                for regex in prefix_regex:
+                        #match a trailing (/*)? which is actually a bug in rpc_pipefs
+                        regex = re.sub("\(/\*\)\?$", "", regex)
+                        #match a trailing .+
+                        regex = re.sub("\.+$", "", regex)
+                        #match a trailing .*
+                        regex = re.sub("\.\*$", "", regex)
+                        #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
+                        regex = re.sub("\(\/\.\*\)\?", "", regex)
+                        regex = regex + "/*$"
+                        if re.search(regex, potential, 0):
+                                addme = 0
+                if addme == 1:
+                        if not prefixes.has_key(potential):
+                                prefixes[potential] = ""
+
+
+        if prefixes.__eq__({}):
+                sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
+                sys.stderr.write("HOME= not set in /etc/default/useradd\n")
+                sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
+                sys.stderr.write("Assuming /home is the root of home directories\n")
+                sys.stderr.flush()
+                prefixes["/home"] = ""
+
+	# There may be a more elegant sed script to expand a macro to multiple lines, but this works
+	sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),)
+	sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),)
+
+	# Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
+	rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
+	if rc[0] == 0:
+		print rc[1]
+	else:
+		errorExit(string.join("sed error ", rc[1]))
+
+	users = getUsers(filecontextdir)
+	print "\n#\n# User-specific file contexts\n#\n"
+
+	# Fill in HOME and ROLE for users that are defined
+	for u in users.keys():
+		update(filecontext, u, users[u]) 
+
+#############################################################################
+#
+# End of backwards compatability section
+#
+#############################################################################
+
+def getDefaultHomeDir():
+	ret = []
+	rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
+	if rc[0] == 0:
+		homedir = rc[1].split("=")[1]
+		homedir = homedir.split("#")[0]
+		homedir = homedir.strip()
+		if not homedir in ret:
+			ret.append(homedir)
+	else:
+		#rc[0] == 256 means the file was there, we read it, but the grep didn't match
+		if rc[0] != 256:
+			sys.stderr.write("%s\n" % rc[1])
+			sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
+			sys.stderr.flush()
+	rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
+	if rc[0] == 0:
+		homedir = rc[1].split("=")[1]
+		homedir = homedir.split("#")[0]
+		homedir = homedir.strip()
+		if not homedir in ret:
+			ret.append(homedir)
+	else:
+		#rc[0] == 256 means the file was there, we read it, but the grep didn't match
+		if rc[0] != 256:
+			sys.stderr.write("%s\n" % rc[1])
+			sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
+			sys.stderr.flush()
+	if ret == []:
+		ret.append("/home")
+	return ret
+
+def getSELinuxType(directory):
+	rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config" % directory)
+	if rc[0]==0:
+		return rc[1].split("=")[-1].strip()
+	return "targeted"
+
+def usage(error = ""):
+	if error != "":
+		sys.stderr.write("%s\n" % error)
+	sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0])
+	sys.stderr.flush()
+	sys.exit(1)
+
+def warning(warning = ""):
+	sys.stderr.write("%s\n" % warning)
+	sys.stderr.flush()
+	
+def errorExit(error):
+	sys.stderr.write("%s exiting for: " % sys.argv[0])
+	sys.stderr.write("%s\n" % error)
+	sys.stderr.flush()
+	sys.exit(1)
+
+class selinuxConfig:
+	def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1):
+		self.type=type
+		self.selinuxdir=selinuxdir +"/"
+		self.contextdir="/contexts"
+		self.filecontextdir=self.contextdir+"/files"
+		self.usepwd=usepwd
+
+	def getFileContextDir(self):
+		return self.selinuxdir+self.type+self.filecontextdir
+
+	def getFileContextFile(self):
+		return self.getFileContextDir()+"/file_contexts"
+	
+	def getContextDir(self):
+		return self.selinuxdir+self.type+self.contextdir
+
+	def getHomeDirTemplate(self):
+		return self.getFileContextDir()+"/homedir_template"
+
+	def getHomeRootContext(self, homedir):
+		rc=commands.getstatusoutput("grep HOME_ROOT  %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir))
+		if rc[0] == 0:
+			return rc[1]+"\n"
+		else:
+			errorExit(string.join("sed error ", rc[1]))
+
+	def getUsersFile(self):
+		return self.selinuxdir+self.type+"/users/local.users"
+
+	def getSystemUsersFile(self):
+		return self.selinuxdir+self.type+"/users/system.users"
+		
+	def heading(self):
+		ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
+		ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile()
+		return ret
+
+	def getUsers(self):
+		users=""
+		rc = commands.getstatusoutput('grep "^user" %s' % self.getSystemUsersFile())
+		if rc[0] == 0:
+			users+=rc[1]+"\n"
+		rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile())
+		if rc[0] == 0:
+			users+=rc[1]
+		udict = {}
+		prefs = {}
+		if users != "":
+			ulist = users.split("\n")
+			for u in ulist:
+				user = u.split()
+				try:
+					if len(user)==0 or user[1] == "user_u" or user[1] == "system_u":
+						continue
+					# !!! chooses first role in the list to use in the file context !!!
+					role = user[3]
+					if role == "{":
+						role = user[4]
+					role = role.split("_r")[0]
+					home = pwd.getpwnam(user[1])[5]
+					if home == "/":
+						continue
+					prefs = {}
+					prefs["role"] = role
+					prefs["home"] = home
+					udict[user[1]] = prefs
+				except KeyError:
+					sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
+		return udict
+
+	def getHomeDirContext(self, user, home, role):
+		ret="\n\n#\n# Context for user %s\n#\n\n" % user
+		rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user))
+		return ret + rc[1] + "\n"
+
+	def genHomeDirContext(self):
+		users = self.getUsers()
+		ret=""
+		# Fill in HOME and ROLE for users that are defined
+		for u in users.keys():
+			ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"])
+		return ret+"\n"
+
+	def checkExists(self, home):
+		if commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] == 0:
+			return 0
+		#this works by grepping the file_contexts for
+		# 1. ^/ makes sure this is not a comment
+		# 2. prints only the regex in the first column first cut on \t then on space
+		rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " %  self.getFileContextFile() )
+		if rc[0] == 0:
+			prefix_regex = rc[1].split("\n")
+		else:
+			sys.stderr.write("%s\n" % rc[1])
+			sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
+			sys.stderr.flush()
+		exists=1
+		for regex in prefix_regex:
+			#match a trailing (/*)? which is actually a bug in rpc_pipefs
+			regex = re.sub("\(/\*\)\?$", "", regex)
+			#match a trailing .+
+			regex = re.sub("\.+$", "", regex)
+			#match a trailing .*
+			regex = re.sub("\.\*$", "", regex)
+			#strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
+			regex = re.sub("\(\/\.\*\)\?", "", regex)
+			regex = regex + "/*$"
+			if re.search(regex, home, 0):
+				exists = 0
+				break
+		if exists == 1:
+			return 1
+		else:
+			return 0
+
+
+	def getHomeDirs(self):
+		homedirs = []
+		homedirs = homedirs + getDefaultHomeDir()
+		starting_uid=getStartingUID()
+		if self.usepwd==0:
+			return homedirs
+		ulist = pwd.getpwall()
+		for u in ulist:
+			if u[2] >= starting_uid and \
+					not u[6] in EXCLUDE_LOGINS and \
+					u[5] != "/" and \
+					string.count(u[5], "/") > 1:
+				homedir = u[5][:string.rfind(u[5], "/")]
+				if not homedir in homedirs:
+					if self.checkExists(homedir)==0:
+						warning("%s is already defined in %s,\n%s will not create a new context." % (homedir, self.getFileContextFile(), sys.argv[0]))
+					else:
+						homedirs.append(homedir)
+
+		homedirs.sort()
+		return homedirs
+ 
+	def genoutput(self):
+		ret= self.heading()
+		for h in self.getHomeDirs():
+			ret += self.getHomeDirContext ("user_u" , h+'/[^/]*', "user")
+			ret += self.getHomeRootContext(h)
+		ret += self.genHomeDirContext()
+		return ret
+
+	def printout(self):
+		print self.genoutput()
+
+	def write(self):
+		try:
+			fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w")
+			fd.write(self.genoutput())
+			fd.close()
+		except IOError, error:
+			sys.stderr.write("%s: %s\n" % ( sys.argv[0], error ))
+
+
+
+#
+# This script will generate home dir file context
+# based off the homedir_template file, entries in the password file, and
+#
+try:
+	usepwd=1
+	directory="/etc/selinux"
+	type=None
+	gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help',
+						'type=',
+						'nopasswd',
+						'dir='])
+	for o,a in gopts:
+		if o == '--type' or o == "-t":
+			type=a
+		if o == '--nopasswd'  or o == "-n":
+			usepwd=0
+		if o == '--dir'  or o == "-d":
+			directory=a
+		if o == '--help':
+			usage()
+
+
+	if type==None:
+		type=getSELinuxType(directory)
+
+	if len(cmds) == 2:
+		oldgenhomedircon(cmds[0], cmds[1])
+		sys.exit(0)
+
+	if len(cmds) != 0:
+		usage()
+	selconf=selinuxConfig(directory, type, usepwd)
+	selconf.write()
+
+except getopt.error, error:
+	errorExit(string.join("Options Error ", error))
+except ValueError, error:
+	errorExit(string.join("ValueError ", error))
+except IndexError, error:
+	errorExit("IndexError")
diff --git a/support/gennetfilter.py b/support/gennetfilter.py
new file mode 100644
index 0000000..1821b62
--- /dev/null
+++ b/support/gennetfilter.py
@@ -0,0 +1,163 @@
+#!/usr/bin/python
+
+# Author: Chris PeBenito <cpebenito@tresys.com>
+#
+# Copyright (C) 2006 Tresys Technology, LLC
+#      This program is free software; you can redistribute it and/or modify
+#      it under the terms of the GNU General Public License as published by
+#      the Free Software Foundation, version 2.
+
+import sys,string,getopt,re
+
+NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")
+
+DEFAULT_INPUT_PACKET = "server_packet_t"
+DEFAULT_OUTPUT_PACKET = "client_packet_t"
+DEFAULT_MCS = "s0"
+DEFAULT_MLS = "s0"
+
+PACKET_INPUT = "_server_packet_t"
+PACKET_OUTPUT = "_client_packet_t"
+
+class Port:
+	def __init__(self, proto, num, mls_sens, mcs_cats=""):
+		# protocol of the port
+		self.proto = proto
+
+		# port number
+		self.num = num
+
+		# MLS sensitivity
+		self.mls_sens = mls_sens
+
+		# MCS categories
+		# not currently supported, so we always get s0
+		self.mcs_cats = DEFAULT_MCS
+
+class Packet:
+	def __init__(self, prefix, ports):
+		# prefix
+		self.prefix = prefix
+
+		# A list of Ports
+		self.ports = ports
+
+def print_input_rules(packets,mls,mcs):
+	line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
+	if mls:
+		line += ":"+DEFAULT_MLS
+	elif mcs:
+		line += ":"+DEFAULT_MCS
+
+	print line
+
+	for i in packets:
+		for j in i.ports:
+			line="-A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
+			if mls:
+				line += ":"+j.mls_sens
+			elif mcs:
+				line += ":"+j.mcs_cats
+			print line
+
+	print "-A selinux_new_input -j CONNSECMARK --save"
+	print "-A selinux_new_input -j RETURN"
+
+def print_output_rules(packets,mls,mcs):
+	line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
+	if mls:
+		line += ":"+DEFAULT_MLS
+	elif mcs:
+		line += ":"+DEFAULT_MCS
+	print line
+
+	for i in packets:
+		for j in i.ports:
+			line = "-A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
+			if mls:
+				line += ":"+j.mls_sens
+			elif mcs:
+				line += ":"+j.mcs_cats
+			print line
+
+	print "-A selinux_new_output -j CONNSECMARK --save"
+	print "-A selinux_new_output -j RETURN"
+
+def parse_corenet(file_name):
+	packets = []
+
+	corenet_te_in = open(file_name, "r")
+
+	while True:
+		corenet_line = corenet_te_in.readline()
+
+		# If EOF has been reached:
+		if not corenet_line:
+			break
+
+		if NETPORT.match(corenet_line):
+			corenet_line = corenet_line.strip();
+
+			# parse out the parameters
+			openparen = string.find(corenet_line,'(')+1
+			closeparen = string.find(corenet_line,')',openparen)
+			parms = re.split('\W+',corenet_line[openparen:closeparen])
+			name = parms[0]
+			del parms[0];
+
+			ports = []
+			while len(parms) > 0:
+				# add a port combination.
+				ports.append(Port(parms[0],parms[1],parms[2]))
+				del parms[:3]
+
+			packets.append(Packet(name,ports))
+		
+	corenet_te_in.close()
+
+	return packets
+
+def print_netfilter_config(packets,mls,mcs):
+	print "*mangle"
+	print ":PREROUTING ACCEPT [0:0]"
+	print ":INPUT ACCEPT [0:0]"
+	print ":FORWARD ACCEPT [0:0]"
+	print ":OUTPUT ACCEPT [0:0]"
+	print ":POSTROUTING ACCEPT [0:0]"
+	print ":selinux_input - [0:0]"
+	print ":selinux_output - [0:0]"
+	print ":selinux_new_input - [0:0]"
+	print ":selinux_new_output - [0:0]"
+	print "-A INPUT -j selinux_input"
+	print "-A OUTPUT -j selinux_output"
+	print "-A selinux_input -m state --state NEW -j selinux_new_input"
+	print "-A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+	print "-A selinux_output -m state --state NEW -j selinux_new_output"
+	print "-A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+	print_input_rules(packets,mls,mcs)
+	print_output_rules(packets,mls,mcs)
+	print "COMMIT"
+
+mls = False
+mcs = False
+
+try:
+	opts, paths = getopt.getopt(sys.argv[1:],'mc',['mls','mcs'])
+except getopt.GetoptError, error:
+	print "Invalid options."
+	sys.exit(1)
+
+for o, a in opts:
+	if o in ("-c","--mcs"):
+		mcs = True
+	if o in ("-m","--mls"):
+		mls = True
+
+if len(paths) == 0:
+	sys.stderr.write("Need a path for corenetwork.te.in!\n")
+	sys.exit(1)
+elif len(paths) > 1:
+	sys.stderr.write("Ignoring extra specified paths\n")
+
+packets=parse_corenet(paths[0])
+print_netfilter_config(packets,mls,mcs)
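Review bot: In parse_corenet the port token `parms[1]` is handed to Port and later concatenated into `--dport` without checking that it is numeric; NETPORT only requires `\w+` for each field, so a stray letter in the port field of corenetwork.te.in produces an iptables rule that fails when the generated file is restored, with no diagnostic from this script. A guard before the append, `if not parms[1].isdigit(): sys.exit("%s: bad port number %s" % (name, parms[1]))`, would surface the problem at generation time instead. parse_corenet also leaves corenet_te_in open if anything between open and close raises; wrapping the read loop in try/finally with the close in the finally keeps the handle from leaking on an unparsable file.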
diff --git a/support/get_type_attr_decl.sed b/support/get_type_attr_decl.sed
new file mode 100644
index 0000000..52a11ab
--- /dev/null
+++ b/support/get_type_attr_decl.sed
@@ -0,0 +1,13 @@
+#n
+# print out type and attribute declarations that
+# are not inside require and optional blocks.
+
+/require \{/,/} # end require/b nextline
+/optional \{/,/} # end optional/b nextline
+
+/^[[:blank:]]*(attribute|type(alias)?) /{
+	s/^[[:blank:]]+//
+	p
+}
+
+:nextline
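Review bot: The address `/^[[:blank:]]*(attribute|type(alias)?) /` and the substitution `s/^[[:blank:]]+//` use extended regular expression syntax — `|`, `?`, grouping parentheses and `+` — which POSIX basic sed treats as literal characters, so the script only selects anything when run with GNU `sed -r` (or `-E`), and nothing in the file states that. A comment after `#n`, `# requires extended regexps: invoke as sed -r -f get_type_attr_decl.sed`, would prevent a silent no-match for the next caller. The range terminators `/} # end require/` and `/} # end optional/` also presume the policy sources keep exactly those trailing comments; that assumption belongs in the header comment as well.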
diff --git a/support/pyplate.py b/support/pyplate.py
new file mode 100755
index 0000000..c7532cc
--- /dev/null
+++ b/support/pyplate.py
@@ -0,0 +1,364 @@
+"""PyPlate : a simple Python-based templating program
+
+PyPlate parses a file and replaces directives (in double square brackets [[ ... ]])
+by various means using a given dictionary of variables.  Arbitrary Python code
+can be run inside many of the directives, making this system highly flexible.
+
+Usage:
+# Load and parse template file
+template = pyplate.Template("output") (filename or string)
+# Execute it with a dictionary of variables
+template.execute_file(output_stream, locals())
+
+PyPlate defines the following directives:
+  [[...]]       evaluate the arbitrary Python expression and insert the
+                result into the output
+
+  [[# ... #]]   comment.
+
+  [[exec ...]]  execute arbitrary Python code in the sandbox namespace
+
+  [[if ...]]    conditional expressions with usual Python semantics
+  [[elif ...]]
+  [[else]]
+  [[end]]
+
+  [[for ... in ...]]  for-loop with usual Python semantics
+  [[end]]
+
+  [[def ...(...)]]  define a "function" out of other templating elements
+  [[end]]
+
+  [[call ...]]  call a templating function (not a regular Python function)
+"""
+
+#
+# Copyright (C) 2002 Michael Droettboom
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+
+from __future__ import nested_scopes
+import sys, string, re, cStringIO
+
+re_directive = re.compile("\[\[(.*)\]\]")
+re_for_loop = re.compile("for (.*) in (.*)")
+re_if = re.compile("if (.*)")
+re_elif = re.compile("elif (.*)")
+re_def = re.compile("def (.*?)\((.*)\)")
+re_call = re.compile("call (.*?)\((.*)\)")
+re_exec = re.compile("exec (.*)")
+re_comment = re.compile("#(.*)#")
+
+############################################################
+# Template parser
+class ParserException(Exception):
+  def __init__(self, lineno, s):
+    Exception.__init__(self, "line %d: %s" % (lineno, s))
+
+class Template:
+  def __init__(self, filename=None):
+    if filename != None:
+      try:
+        self.parse_file(filename)
+      except:
+        self.parse_string(filename)
+
+  def parse_file(self, filename):
+    file = open(filename, 'r')
+    self.parse(file)
+    file.close()
+
+  def parse_string(self, template):
+    file = cStringIO.StringIO(template)
+    self.parse(file)
+    file.close()
+
+  def parse(self, file):
+    self.file = file
+    self.line = self.file.read()
+    self.lineno = 0
+    self.functions = {}
+    self.tree = TopLevelTemplateNode(self)
+
+  def parser_get(self):
+    if self.line == '':
+      return None
+    return self.line
+
+  def parser_eat(self, chars):
+    self.lineno = self.lineno + self.line[:chars].count("\n")
+    self.line = self.line[chars:]
+
+  def parser_exception(self, s):
+    raise ParserException(self.lineno, s)
+
+  def execute_file(self, filename, data):
+    file = open(filename, 'w')
+    self.execute(file, data)
+    file.close()
+
+  def execute_string(self, data):
+    s = cStringIO.StringIO()
+    self.execute(s, data)
+    return s.getvalue()
+
+  def execute_stdout(self, data):
+    self.execute(sys.stdout, data)
+
+  def execute(self, stream=sys.stdout, data={}):
+    self.tree.execute(stream, data)
+
+  def __repr__(self):
+    return repr(self.tree)
+
+
+############################################################
+# NODES
+class TemplateNode:
+  def __init__(self, parent, s):
+    self.parent = parent
+    self.s = s
+    self.node_list = []
+    while 1:
+      new_node = TemplateNodeFactory(parent)
+      if self.add_node(new_node):
+        break
+
+  def add_node(self, node):
+    if node == 'end':
+      return 1
+    elif node != None:
+      self.node_list.append(node)
+    else:
+      raise self.parent.parser_exception(
+        "[[%s]] does not have a matching [[end]]" % self.s)
+
+  def execute(self, stream, data):
+    for node in self.node_list:
+      node.execute(stream, data)
+
+  def __repr__(self):
+    r = "<" + self.__class__.__name__ + " "
+    for i in self.node_list:
+      r = r + repr(i)
+    r = r + ">"
+    return r
+
+class TopLevelTemplateNode(TemplateNode):
+  def __init__(self, parent):
+    TemplateNode.__init__(self, parent, '')
+
+  def add_node(self, node):
+    if node != None:
+      self.node_list.append(node)
+    else:
+      return 1
+
+class ForTemplateNode(TemplateNode):
+  def __init__(self, parent, s):
+    TemplateNode.__init__(self, parent, s)
+    match = re_for_loop.match(s)
+    if match == None:
+      raise self.parent.parser_exception(
+        "[[%s]] is not a valid for-loop expression" % self.s)
+    else:
+      self.vars_temp = match.group(1).split(",")
+      self.vars = []
+      for v in self.vars_temp:
+        self.vars.append(v.strip())
+      #print self.vars
+      self.expression = match.group(2)
+
+  def execute(self, stream, data):
+    remember_vars = {}
+    for var in self.vars:
+      if data.has_key(var):
+        remember_vars[var] = data[var]
+    for list in eval(self.expression, globals(), data):
+      if is_sequence(list):
+        for index, value in enumerate(list):
+          data[self.vars[index]] = value
+      else:
+        data[self.vars[0]] = list
+      TemplateNode.execute(self, stream, data)
+    for key, value in remember_vars.items():
+      data[key] = value
+
+class IfTemplateNode(TemplateNode):
+  def __init__(self, parent, s):
+    self.else_node = None
+    TemplateNode.__init__(self, parent, s)
+    match = re_if.match(s)
+    if match == None:
+      raise self.parent.parser_exception(
+        "[[%s]] is not a valid if expression" % self.s)
+    else:
+      self.expression = match.group(1)
+
+  def add_node(self, node):
+    if node == 'end':
+      return 1
+    elif isinstance(node, ElseTemplateNode):
+      self.else_node = node
+      return 1
+    elif isinstance(node, ElifTemplateNode):
+      self.else_node = node
+      return 1
+    elif node != None:
+      self.node_list.append(node)
+    else:
+      raise self.parent.parser_exception(
+        "[[%s]] does not have a matching [[end]]" % self.s)
+
+  def execute(self, stream, data):
+    if eval(self.expression, globals(), data):
+      TemplateNode.execute(self, stream, data)
+    elif self.else_node != None:
+      self.else_node.execute(stream, data)
+
+class ElifTemplateNode(IfTemplateNode):
+  def __init__(self, parent, s):
+    self.else_node = None
+    TemplateNode.__init__(self, parent, s)
+    match = re_elif.match(s)
+    if match == None:
+      self.parent.parser_exception(
+        "[[%s]] is not a valid elif expression" % self.s)
+    else:
+      self.expression = match.group(1)
+
+class ElseTemplateNode(TemplateNode):
+  pass
+
+class FunctionTemplateNode(TemplateNode):
+  def __init__(self, parent, s):
+    TemplateNode.__init__(self, parent, s)
+    match = re_def.match(s)
+    if match == None:
+      self.parent.parser_exception(
+        "[[%s]] is not a valid function definition" % self.s)
+    self.function_name = match.group(1)
+    self.vars_temp = match.group(2).split(",")
+    self.vars = []
+    for v in self.vars_temp:
+      self.vars.append(v.strip())
+    #print self.vars
+    self.parent.functions[self.function_name] = self
+
+  def execute(self, stream, data):
+    pass
+
+  def call(self, args, stream, data):
+    remember_vars = {}
+    for index, var in enumerate(self.vars):
+      if data.has_key(var):
+        remember_vars[var] = data[var]
+      data[var] = args[index]
+    TemplateNode.execute(self, stream, data)
+    for key, value in remember_vars.items():
+      data[key] = value
+      
+class LeafTemplateNode(TemplateNode):
+  def __init__(self, parent, s):
+    self.parent = parent
+    self.s = s
+
+  def execute(self, stream, data):
+    stream.write(self.s)
+
+  def __repr__(self):
+    return "<" + self.__class__.__name__ + ">"
+
+class CommentTemplateNode(LeafTemplateNode):
+  def execute(self, stream, data):
+    pass
+
+class ExpressionTemplateNode(LeafTemplateNode):
+  def execute(self, stream, data):
+    stream.write(str(eval(self.s, globals(), data)))
+
+class ExecTemplateNode(LeafTemplateNode):
+  def __init__(self, parent, s):
+    LeafTemplateNode.__init__(self, parent, s)
+    match = re_exec.match(s)
+    if match == None:
+      self.parent.parser_exception(
+        "[[%s]] is not a valid statement" % self.s)
+    self.s = match.group(1)
+
+  def execute(self, stream, data):
+    exec(self.s, globals(), data)
+    pass
+    
+class CallTemplateNode(LeafTemplateNode):
+  def __init__(self, parent, s):
+    LeafTemplateNode.__init__(self, parent, s)
+    match = re_call.match(s)
+    if match == None:
+      self.parent.parser_exception(
+        "[[%s]] is not a valid function call" % self.s)
+    self.function_name = match.group(1)
+    self.vars = "(" + match.group(2).strip() + ",)"
+  
+  def execute(self, stream, data):
+    self.parent.functions[self.function_name].call(
+      eval(self.vars, globals(), data), stream, data)
+
+
+############################################################
+# Node factory
+template_factory_type_map = {
+  'if'   : IfTemplateNode,
+  'for'  : ForTemplateNode,
+  'elif' : ElifTemplateNode,
+  'else' : ElseTemplateNode,
+  'def'  : FunctionTemplateNode,
+  'call' : CallTemplateNode,
+  'exec' : ExecTemplateNode }
+template_factory_types = template_factory_type_map.keys()
+
+def TemplateNodeFactory(parent):
+  src = parent.parser_get()
+
+  if src == None:
+    return None
+  match = re_directive.search(src)
+  if match == None:
+    parent.parser_eat(len(src))
+    return LeafTemplateNode(parent, src)
+  elif src == '' or match.start() != 0:
+    parent.parser_eat(match.start())
+    return LeafTemplateNode(parent, src[:match.start()])
+  else:
+    directive = match.group()[2:-2].strip()
+    parent.parser_eat(match.end())
+    if directive == 'end':
+      return 'end'
+    elif re_comment.match(directive):
+      return CommentTemplateNode(parent, directive)
+    else:
+      for i in template_factory_types:
+        if directive[0:len(i)] == i:
+          return template_factory_type_map[i](parent, directive)
+      return ExpressionTemplateNode(parent, directive)
+
+def is_sequence(object):
+  try:
+    test = object[0:0]
+  except:
+    return False
+  else:
+    return True
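Review bot: Template.execute declares a mutable default `data={}` that is shared across calls, and the node tree writes into that dictionary — ForTemplateNode.execute and FunctionTemplateNode.call assign loop and parameter variables into `data` and restore only keys that existed beforehand — so successive execute() calls without an explicit dictionary see each other's leftover variables. Replace the default with `def execute(self, stream=sys.stdout, data=None):` followed by `if data is None: data = {}` ahead of `self.tree.execute(stream, data)`. Template.__init__ also catches every exception from parse_file with a bare `except:` and falls back to treating the argument as template text, so a misspelled filename or a ParserException raised inside a real file is silently turned into a template whose only content is the path string; catching IOError alone keeps the convenience without hiding parse errors. Since ExpressionTemplateNode, ForTemplateNode and ExecTemplateNode evaluate directives with eval/exec in this module's globals, the module docstring should state that template files are trusted input on par with source code.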
diff --git a/support/sedoctool.py b/support/sedoctool.py
new file mode 100755
index 0000000..55eee3b
--- /dev/null
+++ b/support/sedoctool.py
@@ -0,0 +1,739 @@
+#!/usr/bin/python
+
+#  Author: Joshua Brindle <jbrindle@tresys.com>
+#
+# Copyright (C) 2005 - 2006 Tresys Technology, LLC
+#      This program is free software; you can redistribute it and/or modify
+#      it under the terms of the GNU General Public License as published by
+#      the Free Software Foundation, version 2.
+
+"""
+	This module generates configuration files and documentation from the 
+	SELinux reference policy XML format. 
+"""
+
+import sys
+import getopt
+import pyplate
+import os
+import string
+from xml.dom.minidom import parse, parseString
+
+#modules enabled and disabled values
+MOD_BASE = "base"
+MOD_ENABLED = "module"
+MOD_DISABLED = "off"
+
+#booleans enabled and disabled values
+BOOL_ENABLED = "true"
+BOOL_DISABLED = "false"
+
+#tunables enabled and disabled values
+TUN_ENABLED = "true"
+TUN_DISABLED = "false"
+
+
+def read_policy_xml(filename):
+	"""
+	Takes in XML from a file and returns a parsed file.
+	"""
+
+	try:
+		xml_fh = open(filename)
+	except:
+		error("error opening " + filename)
+
+	try:
+		doc = parseString(xml_fh.read())
+	except: 
+		xml_fh.close()
+		error("Error while parsing xml")
+
+	xml_fh.close()	
+	return doc
+
+def gen_booleans_conf(doc, file_name, namevalue_list):
+	"""
+	Generates the booleans configuration file using the XML provided and the
+	previous booleans configuration.
+	"""
+
+	for node in doc.getElementsByTagName("bool"):
+		for desc in node.getElementsByTagName("desc"):
+			bool_desc = format_txt_desc(desc)
+		s = string.split(bool_desc, "\n")
+		file_name.write("#\n")
+		for line in s:
+			file_name.write("# %s\n" % line)
+
+		bool_name = bool_val = None
+		for (name, value) in node.attributes.items():
+			if name == "name":
+				bool_name = value
+			elif name == "dftval":
+				bool_val = value
+
+			if [bool_name,BOOL_ENABLED] in namevalue_list:
+				bool_val = BOOL_ENABLED
+			elif [bool_name,BOOL_DISABLED] in namevalue_list:
+				bool_val = BOOL_DISABLED
+
+			if bool_name and bool_val:
+	            		file_name.write("%s = %s\n\n" % (bool_name, bool_val))
+				bool_name = bool_val = None
+
+	# tunables are currently implemented as booleans
+	for node in doc.getElementsByTagName("tunable"):
+		for desc in node.getElementsByTagName("desc"):
+			bool_desc = format_txt_desc(desc)
+		s = string.split(bool_desc, "\n")
+		file_name.write("#\n")
+		for line in s:
+			file_name.write("# %s\n" % line)
+
+		bool_name = bool_val = None
+		for (name, value) in node.attributes.items():
+			if name == "name":
+				bool_name = value
+			elif name == "dftval":
+				bool_val = value
+
+			if [bool_name,BOOL_ENABLED] in namevalue_list:
+				bool_val = BOOL_ENABLED
+			elif [bool_name,BOOL_DISABLED] in namevalue_list:
+				bool_val = BOOL_DISABLED
+
+			if bool_name and bool_val:
+	            		file_name.write("%s = %s\n\n" % (bool_name, bool_val))
+				bool_name = bool_val = None
+
+def gen_module_conf(doc, file_name, namevalue_list):
+	"""
+	Generates the module configuration file using the XML provided and the
+	previous module configuration.
+	"""
+	# If file exists, preserve settings and modify if needed.
+	# Otherwise, create it.
+
+	file_name.write("#\n# This file contains a listing of available modules.\n")
+	file_name.write("# To prevent a module from  being used in policy\n")
+	file_name.write("# creation, set the module name to \"%s\".\n#\n" % MOD_DISABLED)
+	file_name.write("# For monolithic policies, modules set to \"%s\" and \"%s\"\n" % (MOD_BASE, MOD_ENABLED))
+	file_name.write("# will be built into the policy.\n#\n")
+	file_name.write("# For modular policies, modules set to \"%s\" will be\n" % MOD_BASE)
+	file_name.write("# included in the base module.  \"%s\" will be compiled\n" % MOD_ENABLED)
+	file_name.write("# as individual loadable modules.\n#\n\n")
+
+	# For required in [True,False] is present so that the requiered modules
+	# are at the top of the config file.
+	for required in [True,False]:
+		for node in doc.getElementsByTagName("module"):
+			mod_req = False
+			for req in node.getElementsByTagName("required"):
+				if req.getAttribute("val") == "true":
+					mod_req = True
+
+			# Skip if we arnt working on the right set of modules.
+			if mod_req and not required or not mod_req and required:
+				continue
+
+
+			mod_name = mod_layer = None
+
+			mod_name = node.getAttribute("name")	
+			mod_layer = node.parentNode.getAttribute("name")
+
+			if mod_name and mod_layer:
+				file_name.write("# Layer: %s\n# Module: %s\n" % (mod_layer,mod_name))
+				if required:
+					file_name.write("# Required in base\n")
+				file_name.write("#\n")
+
+			for desc in node.getElementsByTagName("summary"):
+				if not desc.parentNode == node:
+					continue
+				s = string.split(format_txt_desc(desc), "\n")
+				for line in s:
+					file_name.write("# %s\n" % line)
+
+				# If the module is set as disabled.
+				if [mod_name, MOD_DISABLED] in namevalue_list:
+					file_name.write("%s = %s\n\n" % (mod_name, MOD_DISABLED))
+				# If the module is set as enabled.
+				elif [mod_name, MOD_ENABLED] in namevalue_list:
+					file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED))
+				# If the module is set as base.
+				elif [mod_name, MOD_BASE] in namevalue_list:
+					file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE))
+				# If the module is a new module.
+				else:
+					# Set the module to base if it is marked as required.
+					if mod_req:
+						file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE))
+					# Set the module to enabled if it is not required. 
+					else:
+						file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED))
+
+def get_conf(conf):
+	"""
+	Returns a list of [name, value] pairs from a config file with the format
+	name = value
+	"""
+
+	conf_lines = conf.readlines()
+
+	namevalue_list = []
+	for i in range(0,len(conf_lines)):
+		line = conf_lines[i]
+		if line.strip() != '' and line.strip()[0] != "#":
+			namevalue = line.strip().split("=")
+			if len(namevalue) != 2:
+				warning("line %d: \"%s\" is not a valid line, skipping"\
+					 % (i, line.strip()))
+				continue
+
+			namevalue[0] = namevalue[0].strip()
+			if len(namevalue[0].split()) > 1:
+				warning("line %d: \"%s\" is not a valid line, skipping"\
+					 % (i, line.strip()))
+				continue
+
+			namevalue[1] = namevalue[1].strip()
+			if len(namevalue[1].split()) > 1:
+				warning("line %d: \"%s\" is not a valid line, skipping"\
+					 % (i, line.strip()))
+				continue
+
+			namevalue_list.append(namevalue)
+
+	return namevalue_list
+
+def first_cmp(a, b):
+	"""
+	Compares the two first elements of a list instead of the entire list.
+	"""
+
+	return cmp(a[0], b[0])
+
+def int_cmp(a, b):
+	"""
+	Compares two interfaces.
+	"""
+
+	return cmp(a["interface_name"], b["interface_name"])
+		
+def temp_cmp(a, b):
+	"""
+	Compares two templates.
+	"""
+
+	return cmp(a["template_name"], b["template_name"])
+
+def tun_cmp(a, b):
+	"""
+	Compares two tunables.
+	"""
+
+	return cmp(a["tun_name"], b["tun_name"])
+def bool_cmp(a, b):
+	"""
+	Compares two booleans.
+	"""
+
+	return cmp(a["bool_name"], b["bool_name"])
+
+def gen_doc_menu(mod_layer, module_list):
+	"""
+	Generates the HTML document menu.
+	"""
+
+	menu = []
+	for layer, value in module_list.iteritems():
+		cur_menu = (layer, [])
+		menu.append(cur_menu)
+		if layer != mod_layer and mod_layer != None:
+			continue
+		#we are in our layer so fill in the other modules or we want them all
+		for mod, desc in value.iteritems():
+			cur_menu[1].append((mod, desc))
+
+	menu.sort(first_cmp)
+	for x in menu:
+		x[1].sort(first_cmp)
+	return menu
+
+def format_html_desc(node):
+	"""
+	Formats a XML node into a HTML format.
+	"""
+
+	desc_buf = ''
+	for desc in node.childNodes:
+		if desc.nodeName == "#text":
+			if desc.data is not '':
+				if desc.parentNode.nodeName != "p":
+					desc_buf += "<p>" + desc.data + "</p>"
+				else:
+					desc_buf += desc.data
+		else:
+			desc_buf += "<" + desc.nodeName + ">" \
+				 + format_html_desc(desc) \
+				 + "</" + desc.nodeName +">"
+
+	return desc_buf
+
+def format_txt_desc(node):
+	"""
+	Formats a XML node into a plain text format.
+	"""
+
+	desc_buf = ''
+	for desc in node.childNodes:
+		if desc.nodeName == "#text":
+			desc_buf += desc.data + "\n"
+		elif desc.nodeName == "p":
+			desc_buf += desc.firstChild.data + "\n"
+			for chld in desc.childNodes: 
+				if chld.nodeName == "ul":
+					desc_buf += "\n"
+					for li in chld.getElementsByTagName("li"):
+						desc_buf += "\t -" + li.firstChild.data + "\n"
+
+	return desc_buf.strip() + "\n"
+
+def gen_docs(doc, working_dir, templatedir):
+	"""
+	Generates all the documentation.
+	"""
+
+	try:
+		#get the template data ahead of time so we don't reopen them over and over
+		bodyfile = open(templatedir + "/header.html", "r")
+		bodydata = bodyfile.read()
+		bodyfile.close()
+		intfile = open(templatedir + "/interface.html", "r")
+		intdata = intfile.read()
+		intfile.close()
+		templatefile = open(templatedir + "/template.html", "r")
+		templatedata = templatefile.read()
+		templatefile.close()
+		menufile = open(templatedir + "/menu.html", "r")
+		menudata = menufile.read()
+		menufile.close()
+		indexfile = open(templatedir + "/module_list.html","r")
+		indexdata = indexfile.read()
+		indexfile.close()
+		modulefile = open(templatedir + "/module.html","r")
+		moduledata = modulefile.read()
+		modulefile.close()
+		intlistfile = open(templatedir + "/int_list.html", "r")
+		intlistdata = intlistfile.read()
+		intlistfile.close()
+		templistfile = open(templatedir + "/temp_list.html", "r")
+		templistdata = templistfile.read()
+		templistfile.close()
+		boollistfile = open(templatedir + "/global_bool_list.html", "r")
+		boollistdata = boollistfile.read()
+		boollistfile.close()
+		tunlistfile = open(templatedir + "/global_tun_list.html", "r")
+		tunlistdata = tunlistfile.read()
+		tunlistfile.close()
+	except:
+		error("Could not open templates")
+
+
+	try:
+		os.chdir(working_dir)
+	except:
+		error("Could not chdir to target directory")	
+
+
+#arg, i have to go through this dom tree ahead of time to build up the menus
+	module_list = {}
+	for node in doc.getElementsByTagName("module"):
+                mod_name = mod_layer = interface_buf = ''
+
+		mod_name = node.getAttribute("name")
+		mod_layer = node.parentNode.getAttribute("name")
+
+		for desc in node.getElementsByTagName("summary"):
+			if desc.parentNode == node and desc:
+				mod_summary = format_html_desc(desc)
+		if not module_list.has_key(mod_layer):
+			module_list[mod_layer] = {}
+
+		module_list[mod_layer][mod_name] = mod_summary
+
+#generate index pages
+	main_content_buf = ''
+	for mod_layer,modules in module_list.iteritems():
+		menu = gen_doc_menu(mod_layer, module_list)
+
+		layer_summary = None
+		for desc in doc.getElementsByTagName("summary"):
+			if desc.parentNode.getAttribute("name") == mod_layer:
+				layer_summary = format_html_desc(desc)
+
+		menu_args = { "menulist" : menu,
+			      "mod_layer" : mod_layer,
+			      "layer_summary" : layer_summary }
+		menu_tpl = pyplate.Template(menudata)
+		menu_buf = menu_tpl.execute_string(menu_args)
+
+		content_tpl = pyplate.Template(indexdata)
+		content_buf = content_tpl.execute_string(menu_args)
+
+		main_content_buf += content_buf
+
+		body_args = { "menu" : menu_buf,
+			      "content" : content_buf }
+	
+		index_file = mod_layer + ".html"
+		index_fh = open(index_file, "w")
+		body_tpl = pyplate.Template(bodydata)
+		body_tpl.execute(index_fh, body_args)
+		index_fh.close()	
+
+	menu = gen_doc_menu(None, module_list)
+	menu_args = { "menulist" : menu,
+		      "mod_layer" : None }
+	menu_tpl = pyplate.Template(menudata)
+	menu_buf = menu_tpl.execute_string(menu_args)
+
+	body_args = { "menu" : menu_buf,
+		      "content" : main_content_buf }
+
+	index_file = "index.html"
+	index_fh = open(index_file, "w")
+	body_tpl = pyplate.Template(bodydata)
+	body_tpl.execute(index_fh, body_args)
+	index_fh.close()
+#now generate the individual module pages
+
+	all_interfaces = []
+	all_templates = []
+	for node in doc.getElementsByTagName("module"):
+                mod_name = mod_layer = mod_desc = interface_buf = ''
+
+		mod_name = node.getAttribute("name")
+		mod_layer = node.parentNode.getAttribute("name")
+
+		mod_req = None
+		for req in node.getElementsByTagName("required"):
+			if req.getAttribute("val") == "true":
+				mod_req = True
+
+		for desc in node.getElementsByTagName("summary"):
+			if desc.parentNode == node:
+				mod_summary = format_html_desc(desc)
+		for desc in node.getElementsByTagName("desc"):
+			if desc.parentNode == node:
+				mod_desc = format_html_desc(desc)
+
+		interfaces = []
+		for interface in node.getElementsByTagName("interface"):
+			interface_parameters = []
+			interface_desc = interface_summary = None
+			interface_name = interface.getAttribute("name")
+			interface_line = interface.getAttribute("lineno")
+			for desc in interface.childNodes:
+				if desc.nodeName == "desc":
+					interface_desc = format_html_desc(desc)
+				elif desc.nodeName == "summary":
+					interface_summary = format_html_desc(desc)
+
+			for args in interface.getElementsByTagName("param"):
+				for desc in args.getElementsByTagName("summary"):
+					paramdesc = format_html_desc(desc)
+				paramname = args.getAttribute("name")
+				if args.getAttribute("optional") == "true":
+					paramopt = "Yes"
+				else:
+					paramopt = "No"
+				parameter = { "name" : paramname,
+					      "desc" : paramdesc,
+					      "optional" : paramopt }
+				interface_parameters.append(parameter)
+			interfaces.append( { "interface_name" : interface_name,
+					   "interface_summary" : interface_summary,
+					   "interface_desc" : interface_desc,
+					   "interface_parameters" : interface_parameters })
+			#all_interfaces is for the main interface index with all interfaces
+			all_interfaces.append( { "interface_name" : interface_name,
+					   "interface_summary" : interface_summary,
+					   "interface_desc" : interface_desc,
+					   "interface_parameters" : interface_parameters,
+					   "mod_name": mod_name,
+					   "mod_layer" : mod_layer })
+		interfaces.sort(int_cmp)	
+		interface_tpl = pyplate.Template(intdata)
+		interface_buf = interface_tpl.execute_string({"interfaces" : interfaces})
+	
+
+# now generate individual template pages
+		templates = []
+		for template in node.getElementsByTagName("template"):
+			template_parameters = []
+			template_desc = template_summary = None
+			template_name = template.getAttribute("name")
+			template_line = template.getAttribute("lineno")
+			for desc in template.childNodes:
+				if desc.nodeName == "desc":
+					template_desc = format_html_desc(desc)
+				elif desc.nodeName == "summary":
+					template_summary = format_html_desc(desc)
+
+			for args in template.getElementsByTagName("param"):
+				for desc in args.getElementsByTagName("summary"):
+					paramdesc = format_html_desc(desc)
+				paramname = args.getAttribute("name")
+				if args.getAttribute("optional") == "true":
+					paramopt = "Yes"
+				else:
+					paramopt = "No"
+				parameter = { "name" : paramname,
+					      "desc" : paramdesc,
+					      "optional" : paramopt }
+				template_parameters.append(parameter)
+			templates.append( { "template_name" : template_name,
+					   "template_summary" : template_summary,
+					   "template_desc" : template_desc,
+					   "template_parameters" : template_parameters })
+			#all_templates is for the main interface index with all templates
+			all_templates.append( { "template_name" : template_name,
+					   "template_summary" : template_summary,
+					   "template_desc" : template_desc,
+					   "template_parameters" : template_parameters,
+					   "mod_name": mod_name,
+					   "mod_layer" : mod_layer })
+
+		templates.sort(temp_cmp)	
+		template_tpl = pyplate.Template(templatedata)
+		template_buf = template_tpl.execute_string({"templates" : templates})
+
+
+		menu = gen_doc_menu(mod_layer, module_list)
+
+		menu_tpl = pyplate.Template(menudata)
+		menu_buf = menu_tpl.execute_string({ "menulist" : menu })
+
+
+		# pyplate's execute_string gives us a line of whitespace in
+		# template_buf or interface_buf if there are no interfaces or
+		# templates for this module. This is problematic because the
+		# HTML templates use a conditional if on interface_buf or
+		# template_buf being 'None' to decide if the "Template:" or
+		# "Interface:" headers need to be printed in the module pages.
+		# This detects if either of these are just whitespace, and sets
+		# their values to 'None' so that when applying it to the
+		# templates, they are properly recognized as not existing.
+		if not interface_buf.strip():
+			interface_buf = None
+		if not template_buf.strip():
+			template_buf = None
+
+		module_args = { "mod_layer" : mod_layer,
+			      "mod_name" : mod_name,	
+			      "mod_summary" : mod_summary,
+			      "mod_desc" : mod_desc,
+			      "mod_req" : mod_req,
+			      "interfaces" : interface_buf,
+			      "templates": template_buf }
+
+		module_tpl = pyplate.Template(moduledata)
+		module_buf = module_tpl.execute_string(module_args)
+
+		body_args = { "menu" : menu_buf,
+			      "content" : module_buf }
+			  
+		module_file = mod_layer + "_" + mod_name + ".html"
+		module_fh = open(module_file, "w")
+		body_tpl = pyplate.Template(bodydata)
+		body_tpl.execute(module_fh, body_args)
+		module_fh.close()
+
+		
+	menu = gen_doc_menu(None, module_list)
+	menu_args = { "menulist" : menu,
+		      "mod_layer" : None }
+	menu_tpl = pyplate.Template(menudata)
+	menu_buf = menu_tpl.execute_string(menu_args)
+	
+	#build the interface index
+	all_interfaces.sort(int_cmp)
+	interface_tpl = pyplate.Template(intlistdata)
+	interface_buf = interface_tpl.execute_string({"interfaces" : all_interfaces})
+	int_file = "interfaces.html"
+	int_fh = open(int_file, "w")
+	body_tpl = pyplate.Template(bodydata)
+
+	body_args = { "menu" : menu_buf, 
+		      "content" : interface_buf }
+
+	body_tpl.execute(int_fh, body_args)
+	int_fh.close()
+
+
+	#build the template index
+	all_templates.sort(temp_cmp)
+	template_tpl = pyplate.Template(templistdata)
+	template_buf = template_tpl.execute_string({"templates" : all_templates})
+	temp_file = "templates.html"
+	temp_fh = open(temp_file, "w")
+	body_tpl = pyplate.Template(bodydata)
+
+	body_args = { "menu" : menu_buf, 
+		      "content" : template_buf }
+
+	body_tpl.execute(temp_fh, body_args)
+	temp_fh.close()
+
+
+	#build the global tunable index
+	global_tun_buf = []
+	for tunable in doc.getElementsByTagName("tunable"):
+		if tunable.parentNode.nodeName == "policy":
+			tunable_name = tunable.getAttribute("name")
+			default_value = tunable.getAttribute("dftval")
+			for desc in tunable.getElementsByTagName("desc"):
+				description = format_html_desc(desc)
+			global_tun_buf.append( { "tun_name" : tunable_name,
+						"def_val" : default_value,
+						"desc" : description } )
+	global_tun_buf.sort(tun_cmp)
+	global_tun_tpl = pyplate.Template(tunlistdata)
+	global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun_buf})
+	global_tun_file = "global_tunables.html"
+	global_tun_fh = open(global_tun_file, "w")
+	body_tpl = pyplate.Template(bodydata)
+
+	body_args = { "menu" : menu_buf,
+		      "content" : global_tun_buf }
+
+	body_tpl.execute(global_tun_fh, body_args)
+	global_tun_fh.close()
+
+
+	#build the global boolean index
+	global_bool_buf = []
+	for boolean in doc.getElementsByTagName("bool"):
+		if boolean.parentNode.nodeName == "policy":
+			bool_name = boolean.getAttribute("name")
+			default_value = boolean.getAttribute("dftval")
+			for desc in boolean.getElementsByTagName("desc"):
+				description = format_html_desc(desc)
+			global_bool_buf.append( { "bool_name" : bool_name,
+						"def_val" : default_value,
+						"desc" : description } )
+	global_bool_buf.sort(bool_cmp)
+	global_bool_tpl = pyplate.Template(boollistdata)
+	global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool_buf})
+	global_bool_file = "global_booleans.html"
+	global_bool_fh = open(global_bool_file, "w")
+	body_tpl = pyplate.Template(bodydata)
+
+	body_args = { "menu" : menu_buf,
+		      "content" : global_bool_buf }
+
+	body_tpl.execute(global_bool_fh, body_args)
+	global_bool_fh.close()
+
+
+
+def error(error):
+	"""
+	Print an error message and exit.
+	"""
+
+        sys.stderr.write("%s exiting for: " % sys.argv[0])
+        sys.stderr.write("%s\n" % error)
+        sys.stderr.flush()
+        sys.exit(1)
+
+def warning(warn):
+	"""
+	Print a warning message.
+	"""
+
+	sys.stderr.write("%s warning: " % sys.argv[0])
+	sys.stderr.write("%s\n" % warn)
+
+def usage():
+	"""
+	Describes the proper usage of this tool.
+	"""
+
+	sys.stdout.write("%s [-tmdT] -x <xmlfile>\n\n" % sys.argv[0])
+	sys.stdout.write("Options:\n")
+	sys.stdout.write("-b --booleans	<file>		--	write boolean config to <file>\n")
+	sys.stdout.write("-m --modules <file>		--	write module config to <file>\n")
+	sys.stdout.write("-d --docs <dir>		--	write interface documentation to <dir>\n")
+	sys.stdout.write("-x --xml <file>		--	filename to read xml data from\n")
+	sys.stdout.write("-T --templates <dir>		--	template directory for documents\n")
+
+
+# MAIN PROGRAM
+try:
+	opts, args = getopt.getopt(sys.argv[1:], "b:m:d:x:T:", ["booleans","modules","docs","xml", "templates"])
+except getopt.GetoptError:
+	usage()
+	sys.exit(1)
+
+booleans = modules = docsdir = None
+templatedir = "templates/"
+xmlfile = "policy.xml"
+
+for opt, val in opts:
+	if opt in ("-b", "--booleans"):
+		booleans = val
+	if opt in ("-m", "--modules"):
+		modules = val
+	if opt in ("-d", "--docs"):
+		docsdir = val
+	if opt in ("-x", "--xml"):
+		xmlfile = val
+	if opt in ("-T", "--templates"):
+		templatedir = val
+
+doc = read_policy_xml(xmlfile)
+		
+if booleans:
+	namevalue_list = []
+	if os.path.exists(booleans):
+		try:
+			conf = open(booleans, 'r')
+		except:
+			error("Could not open booleans file for reading")
+
+		namevalue_list = get_conf(conf)
+
+		conf.close()
+
+	try:
+		conf = open(booleans, 'w')
+	except:
+		error("Could not open booleans file for writing")
+
+	gen_booleans_conf(doc, conf, namevalue_list)
+	conf.close()
+
+
+if modules:
+	namevalue_list = []
+	if os.path.exists(modules):
+		try:
+			conf = open(modules, 'r')
+		except:
+			error("Could not open modules file for reading")
+		namevalue_list = get_conf(conf)	
+		conf.close()
+
+	try:
+		conf = open(modules, 'w')
+	except:
+		error("Could not open modules file for writing")
+	gen_module_conf(doc, conf, namevalue_list)
+	conf.close()
+
+if docsdir: 
+	gen_docs(doc, docsdir, templatedir)
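Review bot: format_html_desc writes the decoded text of each XML node straight into the HTML buffer (`desc_buf += "<p>" + desc.data + "</p>"` and the `desc_buf += desc.data` branch), so any `<`, `>` or `&` that minidom decoded from the policy comments is re-emitted raw; the generated pages are then malformed, and if the policy sources being documented are not fully trusted that text lands in the page as markup. Escaping at the point of emission fixes both: add `from xml.sax.saxutils import escape` to the import block and replace `desc.data` with `escape(desc.data)` in both branches. The same function tests `if desc.data is not '':`, which is an identity comparison on a string and should be `if desc.data != '':`. Separately, gen_booleans_conf reads `bool_desc` after the inner `desc` loop, so a `<bool>` or `<tunable>` element without a `<desc>` child raises NameError on the first node or silently reuses the previous node's description; initialising `bool_desc = ''` at the top of each outer loop iteration would turn that into a visibly empty comment instead.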
diff --git a/support/segenxml.py b/support/segenxml.py
new file mode 100755
index 0000000..10cc8bd
--- /dev/null
+++ b/support/segenxml.py
@@ -0,0 +1,475 @@
+#!/usr/bin/python
+
+#  Author(s): Donald Miner <dminer@tresys.com>
+#             Dave Sugar <dsugar@tresys.com>
+#             Brian Williams <bwilliams@tresys.com>
+#
+# Copyright (C) 2005 - 2006 Tresys Technology, LLC
+#      This program is free software; you can redistribute it and/or modify
+#      it under the terms of the GNU General Public License as published by
+#      the Free Software Foundation, version 2.
+
+"""
+	This script generates XML documentation information for layers specified
+	by the user.
+"""
+
+import sys
+import os
+import glob
+import re
+
+# GLOBALS
+
+# Default values of command line arguments:
+warn = False
+meta = "metadata"
+third_party = "third-party"
+layers = {}
+tunable_files = []
+bool_files = []
+xml_tunable_files = []
+xml_bool_files = []
+output_dir = ""
+
+# Pre compiled regular expressions:
+
+# Matches either an interface or a template declaration. Will give the tuple:
+#	("interface" or "template", name)
+# Some examples:
+#	"interface(`kernel_read_system_state',`"
+#	 -> ("interface", "kernel_read_system_state")
+#	"template(`base_user_template',`"
+#	 -> ("template", "base_user_template")
+INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'")
+
+# Matches either a gen_bool or a gen_tunable statement. Will give the tuple:
+#	("tunable" or "bool", name, "true" or "false")
+# Some examples:
+#	"gen_bool(secure_mode, false)"
+#	 -> ("bool", "secure_mode", "false")
+#	"gen_tunable(allow_kerberos, false)"
+#	 -> ("tunable", "allow_kerberos", "false")
+BOOLEAN = re.compile("^\s*gen_(tunable|bool)\(\s*(\w*)\s*,\s*(true|false)\s*\)")
+
+# Matches a XML comment in the policy, which is defined as any line starting
+#  with two # and at least one character of white space. Will give the single
+#  valued tuple:
+#	("comment")
+# Some Examples:
+#	"## <summary>"
+#	 -> ("<summary>")
+#	"##		The domain allowed access.	"
+#	 -> ("The domain allowed access.")
+XML_COMMENT = re.compile("^##\s+(.*?)\s*$")
+
+
+# FUNCTIONS
+def getModuleXML(file_name):
+	'''
+	Returns the XML data for a module in a list, one line per list item.
+	'''
+
+	# Try to open the file, if it cant, just ignore it.
+	try:
+		module_file = open(file_name, "r")
+		module_code = module_file.readlines()
+		module_file.close()
+	except:
+		warning("cannot open file %s for read, skipping" % file_name)
+		return []
+
+	module_buf = []
+
+	# Infer the module name, which is the base of the file name.
+	module_buf.append("<module name=\"%s\" filename=\"%s\">\n" 
+		% (os.path.splitext(os.path.split(file_name)[-1])[0], file_name))
+
+	temp_buf = []
+	interface = None
+
+	# finding_header is a flag to denote whether we are still looking
+	#  for the XML documentation at the head of the file.
+	finding_header = True
+
+	# Get rid of whitespace at top of file
+	while(module_code and module_code[0].isspace()):
+		module_code = module_code[1:]
+
+	# Go line by line and figure out what to do with it.
+	line_num = 0
+	for line in module_code:
+		line_num += 1
+		if finding_header:
+			# If there is a XML comment, add it to the temp buffer.
+			comment = XML_COMMENT.match(line)
+			if comment:
+				temp_buf.append(comment.group(1) + "\n")
+				continue
+
+			# Once a line that is not an XML comment is reached,
+			#  either put the XML out to module buffer as the
+			#  module's documentation, or attribute it to an
+			#  interface/template.
+			elif temp_buf:
+				finding_header = False
+				interface = INTERFACE.match(line)
+				if not interface:
+					module_buf += temp_buf
+					temp_buf = []
+					continue
+
+		# Skip over empty lines
+		if line.isspace():
+			continue
+
+		# Grab a comment and add it to the temprorary buffer, if it
+		#  is there.
+		comment = XML_COMMENT.match(line)
+		if comment:
+			temp_buf.append(comment.group(1) + "\n")
+			continue
+
+		# Grab the interface information. This is only not true when
+		#  the interface is at the top of the file and there is no
+		#  documentation for the module.
+		if not interface:
+			interface = INTERFACE.match(line)
+		if interface:
+			# Add the opening tag for the interface/template
+			groups = interface.groups()
+			module_buf.append("<%s name=\"%s\" lineno=\"%s\">\n" % (groups[0], groups[1], line_num))
+
+			# Add all the comments attributed to this interface to
+			#  the module buffer.
+			if temp_buf:
+				module_buf += temp_buf
+				temp_buf = []
+
+			# Add default summaries and parameters so that the
+			#  DTD is happy.
+			else:
+				warning ("unable to find XML for %s %s()" % (groups[0], groups[1]))	
+				module_buf.append("<summary>\n")
+				module_buf.append("Summary is missing!\n")
+				module_buf.append("</summary>\n")
+				module_buf.append("<param name=\"?\">\n")
+				module_buf.append("<summary>\n")
+				module_buf.append("Parameter descriptions are missing!\n")
+				module_buf.append("</summary>\n")
+				module_buf.append("</param>\n")
+
+			# Close the interface/template tag.
+			module_buf.append("</%s>\n" % interface.group(1))
+
+			interface = None
+			continue
+
+
+
+	# If the file just had a header, add the comments to the module buffer.
+	if finding_header:
+		module_buf += temp_buf
+	# Otherwise there are some lingering XML comments at the bottom, warn
+	#  the user.
+	elif temp_buf:
+		warning("orphan XML comments at bottom of file %s" % file_name)
+
+	module_buf.append("</module>\n")
+
+	return module_buf
+
+def getLayerXML (layerName, directories):
+	'''
+	Returns the XML documentation for a layer.
+	'''
+
+	layer_buf = []
+
+	# Infer the layer name from the directory name.
+	layer_buf.append("<layer name=\"%s\">\n" % layerName)
+
+	# Try to file the metadata file for this layer and if it exists,
+	# append the contents to the buffer.
+	bFoundMeta = False
+	for directory in directories:
+		metafile = directory + "/" + meta
+
+		if not bFoundMeta and os.path.isfile (metafile):
+			layer_meta = open (metafile, "r")
+			layer_buf += layer_meta.readlines ()
+			layer_meta.close()
+			bFoundMeta = True
+
+	# force the metadata for the third party layer
+	if not bFoundMeta:
+		if layerName == third_party:
+			layer_buf.append ("<summary>This is all third-party generated modules.</summary>\n")
+			bFoundMeta = True
+
+	# didn't find meta data for this layer - oh well	
+	if not bFoundMeta:
+		layer_buf.append ("<summary>Summary is missing!.</summary>\n")
+		warning ("unable to find %s for layer %s" % (meta, layerName))	
+	
+	# For each module file in the layer, add its XML.
+	for directory in directories:
+		modules = glob.glob("%s/*.if" % directory)
+		modules.sort()
+		for module in modules:
+			layer_buf += getModuleXML(module)
+
+	layer_buf.append("</layer>\n")
+
+	return layer_buf
+
+def getTunableXML(file_name, kind):
+	'''
+	Return all the XML for the tunables/bools in the file specified.
+	'''
+
+	# Try to open the file, if it cant, just ignore it.
+	try:
+		tunable_file = open(file_name, "r")
+		tunable_code = tunable_file.readlines()
+		tunable_file.close()
+	except:
+		warning("cannot open file %s for read, skipping" % file_name)
+		return []
+
+	tunable_buf = []
+	temp_buf = []
+
+	# Find tunables and booleans line by line and use the comments above
+	# them.
+	for line in tunable_code:
+		# If it is an XML comment, add it to the buffer and go on.
+		comment = XML_COMMENT.match(line)
+		if comment:
+			temp_buf.append(comment.group(1) + "\n")
+			continue
+
+		# Get the boolean/tunable data.
+		boolean = BOOLEAN.match(line)
+
+		# If we reach a boolean/tunable declaration, attribute all XML
+		#  in the temp buffer to it and add XML to the tunable buffer.
+		if boolean:
+			# If there is a gen_bool in a tunable file or a
+			# gen_tunable in a boolean file, error and exit.
+			if boolean.group(1) != kind:
+				error("%s in a %s file." % (boolean.group(1), kind))
+
+			tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups())
+			tunable_buf += temp_buf
+			temp_buf = []
+			tunable_buf.append("</%s>\n" % boolean.group(1))
+
+	# If there are XML comments at the end of the file, they arn't
+	# attributed to anything. These are ignored.
+	if len(temp_buf):
+		warning("orphan XML comments at bottom of file %s" % file_name)
+
+
+	# If the caller requested a the global_tunables and global_booleans to be
+	# output to a file output them now
+	if len(output_dir) > 0:
+		xmlfile = os.path.split(file_name)[1] + ".xml"
+
+		try:
+			xml_outfile = open(output_dir + "/" + xmlfile, "w")
+			for tunable_line in tunable_buf:
+				xml_outfile.write (tunable_line)
+			xml_outfile.close()
+		except:
+			warning ("cannot write to file %s, skipping creation" % xmlfile)
+
+	return tunable_buf
+
+def getXMLFileContents (file_name):
+	'''
+	Return all the XML in the file specified.
+	'''
+
+	tunable_buf = []
+	# Try to open the xml file for this type of file
+	# append the contents to the buffer.
+	try:
+		tunable_xml = open(file_name, "r")
+		tunable_buf += tunable_xml.readlines()
+		tunable_xml.close()
+	except:
+		warning("cannot open file %s for read, assuming no data" % file_name)
+
+	return tunable_buf
+
+def getPolicyXML():
+	'''
+	Return the compelete reference policy XML documentation through a list,
+	one line per item.
+	'''
+
+	policy_buf = []
+	policy_buf.append("<policy>\n")
+
+	# Add to the XML each layer specified by the user.
+	for layer in layers.keys ():
+		policy_buf += getLayerXML(layer, layers[layer])
+
+	# Add to the XML each tunable file specified by the user.
+	for tunable_file in tunable_files:
+		policy_buf += getTunableXML(tunable_file, "tunable")
+
+	# Add to the XML each XML tunable file specified by the user.
+	for tunable_file in xml_tunable_files:
+		policy_buf += getXMLFileContents (tunable_file)
+
+	# Add to the XML each bool file specified by the user.
+	for bool_file in bool_files:
+		policy_buf += getTunableXML(bool_file, "bool")
+
+	# Add to the XML each XML bool file specified by the user.
+	for bool_file in xml_bool_files:
+		policy_buf += getXMLFileContents (bool_file)
+
+	policy_buf.append("</policy>\n")
+
+	return policy_buf
+
+def usage():
+	"""
+	Displays a message describing the proper usage of this script.
+	"""
+
+	sys.stdout.write("usage: %s [-w] [-m file] "\
+		% sys.argv[0])
+
+	sys.stdout.write("layerdirectory [layerdirectory...]\n\n")
+
+	sys.stdout.write("Options:\n")
+
+	sys.stdout.write ("-h --help                      -- "+\
+				"show command line options\n")
+
+	sys.stdout.write("-w --warn                      -- "+\
+				"show warnings\n")
+
+	sys.stdout.write("-m --meta <file>               -- "+\
+				"the filename of the metadata in each layer\n")
+
+	sys.stdout.write("-t --tunable <file>            -- "+\
+				"A file containing tunable declarations\n")
+
+	sys.stdout.write("-b --bool <file>               -- "+\
+				"A file containing bool declarations\n")
+												   
+	sys.stdout.write("-o --output-dir <directory>    -- "+\
+				"A directory to output global_tunables.xml and global_booleans.xml\n")
+
+	sys.stdout.write("--tunables-xml <file>          -- "+\
+				"A file containing tunable declarations already in XML format\n")
+
+	sys.stdout.write("--booleans-xml <file>          -- "+\
+				"A file containing bool declarations already in XML format\n")
+				
+	sys.stdout.write ("-3 --third-party <directory>   -- "+\
+				"Look for 3rd Party modules in directory.\n")
+
+def warning(description):
+	'''
+	Warns the user of a non-critical error.
+	'''
+
+	if warn:
+		sys.stderr.write("%s: " % sys.argv[0] )
+		sys.stderr.write("warning: " + description + "\n")
+
+def error(description):
+	'''
+	Describes an error and exists the program.
+	'''
+
+	sys.stderr.write("%s: " % sys.argv[0] )
+        sys.stderr.write("error: " + description + "\n")
+        sys.stderr.flush()
+        sys.exit(1)
+
+
+
+# MAIN PROGRAM
+# Check that there are command line arguments.
+if len(sys.argv) <= 1:
+	usage()
+	sys.exit(1)
+
+
+# Parse the command line arguments
+for i in range(1, len(sys.argv)):
+	if sys.argv[i-1] in ("-m", "--meta",\
+					"-t", "--tunable", "-b", "--bool",\
+					"-o", "--output-dir", "-3", "--third-party", \
+					"--tunables-xml", "--booleans-xml"):
+		continue
+	elif sys.argv[i] in ("-w", "--warn"):
+		warn = True
+	elif sys.argv[i] in ("-m", "--meta"):
+		if i < len(sys.argv)-1:
+			meta = sys.argv[i+1]
+		else:
+			usage()
+	elif sys.argv[i] in ("-t", "--tunable"):
+		if i < len(sys.argv)-1:
+			tunable_files.append(sys.argv[i+1])
+		else:
+			usage()
+	elif sys.argv[i] in ("-b", "--bool"):
+		if i < len(sys.argv)-1:
+			bool_files.append(sys.argv[i+1])
+		else:
+			usage()
+	
+	elif sys.argv[i] == "--tunables-xml":
+		if i < len(sys.argv)-1:
+			xml_bool_files.append (sys.argv[i+1])
+		else:
+			usage ()
+			
+	elif sys.argv[i] == "--booleans-xml":
+		if i < len(sys.argv)-1:
+			xml_tunable_files.append (sys.argv[i+1])
+		else:
+			usage ()
+			
+	elif sys.argv[i] in ("-o", "--output-dir"):
+		if i < len(sys.argv)-1:
+			output_dir = sys.argv[i+1]
+		else:
+			usage ()
+			
+	elif sys.argv[i] in ("-3", "--third-party"):
+		if i < len(sys.argv) -1:
+			if layers.has_key (third_party):
+				layers[third_party].append (sys.argv[i+1])
+			else:
+				layers[third_party] = [sys.argv[i+1]]
+		else:
+			usage ()
+
+	elif sys.argv[i] in ("-h", "--help"):
+		usage ()
+		sys.exit (1)
+
+	else:
+		# store directories in hash stored by layer name
+		splitlayer = os.path.split(sys.argv[i])
+		if layers.has_key (splitlayer[1]):
+			layers[splitlayer[1]].append (sys.argv[i])
+		else:
+			layers[splitlayer[1]] = [sys.argv[i]]
+
+
+# Generate the XML and output it to a file
+lines = getPolicyXML()
+for s in lines:
+	sys.stdout.write(s)
+
diff --git a/support/selinux-policy-refpolicy.spec b/support/selinux-policy-refpolicy.spec
new file mode 100644
index 0000000..4ceaf73
--- /dev/null
+++ b/support/selinux-policy-refpolicy.spec
@@ -0,0 +1,432 @@
+%define distro redhat
+%define direct_initrc y
+%define monolithic n
+%define polname1 targeted
+%define type1 targeted-mcs
+%define polname2 strict
+%define type2 strict-mcs
+Summary: SELinux policy configuration
+Name: selinux-policy
+Version: 20051019
+Release: 1
+License: GPL
+Group: System Environment/Base
+Source: refpolicy-%{version}.tar.bz2
+Url: http://serefpolicy.sourceforge.net
+BuildRoot: %{_tmppath}/refpolicy-buildroot
+BuildArch: noarch
+# FIXME Need to ensure these have correct versions
+BuildRequires: checkpolicy m4 policycoreutils python make gcc
+PreReq: kernel >= 2.6.4-1.300 policycoreutils >= %{POLICYCOREUTILSVER}
+Obsoletes: policy 
+
+%description
+SELinux Reference Policy - modular.
+
+%prep
+%setup -q
+make conf
+
+%build
+
+%install
+%{__rm} -fR $RPM_BUILD_ROOT
+make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} base.pp
+make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} modules
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname1}/%{type1}
+%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname1}/%{type1}
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname1}/policy
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname1}/contexts/files
+make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=y DESTDIR=$RPM_BUILD_ROOT install-appconfig
+make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname1}/users/local.users
+make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname1}/users/system.users
+make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} base.pp
+make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} modules
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname2}/%{type2}
+%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname2}/%{type2}
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname2}/policy
+%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname2}/contexts/files
+make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=y DESTDIR=$RPM_BUILD_ROOT install-appconfig
+make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname2}/users/local.users
+make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname2}/users/system.users
+
+%clean
+%{__rm} -fR $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_sysconfdir}/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/*.pp
+#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
+%dir %{_sysconfdir}/selinux/*
+%ghost %config %{_sysconfdir}/selinux/*/booleans
+%dir %{_sysconfdir}/selinux/*/policy
+#%ghost %config %{_sysconfdir}/selinux/*/policy/policy.*
+%dir %{_sysconfdir}/selinux/*/contexts
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/customizable_types
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/dbus_contexts
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/default_contexts
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/default_type
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/failsafe_context
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/initrc_context
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/removable_context
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/userhelper_context
+%dir %{_sysconfdir}/selinux/*/contexts/files
+#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts
+#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/homedir_template
+#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts.homedirs
+%config %{_sysconfdir}/selinux/*/contexts/files/media
+%dir %{_sysconfdir}/selinux/*/users
+%config %{_sysconfdir}/selinux/*/users/system.users
+%config %{_sysconfdir}/selinux/*/users/local.users
+#%ghost %dir %{_sysconfdir}/selinux/*/modules
+
+%pre
+
+%post
+
+%package base-targeted
+Summary: SELinux %{polname1} base policy
+Group: System Environment/Base
+Provides: selinux-policy-base
+
+%description base-targeted
+SELinux Reference policy targeted base module.
+
+%files base-targeted
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/%{polname1}
+%dir %{_usr}/share/selinux/%{polname1}/%{type1}
+%config %{_usr}/share/selinux/%{polname1}/%{type1}/base.pp
+%dir %{_sysconfdir}/selinux
+#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
+%dir %{_sysconfdir}/selinux/%{polname1}
+%ghost %config %{_sysconfdir}/selinux/%{polname1}/booleans
+%dir %{_sysconfdir}/selinux/%{polname1}/policy
+#%ghost %config %{_sysconfdir}/selinux/%{polname1}/policy/policy.*
+%dir %{_sysconfdir}/selinux/%{polname1}/contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/customizable_types
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/dbus_contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/default_contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/default_type
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/failsafe_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/initrc_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/removable_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/userhelper_context
+%dir %{_sysconfdir}/selinux/%{polname1}/contexts/files
+#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts
+#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/homedir_template
+#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts.homedirs
+%config %{_sysconfdir}/selinux/%{polname1}/contexts/files/media
+%dir %{_sysconfdir}/selinux/%{polname1}/users
+%config %{_sysconfdir}/selinux/%{polname1}/users/system.users
+%config %{_sysconfdir}/selinux/%{polname1}/users/local.users
+#%ghost %dir %{_sysconfdir}/selinux/%{polname1}/modules
+
+%post base-targeted
+semodule -b /usr/share/selinux/%{polname1}/%{type1}/base.pp -s %{_sysconfdir}/selinux/%{polname1}
+for file in $(ls /usr/share/selinux/%{polname1}/%{type1} | grep -v base.pp)
+do semodule -i /usr/share/selinux/%{polname1}/%{type1}/$file -s %{_sysconfdir}/selinux/%{polname1}
+done
+
+%package base-strict
+Summary: SELinux %{polname2} base policy
+Group: System Environment/Base
+Provides: selinux-policy-base
+
+%description base-strict
+SELinux Reference policy strict base module.
+
+%files base-strict
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/%{polname2}
+%dir %{_usr}/share/selinux/%{polname2}/%{type2}
+%config %{_usr}/share/selinux/%{polname2}/%{type2}/base.pp
+%dir %{_sysconfdir}/selinux
+#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
+%dir %{_sysconfdir}/selinux/%{polname2}
+%ghost %config %{_sysconfdir}/selinux/%{polname2}/booleans
+%dir %{_sysconfdir}/selinux/%{polname2}/policy
+#%ghost %config %{_sysconfdir}/selinux/%{polname2}/policy/policy.*
+%dir %{_sysconfdir}/selinux/%{polname2}/contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/customizable_types
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/dbus_contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/default_contexts
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/default_type
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/failsafe_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/initrc_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/removable_context
+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/userhelper_context
+%dir %{_sysconfdir}/selinux/%{polname2}/contexts/files
+#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts
+#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/homedir_template
+#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts.homedirs
+%config %{_sysconfdir}/selinux/%{polname2}/contexts/files/media
+%dir %{_sysconfdir}/selinux/%{polname2}/users
+%config %{_sysconfdir}/selinux/%{polname2}/users/system.users
+%config %{_sysconfdir}/selinux/%{polname2}/users/local.users
+#%ghost %dir %{_sysconfdir}/selinux/%{polname2}/modules
+
+%post base-strict
+semodule -b /usr/share/selinux/%{polname2}/%{type2}/base.pp -s %{_sysconfdir}/selinux/%{polname2}
+for file in $(ls /usr/share/selinux/%{polname2}/%{type2} | grep -v base.pp)
+do semodule -i /usr/share/selinux/%{polname2}/%{type2}/$file -s %{_sysconfdir}/selinux/%{polname2}
+done
+
+%package apache
+Summary: SELinux apache policy
+Group: System Environment/Base
+Requires: selinux-policy-base
+
+%description apache
+SELinux Reference policy apache module.
+
+%files apache
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/apache.pp
+
+%post apache
+if [ -d %{_sysconfdir}/selinux/%{polname1}/modules ] ; then
+semodule -n -i %{_usr}/share/selinux/%{polname1}/%{type1}/apache.pp -s %{_sysconfdir}/selinux/%{polname1}
+fi
+if [ -d %{_sysconfdir}/selinux/%{polname2}/modules ] ; then
+semodule -i %{_usr}/share/selinux/%{polname2}/%{type2}/apache.pp -s %{_sysconfdir}/selinux/%{polname2}
+fi
+
+%preun apache
+if [ -d %{_sysconfdir}/selinux/%{polname1}/modules ]
+then semodule -n -r apache -s %{_sysconfdir}/selinux/%{polname1}
+fi
+if [ -d %{_sysconfdir}/selinux/%{polname2}/modules ]
+then semodule -n -r apache -s %{_sysconfdir}/selinux/%{polname2}
+fi
+
+%package bind
+Summary: SELinux bind policy
+Group: System Environment/Base
+
+%description bind
+SELinux Reference policy bind module.
+
+%files bind
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/bind.pp
+
+%post bind
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/bind.pp
+
+%preun bind
+semodule -r bind
+
+%package dhcp
+Summary: SELinux dhcp policy
+Group: System Environment/Base
+
+%description dhcp
+SELinux Reference policy dhcp module.
+
+%files dhcp
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/dhcp.pp
+
+%post dhcp
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/dhcp.pp
+
+%preun dhcp
+semodule -r dhcp
+
+%package ldap
+Summary: SELinux ldap policy
+Group: System Environment/Base
+
+%description ldap
+SELinux Reference policy ldap module.
+
+%files ldap
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/ldap.pp
+
+%post ldap
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/ldap.pp
+
+%preun ldap
+semodule -r ldap
+
+%package mailman
+Summary: SELinux mailman policy
+Group: System Environment/Base
+
+%description mailman
+SELinux Reference policy mailman module.
+
+%files mailman
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/mailman.pp
+
+%post mailman
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/mailman.pp
+
+%preun mailman
+semodule -r mailman
+
+%package mysql
+Summary: SELinux mysql policy
+Group: System Environment/Base
+
+%description mysql
+SELinux Reference policy mysql module.
+
+%files mysql
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/mysql.pp
+
+%post mysql
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcsmysql.pp
+
+%preun mysql
+semodule -r mysql
+
+%package portmap
+Summary: SELinux portmap policy
+Group: System Environment/Base
+
+%description portmap
+SELinux Reference policy portmap module.
+
+%files portmap
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/portmap.pp
+
+%post portmap
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/portmap.pp
+
+%preun portmap
+semodule -r portmap
+
+%package postgresql
+Summary: SELinux postgresql policy
+Group: System Environment/Base
+
+%description postgresql
+SELinux Reference policy postgresql module.
+
+%files postgresql
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/postgresql.pp
+
+%post postgresql
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/postgresql.pp
+
+%preun postgresql
+semodule -r postgresql
+
+%package samba
+Summary: SELinux samba policy
+Group: System Environment/Base
+
+%description samba
+SELinux Reference policy samba module.
+
+%files samba
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/samba.pp
+
+%post samba
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/samba.pp
+
+%preun samba
+semodule -r samba
+
+%package snmp
+Summary: SELinux snmp policy
+Group: System Environment/Base
+
+%description snmp
+SELinux Reference policy snmp module.
+
+%files snmp
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/snmp.pp
+
+%post snmp
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/snmp.pp
+
+%preun snmp
+semodule -r snmp
+
+%package squid
+Summary: SELinux squid policy
+Group: System Environment/Base
+
+%description squid
+SELinux Reference policy squid module.
+
+%files squid
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/squid.pp
+
+%post squid
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/squid.pp
+
+%preun squid
+semodule -r squid
+
+%package webalizer
+Summary: SELinux webalizer policy
+Group: System Environment/Base
+
+%description webalizer
+SELinux Reference policy webalizer module.
+
+%files webalizer
+%defattr(-,root,root)
+%dir %{_usr}/share/selinux
+%dir %{_usr}/share/selinux/*
+%dir %{_usr}/share/selinux/*/*
+%config %{_usr}/share/selinux/*/*/webalizer.pp
+
+%post webalizer
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/webalizer.pp
+
+%preun webalizer
+semodule -r webalizer
+
+%changelog
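Review bot: The mysql post-install line `semodule -i %{_usr}/share/selinux/targeted/targeted-mcsmysql.pp` is missing the separator between the type directory and the module file, so `%post mysql` will never find the module; it should read `semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/mysql.pp`. The same scriptlet shape for bind, dhcp, ldap, mailman, portmap, postgresql, samba, snmp, squid and webalizer hardcodes `targeted/targeted-mcs` instead of `%{polname1}/%{type1}` and skips the installed-store check that `%post apache` performs, so on a strict-only system those modules are installed into a store that does not exist. `PreReq:` near the top references `%{POLICYCOREUTILSVER}`, which is not defined anywhere in this spec, so rpmbuild will either reject the dependency or emit the macro name literally. The `for file in $(ls ... | grep -v base.pp)` loops in both base scriptlets word-split on whitespace; iterating a glob such as `/usr/share/selinux/%{polname1}/%{type1}/*.pp` and skipping base.pp inside the loop avoids that.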
diff --git a/support/selinux-refpolicy-sources.spec.skel b/support/selinux-refpolicy-sources.spec.skel
new file mode 100644
index 0000000..6b4b739
--- /dev/null
+++ b/support/selinux-refpolicy-sources.spec.skel
@@ -0,0 +1,85 @@
+%define type refpolicy
+%define POLICYDIR /etc/selinux/%{type}
+%define FILE_CON ${POLICYDIR}/contexts/files/file_contexts
+%define FC_PRE ${FILE_CON}.pre
+
+Summary: SELinux Reference Policy configuration source files 
+Name: selinux-refpolicy-sources
+Version: REFPOL_VERSION
+Release: 1
+License: GPL
+Group: System Environment/Base
+PreReq: m4 make policycoreutils kernel gcc
+Requires: checkpolicy >= 1.20
+Requires: python
+BuildRequires: make m4 python
+Obsoletes: policy-sources
+Source: refpolicy-%{version}.tar.bz2
+Url: http://serefpolicy.sourceforge.net
+BuildArch: noarch
+BuildRoot: /tmp/rpmbuild/%{name}
+
+%description
+This subpackage includes the SELinux Reference Policy
+source files, which can be used to build a targeted policy
+or strict policy configuration.
+
+%prep
+%setup -q -n refpolicy
+
+%build
+sed -i -e '/^TYPE/s/strict/targeted/' Makefile
+sed -i -e 's/^#DISTRO/DISTRO/' Makefile
+sed -i -e '/^DIRECT_INITRC/s/n/y/' Makefile
+make conf
+make clean
+rm -f support/*.pyc
+
+%install
+rm -fR $RPM_BUILD_ROOT
+make DESTDIR=$RPM_BUILD_ROOT install-src
+
+%clean
+rm -fR $RPM_BUILD_ROOT
+
+%files
+%defattr(0600,root,root,0700)
+%dir %{_sysconfdir}/selinux/%{type}/src/policy
+%config %{_sysconfdir}/selinux/%{type}/src/policy/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/doc
+%config %{_sysconfdir}/selinux/%{type}/src/policy/doc/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/doc/templates
+%config %{_sysconfdir}/selinux/%{type}/src/policy/doc/templates/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/support
+%config %{_sysconfdir}/selinux/%{type}/src/policy/support/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/config
+%config(noreplace) %{_sysconfdir}/selinux/%{type}/src/policy/config/local.users
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/config/appconfig-targeted
+%config %{_sysconfdir}/selinux/%{type}/src/policy/config/appconfig-targeted/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/config/appconfig-strict
+%config %{_sysconfdir}/selinux/%{type}/src/policy/config/appconfig-strict/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy
+%config(noreplace) %{_sysconfdir}/selinux/%{type}/src/policy/policy/users
+%config(noreplace) %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules.conf
+%config(noreplace) %{_sysconfdir}/selinux/%{type}/src/policy/policy/booleans.conf
+%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/mls
+%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/mcs
+%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/global_booleans
+%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/global_tunables
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/flask
+%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/flask/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/kernel
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/kernel/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/apps
+%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/apps/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/services
+%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/services/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/system
+%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/system/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/admin
+%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/modules/admin/*
+%dir %{_sysconfdir}/selinux/%{type}/src/policy/policy/support
+%config %{_sysconfdir}/selinux/%{type}/src/policy/policy/support/*
+
+%changelog
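Review bot: `BuildRoot: /tmp/rpmbuild/%{name}` is a fixed, predictable path under a world-writable directory, and both `%install` and `%clean` run `rm -fR $RPM_BUILD_ROOT` on it, so a directory or symlink planted there beforehand by another local user is removed or followed by the build; the sibling spec in this commit already uses `%{_tmppath}`, so `BuildRoot: %{_tmppath}/%{name}-%{version}-root` would be both consistent and safer. The `FILE_CON` and `FC_PRE` defines use shell `${POLICYDIR}` syntax where an RPM macro reference would be `%{POLICYDIR}`; neither macro is referenced elsewhere in the file, so they should be corrected or dropped. The three `sed -i` edits in `%build` silently do nothing if the Makefile's `TYPE`, `#DISTRO` or `DIRECT_INITRC` lines are not in exactly the expected form, which is worth a comment so the assumption is visible.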
diff --git a/support/set_bools_tuns.awk b/support/set_bools_tuns.awk
new file mode 100644
index 0000000..cedc19b
--- /dev/null
+++ b/support/set_bools_tuns.awk
@@ -0,0 +1,11 @@
+# Read booleans.conf and output M4 directives to
+# override default settings in global_booleans
+
+BEGIN {
+	FS="="
+}
+
+/^[[:blank:]]*[[:alpha:]]+/{ 
+	gsub(/[[:blank:]]*/,"")
+	print "define(`"$1"_conf',`"$2"')"
+}
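Review bot: The rule prints `$2` straight into an M4 `define(...)` with only blank characters stripped, so a line without `=` yields `define(`name_conf',`')` and a value carrying a trailing `# comment`, a quote or a comma reaches M4 unescaped and can break the generated global_booleans; adding `&& NF >= 2` to the pattern and running `sub(/#.*$/, "")` before the `gsub` would handle both cases. The trailing space after `{` on the rule line should also be dropped.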