diff --git a/mls/COPYING b/mls/COPYING
new file mode 100644
index 0000000..5b6e7c6
--- /dev/null
+++ b/mls/COPYING
@@ -0,0 +1,340 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.
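Review bot: the FSF postal address in this copy of the GPLv2 ("59 Temple Place, Suite 330, Boston, MA  02111-1307  USA", in the header and again in the "How to Apply These Terms" section) is the Foundation's former address; the FSF now distributes the license with "51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA", and packaging linters routinely flag the old one. Because the text itself states that changing it is not allowed, refresh the file from the FSF's current copy rather than hand-editing the address, so the committed COPYING stays verbatim.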
diff --git a/mls/ChangeLog b/mls/ChangeLog
new file mode 100644
index 0000000..a2f029b
--- /dev/null
+++ b/mls/ChangeLog
@@ -0,0 +1,434 @@
+1.27.3 2005-11-17
+	* Removed the seuser policy as suggested by Kevin Carr.
+	* Removed unnecessary allow rule concerning tmpfs_t in the squid
+	policy as suggested by Russell Coker.
+	* Merged a patch from Jonathan Kim which modified the restorecon policy
+	to use the secadmin attribute.
+	* Merged a patch from Dan Walsh.  Added avahi, exim, and yppasswdd
+	policies.  Added the unconfinedtrans attribute for domains that
+	can transistion to unconfined_t.  Added httpd_enable_ftp_server,
+	allow_postgresql_use_pam, pppd_can_insmod, and allow_gssd_read_tmp
+	booleans.  Created a $1_disable_trans boolean used in the
+	init_service_domain macro to specify whether init should
+	transition to a new domain when executing.  Included Chad Hanson's
+	patch which adds the mls* attributes to more domains and makes
+	other changes to support MLS.  Included Russell Coker's patch
+	which makes many changes to the sendmail policy.  Added rules to
+	allow initscripts to execute scripts that they generate.  Added
+	dbus support to the named policy.  Made other fixes and cleanups
+	to various policies including amanda, apache, bluetooth, pegasus,
+	postfix, pppd, and slapd.  Removed sendmail policy from targeted.
+1.27.2 2005-10-20
+	* Merged patch from Chad Hanson.  Modified MLS constraints.
+	Provided comments for the MLS attributes.
+	* Merged two patches from Thomas Bleher which made some minor
+	fixes and cleanups.
+	* Merged patches from Russell Coker. Added comments to some of the
+	MLS attributes.  Added the secure_mode_insmod boolean to determine
+	whether the system permits loading policy, setting enforcing mode,
+	and changing boolean values. Made minor fixes for the cdrecord_domain
+	macro, application_domain, newrole_domain, and daemon_base_domain
+	macros.  Added rules to allow the mail server to access the user
+	home directories in the targeted policy and allows the postfix
+	showq program to do DNS lookups.  Minor fixes for the MCS
+	policy.  Made other minor fixes and cleanups.
+	* Merged patch from Dan Walsh.  Added opencd, pegasus, readahead,
+	and roundup policies.  Created can_access_pty macro to handle pty
+	output.  Created nsswithch_domain macro for domains using
+	nsswitch.  Added mcs transition rules.  Removed mqueue and added
+	capifs genfscon entries.  Added dhcpd and pegasus ports.  Added
+	domain transitions from login domains to pam_console and alsa
+	domains.  Added rules to allow the httpd and squid domains to
+	relay more protocols.  For the targeted policy, removed sysadm_r
+	role from unconfined_t.  Made other fixes and cleanups.
+1.27.1 2005-09-15
+	* Merged small patches from Russell Coker for the apostrophe,
+	dhcpc, fsadm, and setfiles policy.
+	* Merged a patch from Russell Coker with some minor fixes to a
+	multitude of policy files.
+	* Merged patch from Dan Walsh from August 15th. Adds certwatch
+	policy.  Adds mcs support to Makefile.  Adds mcs file which
+	defines sensitivities and categories for the MSC policy.  Creates
+	an authentication_domain macro in global_macros.te for domains
+	that use pam_authentication.  Creates the anonymous_domain macro
+	so that the ftpd, rsync, httpd, and smbd domains can share the
+	ftpd_anon_t and ftpd_anon_rw_t types.  Removes netifcon rules to
+	start isolating individual ethernet devices.  Changes vpnc from a
+	daemon to an application_domain.  Adds audit_control capability to
+	crond_t.  Adds dac_override and dac_read_search capabilities to
+	fsadm_t to allow the manipulation of removable media.  Adds
+	read_sysctl macro to the base_passwd_domain macro.  Adds rules to
+	allow alsa_t to communicate with userspace.  Allows networkmanager
+	to communicate with isakmp_port and to use vpnc.  For targeted
+	policy, removes transitions of sysadm_t to apm_t, backup_t,
+	bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t.
+	Makes other minor cleanups and fixes.
+	
+1.26 2005-09-06
+	* Updated version for release.
+
+1.25.4 2005-08-10
+	* Merged small patches from Russell Coker for the restorecon,
+	kudzu, lvm, radvd, and spamassasin policies.
+	* Added fs_use_trans rule for mqueue from Mark Gebhart to support
+	the work he has done on providing SELinux support for mqueue.
+	* Merged a patch from Dan Walsh. Removes the user_can_mount
+	tunable.  Adds disable_evolution_trans and disable_thunderbird_trans
+	booleans.  Adds the nscd_client_domain attribute to insmod_t.
+	Removes the user_ping boolean from targeted policy.  Adds
+	hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts.
+	Adds the isakmp_port for vpnc.  Creates the pptp daemon domain.
+	Allows getty to run sbin_t for pppd.  Allows initrc to write to
+	default_t for booting.  Allows Hotplug_t sys_rawio for prism54
+	card at boot.  Other minor fixes.
+
+1.25.3 2005-07-18
+	* Merged patch from Dan Walsh.  Adds auth_bool attribute to allow
+	domains to have read access to shadow_t.  Creates pppd_can_insmod
+	boolean to control the loading of modem kernel modules.  Allows
+	nfs to export noexattrfile types.  Allows unix_chpwd to access
+	cert files and random devices for encryption purposes.  Other
+	minor cleanups and fixes.
+
+1.25.2 2005-07-11
+	* Merged patch from Dan Walsh.  Added allow_ptrace boolean to
+	allow sysadm_t to ptrace and debug apps.  Gives auth_chkpwd the
+	audit_control and audit_write capabilities.  Stops targeted policy
+	from transitioning from unconfined_t to netutils.  Allows cupsd to
+	audit messages.  Gives prelink the execheap, execmem, and execstack
+	permissions by default.  Adds can_winbind boolean and functions to
+	better handle samba and winbind communications.  Eliminates
+	allow_execmod checks around texrel_shlib_t libraries.  Other minor
+	cleanups and fixes.
+	
+1.25.1 2005-07-05
+	* Moved role_tty_type_change, reach_sysadm, and priv_user macros
+	from user.te to user_macros.te as suggested by Steve.
+	* Modified admin_domain macro so autrace would work and removed
+	privuser attribute for dhcpc as suggested by Russell Coker.
+	* Merged rather large patch from Dan Walsh.  Moves
+	targeted/strict/mls policies closer together.  Adds local.te for
+	users to customize.  Includes minor fixes to auditd, cups,
+	cyrus_imapd, dhcpc, and dovecot.  Includes Russell Coker's patch
+	that defines all ports in network.te.  Ports are always defined
+	now, no ifdefs are used in network.te.  Also includes Ivan
+	Gyurdiev's user home directory policy patches.  These patches add
+	alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs,
+	iceauth, orbit, and thunderbird policy.  They create read_content,
+	write_trusted, and write_untrusted macros in content.te.  They
+	create network_home, write_network_home, read_network_home,
+	base_domain_ro_access, home_domain_access, home_domain, and
+	home_domain_ro macros in home_macros.te.  They also create
+	$3_read_content, $3_write_content, and write_untrusted booleans.
+	
+1.24 2005-06-20
+	* Updated version for release.
+
+1.23.18 2005-05-31
+	* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
+	* Removed devfsd policy as suggested by Russell Coker.
+	* Merged patch from Dan Walsh.  Includes beginnings of Ivan
+	Gyurdiev's Font Config policy.  Don't transition to fsadm_t from
+	unconfined_t (sysadm_t) in targeted policy.  Add support for
+	debugfs in modutil.  Allow automount to create and delete
+	directories in /root and /home dirs.  Move can_ypbind to
+	chkpwd_macro.te.  Allow useradd to create additional files and
+	types via the skell mechanism.  Other minor cleanups and fixes.
+
+1.23.17 2005-05-23
+	* Merged minor fixes by Petre Rodan to the daemontools, dante,
+	gpg, kerberos, and ucspi-tcp policies.
+	* Merged minor fixes by Russell Coker to the bluetooth, crond,
+	initrc, postfix, and udev  policies.  Modifies constraints so that
+	newaliases can be run.  Modifies types.fc so that objects in
+	lost+found directories will not be relabled.
+	* Modified fc rules for nvidia.
+	* Added Chad Sellers policy for polyinstantiation support, which
+	creates the polydir, polyparent, and polymember attributes.  Also
+	added the support_polyinstantiation tunable.
+	* Merged patch from Dan Walsh.  Includes mount_point attribute,
+	read_font macros and some other policy fixes from Ivan Gyurdiev.
+	Adds privkmsg and secadmfile attributes and ddcprobe policy.
+	Removes the use_syslogng boolean.  Many other minor fixes.
+
+1.23.16 2005-05-13
+	* Added rdisc policy from Russell Coker.
+	* Merged minor fix to named policy by Petre Rodan.
+	* Merged minor fixes to policy from Russell Coker for kudzu,
+	named, screen, setfiles, telnet, and xdm.
+	* Merged minor fix to Makefile from Russell Coker.
+
+1.23.15 2005-05-06
+	* Added tripwire and yam policy from David Hampton.
+	* Merged minor fixes to amavid and a clarification to the
+	httpdcontent attribute comments from David Hampton.
+	* Merged patch from Dan Walsh.  Includes fixes for restorecon,
+	games, and postfix from Russell Coker.  Adds support for debugfs.
+	Restores support for reiserfs.  Allows udev to work with tmpfs_t
+	before /dev is labled.  Removes transition from sysadm_t
+	(unconfined_t) to ifconfig_t for the targeted policy.  Other minor
+	cleanups and fixes.
+
+1.23.14 2005-04-29
+	* Added afs policy from Andrew Reisse.
+	* Merged patch from Lorenzo Hernández García-Hierro which defines
+	execstack and execheap permissions.  The patch excludes these
+	permissions from general_domain_access and updates the macros for
+	X, legacy binaries, users, and unconfined domains.
+	* Added nlmsg_relay permisison where netlink_audit_socket class is
+	used.  Added nlmsg_readpriv permission to auditd_t and auditctl_t.
+	* Merged some minor cleanups from Russell Coker and David Hampton.
+	* Merged patch from Dan Walsh.  Many changes made to allow
+	targeted policy to run closer to strict and now almost all of
+	non-userspace is protected via SELinux.  Kernel is now in
+	unconfined_domain for targeted and runs as root:system_r:kernel_t.
+	Added transitionbool to daemon_sub_domain, mainly to turn off
+	httpd_suexec transitioning.  Implemented web_client_domain
+	name_connect rules.  Added yp support for cups.  Now the real
+	hotplug, udev, initial_sid_contexts are used for the targeted
+	policy.  Other minor cleanups and fixes.  Auditd fixes by Paul
+	Moore.
+
+1.23.13 2005-04-22
+	* Merged more changes from Dan Walsh to initrc_t for removal of
+	unconfined_domain.
+	* Merged Dan Walsh's split of auditd policy into auditd_t for the
+	audit daemon and auditctl_t for the autoctl program.
+	* Added use of name_connect to uncond_can_ypbind macro by Dan
+	Walsh.
+	* Merged other cleanup and fixes by Dan Walsh.
+
+1.23.12 2005-04-20
+	* Merged Dan Walsh's Netlink changes to handle new auditing pam
+	modules.
+	* Merged Dan Walsh's patch removing the sysadmfile attribute from
+	policy files to separate sysadm_t from secadm_t.
+	* Added CVS and uucpd policy from Dan Walsh.
+	* Cleanup by Dan Walsh to handle turning off unlimitedRC.
+	* Merged Russell Coker's fixes to ntpd, postgrey, and named
+	policy.
+	* Cleanup of chkpwd_domain and added permissions to su_domain
+	macro due to pam changes to support audit.
+	* Added nlmsg_relay and nlmsg_readpriv permissions to the
+	netlink_audit_socket class.
+
+1.23.11 2005-04-14
+	* Merged Dan Walsh's separation of the security manager and system
+	administrator.
+	* Removed screensaver.te as suggested by Thomas Bleher
+	* Cleanup of typealiases that are no longer used by Thomas Bleher.
+	* Cleanup of fc files and additional rules for SuSE by Thomas
+	Bleher.
+	* Merged changes to auditd and named policy by Russell Coker.
+	* Merged MLS change from Darrel Goeddel to support the policy
+	hierarchy patch.
+
+1.23.10 2005-04-08
+	* Removed pump.te, pump.fc, and targeted/domains/program/modutil.te
+
+1.23.9 2005-04-07
+	* Merged diffs from Dan Walsh.  Includes Ivan Gyurdiev's cleanup
+	of x_client apps.
+	* Added dmidecode policy from Ivan Gyurdiev.
+
+1.23.8 2005-04-05
+	* Added netlink_kobject_uevent_socket class.
+	* Removed empty files pump.te and pump.fc.
+	* Added NetworkManager policy from Dan Walsh.
+	* Merged Dan Walsh's major restructuring of Apache's policy.
+
+1.23.7 2005-04-04
+	* Merged David Hampton's amavis and clamav cleanups.
+	* Added David Hampton's dcc, pyzor, and razor policy.
+	
+1.23.6 2005-04-01
+	* Merged cleanup of the Makefile and other stuff from Dan Walsh.
+	Dan's patch includes some desktop changes from Ivan Gyurdiev.
+	* Merged Thomas Bleher's patches which increase the usage of
+	lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
+	DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
+	possible. 
+	* Merged Greg Norris's cleanup of fetchmail.
+	
+1.23.5 2005-03-23
+	* Added name_connect support from Dan Walsh.
+	* Added httpd_unconfined_t from Dan Walsh.
+	* Merged cleanup of assert.te to allow unresticted full access
+	from Dan Walsh.
+	
+1.23.4 2005-03-21
+	* Merged diffs from Dan Walsh:  
+	* Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan 
+	Gyurdiev.  
+	* Added syslogng support to syslog.te.
+	
+1.23.3 2005-03-15
+	* Added policy for nx_server from Thomas Bleher.
+	* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
+	publicfile from Petre Rodan.
+	
+1.23.2 2005-03-14
+	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan Gyurdiev's 
+	gift policy.
+	* Made sysadm_r the first role for root, so root's home will be labled 
+	as sysadm_home_dir_t instead of staff_home_dir_t.
+	* Modified fs_use and Makefile to reflect jfs now supporting security 
+	xattrs.
+
+1.23.1 2005-03-10
+	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan
+	Gyurdiev's cleanup of homedir macros and more extensive use of
+	read_sysctl()
+
+1.22 2005-03-09
+	* Updated version for release.
+
+1.21 2005-02-24
+	* Added secure_file_type attribute from Dan Walsh
+	* Added access_terminal() macro from Ivan Gyurdiev
+	* Updated capability access vector for audit capabilities.
+	* Added mlsconvert Makefile target to help generate MLS policies
+	  (see selinux-doc/README.MLS for instructions).
+	* Changed policy Makefile to still generate policy.18 as well,
+	  and use it for make load if the kernel doesn't support 19.
+	* Merged enhanced MLS support from Darrel Goeddel (TCS).
+	* Merged diffs from Dan Walsh, Russell Coker, and Greg Norris.
+	* Merged man pages from Dan Walsh.
+	
+1.20 2005-01-04
+	* Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and
+	Petre Rodan.
+	* Merged can_create() macro used for file_type_{,auto_}trans()
+	from Thomas Bleher.
+	* Merged dante and stunnel policy by Petre Rodan.
+	* Merged $1_file_type attribute from Thomas Bleher.
+	* Merged network_macros from Dan Walsh.
+
+1.18 2004-10-25
+	* Merged diffs from Russell Coker and Dan Walsh.
+	* Merged mkflask and mkaccess_vector patches from Ulrich Drepper.
+	* Added reserved_port_t type and portcon entries to map all other
+	  reserved ports to this type.
+	* Added distro_ prefix to distro tunables to avoid conflicts.
+	* Merged diffs from Russell Coker.
+
+1.16 2004-08-16
+	* Added nscd definitions.
+	* Converted many tunables to policy booleans.
+	* Added crontab permission.
+	* Merged diffs from Dan Walsh.
+	  This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well.
+	* Merged diffs from Russell Coker.
+	* Adjusted constraints for crond restart.
+	* Merged dbus/userspace object manager policy from Colin Walters.
+	* Merged dbus definitions from Matthew Rickard.
+	* Merged dnsmasq policy from Greg Norris.
+	* Merged gpg-agent policy from Thomas Bleher.
+
+1.14 2004-06-28
+	* Removed vmware-config.pl from vmware.fc.
+	* Added crond entry to root_default_contexts.
+	* Merged patch from Dan Walsh.
+	* Merged mdadm and postfix changes from Colin Walters.
+	* Merged reiserfs and rpm changes from Russell Coker.
+	* Merged runaway .* glob fix from Valdis Kletnieks.
+	* Merged diff from Dan Walsh.
+	* Merged fine-grained netlink classes and permissions.
+	* Merged changes for new /etc/selinux layout. 
+	* Changed mkaccess_vector.sh to provide stable order.
+	* Merged diff from Dan Walsh.
+	* Fix restorecon path in restorecon.fc.
+	* Merged pax class and access vector definition from Joshua Brindle.
+
+1.12 2004-05-12
+	* Added targeted policy.
+	* Merged atd/at into crond/crontab domains.
+	* Exclude bind mounts from relabeling to avoid aliasing.
+	* Removed some obsolete types and remapped their initial SIDs to unlabeled.
+	* Added SE-X related security classes and policy framework.
+	* Added devnull initial SID and context.
+	* Merged diffs from Fedora policy.
+
+1.10 2004-04-07
+	* Merged ipv6 support from James Morris of RedHat.
+	* Merged policy diffs from Dan Walsh.
+	* Updated call to genhomedircon to reflect new usage.
+	* Merged policy diffs from Dan Walsh and Russell Coker.
+	* Removed config-users and config-services per Dan's request.
+
+1.8 2004-03-09
+	* Merged genhomedircon patch from Karl MacMillan of Tresys.
+	* Added restorecon domain.
+	* Added unconfined_domain macro.
+	* Added default_t for /.* file_contexts entry and replaced some
+	  uses of file_t with default_t in the policy. 
+	* Added su_restricted_domain() macro and use it for initrc_t.
+	* Merged policy diffs from Dan Walsh and Russell Coker.
+	  These included a merge of an earlier patch by Chris PeBenito
+	  to rename the etc types to be consistent with other types.
+
+1.6 2004-02-18
+	* Merged xfs support from Chris PeBenito.
+	* Merged conditional rules for ping.te.
+	* Defined setbool permission, added can_setbool macro.
+	* Partial network policy cleanup.
+	* Merged with Russell Coker's policy.
+	* Renamed netscape macro and domain to mozilla  and renamed
+	  ipchains domain to iptables for consistency with Russell.
+	* Merged rhgb macro and domain from Russell Coker.
+	* Merged tunable.te from Russell Coker. 
+          Only define direct_sysadm_daemon by default in our copy.  
+	* Added rootok permission to passwd class.
+	* Merged Makefile change from Dan Walsh to generate /home 
+	  file_contexts entries for staff users.
+	* Added automatic role and domain transitions for init scripts and
+	  daemons.  Added an optional third argument (nosysadm) to 
+	  daemon_domain to omit the direct transition from sysadm_r when
+	  the same executable is also used as an application, in which
+	  case the daemon must be restarted via the init script to obtain
+	  the proper security context.  Added system_r to the authorized roles
+	  for admin users at least until support for automatic user identity
+	  transitions exist so that a transition to system_u can be provided
+	  transparently.
+	* Added support to su domain for using pam_selinux. 
+	  Added entries to default_contexts for the su domains to 
+	  provide reasonable defaults.  Removed user_su_t.
+	* Tighten restriction on user identity and role transitions in constraints.
+	* Merged macro for newrole-like domains from Russell Coker.
+	* Merged stub dbusd domain from Russell Coker.
+	* Merged stub prelink domain from Dan Walsh.
+	* Merged updated userhelper and config tool domains from Dan Walsh.
+	* Added send_msg/recv_msg permissions to can_network macro.
+	* Merged patch by Chris PeBenito for sshd subsystems.
+	* Merged patch by Chris PeBenito for passing class to var_run_domain.
+	* Merged patch by Yuichi Nakamura for append_log_domain macros.
+	* Merged patch by Chris PeBenito for rpc_pipefs labeling.
+	* Merged patch by Colin Walters to apply m4 once so that
+	  source file info is preserved for checkpolicy.
+
+1.4 2003-12-01
+        * Merged patches from Russell Coker.
+	* Revised networking permissions.
+	* Added new node_bind permission. 
+	* Added new siginh, rlimitinh, and setrlimit permissions.
+	* Added proc_t:file read permission for new is_selinux_enabled logic.
+	* Added failsafe_context configuration file to appconfig.
+	* Moved newrules.pl to policycoreutils, renamed to audit2allow.
+	* Merged newrules.pl patch from Yuichi Nakamura.
+
+1.2 2003-09-30
+	* More policy merging with Russell Coker.
+	* Transferred newrules.pl script from the old SELinux. 
+	* Merged MLS configuration patch from Karl MacMillan of Tresys.
+	* Limit staff_t to reading /proc entries for unpriv_userdomain.
+        * Updated Makefile and spec file to allow non-root builds,
+	  based on patch by Paul Nasrat.
+
+1.1 2003-08-13
+        * Merged Makefile check-all and te-includes patches from Colin Walters.
+        * Merged x-debian-packages.patch from Colin Walters.
+	* Folded read permission into domain_trans.
+
+1.0 2003-07-11
+	* Initial public release.
+
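Review bot: two spelling slips in the 1.23.x entries: "unresticted" in the 1.23.5 entry ("cleanup of assert.te to allow unresticted full access") should be "unrestricted", and "labled" in the 1.23.2 entry ("root's home will be labled as sysadm_home_dir_t") should be "labeled". Several separator lines in that region (after 1.23.7, 1.23.6, 1.23.5, 1.23.4, 1.23.3) are tab-only rather than empty; worth stripping before this lands so later diffs stay clean.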
diff --git a/mls/Makefile b/mls/Makefile
new file mode 100644
index 0000000..933e3d5
--- /dev/null
+++ b/mls/Makefile
@@ -0,0 +1,356 @@
+#
+# Makefile for the security policy.
+#
+# Targets:
+# 
+# install - compile and install the policy configuration, and context files.
+# load    - compile, install, and load the policy configuration.
+# reload  - compile, install, and load/reload the policy configuration.
+# relabel - relabel filesystems based on the file contexts configuration.
+# policy  - compile the policy configuration locally for testing/development.
+#
+# The default target is 'install'.
+#
+
+# Set to y if MLS is enabled in the policy.
+MLS=y
+
+# Set to y if MCS is enabled in the policy
+MCS=n
+
+FLASKDIR = flask/
+PREFIX = /usr
+BINDIR = $(PREFIX)/bin
+SBINDIR = $(PREFIX)/sbin
+LOADPOLICY  = $(SBINDIR)/load_policy
+CHECKPOLICY = $(BINDIR)/checkpolicy
+GENHOMEDIRCON = $(SBINDIR)/genhomedircon
+SETFILES = $(SBINDIR)/setfiles
+VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
+PREVERS := 20
+KERNVERS := $(shell cat /selinux/policyvers)
+MLSENABLED := $(shell cat /selinux/mls)
+POLICYVER := policy.$(VERS)
+TOPDIR = $(DESTDIR)/etc/selinux
+TYPE=mls
+
+INSTALLDIR = $(TOPDIR)/$(TYPE)
+POLICYPATH = $(INSTALLDIR)/policy
+SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
+CONTEXTPATH = $(INSTALLDIR)/contexts
+LOADPATH = $(POLICYPATH)/$(POLICYVER)
+FCPATH = $(CONTEXTPATH)/files/file_contexts
+HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
+
+ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
+ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
+ALL_TYPES := $(wildcard types/*.te)
+ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
+ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te 
+TE_RBAC_FILES := $(ALLTEFILES) rbac
+ALL_TUNABLES := $(wildcard tunables/*.tun )
+USER_FILES := users 
+POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
+ifeq ($(MLS),y)
+POLICYFILES += mls
+CHECKPOLMLS += -M
+endif
+ifeq ($(MCS), y)
+POLICYFILES += mcs
+CHECKPOLMLS += -M
+endif
+DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
+POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
+POLICYFILES += $(USER_FILES)
+POLICYFILES += constraints
+POLICYFILES += $(DEFCONTEXTFILES)
+CONTEXTFILES = $(DEFCONTEXTFILES)
+POLICY_DIRS = domains domains/program domains/misc macros macros/program
+
+UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
+
+FC = file_contexts/file_contexts
+HOMEDIR_TEMPLATE = file_contexts/homedir_template
+FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
+CONTEXTFILES += $(FCFILES)
+
+APPDIR=$(CONTEXTPATH)
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
+CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
+
+ROOTFILES = $(addprefix $(APPDIR)/users/,root)
+
+all:  policy
+
+tmp/valid_fc: $(LOADPATH) $(FC) 
+	@echo "Validating file contexts files ..."	
+	$(SETFILES) -q -c $(LOADPATH) $(FC)
+	@touch tmp/valid_fc
+
+install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
+
+$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
+	@mkdir -p $(USERPATH)
+	@echo "# " > tmp/system.users
+	@echo "# Do not edit this file. " >> tmp/system.users
+	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
+	@echo "# Please edit local.users to make local changes." >> tmp/system.users
+	@echo "#" >> tmp/system.users
+	@m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
+	install -m 644 tmp/system.users $@
+
+$(USERPATH)/local.users: local.users
+	@mkdir -p $(USERPATH)
+	install -b -m 644 $< $@
+
+$(CONTEXTPATH)/files/media: appconfig/media
+	@mkdir -p $(CONTEXTPATH)/files/
+	install -m 644 $< $@
+
+$(APPDIR)/default_contexts: appconfig/default_contexts
+	@mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/removable_context: appconfig/removable_context
+	@mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/customizable_types: policy.conf
+	@mkdir -p $(APPDIR)
+	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+	install -m 644 tmp/customizable_types $@ 
+
+$(APPDIR)/port_types: policy.conf
+	@mkdir -p $(APPDIR)
+	@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
+	install -m 644 tmp/port_types $@ 
+
+$(APPDIR)/default_type: appconfig/default_type
+	@mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/userhelper_context: appconfig/userhelper_context
+	@mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/initrc_context: appconfig/initrc_context
+	@mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/failsafe_context: appconfig/failsafe_context
+	@mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
+	@mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/users/root: appconfig/root_default_contexts
+	@mkdir -p $(APPDIR)/users
+	install -m 644 $< $@
+
+$(LOADPATH): policy.conf $(CHECKPOLICY) 
+	@echo "Compiling policy ..."
+	@mkdir -p $(POLICYPATH)
+	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
+ifneq ($(VERS),$(PREVERS))
+	$(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
+endif
+
+# Note: Can't use install, so not sure how to deal with mode, user, and group
+#	other than by default.
+
+policy: $(POLICYVER)
+
+$(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
+	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
+	@echo "Validating file contexts files ..."
+	$(SETFILES) -q -c $(POLICYVER) $(FC)
+
+reload tmp/load: $(LOADPATH) 
+	@echo "Loading Policy ..."
+	$(LOADPOLICY)
+	touch tmp/load
+
+load: tmp/load $(FCPATH) 
+
+enableaudit: policy.conf 
+	grep -v dontaudit policy.conf > policy.audit
+	mv policy.audit policy.conf
+
+policy.conf: $(POLICYFILES) $(POLICY_DIRS)
+	@echo "Building policy.conf ..."
+	@mkdir -p tmp
+	m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
+	@mv $@.tmp $@
+
+install-src: 
+	rm -rf $(SRCPATH)/policy.old
+	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
+	@mkdir -p $(SRCPATH)/policy
+	cp -R . $(SRCPATH)/policy
+
+tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
+	@mkdir -p tmp
+	( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
+	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
+	mv $@.tmp $@
+
+FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
+
+checklabels: $(SETFILES)
+	$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
+
+restorelabels: $(SETFILES)
+	$(SETFILES) -v $(FC) $(FILESYSTEMS)
+
+relabel:  $(FC) $(SETFILES)
+	$(SETFILES) $(FC) $(FILESYSTEMS)
+
+file_contexts/misc:
+	@mkdir -p file_contexts/misc
+
+$(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types $(APPDIR)/port_types
+	@echo "Installing file contexts files..."
+	@mkdir -p $(CONTEXTPATH)/files
+	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+	install -m 644 $(FC) $(FCPATH)
+	@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
+
+$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
+	@echo "Building file contexts files..."
+	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
+	@grep -v -e HOME -e ROLE -e USER $@.tmp > $@
+	@grep -e HOME -e ROLE -e USER $@.tmp  > $(HOMEDIR_TEMPLATE)
+	@-rm $@.tmp
+
+# Create a tags-file for the policy:
+# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
+pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs
+CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme
+ifeq ($(strip $(CTAGS)),)
+CTAGS := $(call pathsearch,ctags) # suse naming scheme
+endif
+
+tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te)
+	@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
+	@LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \
+	  --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \
+	  --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
+	  --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \
+	  --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
+	  --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
+ 
+clean:
+	rm -f policy.conf $(POLICYVER)
+	rm -f tags
+	rm -f tmp/*
+	rm -f $(FC)
+	rm -f flask/*.h
+# for the policy regression tester
+	find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \
+
+# Policy regression tester.
+# Written by Colin Walters <walters@debian.org>
+cur_te = $(filter-out %/,$(subst /,/ ,$@))
+
+TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))
+
+define compute_depends
+  export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
+endef
+
+
+ifeq ($(TE_DEPENDS_DEFINED),)
+ifeq ($(MAKECMDGOALS),check-all)
+  GENRULES := $(TESTED_TE_FILES)
+  export TE_DEPENDS_DEFINED := yes
+else
+  # Handle the case where checkunused/blah.te is run directly.
+  ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
+    GENRULES := $(TESTED_TE_FILES)
+    export TE_DEPENDS_DEFINED := yes
+  endif
+endif
+endif
+
+# Test for a new enough version of GNU Make.
+$(eval have_eval := yes)
+ifneq ($(GENRULES),)
+  ifeq ($(have_eval),)
+$(error Need GNU Make 3.80 or better!)
+Need GNU Make 3.80 or better
+  endif
+endif
+$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))
+
+PHONIES :=
+
+define compute_presymlinks
+PHONIES += presymlink/$(1)
+presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
+	@if ! test -L domains/program/$(1); then \
+	  cd domains/program && ln -s unused/$(1) .; \
+	fi
+endef
+
+# Compute dependencies.
+$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))
+
+PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
+$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : 
+	@$(MAKE) -s clean
+
+$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
+	@if test -n "$(TE_DEPENDS_$(cur_te))"; then \
+	  echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
+	fi
+	@echo "Testing $(cur_te)...";
+	@if ! make -s policy 1>/dev/null; then \
+	  echo "Testing $(cur_te)...FAILED"; \
+	  exit 1; \
+	fi;
+	@echo "Testing $(cur_te)...success."; \
+
+check-all:
+	@for goal in  $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
+	  $(MAKE) --no-print-directory $$goal; \
+	done
+
+.PHONY: clean $(PHONIES)
+
+mlsconvert: 
+	@for file in $(CONTEXTFILES); do \
+		echo "Converting $$file"; \
+		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
+		mv $$file.new $$file; \
+	done
+	@for file in $(USER_FILES); do \
+		echo "Converting $$file"; \
+		sed -e 's/;/ level s0 range s0 - s15:c0.c255;/' $$file > $$file.new && \
+		mv $$file.new $$file; \
+	done
+	@sed -e '/sid kernel/s/s0/s0 - s15:c0.c255/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+	@echo "Enabling MLS in the Makefile"
+	@sed "s/MLS=y/MLS=y/" Makefile > Makefile.new
+	@mv Makefile.new Makefile
+	@echo "Done"
+
+mcsconvert: 
+	@for file in $(CONTEXTFILES); do \
+		echo "Converting $$file"; \
+		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
+		mv $$file.new $$file; \
+	done
+	@for file in $(USER_FILES); do \
+		echo "Converting $$file"; \
+		sed -r -e 's/\;/ level s0 range s0;/' $$file | \
+		sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c255;/' > $$file.new; \
+		mv $$file.new $$file; \
+	done
+	@echo "Enabling MCS in the Makefile"
+	@sed "s/MCS=n/MCS=y/" Makefile > Makefile.new
+	@mv Makefile.new Makefile
+	@echo "Done"
+
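Review bot: the `mlsconvert` target grants every entry in `$(USER_FILES)` the full clearance `level s0 range s0 - s15:c0.c255;` via `sed -e 's/;/ level s0 range s0 - s15:c0.c255;/'`, with no distinction between ordinary users and system_u/root, unlike `mcsconvert`, which only widens the range for `user_u|root|system_u`; either document that the converted `users` file must be hand-edited afterwards or narrow the default range. The follow-up step `@sed "s/MLS=y/MLS=y/" Makefile > Makefile.new` is a no-op, so the "Enabling MLS in the Makefile" message is misleading; `MLS=y` is already the default at the top of this file, so either drop that step or mirror the `mcsconvert` form (`s/MCS=n/MCS=y/`). Minor: the `checkunused/%` recipe invokes `make -s policy` directly rather than `$(MAKE)`, which loses jobserver and `-n` propagation, and the `clean` recipe's `find ... -exec rm {} \; ; \` continuation ends on an empty line.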
diff --git a/mls/README b/mls/README
new file mode 100644
index 0000000..6818b66
--- /dev/null
+++ b/mls/README
@@ -0,0 +1,125 @@
+The Makefile targets are:
+policy - compile the policy configuration.
+install - compile and install the policy configuration.
+load    - compile, install, and load the policy configuration.
+relabel - relabel the filesystem.
+check-all - check individual additional policy files in domains/program/unused.
+checkunused/FILE.te - check individual file FILE from domains/program/unused.
+
+If you have configured MLS into your module, then set MLS=y in the
+Makefile prior to building the policy.  Of course, you must have also
+built checkpolicy with MLS enabled.  
+
+Three of the configuration files are independent of the particular
+security policy:
+1) flask/security_classes -
+   This file has a simple declaration for each security class.
+   The corresponding symbol definitions are in the automatically
+   generated header file <selinux/flask.h>. 
+
+2) flask/initial_sids - 
+   This file has a simple declaration for each initial SID.
+   The corresponding symbol definitions are in the automatically
+   generated header file <selinux/flask.h>.
+
+3) access_vectors - 
+   This file defines the access vectors.  Common prefixes for
+   access vectors may be defined at the beginning of the file.
+   After the common prefixes are defined, an access vector
+   may be defined for each security class.
+   The corresponding symbol definitions are in the automatically
+   generated header file <selinux/av_permissions.h>.
+
+In addition to being read by the security server, these configuration
+files are used during the kernel build to automatically generate
+symbol definitions used by the kernel for security classes, initial
+SIDs and permissions.  Since the symbol definitions generated from
+these files are used during the kernel build, the values of existing
+security classes and permissions may not be modified by load_policy.
+However, new classes may be appended to the list of classes and new
+permissions may be appended to the list of permissions associated with
+each access vector definition.
+
+The policy-dependent configuration files are:
+1) tmp/all.te -  
+   This file defines the Type Enforcement (TE) configuration.
+   This file is automatically generated from a collection of files.
+
+   The macros subdirectory contains a collection of m4 macro definitions
+   used by the TE configuration.  The global_macros.te file contains global 
+   macros used throughout the configuration for common groupings of classes 
+   and permissions and for common sets of rules.  The user_macros.te file
+   contains macros used in defining user domains.  The admin_macros.te file
+   contains macros used in defining admin domains.  The macros/program 
+   subdirectory contains macros that are used to instantiate derived domains
+   for certain programs that encode information about both the calling user
+   domain and the program, permitting the policy to maintain separation 
+   between different instances of the program.
+
+   The types subdirectory contains several files with declarations for
+   general types (types not associated with a particular domain) and 
+   some rules defining relationships among those types.  Related types 
+   are grouped together into each file in this directory, e.g. all
+   device type declarations are in the device.te file.
+
+   The domains subdirectory contains several files and directories
+   with declarations and rules for each domain.  User domains are defined in 
+   user.te.  Administrator domains are defined in admin.te.  Domains for 
+   specific programs, including both system daemons and other programs, are 
+   in the .te files within the domains/program subdirectory.  The domains/misc
+   subdirectory is for miscellaneous domains such as the kernel domain and
+   the kernel module loader domain.
+
+   The assert.te file contains assertions that are checked after evaluating 
+   the entire TE configuration.
+
+2) rbac - 
+   This file defines the Role-Based Access Control (RBAC) configuration.
+
+3) mls - 
+   This file defines the Multi-Level Security (MLS) configuration.
+
+4) users -
+   This file defines the users recognized by the security policy.
+
+5) constraints - 
+   This file defines additional constraints on permissions
+   in the form of boolean expressions that must be satisfied in order
+   for specified permissions to be granted.  These constraints
+   are used to further refine the type enforcement tables and
+   the role allow rules.  Typically, these constraints are used
+   to restrict changes in user identity or role to certain domains.
+
+6) initial_sid_contexts -
+   This file defines the security context for each initial SID.
+   A security context consists of a user identity, a role, a type and
+   optionally a MLS range if the MLS policy is enabled.  If left unspecified,
+   the high MLS level defaults to the low MLS level.  The syntax of a valid 
+   security context is:
+
+     user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
+
+7) fs_use -
+   This file defines the labeling behavior for inodes in particular
+   filesystem types.  
+
+8) genfs_contexts -
+   This file defines security contexts for files in filesystems that
+   cannot support persistent label mappings or use one of the fixed
+   labeling schemes specified in fs_use.
+
+8) net_contexts -
+   This file defines the security contexts of network objects
+   such as ports, interfaces, and nodes.
+
+9) file_contexts/{types.fc,program/*.fc}
+   These files define the security contexts for persistent files.
+
+It is possible to test the security server functions on a given policy
+configuration by running the checkpolicy program with the -d option.
+This program is built from the same sources as the security server
+component of the kernel, so it may be used both to verify that a
+policy configuration will load successfully and to determine how the
+security server would respond if it were using that policy
+configuration.  A menu-based interface is provided for calling any of
+the security server functions after the policy is loaded.
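Review bot: the policy-dependent file list numbers both `genfs_contexts` and `net_contexts` as "8)", so `file_contexts/{types.fc,program/*.fc}` should be "10)" rather than "9)". Item "1) tmp/all.te" does not match this tree: the Makefile in this same commit assembles the TE configuration straight into `policy.conf` with m4 and never writes `tmp/all.te`, so the README should name `policy.conf` (or the `tmp/program_used_flags.te` intermediate it actually creates). For consistency with items 1) and 2), item "3) access_vectors" should read `flask/access_vectors`, which is where the Makefile's `$(FLASKDIR)` prefix locates it.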
diff --git a/mls/VERSION b/mls/VERSION
new file mode 100644
index 0000000..3bae520
--- /dev/null
+++ b/mls/VERSION
@@ -0,0 +1 @@
+1.27.3
diff --git a/mls/appconfig/dbus_contexts b/mls/appconfig/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/mls/appconfig/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+  </selinux>
+</busconfig>
diff --git a/mls/appconfig/default_contexts b/mls/appconfig/default_contexts
new file mode 100644
index 0000000..5024209
--- /dev/null
+++ b/mls/appconfig/default_contexts
@@ -0,0 +1,12 @@
+system_r:sulogin_t:s0  sysadm_r:sysadm_t:s0 
+system_r:local_login_t:s0  staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0	user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
+system_r:xdm_t:s0		staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+staff_r:staff_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+user_r:user_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
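Review bot: lines 1, 2, 6, 7, 8 and 9 carry trailing whitespace after the last context, which some parsers tolerate but which makes future diffs noisy; trim it. Also confirm that the `mailman_r:user_crond_t:s0` pairing on the `system_r:crond_t:s0` line is authorized by the `rbac` file, since every other entry on that line pairs a role with its own `*_crond_t` type.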
diff --git a/mls/appconfig/default_type b/mls/appconfig/default_type
new file mode 100644
index 0000000..af878bd
--- /dev/null
+++ b/mls/appconfig/default_type
@@ -0,0 +1,4 @@
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+user_r:user_t
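Review bot: `secadm_r:secadm_t` is listed here as a default type for `secadm_r`, but no line in `default_contexts` or `root_default_contexts` in this commit ever offers `secadm_r` as a login, cron, su or sudo target, and `failsafe_context` and `userhelper_context` both name `sysadm_r`. If the security administrator role is meant to be reachable only through `newrole`, say so in the README; otherwise a `default_contexts` entry is missing.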
diff --git a/mls/appconfig/failsafe_context b/mls/appconfig/failsafe_context
new file mode 100644
index 0000000..999abd9
--- /dev/null
+++ b/mls/appconfig/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/mls/appconfig/initrc_context b/mls/appconfig/initrc_context
new file mode 100644
index 0000000..30ab971
--- /dev/null
+++ b/mls/appconfig/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0
diff --git a/mls/appconfig/media b/mls/appconfig/media
new file mode 100644
index 0000000..81f3463
--- /dev/null
+++ b/mls/appconfig/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/mls/appconfig/removable_context b/mls/appconfig/removable_context
new file mode 100644
index 0000000..7fcc56e
--- /dev/null
+++ b/mls/appconfig/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/mls/appconfig/root_default_contexts b/mls/appconfig/root_default_contexts
new file mode 100644
index 0000000..e9d95e8
--- /dev/null
+++ b/mls/appconfig/root_default_contexts
@@ -0,0 +1,9 @@
+system_r:local_login_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:crond_t:s0	sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+staff_r:staff_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
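Review bot: the comment "Uncomment if you want to automatically login as sysadm_r" suggests that leaving the `system_r:sshd_t:s0` line commented keeps root out of `sysadm_r` over ssh, but the system-wide `default_contexts` in this commit already lists `sysadm_r:sysadm_t:s0` for `system_r:sshd_t:s0` (after `user_r:user_t:s0` and `staff_r:staff_t:s0`). If the lookup for root falls through to `default_contexts` when this file has no matching entry, root may still land in `sysadm_r` for the roles it is authorized for; either confirm that behaviour is intended or add an explicit, more restrictive `sshd_t` line here instead of a commented one.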
diff --git a/mls/appconfig/userhelper_context b/mls/appconfig/userhelper_context
new file mode 100644
index 0000000..dc37a69
--- /dev/null
+++ b/mls/appconfig/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
diff --git a/mls/assert.te b/mls/assert.te
new file mode 100644
index 0000000..02b2878
--- /dev/null
+++ b/mls/assert.te
@@ -0,0 +1,156 @@
+##############################
+#
+# Assertions for the type enforcement (TE) configuration.
+#
+
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#
+
+##################################
+#
+# Access vector assertions.
+#
+# An access vector assertion specifies permissions that should not be in
+# an access vector based on a source type, a target type, and a class.
+# If any of the specified permissions are in the corresponding access
+# vector, then the policy compiler will reject the policy configuration.
+# Currently, there is only one kind of access vector assertion, neverallow, 
+# but support for the other kinds of vectors could be easily added.  Access 
+# vector assertions use the same syntax as access vector rules.
+#
+
+#
+# Verify that every type that can be entered by
+# a domain is also tagged as a domain.
+#
+neverallow domain ~domain:process { transition dyntransition };
+
+#
+# Verify that only the insmod_t and kernel_t domains 
+# have the sys_module capability.
+#
+neverallow {domain -privsysmod -unrestricted } self:capability sys_module;
+
+#
+# Verify that executable types, the system dynamic loaders, and the
+# system shared libraries can only be modified by administrators.
+#
+neverallow {domain  -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
+neverallow {domain  ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;
+
+#
+# Verify that only appropriate domains can access /etc/shadow
+neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
+neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
+
+#
+# Verify that only appropriate domains can write to /etc (IE mess with
+# /etc/passwd)
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };
+
+#
+# Verify that other system software can only be modified by administrators.
+#
+neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
+neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };
+
+#
+# Verify that only certain domains have access to the raw disk devices.
+#
+neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };
+
+#
+# Verify that only the X server and klogd have access to memory devices.
+#
+neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };
+
+#
+# Verify that only domains with the privlog attribute can actually syslog
+#
+neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };
+
+#
+# Verify that /proc/kmsg is only accessible to klogd.
+#
+neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;
+
+#
+# Verify that /proc/kcore is inaccessible.
+#
+
+neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
+
+#
+# Verify that sysctl variables are only changeable
+# by initrc and administrators.
+#
+neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
+neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
+neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };
+
+#
+# Verify that certain domains are limited to only being
+# entered by their entrypoint types and to only executing
+# the dynamic loader without a transition to another domain.
+#
+
+define(`assert_execute', `
+    ifelse($#, 0, , 
+           $#, 1, 
+           ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
+           `assert_execute($1) assert_execute(shift($@))')')
+
+ifdef(`getty.te', `assert_execute(getty)')
+ifdef(`klogd.te', `assert_execute(klogd)')
+ifdef(`tcpd.te', `assert_execute(tcpd)')
+ifdef(`portmap.te', `assert_execute(portmap)')
+ifdef(`syslogd.te', `assert_execute(syslogd)')
+ifdef(`rpcd.te', `assert_execute(rpcd)')
+ifdef(`rlogind.te', `assert_execute(rlogind)')
+ifdef(`ypbind.te', `assert_execute(ypbind)')
+ifdef(`xfs.te', `assert_execute(xfs)')
+ifdef(`gpm.te', `assert_execute(gpm)')
+ifdef(`ifconfig.te', `assert_execute(ifconfig)')
+ifdef(`iptables.te', `assert_execute(iptables)')
+
+ifdef(`login.te', `
+neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
+neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
+')
+
+#
+# Verify that the passwd domain can only be entered by its
+# entrypoint type and can only execute the dynamic loader
+# and the ordinary passwd program without a transition to another domain.
+#
+ifdef(`passwd.te', `
+neverallow passwd_t ~passwd_exec_t:file entrypoint;
+neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
+neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
+')
+
+#
+# Verify that only the admin domains and initrc_t have setenforce.
+#
+neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;
+
+#
+# Verify that only the kernel and load_policy_t have load_policy.
+#
+
+neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;
+
+#
+# for gross mistakes in policy
+neverallow * domain:dir ~r_dir_perms;
+neverallow * domain:file_class_set ~rw_file_perms;
+neverallow { domain unlabeled_t } file_type:process *;
+neverallow ~{ domain unlabeled_t } *:process *;
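Review bot: several assertion comments describe a different exemption set than the rule beneath them. The sys_module comment says only insmod_t and kernel_t hold the capability, but the neverallow exempts the privsysmod attribute; the memory-device comment names the X server and klogd, but the rule exempts privmem; the sysctl comment says only initrc and administrators may write, yet the sysctl_t rule also exempts kernel_t and insmod_t and the sysctl_kernel_t/sysctl_net_t rules exempt sysctl_kernel_writer and sysctl_net_writer. Reword the comments to name the attributes, so someone auditing the policy knows which attribute grants the exemption. Also state once at the top of the file that every assertion carries `-unrestricted`, i.e. any domain tagged with that attribute escapes all of these checks, so membership of unrestricted needs the same scrutiny as the assertions themselves.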
diff --git a/mls/attrib.te b/mls/attrib.te
new file mode 100644
index 0000000..44e2f70
--- /dev/null
+++ b/mls/attrib.te
@@ -0,0 +1,562 @@
+#
+# Declarations for type attributes.
+# 
+
+# A type attribute can be used to identify a set of types with a similar
+# property.  Each type can have any number of attributes, and each
+# attribute can be associated with any number of types.  Attributes are
+# explicitly declared here, and can then be associated with particular
+# types in type declarations.  Attribute names can then be used throughout 
+# the configuration to express the set of types that are associated with 
+# the attribute.  Attributes have no implicit meaning to SELinux.  The
+# meaning of all attributes are completely defined through their
+# usage within the configuration, but should be documented here as
+# comments preceding the attribute declaration.  
+
+#####################
+# Attributes for MLS:
+#
+
+# Common Terminology
+# 	MLS Range: low-high
+#		low referred to as "Effective Sensitivity Label (SL)"
+#		high referred to as "Clearance SL"
+
+
+#
+# File System MLS attributes/privileges
+#
+# Grant MLS read access to files not dominated by the process Effective SL
+attribute mlsfileread;
+# Grant MLS read access to files dominated by the process Clearance SL
+attribute mlsfilereadtoclr;
+# Grant MLS write access to files not equal to the Effective SL
+attribute mlsfilewrite;
+# Grant MLS write access to files which dominate the process Effective SL
+# and are dominated by the process Clearance SL
+attribute mlsfilewritetoclr;
+# Grant MLS ability to change file label to a new label which dominates
+# the old label  
+attribute mlsfileupgrade;
+# Grant MLS ability to change file label to a new label which is
+# dominated by or incomparable to the old label
+attribute mlsfiledowngrade;
+
+#
+# Network MLS attributes/privileges
+#
+# Grant MLS read access to packets not dominated by the process Effective SL
+attribute mlsnetread;
+# Grant MLS read access to packets dominated by the process Clearance SL
+attribute mlsnetreadtoclr;
+# Grant MLS write access to packets not equal to the Effective SL
+attribute mlsnetwrite;
+# Grant MLS write access to packets which dominate the Effective SL
+# and are dominated by the process Clearance SL
+attribute mlsnetwritetoclr;
+# Grant MLS read access to packets from hosts or interfaces which dominate
+# or incomparable to the process Effective SL
+attribute mlsnetrecvall;
+# Grant MLS ability to change socket label to a new label which dominates
+# the old label  
+attribute mlsnetupgrade;
+# Grant MLS ability to change socket label to a new label which is
+# dominated by or incomparable to the old label
+attribute mlsnetdowngrade;
+
+#
+# IPC MLS attributes/privileges
+#
+# Grant MLS read access to IPC objects not dominated by the process Effective SL
+attribute mlsipcread;
+# Grant MLS read access to IPC objects dominated by the process Clearance SL
+attribute mlsipcreadtoclr;
+# Grant MLS write access to IPC objects not equal to the process Effective SL
+attribute mlsipcwrite;
+# Grant MLS write access to IPC objects which dominate the process Effective SL
+# and are dominated by the process Clearance SL
+attribute mlsipcwritetoclr;
+
+#
+# Process MLS attributes/privileges
+#
+# Grant MLS read access to processes not dominated by the process Effective SL
+attribute mlsprocread;
+# Grant MLS read access to processes dominated by the process Clearance SL
+attribute mlsprocreadtoclr;
+# Grant MLS write access to processes not equal to the Effective SL
+attribute mlsprocwrite;
+# Grant MLS write access to processes which dominate the process Effective SL
+# and are dominated by the process Clearance SL
+attribute mlsprocwritetoclr;
+# Grant MLS ability to change Effective SL or Clearance SL of process to a
+# label dominated by the Clearance SL
+attribute mlsprocsetsl;
+
+#
+# X Window MLS attributes/privileges
+#
+# Grant MLS read access to X objects not dominated by the process Effective SL
+attribute mlsxwinread;
+# Grant MLS read access to X objects dominated by the process Clearance SL
+attribute mlsxwinreadtoclr;
+# Grant MLS write access to X objects not equal to the process Effective SL
+attribute mlsxwinwrite;
+# Grant MLS write access to X objects which dominate the process Effective SL
+# and are dominated by the process Clearance SL
+attribute mlsxwinwritetoclr;
+# Grant MLS read access to X properties not dominated by
+# the process Effective SL
+attribute mlsxwinreadproperty;
+# Grant MLS write access to X properties not equal to the process Effective SL
+attribute mlsxwinwriteproperty;
+# Grant MLS read access to X colormaps not dominated by
+# the process Effective SL
+attribute mlsxwinreadcolormap;
+# Grant MLS write access to X colormaps not equal to the process Effective SL
+attribute mlsxwinwritecolormap;
+# Grant MLS write access to X xinputs not equal to the process Effective SL
+attribute mlsxwinwritexinput;
+
+# Grant MLS read/write access to objects which internally arbitrate MLS
+attribute mlstrustedobject;
+
+#
+# Both of the following attributes are needed for a range transition to succeed
+#
+# Grant ability for the current domain to change SL upon process transition
+attribute privrangetrans;
+# Grant ability for the new process domain to change SL upon process transition
+attribute mlsrangetrans;
+
+#########################
+# Attributes for domains:
+#
+
+# The domain attribute identifies every type that can be 
+# assigned to a process.  This attribute is used in TE rules 
+# that should be applied to all domains, e.g. permitting 
+# init to kill all processes.
+attribute domain;
+
+# The daemon attribute identifies domains for system processes created via
+# the daemon_domain, daemon_base_domain, and init_service_domain macros.
+attribute daemon;
+
+# The privuser attribute identifies every domain that can 
+# change its SELinux user identity.  This attribute is used 
+# in the constraints configuration.  NOTE:  This attribute
+# is not required for domains that merely change the Linux
+# uid attributes, only for domains that must change the
+# SELinux user identity.  Also note that this attribute makes
+# no sense without the privrole attribute.
+attribute privuser;
+
+# The privrole attribute identifies every domain that can 
+# change its SELinux role.  This attribute is used in the 
+# constraints configuration.
+attribute privrole;
+
+# The userspace_objmgr attribute identifies every domain
+# which enforces its own policy.
+attribute userspace_objmgr;
+
+# The priv_system_role attribute identifies every domain that can
+# change role from a user role to system_r role, and identity from a user
+# identity to system_u.  It is used in the constraints configuration.
+attribute priv_system_role;
+
+# The privowner attribute identifies every domain that can 
+# assign a different SELinux user identity to a file, or that
+# can create a file with an identity that is not the same as the
+# process identity.  This attribute is used in the constraints
+# configuration.
+attribute privowner;
+
+# The privlog attribute identifies every domain that can 
+# communicate with syslogd through its Unix domain socket.
+# There is an assertion that other domains can not do it,
+# and an allow rule to permit it
+attribute privlog;
+
+# The privmodule attribute identifies every domain that can run
+# modprobe, there is an assertion that other domains can not do it,
+# and an allow rule to permit it
+attribute privmodule;
+
+# The privsysmod attribute identifies every domain that can have the
+# sys_module capability
+attribute privsysmod;
+
+# The privmem attribute identifies every domain that can 
+# access kernel memory devices.
+# This attribute is used in the TE assertions to verify
+# that such access is limited to domains that are explicitly
+# tagged with this attribute.
+attribute privmem;
+
+# The privkmsg attribute identifies every domain that can 
+# read kernel messages (/proc/kmsg)
+# This attribute is used in the TE assertions to verify
+# that such access is limited to domains that are explicitly
+# tagged with this attribute.
+attribute privkmsg;
+
+# The privfd attribute identifies every domain that should have
+# file handles inherited widely (IE sshd_t and getty_t).
+attribute privfd;
+
+# The privhome attribute identifies every domain that can create files under
+# regular user home directories in the regular context (IE act on behalf of
+# a user in writing regular files)
+attribute privhome;
+
+# The auth attribute identifies every domain that needs
+# to read /etc/shadow, and grants the permission.
+attribute auth;
+
+# The auth_bool attribute identifies every domain that can 
+# read /etc/shadow if its boolean is set;
+attribute auth_bool;
+
+# The auth_write attribute identifies every domain that can have write or
+# relabel access to /etc/shadow, but does not grant it.
+attribute auth_write;
+
+# The auth_chkpwd attribute identifies every system domain that can
+# authenticate users by running unix_chkpwd
+attribute auth_chkpwd;
+
+# The change_context attribute identifies setfiles_t, restorecon_t, and other
+# system domains that change the context of most/all files on the system
+attribute change_context;
+
+# The etc_writer attribute identifies every domain that can write to etc_t
+attribute etc_writer;
+
+# The sysctl_kernel_writer attribute identifies domains that can write to
+# sysctl_kernel_t, in addition the admin attribute is permitted write access
+attribute sysctl_kernel_writer;
+
+# the sysctl_net_writer attribute identifies domains that can write to
+# sysctl_net_t files.
+attribute sysctl_net_writer;
+
+# The sysctl_type attribute identifies every type that is assigned
+# to a sysctl entry.  This can be used in allow rules to grant
+# permissions to all sysctl entries without enumerating each individual
+# type, but should be used with care.
+attribute sysctl_type;
+
+# The admin attribute identifies every administrator domain.
+# It is used in TE assertions when verifying that only administrator 
+# domains have certain permissions.  
+# This attribute is presently associated with sysadm_t and 
+# certain administrator utility domains.  
+# XXX The use of this attribute should be reviewed for consistency.
+# XXX Might want to partition into several finer-grained attributes 
+# XXX used in different assertions within assert.te.
+attribute admin;
+
+# The secadmin attribute identifies every security administrator domain.
+# It is used in TE assertions when verifying that only administrator 
+# domains have certain permissions.  
+# This attribute is presently associated with sysadm_t and secadm_t
+attribute secadmin;
+
+# The userdomain attribute identifies every user domain, presently
+# user_t and sysadm_t.  It is used in TE rules that should be applied
+# to all user domains.
+attribute userdomain;
+
+# for a small domain that can only be used for newrole
+attribute user_mini_domain;
+
+# pty for the mini domain
+attribute mini_pty_type;
+
+# pty created by a server such as sshd
+attribute server_pty;
+
+# attribute for all non-administrative devpts types
+attribute userpty_type;
+
+# The user_tty_type identifies every type for a tty or pty owned by an
+# unpriviledged user
+attribute user_tty_type;
+
+# The admin_tty_type identifies every type for a tty or pty owned by a
+# priviledged user
+attribute admin_tty_type;
+
+# The user_crond_domain attribute identifies every user_crond domain, presently
+# user_crond_t and sysadm_crond_t.  It is used in TE rules that should be
+# applied to all user domains.
+attribute user_crond_domain;
+
+# The unpriv_userdomain identifies non-administrative users (default user_t)
+attribute unpriv_userdomain;
+
+# This attribute is for the main user home directory for unpriv users
+attribute user_home_dir_type;
+
+# The gphdomain attribute identifies every gnome-pty-helper derived
+# domain.  It is used in TE rules to permit inheritance and use of
+# descriptors created by these domains.
+attribute gphdomain;
+
+# The fs_domain identifies every domain that may directly access a fixed disk
+attribute fs_domain;
+
+# This attribute is for all domains for the userhelper program.
+attribute userhelperdomain;
+
+############################
+# Attributes for file types:
+#
+
+# The file_type attribute identifies all types assigned to files 
+# in persistent filesystems.  It is used in TE rules to permit
+# the association of all such file types with persistent filesystem
+# types, and to permit certain domains to access all such types as 
+# appropriate.
+attribute file_type;
+
+# The secure_file_type attribute identifies files 
+# which will be treated with a higer level of security.
+# Most domains will be prevented from manipulating files in this domain
+attribute secure_file_type;
+
+# The device_type attribute identifies all types assigned to device nodes
+attribute device_type;
+
+# The proc_fs attribute identifies all types that may be assigned to
+# files under /proc.
+attribute proc_fs;
+
+# The dev_fs attribute identifies all types that may be assigned to
+# files, sockets, or pipes under /dev.
+attribute dev_fs;
+
+# The sysadmfile attribute identifies all types assigned to files 
+# that should be completely accessible to administrators.  It is used
+# in TE rules to grant such access for administrator domains.
+attribute sysadmfile;
+
+# The secadmfile attribute identifies all types assigned to files 
+# that should be only accessible to security administrators.  It is used
+# in TE rules to grant such access for security administrator domains.
+attribute secadmfile;
+
+# The fs_type attribute identifies all types assigned to filesystems
+# (not limited to persistent filesystems).
+# It is used in TE rules to permit certain domains to mount
+# any filesystem and to permit most domains to obtain the
+# overall filesystem statistics.
+attribute fs_type;
+
+# The mount_point attribute identifies all types that can serve
+# as a mount point (for the mount binary). It is used in the mount 
+# policy to grant mounton permission, and in other domains to grant 
+# getattr permission over all the mount points.
+attribute mount_point;
+
+# The exec_type attribute identifies all types assigned
+# to entrypoint executables for domains.  This attribute is 
+# used in TE rules and assertions that should be applied to all 
+# such executables.
+attribute exec_type;
+
+# The tmpfile attribute identifies all types assigned to temporary 
+# files.  This attribute is used in TE rules to grant certain 
+# domains the ability to remove all such files (e.g. init, crond).
+attribute tmpfile;
+
+# The user_tmpfile attribute identifies all types associated with temporary
+# files for unpriv_userdomain domains.
+attribute user_tmpfile;
+
+# for the user_xserver_tmp_t etc
+attribute xserver_tmpfile;
+
+# The tmpfsfile attribute identifies all types defined for tmpfs 
+# type transitions. 
+# It is used in TE rules to grant certain domains the ability to
+# access all such files.
+attribute tmpfsfile;
+
+# The home_type attribute identifies all types assigned to home
+# directories.  This attribute is used in TE rules to grant certain
+# domains the ability to access all home directory types.
+attribute home_type;
+
+# This attribute is for the main user home directory /home/user, to
+# distinguish it from sub-dirs.  Often you want a process to be able to
+# read the user home directory but not read the regular directories under it.
+attribute home_dir_type;
+
+# The ttyfile attribute identifies all types assigned to ttys.
+# It is used in TE rules to grant certain domains the ability to
+# access all ttys.
+attribute ttyfile;
+
+# The ptyfile attribute identifies all types assigned to ptys.
+# It is used in TE rules to grant certain domains the ability to
+# access all ptys.
+attribute ptyfile;
+
+# The pidfile attribute identifies all types assigned to pid files.
+# It is used in TE rules to grant certain domains the ability to
+# access all such files.
+attribute pidfile;
+
+
+############################
+# Attributes for network types:
+#
+
+# The socket_type attribute identifies all types assigned to 
+# kernel-created sockets.  Ordinary sockets are assigned the 
+# domain of the creating process.
+# XXX This attribute is unused.  Remove?
+attribute socket_type;
+
+# Identifies all types assigned to port numbers to control binding.
+attribute port_type;
+
+# Identifies all types assigned to reserved port (<1024) numbers to control binding.
+attribute reserved_port_type;
+
+# Identifies all types assigned to network interfaces to control
+# operations on the interface (XXX obsolete, not supported via LSM) 
+# and to control traffic sent or received on the interface.
+attribute netif_type;
+
+# Identifies all default types assigned to packets received 
+# on network interfaces.  
+attribute netmsg_type;
+
+# Identifies all types assigned to network nodes/hosts to control
+# traffic sent to or received from the node.
+attribute node_type;
+
+# Identifier for log files or directories that only exist for log files.
+attribute logfile;
+
+# Identifier for lock files (/var/lock/*) or directories that only exist for
+# lock files.
+attribute lockfile;
+
+
+
+##############################
+# Attributes for security policy types:
+#
+
+# The login_contexts attribute idenitifies the files used
+# to define default contexts for login types (e.g., login, cron).
+attribute login_contexts;
+
+# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
+# sysadm_mail_t, etc)
+attribute user_mail_domain;
+
+# Identifies domains that can transition to system_mail_t
+attribute privmail;
+
+# Type for non-sysadm home directory
+attribute user_home_type;
+
+# For domains that are part of a mail server and need to read user files and
+# fifos, and inherit file handles to enable user email to get to the mail
+# spool
+attribute mta_user_agent;
+
+# For domains that are part of a mail server for delivering messages to the
+# user
+attribute mta_delivery_agent;
+
+# For domains that make outbound TCP port 25 connections to send mail from the
+# mail server.
+attribute mail_server_sender;
+
+# For a mail server process that takes TCP connections on port 25
+attribute mail_server_domain;
+
+# For web clients such as netscape and squid
+attribute web_client_domain;
+
+# For X Window System server domains
+attribute xserver;
+
+# For X Window System client domains
+attribute xclient;
+
+# For X Window System protocol extensions
+attribute xextension;
+
+# For X Window System property types
+attribute xproperty;
+
+#
+# For file systems that do not have extended attributes but need to be
+# r/w by users
+#
+attribute noexattrfile;
+
+#
+# For filetypes that the usercan read
+#
+attribute usercanread;
+
+#
+# For serial devices
+#
+attribute serial_device;
+
+# Attribute to designate unrestricted access
+attribute unrestricted;
+
+# Attribute to designate can transition to unconfined_t
+attribute unconfinedtrans;
+
+# For clients of nscd.
+attribute nscd_client_domain;
+
+# For clients of nscd that can use shmem interface.
+attribute nscd_shmem_domain;
+
+# For labeling of content for httpd.  This attribute is only used by
+# the httpd_unified domain, which says treat all httpdcontent the
+# same.  If you want content to be served in a "non-unified" system
+# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
+# your policy.
+attribute httpdcontent;
+
+# For labeling of domains whos transition can be disabled
+attribute transitionbool;
+
+# For labelling daemons that should not have a range transition to "s0"
+# included in the daemon_base_domain macro
+attribute no_daemon_range_trans;
+
+# For labeling of file_context domains which users can change files to rather
+# then the default file context.  These file_context can survive a relabeling
+# of the file system.
+attribute customizable;
+
+##############################
+# Attributes for polyinstatiation support:
+#
+
+# For labeling types that are to be polyinstantiated
+attribute polydir;
+
+# And for labeling the parent directories of those polyinstantiated directories
+# This is necessary for remounting the original in the parent to give
+# security aware apps access
+attribute polyparent;
+
+# And labeling for the member directories
+attribute polymember;
+
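Review bot: the comment on `attribute unrestricted` ("Attribute to designate unrestricted access") does not say what the attribute actually does in this policy: every neverallow in assert.te lists `-unrestricted`, so a domain carrying it is exempt from all of the TE assertions. Spell that out here, as the privmem and privkmsg comments do, so it is not added to a domain casually. Comment typos while here: "priviledged" (user_tty_type and admin_tty_type), "higer" (secure_file_type), "idenitifies" (login_contexts), "usercan read" (usercanread), "whos" (transitionbool), "rather then" (customizable), "polyinstatiation" (section header), and "The meaning of all attributes are" should read "is". The `XXX This attribute is unused.  Remove?` on socket_type and the three XXX lines on admin are open questions being committed as-is; resolve them or point at a tracking item.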
diff --git a/mls/constraints b/mls/constraints
new file mode 100644
index 0000000..46a9875
--- /dev/null
+++ b/mls/constraints
@@ -0,0 +1,83 @@
+#
+# Define m4 macros for the constraints
+#
+
+#
+# Define the constraints
+#
+# constrain class_set perm_set expression ;
+#
+# validatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for validatetrans)
+#	     | r3 op names (NOTE: this is only available for validatetrans)
+#	     | t3 op names (NOTE: this is only available for validatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name#
+#
+
+#
+# Restrict the ability to transition to other users
+# or roles to a few privileged types.
+#
+
+constrain process transition
+	( u1 == u2 or ( t1 == privuser and t2 == userdomain )
+ifdef(`crond.te', `
+         or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
+')
+ifdef(`userhelper.te', 
+	`or (t1 == userhelperdomain)')
+	 or (t1 == priv_system_role and u2 == system_u )
+        );
+
+constrain process transition 
+	( r1 == r2 or ( t1 == privrole and t2 == userdomain )
+ifdef(`crond.te', `
+         or (t1 == crond_t and t2 == user_crond_domain)
+')
+ifdef(`userhelper.te', 
+	`or (t1 == userhelperdomain)')
+ifdef(`postfix.te', `
+ifdef(`direct_sysadm_daemon',
+	`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
+')
+	 or (t1 == priv_system_role and r2 == system_r )
+        );
+
+constrain process dyntransition
+	( u1 == u2 and r1 == r2);
+
+#
+# Restrict the ability to label objects with other
+# user identities to a few privileged types.
+#
+
+constrain dir_file_class_set { create relabelto relabelfrom } 
+	( u1 == u2 or t1 == privowner );
+
+constrain socket_class_set { create relabelto relabelfrom } 
+	( u1 == u2 or t1 == privowner );
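Review bot: the grammar comment has a stray `#` at the end of `name_list : name | name_list name#`, and the opening header "Define m4 macros for the constraints" is stale because the file defines no macros; drop or reword it. The `or (...)` continuation lines in the two process transition constraints mix tabs and spaces, which makes the nested ifdef blocks hard to follow; pick one indentation style.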
diff --git a/mls/domains/admin.te b/mls/domains/admin.te
new file mode 100644
index 0000000..464cc91
--- /dev/null
+++ b/mls/domains/admin.te
@@ -0,0 +1,43 @@
+#DESC Admin - Domains for administrators.
+#
+#################################
+
+# sysadm_t is the system administrator domain.
+type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
+ifdef(`direct_sysadm_daemon', `, priv_system_role, privrangetrans')
+; dnl end of sysadm_t type declaration
+
+allow privhome home_root_t:dir { getattr search };
+
+# system_r is authorized for sysadm_t for single-user mode.
+role system_r types sysadm_t; 
+
+general_proc_read_access(sysadm_t)
+
+# sysadm_t is also granted permissions specific to administrator domains.
+admin_domain(sysadm)
+
+# for su
+allow sysadm_t userdomain:fd use;
+
+ifdef(`separate_secadm', `', `
+security_manager_domain(sysadm_t)
+')
+
+# Add/remove user home directories
+file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
+
+limited_user_role(secadm)
+typeattribute secadm_t admin;
+role secadm_r types secadm_t; 
+security_manager_domain(secadm_t)
+r_dir_file(secadm_t, { var_t var_log_t })
+
+typeattribute secadm_tty_device_t admin_tty_type;
+typeattribute secadm_devpts_t admin_tty_type;
+
+bool allow_ptrace false;
+
+if (allow_ptrace) {
+can_ptrace(sysadm_t, domain)
+}
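Review bot: `allow privhome home_root_t:dir { getattr search };` is an attribute-wide rule that applies to every privhome domain, not only sysadm_t; it belongs beside the privhome declaration or in the macro that tags domains with privhome, rather than in admin.te where it is easy to miss when auditing what privhome grants. The `allow_ptrace` boolean also has no comment: add a line saying it lets sysadm_t ptrace every domain (`can_ptrace(sysadm_t, domain)`) and defaults to false, matching the comment style of the other rules in this file.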
diff --git a/mls/domains/misc/auth-net.te b/mls/domains/misc/auth-net.te
new file mode 100644
index 0000000..e954a9b
--- /dev/null
+++ b/mls/domains/misc/auth-net.te
@@ -0,0 +1,3 @@
+#DESC Policy for using network servers for authenticating users (IE PAM-LDAP)
+
+can_network(auth)
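Review bot: `can_network(auth)` grants network access to every domain carrying the auth attribute, which attrib.te defines as every domain that needs to read /etc/shadow, not only those that talk to a PAM-LDAP server. The DESC line should state that scope explicitly so that installing this file is a deliberate choice, and a narrower attribute for network-authenticating domains would keep the rest of the auth domains off the network.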
diff --git a/mls/domains/misc/fcron.te b/mls/domains/misc/fcron.te
new file mode 100644
index 0000000..57209be
--- /dev/null
+++ b/mls/domains/misc/fcron.te
@@ -0,0 +1,30 @@
+#DESC fcron - additions to cron policy for a more powerful cron program
+#
+# Domain for fcron, a more powerful cron program.
+#
+# Needs cron.te installed.
+#
+# Author: Russell Coker <russell@coker.com.au>
+
+# Use capabilities.
+allow crond_t self:capability { dac_override dac_read_search };
+
+# differences between r_dir_perms and rw_dir_perms
+allow crond_t cron_spool_t:dir { add_name remove_name write };
+
+ifdef(`mta.te', `
+# not sure why we need write access, but Postfix does not work without it
+# I will have to change fcron to avoid the need for this
+allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };
+')
+
+ifdef(`distro_debian', `
+can_exec(dpkg_t, crontab_exec_t)
+file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)
+')
+
+rw_dir_create_file(crond_t, cron_spool_t)
+can_setfscreate(crond_t)
+
+# for /var/run/fcron.fifo
+file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)
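Review bot: the block guarded by ifdef(`mta.te') grants `{ read write getattr }` on cron_spool_t files to system_mail_t and to every mta_user_agent domain, and its comment admits the write permission is unexplained; tag it XXX/TODO so it is tracked rather than silently kept. Also `allow crond_t cron_spool_t:dir { add_name remove_name write };` looks redundant with `rw_dir_create_file(crond_t, cron_spool_t)` a few lines later if that macro grants rw_dir_perms on the directory; keep one of the two.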
diff --git a/mls/domains/misc/kernel.te b/mls/domains/misc/kernel.te
new file mode 100644
index 0000000..5b13c0f
--- /dev/null
+++ b/mls/domains/misc/kernel.te
@@ -0,0 +1,75 @@
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#
+
+#################################
+#
+# Rules for the kernel_t domain.
+#
+
+#
+# kernel_t is the domain of kernel threads.
+# It is also the target type when checking permissions in the system class.
+# 
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
+role system_r types kernel_t;
+general_domain_access(kernel_t)
+general_proc_read_access(kernel_t)
+base_file_read_access(kernel_t)
+uses_shlib(kernel_t)
+can_exec(kernel_t, shell_exec_t)
+
+# Use capabilities.
+allow kernel_t self:capability *;
+
+r_dir_file(kernel_t, sysfs_t)
+allow kernel_t { usbfs_t usbdevfs_t }:dir search;
+
+# Run init in the init_t domain.
+domain_auto_trans(kernel_t, init_exec_t, init_t)
+
+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+')
+
+# Share state with the init process.
+allow kernel_t init_t:process share;
+
+# Mount and unmount file systems.
+allow kernel_t fs_type:filesystem mount_fs_perms;
+
+# Send signal to any process.
+allow kernel_t domain:process signal;
+allow kernel_t domain:dir search;
+
+# Access the console.
+allow kernel_t device_t:dir search;
+allow kernel_t console_device_t:chr_file rw_file_perms;
+
+# Access the initrd filesystem.
+allow kernel_t file_t:chr_file rw_file_perms;
+can_exec(kernel_t, file_t)
+ifdef(`chroot.te', `
+can_exec(kernel_t, chroot_exec_t)
+')
+allow kernel_t self:capability sys_chroot;
+
+allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
+allow kernel_t unlabeled_t:fifo_file rw_file_perms;
+allow kernel_t file_t:dir rw_dir_perms;
+allow kernel_t file_t:blk_file create_file_perms;
+allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
+
+# Lookup the policy.
+allow kernel_t policy_config_t:dir r_dir_perms;
+
+# Load the policy configuration.
+can_loadpol(kernel_t)
+
+# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
+can_exec(kernel_t, bin_t)
+
+ifdef(`targeted_policy', `
+unconfined_domain(kernel_t)
+')
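Review bot: `allow kernel_t self:capability sys_chroot;` is redundant, since `allow kernel_t self:capability *;` earlier in this hunk already grants every capability; drop the narrower rule or, if the wildcard is meant to go, replace it with the explicit list. Also worth a comment: `can_exec(kernel_t, file_t)` and `can_exec(kernel_t, bin_t)` let kernel_t execute unlabeled initrd content and anything in bin_t without a domain transition, and the `range_transition kernel_t init_exec_t s0 - s15:c0.c255;` hands init the full MLS range; a sentence next to each explaining why that is required (initrd execution before policy load, `/proc/sys/kernel/modprobe` pointing at `/bin/true`) would save the next reader from having to reconstruct it.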
diff --git a/mls/domains/misc/local.te b/mls/domains/misc/local.te
new file mode 100644
index 0000000..cedba3c
--- /dev/null
+++ b/mls/domains/misc/local.te
@@ -0,0 +1,5 @@
+# Local customization of existing policy should be done in this file.  
+# If you are creating brand new policy for a new "target" domain, you
+# need to create a type enforcement (.te) file in domains/program
+# and a file context (.fc) file in file_context/program.
+
diff --git a/mls/domains/misc/startx.te b/mls/domains/misc/startx.te
new file mode 100644
index 0000000..16c4910
--- /dev/null
+++ b/mls/domains/misc/startx.te
@@ -0,0 +1,7 @@
+#DESC startx - policy for running an X server from a user domain
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+# Everything is in the macro files
+
diff --git a/mls/domains/misc/userspace_objmgr.te b/mls/domains/misc/userspace_objmgr.te
new file mode 100644
index 0000000..ae3b205
--- /dev/null
+++ b/mls/domains/misc/userspace_objmgr.te
@@ -0,0 +1,13 @@
+#DESC Userspace Object Managers
+#
+#################################
+
+# Get our own security context.
+can_getcon(userspace_objmgr)
+# Get security decisions via selinuxfs.
+can_getsecurity(userspace_objmgr)
+# Read /etc/selinux
+r_dir_file(userspace_objmgr, { selinux_config_t default_context_t })
+# Receive notifications of policy reloads and enforcing status changes.
+allow userspace_objmgr self:netlink_selinux_socket { create bind read };
+
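Review bot: the attribute `userspace_objmgr` is used on every rule in this file but declared nowhere in it; add a comment naming the file that declares it (presumably the attribute definitions) and the domains expected to carry it, so a reader can tell which domains actually receive `netlink_selinux_socket { create bind read }` and access to `{ selinux_config_t default_context_t }`.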
diff --git a/mls/domains/misc/xclient.te b/mls/domains/misc/xclient.te
new file mode 100644
index 0000000..ae4552f
--- /dev/null
+++ b/mls/domains/misc/xclient.te
@@ -0,0 +1,14 @@
+#
+# Authors:  Eamon Walsh <ewalsh@epoch.ncsc.mil>
+#
+
+#######################################
+#
+# Domains for the SELinux-enabled X Window System
+#
+
+#
+# Domain for all non-local X clients
+#
+type remote_xclient_t, domain;
+in_user_role(remote_xclient_t)
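Review bot: `remote_xclient_t` is declared as a domain and placed in the user roles, but this file contains no entrypoint, transition or allow rules for it, so as written nothing can run in it. If the label is meant to be assigned by the X server's userspace object manager rather than reached by a domain transition, say so in the comment above the type declaration; otherwise the rules that populate the domain are missing.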
diff --git a/mls/domains/program/NetworkManager.te b/mls/domains/program/NetworkManager.te
new file mode 100644
index 0000000..922b4f5
--- /dev/null
+++ b/mls/domains/program/NetworkManager.te
@@ -0,0 +1,122 @@
+#DESC NetworkManager - 
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon. 
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+ifdef(`named.te', `
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow named_t NetworkManager_t:netlink_route_socket { read write };
+allow NetworkManager_t named_t:process signal;
+allow named_t NetworkManager_t:packet_socket { read write };
+')
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t self:dbus send_msg;
+ifdef(`hald.te', `
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+allow NetworkManager_t initrc_t:dbus send_msg;
+allow initrc_t NetworkManager_t:dbus send_msg;
+ifdef(`targeted_policy', `
+allow NetworkManager_t unconfined_t:dbus send_msg;
+allow unconfined_t NetworkManager_t:dbus send_msg;
+')
+allow NetworkManager_t userdomain:dbus send_msg;
+allow userdomain NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+r_dir_file(NetworkManager_t, proc_net_t)
+
+allow NetworkManager_t { domain -unrestricted }:dir search;
+allow NetworkManager_t { domain -unrestricted }:file { getattr read };
+dontaudit NetworkManager_t unrestricted:dir search;
+dontaudit NetworkManager_t unrestricted:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+ifdef(`modutil.te', `
+if (!secure_mode_insmod) {
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
+}
+')
+
+allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
+# allow vpnc connections
+allow NetworkManager_t self:rawip_socket create_socket_perms;
+allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
+
+domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
+domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
+ifdef(`vpnc.te', `
+domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
+')
+
+ifdef(`dhcpc.te', `
+allow NetworkManager_t dhcp_state_t:dir search;
+allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
+')
+allow NetworkManager_t var_lib_t:dir search;
+dontaudit NetworkManager_t user_tty_type:chr_file { read write };
+dontaudit NetworkManager_t security_t:dir search;
+
+ifdef(`consoletype.te', `
+can_exec(NetworkManager_t, consoletype_exec_t)
+')
+
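Review bot: `allow NetworkManager_t port_type:tcp_socket name_connect;` lets the daemon connect to every TCP port on the system, which is far broader than the explicit bind rules on the next line suggest; narrow it to the port types NetworkManager actually needs, or put it behind a boolean the way the `secure_mode_insmod` check is done later in this hunk. Related: `sys_module` in the `self:capability` list duplicates the `domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)` path, so one of the two is probably unnecessary, and `{ domain -unrestricted }:file { getattr read }` gives read access to the /proc entries of every confined domain with no comment explaining why. Finally, the `#DESC NetworkManager - ` header has an empty description; every other file in this patch carries one.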
diff --git a/mls/domains/program/acct.te b/mls/domains/program/acct.te
new file mode 100644
index 0000000..bbb4fdc
--- /dev/null
+++ b/mls/domains/program/acct.te
@@ -0,0 +1,66 @@
+#DESC Acct - BSD process accounting
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: acct
+#
+
+#################################
+#
+# Rules for the acct_t domain.
+#
+# acct_exec_t is the type of the acct executable.
+#
+daemon_base_domain(acct)
+ifdef(`crond.te', `
+system_crond_entry(acct_exec_t, acct_t)
+
+# for monthly cron job
+file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
+')
+
+# for SSP
+allow acct_t urandom_device_t:chr_file read;
+
+type acct_data_t, file_type, logfile, sysadmfile;
+
+# not sure why we need this, the command "last" is reported as using it
+dontaudit acct_t self:capability kill;
+
+# gzip needs chown capability for some reason
+allow acct_t self:capability { chown fsetid sys_pacct };
+
+allow acct_t var_t:dir { getattr search };
+rw_dir_create_file(acct_t, acct_data_t)
+
+can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })
+allow acct_t { bin_t sbin_t }:dir search;
+allow acct_t bin_t:lnk_file read;
+
+read_locale(acct_t)
+
+allow acct_t fs_t:filesystem getattr;
+
+allow acct_t self:unix_stream_socket create_socket_perms;
+
+allow acct_t self:fifo_file { read write getattr };
+
+allow acct_t { self proc_t }:file { read getattr };
+
+read_sysctl(acct_t)
+
+dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
+
+# for nscd
+dontaudit acct_t var_run_t:dir search;
+
+
+allow acct_t devtty_t:chr_file { read write };
+
+allow acct_t { etc_t etc_runtime_t }:file { read getattr };
+
+ifdef(`logrotate.te', `
+domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
+rw_dir_create_file(logrotate_t, acct_data_t)
+can_exec(logrotate_t, acct_data_t)
+')
+
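Review bot: `can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })` runs init scripts inside acct_t instead of transitioning to initrc_t, so anything an init script does inherits acct_t's `{ chown fsetid sys_pacct }` capabilities and its write access to acct_data_t and wtmp_t; if only one script is needed, name it or use a domain transition. The comments "not sure why we need this" and "gzip needs chown capability for some reason" should be resolved before merge: either record the actual denial that prompted `dontaudit acct_t self:capability kill;` and the `chown` grant, or drop the rules and see whether anything still fails.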
diff --git a/mls/domains/program/alsa.te b/mls/domains/program/alsa.te
new file mode 100644
index 0000000..ab80475
--- /dev/null
+++ b/mls/domains/program/alsa.te
@@ -0,0 +1,24 @@
+#DESC       ainit - configuration tool for ALSA
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+#
+type alsa_t, domain, privlog, daemon;
+type alsa_exec_t, file_type, sysadmfile, exec_type;
+uses_shlib(alsa_t)
+allow alsa_t { unpriv_userdomain self }:sem  create_sem_perms;
+allow alsa_t { unpriv_userdomain self }:shm  create_shm_perms;
+allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+allow alsa_t self:unix_dgram_socket create_socket_perms;
+allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
+allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
+
+type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
+rw_dir_create_file(alsa_t,alsa_etc_rw_t)
+allow alsa_t self:capability { setgid setuid ipc_owner };
+dontaudit alsa_t self:capability sys_admin;
+allow alsa_t devpts_t:chr_file { read write };
+allow alsa_t etc_t:file { getattr read };
+domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
+role system_r types alsa_t;
+read_locale(alsa_t) 
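Review bot: the SysV IPC rules here are unusually wide and undocumented: alsa_t gets `create_sem_perms` / `create_shm_perms` on objects owned by every `unpriv_userdomain`, every unprivileged user domain gets `{ unix_read unix_write create_shm_perms }` on alsa_t's shared memory, and alsa_t also carries `ipc_owner`, which lets it bypass IPC ownership checks on all of it. Add a comment explaining which ALSA mechanism needs bidirectional shared memory with user domains and whether `ipc_owner` is really required alongside it. Style: the `#DESC       ainit` header has stray spaces after the tag and the last line `read_locale(alsa_t) ` has trailing whitespace.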
diff --git a/mls/domains/program/amanda.te b/mls/domains/program/amanda.te
new file mode 100644
index 0000000..4b63f5f
--- /dev/null
+++ b/mls/domains/program/amanda.te
@@ -0,0 +1,284 @@
+#DESC Amanda - Automated backup program
+#
+# This policy file sets the rigths for amanda client started by inetd_t
+# and amrecover 
+#
+# X-Debian-Packages: amanda-common amanda-server
+# Depends: inetd.te
+# Author     :  Carsten Grohmann <carstengrohmann@gmx.de>
+#
+# License    :  GPL
+#
+# last change:  27. August 2002
+#
+# state      :  complete and tested
+#
+# Hints      :
+#  - amanda.fc is the appendant file context file
+#  - If you use amrecover please extract the files and directories to the
+#    directory speficified in amanda.fc as type amanda_recover_dir_t.
+#  - The type amanda_user_exec_t is defined to label the files but not used.
+#    This configuration works only as an client and a amanda client does not need
+#    this programs.
+#
+# Enhancements/Corrections:
+#  - set tighter permissions to /bin/tar instead bin_t 
+
+##############################################################################
+# AMANDA CLIENT DECLARATIONS
+##############################################################################
+
+# General declarations
+######################
+
+type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain;
+role system_r types amanda_t;
+
+# type for the amanda executables
+type amanda_exec_t, file_type, sysadmfile, exec_type;
+
+# type for the amanda executables started by inetd
+type amanda_inetd_exec_t, file_type, sysadmfile, exec_type;
+
+# type for amanda configurations files
+type amanda_config_t, file_type, sysadmfile;
+
+# type for files in /usr/lib/amanda
+type amanda_usr_lib_t, file_type, sysadmfile;
+
+# type for all files in /var/lib/amanda
+type amanda_var_lib_t, file_type, sysadmfile;
+
+# type for all files in /var/lib/amanda/gnutar-lists/
+type amanda_gnutarlists_t, file_type, sysadmfile;
+
+# type for user startable files
+type amanda_user_exec_t, file_type, sysadmfile, exec_type;
+
+# type for same awk and other scripts
+type amanda_script_exec_t, file_type, sysadmfile, exec_type;
+
+# type for the shell configuration files 
+type amanda_shellconfig_t, file_type, sysadmfile;
+
+tmp_domain(amanda)
+ 
+# type for /etc/amandates
+type amanda_amandates_t, file_type, sysadmfile;
+
+# type for /etc/dumpdates
+type amanda_dumpdates_t, file_type, sysadmfile;
+
+# type for amanda data
+type amanda_data_t, file_type, sysadmfile;
+
+# Domain transitions
+####################
+
+domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
+
+
+##################
+# File permissions
+##################
+
+# configuration files -> read only
+allow amanda_t amanda_config_t:file { getattr read };
+
+# access to amanda_amandates_t
+allow amanda_t amanda_amandates_t:file { getattr lock read write };
+
+# access to amanda_dumpdates_t
+allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
+
+# access to amandas data structure
+allow amanda_t amanda_data_t:dir { read search write };
+allow amanda_t amanda_data_t:file { read write };
+
+# access to proc_t
+allow amanda_t proc_t:file { getattr read };
+
+# access to etc_t and similar
+allow amanda_t etc_t:file { getattr read };
+allow amanda_t etc_runtime_t:file { getattr read };
+
+# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
+rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
+
+# access to device_t and similar
+allow amanda_t devtty_t:chr_file { read write };
+
+# access to fs_t
+allow amanda_t fs_t:filesystem getattr;
+
+# access to sysctl_kernel_t ( proc/sys/kernel/* )
+read_sysctl(amanda_t)
+
+#####################
+# process permissions
+#####################
+
+# Allow to use shared libs
+uses_shlib(amanda_t)
+
+# Allow to execute a amanda executable file
+allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read };	
+
+# Allow to run a shell
+allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
+
+# access to bin_t (tar)
+allow amanda_t bin_t:file { execute execute_no_trans };
+
+allow amanda_t self:capability { chown dac_override setuid };
+allow amanda_t self:process { fork sigchld setpgid signal };
+allow amanda_t self:dir search;
+allow amanda_t self:file { getattr read };
+
+
+###################################
+# Network and process communication
+###################################
+
+can_network_server(amanda_t);
+can_ypbind(amanda_t);
+can_exec(amanda_t, sbin_t);
+	
+allow amanda_t self:fifo_file { getattr read write ioctl lock };
+allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+allow amanda_t self:unix_dgram_socket create_socket_perms;
+
+
+##########################
+# Communication with inetd
+##########################
+
+allow amanda_t inetd_t:udp_socket { read write };
+
+
+###################
+# inetd permissions
+###################
+
+allow inetd_t amanda_usr_lib_t:dir search;
+
+
+########################
+# Access to to save data
+########################
+
+# access to user_home_t
+allow amanda_t user_home_type:file { getattr read };
+
+##############################################################################
+# AMANDA RECOVER DECLARATIONS
+##############################################################################
+
+
+# General declarations
+######################
+
+# type for amrecover
+type amanda_recover_t, domain;
+role sysadm_r types amanda_recover_t;
+role system_r types amanda_recover_t;
+
+# exec types for amrecover 
+type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
+
+# type for recover files ( restored data )
+type amanda_recover_dir_t, file_type, sysadmfile;
+file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t)
+
+# domain transsition
+domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t)
+
+# file type auto trans to write debug messages
+file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
+
+
+# amanda recover process permissions
+####################################
+
+uses_shlib(amanda_recover_t)
+allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
+can_exec(amanda_recover_t, shell_exec_t)
+allow amanda_recover_t privfd:fd use;
+
+
+# amrecover network and process communication
+#############################################
+
+can_network(amanda_recover_t);
+allow amanda_recover_t amanda_port_t:tcp_socket name_connect;
+can_ypbind(amanda_recover_t);
+read_locale(amanda_recover_t);
+
+allow amanda_recover_t self:fifo_file { getattr ioctl read write };
+allow amanda_recover_t self:unix_stream_socket { connect create read write };
+allow amanda_recover_t var_log_t:dir search;
+rw_dir_create_file(amanda_recover_t, amanda_log_t)
+
+# amrecover file permissions
+############################
+
+# access to etc_t and similar
+allow amanda_recover_t etc_t:dir search;
+allow amanda_recover_t etc_t:file { getattr read };
+allow amanda_recover_t etc_runtime_t:file { getattr read };
+
+# access to amanda_recover_dir_t
+allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write };
+allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink };
+
+# access to var_t and var_run_t
+allow amanda_recover_t var_t:dir search;
+allow amanda_recover_t var_run_t:dir search;
+
+# access to proc_t
+allow amanda_recover_t proc_t:dir search;
+allow amanda_recover_t proc_t:file { getattr read };
+
+# access to sysctl_kernel_t
+read_sysctl(amanda_recover_t)
+
+# access to dev_t and similar
+allow amanda_recover_t device_t:dir search;
+allow amanda_recover_t devtty_t:chr_file { read write };
+allow amanda_recover_t null_device_t:chr_file { getattr write };
+
+# access to bin_t
+allow amanda_recover_t bin_t:file { execute execute_no_trans };
+
+# access to sysadm_home_t and sysadm_home_dir_t to start amrecover 
+# in the sysadm home directory
+allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr };
+
+# access to use sysadm_tty_device_t (/dev/tty?)
+allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
+
+# access to amanda_tmp_t and tmp_t
+allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write };
+allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink };
+allow amanda_recover_t tmp_t:dir search;
+
+#
+#  Rules to allow amanda to be run as a service in xinetd
+#
+allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
+
+#amanda needs to look at fs_type directories to decide whether it should backup
+allow amanda_t { fs_type file_type }:dir {getattr read search };
+allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
+allow amanda_t device_type:{ blk_file chr_file } getattr;
+allow amanda_t fixed_disk_device_t:blk_file read;
+domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
+
+allow amanda_t file_type:sock_file getattr;
+logdir_domain(amanda)
+
+dontaudit amanda_t proc_t:lnk_file read;
+dontaudit amanda_t unlabeled_t:file getattr;
+#amanda wants to check attributes on fifo_files
+allow amanda_t file_type:fifo_file getattr;
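Review bot: the trailing block starting at `allow amanda_t { fs_type file_type }:dir {getattr read search };` and `allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };`, together with `allow amanda_t fixed_disk_device_t:blk_file read;`, gives the inetd-spawned client read access to every labeled file on the system and to raw disk devices; that is what a whole-system backup needs, but it deserves a comment stating so, since the per-type rules above it (`amanda_config_t`, `user_home_type`, `etc_t`, ...) become redundant and a reader may otherwise assume the domain is narrowly confined. Other points: the header says `amanda_user_exec_t` is "defined to label the files but not used", so either drop the type or document the intended future use; the two `file_type_auto_trans` calls for amanda_recover_t omit the object class that the rest of this patch passes (for example `file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)`), so confirm the default is intended; several macro calls end in `;` (`can_network_server(amanda_t);`, `can_ypbind(amanda_recover_t);`) unlike everywhere else in the patch; and the comments have typos ("rigths", "speficified", "transsition", "same awk").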
diff --git a/mls/domains/program/anaconda.te b/mls/domains/program/anaconda.te
new file mode 100644
index 0000000..175947d
--- /dev/null
+++ b/mls/domains/program/anaconda.te
@@ -0,0 +1,48 @@
+#DESC Anaconda - Red Hat Installation program
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the anaconda_t domain.
+#
+# anaconda_t is the domain of the installation program
+#
+type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
+role system_r types anaconda_t;
+unconfined_domain(anaconda_t)
+
+role system_r types ldconfig_t;
+domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
+
+# Run other rc scripts in the anaconda_t domain.
+domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
+
+ifdef(`dmesg.te', `
+domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
+')
+
+ifdef(`distro_redhat', `
+file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
+')
+
+ifdef(`rpm.te', `
+# Access /var/lib/rpm.
+domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
+')
+
+file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)
+
+ifdef(`udev.te', `
+domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
+')
+
+ifdef(`ssh-agent.te', `
+role system_r types sysadm_ssh_agent_t;
+domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
+')
+ifdef(`passwd.te', `
+domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
+')
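Review bot: `unconfined_domain(anaconda_t)` makes most of the attribute list on the type declaration (`admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer`) redundant; keep only the attributes that other files test for, and say in the comment that the installer is deliberately unconfined. This file also edits role authorizations for domains it does not own (`role system_r types ldconfig_t;`, `role system_r types sysadm_ssh_agent_t;`); those belong in ldconfig.te and ssh-agent.te, or at least need a comment here explaining why the installer runs them under system_r. Minor: `domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)` has a stray space before the comma.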
diff --git a/mls/domains/program/apache.te b/mls/domains/program/apache.te
new file mode 100644
index 0000000..1b9cab6
--- /dev/null
+++ b/mls/domains/program/apache.te
@@ -0,0 +1,415 @@
+#DESC Apache - Web server
+#
+# X-Debian-Packages: apache2-common apache
+#
+###############################################################################
+#
+# Policy file for running the Apache web server
+#
+# NOTES: 
+#  This policy will work with SUEXEC enabled as part of the Apache
+#  configuration. However, the user CGI scripts will run under the
+#  system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
+#  of the creating user.
+#
+#  The user CGI scripts must be labeled with the httpd_$1_script_exec_t
+#  type, and the directory containing the scripts should also be labeled
+#  with these types. This policy allows user_r role to perform that 
+#  relabeling. If it is desired that only sysadm_r should be able to relabel
+#  the user CGI scripts, then relabel rule for user_r should be removed.
+#
+###############################################################################
+
+define(`httpd_home_dirs', `
+r_dir_file(httpd_t, $1)
+r_dir_file(httpd_suexec_t, $1)
+can_exec(httpd_suexec_t, $1)
+')
+
+bool httpd_unified false;
+
+# Allow httpd to use built in scripting (usually php)
+bool httpd_builtin_scripting false;
+
+# Allow httpd cgi support
+bool httpd_enable_cgi false;
+
+# Allow httpd to read home directories
+bool httpd_enable_homedirs false;
+
+# Run SSI execs in system CGI script domain.
+bool httpd_ssi_exec false;
+
+# Allow http daemon to communicate with the TTY
+bool httpd_tty_comm false;
+
+# Allow http daemon to tcp connect 
+bool httpd_can_network_connect false;
+
+#########################################################
+# Apache types
+#########################################################
+# httpd_config_t is the type given to the configuration
+# files for apache /etc/httpd/conf
+#
+type httpd_config_t, file_type, sysadmfile;
+
+# httpd_modules_t is the type given to module files (libraries) 
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
+#
+type httpd_modules_t, file_type, sysadmfile;
+
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
+#
+type httpd_cache_t, file_type, sysadmfile;
+
+# httpd_exec_t is the type give to the httpd executable.
+#
+daemon_domain(httpd, `, privmail, nscd_client_domain')
+
+append_logdir_domain(httpd)
+#can read /etc/httpd/logs
+allow httpd_t httpd_log_t:lnk_file read;
+
+# For /etc/init.d/apache2 reload
+can_tcp_connect(httpd_t, httpd_t)
+
+can_tcp_connect(web_client_domain, httpd_t)
+
+can_exec(httpd_t, httpd_exec_t)
+file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
+
+general_domain_access(httpd_t)
+
+allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
+
+read_sysctl(httpd_t)
+
+allow httpd_t crypt_device_t:chr_file rw_file_perms;
+
+# for modules that want to access /etc/mtab and /proc/meminfo
+allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
+
+uses_shlib(httpd_t)
+allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
+allow httpd_t usr_t:lnk_file { getattr read };
+
+# for apache2 memory mapped files
+var_lib_domain(httpd)
+
+# for tomcat
+r_dir_file(httpd_t, var_lib_t)
+
+# execute perl
+allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
+can_exec(httpd_t, { bin_t sbin_t })
+allow httpd_t bin_t:lnk_file read;
+
+########################################
+# Set up networking
+########################################
+
+can_network_server(httpd_t)
+can_kerberos(httpd_t)
+can_resolve(httpd_t)
+nsswitch_domain(httpd_t)
+allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
+# allow httpd to connect to mysql/posgresql 
+allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
+# allow httpd to work as a relay
+allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
+
+if (httpd_can_network_connect) {
+can_network_client(httpd_t)
+allow httpd_t port_type:tcp_socket name_connect;
+}
+
+##########################################
+# Legacy: remove when it's fixed         #
+# Allow libphp5.so with text relocations #
+##########################################
+allow httpd_t texrel_shlib_t:file execmod;
+
+#########################################
+# Allow httpd to search users directories
+#########################################
+allow httpd_t home_root_t:dir { getattr search };
+dontaudit httpd_t sysadm_home_dir_t:dir getattr;
+
+############################################################################
+# Allow the httpd_t the capability to bind to a port and various other stuff
+############################################################################
+allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+dontaudit httpd_t self:capability net_admin;
+
+#################################################
+# Allow the httpd_t to read the web servers config files
+###################################################
+r_dir_file(httpd_t, httpd_config_t)
+# allow logrotate to read the config files for restart
+ifdef(`logrotate.te', `
+r_dir_file(logrotate_t, httpd_config_t)
+domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t)
+allow logrotate_t httpd_t:process signull;
+')
+r_dir_file(initrc_t, httpd_config_t)
+##################################################
+
+###############################
+# Allow httpd_t to put files in /var/cache/httpd etc
+##############################
+create_dir_file(httpd_t, httpd_cache_t)
+
+###############################
+# Allow httpd_t to access the tmpfs file system
+##############################
+tmpfs_domain(httpd)
+
+#####################
+# Allow httpd_t to access
+# libraries for its modules
+###############################
+allow httpd_t httpd_modules_t:file rx_file_perms;
+allow httpd_t httpd_modules_t:dir r_dir_perms;
+allow httpd_t httpd_modules_t:lnk_file r_file_perms;
+
+######################################################################
+# Allow initrc_t to access the Apache modules directory.
+######################################################################
+allow initrc_t httpd_modules_t:dir r_dir_perms;
+
+##############################################
+# Allow httpd_t to have access to files
+# such as nisswitch.conf
+# need ioctl for php
+###############################################
+allow httpd_t etc_t:file { read getattr ioctl };
+allow httpd_t etc_t:lnk_file { getattr read };
+
+# setup the system domain for system CGI scripts
+apache_domain(sys)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
+# Run SSI execs in system CGI script domain.
+if (httpd_ssi_exec) {
+domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
+}
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+
+##################################################
+#
+# PHP Directives
+##################################################
+
+type httpd_php_exec_t, file_type, sysadmfile, exec_type;
+type httpd_php_t, domain;
+
+# Transition from the user domain to this domain.
+domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# The system role is authorized for this domain.
+role system_r types httpd_php_t;
+
+general_domain_access(httpd_php_t)
+uses_shlib(httpd_php_t)
+can_exec(httpd_php_t, lib_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file ra_file_perms;
+
+# access to /tmp
+tmp_domain(httpd)
+tmp_domain(httpd_php)
+
+# Creation of lock files for apache2
+lock_domain(httpd)
+
+# Allow apache to used public_content_t
+anonymous_domain(httpd)
+
+# connect to mysql
+ifdef(`mysqld.te', `
+can_unix_connect(httpd_php_t, mysqld_t)
+can_unix_connect(httpd_t, mysqld_t)
+can_unix_connect(httpd_sys_script_t, mysqld_t)
+allow httpd_php_t mysqld_var_run_t:dir search;
+allow httpd_php_t mysqld_var_run_t:sock_file write;
+allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
+allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
+allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
+')
+allow httpd_t bin_t:dir search;
+allow httpd_t sbin_t:dir search;
+allow httpd_t httpd_log_t:dir remove_name;
+
+read_fonts(httpd_t)
+
+allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+
+allow httpd_t autofs_t:dir { search getattr };
+
+if (use_nfs_home_dirs && httpd_enable_homedirs) {
+httpd_home_dirs(nfs_t)
+}
+if (use_samba_home_dirs && httpd_enable_homedirs) {
+httpd_home_dirs(cifs_t)
+}
+
+#
+# Allow users to mount additional directories as http_source
+#
+allow httpd_t mnt_t:dir r_dir_perms;
+
+ifdef(`targeted_policy', `
+domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)
+typealias httpd_sys_content_t alias httpd_user_content_t;
+typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
+
+if (httpd_enable_homedirs) {
+allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
+}
+') dnl targeted policy
+
+# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+
+ifdef(`distro_redhat', `
+#
+# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
+# This is a bug but it still exists in FC2
+#
+typealias httpd_log_t  alias httpd_runtime_t;
+allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
+dontaudit httpd_t httpd_runtime_t:file ioctl;
+') dnl distro_redhat
+#
+# Customer reported the following
+#
+ifdef(`snmpd.te', `
+dontaudit httpd_t snmpd_var_lib_t:dir search;
+dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
+', `
+dontaudit httpd_t usr_t:dir write;
+')
+
+application_domain(httpd_helper)
+role system_r types httpd_helper_t;
+domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+allow httpd_helper_t httpd_config_t:file { getattr read };
+allow httpd_helper_t httpd_log_t:file { append };
+
+########################################
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here. 
+##################################################
+
+if (httpd_tty_comm) {
+allow { httpd_t httpd_helper_t } devpts_t:dir search;
+ifdef(`targeted_policy', `
+allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms;
+')
+allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;
+} else {
+dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
+}
+
+read_sysctl(httpd_sys_script_t)
+allow httpd_sys_script_t var_lib_t:dir search;
+dontaudit httpd_t selinux_config_t:dir search;
+r_dir_file(httpd_t, cert_t)
+
+#
+# unconfined domain for apache scripts.  Only to be used as a last resort
+#
+type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
+type httpd_unconfined_script_t, domain, nscd_client_domain;
+role system_r types httpd_unconfined_script_t;
+unconfined_domain(httpd_unconfined_script_t)
+
+# The following are types for SUEXEC,which runs user scripts as their
+# own user ID
+#
+daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
+allow httpd_t httpd_suexec_exec_t:file { getattr read };
+
+#########################################################
+# Permissions for running child processes and scripts
+##########################################################
+
+allow httpd_suexec_t self:capability { setuid setgid };
+
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t { var_t var_log_t }:dir search;
+allow httpd_suexec_t home_root_t:dir search;
+
+allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
+allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
+allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+allow httpd_suexec_t etc_t:file { getattr read };
+read_locale(httpd_suexec_t)
+read_sysctl(httpd_suexec_t)
+allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
+
+# for shell scripts
+allow httpd_suexec_t bin_t:dir search;
+allow httpd_suexec_t bin_t:lnk_file read;
+can_exec(httpd_suexec_t, { bin_t shell_exec_t })
+
+if (httpd_can_network_connect) {
+can_network(httpd_suexec_t)
+allow httpd_suexec_t port_type:tcp_socket name_connect;
+}
+
+can_ypbind(httpd_suexec_t)
+allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
+
+allow httpd_suexec_t autofs_t:dir { search getattr };
+tmp_domain(httpd_suexec)
+
+if (httpd_enable_cgi && httpd_unified) {
+domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+')
+}
+if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
+domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+create_dir_file(httpd_t, httpdcontent)
+}
+if (httpd_enable_cgi) {
+domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
+allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
+}
+
+#
+# Types for squirrelmail
+#
+type httpd_squirrelmail_t, file_type, sysadmfile;
+create_dir_file(httpd_t, httpd_squirrelmail_t)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
+allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
+create_dir_file(httpd_t, squirrelmail_spool_t)
+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
+
+ifdef(`mta.te', `
+# apache should set close-on-exec
+dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
+dontaudit system_mail_t httpd_log_t:file { append getattr };
+allow system_mail_t httpd_squirrelmail_t:file { append read };
+dontaudit system_mail_t httpd_t:tcp_socket { read write };
+')
+bool httpd_enable_ftp_server false;
+if (httpd_enable_ftp_server) {
+allow httpd_t ftp_port_t:tcp_socket name_bind;
+}
+
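Review bot: the two transitions into the unconfined script domain, "domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)" and the matching rule for httpd_suexec_t, are gated only on httpd_enable_cgi, so once CGI is enabled the only remaining control is which files an administrator labels httpd_unconfined_script_exec_t. The "Only to be used as a last resort" comment above the type declaration should state that explicitly, and the suexec case needs its own justification: the file describes suexec as running user scripts as their own user ID, and this rule lets such a script run with no SELinux confinement at all if its file carries that label. A dedicated boolean for these two lines, or at least a comment stating the labeling requirement next to the type declaration, would make the risk visible to whoever turns CGI on.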
diff --git a/mls/domains/program/apmd.te b/mls/domains/program/apmd.te
new file mode 100644
index 0000000..82b4a4d
--- /dev/null
+++ b/mls/domains/program/apmd.te
@@ -0,0 +1,157 @@
+#DESC Apmd - Automatic Power Management daemon
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: apmd
+#
+
+#################################
+#
+# Rules for the apmd_t domain.
+#
+daemon_domain(apmd, `, privmodule, privmail, nscd_client_domain')
+
+# for SSP
+allow apmd_t urandom_device_t:chr_file read;
+
+type apm_t, domain, privlog;
+type apm_exec_t, file_type, sysadmfile, exec_type;
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
+')
+uses_shlib(apm_t)
+allow apm_t privfd:fd use;
+allow apm_t admin_tty_type:chr_file rw_file_perms;
+allow apm_t device_t:dir search;
+allow apm_t self:capability { dac_override sys_admin };
+allow apm_t proc_t:dir search;
+allow apm_t proc_t:file r_file_perms;
+allow apm_t fs_t:filesystem getattr;
+allow apm_t apm_bios_t:chr_file rw_file_perms;
+role sysadm_r types apm_t;
+role system_r types apm_t;
+
+allow apmd_t device_t:lnk_file read;
+allow apmd_t proc_t:file { getattr read write };
+can_sysctl(apmd_t)
+allow apmd_t sysfs_t:file write;
+
+allow apmd_t self:unix_dgram_socket create_socket_perms;
+allow apmd_t self:unix_stream_socket create_stream_socket_perms;
+allow apmd_t self:fifo_file rw_file_perms;
+allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
+allow apmd_t etc_t:lnk_file read;
+
+# acpid wants a socket
+file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
+
+# acpid also has a logfile
+log_domain(apmd)
+tmp_domain(apmd)
+
+ifdef(`distro_suse', `
+var_lib_domain(apmd)
+')
+
+allow apmd_t self:file { getattr read ioctl };
+allow apmd_t self:process getsession;
+
+# Use capabilities.
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
+
+# controlling an orderly resume of PCMCIA requires creating device
+# nodes 254,{0,1,2} for some reason.
+allow apmd_t self:capability mknod;
+
+# Access /dev/apm_bios.
+allow apmd_t apm_bios_t:chr_file rw_file_perms;
+
+# Run helper programs.
+can_exec_any(apmd_t)
+
+# apmd calls hwclock.sh on suspend and resume
+allow apmd_t clock_device_t:chr_file r_file_perms;
+ifdef(`hwclock.te', `
+domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
+allow apmd_t adjtime_t:file rw_file_perms;
+allow hwclock_t apmd_log_t:file append;
+allow hwclock_t apmd_t:unix_stream_socket { read write };
+')
+
+
+# to quiet fuser and ps
+# setuid for fuser, dac* for ps
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
+dontaudit apmd_t domain:socket_class_set getattr;
+dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
+dontaudit apmd_t device_type:devfile_class_set getattr;
+dontaudit apmd_t home_type:dir { search getattr };
+dontaudit apmd_t domain:key_socket getattr;
+dontaudit apmd_t domain:dir search;
+
+ifdef(`distro_redhat', `
+can_exec(apmd_t, apmd_var_run_t)
+# for /var/lock/subsys/network
+lock_domain(apmd)
+
+# ifconfig_exec_t needs to be run in its own domain for Red Hat
+ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
+ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
+ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
+', `
+# for ifconfig which is run all the time
+dontaudit apmd_t sysctl_t:dir search;
+')
+
+ifdef(`udev.te', `
+allow apmd_t udev_t:file { getattr read };
+allow apmd_t udev_t:lnk_file { getattr read };
+')
+#
+# apmd tells the machine to shutdown requires the following
+#
+allow apmd_t initctl_t:fifo_file write;
+allow apmd_t initrc_var_run_t:file { read write lock };
+
+#
+# Allow it to run killof5 and pidof
+#
+typeattribute apmd_t unrestricted;
+r_dir_file(apmd_t, domain)
+
+# Same for apm/acpid scripts
+domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
+ifdef(`consoletype.te', `
+allow consoletype_t apmd_t:fd use;
+allow consoletype_t apmd_t:fifo_file write;
+')
+ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
+ifdef(`crond.te', `
+domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
+allow apmd_t crond_t:fifo_file { getattr read write ioctl };
+')
+
+# for a find /dev operation that gets /dev/shm
+dontaudit apmd_t tmpfs_t:dir r_dir_perms;
+dontaudit apmd_t selinux_config_t:dir search;
+allow apmd_t user_tty_type:chr_file rw_file_perms;
+# Access /dev/apm_bios.
+allow initrc_t apm_bios_t:chr_file { setattr getattr read };
+
+ifdef(`logrotate.te', `
+allow apmd_t logrotate_t:fd use;
+')dnl end if logrotate.te
+allow apmd_t devpts_t:dir { getattr search };
+allow apmd_t security_t:dir search;
+allow apmd_t usr_t:dir search;
+r_dir_file(apmd_t, hwdata_t)
+ifdef(`targeted_policy', `
+unconfined_domain(apmd_t)
+')
+
+ifdef(`NetworkManager.te', `
+ifdef(`dbusd.te', `
+allow apmd_t NetworkManager_t:dbus send_msg;
+allow NetworkManager_t apmd_t:dbus send_msg;
+')
+')
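Review bot: "allow apmd_t user_tty_type:chr_file rw_file_perms;" near the end of the file has no comment, yet it grants read and write on every user terminal; unlike the admin_tty_type rules elsewhere in this series, nothing here says what apmd does with user ttys (a wall-style notice on suspend would need write only). The same applies to "allow apmd_t proc_t:file { getattr read write };" further up, where write on generic proc_t files is broader than the sysfs_t write that follows it and should name the file it is for. Please add the justifying comments or narrow the rules; every other capability and device rule in this file carries a reason, and these two stand out for not having one.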
diff --git a/mls/domains/program/arpwatch.te b/mls/domains/program/arpwatch.te
new file mode 100644
index 0000000..3065800
--- /dev/null
+++ b/mls/domains/program/arpwatch.te
@@ -0,0 +1,48 @@
+#DESC arpwatch -  keep track of ethernet/ip address pairings
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the arpwatch_t domain.
+#
+# arpwatch_exec_t is the type of the arpwatch executable.
+#
+daemon_domain(arpwatch, `, privmail')
+
+# for files created by arpwatch
+type arpwatch_data_t, file_type, sysadmfile;
+create_dir_file(arpwatch_t,arpwatch_data_t)
+tmp_domain(arpwatch)
+
+allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
+
+can_network_server(arpwatch_t)
+allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
+allow arpwatch_t self:udp_socket create_socket_perms;
+allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+allow arpwatch_t self:packet_socket create_socket_perms;
+allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
+
+allow arpwatch_t { sbin_t var_lib_t }:dir search;
+allow arpwatch_t sbin_t:lnk_file read;
+r_dir_file(arpwatch_t, etc_t)
+r_dir_file(arpwatch_t, usr_t)
+can_ypbind(arpwatch_t)
+
+ifdef(`qmail.te', `
+allow arpwatch_t bin_t:dir search;
+')
+
+ifdef(`distro_gentoo', `
+allow initrc_t arpwatch_data_t:dir { add_name write };
+allow initrc_t arpwatch_data_t:file create;
+')dnl end distro_gentoo
+
+# why is mail delivered to a directory of type arpwatch_data_t?
+allow mta_delivery_agent arpwatch_data_t:dir search;
+allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
+ifdef(`hide_broken_symptoms', `
+dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
+')
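Review bot: the hide_broken_symptoms block, "dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };", silences a raw packet socket that arpwatch leaks into the mailer it spawns; that is the same close-on-exec defect the apache file names in its own comment ("apache should set close-on-exec"), and the fix belongs in arpwatch (FD_CLOEXEC on the capture socket), so the dontaudit should carry a comment saying it hides a known bug rather than masking it silently. The open question a few lines earlier, "# why is mail delivered to a directory of type arpwatch_data_t?", should be resolved before this is merged, since "allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;" gives the MTA read and write on arpwatch's temporary files to support whatever that behaviour turns out to be.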
diff --git a/mls/domains/program/auditd.te b/mls/domains/program/auditd.te
new file mode 100644
index 0000000..69b105a
--- /dev/null
+++ b/mls/domains/program/auditd.te
@@ -0,0 +1,76 @@
+#DESC auditd - System auditing daemon
+#
+# Authors: Colin Walters <walters@verbum.org>
+#
+# Some fixes by Paul Moore <paul.moore@hp.com>
+# 
+define(`audit_manager_domain', `
+allow $1 auditd_etc_t:file rw_file_perms;
+create_dir_file($1, auditd_log_t)
+domain_auto_trans($1, auditctl_exec_t, auditctl_t)
+')
+
+daemon_domain(auditd)
+
+ifdef(`mls_policy', `
+# run at the highest MLS level
+typeattribute auditd_t mlsrangetrans;
+range_transition initrc_t auditd_exec_t s15:c0.c255;
+')
+
+allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+allow auditd_t self:unix_dgram_socket create_socket_perms;
+allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
+allow auditd_t self:process setsched;
+allow auditd_t self:file { getattr read write };
+allow auditd_t etc_t:file { getattr read };
+
+# Do not use logdir_domain since this is a security file
+type auditd_log_t, file_type, secure_file_type;
+allow auditd_t var_log_t:dir search;
+rw_dir_create_file(auditd_t, auditd_log_t)
+
+can_exec(auditd_t, init_exec_t)
+allow auditd_t initctl_t:fifo_file write;
+
+ifdef(`targeted_policy', `
+dontaudit auditd_t unconfined_t:fifo_file read;
+')
+
+type auditctl_t, domain, privlog;
+type auditctl_exec_t, file_type, exec_type, sysadmfile;
+uses_shlib(auditctl_t)
+allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+allow auditctl_t self:capability { audit_write audit_control };
+allow auditctl_t etc_t:file { getattr read };
+allow auditctl_t admin_tty_type:chr_file rw_file_perms;
+
+type auditd_etc_t, file_type, secure_file_type;
+allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
+allow initrc_t auditd_etc_t:file r_file_perms;
+
+role secadm_r types auditctl_t;
+role sysadm_r types auditctl_t;
+audit_manager_domain(secadm_t)
+
+ifdef(`targeted_policy', `', `
+ifdef(`separate_secadm', `', `
+audit_manager_domain(sysadm_t)
+') 
+')
+
+role system_r types auditctl_t;
+domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
+
+dontaudit auditctl_t local_login_t:fd use;
+allow auditctl_t proc_t:dir search;
+allow auditctl_t sysctl_kernel_t:dir search;
+allow auditctl_t sysctl_kernel_t:file { getattr read };
+dontaudit auditctl_t init_t:fd use; 
+allow auditctl_t initrc_devpts_t:chr_file { read write };
+allow auditctl_t privfd:fd use;
+
+
+allow auditd_t sbin_t:dir search;
+can_exec(auditd_t, sbin_t)
+allow auditd_t self:fifo_file rw_file_perms;
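Review bot: "role sysadm_r types auditctl_t;" is unconditional, while the matching "audit_manager_domain(sysadm_t)" is wrapped in ifdef(`targeted_policy', ..., ifdef(`separate_secadm', ...)), so a build with separate_secadm still authorises auditctl_t in sysadm_r even though sysadm_t gets no transition to it and no access to auditd_etc_t or auditd_log_t. Move the role statement inside the same conditional so the two stay consistent. Separately, "can_exec(auditd_t, sbin_t)" at the bottom lets auditd run any sbin_t program in its own domain, which carries audit_control and audit_write; a comment naming the helper it is for would let a later reader judge whether that helper deserves its own exec type and domain.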
diff --git a/mls/domains/program/automount.te b/mls/domains/program/automount.te
new file mode 100644
index 0000000..d1bb20e
--- /dev/null
+++ b/mls/domains/program/automount.te
@@ -0,0 +1,79 @@
+#DESC Automount - Automount daemon
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>
+# Modified by Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: amd am-utils autofs
+#
+
+#################################
+#
+# Rules for the automount_t domain.
+#
+daemon_domain(automount)
+
+etc_domain(automount)
+
+# for SSP
+allow automount_t urandom_device_t:chr_file read;
+
+# for if the mount point is not labelled
+allow automount_t file_t:dir getattr;
+allow automount_t default_t:dir getattr;
+
+allow automount_t autofs_t:dir { create_dir_perms ioctl };
+allow automount_t fs_type:dir getattr;
+
+allow automount_t { etc_t etc_runtime_t }:file { getattr read };
+allow automount_t proc_t:file { getattr read };
+allow automount_t self:process { getpgid setpgid setsched };
+allow automount_t self:capability { sys_nice dac_override };
+allow automount_t self:unix_stream_socket create_socket_perms;
+allow automount_t self:unix_dgram_socket create_socket_perms;
+
+# because config files can be shell scripts
+can_exec(automount_t, { etc_t automount_etc_t })
+
+can_network_server(automount_t)
+can_resolve(automount_t)
+can_ypbind(automount_t)
+can_ldap(automount_t)
+
+ifdef(`fsadm.te', `
+domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
+')
+
+lock_domain(automount)
+
+tmp_domain(automount)
+allow automount_t self:fifo_file rw_file_perms;
+
+# Run mount in the mount_t domain.
+domain_auto_trans(automount_t, mount_exec_t, mount_t)
+allow mount_t autofs_t:dir { search mounton read };
+allow mount_t automount_tmp_t:dir mounton;
+
+ifdef(`apmd.te',
+`domain_auto_trans(apmd_t, automount_exec_t, automount_t)
+can_exec(automount_t, bin_t)')
+
+allow automount_t { bin_t sbin_t }:dir search;
+can_exec(automount_t, mount_exec_t)
+can_exec(automount_t, shell_exec_t)
+
+allow mount_t autofs_t:dir getattr;
+dontaudit automount_t var_t:dir write;
+
+allow userdomain autofs_t:dir r_dir_perms;
+allow kernel_t autofs_t:dir { getattr ioctl read search };
+
+allow automount_t { boot_t home_root_t }:dir getattr;
+allow automount_t mnt_t:dir { getattr search };
+
+can_exec(initrc_t, automount_etc_t)
+
+# Allow automount to create and delete directories in / and /home
+file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)
+
+allow automount_t var_lib_t:dir search;
+allow automount_t var_lib_nfs_t:dir search;
+
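Review bot: "can_exec(automount_t, bin_t)" sits inside the ifdef(`apmd.te') block, so whether automount may run bin_t programs depends on whether apmd.te is part of the build; that reads like a misplaced closing quote rather than intent, because the unconditional "allow automount_t { bin_t sbin_t }:dir search;" and "can_exec(automount_t, shell_exec_t)" that follow only make sense if automount runs commands regardless of apmd. Either move the can_exec out of the conditional or add a comment explaining the dependency. Also, "can_exec(automount_t, { etc_t automount_etc_t })" with the comment that config files can be shell scripts grants execute on every etc_t file; if only the automount maps are executable, labeling them automount_etc_t and dropping etc_t from the list keeps that narrower.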
diff --git a/mls/domains/program/avahi.te b/mls/domains/program/avahi.te
new file mode 100644
index 0000000..861559d
--- /dev/null
+++ b/mls/domains/program/avahi.te
@@ -0,0 +1,31 @@
+#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+daemon_domain(avahi, `, privsysmod')
+r_dir_file(avahi_t, proc_net_t)
+can_network_server(avahi_t)
+can_ypbind(avahi_t)
+allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow avahi_t self:unix_dgram_socket  create_socket_perms;
+allow avahi_t self:capability { dac_override setgid chown kill setuid };
+allow avahi_t urandom_device_t:chr_file r_file_perms;
+allow avahi_t howl_port_t:{ udp_socket tcp_socket } name_bind;
+allow avahi_t self:fifo_file { read write };
+allow avahi_t self:netlink_route_socket r_netlink_socket_perms;
+allow avahi_t self:process setrlimit;
+allow avahi_t etc_t:file { getattr read };
+allow avahi_t initrc_t:process { signal signull };
+allow avahi_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow avahi_t avahi_var_run_t:dir setattr;
+allow avahi_t avahi_var_run_t:sock_file create_file_perms;
+
+ifdef(`dbusd.te', `
+dbusd_client(system, avahi)
+ifdef(`targeted_policy', `
+allow avahi_t unconfined_t:dbus send_msg;
+allow unconfined_t avahi_t:dbus send_msg;
+')
+')
+
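Review bot: "allow avahi_t self:capability { dac_override setgid chown kill setuid };" and "allow avahi_t initrc_t:process { signal signull };" carry no comments, unlike the daemon files around this one, and dac_override and kill are the two a reviewer will question: nothing in the file shows avahi reading files it does not own (its var_run and dbus access is already explicit), and a daemon signalling initrc_t is unusual. Please add a line per capability saying which operation needs it, or drop any that no longer produce denials without it.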
diff --git a/mls/domains/program/bluetooth.te b/mls/domains/program/bluetooth.te
new file mode 100644
index 0000000..c6c5631
--- /dev/null
+++ b/mls/domains/program/bluetooth.te
@@ -0,0 +1,116 @@
+#DESC Bluetooth 
+#
+# Authors:  Dan Walsh
+# RH-Packages: Bluetooth
+#
+
+#################################
+#
+# Rules for the bluetooth_t domain.
+#
+daemon_domain(bluetooth)
+
+file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
+file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+
+tmp_domain(bluetooth)
+var_lib_domain(bluetooth)
+
+# Use capabilities.
+allow bluetooth_t self:file read;
+allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+allow bluetooth_t self:process getsched;
+allow bluetooth_t proc_t:file { getattr read };
+
+allow bluetooth_t self:shm create_shm_perms;
+
+lock_domain(bluetooth)
+
+# Use the network.
+can_network(bluetooth_t)
+can_ypbind(bluetooth_t)
+ifdef(`dbusd.te', `
+dbusd_client(system, bluetooth)
+allow bluetooth_t system_dbusd_t:dbus send_msg;
+')
+allow bluetooth_t self:socket create_stream_socket_perms;
+
+allow bluetooth_t self:unix_dgram_socket create_socket_perms;
+allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
+
+dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
+
+# bluetooth_conf_t is the type of the /etc/bluetooth dir.
+type bluetooth_conf_t, file_type, sysadmfile;
+type bluetooth_conf_rw_t, file_type, sysadmfile;
+
+# Read /etc/bluetooth
+allow bluetooth_t bluetooth_conf_t:dir search;
+allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
+#/usr/sbin/hid2hci causes the following
+allow initrc_t usbfs_t:file { getattr read };
+allow bluetooth_t usbfs_t:dir r_dir_perms;
+allow bluetooth_t usbfs_t:file rw_file_perms; 
+allow bluetooth_t bin_t:dir search;
+can_exec(bluetooth_t, { bin_t shell_exec_t })
+allow bluetooth_t bin_t:lnk_file read;
+
+#Handle bluetooth serial devices
+allow bluetooth_t tty_device_t:chr_file rw_file_perms;
+allow bluetooth_t self:fifo_file rw_file_perms;
+allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
+r_dir_file(bluetooth_t, fonts_t)
+allow bluetooth_t urandom_device_t:chr_file r_file_perms;
+allow bluetooth_t usr_t:file { getattr read };
+
+application_domain(bluetooth_helper, `, nscd_client_domain')
+domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
+role system_r types bluetooth_helper_t;
+read_locale(bluetooth_helper_t) 
+typeattribute bluetooth_helper_t unrestricted;
+r_dir_file(bluetooth_helper_t, domain)
+allow bluetooth_helper_t bin_t:dir { getattr search };
+can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
+allow bluetooth_helper_t bin_t:lnk_file read;
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:fifo_file rw_file_perms;
+allow bluetooth_helper_t self:process { fork getsched sigchld };
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
+r_dir_file(bluetooth_helper_t, fonts_t)
+r_dir_file(bluetooth_helper_t, proc_t)
+read_sysctl(bluetooth_helper_t)
+allow bluetooth_helper_t tmp_t:dir search;
+allow bluetooth_helper_t usr_t:file { getattr read };
+allow bluetooth_helper_t home_dir_type:dir search;
+ifdef(`xserver.te', `
+allow bluetooth_helper_t xserver_log_t:dir search;
+allow bluetooth_helper_t xserver_log_t:file { getattr read };
+')
+ifdef(`targeted_policy', `
+allow bluetooth_helper_t tmp_t:sock_file { read write };
+allow bluetooth_helper_t tmpfs_t:file { read write };
+allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
+allow bluetooth_t unconfined_t:dbus send_msg;
+allow unconfined_t bluetooth_t:dbus send_msg;
+', `
+ifdef(`xdm.te', `
+allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
+')
+allow bluetooth_t unpriv_userdomain:dbus send_msg;
+allow unpriv_userdomain bluetooth_t:dbus send_msg;
+')
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+allow bluetooth_helper_t self:unix_dgram_socket create_socket_perms;
+allow bluetooth_helper_t self:unix_stream_socket connectto;
+tmp_domain(bluetooth_helper)
+allow bluetooth_helper_t urandom_device_t:chr_file r_file_perms;
+
+dontaudit bluetooth_helper_t default_t:dir { read search };
+dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
+dontaudit bluetooth_helper_t home_dir_type:dir r_dir_perms;
+ifdef(`xserver.te', `
+allow bluetooth_helper_t xserver_log_t:dir search;
+allow bluetooth_helper_t xserver_log_t:file { getattr read };
+')
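Review bot: the final ifdef(`xserver.te') block, "allow bluetooth_helper_t xserver_log_t:dir search;" followed by "allow bluetooth_helper_t xserver_log_t:file { getattr read };", is an exact duplicate of the same block earlier in the file, just before the targeted_policy conditional; drop one copy. While here, "typeattribute bluetooth_helper_t unrestricted;" together with "r_dir_file(bluetooth_helper_t, domain)" is the same pattern apmd.te uses, but this file has no comment on it at all; say what the unrestricted attribute grants beyond the read access the r_dir_file line already provides, so the next reader does not have to chase the attribute through the macros.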
diff --git a/mls/domains/program/bonobo.te b/mls/domains/program/bonobo.te
new file mode 100644
index 0000000..c23f1d2
--- /dev/null
+++ b/mls/domains/program/bonobo.te
@@ -0,0 +1,9 @@
+# DESC - Bonobo Activation Server 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Type for executable
+type bonobo_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/bonobo_macros.te
diff --git a/mls/domains/program/bootloader.te b/mls/domains/program/bootloader.te
new file mode 100644
index 0000000..37e1c19
--- /dev/null
+++ b/mls/domains/program/bootloader.te
@@ -0,0 +1,167 @@
+#DESC Bootloader - Lilo boot loader/manager
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: lilo
+#
+
+#################################
+#
+# Rules for the bootloader_t domain.
+#
+# bootloader_exec_t is the type of the bootloader executable.
+#
+type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
+type bootloader_exec_t, file_type, sysadmfile, exec_type;
+etc_domain(bootloader)
+
+role sysadm_r types bootloader_t;
+role system_r types bootloader_t;
+
+allow bootloader_t var_t:dir search;
+create_append_log_file(bootloader_t, var_log_t)
+allow bootloader_t var_log_t:file write;
+
+# for nscd
+dontaudit bootloader_t var_run_t:dir search;
+
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
+')
+allow bootloader_t { initrc_t privfd }:fd use;
+
+tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
+
+read_locale(bootloader_t)
+
+# for tune2fs
+file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)
+
+# for /vmlinuz sym link
+allow bootloader_t root_t:lnk_file read;
+
+# lilo would need read access to get BIOS data
+allow bootloader_t proc_kcore_t:file getattr;
+
+allow bootloader_t { etc_t device_t }:dir r_dir_perms;
+allow bootloader_t etc_t:file r_file_perms;
+allow bootloader_t etc_t:lnk_file read;
+allow bootloader_t initctl_t:fifo_file getattr;
+uses_shlib(bootloader_t)
+
+ifdef(`distro_debian', `
+allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
+allow bootloader_t boot_t:file relabelfrom;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
+allow bootloader_t usr_t:lnk_file read;
+allow bootloader_t tmpfs_t:dir r_dir_perms;
+allow bootloader_t initrc_var_run_t:dir r_dir_perms;
+allow bootloader_t var_lib_t:dir search;
+allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
+allow bootloader_t dpkg_var_lib_t:file { getattr read };
+# for /usr/share/initrd-tools/scripts
+can_exec(bootloader_t, usr_t)
+')
+
+allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
+dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;
+allow bootloader_t device_t:lnk_file { getattr read };
+
+# LVM2 / Device Mapper's /dev/mapper/control
+# maybe we should change the labeling for this
+ifdef(`lvm.te', `
+allow bootloader_t lvm_control_t:chr_file rw_file_perms;
+domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
+allow lvm_t bootloader_tmp_t:file rw_file_perms;
+r_dir_file(bootloader_t, lvm_etc_t)
+')
+
+# uncomment the following line if you use "lilo -p"
+#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
+
+can_exec_any(bootloader_t)
+allow bootloader_t shell_exec_t:lnk_file read;
+allow bootloader_t { bin_t sbin_t }:dir search;
+allow bootloader_t { bin_t sbin_t }:lnk_file read;
+
+allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;
+allow bootloader_t modules_object_t:dir r_dir_perms;
+ifdef(`distro_redhat', `
+allow bootloader_t modules_object_t:lnk_file { getattr read };
+')
+
+# for ldd
+ifdef(`fsadm.te', `
+allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
+')
+ifdef(`modutil.te', `
+allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };
+')
+
+dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+
+allow bootloader_t boot_t:dir { create rw_dir_perms };
+allow bootloader_t boot_t:file create_file_perms;
+allow bootloader_t boot_t:lnk_file create_lnk_perms;
+
+allow bootloader_t load_policy_exec_t:file { getattr read };
+
+allow bootloader_t random_device_t:chr_file { getattr read };
+
+ifdef(`distro_redhat', `
+# for mke2fs
+domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
+allow mount_t bootloader_tmp_t:dir mounton;
+
+# new file system defaults to file_t, granting file_t access is still bad.
+allow bootloader_t file_t:dir create_dir_perms;
+allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
+allow bootloader_t file_t:lnk_file create_lnk_perms;
+allow bootloader_t self:unix_stream_socket create_socket_perms;
+allow bootloader_t boot_runtime_t:file { read getattr unlink };
+
+# for memlock
+allow bootloader_t zero_device_t:chr_file { getattr read };
+allow bootloader_t self:capability ipc_lock;
+')
+
+allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
+# allow bootloader to get attributes of any device node
+allow bootloader_t { device_type ttyfile }:chr_file getattr;
+allow bootloader_t device_type:blk_file getattr;
+dontaudit bootloader_t devpts_t:dir create_dir_perms;
+
+allow bootloader_t self:process { fork signal_perms };
+allow bootloader_t self:lnk_file read;
+allow bootloader_t self:dir search;
+allow bootloader_t self:file { getattr read };
+allow bootloader_t self:fifo_file rw_file_perms;
+
+allow bootloader_t fs_t:filesystem getattr;
+
+allow bootloader_t proc_t:dir { getattr search };
+allow bootloader_t proc_t:file r_file_perms;
+allow bootloader_t proc_t:lnk_file { getattr read };
+allow bootloader_t proc_mdstat_t:file r_file_perms;
+allow bootloader_t self:dir { getattr search read };
+read_sysctl(bootloader_t)
+allow bootloader_t etc_runtime_t:file r_file_perms;
+
+allow bootloader_t devtty_t:chr_file rw_file_perms;
+allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+allow bootloader_t initrc_t:fifo_file { read write };
+
+# for reading BIOS data
+allow bootloader_t memory_device_t:chr_file r_file_perms;
+
+allow bootloader_t policy_config_t:dir { search read };
+allow bootloader_t policy_config_t:file { getattr read };
+
+allow bootloader_t lib_t:file { getattr read };
+allow bootloader_t sysfs_t:dir getattr;
+allow bootloader_t urandom_device_t:chr_file read;
+allow bootloader_t { usr_t var_t }:file { getattr read };
+r_dir_file(bootloader_t, src_t)
+dontaudit bootloader_t selinux_config_t:dir search;
+dontaudit bootloader_t sysctl_t:dir search;
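Review bot: "allow bootloader_t var_log_t:file write;" directly after "create_append_log_file(bootloader_t, var_log_t)" undoes the append-only intent of the macro, giving the bootloader unrestricted write on every file of type var_log_t rather than on a log of its own; if it genuinely needs to rewrite a log, a dedicated bootloader log type would keep that away from the system logs. Two smaller points: "domain_auto_trans(bootloader_t, mount_exec_t, mount_t);" carries a trailing semicolon that no other macro call in this file has, and the distro_redhat block says in its own comment that granting file_t access "is still bad" and then grants create_dir_perms and create_file_perms on file_t anyway; since the file already uses file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file) for tune2fs, note why the freshly made filesystem cannot be labelled the same way.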
diff --git a/mls/domains/program/canna.te b/mls/domains/program/canna.te
new file mode 100644
index 0000000..feb4e52
--- /dev/null
+++ b/mls/domains/program/canna.te
@@ -0,0 +1,46 @@
+#DESC canna - A Japanese character set input system.
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the canna_t domain.
+#
+daemon_domain(canna)
+
+file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)
+
+logdir_domain(canna)
+var_lib_domain(canna)
+
+allow canna_t self:capability { setgid setuid net_bind_service };
+allow canna_t tmp_t:dir { search };
+allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
+allow canna_t self:unix_dgram_socket create_stream_socket_perms;
+allow canna_t etc_t:file { getattr read };
+allow canna_t usr_t:file { getattr read };
+
+allow canna_t proc_t:file r_file_perms;
+allow canna_t etc_runtime_t:file r_file_perms;
+allow canna_t canna_var_lib_t:dir create;
+
+rw_dir_create_file(canna_t, canna_var_lib_t)
+
+can_network_tcp(canna_t)
+allow canna_t port_type:tcp_socket name_connect;
+can_ypbind(canna_t)
+
+allow userdomain canna_var_run_t:dir search;
+allow userdomain canna_var_run_t:sock_file write;
+can_unix_connect(userdomain, canna_t)
+
+ifdef(`i18n_input.te', `
+allow i18n_input_t canna_var_run_t:dir search;
+allow i18n_input_t canna_var_run_t:sock_file write;
+can_unix_connect(i18n_input_t, canna_t)
+')
+
+dontaudit canna_t kernel_t:fd use;
+dontaudit canna_t root_t:file read;
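Review bot: "allow canna_t self:unix_dgram_socket create_stream_socket_perms;" applies stream permissions (listen, accept) to a datagram socket; every other file in this series uses create_socket_perms for unix_dgram_socket, so this should match. Also "allow canna_t port_type:tcp_socket name_connect;" is unconditional, letting the daemon connect to any TCP port, whereas apache.te puts the equivalent rule for httpd_suexec_t behind httpd_can_network_connect; either gate it behind a boolean or document which remote service canna needs and restrict the rule to that port type.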
diff --git a/mls/domains/program/cardmgr.te b/mls/domains/program/cardmgr.te
new file mode 100644
index 0000000..8f78988
--- /dev/null
+++ b/mls/domains/program/cardmgr.te
@@ -0,0 +1,90 @@
+#DESC Cardmgr - PCMCIA control programs
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: pcmcia-cs
+#
+
+#################################
+#
+# Rules for the cardmgr_t domain.
+#
+daemon_domain(cardmgr, `, privmodule')
+
+# for SSP
+allow cardmgr_t urandom_device_t:chr_file read;
+
+type cardctl_exec_t, file_type, sysadmfile, exec_type;
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
+')
+role sysadm_r types cardmgr_t;
+allow cardmgr_t admin_tty_type:chr_file { read write };
+
+allow cardmgr_t sysfs_t:dir search;
+allow cardmgr_t home_root_t:dir search;
+
+# Use capabilities (net_admin for route), setuid for cardctl
+allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+
+# for /etc/resolv.conf
+file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
+
+allow cardmgr_t etc_runtime_t:file { getattr read };
+
+allow cardmgr_t modules_object_t:dir search;
+allow cardmgr_t self:unix_dgram_socket create_socket_perms;
+allow cardmgr_t self:unix_stream_socket create_socket_perms;
+allow cardmgr_t self:fifo_file rw_file_perms;
+
+# Create stab file
+var_lib_domain(cardmgr)
+
+# for /var/lib/misc/pcmcia-scheme
+# would be better to have it in a different type if I knew how it was created..
+allow cardmgr_t var_lib_t:file { getattr read };
+
+# Create device files in /tmp.
+type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
+file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
+
+# Create symbolic links in /dev.
+type cardmgr_lnk_t, file_type, sysadmfile;
+file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
+
+# Run a shell, normal commands, /etc/pcmcia scripts. 
+can_exec_any(cardmgr_t)
+allow cardmgr_t etc_t:lnk_file read;
+
+# Run ifconfig.
+domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
+allow ifconfig_t cardmgr_t:fd use;
+
+allow cardmgr_t proc_t:file { getattr read ioctl };
+
+# Read /proc/PID directories for all domains (for fuser).
+can_ps(cardmgr_t, domain -unrestricted)
+dontaudit cardmgr_t unrestricted:dir search;
+
+allow cardmgr_t device_type:{ chr_file blk_file } getattr;
+allow cardmgr_t ttyfile:chr_file getattr;
+dontaudit cardmgr_t ptyfile:chr_file getattr;
+dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
+dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
+dontaudit cardmgr_t proc_kmsg_t:file getattr;
+
+allow cardmgr_t tty_device_t:chr_file rw_file_perms;
+
+ifdef(`apmd.te', `
+domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
+')
+
+ifdef(`hide_broken_symptoms', `
+dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
+dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
+')
+ifdef(`hald.te', `
+rw_dir_file(hald_t, cardmgr_var_run_t)
+allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
+')
+allow cardmgr_t device_t:lnk_file { getattr read };
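Review bot: The capability rule `allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };` grants far more than the comment above it justifies, which names only net_admin (for route) and setuid (for cardctl); sys_admin, dac_override, dac_read_search and mknod each deserve a one-line reason or should be dropped, and under an MLS policy dac_override in particular needs to be deliberate. `can_exec_any(cardmgr_t)` together with `file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, ...)` also means the domain can run anything and create device nodes in /tmp; if the /etc/pcmcia scripts are the only thing it needs to run, a dedicated exec type would be tighter. The "would be better to have it in a different type if I knew how it was created.." comment is an open question that should be recorded as a TODO rather than left as a shrug, and the "Run a shell, normal commands, /etc/pcmcia scripts." line carries trailing whitespace.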
diff --git a/mls/domains/program/cdrecord.te b/mls/domains/program/cdrecord.te
new file mode 100644
index 0000000..6460090
--- /dev/null
+++ b/mls/domains/program/cdrecord.te
@@ -0,0 +1,10 @@
+# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+
+# Type for the cdrecord excutable.
+type cdrecord_exec_t, file_type, sysadmfile, exec_type;
+
+# everything else is in the cdrecord_domain macros in
+# macros/program/cdrecord_macros.te.
+
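Review bot: Typo in the comment "Type for the cdrecord excutable." (should be "executable"), and the file ends with a stray empty line after the "macros/program/cdrecord_macros.te." comment; both are style only, the type declaration itself is consistent with the other `*_exec_t` declarations in this series.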
diff --git a/mls/domains/program/certwatch.te b/mls/domains/program/certwatch.te
new file mode 100644
index 0000000..2abb168
--- /dev/null
+++ b/mls/domains/program/certwatch.te
@@ -0,0 +1,11 @@
+#DESC certwatch - generate SSL certificate expiry warnings
+#
+# Domains for the certwatch process 
+# Authors:  Dan Walsh <dwalsh@redhat.com>,
+#
+application_domain(certwatch)
+role system_r types certwatch_t;
+r_dir_file(certwatch_t, cert_t)
+can_exec(certwatch_t, httpd_modules_t)
+system_crond_entry(certwatch_exec_t, certwatch_t)
+read_locale(certwatch_t) 
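Review bot: `can_exec(certwatch_t, httpd_modules_t)` lets a certificate-expiry checker execute anything labelled as an Apache module, with no comment saying which binary under that label it actually needs; either add the reason or give that binary its own exec type so the grant is not as wide as the whole httpd_modules_t label. Minor: the "Authors:" line ends in a dangling comma, the "Domains for the certwatch process" comment and the `read_locale(certwatch_t)` line carry trailing whitespace, and `#DESC` here has no space after the hash while cdrecord.te uses `# DESC`; pick one form for the series.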
diff --git a/mls/domains/program/checkpolicy.te b/mls/domains/program/checkpolicy.te
new file mode 100644
index 0000000..0cfa5a0
--- /dev/null
+++ b/mls/domains/program/checkpolicy.te
@@ -0,0 +1,64 @@
+#DESC Checkpolicy - SELinux policy compliler
+#
+# Authors:  Frank Mayer, mayerf@tresys.com
+# X-Debian-Packages: checkpolicy
+#
+
+###########################
+# 
+# checkpolicy_t is the domain type for checkpolicy
+# checkpolicy_exec_t if file type for the executable
+
+type checkpolicy_t, domain;
+role sysadm_r types checkpolicy_t;
+role system_r types checkpolicy_t;
+role secadm_r types checkpolicy_t;
+
+type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
+
+##########################
+# 
+# Rules
+
+domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
+
+# able to create and modify binary policy files
+allow checkpolicy_t policy_config_t:dir rw_dir_perms;
+allow checkpolicy_t policy_config_t:file create_file_perms;
+
+###########################
+# constrain what checkpolicy can use as source files
+#
+
+# only allow read of policy source files
+allow checkpolicy_t policy_src_t:dir r_dir_perms;
+allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
+
+# allow test policies to be created in src directories
+file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
+
+# directory search permissions for path to source and binary policy files
+allow checkpolicy_t root_t:dir search;
+allow checkpolicy_t etc_t:dir search;
+
+# Read the devpts root directory.  
+allow checkpolicy_t devpts_t:dir r_dir_perms;
+ifdef(`sshd.te',
+`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
+
+# Other access
+allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
+uses_shlib(checkpolicy_t)
+allow checkpolicy_t self:capability dac_override;
+
+##########################
+# Allow users to execute checkpolicy without a domain transition
+# so it can be used without privilege to write real binary policy file
+can_exec(unpriv_userdomain, checkpolicy_exec_t)
+
+allow checkpolicy_t { userdomain privfd }:fd use;
+
+allow checkpolicy_t fs_t:filesystem getattr;
+allow checkpolicy_t console_device_t:chr_file { read write };
+allow checkpolicy_t init_t:fd use;
+allow checkpolicy_t selinux_config_t:dir search;
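Review bot: `allow checkpolicy_t self:capability dac_override;` is tucked under "Other access" with no justification; the domain already has `r_file_perms` on policy_src_t and `create_file_perms` on policy_config_t, so a policy compiler running as root should not need to bypass DAC, and if some real path needs it the comment should say which. Documentation fixes in the same hunk: "SELinux policy compliler" should read "compiler", and "checkpolicy_exec_t if file type for the executable" should read "is the file type".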
diff --git a/mls/domains/program/chkpwd.te b/mls/domains/program/chkpwd.te
new file mode 100644
index 0000000..22ac7f2
--- /dev/null
+++ b/mls/domains/program/chkpwd.te
@@ -0,0 +1,18 @@
+#DESC Chkpwd - PAM password checking programs
+# X-Debian-Packages: libpam-modules
+#
+# Domains for the /sbin/.*_chkpwd utilities.
+#
+
+#
+# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables.
+#
+type chkpwd_exec_t, file_type, sysadmfile, exec_type;
+
+chkpwd_domain(system)
+dontaudit system_chkpwd_t privfd:fd use;
+role sysadm_r types system_chkpwd_t;
+in_user_role(system_chkpwd_t)
+
+# Everything else is in the chkpwd_domain macro in
+# macros/program/chkpwd_macros.te.
diff --git a/mls/domains/program/chroot.te b/mls/domains/program/chroot.te
new file mode 100644
index 0000000..8992c66
--- /dev/null
+++ b/mls/domains/program/chroot.te
@@ -0,0 +1,21 @@
+#DESC Chroot - Establish chroot environments
+#
+# Author: Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: 
+#
+type chroot_exec_t, file_type, sysadmfile, exec_type;
+
+# For a chroot environment named potato that can be entered from user_t (so
+# the user can run an old version of Debian in a chroot), with the possibility
+# of user_devpts_t or user_tty_device_t being the controlling tty type for
+# administration.  This also defines a mount_domain for the user (so they can
+# mount file systems).
+#chroot(user, potato)
+# For a chroot environment named apache that can be entered from initrc_t for
+# running a different version of apache.
+# initrc is a special case, uses the system_r role (usually appends "_r" to
+# the base name of the parent domain), and has sysadm_devpts_t and
+# sysadm_tty_device_t for the controlling terminal
+#chroot(initrc, apache)
+
+# the main code is in macros/program/chroot_macros.te
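Review bot: The `# X-Debian-Packages:` header is empty and carries trailing whitespace; either name the package (the other files in this series fill it in or omit the line) or drop it. The two commented-out `#chroot(user, potato)` and `#chroot(initrc, apache)` calls are useful as usage documentation for the macro, but it would be clearer to say explicitly that they are examples to uncomment rather than disabled policy.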
diff --git a/mls/domains/program/comsat.te b/mls/domains/program/comsat.te
new file mode 100644
index 0000000..cd0e3f9
--- /dev/null
+++ b/mls/domains/program/comsat.te
@@ -0,0 +1,20 @@
+#DESC comsat - biff server
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+# Depends: inetd.te
+#
+
+#################################
+#
+# Rules for the comsat_t domain.
+#
+# comsat_exec_t is the type of the comsat executable.
+#
+
+inetd_child_domain(comsat, udp)
+allow comsat_t initrc_var_run_t:file r_file_perms;
+dontaudit comsat_t initrc_var_run_t:file write;
+allow comsat_t mail_spool_t:dir r_dir_perms;
+allow comsat_t mail_spool_t:lnk_file read;
+allow comsat_t var_spool_t:dir search;
+dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
diff --git a/mls/domains/program/consoletype.te b/mls/domains/program/consoletype.te
new file mode 100644
index 0000000..b1cc126
--- /dev/null
+++ b/mls/domains/program/consoletype.te
@@ -0,0 +1,65 @@
+#DESC consoletype - determine the type of a console device
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: 
+#
+
+#################################
+#
+# Rules for the consoletype_t domain.
+#
+# consoletype_t is the domain for the consoletype program.
+# consoletype_exec_t is the type of the corresponding program.
+#
+type consoletype_t, domain, mlsfileread, mlsfilewrite;
+type consoletype_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types consoletype_t;
+
+uses_shlib(consoletype_t)
+general_domain_access(consoletype_t)
+
+ifdef(`targeted_policy', `', `
+domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
+
+ifdef(`xdm.te', `
+domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
+allow consoletype_t xdm_tmp_t:file { read write };
+')
+
+ifdef(`hotplug.te', `
+domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
+')
+')
+
+allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
+
+allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
+
+# Use capabilities.
+allow consoletype_t self:capability sys_admin;
+
+allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
+allow consoletype_t initrc_t:fifo_file write;
+allow consoletype_t nfs_t:file write;
+allow consoletype_t sysadm_t:fifo_file rw_file_perms;
+
+ifdef(`lpd.te', `
+allow consoletype_t printconf_t:file { getattr read };
+')
+
+ifdef(`pam.te', `
+allow consoletype_t pam_var_run_t:file { getattr read };
+')
+ifdef(`distro_redhat', `
+allow consoletype_t tmpfs_t:chr_file rw_file_perms;
+')
+ifdef(`firstboot.te', `
+allow consoletype_t firstboot_t:fifo_file write;
+')
+dontaudit consoletype_t proc_t:dir search;
+dontaudit consoletype_t proc_t:file read;
+dontaudit consoletype_t root_t:file read;
+allow consoletype_t crond_t:fifo_file { read getattr ioctl };
+allow consoletype_t system_crond_t:fd use;
+allow consoletype_t fs_t:filesystem getattr;
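Review bot: `type consoletype_t, domain, mlsfileread, mlsfilewrite;` gives a utility whose only job is to report what kind of console it is running on the attributes that exempt it from MLS file read and write constraints; unless a caller context in this hunk actually requires it (none of the `domain_auto_trans` callers here obviously do), drop both attributes. In the same hunk `allow consoletype_t nfs_t:file write;` and the bare `allow consoletype_t self:capability sys_admin;` under "Use capabilities." are unexplained; a comment naming the observed denial for each would let a later reviewer judge whether they still apply.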
diff --git a/mls/domains/program/cpucontrol.te b/mls/domains/program/cpucontrol.te
new file mode 100644
index 0000000..23a13b7
--- /dev/null
+++ b/mls/domains/program/cpucontrol.te
@@ -0,0 +1,17 @@
+#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+type cpucontrol_conf_t, file_type, sysadmfile;
+
+daemon_base_domain(cpucontrol)
+
+# Access cpu devices.
+allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
+allow cpucontrol_t device_t:lnk_file { getattr read };
+allow initrc_t cpu_device_t:chr_file getattr;
+
+allow cpucontrol_t self:capability sys_rawio;
+
+r_dir_file(cpucontrol_t, cpucontrol_conf_t)
diff --git a/mls/domains/program/cpuspeed.te b/mls/domains/program/cpuspeed.te
new file mode 100644
index 0000000..b80f705
--- /dev/null
+++ b/mls/domains/program/cpuspeed.te
@@ -0,0 +1,17 @@
+#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
+#
+# Authors:  Russell Coker <russell@coker.com.au>
+#           Thomas Bleher <ThomasBleher@gmx.de>
+#
+
+daemon_base_domain(cpuspeed)
+read_locale(cpuspeed_t)
+
+allow cpuspeed_t sysfs_t:dir search;
+allow cpuspeed_t sysfs_t:file rw_file_perms;
+allow cpuspeed_t proc_t:dir r_dir_perms;
+allow cpuspeed_t proc_t:file { getattr read };
+allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };
+
+allow cpuspeed_t self:process setsched;
+allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
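Review bot: The DESC line "cpuspeed - domain for microcode_ctl, powernowd, etc" overlaps with cpucontrol.te's "domain for microcode_ctl and other programs to control CPU" in the preceding hunk, and the rules disagree: only cpucontrol_t gets `cpu_device_t:chr_file rw_file_perms` and `sys_rawio`, which is what microcode loading needs, so microcode_ctl should be named in one file only. Also `allow cpuspeed_t sysfs_t:file rw_file_perms;` grants write to every file under sysfs; if the frequency-scaling attributes are the target, a comment saying so (or a narrower type) would help.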
diff --git a/mls/domains/program/crack.te b/mls/domains/program/crack.te
new file mode 100644
index 0000000..1706f6e
--- /dev/null
+++ b/mls/domains/program/crack.te
@@ -0,0 +1,48 @@
+#DESC Crack - Password cracking application
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: crack
+#
+
+#################################
+#
+# Rules for the crack_t domain.
+#
+# crack_exec_t is the type of the crack executable.
+#
+system_domain(crack)
+ifdef(`crond.te', `
+system_crond_entry(crack_exec_t, crack_t)
+')
+
+# for SSP
+allow crack_t urandom_device_t:chr_file read;
+
+type crack_db_t, file_type, sysadmfile, usercanread;
+allow crack_t var_t:dir search;
+rw_dir_create_file(crack_t, crack_db_t)
+
+allow crack_t device_t:dir search;
+allow crack_t devtty_t:chr_file rw_file_perms;
+allow crack_t self:fifo_file { read write getattr };
+
+tmp_domain(crack)
+
+# for dictionaries
+allow crack_t usr_t:file { getattr read };
+
+can_exec(crack_t, bin_t)
+allow crack_t { bin_t sbin_t }:dir search;
+
+allow crack_t self:process { fork signal_perms };
+
+allow crack_t proc_t:dir { read search };
+allow crack_t proc_t:file { read getattr };
+
+# read config files
+allow crack_t { etc_t etc_runtime_t }:file { getattr read };
+allow crack_t etc_t:dir r_dir_perms;
+
+allow crack_t fs_t:filesystem getattr;
+
+dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
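Review bot: `type crack_db_t, file_type, sysadmfile, usercanread;` makes the database that crack_t writes via `rw_dir_create_file(crack_t, crack_db_t)` readable by every user domain; the output of a password cracker is exactly the kind of file that should stay admin-only, so drop `usercanread` unless a specific consumer needs it, and say which. Smaller point: `can_exec(crack_t, bin_t)` plus `allow crack_t { bin_t sbin_t }:dir search;` would read better with a comment on which helper programs crack runs.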
diff --git a/mls/domains/program/crond.te b/mls/domains/program/crond.te
new file mode 100644
index 0000000..4649348
--- /dev/null
+++ b/mls/domains/program/crond.te
@@ -0,0 +1,214 @@
+#DESC Crond - Crond daemon
+#
+# Domains for the top-level crond daemon process and
+# for system cron jobs.  The domains for user cron jobs
+# are in macros/program/crond_macros.te.
+#
+# X-Debian-Packages: cron
+# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>,
+#	    Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
+#
+
+# NB The constraints file has some entries for crond_t, this makes it
+# different from all other domains...
+
+# Domain for crond.  It needs auth_chkpwd to check for locked accounts.
+daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')
+
+# This domain is granted permissions common to most domains (including can_net)
+general_domain_access(crond_t)
+
+# Type for the anacron executable.
+type anacron_exec_t, file_type, sysadmfile, exec_type;
+
+# Type for temporary files.
+tmp_domain(crond)
+
+crond_domain(system)
+
+allow system_crond_t proc_mdstat_t:file { getattr read };
+allow system_crond_t proc_t:lnk_file read;
+allow system_crond_t proc_t:filesystem getattr;
+allow system_crond_t usbdevfs_t:filesystem getattr;
+
+ifdef(`mta.te', `
+allow mta_user_agent system_crond_t:fd use;
+')
+
+# read files in /etc
+allow system_crond_t etc_t:file r_file_perms;
+allow system_crond_t etc_runtime_t:file { getattr read };
+
+allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
+
+read_locale(crond_t)
+
+# Use capabilities.
+allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
+dontaudit crond_t self:capability sys_resource;
+
+# Get security policy decisions.
+can_getsecurity(crond_t)
+
+# for finding binaries and /bin/sh
+allow crond_t { bin_t sbin_t }:dir search;
+allow crond_t { bin_t sbin_t }:lnk_file read;
+
+# Read from /var/spool/cron.
+allow crond_t var_lib_t:dir search;
+allow crond_t var_spool_t:dir r_dir_perms;
+allow crond_t cron_spool_t:dir r_dir_perms;
+allow crond_t cron_spool_t:file r_file_perms;
+
+# Read /etc/security/default_contexts.
+r_dir_file(crond_t, default_context_t)
+
+allow crond_t etc_t:file { getattr read };
+allow crond_t etc_t:lnk_file read;
+
+allow crond_t default_t:dir search;
+
+# crond tries to search /root.  Not sure why.
+allow crond_t sysadm_home_dir_t:dir r_dir_perms;
+
+# to search /home
+allow crond_t home_root_t:dir { getattr search };
+allow crond_t user_home_dir_type:dir r_dir_perms;
+
+# Run a shell.
+can_exec(crond_t, shell_exec_t)
+
+ifdef(`distro_redhat', `
+# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+# via redirection of standard out.
+ifdef(`rpm.te', `
+allow crond_t rpm_log_t: file create_file_perms;
+
+system_crond_entry(rpm_exec_t, rpm_t)
+allow system_crond_t rpm_log_t:file create_file_perms;
+#read ahead wants to read this
+allow initrc_t system_cron_spool_t:file { getattr read };
+')
+')
+
+allow system_crond_t var_log_t:file r_file_perms;
+
+
+# Set exec context.
+can_setexec(crond_t)
+
+# Transition to this domain for anacron as well.
+# Still need to study anacron.
+domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
+
+# Inherit and use descriptors from init for anacron.
+allow system_crond_t init_t:fd use;
+
+# Inherit and use descriptors from initrc for anacron.
+allow system_crond_t initrc_t:fd use;
+can_access_pty(system_crond_t, initrc)
+
+# Use capabilities.
+allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
+
+allow crond_t urandom_device_t:chr_file { getattr read };
+
+# Read the system crontabs.
+allow system_crond_t system_cron_spool_t:file r_file_perms;
+
+allow crond_t system_cron_spool_t:dir r_dir_perms;
+allow crond_t system_cron_spool_t:file r_file_perms;
+
+# Read from /var/spool/cron.
+allow system_crond_t cron_spool_t:dir r_dir_perms;
+allow system_crond_t cron_spool_t:file r_file_perms;
+
+# Write to /var/lib/slocate.db.
+allow system_crond_t var_lib_t:dir rw_dir_perms;
+allow system_crond_t var_lib_t:file create_file_perms;
+
+# Update whatis files.
+allow system_crond_t man_t:dir create_dir_perms;
+allow system_crond_t man_t:file create_file_perms;
+allow system_crond_t man_t:lnk_file read;
+
+# Write /var/lock/makewhatis.lock.
+lock_domain(system_crond)
+
+# for if /var/mail is a symlink
+allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
+allow crond_t mail_spool_t:dir search;
+
+ifdef(`mta.te', `
+r_dir_file(system_mail_t, crond_tmp_t)
+')
+
+# Stat any file and search any directory for find.
+allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
+allow system_crond_t device_type:{ chr_file blk_file } getattr;
+allow system_crond_t file_type:dir { read search getattr };
+
+# Create temporary files.
+type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
+file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
+
+# /sbin/runlevel ask for w access to utmp, but will operate
+# correctly without it.  Do not audit write denials to utmp.
+# /sbin/runlevel needs lock access however
+dontaudit system_crond_t initrc_var_run_t:file write;
+allow system_crond_t initrc_var_run_t:file { getattr read lock };
+
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
+allow system_crond_t var_spool_t:file create_file_perms;
+allow system_crond_t var_spool_t:dir rw_dir_perms;
+
+# Do not audit attempts to search unlabeled directories (e.g. slocate).
+dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
+dontaudit system_crond_t unlabeled_t:file r_file_perms;
+
+#
+# reading /var/spool/cron/mailman
+#
+allow crond_t var_spool_t:file { getattr read };
+allow system_crond_t devpts_t:filesystem getattr;
+allow system_crond_t sysfs_t:filesystem getattr;
+allow system_crond_t tmpfs_t:filesystem getattr;
+allow system_crond_t rpc_pipefs_t:filesystem getattr;
+
+#
+#  These rules are here to allow system cron jobs to su
+#
+ifdef(`su.te', `
+su_restricted_domain(system_crond,system)
+role system_r types system_crond_su_t;
+allow system_crond_su_t crond_t:fifo_file ioctl;
+')
+allow system_crond_t self:passwd rootok;
+#
+# prelink tells init to restart it self, we either need to allow or dontaudit
+#
+allow system_crond_t initctl_t:fifo_file write;
+dontaudit userdomain system_crond_t:fd use;
+
+r_dir_file(crond_t, selinux_config_t)
+
+# Allow system cron jobs to relabel filesystem for restoring file contexts.
+bool cron_can_relabel false;
+if (cron_can_relabel) {
+domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
+} else {
+r_dir_file(system_crond_t, file_context_t)
+can_getsecurity(system_crond_t)
+}
+dontaudit system_crond_t removable_t:filesystem getattr;
+#
+# Required for webalizer
+#
+dontaudit crond_t self:capability sys_tty_config;
+ifdef(`apache.te', `
+allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
+allow system_crond_t httpd_modules_t:lnk_file read;
+# Needed for certwatch
+can_exec(system_crond_t, httpd_modules_t)
+')
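Review bot: `allow crond_t sysadm_home_dir_t:dir r_dir_perms;` is justified only by "crond tries to search /root. Not sure why."; when the reason is unknown the conservative form is `dontaudit crond_t sysadm_home_dir_t:dir search;`, not a read grant on the administrator's home directory. Further points in this hunk: the "Write to /var/lib/slocate.db." rules grant `rw_dir_perms` and `create_file_perms` on all of var_lib_t rather than a dedicated type for the slocate database, `allow system_crond_t self:passwd rootok;` has no comment explaining which job needs it, and `allow crond_t rpm_log_t: file create_file_perms;` has a stray space after the colon that the rest of the series does not use.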
diff --git a/mls/domains/program/crontab.te b/mls/domains/program/crontab.te
new file mode 100644
index 0000000..48b5fcc
--- /dev/null
+++ b/mls/domains/program/crontab.te
@@ -0,0 +1,12 @@
+#DESC Crontab - Crontab manipulation programs
+#
+# Domains for the crontab program.
+#
+# X-Debian-Packages: cron
+#
+
+# Type for the crontab executable.
+type crontab_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the crontab_domain macro in
+# macros/program/crontab_macros.te.
diff --git a/mls/domains/program/cups.te b/mls/domains/program/cups.te
new file mode 100644
index 0000000..6bc5106
--- /dev/null
+++ b/mls/domains/program/cups.te
@@ -0,0 +1,321 @@
+#DESC Cups - Common Unix Printing System
+#
+# Created cups policy from lpd policy: Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
+# Depends: lpd.te lpr.te
+
+#################################
+#
+# Rules for the cupsd_t domain.
+#
+# cupsd_t is the domain of cupsd.
+# cupsd_exec_t is the type of the cupsd executable.
+#
+daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
+etcdir_domain(cupsd)
+type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
+
+can_network(cupsd_t)
+allow cupsd_t port_type:tcp_socket name_connect;
+logdir_domain(cupsd)
+
+tmp_domain(cupsd, `', { file dir fifo_file })
+
+allow cupsd_t devpts_t:dir search;
+
+allow cupsd_t device_t:lnk_file read;
+allow cupsd_t printer_device_t:chr_file rw_file_perms;
+allow cupsd_t urandom_device_t:chr_file { getattr read };
+dontaudit cupsd_t random_device_t:chr_file ioctl;
+
+# temporary solution, we need something better
+allow cupsd_t serial_device:chr_file rw_file_perms;
+
+r_dir_file(cupsd_t, usbdevfs_t)
+r_dir_file(cupsd_t, usbfs_t)
+
+ifdef(`logrotate.te', `
+domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
+')
+
+ifdef(`inetd.te', `
+allow inetd_t printer_port_t:tcp_socket name_bind;
+domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
+')
+
+# write to spool
+allow cupsd_t var_spool_t:dir search;
+
+# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
+file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, { dir file })
+allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
+allow cupsd_t cupsd_etc_t:file setattr;
+allow cupsd_t cupsd_etc_t:dir setattr;
+
+allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
+can_exec(cupsd_t, initrc_exec_t)
+allow cupsd_t proc_t:file r_file_perms;
+allow cupsd_t proc_t:dir r_dir_perms;
+allow cupsd_t self:file { getattr read };
+read_sysctl(cupsd_t)
+allow cupsd_t sysctl_dev_t:dir search;
+allow cupsd_t sysctl_dev_t:file { getattr read };
+
+# for /etc/printcap
+dontaudit cupsd_t etc_t:file write;
+
+# allow cups to execute its backend scripts
+can_exec(cupsd_t, cupsd_exec_t)
+allow cupsd_t cupsd_exec_t:dir search;
+allow cupsd_t cupsd_exec_t:lnk_file read;
+allow cupsd_t reserved_port_t:tcp_socket name_bind;
+dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
+
+allow cupsd_t self:unix_stream_socket create_socket_perms;
+allow cupsd_t self:unix_dgram_socket create_socket_perms;
+allow cupsd_t self:fifo_file rw_file_perms;
+
+# Use capabilities.
+allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
+dontaudit cupsd_t self:capability net_admin;
+
+#
+# /usr/lib/cups/backend/serial needs sys_admin
+# Need new context to run under???
+allow cupsd_t self:capability sys_admin;
+
+allow cupsd_t self:process setsched;
+
+# for /var/lib/defoma
+allow cupsd_t var_lib_t:dir search;
+r_dir_file(cupsd_t, readable_t)
+
+# Bind to the cups/ipp port (631).
+allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
+
+can_tcp_connect(web_client_domain, cupsd_t)
+can_tcp_connect(cupsd_t, cupsd_t)
+
+# Send to portmap.
+ifdef(`portmap.te', `
+can_udp_send(cupsd_t, portmap_t)
+can_udp_send(portmap_t, cupsd_t)
+')
+
+# Write to /var/spool/cups.
+allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
+allow cupsd_t print_spool_t:file create_file_perms;
+allow cupsd_t print_spool_t:file rw_file_perms;
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+allow cupsd_t { bin_t sbin_t }:dir { search getattr };
+allow cupsd_t bin_t:lnk_file read;
+can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
+
+# They will also invoke ghostscript, which needs to read fonts
+read_fonts(cupsd_t)
+
+# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
+allow cupsd_t lib_t:file { read getattr };
+
+# read python modules
+allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
+
+#
+# lots of errors generated requiring the following
+#
+allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
+
+#
+# Satisfy readahead
+#
+allow initrc_t cupsd_log_t:file { getattr read };
+r_dir_file(cupsd_t, var_t)
+
+r_dir_file(cupsd_t, usercanread)
+ifdef(`samba.te', `
+rw_dir_file(cupsd_t, samba_var_t)
+allow smbd_t cupsd_etc_t:dir search;
+')
+
+ifdef(`pam.te', `
+dontaudit cupsd_t pam_var_run_t:file { getattr read };
+')
+dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
+# PTAL
+daemon_domain(ptal)
+etcdir_domain(ptal)
+
+file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
+allow ptal_t self:capability { chown sys_rawio };
+allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+allow ptal_t self:unix_stream_socket { listen accept };
+can_network_server_tcp(ptal_t)
+allow ptal_t ptal_port_t:tcp_socket name_bind;
+allow userdomain ptal_t:unix_stream_socket connectto;
+allow userdomain ptal_var_run_t:sock_file write;
+allow userdomain ptal_var_run_t:dir search;
+allow ptal_t self:fifo_file rw_file_perms;
+allow ptal_t device_t:dir read;
+allow ptal_t printer_device_t:chr_file rw_file_perms;
+allow initrc_t printer_device_t:chr_file getattr;
+allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
+r_dir_file(ptal_t, usbdevfs_t)
+rw_dir_file(ptal_t, usbfs_t)
+allow cupsd_t ptal_var_run_t:sock_file { write setattr };
+allow cupsd_t ptal_t:unix_stream_socket connectto;
+allow cupsd_t ptal_var_run_t:dir search;
+dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
+
+allow initrc_t ptal_var_run_t:dir rmdir;
+allow initrc_t ptal_var_run_t:fifo_file unlink;
+
+
+# HPLIP
+daemon_domain(hplip)
+etcdir_domain(hplip)
+allow hplip_t etc_t:file r_file_perms;
+allow hplip_t etc_runtime_t:file { read getattr };
+allow hplip_t printer_device_t:chr_file rw_file_perms;
+allow cupsd_t hplip_var_run_t:file { read getattr };
+allow hplip_t cupsd_etc_t:dir search;
+can_network(hplip_t)
+allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
+allow hplip_t hplip_port_t:tcp_socket name_bind;
+
+# Uses networking to talk to the daemons
+allow hplip_t self:unix_dgram_socket create_socket_perms;
+allow hplip_t self:unix_stream_socket create_socket_perms;
+allow hplip_t self:rawip_socket create_socket_perms;
+
+# for python
+can_exec(hplip_t, bin_t)
+allow hplip_t { sbin_t bin_t }:dir search;
+allow hplip_t self:file { getattr read };
+allow hplip_t proc_t:file r_file_perms;
+allow hplip_t urandom_device_t:chr_file { getattr read };
+allow hplip_t usr_t:{ file lnk_file } r_file_perms;
+allow hplip_t devpts_t:dir search;
+allow hplip_t devpts_t:chr_file { getattr ioctl };
+
+
+dontaudit cupsd_t selinux_config_t:dir search;
+dontaudit cupsd_t selinux_config_t:file { getattr read };
+
+allow cupsd_t printconf_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, cupsd)
+allow cupsd_t system_dbusd_t:dbus send_msg;
+allow cupsd_t userdomain:dbus send_msg;
+')
+
+# CUPS configuration daemon
+daemon_domain(cupsd_config, `, nscd_client_domain')
+
+allow cupsd_config_t devpts_t:dir search;
+allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
+
+ifdef(`distro_redhat', `
+ifdef(`rpm.te', `
+allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
+allow cupsd_config_t rpm_var_lib_t:file { getattr read };
+')
+allow cupsd_config_t initrc_exec_t:file getattr;
+')dnl end distro_redhat
+
+allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
+allow cupsd_config_t self:file { getattr read };
+
+allow cupsd_config_t proc_t:file { getattr read };
+allow cupsd_config_t cupsd_var_run_t:file { getattr read };
+allow cupsd_config_t cupsd_t:process { signal };
+allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
+can_ps(cupsd_config_t, cupsd_t)
+
+allow cupsd_config_t self:capability { chown sys_tty_config };
+
+rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
+rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
+file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
+allow cupsd_config_t var_t:lnk_file read;
+
+can_network_tcp(cupsd_config_t)
+can_ypbind(cupsd_config_t)
+allow cupsd_config_t port_type:tcp_socket name_connect;
+can_tcp_connect(cupsd_config_t, cupsd_t)
+allow cupsd_config_t self:fifo_file rw_file_perms;
+
+allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+ifdef(`dbusd.te', `
+dbusd_client(system, cupsd_config)
+allow cupsd_config_t userdomain:dbus send_msg;
+allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
+allow userdomain cupsd_config_t:dbus send_msg;
+')dnl end if dbusd.te
+
+ifdef(`hald.te', `
+
+ifdef(`dbusd.te', `
+allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
+allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
+')dnl end if dbusd.te
+
+allow hald_t cupsd_config_t:process signal;
+domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
+
+') dnl end if hald.te
+
+
+can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
+ifdef(`hostname.te', `
+can_exec(cupsd_t, hostname_exec_t)
+can_exec(cupsd_config_t, hostname_exec_t)
+')
+allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
+allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
+# killall causes the following
+dontaudit cupsd_config_t domain:dir { getattr search };
+dontaudit cupsd_config_t selinux_config_t:dir search;
+
+can_exec(cupsd_config_t, cupsd_config_exec_t) 
+
+allow cupsd_config_t usr_t:file { getattr read };
+allow cupsd_config_t var_lib_t:dir { getattr search };
+allow cupsd_config_t rpm_var_lib_t:file { getattr read };
+allow cupsd_config_t printconf_t:file { getattr read };
+
+allow cupsd_config_t urandom_device_t:chr_file { getattr read };
+
+ifdef(`logrotate.te', `
+allow cupsd_config_t logrotate_t:fd use;
+')dnl end if logrotate.te
+allow cupsd_config_t system_crond_t:fd use;
+allow cupsd_config_t crond_t:fifo_file r_file_perms;
+allow cupsd_t crond_t:fifo_file read;
+allow cupsd_t crond_t:fd use;
+
+# Alternatives asks for this
+allow cupsd_config_t initrc_exec_t:file getattr;
+ifdef(`targeted_policy', `
+can_unix_connect(cupsd_t, initrc_t)
+allow cupsd_t initrc_t:dbus send_msg;
+allow initrc_t cupsd_t:dbus send_msg;
+allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
+allow unconfined_t cupsd_config_t:dbus send_msg;
+allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
+')
+typealias printer_port_t alias cupsd_lpd_port_t;
+inetd_child_domain(cupsd_lpd)
+allow inetd_t printer_port_t:tcp_socket name_bind;
+r_dir_file(cupsd_lpd_t, cupsd_etc_t)
+r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
+allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
+ifdef(`use_mcs', `
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
+')
+
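Review bot: `allow cupsd_config_t rpm_var_lib_t:file { getattr read };` near the end of the hunk references rpm_var_lib_t outside any `ifdef(`rpm.te'` guard, while the same grant earlier in the file sits inside `ifdef(`distro_redhat', ifdef(`rpm.te'`; a build without rpm.te will fail on the undefined type, and the line is redundant with the guarded one, so delete it. The same pattern affects `inetd_child_domain(cupsd_lpd)` and `allow inetd_t printer_port_t:tcp_socket name_bind;` at the end, which are unguarded although the earlier inetd_t rule is wrapped in `ifdef(`inetd.te'`. Separately, `can_exec(cupsd_t, initrc_exec_t)` runs init scripts inside cupsd_t with no comment, and the hunk's own comments admit problems ("allowing setattr access to cupsd_etc_t is wrong", "Need new context to run under???" above the sys_admin grant); those should at least be marked TODO so they are not mistaken for settled policy. Trailing whitespace on `can_exec(cupsd_config_t, cupsd_config_exec_t) ` and on `') dnl end if hald.te`.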
diff --git a/mls/domains/program/cvs.te b/mls/domains/program/cvs.te
new file mode 100644
index 0000000..503c809
--- /dev/null
+++ b/mls/domains/program/cvs.te
@@ -0,0 +1,30 @@
+#DESC cvs - Concurrent Versions System
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the cvs_t domain.
+#
+# cvs_exec_t is the type of the cvs executable.
+#
+
+inetd_child_domain(cvs, tcp)
+typeattribute cvs_t privmail;
+typeattribute cvs_t auth_chkpwd;
+
+type cvs_data_t, file_type, sysadmfile, customizable;
+create_dir_file(cvs_t, cvs_data_t)
+can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
+allow cvs_t bin_t:dir search;
+allow cvs_t { bin_t sbin_t }:lnk_file read;
+allow cvs_t etc_runtime_t:file { getattr read };
+allow system_mail_t cvs_data_t:file { getattr read };
+dontaudit cvs_t devtty_t:chr_file { read write };
+ifdef(`kerberos.te', `
+# Allow kerberos to work
+allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
+dontaudit cvs_t krb5_conf_t:file write;
+')
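Review bot: `allow system_mail_t cvs_data_t:file { getattr read };` references system_mail_t without an `ifdef(`mta.te'` guard, whereas crond.te in this same series wraps its system_mail_t rule in `ifdef(`mta.te'`; guard it the same way so the file builds when mta.te is absent. Also, `can_exec(cvs_t, { bin_t sbin_t shell_exec_t })` for a network-facing inetd child that also carries `auth_chkpwd` and `privmail` deserves a comment on why a shell is needed (commit hooks, presumably), since it is the widest grant in the file.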
diff --git a/mls/domains/program/cyrus.te b/mls/domains/program/cyrus.te
new file mode 100644
index 0000000..13b2f66
--- /dev/null
+++ b/mls/domains/program/cyrus.te
@@ -0,0 +1,60 @@
+#DESC cyrus-imapd
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com>
+#
+
+# cyrusd_exec_t is the type of the cyrusd executable.
+# cyrusd_key_t is the type of the cyrus private key files
+daemon_domain(cyrus)
+
+general_domain_access(cyrus_t)
+file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
+
+type cyrus_var_lib_t, file_type, sysadmfile;
+
+allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+allow cyrus_t self:process setrlimit;
+
+can_network(cyrus_t)
+allow cyrus_t port_type:tcp_socket name_connect;
+can_ypbind(cyrus_t)
+can_exec(cyrus_t, bin_t)
+allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
+allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
+allow cyrus_t etc_t:file { getattr read };
+allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
+read_locale(cyrus_t)
+read_sysctl(cyrus_t)
+tmp_domain(cyrus)
+allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
+allow cyrus_t proc_t:dir search;
+allow cyrus_t proc_t:file { getattr read };
+allow cyrus_t sysadm_devpts_t:chr_file { read write };
+
+allow cyrus_t var_lib_t:dir search;
+
+allow cyrus_t etc_runtime_t:file { read getattr };
+ifdef(`crond.te', `
+system_crond_entry(cyrus_exec_t, cyrus_t)
+allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
+allow system_crond_t cyrus_var_lib_t:file create_file_perms;
+')
+create_dir_file(cyrus_t, mail_spool_t)
+allow cyrus_t var_spool_t:dir search;
+
+ifdef(`saslauthd.te', `
+allow cyrus_t saslauthd_var_run_t:dir search;
+allow cyrus_t saslauthd_var_run_t:sock_file { read write };
+allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
+')
+
+r_dir_file(cyrus_t, cert_t)
+allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
+
+ifdef(`postfix.te', `
+allow postfix_master_t cyrus_t:unix_stream_socket connectto;
+allow postfix_master_t var_lib_t:dir search;
+allow postfix_master_t cyrus_var_lib_t:dir search;
+allow postfix_master_t cyrus_var_lib_t:sock_file write;
+')
+
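Review bot: the header comment names cyrusd_exec_t and cyrusd_key_t, but daemon_domain(cyrus) creates cyrus_exec_t and no key type is declared anywhere in the file; fix the comment, or declare the key type it promises (as written, private keys can only live under cert_t, the one certificate type cyrus_t can read via r_dir_file(cyrus_t, cert_t)). Two rules also need a justifying comment: "allow cyrus_t port_type:tcp_socket name_connect;" lets the IMAP server connect to every labelled tcp port instead of the few it needs, and "allow cyrus_t sysadm_devpts_t:chr_file { read write };" gives a network daemon read/write on the administrator's pty, which is usually a dontaudit for the started-by-hand case rather than an allow.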
diff --git a/mls/domains/program/dbskkd.te b/mls/domains/program/dbskkd.te
new file mode 100644
index 0000000..e75d90b
--- /dev/null
+++ b/mls/domains/program/dbskkd.te
@@ -0,0 +1,14 @@
+#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the dbskkd_t domain.
+#
+# dbskkd_exec_t is the type of the dbskkd executable.
+#
+# Depends: inetd.te
+
+inetd_child_domain(dbskkd)
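Review bot: inetd_child_domain(dbskkd) omits the protocol argument that cvs.te in this same patch passes as inetd_child_domain(cvs, tcp); if that second argument is what lets inetd_t bind the domain's port, dbskkd's port binding is silently skipped here, so either pass tcp explicitly or add a comment that the bare form is intended. Minor: the "# Depends: inetd.te" line sits under the rules banner instead of in the header block where the other files put it.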
diff --git a/mls/domains/program/dbusd.te b/mls/domains/program/dbusd.te
new file mode 100644
index 0000000..acad4de
--- /dev/null
+++ b/mls/domains/program/dbusd.te
@@ -0,0 +1,27 @@
+#DESC dbus-daemon-1 server for dbus desktop bus protocol
+#
+# Author:  Russell Coker <russell@coker.com.au>
+
+dbusd_domain(system)
+
+allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
+
+ifdef(`pamconsole.te', `
+r_dir_file(system_dbusd_t, pam_var_console_t)
+')
+
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+allow system_dbusd_t self:capability { dac_override setgid setuid };
+nsswitch_domain(system_dbusd_t)
+
+# I expect we need more than this
+
+allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
+allow initrc_t system_dbusd_t:unix_stream_socket connectto;
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+
+can_exec(system_dbusd_t, sbin_t)
+allow system_dbusd_t self:fifo_file { read write };
+allow system_dbusd_t self:unix_stream_socket connectto;
+allow system_dbusd_t self:unix_stream_socket connectto;
+allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
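Review bot: "allow system_dbusd_t self:unix_stream_socket connectto;" appears twice in a row near the end of the hunk; drop the duplicate. The "# I expect we need more than this" comment should either go or be replaced by what is actually known to be missing, and can_exec(system_dbusd_t, sbin_t) deserves a comment naming the helper the message bus launches, since an execute-without-transition into sbin_t from a system bus is not something a reviewer can judge without knowing the target.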
diff --git a/mls/domains/program/ddcprobe.te b/mls/domains/program/ddcprobe.te
new file mode 100644
index 0000000..4087126
--- /dev/null
+++ b/mls/domains/program/ddcprobe.te
@@ -0,0 +1,42 @@
+#DESC ddcprobe - output ddcprobe results from kudzu
+#
+# Author: dan walsh <dwalsh@redhat.com>
+#
+
+type ddcprobe_t, domain, privmem;
+type ddcprobe_exec_t, file_type, exec_type, sysadmfile;
+
+# Allow execution by the sysadm
+role sysadm_r types ddcprobe_t;
+role system_r types ddcprobe_t;
+domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)
+
+uses_shlib(ddcprobe_t)
+
+# Allow terminal access
+access_terminal(ddcprobe_t, sysadm)
+
+# Allow ddcprobe to read /dev/mem
+allow ddcprobe_t memory_device_t:chr_file read;
+allow ddcprobe_t memory_device_t:chr_file { execute write };
+allow ddcprobe_t self:process execmem;
+allow ddcprobe_t zero_device_t:chr_file { execute read };
+
+allow ddcprobe_t proc_t:dir search;
+allow ddcprobe_t proc_t:file { getattr read };
+can_exec(ddcprobe_t, sbin_t)
+allow ddcprobe_t user_tty_type:chr_file rw_file_perms;
+allow ddcprobe_t userdomain:fd use;
+read_sysctl(ddcprobe_t)
+allow ddcprobe_t urandom_device_t:chr_file { getattr read };
+allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms;
+allow ddcprobe_t self:capability { sys_rawio sys_admin };
+
+allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read };
+allow ddcprobe_t kudzu_exec_t:file getattr;
+allow ddcprobe_t lib_t:file { getattr read };
+read_locale(ddcprobe_t)
+allow ddcprobe_t modules_object_t:dir search;
+allow ddcprobe_t modules_dep_t:file { getattr read };
+allow ddcprobe_t usr_t:file { getattr read };
+allow ddcprobe_t kernel_t:system syslog_console;
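Review bot: the comment "# Allow ddcprobe to read /dev/mem" is immediately followed by "allow ddcprobe_t memory_device_t:chr_file { execute write };" and "allow ddcprobe_t self:process execmem;", so the domain gets write and execute on /dev/mem on top of sys_rawio and sys_admin, which makes ddcprobe_t equivalent to the kernel rather than a reader. Either the write/execute rules are required by the probe (then the comment must say so; the dmidecode.te hunk in this patch shows the read-only shape to compare against) or they should be dropped. Also "role system_r types ddcprobe_t;" is declared while the only transition is from sysadm_t and kudzu_exec_t only gets getattr; if initrc_t or kudzu is meant to run it, the domain_auto_trans is missing, and if not, the system_r line is dead.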
diff --git a/mls/domains/program/dhcpc.te b/mls/domains/program/dhcpc.te
new file mode 100644
index 0000000..83cbe81
--- /dev/null
+++ b/mls/domains/program/dhcpc.te
@@ -0,0 +1,169 @@
+#DESC DHCPC - DHCP client
+#
+# Authors:  Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: pump dhcp-client udhcpc
+#
+
+#################################
+#
+# Rules for the dhcpc_t domain.
+#
+# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP 
+# network configurator daemon started by /etc/sysconfig/network-scripts 
+# rc scripts, runs in this domain.
+# dhcpc_exec_t is the type of the dhcpcd executable.
+# The dhcpc_t can be used for other DHCPC related files as well.
+#
+daemon_domain(dhcpc)
+
+# for SSP
+allow dhcpc_t urandom_device_t:chr_file read;
+
+can_network(dhcpc_t)
+allow dhcpc_t port_type:tcp_socket name_connect;
+can_ypbind(dhcpc_t)
+allow dhcpc_t self:unix_dgram_socket create_socket_perms;
+allow dhcpc_t self:unix_stream_socket create_socket_perms;
+allow dhcpc_t self:fifo_file rw_file_perms;
+
+allow dhcpc_t devpts_t:dir search;
+
+# for localization
+allow dhcpc_t lib_t:file { getattr read };
+
+ifdef(`consoletype.te', `
+domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
+')
+ifdef(`nscd.te', `
+domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
+allow dhcpc_t nscd_var_run_t:file { getattr read };
+')
+ifdef(`cardmgr.te', `
+domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
+allow cardmgr_t dhcpc_var_run_t:file { getattr read };
+allow cardmgr_t dhcpc_t:process signal_perms;
+allow cardmgr_t dhcpc_var_run_t:file unlink;
+allow dhcpc_t cardmgr_dev_t:chr_file { read write };
+')
+ifdef(`hotplug.te', `
+domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
+allow hotplug_t dhcpc_t:process signal_perms;
+allow hotplug_t dhcpc_var_run_t:file { getattr read };
+allow hotplug_t dhcp_etc_t:file rw_file_perms;
+allow dhcpc_t hotplug_etc_t:dir { getattr search };
+ifdef(`distro_redhat', `
+domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
+')
+')dnl end hotplug.te
+
+# for the dhcp client to run ping to check IP addresses
+ifdef(`ping.te', `
+domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
+ifdef(`hotplug.te', `
+allow ping_t hotplug_t:fd use;
+') dnl end if hotplug
+ifdef(`cardmgr.te', `
+allow ping_t cardmgr_t:fd use;
+') dnl end if cardmgr
+', `
+allow dhcpc_t self:capability setuid;
+allow dhcpc_t self:rawip_socket create_socket_perms;
+') dnl end if ping
+
+ifdef(`dhcpd.te', `', `
+type dhcp_state_t, file_type, sysadmfile;
+type dhcp_etc_t, file_type, sysadmfile, usercanread; 
+')
+type dhcpc_state_t, file_type, sysadmfile;
+
+allow dhcpc_t etc_t:lnk_file read;
+allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
+allow dhcpc_t proc_net_t:dir search;
+allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
+allow dhcpc_t self:file { getattr read };
+read_sysctl(dhcpc_t)
+allow dhcpc_t userdomain:fd use;
+ifdef(`run_init.te', `
+allow dhcpc_t run_init_t:fd use;
+')
+
+# Use capabilities
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
+
+# for access("/etc/bashrc", X_OK) on Red Hat
+dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+
+# for udp port 68
+allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
+
+# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
+# in /etc created by dhcpcd will be labelled net_conf_t.
+file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
+
+# Allow access to the dhcpc file types
+r_dir_file(dhcpc_t, dhcp_etc_t)
+allow dhcpc_t sbin_t:dir search;
+can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
+ifdef(`distro_redhat', `
+can_exec(dhcpc_t, etc_t)
+allow initrc_t dhcp_etc_t:file rw_file_perms;
+')
+ifdef(`ifconfig.te', `
+domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+
+tmp_domain(dhcpc)
+
+# Allow dhcpc_t to use packet sockets
+allow dhcpc_t self:packet_socket create_socket_perms;
+allow dhcpc_t var_lib_t:dir search;
+file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+rw_dir_create_file(dhcpc_t, dhcpc_state_t)
+allow dhcpc_t dhcp_state_t:file { getattr read };
+
+allow dhcpc_t bin_t:dir { getattr search };
+allow dhcpc_t bin_t:lnk_file read;
+can_exec(dhcpc_t, { bin_t shell_exec_t })
+
+ifdef(`hostname.te', `
+domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
+')
+dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
+allow dhcpc_t { userdomain kernel_t }:fd use;
+
+allow dhcpc_t home_root_t:dir search;
+allow initrc_t dhcpc_state_t:file { getattr read };
+dontaudit dhcpc_t var_lock_t:dir search;
+allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit dhcpc_t domain:dir getattr;
+allow dhcpc_t initrc_var_run_t:file rw_file_perms;
+#
+# dhclient sometimes starts ypbind and ntdp
+#
+can_exec(dhcpc_t, initrc_exec_t)
+ifdef(`ypbind.te', `
+domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
+allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
+allow dhcpc_t ypbind_t:process signal;
+')
+ifdef(`ntpd.te', `
+domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
+')
+role sysadm_r types dhcpc_t;
+domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
+ifdef(`dbusd.te', `
+dbusd_client(system, dhcpc)
+domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
+allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow dhcpc_t self:dbus send_msg;
+allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
+allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
+ifdef(`unconfined.te', `
+allow unconfined_t dhcpc_t:dbus send_msg;
+allow dhcpc_t unconfined_t:dbus send_msg;
+')dnl end ifdef unconfined.te
+')
+ifdef(`netutils.te', `domain_auto_trans(dhcpc_t, netutils_exec_t, netutils_t)')
+allow dhcpc_t locale_t:file write;
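Review bot: "allow dhcpc_t locale_t:file write;" on the last line has no comment and lets a client that talks to untrusted networks modify locale data; if it only silences a spurious denial it should be a dontaudit, and if a real write is needed the reason belongs in a comment. Two other lines widen the domain without explanation: "allow dhcpc_t port_type:tcp_socket name_connect;" gives a client whose only documented port need is "# for udp port 68" the ability to connect to any labelled tcp port, and can_exec(dhcpc_t, initrc_exec_t) under "# dhclient sometimes starts ypbind and ntdp" (typo for ntpd) runs init scripts inside dhcpc_t instead of transitioning to initrc_t, so whatever those scripts do inherits dhcpc_t's net_admin, net_raw and dac_override capabilities.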
diff --git a/mls/domains/program/dhcpd.te b/mls/domains/program/dhcpd.te
new file mode 100644
index 0000000..137fbbf
--- /dev/null
+++ b/mls/domains/program/dhcpd.te
@@ -0,0 +1,79 @@
+#DESC DHCPD - DHCP server
+#
+# Author: Russell Coker <russell@coker.com.au> 
+# based on the dhcpc_t policy from:
+#          Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
+# X-Debian-Packages: dhcp dhcp3-server 
+#
+
+#################################
+#
+# Rules for the dhcpd_t domain.
+#
+# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP 
+# server daemon rc scripts, runs in this domain.
+# dhcpd_exec_t is the type of the dhcpdd executable.
+# The dhcpd_t can be used for other DHCPC related files as well.
+#
+daemon_domain(dhcpd, `, nscd_client_domain')
+
+# for UDP port 4011
+allow dhcpd_t pxe_port_t:udp_socket name_bind;
+
+type dhcp_etc_t, file_type, sysadmfile, usercanread;
+
+# Use the network.
+can_network(dhcpd_t)
+allow dhcpd_t port_type:tcp_socket name_connect;
+allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
+can_ypbind(dhcpd_t)
+allow dhcpd_t self:unix_dgram_socket create_socket_perms;
+allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow dhcpd_t var_lib_t:dir search;
+
+allow dhcpd_t devtty_t:chr_file { read write };
+
+# Use capabilities
+allow dhcpd_t self:capability { net_raw net_bind_service };
+dontaudit dhcpd_t self:capability  net_admin;
+
+# Allow access to the dhcpd file types
+type dhcp_state_t, file_type, sysadmfile;
+type dhcpd_state_t, file_type, sysadmfile;
+allow dhcpd_t dhcp_etc_t:file { read getattr };
+allow dhcpd_t dhcp_etc_t:dir search;
+file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
+rw_dir_create_file(dhcpd_t, dhcpd_state_t)
+
+allow dhcpd_t etc_t:lnk_file read;
+allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
+
+# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
+can_exec(dhcpd_t, { dhcpd_exec_t bin_t })
+
+# Allow dhcpd_t to use packet sockets
+allow dhcpd_t self:packet_socket create_socket_perms;
+allow dhcpd_t self:rawip_socket create_socket_perms;
+
+# allow to run utilities and scripts
+allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
+allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
+allow dhcpd_t self:fifo_file { read write getattr };
+
+# allow reading /proc
+allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
+tmp_domain(dhcpd)
+
+ifdef(`distro_gentoo', `
+allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+allow initrc_t dhcpd_state_t:file setattr;
+')
+r_dir_file(dhcpd_t, usr_t)
+allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+
+ifdef(`named.te', `
+allow dhcpd_t { named_conf_t named_zone_t }:dir search;
+allow dhcpd_t dnssec_t:file { getattr read };
+')
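Review bot: the header comment was copied from dhcpc.te and still reads "the DHCP server daemon rc scripts, runs in this domain", "dhcpdd executable" and "other DHCPC related files"; rewrite it for the server. On the rules, "allow dhcpd_t port_type:tcp_socket name_connect;" lets the server connect to every labelled tcp port, while the only outbound-related access visible in the hunk is the named.te block (search on named_conf_t/named_zone_t and read on dnssec_t); restrict name_connect to the port types actually used. The distro_gentoo block's "{ chown dac_override setgid setuid sys_chroot }" is a much larger capability set than the rest of the file tolerates (compare the deliberate "dontaudit dhcpd_t self:capability net_admin;"), so a comment on why Gentoo's startup needs each of them would help.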
diff --git a/mls/domains/program/dictd.te b/mls/domains/program/dictd.te
new file mode 100644
index 0000000..d610d07
--- /dev/null
+++ b/mls/domains/program/dictd.te
@@ -0,0 +1,48 @@
+#DESC Dictd - Dictionary daemon
+#
+# Authors:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: dictd
+#
+
+#################################
+#
+# Rules for the dictd_t domain.
+#
+# dictd_exec_t is the type of the dictd executable.
+#
+daemon_base_domain(dictd)
+type dictd_var_lib_t, file_type, sysadmfile;
+typealias dictd_var_lib_t alias var_lib_dictd_t;
+etc_domain(dictd)
+
+# for checking for nscd
+dontaudit dictd_t var_run_t:dir search;
+
+# read config files
+allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
+
+read_locale(dictd_t)
+
+allow dictd_t { var_t var_lib_t }:dir search;
+allow dictd_t dictd_var_lib_t:dir r_dir_perms;
+allow dictd_t dictd_var_lib_t:file r_file_perms;
+
+allow dictd_t self:capability { setuid setgid };
+
+allow dictd_t usr_t:file r_file_perms;
+
+allow dictd_t self:process { setpgid fork sigchld };
+
+allow dictd_t proc_t:file r_file_perms;
+
+allow dictd_t dict_port_t:tcp_socket name_bind;
+
+allow dictd_t devtty_t:chr_file rw_file_perms;
+
+allow dictd_t self:unix_stream_socket create_stream_socket_perms;
+
+can_network_server(dictd_t)
+can_ypbind(dictd_t)
+can_tcp_connect(userdomain, dictd_t)
+
+allow dictd_t fs_t:filesystem getattr;
diff --git a/mls/domains/program/dmesg.te b/mls/domains/program/dmesg.te
new file mode 100644
index 0000000..9f9392e
--- /dev/null
+++ b/mls/domains/program/dmesg.te
@@ -0,0 +1,29 @@
+#DESC dmesg - control kernel ring buffer
+#
+# Author:  Dan Walsh dwalsh@redhat.com
+#
+# X-Debian-Packages: util-linux
+
+#################################
+#
+# Rules for the dmesg_t domain.
+#
+# dmesg_exec_t is the type of the dmesg executable.
+#
+# while sysadm_t has the sys_admin capability there is no point in using
+# dmesg_t when run from sysadm_t, so we use nosysadm.
+#
+daemon_base_domain(dmesg, , `nosysadm')
+
+#
+# Rules used for dmesg
+#
+allow dmesg_t self:capability sys_admin;
+allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod };
+allow dmesg_t admin_tty_type:chr_file { getattr read write };
+allow dmesg_t sysadm_tty_device_t:chr_file ioctl;
+allow dmesg_t var_log_t:file { getattr write };
+read_locale(dmesg_t)
+
+# for when /usr is not mounted
+dontaudit dmesg_t file_t:dir search;
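Review bot: "allow dmesg_t var_log_t:file { getattr write };" grants write on every generic var_log_t file, not only on whichever log the buffer is redirected to at boot; since dmesg_t also holds sys_admin and syslog_mod (it can clear the ring buffer), consider a dedicated log type or at least a comment stating the one file this is for. The nosysadm reasoning in the header is correct and worth keeping as is.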
diff --git a/mls/domains/program/dmidecode.te b/mls/domains/program/dmidecode.te
new file mode 100644
index 0000000..05b93f7
--- /dev/null
+++ b/mls/domains/program/dmidecode.te
@@ -0,0 +1,22 @@
+#DESC dmidecode - decodes DMI data for x86/ia64 bioses 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+type dmidecode_t, domain, privmem;
+type dmidecode_exec_t, file_type, exec_type, sysadmfile;
+
+# Allow execution by the sysadm
+role sysadm_r types dmidecode_t;
+role system_r types dmidecode_t;
+domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
+
+uses_shlib(dmidecode_t)
+
+# Allow terminal access
+access_terminal(dmidecode_t, sysadm)
+
+# Allow dmidecode to read /dev/mem
+allow dmidecode_t memory_device_t:chr_file read;
+
+allow dmidecode_t self:capability sys_rawio;
diff --git a/mls/domains/program/dovecot.te b/mls/domains/program/dovecot.te
new file mode 100644
index 0000000..bd3873a
--- /dev/null
+++ b/mls/domains/program/dovecot.te
@@ -0,0 +1,75 @@
+#DESC Dovecot POP and IMAP servers
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
+
+#
+# Main dovecot daemon
+#
+daemon_domain(dovecot, `, privhome')
+etc_domain(dovecot);
+
+allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
+
+can_exec(dovecot_t, dovecot_exec_t)
+
+type dovecot_cert_t, file_type, sysadmfile;
+type dovecot_passwd_t, file_type, sysadmfile;
+type dovecot_spool_t, file_type, sysadmfile;
+
+allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:process setrlimit;
+can_network_tcp(dovecot_t)
+allow dovecot_t port_type:tcp_socket name_connect;
+can_ypbind(dovecot_t)
+allow dovecot_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
+can_unix_connect(dovecot_t, self)
+
+allow dovecot_t etc_t:file { getattr read };
+allow dovecot_t initrc_var_run_t:file getattr;
+allow dovecot_t bin_t:dir { getattr search };
+can_exec(dovecot_t, bin_t)
+
+allow dovecot_t pop_port_t:tcp_socket name_bind;
+allow dovecot_t urandom_device_t:chr_file { getattr read };
+allow dovecot_t cert_t:dir search;
+r_dir_file(dovecot_t, dovecot_cert_t)
+r_dir_file(dovecot_t, cert_t)
+
+allow dovecot_t { self proc_t }:file { getattr read };
+allow dovecot_t self:fifo_file rw_file_perms;
+
+can_kerberos(dovecot_t)
+
+allow dovecot_t tmp_t:dir search;
+rw_dir_create_file(dovecot_t, mail_spool_t)
+
+
+create_dir_file(dovecot_t, dovecot_spool_t)
+create_dir_file(mta_delivery_agent, dovecot_spool_t)
+allow dovecot_t mail_spool_t:lnk_file read;
+allow dovecot_t var_spool_t:dir { search };
+
+#
+# Dovecot auth daemon
+#
+daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
+can_ldap(dovecot_auth_t)
+can_ypbind(dovecot_auth_t)
+can_kerberos(dovecot_auth_t)
+can_resolve(dovecot_auth_t)
+allow dovecot_auth_t self:process { fork signal_perms };
+allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+allow dovecot_auth_t self:fifo_file rw_file_perms;
+allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
+allow dovecot_auth_t etc_t:file { getattr read };
+allow dovecot_auth_t { self proc_t }:file { getattr read };
+read_locale(dovecot_auth_t)
+read_sysctl(dovecot_auth_t)
+allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+dontaudit dovecot_auth_t selinux_config_t:dir search;
+allow dovecot_auth_t etc_runtime_t:file { getattr read };
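Review bot: "allow dovecot_t port_type:tcp_socket name_connect;" lets the main daemon connect to any labelled tcp port, even though the hunk otherwise grants targeted access where it is needed (can_kerberos for dovecot_t, can_ldap/can_kerberos/can_resolve for the dovecot_auth_t sub-domain, pop_port_t name_bind); drop the blanket name_connect or list the port types dovecot_t really contacts. Smaller points: "etc_domain(dovecot);" has a stray semicolon after the macro call that no other line in this file uses, and create_dir_file(mta_delivery_agent, dovecot_spool_t) hands every delivery agent full create/write on the dovecot spool, which is reasonable but should be commented as the intended delivery path rather than left unexplained.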
diff --git a/mls/domains/program/fetchmail.te b/mls/domains/program/fetchmail.te
new file mode 100644
index 0000000..225f08e
--- /dev/null
+++ b/mls/domains/program/fetchmail.te
@@ -0,0 +1,32 @@
+#DESC fetchmail - remote-mail retrieval utility
+#
+# Author: Greg Norris <haphazard@kc.rr.com>
+# X-Debian-Packages: fetchmail
+# Depends: mta.te
+#
+# Note: This policy is only required when running fetchmail in daemon mode.
+
+#################################
+#
+# Rules for the fetchmail_t domain.
+#
+daemon_domain(fetchmail);
+type fetchmail_etc_t, file_type, sysadmfile;
+type fetchmail_uidl_cache_t, file_type, sysadmfile;
+
+# misc. requirements
+allow fetchmail_t self:process setrlimit;
+
+# network-related goodies
+can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })
+can_network_udp(fetchmail_t, dns_port_t)
+allow fetchmail_t port_type:tcp_socket name_connect;
+
+allow fetchmail_t self:unix_dgram_socket create_socket_perms;
+allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
+
+# file access
+allow fetchmail_t etc_t:file r_file_perms;
+allow fetchmail_t fetchmail_etc_t:file r_file_perms;
+allow fetchmail_t mail_spool_t:dir search;
+file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file)
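Review bot: "allow fetchmail_t port_type:tcp_socket name_connect;" cancels the restriction that can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t }) establishes on the line above it, so fetchmail ends up able to connect to any labelled tcp port; use the same { dns_port_t pop_port_t smtp_port_t } set for name_connect. The "daemon_domain(fetchmail);" semicolon after the macro call is inconsistent with the other macro invocations in this patch and should go.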
diff --git a/mls/domains/program/fingerd.te b/mls/domains/program/fingerd.te
new file mode 100644
index 0000000..73fee16
--- /dev/null
+++ b/mls/domains/program/fingerd.te
@@ -0,0 +1,80 @@
+#DESC Fingerd - Finger daemon
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
+#
+
+#################################
+#
+# Rules for the fingerd_t domain.
+#
+# fingerd_exec_t is the type of the fingerd executable.
+#
+daemon_domain(fingerd)
+
+etcdir_domain(fingerd)
+
+allow fingerd_t etc_t:lnk_file read;
+allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
+
+log_domain(fingerd)
+system_crond_entry(fingerd_exec_t, fingerd_t)
+ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
+
+allow fingerd_t fingerd_port_t:tcp_socket name_bind;
+ifdef(`inetd.te', `
+allow inetd_t fingerd_port_t:tcp_socket name_bind;
+# can be run from inetd
+domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
+allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
+')
+ifdef(`tcpd.te', `
+domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
+')
+
+allow fingerd_t self:capability { setgid setuid };
+# for gzip from logrotate
+dontaudit fingerd_t self:capability fsetid;
+
+# cfingerd runs shell scripts
+allow fingerd_t { bin_t sbin_t }:dir search;
+allow fingerd_t bin_t:lnk_file read;
+can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
+allow fingerd_t devtty_t:chr_file { read write };
+
+allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
+
+# Use the network.
+can_network_server(fingerd_t)
+can_ypbind(fingerd_t)
+
+allow fingerd_t self:unix_dgram_socket create_socket_perms;
+allow fingerd_t self:unix_stream_socket create_socket_perms;
+allow fingerd_t self:fifo_file { read write getattr };
+
+# allow any user domain to connect to the finger server
+can_tcp_connect(userdomain, fingerd_t)
+
+# for .finger, .plan. etc
+allow fingerd_t { home_root_t user_home_dir_type }:dir search;
+# should really have a different type for .plan etc
+allow fingerd_t user_home_type:file { getattr read };
+# stop it accessing sub-directories, prevents checking a Maildir for new mail,
+# have to change this when we create a type for Maildir
+dontaudit fingerd_t user_home_t:dir search;
+
+# for mail
+allow fingerd_t { var_spool_t mail_spool_t }:dir search;
+allow fingerd_t mail_spool_t:file getattr;
+allow fingerd_t mail_spool_t:lnk_file read;
+
+# see who is logged in and when users last logged in
+allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
+dontaudit fingerd_t initrc_var_run_t:file lock;
+allow fingerd_t devpts_t:dir search;
+allow fingerd_t ptyfile:chr_file getattr;
+
+allow fingerd_t proc_t:file { read getattr };
+
+# for date command
+read_sysctl(fingerd_t)
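Review bot: "allow fingerd_t user_home_type:file { getattr read };" gives a network-reachable daemon read access to every file type under users' home directories, and the comment above it already concedes that .plan and friends should have their own type; treat that as something to fix before merging rather than a TODO, because the "dontaudit fingerd_t user_home_t:dir search;" only hides sub-directories and does nothing for top-level files. Lower priority: can_exec(fingerd_t, { shell_exec_t bin_t sbin_t }) for cfingerd scripts plus ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)') runs logrotate inside fingerd_t; if logrotate.te defines logrotate_t, a domain_auto_trans into it would keep the finger service from carrying log-rotation access.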
diff --git a/mls/domains/program/firstboot.te b/mls/domains/program/firstboot.te
new file mode 100644
index 0000000..e07bc43
--- /dev/null
+++ b/mls/domains/program/firstboot.te
@@ -0,0 +1,131 @@
+#DESC firstboot
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+# X-Debian-Packages: firstboot
+#
+
+#################################
+#
+# Rules for the firstboot_t domain.
+#
+# firstboot_exec_t is the type of the firstboot executable.
+#
+application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
+type firstboot_rw_t, file_type, sysadmfile;
+role system_r types firstboot_t;
+
+ifdef(`xserver.te', `
+domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
+')
+
+etc_domain(firstboot)
+
+allow firstboot_t proc_t:file r_file_perms;
+
+allow firstboot_t urandom_device_t:chr_file { getattr read };
+allow firstboot_t proc_t:file { getattr read write };
+
+domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
+file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
+
+can_exec_any(firstboot_t)
+ifdef(`useradd.te',`
+domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
+domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
+')
+allow firstboot_t etc_runtime_t:file { getattr read };
+
+r_dir_file(firstboot_t, etc_t)
+
+allow firstboot_t firstboot_rw_t:dir create_dir_perms;
+allow firstboot_t firstboot_rw_t:file create_file_perms;
+allow firstboot_t self:fifo_file { getattr read write };
+allow firstboot_t self:process { fork sigchld };
+allow firstboot_t self:unix_stream_socket { connect create };
+allow firstboot_t initrc_exec_t:file { getattr read };
+allow firstboot_t initrc_var_run_t:file r_file_perms;
+allow firstboot_t lib_t:file { getattr read };
+allow firstboot_t local_login_t:fd use;
+read_locale(firstboot_t)
+
+allow firstboot_t proc_t:dir search;
+allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
+allow firstboot_t usr_t:file r_file_perms;
+
+allow firstboot_t etc_t:file write;
+
+# Allow write to utmp file
+allow firstboot_t initrc_var_run_t:file write;
+
+ifdef(`samba.te', `
+rw_dir_file(firstboot_t, samba_etc_t)
+')
+
+dontaudit firstboot_t shadow_t:file getattr;
+
+role system_r types initrc_t;
+#role_transition firstboot_r initrc_exec_t system_r;
+domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
+
+allow firstboot_t self:passwd rootok;
+
+ifdef(`userhelper.te', `
+role system_r types sysadm_userhelper_t;
+domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
+ifdef(`consoletype.te', `
+allow consoletype_t devtty_t:chr_file { read write };
+allow consoletype_t etc_t:file { getattr read };
+allow consoletype_t firstboot_t:fd use;
+')
+
+allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
+
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:dir search;
+allow firstboot_t self:file { read write };
+allow firstboot_t self:lnk_file read;
+can_setfscreate(firstboot_t)
+allow firstboot_t krb5_conf_t:file rw_file_perms;
+
+allow firstboot_t modules_conf_t:file { getattr read };
+allow firstboot_t modules_dep_t:file { getattr read };
+allow firstboot_t modules_object_t:dir search;
+allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
+allow firstboot_t proc_t:lnk_file read;
+
+can_getsecurity(firstboot_t)
+
+dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
+read_sysctl(firstboot_t)
+
+allow firstboot_t var_run_t:dir getattr;
+allow firstboot_t var_t:dir getattr;
+ifdef(`hostname.te', `
+allow hostname_t devtty_t:chr_file { read write };
+allow hostname_t firstboot_t:fd use;
+')
+ifdef(`iptables.te', `
+allow iptables_t devtty_t:chr_file { read write };
+allow iptables_t firstboot_t:fd use;
+allow iptables_t firstboot_t:fifo_file write;
+')
+can_network_server(firstboot_t)
+can_ypbind(firstboot_t)
+ifdef(`printconf.te', `
+can_exec(firstboot_t, printconf_t)
+')
+create_dir_file(firstboot_t, var_t)
+# Add/remove user home directories
+file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
+file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
+
+#
+# The big hammer
+#
+unconfined_domain(firstboot_t) 
+ifdef(`targeted_policy', `
+allow firstboot_t unconfined_t:process transition;
+')
+
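Review bot: unconfined_domain(firstboot_t) under "# The big hammer" at the end of the hunk makes every targeted rule above it redundant and silently overrides "dontaudit firstboot_t shadow_t:file getattr;" (an unconfined domain is allowed that anyway); in an MLS tree an unconfined domain reachable from initrc_t via domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t) is a full escape from the policy and needs a comment on when firstboot runs and how it is disabled afterwards. Pick one approach: keep the enumerated rules and drop unconfined_domain, or keep unconfined_domain and delete the hundred lines that no longer matter. Also "role system_r types initrc_t;" in the middle of the file re-declares something presumably already provided by initrc.te, and the commented-out "#role_transition firstboot_r initrc_exec_t system_r;" should be removed rather than left as dead text.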
diff --git a/mls/domains/program/fs_daemon.te b/mls/domains/program/fs_daemon.te
new file mode 100644
index 0000000..05c98a9
--- /dev/null
+++ b/mls/domains/program/fs_daemon.te
@@ -0,0 +1,28 @@
+#DESC file system daemons
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: smartmontools
+
+daemon_domain(fsdaemon, `, fs_domain, privmail')
+allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
+allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
+
+# for config
+allow fsdaemon_t etc_t:file { getattr read };
+
+allow fsdaemon_t device_t:dir read;
+allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
+allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
+allow fsdaemon_t etc_runtime_t:file { getattr read };
+
+allow fsdaemon_t proc_mdstat_t:file { getattr read };
+
+can_exec_any(fsdaemon_t)
+allow fsdaemon_t self:fifo_file rw_file_perms;
+can_network_udp(fsdaemon_t)
+tmp_domain(fsdaemon)
+allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read };
+
+dontaudit fsdaemon_t devpts_t:dir search;
+allow fsdaemon_t proc_t:file { getattr read };
+dontaudit system_mail_t fixed_disk_device_t:blk_file read;
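Review bot: can_exec_any(fsdaemon_t) combined with "allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;" and "self:capability { setgid sys_rawio sys_admin }" means any program smartd is configured to run executes with raw write access to the disks; narrow it to the types the notification scripts need (bin_t, shell_exec_t) or at least comment that user-configured scripts are the reason. Also "dontaudit system_mail_t fixed_disk_device_t:blk_file read;" suggests the mailer inherits an open disk descriptor from fsdaemon_t; closing it before the exec would remove the need for that dontaudit.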
diff --git a/mls/domains/program/fsadm.te b/mls/domains/program/fsadm.te
new file mode 100644
index 0000000..0bfbb68
--- /dev/null
+++ b/mls/domains/program/fsadm.te
@@ -0,0 +1,123 @@
+#DESC Fsadm - Disk and file system administration
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
+#
+
+#################################
+#
+# Rules for the fsadm_t domain.
+#
+# fsadm_t is the domain for disk and file system
+# administration.
+# fsadm_exec_t is the type of the corresponding programs.
+#
+type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
+role system_r types fsadm_t;
+role sysadm_r types fsadm_t;
+
+general_domain_access(fsadm_t)
+
+# for swapon
+r_dir_file(fsadm_t, sysfs_t)
+
+# Read system information files in /proc.
+r_dir_file(fsadm_t, proc_t)
+
+# Read system variables in /proc/sys
+read_sysctl(fsadm_t)
+
+# for /dev/shm
+allow fsadm_t tmpfs_t:dir { getattr search };
+allow fsadm_t tmpfs_t:file { read write };
+
+base_file_read_access(fsadm_t)
+
+# Read /etc.
+r_dir_file(fsadm_t, etc_t)
+
+# Read module-related files.
+allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
+
+# Read /dev directories and any symbolic links.
+allow fsadm_t device_t:dir r_dir_perms;
+allow fsadm_t device_t:lnk_file r_file_perms;
+
+uses_shlib(fsadm_t)
+
+type fsadm_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
+')
+tmp_domain(fsadm)
+
+# remount file system to apply changes
+allow fsadm_t fs_t:filesystem remount;
+
+allow fsadm_t fs_t:filesystem getattr;
+
+# mkreiserfs needs this
+allow fsadm_t proc_t:filesystem getattr;
+
+# mkreiserfs and other programs need this for UUID
+allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
+
+# Use capabilities.  ipc_lock is for losetup
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
+
+# Write to /etc/mtab.
+file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
+
+# Inherit and use descriptors from init.
+allow fsadm_t init_t:fd use;
+
+# Run other fs admin programs in the fsadm_t domain.
+can_exec(fsadm_t, fsadm_exec_t)
+
+# Access disk devices.
+allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
+allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
+allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
+
+# Access lost+found.
+allow fsadm_t lost_found_t:dir create_dir_perms;
+allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
+allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
+
+allow fsadm_t file_t:dir { search read getattr rmdir create };
+
+# Recreate /mnt/cdrom. 
+allow fsadm_t mnt_t:dir { search read getattr rmdir create };
+
+# Recreate /dev/cdrom.
+allow fsadm_t device_t:dir rw_dir_perms;
+allow fsadm_t device_t:lnk_file { unlink create };
+
+# Enable swapping to devices and files
+allow fsadm_t swapfile_t:file { getattr swapon };
+allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
+
+# Allow console log change (updfstab)
+allow fsadm_t kernel_t:system syslog_console;
+
+# Access terminals.
+can_access_pty(fsadm_t, initrc)
+allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
+allow fsadm_t privfd:fd use;
+
+read_locale(fsadm_t)
+
+# for smartctl cron jobs
+system_crond_entry(fsadm_exec_t, fsadm_t)
+
+# Access to /initrd devices
+allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
+allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
+allow fsadm_t usbfs_t:dir { getattr search };
+allow fsadm_t ramfs_t:fifo_file rw_file_perms;
+allow fsadm_t device_type:chr_file getattr;
+
+# for tune2fs
+allow fsadm_t file_type:dir { getattr search };
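Review bot: the rw_dir_perms and blk_file rw_file_perms granted under "# Access to /initrd devices" ('allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;' and 'allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;') are wider than the comment implies, because unlabeled_t covers anything the policy has no label for, not only initrd nodes, so fsadm_t gets write access to block devices on any unlabeled filesystem. If the access is only needed during initrd boot, narrow it to file_t or state why unlabeled_t must be writable; the uncommented 'allow fsadm_t file_t:dir { search read getattr rmdir create };' earlier in the hunk also deserves a justifying comment like its neighbours have.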
diff --git a/mls/domains/program/ftpd.te b/mls/domains/program/ftpd.te
new file mode 100644
index 0000000..b20252b
--- /dev/null
+++ b/mls/domains/program/ftpd.te
@@ -0,0 +1,116 @@
+#DESC Ftpd - Ftp daemon
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
+#
+
+#################################
+#
+# Rules for the ftpd_t domain 
+#
+daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
+etc_domain(ftpd)
+
+can_network(ftpd_t)
+allow ftpd_t port_type:tcp_socket name_connect;
+allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow ftpd_t self:unix_stream_socket create_socket_perms;
+allow ftpd_t self:process { getcap setcap setsched setrlimit };
+allow ftpd_t self:fifo_file rw_file_perms;
+
+allow ftpd_t bin_t:dir search;
+can_exec(ftpd_t, bin_t)
+allow ftpd_t bin_t:lnk_file read;
+read_sysctl(ftpd_t)
+
+allow ftpd_t urandom_device_t:chr_file { getattr read };
+
+ifdef(`crond.te', `
+system_crond_entry(ftpd_exec_t, ftpd_t)
+allow system_crond_t xferlog_t:file r_file_perms;
+can_exec(ftpd_t, { sbin_t shell_exec_t })
+allow ftpd_t usr_t:file { getattr read };
+ifdef(`logrotate.te', `
+can_exec(ftpd_t, logrotate_exec_t)
+')dnl end if logrotate.te
+')dnl end if crond.te
+
+allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
+allow ftpd_t port_t:tcp_socket name_bind;
+
+# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
+type ftpd_lock_t, file_type, sysadmfile, lockfile;
+
+# Allow ftpd to run directly without inetd.
+bool ftpd_is_daemon false;
+if (ftpd_is_daemon) {
+file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
+allow ftpd_t ftp_port_t:tcp_socket name_bind;
+can_tcp_connect(userdomain, ftpd_t)
+# Allows it to check exec privs on daemon
+allow inetd_t ftpd_exec_t:file x_file_perms;
+}
+ifdef(`inetd.te', `
+if (!ftpd_is_daemon) {
+ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
+domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
+
+# Use sockets inherited from inetd.
+allow ftpd_t inetd_t:fd use;
+allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
+
+# Send SIGCHLD to inetd on death.
+allow ftpd_t inetd_t:process sigchld;
+}
+') dnl end inetd.te
+
+# Access shared memory tmpfs instance.
+tmpfs_domain(ftpd)
+
+# Use capabilities.
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
+
+# Append to /var/log/wtmp.
+allow ftpd_t wtmp_t:file { getattr append };
+#kerberized ftp requires the following
+allow ftpd_t wtmp_t:file { write lock };
+
+# Create and modify /var/log/xferlog.
+type xferlog_t, file_type, sysadmfile, logfile;
+file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
+
+# Execute /bin/ls (can comment this out for proftpd)
+# also may need rules to allow tar etc...
+can_exec(ftpd_t, ls_exec_t)
+
+allow initrc_t ftpd_etc_t:file { getattr read };
+allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
+allow ftpd_t proc_t:file { getattr read };
+
+dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
+dontaudit ftpd_t selinux_config_t:dir search;
+allow ftpd_t autofs_t:dir search;
+allow ftpd_t self:file { getattr read };
+tmp_domain(ftpd)
+
+# Allow ftp to read/write files in the user home directories.
+bool ftp_home_dir false;
+
+if (ftp_home_dir) {
+# allow access to /home
+allow ftpd_t home_root_t:dir r_dir_perms;
+create_dir_file(ftpd_t, home_type)
+ifdef(`targeted_policy', `
+file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
+')
+}
+if (use_nfs_home_dirs && ftp_home_dir) {
+	r_dir_file(ftpd_t, nfs_t)
+}
+if (use_samba_home_dirs && ftp_home_dir) {
+	r_dir_file(ftpd_t, cifs_t)
+}
+dontaudit ftpd_t selinux_config_t:dir search;
+anonymous_domain(ftpd)
+
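Review bot: 'dontaudit ftpd_t selinux_config_t:dir search;' appears twice in this file (once after the sysadm_home_dir_t dontaudit and again just before anonymous_domain(ftpd)); drop one copy. Also worth a comment: 'allow ftpd_t port_type:tcp_socket name_connect;' lets the daemon connect to every labelled port, which is far wider than the ftp_data_port_t it binds for data connections, so either narrow it or say why the full port_type set is required.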
diff --git a/mls/domains/program/getty.te b/mls/domains/program/getty.te
new file mode 100644
index 0000000..8101b49
--- /dev/null
+++ b/mls/domains/program/getty.te
@@ -0,0 +1,61 @@
+#DESC Getty - Manage ttys
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
+#
+
+#################################
+#
+# Rules for the getty_t domain.
+#
+init_service_domain(getty, `, privfd, privmail, mlsfileread, mlsfilewrite')
+
+etcdir_domain(getty)
+
+allow getty_t console_device_t:chr_file setattr;
+
+tmp_domain(getty)
+log_domain(getty)
+
+allow getty_t { etc_t etc_runtime_t }:file { getattr read };
+allow getty_t etc_t:lnk_file read;
+allow getty_t self:process { getpgid getsession };
+allow getty_t self:unix_dgram_socket create_socket_perms;
+allow getty_t self:unix_stream_socket create_socket_perms;
+
+# Use capabilities.
+allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
+
+read_locale(getty_t)
+
+# Run login in local_login_t domain.
+allow getty_t { sbin_t bin_t }:dir search;
+domain_auto_trans(getty_t, login_exec_t, local_login_t)
+
+# Write to /var/run/utmp.
+allow getty_t { var_t var_run_t }:dir search;
+allow getty_t initrc_var_run_t:file rw_file_perms;
+
+# Write to /var/log/wtmp.
+allow getty_t wtmp_t:file rw_file_perms;
+
+# Chown, chmod, read and write ttys.
+allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
+allow getty_t ttyfile:chr_file { setattr rw_file_perms };
+dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms; 
+
+# for error condition handling
+allow getty_t fs_t:filesystem getattr;
+
+lock_domain(getty)
+r_dir_file(getty_t, sysfs_t)
+# for mgetty
+var_run_domain(getty)
+allow getty_t self:capability { fowner fsetid };
+
+#
+# getty needs to be able to run pppd
+#
+ifdef(`pppd.te', `
+domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
+')
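Review bot: the capability grants for getty_t are split between 'allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };' under "# Use capabilities." and a second 'allow getty_t self:capability { fowner fsetid };' under "# for mgetty" near the end; merging them, or at least explaining in the mgetty comment which operation needs fowner and fsetid, would make the domain's full capability set visible in one place.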
diff --git a/mls/domains/program/gpg-agent.te b/mls/domains/program/gpg-agent.te
new file mode 100644
index 0000000..2942c6c
--- /dev/null
+++ b/mls/domains/program/gpg-agent.te
@@ -0,0 +1,13 @@
+#DESC gpg-agent - agent to securely store gpg-keys
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+#
+
+# Type for the gpg-agent executable.
+type gpg_agent_exec_t, file_type, exec_type, sysadmfile;
+
+# type for the pinentry executable
+type pinentry_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in the gpg_agent_domain macro in
+# macros/program/gpg_agent_macros.te.
diff --git a/mls/domains/program/gpg.te b/mls/domains/program/gpg.te
new file mode 100644
index 0000000..b9cadb5
--- /dev/null
+++ b/mls/domains/program/gpg.te
@@ -0,0 +1,15 @@
+#DESC GPG - Gnu Privacy Guard (PGP replacement)
+#
+# Authors:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: gnupg
+#
+
+# Type for gpg or pgp executables.
+type gpg_exec_t, file_type, sysadmfile, exec_type;
+type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
+
+allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
+allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
+
+# Everything else is in the gpg_domain macro in
+# macros/program/gpg_macros.te.
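Review bot: the two rules on sysadm_gpg_t ('allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;' and the ptyfile rule) reference a type this file never declares; it only exists if the gpg_domain macro named in the closing comment is instantiated for the sysadm user elsewhere. A comment recording that dependency, or an ifdef guard like the other files use, would prevent a build break if that instantiation is removed. Minor: "Gnu" in the #DESC line should be "GNU".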
diff --git a/mls/domains/program/gpm.te b/mls/domains/program/gpm.te
new file mode 100644
index 0000000..ff81d69
--- /dev/null
+++ b/mls/domains/program/gpm.te
@@ -0,0 +1,45 @@
+#DESC Gpm - General Purpose Mouse driver
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: gpm
+#
+
+#################################
+#
+# Rules for the gpm_t domain.
+#
+# gpm_t is the domain of the console mouse server.
+# gpm_exec_t is the type of the console mouse server program.
+# gpmctl_t is the type of the Unix domain socket or pipe created
+# by the console mouse server.
+#
+daemon_domain(gpm)
+
+type gpmctl_t, file_type, sysadmfile, dev_fs;
+
+tmp_domain(gpm)
+
+# Allow to read the /etc/gpm/ conf files
+type gpm_conf_t, file_type, sysadmfile;
+r_dir_file(gpm_t, gpm_conf_t)
+
+# Use capabilities.
+allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
+
+# Create and bind to /dev/gpmctl.
+file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file })
+allow gpm_t gpmctl_t:unix_stream_socket name_bind;
+allow gpm_t self:unix_dgram_socket create_socket_perms;
+allow gpm_t self:unix_stream_socket create_stream_socket_perms;
+
+# Read and write ttys.
+allow gpm_t tty_device_t:chr_file rw_file_perms;
+
+# Access the mouse.
+allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
+allow gpm_t device_t:lnk_file { getattr read };
+
+read_locale(gpm_t)
+
+allow initrc_t gpmctl_t:sock_file setattr;
+
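Review bot: the sys_admin capability in 'allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };' is the broadest capability in the set and is granted with no comment saying which gpm operation needs it; either document that operation or drop sys_admin and confirm in permissive mode that no denial appears, since a console mouse daemon is not an obvious holder of it.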
diff --git a/mls/domains/program/hald.te b/mls/domains/program/hald.te
new file mode 100644
index 0000000..a51709a
--- /dev/null
+++ b/mls/domains/program/hald.te
@@ -0,0 +1,104 @@
+#DESC hald - server for device info
+#
+# Author:  Russell Coker <rcoker@redhat.com>
+# X-Debian-Packages: 
+#
+
+#################################
+#
+# Rules for the hald_t domain.
+#
+# hald_exec_t is the type of the hald executable.
+#
+daemon_domain(hald, `, fs_domain, nscd_client_domain')
+
+can_exec_any(hald_t)
+
+allow hald_t { etc_t etc_runtime_t }:file { getattr read };
+allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow hald_t self:unix_dgram_socket create_socket_perms;
+
+ifdef(`dbusd.te', `
+allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
+dbusd_client(system, hald)
+allow hald_t self:dbus send_msg;
+')
+
+allow hald_t self:file { getattr read };
+allow hald_t proc_t:file rw_file_perms;
+
+allow hald_t { bin_t sbin_t }:dir search;
+allow hald_t self:fifo_file rw_file_perms;
+allow hald_t usr_t:file { getattr read };
+allow hald_t bin_t:file getattr;
+
+# For backwards compatibility with older kernels
+allow hald_t self:netlink_socket create_socket_perms;
+
+allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
+can_network_server(hald_t)
+can_ypbind(hald_t)
+
+allow hald_t device_t:lnk_file read;
+allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
+allow hald_t removable_device_t:blk_file write;
+allow hald_t event_device_t:chr_file { getattr read ioctl };
+allow hald_t printer_device_t:chr_file rw_file_perms;
+allow hald_t urandom_device_t:chr_file read;
+allow hald_t mouse_device_t:chr_file r_file_perms;
+allow hald_t device_type:chr_file getattr;
+
+can_getsecurity(hald_t)
+
+ifdef(`updfstab.te', `
+domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
+allow updfstab_t hald_t:dbus send_msg;
+allow hald_t updfstab_t:dbus send_msg;
+')
+ifdef(`udev.te', `
+domain_auto_trans(hald_t, udev_exec_t, udev_t)
+allow udev_t hald_t:unix_dgram_socket sendto;
+allow hald_t udev_tbl_t:file { getattr read };
+')
+
+ifdef(`hotplug.te', `
+r_dir_file(hald_t, hotplug_etc_t)
+')
+allow hald_t fs_type:dir { search getattr };
+allow hald_t usbfs_t:dir r_dir_perms;
+allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
+allow hald_t bin_t:lnk_file read;
+r_dir_file(hald_t, { selinux_config_t default_context_t } )
+allow hald_t initrc_t:dbus send_msg;
+allow initrc_t hald_t:dbus send_msg;
+allow hald_t etc_runtime_t:file rw_file_perms;
+allow hald_t var_lib_t:dir search;
+allow hald_t device_t:dir create_dir_perms;
+allow hald_t device_t:chr_file create_file_perms;
+tmp_domain(hald)
+allow hald_t mnt_t:dir search;
+r_dir_file(hald_t, proc_net_t)
+
+# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
+ifdef(`apmd.te', `
+allow hald_t apmd_var_run_t:sock_file write;
+allow hald_t apmd_t:unix_stream_socket connectto;
+')
+
+# For /usr/libexec/hald-probe-smbios
+domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
+
+# ??
+ifdef(`lvm.te', `
+allow hald_t lvm_control_t:chr_file r_file_perms;
+')
+ifdef(`targeted_policy', `
+allow unconfined_t hald_t:dbus send_msg;
+allow hald_t unconfined_t:dbus send_msg;
+')
+ifdef(`mount.te', `
+domain_auto_trans(hald_t, mount_exec_t, mount_t)
+')
+r_dir_file(hald_t, hwdata_t)
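Review bot: the "# ??" comment above 'allow hald_t lvm_control_t:chr_file r_file_perms;' marks an access nobody could justify when it was added; replace it with the reason hald reads the LVM control device or remove the rule. More broadly, can_exec_any(hald_t) together with 'allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };' and create_file_perms on device_t:chr_file lets this daemon run any executable and create device nodes, so a short comment per grant would make the intended minimum privilege reviewable. The X-Debian-Packages header is also left empty.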
diff --git a/mls/domains/program/hostname.te b/mls/domains/program/hostname.te
new file mode 100644
index 0000000..2138baf
--- /dev/null
+++ b/mls/domains/program/hostname.te
@@ -0,0 +1,28 @@
+#DESC hostname - show or set the system host name
+#
+# Author: Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: hostname
+
+# for setting the hostname
+daemon_core_rules(hostname, , nosysadm)
+allow hostname_t self:capability sys_admin;
+allow hostname_t etc_t:file { getattr read };
+
+allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
+read_locale(hostname_t)
+can_resolve(hostname_t)
+allow hostname_t userdomain:fd use;
+dontaudit hostname_t kernel_t:fd use;
+allow hostname_t net_conf_t:file { getattr read };
+allow hostname_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit hostname_t var_t:dir search;
+allow hostname_t fs_t:filesystem getattr;
+
+# for when /usr is not mounted
+dontaudit hostname_t file_t:dir search;
+
+ifdef(`distro_redhat', `
+allow hostname_t tmpfs_t:chr_file rw_file_perms;
+')
+can_access_pty(hostname_t, initrc)
+allow hostname_t initrc_t:fd use;
diff --git a/mls/domains/program/hotplug.te b/mls/domains/program/hotplug.te
new file mode 100644
index 0000000..d966b4b
--- /dev/null
+++ b/mls/domains/program/hotplug.te
@@ -0,0 +1,160 @@
+#DESC Hotplug - Hardware event manager
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: hotplug
+#
+
+#################################
+#
+# Rules for the hotplug_t domain.
+#
+# hotplug_exec_t is the type of the hotplug executable.
+#
+ifdef(`unlimitedUtils', `
+daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, privmail, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
+', `
+daemon_domain(hotplug, `, privmodule, privmail, nscd_client_domain')
+')
+
+etcdir_domain(hotplug)
+
+allow hotplug_t self:fifo_file { read write getattr ioctl };
+allow hotplug_t self:unix_dgram_socket create_socket_perms;
+allow hotplug_t self:unix_stream_socket create_socket_perms;
+allow hotplug_t self:udp_socket create_socket_perms;
+
+read_sysctl(hotplug_t)
+allow hotplug_t sysctl_net_t:dir r_dir_perms;
+allow hotplug_t sysctl_net_t:file { getattr read };
+
+# get info from /proc
+r_dir_file(hotplug_t, proc_t)
+allow hotplug_t self:file { getattr read ioctl };
+
+allow hotplug_t devtty_t:chr_file rw_file_perms;
+
+allow hotplug_t device_t:dir r_dir_perms;
+
+# for SSP
+allow hotplug_t urandom_device_t:chr_file read;
+
+allow hotplug_t { bin_t sbin_t }:dir search;
+allow hotplug_t { bin_t sbin_t }:lnk_file read;
+can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
+ifdef(`hostname.te', `
+can_exec(hotplug_t, hostname_exec_t)
+dontaudit hostname_t hotplug_t:fd use;
+')
+ifdef(`netutils.te', `
+ifdef(`distro_redhat', `
+# for arping used for static IP addresses on PCMCIA ethernet
+domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
+
+allow hotplug_t tmpfs_t:dir search;
+allow hotplug_t tmpfs_t:chr_file rw_file_perms;
+')dnl end if distro_redhat
+')dnl end if netutils.te
+
+allow initrc_t usbdevfs_t:file { getattr read ioctl };
+allow initrc_t modules_dep_t:file { getattr read ioctl };
+r_dir_file(hotplug_t, usbdevfs_t)
+allow hotplug_t usbfs_t:dir r_dir_perms;
+allow hotplug_t usbfs_t:file { getattr read };
+
+# read config files
+allow hotplug_t etc_t:dir r_dir_perms;
+allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
+
+allow hotplug_t kernel_t:process { sigchld setpgid };
+
+ifdef(`distro_redhat', `
+allow hotplug_t var_lock_t:dir search;
+allow hotplug_t var_lock_t:file getattr;
+')
+
+ifdef(`hald.te', `
+allow hotplug_t hald_t:unix_dgram_socket sendto;
+allow hald_t hotplug_etc_t:dir search;
+allow hald_t hotplug_etc_t:file { getattr read };
+')
+
+# for killall
+allow hotplug_t self:process { getsession getattr };
+allow hotplug_t self:file getattr;
+
+domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
+ifdef(`mount.te', `
+domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
+')
+domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
+ifdef(`updfstab.te', `
+domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
+')
+
+# init scripts run /etc/hotplug/usb.rc
+domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
+allow initrc_t hotplug_etc_t:dir r_dir_perms;
+
+ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
+
+r_dir_file(hotplug_t, modules_object_t)
+allow hotplug_t modules_dep_t:file { getattr read ioctl };
+
+# for lsmod
+dontaudit hotplug_t self:capability { sys_module sys_admin };
+
+# for access("/etc/bashrc", X_OK) on Red Hat
+dontaudit hotplug_t self:capability { dac_override dac_read_search };
+
+ifdef(`fsadm.te', `
+domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
+')
+
+allow hotplug_t var_log_t:dir search;
+
+# for ps
+dontaudit hotplug_t domain:dir { getattr search };
+dontaudit hotplug_t { init_t kernel_t }:file read;
+ifdef(`initrc.te', `
+can_ps(hotplug_t, initrc_t)
+')
+
+# for when filesystems are not mounted early in the boot
+dontaudit hotplug_t file_t:dir { search getattr };
+
+# kernel threads inherit from shared descriptor table used by init
+dontaudit hotplug_t initctl_t:fifo_file { read write };
+
+# Read /usr/lib/gconv/.*
+allow hotplug_t lib_t:file { getattr read };
+
+allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
+allow hotplug_t sysfs_t:dir { getattr read search write };
+allow hotplug_t sysfs_t:file rw_file_perms;
+allow hotplug_t sysfs_t:lnk_file { getattr read };
+r_dir_file(hotplug_t, hwdata_t)
+allow hotplug_t udev_runtime_t:file rw_file_perms;
+ifdef(`lpd.te', `
+allow hotplug_t printer_device_t:chr_file setattr;
+')
+allow hotplug_t fixed_disk_device_t:blk_file setattr;
+allow hotplug_t removable_device_t:blk_file setattr;
+allow hotplug_t sound_device_t:chr_file setattr;
+
+ifdef(`udev.te', `
+domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
+')
+
+file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
+
+can_network_server(hotplug_t)
+can_ypbind(hotplug_t)
+dbusd_client(system, hotplug)
+
+# Allow hotplug (including /sbin/ifup-local) to start/stop services
+domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
+
+allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
+allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
+
+dontaudit hotplug_t selinux_config_t:dir search;
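Review bot: 'can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })' includes etc_t, which makes every file labelled etc_t executable by a domain the kernel enters on device events; if only the agent scripts need to run, hotplug_etc_t already covers them and etc_t should be dropped or the reason stated. The unlimitedUtils branch of daemon_domain(hotplug, ...) hands the domain attributes such as admin, domain and privmem with no comment on when that build option is appropriate, and the two rules just after the netutils block ('allow initrc_t usbdevfs_t:file { getattr read ioctl };' and 'allow initrc_t modules_dep_t:file { getattr read ioctl };') grant initrc_t rather than hotplug_t and would be easier to find in initrc.te.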
diff --git a/mls/domains/program/howl.te b/mls/domains/program/howl.te
new file mode 100644
index 0000000..ccb2fb1
--- /dev/null
+++ b/mls/domains/program/howl.te
@@ -0,0 +1,21 @@
+#DESC howl - port of Apple Rendezvous multicast DNS
+#
+# Author:  Russell Coker <rcoker@redhat.com>
+#
+
+daemon_domain(howl, `, privsysmod')
+r_dir_file(howl_t, proc_net_t)
+can_network_server(howl_t)
+can_ypbind(howl_t)
+allow howl_t self:unix_dgram_socket create_socket_perms;
+allow howl_t self:capability { kill net_admin sys_module };
+
+allow howl_t self:fifo_file rw_file_perms;
+
+allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
+
+allow howl_t self:unix_dgram_socket create_socket_perms;
+
+allow howl_t etc_t:file { getattr read };
+allow howl_t initrc_var_run_t:file rw_file_perms;
+
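Review bot: 'allow howl_t self:unix_dgram_socket create_socket_perms;' is declared twice in this file; remove the second copy. The capability set '{ kill net_admin sys_module }' together with privsysmod is unusually wide for a multicast DNS responder, and no comment explains which operation needs module loading or kill; documenting that, or confirming that a denial actually occurs without it, would keep the domain minimal.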
diff --git a/mls/domains/program/hwclock.te b/mls/domains/program/hwclock.te
new file mode 100644
index 0000000..e8beb31
--- /dev/null
+++ b/mls/domains/program/hwclock.te
@@ -0,0 +1,50 @@
+#DESC Hwclock - Hardware clock manager
+#
+# Author:  David A. Wheeler <dwheeler@ida.org>
+#          Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: util-linux
+#
+
+#################################
+#
+# Rules for the hwclock_t domain.
+# This domain moves time information between the "hardware clock"
+# (which runs when the system is off) and the "system clock",
+# and it stores adjustment values in /etc/adjtime so that errors in the
+# hardware clock are corrected.
+# Note that any errors from this domain are NOT recorded by the system logger,
+# because the system logger isnt running when this domain is active.
+#
+daemon_base_domain(hwclock)
+role sysadm_r types hwclock_t;
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
+')
+type adjtime_t, file_type, sysadmfile;
+
+allow hwclock_t fs_t:filesystem getattr;
+
+read_locale(hwclock_t)
+
+# Give hwclock the capabilities it requires.  dac_override is a surprise,
+# but hwclock does require it.
+allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
+
+# Allow hwclock to set the hardware clock.
+allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
+
+# Allow hwclock to store & retrieve correction factors.
+allow hwclock_t adjtime_t:file { setattr rw_file_perms };
+
+# Read and write console and ttys.
+allow hwclock_t tty_device_t:chr_file rw_file_perms;
+allow hwclock_t ttyfile:chr_file rw_file_perms;
+allow hwclock_t ptyfile:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
+
+read_locale(hwclock_t)
+
+# for when /usr is not mounted
+dontaudit hwclock_t file_t:dir search;
+allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+r_dir_file(hwclock_t, etc_t)
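Review bot: read_locale(hwclock_t) is invoked twice (once after the fs_t getattr rule and again after the gnome-pty-helper ifdef); drop one. Minor: "isnt" in the header comment should read "isn't", and the comment on dac_override ("a surprise, but hwclock does require it") would be more useful if it named the access that triggers the requirement, since that is what a later reviewer will want to re-verify.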
diff --git a/mls/domains/program/i18n_input.te b/mls/domains/program/i18n_input.te
new file mode 100644
index 0000000..cdff6ca
--- /dev/null
+++ b/mls/domains/program/i18n_input.te
@@ -0,0 +1,33 @@
+# i18n_input.te
+# Security Policy for IIIMF htt server
+# Date: 2004, 12th April (Monday)
+
+# Establish i18n_input as a daemon
+daemon_domain(i18n_input)
+
+can_exec(i18n_input_t, i18n_input_exec_t)
+can_network(i18n_input_t)
+allow i18n_input_t port_type:tcp_socket name_connect;
+can_ypbind(i18n_input_t)
+
+can_tcp_connect(userdomain, i18n_input_t)
+can_unix_connect(i18n_input_t, initrc_t)
+
+allow i18n_input_t self:fifo_file rw_file_perms;
+allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
+
+allow i18n_input_t self:capability { kill setgid setuid };
+allow i18n_input_t self:process { setsched setpgid };
+
+allow i18n_input_t { bin_t sbin_t }:dir search;
+can_exec(i18n_input_t, bin_t)
+
+allow i18n_input_t etc_t:file r_file_perms;
+allow i18n_input_t self:unix_dgram_socket create_socket_perms;
+allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
+allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
+allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
+allow i18n_input_t usr_t:file { getattr read };
+allow i18n_input_t home_root_t:dir search;
+allow i18n_input_t etc_runtime_t:file { getattr read };
+allow i18n_input_t proc_t:file { getattr read };
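Review bot: this file lacks the '#DESC ...' description line, the Author line and the X-Debian-Packages line that every other domain file in this patch carries; the existing "# Security Policy for IIIMF htt server" comment should become the standard header so tooling that scans for #DESC picks it up. Also, 'allow i18n_input_t port_type:tcp_socket name_connect;' permits outbound connections to every labelled port; a comment on why an input-method server needs that, or a narrower port type, would help.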
diff --git a/mls/domains/program/ifconfig.te b/mls/domains/program/ifconfig.te
new file mode 100644
index 0000000..6cccc32
--- /dev/null
+++ b/mls/domains/program/ifconfig.te
@@ -0,0 +1,74 @@
+#DESC Ifconfig - Configure network interfaces
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: net-tools
+#
+
+#################################
+#
+# Rules for the ifconfig_t domain.
+#
+# ifconfig_t is the domain for the ifconfig program.
+# ifconfig_exec_t is the type of the corresponding program.
+#
+type ifconfig_t, domain, privlog, privmodule;
+type ifconfig_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types ifconfig_t;
+role sysadm_r types ifconfig_t;
+
+uses_shlib(ifconfig_t)
+general_domain_access(ifconfig_t)
+
+domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
+')
+
+# for /sbin/ip
+allow ifconfig_t self:packet_socket create_socket_perms;
+allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
+allow ifconfig_t self:tcp_socket { create ioctl };
+allow ifconfig_t etc_t:file { getattr read };
+
+allow ifconfig_t self:socket create_socket_perms;
+
+# Use capabilities.
+allow ifconfig_t self:capability { net_raw net_admin };
+dontaudit ifconfig_t self:capability sys_module;
+allow ifconfig_t self:capability sys_tty_config;
+
+# Inherit and use descriptors from init.
+allow ifconfig_t { kernel_t init_t }:fd use;
+
+# Access /proc
+r_dir_file(ifconfig_t, proc_t)
+r_dir_file(ifconfig_t, proc_net_t)
+
+allow ifconfig_t privfd:fd use;
+allow ifconfig_t run_init_t:fd use;
+
+# Create UDP sockets, necessary when called from dhcpc
+allow ifconfig_t self:udp_socket create_socket_perms;
+
+# Access terminals.
+can_access_pty(ifconfig_t, initrc)
+allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
+
+allow ifconfig_t tun_tap_device_t:chr_file { read write };
+
+# ifconfig attempts to search some sysctl entries.
+# Do not audit those attempts; comment out these rules if it is desired to
+# see the denials.
+allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
+
+allow ifconfig_t fs_t:filesystem getattr;
+
+read_locale(ifconfig_t)
+allow ifconfig_t lib_t:file { getattr read };
+
+rhgb_domain(ifconfig_t)
+allow ifconfig_t userdomain:fd use;
+dontaudit ifconfig_t root_t:file read;
+r_dir_file(ifconfig_t, sysfs_t)
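Review bot: the comment "Do not audit those attempts; comment out these rules if it is desired to see the denials" does not match the rule beneath it, which is 'allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;' rather than a dontaudit; either change the rule to dontaudit (if the search should be denied but kept quiet) or rewrite the comment to say the search is permitted. The neighbouring 'dontaudit ifconfig_t self:capability sys_module;' shows the intended form.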
diff --git a/mls/domains/program/inetd.te b/mls/domains/program/inetd.te
new file mode 100644
index 0000000..5c88ab3
--- /dev/null
+++ b/mls/domains/program/inetd.te
@@ -0,0 +1,64 @@
+#DESC Inetd - Internet services daemon
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# re-written with daemon_domain by Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
+#
+
+#################################
+#
+# Rules for the inetd_t domain and
+# the inetd_child_t domain.
+#
+
+daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
+
+can_network(inetd_t)
+allow inetd_t port_type:tcp_socket name_connect;
+allow inetd_t self:unix_dgram_socket create_socket_perms;
+allow inetd_t self:unix_stream_socket create_socket_perms;
+allow inetd_t self:fifo_file rw_file_perms;
+allow inetd_t etc_t:file { getattr read ioctl };
+allow inetd_t self:process setsched;
+
+log_domain(inetd)
+tmp_domain(inetd)
+
+# Use capabilities.
+allow inetd_t self:capability { setuid setgid net_bind_service };
+
+# allow any domain to connect to inetd
+can_tcp_connect(userdomain, inetd_t)
+
+# Run each daemon with a defined domain in its own domain.
+# These rules have been moved to the individual target domain .te files.
+
+# Run other daemons in the inetd_child_t domain.
+allow inetd_t { bin_t sbin_t }:dir search;
+allow inetd_t sbin_t:lnk_file read;
+
+# Bind to the telnet, ftp, rlogin and rsh ports.
+ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
+ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
+ifdef(`talk.te', `
+allow inetd_t talk_port_t:tcp_socket name_bind;
+allow inetd_t ntalk_port_t:tcp_socket name_bind;
+')
+
+allow inetd_t auth_port_t:tcp_socket name_bind;
+# Communicate with the portmapper.
+ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
+
+
+inetd_child_domain(inetd_child)
+allow inetd_child_t proc_net_t:dir search;
+allow inetd_child_t proc_net_t:file { getattr read };
+
+ifdef(`unconfined.te', `
+domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
+')
+
+ifdef(`unlimitedInetd', `
+unconfined_domain(inetd_t) 
+')
+
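Review bot: the unlimitedInetd build option is handled twice with different effects: the daemon_domain call adds attributes (admin, etc_writer, fs_domain, auth_write, privmem) and the block at the end applies unconfined_domain(inetd_t); once the domain is unconfined the extra attributes are redundant, so keeping one mechanism (with a comment stating that unlimitedInetd removes confinement entirely) would make the option's effect clear. Minor: trailing whitespace after 'unconfined_domain(inetd_t)' and a double blank line before inetd_child_domain(inetd_child).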
diff --git a/mls/domains/program/init.te b/mls/domains/program/init.te
new file mode 100644
index 0000000..dc5c050
--- /dev/null
+++ b/mls/domains/program/init.te
@@ -0,0 +1,147 @@
+#DESC Init - Process initialization
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: sysvinit
+#
+
+#################################
+#
+# Rules for the init_t domain.
+#
+# init_t is the domain of the init process.
+# init_exec_t is the type of the init program.
+# initctl_t is the type of the named pipe created 
+# by init during initialization.  This pipe is used
+# to communicate with init.
+#
+type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
+role system_r types init_t;
+uses_shlib(init_t);
+type init_exec_t, file_type, sysadmfile, exec_type;
+type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
+
+# for init to determine whether SE Linux is active so it can know whether to
+# activate it
+allow init_t security_t:dir search;
+allow init_t security_t:file { getattr read };
+
+# for mount points
+allow init_t file_t:dir search;
+
+# Use capabilities.
+allow init_t self:capability ~sys_module;
+
+# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
+domain_auto_trans(init_t, initrc_exec_t, initrc_t)
+
+# Run the shell in the sysadm_t domain for single-user mode.
+domain_auto_trans(init_t, shell_exec_t, sysadm_t)
+
+# Run /sbin/update in the init_t domain.
+can_exec(init_t, sbin_t)
+
+# Run init.
+can_exec(init_t, init_exec_t)
+
+# Run chroot from initrd scripts.
+ifdef(`chroot.te', `
+can_exec(init_t, chroot_exec_t)
+')
+
+# Create /dev/initctl.
+file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
+ifdef(`distro_redhat', `
+file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
+')
+
+# Create ioctl.save.
+file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
+
+# Update /etc/ld.so.cache
+allow init_t ld_so_cache_t:file rw_file_perms;
+
+# Allow access to log files
+allow init_t var_t:dir search;
+allow init_t var_log_t:dir search;
+allow init_t var_log_t:file rw_file_perms;
+
+read_locale(init_t)
+
+# Create unix sockets
+allow init_t self:unix_dgram_socket create_socket_perms;
+allow init_t self:unix_stream_socket create_socket_perms;
+allow init_t self:fifo_file rw_file_perms;
+
+# Permissions required for system startup
+allow init_t { bin_t sbin_t }:dir r_dir_perms;
+allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
+
+# allow init to fork
+allow init_t self:process { fork sigchld };
+
+# Modify utmp.
+allow init_t var_run_t:file rw_file_perms;
+allow init_t initrc_var_run_t:file { setattr rw_file_perms };
+can_unix_connect(init_t, initrc_t)
+
+# For /var/run/shutdown.pid.
+var_run_domain(init)
+
+# Shutdown permissions
+r_dir_file(init_t, proc_t)
+r_dir_file(init_t, self)
+allow init_t devpts_t:dir r_dir_perms;
+
+# Modify wtmp.
+allow init_t wtmp_t:file rw_file_perms;
+
+# Kill all processes.
+allow init_t domain:process signal_perms;
+
+# Allow all processes to send SIGCHLD to init.
+allow domain init_t:process { sigchld signull };
+
+# If you load a new policy that removes active domains, processes can
+# get stuck if you do not allow unlabeled processes to signal init
+# If you load an incompatible policy, you should probably reboot,
+# since you may have compromised system security.
+allow unlabeled_t init_t:process sigchld;
+
+# for loading policy
+allow init_t policy_config_t:file r_file_perms;
+
+# Set booleans.
+can_setbool(init_t)
+
+# Read and write the console and ttys.
+allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
+ifdef(`distro_redhat', `
+allow init_t tmpfs_t:chr_file rw_file_perms;
+')
+allow init_t ttyfile:chr_file rw_file_perms;
+allow init_t ptyfile:chr_file rw_file_perms;
+
+# Run system executables.
+can_exec(init_t,bin_t)
+ifdef(`consoletype.te', `
+can_exec(init_t, consoletype_exec_t)
+')
+
+# Run /etc/X11/prefdm.
+can_exec(init_t,etc_t)
+
+allow init_t lib_t:file { getattr read };
+
+allow init_t devtty_t:chr_file { read write };
+allow init_t ramfs_t:dir search;
+allow init_t ramfs_t:sock_file write;
+r_dir_file(init_t, sysfs_t)
+
+r_dir_file(init_t, selinux_config_t)
+
+# file descriptors inherited from the rootfs.
+dontaudit init_t root_t:{ file chr_file } { read write }; 
+ifdef(`targeted_policy', `
+unconfined_domain(init_t)
+')
+
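Review bot: `can_exec(init_t,etc_t)` (commented "Run /etc/X11/prefdm") lets init_t execute any file labeled etc_t without a domain transition; a dedicated executable type for prefdm, or a transition into the display manager's domain, would be narrower than granting execute on the whole etc_t type. Style points in the same hunk: `can_exec(init_t,bin_t)` and `can_exec(init_t,etc_t)` drop the space after the comma that every other can_exec in this file uses, and `dontaudit init_t root_t:{ file chr_file } { read write }; ` carries trailing whitespace.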
diff --git a/mls/domains/program/initrc.te b/mls/domains/program/initrc.te
new file mode 100644
index 0000000..683e1e3
--- /dev/null
+++ b/mls/domains/program/initrc.te
@@ -0,0 +1,346 @@
+#DESC Initrc - System initialization scripts
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: sysvinit policycoreutils
+#
+
+#################################
+#
+# Rules for the initrc_t domain.
+#
+# initrc_t is the domain of the init rc scripts.
+# initrc_exec_t is the type of the init program.
+#
+# do not use privmail for sendmail as it creates a type transition conflict
+type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite, privrangetrans;
+
+role system_r types initrc_t;
+uses_shlib(initrc_t);
+can_network(initrc_t)
+allow initrc_t port_type:tcp_socket name_connect;
+can_ypbind(initrc_t)
+type initrc_exec_t, file_type, sysadmfile, exec_type;
+
+# for halt to down interfaces
+allow initrc_t self:udp_socket create_socket_perms;
+
+# read files in /etc/init.d
+allow initrc_t etc_t:lnk_file r_file_perms;
+
+read_locale(initrc_t)
+
+r_dir_file(initrc_t, usr_t)
+
+# Read system information files in /proc.
+r_dir_file(initrc_t, { proc_t proc_net_t })
+allow initrc_t proc_mdstat_t:file { getattr read };
+
+# Allow IPC with self
+allow initrc_t self:unix_dgram_socket create_socket_perms;
+allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow initrc_t self:fifo_file rw_file_perms;
+
+# Read the root directory of a usbdevfs filesystem, and
+# the devices and drivers files.  Permit stating of the
+# device nodes, but nothing else.
+allow initrc_t usbdevfs_t:dir r_dir_perms;
+allow initrc_t usbdevfs_t:lnk_file r_file_perms;
+allow initrc_t usbdevfs_t:file getattr;
+allow initrc_t usbfs_t:dir r_dir_perms;
+allow initrc_t usbfs_t:file getattr;
+
+# allow initrc to fork and renice itself
+allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
+
+# Can create ptys for open_init_pty
+can_create_pty(initrc)
+
+tmp_domain(initrc)
+#
+# Some initscripts generate scripts that they need to execute (ldap)
+#
+can_exec(initrc_t, initrc_tmp_t)
+
+var_run_domain(initrc)
+allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
+allow initrc_t var_run_t:dir { create rmdir };
+
+ifdef(`distro_debian', `
+allow initrc_t { etc_t device_t }:dir setattr;
+
+# for storing state under /dev/shm
+allow initrc_t tmpfs_t:dir setattr;
+file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
+file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
+allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
+')
+
+allow initrc_t framebuf_device_t:chr_file r_file_perms;
+
+# Use capabilities.
+allow initrc_t self:capability ~{ sys_admin sys_module };
+
+# Use system operations.
+allow initrc_t kernel_t:system *;
+
+# Set values in /proc/sys.
+can_sysctl(initrc_t)
+
+# Run helper programs in the initrc_t domain.
+allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
+allow initrc_t {bin_t sbin_t }:lnk_file read;
+can_exec(initrc_t, etc_t)
+can_exec(initrc_t, lib_t)
+can_exec(initrc_t, bin_t)
+can_exec(initrc_t, sbin_t)
+can_exec(initrc_t, exec_type)
+#
+#  These rules are here to allow init scripts to su
+#
+ifdef(`su.te', `
+su_restricted_domain(initrc,system)
+role system_r types initrc_su_t;
+')
+allow initrc_t self:passwd rootok;
+
+# read /lib/modules
+allow initrc_t modules_object_t:dir { search read };
+
+# Read conf.modules.
+allow initrc_t modules_conf_t:file r_file_perms;
+
+# Run other rc scripts in the initrc_t domain.
+can_exec(initrc_t, initrc_exec_t)
+
+# Run init (telinit) in the initrc_t domain.
+can_exec(initrc_t, init_exec_t)
+
+# Communicate with the init process.
+allow initrc_t initctl_t:fifo_file rw_file_perms;
+
+# Read /proc/PID directories for all domains.
+r_dir_file(initrc_t, domain)
+allow initrc_t domain:process { getattr getsession };
+
+# Mount and unmount file systems.
+allow initrc_t fs_type:filesystem mount_fs_perms;
+allow initrc_t file_t:dir { read search getattr mounton };
+
+# during boot up initrc needs to do the following
+allow initrc_t default_t:dir { write read search getattr mounton };
+
+# rhgb-console writes to ramfs
+allow initrc_t ramfs_t:fifo_file write;
+
+# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
+file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
+
+# Update /etc/ld.so.cache.
+allow initrc_t ld_so_cache_t:file rw_file_perms;
+
+# Update /var/log/wtmp and /var/log/dmesg.
+allow initrc_t wtmp_t:file { setattr rw_file_perms };
+allow initrc_t var_log_t:dir rw_dir_perms;
+allow initrc_t var_log_t:file create_file_perms;
+allow initrc_t lastlog_t:file { setattr rw_file_perms };
+allow initrc_t logfile:file { read append };
+
+# remove old locks
+allow initrc_t lockfile:dir rw_dir_perms;
+allow initrc_t lockfile:file { getattr unlink };
+
+# Access /var/lib/random-seed.
+allow initrc_t var_lib_t:file rw_file_perms;
+allow initrc_t var_lib_t:file unlink;
+
+# Create lock file.
+allow initrc_t var_lock_t:dir create_dir_perms;
+allow initrc_t var_lock_t:file create_file_perms;
+
+# Set the clock.
+allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
+
+# Kill all processes.
+allow initrc_t domain:process signal_perms;
+
+# Write to /dev/urandom.
+allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
+
+# for cryptsetup
+allow initrc_t fixed_disk_device_t:blk_file getattr;
+
+# Set device ownerships/modes.
+allow initrc_t framebuf_device_t:chr_file setattr;
+allow initrc_t misc_device_t:devfile_class_set setattr;
+allow initrc_t device_t:devfile_class_set setattr;
+allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
+allow initrc_t removable_device_t:devfile_class_set setattr;
+allow initrc_t device_t:lnk_file read;
+allow initrc_t xconsole_device_t:fifo_file setattr;
+
+# Stat any file.
+allow initrc_t file_type:notdevfile_class_set getattr;
+allow initrc_t file_type:dir { search getattr };
+
+# Read and write console and ttys.
+allow initrc_t devtty_t:chr_file rw_file_perms;
+allow initrc_t console_device_t:chr_file rw_file_perms;
+allow initrc_t tty_device_t:chr_file rw_file_perms;
+allow initrc_t ttyfile:chr_file rw_file_perms;
+allow initrc_t ptyfile:chr_file rw_file_perms;
+
+# Reset tty labels.
+allow initrc_t ttyfile:chr_file relabelfrom;
+allow initrc_t tty_device_t:chr_file relabelto;
+
+ifdef(`distro_redhat', `
+# Create and read /boot/kernel.h and /boot/System.map.
+# Redhat systems typically create this file at boot time.
+allow initrc_t boot_t:lnk_file rw_file_perms;
+file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
+
+allow initrc_t tmpfs_t:chr_file rw_file_perms;
+allow initrc_t tmpfs_t:dir r_dir_perms;
+
+# Allow initrc domain to set the enforcing flag.
+can_setenforce(initrc_t)
+
+#
+# readahead asks for these
+#
+allow initrc_t etc_aliases_t:file { getattr read };
+allow initrc_t var_lib_nfs_t:file { getattr read };
+
+# for /halt /.autofsck and other flag files
+file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
+
+file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
+allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
+allow initrc_t self:capability sys_admin;
+allow initrc_t device_t:dir create;
+# wants to delete /poweroff and other files 
+allow initrc_t root_t:file unlink;
+# wants to read /.fonts directory
+allow initrc_t default_t:file { getattr read };
+ifdef(`xserver.te', `
+# wants to cleanup xserver log dir
+allow initrc_t xserver_log_t:dir rw_dir_perms;
+allow initrc_t xserver_log_t:file unlink;
+')
+')dnl end distro_redhat
+
+allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
+allow initrc_t var_spool_t:file rw_file_perms;
+
+# Allow access to the sysadm TTYs. Note that this will give access to the 
+# TTYs to any process in the initrc_t domain. Therefore, daemons and such
+# started from init should be placed in their own domain.
+allow initrc_t admin_tty_type:chr_file rw_file_perms;
+
+# Access sound device and files.
+allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
+
+# Read user home directories.
+allow initrc_t { home_root_t home_type }:dir r_dir_perms;
+allow initrc_t home_type:file r_file_perms;
+
+# Read and unlink /var/run/*.pid files.
+allow initrc_t pidfile:file { getattr read unlink };
+
+# for system start scripts
+allow initrc_t pidfile:dir { rmdir rw_dir_perms };
+allow initrc_t pidfile:sock_file unlink;
+
+rw_dir_create_file(initrc_t, var_lib_t)
+
+# allow start scripts to clean /tmp
+allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
+allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
+
+# for lsof which is used by alsa shutdown
+dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
+dontaudit initrc_t proc_kmsg_t:file getattr;
+
+#################################
+#
+# Rules for the run_init_t domain.
+#
+ifdef(`targeted_policy', `
+type run_init_exec_t, file_type, sysadmfile, exec_type;
+type run_init_t, domain;
+domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+typeattribute initrc_t privuser;
+domain_trans(initrc_t, shell_exec_t, unconfined_t)
+allow initrc_t unconfined_t:system syslog_mod;
+', `
+run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
+')
+allow initrc_t privfd:fd use;
+
+# Transition to system_r:initrc_t upon executing init scripts.
+ifdef(`direct_sysadm_daemon', `
+role_transition sysadm_r initrc_exec_t system_r;
+domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
+ifdef(`mls_policy', `
+typeattribute initrc_t mlsrangetrans;
+range_transition sysadm_t initrc_exec_t s0 - s15:c0.c255;
+')
+')
+
+#
+# Shutting down xinet causes these
+#
+# Fam
+dontaudit initrc_t device_t:dir { read write };
+# Rsync
+dontaudit initrc_t mail_spool_t:lnk_file read;
+
+allow initrc_t sysfs_t:dir { getattr read search };
+allow initrc_t sysfs_t:file { getattr read write };
+allow initrc_t sysfs_t:lnk_file { getattr read };
+allow initrc_t udev_runtime_t:file rw_file_perms;
+allow initrc_t device_type:chr_file setattr;
+allow initrc_t binfmt_misc_fs_t:dir { getattr search };
+allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
+
+# for lsof in shutdown scripts
+can_kerberos(initrc_t)
+
+#
+# Wants to remove udev.tbl
+#
+allow initrc_t device_t:dir rw_dir_perms;
+allow initrc_t device_t:lnk_file unlink;
+
+r_dir_file(initrc_t,selinux_config_t)
+
+ifdef(`unlimitedRC', `
+unconfined_domain(initrc_t) 
+')
+#
+# initrc script does a cat /selinux/enforce
+#
+allow initrc_t security_t:dir { getattr search };
+allow initrc_t security_t:file { getattr read };
+
+# init script state
+type initrc_state_t, file_type, sysadmfile;
+create_dir_file(initrc_t,initrc_state_t)
+
+ifdef(`distro_gentoo', `
+# Gentoo integrated run_init+open_init_pty-runscript:
+domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+')
+allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
+allow initrc_t device_t:lnk_file create_file_perms;
+ifdef(`dbusd.te', `
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+')
+
+# Slapd needs to read cert files from its initscript
+r_dir_file(initrc_t, cert_t)
+ifdef(`use_mcs', `
+range_transition sysadm_t initrc_exec_t s0;
+')
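Review bot: `allow initrc_t self:capability ~{ sys_admin sys_module };` grants every capability but two, and the distro_redhat block then adds `allow initrc_t self:capability sys_admin;`, so on Red Hat only sys_module is withheld; combined with `allow initrc_t kernel_t:system *;` and `can_exec(initrc_t, exec_type)` (execute any exec_type without a transition) this leaves initrc_t close to unconfined even when unlimitedRC is not defined, which sits badly with the file's own comment that daemons started from init should be placed in their own domain. Suggest enumerating the capabilities and system permissions actually needed at boot and dropping the exec_type can_exec in favour of the domain_auto_trans rules the individual daemon .te files declare. Separately, `range_transition sysadm_t initrc_exec_t s0 - s15:c0.c255;` under mls_policy and `range_transition sysadm_t initrc_exec_t s0;` under use_mcs target the same source and executable type; if both macros can be defined in one build the two rules conflict, so state that they are mutually exclusive or guard one against the other.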
diff --git a/mls/domains/program/innd.te b/mls/domains/program/innd.te
new file mode 100644
index 0000000..25047df
--- /dev/null
+++ b/mls/domains/program/innd.te
@@ -0,0 +1,81 @@
+#DESC INN - InterNetNews server
+#
+# Author:  Faye Coker <faye@lurking-grue.org>
+# X-Debian-Packages: inn
+#
+################################
+
+# Types for the server port and news spool.
+#
+type news_spool_t, file_type, sysadmfile;
+
+
+# need privmail attribute so innd can access system_mail_t
+daemon_domain(innd, `, privmail')
+
+# allow innd to create files and directories of type news_spool_t
+create_dir_file(innd_t, news_spool_t)
+
+# allow user domains to read files and directories these types
+r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })
+
+can_exec(initrc_t, innd_etc_t)
+can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
+ifdef(`hostname.te', `
+can_exec(innd_t, hostname_exec_t)
+')
+
+allow innd_t var_spool_t:dir { getattr search };
+
+can_network(innd_t)
+allow innd_t port_type:tcp_socket name_connect;
+can_ypbind(innd_t)
+
+can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
+allow innd_t self:unix_dgram_socket create_socket_perms;
+allow innd_t self:unix_stream_socket create_stream_socket_perms;
+can_unix_connect(innd_t, self)
+
+allow innd_t self:fifo_file rw_file_perms;
+allow innd_t innd_port_t:tcp_socket name_bind;
+
+allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
+allow innd_t self:process setsched;
+
+allow innd_t { bin_t sbin_t }:dir search;
+allow innd_t usr_t:lnk_file read;
+allow innd_t usr_t:file { getattr read ioctl };
+allow innd_t lib_t:file ioctl;
+allow innd_t etc_t:file { getattr read };
+allow innd_t { proc_t etc_runtime_t }:file { getattr read };
+allow innd_t urandom_device_t:chr_file read;
+
+allow innd_t innd_var_run_t:sock_file create_file_perms;
+
+# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type
+etcdir_domain(innd)
+
+# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
+# it can write to
+logdir_domain(innd)
+
+# allow innd read-write directory permissions to /var/lib/news.
+var_lib_domain(innd)
+
+ifdef(`crond.te', `
+system_crond_entry(innd_exec_t, innd_t)
+allow system_crond_t innd_etc_t:file { getattr read };
+rw_dir_create_file(system_crond_t, innd_log_t)
+rw_dir_create_file(system_crond_t, innd_var_run_t)
+')
+
+ifdef(`syslogd.te', `
+allow syslogd_t innd_log_t:dir search;
+allow syslogd_t innd_log_t:file create_file_perms;
+')
+
+allow innd_t self:file { getattr read };
+dontaudit innd_t selinux_config_t:dir { search };
+allow system_crond_t innd_etc_t:file { getattr read };
+allow innd_t bin_t:lnk_file { read };
+allow innd_t sbin_t:lnk_file { read };
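Review bot: `allow system_crond_t innd_etc_t:file { getattr read };` near the end of the file sits outside the `ifdef(`crond.te', ...)` block and duplicates the identical rule inside it; when crond.te is not built, system_crond_t is undefined and the unconditional copy breaks the policy build, so delete the second copy. Also `can_exec(initrc_t, innd_etc_t)` lets init scripts execute anything labeled innd_etc_t under /etc/news; if a single script needs this, a separate executable type would be tighter. Minor style: `allow innd_t bin_t:lnk_file { read };` and the sbin_t line below it wrap a single permission in braces.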
diff --git a/mls/domains/program/ipsec.te b/mls/domains/program/ipsec.te
new file mode 100644
index 0000000..ea45a36
--- /dev/null
+++ b/mls/domains/program/ipsec.te
@@ -0,0 +1,229 @@
+#DESC ipsec - TCP/IP encryption
+#
+# Authors: Mark Westerman mark.westerman@westcam.com
+# massively butchered by paul krumviede <pwk@acm.org>
+# further massaged by Chris Vance <cvance@tislabs.com>
+# X-Debian-Packages: freeswan
+#
+########################################
+#
+# Rules for the ipsec_t domain.
+#
+# a domain for things that need access to the PF_KEY socket
+daemon_base_domain(ipsec, `, privlog')
+
+# type for ipsec configuration file(s) - not for keys
+type ipsec_conf_file_t, file_type, sysadmfile;
+
+# type for file(s) containing ipsec keys - RSA or preshared
+type ipsec_key_file_t, file_type, sysadmfile;
+
+# type for runtime files, including pluto.ctl
+# lots of strange stuff for the ipsec_var_run_t - need to check it
+var_run_domain(ipsec)
+
+type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
+type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
+file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
+file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
+file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
+
+allow ipsec_mgmt_t modules_object_t:dir search;
+allow ipsec_mgmt_t modules_object_t:file getattr;
+
+allow ipsec_t self:capability { net_admin net_bind_service };
+allow ipsec_t self:process signal;
+allow ipsec_t etc_t:lnk_file read;
+
+domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t)
+
+# Inherit and use descriptors from init.
+# allow access (for, e.g., klipsdebug) to console
+allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms;
+allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use;
+
+# I do not know where this pesky pipe is...
+allow ipsec_t initrc_t:fifo_file write;
+
+r_dir_file(ipsec_t, ipsec_conf_file_t)
+r_dir_file(ipsec_t, ipsec_key_file_t)
+allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
+rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
+
+allow ipsec_t self:key_socket { create write read setopt };
+
+# for lsof
+allow sysadm_t ipsec_t:key_socket getattr;
+
+# the ipsec wrapper wants to run /usr/bin/logger (should we put
+# it in its own domain?)
+can_exec(ipsec_mgmt_t, bin_t)
+# logger, running in ipsec_mgmt_t needs to use sockets
+allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms;
+allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms;
+
+# also need to run things like whack and shell scripts
+can_exec(ipsec_mgmt_t, ipsec_exec_t)
+can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
+allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
+can_exec(ipsec_mgmt_t, shell_exec_t)
+can_exec(ipsec_t, shell_exec_t)
+can_exec(ipsec_t, bin_t)
+can_exec(ipsec_t, ipsec_mgmt_exec_t)
+# now for a icky part...
+# pluto runs an updown script (by calling popen()!); as this is by default
+# a shell script, we need to find a way to make things work without
+# letting all sorts of stuff possibly be run...
+# so try flipping back into the ipsec_mgmt_t domain
+domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)
+allow ipsec_mgmt_t ipsec_t:fd use;
+
+# the default updown script wants to run route
+can_exec(ipsec_mgmt_t, sbin_t)
+allow ipsec_mgmt_t sbin_t:lnk_file read;
+allow ipsec_mgmt_t self:capability { net_admin dac_override };
+
+# need access to /proc/sys/net/ipsec/icmp
+allow ipsec_mgmt_t sysctl_t:file write;
+allow ipsec_mgmt_t sysctl_net_t:dir search;
+allow ipsec_mgmt_t sysctl_net_t:file { write setattr };
+
+# whack needs to be able to read/write pluto.ctl
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
+# and it wants to connect to a socket...
+allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
+
+# allow system administrator to use the ipsec script to look
+# at things (e.g., ipsec auto --status)
+# probably should create an ipsec_admin role for this kind of thing
+can_exec(sysadm_t, ipsec_mgmt_exec_t)
+allow sysadm_t ipsec_t:unix_stream_socket connectto;
+
+# _realsetup needs to be able to cat /var/run/pluto.pid,
+# run ps on that pid, and delete the file
+allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
+
+allow ipsec_mgmt_t boot_t:dir search;
+allow ipsec_mgmt_t system_map_t:file { read getattr };
+
+# denials when ps tries to search /proc. Do not audit these denials.
+dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
+
+# suppress audit messages about unnecessary socket access
+dontaudit ipsec_mgmt_t domain:key_socket { read write };
+dontaudit ipsec_mgmt_t domain:udp_socket { read write };
+
+# from rbac
+role system_r types { ipsec_t ipsec_mgmt_t };
+
+# from initrc.te
+domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
+
+
+########## The following rules were added by cvance@tislabs.com ##########
+
+# allow pluto and startup scripts to access /dev/urandom
+allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;
+
+# allow pluto to access /proc/net/ipsec_eroute;
+general_proc_read_access(ipsec_t)
+general_proc_read_access(ipsec_mgmt_t)
+
+# allow pluto to search the root directory (not sure why, but mostly harmless)
+# Are these all really necessary?
+allow ipsec_t var_t:dir search;
+allow ipsec_t bin_t:dir search;
+allow ipsec_t device_t:dir { getattr search };
+allow ipsec_mgmt_t device_t:dir { getattr search read };
+dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
+dontaudit ipsec_mgmt_t devpts_t:dir getattr;
+allow ipsec_mgmt_t etc_t:lnk_file read;
+allow ipsec_mgmt_t var_t:dir search;
+allow ipsec_mgmt_t sbin_t:dir search;
+allow ipsec_mgmt_t bin_t:dir search;
+allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read };
+
+# Startup scripts
+# use libraries
+uses_shlib({ ipsec_t ipsec_mgmt_t })
+# Read and write /dev/tty
+allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms;
+# fork
+allow ipsec_mgmt_t self:process fork;
+# startup script runs /bin/gawk with a pipe
+allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+# read /etc/mtab Why?
+allow ipsec_mgmt_t etc_runtime_t:file { read getattr };
+# read link for /bin/sh 
+allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read;
+
+#
+allow ipsec_mgmt_t self:process { sigchld signal setrlimit };
+
+# Allow read/write access to /var/run/pluto.ctl
+allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };
+
+# Pluto needs network access
+can_network_server(ipsec_t)
+can_ypbind(ipsec_t)
+allow ipsec_t self:unix_dgram_socket create_socket_perms;
+
+# for sleep
+allow ipsec_mgmt_t fs_t:filesystem getattr;
+
+# for the start script
+can_exec(ipsec_mgmt_t, etc_t)
+
+# allow access to /etc/localtime
+allow ipsec_mgmt_t etc_t:file { read getattr };
+allow ipsec_t etc_t:file { read getattr };
+
+# allow access to /dev/null
+allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
+allow ipsec_t null_device_t:chr_file rw_file_perms;
+
+# Allow scripts to use /var/lock/subsys/ipsec
+lock_domain(ipsec_mgmt)
+
+# allow tncfg to create sockets
+allow ipsec_mgmt_t self:udp_socket { create ioctl };
+
+#When running ipsec auto --up <conname>
+allow ipsec_t self:process { fork sigchld };
+allow ipsec_t self:fifo_file { read getattr };
+
+# ideally it would not need this.  It wants to write to /root/.rnd
+file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
+
+allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
+allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
+allow ipsec_mgmt_t self:lnk_file read;
+
+allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search };
+read_locale(ipsec_mgmt_t)
+var_run_domain(ipsec_mgmt)
+dontaudit ipsec_mgmt_t default_t:dir getattr;
+dontaudit ipsec_mgmt_t default_t:file getattr;
+allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
+allow ipsec_mgmt_t self:key_socket { create setopt };
+can_exec(ipsec_mgmt_t, initrc_exec_t)
+allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
+allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
+read_locale(ipsec_t)
+ifdef(`consoletype.te', `
+can_exec(ipsec_mgmt_t, consoletype_exec_t )
+')
+dontaudit ipsec_mgmt_t selinux_config_t:dir search;
+dontaudit ipsec_t ttyfile:chr_file { read write };
+allow ipsec_t self:capability { dac_override dac_read_search };
+allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind;
+allow ipsec_mgmt_t dev_fs:file_class_set getattr;
+dontaudit ipsec_mgmt_t device_t:lnk_file read;
+allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
+allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
+rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
+rw_dir_create_file(initrc_t, ipsec_var_run_t)
+allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
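Review bot: `can_exec(ipsec_t, shell_exec_t)` undercuts the intent stated for `domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)` (the updown script that pluto runs through popen() is supposed to land in ipsec_mgmt_t rather than run as a shell inside ipsec_t): the transition remains the default, but execute_no_trans stays permitted, so a shell can still run in ipsec_t. If the transition is the goal, drop the can_exec. Also `allow ipsec_mgmt_t sysctl_t:file write;` is broader than the /proc/sys/net/ipsec/icmp case its comment describes; the sysctl_net_t rules immediately below already cover that path, so the sysctl_t write looks unnecessary. The `admin` attribute on ipsec_mgmt_t and the file_type_auto_trans into sysadm_home_t for /root/.rnd (which the comment itself calls undesirable) deserve a follow-up.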
diff --git a/mls/domains/program/iptables.te b/mls/domains/program/iptables.te
new file mode 100644
index 0000000..8d83280
--- /dev/null
+++ b/mls/domains/program/iptables.te
@@ -0,0 +1,63 @@
+#DESC Ipchains - IP packet filter administration
+#
+# Authors:  Justin Smith <jsmith@mcs.drexel.edu>
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: ipchains iptables
+#
+
+#
+# Rules for the iptables_t domain.
+#
+daemon_base_domain(iptables, `, privmodule')
+role sysadm_r types iptables_t;
+domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
+
+ifdef(`modutil.te', `
+# for modprobe
+allow iptables_t sbin_t:dir search;
+allow iptables_t sbin_t:lnk_file read;
+')
+
+read_locale(iptables_t)
+
+# to allow rules to be saved on reboot
+allow iptables_t initrc_tmp_t:file rw_file_perms;
+
+domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
+allow iptables_t var_t:dir search;
+var_run_domain(iptables)
+
+allow iptables_t self:process { fork signal_perms };
+
+allow iptables_t { sysctl_t sysctl_kernel_t }:dir search;
+allow iptables_t sysctl_modprobe_t:file { getattr read };
+
+tmp_domain(iptables)
+
+# for iptables -L
+allow iptables_t self:unix_stream_socket create_socket_perms;
+can_resolve(iptables_t)
+can_ypbind(iptables_t)
+
+allow iptables_t iptables_exec_t:file execute_no_trans;
+allow iptables_t self:capability { net_admin net_raw };
+allow iptables_t self:rawip_socket create_socket_perms;
+
+allow iptables_t etc_t:file { getattr read };
+
+allow iptables_t fs_t:filesystem getattr;
+allow iptables_t { userdomain kernel_t }:fd use;
+
+# Access terminals.
+allow iptables_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
+
+allow iptables_t proc_t:file { getattr read };
+allow iptables_t proc_net_t:dir search;
+allow iptables_t proc_net_t:file { read getattr };
+
+# system-config-network appends to /var/log
+allow iptables_t var_log_t:file append;
+ifdef(`firstboot.te', `
+allow iptables_t firstboot_t:fifo_file write;
+')
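Review bot: the `#DESC Ipchains - IP packet filter administration` header names ipchains while the file is iptables.te; update the description to say iptables (the X-Debian-Packages line already lists both). Also `allow iptables_t { userdomain kernel_t }:fd use;` permits descriptor inheritance from every user domain, although `domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)` is the only entry point from a user domain declared here; sysadm_t alone may be sufficient.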
diff --git a/mls/domains/program/irc.te b/mls/domains/program/irc.te
new file mode 100644
index 0000000..50c1122
--- /dev/null
+++ b/mls/domains/program/irc.te
@@ -0,0 +1,12 @@
+#DESC Irc - IRC client
+#
+# Domains for the irc program.
+# X-Debian-Packages: tinyirc ircii
+
+#
+# irc_exec_t is the type of the irc executable.
+#
+type irc_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the irc_domain macro in
+# macros/program/irc_macros.te.
diff --git a/mls/domains/program/irqbalance.te b/mls/domains/program/irqbalance.te
new file mode 100644
index 0000000..35be192
--- /dev/null
+++ b/mls/domains/program/irqbalance.te
@@ -0,0 +1,15 @@
+#DESC IRQBALANCE - IRQ balance daemon
+#
+# Author:  Ulrich Drepper <drepper@redhat.com>
+#
+
+#################################
+#
+# Rules for the irqbalance_t domain.
+#
+daemon_domain(irqbalance)
+
+# irqbalance needs access to /proc.
+allow irqbalance_t proc_t:file { read getattr };
+allow irqbalance_t sysctl_irq_t:dir r_dir_perms;
+allow irqbalance_t sysctl_irq_t:file rw_file_perms;
diff --git a/mls/domains/program/java.te b/mls/domains/program/java.te
new file mode 100644
index 0000000..dfd0372
--- /dev/null
+++ b/mls/domains/program/java.te
@@ -0,0 +1,14 @@
+#DESC Java VM 
+#
+# Authors: Dan Walsh <dwalsh@redhat.com> 
+# X-Debian-Packages: java
+#
+
+# Type for the netscape, java or other browser executables.
+type java_exec_t, file_type, sysadmfile, exec_type;
+
+# Allow java executable stack
+bool allow_java_execstack false;
+
+# Everything else is in the java_domain macro in
+# macros/program/java_macros.te.
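Review bot: the comment `# Type for the netscape, java or other browser executables.` above `type java_exec_t` reads like a copy from a browser policy; reword it to describe the Java VM executable this file labels. Also `bool allow_java_execstack false;` is declared here but nothing in this file references it; confirm the java_domain macro in macros/program/java_macros.te consumes the boolean, since the file defers everything else to it.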
diff --git a/mls/domains/program/kerberos.te b/mls/domains/program/kerberos.te
new file mode 100644
index 0000000..19cc3c4
--- /dev/null
+++ b/mls/domains/program/kerberos.te
@@ -0,0 +1,91 @@
+#DESC Kerberos5 - MIT Kerberos5
+# supports krb5kdc and kadmind daemons
+# kinit, kdestroy, klist clients
+# ksu support not complete
+#
+# includes rules for OpenSSH daemon compiled with both
+# kerberos5 and SELinux support
+#
+# Not supported : telnetd, ftpd, kprop/kpropd daemons
+#
+# Author:   Kerry Thompson <kerry@crypt.gen.nz>
+# Modified by Colin Walters <walters@redhat.com>
+# 
+
+#################################
+#
+# Rules for the krb5kdc_t,kadmind_t domains.
+#
+daemon_domain(krb5kdc)
+daemon_domain(kadmind)
+
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+can_exec(kadmind_t, kadmind_exec_t)
+
+# types for general configuration files in /etc
+type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
+
+# types for KDC configs and principal file(s)
+type krb5kdc_conf_t, file_type, sysadmfile;
+type krb5kdc_principal_t, file_type, sysadmfile;
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
+allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
+
+# krb5kdc and kadmind can use network
+can_network_server( { krb5kdc_t kadmind_t } )
+can_ypbind( { krb5kdc_t kadmind_t } )
+
+# allow UDP transfer to/from any program
+can_udp_send(kerberos_port_t, krb5kdc_t)
+can_udp_send(krb5kdc_t, kerberos_port_t)
+can_tcp_connect(kerberos_port_t, krb5kdc_t)
+can_tcp_connect(kerberos_admin_port_t, kadmind_t)
+
+# Bind to the kerberos, kerberos-adm ports.
+allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
+allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
+allow kadmind_t reserved_port_t:tcp_socket name_bind;
+dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
+
+#
+# Rules for Kerberos5 KDC daemon
+allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
+allow krb5kdc_t self:unix_stream_socket create_socket_perms;
+allow kadmind_t  self:unix_stream_socket create_socket_perms;
+allow krb5kdc_t krb5kdc_conf_t:dir search;
+allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
+allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
+dontaudit krb5kdc_t krb5kdc_principal_t:file write;
+allow krb5kdc_t locale_t:file { getattr read };
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
+allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
+allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
+allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
+dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
+tmp_domain(krb5kdc)
+log_domain(krb5kdc)
+allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
+allow kadmind_t random_device_t:chr_file { getattr read };
+allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+allow krb5kdc_t proc_t:dir r_dir_perms;
+allow krb5kdc_t proc_t:file { getattr read };
+
+#
+# Rules for Kerberos5 Kadmin daemon
+allow kadmind_t self:unix_dgram_socket { connect create write };
+allow kadmind_t krb5kdc_conf_t:dir search;
+allow kadmind_t krb5kdc_conf_t:file r_file_perms;
+allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
+read_locale(kadmind_t)
+dontaudit kadmind_t krb5kdc_conf_t:file write;
+tmp_domain(kadmind)
+log_domain(kadmind)
+
+#
+# Allow user programs to talk to KDC
+allow krb5kdc_t userdomain:udp_socket recvfrom;
+allow userdomain krb5kdc_t:udp_socket recvfrom;
+allow initrc_t krb5_conf_t:file ioctl;
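Review bot: the comment `# Use capabilities. Surplus capabilities may be allowed.` concedes the two capability sets are untrimmed; dac_override and net_admin on krb5kdc_t are the ones to audit first, since that domain holds the principal database. Also `allow kadmind_t reserved_port_t:tcp_socket name_bind;` together with the dontaudit on reserved_port_type lets kadmind bind any reserved port, although `allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;` already covers its own port; if the extra bind is for one specific port, give that port a type. Whitespace: `allow kadmind_t  self:unix_stream_socket create_socket_perms;` has a doubled space.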
diff --git a/mls/domains/program/klogd.te b/mls/domains/program/klogd.te
new file mode 100644
index 0000000..dd0b79c
--- /dev/null
+++ b/mls/domains/program/klogd.te
@@ -0,0 +1,48 @@
+#DESC Klogd - Kernel log daemon
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: klogd
+#
+
+#################################
+#
+# Rules for the klogd_t domain.
+#
+daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
+
+tmp_domain(klogd)
+allow klogd_t proc_t:dir r_dir_perms;
+allow klogd_t proc_t:lnk_file r_file_perms;
+allow klogd_t proc_t:file { getattr read };
+allow klogd_t self:dir r_dir_perms;
+allow klogd_t self:lnk_file r_file_perms;
+
+# read /etc/nsswitch.conf
+allow klogd_t etc_t:lnk_file read;
+allow klogd_t etc_t:file r_file_perms;
+
+read_locale(klogd_t)
+
+allow klogd_t etc_runtime_t:file { getattr read };
+
+# Create unix sockets
+allow klogd_t self:unix_dgram_socket create_socket_perms;
+
+# Use the sys_admin and sys_rawio capabilities.
+allow klogd_t self:capability { sys_admin sys_rawio };
+dontaudit klogd_t self:capability sys_resource;
+
+
+# Read /proc/kmsg and /dev/mem.
+allow klogd_t proc_kmsg_t:file r_file_perms;
+allow klogd_t memory_device_t:chr_file r_file_perms;
+
+# Control syslog and console logging
+allow klogd_t kernel_t:system { syslog_mod syslog_console };
+
+# Read /boot/System.map*
+allow klogd_t system_map_t:file r_file_perms;
+allow klogd_t boot_t:dir r_dir_perms;
+ifdef(`targeted_policy', `
+allow klogd_t unconfined_t:system syslog_mod;
+')
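Review bot: `allow klogd_t memory_device_t:chr_file r_file_perms;` (under `# Read /proc/kmsg and /dev/mem.`), combined with `privmem` in the daemon_domain() call and the `sys_rawio` capability, lets a log daemon read all of physical memory; the comment says what is granted but not why a daemon that already reads `/boot/System.map*` and `/proc/kmsg` needs `/dev/mem`. Document the code path that requires it or gate the rule behind a boolean so MLS deployments can leave it off, and drop one of the two blank lines above that comment.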
diff --git a/mls/domains/program/ktalkd.te b/mls/domains/program/ktalkd.te
new file mode 100644
index 0000000..7ae0109
--- /dev/null
+++ b/mls/domains/program/ktalkd.te
@@ -0,0 +1,14 @@
+#DESC ktalkd -  KDE version of the talk server 
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the ktalkd_t domain.
+#
+# ktalkd_exec_t is the type of the ktalkd executable.
+#
+
+inetd_child_domain(ktalkd, udp)
diff --git a/mls/domains/program/kudzu.te b/mls/domains/program/kudzu.te
new file mode 100644
index 0000000..9b64f98
--- /dev/null
+++ b/mls/domains/program/kudzu.te
@@ -0,0 +1,117 @@
+#DESC kudzu - Red Hat utility to recognise new hardware
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
+
+read_locale(kudzu_t)
+
+# for /etc/sysconfig/hwconf - probably need a new type
+allow kudzu_t etc_runtime_t:file rw_file_perms;
+
+# for kmodule
+if (allow_execmem) {
+allow kudzu_t self:process execmem;
+}
+allow kudzu_t zero_device_t:chr_file rx_file_perms;
+allow kudzu_t memory_device_t:chr_file { read write execute };
+
+allow kudzu_t ramfs_t:dir search;
+allow kudzu_t ramfs_t:sock_file write;
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+allow kudzu_t modules_conf_t:file { getattr read unlink rename };
+allow kudzu_t modules_object_t:dir r_dir_perms;
+allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
+allow kudzu_t mouse_device_t:chr_file { read write };
+allow kudzu_t proc_net_t:dir r_dir_perms;
+allow kudzu_t { proc_net_t proc_t }:file { getattr read };
+allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
+allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
+allow kudzu_t { bin_t sbin_t }:dir { getattr search };
+allow kudzu_t { bin_t sbin_t }:lnk_file read;
+read_sysctl(kudzu_t)
+allow kudzu_t sysctl_dev_t:dir { getattr search read };
+allow kudzu_t sysctl_dev_t:file { getattr read };
+allow kudzu_t sysctl_kernel_t:file write;
+allow kudzu_t usbdevfs_t:dir search;
+allow kudzu_t usbdevfs_t:file { getattr read };
+allow kudzu_t usbfs_t:dir search;
+allow kudzu_t usbfs_t:file { getattr read };
+var_run_domain(kudzu)
+allow kudzu_t kernel_t:system syslog_console;
+allow kudzu_t self:udp_socket { create ioctl };
+allow kudzu_t var_lock_t:dir search;
+allow kudzu_t devpts_t:dir search;
+
+# so it can write messages to the console
+allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
+
+role sysadm_r types kudzu_t;
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
+')
+ifdef(`anaconda.te', `
+domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
+')
+
+allow kudzu_t sysadm_home_dir_t:dir search;
+rw_dir_create_file(kudzu_t, etc_t)
+
+rw_dir_create_file(kudzu_t, mnt_t)
+can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
+# Read /usr/lib/gconv/gconv-modules.*
+allow kudzu_t lib_t:file { read getattr };
+# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
+allow kudzu_t usr_t:file { read getattr };
+r_dir_file(kudzu_t, hwdata_t)
+
+# Communicate with rhgb-client.
+allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow kudzu_t self:unix_dgram_socket create_socket_perms;
+
+ifdef(`rhgb.te', `
+allow kudzu_t rhgb_t:unix_stream_socket connectto;
+')
+
+allow kudzu_t self:file { getattr read };
+allow kudzu_t self:fifo_file rw_file_perms;
+ifdef(`gpm.te', `
+allow kudzu_t gpmctl_t:sock_file getattr;
+')
+
+can_exec(kudzu_t, shell_exec_t)
+
+# Write to /proc/sys/kernel/hotplug.  Why?
+allow kudzu_t sysctl_hotplug_t:file { read write };
+
+allow kudzu_t sysfs_t:dir { getattr read search };
+allow kudzu_t sysfs_t:file { getattr read };
+allow kudzu_t sysfs_t:lnk_file read;
+file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
+allow kudzu_t tape_device_t:chr_file r_file_perms;
+tmp_domain(kudzu, `', `{ file dir chr_file }')
+
+# for file systems that are not yet mounted
+dontaudit kudzu_t file_t:dir search;
+ifdef(`lpd.te', `
+allow kudzu_t printconf_t:file { getattr read };
+')
+ifdef(`cups.te', `
+allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
+')
+dontaudit kudzu_t src_t:dir search;
+ifdef(`xserver.te', `
+allow kudzu_t xserver_exec_t:file getattr;
+')
+
+ifdef(`userhelper.te', `
+role system_r types sysadm_userhelper_t;
+domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
+', `
+unconfined_domain(kudzu_t)
+')
+
+allow kudzu_t initrc_t:unix_stream_socket connectto;
+allow kudzu_t net_conf_t:file { getattr read };
+
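Review bot: the fallback branch of `ifdef(`userhelper.te', ... , ` unconfined_domain(kudzu_t) ')` makes kudzu_t fully unconfined whenever userhelper.te happens to be absent from the build, a far larger grant than the userhelper transition it stands in for; keep the else branch confined (or declare the dependency with a `# Depends:` line as other files do). In the same file, `allow kudzu_t memory_device_t:chr_file { read write execute };` (`# for kmodule`) gives write access to /dev/mem, and `role system_r types sysadm_userhelper_t;` changes another domain's role authorization from inside kudzu.te; both need a sentence of justification, and the `# Write to /proc/sys/kernel/hotplug.  Why?` question should be answered before this lands.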
diff --git a/mls/domains/program/ldconfig.te b/mls/domains/program/ldconfig.te
new file mode 100644
index 0000000..fbb7688
--- /dev/null
+++ b/mls/domains/program/ldconfig.te
@@ -0,0 +1,52 @@
+#DESC Ldconfig - Configure dynamic linker bindings
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: libc6
+#
+
+#################################
+#
+# Rules for the ldconfig_t domain.
+#
+type ldconfig_t, domain, privlog, etc_writer;
+type ldconfig_exec_t, file_type, sysadmfile, exec_type;
+
+role sysadm_r types ldconfig_t;
+role system_r types ldconfig_t;
+
+domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
+dontaudit ldconfig_t device_t:dir search;
+can_access_pty(ldconfig_t, initrc)
+allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
+allow ldconfig_t privfd:fd use;
+
+uses_shlib(ldconfig_t)
+
+file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
+allow ldconfig_t lib_t:dir rw_dir_perms;
+allow ldconfig_t lib_t:lnk_file create_lnk_perms;
+
+allow ldconfig_t userdomain:fd use;
+# unlink for when /etc/ld.so.cache is mislabeled
+allow ldconfig_t etc_t:file { getattr read unlink };
+allow ldconfig_t etc_t:lnk_file read;
+
+allow ldconfig_t fs_t:filesystem getattr;
+allow ldconfig_t tmp_t:dir search;
+
+ifdef(`apache.te', `
+# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
+dontaudit ldconfig_t httpd_modules_t:dir search;
+')
+
+allow ldconfig_t { var_t var_lib_t }:dir search;
+allow ldconfig_t proc_t:file { getattr read };
+ifdef(`hide_broken_symptoms', `
+ifdef(`unconfined.te',`
+dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
+');
+')dnl end hide_broken_symptoms
+ifdef(`targeted_policy', `
+allow ldconfig_t lib_t:file r_file_perms;
+unconfined_domain(ldconfig_t) 
+')
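Review bot: `allow ldconfig_t etc_t:file { getattr read unlink };` grants unlink on every etc_t file to cover the case the comment describes (a mislabeled /etc/ld.so.cache); since `file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)` already creates the cache with its own type, a mislabel is better fixed by relabeling than by letting the linker-cache tool delete arbitrary files in /etc, so consider dropping `unlink`. Also, the inner close `');` in the hide_broken_symptoms block leaves a stray semicolon in the expanded policy; write it as `')` like the outer close.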
diff --git a/mls/domains/program/load_policy.te b/mls/domains/program/load_policy.te
new file mode 100644
index 0000000..3d43900
--- /dev/null
+++ b/mls/domains/program/load_policy.te
@@ -0,0 +1,65 @@
+#DESC LoadPolicy - SELinux policy loading utilities
+#
+# Authors:  Frank Mayer, mayerf@tresys.com
+# X-Debian-Packages: policycoreutils
+#
+
+###########################
+# load_policy_t is the domain type for load_policy 
+# load_policy_exec_t is the file type for the executable
+
+# boolean to determine whether the system permits loading policy, setting
+# enforcing mode, and changing boolean values.  Set this to true and you
+# have to reboot to set it back
+bool secure_mode_policyload false;
+
+type load_policy_t, domain;
+role sysadm_r types load_policy_t;
+role secadm_r types load_policy_t;
+role system_r types load_policy_t;
+
+type load_policy_exec_t, file_type, exec_type, sysadmfile;
+
+##########################
+# 
+# Rules
+
+domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
+
+allow load_policy_t console_device_t:chr_file { read write };
+
+# Reload the policy configuration (sysadm_t no longer has this ability)
+can_loadpol(load_policy_t)
+
+# Reset policy boolean values.
+can_setbool(load_policy_t)
+
+
+###########################
+# constrain from where load_policy can load a policy, specifically 
+# policy_config_t files 
+#
+
+# only allow read of policy config files
+allow load_policy_t policy_src_t:dir search;
+r_dir_file(load_policy_t, policy_config_t)
+r_dir_file(load_policy_t, selinux_config_t)
+
+# directory search permissions for path to binary policy files
+allow load_policy_t root_t:dir search;
+allow load_policy_t etc_t:dir search;
+
+# for mcs.conf
+allow load_policy_t etc_t:file { getattr read };
+
+# Other access
+can_access_pty(load_policy_t, initrc)
+allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
+uses_shlib(load_policy_t)
+allow load_policy_t self:capability dac_override;
+
+allow load_policy_t { userdomain privfd initrc_t }:fd use;
+
+allow load_policy_t fs_t:filesystem getattr;
+
+read_locale(load_policy_t)
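Review bot: `allow load_policy_t self:capability dac_override;` is the one rule in this file with no comment, and it lets the policy loader bypass DAC permission checks on any file it can otherwise reach even though policy_config_t and selinux_config_t are already readable via r_dir_file(); say which file needs it or remove it. The `bool secure_mode_policyload false;` declaration is also not referenced by any rule in this hunk, so a comment pointing at where can_loadpol()/can_setbool() consult it would help the next reader.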
diff --git a/mls/domains/program/loadkeys.te b/mls/domains/program/loadkeys.te
new file mode 100644
index 0000000..0959762
--- /dev/null
+++ b/mls/domains/program/loadkeys.te
@@ -0,0 +1,45 @@
+#DESC loadkeys - for changing to unicode at login time
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+# X-Debian-Packages: console-tools
+
+#
+# loadkeys_exec_t is the type of the wrapper
+#
+type loadkeys_exec_t, file_type, sysadmfile, exec_type;
+
+can_exec(initrc_t, loadkeys_exec_t)
+
+# Derived domain based on the calling user domain and the program.
+type loadkeys_t, domain;
+
+# Transition from the user domain to this domain.
+domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)
+
+uses_shlib(loadkeys_t)
+dontaudit loadkeys_t proc_t:dir search;
+allow loadkeys_t proc_t:file { getattr read };
+allow loadkeys_t self:process { fork sigchld };
+
+allow loadkeys_t self:fifo_file rw_file_perms;
+allow loadkeys_t bin_t:dir search;
+allow loadkeys_t bin_t:lnk_file read;
+can_exec(loadkeys_t, { shell_exec_t bin_t })
+
+read_locale(loadkeys_t)
+
+dontaudit loadkeys_t etc_runtime_t:file { getattr read };
+
+# Use capabilities.
+allow loadkeys_t self:capability { setuid sys_tty_config };
+
+allow loadkeys_t local_login_t:fd use;
+allow loadkeys_t devtty_t:chr_file rw_file_perms;
+
+# The user role is authorized for this domain.
+in_user_role(loadkeys_t)
+
+# Write to the user domain tty.
+allow loadkeys_t ttyfile:chr_file rw_file_perms;
+
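Review bot: loadkeys_t is entered from every unprivileged user domain (`domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)`) yet holds `setuid` and `sys_tty_config` and may execute any bin_t program plus shells (`can_exec(loadkeys_t, { shell_exec_t bin_t })`); a wrapper whose stated purpose is switching the console to unicode at login should be limited to the executables it actually invokes, so narrow the can_exec list (or give the helper it runs its own type) and state why `setuid` is required.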
diff --git a/mls/domains/program/lockdev.te b/mls/domains/program/lockdev.te
new file mode 100644
index 0000000..adb2a77
--- /dev/null
+++ b/mls/domains/program/lockdev.te
@@ -0,0 +1,11 @@
+#DESC Lockdev - libblockdev helper application
+#
+# Authors:  Daniel Walsh <dwalsh@redhat.com> 
+#
+
+
+# Type for the lockdev
+type lockdev_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the lockdev_domain macro in
+# macros/program/lockdev_macros.te.
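Review bot: the `#DESC Lockdev - libblockdev helper application` line does not match the rest of the file, which declares `lockdev_exec_t` and points at `macros/program/lockdev_macros.te`; confirm the description (presumably the lockdev device-locking helper) so the DESC index stays accurate.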
diff --git a/mls/domains/program/login.te b/mls/domains/program/login.te
new file mode 100644
index 0000000..ad9fab0
--- /dev/null
+++ b/mls/domains/program/login.te
@@ -0,0 +1,234 @@
+#DESC Login - Local/remote login utilities
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# Macroised by Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: login
+#
+
+#################################
+# 
+# Rules for the local_login_t domain
+# and the remote_login_t domain.
+#
+
+# $1 is the name of the domain (local or remote)
+define(`login_domain', `
+type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
+role system_r types $1_login_t;
+
+dontaudit $1_login_t shadow_t:file { getattr read };
+
+general_domain_access($1_login_t);
+
+# Read system information files in /proc.
+r_dir_file($1_login_t, proc_t)
+
+base_file_read_access($1_login_t)
+
+# Read directories and files with the readable_t type.
+# This type is a general type for "world"-readable files.
+allow $1_login_t readable_t:dir r_dir_perms;
+allow $1_login_t readable_t:notdevfile_class_set r_file_perms;
+
+# Read /var, /var/spool
+allow $1_login_t { var_t var_spool_t }:dir search;
+
+# for when /var/mail is a sym-link
+allow $1_login_t var_t:lnk_file read;
+
+# Read /etc.
+r_dir_file($1_login_t, etc_t)
+allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
+
+read_locale($1_login_t)
+
+# for SSP/ProPolice
+allow $1_login_t urandom_device_t:chr_file { getattr read };
+
+# Read executable types.
+allow $1_login_t exec_type:{ file lnk_file } r_file_perms;
+
+# Read /dev directories and any symbolic links.
+allow $1_login_t device_t:dir r_dir_perms;
+allow $1_login_t device_t:lnk_file r_file_perms;
+
+uses_shlib($1_login_t);
+
+tmp_domain($1_login)
+
+ifdef(`pam.te', `
+can_exec($1_login_t, pam_exec_t)
+')
+
+ifdef(`pamconsole.te', `
+rw_dir_create_file($1_login_t, pam_var_console_t)
+domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
+')
+
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
+')
+
+# Use capabilities
+allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow $1_login_t self:process setrlimit;
+dontaudit $1_login_t sysfs_t:dir search;
+
+# Set exec context.
+can_setexec($1_login_t)
+
+allow $1_login_t autofs_t:dir { search read getattr };
+allow $1_login_t mnt_t:dir r_dir_perms;
+
+if (use_nfs_home_dirs) {
+r_dir_file($1_login_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+r_dir_file($1_login_t, cifs_t)
+}
+
+# Login can polyinstantiate
+polyinstantiater($1_login_t)
+
+# FIXME: what is this for?
+ifdef(`xdm.te', `
+allow xdm_t $1_login_t:process signull;
+')
+
+ifdef(`crack.te', `
+allow $1_login_t crack_db_t:file r_file_perms;
+')
+
+# Permit login to search the user home directories.
+allow $1_login_t home_root_t:dir search;
+allow $1_login_t home_dir_type:dir search;
+
+# Write to /var/run/utmp.
+allow $1_login_t var_run_t:dir search;
+allow $1_login_t initrc_var_run_t:file rw_file_perms;
+
+# Write to /var/log/wtmp.
+allow $1_login_t var_log_t:dir search;
+allow $1_login_t wtmp_t:file rw_file_perms;
+
+# Write to /var/log/lastlog.
+allow $1_login_t lastlog_t:file rw_file_perms;
+
+# Write to /var/log/btmp
+allow $1_login_t faillog_t:file { lock append read write };
+
+# Search for mail spool file.
+allow $1_login_t mail_spool_t:dir r_dir_perms;
+allow $1_login_t mail_spool_t:file getattr;
+allow $1_login_t mail_spool_t:lnk_file read;
+
+# Get security policy decisions.
+can_getsecurity($1_login_t)
+
+# allow read access to default_contexts in /etc/security
+allow $1_login_t default_context_t:file r_file_perms;
+allow $1_login_t default_context_t:dir search;
+r_dir_file($1_login_t, selinux_config_t)
+
+allow $1_login_t mouse_device_t:chr_file { getattr setattr };
+
+ifdef(`targeted_policy',`
+unconfined_domain($1_login_t)
+domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
+')
+
+')dnl end login_domain macro
+#################################
+#
+# Rules for the local_login_t domain.
+#
+# local_login_t is the domain of a login process 
+# spawned by getty.
+#
+# remote_login_t is the domain of a login process 
+# spawned by rlogind.
+#
+# login_exec_t is the type of the login program
+#
+type login_exec_t, file_type, sysadmfile, exec_type;
+
+login_domain(local)
+
+# But also permit other user domains to be entered by login.
+login_spawn_domain(local_login, userdomain)
+
+# Do not audit denied attempts to access devices.
+dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
+dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
+dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
+dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
+dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
+dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
+dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
+dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
+dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
+
+# Do not audit denied attempts to access /mnt.
+dontaudit local_login_t mnt_t:dir r_dir_perms;
+
+
+# Create lock file.
+lock_domain(local_login)
+
+# Read and write ttys.
+allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
+allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
+
+# Relabel ttys.
+allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
+allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
+
+ifdef(`gpm.te',
+`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
+
+# Allow setting of attributes on sound devices.
+allow local_login_t sound_device_t:chr_file { getattr setattr };
+
+# Allow setting of attributes on power management devices.
+allow local_login_t power_device_t:chr_file { getattr setattr };
+dontaudit local_login_t init_t:fd use;
+
+#################################
+#
+# Rules for the remote_login_t domain.
+#
+
+login_domain(remote)
+
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
+login_spawn_domain(remote_login, unpriv_userdomain)
+
+allow remote_login_t userpty_type:chr_file { setattr write };
+
+# Use the pty created by rlogind.
+ifdef(`rlogind.te', `
+can_access_pty(remote_login_t, rlogind)
+# Relabel ptys created by rlogind.
+allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
+')
+
+# Use the pty created by telnetd.
+ifdef(`telnetd.te', `
+can_access_pty(remote_login_t, telnetd)
+# Relabel ptys created by telnetd.
+allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
+')
+
+allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
+allow remote_login_t fs_t:filesystem { getattr };
+
+# Allow remote login to resolve host names (passed in via the -h switch)
+can_resolve(remote_login_t)
+
+ifdef(`use_mcs', `
+ifdef(`getty.te', `
+range_transition getty_t login_exec_t s0 - s0:c0.c127;
+')
+')
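Review bot: this file lives under mls/ and gives both login domains `mlsprocsetsl`, `mlsfileupgrade` and `mlsfiledowngrade`, yet the only `range_transition getty_t login_exec_t s0 - s0:c0.c127;` is wrapped in `ifdef(`use_mcs', ...)`, so under a plain MLS build local login inherits getty's range with no transition; state the intended MLS range for login or explain why none is needed. Two smaller points: `# FIXME: what is this for?` above the xdm signull rule should be resolved rather than committed, and the gpm.te ifdef splits its opening quote and rule across two lines unlike every other ifdef in this file; use the same multi-line form.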
diff --git a/mls/domains/program/logrotate.te b/mls/domains/program/logrotate.te
new file mode 100644
index 0000000..9f71da6
--- /dev/null
+++ b/mls/domains/program/logrotate.te
@@ -0,0 +1,150 @@
+#DESC Logrotate - Rotate log files
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>   Timothy Fraser  
+#           Russell Coker <rcoker@redhat.com>
+# X-Debian-Packages: logrotate
+# Depends: crond.te
+#
+
+#################################
+#
+# Rules for the logrotate_t domain.
+#
+# logrotate_t is the domain for the logrotate program.
+# logrotate_exec_t is the type of the corresponding program.
+#
+type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade;
+role system_r types logrotate_t;
+role sysadm_r types logrotate_t;
+uses_shlib(logrotate_t)
+general_domain_access(logrotate_t)
+type logrotate_exec_t, file_type, sysadmfile, exec_type;
+
+system_crond_entry(logrotate_exec_t, logrotate_t)
+allow logrotate_t cron_spool_t:dir search;
+allow crond_t logrotate_var_lib_t:dir search;
+domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
+allow logrotate_t self:unix_stream_socket create_socket_perms;
+allow logrotate_t devtty_t:chr_file rw_file_perms;
+
+ifdef(`distro_debian', `
+allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+# for savelog
+can_exec(logrotate_t, logrotate_exec_t)
+')
+
+# for perl
+allow logrotate_t usr_t:file { getattr read ioctl };
+allow logrotate_t usr_t:lnk_file read;
+
+# access files in /etc
+allow logrotate_t etc_t:file { getattr read ioctl };
+allow logrotate_t etc_t:lnk_file { getattr read };
+allow logrotate_t etc_runtime_t:file r_file_perms;
+
+# it should not require this
+allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
+
+# create lock files
+lock_domain(logrotate)
+
+# Create temporary files.
+tmp_domain(logrotate)
+can_exec(logrotate_t, logrotate_tmp_t)
+
+# Run helper programs.
+allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
+allow logrotate_t { bin_t sbin_t }:lnk_file read;
+can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t })
+
+# Read PID files.
+allow logrotate_t pidfile:file r_file_perms;
+
+# Read /proc/PID directories for all domains.
+read_sysctl(logrotate_t)
+allow logrotate_t proc_t:dir r_dir_perms;
+allow logrotate_t proc_t:{ file lnk_file } r_file_perms;
+allow logrotate_t domain:notdevfile_class_set r_file_perms;
+allow logrotate_t domain:dir r_dir_perms;
+allow logrotate_t exec_type:file getattr;
+
+# Read /dev directories and any symbolic links.
+allow logrotate_t device_t:dir r_dir_perms;
+allow logrotate_t device_t:lnk_file r_file_perms;
+
+# Signal processes.
+allow logrotate_t domain:process signal;
+
+# Modify /var/log and other log dirs.
+allow logrotate_t var_t:dir r_dir_perms;
+allow logrotate_t logfile:dir rw_dir_perms;
+allow logrotate_t logfile:lnk_file read;
+
+# Create, rename, and truncate log files.
+allow logrotate_t logfile:file create_file_perms;
+allow logrotate_t wtmp_t:file create_file_perms;
+ifdef(`squid.te', `
+allow squid_t { system_crond_t crond_t }:fd use;
+allow squid_t crond_t:fifo_file { read write };
+allow squid_t system_crond_t:fifo_file write;
+allow squid_t self:capability kill;
+')
+
+# Set a context other than the default one for newly created files.
+can_setfscreate(logrotate_t)
+
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
+# for mailx
+dontaudit logrotate_t self:capability { setuid setgid };
+
+ifdef(`mta.te', `
+allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
+')
+
+# Access /var/run
+allow logrotate_t var_run_t:dir r_dir_perms;
+
+# for /var/lib/logrotate.status and /var/lib/logcheck
+var_lib_domain(logrotate)
+allow logrotate_t logrotate_var_lib_t:dir create;
+
+# Write to /var/spool/slrnpull - should be moved into its own type.
+create_dir_file(logrotate_t, var_spool_t)
+
+allow logrotate_t urandom_device_t:chr_file { getattr read };
+
+# Access terminals.
+allow logrotate_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
+allow logrotate_t privfd:fd use;
+
+# for /var/backups on Debian
+ifdef(`backup.te', `
+rw_dir_create_file(logrotate_t, backup_store_t)
+')
+
+read_locale(logrotate_t)
+
+allow logrotate_t fs_t:filesystem getattr;
+can_exec(logrotate_t, shell_exec_t)
+ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)')
+can_exec(logrotate_t,logfile)
+allow logrotate_t net_conf_t:file { getattr read };
+
+ifdef(`consoletype.te', `
+can_exec(logrotate_t, consoletype_exec_t)
+dontaudit consoletype_t logrotate_t:fd use;
+')
+
+allow logrotate_t syslogd_t:unix_dgram_socket sendto;
+
+domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
+
+# Supress libselinux initialization denials
+dontaudit logrotate_t selinux_config_t:dir search;
+dontaudit logrotate_t selinux_config_t:file { read getattr };
+
+# Allow selinux_getenforce 
+allow logrotate_t security_t:dir search;
+allow logrotate_t security_t:file { getattr read };
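Review bot: `can_exec(logrotate_t,logfile)` lets logrotate execute any file carrying the logfile attribute, that is, files every logging daemon writes to; if a particular script under a log directory has to run from logrotate, give it its own exec type rather than making log files executable. Further: the `ifdef(`squid.te', ...)` block grants squid_t fd and fifo access to crond plus `self:capability kill`, which are squid rules and belong in squid.te; `allow logrotate_t domain:notdevfile_class_set r_file_perms;` reads every /proc/PID file of every domain where the stated need (reading pid files) is already met by `allow logrotate_t pidfile:file r_file_perms;`; and the `# it should not require this` home-directory rule and the `# Write to /var/spool/slrnpull - should be moved into its own type.` grant are acknowledged TODOs that need a tracking note. Also "Supress" in the libselinux comment should read "Suppress".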
diff --git a/mls/domains/program/lpd.te b/mls/domains/program/lpd.te
new file mode 100644
index 0000000..76cd44d
--- /dev/null
+++ b/mls/domains/program/lpd.te
@@ -0,0 +1,161 @@
+#DESC Lpd - Print server
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# Modified by David A. Wheeler <dwheeler@ida.org> for LPRng (Red Hat 7.1)
+# Modified by Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: lpr
+#
+
+#################################
+#
+# Rules for the lpd_t domain.
+#
+# lpd_t is the domain of lpd.
+# lpd_exec_t is the type of the lpd executable.
+# printer_t is the type of the Unix domain socket created
+# by lpd.
+#
+daemon_domain(lpd)
+
+allow lpd_t lpd_var_run_t:sock_file create_file_perms;
+
+read_fonts(lpd_t)
+
+type printer_t, file_type, sysadmfile, dev_fs;
+
+type printconf_t, file_type, sysadmfile;   # Type for files in /usr/share/printconf.
+
+tmp_domain(lpd);
+
+# for postscript include files
+allow lpd_t usr_t:{ file lnk_file } { getattr read };
+
+# Allow checkpc to access the lpd spool so it can check & fix it.
+# This requires that /usr/sbin/checkpc have type checkpc_t.
+type checkpc_t, domain, privlog;
+role system_r types checkpc_t;
+uses_shlib(checkpc_t)
+can_network_client(checkpc_t)
+allow checkpc_t port_type:tcp_socket name_connect;
+can_ypbind(checkpc_t)
+log_domain(checkpc)
+type checkpc_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
+domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t)
+role sysadm_r types checkpc_t;
+allow checkpc_t admin_tty_type:chr_file { read write };
+allow checkpc_t privfd:fd use;
+ifdef(`crond.te', `
+system_crond_entry(checkpc_exec_t, checkpc_t)
+')
+allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:process { fork signal_perms };
+
+allow checkpc_t proc_t:dir search;
+allow checkpc_t proc_t:lnk_file read;
+allow checkpc_t proc_t:file { getattr read };
+r_dir_file(checkpc_t, self)
+allow checkpc_t self:unix_stream_socket create_socket_perms;
+
+allow checkpc_t { etc_t etc_runtime_t }:file { getattr read };
+allow checkpc_t etc_t:lnk_file read;
+
+allow checkpc_t { var_t var_spool_t }:dir { getattr search };
+allow checkpc_t print_spool_t:file { rw_file_perms unlink };
+allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
+allow checkpc_t device_t:dir search;
+allow checkpc_t printer_device_t:chr_file { getattr append };
+allow checkpc_t devtty_t:chr_file rw_file_perms;
+allow checkpc_t initrc_devpts_t:chr_file rw_file_perms;
+
+# Allow access to /dev/console through the fd:
+allow checkpc_t init_t:fd use;
+
+# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
+allow checkpc_t { bin_t sbin_t }:dir search;
+allow checkpc_t bin_t:lnk_file read;
+can_exec(checkpc_t, shell_exec_t)
+can_exec(checkpc_t, bin_t)
+
+# bash wants access to /proc/meminfo
+allow lpd_t proc_t:file { getattr read };
+
+# gs-gnu wants to read some sysctl entries, it seems to work without though
+dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search;
+
+# for defoma
+r_dir_file(lpd_t, var_lib_t)
+
+allow checkpc_t var_run_t:dir search;
+allow checkpc_t lpd_var_run_t:dir { search getattr };
+
+# This is needed to permit chown to read /var/spool/lpd/lp.
+# This is opens up security more than necessary; this means that ANYTHING
+# running in the initrc_t domain can read the printer spool directory.
+# Perhaps executing /etc/rc.d/init.d/lpd should transition
+# to domain lpd_t, instead of waiting for executing lpd.
+allow initrc_t print_spool_t:dir read;
+
+# for defoma
+r_dir_file(lpd_t, readable_t)
+
+# Use capabilities.
+allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
+
+# Use the network.
+can_network_server(lpd_t)
+can_ypbind(lpd_t)
+allow lpd_t self:fifo_file rw_file_perms;
+allow lpd_t self:unix_stream_socket create_stream_socket_perms;
+allow lpd_t self:unix_dgram_socket create_socket_perms;
+
+allow lpd_t self:file { getattr read };
+allow lpd_t etc_runtime_t:file { getattr read };
+
+# Bind to the printer port.
+allow lpd_t printer_port_t:tcp_socket name_bind;
+
+# Send to portmap.
+ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)')
+
+ifdef(`ypbind.te',
+`# Connect to ypbind.
+can_tcp_connect(lpd_t, ypbind_t)')
+
+# Create and bind to /dev/printer.
+file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)
+allow lpd_t printer_t:unix_stream_socket name_bind;
+allow lpd_t printer_t:unix_dgram_socket name_bind;
+allow lpd_t printer_device_t:chr_file rw_file_perms;
+
+# Write to /var/spool/lpd.
+allow lpd_t var_spool_t:dir search;
+allow lpd_t print_spool_t:dir rw_dir_perms;
+allow lpd_t print_spool_t:file create_file_perms;
+allow lpd_t print_spool_t:file rw_file_perms;
+
+# Execute filter scripts.
+# can_exec(lpd_t, print_spool_t)
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+allow lpd_t bin_t:dir search;
+allow lpd_t bin_t:lnk_file read;
+can_exec(lpd_t, { bin_t sbin_t shell_exec_t })
+
+# lpd must be able to execute the filter utilities in /usr/share/printconf.
+can_exec(lpd_t, printconf_t)
+allow lpd_t printconf_t:file rx_file_perms;
+allow lpd_t printconf_t:dir { getattr search read };
+
+# config files for lpd are of type etc_t, probably should change this
+allow lpd_t etc_t:file { getattr read };
+allow lpd_t etc_t:lnk_file read;
+
+# checkpc needs similar permissions.
+allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:dir { getattr search read };
+
+# Read printconf files.
+allow initrc_t printconf_t:dir r_dir_perms;
+allow initrc_t printconf_t:file r_file_perms;
+
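Review bot: `allow checkpc_t port_type:tcp_socket name_connect;` lets the spool checker connect to any TCP port with no comment; `can_ypbind(checkpc_t)` already covers NIS, so name the port types checkpc really needs or document why the wildcard is required. Style: lpd_t and checkpc_t rules are interleaved (`allow lpd_t proc_t:file { getattr read };` and the defoma rules sit in the middle of the checkpc block, then `allow checkpc_t var_run_t:dir search;` resumes), `allow lpd_t printconf_t:file rx_file_perms;` duplicates what `can_exec(lpd_t, printconf_t)` already grants, and the comment "This is opens up security more than necessary" has a typo and describes a known over-grant to initrc_t that should be tracked rather than left as prose.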
diff --git a/mls/domains/program/lpr.te b/mls/domains/program/lpr.te
new file mode 100644
index 0000000..d8ec0c0
--- /dev/null
+++ b/mls/domains/program/lpr.te
@@ -0,0 +1,12 @@
+#DESC Lpr - Print client
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
+# X-Debian-Packages: lpr lprng
+#
+
+
+# Type for the lpr, lpq, and lprm executables.
+type lpr_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the lpr_domain macro in
+# macros/program/lpr_macros.te.
diff --git a/mls/domains/program/lvm.te b/mls/domains/program/lvm.te
new file mode 100644
index 0000000..b2e47eb
--- /dev/null
+++ b/mls/domains/program/lvm.te
@@ -0,0 +1,139 @@
+#DESC LVM - Linux Volume Manager
+#
+# Author:  Michael Kaufman <walker@screwage.com>
+# X-Debian-Packages: lvm10 lvm2 lvm-common
+#
+
+#################################
+#
+# Rules for the lvm_t domain.
+#
+# lvm_t is the domain for LVM administration.
+# lvm_exec_t is the type of the corresponding programs.
+# lvm_etc_t is for read-only LVM configuration files.
+# lvm_metadata_t is the type of LVM metadata files in /etc that are
+# modified at runtime.
+#
+type lvm_vg_t, file_type, sysadmfile;
+type lvm_metadata_t, file_type, sysadmfile;
+type lvm_control_t, device_type, dev_fs;
+etcdir_domain(lvm)
+lock_domain(lvm)
+allow lvm_t lvm_lock_t:dir rw_dir_perms;
+
+# needs privowner because it assigns the identity system_u to device nodes
+# but runs as the identity of the sysadmin
+daemon_base_domain(lvm, `, fs_domain, privowner')
+role sysadm_r types lvm_t;
+domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t)
+
+# LVM will complain a lot if it cannot set its priority.
+allow lvm_t self:process setsched;
+
+allow lvm_t self:fifo_file rw_file_perms;
+allow lvm_t self:unix_dgram_socket create_socket_perms;
+
+r_dir_file(lvm_t, proc_t)
+allow lvm_t self:file rw_file_perms;
+
+# Read system variables in /proc/sys
+read_sysctl(lvm_t)
+
+# Read /sys/block. Device mapper metadata is kept there.
+r_dir_file(lvm_t, sysfs_t) 
+
+allow lvm_t fs_t:filesystem getattr;
+
+# Read configuration files in /etc.
+allow lvm_t { etc_t etc_runtime_t }:file { getattr read };
+
+# LVM creates block devices in /dev/mapper or /dev/<vg>
+# depending on its version
+file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file)
+
+# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
+# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
+allow lvm_t device_t:dir create_dir_perms;
+allow lvm_t device_t:lnk_file create_lnk_perms;
+
+# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
+allow lvm_t lvm_exec_t:dir search;
+allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
+
+tmp_domain(lvm)
+allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
+
+# DAC overrides and mknod for modifying /dev entries (vgmknodes)
+allow lvm_t self:capability { chown dac_override ipc_lock sys_admin sys_nice sys_resource mknod };
+
+# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
+file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
+
+allow lvm_t lvm_metadata_t:dir rw_dir_perms;
+
+# Inherit and use descriptors from init.
+allow lvm_t init_t:fd use;
+
+# LVM is split into many individual binaries
+can_exec(lvm_t, lvm_exec_t)
+
+# Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
+allow lvm_t fixed_disk_device_t:chr_file create_file_perms;
+
+# relabel devices
+allow lvm_t { default_context_t file_context_t }:dir search;
+allow lvm_t file_context_t:file { getattr read };
+can_getsecurity(lvm_t)
+allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
+allow lvm_t device_t:lnk_file { relabelfrom relabelto };
+
+# Access terminals.
+allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+allow lvm_t devtty_t:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;')
+allow lvm_t privfd:fd use;
+allow lvm_t devpts_t:dir { search getattr read };
+
+read_locale(lvm_t)
+
+# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
+dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read };
+dontaudit lvm_t ttyfile:chr_file getattr;
+dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
+dontaudit lvm_t devpts_t:dir { getattr read };
+dontaudit lvm_t xconsole_device_t:fifo_file getattr;
+
+ifdef(`gpm.te', `
+dontaudit lvm_t gpmctl_t:sock_file getattr;
+')
+dontaudit lvm_t initctl_t:fifo_file getattr;
+allow lvm_t sbin_t:dir search;
+dontaudit lvm_t sbin_t:file { getattr read };
+allow lvm_t lvm_control_t:chr_file rw_file_perms;
+allow initrc_t lvm_control_t:chr_file { getattr read unlink };
+allow initrc_t device_t:chr_file create;
+var_run_domain(lvm)
+
+# for when /usr is not mounted
+dontaudit lvm_t file_t:dir search;
+
+allow lvm_t tmpfs_t:dir r_dir_perms;
+r_dir_file(lvm_t, selinux_config_t)
+
+# it has no reason to need this
+dontaudit lvm_t proc_kcore_t:file getattr;
+allow lvm_t var_t:dir { search getattr };
+allow lvm_t ramfs_t:filesystem unmount;
+
+# cluster LVM daemon
+daemon_domain(clvmd)
+can_network(clvmd_t)
+can_ypbind(clvmd_t)
+allow clvmd_t self:capability net_bind_service;
+allow clvmd_t self:socket create_socket_perms;
+allow clvmd_t self:fifo_file { read write };
+allow clvmd_t self:file { getattr read };
+allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow clvmd_t reserved_port_t:tcp_socket name_bind;
+dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;
+dontaudit clvmd_t selinux_config_t:dir search;
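Review bot: `allow initrc_t device_t:chr_file create;` near the end of lvm.te creates the device-mapper control node with type device_t, not lvm_control_t, because no type transition is declared for it; the neighbouring `allow initrc_t lvm_control_t:chr_file { getattr read unlink };` only takes effect once something relabels the node. A `file_type_auto_trans(initrc_t, device_t, lvm_control_t, chr_file)` would catch every character node initrc_t creates under /dev, so a comment naming the relabel step (restorecon in the init script, or whatever is relied on) is probably the better fix. Two smaller points: `type lvm_vg_t, file_type, sysadmfile;` is declared but never referenced in this file, and the question `# Access raw devices and old /dev/lvm (c 109,0).  Is this needed?` should be settled before merging, since the rule under it grants `create_file_perms` (create, unlink, rename) on every fixed_disk_device_t character node where raw access needs only read, write and ioctl.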
diff --git a/mls/domains/program/mailman.te b/mls/domains/program/mailman.te
new file mode 100644
index 0000000..72fe6a7
--- /dev/null
+++ b/mls/domains/program/mailman.te
@@ -0,0 +1,113 @@
+#DESC Mailman - GNU Mailman mailing list manager
+#
+# Author: Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: mailman
+
+type mailman_data_t, file_type, sysadmfile;
+type mailman_archive_t, file_type, sysadmfile;
+
+type mailman_log_t, file_type, sysadmfile, logfile;
+type mailman_lock_t, file_type, sysadmfile, lockfile;
+
+define(`mailman_domain', `
+type mailman_$1_t, domain, privlog $2;
+type mailman_$1_exec_t, file_type, sysadmfile, exec_type;
+role system_r types mailman_$1_t;
+file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file)
+allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
+create_dir_file(mailman_$1_t, mailman_data_t)
+uses_shlib(mailman_$1_t)
+can_exec_any(mailman_$1_t)
+read_sysctl(mailman_$1_t)
+allow mailman_$1_t proc_t:dir search;
+allow mailman_$1_t proc_t:file { read getattr };
+allow mailman_$1_t var_lib_t:dir r_dir_perms;
+allow mailman_$1_t var_lib_t:lnk_file read;
+allow mailman_$1_t device_t:dir search;
+allow mailman_$1_t etc_runtime_t:file { read getattr };
+read_locale(mailman_$1_t)
+file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file)
+allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_$1_t fs_t:filesystem getattr;
+can_network(mailman_$1_t)
+allow mailman_$1_t smtp_port_t:tcp_socket name_connect;
+can_ypbind(mailman_$1_t)
+allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
+allow mailman_$1_t var_t:dir r_dir_perms;
+tmp_domain(mailman_$1)
+')
+
+mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
+can_tcp_connect(mailman_queue_t, mail_server_domain)
+
+can_exec(mailman_queue_t, su_exec_t)
+allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:fifo_file rw_file_perms;
+dontaudit mailman_queue_t var_run_t:dir search;
+allow mailman_queue_t proc_t:lnk_file { getattr read };
+
+# for su
+dontaudit mailman_queue_t selinux_config_t:dir search;
+allow mailman_queue_t self:dir search;
+allow mailman_queue_t self:file { getattr read };
+allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
+allow mailman_queue_t self:lnk_file { getattr read };
+
+# some of the following could probably be changed to dontaudit, someone who
+# knows mailman well should test this out and send the changes
+allow mailman_queue_t sysadm_home_dir_t:dir { getattr search };
+
+mailman_domain(mail)
+dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write };
+allow mailman_mail_t mta_delivery_agent:fd use;
+ifdef(`qmail.te', `
+allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
+# do we really need this?
+allow mailman_mail_t qmail_lspawn_t:fifo_file write;
+')
+
+create_dir_file(mailman_queue_t, mailman_archive_t)
+
+ifdef(`apache.te', `
+mailman_domain(cgi)
+can_tcp_connect(mailman_cgi_t, mail_server_domain)
+
+domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
+# should have separate types for public and private archives
+r_dir_file(httpd_t, mailman_archive_t)
+create_dir_file(mailman_cgi_t, mailman_archive_t)
+allow httpd_t mailman_data_t:dir { getattr search };
+
+dontaudit mailman_cgi_t httpd_log_t:file append;
+allow httpd_t mailman_cgi_t:process signal;
+allow mailman_cgi_t httpd_t:process sigchld;
+allow mailman_cgi_t httpd_t:fd use;
+allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl };
+allow mailman_cgi_t httpd_sys_script_t:dir search;
+allow mailman_cgi_t devtty_t:chr_file { read write };
+allow mailman_cgi_t self:process { fork sigchld };
+allow mailman_cgi_t var_spool_t:dir search;
+')
+
+allow mta_delivery_agent mailman_data_t:dir search;
+allow mta_delivery_agent mailman_data_t:lnk_file read;
+allow initrc_t mailman_data_t:lnk_file read;
+allow initrc_t mailman_data_t:dir r_dir_perms;
+domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
+ifdef(`direct_sysadm_daemon', `
+domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
+')
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+
+system_crond_entry(mailman_queue_exec_t, mailman_queue_t)
+allow mailman_queue_t devtty_t:chr_file { read write };
+allow mailman_queue_t self:process { fork signal sigchld };
+allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
+
+# so MTA can access /var/lib/mailman/mail/wrapper
+allow mta_delivery_agent var_lib_t:dir search;
+
+# Handle mailman log files
+rw_dir_create_file(logrotate_t, mailman_log_t)
+allow logrotate_t mailman_data_t:dir search;
+can_exec(logrotate_t, mailman_mail_exec_t)
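Review bot: `can_exec_any(mailman_$1_t)` inside the `mailman_domain` macro lets every Mailman domain, including mailman_cgi_t which is entered from httpd_t and httpd_suexec_t, execute any exec_type on the system without a transition; the wrapper most likely needs only the interpreter and shell (`bin_t`, `shell_exec_t`) plus the mailman_*_exec_t types, and narrowing to that would keep a compromised list CGI from running arbitrary helpers under its own label. Related: the `# should have separate types for public and private archives` comment sits above `r_dir_file(httpd_t, mailman_archive_t)`, which means private archives are readable by the whole web server domain rather than only by the CGI that authenticates the reader; either add the split type or state that this exposure is accepted. Finally, `can_exec(logrotate_t, mailman_mail_exec_t)` runs the mail wrapper in logrotate_t rather than mailman_mail_t; if the postrotate step restarts Mailman, this should be a domain_auto_trans like the one given to initrc_t a few lines up.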
diff --git a/mls/domains/program/mdadm.te b/mls/domains/program/mdadm.te
new file mode 100644
index 0000000..47f82e2
--- /dev/null
+++ b/mls/domains/program/mdadm.te
@@ -0,0 +1,43 @@
+#DESC mdadm - Linux RAID tool
+#
+# Author: Colin Walters <walters@redhat.com>
+#
+
+daemon_base_domain(mdadm, `, fs_domain, privmail')
+role sysadm_r types mdadm_t;
+
+allow initrc_t mdadm_var_run_t:file create_file_perms;
+
+# Kernel filesystem permissions
+r_dir_file(mdadm_t, proc_t)
+allow mdadm_t proc_mdstat_t:file rw_file_perms;
+read_sysctl(mdadm_t)
+r_dir_file(mdadm_t, sysfs_t) 
+
+# Configuration
+allow mdadm_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale(mdadm_t)
+
+# Linux capabilities
+allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+
+# Helper program access
+can_exec(mdadm_t, { bin_t sbin_t })
+
+# RAID block device access
+allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
+allow mdadm_t device_t:lnk_file { getattr read };
+
+# Ignore attempts to read every device file
+dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
+dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
+dontaudit mdadm_t devpts_t:dir r_dir_perms;
+
+# Ignore attempts to read/write sysadmin tty
+dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms;
+
+# Other random ignores
+dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
+dontaudit mdadm_t initctl_t:fifo_file getattr;
+var_run_domain(mdadm)
+allow mdadm_t var_t:dir { getattr search };
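Review bot: `allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;` grants create, unlink and rename on RAID member and array block nodes, but the capability line above it (`dac_override sys_admin ipc_lock`) omits `mknod`, so the create half can never succeed as written. If mdadm is meant to create /dev/md* nodes itself (`--auto`), add `mknod` to the capability set and keep the rule; if nodes come from udev or the init script, `rw_file_perms` is what assembling and monitoring arrays actually needs (open, ioctl, read, write). Minor: `r_dir_file(mdadm_t, sysfs_t) ` carries trailing whitespace.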
diff --git a/mls/domains/program/modutil.te b/mls/domains/program/modutil.te
new file mode 100644
index 0000000..a934534
--- /dev/null
+++ b/mls/domains/program/modutil.te
@@ -0,0 +1,243 @@
+#DESC Modutil - Dynamic module utilities
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: modutils
+#
+
+#################################
+#
+# Rules for the module utility domains.
+#
+type modules_dep_t, file_type, sysadmfile;
+type modules_conf_t, file_type, sysadmfile;
+type modules_object_t, file_type, sysadmfile;
+
+
+ifdef(`IS_INITRD', `', `
+#################################
+#
+# Rules for the depmod_t domain.
+#
+type depmod_t, domain;
+role system_r types depmod_t;
+role sysadm_r types depmod_t;
+
+uses_shlib(depmod_t)
+
+r_dir_file(depmod_t, src_t)
+
+type depmod_exec_t, file_type, exec_type, sysadmfile;
+domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
+allow depmod_t { bin_t sbin_t }:dir search;
+can_exec(depmod_t, depmod_exec_t)
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
+')
+
+# Inherit and use descriptors from init and login programs.
+allow depmod_t { init_t privfd }:fd use;
+
+allow depmod_t { etc_t etc_runtime_t }:file { getattr read };
+allow depmod_t { device_t proc_t }:dir search;
+allow depmod_t proc_t:file { getattr read };
+allow depmod_t fs_t:filesystem getattr;
+
+# read system.map
+allow depmod_t boot_t:dir search;
+allow depmod_t boot_t:file { getattr read };
+allow depmod_t system_map_t:file { getattr read };
+
+# Read conf.modules.
+allow depmod_t modules_conf_t:file r_file_perms;
+
+# Create modules.dep.
+file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file)
+
+# Read module objects.
+allow depmod_t modules_object_t:dir r_dir_perms;
+allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
+allow depmod_t modules_object_t:file unlink;
+
+# Access terminals.
+can_access_pty(depmod_t, initrc)
+allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
+
+# Read System.map from home directories.
+allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms;
+r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
+')dnl end IS_INITRD
+
+#################################
+#
+# Rules for the insmod_t domain.
+#
+
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain
+;
+role system_r types insmod_t;
+role sysadm_r types insmod_t;
+type insmod_exec_t, file_type, exec_type, sysadmfile;
+
+bool secure_mode_insmod false;
+
+can_ypbind(insmod_t)
+
+ifdef(`unlimitedUtils', `
+unconfined_domain(insmod_t) 
+')
+uses_shlib(insmod_t)
+read_locale(insmod_t)
+
+# for SSP
+allow insmod_t urandom_device_t:chr_file read;
+allow insmod_t lib_t:file { getattr read };
+
+allow insmod_t { bin_t sbin_t }:dir search;
+allow insmod_t { bin_t sbin_t }:lnk_file read;
+
+allow insmod_t self:dir search;
+allow insmod_t self:lnk_file read;
+
+allow insmod_t usr_t:file { getattr read };
+
+allow insmod_t privfd:fd use;
+can_access_pty(insmod_t, initrc)
+allow insmod_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
+
+allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
+
+allow insmod_t sound_device_t:chr_file { read ioctl write };
+allow insmod_t zero_device_t:chr_file read;
+allow insmod_t memory_device_t:chr_file rw_file_perms;
+
+# Read module config and dependency information
+allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
+
+# Read module objects.
+r_dir_file(insmod_t, modules_object_t)
+# for locking
+allow insmod_t modules_object_t:file write;
+
+allow insmod_t { var_t var_log_t }:dir search;
+ifdef(`xserver.te', `
+allow insmod_t xserver_log_t:file getattr;
+allow insmod_t xserver_misc_device_t:chr_file { read write };
+')
+rw_dir_create_file(insmod_t, var_log_ksyms_t)
+allow insmod_t { etc_t etc_runtime_t }:file { getattr read };
+
+allow insmod_t self:udp_socket create_socket_perms;
+allow insmod_t self:unix_dgram_socket create_socket_perms;
+allow insmod_t self:unix_stream_socket create_stream_socket_perms;
+allow insmod_t self:rawip_socket create_socket_perms;
+allow insmod_t self:capability { dac_override kill net_raw sys_tty_config };
+allow insmod_t domain:process signal;
+allow insmod_t self:process { fork signal_perms };
+allow insmod_t device_t:dir search;
+allow insmod_t etc_runtime_t:file { getattr read };
+
+# for loading modules at boot time
+allow insmod_t { init_t initrc_t }:fd use;
+allow insmod_t initrc_t:fifo_file { getattr read write };
+
+allow insmod_t fs_t:filesystem getattr;
+allow insmod_t sysfs_t:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
+r_dir_file(insmod_t, debugfs_t)
+
+# Rules for /proc/sys/kernel/tainted
+read_sysctl(insmod_t)
+allow insmod_t proc_t:dir search;
+allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
+
+allow insmod_t proc_t:file rw_file_perms;
+allow insmod_t proc_t:lnk_file read;
+
+# Write to /proc/mtrr.
+allow insmod_t mtrr_device_t:file write;
+
+# Read /proc/sys/kernel/hotplug.
+allow insmod_t sysctl_hotplug_t:file { getattr read };
+
+allow insmod_t device_t:dir read;
+allow insmod_t devpts_t:dir { getattr search };
+
+if (!secure_mode_insmod) {
+domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
+allow insmod_t self:capability sys_module;
+}dnl end if !secure_mode_insmod
+
+can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
+allow insmod_t devtty_t:chr_file rw_file_perms;
+allow insmod_t privmodule:process sigchld;
+dontaudit sysadm_t self:capability sys_module;
+
+ifdef(`mount.te', `
+# Run mount in the mount_t domain.
+domain_auto_trans(insmod_t, mount_exec_t, mount_t)
+')
+# for when /var is not mounted early in the boot
+dontaudit insmod_t file_t:dir search;
+
+# for nscd
+dontaudit insmod_t var_run_t:dir search;
+
+ifdef(`crond.te', `
+rw_dir_create_file(system_crond_t, var_log_ksyms_t)
+')
+
+ifdef(`IS_INITRD', `', `
+#################################
+#
+# Rules for the update_modules_t domain.
+#
+type update_modules_t, domain, privlog;
+type update_modules_exec_t, file_type, exec_type, sysadmfile;
+
+role system_r types update_modules_t;
+role sysadm_r types update_modules_t;
+
+domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t)
+allow update_modules_t privfd:fd use;
+allow update_modules_t init_t:fd use;
+
+allow update_modules_t device_t:dir { getattr search };
+allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
+can_access_pty(update_modules_t, initrc)
+allow update_modules_t admin_tty_type:chr_file rw_file_perms;
+
+can_exec(update_modules_t, insmod_exec_t)
+allow update_modules_t urandom_device_t:chr_file { getattr read };
+
+dontaudit update_modules_t sysadm_home_dir_t:dir search;
+
+uses_shlib(update_modules_t)
+read_locale(update_modules_t)
+allow update_modules_t lib_t:file { getattr read };
+allow update_modules_t self:process { fork sigchld };
+allow update_modules_t self:fifo_file rw_file_perms;
+allow update_modules_t self:file { getattr read };
+allow update_modules_t modules_dep_t:file rw_file_perms;
+file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t, file)
+domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
+can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t })
+allow update_modules_t { sbin_t bin_t }:lnk_file read;
+allow update_modules_t { sbin_t bin_t }:dir search;
+allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms;
+allow update_modules_t etc_t:lnk_file read;
+allow update_modules_t fs_t:filesystem getattr;
+
+allow update_modules_t proc_t:dir search;
+allow update_modules_t proc_t:file r_file_perms;
+allow update_modules_t { self proc_t }:lnk_file read;
+read_sysctl(update_modules_t)
+allow update_modules_t self:dir search;
+allow update_modules_t self:unix_stream_socket create_socket_perms;
+
+file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file)
+
+tmp_domain(update_modules)
+')dnl end IS_INITRD
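Review bot: `allow insmod_t domain:process signal;` together with the `kill` capability lets insmod_t send signals (anything short of SIGKILL and SIGSTOP) to every process on the system, and nothing in the file says why a module loader needs it; if it exists for a hotplug helper or `modprobe -r`, restrict it to those domains or at least comment the reason. Two nearby grants deserve the same scrutiny: `allow insmod_t modules_object_t:file write;` under `# for locking` gives write access to every kernel module file, whereas flock() on a read-only descriptor needs only the `lock` permission, and `allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };` under `# Rules for /proc/sys/kernel/tainted` covers every file in /proc/sys/kernel rather than just tainted. Style: the `;` on its own line after the `type insmod_t, domain, privlog, ...` attribute list looks like a leftover from editing the ifdef and can be folded back onto the declaration.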
diff --git a/mls/domains/program/mount.te b/mls/domains/program/mount.te
new file mode 100644
index 0000000..b76bf52
--- /dev/null
+++ b/mls/domains/program/mount.te
@@ -0,0 +1,90 @@
+#DESC Mount - Filesystem mount utilities
+#
+# Macros for mount
+#
+# Author:  Brian May <bam@snoopy.apana.org.au>
+# X-Debian-Packages: mount
+#
+# based on the work of:
+#          Mark Westerman mark.westerman@csoconline.com
+#
+
+type mount_exec_t, file_type, sysadmfile, exec_type;
+
+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite')
+mount_loopback_privs(sysadm, mount)
+role sysadm_r types mount_t;
+role system_r types mount_t;
+
+can_access_pty(mount_t, initrc)
+allow mount_t console_device_t:chr_file { read write };
+
+domain_auto_trans(initrc_t, mount_exec_t, mount_t)
+allow mount_t init_t:fd use;
+allow mount_t privfd:fd use;
+
+allow mount_t self:capability { dac_override ipc_lock sys_tty_config };
+allow mount_t self:process { fork signal_perms };
+
+allow mount_t file_type:dir search;
+
+# Access disk devices.
+allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms;
+allow mount_t removable_device_t:devfile_class_set rw_file_perms;
+allow mount_t device_t:lnk_file read;
+
+# for when /etc/mtab loses its type
+allow mount_t file_t:file { getattr read unlink };
+
+# Mount, remount and unmount file systems.
+allow mount_t fs_type:filesystem mount_fs_perms;
+allow mount_t mount_point:dir mounton;
+allow mount_t nfs_t:dir search;
+allow mount_t sysctl_t:dir search;
+
+allow mount_t root_t:filesystem unmount;
+
+can_portmap(mount_t)
+
+ifdef(`portmap.te', `
+# for nfs
+can_network(mount_t)
+allow mount_t port_type:tcp_socket name_connect;
+can_ypbind(mount_t)
+allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
+allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+can_udp_send(mount_t, portmap_t)
+can_udp_send(portmap_t, mount_t)
+allow mount_t rpc_pipefs_t:dir search;
+')
+dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
+
+#
+# required for mount.smbfs
+#
+allow mount_t sbin_t:lnk_file { getattr read };
+
+rhgb_domain(mount_t)
+
+# for localization
+allow mount_t lib_t:file { getattr read };
+allow mount_t autofs_t:dir read;
+allow mount_t fs_type:filesystem relabelfrom;
+#
+# This rule needs to be generalized.  Only admin, initrc should have it.
+#
+allow mount_t file_type:filesystem { unmount mount relabelto };
+
+allow mount_t mnt_t:dir getattr;
+dontaudit mount_t kernel_t:fd use;
+allow mount_t userdomain:fd use;
+can_exec(mount_t, { sbin_t bin_t })
+allow mount_t device_t:dir r_dir_perms;
+allow mount_t tmpfs_t:chr_file { read write };
+
+# tries to read /init
+dontaudit mount_t root_t:file { getattr read };
+
+allow kernel_t mount_t:tcp_socket { read write };
+allow mount_t self:capability { setgid setuid };
+allow mount_t proc_t:lnk_file read;
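Review bot: the pair `allow mount_t fs_type:filesystem relabelfrom;` and `allow mount_t file_type:filesystem { unmount mount relabelto };` under `# This rule needs to be generalized.  Only admin, initrc should have it.` lets mount_t apply a `context=` mount option naming any file_type, and because the mount_domain call above declares mount_t with `mlsfileread, mlsfilewrite`, in this MLS policy that means a filesystem can be mounted at any label; the TODO should be resolved before this lands, for instance by limiting relabelto to the types initrc_t and sysadm_t actually mount with a context, rather than carried over as a comment. Smaller point: `allow mount_t self:capability { setgid setuid };` at the bottom is uncommented; if it is for mount.nfs or mount.smbfs helpers, say so next to the `# required for mount.smbfs` block.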
diff --git a/mls/domains/program/mrtg.te b/mls/domains/program/mrtg.te
new file mode 100644
index 0000000..e44889d
--- /dev/null
+++ b/mls/domains/program/mrtg.te
@@ -0,0 +1,100 @@
+#DESC MRTG - Network traffic graphing
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: mrtg
+#
+
+#################################
+#
+# Rules for the mrtg_t domain.
+#
+# mrtg_exec_t is the type of the mrtg executable.
+#
+daemon_base_domain(mrtg)
+
+allow mrtg_t fs_t:filesystem getattr;
+
+ifdef(`crond.te', `
+system_crond_entry(mrtg_exec_t, mrtg_t)
+allow system_crond_t mrtg_log_t:dir rw_dir_perms;
+allow system_crond_t mrtg_log_t:file { create append getattr };
+')
+
+allow mrtg_t usr_t:{ file lnk_file } { getattr read };
+dontaudit mrtg_t usr_t:file ioctl;
+
+logdir_domain(mrtg)
+etcdir_domain(mrtg)
+typealias mrtg_etc_t alias etc_mrtg_t;
+type mrtg_var_lib_t, file_type, sysadmfile;
+typealias mrtg_var_lib_t alias var_lib_mrtg_t;
+type mrtg_lock_t, file_type, sysadmfile, lockfile;
+r_dir_file(mrtg_t, lib_t)
+
+# Use the network.
+can_network_client(mrtg_t)
+allow mrtg_t port_type:tcp_socket name_connect;
+can_ypbind(mrtg_t)
+
+allow mrtg_t self:fifo_file { getattr read write ioctl };
+allow mrtg_t { admin_tty_type devtty_t }:chr_file rw_file_perms;
+allow mrtg_t urandom_device_t:chr_file { getattr read };
+allow mrtg_t self:unix_stream_socket create_socket_perms;
+ifdef(`apache.te', `
+rw_dir_create_file(mrtg_t, httpd_sys_content_t)
+')
+
+can_exec(mrtg_t, { shell_exec_t bin_t sbin_t })
+allow mrtg_t { bin_t sbin_t }:dir { getattr search };
+allow mrtg_t bin_t:lnk_file read;
+allow mrtg_t var_t:dir { getattr search };
+
+ifdef(`snmpd.te', `
+can_udp_send(mrtg_t, snmpd_t)
+can_udp_send(snmpd_t, mrtg_t)
+r_dir_file(mrtg_t, snmpd_var_lib_t)
+')
+
+allow mrtg_t proc_net_t:dir search;
+allow mrtg_t { proc_t proc_net_t }:file { read getattr };
+dontaudit mrtg_t proc_t:file ioctl;
+
+allow mrtg_t { var_lock_t var_lib_t }:dir search;
+rw_dir_create_file(mrtg_t, mrtg_var_lib_t)
+rw_dir_create_file(mrtg_t, mrtg_lock_t)
+ifdef(`distro_redhat', `
+file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
+')
+
+# read config files
+allow mrtg_t etc_t:file { read getattr };
+dontaudit mrtg_t mrtg_etc_t:dir write;
+dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
+read_locale(mrtg_t)
+
+# for /.autofsck
+dontaudit mrtg_t root_t:file getattr;
+
+dontaudit mrtg_t security_t:dir getattr;
+
+read_sysctl(mrtg_t)
+
+# for uptime
+allow mrtg_t var_run_t:dir search;
+allow mrtg_t initrc_var_run_t:file { getattr read };
+dontaudit mrtg_t initrc_var_run_t:file { write lock };
+allow mrtg_t etc_runtime_t:file { getattr read };
+
+allow mrtg_t tmp_t:dir getattr;
+
+# should not need this!
+dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
+dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
+ifdef(`quota.te', `
+dontaudit mrtg_t quota_db_t:file getattr;
+')
+dontaudit mrtg_t root_t:lnk_file getattr;
+
+allow mrtg_t self:capability { setgid setuid };
+ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)')
+allow mrtg_t var_spool_t:dir search;
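Review bot: `allow mrtg_t port_type:tcp_socket name_connect;` lets a cron-driven graphing job connect to any TCP port on any host, while the traffic the file otherwise provides for is SNMP over UDP (the `can_udp_send` rules to snmpd_t) and, for HTTP-polled targets, the http ports; if those are the only uses, restricting name_connect to the http port types matches what the tool does. Second point: inside `ifdef(`distro_redhat'`, `file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)` grants write, add_name and remove_name on the configuration directory, which contradicts the `dontaudit mrtg_t mrtg_etc_t:dir write;` a few lines below that treats the directory as read-only; since mrtg_lock_t is already a lockfile type, pointing the lock at /var/lock avoids the contradiction. Finally, `rw_dir_create_file(mrtg_t, httpd_sys_content_t)` lets mrtg write every file the web server serves, not just its own graph directory; a dedicated content type for the MRTG output would confine that.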
diff --git a/mls/domains/program/mta.te b/mls/domains/program/mta.te
new file mode 100644
index 0000000..55e7ca9
--- /dev/null
+++ b/mls/domains/program/mta.te
@@ -0,0 +1,81 @@
+#DESC MTA - Mail agents
+#
+# Author: Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: postfix exim sendmail sendmail-wide
+#
+# policy for all mail servers, including allowing user to send mail from the
+# command-line and for cron jobs to use sendmail -t
+
+#
+# sendmail_exec_t is the type of /usr/sbin/sendmail
+#
+# define sendmail_exec_t if sendmail.te does not do it for us
+ifdef(`sendmail.te', `', `
+type sendmail_exec_t, file_type, exec_type, sysadmfile;
+')
+
+# create a system_mail_t domain for daemons, init scripts, etc when they run
+# "mail user@domain"
+mail_domain(system)
+
+ifdef(`targeted_policy', `
+# rules are currently defined in sendmail.te, but it is not included in 
+# targeted policy.  We could move these rules permanantly here.
+ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
+allow system_mail_t self:dir search;
+allow system_mail_t self:lnk_file read;
+r_dir_file(system_mail_t, { proc_t proc_net_t })
+allow system_mail_t fs_t:filesystem getattr;
+allow system_mail_t { var_t var_spool_t }:dir getattr;
+create_dir_file(system_mail_t, mqueue_spool_t)
+create_dir_file(system_mail_t, mail_spool_t)
+allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
+allow system_mail_t etc_mail_t:file { getattr read };
+
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+file_type_auto_trans(mta_delivery_agent, user_home_dir_t, user_home_t)
+', `
+ifdef(`sendmail.te', `
+# sendmail has an ugly design, the one process parses input from the user and
+# then does system things with it.  But the sendmail_launch_t domain works
+# around this.
+domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
+')
+allow initrc_t sendmail_exec_t:lnk_file { getattr read };
+
+# allow the sysadmin to do "mail someone < /home/user/whatever"
+allow sysadm_mail_t user_home_dir_type:dir search;
+r_dir_file(sysadm_mail_t, user_home_type)
+')
+# for a mail server process that does things in response to a user command
+allow mta_user_agent userdomain:process sigchld;
+allow mta_user_agent { userdomain privfd }:fd use;
+ifdef(`crond.te', `
+allow mta_user_agent crond_t:process sigchld;
+')
+allow mta_user_agent sysadm_t:fifo_file { read write };
+
+allow { system_mail_t mta_user_agent } privmail:fd use;
+allow { system_mail_t mta_user_agent } privmail:process sigchld;
+allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
+allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
+
+allow mta_delivery_agent home_root_t:dir { getattr search };
+
+# for /var/spool/mail
+ra_dir_create_file(mta_delivery_agent, mail_spool_t)
+
+# for piping mail to a command
+can_exec(mta_delivery_agent, shell_exec_t)
+allow mta_delivery_agent bin_t:dir search;
+allow mta_delivery_agent bin_t:lnk_file read;
+allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
+allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
+
+allow system_mail_t etc_runtime_t:file { getattr read };
+allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
+ifdef(`targeted_policy', `
+typealias system_mail_t alias sysadm_mail_t;
+')
+
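Review bot: `file_type_auto_trans(mta_delivery_agent, user_home_dir_t, user_home_t)` in the targeted_policy branch gives every delivery agent create_file_perms on user_home_t, so it can read, write, create and delete any file labelled user_home_t, not only .forward and the maildir; the `maybe we need a new type for it?` comment above it names the right fix (a dedicated type for ~/.forward and Maildir) and should be tracked rather than left as a comment. Also `allow mta_user_agent sysadm_t:fifo_file { read write };` is the one rule in its block without an explanation; a line saying which pipeline (an administrator piping a message into sendmail, presumably) needs it would help. Style: `permanantly` in the targeted_policy comment should read `permanently`.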
diff --git a/mls/domains/program/mysqld.te b/mls/domains/program/mysqld.te
new file mode 100644
index 0000000..637359f
--- /dev/null
+++ b/mls/domains/program/mysqld.te
@@ -0,0 +1,94 @@
+#DESC Mysqld - Database server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: mysql-server
+#
+
+#################################
+#
+# Rules for the mysqld_t domain.
+#
+# mysqld_exec_t is the type of the mysqld executable.
+#
+daemon_domain(mysqld, `, nscd_client_domain')
+
+allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect };
+
+allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
+
+etcdir_domain(mysqld)
+type mysqld_db_t, file_type, sysadmfile;
+
+log_domain(mysqld)
+
+# for temporary tables
+tmp_domain(mysqld)
+
+allow mysqld_t usr_t:file { getattr read };
+
+allow mysqld_t self:fifo_file { read write };
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow initrc_t mysqld_t:unix_stream_socket connectto;
+allow initrc_t mysqld_var_run_t:sock_file write;
+
+allow initrc_t mysqld_log_t:file { write append setattr ioctl };
+
+allow mysqld_t self:capability { dac_override setgid setuid net_bind_service sys_resource };
+allow mysqld_t self:process { setrlimit setsched getsched };
+
+allow mysqld_t proc_t:file { getattr read };
+
+# Allow access to the mysqld databases
+create_dir_file(mysqld_t, mysqld_db_t)
+file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, { dir file })
+
+can_network(mysqld_t)
+can_ypbind(mysqld_t)
+
+# read config files
+r_dir_file(initrc_t, mysqld_etc_t)
+allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
+
+allow mysqld_t etc_t:dir search;
+
+read_sysctl(mysqld_t)
+
+can_unix_connect(sysadm_t, mysqld_t)
+
+# for /root/.my.cnf - should not be needed
+allow mysqld_t sysadm_home_dir_t:dir search;
+allow mysqld_t sysadm_home_t:file { read getattr };
+
+ifdef(`logrotate.te', `
+r_dir_file(logrotate_t, mysqld_etc_t)
+allow logrotate_t mysqld_db_t:dir search;
+allow logrotate_t mysqld_var_run_t:dir search;
+allow logrotate_t mysqld_var_run_t:sock_file write;
+can_unix_connect(logrotate_t, mysqld_t)
+')
+
+ifdef(`daemontools.te', `
+domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
+allow svc_start_t mysqld_t:process signal;
+svc_ipc_domain(mysqld_t)
+')dnl end ifdef daemontools
+
+ifdef(`distro_redhat', `
+allow initrc_t mysqld_db_t:dir create_dir_perms;
+
+# because Fedora has the sock_file in the database directory
+file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+')
+ifdef(`targeted_policy', `', `
+bool allow_user_mysql_connect false;
+
+if (allow_user_mysql_connect) {
+allow userdomain mysqld_var_run_t:dir search;
+allow userdomain mysqld_var_run_t:sock_file write;
+}
+')
+
+ifdef(`crond.te', `
+allow system_crond_t mysqld_etc_t:file { getattr read };
+')
+allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
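Review bot: the `allow_user_mysql_connect` boolean grants userdomain `mysqld_var_run_t:dir search` and `sock_file write`, but connecting to the listening socket also requires `mysqld_t:unix_stream_socket connectto`, which this file gives only to sysadm_t through `can_unix_connect(sysadm_t, mysqld_t)` and to logrotate_t; unless another file grants it to userdomain, turning the boolean on still leaves connect() denied, so the conditional block should add `can_unix_connect(userdomain, mysqld_t)` beside the sock_file rule. Second point: `# for /root/.my.cnf - should not be needed` is followed by `allow mysqld_t sysadm_home_t:file { read getattr };`, which lets the database server read every file in root's home, not just .my.cnf; if it is not needed, make it a dontaudit, and if it is, a dedicated type for the client config file is the tighter fix.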
diff --git a/mls/domains/program/named.te b/mls/domains/program/named.te
new file mode 100644
index 0000000..5a42877
--- /dev/null
+++ b/mls/domains/program/named.te
@@ -0,0 +1,184 @@
+#DESC BIND - Name server
+#
+# Authors:  Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
+#           Russell Coker
+# X-Debian-Packages: bind bind9
+# 
+#
+
+#################################
+#
+# Rules for the named_t domain.
+#
+
+daemon_domain(named, `, nscd_client_domain')
+tmp_domain(named)
+
+type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
+domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
+
+# For /var/run/ndc used in BIND 8
+file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
+
+# ndc_t is the domain for the ndc program
+type ndc_t, domain, privlog, nscd_client_domain;
+role sysadm_r types ndc_t;
+role system_r types ndc_t;
+
+ifdef(`targeted_policy', `
+dontaudit ndc_t root_t:file { getattr read };
+dontaudit ndc_t unlabeled_t:file { getattr read };	
+')
+
+can_exec(named_t, named_exec_t)
+allow named_t sbin_t:dir search;
+
+allow named_t self:process { setsched setcap setrlimit };
+
+# A type for configuration files of named.
+type named_conf_t, file_type, sysadmfile, mount_point;
+
+# for primary zone files
+type named_zone_t, file_type, sysadmfile;
+
+# for secondary zone files
+type named_cache_t, file_type, sysadmfile;
+
+# for DNSSEC key files
+type dnssec_t, file_type, sysadmfile, secure_file_type;
+allow { ndc_t named_t } dnssec_t:file { getattr read };
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
+
+allow named_t etc_t:file { getattr read };
+allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
+
+#Named can use network
+can_network(named_t)
+allow named_t port_type:tcp_socket name_connect;
+can_ypbind(named_t)
+# allow UDP transfer to/from any program
+can_udp_send(domain, named_t)
+can_udp_send(named_t, domain)
+can_tcp_connect(domain, named_t)
+log_domain(named)
+
+# Bind to the named port.
+allow named_t dns_port_t:udp_socket name_bind;
+allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
+
+bool named_write_master_zones false;
+
+#read configuration files
+r_dir_file(named_t, named_conf_t)
+
+if (named_write_master_zones) {
+#create and modify zone files
+create_dir_file(named_t, named_zone_t)
+}
+#read zone files
+r_dir_file(named_t, named_zone_t)
+
+#write cache for secondary zones
+rw_dir_create_file(named_t, named_cache_t)
+
+allow named_t self:unix_stream_socket create_stream_socket_perms;
+allow named_t self:unix_dgram_socket create_socket_perms;
+allow named_t self:netlink_route_socket r_netlink_socket_perms;
+
+# Read sysctl kernel variables.
+read_sysctl(named_t)
+
+# Read /proc/cpuinfo and /proc/net
+r_dir_file(named_t, proc_t)
+r_dir_file(named_t, proc_net_t)
+
+# Read /dev/random.
+allow named_t device_t:dir r_dir_perms;
+allow named_t random_device_t:chr_file r_file_perms;
+
+# Use a pipe created by self.
+allow named_t self:fifo_file rw_file_perms;
+
+# Enable named dbus support:
+ifdef(`dbusd.te', `
+dbusd_client(system, named)
+domain_auto_trans(system_dbusd_t, named_exec_t, named_t)
+allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow named_t self:dbus send_msg;
+allow { NetworkManager_t dhcpc_t initrc_t } named_t:dbus send_msg;
+allow named_t { NetworkManager_t dhcpc_t initrc_t }:dbus send_msg;
+ifdef(`unconfined.te', `
+allow unconfined_t named_t:dbus send_msg;
+allow named_t unconfined_t:dbus send_msg;
+')
+')
+
+
+# Set own capabilities.
+#A type for /usr/sbin/ndc
+type ndc_exec_t, file_type,sysadmfile, exec_type;
+domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
+uses_shlib(ndc_t)
+can_network_client_tcp(ndc_t)
+allow ndc_t rndc_port_t:tcp_socket name_connect;
+can_ypbind(ndc_t)
+can_resolve(ndc_t)
+read_locale(ndc_t)
+can_tcp_connect(ndc_t, named_t)
+
+ifdef(`distro_redhat', `
+# for /etc/rndc.key
+allow { ndc_t initrc_t } named_conf_t:dir search;
+# Allow init script to cp localtime to named_conf_t
+allow initrc_t named_conf_t:file { setattr write };
+allow initrc_t named_conf_t:dir create_dir_perms;
+allow initrc_t var_run_t:lnk_file create_file_perms;
+ifdef(`automount.te', `
+# automount has no need to search the /proc file system for the named chroot
+dontaudit automount_t named_zone_t:dir search;
+')dnl end ifdef automount.te
+')dnl end ifdef distro_redhat
+
+allow { ndc_t initrc_t } named_conf_t:file { getattr read };
+
+allow ndc_t etc_t:dir r_dir_perms;
+allow ndc_t etc_t:file r_file_perms;
+allow ndc_t self:unix_stream_socket create_stream_socket_perms;
+allow ndc_t self:unix_stream_socket connect;
+allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t var_t:dir search;
+allow ndc_t var_run_t:dir search;
+allow ndc_t named_var_run_t:sock_file rw_file_perms;
+allow ndc_t named_t:unix_stream_socket connectto;
+allow ndc_t { privfd init_t }:fd use;
+# seems to need read as well for some reason
+allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };
+allow ndc_t fs_t:filesystem getattr;
+
+# Read sysctl kernel variables.
+read_sysctl(ndc_t)
+
+allow ndc_t self:process { fork signal_perms };
+allow ndc_t self:fifo_file { read write getattr ioctl };
+allow ndc_t named_zone_t:dir search;
+
+# for chmod in start script
+dontaudit initrc_t named_var_run_t:dir setattr;
+
+# for ndc_t to be used for restart shell scripts
+ifdef(`ndc_shell_script', `
+system_crond_entry(ndc_exec_t, ndc_t)
+allow ndc_t devtty_t:chr_file { read write ioctl };
+allow ndc_t etc_runtime_t:file { getattr read };
+allow ndc_t proc_t:dir search;
+allow ndc_t proc_t:file { getattr read };
+can_exec(ndc_t, { bin_t sbin_t shell_exec_t })
+allow ndc_t named_var_run_t:file getattr;
+allow ndc_t named_zone_t:dir { read getattr };
+allow ndc_t named_zone_t:file getattr;
+dontaudit ndc_t sysadm_home_t:dir { getattr search read };
+')
+allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
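Review bot: the capability grant `allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };` is annotated `Surplus capabilities may be allowed`, which is not a justification for a network-facing daemon; `dac_override` and `fowner` in particular let a compromised named ignore file permission bits on every file its type rules already reach. Please audit the set against what the packaged named needs (sys_chroot for the chroot option, setuid/setgid for dropping privileges, net_bind_service for the DNS port) and comment each capability that stays. Minor: the stray `# Set own capabilities.` comment above `#A type for /usr/sbin/ndc` describes no rule at that point (the process rule it refers to is the `setsched setcap setrlimit` grant further up) and should be moved or dropped, and `type ndc_exec_t, file_type,sysadmfile, exec_type;` is missing a space.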
diff --git a/mls/domains/program/netutils.te b/mls/domains/program/netutils.te
new file mode 100644
index 0000000..8dcbdf1
--- /dev/null
+++ b/mls/domains/program/netutils.te
@@ -0,0 +1,64 @@
+#DESC Netutils - Network utilities
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>
+# X-Debian-Packages: netbase iputils arping tcpdump 
+#
+
+#
+# Rules for the netutils_t domain.
+# This domain is for network utilities that require access to
+# special protocol families.
+#
+type netutils_t, domain, privlog;
+type netutils_exec_t, file_type, sysadmfile, exec_type;
+role system_r types netutils_t;
+role sysadm_r types netutils_t;
+
+uses_shlib(netutils_t)
+can_network(netutils_t)
+allow netutils_t port_type:tcp_socket name_connect;
+can_ypbind(netutils_t)
+tmp_domain(netutils)
+
+domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
+')
+
+# Inherit and use descriptors from init.
+allow netutils_t { userdomain init_t }:fd use;
+
+allow netutils_t self:process { fork signal_perms };
+
+# Perform network administration operations and have raw access to the network.
+allow netutils_t self:capability { net_admin net_raw setuid setgid };
+
+# Create and use netlink sockets.
+allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+
+# Create and use packet sockets.
+allow netutils_t self:packet_socket create_socket_perms;
+
+# Create and use UDP sockets.
+allow netutils_t self:udp_socket create_socket_perms;
+
+# Create and use TCP sockets.
+allow netutils_t self:tcp_socket create_socket_perms;
+
+allow netutils_t self:unix_stream_socket create_socket_perms;
+
+# Read certain files in /etc
+allow netutils_t etc_t:file r_file_perms;
+read_locale(netutils_t)
+
+allow netutils_t fs_t:filesystem getattr;
+
+# Access terminals.
+allow netutils_t privfd:fd use;
+can_access_pty(netutils_t, initrc)
+allow netutils_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
+allow netutils_t proc_t:dir search;
+
+# for nscd
+dontaudit netutils_t var_t:dir search;
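Review bot: the comment `# Create and use netlink sockets.` undersells the rule beneath it. Unlike the `r_netlink_socket_perms` macro used for every other domain in this patch, the explicit set `{ bind create getattr nlmsg_read nlmsg_write read write }` includes `nlmsg_write`, which permits route-modifying netlink messages, and together with `net_admin` it lets netutils_t change the routing table. State that in the comment so the grant is not later "normalised" to the read-only macro, or narrow it if only read access is required. Also, `# Inherit and use descriptors from init.` sits above a rule that grants `{ userdomain init_t }:fd use`; update it to mention user domains.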
diff --git a/mls/domains/program/newrole.te b/mls/domains/program/newrole.te
new file mode 100644
index 0000000..207274d
--- /dev/null
+++ b/mls/domains/program/newrole.te
@@ -0,0 +1,24 @@
+#DESC Newrole - SELinux utility to run a shell with a new role
+#
+# Authors:  Anthony Colatrella (NSA) 
+# Maintained by Stephen Smalley <sds@epoch.ncsc.mil>
+# X-Debian-Packages: policycoreutils
+#
+
+# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t
+bool secure_mode false;
+
+type newrole_exec_t, file_type, exec_type, sysadmfile;
+domain_auto_trans(userdomain, newrole_exec_t, newrole_t)
+
+newrole_domain(newrole)
+
+# Write to utmp.
+allow newrole_t var_run_t:dir r_dir_perms;
+allow newrole_t initrc_var_run_t:file rw_file_perms;
+
+role secadm_r types newrole_t;
+
+ifdef(`targeted_policy', `
+typeattribute newrole_t unconfinedtrans;
+')
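Review bot: `bool secure_mode false;` is declared here with a comment naming newrole, sudo, su and userhelper as the affected programs, but nothing in this file tests it, so a reader will look for an `if (secure_mode)` block and not find one. Extend the comment with a pointer to where the boolean is consumed, so the declaration and its effect can be reviewed together.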
diff --git a/mls/domains/program/nscd.te b/mls/domains/program/nscd.te
new file mode 100644
index 0000000..8e899c7
--- /dev/null
+++ b/mls/domains/program/nscd.te
@@ -0,0 +1,79 @@
+#DESC NSCD - Name service cache daemon cache lookup of user-name
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: nscd
+#
+define(`nscd_socket_domain', `
+can_unix_connect($1, nscd_t)
+allow $1 nscd_var_run_t:sock_file rw_file_perms;
+allow $1 { var_run_t var_t }:dir search;
+allow $1 nscd_t:nscd { getpwd getgrp gethost };
+dontaudit $1 nscd_t:fd use;
+dontaudit $1 nscd_var_run_t:dir { search getattr };
+dontaudit $1 nscd_var_run_t:file { getattr read };
+dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+')
+#################################
+#
+# Rules for the nscd_t domain.
+#
+# nscd is both the client program and the daemon.
+daemon_domain(nscd, `, userspace_objmgr')
+
+allow nscd_t etc_t:file r_file_perms;
+allow nscd_t etc_t:lnk_file read;
+can_network_client(nscd_t)
+allow nscd_t port_type:tcp_socket name_connect;
+can_ypbind(nscd_t)
+
+file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
+
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+
+nscd_socket_domain(nscd_client_domain)
+nscd_socket_domain(daemon)
+
+# Clients that are allowed to map the database via a fd obtained from nscd.
+nscd_socket_domain(nscd_shmem_domain)
+allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
+allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
+# Receive fd from nscd and map the backing file with read access.
+allow nscd_shmem_domain nscd_t:fd use;
+
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon. 
+allow nscd_t self:nscd { admin getstat };
+allow nscd_t admin_tty_type:chr_file rw_file_perms;
+
+read_sysctl(nscd_t)
+allow nscd_t self:process { getattr setsched };
+allow nscd_t self:unix_dgram_socket create_socket_perms;
+allow nscd_t self:fifo_file { read write };
+allow nscd_t self:capability { kill setgid setuid net_bind_service };
+
+# for when /etc/passwd has just been updated and has the wrong type
+allow nscd_t shadow_t:file getattr;
+
+dontaudit nscd_t sysadm_home_dir_t:dir search;
+
+ifdef(`winbind.te', `
+#
+# Handle winbind for samba, Might only be needed for targeted policy
+#
+allow nscd_t winbind_var_run_t:sock_file { read write getattr };
+can_unix_connect(nscd_t, winbind_t)
+allow nscd_t samba_var_t:dir search;
+allow nscd_t winbind_var_run_t:dir { getattr search };
+')
+
+r_dir_file(nscd_t, selinux_config_t)
+can_getsecurity(nscd_t)
+allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
+allow nscd_t tmp_t:dir { search getattr };
+allow nscd_t tmp_t:lnk_file read;
+allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
+log_domain(nscd)
+r_dir_file(nscd_t, cert_t)
+allow nscd_t tun_tap_device_t:chr_file { read write };
+allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
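Review bot: `allow nscd_t tun_tap_device_t:chr_file { read write };` near the end of the file has no comment, and read/write access to TUN/TAP devices is hard to motivate for a name-service cache; every other unusual grant in this file (the `shadow_t` getattr, the winbind socket) carries a rationale. Either document the case that produced this denial or drop the rule and let the denial surface in the audit log. The `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` grant is presumably tied to nscd's role as `userspace_objmgr` declared at the top of the file (it logs its own access decisions); a one-line comment saying so would save the next reviewer the same question.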
diff --git a/mls/domains/program/ntpd.te b/mls/domains/program/ntpd.te
new file mode 100644
index 0000000..23042c4
--- /dev/null
+++ b/mls/domains/program/ntpd.te
@@ -0,0 +1,88 @@
+#DESC NTPD - Time synchronisation daemon
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: ntp ntp-simple
+#
+
+#################################
+#
+# Rules for the ntpd_t domain.
+#
+daemon_domain(ntpd, `, nscd_client_domain')
+type ntp_drift_t, file_type, sysadmfile;
+
+type ntpdate_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
+
+logdir_domain(ntpd)
+
+allow ntpd_t var_lib_t:dir r_dir_perms;
+allow ntpd_t usr_t:file r_file_perms;
+# reading  /usr/share/ssl/cert.pem requires
+allow ntpd_t usr_t:lnk_file read;
+allow ntpd_t ntp_drift_t:dir rw_dir_perms;
+allow ntpd_t ntp_drift_t:file create_file_perms;
+
+# for SSP
+allow ntpd_t urandom_device_t:chr_file { getattr read };
+
+# sys_resource and setrlimit is for locking memory
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
+dontaudit ntpd_t self:capability { fsetid net_admin };
+allow ntpd_t self:process { setcap setsched setrlimit };
+# ntpdate wants sys_nice
+
+# for some reason it creates a file in /tmp
+tmp_domain(ntpd)
+
+allow ntpd_t etc_t:dir r_dir_perms;
+allow ntpd_t etc_t:file { read getattr };
+
+# Use the network.
+can_network(ntpd_t)
+allow ntpd_t ntp_port_t:tcp_socket name_connect;
+can_ypbind(ntpd_t)
+allow ntpd_t ntp_port_t:udp_socket name_bind;
+allow sysadm_t ntp_port_t:udp_socket name_bind;
+allow ntpd_t self:unix_dgram_socket create_socket_perms;
+allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
+
+# so the start script can change firewall entries
+allow initrc_t net_conf_t:file { getattr read ioctl };
+
+# for cron jobs
+# system_crond_t is not right, cron is not doing what it should
+ifdef(`crond.te', `
+system_crond_entry(ntpdate_exec_t, ntpd_t)
+')
+
+can_exec(ntpd_t, initrc_exec_t)
+allow ntpd_t self:fifo_file { read write getattr };
+allow ntpd_t etc_runtime_t:file r_file_perms;
+can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
+allow ntpd_t { sbin_t bin_t }:dir search;
+allow ntpd_t bin_t:lnk_file read;
+read_sysctl(ntpd_t);
+allow ntpd_t proc_t:file r_file_perms;
+allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
+allow ntpd_t self:file { getattr read };
+dontaudit ntpd_t domain:dir search;
+ifdef(`logrotate.te', `
+can_exec(ntpd_t, logrotate_exec_t)
+')
+
+allow ntpd_t devtty_t:chr_file rw_file_perms;
+
+can_udp_send(ntpd_t, sysadm_t)
+can_udp_send(sysadm_t, ntpd_t)
+can_udp_send(ntpd_t, ntpd_t)
+ifdef(`firstboot.te', `
+dontaudit ntpd_t firstboot_t:fd use;
+')
+ifdef(`winbind.te', `
+allow ntpd_t winbind_var_run_t:dir r_dir_perms;
+allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
+')
+# For clock devices like wwvb1
+allow ntpd_t device_t:lnk_file read;
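Review bot: ntpd_t here is two things at once, the network-facing daemon and the ntpdate/cron script domain (`system_crond_entry(ntpdate_exec_t, ntpd_t)` under the admission `system_crond_t is not right`). The script side brings `can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })`, `can_exec(ntpd_t, initrc_exec_t)`, `logrotate_exec_t`, read access to `sysadm_home_dir_t`, and a capability set including `dac_override`, `chown` and `kill`, all of which are then available to the daemon that binds the NTP port. Consider a separate domain for the ntpdate/cron path, or at least gate the exec and home-directory rules on the cron case, and comment each capability: today only `sys_resource` is explained and `# ntpdate wants sys_nice` hangs below the process rule it does not describe. Nit: `read_sysctl(ntpd_t);` carries a trailing semicolon the other macro calls in this file do not.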
diff --git a/mls/domains/program/openct.te b/mls/domains/program/openct.te
new file mode 100644
index 0000000..244fc2f
--- /dev/null
+++ b/mls/domains/program/openct.te
@@ -0,0 +1,16 @@
+#DESC openct - read files in page cache 
+#
+# Author: Dan Walsh (dwalsh@redhat.com)
+#
+
+#################################
+#
+# Declarations for openct
+#
+
+daemon_domain(openct)
+#
+# openct asks for these
+#
+rw_dir_file(openct_t, usbfs_t)
+allow openct_t etc_t:file r_file_perms;
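Review bot: the header `#DESC openct - read files in page cache` does not describe openct. OpenCT is smart-card reader middleware, which is also what the `rw_dir_file(openct_t, usbfs_t)` grant below exists for; the description looks copied from another module. Suggest `#DESC OpenCT - smart card terminal middleware`, and add the `X-Debian-Packages:` line the other modules carry.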
diff --git a/mls/domains/program/orbit.te b/mls/domains/program/orbit.te
new file mode 100644
index 0000000..dad353b
--- /dev/null
+++ b/mls/domains/program/orbit.te
@@ -0,0 +1,7 @@
+#
+# ORBit related types 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Look in orbit_macros.te
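Review bot: this file has no `#DESC` header and declares nothing; it only points at `orbit_macros.te`. If it exists so that the `ifdef(`orbit.te', ...)` style of guard used throughout this patch evaluates true for ORBit, say so in the comment, and add the `#DESC` line so documentation tooling that keys on it does not skip the module.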
diff --git a/mls/domains/program/pam.te b/mls/domains/program/pam.te
new file mode 100644
index 0000000..2d71222
--- /dev/null
+++ b/mls/domains/program/pam.te
@@ -0,0 +1,45 @@
+#DESC Pam - PAM 
+# X-Debian-Packages:
+#
+# /sbin/pam_timestamp_check
+type pam_exec_t, file_type, exec_type, sysadmfile;
+type pam_t, domain, privlog, nscd_client_domain;
+general_domain_access(pam_t);
+
+type pam_var_run_t, file_type, sysadmfile;
+allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
+allow pam_t pam_var_run_t:file { getattr read unlink };
+
+role system_r types pam_t;
+in_user_role(pam_t)
+domain_auto_trans(userdomain, pam_exec_t, pam_t)
+
+uses_shlib(pam_t)
+# Read the devpts root directory.
+allow pam_t devpts_t:dir r_dir_perms;
+
+# Access terminals.
+allow pam_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
+
+allow pam_t proc_t:dir search;
+allow pam_t proc_t:{ lnk_file file } { getattr read };
+
+# Read the /etc/nsswitch file
+allow pam_t etc_t:file r_file_perms;
+
+# Read /var/run.
+allow pam_t { var_t var_run_t }:dir r_dir_perms;
+tmp_domain(pam)
+
+allow pam_t local_login_t:fd use;
+dontaudit pam_t self:capability sys_tty_config;
+
+allow initrc_t pam_var_run_t:dir rw_dir_perms;
+allow initrc_t pam_var_run_t:file { getattr read unlink };
+dontaudit pam_t initrc_var_run_t:file rw_file_perms;
+
+# Supress xdm denial
+ifdef(`xdm.te', `
+dontaudit pam_t xdm_t:fd use;
+') dnl ifdef
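Review bot: the header is incomplete relative to the rest of the patch: no author, an empty `X-Debian-Packages:` field, and a `#DESC Pam - PAM` title that says nothing about the domain; the real description is the `/sbin/pam_timestamp_check` comment below it and belongs in `#DESC`. Typo: `Supress xdm denial` should read `Suppress`. The `pam_var_run_t` grants themselves (`search getattr read write remove_name` on the directory, `getattr read unlink` on files) are a good least-privilege fit for a tool whose job is to check and remove timestamp files.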
diff --git a/mls/domains/program/pamconsole.te b/mls/domains/program/pamconsole.te
new file mode 100644
index 0000000..0610063
--- /dev/null
+++ b/mls/domains/program/pamconsole.te
@@ -0,0 +1,52 @@
+#DESC Pamconsole - PAM console
+# X-Debian-Packages:
+#
+# pam_console_apply
+
+daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread, mlsfilewrite')
+
+type pam_var_console_t, file_type, sysadmfile;
+
+allow pam_console_t etc_t:file { getattr read ioctl };
+allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
+
+# Read /etc/mtab
+allow pam_console_t etc_runtime_t:file { read getattr };
+
+# Read /proc/meminfo
+allow pam_console_t proc_t:file { read getattr };
+
+allow pam_console_t self:capability { chown fowner fsetid };
+
+# Allow access to /dev/console through the fd:
+allow pam_console_t console_device_t:chr_file { read write setattr };
+allow pam_console_t { kernel_t init_t }:fd use;
+
+# for /var/run/console.lock checking
+allow pam_console_t { var_t var_run_t }:dir search;
+r_dir_file(pam_console_t, pam_var_console_t)
+dontaudit pam_console_t pam_var_console_t:file write;
+
+# Allow to set attributes on /dev entries
+allow pam_console_t device_t:dir { getattr read };
+allow pam_console_t device_t:lnk_file { getattr read };
+# mouse_device_t is for joy sticks
+allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
+allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
+
+allow pam_console_t mnt_t:dir r_dir_perms;
+
+ifdef(`gpm.te', `
+allow pam_console_t gpmctl_t:sock_file { getattr setattr };
+')
+ifdef(`hotplug.te', `
+dontaudit pam_console_t hotplug_etc_t:dir search;
+allow pam_console_t hotplug_t:fd use;
+')
+ifdef(`xdm.te', `
+allow pam_console_t xdm_var_run_t:file { getattr read };
+')
+allow initrc_t pam_var_console_t:dir rw_dir_perms;
+allow initrc_t pam_var_console_t:file unlink;
+allow pam_console_t file_context_t:file { getattr read };
+nsswitch_domain(pam_console_t)
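Review bot: `daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread, mlsfilewrite')` hands pam_console_t the MLS read and write override attributes with no comment. In an MLS policy these attributes exempt the domain from the file-level dominance constraints, so they need an explicit justification (presumably that pam_console_apply must `setattr` device nodes and read the console lock file regardless of the logged-in user's level); please record that rationale and confirm `mlsfilewrite` is required rather than only read. The header has the same gaps as pam.te: no author and an empty `X-Debian-Packages:`.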
diff --git a/mls/domains/program/passwd.te b/mls/domains/program/passwd.te
new file mode 100644
index 0000000..e002c09
--- /dev/null
+++ b/mls/domains/program/passwd.te
@@ -0,0 +1,157 @@
+#DESC Passwd - Password utilities
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: passwd
+#
+
+#################################
+#
+# Rules for the passwd_t domain.
+#
+define(`base_passwd_domain', `
+type $1_t, domain, privlog, $2;
+
+# for SSP
+allow $1_t urandom_device_t:chr_file read;
+
+allow $1_t self:process setrlimit;
+
+general_domain_access($1_t);
+uses_shlib($1_t);
+
+# Inherit and use descriptors from login.
+allow $1_t privfd:fd use;
+ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
+
+read_locale($1_t)
+
+allow $1_t fs_t:filesystem getattr;
+
+# allow checking if a shell is executable
+allow $1_t shell_exec_t:file execute;
+
+# Obtain contexts
+can_getsecurity($1_t)
+
+allow $1_t etc_t:file create_file_perms;
+
+# read /etc/mtab
+allow $1_t etc_runtime_t:file { getattr read };
+
+# Allow etc_t symlinks for /etc/alternatives on Debian.
+allow $1_t etc_t:lnk_file read;
+
+# Use capabilities.
+allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
+
+# Access terminals.
+allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
+allow $1_t devtty_t:chr_file rw_file_perms;
+
+dontaudit $1_t devpts_t:dir getattr;
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it.  Do not audit write denials to utmp.
+dontaudit $1_t initrc_var_run_t:file { read write };
+
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
+
+# When the wrong current passwd is entered, passwd, for some reason, 
+# attempts to access /proc and /dev, but handles failure appropriately. So
+# do not audit those denials.
+dontaudit $1_t { proc_t device_t }:dir { search read };
+
+allow $1_t device_t:dir getattr;
+read_sysctl($1_t)
+')
+
+#################################
+#
+# Rules for the passwd_t domain.
+#
+define(`passwd_domain', `
+base_passwd_domain($1, `auth_write, privowner')
+# Update /etc/shadow and /etc/passwd
+file_type_auto_trans($1_t, etc_t, shadow_t, file)
+allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
+can_setfscreate($1_t)
+')
+
+passwd_domain(passwd)
+passwd_domain(sysadm_passwd)
+base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
+can_setfscreate(chfn_t)
+
+# can exec /sbin/unix_chkpwd
+allow chfn_t { bin_t sbin_t }:dir search;
+
+# uses unix_chkpwd for checking passwords
+dontaudit chfn_t shadow_t:file read;
+allow chfn_t etc_t:dir rw_dir_perms;
+allow chfn_t etc_t:file create_file_perms;
+allow chfn_t proc_t:file { getattr read };
+allow chfn_t self:file write;
+
+in_user_role(passwd_t)
+in_user_role(chfn_t)
+role sysadm_r types passwd_t;
+role sysadm_r types sysadm_passwd_t;
+role sysadm_r types chfn_t;
+role system_r types passwd_t;
+role system_r types chfn_t;
+
+type admin_passwd_exec_t, file_type, sysadmfile;
+type passwd_exec_t, file_type, sysadmfile, exec_type;
+type chfn_exec_t, file_type, sysadmfile, exec_type;
+
+domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
+domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
+domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
+
+dontaudit chfn_t var_t:dir search;
+
+ifdef(`crack.te', `
+allow passwd_t var_t:dir search;
+dontaudit passwd_t var_run_t:dir search;
+allow passwd_t crack_db_t:dir r_dir_perms;
+allow passwd_t crack_db_t:file r_file_perms;
+', `
+dontaudit passwd_t var_t:dir search;
+')
+
+# allow vipw to exec the editor
+allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
+allow sysadm_passwd_t bin_t:lnk_file read;
+can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
+r_dir_file(sysadm_passwd_t, usr_t)
+
+# allow vipw to create temporary files under /var/tmp/vi.recover
+allow sysadm_passwd_t var_t:dir search;
+tmp_domain(sysadm_passwd)
+# for vipw - vi looks in the root home directory for config
+dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
+# for /etc/alternatives/vi
+allow sysadm_passwd_t etc_t:lnk_file read;
+
+# for nscd lookups
+dontaudit sysadm_passwd_t var_run_t:dir search;
+
+# for /proc/meminfo
+allow sysadm_passwd_t proc_t:file { getattr read };
+
+dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;
+dontaudit sysadm_passwd_t devpts_t:dir search;
+
+# make sure that getcon succeeds
+allow passwd_t userdomain:dir search;
+allow passwd_t userdomain:file { getattr read };
+allow passwd_t userdomain:process getattr;
+
+allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ifdef(`targeted_policy', `
+role system_r types sysadm_passwd_t;
+allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
+')
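Review bot: `allow chfn_t etc_t:file create_file_perms;` restates a rule chfn_t already receives from `base_passwd_domain`, whose body grants `allow $1_t etc_t:file create_file_perms;` to every domain built with it; drop the duplicate. While there, note in a comment that the base rule gives passwd_t, sysadm_passwd_t and chfn_t create, write and unlink over every `etc_t` file, not only /etc/passwd and /etc/group, since the shadow path is already handled separately by `file_type_auto_trans($1_t, etc_t, shadow_t, file)`. Also the `Rules for the passwd_t domain.` banner appears twice; the second copy heads the `passwd_domain` macro and should say so.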
diff --git a/mls/domains/program/pegasus.te b/mls/domains/program/pegasus.te
new file mode 100644
index 0000000..3272074
--- /dev/null
+++ b/mls/domains/program/pegasus.te
@@ -0,0 +1,36 @@
+#DESC pegasus - The Open Group Pegasus CIM/WBEM Server 
+#
+# Author:  Jason Vas Dias <jvdias@redhat.com>
+# Package: tog-pegasus
+# 
+#################################
+#
+# Rules for the pegasus domain
+#
+daemon_domain(pegasus, `, nscd_client_domain, auth_chkpwd')
+type pegasus_data_t, file_type, sysadmfile;
+type pegasus_conf_t, file_type, sysadmfile;
+typealias sbin_t alias pegasus_conf_exec_t;
+type pegasus_mof_t, file_type, sysadmfile;
+allow pegasus_t self:capability { dac_override net_bind_service audit_write }; 
+can_network_tcp(pegasus_t);
+nsswitch_domain(pegasus_t);
+allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
+allow pegasus_t self:file { read getattr };
+allow pegasus_t self:fifo_file rw_file_perms;
+allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
+allow pegasus_t proc_t:file { getattr read };
+allow pegasus_t sysctl_vm_t:dir search;
+allow pegasus_t initrc_var_run_t:file { read write lock };
+allow pegasus_t urandom_device_t:chr_file { getattr read };
+r_dir_file(pegasus_t, etc_t)
+r_dir_file(pegasus_t, var_lib_t)
+r_dir_file(pegasus_t, pegasus_mof_t)
+allow pegasus_t pegasus_conf_t:file { link unlink };
+r_dir_file(pegasus_t, pegasus_conf_t)
+file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t)
+rw_dir_create_file(pegasus_t, pegasus_data_t)
+dontaudit pegasus_t selinux_config_t:dir search;
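Review bot: `typealias sbin_t alias pegasus_conf_exec_t;` does not create a pegasus-specific type. An alias is a second name for `sbin_t`, so any file context or rule written against `pegasus_conf_exec_t` applies to everything labelled sbin_t. If this is a placeholder until the configuration helper gets its own label, say so in a comment; otherwise declare `type pegasus_conf_exec_t, file_type, sysadmfile, exec_type;` as the other modules in this patch do. Also `file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t)` passes no object class, so the transition covers every class created under `pegasus_conf_t` directories; if only files are meant, add `file` as the fourth argument.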
diff --git a/mls/domains/program/ping.te b/mls/domains/program/ping.te
new file mode 100644
index 0000000..0a0d94c
--- /dev/null
+++ b/mls/domains/program/ping.te
@@ -0,0 +1,63 @@
+#DESC Ping - Send ICMP messages to network hosts
+#
+# Author:  David A. Wheeler <dwheeler@ida.org>
+# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
+#
+
+#################################
+#
+# Rules for the ping_t domain.
+#
+# ping_t is the domain for the ping program.
+# ping_exec_t is the type of the corresponding program.
+#
+type ping_t, domain, privlog, nscd_client_domain;
+role sysadm_r types ping_t;
+role system_r types ping_t;
+in_user_role(ping_t)
+type ping_exec_t, file_type, sysadmfile, exec_type;
+
+ifdef(`targeted_policy', `
+	allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
+', `
+bool user_ping false;
+
+if (user_ping) {
+	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
+	# allow access to the terminal
+	allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
+	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
+}
+')
+
+# Transition into this domain when you run this program.
+domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
+domain_auto_trans(initrc_t, ping_exec_t, ping_t)
+
+uses_shlib(ping_t)
+can_network_client(ping_t)
+can_resolve(ping_t)
+can_ypbind(ping_t)
+allow ping_t etc_t:file { getattr read };
+allow ping_t self:unix_stream_socket create_socket_perms;
+
+# Let ping create raw ICMP packets.
+allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+
+# Use capabilities.
+allow ping_t self:capability { net_raw setuid };
+
+# Access the terminal.
+allow ping_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
+allow ping_t privfd:fd use;
+dontaudit ping_t fs_t:filesystem getattr;
+
+# it tries to access /var/run
+dontaudit ping_t var_t:dir search;
+dontaudit ping_t devtty_t:chr_file { read write };
+dontaudit ping_t self:capability sys_tty_config;
+ifdef(`hide_broken_symptoms', `
+dontaudit ping_t init_t:fd use;
+')
+
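Review bot: `bool user_ping false;` is declared without a description of what it enables (the `unpriv_userdomain` to `ping_t` transition plus terminal access), whereas `secure_mode` in newrole.te documents itself on the line above its declaration; add the same here since the boolean is administrator-visible. Style: the rules inside the `targeted_policy` and `if (user_ping)` blocks are tab-indented while the rest of the patch is flush-left, and the hunk ends with an extra blank line.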
diff --git a/mls/domains/program/portmap.te b/mls/domains/program/portmap.te
new file mode 100644
index 0000000..54cad6f
--- /dev/null
+++ b/mls/domains/program/portmap.te
@@ -0,0 +1,71 @@
+#DESC Portmap - Maintain RPC program number map
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: portmap
+#
+
+
+
+#################################
+#
+# Rules for the portmap_t domain.
+#
+daemon_domain(portmap, `, nscd_client_domain')
+
+can_network(portmap_t)
+allow portmap_t port_type:tcp_socket name_connect;
+can_ypbind(portmap_t)
+allow portmap_t self:unix_dgram_socket create_socket_perms;
+allow portmap_t self:unix_stream_socket create_stream_socket_perms;
+
+tmp_domain(portmap)
+
+allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
+
+# portmap binds to arbitary ports
+allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
+allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
+
+allow portmap_t etc_t:file { getattr read };
+
+# Send to ypbind, initrc, rpc.statd, xinetd.
+ifdef(`ypbind.te',
+`can_udp_send(portmap_t, ypbind_t)')
+can_udp_send(portmap_t, { initrc_t init_t })
+can_udp_send(init_t, portmap_t)
+ifdef(`rpcd.te',
+`can_udp_send(portmap_t, rpcd_t)')
+ifdef(`inetd.te',
+`can_udp_send(portmap_t, inetd_t)')
+ifdef(`lpd.te',
+`can_udp_send(portmap_t, lpd_t)')
+ifdef(`tcpd.te', `
+can_udp_send(tcpd_t, portmap_t)
+')
+can_udp_send(portmap_t, kernel_t)
+can_udp_send(kernel_t, portmap_t)
+can_udp_send(sysadm_t, portmap_t)
+can_udp_send(portmap_t, sysadm_t)
+
+# Use capabilities
+allow portmap_t self:capability { net_bind_service setuid setgid };
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
+
+application_domain(portmap_helper)
+role system_r types portmap_helper_t;
+domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
+dontaudit portmap_helper_t self:capability { net_admin };
+allow portmap_helper_t self:capability { net_bind_service };
+allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
+file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
+allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
+can_network(portmap_helper_t)
+allow portmap_helper_t port_type:tcp_socket name_connect;
+can_ypbind(portmap_helper_t)
+dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
+allow portmap_helper_t etc_t:file { getattr read };
+dontaudit portmap_helper_t { userdomain privfd }:fd use;
+allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
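Review bot: `dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;` (and its twin for portmap_helper_t at the end of the file) silences every failed attempt by portmap to bind a port typed for another labelled service, while the `allow` lines for `port_t` and `reserved_port_t` already cover the generic ranges it legitimately uses. A bind attempt on a port that belongs to a different daemon is exactly the event an operator wants in the audit log, so please confirm these dontaudits are intended and record why; the comment `portmap binds to arbitary ports` explains the allows, not the dontaudits. Typo: `arbitary` should read `arbitrary`, and three blank lines follow the header.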
diff --git a/mls/domains/program/postfix.te b/mls/domains/program/postfix.te
new file mode 100644
index 0000000..4f85e81
--- /dev/null
+++ b/mls/domains/program/postfix.te
@@ -0,0 +1,373 @@
+#DESC Postfix - Mail server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: postfix
+# Depends: mta.te
+#
+
+# Type for files created during execution of postfix.
+type postfix_var_run_t, file_type, sysadmfile, pidfile;
+
+type postfix_etc_t, file_type, sysadmfile;
+type postfix_exec_t, file_type, sysadmfile, exec_type;
+type postfix_public_t, file_type, sysadmfile;
+type postfix_private_t, file_type, sysadmfile;
+type postfix_spool_t, file_type, sysadmfile;
+type postfix_spool_maildrop_t, file_type, sysadmfile;
+type postfix_spool_flush_t, file_type, sysadmfile;
+type postfix_prng_t, file_type, sysadmfile;
+
+# postfix needs this for newaliases
+allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
+
+#################################
+#
+# Rules for the postfix_$1_t domain.
+#
+# postfix_$1_exec_t is the type of the postfix_$1 executables.
+#
+define(`postfix_domain', `
+daemon_core_rules(postfix_$1, `$2')
+allow postfix_$1_t self:process setpgid;
+allow postfix_$1_t postfix_master_t:process sigchld;
+allow postfix_master_t postfix_$1_t:process signal;
+
+allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
+allow postfix_$1_t postfix_etc_t:file r_file_perms;
+read_locale(postfix_$1_t)
+allow postfix_$1_t etc_t:file { getattr read };
+allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+allow postfix_$1_t self:unix_stream_socket connectto;
+
+allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
+allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
+allow postfix_$1_t shell_exec_t:file rx_file_perms;
+allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
+allow postfix_$1_t postfix_exec_t:file rx_file_perms;
+allow postfix_$1_t devtty_t:chr_file rw_file_perms;
+allow postfix_$1_t etc_runtime_t:file r_file_perms;
+allow postfix_$1_t proc_t:dir r_dir_perms;
+allow postfix_$1_t proc_t:file r_file_perms;
+allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
+allow postfix_$1_t fs_t:filesystem getattr;
+allow postfix_$1_t proc_net_t:dir search;
+allow postfix_$1_t proc_net_t:file { getattr read };
+can_exec(postfix_$1_t, postfix_$1_exec_t)
+r_dir_file(postfix_$1_t, cert_t)
+allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };
+
+allow postfix_$1_t tmp_t:dir getattr;
+
+file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
+
+read_sysctl(postfix_$1_t)
+
+')dnl end postfix_domain
+
+ifdef(`crond.te',
+`allow system_mail_t crond_t:tcp_socket { read write create };')
+
+postfix_domain(master, `, mail_server_domain')
+rhgb_domain(postfix_master_t)
+
+# for a find command
+dontaudit postfix_master_t security_t:dir search;
+
+read_sysctl(postfix_master_t)
+
+ifdef(`targeted_policy', `
+bool postfix_disable_trans false;
+if (!postfix_disable_trans) {
+')
+domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
+allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
+
+domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
+allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
+ifdef(`targeted_policy', `', `
+role_transition sysadm_r postfix_master_exec_t system_r;
+')
+allow postfix_master_t postfix_etc_t:file rw_file_perms;
+dontaudit postfix_master_t admin_tty_type:chr_file { read write };
+allow postfix_master_t devpts_t:dir search;
+
+domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
+allow system_mail_t sysadm_t:process sigchld;
+allow system_mail_t privfd:fd use;
+
+ifdef(`pppd.te', `
+domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
+')
+
+ifdef(`targeted_policy', `
+}
+')
+
+allow postfix_master_t privfd:fd use;
+ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
+allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
+
+# postfix does a "find" on startup for some reason - keep it quiet
+dontaudit postfix_master_t selinux_config_t:dir search;
+can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
+ifdef(`distro_redhat', `
+# compatability for old default main.cf
+file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
+# for newer main.cf that uses /etc/aliases
+file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
+')
+file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
+allow postfix_master_t sendmail_exec_t:file r_file_perms;
+allow postfix_master_t sbin_t:lnk_file { getattr read };
+
+can_exec(postfix_master_t, { ls_exec_t sbin_t })
+allow postfix_master_t self:fifo_file rw_file_perms;
+allow postfix_master_t usr_t:file r_file_perms;
+can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
+allow postfix_master_t postfix_public_t:sock_file create_file_perms;
+allow postfix_master_t postfix_public_t:dir rw_dir_perms;
+allow postfix_master_t postfix_private_t:dir rw_dir_perms;
+allow postfix_master_t postfix_private_t:sock_file create_file_perms;
+allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
+can_network(postfix_master_t)
+allow postfix_master_t port_type:tcp_socket name_connect;
+can_ypbind(postfix_master_t)
+allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;
+allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
+allow postfix_master_t postfix_prng_t:file getattr;
+allow postfix_master_t privfd:fd use;
+allow postfix_master_t etc_aliases_t:file rw_file_perms;
+allow postfix_master_t var_lib_t:dir search;
+
+ifdef(`saslauthd.te',`
+allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
+allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
+can_unix_connect(postfix_smtpd_t,saslauthd_t)
+')
+
+create_dir_file(postfix_master_t, postfix_spool_flush_t)
+allow postfix_master_t postfix_prng_t:file rw_file_perms;
+# for ls to get the current context
+allow postfix_master_t self:file { getattr read };
+
+# allow access to deferred queue and allow removing bogus incoming entries
+allow postfix_master_t postfix_spool_t:dir create_dir_perms;
+allow postfix_master_t postfix_spool_t:file create_file_perms;
+
+dontaudit postfix_master_t man_t:dir search;
+
+define(`postfix_server_domain', `
+postfix_domain($1, `$2')
+domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+allow postfix_$1_t self:capability { setuid setgid dac_override };
+can_network_client(postfix_$1_t)
+allow postfix_$1_t port_type:tcp_socket name_connect;
+can_ypbind(postfix_$1_t)
+')
+
+postfix_server_domain(smtp, `, mail_server_sender')
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
+allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
+allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
+# if you have two different mail servers on the same host let them talk via
+# SMTP, also if one mail server wants to talk to itself then allow it and let
+# the SMTP protocol sort it out (SE Linux is not to prevent mail server
+# misconfiguration)
+can_tcp_connect(postfix_smtp_t, mail_server_domain)
+
+postfix_server_domain(smtpd)
+allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
+allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
+allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
+# for OpenSSL certificates
+r_dir_file(postfix_smtpd_t,usr_t)
+allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
+allow postfix_smtpd_t self:file { getattr read };
+
+# for prng_exch
+allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+
+allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
+
+postfix_server_domain(local, `, mta_delivery_agent')
+ifdef(`procmail.te', `
+domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
+# for a bug in the postfix local program
+dontaudit procmail_t postfix_local_t:tcp_socket { read write };
+dontaudit procmail_t postfix_master_t:fd use;
+')
+allow postfix_local_t etc_aliases_t:file r_file_perms;
+allow postfix_local_t self:fifo_file rw_file_perms;
+allow postfix_local_t self:process { setsched setrlimit };
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
+# for .forward - maybe we need a new type for it?
+allow postfix_local_t postfix_private_t:dir search;
+allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
+allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_local_t postfix_public_t:dir search;
+allow postfix_local_t postfix_public_t:sock_file write;
+tmp_domain(postfix_local)
+can_exec(postfix_local_t,{ shell_exec_t bin_t })
+ifdef(`spamc.te', `
+can_exec(postfix_local_t, spamc_exec_t)
+')
+allow postfix_local_t mail_spool_t:dir { remove_name };
+allow postfix_local_t mail_spool_t:file { unlink };
+# For reading spamassasin
+r_dir_file(postfix_local_t, etc_mail_t)
+
+define(`postfix_public_domain',`
+postfix_server_domain($1)
+allow postfix_$1_t postfix_public_t:dir search;
+')
+
+postfix_public_domain(cleanup)
+create_dir_file(postfix_cleanup_t, postfix_spool_t)
+allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
+allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
+allow postfix_cleanup_t postfix_private_t:dir search;
+allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
+allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
+allow postfix_cleanup_t self:process setrlimit;
+
+allow user_mail_domain postfix_spool_t:dir r_dir_perms;
+allow user_mail_domain postfix_etc_t:dir r_dir_perms;
+allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
+allow user_mail_domain self:capability dac_override;
+
+define(`postfix_user_domain', `
+postfix_domain($1, `$2')
+domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
+in_user_role(postfix_$1_t)
+role sysadm_r types postfix_$1_t;
+allow postfix_$1_t userdomain:process sigchld;
+allow postfix_$1_t userdomain:fifo_file { write getattr };
+allow postfix_$1_t { userdomain privfd }:fd use;
+allow postfix_$1_t self:capability dac_override;
+')
+
+postfix_user_domain(postqueue)
+allow postfix_postqueue_t postfix_public_t:dir search;
+allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+allow postfix_postqueue_t self:tcp_socket create;
+allow postfix_master_t postfix_postqueue_exec_t:file getattr;
+domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
+allow postfix_postqueue_t initrc_t:process sigchld;
+allow postfix_postqueue_t initrc_t:fd use;
+
+# to write the mailq output, it really should not need read access!
+allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
+ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
+
+# wants to write to /var/spool/postfix/public/showq
+allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
+allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
+# write to /var/spool/postfix/public/qmgr
+allow postfix_postqueue_t postfix_public_t:fifo_file write;
+dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
+
+postfix_user_domain(showq)
+# the following auto_trans is usually in postfix server domain
+domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+can_resolve(postfix_showq_t)
+r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
+domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
+allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+allow postfix_showq_t postfix_spool_t:file r_file_perms;
+allow postfix_showq_t self:tcp_socket create_socket_perms;
+allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
+dontaudit postfix_showq_t net_conf_t:file r_file_perms;
+
+postfix_user_domain(postdrop, `, mta_user_agent')
+can_resolve(postfix_postdrop_t)
+allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
+allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
+allow postfix_postdrop_t postfix_public_t:dir search;
+allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
+dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
+dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
+allow postfix_master_t postfix_postdrop_exec_t:file getattr;
+ifdef(`crond.te',
+`allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
+allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
+# usually it does not need a UDP socket
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
+allow postfix_postdrop_t self:tcp_socket create;
+allow postfix_postdrop_t self:capability sys_resource;
+allow postfix_postdrop_t self:tcp_socket create;
+
+postfix_public_domain(pickup)
+allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
+allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
+allow postfix_pickup_t postfix_private_t:dir search;
+allow postfix_pickup_t postfix_private_t:sock_file write;
+allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
+allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
+allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
+postfix_public_domain(qmgr)
+allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
+allow postfix_qmgr_t postfix_public_t:sock_file write;
+allow postfix_qmgr_t postfix_private_t:dir search;
+allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
+allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
+
+# for /var/spool/postfix/active
+create_dir_file(postfix_qmgr_t, postfix_spool_t)
+
+postfix_public_domain(bounce)
+type postfix_spool_bounce_t, file_type, sysadmfile;
+create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
+create_dir_file(postfix_bounce_t, postfix_spool_t)
+allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
+allow postfix_master_t postfix_spool_bounce_t:file getattr;
+allow postfix_bounce_t self:capability dac_read_search;
+allow postfix_bounce_t postfix_public_t:sock_file write;
+allow postfix_bounce_t self:tcp_socket create_socket_perms;
+
+r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
+
+postfix_public_domain(pipe)
+allow postfix_pipe_t postfix_spool_t:dir search;
+allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
+allow postfix_pipe_t self:fifo_file { read write };
+allow postfix_pipe_t postfix_private_t:dir search;
+allow postfix_pipe_t postfix_private_t:sock_file write;
+ifdef(`procmail.te', `
+domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
+')
+ifdef(`sendmail.te', `
+r_dir_file(sendmail_t, postfix_etc_t)
+allow sendmail_t postfix_spool_t:dir search;
+')
+
+# Program for creating database files
+application_domain(postfix_map)
+base_file_read_access(postfix_map_t)
+allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
+tmp_domain(postfix_map)
+create_dir_file(postfix_map_t, postfix_etc_t)
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit postfix_map_t proc_t:dir { getattr read search };
+dontaudit postfix_map_t local_login_t:fd use;
+allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
+read_locale(postfix_map_t)
+allow postfix_map_t self:capability setgid;
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+dontaudit postfix_map_t var_t:dir search;
+can_network_server(postfix_map_t)
+allow postfix_map_t port_type:tcp_socket name_connect;
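Review bot: `postfix_map_t`, the database-building helper at the end of this file, gets `can_network_server(postfix_map_t)` plus `allow postfix_map_t port_type:tcp_socket name_connect;`, i.e. listening sockets and outbound connects to every port type, which is far more than a map builder needs; if this exists only for lookup-table backends that talk to a network service, restrict `name_connect` to those specific port types and drop the server side. Several rules are also stated twice and should be deduplicated: `allow postfix_postdrop_t self:tcp_socket create;` appears two lines apart in the postdrop block, `allow postfix_master_t privfd:fd use;` appears twice in the master block, and `read_sysctl(postfix_master_t)` right after `postfix_domain(master, ...)` is redundant because the `postfix_domain` macro already expands `read_sysctl(postfix_$1_t)`. Minor: "compatability" and "spamassasin" in comments.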
diff --git a/mls/domains/program/postgresql.te b/mls/domains/program/postgresql.te
new file mode 100644
index 0000000..8ab14d0
--- /dev/null
+++ b/mls/domains/program/postgresql.te
@@ -0,0 +1,145 @@
+#DESC Postgresql - Database server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: postgresql
+#
+
+#################################
+#
+# Rules for the postgresql_t domain.
+#
+# postgresql_exec_t is the type of the postgresql executable.
+#
+daemon_domain(postgresql)
+allow initrc_t postgresql_exec_t:lnk_file read;
+allow postgresql_t usr_t:file { getattr read };
+
+allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
+
+ifdef(`distro_debian', `
+can_exec(postgresql_t, initrc_exec_t)
+# gross hack
+domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
+can_exec(postgresql_t, dpkg_exec_t)
+')
+
+dontaudit postgresql_t sysadm_home_dir_t:dir search;
+
+# quiet ps and killall
+dontaudit postgresql_t domain:dir { getattr search };
+
+# for currect directory of scripts
+allow postgresql_t { var_spool_t cron_spool_t }:dir search;
+
+# capability kill is for shutdown script
+allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
+dontaudit postgresql_t self:capability sys_admin;
+
+etcdir_domain(postgresql)
+type postgresql_db_t, file_type, sysadmfile;
+
+logdir_domain(postgresql)
+
+ifdef(`crond.te', `
+# allow crond to find /usr/lib/postgresql/bin/do.maintenance
+allow crond_t postgresql_db_t:dir search;
+system_crond_entry(postgresql_exec_t, postgresql_t)
+')
+
+tmp_domain(postgresql, `', `{ dir file sock_file }')
+file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
+
+# Use the network.
+can_network(postgresql_t)
+allow postgresql_t self:fifo_file { getattr read write ioctl };
+allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+can_unix_connect(postgresql_t, self)
+allow postgresql_t self:unix_dgram_socket create_socket_perms;
+
+allow postgresql_t self:shm create_shm_perms;
+
+ifdef(`targeted_policy', `', `
+bool allow_user_postgresql_connect false;
+
+if (allow_user_postgresql_connect) {
+# allow any user domain to connect to the database server
+can_tcp_connect(userdomain, postgresql_t)
+allow userdomain postgresql_t:unix_stream_socket connectto;
+allow userdomain postgresql_var_run_t:sock_file write;
+allow userdomain postgresql_tmp_t:sock_file write;
+}
+')
+ifdef(`consoletype.te', `
+can_exec(postgresql_t, consoletype_exec_t)
+')
+
+ifdef(`hostname.te', `
+can_exec(postgresql_t, hostname_exec_t)
+')
+
+allow postgresql_t postgresql_port_t:tcp_socket name_bind;
+allow postgresql_t auth_port_t:tcp_socket name_connect;
+
+allow postgresql_t { proc_t self }:file { getattr read };
+
+# Allow access to the postgresql databases
+create_dir_file(postgresql_t, postgresql_db_t)
+file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
+allow postgresql_t var_lib_t:dir { getattr search };
+
+# because postgresql start scripts are broken and put the pid file in the DB
+# directory
+rw_dir_file(initrc_t, postgresql_db_t)
+
+# read config files
+allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
+r_dir_file(initrc_t, postgresql_etc_t)
+
+allow postgresql_t etc_t:dir rw_dir_perms;
+
+read_sysctl(postgresql_t)
+
+allow postgresql_t devtty_t:chr_file { read write };
+allow postgresql_t devpts_t:dir search;
+
+allow postgresql_t { bin_t sbin_t }:dir search;
+allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
+allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+
+allow postgresql_t self:sem create_sem_perms;
+
+allow postgresql_t initrc_var_run_t:file { getattr read lock };
+dontaudit postgresql_t selinux_config_t:dir search;
+allow postgresql_t mail_spool_t:dir search;
+lock_domain(postgresql)
+can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
+ifdef(`apache.te', `
+# 
+# Allow httpd to work with postgresql
+#
+allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
+can_unix_connect(httpd_t, postgresql_t)
+')
+
+ifdef(`distro_gentoo', `
+# "su - postgres ..." is called from initrc_t
+allow initrc_su_t postgresql_db_t:dir search;
+allow postgresql_t initrc_su_t:process sigchld;
+dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
+')
+
+dontaudit postgresql_t home_root_t:dir search;
+allow postgresql_t urandom_device_t:chr_file { getattr read };
+
+if (allow_execmem) {
+allow postgresql_t self:process execmem;
+}
+
+authentication_domain(postgresql_t)
+#
+# postgresql has pam support
+#
+bool allow_postgresql_use_pam false;
+if (allow_postgresql_use_pam) {
+domain_auto_trans(postgresql_t, chkpwd_exec_t, system_chkpwd_t)
+}
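Review bot: `allow postgresql_t etc_t:dir rw_dir_perms;` sits just below the "read config files" comment but grants add_name/remove_name on every `etc_t` directory, so the database daemon could create or delete entries anywhere under /etc; since `etcdir_domain(postgresql)` already gives it its own `postgresql_etc_t`, this should be `r_dir_perms` (or a `dontaudit` if it is only a spurious attempt) unless a concrete write into /etc is documented in a comment. The `if (allow_execmem) { ... }` block references a boolean that is not declared in this file; confirm it is defined globally, otherwise the policy build fails. Minor: "currect" in the comment above the `{ var_spool_t cron_spool_t }:dir search` rule.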
diff --git a/mls/domains/program/pppd.te b/mls/domains/program/pppd.te
new file mode 100644
index 0000000..33b9b8f
--- /dev/null
+++ b/mls/domains/program/pppd.te
@@ -0,0 +1,153 @@
+#DESC PPPD - PPP daemon
+#
+# Author:  Russell Coker
+# X-Debian-Packages: ppp
+#
+
+#################################
+#
+# Rules for the pppd_t domain, et al.
+#
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
+# pppd_secret_t is the type of the pap and chap password files
+#
+bool pppd_for_user false;
+
+daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain')
+type pppd_secret_t, file_type, sysadmfile;
+
+# Define a separate type for /etc/ppp
+etcdir_domain(pppd)
+# Define a separate type for writable files under /etc/ppp
+type pppd_etc_rw_t, file_type, sysadmfile;
+# Automatically label newly created files under /etc/ppp with this type
+file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
+
+# for SSP
+allow pppd_t urandom_device_t:chr_file read;
+
+allow pppd_t sysfs_t:dir search;
+
+log_domain(pppd)
+
+# Use the network.
+can_network_server(pppd_t)
+can_ypbind(pppd_t)
+
+# Use capabilities.
+allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module };
+lock_domain(pppd)
+
+# Access secret files
+allow pppd_t pppd_secret_t:file r_file_perms;
+
+ifdef(`postfix.te', `
+allow pppd_t postfix_etc_t:dir search;
+allow pppd_t postfix_etc_t:file r_file_perms;
+allow pppd_t postfix_master_exec_t:file { getattr read };
+allow postfix_postqueue_t pppd_t:fd use;
+allow postfix_postqueue_t pppd_t:process sigchld;
+')
+
+# allow running ip-up and ip-down scripts and running chat.
+can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
+allow pppd_t { bin_t sbin_t }:dir search;
+allow pppd_t { sbin_t bin_t }:lnk_file read;
+allow ifconfig_t pppd_t:fd use;
+
+# Access /dev/ppp.
+allow pppd_t ppp_device_t:chr_file rw_file_perms;
+allow pppd_t devtty_t:chr_file { read write };
+
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket create_socket_perms;
+
+allow pppd_t proc_t:dir search;
+allow pppd_t proc_t:{ file lnk_file } r_file_perms;
+allow pppd_t proc_net_t:dir { read search };
+allow pppd_t proc_net_t:file r_file_perms;
+
+allow pppd_t etc_runtime_t:file r_file_perms;
+
+allow pppd_t self:socket create_socket_perms;
+
+allow pppd_t tty_device_t:chr_file { setattr rw_file_perms };
+
+allow pppd_t devpts_t:dir search;
+allow pppd_t devpts_t:chr_file ioctl;
+
+# for scripts
+allow pppd_t self:fifo_file rw_file_perms;
+allow pppd_t etc_t:lnk_file read;
+
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
+
+in_user_role(pppd_t)
+if (pppd_for_user)  {
+# Run pppd in pppd_t by default for user
+domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t)
+allow unpriv_userdomain pppd_t:process signal;
+}
+
+# for pppoe
+can_create_pty(pppd)
+allow pppd_t self:file { read getattr };
+
+allow pppd_t self:packet_socket create_socket_perms;
+
+file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
+tmp_domain(pppd)
+allow pppd_t sysctl_net_t:dir search;
+allow pppd_t sysctl_net_t:file r_file_perms;
+allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
+allow pppd_t initrc_var_run_t:file r_file_perms;
+dontaudit pppd_t initrc_var_run_t:file { lock write };
+
+# pppd needs to load kernel modules for certain modems
+ifdef(`modutil.te', `
+bool pppd_can_insmod false;
+typeattribute ifconfig_t privsysmod;
+
+if (pppd_can_insmod && !secure_mode_insmod) {
+domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
+allow ifconfig_t self:capability sys_module;
+}
+
+')
+
+daemon_domain(pptp, `, nscd_client_domain')
+can_network_client_tcp(pptp_t)
+allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
+can_exec(pptp_t, hostname_exec_t)
+domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
+allow pptp_t self:rawip_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+can_exec(pptp_t, pppd_etc_rw_t)
+allow pptp_t devpts_t:dir search;
+allow pptp_t pppd_devpts_t:chr_file rw_file_perms;
+allow pptp_t devpts_t:chr_file ioctl;
+r_dir_file(pptp_t, pppd_etc_rw_t)
+r_dir_file(pptp_t, pppd_etc_t)
+allow pppd_t pptp_t:process signal;
+allow pptp_t self:capability net_raw;
+allow pptp_t self:fifo_file { read write };
+allow pptp_t ptmx_t:chr_file rw_file_perms;
+log_domain(pptp)
+
+# Fix sockets
+allow pptp_t pptp_var_run_t:sock_file create_file_perms;
+
+# Allow pptp to append to pppd log files
+allow pptp_t pppd_log_t:file append;
+
+ifdef(`named.te', `
+dontaudit ndc_t pppd_t:fd use;
+')
+
+# Allow /etc/ppp/ip-{up,down} to run most anything
+type pppd_script_exec_t, file_type, sysadmfile;
+domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
+allow pppd_t initrc_t:process noatsecure;
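Review bot: `sys_module` is granted unconditionally in `allow pppd_t self:capability { ... sys_module };` (and `privsysmod` is in the `daemon_domain` call), yet the module-loading path further down is gated by `if (pppd_can_insmod && !secure_mode_insmod)`, which only conditionally adds `sys_module` to `ifconfig_t`; move the `sys_module` capability for `pppd_t` into that conditional so `secure_mode_insmod` actually applies to pppd. Likewise `can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })` lets pppd execute any `etc_t` file, while the end of the file introduces `pppd_script_exec_t` for the ip-up/ip-down scripts; with that type in place, `etc_t` should come out of the `can_exec` list so only explicitly labelled scripts can be run from /etc.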
diff --git a/mls/domains/program/prelink.te b/mls/domains/program/prelink.te
new file mode 100644
index 0000000..3ffa0d7
--- /dev/null
+++ b/mls/domains/program/prelink.te
@@ -0,0 +1,50 @@
+#DESC PRELINK - Security Enhanced version of the GNU Prelink
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the prelink_t domain.
+#
+# prelink_exec_t is the type of the prelink executable.
+#
+daemon_base_domain(prelink, `, admin, privowner')
+
+allow prelink_t self:process { execheap execmem execstack };
+allow prelink_t texrel_shlib_t:file execmod;
+allow prelink_t fs_t:filesystem getattr;
+
+ifdef(`crond.te', `
+system_crond_entry(prelink_exec_t, prelink_t)
+allow system_crond_t prelink_log_t:dir rw_dir_perms;
+allow system_crond_t prelink_log_t:file create_file_perms;
+allow system_crond_t prelink_cache_t:file { getattr read unlink };
+allow prelink_t crond_log_t:file append;
+')
+
+logdir_domain(prelink)
+type etc_prelink_t, file_type, sysadmfile;
+type var_lock_prelink_t, file_type, sysadmfile, lockfile;
+
+allow prelink_t etc_prelink_t:file { getattr read };
+allow prelink_t file_type:dir rw_dir_perms;
+allow prelink_t file_type:lnk_file r_file_perms;
+allow prelink_t file_type:file getattr;
+allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `xkb_var_lib_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
+allow prelink_t ld_so_t:file execute_no_trans;
+
+allow prelink_t self:capability { chown dac_override fowner fsetid };
+allow prelink_t self:fifo_file rw_file_perms;
+allow prelink_t self:file { getattr read };
+dontaudit prelink_t sysctl_kernel_t:dir search;
+dontaudit prelink_t sysctl_t:dir search;
+allow prelink_t etc_runtime_t:file { getattr read };
+read_locale(prelink_t)
+allow prelink_t urandom_device_t:chr_file read;
+allow prelink_t proc_t:file { getattr read };
+#
+# prelink_cache_t is the type of /etc/prelink.cache.
+#
+type prelink_cache_t, file_type, sysadmfile;
+file_type_auto_trans(prelink_t, etc_t, prelink_cache_t, file)
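Review bot: `allow prelink_t file_type:dir rw_dir_perms;` grants add_name/remove_name on every directory of every file type, which is broader than the explicit list of executable and library types in the following `allow prelink_t { ... }:file { create_file_perms execute relabelto relabelfrom }` rule; since prelink only rewrites binaries in the directories that hold those types, scope the dir rule to the same set. That `ifdef`-inlined type list (`amanda_usr_lib_t`, `httpd_modules_t`, `xkb_var_lib_t`, ...) is also hard to read and to audit; declaring a prelink-target attribute in the respective per-program files and writing one rule against the attribute would keep the list maintainable. The `prelink_cache_t` type is used inside the `crond.te` block before its declaration near the end of the file; moving the declaration up next to `etc_prelink_t` would make the file read top-down.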
diff --git a/mls/domains/program/privoxy.te b/mls/domains/program/privoxy.te
new file mode 100644
index 0000000..b8a522d
--- /dev/null
+++ b/mls/domains/program/privoxy.te
@@ -0,0 +1,27 @@
+#DESC privoxy - privacy enhancing proxy
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the privoxy_t domain.
+#
+daemon_domain(privoxy, `, web_client_domain')
+
+logdir_domain(privoxy)
+
+# Use capabilities.
+allow privoxy_t self:capability net_bind_service;
+
+# Use the network.
+can_network_tcp(privoxy_t)
+can_ypbind(privoxy_t)
+can_resolve(privoxy_t)
+allow privoxy_t http_cache_port_t:tcp_socket name_bind;
+allow privoxy_t etc_t:file { getattr read };
+allow privoxy_t self:capability { setgid setuid };
+allow privoxy_t self:unix_stream_socket create_socket_perms ;
+allow privoxy_t admin_tty_type:chr_file { read write };
+
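Review bot: the two capability rules `allow privoxy_t self:capability net_bind_service;` and `allow privoxy_t self:capability { setgid setuid };` should be merged into one, and `create_socket_perms ;` has a stray space before the semicolon. `allow privoxy_t admin_tty_type:chr_file { read write };` gives the daemon read/write on administrator terminals; if this is only to keep console startup quiet, the other daemons in this series use `dontaudit` for that (compare `dontaudit postfix_master_t admin_tty_type:chr_file { read write };` in postfix.te), and privoxy should do the same rather than allow it.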
diff --git a/mls/domains/program/procmail.te b/mls/domains/program/procmail.te
new file mode 100644
index 0000000..7616e34
--- /dev/null
+++ b/mls/domains/program/procmail.te
@@ -0,0 +1,92 @@
+#DESC Procmail - Mail delivery agent for mail servers
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: procmail
+#
+
+#################################
+#
+# Rules for the procmail_t domain.
+#
+# procmail_exec_t is the type of the procmail executable.
+#
+# privhome only works until we define a different type for maildir
+type procmail_t, domain, privlog, privhome, nscd_client_domain;
+type procmail_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types procmail_t;
+
+uses_shlib(procmail_t)
+allow procmail_t device_t:dir search;
+can_network(procmail_t)
+nsswitch_domain(procmail_t)
+allow procmail_t spamd_port_t:tcp_socket name_connect;
+
+allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
+
+allow procmail_t etc_t:dir r_dir_perms;
+allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
+allow procmail_t etc_t:lnk_file read;
+read_locale(procmail_t)
+read_sysctl(procmail_t)
+
+allow procmail_t sysctl_t:dir search;
+
+allow procmail_t self:process { setsched fork sigchld signal };
+dontaudit procmail_t sbin_t:dir { getattr search };
+can_exec(procmail_t, { bin_t shell_exec_t })
+allow procmail_t bin_t:dir { getattr search };
+allow procmail_t bin_t:lnk_file read;
+allow procmail_t self:fifo_file rw_file_perms;
+
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+
+# for /var/mail
+rw_dir_create_file(procmail_t, mail_spool_t)
+
+allow procmail_t var_t:dir { getattr search };
+allow procmail_t var_spool_t:dir r_dir_perms;
+
+allow procmail_t fs_t:filesystem getattr;
+allow procmail_t { self proc_t }:dir search;
+allow procmail_t proc_t:file { getattr read };
+allow procmail_t { self proc_t }:lnk_file read;
+
+# for if /var/mail is a symlink to /var/spool/mail
+#allow procmail_t mail_spool_t:lnk_file r_file_perms;
+
+# for spamassasin
+allow procmail_t usr_t:file { getattr ioctl read };
+ifdef(`spamassassin.te', `
+can_exec(procmail_t, spamassassin_exec_t)
+allow procmail_t port_t:udp_socket name_bind;
+allow procmail_t tmp_t:dir getattr;
+')
+ifdef(`spamc.te', `
+can_exec(procmail_t, spamc_exec_t)
+')
+
+ifdef(`targeted_policy', `
+allow procmail_t port_t:udp_socket name_bind;
+allow procmail_t tmp_t:dir getattr;
+')
+
+# Search /var/run.
+allow procmail_t var_run_t:dir { getattr search };
+
+# Do not audit attempts to access /root.
+dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };
+
+allow procmail_t devtty_t:chr_file { read write };
+
+allow procmail_t urandom_device_t:chr_file { getattr read };
+
+ifdef(`sendmail.te', `
+r_dir_file(procmail_t, etc_mail_t)
+allow procmail_t sendmail_t:tcp_socket { read write };
+')
+
+ifdef(`hide_broken_symptoms', `
+dontaudit procmail_t mqueue_spool_t:file { getattr read write };
+')
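Review bot: `allow procmail_t port_t:udp_socket name_bind;` and `allow procmail_t tmp_t:dir getattr;` are repeated verbatim inside both `ifdef(`spamassassin.te', ...)` and `ifdef(`targeted_policy', ...)`, so a targeted build with spamassassin present emits them twice; hoist them out of both blocks and add a comment on why a local delivery agent needs to bind a UDP port at all. The dead `#allow procmail_t mail_spool_t:lnk_file r_file_perms;` under "for if /var/mail is a symlink" should either be enabled behind a conditional or removed rather than left commented out. Minor: "spamassasin" in the comment before the `usr_t:file` rule.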
diff --git a/mls/domains/program/quota.te b/mls/domains/program/quota.te
new file mode 100644
index 0000000..7374053
--- /dev/null
+++ b/mls/domains/program/quota.te
@@ -0,0 +1,59 @@
+#DESC Quota - File system quota management utilities
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: quota quotatool
+#
+
+#################################
+#
+# Rules for the quota_t domain.
+#
+# needs auth attribute because it has read access to shadow_t because checkquota
+# is buggy
+daemon_base_domain(quota, `, auth, fs_domain')
+
+# so the administrator can run quotacheck
+domain_auto_trans(sysadm_t, quota_exec_t, quota_t)
+role sysadm_r types quota_t;
+allow quota_t admin_tty_type:chr_file { read write };
+
+type quota_flag_t, file_type, sysadmfile;
+type quota_db_t, file_type, sysadmfile;
+
+rw_dir_create_file(initrc_t, quota_flag_t)
+
+allow quota_t fs_t:filesystem { getattr quotaget quotamod remount };
+# quotacheck creates new quota_db_t files
+file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
+# for some reason it wants dac_override not dac_read_search
+allow quota_t self:capability { sys_admin dac_override };
+allow quota_t file_type:{ fifo_file sock_file } getattr;
+allow quota_t file_t:file quotaon;
+
+# for quotacheck
+allow quota_t file_type:dir r_dir_perms;
+# The following line is apparently necessary, although read and
+# ioctl seem to be more than should be required.
+allow quota_t file_type:file { getattr read ioctl };
+allow quota_t file_type:{ fifo_file sock_file } getattr;
+allow quota_t file_type:lnk_file { read getattr };
+allow quota_t device_type:{ chr_file blk_file } getattr;
+
+allow quota_t fixed_disk_device_t:blk_file { getattr read };
+
+# for /quota.*
+allow quota_t quota_db_t:file { read write };
+dontaudit unpriv_userdomain quota_db_t:file getattr;
+allow quota_t quota_db_t:file quotaon;
+
+# Read /etc/mtab.
+allow quota_t etc_runtime_t:file { read getattr };
+
+allow quota_t device_t:dir r_dir_perms;
+allow quota_t fixed_disk_device_t:blk_file getattr;
+allow quota_t boot_t:dir r_dir_perms;
+allow quota_t sysctl_t:dir { getattr search };
+
+allow quota_t initrc_devpts_t:chr_file rw_file_perms;
+
+allow quota_t proc_t:file getattr;
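Review bot: two rules in the quota_t section are duplicated or subsumed and should be dropped: `allow quota_t file_type:{ fifo_file sock_file } getattr;` appears twice, and the late `allow quota_t fixed_disk_device_t:blk_file getattr;` is already covered by the earlier `allow quota_t fixed_disk_device_t:blk_file { getattr read };`. Separately, `allow quota_t file_type:file { getattr read ioctl };` grants read on every file type on the system, and the comment above it admits that read and ioctl "seem to be more than should be required"; if that cannot be narrowed to the filesystem roots quotacheck walks, the header comment about shadow_t read and the `auth` attribute should at least point at this rule so the broad read and its justification are documented together.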
diff --git a/mls/domains/program/radius.te b/mls/domains/program/radius.te
new file mode 100644
index 0000000..57eccc2
--- /dev/null
+++ b/mls/domains/program/radius.te
@@ -0,0 +1,67 @@
+#DESC RADIUS - Radius server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: radiusd-cistron radiusd-livingston xtradius yardradius radiusd-freeradius
+#
+
+#################################
+#
+# Rules for the radiusd_t domain.
+#
+# radiusd_exec_t is the type of the radiusd executable.
+#
+daemon_domain(radiusd, `, auth_chkpwd')
+
+etcdir_domain(radiusd)
+
+system_crond_entry(radiusd_exec_t, radiusd_t)
+
+allow radiusd_t self:process setsched;
+
+allow radiusd_t proc_t:file { read getattr };
+
+dontaudit radiusd_t sysadm_home_dir_t:dir getattr;
+
+# allow pthreads to read kernel version
+read_sysctl(radiusd_t)
+
+# read config files
+allow radiusd_t etc_t:dir r_dir_perms;
+allow radiusd_t { etc_t etc_runtime_t }:file { read getattr };
+allow radiusd_t etc_t:lnk_file read;
+
+# write log files
+logdir_domain(radiusd)
+allow radiusd_t radiusd_log_t:dir create;
+
+allow radiusd_t usr_t:file r_file_perms;
+
+can_exec(radiusd_t, lib_t)
+can_exec(radiusd_t, { bin_t shell_exec_t })
+allow radiusd_t { bin_t sbin_t }:dir search;
+allow radiusd_t bin_t:lnk_file read;
+
+allow radiusd_t devtty_t:chr_file { read write };
+allow radiusd_t self:fifo_file rw_file_perms;
+# fsetid is for gzip which needs it when run from scripts
+# gzip also needs chown access to preserve GID for radwtmp files
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+
+can_network_server(radiusd_t)
+can_ypbind(radiusd_t)
+allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
+
+# for RADIUS proxy port
+allow radiusd_t port_t:udp_socket name_bind;
+
+ifdef(`snmpd.te', `
+can_tcp_connect(radiusd_t, snmpd_t)
+')
+ifdef(`logrotate.te', `
+can_exec(radiusd_t, logrotate_exec_t)
+')
+can_udp_send(sysadm_t, radiusd_t)
+can_udp_send(radiusd_t, sysadm_t)
+
+allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
+allow radiusd_t urandom_device_t:chr_file { getattr read };
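Review bot: the capability rule `allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };` only explains fsetid and chown (for gzip); `kill`, `sys_resource` and `sys_tty_config` have no stated reason and should either get a comment or be removed until a denial shows they are needed. Also, `allow radiusd_t port_t:udp_socket name_bind;` for the proxy port lets the daemon bind any unreserved port; if the proxy port is fixed in the server configuration, a dedicated port type, as already done with `radius_port_t radacct_port_t`, would keep the bind confined.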
diff --git a/mls/domains/program/radvd.te b/mls/domains/program/radvd.te
new file mode 100644
index 0000000..868ef8b
--- /dev/null
+++ b/mls/domains/program/radvd.te
@@ -0,0 +1,30 @@
+#DESC Radv - IPv6 route advisory daemon
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: radvd
+#
+
+#################################
+#
+# Rules for the radvd_t domain.
+#
+daemon_domain(radvd)
+
+etc_domain(radvd)
+allow radvd_t etc_t:file { getattr read };
+
+allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
+
+allow radvd_t self:capability { setgid setuid net_raw };
+allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
+allow radvd_t self:unix_stream_socket create_socket_perms;
+
+can_network_server(radvd_t)
+can_ypbind(radvd_t)
+
+allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
+allow radvd_t { proc_t proc_net_t }:file { getattr read };
+allow radvd_t etc_t:lnk_file read;
+
+allow radvd_t sysctl_net_t:file r_file_perms;
+allow radvd_t sysctl_net_t:dir r_dir_perms;
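Review bot: the socket rules for radvd_t are split across two statements over the same object set, `allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;` and `allow radvd_t self:{ unix_dgram_socket rawip_socket } create;`; merge them into a single rule with `create_socket_perms`, which is the form the neighbouring files use. It is also worth a comment on why a router advertisement daemon that works over raw IPv6 sockets needs `can_network_server` and `can_ypbind`; if they exist only so that names in the config can be resolved, say so, otherwise consider dropping them.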
diff --git a/mls/domains/program/rdisc.te b/mls/domains/program/rdisc.te
new file mode 100644
index 0000000..79331fa
--- /dev/null
+++ b/mls/domains/program/rdisc.te
@@ -0,0 +1,13 @@
+#DESC rdisc - network router discovery daemon
+#
+# Author:  Russell Coker <russell@coker.com.au>
+
+daemon_base_domain(rdisc)
+allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
+allow rdisc_t self:rawip_socket create_socket_perms;
+allow rdisc_t self:udp_socket create_socket_perms;
+allow rdisc_t self:capability net_raw;
+
+can_network_udp(rdisc_t)
+
+allow rdisc_t etc_t:file { getattr read };
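Review bot: this file is missing the `X-Debian-Packages:` header line and the `# Rules for the rdisc_t domain.` banner that every other new program policy in this patch carries; add both for consistency. The rules themselves are tight (raw and UDP sockets, `net_raw`, read of `etc_t` config) and need no functional change.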
diff --git a/mls/domains/program/readahead.te b/mls/domains/program/readahead.te
new file mode 100644
index 0000000..dde8e37
--- /dev/null
+++ b/mls/domains/program/readahead.te
@@ -0,0 +1,21 @@
+#DESC readahead - read files in page cache 
+#
+# Author: Dan Walsh (dwalsh@redhat.com)
+#
+
+#################################
+#
+# Declarations for readahead
+#
+
+daemon_domain(readahead)
+#
+# readahead asks for these
+#
+allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };
+allow readahead_t { file_type -secure_file_type }:dir r_dir_perms;
+dontaudit readahead_t shadow_t:file { getattr read };
+allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr;
+dontaudit readahead_t file_type:sock_file getattr;
+allow readahead_t proc_t:file { getattr read };
+dontaudit readahead_t device_type:blk_file read;
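Review bot: the comment `# readahead asks for these` does not justify `allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };`, which lets the daemon read nearly every file on the system. Replace the comment with the actual reason the reads cannot be confined to a narrower set of types, and note next to `dontaudit readahead_t shadow_t:file { getattr read };` that it exists to keep the expected shadow denial quiet rather than to grant anything; a later reviewer should be able to see the trade-off without reading the daemon's source.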
diff --git a/mls/domains/program/restorecon.te b/mls/domains/program/restorecon.te
new file mode 100644
index 0000000..27a012b
--- /dev/null
+++ b/mls/domains/program/restorecon.te
@@ -0,0 +1,69 @@
+#DESC restorecon - Restore or check the context of a file
+#
+# Authors:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: policycoreutils
+#
+
+#################################
+#
+# Rules for the restorecon_t domain.
+#
+# restorecon_exec_t is the type of the restorecon executable.
+#
+# needs auth_write attribute because it has relabelfrom/relabelto
+# access to shadow_t
+type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
+type restorecon_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types restorecon_t;
+role sysadm_r types restorecon_t;
+role secadm_r types restorecon_t;
+
+can_access_pty(restorecon_t, initrc)
+allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
+
+domain_auto_trans({ initrc_t secadmin }, restorecon_exec_t, restorecon_t)
+allow restorecon_t { userdomain init_t privfd }:fd use;
+
+uses_shlib(restorecon_t)
+allow restorecon_t self:capability { dac_override dac_read_search fowner };
+
+# for upgrading glibc and other shared objects - without this the upgrade
+# scripts will put things in a state such that restorecon can not be run!
+allow restorecon_t lib_t:file { read execute };
+
+# Get security policy decisions.
+can_getsecurity(restorecon_t)
+
+r_dir_file(restorecon_t, policy_config_t)
+
+allow restorecon_t file_type:dir r_dir_perms;
+allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto };
+allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
+allow restorecon_t unlabeled_t:dir read;
+allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto };
+ifdef(`distro_redhat', `
+allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
+')
+ifdef(`dpkg.te', `
+domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
+')
+
+allow restorecon_t ptyfile:chr_file getattr;
+
+allow restorecon_t fs_t:filesystem getattr;
+
+allow restorecon_t etc_runtime_t:file { getattr read };
+allow restorecon_t etc_t:file { getattr read };
+allow restorecon_t proc_t:file { getattr read };
+dontaudit restorecon_t proc_t:lnk_file { getattr read };
+
+allow restorecon_t device_t:file { read write };
+allow restorecon_t kernel_t:fd use;
+allow restorecon_t kernel_t:fifo_file { read write };
+allow restorecon_t kernel_t:unix_dgram_socket { read write };
+r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
+allow restorecon_t autofs_t:dir r_dir_perms;
+allow restorecon_t devpts_t:chr_file getattr;
+# need to restorecon /dev/pts during boot (from /etc/rc.d/rc.sysinit)
+allow restorecon_t devpts_t:dir { relabelfrom relabelto };
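Review bot: the `distro_redhat` rule `allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };` grants read/write on device nodes under tmpfs, which relabelling does not require; the rest of this file uses `{ getattr relabelfrom relabelto }` for device nodes, so drop `rw_file_perms` here unless a specific denial needs it, and comment that denial if so. Likewise `allow restorecon_t device_t:file { read write };` near the end has no comment; if it is for one particular file under /dev, name it so the rule can be narrowed to a type of its own later.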
diff --git a/mls/domains/program/rlogind.te b/mls/domains/program/rlogind.te
new file mode 100644
index 0000000..88af4e4
--- /dev/null
+++ b/mls/domains/program/rlogind.te
@@ -0,0 +1,40 @@
+#DESC Rlogind - Remote login daemon
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: rsh-client rsh-redone-client
+# Depends: inetd.te
+#
+
+#################################
+#
+# Rules for the rlogind_t domain.
+#
+remote_login_daemon(rlogind)
+typeattribute rlogind_t auth_chkpwd;
+
+ifdef(`tcpd.te', `
+domain_auto_trans(tcpd_t, rlogind_exec_t, rlogind_t)
+')
+
+# for /usr/lib/telnetlogin
+can_exec(rlogind_t, rlogind_exec_t)
+
+# Use capabilities.
+allow rlogind_t self:capability { net_bind_service };
+
+# Run login in remote_login_t.
+allow remote_login_t inetd_t:fd use;
+allow remote_login_t inetd_t:tcp_socket rw_file_perms;
+
+# Send SIGCHLD to inetd on death.
+allow rlogind_t inetd_t:process sigchld;
+
+allow rlogind_t home_dir_type:dir search;
+allow rlogind_t home_type:file { getattr read };
+allow rlogind_t self:file { getattr read };
+allow rlogind_t default_t:dir search;
+typealias rlogind_port_t alias rlogin_port_t;
+read_sysctl(rlogind_t);
+ifdef(`kerberos.te', `
+allow rlogind_t krb5_keytab_t:file { getattr read };
+')
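Review bot: `read_sysctl(rlogind_t);` carries a trailing semicolon that no other macro call in this file has; drop it for consistency. `allow rlogind_t home_type:file { getattr read };` grants read on every file in users' home directories; if it is there for .rhosts, as rshd.te in this same patch comments for the equivalent rule, add that comment here, because the rule is much wider than the one file it is meant to reach.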
diff --git a/mls/domains/program/roundup.te b/mls/domains/program/roundup.te
new file mode 100644
index 0000000..4c3e97a
--- /dev/null
+++ b/mls/domains/program/roundup.te
@@ -0,0 +1,29 @@
+# Roundup Issue Tracking System
+#
+# Authors:  W. Michael Petullo <redhat@flyn.org
+#
+daemon_domain(roundup)
+var_lib_domain(roundup)
+can_network(roundup_t)
+allow roundup_t http_cache_port_t:tcp_socket name_bind;
+allow roundup_t smtp_port_t:tcp_socket name_connect;
+
+# execute python
+allow roundup_t bin_t:dir r_dir_perms;
+can_exec(roundup_t, bin_t)
+allow roundup_t bin_t:lnk_file read;
+
+allow roundup_t self:capability { setgid setuid };
+
+allow roundup_t self:unix_stream_socket create_stream_socket_perms;
+
+ifdef(`mysqld.te', `
+allow roundup_t mysqld_db_t:dir search;
+allow roundup_t mysqld_var_run_t:sock_file write;
+allow roundup_t mysqld_t:unix_stream_socket connectto;
+')
+
+# /usr/share/mysql/charsets/Index.xml
+allow roundup_t usr_t:file { getattr read };
+allow roundup_t urandom_device_t:chr_file { getattr read };
+allow roundup_t etc_t:file { getattr read };
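Review bot: the author line `# Authors:  W. Michael Petullo <redhat@flyn.org` is missing its closing `>`, and the file lacks the `#DESC` line and the `X-Debian-Packages:` header that the other program policies in this patch start with; add both for consistency. The access rules themselves are reasonably scoped (bind only to `http_cache_port_t`, connect only to `smtp_port_t`, MySQL socket access guarded by `ifdef(`mysqld.te'`), so no functional change is needed.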
diff --git a/mls/domains/program/rpcd.te b/mls/domains/program/rpcd.te
new file mode 100644
index 0000000..8efa09c
--- /dev/null
+++ b/mls/domains/program/rpcd.te
@@ -0,0 +1,167 @@
+#DESC Rpcd - RPC daemon
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell@coker.com.au>
+# Depends: portmap.te
+# X-Debian-Packages: nfs-common
+#
+
+#################################
+#
+# Rules for the rpcd_t and nfsd_t domain.
+#
+define(`rpc_domain', `
+ifdef(`targeted_policy', `
+daemon_base_domain($1, `, transitionbool')
+', `
+daemon_base_domain($1)
+')
+can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
+can_ypbind($1_t)
+allow $1_t { etc_runtime_t etc_t }:file { getattr read };
+read_locale($1_t)
+allow $1_t self:capability net_bind_service;
+dontaudit $1_t self:capability net_admin;
+
+allow $1_t var_t:dir { getattr search };
+allow $1_t var_lib_t:dir search;
+allow $1_t var_lib_nfs_t:dir create_dir_perms;
+allow $1_t var_lib_nfs_t:file create_file_perms;
+# do not log when it tries to bind to a port belonging to another domain
+dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
+allow $1_t self:netlink_route_socket r_netlink_socket_perms;
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+# bind to arbitary unused ports
+allow $1_t port_t:{ tcp_socket udp_socket } name_bind;
+allow $1_t sysctl_rpc_t:dir search;
+allow $1_t sysctl_rpc_t:file rw_file_perms;
+')
+
+type exports_t, file_type, sysadmfile;
+dontaudit userdomain exports_t:file getattr;
+
+# rpcd_t is the domain of rpc daemons.
+# rpcd_exec_t is the type of rpc daemon programs.
+#
+rpc_domain(rpcd)
+var_run_domain(rpcd)
+allow rpcd_t rpcd_var_run_t:dir setattr;
+
+# for rpc.rquotad
+allow rpcd_t sysctl_t:dir r_dir_perms;
+allow rpcd_t self:fifo_file rw_file_perms;
+
+# rpcd_t needs to talk to the portmap_t domain
+can_udp_send(rpcd_t, portmap_t)
+
+allow initrc_t exports_t:file r_file_perms;
+ifdef(`distro_redhat', `
+allow rpcd_t self:capability { chown dac_override setgid setuid };
+# for /etc/rc.d/init.d/nfs to create /etc/exports
+allow initrc_t exports_t:file write;
+')
+
+allow rpcd_t self:file { getattr read };
+
+# nfs kernel server needs kernel UDP access.  It is less risky and painful
+# to just give it everything.
+can_network_server(kernel_t)
+#can_udp_send(kernel_t, rpcd_t)
+#can_udp_send(rpcd_t, kernel_t)
+
+rpc_domain(nfsd)
+domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t)
+role sysadm_r types nfsd_t;
+
+# for /proc/fs/nfs/exports - should we have a new type?
+allow nfsd_t proc_t:file r_file_perms;
+allow nfsd_t proc_net_t:dir search;
+allow nfsd_t exports_t:file { getattr read };
+
+allow nfsd_t nfsd_fs_t:filesystem mount;
+allow nfsd_t nfsd_fs_t:dir search;
+allow nfsd_t nfsd_fs_t:file rw_file_perms;
+allow initrc_t sysctl_rpc_t:dir search;
+allow initrc_t sysctl_rpc_t:file rw_file_perms;
+
+type nfsd_rw_t, file_type, sysadmfile, usercanread;
+type nfsd_ro_t, file_type, sysadmfile, usercanread;
+
+bool nfs_export_all_rw false;
+
+if(nfs_export_all_rw) {
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t, noexattrfile)
+create_dir_file(kernel_t,{ file_type -shadow_t })
+}
+
+dontaudit kernel_t shadow_t:file getattr;
+
+bool nfs_export_all_ro false;
+
+if(nfs_export_all_ro) {
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
+}
+
+allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
+create_dir_file(kernel_t, nfsd_rw_t);
+r_dir_file(kernel_t, nfsd_ro_t);
+
+allow kernel_t nfsd_t:udp_socket rw_socket_perms;
+can_udp_send(kernel_t, nfsd_t)
+can_udp_send(nfsd_t, kernel_t)
+
+# does not really need this, but it is easier to just allow it
+allow nfsd_t var_run_t:dir search;
+
+allow nfsd_t self:capability { sys_admin sys_resource };
+allow nfsd_t fs_type:filesystem getattr;
+
+can_udp_send(nfsd_t, portmap_t)
+can_udp_send(portmap_t, nfsd_t)
+
+can_tcp_connect(nfsd_t, portmap_t)
+
+# for exportfs and rpc.mountd
+allow nfsd_t tmp_t:dir getattr;
+
+r_dir_file(rpcd_t, rpc_pipefs_t)
+allow rpcd_t rpc_pipefs_t:sock_file { read write };
+dontaudit rpcd_t selinux_config_t:dir { search };
+allow rpcd_t proc_net_t:dir search;
+
+
+rpc_domain(gssd)
+can_kerberos(gssd_t)
+ifdef(`kerberos.te', `
+allow gssd_t krb5_keytab_t:file r_file_perms;
+')
+allow gssd_t urandom_device_t:chr_file { getattr read };
+r_dir_file(gssd_t, tmp_t)
+tmp_domain(gssd)
+allow gssd_t self:fifo_file { read write };
+r_dir_file(gssd_t, proc_net_t)
+allow gssd_t rpc_pipefs_t:dir r_dir_perms;
+allow gssd_t rpc_pipefs_t:sock_file { read write };
+allow gssd_t rpc_pipefs_t:file r_file_perms;
+allow gssd_t self:capability { dac_override dac_read_search setuid };
+allow nfsd_t devtty_t:chr_file rw_file_perms;
+allow rpcd_t devtty_t:chr_file rw_file_perms;
+
+bool allow_gssd_read_tmp true;
+if (allow_gssd_read_tmp) {
+#
+#needs to be able to udpate the kerberos ticket file
+#
+ifdef(`targeted_policy', `
+r_dir_file(gssd_t, tmp_t)
+allow gssd_t tmp_t:file write;
+', `
+r_dir_file(gssd_t, user_tmpfile)
+allow gssd_t user_tmpfile:file write;
+')
+}
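Review bot: `r_dir_file(gssd_t, tmp_t)` is granted unconditionally earlier in this hunk, so the `allow_gssd_read_tmp` boolean (default `true`) only gates `write` in the targeted branch and gates nothing at all for reads; either remove the unconditional call and let the boolean control read access as its name says, or rename the boolean to reflect that it controls writes. Two further points: `can_network_server(kernel_t)` is granted here with the comment that it is "less risky and painful to just give it everything" while the narrower `can_udp_send(kernel_t, rpcd_t)` / `can_udp_send(rpcd_t, kernel_t)` pair sits commented out directly beneath it; a decision that widens the kernel domain's network access belongs in the file header, not buried in rpcd.te. And `create_dir_file(kernel_t, nfsd_rw_t);` and `r_dir_file(kernel_t, nfsd_ro_t);` carry trailing semicolons unlike the other macro calls (the comment "udpate" is also a typo).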
diff --git a/mls/domains/program/rpm.te b/mls/domains/program/rpm.te
new file mode 100644
index 0000000..d772da7
--- /dev/null
+++ b/mls/domains/program/rpm.te
@@ -0,0 +1,260 @@
+#DESC RPM - Red Hat package management
+#
+# X-Debian-Packages: 
+#################################
+#
+# Rules for running the Redhat Package Manager (RPM) tools.
+#
+# rpm_t is the domain for rpm and related utilities in /usr/lib/rpm
+# rpm_exec_t is the type of the rpm executables.
+# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
+# rpm_var_lib_t is the type for rpm files in /var/lib
+#
+type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade;
+role system_r types rpm_t;
+uses_shlib(rpm_t)
+type rpm_exec_t, file_type, sysadmfile, exec_type;
+
+general_domain_access(rpm_t)
+can_ps(rpm_t, domain)
+allow rpm_t self:process setrlimit;
+system_crond_entry(rpm_exec_t, rpm_t)
+role sysadm_r types rpm_t;
+domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
+
+type rpm_file_t, file_type, sysadmfile;
+
+tmp_domain(rpm)
+
+tmpfs_domain(rpm)
+
+log_domain(rpm)
+
+can_network(rpm_t)
+allow rpm_t port_type:tcp_socket name_connect;
+can_ypbind(rpm_t)
+
+# Allow the rpm domain to execute other programs
+can_exec_any(rpm_t)
+
+# Capabilties needed by rpm utils
+allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod };
+
+# Access /var/lib/rpm files
+var_lib_domain(rpm)
+allow userdomain var_lib_t:dir { getattr search };
+r_dir_file(userdomain, rpm_var_lib_t)
+r_dir_file(rpm_t, proc_t)
+
+allow rpm_t sysfs_t:dir r_dir_perms;
+allow rpm_t usbdevfs_t:dir r_dir_perms;
+
+# for installing kernel packages
+allow rpm_t fixed_disk_device_t:blk_file { getattr read };
+
+# Access terminals.
+allow rpm_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;')
+allow rpm_t privfd:fd use;
+allow rpm_t devtty_t:chr_file rw_file_perms;
+
+domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t)
+domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)
+
+ifdef(`cups.te', `
+r_dir_file(cupsd_t, rpm_var_lib_t)
+allow cupsd_t initrc_exec_t:file { getattr read };
+domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
+')
+
+# for a bug in rm
+dontaudit initrc_t pidfile:file write;
+
+# bash tries to access a block device in the initrd
+dontaudit initrc_t unlabeled_t:blk_file getattr;
+
+# bash tries ioctl for some reason
+dontaudit initrc_t pidfile:file ioctl;
+
+allow rpm_t autofs_t:dir { search getattr };
+allow rpm_t autofs_t:filesystem getattr;
+allow rpm_script_t autofs_t:dir { search getattr };
+allow rpm_t devpts_t:dir { setattr r_dir_perms };
+allow rpm_t { devpts_t proc_t usbdevfs_t fs_t }:filesystem getattr;
+dontaudit rpm_t security_t:filesystem getattr;
+can_getcon(rpm_t)
+can_setfscreate(rpm_t)
+can_setexec(rpm_t)
+read_sysctl(rpm_t)
+general_domain_access(rpm_script_t)
+
+# read/write/create any files in the system
+allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
+allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
+allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
+allow rpm_t sysfs_t:filesystem getattr;
+allow rpm_t tmpfs_t:filesystem getattr;
+dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
+# needs rw permission to the directory for an rpm package that includes a mount
+# point
+allow rpm_t fs_type:dir { setattr rw_dir_perms };
+allow rpm_t fs_type:filesystem getattr;
+
+# allow compiling and loading new policy
+create_dir_file(rpm_t, { policy_src_t policy_config_t })
+
+can_getsecurity({ rpm_t rpm_script_t })
+dontaudit rpm_t shadow_t:file { getattr read };
+allow rpm_t urandom_device_t:chr_file read;
+allow rpm_t { device_t device_type }:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
+allow rpm_t ttyfile:chr_file unlink;
+allow rpm_script_t tty_device_t:chr_file getattr;
+allow rpm_script_t devpts_t:dir search;
+allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;
+
+allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
+
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privmail, privrole, priv_system_role, mlsfileread, mlsfilewrite;
+# policy for rpm scriptlet
+role system_r types rpm_script_t;
+uses_shlib(rpm_script_t)
+read_locale(rpm_script_t)
+
+can_ps(rpm_script_t, domain)
+
+ifdef(`lpd.te', `
+can_exec(rpm_script_t, printconf_t)
+')
+
+read_sysctl(rpm_script_t)
+
+type rpm_script_exec_t, file_type, sysadmfile, exec_type;
+
+role sysadm_r types rpm_script_t;
+domain_trans(rpm_t, shell_exec_t, rpm_script_t)
+ifdef(`hide_broken_symptoms', `
+ifdef(`pamconsole.te', `
+domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
+')
+')
+
+tmp_domain(rpm_script)
+
+tmpfs_domain(rpm_script)
+
+# Allow the rpm domain to execute other programs
+can_exec_any(rpm_script_t)
+
+# Capabilties needed by rpm scripts utils
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+
+# ideally we would not need this
+allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms;
+allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
+allow rpm_script_t { device_t device_type }:{ chr_file blk_file } create_file_perms;
+
+# for kernel package installation
+ifdef(`mount.te', `
+allow mount_t rpm_t:fifo_file rw_file_perms;
+')
+
+# Commonly used from postinst scripts
+ifdef(`consoletype.te', `
+allow consoletype_t rpm_t:fifo_file r_file_perms;
+')
+ifdef(`crond.te', `
+allow crond_t rpm_t:fifo_file r_file_perms;
+')
+
+allow rpm_script_t proc_t:dir r_dir_perms;
+allow rpm_script_t proc_t:{ file lnk_file } r_file_perms;
+
+allow rpm_script_t devtty_t:chr_file rw_file_perms;
+allow rpm_script_t devpts_t:dir r_dir_perms;
+allow rpm_script_t admin_tty_type:chr_file rw_file_perms;
+allow rpm_script_t etc_runtime_t:file { getattr read };
+allow rpm_script_t privfd:fd use;
+allow rpm_script_t rpm_tmp_t:file { getattr read ioctl };
+
+allow rpm_script_t urandom_device_t:chr_file read;
+
+ifdef(`ssh-agent.te', `
+domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
+')
+
+ifdef(`useradd.te', `
+domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t)
+domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t)
+role system_r types { useradd_t groupadd_t };
+allow { useradd_t groupadd_t } rpm_t:fd use;
+allow { useradd_t groupadd_t } rpm_t:fifo_file { read write };
+')
+
+domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t)
+
+domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
+domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
+role sysadm_r types initrc_t;
+domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
+ifdef(`bootloader.te', `
+domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
+allow bootloader_t rpm_t:fifo_file rw_file_perms;
+')
+
+domain_auto_trans(rpm_script_t, load_policy_exec_t, load_policy_t)
+
+rw_dir_file(rpm_script_t, nfs_t)
+allow rpm_script_t nfs_t:filesystem getattr;
+
+allow rpm_script_t fs_t:filesystem { getattr mount unmount };
+allow rpm_script_t rpm_script_tmp_t:dir mounton;
+can_exec(rpm_script_t, usr_t)
+can_exec(rpm_script_t, sbin_t)
+
+allow rpm_t mount_t:tcp_socket write;
+create_dir_file(rpm_t, nfs_t)
+allow rpm_t { removable_t nfs_t }:filesystem getattr;
+
+allow rpm_script_t userdomain:fd use;
+
+allow domain rpm_t:fifo_file r_file_perms;
+allow domain rpm_t:fd use;
+
+ifdef(`ssh.te', `
+allow sshd_t rpm_script_t:fd use;
+allow sshd_t rpm_t:fd use;
+')
+
+dontaudit rpm_script_t shadow_t:file getattr;
+allow rpm_script_t sysfs_t:dir r_dir_perms;
+
+ifdef(`prelink.te', `
+domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
+')
+
+allow rpm_t rpc_pipefs_t:dir search;
+allow rpm_script_t init_t:dir search;
+
+type rpmbuild_exec_t, file_type, sysadmfile, exec_type;
+type rpmbuild_t, domain;
+allow rpmbuild_t policy_config_t:dir search;
+allow rpmbuild_t policy_src_t:dir search;
+allow rpmbuild_t policy_src_t:file { getattr read };
+can_getsecurity(rpmbuild_t)
+
+allow rpm_script_t domain:process { signal signull };
+
+# Access /var/lib/rpm.
+allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
+allow initrc_t rpm_var_lib_t:file create_file_perms;
+
+ifdef(`unlimitedRPM', `
+typeattribute rpm_t auth_write;
+unconfined_domain(rpm_t)
+typeattribute rpm_script_t auth_write;
+unconfined_domain(rpm_script_t)
+')
+if (allow_execmem) {
+allow rpm_script_t self:process execmem;
+}
+
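Review bot: `rpm_script_t` is used in rules from the `cups.te` block onward (`domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)`, `allow rpm_script_t autofs_t:dir { search getattr };`, `general_domain_access(rpm_script_t)`) well before its `type rpm_script_t, ...` declaration; move that declaration up next to `rpm_t` so the two domains' attribute lists can be compared side by side (rpm_t carries `mlsfileupgrade` and rpm_script_t does not, which is easy to miss as written). Also, `allow domain rpm_t:fifo_file r_file_perms;` and `allow domain rpm_t:fd use;` let every domain on the system read rpm's pipes, while the per-program rules above them (`consoletype_t`, `crond_t`, `mount_t`, `bootloader_t`, `insmod_t depmod_t`) suggest the intended set is much smaller; either drop the blanket rules or comment why the specific ones are still listed. Minor: `{ file_type -shadow_t }` and `{ file_type - shadow_t }` are spelled both ways, the `X-Debian-Packages:` header is empty, and the hunk ends with a stray blank line.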
diff --git a/mls/domains/program/rshd.te b/mls/domains/program/rshd.te
new file mode 100644
index 0000000..39976c5
--- /dev/null
+++ b/mls/domains/program/rshd.te
@@ -0,0 +1,65 @@
+#DESC RSHD - RSH daemon
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: rsh-server rsh-redone-server
+# Depends: inetd.te
+#
+
+#################################
+#
+# Rules for the rshd_t domain.
+#
+daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
+
+ifdef(`tcpd.te', `
+domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
+')
+
+# Use sockets inherited from inetd.
+allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;
+
+# Use capabilities.
+allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
+
+# Use the network.
+can_network_server(rshd_t)
+allow rshd_t rsh_port_t:tcp_socket name_bind;
+
+allow rshd_t etc_t:file { getattr read };
+read_locale(rshd_t)
+allow rshd_t self:unix_dgram_socket create_socket_perms;
+allow rshd_t self:unix_stream_socket create_stream_socket_perms;
+allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
+can_kerberos(rshd_t)
+allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
+allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
+ifdef(`rlogind.te', `
+allow rshd_t rlogind_tmp_t:file rw_file_perms;
+')
+allow rshd_t urandom_device_t:chr_file { getattr read };
+
+# Read the user's .rhosts file.
+allow rshd_t home_type:file  r_file_perms ;
+
+# Random reasons
+can_getsecurity(rshd_t)
+can_setexec(rshd_t)
+r_dir_file(rshd_t, selinux_config_t)
+r_dir_file(rshd_t, default_context_t)
+read_sysctl(rshd_t);
+
+if (use_nfs_home_dirs) {
+r_dir_file(rshd_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+r_dir_file(rshd_t, cifs_t)
+}
+
+allow rshd_t self:process { fork signal setsched setpgid };
+allow rshd_t self:fifo_file rw_file_perms;
+
+ifdef(`targeted_policy', `
+unconfined_domain(rshd_t)
+domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
+')
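Review bot: the `targeted_policy` block makes `rshd_t` an unconfined domain and transitions its shells to `unconfined_t`, which renders every rule above it moot in that configuration; state that intent in a comment so nobody tightens the rules above expecting them to matter on targeted. Smaller points: `# Random reasons` should say what the `can_getsecurity` / `can_setexec` / `default_context_t` rules are for (presumably selecting the user's login context); `allow rshd_t home_type:file  r_file_perms ;` has stray spacing and reads every file under the home directory, not just .rhosts as the comment implies; `read_sysctl(rshd_t);` has a trailing semicolon; and the capability set is missing a space before its closing brace.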
diff --git a/mls/domains/program/rsync.te b/mls/domains/program/rsync.te
new file mode 100644
index 0000000..bed52a3
--- /dev/null
+++ b/mls/domains/program/rsync.te
@@ -0,0 +1,18 @@
+#DESC rsync - flexible replacement for rcp
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the rsync_t domain.
+#
+# rsync_exec_t is the type of the rsync executable.
+#
+
+inetd_child_domain(rsync)
+type rsync_data_t, file_type, sysadmfile;
+r_dir_file(rsync_t, rsync_data_t)
+anonymous_domain(rsync)
+allow rsync_t self:capability sys_chroot;
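Review bot: `r_dir_file(rsync_t, rsync_data_t)` is the only data access granted, so an rsync started from inetd under this policy can only serve read-only modules; that is a sensible default but should be stated in the header so an administrator does not expect a writable module to work without a policy change. The `# Depends: inetd.te` line also sits after an empty comment line rather than inside the header block where the other files place it.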
diff --git a/mls/domains/program/samba.te b/mls/domains/program/samba.te
new file mode 100644
index 0000000..2e7b587
--- /dev/null
+++ b/mls/domains/program/samba.te
@@ -0,0 +1,226 @@
+#DESC SAMBA - SMB file server
+#
+# Author: Ryan Bergauer (bergauer@rice.edu)
+# X-Debian-Packages: samba
+#
+
+#################################
+#
+# Declarations for Samba
+#
+
+daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
+daemon_domain(nmbd)
+type samba_etc_t, file_type, sysadmfile, usercanread;
+type samba_log_t, file_type, sysadmfile, logfile;
+type samba_var_t, file_type, sysadmfile;
+type samba_share_t, file_type, sysadmfile, customizable;
+type samba_secrets_t, file_type, sysadmfile;
+
+# for /var/run/samba/messages.tdb
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+
+allow smbd_t self:process setrlimit;
+
+# not sure why it needs this
+tmp_domain(smbd)
+
+# Allow samba to search mnt_t for potential mounted dirs
+allow smbd_t mnt_t:dir r_dir_perms;
+
+ifdef(`crond.te', `
+allow system_crond_t samba_etc_t:file { read getattr lock };
+allow system_crond_t samba_log_t:file { read getattr lock };
+#allow system_crond_t samba_secrets_t:file { read getattr lock };
+')
+
+#################################
+#
+# Rules for the smbd_t domain.
+#
+
+# Permissions normally found in every_domain.
+general_domain_access(smbd_t)
+general_proc_read_access(smbd_t)
+
+allow smbd_t smbd_port_t:tcp_socket name_bind;
+
+# Use capabilities.
+allow smbd_t self:capability { fowner setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
+
+# Use the network.
+can_network(smbd_t)
+nsswitch_domain(smbd_t)
+can_kerberos(smbd_t)
+allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
+
+allow smbd_t urandom_device_t:chr_file { getattr read };
+
+# Permissions for Samba files in /etc/samba
+# either allow read access to the directory or allow the auto_trans rule to
+# allow creation of the secrets.tdb file and the MACHINE.SID file
+#allow smbd_t samba_etc_t:dir { search getattr };
+file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
+
+allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
+
+# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
+allow smbd_t var_lib_t:dir search;
+create_dir_file(smbd_t, samba_var_t)
+
+# Needed for shared printers
+allow smbd_t var_spool_t:dir search;
+
+# Permissions to write log files.
+allow smbd_t samba_log_t:file { create ra_file_perms };
+allow smbd_t var_log_t:dir search;
+allow smbd_t samba_log_t:dir ra_dir_perms;
+dontaudit smbd_t samba_log_t:dir remove_name;
+
+ifdef(`hide_broken_symptoms', `
+dontaudit smbd_t { usbfs_t security_t devpts_t boot_t default_t tmpfs_t }:dir getattr;
+dontaudit smbd_t devpts_t:dir getattr;
+')
+allow smbd_t fs_t:filesystem quotaget;
+
+allow smbd_t usr_t:file { getattr read };
+
+# Access Samba shares.
+create_dir_file(smbd_t, samba_share_t)
+
+anonymous_domain(smbd)
+
+ifdef(`logrotate.te', `
+# the application should be changed
+can_exec(logrotate_t, samba_log_t)
+')
+#################################
+#
+# Rules for the nmbd_t domain.
+#
+
+# Permissions normally found in every_domain.
+general_domain_access(nmbd_t)
+general_proc_read_access(nmbd_t)
+
+allow nmbd_t nmbd_port_t:udp_socket name_bind;
+
+# Use capabilities.
+allow nmbd_t self:capability net_bind_service;
+
+# Use the network.
+can_network_server(nmbd_t)
+
+# Permissions for Samba files in /etc/samba
+allow nmbd_t samba_etc_t:file { getattr read };
+allow nmbd_t samba_etc_t:dir { search getattr };
+
+# Permissions for Samba cache files in /var/cache/samba
+allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
+allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
+
+allow nmbd_t usr_t:file { getattr read };
+
+# Permissions to write log files.
+allow nmbd_t samba_log_t:file { create ra_file_perms };
+allow nmbd_t var_log_t:dir search;
+allow nmbd_t samba_log_t:dir ra_dir_perms;
+allow nmbd_t etc_t:file { getattr read };
+ifdef(`cups.te', `
+allow smbd_t cupsd_rw_etc_t:file { getattr read };
+')
+# Needed for winbindd
+allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
+
+# Support Samba sharing of home directories
+bool samba_enable_home_dirs false;
+
+ifdef(`mount.te', `
+#
+# Domain for running smbmount
+#
+
+# Derive from app. domain. Transition from mount.
+application_domain(smbmount, `, fs_domain, nscd_client_domain')
+domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
+
+# Capabilities
+# FIXME: is all of this really necessary?
+allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
+
+# Access samba config
+allow smbmount_t samba_etc_t:file r_file_perms;
+allow smbmount_t samba_etc_t:dir r_dir_perms;
+allow initrc_t samba_etc_t:file rw_file_perms;
+
+# Write samba log
+allow smbmount_t samba_log_t:file create_file_perms;
+allow smbmount_t samba_log_t:dir r_dir_perms; 
+
+# Write stuff in var
+allow smbmount_t var_log_t:dir r_dir_perms;
+rw_dir_create_file(smbmount_t, samba_var_t)
+
+# Access mtab
+file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
+
+# Read nsswitch.conf
+allow smbmount_t etc_t:file r_file_perms;
+
+# Networking
+can_network(smbmount_t)
+allow smbmount_t port_type:tcp_socket name_connect;
+can_ypbind(smbmount_t)
+allow smbmount_t self:unix_dgram_socket create_socket_perms;
+allow smbmount_t self:unix_stream_socket create_socket_perms;
+allow kernel_t smbmount_t:tcp_socket { read write };
+allow userdomain smbmount_t:tcp_socket write;
+
+# Proc
+# FIXME: is this necessary?
+r_dir_file(smbmount_t, proc_t)
+
+# Fork smbmnt 
+allow smbmount_t bin_t:dir r_dir_perms;
+can_exec(smbmount_t, smbmount_exec_t)
+allow smbmount_t self:process { fork signal_perms };
+
+# Mount 
+allow smbmount_t cifs_t:filesystem mount_fs_perms;
+allow smbmount_t cifs_t:dir r_dir_perms;
+allow smbmount_t mnt_t:dir r_dir_perms;
+allow smbmount_t mnt_t:dir mounton;
+
+# Terminal
+read_locale(smbmount_t) 
+access_terminal(smbmount_t, sysadm)
+allow smbmount_t userdomain:fd use;
+allow smbmount_t local_login_t:fd use;
+')
+# Derive from app. domain. Transition from mount.
+application_domain(samba_net, `, nscd_client_domain')
+role system_r types samba_net_t;
+in_user_role(samba_net_t)
+file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
+read_locale(samba_net_t) 
+allow samba_net_t samba_etc_t:file r_file_perms;
+r_dir_file(samba_net_t, samba_var_t)
+can_network_udp(samba_net_t)
+access_terminal(samba_net_t, sysadm)
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+rw_dir_create_file(samba_net_t, samba_var_t)
+allow samba_net_t etc_t:file { getattr read };
+can_network_client(samba_net_t)
+allow samba_net_t smbd_port_t:tcp_socket name_connect;
+can_ldap(samba_net_t)
+can_kerberos(samba_net_t)
+allow samba_net_t urandom_device_t:chr_file r_file_perms;
+allow samba_net_t proc_t:dir search;
+allow samba_net_t proc_t:lnk_file read;
+allow samba_net_t self:dir search;
+allow samba_net_t self:file read;
+allow samba_net_t self:process signal;
+tmp_domain(samba_net)
+dontaudit samba_net_t sysadm_home_dir_t:dir search;
+allow samba_net_t privfd:fd use;
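Review bot: the `ifdef(`cups.te', ...)` block that grants smbd_t read access to cupsd_rw_etc_t is placed in the nmbd_t section and tests a different file name from the `ifdef(`cupsd.te', ...)` guard that snmpd.te in this same patch uses for the same type; settle on the spelling of the .te file that actually exists (otherwise one of the two rules is silently never emitted) and move the smbd_t rule up with the other smbd_t rules. Likewise `allow initrc_t samba_etc_t:file rw_file_perms;` is nested inside the `ifdef(`mount.te', ...)` smbmount block although it has nothing to do with smbmount, so initrc_t loses write access to the Samba config whenever mount.te is absent; hoist it out of the ifdef. The `# FIXME: is all of this really necessary?` above the smbmount_t capability set should be resolved before merge, since `sys_rawio` and `sys_admin` are the broadest capabilities in that list.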
diff --git a/mls/domains/program/saslauthd.te b/mls/domains/program/saslauthd.te
new file mode 100644
index 0000000..f614094
--- /dev/null
+++ b/mls/domains/program/saslauthd.te
@@ -0,0 +1,42 @@
+#DESC saslauthd - Authentication daemon for SASL
+#
+# Author: Colin Walters <walters@verbum.org>
+#
+
+daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
+
+allow saslauthd_t self:fifo_file { read write };
+allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
+allow saslauthd_t var_lib_t:dir search;
+
+allow saslauthd_t etc_t:dir { getattr search };
+allow saslauthd_t etc_t:file r_file_perms;
+allow saslauthd_t net_conf_t:file r_file_perms;
+
+allow saslauthd_t self:file r_file_perms;
+allow saslauthd_t proc_t:file { getattr read };
+
+allow saslauthd_t urandom_device_t:chr_file { getattr read }; 
+
+# Needs investigation
+dontaudit saslauthd_t home_root_t:dir getattr;
+can_network_client_tcp(saslauthd_t)
+allow saslauthd_t pop_port_t:tcp_socket name_connect;
+
+bool allow_saslauthd_read_shadow false;
+
+if (allow_saslauthd_read_shadow) {
+allow saslauthd_t shadow_t:file r_file_perms;
+}
+dontaudit saslauthd_t selinux_config_t:dir search;
+dontaudit saslauthd_t selinux_config_t:file { getattr read };
+
+
+dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;
+ifdef(`mysqld.te', `
+allow saslauthd_t mysqld_db_t:dir search;
+allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
+')
+dontaudit saslauthd_t self:capability setuid;
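Review bot: the `allow_saslauthd_read_shadow` boolean has no comment saying when an administrator would need it; since `daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')` already gives the domain the unix_chkpwd path, add a comment naming the configuration that needs direct `shadow_t` read and stating that the default stays false. The `# Needs investigation` above `dontaudit saslauthd_t home_root_t:dir getattr;` should record what was observed, otherwise nobody can close it later. Style: the double blank line before the `initrc_t:unix_stream_socket connectto` dontaudit.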
diff --git a/mls/domains/program/screen.te b/mls/domains/program/screen.te
new file mode 100644
index 0000000..e9be1a0
--- /dev/null
+++ b/mls/domains/program/screen.te
@@ -0,0 +1,13 @@
+#DESC screen - Program to detach sessions
+#
+# X-Debian-Packages: screen
+# Domains for the screen program.
+
+#
+# screen_exec_t is the type of the screen executable.
+#
+type screen_exec_t, file_type, sysadmfile, exec_type;
+type screen_dir_t, file_type, sysadmfile, pidfile;
+
+# Everything else is in the screen_domain macro in
+# macros/program/screen_macros.te.
diff --git a/mls/domains/program/sendmail.te b/mls/domains/program/sendmail.te
new file mode 100644
index 0000000..f3f9b71
--- /dev/null
+++ b/mls/domains/program/sendmail.te
@@ -0,0 +1,136 @@
+#DESC Sendmail - Mail server
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: sendmail sendmail-wide
+# Depends: mta.te
+#
+
+#################################
+#
+# Rules for the sendmail_t domain.
+#
+# sendmail_t is the domain for the sendmail 
+# daemon started by the init rc scripts.
+#
+
+daemon_base_domain(sendmail_launch)
+
+allow sendmail_launch_t { etc_t proc_t etc_runtime_t self }:file { getattr read };
+allow sendmail_launch_t { bin_t sbin_t etc_t }:lnk_file { getattr read };
+allow sendmail_launch_t { bin_t sbin_t }:dir search;
+can_exec(sendmail_launch_t, { etc_t bin_t sbin_t shell_exec_t })
+access_terminal(sendmail_launch_t, sysadm)
+ifdef(`consoletype.te', `
+domain_auto_trans(sendmail_launch_t, consoletype_exec_t, consoletype_t)
+')
+read_locale(sendmail_launch_t)
+r_dir_file(sendmail_launch_t, etc_mail_t)
+allow sendmail_launch_t self:fifo_file rw_file_perms;
+allow sendmail_launch_t self:capability { chown kill sys_nice };
+allow sendmail_launch_t self:unix_stream_socket create_stream_socket_perms;
+can_ps(sendmail_launch_t, sendmail_t)
+dontaudit sendmail_launch_t domain:dir search;
+allow sendmail_launch_t sendmail_t:process signal;
+ifdef(`distro_redhat', `
+lock_domain(sendmail_launch)
+')
+dontaudit sendmail_launch_t mnt_t:dir search;
+allow sendmail_launch_t devpts_t:dir search;
+
+file_type_auto_trans(sendmail_launch_t, var_run_t, sendmail_var_run_t, file)
+
+daemon_core_rules(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender')
+
+# stuff from daemon_domain and daemon_base_domain because we can not have an
+# automatic transition from initrc_t
+rhgb_domain(sendmail_t)
+read_sysctl(sendmail_t)
+domain_auto_trans(sendmail_launch_t, sendmail_exec_t, sendmail_t)
+allow sendmail_t privfd:fd use;
+allow { sendmail_t sendmail_launch_t } var_t:dir { getattr search };
+var_run_domain(sendmail)
+allow sendmail_t { ttyfile devtty_t }:chr_file rw_file_perms;
+dontaudit { sendmail_t sendmail_launch_t } sysadm_home_dir_t:dir search;
+read_locale(sendmail_t)
+allow sendmail_t fs_t:filesystem getattr;
+
+
+tmp_domain(sendmail)
+logdir_domain(sendmail)
+
+# Use capabilities
+allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
+
+# Use the network.
+can_network(sendmail_t)
+allow sendmail_t port_type:tcp_socket name_connect;
+can_ypbind(sendmail_t)
+
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+allow sendmail_t self:unix_dgram_socket create_socket_perms;
+allow sendmail_t self:fifo_file rw_file_perms;
+
+# Bind to the SMTP port.
+allow sendmail_t smtp_port_t:tcp_socket name_bind;
+
+allow sendmail_t etc_t:file { getattr read };
+
+# Write to /etc/aliases and /etc/mail.
+allow sendmail_t etc_aliases_t:file { setattr rw_file_perms };
+
+allow sendmail_t etc_mail_t:dir rw_dir_perms;
+allow sendmail_t etc_mail_t:file create_file_perms;
+
+# Write to /var/spool/mail and /var/spool/mqueue.
+allow sendmail_t var_spool_t:dir { getattr search };
+allow sendmail_t mail_spool_t:dir rw_dir_perms;
+allow sendmail_t mail_spool_t:file create_file_perms;
+allow sendmail_t mqueue_spool_t:dir rw_dir_perms;
+allow sendmail_t mqueue_spool_t:file create_file_perms;
+allow sendmail_t urandom_device_t:chr_file { getattr read };
+
+# Read /usr/lib/sasl2/.*
+allow sendmail_t lib_t:file { getattr read };
+
+# When sendmail runs as user_mail_domain, it needs some extra permissions
+# to update /etc/mail/statistics.
+allow user_mail_domain etc_mail_t:file rw_file_perms;
+
+# Silently deny attempts to access /root.
+dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+
+# Run procmail in its own domain, if defined.
+ifdef(`procmail.te',`
+domain_auto_trans(sendmail_t, procmail_exec_t, procmail_t)
+domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
+allow sendmail_t bin_t:dir { getattr search };
+')
+
+read_sysctl(sendmail_t)
+read_sysctl(system_mail_t)
+
+allow system_mail_t etc_mail_t:dir { getattr search };
+allow system_mail_t etc_runtime_t:file { getattr read };
+allow system_mail_t proc_t:dir search;
+allow system_mail_t proc_t:file { getattr read };
+allow system_mail_t proc_t:lnk_file read;
+dontaudit system_mail_t proc_net_t:dir search;
+allow system_mail_t fs_t:filesystem getattr;
+allow system_mail_t self:dir { getattr search };
+allow system_mail_t var_t:dir getattr;
+allow system_mail_t var_spool_t:dir getattr;
+dontaudit system_mail_t userpty_type:chr_file { getattr read write };
+
+# sendmail -q 
+allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
+allow system_mail_t mqueue_spool_t:file create_file_perms;
+
+ifdef(`crond.te', `
+dontaudit system_mail_t system_crond_tmp_t:file append;
+')
+dontaudit sendmail_t admin_tty_type:chr_file rw_file_perms;
+
+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
+allow sendmail_t initrc_var_run_t:file { getattr read };
+dontaudit sendmail_t initrc_var_run_t:file { lock write };
+
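Review bot: `allow user_mail_domain etc_mail_t:file rw_file_perms;` gives every user mail domain write access to all files labelled etc_mail_t, not only /etc/mail/statistics as the comment above it says; label the statistics file with its own type and grant rw on that type only. Also `read_sysctl(sendmail_t)` is called twice (once in the block after `daemon_core_rules(sendmail, ...)` and again after the procmail ifdef); drop one. The trailing empty `+` line at the end of the file is unneeded.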
diff --git a/mls/domains/program/setfiles.te b/mls/domains/program/setfiles.te
new file mode 100644
index 0000000..85bcd4c
--- /dev/null
+++ b/mls/domains/program/setfiles.te
@@ -0,0 +1,66 @@
+#DESC Setfiles - SELinux filesystem labeling utilities
+#
+# Authors:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: policycoreutils
+#
+
+#################################
+#
+# Rules for the setfiles_t domain.
+#
+# setfiles_exec_t is the type of the setfiles executable.
+#
+# needs auth_write attribute because it has relabelfrom/relabelto
+# access to shadow_t
+type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
+type setfiles_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types setfiles_t;
+role sysadm_r types setfiles_t;
+role secadm_r types setfiles_t;
+
+ifdef(`distro_redhat', `
+domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
+')
+can_access_pty(hostname_t, initrc)
+allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
+
+allow setfiles_t self:unix_dgram_socket create_socket_perms;
+
+domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
+allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
+
+uses_shlib(setfiles_t)
+allow setfiles_t self:capability { dac_override dac_read_search fowner };
+
+# for upgrading glibc and other shared objects - without this the upgrade
+# scripts will put things in a state such that setfiles can not be run!
+allow setfiles_t lib_t:file { read execute };
+
+# Get security policy decisions.
+can_getsecurity(setfiles_t)
+
+r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
+
+allow setfiles_t file_type:dir r_dir_perms;
+allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
+allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
+allow setfiles_t unlabeled_t:dir read;
+allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
+allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
+# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal
+dontaudit setfiles_t ttyfile:chr_file relabelfrom;
+
+allow setfiles_t fs_t:filesystem getattr;
+allow setfiles_t fs_type:dir r_dir_perms;
+
+read_locale(setfiles_t)
+
+allow setfiles_t etc_runtime_t:file { getattr read };
+allow setfiles_t etc_t:file { getattr read };
+allow setfiles_t proc_t:file { getattr read };
+dontaudit setfiles_t proc_t:lnk_file { getattr read };
+
+# for config files in a home directory
+allow setfiles_t home_type:file r_file_perms;
+dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;
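Review bot: `can_access_pty(hostname_t, initrc)` does not belong in setfiles.te; it is a rule for hostname_t in a file that is otherwise entirely about setfiles_t and will be lost or duplicated when either file is reworked, so move it to the hostname policy (or delete it if that file already has it). Also, the closing `dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;` expresses the same intent as the commented `dontaudit setfiles_t ttyfile:chr_file relabelfrom;` in the middle of the file; group the two under that comment.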
diff --git a/mls/domains/program/slapd.te b/mls/domains/program/slapd.te
new file mode 100644
index 0000000..4983870
--- /dev/null
+++ b/mls/domains/program/slapd.te
@@ -0,0 +1,78 @@
+#DESC Slapd - OpenLDAP server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: slapd
+#
+
+#################################
+#
+# Rules for the slapd_t domain.
+#
+# slapd_exec_t is the type of the slapd executable.
+#
+daemon_domain(slapd)
+
+allow slapd_t ldap_port_t:tcp_socket name_bind;
+
+etc_domain(slapd)
+type slapd_db_t, file_type, sysadmfile;
+type slapd_replog_t, file_type, sysadmfile;
+
+tmp_domain(slapd)
+
+# Use the network.
+can_network(slapd_t)
+allow slapd_t port_type:tcp_socket name_connect;
+can_ypbind(slapd_t)
+allow slapd_t self:fifo_file rw_file_perms;
+allow slapd_t self:unix_stream_socket create_stream_socket_perms;
+file_type_auto_trans(slapd_t,var_run_t,slapd_var_run_t,sock_file)
+allow slapd_t self:unix_dgram_socket create_socket_perms;
+# allow any domain to connect to the LDAP server
+can_tcp_connect(domain, slapd_t)
+
+# Use capabilities  should not need kill...
+allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search };
+allow slapd_t self:process setsched;
+
+allow slapd_t proc_t:file r_file_perms;
+
+# Allow access to the slapd databases
+create_dir_file(slapd_t, slapd_db_t)
+allow initrc_t slapd_db_t:dir r_dir_perms;
+allow slapd_t var_lib_t:dir r_dir_perms;
+
+# Allow access to write the replication log (should tighten this)
+create_dir_file(slapd_t, slapd_replog_t)
+
+# read config files
+allow slapd_t etc_t:{ file lnk_file } { getattr read };
+allow slapd_t etc_runtime_t:file { getattr read };
+
+# for startup script
+allow initrc_t slapd_etc_t:file { getattr read };
+
+allow slapd_t etc_t:dir r_dir_perms;
+
+read_sysctl(slapd_t)
+
+allow slapd_t usr_t:{ lnk_file file } { read getattr };
+allow slapd_t urandom_device_t:chr_file { getattr read ioctl };
+allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+r_dir_file(slapd_t, cert_t)
+
+
+type slapd_cert_t, file_type, sysadmfile;
+allow slapd_t bin_t:dir search;
+can_exec(slapd_t, bin_t)
+r_dir_file(slapd_t, proc_net_t)
+allow slapd_t self:capability { chown sys_nice };
+allow slapd_t self:file { getattr read };
+allow slapd_t self:process { execstack getsched };
+allow slapd_t sysctl_net_t:dir r_dir_perms;
+lock_domain(slapd)
+create_dir_file(slapd_t, slapd_lock_t)
+dontaudit slapd_t devpts_t:dir search;
+rw_dir_create_file(slapd_t, slapd_cert_t)
+allow slapd_t usr_t:dir { add_name write };
+allow slapd_t usr_t:file { create write };
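Review bot: the two closing rules `allow slapd_t usr_t:dir { add_name write };` and `allow slapd_t usr_t:file { create write };` let the LDAP daemon create and write files in any directory labelled usr_t, with no comment explaining why; if this is for certificates or other generated data under /usr, label that directory with the `slapd_cert_t` type declared just above (which already gets `rw_dir_create_file`) and drop the usr_t write rules. Also the comment `# Use capabilities  should not need kill...` still grants `kill` in the set; either remove the capability or replace the comment with the reason it is needed. Style: `type slapd_cert_t` is declared in the middle of the rules instead of next to `slapd_db_t` and `slapd_replog_t`.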
diff --git a/mls/domains/program/slocate.te b/mls/domains/program/slocate.te
new file mode 100644
index 0000000..8512aab
--- /dev/null
+++ b/mls/domains/program/slocate.te
@@ -0,0 +1,77 @@
+#DESC LOCATE - Security Enhanced version of the GNU Locate
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the locate_t domain.
+#
+# locate_exec_t is the type of the locate executable.
+#
+daemon_base_domain(locate)
+role system_r types locate_t;
+role sysadm_r types locate_t;
+allow locate_t fs_t:filesystem getattr;
+
+ifdef(`crond.te', `
+system_crond_entry(locate_exec_t, locate_t)
+allow system_crond_t locate_log_t:dir rw_dir_perms;
+allow system_crond_t locate_log_t:file { create append getattr };
+allow system_crond_t locate_etc_t:file { getattr read };
+')
+
+allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
+
+allow locate_t { fs_type file_type }:dir r_dir_perms;
+dontaudit locate_t sysctl_t:dir getattr;
+allow locate_t file_type:lnk_file r_file_perms;
+allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
+dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
+dontaudit locate_t security_t:dir getattr;
+dontaudit locate_t shadow_t:file getattr;
+
+allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr;
+allow locate_t unlabeled_t:dir_file_class_set getattr;
+allow locate_t unlabeled_t:dir read;
+
+logdir_domain(locate)
+etcdir_domain(locate)
+
+type locate_var_lib_t, file_type, sysadmfile;
+typealias locate_var_lib_t alias var_lib_locate_t;
+
+create_dir_file(locate_t, locate_var_lib_t)
+dontaudit locate_t sysadmfile:file getattr;
+
+allow locate_t proc_t:file { getattr read };
+allow locate_t self:unix_stream_socket create_socket_perms;
+#
+# Need to be able to exec renice
+#
+can_exec(locate_t, bin_t)
+
+dontaudit locate_t rpc_pipefs_t:dir r_dir_perms;
+dontaudit locate_t rpc_pipefs_t:file getattr;
+
+#
+# Read Mtab file
+#
+allow locate_t etc_runtime_t:file { getattr read };
+
+#
+# Read nsswitch file
+#
+allow locate_t etc_t:file { getattr read };
+dontaudit locate_t self:capability dac_override;
+allow locate_t self:capability dac_read_search;
+
+# sysadm_t runs locate in his own domain.
+# We use a type alias to simplify the rest of the policy,
+# which often refers to $1_locate_t for the user domains.
+typealias sysadm_t alias sysadm_locate_t;
+
+allow locate_t userdomain:fd use;
+ifdef(`cardmgr.te', `
+allow locate_t cardmgr_var_run_t:chr_file getattr;
+')
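Review bot: `dontaudit locate_t sysadmfile:file getattr;` is redundant: every type declared with `sysadmfile` in this section also carries `file_type`, and `allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;` already allows getattr on all of them, so the dontaudit can only ever apply to shadow_t, which already has its own `dontaudit locate_t shadow_t:file getattr;` a few lines up. Drop one of the two.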
diff --git a/mls/domains/program/slrnpull.te b/mls/domains/program/slrnpull.te
new file mode 100644
index 0000000..25edb93
--- /dev/null
+++ b/mls/domains/program/slrnpull.te
@@ -0,0 +1,24 @@
+#DESC slrnpull
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the slrnpull_t domain.
+#
+# slrnpull_exec_t is the type of the slrnpull executable.
+#
+daemon_domain(slrnpull)
+type slrnpull_spool_t, file_type, sysadmfile;
+
+log_domain(slrnpull)
+
+ifdef(`logrotate.te', `
+create_dir_file(logrotate_t, slrnpull_spool_t)
+')
+system_crond_entry(slrnpull_exec_t, slrnpull_t)
+allow userdomain slrnpull_spool_t:dir search;
+rw_dir_create_file(slrnpull_t, slrnpull_spool_t)
+allow slrnpull_t var_spool_t:dir search;
+allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
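Review bot: `system_crond_entry(slrnpull_exec_t, slrnpull_t)` is called unconditionally, whereas slocate.te in this same patch wraps the same macro in `ifdef(`crond.te', ...)`; guard it the same way so the file still builds when crond.te is not part of the policy, as the logrotate rule two lines above already does.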
diff --git a/mls/domains/program/snmpd.te b/mls/domains/program/snmpd.te
new file mode 100644
index 0000000..ea75c8d
--- /dev/null
+++ b/mls/domains/program/snmpd.te
@@ -0,0 +1,85 @@
+#DESC SNMPD - Simple Network Management Protocol daemon
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: snmpd
+#
+
+#################################
+#
+# Rules for the snmpd_t domain.
+#
+daemon_domain(snmpd, `, nscd_client_domain')
+
+#temp
+allow snmpd_t var_t:dir getattr;
+
+can_network_server(snmpd_t)
+can_ypbind(snmpd_t)
+
+allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
+
+etc_domain(snmpd)
+
+# for the .index file
+var_lib_domain(snmpd)
+file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file })
+file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
+allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
+
+log_domain(snmpd)
+# for /usr/share/snmp/mibs
+allow snmpd_t usr_t:file { getattr read };
+
+can_udp_send(sysadm_t, snmpd_t)
+can_udp_send(snmpd_t, sysadm_t)
+
+allow snmpd_t self:unix_dgram_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+allow snmpd_t etc_t:lnk_file read;
+allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
+allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
+allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
+
+allow snmpd_t proc_t:dir search;
+allow snmpd_t proc_t:file r_file_perms;
+allow snmpd_t self:file { getattr read };
+allow snmpd_t self:fifo_file rw_file_perms;
+allow snmpd_t { bin_t sbin_t }:dir search;
+can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
+
+ifdef(`distro_redhat', `
+ifdef(`rpm.te', `
+r_dir_file(snmpd_t, rpm_var_lib_t)
+dontaudit snmpd_t rpm_var_lib_t:dir write;
+dontaudit snmpd_t rpm_var_lib_t:file write;
+')
+')
+
+allow snmpd_t home_root_t:dir search;
+allow snmpd_t initrc_var_run_t:file r_file_perms;
+dontaudit snmpd_t initrc_var_run_t:file write;
+dontaudit snmpd_t rpc_pipefs_t:dir getattr;
+allow snmpd_t rpc_pipefs_t:dir getattr;
+read_sysctl(snmpd_t)
+allow snmpd_t sysctl_net_t:dir search;
+allow snmpd_t sysctl_net_t:file { getattr read };
+
+dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
+allow snmpd_t sysfs_t:dir { getattr read search };
+ifdef(`amanda.te', `
+dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
+')
+ifdef(`cupsd.te', `
+allow snmpd_t cupsd_rw_etc_t:file { getattr read };
+')
+allow snmpd_t var_lib_nfs_t:dir search;
+
+# needed in order to retrieve net traffic data
+allow snmpd_t proc_net_t:dir search;
+allow snmpd_t proc_net_t:file r_file_perms;
+
+allow snmpd_t domain:dir { getattr search };
+allow snmpd_t domain:file { getattr read };
+allow snmpd_t domain:process signull;
+
+dontaudit snmpd_t selinux_config_t:dir search;
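Review bot: `dontaudit snmpd_t rpc_pipefs_t:dir getattr;` is immediately followed by `allow snmpd_t rpc_pipefs_t:dir getattr;`; the allow makes the dontaudit a no-op, so keep only one of them (the allow, if snmpd really needs to stat that directory). The `#temp` comment above `allow snmpd_t var_t:dir getattr;` should say what it is waiting on or be removed. `file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)` also lets the daemon create files directly inside usr_t-labelled directories, which is unusual for a daemon; a comment naming the path under /usr this covers would help the next reviewer.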
diff --git a/mls/domains/program/sound.te b/mls/domains/program/sound.te
new file mode 100644
index 0000000..01f7355
--- /dev/null
+++ b/mls/domains/program/sound.te
@@ -0,0 +1,26 @@
+#DESC Sound - Sound utilities
+#
+# Authors:  Mark Westerman <mark.westerman@.com>
+# X-Debian-Packages: esound
+#
+#################################
+#
+# Rules for the sound_t domain.
+#
+daemon_base_domain(sound)
+type sound_file_t, file_type, sysadmfile;
+allow initrc_t sound_file_t:file { getattr read };
+allow sound_t sound_file_t:file rw_file_perms;
+
+# Use capabilities.
+# Commented out by default.
+#allow sound_t self:capability { sys_admin sys_rawio sys_time dac_override };
+dontaudit sound_t self:capability { sys_admin sys_rawio sys_time dac_read_search dac_override };
+
+# Read and write the sound device.
+allow sound_t sound_device_t:chr_file rw_file_perms;
+
+# Read and write ttys.
+allow sound_t sysadm_tty_device_t:chr_file rw_file_perms;
+read_locale(sound_t)
+allow initrc_t sound_file_t:file { setattr write };
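Review bot: the author line `mark.westerman@.com` is missing the domain part of the address; fix it or drop it. `allow initrc_t sound_file_t:file { setattr write };` at the end of the file extends the earlier `allow initrc_t sound_file_t:file { getattr read };`; merge the two into a single rule next to the type declaration.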
diff --git a/mls/domains/program/spamassassin.te b/mls/domains/program/spamassassin.te
new file mode 100644
index 0000000..d08eaa3
--- /dev/null
+++ b/mls/domains/program/spamassassin.te
@@ -0,0 +1,11 @@
+#DESC Spamassassin
+#
+# Author: Colin Walters <walters@debian.org>
+# X-Debian-Packages: spamassassin
+#
+
+type spamassassin_exec_t, file_type, sysadmfile, exec_type;
+
+bool spamassasin_can_network false;
+
+# Everything else is in spamassassin_macros.te.
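Review bot: the boolean is declared as `spamassasin_can_network` (one `s` dropped) while the file, the package line and the referenced macros file are all spelled `spamassassin`; any `if (spamassassin_can_network)` elsewhere will not match this declaration, so correct the name here and wherever the macros reference it before merge.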
diff --git a/mls/domains/program/spamc.te b/mls/domains/program/spamc.te
new file mode 100644
index 0000000..9b49fbf
--- /dev/null
+++ b/mls/domains/program/spamc.te
@@ -0,0 +1,10 @@
+#DESC Spamc - Spamassassin client
+#
+# Author: Colin Walters <walters@debian.org>
+# X-Debian-Packages: spamc
+# Depends: spamassassin.te
+#
+
+type spamc_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in spamassassin_macros.te.
diff --git a/mls/domains/program/spamd.te b/mls/domains/program/spamd.te
new file mode 100644
index 0000000..26f2a5a
--- /dev/null
+++ b/mls/domains/program/spamd.te
@@ -0,0 +1,57 @@
+#DESC Spamd - Spamassassin daemon
+#
+# Author: Colin Walters <walters@debian.org>
+# X-Debian-Packages: spamassassin
+# Depends: spamassassin.te
+#
+
+daemon_domain(spamd)
+
+tmp_domain(spamd)
+
+general_domain_access(spamd_t)
+uses_shlib(spamd_t)
+read_sysctl(spamd_t)
+
+# Various Perl bits
+allow spamd_t lib_t:file rx_file_perms;
+dontaudit spamd_t shadow_t:file { getattr read };
+dontaudit spamd_t initrc_var_run_t:file { read write lock };
+dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };
+
+can_network_server(spamd_t)
+allow spamd_t spamd_port_t:tcp_socket name_bind;
+allow spamd_t port_type:udp_socket name_bind;
+dontaudit spamd_t reserved_port_type:udp_socket name_bind;
+can_ypbind(spamd_t)
+can_resolve(spamd_t)
+allow spamd_t self:capability net_bind_service;
+
+allow spamd_t proc_t:file { getattr read };
+
+# Spamassassin, when run as root and using per-user config files,
+# setuids to the user running spamc.  Comment this if you are not
+# using this ability.
+allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+
+allow spamd_t { bin_t sbin_t }:dir { getattr search };
+can_exec(spamd_t, bin_t)
+
+ifdef(`sendmail.te', `
+allow spamd_t etc_mail_t:dir { getattr read search };
+allow spamd_t etc_mail_t:file { getattr ioctl read };
+')
+allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };
+
+ifdef(`amavis.te', `
+# for bayes tokens
+allow spamd_t var_lib_t:dir { getattr search };
+rw_dir_create_file(spamd_t, amavisd_lib_t)
+')
+
+allow spamd_t usr_t:file { getattr ioctl read };
+allow spamd_t usr_t:lnk_file { getattr read };
+allow spamd_t urandom_device_t:chr_file { getattr read };
+
+system_crond_entry(spamd_exec_t, spamd_t)
+ifdef(`targeted_policy', `home_domain_access(spamd_t, user)')
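Review bot: the `setuid setgid dac_override sys_tty_config` capability rule is unconditional and its comment tells administrators to edit the policy source if they do not use per-user config files; this patch already uses booleans for exactly this kind of tunable (`allow_saslauthd_read_shadow`, `squid_connect_any`), so gate it with a boolean that defaults to false instead. `allow spamd_t port_type:udp_socket name_bind;` lets spamd bind any UDP port, and if the reserved_port_type types also carry port_type the following `dontaudit ... reserved_port_type:udp_socket name_bind` is a no-op under that allow; if the intent is ephemeral source ports for DNS lookups, say so in a comment and narrow the rule. Also `system_crond_entry(spamd_exec_t, spamd_t)` is not guarded by `ifdef(`crond.te', ...)` as it is in slocate.te.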
diff --git a/mls/domains/program/squid.te b/mls/domains/program/squid.te
new file mode 100644
index 0000000..141518b
--- /dev/null
+++ b/mls/domains/program/squid.te
@@ -0,0 +1,84 @@
+#DESC Squid - Web cache
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: squid
+#
+
+#################################
+#
+# Rules for the squid_t domain.
+#
+# squid_t is the domain the squid process runs in
+ifdef(`apache.te',`
+can_tcp_connect(squid_t, httpd_t)
+')
+bool squid_connect_any false;
+daemon_domain(squid, `, web_client_domain, nscd_client_domain')
+type squid_conf_t, file_type, sysadmfile;
+general_domain_access(squid_t)
+allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
+allow squid_t squid_conf_t:dir r_dir_perms;
+allow squid_t squid_conf_t:lnk_file read;
+
+logdir_domain(squid)
+rw_dir_create_file(initrc_t, squid_log_t)
+
+allow squid_t usr_t:file { getattr read };
+
+# type for /var/cache/squid
+type squid_cache_t, file_type, sysadmfile;
+
+allow squid_t self:capability { setgid setuid net_bind_service dac_override };
+allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
+allow squid_t etc_t:lnk_file read;
+allow squid_t self:unix_stream_socket create_socket_perms;
+allow squid_t self:unix_dgram_socket create_socket_perms;
+allow squid_t self:fifo_file rw_file_perms;
+
+read_sysctl(squid_t)
+
+allow squid_t devtty_t:chr_file rw_file_perms;
+
+allow squid_t { self proc_t }:file { read getattr };
+
+# for when we use /var/spool/cache
+allow squid_t var_spool_t:dir search;
+
+# Grant permissions to create, access, and delete cache files.
+# No type transitions required, as the files inherit the parent directory type.
+create_dir_file(squid_t, squid_cache_t)
+ifdef(`logrotate.te',
+`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
+ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
+
+# Use the network
+can_network(squid_t)
+if (squid_connect_any) {
+allow squid_t port_type:tcp_socket name_connect;
+} 
+can_ypbind(squid_t)
+can_tcp_connect(web_client_domain, squid_t)
+
+# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
+allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:{ tcp_socket udp_socket } name_bind;
+allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+# also allow exec()ing itself
+can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )
+allow squid_t { bin_t sbin_t }:dir search;
+allow squid_t { bin_t sbin_t }:lnk_file read;
+
+dontaudit squid_t { boot_t tmp_t home_root_t security_t devpts_t }:dir getattr;
+ifdef(`targeted_policy', `
+dontaudit squid_t tty_device_t:chr_file { read write };
+')
+allow squid_t urandom_device_t:chr_file { getattr read };
+
+#squid requires the following when run in diskd mode, the recommended setting
+r_dir_file(squid_t, cert_t)
+ifdef(`winbind.te', `
+domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
+allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
+allow winbind_helper_t squid_log_t:file ra_file_perms;
+')
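Review bot: the comment `#squid requires the following when run in diskd mode, the recommended setting` sits above `r_dir_file(squid_t, cert_t)`, which is about reading certificates and has nothing to do with diskd; either the comment is stale or the diskd rule it described went missing, so fix whichever it is. Style: `can_tcp_connect(squid_t, httpd_t)` is written before the `daemon_domain(squid, ...)` call that creates squid_t; moving it below the declaration reads more clearly and matches the other files in this patch.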
diff --git a/mls/domains/program/ssh-agent.te b/mls/domains/program/ssh-agent.te
new file mode 100644
index 0000000..f2e3d84
--- /dev/null
+++ b/mls/domains/program/ssh-agent.te
@@ -0,0 +1,13 @@
+#DESC ssh-agent - agent to securely store ssh-keys
+#
+# Authors:  Thomas Bleher <ThomasBleher@gmx.de>
+#
+# X-Debian-Packages: ssh
+#
+
+# Type for the ssh-agent executable.
+type ssh_agent_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in the ssh_agent_domain macro in
+# macros/program/ssh_agent_macros.te.
+
diff --git a/mls/domains/program/ssh.te b/mls/domains/program/ssh.te
new file mode 100644
index 0000000..367e4c7
--- /dev/null
+++ b/mls/domains/program/ssh.te
@@ -0,0 +1,237 @@
+#DESC SSH - SSH daemon
+#
+# Authors:  Anthony Colatrella (NSA) <amcolat@epoch.ncsc.mil>
+#           Stephen Smalley <sds@epoch.ncsc.mil>
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: ssh
+#
+
+# Allow ssh logins as sysadm_r:sysadm_t
+bool ssh_sysadm_login false;
+
+# allow host key based authentication
+bool allow_ssh_keysign false;
+
+ifdef(`inetd.te', `
+# Allow ssh to run from inetd instead of as a daemon.
+bool run_ssh_inetd false;
+')
+
+# sshd_exec_t is the type of the sshd executable.
+# sshd_key_t is the type of the ssh private key files
+type sshd_exec_t, file_type, exec_type, sysadmfile;
+type sshd_key_t, file_type, sysadmfile;
+
+define(`sshd_program_domain', `
+# privowner is for changing the identity on the terminal device
+# privfd is for passing the terminal file handle to the user process
+# auth_chkpwd is for running unix_chkpwd and unix_verify.
+type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+can_exec($1_t, sshd_exec_t)
+r_dir_file($1_t, self)
+role system_r types $1_t;
+dontaudit $1_t shadow_t:file { getattr read };
+uses_shlib($1_t)
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_t self:fifo_file rw_file_perms;
+allow $1_t self:process { fork sigchld signal setsched setrlimit };
+
+dontaudit $1_t self:lnk_file read;
+
+# do not allow statfs()
+dontaudit $1_t fs_type:filesystem getattr;
+
+allow $1_t bin_t:dir search;
+allow $1_t bin_t:lnk_file read;
+
+# for sshd subsystems, such as sftp-server.
+allow $1_t bin_t:file getattr;
+
+# Read /var.
+allow $1_t var_t:dir { getattr search };
+
+# Read /var/log.
+allow $1_t var_log_t:dir search;
+
+# Read /etc.
+allow $1_t etc_t:dir search;
+# ioctl is for pam_console
+dontaudit $1_t etc_t:file ioctl;
+allow $1_t etc_t:file { getattr read };
+allow $1_t etc_t:lnk_file { getattr read };
+allow $1_t etc_runtime_t:file { getattr read };
+
+# Read and write /dev/tty and /dev/null.
+allow $1_t devtty_t:chr_file rw_file_perms;
+allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
+
+# Read /dev/urandom
+allow $1_t urandom_device_t:chr_file { getattr read };
+
+can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
+can_kerberos($1_t)
+
+allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow $1_t { home_root_t home_dir_type }:dir { search getattr };
+if (use_nfs_home_dirs) {
+allow $1_t autofs_t:dir { search getattr };
+allow $1_t nfs_t:dir { search getattr };
+allow $1_t nfs_t:file { getattr read };
+}
+
+if (use_samba_home_dirs) {
+allow $1_t cifs_t:dir { search getattr };
+allow $1_t cifs_t:file { getattr read };
+}
+
+# Set exec context.
+can_setexec($1_t)
+
+# Update utmp.
+allow $1_t initrc_var_run_t:file rw_file_perms;
+
+# Update wtmp.
+allow $1_t wtmp_t:file rw_file_perms;
+
+# Get security policy decisions.
+can_getsecurity($1_t)
+
+# Allow read access to login context
+r_dir_file( $1_t, default_context_t)
+
+# Access key files
+allow $1_t sshd_key_t:file { getattr read };
+
+# Update /var/log/lastlog.
+allow $1_t lastlog_t:file rw_file_perms;
+
+read_locale($1_t)
+read_sysctl($1_t)
+
+# Can create ptys
+can_create_pty($1, `, server_pty')
+allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
+dontaudit sshd_t userpty_type:chr_file relabelfrom;
+
+allow $1_t faillog_t:file { append getattr };
+allow $1_t sbin_t:file getattr;
+
+# Allow checking users mail at login
+allow $1_t { var_spool_t mail_spool_t }:dir search;
+allow $1_t mail_spool_t:lnk_file read;
+allow $1_t mail_spool_t:file getattr;
+')dnl end sshd_program_domain
+
+# macro for defining which domains a sshd can spawn
+# $1_t is the domain of the sshd, $2 is the domain to be spawned, $3 is the
+# type of the pty for the child
+define(`sshd_spawn_domain', `
+login_spawn_domain($1, $2)
+ifdef(`xauth.te', `
+domain_trans($1_t, xauth_exec_t, $2)
+')
+
+# Relabel and access ptys created by sshd
+# ioctl is necessary for logout() processing for utmp entry and for w to
+# display the tty.
+# some versions of sshd on the new SE Linux require setattr
+allow $1_t $3:chr_file { relabelto read write getattr ioctl setattr };
+
+# inheriting stream sockets is needed for "ssh host command" as no pty
+# is allocated
+allow $2 $1_t:unix_stream_socket rw_stream_socket_perms;
+')dnl end sshd_spawn_domain definition
+
+#################################
+#
+# Rules for the sshd_t domain, et al.
+#
+# sshd_t is the domain for the sshd program.
+# sshd_extern_t is the domain for ssh from outside our network
+#
+sshd_program_domain(sshd)
+if (ssh_sysadm_login) {
+allow sshd_t devpts_t:dir r_dir_perms;
+sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
+} else {
+sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
+}
+
+# for X forwarding
+allow sshd_t xserver_port_t:tcp_socket name_bind;
+
+r_dir_file(sshd_t, selinux_config_t)
+sshd_program_domain(sshd_extern)
+sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type)
+
+# for when the network connection breaks after running newrole -r sysadm_r
+dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
+
+ifdef(`inetd.te', `
+if (run_ssh_inetd) {
+allow inetd_t ssh_port_t:tcp_socket name_bind;
+domain_auto_trans(inetd_t, sshd_exec_t, sshd_t)
+domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
+allow { sshd_t sshd_extern_t } inetd_t:tcp_socket rw_socket_perms;
+allow { sshd_t sshd_extern_t } var_run_t:dir { getattr search };
+allow { sshd_t sshd_extern_t } self:process signal;
+} else {
+')
+can_access_pty({ sshd_t sshd_extern_t }, initrc)
+allow { sshd_t sshd_extern_t } self:capability net_bind_service;
+allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;
+
+# for port forwarding
+can_tcp_connect(userdomain, sshd_t)
+
+domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
+domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+dontaudit initrc_t sshd_key_t:file { getattr read };
+
+# Inherit and use descriptors from init.
+allow { sshd_t sshd_extern_t } init_t:fd use;
+ifdef(`inetd.te', `
+}
+')
+
+# Create /var/run/sshd.pid
+var_run_domain(sshd)
+var_run_domain(sshd_extern)
+
+ifdef(`direct_sysadm_daemon', `
+# Direct execution by sysadm_r.
+domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
+role_transition sysadm_r sshd_exec_t system_r;
+')
+
+undefine(`sshd_program_domain')
+
+# so a tunnel can point to another ssh tunnel...
+can_tcp_connect(sshd_t, sshd_t)
+
+tmp_domain(sshd, `', { dir file sock_file })
+ifdef(`pam.te', `
+can_exec(sshd_t, pam_exec_t)
+')
+
+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
+# and by sysadm_t
+daemon_base_domain(ssh_keygen)
+allow ssh_keygen_t etc_t:file { getattr read };
+file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file)
+
+# Type for the ssh executable.
+type ssh_exec_t, file_type, exec_type, sysadmfile;
+type ssh_keysign_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in the ssh_domain macro in
+# macros/program/ssh_macros.te.
+
+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
+allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
+ifdef(`use_mcs', `
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+')
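Review bot: the `dontaudit sshd_t userpty_type:chr_file relabelfrom;` rule at L14060 hardcodes `sshd_t` inside the `sshd_program_domain` macro, so when the macro is instantiated for `sshd_extern` (L14110) the rule is emitted for `sshd_t` a second time and `sshd_extern_t` never gets it; it should read `dontaudit $1_t userpty_type:chr_file relabelfrom;` like the surrounding `$1_t` rules. A second, smaller point: `allow $1_t port_type:tcp_socket name_connect;` at L14017 lets both sshd domains connect to every labelled port, and the file gives no comment on why that is broader than the `can_tcp_connect(sshd_t, sshd_t)` tunnel case at L14156; a one-line comment there would help the next reader.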
diff --git a/mls/domains/program/stunnel.te b/mls/domains/program/stunnel.te
new file mode 100644
index 0000000..4dbfcec
--- /dev/null
+++ b/mls/domains/program/stunnel.te
@@ -0,0 +1,33 @@
+# DESC: selinux policy for stunnel
+#
+# Author:   petre rodan <kaiowas@gentoo.org>
+#
+ifdef(`distro_gentoo', `
+
+daemon_domain(stunnel)
+
+can_network(stunnel_t)
+allow stunnel_t port_type:tcp_socket name_connect;
+
+allow stunnel_t self:capability { setgid setuid sys_chroot };
+allow stunnel_t self:fifo_file { read write };
+allow stunnel_t self:tcp_socket { read write };
+allow stunnel_t self:unix_stream_socket { connect create };
+
+r_dir_file(stunnel_t, etc_t)
+', `
+inetd_child_domain(stunnel, tcp)
+allow stunnel_t self:capability sys_chroot;
+
+bool stunnel_is_daemon false;
+if (stunnel_is_daemon) {
+# Policy to run stunnel as a daemon should go here.
+allow stunnel_t self:tcp_socket rw_stream_socket_perms;
+allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+}
+')
+
+type stunnel_etc_t, file_type, sysadmfile;
+r_dir_file(stunnel_t, stunnel_etc_t)
+allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
+
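Review bot: `allow stunnel_t stunnel_port_t:tcp_socket { name_bind };` at L14219 sits outside both `ifdef` branches, so it unconditionally grants the bind that the `stunnel_is_daemon` boolean block (L14210-L14214) was meant to gate, making the `name_bind` rule at L14213 dead and giving the inetd-spawned `inetd_child_domain` instance bind rights it does not need. Either move L14219 inside the `if (stunnel_is_daemon)` block (and inside the gentoo branch where `daemon_domain` is used) or drop it and keep only the conditional rule.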
diff --git a/mls/domains/program/su.te b/mls/domains/program/su.te
new file mode 100644
index 0000000..5769d11
--- /dev/null
+++ b/mls/domains/program/su.te
@@ -0,0 +1,26 @@
+#DESC Su - Run shells with substitute user and group
+#
+# Domains for the su program.
+# X-Debian-Packages: login
+
+#
+# su_exec_t is the type of the su executable.
+#
+type su_exec_t, file_type, sysadmfile;
+
+allow sysadm_su_t user_home_dir_type:dir search;
+
+# Everything else is in the su_domain macro in
+# macros/program/su_macros.te.
+
+ifdef(`use_mcs', `
+ifdef(`targeted_policy', `
+range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
+domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
+# allow user to suspend terminal
+allow sysadm_su_t unconfined_t:process signal;
+allow sysadm_su_t self:process { signal sigstop };
+can_exec(sysadm_su_t, bin_t)
+rw_dir_create_file(sysadm_su_t, home_dir_type)
+')
+')
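Review bot: `type su_exec_t, file_type, sysadmfile;` at L14235 omits the `exec_type` attribute that every other executable type in this patch carries (`sshd_exec_t` L13966, `sudo_exec_t` L14266, `sulogin_exec_t` L14288). If the omission is deliberate, add a comment saying why; otherwise add `exec_type` so rules written against the attribute apply to su as well.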
diff --git a/mls/domains/program/sudo.te b/mls/domains/program/sudo.te
new file mode 100644
index 0000000..a1fad31
--- /dev/null
+++ b/mls/domains/program/sudo.te
@@ -0,0 +1,11 @@
+#DESC        sudo - execute a command as another user
+#
+# Authors:  Dan Walsh,  Russell Coker
+# Maintained by Dan Walsh <dwalsh@redhat.com>
+#
+
+# Type for the sudo executable.
+type sudo_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the sudo_domain macro in
+# macros/program/sudo_macros.te.
diff --git a/mls/domains/program/sulogin.te b/mls/domains/program/sulogin.te
new file mode 100644
index 0000000..0bed085
--- /dev/null
+++ b/mls/domains/program/sulogin.te
@@ -0,0 +1,56 @@
+#DESC sulogin - Single-User login
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com>
+#
+# X-Debian-Packages: sysvinit
+
+#################################
+# 
+# Rules for the sulogin_t domain
+#
+
+type sulogin_t, domain, privrole, privowner, privlog, privfd, privuser, auth;
+type sulogin_exec_t, file_type, exec_type, sysadmfile;
+role system_r types sulogin_t;
+
+general_domain_access(sulogin_t)
+
+domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t)
+allow sulogin_t initrc_t:process getpgid;
+uses_shlib(sulogin_t)
+
+# suse and debian do not use pam with sulogin...
+ifdef(`distro_suse', `
+define(`sulogin_no_pam', `')
+')
+ifdef(`distro_debian', `
+define(`sulogin_no_pam', `')
+')
+
+ifdef(`sulogin_no_pam', `
+domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
+allow sulogin_t init_t:process getpgid;
+allow sulogin_t self:capability sys_tty_config;
+', `
+domain_trans(sulogin_t, shell_exec_t, sysadm_t)
+allow sulogin_t shell_exec_t:file r_file_perms;
+
+can_setexec(sulogin_t)
+can_getsecurity(sulogin_t)
+')
+
+r_dir_file(sulogin_t, etc_t)
+
+allow sulogin_t bin_t:dir r_dir_perms;
+r_dir_file(sulogin_t, proc_t)
+allow sulogin_t root_t:dir search;
+
+allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
+allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+allow sulogin_t default_context_t:dir search;
+allow sulogin_t default_context_t:file { getattr read };
+
+r_dir_file(sulogin_t, selinux_config_t)
+
+# because file systems are not mounted
+dontaudit sulogin_t file_t:dir search;
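Review bot: the domain declaration at L14287 gives `sulogin_t` the `auth` attribute (direct shadow access) in both the PAM and the no-PAM configuration, while the PAM branch (L14309-L14315) only sets up a `domain_trans` to `sysadm_t` plus `can_setexec`; sshd in this same patch uses `auth_chkpwd` and delegates to `unix_chkpwd` instead (L13972-L13973). Add a comment explaining why sulogin needs `auth` here, or move it into the `sulogin_no_pam` branch if it is only needed there. Minor: L14283 has a trailing space after `#`.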
diff --git a/mls/domains/program/swat.te b/mls/domains/program/swat.te
new file mode 100644
index 0000000..aa94d2f
--- /dev/null
+++ b/mls/domains/program/swat.te
@@ -0,0 +1,14 @@
+#DESC swat - Samba Web Administration Tool
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the swat_t domain.
+#
+# swat_exec_t is the type of the swat executable.
+#
+
+inetd_child_domain(swat)
diff --git a/mls/domains/program/syslogd.te b/mls/domains/program/syslogd.te
new file mode 100644
index 0000000..8957fea
--- /dev/null
+++ b/mls/domains/program/syslogd.te
@@ -0,0 +1,110 @@
+#DESC Syslogd - System log daemon
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: sysklogd syslog-ng
+#
+
+#################################
+#
+# Rules for the syslogd_t domain.
+#
+# syslogd_t is the domain of syslogd.
+# syslogd_exec_t is the type of the syslogd executable.
+# devlog_t is the type of the Unix domain socket created 
+# by syslogd.
+#
+ifdef(`klogd.te', `
+daemon_domain(syslogd, `, privkmsg, nscd_client_domain')
+', `
+daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain')
+')
+
+# can_network is for the UDP socket
+can_network_udp(syslogd_t)
+can_ypbind(syslogd_t)
+
+r_dir_file(syslogd_t, sysfs_t)
+
+type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
+
+# if something can log to syslog they should be able to log to the console
+allow privlog console_device_t:chr_file { ioctl read write getattr };
+
+tmp_domain(syslogd)
+
+# read files in /etc
+allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
+
+# Use capabilities.
+allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
+
+# Modify/create log files.
+create_append_log_file(syslogd_t, var_log_t)
+
+# Create and bind to /dev/log or /var/run/log.
+file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
+ifdef(`distro_suse', `
+# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
+file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
+')
+allow syslogd_t self:unix_dgram_socket create_socket_perms;
+allow syslogd_t self:unix_dgram_socket sendto;
+allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
+allow syslogd_t self:fifo_file rw_file_perms;
+allow syslogd_t devlog_t:unix_stream_socket name_bind;
+allow syslogd_t devlog_t:unix_dgram_socket name_bind;
+# log to the xconsole
+allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
+
+# Domains with the privlog attribute may log to syslogd.
+allow privlog devlog_t:sock_file rw_file_perms;
+can_unix_send(privlog,syslogd_t)
+can_unix_connect(privlog,syslogd_t)
+# allow /dev/log to be a link elsewhere for chroot setup
+allow privlog devlog_t:lnk_file read;
+
+ifdef(`crond.te', `
+# for daemon re-start
+allow system_crond_t syslogd_t:lnk_file read;
+')
+
+ifdef(`logrotate.te', `
+allow logrotate_t syslogd_exec_t:file r_file_perms;
+')
+
+# for sending messages to logged in users
+allow syslogd_t initrc_var_run_t:file { read lock };
+dontaudit syslogd_t initrc_var_run_t:file write;
+allow syslogd_t ttyfile:chr_file { getattr write };
+
+#
+# Special case to handle crashes
+#
+allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
+
+# Allow syslog to a terminal
+allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
+
+# Allow name_bind for remote logging
+allow syslogd_t syslogd_port_t:udp_socket name_bind;
+#
+# /initrd is not umounted before minilog starts
+#
+dontaudit syslogd_t file_t:dir search;
+allow syslogd_t { tmpfs_t devpts_t }:dir search;
+dontaudit syslogd_t unlabeled_t:file { getattr read };
+dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
+allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
+ifdef(`targeted_policy', `
+allow syslogd_t var_run_t:fifo_file { ioctl read write };
+allow syslogd_t ttyfile:chr_file { getattr write ioctl append };
+')
+
+# Allow access to /proc/kmsg for syslog-ng
+allow syslogd_t proc_t:dir search;
+allow syslogd_t proc_kmsg_t:file { getattr read };
+allow syslogd_t kernel_t:system { syslog_mod syslog_console };
+allow syslogd_t self:capability { sys_admin chown fsetid };
+allow syslogd_t var_log_t:dir { create setattr };
+allow syslogd_t syslogd_port_t:tcp_socket name_bind;
+allow syslogd_t rsh_port_t:tcp_socket name_connect;
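Review bot: the trailing rules at L14464-L14467 are appended without comments, and L14464 is a second `self:capability` rule that adds `sys_admin`, `chown` and `fsetid` on top of the set already granted at L14396; merge it into L14396 and say what `sys_admin` is needed for, since it is the broadest capability in the file. L14467 (`name_connect` to `rsh_port_t`) also needs a comment: if it is for forwarding to a remote syslog over TCP, state that. Two smaller inconsistencies: the comment at L14379 says `can_network` but the call at L14380 is `can_network_udp`, and the `ttyfile` rule at L14457 is a superset of the one at L14435, so L14435 can be dropped or the targeted-policy block reduced to `{ ioctl append }`.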
diff --git a/mls/domains/program/sysstat.te b/mls/domains/program/sysstat.te
new file mode 100644
index 0000000..f01da4c
--- /dev/null
+++ b/mls/domains/program/sysstat.te
@@ -0,0 +1,65 @@
+#DESC Sysstat - Sar and similar programs
+#
+# Authors:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: sysstat
+#
+
+#################################
+#
+# Rules for the sysstat_t domain.
+#
+# sysstat_exec_t is the type of the sysstat executable.
+#
+type sysstat_t, domain, privlog;
+type sysstat_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types sysstat_t;
+
+allow sysstat_t device_t:dir search;
+
+allow sysstat_t self:process { sigchld fork };
+
+#for date
+can_exec(sysstat_t, { sysstat_exec_t bin_t })
+allow sysstat_t bin_t:dir r_dir_perms;
+dontaudit sysstat_t sbin_t:dir search;
+
+dontaudit sysstat_t self:capability sys_admin;
+allow sysstat_t self:capability sys_resource;
+
+allow sysstat_t devtty_t:chr_file rw_file_perms;
+
+allow sysstat_t urandom_device_t:chr_file read;
+
+# for mtab
+allow sysstat_t etc_runtime_t:file { read getattr };
+# for fstab
+allow sysstat_t etc_t:file { read getattr };
+
+dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms;
+
+allow sysstat_t self:fifo_file rw_file_perms;
+
+# Type for files created during execution of sysstatd.
+logdir_domain(sysstat)
+allow sysstat_t var_t:dir search;
+
+allow sysstat_t etc_t:dir r_dir_perms;
+read_locale(sysstat_t)
+
+allow sysstat_t fs_t:filesystem getattr;
+
+# get info from /proc
+allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms;
+allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr };
+
+domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t)
+allow sysstat_t init_t:fd use;
+allow sysstat_t console_device_t:chr_file { read write };
+
+uses_shlib(sysstat_t)
+
+system_crond_entry(sysstat_exec_t, sysstat_t)
+allow system_crond_t sysstat_log_t:dir { write remove_name add_name };
+allow system_crond_t sysstat_log_t:file create_file_perms;
+allow sysstat_t initrc_devpts_t:chr_file { read write };
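Review bot: L14536-L14537 grant `system_crond_t` direct write, create and unlink rights on `sysstat_log_t`, even though L14535 already transitions the cron job into `sysstat_t`; if this is for the cron job's shell redirection into the log directory, document that, otherwise the rules bypass the `sysstat_t` domain for no reason. Also, the comment at L14516 says "sysstatd", but the program is `sysstat` (sar), so it should read "Type for log files created by sysstat."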
diff --git a/mls/domains/program/tcpd.te b/mls/domains/program/tcpd.te
new file mode 100644
index 0000000..af135be
--- /dev/null
+++ b/mls/domains/program/tcpd.te
@@ -0,0 +1,43 @@
+#DESC Tcpd - Access control facilities from internet services
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: tcpd
+# Depends: inetd.te
+#
+
+#################################
+#
+# Rules for the tcpd_t domain.
+#
+type tcpd_t, domain, privlog;
+role system_r types tcpd_t;
+uses_shlib(tcpd_t)
+type tcpd_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t)
+
+allow tcpd_t fs_t:filesystem getattr;
+
+# no good reason for this, probably nscd
+dontaudit tcpd_t var_t:dir search;
+
+can_network_server(tcpd_t)
+can_ypbind(tcpd_t)
+allow tcpd_t self:unix_dgram_socket create_socket_perms;
+allow tcpd_t self:unix_stream_socket create_socket_perms;
+allow tcpd_t etc_t:file { getattr read };
+read_locale(tcpd_t)
+
+tmp_domain(tcpd)
+
+# Use sockets inherited from inetd.
+allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms;
+
+# Run each daemon with a defined domain in its own domain.
+# These rules have been moved to each target domain .te file.
+
+# Run other daemons in the inetd_child_t domain.
+allow tcpd_t { bin_t sbin_t }:dir search;
+domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)
+
+allow tcpd_t device_t:dir search;
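Review bot: L14571 uses `create_socket_perms` for `self:unix_stream_socket`, whereas every other stream-socket rule in this patch uses `create_stream_socket_perms` (L13980, L14409, L14638); unless tcpd really must not `listen`/`accept`, use the stream macro for consistency. The stale comment pair at L14580-L14581 ("These rules have been moved ...") no longer describes any rule and could be removed.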
diff --git a/mls/domains/program/telnetd.te b/mls/domains/program/telnetd.te
new file mode 100644
index 0000000..bbbb2c1
--- /dev/null
+++ b/mls/domains/program/telnetd.te
@@ -0,0 +1,10 @@
+# telnet server daemon
+#
+
+#################################
+#
+# Rules for the telnetd_t domain 
+#
+
+remote_login_daemon(telnetd)
+typealias telnetd_port_t alias telnet_port_t;
diff --git a/mls/domains/program/tftpd.te b/mls/domains/program/tftpd.te
new file mode 100644
index 0000000..c749987
--- /dev/null
+++ b/mls/domains/program/tftpd.te
@@ -0,0 +1,41 @@
+#DESC TFTP - UDP based file server for boot loaders
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: tftpd atftpd
+# Depends: inetd.te
+#
+
+#################################
+#
+# Rules for the tftpd_t domain.
+#
+# tftpd_exec_t is the type of the tftpd executable.
+#
+daemon_domain(tftpd)
+
+# tftpdir_t is the type of files in the /tftpboot directories.
+type tftpdir_t, file_type, sysadmfile;
+r_dir_file(tftpd_t, tftpdir_t)
+
+domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
+
+# Use the network.
+can_network_udp(tftpd_t)
+allow tftpd_t tftp_port_t:udp_socket name_bind;
+ifdef(`inetd.te', `
+allow inetd_t tftp_port_t:udp_socket name_bind;
+')
+allow tftpd_t self:unix_dgram_socket create_socket_perms;
+allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
+
+# allow any domain to connect to the TFTP server
+allow tftpd_t inetd_t:udp_socket rw_socket_perms;
+
+# Use capabilities
+allow tftpd_t self:capability { setgid setuid net_bind_service sys_chroot };
+
+allow tftpd_t etc_t:dir r_dir_perms;
+allow tftpd_t etc_t:file r_file_perms;
+
+allow tftpd_t var_t:dir r_dir_perms;
+allow tftpd_t var_t:{ file lnk_file } r_file_perms;
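Review bot: the comment at L14640, "allow any domain to connect to the TFTP server", does not describe the rule at L14641, which only lets `tftpd_t` read and write the UDP socket it inherits from `inetd_t`; reword it along the lines of tcpd.te's "Use sockets inherited from inetd." (L14577). Client access is already governed by `can_network_udp` at L14632.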
diff --git a/mls/domains/program/timidity.te b/mls/domains/program/timidity.te
new file mode 100644
index 0000000..e007d3f
--- /dev/null
+++ b/mls/domains/program/timidity.te
@@ -0,0 +1,34 @@
+# DESC timidity - MIDI to WAV converter and player
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+#
+# Note: You only need this policy if you want to run timidity as a server
+
+daemon_base_domain(timidity)
+can_network_server(timidity_t)
+
+allow timidity_t device_t:lnk_file read;
+
+# read /usr/share/alsa/alsa.conf
+allow timidity_t usr_t:file { getattr read };
+# read /etc/esd.conf and /proc/cpuinfo
+allow timidity_t { etc_t proc_t }:file { getattr read };
+# read libartscbackend.la - should these be shlib_t?
+allow timidity_t lib_t:file { getattr read };
+
+allow timidity_t sound_device_t:chr_file { read write ioctl };
+
+# stupid timidity won't start if it can't search its current directory.
+# allow this so /etc/init.d/alsasound start works from /root
+allow timidity_t sysadm_home_dir_t:dir search;
+
+allow timidity_t tmp_t:dir search;
+tmpfs_domain(timidity)
+
+allow timidity_t self:shm create_shm_perms;
+
+allow timidity_t self:unix_stream_socket create_stream_socket_perms;
+
+allow timidity_t devpts_t:dir search;
+allow timidity_t self:capability { dac_override dac_read_search };
+allow timidity_t self:process getsched;
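Review bot: L14689 grants `dac_override` and `dac_read_search` with no comment, in a file where every other rule explains its purpose; `dac_override` lets the daemon ignore file permission bits on anything its type rules reach, so state which file it fails on or replace it with a narrower rule. The open question at L14672 ("should these be shlib_t?") should be resolved in file_contexts rather than left in the policy.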
diff --git a/mls/domains/program/tmpreaper.te b/mls/domains/program/tmpreaper.te
new file mode 100644
index 0000000..8cd0fe9
--- /dev/null
+++ b/mls/domains/program/tmpreaper.te
@@ -0,0 +1,33 @@
+#DESC Tmpreaper - Monitor and maintain temporary files
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: tmpreaper
+#
+
+#################################
+#
+# Rules for the tmpreaper_t domain.
+#
+type tmpreaper_t, domain, privlog, mlsfileread, mlsfilewrite;
+type tmpreaper_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types tmpreaper_t;
+
+system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
+uses_shlib(tmpreaper_t)
+# why does it need setattr?
+allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir };
+allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink };
+allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
+allow tmpreaper_t self:process { fork sigchld };
+allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+allow tmpreaper_t fs_t:filesystem getattr;
+
+r_dir_file(tmpreaper_t, etc_t)
+allow tmpreaper_t var_t:dir { getattr search };
+r_dir_file(tmpreaper_t, var_lib_t)
+allow tmpreaper_t device_t:dir { getattr search };
+allow tmpreaper_t urandom_device_t:chr_file { getattr read };
+
+read_locale(tmpreaper_t)
+
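Review bot: L14717 allows `tmpreaper_t` to `unlink` any `home_type` file (and any unlabeled `file_t` file) wherever it lives, since type rules are not scoped to /tmp, and L14707 adds `mlsfileread`/`mlsfilewrite`, so this crosses MLS levels as well; add a comment on which home-typed files are expected under /tmp, or restrict the rule to the tmp types. The open question at L14714 ("why does it need setattr?") should be answered or the permission dropped. Minor: the file ends with an extra blank line (L14729).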
diff --git a/mls/domains/program/traceroute.te b/mls/domains/program/traceroute.te
new file mode 100644
index 0000000..af25e20
--- /dev/null
+++ b/mls/domains/program/traceroute.te
@@ -0,0 +1,66 @@
+#DESC Traceroute - Display network routes
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# based on the work of David A. Wheeler <dwheeler@ida.org>
+# X-Debian-Packages: traceroute lft
+#
+
+#################################
+#
+# Rules for the traceroute_t domain.
+#
+# traceroute_t is the domain for the traceroute program.
+# traceroute_exec_t is the type of the corresponding program.
+#
+type traceroute_t, domain, privlog, nscd_client_domain;
+role sysadm_r types traceroute_t;
+role system_r types traceroute_t;
+# for user_ping:
+in_user_role(traceroute_t)
+uses_shlib(traceroute_t)
+can_network_client(traceroute_t)
+allow traceroute_t port_type:tcp_socket name_connect;
+can_ypbind(traceroute_t)
+allow traceroute_t node_t:rawip_socket node_bind;
+type traceroute_exec_t, file_type, sysadmfile, exec_type;
+
+# Transition into this domain when you run this program.
+domain_auto_trans(initrc_t, traceroute_exec_t, traceroute_t)
+domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
+
+allow traceroute_t etc_t:file { getattr read };
+
+# Use capabilities.
+allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+
+allow traceroute_t self:rawip_socket create_socket_perms;
+allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow traceroute_t self:unix_stream_socket create_socket_perms;
+allow traceroute_t device_t:dir search;
+
+# for lft
+allow traceroute_t self:packet_socket create_socket_perms;
+r_dir_file(traceroute_t, proc_t)
+r_dir_file(traceroute_t, proc_net_t)
+
+# Access the terminal.
+allow traceroute_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
+allow traceroute_t privfd:fd use;
+
+# dont need this
+dontaudit traceroute_t fs_t:filesystem getattr;
+dontaudit traceroute_t var_t:dir search;
+
+ifdef(`ping.te', `
+if (user_ping) {
+	domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
+	# allow access to the terminal
+	allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
+}
+')
+#rules needed for nmap
+allow traceroute_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+allow traceroute_t usr_t:file { getattr read };
+read_locale(traceroute_t)
+dontaudit traceroute_t userdomain:dir search;
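Review bot: L14797-L14801 are labelled "rules needed for nmap", but the header at L14740 lists only `traceroute` and `lft`, and nothing in the hunk shows nmap entering `traceroute_t`; if nmap is meant to be labelled `traceroute_exec_t`, add it to the header (and the .fc), otherwise these rules are dead. Given that L14757 already allows `name_connect` to every `port_type` and L14769 grants `net_raw`/`net_admin`, a comment on why port scanners share the traceroute domain is worth having.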
diff --git a/mls/domains/program/udev.te b/mls/domains/program/udev.te
new file mode 100644
index 0000000..cc5f7d4
--- /dev/null
+++ b/mls/domains/program/udev.te
@@ -0,0 +1,152 @@
+#DESC udev - Linux configurable dynamic device naming support
+#
+# Author:  Dan Walsh dwalsh@redhat.com
+#
+
+#################################
+#
+# Rules for the udev_t domain.
+#
+# udev_exec_t is the type of the udev executable.
+#
+daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
+
+general_domain_access(udev_t)
+
+if (allow_execmem) {
+# for alsactl
+allow udev_t self:process execmem;
+}
+
+etc_domain(udev)
+type udev_helper_exec_t, file_type, sysadmfile, exec_type;
+can_exec_any(udev_t)
+
+#
+# Rules used for udev
+#
+type udev_tdb_t, file_type, sysadmfile, dev_fs;
+typealias udev_tdb_t alias udev_tbl_t;
+file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio sys_nice };
+allow udev_t self:file { getattr read };
+allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
+allow udev_t self:unix_dgram_socket create_socket_perms;
+allow udev_t self:fifo_file rw_file_perms;
+allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; 
+allow udev_t device_t:file { unlink rw_file_perms };
+allow udev_t device_t:sock_file create_file_perms;
+allow udev_t device_t:lnk_file create_lnk_perms;
+allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
+ifdef(`distro_redhat', `
+allow udev_t tmpfs_t:dir create_dir_perms;
+allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
+allow udev_t tmpfs_t:lnk_file create_lnk_perms;
+allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
+allow udev_t tmpfs_t:dir search;
+
+# for arping used for static IP addresses on PCMCIA ethernet
+domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
+')
+allow udev_t etc_t:file { getattr read ioctl };
+allow udev_t { bin_t sbin_t }:dir r_dir_perms;
+allow udev_t { sbin_t bin_t }:lnk_file read;
+allow udev_t bin_t:lnk_file read;
+can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
+can_exec(udev_t, udev_exec_t)
+rw_dir_file(udev_t, sysfs_t)
+allow udev_t sysadm_tty_device_t:chr_file { read write };
+
+# to read the file_contexts file
+r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
+
+allow udev_t policy_config_t:dir search;
+allow udev_t proc_t:file { getattr read ioctl };
+allow udev_t proc_kcore_t:file getattr;
+
+# Get security policy decisions.
+can_getsecurity(udev_t)
+
+# set file system create context
+can_setfscreate(udev_t)
+
+allow udev_t kernel_t:fd use;
+allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
+allow udev_t kernel_t:process signal;
+
+allow udev_t initrc_var_run_t:file r_file_perms;
+dontaudit udev_t initrc_var_run_t:file write;
+
+domain_auto_trans(kernel_t, udev_exec_t, udev_t)
+domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
+ifdef(`hide_broken_symptoms', `
+dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
+')
+allow udev_t devpts_t:dir { getattr search };
+allow udev_t etc_runtime_t:file { getattr read };
+ifdef(`xdm.te', `
+allow udev_t xdm_var_run_t:file { getattr read };
+')
+
+ifdef(`hotplug.te', `
+r_dir_file(udev_t, hotplug_etc_t)
+')
+allow udev_t var_log_t:dir search;
+
+ifdef(`consoletype.te', `
+can_exec(udev_t, consoletype_exec_t)
+')
+ifdef(`pamconsole.te', `
+allow udev_t pam_var_console_t:dir search;
+allow udev_t pam_var_console_t:file { getattr read };
+domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
+')
+allow udev_t var_lock_t:dir search;
+allow udev_t var_lock_t:file getattr;
+domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
+ifdef(`hide_broken_symptoms', `
+dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
+')
+
+dontaudit udev_t file_t:dir search;
+ifdef(`dhcpc.te', `
+domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
+')
+
+allow udev_t udev_helper_exec_t:dir r_dir_perms;
+
+dbusd_client(system, udev)
+
+allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
+allow udev_t sysctl_dev_t:dir search;
+allow udev_t mnt_t:dir search;
+allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
+allow udev_t self:rawip_socket create_socket_perms;
+dontaudit udev_t domain:dir r_dir_perms;
+dontaudit udev_t ttyfile:chr_file unlink;
+ifdef(`hotplug.te', `
+r_dir_file(udev_t, hotplug_var_run_t)
+')
+r_dir_file(udev_t, modules_object_t)
+#
+# Udev is now writing dhclient-eth*.conf* files.
+#
+ifdef(`dhcpd.te', `define(`use_dhcp')')
+ifdef(`dhcpc.te', `define(`use_dhcp')')
+ifdef(`use_dhcp', `
+allow udev_t dhcp_etc_t:file rw_file_perms;
+file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
+')
+r_dir_file(udev_t, domain)
+allow udev_t modules_dep_t:file r_file_perms;
+
+nsswitch_domain(udev_t)
+
+ifdef(`unlimitedUtils', `
+unconfined_domain(udev_t) 
+')
+dontaudit hostname_t udev_t:fd use;
+ifdef(`use_mcs', `
+range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
+range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+')
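Review bot: the capability set at L14838 lists `sys_nice` twice, and L14861 (`allow udev_t bin_t:lnk_file read;`) is already covered by L14860 (`{ sbin_t bin_t }:lnk_file read`); drop the duplicates. While there, the `{ relabelfrom relabelto create_file_perms }` rules at L14847 and L14852 are the ones that let udev change labels on device nodes, so a short comment next to them would help reviewers of later changes.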
diff --git a/mls/domains/program/unconfined.te b/mls/domains/program/unconfined.te
new file mode 100644
index 0000000..9497a3c
--- /dev/null
+++ b/mls/domains/program/unconfined.te
@@ -0,0 +1,15 @@
+#DESC Unconfined - Use to essentially disable SELinux for a particular program
+# This domain will be useful as a workaround for e.g. third-party daemon software
+# that has no policy, until one can be written for it.
+#
+# To use, label the executable with unconfined_exec_t, e.g.:
+# chcon -t unconfined_exec_t /usr/local/bin/appsrv
+# Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc
+
+type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write;
+type unconfined_exec_t, file_type, sysadmfile, exec_type;
+role sysadm_r types unconfined_t;
+domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
+role system_r types unconfined_t;
+domain_auto_trans(initrc_t, unconfined_exec_t, unconfined_t)
+unconfined_domain(unconfined_t)
diff --git a/mls/domains/program/unused/afs.te b/mls/domains/program/unused/afs.te
new file mode 100644
index 0000000..8bcab3b
--- /dev/null
+++ b/mls/domains/program/unused/afs.te
@@ -0,0 +1,166 @@
+#
+# Policy for AFS server
+#
+
+type afs_files_t, file_type;
+type afs_config_t, file_type, sysadmfile;
+type afs_logfile_t, file_type, logfile;
+type afs_dbdir_t, file_type;
+
+allow afs_files_t afs_files_t:filesystem associate;
+# df should show sizes
+allow sysadm_t afs_files_t:filesystem getattr;
+
+#
+# Macros for defining AFS server domains
+#
+
+define(`afs_server_domain',`
+type afs_$1server_t, domain $2;
+type afs_$1server_exec_t, file_type, sysadmfile;
+
+role system_r types afs_$1server_t;
+
+allow afs_$1server_t afs_config_t:file r_file_perms;
+allow afs_$1server_t afs_config_t:dir r_dir_perms;
+allow afs_$1server_t afs_logfile_t:file create_file_perms;
+allow afs_$1server_t afs_logfile_t:dir create_dir_perms;
+allow afs_$1server_t afs_$1_port_t:udp_socket name_bind;
+uses_shlib(afs_$1server_t)
+can_network(afs_$1server_t)
+read_locale(afs_$1server_t)
+
+dontaudit afs_$1server_t { var_t var_run_t }:file r_file_perms;
+dontaudit afs_$1server_t { var_t var_run_t }:dir r_dir_perms;
+dontaudit afs_$1server_t admin_tty_type:chr_file rw_file_perms;
+')
+
+define(`afs_under_bos',`
+domain_auto_trans(afs_bosserver_t, afs_$1server_exec_t, afs_$1server_t)
+allow afs_$1server_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_$1server_t etc_t:{ file lnk_file } r_file_perms;
+allow afs_$1server_t net_conf_t:file r_file_perms;
+allow afs_bosserver_t afs_$1server_t:process signal_perms;
+')
+
+define(`afs_server_db',`
+type afs_$1_db_t, file_type;
+
+allow afs_$1server_t afs_$1_db_t:file create_file_perms;
+file_type_auto_trans(afs_$1server_t, afs_dbdir_t, afs_$1_db_t, file);
+')
+
+
+#
+# bosserver
+#
+
+afs_server_domain(`bos')
+base_file_read_access(afs_bosserver_t)
+
+domain_auto_trans(initrc_t, afs_bosserver_exec_t, afs_bosserver_t)
+
+allow afs_bosserver_t self:process { fork setsched signal_perms };
+allow afs_bosserver_t afs_bosserver_exec_t:file { execute_no_trans rx_file_perms };
+allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
+allow afs_bosserver_t afs_config_t:file create_file_perms;
+allow afs_bosserver_t afs_config_t:dir create_dir_perms;
+
+allow afs_bosserver_t etc_t:{file lnk_file} r_file_perms;
+allow afs_bosserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
+allow afs_bosserver_t device_t:dir r_dir_perms;
+
+# allow sysadm to use bos
+allow afs_bosserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_bosserver_t:udp_socket { recvfrom sendto };
+
+#
+# fileserver, volserver, and salvager
+#
+
+afs_server_domain(`fs',`,privlog')
+afs_under_bos(`fs')
+
+base_file_read_access(afs_fsserver_t)
+file_type_auto_trans(afs_fsserver_t, afs_config_t, afs_files_t)
+
+allow afs_fsserver_t self:process { fork sigchld setsched signal_perms };
+allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+allow afs_fsserver_t self:fifo_file { rw_file_perms };
+can_exec(afs_fsserver_t, afs_fsserver_exec_t)
+allow afs_fsserver_t afs_files_t:file create_file_perms;
+allow afs_fsserver_t afs_files_t:dir create_dir_perms;
+allow afs_fsserver_t afs_config_t:file create_file_perms;
+allow afs_fsserver_t afs_config_t:dir create_dir_perms;
+
+allow afs_fsserver_t afs_fs_port_t:tcp_socket name_bind;
+allow afs_fsserver_t { afs_files_t fs_t }:filesystem getattr;
+
+allow afs_fsserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
+allow afs_fsserver_t device_t:dir r_dir_perms;
+allow afs_fsserver_t etc_runtime_t:{file lnk_file} r_file_perms;
+allow afs_fsserver_t { var_run_t var_t } :dir r_dir_perms;
+
+allow afs_fsserver_t proc_t:dir r_dir_perms;
+allow afs_fsserver_t { self proc_t } : { file lnk_file } r_file_perms;
+allow afs_fsserver_t { self proc_t } : dir r_dir_perms;
+
+# fs communicates with other servers
+allow afs_fsserver_t self:unix_dgram_socket create_socket_perms;
+allow afs_fsserver_t self:tcp_socket { connectto acceptfrom recvfrom };
+allow afs_fsserver_t self:udp_socket { sendto recvfrom };
+allow afs_fsserver_t { afs_vlserver_t afs_ptserver_t }:udp_socket { recvfrom };
+allow afs_fsserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_fsserver_t:udp_socket { recvfrom sendto };
+
+dontaudit afs_fsserver_t self:capability fsetid;
+dontaudit afs_fsserver_t console_device_t:chr_file rw_file_perms;
+dontaudit afs_fsserver_t initrc_t:fd use;
+dontaudit afs_fsserver_t mnt_t:dir search;
+
+
+#
+# kaserver
+#
+
+afs_server_domain(`ka')
+afs_under_bos(`ka')
+afs_server_db(`ka')
+
+base_file_read_access(afs_kaserver_t)
+
+allow afs_kaserver_t kerberos_port_t:udp_socket name_bind;
+allow afs_kaserver_t self:capability { net_bind_service };
+allow afs_kaserver_t afs_config_t:file create_file_perms;
+allow afs_kaserver_t afs_config_t:dir rw_dir_perms;
+
+# allow sysadm to use kas
+allow afs_kaserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_kaserver_t:udp_socket { recvfrom sendto };
+
+
+#
+# ptserver
+#
+
+afs_server_domain(`pt')
+afs_under_bos(`pt')
+afs_server_db(`pt')
+
+# allow users to use pts
+allow afs_ptserver_t userdomain:udp_socket { sendto recvfrom };
+allow userdomain afs_ptserver_t:udp_socket { recvfrom sendto };
+allow afs_ptserver_t afs_fsserver_t:udp_socket { recvfrom };
+
+
+#
+# vlserver
+#
+
+afs_server_domain(`vl')
+afs_under_bos(`vl')
+afs_server_db(`vl')
+
+allow afs_vlserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_vlserver_t:udp_socket { recvfrom sendto };
+allow afs_vlserver_t afs_fsserver_t:udp_socket { recvfrom };
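Review bot: afs.te lacks the `#DESC` / `# Author:` header that every other file in this series carries (compare amavis.te and asterisk.te); add one so the policy tooling and readers treat it consistently. The capability set `{ kill dac_override chown fowner sys_nice }` granted to afs_fsserver_t has no comment explaining why dac_override is needed, unlike calamaris.te and asterisk.te, which justify theirs. Two style points: `file_type_auto_trans(afs_$1server_t, afs_dbdir_t, afs_$1_db_t, file);` inside `afs_server_db` carries a trailing semicolon while the `file_type_auto_trans` call for afs_fsserver_t does not, and `allow afs_fsserver_t self:fifo_file { rw_file_perms };` wraps a single permission macro in braces.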
diff --git a/mls/domains/program/unused/amavis.te b/mls/domains/program/unused/amavis.te
new file mode 100644
index 0000000..1e1752f
--- /dev/null
+++ b/mls/domains/program/unused/amavis.te
@@ -0,0 +1,117 @@
+#DESC Amavis - Anti-virus
+#
+# Author:  Brian May <bam@snoopy.apana.org.au>
+# X-Debian-Packages: amavis-ng amavisd-new amavisd-new-milter amavisd-new-milter-helper
+# Depends: clamav.te
+#
+
+#################################
+#
+# Rules for the amavisd_t domain.
+#
+type amavisd_etc_t, file_type, sysadmfile;
+type amavisd_lib_t, file_type, sysadmfile;
+
+# Virus and spam found and quarantined.
+type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;
+
+daemon_domain(amavisd)
+tmp_domain(amavisd)
+
+allow initrc_t amavisd_etc_t:file { getattr read };
+allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink };
+allow initrc_t amavisd_lib_t:file unlink;
+allow initrc_t amavisd_var_run_t:dir setattr;
+allow amavisd_t self:capability { chown dac_override setgid setuid };
+dontaudit amavisd_t self:capability sys_tty_config;
+
+allow amavisd_t usr_t:{ file lnk_file } { getattr read };
+dontaudit amavisd_t usr_t:file ioctl;
+
+# networking
+can_network_server_tcp(amavisd_t, amavisd_recv_port_t)
+allow amavisd_t amavisd_recv_port_t:tcp_socket name_bind;
+allow mta_delivery_agent amavisd_recv_port_t:tcp_socket name_connect;
+# The next line doesn't work right so drop the port specification.
+#can_network_client_tcp(amavisd_t, amavisd_send_port_t)
+can_network_client_tcp(amavisd_t)
+allow amavisd_t amavisd_send_port_t:tcp_socket name_connect;
+can_resolve(amavisd_t);
+can_ypbind(amavisd_t);
+can_tcp_connect(mail_server_sender, amavisd_t);
+can_tcp_connect(amavisd_t, mail_server_domain)
+
+ifdef(`scannerdaemon.te', `
+can_tcp_connect(amavisd_t, scannerdaemon_t);
+allow scannerdaemon_t amavisd_lib_t:dir r_dir_perms;
+allow scannerdaemon_t amavisd_lib_t:file r_file_perms;
+')
+
+ifdef(`clamav.te', `
+clamscan_domain(amavisd)
+role system_r types amavisd_clamscan_t;
+domain_auto_trans(amavisd_t, clamscan_exec_t, amavisd_clamscan_t)
+allow amavisd_clamscan_t amavisd_lib_t:dir r_dir_perms;
+allow amavisd_clamscan_t amavisd_lib_t:file r_file_perms;
+can_clamd_connect(amavisd)
+allow clamd_t amavisd_lib_t:dir r_dir_perms;
+allow clamd_t amavisd_lib_t:file r_file_perms;
+')
+
+# DCC
+ifdef(`dcc.te', `
+allow dcc_client_t amavisd_lib_t:file r_file_perms;
+')
+
+# Pyzor
+ifdef(`pyzor.te',`
+domain_auto_trans(amavisd_t, pyzor_exec_t, pyzor_t)
+#allow pyzor_t amavisd_data_t:dir search;
+# Pyzor creates a temp file adjacent to the working file.
+create_dir_file(pyzor_t, amavisd_lib_t);
+')
+
+# SpamAssassin is executed from within amavisd, but needs to read its
+# config
+ifdef(`spamd.te', `
+r_dir_file(amavisd_t, etc_mail_t)
+')
+
+# Can create unix sockets
+allow amavisd_t self:unix_stream_socket create_stream_socket_perms;
+allow amavisd_t self:unix_dgram_socket create_socket_perms;
+allow amavisd_t self:fifo_file getattr;
+
+read_locale(amavisd_t)
+
+# Access config files (amavisd).
+allow amavisd_t amavisd_etc_t:file r_file_perms;
+
+log_domain(amavisd)
+
+# Access amavisd var/lib files.
+create_dir_file(amavisd_t, amavisd_lib_t)
+
+# Access amavisd quarantined files.
+create_dir_file(amavisd_t, amavisd_quarantine_t)
+
+# Run helper programs.
+can_exec_any(amavisd_t,bin_t)
+allow amavisd_t bin_t:dir { getattr search };
+allow amavisd_t sbin_t:dir search;
+allow amavisd_t var_lib_t:dir search;
+
+# allow access to files for scanning (required for amavis):
+allow clamd_t self:capability { dac_override dac_read_search };
+
+# unknown stuff
+allow amavisd_t self:fifo_file { ioctl read write };
+allow amavisd_t { random_device_t urandom_device_t }:chr_file read;
+allow amavisd_t proc_t:file { getattr read };
+allow amavisd_t etc_runtime_t:file { getattr read };
+
+# broken stuff
+dontaudit amavisd_t sysadm_home_dir_t:dir search;
+dontaudit amavisd_t shadow_t:file { getattr read };
+dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };
+
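Review bot: `allow clamd_t self:capability { dac_override dac_read_search };` near the end of the hunk grants capabilities to clamd_t unconditionally, while every other clamd_t rule in this file sits inside `ifdef(`clamav.te', ...)`; without clamav.te loaded this references an undefined type, so move it into that ifdef block or into clamav.te itself. The comment `# The next line doesn't work right so drop the port specification.` should say what failed: the replacement `can_network_client_tcp(amavisd_t)` is unrestricted, and the only thing still limiting outbound connections to amavisd_send_port_t is the `name_connect` rule that follows it. Minor: `can_resolve(amavisd_t);`, `can_ypbind(amavisd_t);` and `can_tcp_connect(mail_server_sender, amavisd_t);` carry trailing semicolons while the adjacent `can_tcp_connect(amavisd_t, mail_server_domain)` does not, and the file ends with a stray blank line.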
diff --git a/mls/domains/program/unused/asterisk.te b/mls/domains/program/unused/asterisk.te
new file mode 100644
index 0000000..7ae5ffc
--- /dev/null
+++ b/mls/domains/program/unused/asterisk.te
@@ -0,0 +1,56 @@
+#DESC Asterisk IP telephony server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+# X-Debian-Packages: asterisk
+
+daemon_domain(asterisk)
+allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms;
+allow initrc_t asterisk_var_run_t:fifo_file unlink;
+
+allow asterisk_t self:process setsched;
+allow asterisk_t self:fifo_file rw_file_perms;
+
+allow asterisk_t proc_t:file { getattr read };
+
+allow asterisk_t { bin_t sbin_t }:dir search;
+allow asterisk_t bin_t:lnk_file read;
+can_exec(asterisk_t, bin_t)
+
+etcdir_domain(asterisk)
+logdir_domain(asterisk)
+var_lib_domain(asterisk)
+
+allow asterisk_t asterisk_port_t:{ udp_socket tcp_socket } name_bind;
+
+# for VOIP voice channels.
+allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind;
+
+allow asterisk_t device_t:lnk_file read;
+allow asterisk_t sound_device_t:chr_file rw_file_perms;
+
+type asterisk_spool_t, file_type, sysadmfile;
+create_dir_file(asterisk_t, asterisk_spool_t)
+allow asterisk_t var_spool_t:dir search;
+
+# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
+# are labeled usr_t
+allow asterisk_t usr_t:file r_file_perms;
+
+can_network_server(asterisk_t)
+can_ypbind(asterisk_t)
+allow asterisk_t etc_t:file { getattr read };
+
+allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
+allow asterisk_t self:sem create_sem_perms;
+allow asterisk_t self:shm create_shm_perms;
+
+# dac_override for /var/run/asterisk
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
+
+# for shutdown
+dontaudit asterisk_t self:capability sys_tty_config;
+
+tmpfs_domain(asterisk)
+tmp_domain(asterisk)
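Review bot: `allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind;` lets the daemon bind any port carrying the generic port_t label, i.e. every port without a dedicated type; the `# for VOIP voice channels.` comment should state that this wide scope (dynamically chosen media ports) is intended, so a later reader neither narrows it by mistake nor misses how broad it is compared with the asterisk_port_t rule two lines above. The `{ dac_override setgid setuid sys_nice }` line justifies only dac_override in its comment; sys_nice is presumably paired with the `self:process setsched` rule earlier in the file and should say so.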
diff --git a/mls/domains/program/unused/audio-entropyd.te b/mls/domains/program/unused/audio-entropyd.te
new file mode 100644
index 0000000..216108a
--- /dev/null
+++ b/mls/domains/program/unused/audio-entropyd.te
@@ -0,0 +1,12 @@
+#DESC audio-entropyd - Generate entropy from audio input
+#
+# Author: Chris PeBenito <pebenito@gentoo.org>
+#
+
+daemon_domain(entropyd)
+
+allow entropyd_t self:capability { ipc_lock sys_admin };
+
+allow entropyd_t random_device_t:chr_file rw_file_perms;
+allow entropyd_t device_t:dir r_dir_perms;
+allow entropyd_t sound_device_t:chr_file r_file_perms;
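Review bot: `allow entropyd_t self:capability { ipc_lock sys_admin };` is the widest grant in this short file and has no comment; sys_admin is what feeding entropy into the kernel pool through the random device requires, and ipc_lock is presumably for locking the daemon's buffers in memory, so record both reasons inline as the other files in this series do for their capability lines. Everything else here is narrowly scoped (read-only on sound_device_t, read/write on random_device_t).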
diff --git a/mls/domains/program/unused/authbind.te b/mls/domains/program/unused/authbind.te
new file mode 100644
index 0000000..6aabc3e
--- /dev/null
+++ b/mls/domains/program/unused/authbind.te
@@ -0,0 +1,29 @@
+#DESC Authbind - Program to bind to low ports as non-root
+#
+# Authors:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: authbind
+#
+
+#################################
+#
+# Rules for the authbind_t domain.
+#
+# authbind_exec_t is the type of the authbind executable.
+#
+type authbind_t, domain, privlog;
+type authbind_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types authbind_t;
+
+etcdir_domain(authbind)
+
+can_exec(authbind_t, authbind_etc_t)
+allow authbind_t etc_t:dir r_dir_perms;
+
+uses_shlib(authbind_t)
+
+allow authbind_t self:capability net_bind_service;
+
+allow authbind_t domain:fd use;
+
+allow authbind_t console_device_t:chr_file { read write };
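Review bot: nothing in this file enters authbind_t: the hunk declares authbind_exec_t with `exec_type` and assigns the domain to system_r, but there is no `domain_auto_trans` or `entrypoint` rule, so the domain is unreachable unless another file adds the transition; add it, or a comment naming the file that provides it. `allow authbind_t domain:fd use;` accepts inherited descriptors from every domain, which together with net_bind_service is the whole purpose of the tool, but the comment block should say so. `can_exec(authbind_t, authbind_etc_t)` executes files under the configuration type and deserves a line explaining which files in that directory are executable.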
diff --git a/mls/domains/program/unused/backup.te b/mls/domains/program/unused/backup.te
new file mode 100644
index 0000000..628527d
--- /dev/null
+++ b/mls/domains/program/unused/backup.te
@@ -0,0 +1,62 @@
+#DESC Backup - Backup scripts
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: dpkg
+#
+
+#################################
+#
+# Rules for the backup_t domain.
+#
+type backup_t, domain, privlog, auth;
+type backup_exec_t, file_type, sysadmfile, exec_type;
+
+type backup_store_t, file_type, sysadmfile;
+
+role system_r types backup_t;
+role sysadm_r types backup_t;
+
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
+')
+allow backup_t privfd:fd use;
+ifdef(`crond.te', `
+system_crond_entry(backup_exec_t, backup_t)
+rw_dir_create_file(system_crond_t, backup_store_t)
+')
+
+# for SSP
+allow backup_t urandom_device_t:chr_file read;
+
+can_network_client(backup_t)
+allow backup_t port_type:tcp_socket name_connect;
+can_ypbind(backup_t)
+uses_shlib(backup_t)
+
+allow backup_t devtty_t:chr_file rw_file_perms;
+
+allow backup_t { file_type fs_type }:dir r_dir_perms;
+allow backup_t file_type:{ file lnk_file } r_file_perms;
+allow backup_t file_type:{ sock_file fifo_file } getattr;
+allow backup_t { device_t device_type ttyfile }:chr_file getattr;
+allow backup_t { device_t device_type }:blk_file getattr;
+allow backup_t var_t:file create_file_perms;
+
+allow backup_t proc_t:dir r_dir_perms;
+allow backup_t proc_t:file r_file_perms;
+allow backup_t proc_t:lnk_file { getattr read };
+read_sysctl(backup_t)
+
+allow backup_t self:fifo_file rw_file_perms;
+allow backup_t self:process { signal sigchld fork };
+allow backup_t self:capability dac_override;
+
+rw_dir_file(backup_t, backup_store_t)
+allow backup_t backup_store_t:file { create setattr };
+
+allow backup_t fs_t:filesystem getattr;
+
+allow backup_t self:unix_stream_socket create_socket_perms;
+
+can_exec(backup_t, bin_t)
+ifdef(`hostname.te', `can_exec(backup_t, hostname_exec_t)')
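Review bot: `allow backup_t var_t:file create_file_perms;` lets the backup domain create and write files of the generic var_t type; `rw_dir_create_file(backup_t, backup_store_t)` a few lines later already covers backup output, so this rule should either be narrowed with a type transition into backup_store_t or carry a comment naming the var_t file it needs. Likewise `rw_dir_create_file(system_crond_t, backup_store_t)` inside the crond ifdef lets the cron daemon itself, not the backup_t domain it enters via `system_crond_entry`, write the backup store; document why. `allow backup_t port_type:tcp_socket name_connect;` (any port) and `allow backup_t file_type:{ file lnk_file } r_file_perms;` (every file type, consistent with the `auth` attribute on the domain) are expected for a backup job but should be stated in the header as the deliberate trust level of this domain.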
diff --git a/mls/domains/program/unused/calamaris.te b/mls/domains/program/unused/calamaris.te
new file mode 100644
index 0000000..1bfce36
--- /dev/null
+++ b/mls/domains/program/unused/calamaris.te
@@ -0,0 +1,72 @@
+#DESC Calamaris - Squid log analysis
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: calamaris
+# Depends: squid.te
+#
+
+#################################
+#
+# Rules for the calamaris_t domain.
+#
+# calamaris_t is the domain the calamaris process runs in
+
+system_domain(calamaris, `, privmail')
+
+ifdef(`crond.te', `
+system_crond_entry(calamaris_exec_t, calamaris_t)
+')
+
+allow calamaris_t { var_t var_run_t }:dir { getattr search };
+allow calamaris_t squid_log_t:dir search;
+allow calamaris_t squid_log_t:file { getattr read };
+allow calamaris_t { usr_t lib_t }:file { getattr read };
+allow calamaris_t usr_t:lnk_file { getattr read };
+dontaudit calamaris_t usr_t:file ioctl;
+
+type calamaris_www_t, file_type, sysadmfile;
+ifdef(`apache.te', `
+allow calamaris_t httpd_sys_content_t:dir search;
+')
+rw_dir_create_file(calamaris_t, calamaris_www_t)
+
+# for when squid has a different UID
+allow calamaris_t self:capability dac_override;
+
+logdir_domain(calamaris)
+
+allow calamaris_t device_t:dir search;
+allow calamaris_t devtty_t:chr_file { read write };
+
+allow calamaris_t urandom_device_t:chr_file { getattr read };
+
+allow calamaris_t self:process { fork signal_perms setsched };
+read_sysctl(calamaris_t)
+allow calamaris_t proc_t:dir search;
+allow calamaris_t proc_t:file { getattr read };
+allow calamaris_t { proc_t self }:lnk_file read;
+allow calamaris_t self:dir search;
+
+allow calamaris_t { bin_t sbin_t }:dir search;
+allow calamaris_t bin_t:lnk_file read;
+allow calamaris_t etc_runtime_t:file { getattr read };
+allow calamaris_t self:fifo_file { getattr read write ioctl };
+read_locale(calamaris_t)
+
+can_exec(calamaris_t, bin_t)
+allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
+allow calamaris_t self:udp_socket create_socket_perms;
+allow calamaris_t etc_t:file { getattr read };
+allow calamaris_t etc_t:lnk_file read;
+dontaudit calamaris_t etc_t:file ioctl;
+dontaudit calamaris_t sysadm_home_dir_t:dir { getattr search };
+can_network_server(calamaris_t)
+can_ypbind(calamaris_t)
+ifdef(`named.te', `
+can_udp_send(calamaris_t, named_t)
+can_udp_send(named_t, calamaris_t)
+')
+
+ifdef(`apache.te', `
+r_dir_file(httpd_t, calamaris_www_t)
+')
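Review bot: `can_network_server(calamaris_t)` grants server-side networking to a log-analysis script; the only network use visible in the file is the DNS exchange with named_t inside `ifdef(`named.te', ...)` and `self:udp_socket create_socket_perms`, which points to client-side resolution. If that is all it needs, a client-side macro would be narrower; if a listening socket is really required, add a comment saying which one. `system_domain(calamaris, `, privmail')` passes privmail, the attribute for domains that send mail, and that is worth one line of explanation under the `#DESC` header.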
diff --git a/mls/domains/program/unused/ciped.te b/mls/domains/program/unused/ciped.te
new file mode 100644
index 0000000..6fddf97
--- /dev/null
+++ b/mls/domains/program/unused/ciped.te
@@ -0,0 +1,32 @@
+
+
+daemon_base_domain(ciped)
+
+# for SSP
+allow ciped_t urandom_device_t:chr_file read;
+
+# cipe uses the afs3-bos port (udp 7007)
+allow ciped_t afs_bos_port_t:udp_socket name_bind;
+
+can_network_udp(ciped_t)
+can_ypbind(ciped_t)
+
+allow ciped_t devpts_t:dir search;
+allow ciped_t devtty_t:chr_file { read write };
+allow ciped_t etc_runtime_t:file { getattr read };
+allow ciped_t etc_t:file { getattr read };
+allow ciped_t proc_t:file { getattr read };
+allow ciped_t { bin_t sbin_t }:dir { getattr search read };
+allow ciped_t bin_t:lnk_file read;
+can_exec(ciped_t, { bin_t ciped_exec_t shell_exec_t })
+allow ciped_t self:fifo_file rw_file_perms;
+
+read_locale(ciped_t)
+
+allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
+allow ciped_t self:unix_dgram_socket create_socket_perms;
+allow ciped_t self:unix_stream_socket create_socket_perms;
+
+allow ciped_t random_device_t:chr_file { getattr read };
+
+dontaudit ciped_t var_t:dir search;
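Review bot: ciped.te opens with two blank lines and has no `#DESC`, author or package header, unlike the neighbouring files; add one. `can_exec(ciped_t, { bin_t ciped_exec_t shell_exec_t })` lets a domain that also holds `net_admin` and `ipc_lock` run arbitrary bin_t programs and a shell, a large surface for a VPN daemon; if this is for helper scripts the daemon invokes, name them in a comment so the grant can be checked against them later. Minor: the comment `# cipe uses the afs3-bos port (udp 7007)` ties this file to afs_bos_port_t, which is declared elsewhere in the policy; a Depends line of the kind amavis.te uses would make that explicit.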
diff --git a/mls/domains/program/unused/clamav.te b/mls/domains/program/unused/clamav.te
new file mode 100644
index 0000000..3ef34ee
--- /dev/null
+++ b/mls/domains/program/unused/clamav.te
@@ -0,0 +1,147 @@
+#DESC CLAM - Anti-virus program
+#
+# Author:  Brian May <bam@snoopy.apana.org.au>
+# X-Debian-Packages: clamav
+#
+
+#################################
+#
+# Rules for the clamscan_t domain.
+#
+
+# Virus database
+type clamav_var_lib_t, file_type, sysadmfile;
+
+# clamscan_t is the domain of the clamscan virus scanner
+type clamscan_exec_t, file_type, sysadmfile, exec_type;
+
+##########
+##########
+
+#
+# Freshclam
+#
+
+daemon_base_domain(freshclam, `, web_client_domain')
+read_locale(freshclam_t)
+
+# not sure why it needs this
+read_sysctl(freshclam_t)
+
+can_network_client_tcp(freshclam_t, http_port_t);
+allow freshclam_t http_port_t:tcp_socket name_connect;
+can_resolve(freshclam_t)
+can_ypbind(freshclam_t)
+
+# Access virus signatures
+allow freshclam_t { var_t var_lib_t }:dir search;
+rw_dir_create_file(freshclam_t, clamav_var_lib_t)
+
+allow freshclam_t devtty_t:chr_file { read write };
+allow freshclam_t devpts_t:dir search;
+allow freshclam_t etc_t:file { getattr read };
+allow freshclam_t proc_t:file { getattr read };
+
+allow freshclam_t urandom_device_t:chr_file { getattr read };
+dontaudit freshclam_t urandom_device_t:chr_file ioctl;
+
+# for nscd
+dontaudit freshclam_t var_run_t:dir search;
+
+# setuid/getuid used (although maybe not required...)
+allow freshclam_t self:capability { setgid setuid };
+
+allow freshclam_t sbin_t:dir search;
+
+# Allow notification to daemon that virus database has changed
+can_clamd_connect(freshclam)
+
+allow freshclam_t etc_runtime_t:file { read getattr };
+allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
+allow freshclam_t self:unix_dgram_socket create_socket_perms;
+allow freshclam_t self:fifo_file rw_file_perms;
+
+# Log files for freshclam executable
+logdir_domain(freshclam)
+allow initrc_t freshclam_log_t:file append;
+
+# Pid files for freshclam
+allow initrc_t clamd_var_run_t:file { create setattr };
+
+system_crond_entry(freshclam_exec_t, freshclam_t)
+domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)
+
+domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t)
+role sysadm_r types freshclam_t;
+
+create_dir_file(freshclam_t, clamd_var_run_t)
+
+##########
+##########
+
+#
+# Clamscan
+#
+
+# macros/program/clamav_macros.te.
+user_clamscan_domain(sysadm)
+
+##########
+##########
+
+#
+# Clamd
+#
+
+type clamd_sock_t, file_type, sysadmfile;
+
+# clamd executable
+daemon_domain(clamd)
+
+tmp_domain(clamd)
+
+# The dir containing the clamd log files is labelled freshclam_t
+logdir_domain(clamd)
+allow clamd_t freshclam_log_t:dir search;
+
+allow clamd_t self:capability { kill setgid setuid dac_override };
+
+# Give the clamd local communications socket a unique type
+ifdef(`distro_debian', `
+file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file)
+')
+ifdef(`distro_redhat', `
+file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file)
+')
+
+# Clamd can be configured to listen on a TCP port.
+can_network_server_tcp(clamd_t, clamd_port_t)
+allow clamd_t clamd_port_t:tcp_socket name_bind;
+can_resolve(clamd_t);
+
+allow clamd_t var_lib_t:dir search;
+r_dir_file(clamd_t, clamav_var_lib_t)
+r_dir_file(clamd_t, etc_t)
+# allow access /proc/sys/kernel/version
+read_sysctl(clamd_t)
+allow clamd_t self:unix_stream_socket create_stream_socket_perms;
+allow clamd_t self:unix_dgram_socket create_stream_socket_perms;
+allow clamd_t self:fifo_file rw_file_perms;
+
+allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read };
+dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl;
+
+
+##########
+##########
+
+#
+# Interaction with external programs
+#
+
+ifdef(`amavis.te',`
+allow amavisd_t clamd_var_run_t:dir search;
+allow amavisd_t clamd_t:unix_stream_socket connectto;
+allow amavisd_t clamd_sock_t:sock_file write;
+')
+
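Review bot: `allow clamd_t self:unix_dgram_socket create_stream_socket_perms;` applies the stream permission set (listen/accept) to a datagram socket; the freshclam rule earlier in the hunk uses `create_socket_perms` for the same socket class, which is what this one should be too. `system_crond_entry(freshclam_exec_t, freshclam_t)` is not wrapped in `ifdef(`crond.te', ...)`, unlike the same call in backup.te, calamaris.te and courier.te, so this file breaks builds that omit crond.te. Two comments do not match their rules: `# Pid files for freshclam` sits above a rule on clamd_var_run_t (and freshclam_t is later given `create_dir_file` on that same clamd type), and `# The dir containing the clamd log files is labelled freshclam_t` should read freshclam_log_t, the type actually used on the next line. Trailing semicolons on `can_network_client_tcp(freshclam_t, http_port_t);` and `can_resolve(clamd_t);` are inconsistent with the rest of the file.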
diff --git a/mls/domains/program/unused/clockspeed.te b/mls/domains/program/unused/clockspeed.te
new file mode 100644
index 0000000..f79c314
--- /dev/null
+++ b/mls/domains/program/unused/clockspeed.te
@@ -0,0 +1,26 @@
+#DESC clockspeed - Simple network time protocol client
+#
+# Author Petre Rodan <kaiowas@gentoo.org>
+#
+
+daemon_base_domain(clockspeed)
+var_lib_domain(clockspeed)
+can_network(clockspeed_t)
+allow clockspeed_t port_type:tcp_socket name_connect;
+read_locale(clockspeed_t)
+
+allow clockspeed_t self:capability { sys_time net_bind_service };
+allow clockspeed_t self:unix_dgram_socket create_socket_perms;
+allow clockspeed_t self:unix_stream_socket create_socket_perms;
+allow clockspeed_t clockspeed_port_t:udp_socket name_bind;
+allow clockspeed_t domain:packet_socket recvfrom;
+
+allow clockspeed_t var_t:dir search;
+allow clockspeed_t clockspeed_var_lib_t:file create_file_perms;
+allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms;
+
+# sysadm can play with clockspeed
+role sysadm_r types clockspeed_t;
+ifdef(`targeted_policy', `', `
+domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
+')
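Review bot: `allow clockspeed_t port_type:tcp_socket name_connect;` permits TCP connections to every labelled port from a client whose protocol is UDP (see the `clockspeed_port_t:udp_socket name_bind` rule and the #DESC line); narrow it to the port the client actually talks to, or explain in a comment why TCP to arbitrary ports is needed. `allow clockspeed_t domain:packet_socket recvfrom;` also needs a comment: receiving on packet sockets owned by any domain is an unusual grant for a time client. Style: `domain_auto_trans( sysadm_t, ...)` has a space after the opening parenthesis unlike every other call, and `# Author Petre Rodan` is missing the colon used in the other headers.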
diff --git a/mls/domains/program/unused/courier.te b/mls/domains/program/unused/courier.te
new file mode 100644
index 0000000..75e42d3
--- /dev/null
+++ b/mls/domains/program/unused/courier.te
@@ -0,0 +1,139 @@
+#DESC Courier - POP and IMAP servers
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: courier-base
+#
+
+# Type for files created during execution of courier.
+type courier_var_run_t, file_type, sysadmfile, pidfile;
+type courier_var_lib_t, file_type, sysadmfile;
+
+type courier_etc_t, file_type, sysadmfile;
+
+# allow start scripts to read the config
+allow initrc_t courier_etc_t:file r_file_perms;
+
+type courier_exec_t, file_type, sysadmfile, exec_type;
+type sqwebmail_cron_exec_t, file_type, sysadmfile, exec_type;
+
+define(`courier_domain', `
+#################################
+#
+# Rules for the courier_$1_t domain.
+#
+# courier_$1_exec_t is the type of the courier_$1 executables.
+#
+daemon_base_domain(courier_$1, `$2')
+
+allow courier_$1_t var_run_t:dir search;
+rw_dir_create_file(courier_$1_t, courier_var_run_t)
+allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
+
+# allow it to read config files etc
+allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms;
+allow courier_$1_t courier_etc_t:file r_file_perms;
+allow courier_$1_t etc_t:dir r_dir_perms;
+allow courier_$1_t etc_t:file r_file_perms;
+
+# execute scripts etc
+allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;
+allow courier_$1_t bin_t:dir r_dir_perms;
+allow courier_$1_t fs_t:filesystem getattr;
+
+# set process group and allow permissions over-ride
+allow courier_$1_t self:process setpgid;
+allow courier_$1_t self:capability dac_override;
+
+# Use the network.
+can_network_server(courier_$1_t)
+allow courier_$1_t self:fifo_file { read write getattr };
+allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
+allow courier_$1_t self:unix_dgram_socket create_socket_perms;
+
+allow courier_$1_t null_device_t:chr_file rw_file_perms;
+
+# allow it to log to /dev/tty
+allow courier_$1_t devtty_t:chr_file rw_file_perms;
+
+allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms;
+allow courier_$1_t usr_t:dir r_dir_perms;
+allow courier_$1_t root_t:dir r_dir_perms;
+can_exec(courier_$1_t, courier_$1_exec_t)
+can_exec(courier_$1_t, bin_t)
+allow courier_$1_t bin_t:dir search;
+
+allow courier_$1_t proc_t:dir r_dir_perms;
+allow courier_$1_t proc_t:file r_file_perms;
+
+')dnl
+
+courier_domain(authdaemon, `, auth_chkpwd')
+allow courier_authdaemon_t sbin_t:dir search;
+allow courier_authdaemon_t lib_t:file { read getattr };
+allow courier_authdaemon_t tmp_t:dir getattr;
+allow courier_authdaemon_t self:file { getattr read };
+read_locale(courier_authdaemon_t)
+can_exec(courier_authdaemon_t, courier_exec_t)
+dontaudit courier_authdaemon_t selinux_config_t:dir search;
+
+# for SSP
+allow courier_authdaemon_t urandom_device_t:chr_file read;
+
+# should not be needed!
+allow courier_authdaemon_t home_root_t:dir search;
+allow courier_authdaemon_t user_home_dir_type:dir search;
+dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search;
+allow courier_authdaemon_t self:unix_stream_socket connectto;
+allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+
+courier_domain(tcpd)
+allow courier_tcpd_t self:capability { kill net_bind_service };
+allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
+allow courier_tcpd_t sbin_t:dir search;
+allow courier_tcpd_t var_lib_t:dir search;
+# for TLS
+allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
+read_locale(courier_tcpd_t)
+can_exec(courier_tcpd_t, courier_exec_t)
+allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:process sigchld;
+
+can_tcp_connect(userdomain, courier_tcpd_t)
+rw_dir_create_file(courier_tcpd_t, courier_var_lib_t)
+
+# domain for pop and imap
+courier_domain(pop)
+read_locale(courier_pop_t)
+domain_auto_trans(courier_tcpd_t, courier_pop_exec_t, courier_pop_t)
+allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+domain_auto_trans(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
+allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fd use;
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+allow courier_pop_t courier_authdaemon_t:process sigchld;
+domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
+
+# inherits file handle - should it?
+allow courier_pop_t courier_var_lib_t:file { read write };
+
+# do the actual work (read the Maildir)
+# imap needs to write files
+allow courier_pop_t home_root_t:dir { getattr search };
+allow courier_pop_t user_home_dir_type:dir { getattr search };
+# pop does not need to create subdirs, IMAP does
+#rw_dir_create_file(courier_pop_t, user_home_type)
+create_dir_file(courier_pop_t, user_home_type)
+
+# for calendaring
+courier_domain(pcp)
+
+allow courier_pcp_t self:capability { setuid setgid };
+allow courier_pcp_t random_device_t:chr_file r_file_perms;
+
+# for webmail
+courier_domain(sqwebmail)
+ifdef(`crond.te', `
+system_crond_entry(sqwebmail_cron_exec_t, courier_sqwebmail_t)
+')
+read_sysctl(courier_sqwebmail_t)
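Review bot: `create_dir_file(courier_pop_t, user_home_type)` at the end of the pop/imap block grants courier_pop_t create and write access to every file type under user homes, not just the Maildir; since the comments say pop needs only read access and IMAP needs to write, and both run in this one domain, a dedicated mail-spool type (or separate pop and imap domains) would keep the grant to what the comments describe. Two comments leave open questions in shipped policy: `# should not be needed!` above the home_root_t / user_home_dir_type search rules for courier_authdaemon_t, and `# inherits file handle - should it?` above `allow courier_pop_t courier_var_lib_t:file { read write };`; either resolve them or turn the doubtful allows into dontaudit rules and note the observed denial. Minor: `allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;` duplicates what the earlier `{ unix_stream_socket tcp_socket } rw_stream_socket_perms` line already grants for the same pair.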
diff --git a/mls/domains/program/unused/daemontools.te b/mls/domains/program/unused/daemontools.te
new file mode 100644
index 0000000..b24a58c
--- /dev/null
+++ b/mls/domains/program/unused/daemontools.te
@@ -0,0 +1,203 @@
+#DESC Daemontools - Tools for managing UNIX services
+#
+# Author:  Petre Rodan <kaiowas@gentoo.org>
+# with the help of Chris PeBenito, Russell Coker and Tad Glines
+# 
+
+#
+# selinux policy for daemontools
+# http://cr.yp.to/daemontools.html
+#
+# thanks for D. J. Bernstein and the NSA team for the great software
+# they provide
+#
+
+##############################################################
+# type definitions
+
+type svc_conf_t, file_type, sysadmfile;
+type svc_log_t, file_type, sysadmfile;
+type svc_svc_t, file_type, sysadmfile;
+
+
+##############################################################
+# Macros
+define(`svc_filedir_domain', `
+create_dir_file($1, svc_svc_t)
+file_type_auto_trans($1, svc_svc_t, svc_svc_t);
+')
+
+##############################################################
+# the domains
+daemon_base_domain(svc_script)
+svc_filedir_domain(svc_script_t)
+
+# part started by initrc_t
+daemon_base_domain(svc_start)
+domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)
+svc_filedir_domain(svc_start_t)
+
+# also get here from svc_script_t
+domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
+
+# the domain for /service/*/run and /service/*/log/run
+daemon_sub_domain(svc_start_t, svc_run)
+r_dir_file(svc_run_t, svc_conf_t)
+
+# the logger
+daemon_sub_domain(svc_run_t, svc_multilog)
+file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);
+
+######
+# rules for all those domains
+
+# sysadm can tweak svc_run_exec_t files
+allow sysadm_t svc_run_exec_t:file create_file_perms;
+
+# run_init can control svc_script_t and svc_start_t domains
+domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
+domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
+allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint;
+svc_filedir_domain(initrc_t)
+
+# svc_start_t
+allow svc_start_t self:fifo_file rw_file_perms;
+allow svc_start_t self:capability kill;
+allow svc_start_t self:unix_stream_socket create_socket_perms;
+
+allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
+allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
+allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms;
+allow svc_start_t { var_t var_run_t }:dir search;
+can_exec(svc_start_t, bin_t)
+can_exec(svc_start_t, shell_exec_t)
+allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
+allow svc_start_t svc_run_t:process signal;
+dontaudit svc_start_t proc_t:file r_file_perms;
+dontaudit svc_start_t devtty_t:chr_file { read write };
+
+# svc script
+allow svc_script_t self:capability sys_admin;
+allow svc_script_t self:fifo_file { getattr read write };
+allow svc_script_t self:file r_file_perms;
+allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms;
+allow svc_script_t bin_t:lnk_file r_file_perms;
+can_exec(svc_script_t, bin_t)
+can_exec(svc_script_t, shell_exec_t)
+allow svc_script_t proc_t:file r_file_perms;
+allow svc_script_t shell_exec_t:file rx_file_perms;
+allow svc_script_t devtty_t:chr_file rw_file_perms;
+allow svc_script_t etc_runtime_t:file r_file_perms;
+allow svc_script_t svc_run_exec_t:file r_file_perms;
+allow svc_script_t svc_script_exec_t:file execute_no_trans;
+allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
+allow svc_script_t sysctl_kernel_t:file r_file_perms;
+
+# svc_run_t
+allow svc_run_t self:capability { setgid setuid chown fsetid };
+allow svc_run_t self:fifo_file rw_file_perms;
+allow svc_run_t self:file r_file_perms;
+allow svc_run_t self:process { fork setrlimit };
+allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+allow svc_run_t svc_svc_t:dir r_dir_perms;
+allow svc_run_t svc_svc_t:file r_file_perms;
+allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
+allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
+allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
+allow svc_run_t { var_t var_run_t }:dir search;
+can_exec(svc_run_t, etc_t)
+can_exec(svc_run_t, lib_t)
+can_exec(svc_run_t, bin_t)
+can_exec(svc_run_t, sbin_t)
+can_exec(svc_run_t, ls_exec_t)
+can_exec(svc_run_t, shell_exec_t)
+allow svc_run_t devtty_t:chr_file rw_file_perms;
+allow svc_run_t etc_runtime_t:file r_file_perms;
+allow svc_run_t exec_type:{ file lnk_file } getattr;
+allow svc_run_t init_t:fd use;
+allow svc_run_t initrc_t:fd use;
+allow svc_run_t proc_t:file r_file_perms;
+allow svc_run_t sysctl_t:dir search;
+allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
+allow svc_run_t sysctl_kernel_t:file r_file_perms;
+allow svc_run_t var_lib_t:dir r_dir_perms;
+
+# multilog creates /service/*/log/status
+allow svc_multilog_t svc_svc_t:dir { read search };
+allow svc_multilog_t svc_svc_t:file { append write };
+# writes to /var/log/*/*
+allow svc_multilog_t var_t:dir search;
+allow svc_multilog_t var_log_t:dir create_dir_perms;
+allow svc_multilog_t var_log_t:file create_file_perms;
+# misc
+allow svc_multilog_t init_t:fd use;
+allow svc_start_t svc_multilog_t:process signal;
+svc_ipc_domain(svc_multilog_t)
+
+################################################################
+# scripts that can be started by daemontools
+# keep it sorted please.
+
+ifdef(`apache.te', `
+domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t)
+svc_ipc_domain(httpd_t)
+dontaudit httpd_t svc_svc_t:dir { search };
+')
+
+ifdef(`clamav.te', `
+domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t)
+svc_ipc_domain(clamd_t)
+')
+
+ifdef(`clockspeed.te', `
+domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
+svc_ipc_domain(clockspeed_t)
+r_dir_file(svc_run_t, clockspeed_var_lib_t)
+allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr };
+')
+
+ifdef(`dante.te', `
+domain_auto_trans( svc_run_t, dante_exec_t, dante_t);
+svc_ipc_domain(dante_t)
+')
+
+ifdef(`publicfile.te', `
+svc_ipc_domain(publicfile_t)
+')
+
+ifdef(`qmail.te', `
+allow svc_run_t qmail_start_exec_t:file rx_file_perms;
+domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
+r_dir_file(svc_run_t, qmail_etc_t)
+svc_ipc_domain(qmail_send_t)
+svc_ipc_domain(qmail_start_t)
+svc_ipc_domain(qmail_queue_t)
+svc_ipc_domain(qmail_smtpd_t)
+')
+
+ifdef(`rsyncd.te', `
+domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t)
+svc_ipc_domain(rsyncd_t)
+')
+
+ifdef(`spamd.te', `
+domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t)
+svc_ipc_domain(spamd_t)
+')
+
+ifdef(`ssh.te', `
+domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
+svc_ipc_domain(sshd_t)
+')
+
+ifdef(`stunnel.te', `
+domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t)
+svc_ipc_domain(stunnel_t)
+')
+
+ifdef(`ucspi-tcp.te', `
+domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
+allow svc_run_t utcpserver_t:process { signal };
+svc_ipc_domain(utcpserver_t)
+')
+
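Review bot: `allow svc_script_t self:capability sys_admin;` in the svc_script_t block grants the broadest capability there is with no comment saying which operation needs it; in the same spirit, `can_exec(svc_run_t, etc_t)` and `can_exec(svc_run_t, lib_t)` in the svc_run_t block let the supervisor run anything labelled etc_t or lib_t, which is far wider than the bin_t/sbin_t/shell_exec_t entries next to them. Please either document the concrete need for each or drop them, since svc_run_t is the domain every daemontools-managed service transitions out of. Two smaller points in the per-service section: `domain_auto_trans( svc_run_t, dante_exec_t, dante_t);` carries a trailing `;` and a stray space after the paren that the other entries do not (same spacing in the clockspeed and stunnel entries), and the publicfile entry has only `svc_ipc_domain(publicfile_t)` with no transition from svc_run_t; if publicfile is started under utcpserver rather than directly by svc_run_t, a one-line comment saying so would stop the next reader from "fixing" it.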
diff --git a/mls/domains/program/unused/dante.te b/mls/domains/program/unused/dante.te
new file mode 100644
index 0000000..70885ab
--- /dev/null
+++ b/mls/domains/program/unused/dante.te
@@ -0,0 +1,23 @@
+#DESC dante - socks daemon
+#
+# Author: petre rodan <kaiowas@gentoo.org>
+#
+
+type dante_conf_t, file_type, sysadmfile;
+
+daemon_domain(dante)
+can_network_server(dante_t)
+
+allow dante_t self:fifo_file { read write };
+allow dante_t self:capability { setuid setgid };
+allow dante_t self:unix_dgram_socket { connect create write };
+allow dante_t self:unix_stream_socket { connect create read setopt write };
+allow dante_t self:tcp_socket connect;
+
+allow dante_t socks_port_t:tcp_socket name_bind;
+
+allow dante_t { etc_t etc_runtime_t }:file r_file_perms;
+r_dir_file(dante_t, dante_conf_t)
+
+allow dante_t initrc_var_run_t:file { getattr write };
+
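Review bot: `allow dante_t initrc_var_run_t:file { getattr write };` lets the SOCKS daemon write into files of the init script's run-time type rather than a type of its own; other daemons in this patch get a private run-time type via `var_run_domain(...)`, and the same should apply here so dante cannot touch other services' pid files. Also, a SOCKS proxy makes outbound TCP connections on behalf of its clients, yet this hunk only has `can_network_server(dante_t)` and `allow dante_t self:tcp_socket connect;`; unless that macro already covers it, the `port_type:tcp_socket name_connect` rule used for ddclient and the djbdns daemons elsewhere in this patch is missing here, and the author should confirm which destination port types are really intended before granting all of `port_type`.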
diff --git a/mls/domains/program/unused/dcc.te b/mls/domains/program/unused/dcc.te
new file mode 100644
index 0000000..4db79d0
--- /dev/null
+++ b/mls/domains/program/unused/dcc.te
@@ -0,0 +1,251 @@
+#
+# DCC - Distributed Checksum Clearinghouse
+# Author:  David Hampton <hampton@employees.org>
+#
+#
+# NOTE: DCC has writeable files in /etc/dcc that should probably be in
+# /var/lib/dcc.  For now this policy supports both directories being
+# writable.
+
+# Files common to all dcc programs
+type dcc_client_map_t, file_type, sysadmfile;
+type dcc_var_t, file_type, sysadmfile;
+type dcc_var_run_t, file_type, sysadmfile;
+
+
+##########
+##########
+
+#
+# common to all dcc variants
+#
+define(`dcc_common',`
+# Access files in /var/dcc. The map file can be updated
+r_dir_file($1_t, dcc_var_t)
+allow $1_t dcc_client_map_t:file rw_file_perms;
+
+# Read mtab, nsswitch and locale
+allow $1_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale($1_t)
+
+#Networking
+can_resolve($1_t)
+ifelse($2, `server', `
+can_network_udp($1_t)
+', `
+can_network_udp($1_t, `dcc_port_t')
+')
+allow $1_t self:unix_dgram_socket create_socket_perms;
+
+# Create private temp files
+tmp_domain($1)
+
+# Triggered by a call to gethostid(2) in dcc client libs
+allow $1_t self:unix_stream_socket { connect create };
+
+allow $1_t sysadm_su_t:process { sigchld };
+allow $1_t dcc_script_t:fd use;
+
+dontaudit $1_t kernel_t:fd use;
+dontaudit $1_t root_t:file read;
+')
+
+allow initrc_t dcc_var_run_t:dir rw_dir_perms;
+
+
+##########
+##########
+
+#
+# dccd - Server daemon that can be accessed over the net
+#
+daemon_domain(dccd, `, privlog, nscd_client_domain')
+dcc_common(dccd, server);
+
+# Runs the dbclean program
+allow dccd_t bin_t:dir search;
+domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
+
+# The daemon needs to listen on the dcc ports
+allow dccd_t dcc_port_t:udp_socket name_bind;
+
+# Updating dcc_db, flod, ...
+create_dir_file(dccd_t, dcc_var_t);
+
+allow dccd_t self:capability net_admin;
+allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+
+# Reading /proc/meminfo
+allow dccd_t proc_t:file { getattr read };
+
+
+#
+# cdcc - control dcc daemon
+#
+application_domain(cdcc, `, nscd_client_domain')
+role system_r types cdcc_t;
+dcc_common(cdcc)
+
+# suid program
+allow cdcc_t self:capability setuid;
+
+# Running from the command line
+allow cdcc_t sshd_t:fd use;
+allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms;
+
+
+
+##########
+##########
+
+#
+# DCC Clients
+#
+
+#
+# dccifd  - Spamassassin and general MTA persistent client
+#
+daemon_domain(dccifd, `, privlog, nscd_client_domain')
+dcc_common(dccifd);
+file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file)
+
+# Allow the domain to communicate with other processes
+allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
+
+# Updating dcc_db, flod, ...
+create_dir_notdevfile(dccifd_t, dcc_var_t);
+
+# Updating map, ...
+allow dccifd_t dcc_client_map_t:file rw_file_perms;
+
+# dccifd communications socket
+type dccifd_sock_t, file_type, sysadmfile;
+file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file)
+
+# Reading /proc/meminfo
+allow dccifd_t proc_t:file { getattr read };
+
+
+#
+# dccm  - sendmail milter client
+#
+daemon_domain(dccm, `, privlog, nscd_client_domain')
+dcc_common(dccm);
+file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file)
+
+# Allow the domain to communicate with other processes
+allow dccm_t self:unix_stream_socket create_stream_socket_perms;
+
+# Updating map, ...
+create_dir_notdevfile(dccm_t, dcc_var_t);
+allow dccm_t dcc_client_map_t:file rw_file_perms;
+
+# dccm communications socket
+type dccm_sock_t, file_type, sysadmfile;
+file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file)
+
+
+#
+# dccproc - dcc procmail interface
+#
+application_domain(dcc_client, `, privlog, nscd_client_domain')
+role system_r types dcc_client_t;
+dcc_common(dcc_client)
+
+# suid program
+allow dcc_client_t self:capability setuid;
+
+# Running from the command line
+allow dcc_client_t sshd_t:fd use;
+allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms;
+
+
+##########
+##########
+
+#
+# DCC Utilities
+#
+
+#
+# dbclean - database cleanup tool
+#
+application_domain(dcc_dbclean, `, nscd_client_domain')
+role system_r types dcc_dbclean_t;
+dcc_common(dcc_dbclean)
+
+# Updating various files.
+create_dir_file(dcc_dbclean_t, dcc_var_t);
+
+# wants to look at /proc/meminfo
+allow dcc_dbclean_t proc_t:dir search;
+allow dcc_dbclean_t proc_t:file { getattr read };
+
+# Running from the command line
+allow dcc_dbclean_t sshd_t:fd use;
+allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms;
+
+##########
+##########
+
+#
+# DCC Startup scripts
+#
+# These are shell sccripts that start/stop/restart the various dcc
+# programs.
+#
+init_service_domain(dcc_script, `, nscd_client_domain')
+general_domain_access(dcc_script_t)
+general_proc_read_access(dcc_script_t)
+can_exec_any(dcc_script_t)
+dcc_common(dcc_script)
+
+# Allow calling the script from an init script (initrt_t)
+domain_auto_trans(initrc_t, dcc_script_exec_t, dcc_script_t)
+
+# Start up the daemon process.  These scripts run 'su' to change to
+# the dcc user (even though the default dcc user is root).
+allow dcc_script_t self:capability setuid;
+su_restricted_domain(dcc_script, system)
+role system_r types dcc_script_su_t;
+domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t)
+domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t)
+domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t)
+
+# Stop the daemon process
+allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal };
+
+# Access various DCC files
+allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search };
+allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read };
+
+allow { dcc_script_t dcc_script_su_t } initrc_t:fd use;
+allow { dcc_script_t dcc_script_su_t } devpts_t:dir search;
+allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms;
+allow dcc_script_t devtty_t:chr_file { read write };
+allow dcc_script_su_t sysadm_home_dir_t:dir search;
+allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };
+allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto };
+
+dontaudit dcc_script_su_t kernel_t:fd use;
+dontaudit dcc_script_su_t root_t:file read;
+dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search };
+
+allow sysadm_t dcc_script_t:fd use;
+
+##########
+##########
+
+#
+# External spam checkers need to run and/or talk to DCC
+#
+define(`access_dcc',`
+domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t);
+allow $1_t dcc_var_t:dir search;
+allow $1_t dccifd_sock_t:sock_file { getattr write };
+allow $1_t dccifd_t:unix_stream_socket connectto;
+allow $1_t dcc_script_t:unix_stream_socket connectto;
+')
+
+ifdef(`amavis.te',`access_dcc(amavisd)')
+ifdef(`spamd.te',`access_dcc(spamd)')
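Review bot: `allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };` in the startup-script block lets the su helper enter the full sysadm_t domain, which is a much bigger grant than the three `domain_auto_trans(dcc_script_su_t, ..._exec_t, ..._t)` rules just above it that already take the script into the daemon domains; given that the comment says the default dcc user is root, please either drop `transition` or state why the su step must be able to land in sysadm_t. Two comment typos in the same block: "shell sccripts" should read "shell scripts", and "(initrt_t)" should be "(initrc_t)" to match the rule below it. Style: `{ var_t var_run_t dcc_var_run_t}` and `{ home_root_t user_home_dir_t}` are missing the space before `}`, and the macro calls are inconsistent about trailing semicolons (`dcc_common(dccd, server);` versus `dcc_common(cdcc)`).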
diff --git a/mls/domains/program/unused/ddclient.te b/mls/domains/program/unused/ddclient.te
new file mode 100644
index 0000000..29255f3
--- /dev/null
+++ b/mls/domains/program/unused/ddclient.te
@@ -0,0 +1,44 @@
+#DESC ddclient - Update dynamic IP address at DynDNS.org
+#
+# Author: Greg Norris <haphazard@kc.rr.com>
+# X-Debian-Packages: ddclient
+#
+
+#################################
+#
+# Rules for the ddclient_t domain.
+#
+daemon_domain(ddclient);
+type ddclient_etc_t, file_type, sysadmfile;
+type ddclient_var_t, file_type, sysadmfile;
+log_domain(ddclient)
+var_lib_domain(ddclient)
+
+base_file_read_access(ddclient_t)
+can_exec(ddclient_t, { shell_exec_t bin_t })
+
+# ddclient can be launched by pppd
+ifdef(`pppd.te',`domain_auto_trans(pppd_t, ddclient_exec_t, ddclient_t)')
+
+# misc. requirements
+allow ddclient_t self:fifo_file rw_file_perms;
+allow ddclient_t self:socket create_socket_perms;
+allow ddclient_t etc_t:file { getattr read };
+allow ddclient_t etc_runtime_t:file r_file_perms;
+allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans };
+allow ddclient_t urandom_device_t:chr_file read;
+general_proc_read_access(ddclient_t)
+allow ddclient_t sysctl_net_t:dir search;
+
+# network-related goodies
+can_network_client(ddclient_t)
+allow ddclient_t port_type:tcp_socket name_connect;
+allow ddclient_t self:unix_dgram_socket create_socket_perms;
+allow ddclient_t self:unix_stream_socket create_socket_perms;
+
+# allow access to ddclient.conf and ddclient.cache
+allow ddclient_t ddclient_etc_t:file r_file_perms;
+file_type_auto_trans(ddclient_t, var_t, ddclient_var_t)
+dontaudit ddclient_t devpts_t:dir search;
+dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms;
+dontaudit httpd_t selinux_config_t:dir search;
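Review bot: the last line, `dontaudit httpd_t selinux_config_t:dir search;`, references httpd_t from ddclient.te without an `ifdef(`apache.te', ...)` guard, so the policy will fail to build when the apache policy is not included, and the rule has nothing to do with ddclient in any case; move it to apache.te or wrap it in the guard. Minor: `daemon_domain(ddclient);` has a trailing `;` that the other macro calls in this file omit.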
diff --git a/mls/domains/program/unused/distcc.te b/mls/domains/program/unused/distcc.te
new file mode 100644
index 0000000..56034f9
--- /dev/null
+++ b/mls/domains/program/unused/distcc.te
@@ -0,0 +1,34 @@
+#DESC distcc - Distributed compiler daemon
+#
+# Author: Chris PeBenito <pebenito@gentoo.org>
+#
+
+daemon_domain(distccd)
+can_network_server(distccd_t)
+can_ypbind(distccd_t)
+log_domain(distccd)
+tmp_domain(distccd)
+
+allow distccd_t distccd_port_t:tcp_socket name_bind;
+allow distccd_t self:capability { setgid setuid };
+
+# distccd can renice
+allow distccd_t self:process setsched;
+
+# compiler stuff
+allow distccd_t { bin_t sbin_t }:dir { search getattr };
+allow distccd_t { bin_t sbin_t }:lnk_file { getattr read };
+can_exec(distccd_t,bin_t)
+can_exec(distccd_t,lib_t)
+
+# comm stuff
+allow distccd_t net_conf_t:file r_file_perms;
+allow distccd_t self:{ unix_stream_socket unix_dgram_socket } { create connect read write };
+allow distccd_t self:fifo_file { read write getattr };
+
+# config access
+allow distccd_t { etc_t etc_runtime_t }:file r_file_perms;
+allow distccd_t proc_t:file r_file_perms;
+
+allow distccd_t var_t:dir search;
+allow distccd_t admin_tty_type:chr_file { ioctl read write };
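Review bot: `allow distccd_t admin_tty_type:chr_file { ioctl read write };` gives a network-facing daemon read/write on administrator terminals; the ddclient hunk in this same patch uses `dontaudit` for the equivalent tty access, and that is the right approach here too unless distccd genuinely needs to write to a tty. Along the same lines, `can_exec(distccd_t,lib_t)` together with `can_exec(distccd_t,bin_t)` lets remote compile jobs cause execution of anything under lib_t; a comment naming which compiler helpers live there would justify the grant, and the calls are missing the space after the comma used everywhere else in the patch.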
diff --git a/mls/domains/program/unused/djbdns.te b/mls/domains/program/unused/djbdns.te
new file mode 100644
index 0000000..3e11395
--- /dev/null
+++ b/mls/domains/program/unused/djbdns.te
@@ -0,0 +1,46 @@
+# DESC selinux policy for djbdns
+# http://cr.yp.to/djbdns.html
+#
+# Author:  petre rodan <kaiowas@gentoo.org>
+#
+# this policy depends on ucspi-tcp and daemontools policies
+#
+
+ifdef(`daemontools.te', `
+ifdef(`ucspi-tcp.te', `
+
+define(`djbdns_daemon_domain', `
+type djbdns_$1_conf_t, file_type, sysadmfile;
+daemon_domain(djbdns_$1)
+domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)
+svc_ipc_domain(djbdns_$1_t)
+can_network(djbdns_$1_t)
+allow djbdns_$1_t port_type:tcp_socket name_connect;
+allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind;
+allow djbdns_$1_t port_t:udp_socket name_bind;
+r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
+allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
+allow djbdns_$1_t svc_svc_t:dir r_dir_perms;
+')
+
+define(`djbdns_tcpserver_domain', `
+type djbdns_$1_conf_t, file_type, sysadmfile;
+daemon_domain(djbdns_$1)
+domain_auto_trans(utcpserver_t, djbdns_$1_exec_t, djbdns_$1_t)
+svc_ipc_domain(djbdns_$1_t)
+allow utcpserver_t dns_port_t:{ udp_socket tcp_socket } name_bind;
+r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
+allow djbdns_$1_t utcpserver_t:tcp_socket { read write };
+')
+
+djbdns_daemon_domain(dnscache)
+# read seed file
+allow djbdns_dnscache_t svc_svc_t:file r_file_perms;
+
+djbdns_daemon_domain(tinydns)
+
+djbdns_tcpserver_domain(axfrdns)
+r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)
+
+') dnl ifdef ucspi-tcp.te
+') dnl ifdef daemontools.te
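Review bot: `r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)` passes a process domain as the second argument; the file type the `djbdns_daemon_domain` macro declares for tinydns is `djbdns_tinydns_conf_t`, and since axfrdns needs to read tinydns's data directory that is almost certainly the intended type, so this line should read `r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_conf_t)`. Also, `allow djbdns_$1_t port_type:tcp_socket name_connect;` and `allow djbdns_$1_t port_t:udp_socket name_bind;` apply to every daemon created by the macro, including tinydns, which only serves; consider keeping those two rules out of the macro and granting them only to dnscache, which is the one that makes outbound queries. Style: `domain_auto_trans( svc_run_t, ...` has a stray space after the paren.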
diff --git a/mls/domains/program/unused/dnsmasq.te b/mls/domains/program/unused/dnsmasq.te
new file mode 100644
index 0000000..bdef592
--- /dev/null
+++ b/mls/domains/program/unused/dnsmasq.te
@@ -0,0 +1,38 @@
+#DESC dnsmasq - DNS forwarder and DHCP server
+#
+# Author: Greg Norris <haphazard@kc.rr.com>
+# X-Debian-Packages: dnsmasq
+#
+
+#################################
+#
+# Rules for the dnsmasq_t domain.
+#
+daemon_domain(dnsmasq);
+type dnsmasq_lease_t, file_type, sysadmfile;
+
+# misc. requirements
+allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
+allow dnsmasq_t urandom_device_t:chr_file read;
+
+# network-related goodies
+can_network_server(dnsmasq_t)
+can_ypbind(dnsmasq_t)
+allow dnsmasq_t self:packet_socket create_socket_perms;
+allow dnsmasq_t self:rawip_socket create_socket_perms;
+allow dnsmasq_t self:unix_dgram_socket create_socket_perms;
+allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms;
+
+# UDP ports 53 and 67
+allow dnsmasq_t dhcpd_port_t:udp_socket name_bind;
+allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind;
+
+# By default, dnsmasq binds to the wildcard address to listen for DNS requests.
+# Comment out the following entry if you do not want to allow this behaviour.
+allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind;
+
+# allow access to dnsmasq.conf
+allow dnsmasq_t etc_t:file r_file_perms;
+
+# dhcp leases
+file_type_auto_trans(dnsmasq_t, var_lib_t, dnsmasq_lease_t, file)
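Review bot: the comment "UDP ports 53 and 67" does not match the rules under it: `allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind;` also grants TCP 53, so the comment should say so, and the wildcard-bind note above `allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind;` should state whether the TCP listener is expected to bind the same way. Minor: `daemon_domain(dnsmasq);` has a trailing `;` unlike the other macro calls.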
diff --git a/mls/domains/program/unused/dpkg.te b/mls/domains/program/unused/dpkg.te
new file mode 100644
index 0000000..4feb508
--- /dev/null
+++ b/mls/domains/program/unused/dpkg.te
@@ -0,0 +1,414 @@
+#DESC Dpkg - Debian package manager
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: dpkg
+#
+
+#################################
+#
+# Rules for the dpkg_t domain.
+#
+type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule;
+type dpkg_exec_t, file_type, sysadmfile, exec_type;
+type dpkg_var_lib_t, file_type, sysadmfile;
+type dpkg_etc_t, file_type, sysadmfile, usercanread;
+type dpkg_lock_t, file_type, sysadmfile;
+type debconf_cache_t, file_type, sysadmfile;
+
+tmp_domain(dpkg)
+can_setfscreate(dpkg_t)
+can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t })
+
+ifdef(`load_policy.te', `
+domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
+')
+ifdef(`rlogind.te', `
+# for ssh
+can_exec(dpkg_t, rlogind_exec_t)
+')
+can_exec(dpkg_t, { init_exec_t etc_t })
+ifdef(`hostname.te', `
+can_exec(dpkg_t, hostname_exec_t)
+')
+ifdef(`mta.te', `
+allow system_mail_t dpkg_tmp_t:file { getattr read };
+')
+ifdef(`logrotate.te', `
+allow logrotate_t dpkg_var_lib_t:file create_file_perms;
+')
+
+# for open office
+can_exec(dpkg_t, usr_t)
+
+allow { dpkg_t apt_t install_menu_t } urandom_device_t:chr_file read;
+
+# for upgrading policycoreutils and loading policy
+allow dpkg_t security_t:dir { getattr search };
+allow dpkg_t security_t:file { getattr read };
+
+ifdef(`setfiles.te',
+`domain_auto_trans(dpkg_t, setfiles_exec_t, setfiles_t)')
+ifdef(`nscd.te', `domain_auto_trans(dpkg_t, nscd_exec_t, nscd_t)')
+ifdef(`modutil.te', `
+domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t)
+domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t)
+
+# for touch
+allow initrc_t modules_dep_t:file write;
+')
+ifdef(`ipsec.te', `
+allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use;
+allow ipsec_mgmt_t dpkg_t:fifo_file write;
+allow ipsec_mgmt_t dpkg_tmp_t:file { getattr write };
+allow ipsec_t dpkg_t:fifo_file { read write };
+domain_auto_trans(dpkg_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+')
+ifdef(`cardmgr.te', `
+allow cardmgr_t dpkg_t:fd use;
+allow cardmgr_t dpkg_t:fifo_file write;
+domain_auto_trans(dpkg_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
+# for start-stop-daemon
+allow dpkg_t cardmgr_t:process signull;
+')
+ifdef(`mount.te', `
+domain_auto_trans(dpkg_t, mount_exec_t, mount_t)
+')
+ifdef(`mozilla.te', `
+# hate to do this, for mozilla install scripts
+can_exec(dpkg_t, mozilla_exec_t)
+')
+ifdef(`postfix.te', `
+domain_auto_trans(dpkg_t, postfix_master_exec_t, postfix_master_t)
+')
+ifdef(`apache.te', `
+domain_auto_trans(dpkg_t, httpd_exec_t, httpd_t)
+')
+ifdef(`named.te', `
+file_type_auto_trans(dpkg_t, named_zone_t, named_conf_t, file)
+')
+ifdef(`nsd.te', `
+allow nsd_crond_t initrc_t:fd use;
+allow nsd_crond_t initrc_devpts_t:chr_file { read write };
+domain_auto_trans(dpkg_t, nsd_exec_t, nsd_crond_t)
+')
+# because the syslogd package is broken and does not use the start scripts
+ifdef(`klogd.te', `
+domain_auto_trans(dpkg_t, klogd_exec_t, klogd_t)
+')
+ifdef(`syslogd.te', `
+domain_auto_trans(dpkg_t, syslogd_exec_t, syslogd_t)
+allow system_crond_t syslogd_t:dir search;
+allow system_crond_t syslogd_t:file { getattr read };
+allow system_crond_t syslogd_t:process signal;
+')
+# mysqld is broken too
+ifdef(`mysqld.te', `
+domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t)
+can_unix_connect(dpkg_t, mysqld_t)
+allow mysqld_t dpkg_tmp_t:file { getattr read };
+')
+ifdef(`postgresql.te', `
+# because postgresql postinst creates scripts in /tmp and then runs them
+# also the init scripts do more than they should
+allow { initrc_t postgresql_t } dpkg_tmp_t:file write;
+# for "touch" when it tries to create the log file
+# this works for upgrades, maybe we should allow create access for first install
+allow initrc_t postgresql_log_t:file { write setattr };
+# for dumpall
+can_exec(postgresql_t, postgresql_db_t)
+')
+ifdef(`sysstat.te', `
+domain_auto_trans(dpkg_t, sysstat_exec_t, sysstat_t)
+')
+ifdef(`rpcd.te', `
+allow rpcd_t dpkg_t:fd use;
+allow rpcd_t dpkg_t:fifo_file { read write };
+')
+ifdef(`load_policy.te', `
+allow load_policy_t initrc_t:fifo_file { read write };
+')
+ifdef(`checkpolicy.te', `
+domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t)
+role system_r types checkpolicy_t;
+allow checkpolicy_t initrc_t:fd use;
+allow checkpolicy_t initrc_t:fifo_file write;
+allow checkpolicy_t initrc_devpts_t:chr_file { read write };
+')
+ifdef(`amavis.te', `
+r_dir_file(initrc_t, dpkg_var_lib_t)
+')
+ifdef(`nessusd.te', `
+domain_auto_trans(dpkg_t, nessusd_exec_t, nessusd_t)
+')
+ifdef(`crack.te', `
+allow crack_t initrc_t:fd use;
+domain_auto_trans(dpkg_t, crack_exec_t, crack_t)
+')
+ifdef(`xdm.te', `
+domain_auto_trans(dpkg_t, xserver_exec_t, xdm_xserver_t)
+')
+ifdef(`clamav.te', `
+domain_auto_trans(dpkg_t, freshclam_exec_t, freshclam_t)
+')
+ifdef(`squid.te', `
+domain_auto_trans(dpkg_t, squid_exec_t, squid_t)
+')
+ifdef(`useradd.te', `
+domain_auto_trans(dpkg_t, useradd_exec_t, useradd_t)
+domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t)
+role system_r types { useradd_t groupadd_t };
+')
+ifdef(`passwd.te', `
+domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t)
+')
+ifdef(`ldconfig.te', `
+domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t)
+')
+ifdef(`portmap.te', `
+# for pmap_dump
+domain_auto_trans(dpkg_t, portmap_exec_t, portmap_t)
+')
+
+# for apt
+type apt_t, domain, admin, privmail, web_client_domain;
+type apt_exec_t, file_type, sysadmfile, exec_type;
+type apt_var_lib_t, file_type, sysadmfile;
+type var_cache_apt_t, file_type, sysadmfile;
+etcdir_domain(apt)
+type apt_rw_etc_t, file_type, sysadmfile;
+tmp_domain(apt, `', `{ dir file lnk_file }')
+can_exec(apt_t, apt_tmp_t)
+ifdef(`crond.te', `
+allow system_crond_t apt_etc_t:file { getattr read };
+')
+
+rw_dir_create_file(apt_t, apt_rw_etc_t)
+
+allow { apt_t dpkg_t install_menu_t } device_t:dir { getattr search };
+
+dontaudit apt_t var_log_t:dir getattr;
+dontaudit apt_t var_run_t:dir search;
+
+# for rc files such as ~/.less
+r_dir_file(apt_t, sysadm_home_t)
+allow apt_t sysadm_home_dir_t:dir { search getattr };
+
+allow apt_t bin_t:lnk_file r_file_perms;
+
+rw_dir_create_file(apt_t, debconf_cache_t)
+r_dir_file(userdomain, debconf_cache_t)
+
+# for python
+read_sysctl(apt_t)
+read_sysctl(dpkg_t)
+
+allow dpkg_t console_device_t:chr_file rw_file_perms;
+
+allow apt_t self:unix_stream_socket create_socket_perms;
+
+allow dpkg_t domain:dir r_dir_perms;
+allow dpkg_t domain:{ file lnk_file } r_file_perms;
+
+# for shared objects that are not yet labelled (upgrades)
+allow { apt_t dpkg_t } lib_t:file execute;
+
+# when dpkg runs postinst scripts run them in initrc_t domain so that the
+# daemons are started in the correct context
+domain_auto_trans(dpkg_t, initrc_exec_t, initrc_t)
+
+ifdef(`bootloader.te', `
+domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t)
+# for mkinitrd
+can_exec(bootloader_t, dpkg_exec_t)
+# for lilo to run dpkg
+allow bootloader_t dpkg_etc_t:file { getattr read };
+')
+
+# for kernel-image postinst
+dontaudit dpkg_t fixed_disk_device_t:blk_file read;
+
+# for /usr/lib/dpkg/controllib.pl calling getpwnam(3)
+dontaudit dpkg_t shadow_t:file { getattr read };
+
+# allow user domains to execute dpkg
+allow userdomain dpkg_exec_t:dir r_dir_perms;
+can_exec(userdomain, { dpkg_exec_t apt_exec_t })
+
+# allow everyone to read dpkg database
+allow userdomain var_lib_t:dir search;
+r_dir_file({ apt_t userdomain }, { dpkg_var_lib_t apt_var_lib_t var_cache_apt_t })
+
+# for /var/lib/dpkg/lock
+rw_dir_create_file(apt_t, dpkg_var_lib_t)
+
+ifdef(`crond.te', `
+rw_dir_create_file(system_crond_t, dpkg_var_lib_t)
+allow system_crond_t dpkg_etc_t:file r_file_perms;
+
+# for Debian cron job
+create_dir_file(system_crond_t, tetex_data_t)
+can_exec(dpkg_t, tetex_data_t)
+')
+
+r_dir_file(install_menu_t, { var_lib_t dpkg_var_lib_t lib_t })
+allow install_menu_t initrc_t:fifo_file { read write };
+allow { apt_t install_menu_t userdomain } dpkg_etc_t:file r_file_perms;
+can_exec(sysadm_t, dpkg_etc_t)
+
+# Inherit and use descriptors from open_init_pty
+allow { apt_t dpkg_t install_menu_t } initrc_t:fd use;
+dontaudit dpkg_t privfd:fd use;
+allow { apt_t dpkg_t install_menu_t } devpts_t:dir search;
+allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms;
+
+allow ifconfig_t dpkg_t:fd use;
+allow ifconfig_t dpkg_t:fifo_file { read write };
+
+uses_shlib({ dpkg_t apt_t })
+allow dpkg_t proc_t:dir r_dir_perms;
+allow dpkg_t proc_t:{ file lnk_file } r_file_perms;
+allow dpkg_t fs_t:filesystem getattr;
+
+allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource mknod linux_immutable };
+
+# for fgconsole - need policy for it
+allow dpkg_t self:capability sys_tty_config;
+
+allow dpkg_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_t self:unix_stream_socket create_stream_socket_perms;
+can_unix_connect(dpkg_t, self)
+allow dpkg_t self:unix_dgram_socket sendto;
+allow dpkg_t self:unix_stream_socket connect;
+
+allow { dpkg_t apt_t } devtty_t:chr_file rw_file_perms;
+allow { dpkg_t apt_t } sysadm_tty_device_t:chr_file rw_file_perms;
+
+# dpkg really needs to be able to kill any process, unfortunate but true
+allow dpkg_t domain:process signal;
+allow dpkg_t sysadm_t:process sigchld;
+allow dpkg_t self:process { setpgid signal_perms fork getsched };
+
+# read/write/create any files in the system
+allow dpkg_t sysadmfile:dir create_dir_perms;
+allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms;
+allow dpkg_t sysadmfile:lnk_file create_lnk_perms;
+allow dpkg_t device_type:{ chr_file blk_file } getattr;
+dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
+allow dpkg_t proc_kmsg_t:file getattr;
+allow dpkg_t fs_type:dir getattr;
+
+# allow compiling and loading new policy
+create_dir_file(dpkg_t, { policy_src_t policy_config_t })
+
+# change to the apt_t domain on exec from dpkg_t (dselect)
+domain_auto_trans(dpkg_t, apt_exec_t, apt_t)
+
+# allow apt to change /var/lib/apt files
+allow apt_t { apt_var_lib_t var_cache_apt_t }:dir rw_dir_perms;
+allow apt_t { apt_var_lib_t var_cache_apt_t }:file create_file_perms;
+
+# allow apt to create /usr/lib/site-python/DebianControlParser.pyc
+rw_dir_create_file(apt_t, lib_t)
+
+# for apt-listbugs
+allow apt_t usr_t:file { getattr read ioctl };
+allow apt_t usr_t:lnk_file read;
+
+# allow /var/cache/apt/archives to be owned by non-root
+allow apt_t self:capability { chown dac_override fowner fsetid };
+
+can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t })
+allow apt_t { bin_t sbin_t }:dir search;
+allow apt_t self:process { signal sigchld fork };
+allow apt_t sysadm_t:process sigchld;
+can_network({ apt_t dpkg_t })
+allow { apt_t dpkg_t } port_type:tcp_socket name_connect;
+can_ypbind({ apt_t dpkg_t })
+
+allow { apt_t dpkg_t } var_t:dir { search getattr };
+dontaudit apt_t { fs_type file_type }:dir getattr;
+allow { apt_t dpkg_t } { var_lib_t bin_t }:dir r_dir_perms;
+
+allow { apt_t dpkg_t } dpkg_lock_t:file { setattr rw_file_perms };
+
+# for /proc/meminfo and for "ps"
+allow apt_t { proc_t apt_t }:dir r_dir_perms;
+allow apt_t { proc_t apt_t }:{ file lnk_file } r_file_perms;
+allow apt_t self:fifo_file rw_file_perms;
+allow dpkg_t self:fifo_file rw_file_perms;
+
+allow apt_t etc_t:dir r_dir_perms;
+allow apt_t etc_t:file r_file_perms;
+allow apt_t etc_t:lnk_file read;
+read_locale(apt_t)
+r_dir_file(userdomain, apt_etc_t)
+
+# apt wants to check available disk space
+allow apt_t fs_t:filesystem getattr;
+allow apt_t etc_runtime_t:file r_file_perms;
+
+# auto transition from apt_t to dpkg_t because for 99% of Debian upgrades you
+# have apt run dpkg.
+# This means that getting apt_t access is almost as good as dpkg_t which has
+# as much power as sysadm_t...
+domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t)
+
+# hack to allow update-menus/install-menu to manage menus
+type install_menu_t, domain, admin, etc_writer;
+type install_menu_exec_t, file_type, sysadmfile, exec_type;
+var_run_domain(install_menu)
+
+allow install_menu_t self:unix_stream_socket create_socket_perms;
+
+type debian_menu_t, file_type, sysadmfile;
+
+r_dir_file(userdomain, debian_menu_t)
+dontaudit install_menu_t sysadm_home_dir_t:dir search;
+create_dir_file(install_menu_t, debian_menu_t)
+allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
+allow install_menu_t self:process signal;
+allow install_menu_t proc_t:dir search;
+allow install_menu_t proc_t:file r_file_perms;
+can_getcon(install_menu_t)
+can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t })
+allow install_menu_t { bin_t sbin_t }:dir search;
+allow install_menu_t bin_t:lnk_file read;
+
+# for menus
+allow install_menu_t usr_t:file r_file_perms;
+
+# for /etc/kde3/debian/kde-update-menu.sh
+can_exec(install_menu_t, etc_t)
+
+allow install_menu_t var_t:dir search;
+tmp_domain(install_menu)
+
+create_dir_file(install_menu_t, var_lib_t)
+ifdef(`xdm.te', `
+create_dir_file(install_menu_t, xdm_var_lib_t)
+')
+allow install_menu_t { var_spool_t etc_t }:dir rw_dir_perms;
+allow install_menu_t { var_spool_t etc_t }:file create_file_perms;
+allow install_menu_t self:fifo_file rw_file_perms;
+allow install_menu_t etc_runtime_t:file r_file_perms;
+allow install_menu_t devtty_t:chr_file rw_file_perms;
+allow install_menu_t fs_t:filesystem getattr;
+
+domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t)
+allow dpkg_t install_menu_t:process signal_perms;
+
+allow install_menu_t privfd:fd use;
+uses_shlib(install_menu_t)
+
+allow install_menu_t self:process { fork sigchld };
+
+role system_r types { dpkg_t apt_t install_menu_t };
+
+#################################
+#
+# Rules for the run_deb_t domain.
+#
+#run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t)
+#domain_trans(run_deb_t, apt_exec_t, apt_t)
+domain_auto_trans(initrc_t, dpkg_exec_t, dpkg_t)
+domain_auto_trans(initrc_t, apt_exec_t, apt_t)
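Review bot: `create_dir_file(system_crond_t, tetex_data_t)` and `can_exec(dpkg_t, tetex_data_t)` inside the `ifdef(`crond.te', ...)` block reference tetex_data_t with no guard for the policy file that declares that type, while every other optional type in this hunk is wrapped in its own `ifdef`; if tetex_data_t comes from an optional .te file, guard these two lines the same way or the build breaks without it. Second, the `run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t)` line at the end is commented out, so the only transitions into dpkg_t and apt_t are `domain_auto_trans(initrc_t, ...)`; the header should say how an administrator is expected to reach dpkg_t (for instance via an init script), because as written a sysadm_t shell executing dpkg_exec_t stays in sysadm_t. The comment above `domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t)` already admits apt_t is nearly as powerful as dpkg_t; given `create_dir_file(dpkg_t, { policy_src_t policy_config_t })` and the load_policy transition, it is worth spelling out that apt_t is therefore also a policy-rewriting domain.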
diff --git a/mls/domains/program/unused/ethereal.te b/mls/domains/program/unused/ethereal.te
new file mode 100644
index 0000000..a56d321
--- /dev/null
+++ b/mls/domains/program/unused/ethereal.te
@@ -0,0 +1,48 @@
+# DESC - Ethereal  
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Type for executables
+type tethereal_exec_t, file_type, exec_type, sysadmfile;
+type ethereal_exec_t, file_type, exec_type, sysadmfile;
+
+########################################################
+# Tethereal 
+#
+
+# Type for program
+type tethereal_t, domain, nscd_client_domain;
+
+# Transition from sysadm type
+domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t)
+role sysadm_r types tethereal_t;
+
+uses_shlib(tethereal_t)
+read_locale(tethereal_t)
+
+# Terminal output
+access_terminal(tethereal_t, sysadm)
+
+# /proc
+read_sysctl(tethereal_t)
+allow tethereal_t { self proc_t }:dir { read search getattr };
+allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr };
+
+# Access root
+allow tethereal_t root_t:dir search;
+
+# Read ethereal files in /usr
+allow tethereal_t usr_t:file { read getattr };
+
+# /etc/nsswitch.conf
+allow tethereal_t etc_t:file { read getattr };
+
+# Ethereal sysadm rules
+ethereal_networking(tethereal)
+
+# FIXME: policy is incomplete
+
+#####################################
+# Ethereal (GNOME) policy can be found
+# in ethereal_macros.te 
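Review bot: `ethereal_exec_t` is declared here but nothing in this file defines a domain or transition for it; the trailing comment defers to `ethereal_macros.te`, so this file only makes sense if that macro file is part of the same change. The `# FIXME: policy is incomplete` line should say what is still missing (the capture privileges are presumably expected from `ethereal_networking(tethereal)`, so note which accesses were still being denied when this was tested). Minor: trailing whitespace on the `# DESC - Ethereal` and `# Tethereal` comment lines, and the `# DESC -` spelling differs from the `#DESC` form used by the other files in this series.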
diff --git a/mls/domains/program/unused/evolution.te b/mls/domains/program/unused/evolution.te
new file mode 100644
index 0000000..c8a045e
--- /dev/null
+++ b/mls/domains/program/unused/evolution.te
@@ -0,0 +1,14 @@
+# DESC - Evolution  
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Type for executables
+type evolution_exec_t, file_type, exec_type, sysadmfile;
+type evolution_server_exec_t, file_type, exec_type, sysadmfile;
+type evolution_webcal_exec_t, file_type, exec_type, sysadmfile;
+type evolution_alarm_exec_t, file_type, exec_type, sysadmfile;
+type evolution_exchange_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/evolution_macros.te
+bool disable_evolution_trans false;
diff --git a/mls/domains/program/unused/exim.te b/mls/domains/program/unused/exim.te
new file mode 100644
index 0000000..ccc6555
--- /dev/null
+++ b/mls/domains/program/unused/exim.te
@@ -0,0 +1,309 @@
+#DESC Exim - Mail server
+#
+# Author:  David Hampton <hampton@employees.org>
+# From postfix.te by Russell Coker <russell@coker.com.au>
+# Depends: mta.te
+#
+
+type exim_spool_t, file_type, sysadmfile;
+type exim_spool_db_t, file_type, sysadmfile;
+
+
+##########
+# Exim daemon
+##########
+daemon_domain(exim, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog, privhome', nosysadm)
+exim_common(exim);
+etcdir_domain(exim)
+logdir_domain(exim)
+########################################
+########################################
+role sysadm_r types exim_t;
+
+# Server side networking
+can_network_tcp(exim_t);
+allow exim_t { smtp_port_t amavisd_send_port_t }:tcp_socket name_bind;
+# The exim daemon gets to listen to mail coming back from amavisd
+# For identd lookups
+allow exim_t inetd_child_port_t:tcp_socket name_connect;
+allow exim_t self:unix_dgram_socket create_socket_perms;
+
+# Lock file between exim processes. Exim creates a lock file in /tmp
+# that doesn't transition to the exim_tmp_t domain for some reason,
+# thus the allow statement.
+tmp_domain(exim)
+allow exim_t tmp_t:file { getattr read };
+
+# Lock files for the actual mail delivery.  Exim wants to create a
+# 'hitching post' file in the same directory as the delivery file.
+# These are the additiona privileges over and above what's defined for
+# an mta_delivery_agent. Additional privs for maildir mail files
+allow exim_t mail_spool_t:dir remove_name;
+allow exim_t mail_spool_t:file { link setattr unlink write rename };
+
+# For access to users .forward files
+allow exim_t home_dir_type:dir { getattr search };
+
+allow exim_t self:capability { dac_read_search net_bind_service };
+
+# Create exim spool files, update spool database
+create_dir_file(exim_t, exim_spool_t)
+rw_dir_file(exim_t, exim_spool_db_t)
+
+# Start daemon/child processes
+can_exec(exim_t, exim_exec_t)
+
+allow exim_t sbin_t:dir r_dir_perms;
+
+# Read aliases file
+allow exim_t etc_aliases_t:file r_file_perms;
+
+#
+allow exim_t devpts_t:chr_file getattr;
+
+ifdef(`crond.te', `
+system_crond_entry(exim_exec_t, exim_t)
+domain_auto_trans(crond_t, exim_exec_t, exim_t)
+allow exim_t system_crond_tmp_t:file { getattr read append };
+#logwatch
+allow system_crond_t exim_log_t:file read;
+')
+
+# For squirrelmail
+ifdef(`httpd.te', `
+domain_auto_trans(httpd_sys_script_t, exim_exec_t, exim_t)
+allow exim_t httpd_t:fd use;
+allow exim_t httpd_t:process sigchld;
+allow exim_t httpd_log_t:file { append getattr };
+allow exim_t httpd_squirrelmail_t:file { append read };
+allow exim_t httpd_t:fifo_file { read write getattr };
+allow exim_t httpd_t:tcp_socket { read write };
+')
+
+########################################
+########################################
+
+
+##  --------------------------------------------------
+##		 exim_ro, exim_ro_net
+##
+##  Many of the subsequent applications call exim for
+##  the sole purpose of extracting configuration or
+##  other information.  Lock down the permissions on
+##  these instances to be pretty much read-only
+##  everything.
+##
+##  One of the applications calls exim only to
+##  determine whether an address is valid.  It does
+##  this by having exim attempt to deliver an empty
+##  message, without doing the actual deliver.
+##  These function are aplit out here to keep all the
+##  access controls on exim itself in poe part of the
+##  file.
+##  --------------------------------------------------
+
+define(`exim_ro_base', `
+application_domain($1)
+role system_r types $1_t;
+read_sysctl($1_t)
+r_dir_file($1_t, etc_t)		#for nsswitch.conf
+r_dir_file($1_t, var_spool_t)
+r_dir_file($1_t, exim_spool_t)
+allow $1_t devpts_t:chr_file { getattr read write };
+allow $1_t self:capability { dac_override setgid setuid };
+')
+
+exim_ro_base(exim_ro)
+dontaudit exim_ro_t self:unix_stream_socket { connect create };
+
+exim_ro_base(exim_ro_net)
+can_network(exim_ro_net_t)
+general_proc_read_access(exim_ro_net_t)
+read_locale(exim_ro_net_t)
+allow exim_ro_net_t mail_spool_t:dir search;
+allow exim_ro_net_t etc_aliases_t:file r_file_perms;
+allow exim_ro_net_t self:unix_stream_socket { create connect };
+
+
+
+
+##  --------------------------------------------------
+##  exim_helper_base
+##
+##  Define the base attributes for an exim helper
+##  program.
+##  --------------------------------------------------
+define(`exim_helper_base',`
+application_domain($1)
+role system_r types $1_t;
+can_exec_any($1_t)
+
+allow $1_t devpts_t:dir search;
+
+# Needed for perl
+general_domain_access($1_t)
+general_proc_read_access($1_t)
+allow $1_t urandom_device_t:chr_file read;
+allow $1_t { devtty_t devpts_t }:chr_file { read write ioctl };
+read_locale($1_t)
+allow $1_t sbin_t:dir r_dir_perms;
+')
+
+
+
+
+##  --------------------------------------------------
+##  exim_helper_script_base
+##  --------------------------------------------------
+define(`exim_helper_script_base',`
+exim_helper_base($1)
+
+# Needed for bash
+allow $1_t { devtty_t devpts_t }:chr_file { read write getattr };
+allow $1_t devpts_t:dir search;
+allow $1_t fs_t:filesystem getattr;
+rw_dir_create_file($1_t, tmp_t)		# Script uses a "here" document
+dontaudit $1_t etc_runtime_t:file { getattr read };	# mtab
+dontaudit $1_t selinux_config_t:dir { search };
+dontaudit $1_t selinux_config_t:file { getattr read };	# mtab
+allow $1_t var_spool_t:dir search;		# Needed to traverse to get to /var/spool/exim
+
+')
+
+
+##  --------------------------------------------------
+##  exicyclog
+##  --------------------------------------------------
+
+exim_helper_script_base(exicyclog)
+allow exicyclog_t self:capability { dac_override setuid setgid };
+create_dir_file(exicyclog_t, exim_log_t)
+allow exicyclog_t var_t:dir r_dir_perms;
+allow exicyclog_t var_log_t:dir r_dir_perms;
+allow exicyclog_t exim_spool_t:dir r_dir_perms;
+
+
+
+
+##  --------------------------------------------------
+##  exigrep
+##  --------------------------------------------------
+
+exim_helper_base(exigrep)
+allow exigrep_t self:capability dac_override;
+r_dir_file(exigrep_t, var_log_t)
+r_dir_file(exigrep_t, exim_log_t)
+
+
+
+
+##  --------------------------------------------------
+##  exipick
+##  --------------------------------------------------
+
+exim_helper_base(exipick)
+domain_auto_trans(exipick_t, exim_exec_t, exim_ro_t)
+r_dir_file(exipick_t, var_spool_t)
+r_dir_file(exipick_t, exim_spool_t)
+allow exipick_t self:capability dac_override;
+
+
+
+
+##  --------------------------------------------------
+##  exiqgrep
+##  --------------------------------------------------
+
+exim_helper_base(exiqgrep)
+domain_auto_trans(exiqgrep_t, exim_exec_t, exim_ro_t)
+
+
+
+application_domain(exim_lock)
+role system_r types exim_lock_t;
+
+
+##  --------------------------------------------------
+##  exiwhat
+##     1) Runs exim to extract config info
+##     2) Sends a signal to all running exim processes
+##     3) Collects the status files they drop in the spool directory
+##  --------------------------------------------------
+
+exim_helper_script_base(exiwhat)
+domain_auto_trans(exiwhat_t, exim_exec_t, exim_ro_t)
+allow exiwhat_t exim_spool_t:dir { rw_dir_perms };
+allow exiwhat_t exim_spool_t:file { r_file_perms unlink };
+
+# killall
+r_dir_file(exiwhat_t, exim_t)
+r_dir_file(exiwhat_t, selinux_config_t)
+allow exiwhat_t exim_t:process signal;
+allow exiwhat_t self:capability { dac_override kill sys_nice };
+
+dontaudit exiwhat_t file_type:dir search;
+dontaudit exiwhat_t file_type:file { getattr read };
+
+# rm
+allow exiwhat_t devpts_t:chr_file ioctl;
+
+
+
+
+##  --------------------------------------------------
+##  exim_check_access
+##     1) Runs exim to simulate mail receipt
+##     2) Checks on whether the mail address is allowed from the ip address
+##  --------------------------------------------------
+
+exim_helper_script_base(exim_checkaccess)
+domain_auto_trans(exim_checkaccess_t, exim_exec_t, exim_ro_net_t)
+allow exim_checkaccess_t exim_spool_t:dir { r_dir_perms };
+allow exim_checkaccess_t self:capability dac_override;
+
+
+
+
+
+##  --------------------------------------------------
+##  exim_helper
+##  --------------------------------------------------
+application_domain(exim_helper)
+domain_auto_trans(exim_helper_t, exim_exec_t, exim_ro_t)
+can_exec(exim_helper_t, bin_t)
+role system_r types exim_helper_t;
+general_domain_access(exim_helper_t)
+read_locale(exim_helper_t)
+
+allow exim_helper_t { devtty_t devpts_t }:chr_file { read write };
+
+# Have to walk through /var/log to get to /var/log/exim
+allow exim_helper_t var_t:dir r_dir_perms;
+r_dir_file(exim_helper_t, exim_log_t)
+
+
+
+
+
+
+##  --------------------------------------------------
+##  exim database maintenance programs
+##     exim_dump_db, exim_fixdb, exim_tidydb
+##  --------------------------------------------------
+define(`exim_db_base',`
+application_domain($1)
+role system_r types $1_t;
+read_locale($1_t)
+general_proc_read_access($1_t)
+allow $1_t devpts_t:chr_file { getattr read write };
+allow $1_t self:capability { dac_override setgid setuid };
+allow $1_t tmp_t:dir { getattr };
+r_dir_file($1_t, var_spool_t)
+r_dir_file($1_t, exim_spool_t)
+r_dir_file($1_t, exim_spool_db_t)
+dontaudit $1_t etc_runtime_t:file { getattr read };	# mtab
+')
+
+exim_db_base(exim_db_ro)
+exim_db_base(exim_db_rw)
+rw_dir_file(exim_db_rw_t, exim_spool_db_t)
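Review bot: the /tmp lock-file workaround is incomplete and its comment admits the cause is unknown: `allow exim_t tmp_t:file { getattr read };` cannot create or lock anything, so if exim really creates a lock file that is not relabelled to exim_tmp_t, this rule will not make it work; find out why the `tmp_domain(exim)` transition is not applying (for example the file being created by a different process) rather than shipping "for some reason". In the squirrelmail block, `domain_auto_trans(httpd_sys_script_t, exim_exec_t, exim_t)` puts a web script's child into the full daemon domain, and `allow exim_t httpd_t:tcp_socket { read write }` hands it the HTTP client connection; if the socket is only inherited and never used, make that a dontaudit, and consider whether a restricted sender domain rather than exim_t itself is the right target. The `exim_ro_base` domains, documented as "pretty much read-only everything", still get `dac_override`; for reading past DAC `dac_read_search` (already used for exim_t above) is sufficient. `exim_helper_base` grants `can_exec_any($1_t)` plus `general_domain_access`, which is a lot of room for a base macro; say which helper needs it. In `exim_helper`, the comment says "walk through /var/log" but the rule is `var_t:dir r_dir_perms` and nothing grants `var_log_t:dir search` (exicyclog above does), so /var/log/exim will likely be unreachable. `application_domain(exim_lock)` is declared with no access rules and no comment. Small things: typos "additiona", "aplit" and "poe part"; the `# mtab` comment was copied onto the `selinux_config_t` dontaudit; the heading says `exim_check_access` while the domain is `exim_checkaccess`; `exim_common(exim);` and `can_network_tcp(exim_t);` carry trailing semicolons that no other macro call in the file has.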
diff --git a/mls/domains/program/unused/fontconfig.te b/mls/domains/program/unused/fontconfig.te
new file mode 100644
index 0000000..836470a
--- /dev/null
+++ b/mls/domains/program/unused/fontconfig.te
@@ -0,0 +1,7 @@
+#
+# Fontconfig related types 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Look in fontconfig_macros.te
diff --git a/mls/domains/program/unused/games.te b/mls/domains/program/unused/games.te
new file mode 100644
index 0000000..dee046c
--- /dev/null
+++ b/mls/domains/program/unused/games.te
@@ -0,0 +1,20 @@
+#DESC Games - Miscellaneous games
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: bsdgames
+#
+
+# type for shared data from games
+type games_data_t, file_type, sysadmfile;
+
+# domain games_t is for system operation of games, generic games daemons and
+# games recovery scripts, also defines games_exec_t
+daemon_domain(games,,nosysadm)
+rw_dir_create_file(games_t, games_data_t)
+r_dir_file(initrc_t, games_data_t)
+
+# Run in user_t
+bool disable_games_trans false;
+
+# Everything else is in the x_client_domain macro in
+# macros/program/x_client_macros.te.
diff --git a/mls/domains/program/unused/gatekeeper.te b/mls/domains/program/unused/gatekeeper.te
new file mode 100644
index 0000000..a1b464e
--- /dev/null
+++ b/mls/domains/program/unused/gatekeeper.te
@@ -0,0 +1,51 @@
+#DESC Gatekeeper - OpenH.323 voice over IP gate-keeper
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: opengate openh323gk
+#
+
+#################################
+#
+# Rules for the gatekeeper_t domain.
+#
+# gatekeeper_exec_t is the type of the gk executable.
+#
+daemon_domain(gatekeeper)
+
+# for SSP
+allow gatekeeper_t urandom_device_t:chr_file read;
+
+etc_domain(gatekeeper)
+allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
+logdir_domain(gatekeeper)
+
+# Use the network.
+can_network_server(gatekeeper_t)
+can_ypbind(gatekeeper_t)
+allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind;
+allow gatekeeper_t self:unix_stream_socket create_socket_perms;
+
+# for stupid symlinks
+tmp_domain(gatekeeper)
+
+# pthreads wants to know the kernel version
+read_sysctl(gatekeeper_t)
+
+allow gatekeeper_t etc_t:file { getattr read };
+
+allow gatekeeper_t etc_t:dir r_dir_perms;
+allow gatekeeper_t sbin_t:dir r_dir_perms;
+
+allow gatekeeper_t self:process setsched;
+allow gatekeeper_t self:fifo_file rw_file_perms;
+
+allow gatekeeper_t proc_t:file read;
+
+# for local users to run VOIP software
+can_udp_send(userdomain, gatekeeper_t)
+can_udp_send(gatekeeper_t, userdomain)
+can_tcp_connect(gatekeeper_t, userdomain)
+
+# this is crap, gk wants to create symlinks in /etc every time it starts and
+# remove them when it exits.
+#allow gatekeeper_t etc_t:dir rw_dir_perms;
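Review bot: the commented-out `allow gatekeeper_t etc_t:dir rw_dir_perms;` leaves the behaviour described just above it (the daemon creating symlinks in /etc at start and removing them at exit) unresolved; either startup fails under this policy, which the file should state, or the comment is stale. If the symlinks are genuinely required, the fix is a dedicated type for them via `file_type_auto_trans` on `etc_t` (the pattern used for `tmp_domain(gatekeeper)` above), not write access to all of /etc.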
diff --git a/mls/domains/program/unused/gconf.te b/mls/domains/program/unused/gconf.te
new file mode 100644
index 0000000..e4dfa4b
--- /dev/null
+++ b/mls/domains/program/unused/gconf.te
@@ -0,0 +1,12 @@
+# DESC - GConf preference daemon
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Type for executable
+type gconfd_exec_t, file_type, exec_type, sysadmfile;
+
+# Type for /etc files
+type gconf_etc_t, file_type, sysadmfile;
+
+# Everything else is in macros/gconfd_macros.te
diff --git a/mls/domains/program/unused/gift.te b/mls/domains/program/unused/gift.te
new file mode 100644
index 0000000..9e9786e
--- /dev/null
+++ b/mls/domains/program/unused/gift.te
@@ -0,0 +1,9 @@
+# DESC - giFT file sharing tool
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+type gift_exec_t, file_type, exec_type, sysadmfile;
+type giftd_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/program/gift_macros.te
diff --git a/mls/domains/program/unused/gnome-pty-helper.te b/mls/domains/program/unused/gnome-pty-helper.te
new file mode 100644
index 0000000..084aa68
--- /dev/null
+++ b/mls/domains/program/unused/gnome-pty-helper.te
@@ -0,0 +1,11 @@
+#DESC Gnome Terminal - Helper program for GNOME x-terms
+#
+# Domains for the gnome-pty-helper program.
+# X-Debian-Packages: gnome-terminal
+#
+
+# Type for the gnome-pty-helper executable.
+type gph_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the gph_domain macro in
+# macros/program/gph_macros.te.
diff --git a/mls/domains/program/unused/gnome.te b/mls/domains/program/unused/gnome.te
new file mode 100644
index 0000000..b45ea8e
--- /dev/null
+++ b/mls/domains/program/unused/gnome.te
@@ -0,0 +1,7 @@
+#
+# GNOME related types 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Look in gnome_macros.te
diff --git a/mls/domains/program/unused/gnome_vfs.te b/mls/domains/program/unused/gnome_vfs.te
new file mode 100644
index 0000000..d4cabb6
--- /dev/null
+++ b/mls/domains/program/unused/gnome_vfs.te
@@ -0,0 +1,9 @@
+# DESC - GNOME VFS Daemon
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Type for executable
+type gnome_vfs_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/gnome_vfs_macros.te
diff --git a/mls/domains/program/unused/iceauth.te b/mls/domains/program/unused/iceauth.te
new file mode 100644
index 0000000..f41ad9e
--- /dev/null
+++ b/mls/domains/program/unused/iceauth.te
@@ -0,0 +1,12 @@
+#DESC ICEauth - ICE authority file utility
+#
+# Domains for the iceauth program.
+#
+# Author: Ivan Gyurdiev <gyurdiev@redhat.com>
+#
+# iceauth_exec_t is the type of the xauth executable.
+#
+type iceauth_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in the iceauth_domain macro in
+# macros/program/iceauth_macros.te.
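Review bot: the comment `iceauth_exec_t is the type of the xauth executable` looks copied from the xauth policy; it should name the iceauth executable.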
diff --git a/mls/domains/program/unused/imazesrv.te b/mls/domains/program/unused/imazesrv.te
new file mode 100644
index 0000000..27bae3f
--- /dev/null
+++ b/mls/domains/program/unused/imazesrv.te
@@ -0,0 +1,29 @@
+#DESC Imazesrv - Imaze Server
+#
+# Author:  Torsten Knodt <tk-selinux@datas-world.de>
+# based on games.te by Russell Coker <russell@coker.com.au>
+#
+
+# type for shared data from imazesrv
+type imazesrv_data_t, file_type, sysadmfile;
+type imazesrv_data_labs_t, file_type, sysadmfile;
+
+# domain imazesrv_t is for system operation of imazesrv
+# also defines imazesrv_exec_t
+daemon_domain(imazesrv)
+log_domain(imazesrv);
+
+r_dir_file(imazesrv_t, imazesrv_data_t)
+
+allow imazesrv_t imaze_port_t:tcp_socket name_bind;
+allow imazesrv_t imaze_port_t:udp_socket name_bind;
+
+create_append_log_file(imazesrv_t,imazesrv_log_t)
+
+can_network_server(imazesrv_t)
+
+allow imazesrv_t self:capability net_bind_service;
+
+r_dir_file(imazesrv_t, etc_t)
+
+general_domain_access(imazesrv_t)
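Review bot: `imazesrv_data_labs_t` is declared but no rule in the hunk references it, so either add the access the daemon needs to it or drop the type. `general_domain_access(imazesrv_t)` is a broad grant for a game server and deserves a comment saying which access it was added for. Minor: `log_domain(imazesrv);` has a trailing semicolon unlike the other macro calls here.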
diff --git a/mls/domains/program/unused/ircd.te b/mls/domains/program/unused/ircd.te
new file mode 100644
index 0000000..c85390e
--- /dev/null
+++ b/mls/domains/program/unused/ircd.te
@@ -0,0 +1,43 @@
+#DESC Ircd - IRC server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: ircd dancer-ircd ircd-hybrid ircd-irc2 ircd-ircu
+#
+
+#################################
+#
+# Rules for the ircd_t domain.
+#
+# ircd_exec_t is the type of the slapd executable.
+#
+daemon_domain(ircd)
+
+allow ircd_t ircd_port_t:tcp_socket name_bind;
+
+etcdir_domain(ircd)
+
+logdir_domain(ircd)
+
+var_lib_domain(ircd)
+
+# Use the network.
+can_network_server(ircd_t)
+can_ypbind(ircd_t)
+#allow ircd_t self:fifo_file { read write };
+allow ircd_t self:unix_stream_socket create_socket_perms;
+allow ircd_t self:unix_dgram_socket create_socket_perms;
+
+allow ircd_t devtty_t:chr_file rw_file_perms;
+
+allow ircd_t sbin_t:dir search;
+
+allow ircd_t proc_t:file { getattr read };
+
+# read config files
+allow ircd_t { etc_t etc_runtime_t }:file { getattr read };
+allow ircd_t etc_t:lnk_file read;
+
+ifdef(`logrotate.te', `
+allow logrotate_t ircd_var_run_t:dir search;
+allow logrotate_t ircd_var_run_t:file { getattr read };
+')
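Review bot: the comment `ircd_exec_t is the type of the slapd executable` was copied from the ldap policy and should refer to the ircd executable.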
diff --git a/mls/domains/program/unused/jabberd.te b/mls/domains/program/unused/jabberd.te
new file mode 100644
index 0000000..aed3b81
--- /dev/null
+++ b/mls/domains/program/unused/jabberd.te
@@ -0,0 +1,29 @@
+#DESC jabberd - Jabber daemon
+#
+# Author: Colin Walters <walters@verbum.org>
+# X-Debian-Packages: jabber
+
+daemon_domain(jabberd)
+logdir_domain(jabberd)
+var_lib_domain(jabberd)
+
+allow jabberd_t jabber_client_port_t:tcp_socket name_bind;
+allow jabberd_t jabber_interserver_port_t:tcp_socket name_bind;
+
+allow jabberd_t etc_t:lnk_file read;
+allow jabberd_t { etc_t etc_runtime_t }:file { read getattr };
+
+# For SSL
+allow jabberd_t random_device_t:file r_file_perms;
+
+can_network_server(jabberd_t)
+can_ypbind(jabberd_t)
+
+allow jabberd_t self:unix_dgram_socket create_socket_perms;
+allow jabberd_t self:unix_stream_socket create_socket_perms;
+allow jabberd_t self:fifo_file { read write getattr };
+
+allow jabberd_t self:capability dac_override;
+
+# allow any user domain to connect to jabber
+can_tcp_connect(userdomain, jabberd_t)
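Review bot: `allow jabberd_t random_device_t:file r_file_perms;` uses the wrong object class; /dev/random is a character device, so this should be `random_device_t:chr_file` (compare `urandom_device_t:chr_file read` in gatekeeper.te). As written the rule grants nothing useful and the SSL code path will be denied.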
diff --git a/mls/domains/program/unused/lcd.te b/mls/domains/program/unused/lcd.te
new file mode 100644
index 0000000..2e2eddf
--- /dev/null
+++ b/mls/domains/program/unused/lcd.te
@@ -0,0 +1,35 @@
+#DESC lcd - program for Cobalt LCD device
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+#################################
+#
+# Rules for the lcd_t domain.
+#
+# lcd_t is the domain for the lcd program.
+# lcd_exec_t is the type of the corresponding program.
+#
+type lcd_t, domain, privlog;
+role sysadm_r types lcd_t;
+role system_r types lcd_t;
+uses_shlib(lcd_t)
+type lcd_exec_t, file_type, sysadmfile, exec_type;
+type lcd_device_t, file_type;
+
+# Transition into this domain when you run this program.
+domain_auto_trans(initrc_t, lcd_exec_t, lcd_t)
+domain_auto_trans(sysadm_t, lcd_exec_t, lcd_t)
+
+allow lcd_t lcd_device_t:chr_file rw_file_perms;
+
+# for /etc/locks/.lcd_lock
+lock_domain(lcd)
+allow lcd_t etc_t:lnk_file read;
+allow lcd_t var_t:dir search;
+
+# Access the terminal.
+allow lcd_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow lcd_t sysadm_gph_t:fd use;')
+allow lcd_t privfd:fd use;
+
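Review bot: the comment `for /etc/locks/.lcd_lock` does not match the rules that follow it: `lock_domain(lcd)` and `allow lcd_t var_t:dir search;` point at a lock file under /var, not /etc. Either fix the path in the comment or, if the lock really lives under /etc, the rules here will not cover it.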
diff --git a/mls/domains/program/unused/lrrd.te b/mls/domains/program/unused/lrrd.te
new file mode 100644
index 0000000..b1916f1
--- /dev/null
+++ b/mls/domains/program/unused/lrrd.te
@@ -0,0 +1,68 @@
+#DESC LRRD - network-wide load graphing
+#
+# Author:  Erich Schubert <erich@debian.org>
+# X-Debian-Packages: lrrd-client, lrrd-server
+#
+
+#################################
+#
+# Rules for the lrrd_t domain.
+#
+# lrrd_exec_t is the type of the lrrd executable.
+#
+daemon_domain(lrrd)
+
+allow lrrd_t lrrd_var_run_t:sock_file create_file_perms;
+
+etcdir_domain(lrrd)
+type lrrd_var_lib_t, file_type, sysadmfile;
+
+log_domain(lrrd)
+tmp_domain(lrrd)
+
+# has cron jobs
+system_crond_entry(lrrd_exec_t, lrrd_t)
+allow crond_t lrrd_var_lib_t:dir search;
+
+# init script
+allow initrc_t lrrd_log_t:file { write append setattr ioctl };
+
+# allow to drop privileges and renice
+allow lrrd_t self:capability { setgid setuid };
+allow lrrd_t self:process { getsched setsched };
+
+allow lrrd_t urandom_device_t:chr_file { getattr read };
+allow lrrd_t proc_t:file { getattr read };
+allow lrrd_t usr_t:file { read ioctl };
+
+can_exec(lrrd_t, bin_t)
+allow lrrd_t bin_t:dir search;
+allow lrrd_t usr_t:lnk_file read;
+
+# Allow access to the lrrd databases
+create_dir_file(lrrd_t, lrrd_var_lib_t)
+allow lrrd_t var_lib_t:dir search;
+
+# read config files
+r_dir_file(initrc_t, lrrd_etc_t)
+allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
+# for accessing the output directory
+ifdef(`apache.te', `
+allow lrrd_t httpd_sys_content_t:dir search;
+')
+
+allow lrrd_t etc_t:dir search;
+
+can_unix_connect(sysadm_t, lrrd_t)
+can_unix_connect(lrrd_t, lrrd_t)
+can_unix_send(lrrd_t, lrrd_t)
+can_network_server(lrrd_t)
+can_ypbind(lrrd_t)
+
+ifdef(`logrotate.te', `
+r_dir_file(logrotate_t, lrrd_etc_t)
+allow logrotate_t lrrd_var_lib_t:dir search;
+allow logrotate_t lrrd_var_run_t:dir search;
+allow logrotate_t lrrd_var_run_t:sock_file write;
+can_unix_connect(logrotate_t, lrrd_t)
+')
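Review bot: `allow lrrd_t usr_t:file { read ioctl };` omits `getattr`, which the libc stdio path normally needs after opening a file, so expect getattr denials on /usr files; the other /usr rules in this series use `{ read getattr }`. Also `type lrrd_var_lib_t, file_type, sysadmfile;` is hand-declared where ircd.te and jabberd.te use `var_lib_domain(...)`; using the macro here would keep the naming and base rules consistent.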
diff --git a/mls/domains/program/unused/monopd.te b/mls/domains/program/unused/monopd.te
new file mode 100644
index 0000000..3512592
--- /dev/null
+++ b/mls/domains/program/unused/monopd.te
@@ -0,0 +1,30 @@
+#DESC MonopD - Monopoly Daemon
+#
+# Author: Torsten Knodt <tk-selinux@datas-world.de>
+# based on the dhcpd_t policy from:
+#          Russell Coker <russell@coker.com.au>
+#
+
+#################################
+#
+# Rules for the monopd_t domain.
+#
+daemon_domain(monopd)
+etc_domain(monopd)
+typealias monopd_etc_t alias etc_monopd_t;
+
+type monopd_share_t, file_type, sysadmfile;
+typealias monopd_share_t alias share_monopd_t;
+
+# Use the network.
+can_network_server(monopd_t)
+can_ypbind(monopd_t)
+
+allow monopd_t monopd_port_t:tcp_socket name_bind;
+
+r_dir_file(monopd_t,share_monopd_t)
+
+allow monopd_t self:unix_dgram_socket create_socket_perms;
+allow monopd_t self:unix_stream_socket create_socket_perms;
+
+r_dir_file(monopd_t, etc_t)
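Review bot: the rule `r_dir_file(monopd_t,share_monopd_t)` uses the alias rather than the canonical `monopd_share_t` declared two lines above it; the `etc_monopd_t` and `share_monopd_t` aliases follow a naming convention no other file in this series uses, so unless something external depends on them, drop the aliases and use the canonical names.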
diff --git a/mls/domains/program/unused/mozilla.te b/mls/domains/program/unused/mozilla.te
new file mode 100644
index 0000000..f286ea0
--- /dev/null
+++ b/mls/domains/program/unused/mozilla.te
@@ -0,0 +1,15 @@
+#DESC Netscape - Web browser
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
+# X-Debian-Packages: mozilla
+#
+
+# Type for the netscape, mozilla or other browser executables.
+type mozilla_exec_t, file_type, sysadmfile, exec_type;
+type mozilla_conf_t, file_type, sysadmfile;
+
+# Run in user_t
+bool disable_mozilla_trans false;
+
+# Everything else is in the mozilla_domain macro in
+# macros/program/mozilla_macros.te.
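Review bot: the `#DESC Netscape - Web browser` line does not match the file name or the `mozilla_exec_t` type it declares; the DESC header is what the policy tooling shows for the module, so it should say Mozilla (the type comment already covers netscape and other browsers).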
diff --git a/mls/domains/program/unused/mplayer.te b/mls/domains/program/unused/mplayer.te
new file mode 100644
index 0000000..194c807
--- /dev/null
+++ b/mls/domains/program/unused/mplayer.te
@@ -0,0 +1,15 @@
+#DESC mplayer - media player 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Type for the mplayer executable.
+type mplayer_exec_t, file_type, exec_type, sysadmfile;
+type mencoder_exec_t, file_type, exec_type, sysadmfile;
+type mplayer_etc_t, file_type, sysadmfile;
+
+# Allow mplayer executable stack
+bool allow_mplayer_execstack false;
+
+# Everything else is in the mplayer_domain macro in
+# macros/program/mplayer_macros.te.
diff --git a/mls/domains/program/unused/nagios.te b/mls/domains/program/unused/nagios.te
new file mode 100644
index 0000000..9d540c8
--- /dev/null
+++ b/mls/domains/program/unused/nagios.te
@@ -0,0 +1,90 @@
+#DESC Net Saint / NAGIOS - network monitoring server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: netsaint, nagios
+# Depends: mta.te
+#
+
+#################################
+#
+# Rules for the nagios_t domain.
+#
+# nagios_exec_t is the type of the netsaint/nagios executable.
+#
+daemon_domain(nagios, `, privmail')
+
+etcdir_domain(nagios)
+
+logdir_domain(nagios)
+allow nagios_t nagios_log_t:fifo_file create_file_perms;
+allow initrc_t nagios_log_t:dir rw_dir_perms;
+
+tmp_domain(nagios)
+allow system_mail_t nagios_tmp_t:file { getattr read };
+# for open file handles
+dontaudit system_mail_t nagios_etc_t:file read;
+dontaudit system_mail_t nagios_log_t:fifo_file read;
+
+# Use the network.
+allow nagios_t self:fifo_file rw_file_perms;
+allow nagios_t self:unix_stream_socket create_socket_perms;
+allow nagios_t self:unix_dgram_socket create_socket_perms;
+
+# Use capabilities
+allow nagios_t self:capability { dac_override setgid setuid };
+allow nagios_t self:process setpgid;
+
+allow nagios_t { bin_t sbin_t }:dir search;
+allow nagios_t bin_t:lnk_file read;
+can_exec(nagios_t, { shell_exec_t bin_t })
+
+allow nagios_t proc_t:file { getattr read };
+
+can_network_server(nagios_t)
+can_ypbind(nagios_t)
+
+# read config files
+allow nagios_t { etc_t etc_runtime_t }:file { getattr read };
+allow nagios_t etc_t:lnk_file read;
+
+allow nagios_t etc_t:dir r_dir_perms;
+
+# for ps
+r_dir_file(nagios_t, domain)
+allow nagios_t boot_t:dir search;
+allow nagios_t system_map_t:file { getattr read };
+
+# for who
+allow nagios_t initrc_var_run_t:file { getattr read lock };
+
+system_domain(nagios_cgi)
+allow nagios_cgi_t device_t:dir search;
+r_dir_file(nagios_cgi_t, nagios_etc_t)
+allow nagios_cgi_t var_log_t:dir search;
+r_dir_file(nagios_cgi_t, nagios_log_t)
+allow nagios_cgi_t self:process { fork signal_perms };
+allow nagios_cgi_t self:fifo_file rw_file_perms;
+allow nagios_cgi_t bin_t:dir search;
+can_exec(nagios_cgi_t, bin_t)
+read_locale(nagios_cgi_t)
+
+# for ps
+allow nagios_cgi_t { etc_runtime_t etc_t }:file { getattr read };
+r_dir_file(nagios_cgi_t, { proc_t self nagios_t })
+allow nagios_cgi_t boot_t:dir search;
+allow nagios_cgi_t system_map_t:file { getattr read };
+dontaudit nagios_cgi_t domain:dir getattr;
+allow nagios_cgi_t self:unix_stream_socket create_socket_perms;
+
+ifdef(`apache.te', `
+r_dir_file(httpd_t, nagios_etc_t)
+domain_auto_trans({ httpd_t httpd_suexec_t }, nagios_cgi_exec_t, nagios_cgi_t)
+allow nagios_cgi_t httpd_log_t:file append;
+')
+
+ifdef(`ping.te', `
+domain_auto_trans(nagios_t, ping_exec_t, ping_t)
+allow nagios_t ping_t:process { sigkill signal };
+dontaudit ping_t nagios_etc_t:file read;
+dontaudit ping_t nagios_log_t:fifo_file read;
+')
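Review bot: `r_dir_file(nagios_t, domain)` under `# for ps` lets the nagios daemon read the /proc entries of every process in every domain, which includes environ, cmdline and maps; the `can_ps` macro (used in nsd.te in this same series) is the narrower way to give a domain ps visibility. The CGI domain below is scoped more tightly with `r_dir_file(nagios_cgi_t, { proc_t self nagios_t })`, which is the pattern to follow.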
diff --git a/mls/domains/program/unused/nessusd.te b/mls/domains/program/unused/nessusd.te
new file mode 100644
index 0000000..65d89e1
--- /dev/null
+++ b/mls/domains/program/unused/nessusd.te
@@ -0,0 +1,54 @@
+#DESC Nessus network scanning daemon
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: nessus
+#
+
+#################################
+#
+# Rules for the nessusd_t domain.
+#
+# nessusd_exec_t is the type of the nessusd executable.
+#
+daemon_domain(nessusd)
+
+etc_domain(nessusd)
+type nessusd_db_t, file_type, sysadmfile;
+
+allow nessusd_t nessus_port_t:tcp_socket name_bind;
+
+#tmp_domain(nessusd)
+
+# Use the network.
+can_network(nessusd_t)
+allow nessusd_t port_type:tcp_socket name_connect;
+can_ypbind(nessusd_t)
+allow nessusd_t self:unix_stream_socket create_socket_perms;
+#allow nessusd_t self:unix_dgram_socket create_socket_perms;
+
+# why ioctl on /dev/urandom?
+allow nessusd_t random_device_t:chr_file { getattr read ioctl };
+allow nessusd_t self:{ rawip_socket packet_socket } create_socket_perms;
+allow nessusd_t self:capability net_raw;
+
+# for nmap etc
+allow nessusd_t { bin_t sbin_t }:dir search;
+allow nessusd_t bin_t:lnk_file read;
+can_exec(nessusd_t, bin_t)
+allow nessusd_t self:fifo_file { getattr read write };
+
+# allow user domains to connect to nessusd
+can_tcp_connect(userdomain, nessusd_t)
+
+allow nessusd_t self:process setsched;
+
+allow nessusd_t proc_t:file { getattr read };
+
+# Allow access to the nessusd authentication database
+create_dir_file(nessusd_t, nessusd_db_t)
+allow nessusd_t var_lib_t:dir r_dir_perms;
+
+# read config files
+allow nessusd_t { etc_t etc_runtime_t }:file r_file_perms;
+
+logdir_domain(nessusd)
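Review bot: the comment `why ioctl on /dev/urandom?` sits on a rule for `random_device_t`, while the rest of this series uses `urandom_device_t` for /dev/urandom; one of the two is wrong, and the question should be resolved rather than committed. `#tmp_domain(nessusd)` is commented out with no explanation, and `allow nessusd_t port_type:tcp_socket name_connect;` is expected for a scanner but should carry a comment saying so, since it is the kind of rule a later reader would otherwise try to tighten.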
diff --git a/mls/domains/program/unused/nrpe.te b/mls/domains/program/unused/nrpe.te
new file mode 100644
index 0000000..87d1a02
--- /dev/null
+++ b/mls/domains/program/unused/nrpe.te
@@ -0,0 +1,40 @@
+# DESC nrpe - Nagios Remote Plugin Execution
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+#
+# Depends: tcpd.te
+# X-Debian-Packages: nagios-nrpe-server
+#
+# This policy assumes that nrpe is called from inetd
+
+daemon_base_domain(nrpe)
+ifdef(`tcpd.te', `
+domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
+')
+domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t)
+
+allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };
+
+allow nrpe_t self:fifo_file rw_file_perms;
+allow nrpe_t self:unix_dgram_socket create_socket_perms;
+# use sockets inherited from inetd
+allow nrpe_t inetd_t:tcp_socket { ioctl read write };
+allow nrpe_t devtty_t:chr_file { read write };
+
+allow nrpe_t self:process setpgid;
+
+etc_domain(nrpe)
+read_locale(nrpe_t)
+
+# permissions for the scripts executed by nrpe
+#
+# call shell programs
+can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
+allow nrpe_t { bin_t sbin_t }:dir search;
+# for /bin/sh
+allow nrpe_t bin_t:lnk_file read;
+
+# read /proc/meminfo, /proc/self/mounts and /etc/mtab
+allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };
+
+# you will have to add more permissions here, depending on the scripts you call!
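Review bot: the `Depends: tcpd.te` header conflicts with the `ifdef(`tcpd.te', ...)` guard around the tcpd transition, which makes tcpd optional; pick one. Note also that the plugins run inside `nrpe_t` itself (`can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })` without a transition), so every access added for a plugin, as the closing comment invites, widens what a compromised nrpe can do; a separate plugin domain would keep that growth out of the daemon.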
diff --git a/mls/domains/program/unused/nsd.te b/mls/domains/program/unused/nsd.te
new file mode 100644
index 0000000..2aa35c5
--- /dev/null
+++ b/mls/domains/program/unused/nsd.te
@@ -0,0 +1,102 @@
+#DESC Authoritative only name server
+#
+# Author: Russell Coker
+# X-Debian-Packages: nsd
+# 
+#
+
+#################################
+#
+# Rules for the nsd_t domain.
+#
+
+daemon_domain(nsd)
+
+# a type for nsd.db
+type nsd_db_t, file_type, sysadmfile;
+
+# for zone update cron job
+type nsd_crond_t, domain, privlog;
+role system_r types nsd_crond_t;
+uses_shlib(nsd_crond_t)
+can_network_client(nsd_crond_t)
+allow nsd_crond_t port_type:tcp_socket name_connect;
+can_ypbind(nsd_crond_t)
+allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
+allow nsd_crond_t self:process { fork signal_perms };
+system_crond_entry(nsd_exec_t, nsd_crond_t)
+allow nsd_crond_t { proc_t etc_runtime_t }:file { getattr read };
+allow nsd_crond_t proc_t:lnk_file { getattr read };
+allow nsd_crond_t { bin_t sbin_t }:dir search;
+can_exec(nsd_crond_t, { nsd_exec_t bin_t sbin_t shell_exec_t })
+allow nsd_crond_t { bin_t sbin_t shell_exec_t }:file getattr;
+allow nsd_crond_t bin_t:lnk_file read;
+read_locale(nsd_crond_t)
+allow nsd_crond_t self:fifo_file rw_file_perms;
+# kill capability for root cron job and non-root daemon
+allow nsd_crond_t self:capability { dac_override kill };
+allow nsd_crond_t nsd_t:process signal;
+dontaudit nsd_crond_t sysadm_home_dir_t:dir { search getattr };
+dontaudit nsd_crond_t self:capability sys_nice;
+dontaudit nsd_crond_t domain:dir search;
+allow nsd_crond_t self:process setsched;
+can_ps(nsd_crond_t, nsd_t)
+
+file_type_auto_trans(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
+file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file)
+allow nsd_crond_t var_lib_t:dir search;
+
+allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
+allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
+allow nsd_crond_t proc_t:dir r_dir_perms;
+allow nsd_crond_t device_t:dir search;
+allow nsd_crond_t devtty_t:chr_file rw_file_perms;
+allow nsd_crond_t etc_t:file { getattr read };
+allow nsd_crond_t etc_t:lnk_file read;
+allow nsd_crond_t { var_t var_run_t }:dir search;
+allow nsd_crond_t nsd_var_run_t:file { getattr read };
+
+# for SSP
+allow nsd_crond_t urandom_device_t:chr_file read;
+
+# A type for configuration files of nsd
+type nsd_conf_t, file_type, sysadmfile;
+# A type for zone files
+type nsd_zone_t, file_type, sysadmfile;
+
+r_dir_file(nsd_t, { nsd_conf_t nsd_zone_t })
+# zone files may be in /var/lib/nsd
+allow nsd_t var_lib_t:dir search;
+r_dir_file(initrc_t, nsd_conf_t)
+allow nsd_t etc_runtime_t:file { getattr read };
+allow nsd_t proc_t:file { getattr read };
+allow nsd_t { sbin_t bin_t }:dir search;
+can_exec(nsd_t, { nsd_exec_t bin_t })
+
+# Use capabilities.  chown is for chowning /var/run/nsd.pid
+allow nsd_t self:capability { dac_override chown setuid setgid net_bind_service };
+
+allow nsd_t etc_t:{ file lnk_file } { getattr read };
+
+# nsd can use network
+can_network_server(nsd_t)
+can_ypbind(nsd_t)
+# allow client access from caching BIND
+ifdef(`named.te', `
+can_udp_send(named_t, nsd_t)
+can_udp_send(nsd_t, named_t)
+can_tcp_connect(named_t, nsd_t)
+')
+
+# if you want to allow all programs to contact the primary name server
+#can_udp_send(domain, nsd_t)
+#can_udp_send(nsd_t, domain)
+#can_tcp_connect(domain, nsd_t)
+
+# Bind to the named port.
+allow nsd_t dns_port_t:udp_socket name_bind;
+allow nsd_t dns_port_t:tcp_socket name_bind;
+
+allow nsd_t self:unix_stream_socket create_stream_socket_perms;
+allow nsd_t self:unix_dgram_socket create_socket_perms;
+
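Review bot: "allow nsd_crond_t port_type:tcp_socket name_connect;" lets the zone-update cron job connect to every port on the system, far more than a zone fetch needs, and this is the same domain that holds "dac_override kill" and can_exec over { nsd_exec_t bin_t sbin_t shell_exec_t }; narrowing name_connect to dns_port_t (plus whatever the update script actually fetches from) keeps nsd_crond_t from becoming a general-purpose network client. A comment next to the rule explaining which remote service the cron job talks to would make the intended scope clear.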
diff --git a/mls/domains/program/unused/nx_server.te b/mls/domains/program/unused/nx_server.te
new file mode 100644
index 0000000..a6e723a
--- /dev/null
+++ b/mls/domains/program/unused/nx_server.te
@@ -0,0 +1,70 @@
+# DESC NX - NX Server
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+#
+# Depends: sshd.te
+#
+
+# Type for the nxserver executable, called from ssh
+type nx_server_exec_t, file_type, sysadmfile, exec_type;
+
+# type of the nxserver; userdomain is needed so sshd can transition
+type nx_server_t, domain, userdomain;
+
+# we need an extra role because nxserver is called from sshd
+role nx_server_r types nx_server_t;
+allow system_r nx_server_r;
+domain_trans(sshd_t, nx_server_exec_t, nx_server_t)
+
+# not really sure if the additional attributes are needed, copied from userdomains
+can_create_pty(nx_server, `, userpty_type, user_tty_type')
+type_change nx_server_t server_pty:chr_file nx_server_devpts_t;
+
+uses_shlib(nx_server_t)
+read_locale(nx_server_t)
+
+tmp_domain(nx_server)
+var_run_domain(nx_server)
+
+# nxserver is a shell script --> call other programs
+can_exec(nx_server_t, { bin_t shell_exec_t })
+allow nx_server_t self:process { fork sigchld };
+allow nx_server_t self:fifo_file { getattr ioctl read write };
+allow nx_server_t bin_t:dir { getattr read search };
+allow nx_server_t bin_t:lnk_file read;
+
+r_dir_file(nx_server_t, proc_t)
+allow nx_server_t { etc_t etc_runtime_t }:file { getattr read };
+
+# we do not actually need this attribute or the types defined here, 
+# but otherwise we cannot call the ssh_domain-macro
+attribute nx_server_file_type;
+type nx_server_home_dir_t alias nx_server_home_t;
+type nx_server_xauth_home_t;
+type nx_server_tty_device_t;
+type nx_server_gph_t;
+type nx_server_fonts_cache_t;
+type nx_server_fonts_t;
+type nx_server_fonts_config_t;
+type nx_server_gnome_settings_t;
+
+ssh_domain(nx_server)
+
+can_network_client(nx_server_t)
+allow nx_server_t port_type:tcp_socket name_connect;
+
+allow nx_server_t devtty_t:chr_file { read write };
+allow nx_server_t sysctl_kernel_t:dir search;
+allow nx_server_t sysctl_kernel_t:file { getattr read };
+allow nx_server_t urandom_device_t:chr_file read;
+# for reading the config files; maybe a separate type, 
+# but users need to be able to also read the config
+allow nx_server_t usr_t:file { getattr read };
+
+dontaudit nx_server_t selinux_config_t:dir search;
+
+# clients already have create permissions; the nxclient wants to also have unlink rights
+allow userdomain xdm_tmp_t:sock_file unlink;
+# for a lockfile created by the client process
+allow nx_server_t user_tmpfile:file getattr;
+
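Review bot: "allow userdomain xdm_tmp_t:sock_file unlink;" near the end of the hunk widens every user domain, not just nx_server_t, and belongs in the policy that owns xdm_tmp_t or should be restricted to nx_server_t; a program-specific file should not change what all users may delete. Relatedly, "type nx_server_t, domain, userdomain;" makes every rule written against userdomain elsewhere apply to the NX server as well (for example can_tcp_connect(userdomain, perdition_t) in this same patch), and "allow nx_server_t port_type:tcp_socket name_connect;" allows connections to any port; if userdomain is only there so sshd can transition, say so in the comment and limit the port rule to the ports NX actually uses.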
diff --git a/mls/domains/program/unused/oav-update.te b/mls/domains/program/unused/oav-update.te
new file mode 100644
index 0000000..a9843c6
--- /dev/null
+++ b/mls/domains/program/unused/oav-update.te
@@ -0,0 +1,38 @@
+#DESC Oav - Anti-virus update program
+#
+# Author:  Brian May <bam@snoopy.apana.org.au>
+# X-Debian-Packages:
+#
+
+type oav_update_var_lib_t, file_type, sysadmfile;
+type oav_update_exec_t, file_type, sysadmfile, exec_type;
+type oav_update_etc_t, file_type, sysadmfile;
+
+# Derived domain based on the calling user domain and the program.
+type oav_update_t, domain, privlog;
+
+# Transition from the sysadm domain to the derived domain.
+role sysadm_r types oav_update_t;
+domain_auto_trans(sysadm_t, oav_update_exec_t, oav_update_t)
+
+# Transition from the sysadm domain to the derived domain.
+role system_r types oav_update_t;
+system_crond_entry(oav_update_exec_t, oav_update_t)
+
+# Uses shared librarys
+uses_shlib(oav_update_t)
+
+# Run helper programs.
+can_exec_any(oav_update_t,bin_t)
+
+# Can read /etc/oav-update/* files
+allow oav_update_t oav_update_etc_t:dir r_dir_perms;
+allow oav_update_t oav_update_etc_t:file r_file_perms;
+
+# Can read /var/lib/oav-update/current
+allow oav_update_t oav_update_var_lib_t:dir create_dir_perms;
+allow oav_update_t oav_update_var_lib_t:file create_file_perms;
+allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
+
+# Can download via network
+can_network_server(oav_update_t)
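Review bot: the comment "# Can download via network" sits above can_network_server(oav_update_t), but the outbound-connecting domains in this patch use can_network_client plus an explicit name_connect rule (see nsd_crond_t and nx_server_t), and this hunk has no name_connect at all, so either the comment or the macro is wrong and the update fetch will be denied. Also, the comment above "role system_r types oav_update_t;" repeats "# Transition from the sysadm domain to the derived domain." while the rule it introduces is system_crond_entry(...); it should say the transition is from the system cron domain.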
diff --git a/mls/domains/program/unused/openca-ca.te b/mls/domains/program/unused/openca-ca.te
new file mode 100644
index 0000000..411c61d
--- /dev/null
+++ b/mls/domains/program/unused/openca-ca.te
@@ -0,0 +1,134 @@
+#DESC OpenCA - Open Certificate Authority
+#
+# Author:  Brian May <bam@snoopy.apana.org.au>
+# X-Debian-Packages:
+# Depends: apache.te
+#
+
+#################################
+#
+# domain for openCA cgi-bin scripts.
+#
+# Type that system CGI scripts run as
+#
+type openca_ca_t, domain;
+role system_r types openca_ca_t;
+uses_shlib(openca_ca_t)
+
+# Types that system CGI scripts on the disk are 
+# labeled with
+#
+type openca_ca_exec_t, file_type, sysadmfile;
+
+# When the server starts the script it needs to get the proper context
+#
+domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t)
+
+#
+# Allow httpd daemon to search /usr/share/openca
+#
+allow httpd_t openca_usr_share_t:dir { getattr search };
+
+################################################################
+# Allow the web server to run scripts and serve pages
+##############################################################
+allow httpd_t bin_t:file { read execute }; # execute perl
+
+allow httpd_t openca_ca_exec_t:file {execute getattr read};
+allow httpd_t openca_ca_t:process {signal sigkill sigstop};
+allow httpd_t openca_ca_t:process transition;
+allow httpd_t openca_ca_exec_t:dir r_dir_perms;
+
+##################################################################
+# Allow the script to get the file descriptor from the http deamon
+# and send sigchild to http deamon
+#################################################################
+allow openca_ca_t httpd_t:process sigchld;
+allow openca_ca_t httpd_t:fd use;
+allow openca_ca_t httpd_t:fifo_file {getattr write};
+
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow openca_ca_t httpd_log_t:file { append getattr };
+
+#############################################################
+# Allow the script access to the library files so it can run
+#############################################################
+can_exec(openca_ca_t, lib_t)
+
+########################################################################
+# The script needs to inherit the file descriptor and find the script it
+# needs to run
+########################################################################
+allow openca_ca_t initrc_t:fd use;
+allow openca_ca_t init_t:fd use;
+allow openca_ca_t default_t:dir r_dir_perms;
+allow openca_ca_t random_device_t:chr_file r_file_perms;
+
+#######################################################################
+# Allow the script to return its output
+######################################################################
+#allow openca_ca_t httpd_var_run_t: file rw_file_perms;
+allow openca_ca_t null_device_t: chr_file rw_file_perms;
+allow openca_ca_t httpd_cache_t: file rw_file_perms;
+
+###########################################################################
+# Allow the script interpreters to run the scripts.  So
+# the perl executable will be able to run a perl script
+#########################################################################
+can_exec(openca_ca_t, bin_t)
+
+############################################################################
+# Allow the script process to search the cgi directory, and users directory
+##############################################################################
+allow openca_ca_t openca_ca_exec_t:dir search;
+
+#
+# Allow access to writeable files under /etc/openca
+#
+allow openca_ca_t openca_etc_writeable_t:file create_file_perms;
+allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms;
+
+#
+# Allow access to other files under /etc/openca
+#
+allow openca_ca_t openca_etc_t:file r_file_perms;
+allow openca_ca_t openca_etc_t:dir r_dir_perms;
+
+#
+# Allow access to private CA key
+#
+allow openca_ca_t openca_var_lib_keys_t:file create_file_perms;
+allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms;
+
+#
+# Allow access to other /var/lib/openca files
+#
+allow openca_ca_t openca_var_lib_t:file create_file_perms;
+allow openca_ca_t openca_var_lib_t:dir create_dir_perms;
+
+#
+# Allow access to other /usr/share/openca files
+#
+allow openca_ca_t openca_usr_share_t:file r_file_perms;
+allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
+allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
+
+# /etc/openca standard files
+type openca_etc_t, file_type, sysadmfile;
+
+# /etc/openca template files
+type openca_etc_in_t, file_type, sysadmfile;
+
+# /etc/openca writeable (from CGI script) files
+type openca_etc_writeable_t, file_type, sysadmfile;
+
+# /var/lib/openca
+type openca_var_lib_t, file_type, sysadmfile;
+
+# /var/lib/openca/crypto/keys
+type openca_var_lib_keys_t, file_type, sysadmfile;
+
+# /usr/share/openca/crypto/keys
+type openca_usr_share_t, file_type, sysadmfile;
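Review bot: "allow openca_ca_t openca_var_lib_keys_t:file create_file_perms;" under "# Allow access to private CA key" gives the CGI domain that httpd_t transitions into create, write and unlink access to the CA signing key directory; unless keys are generated from the web interface, r_file_perms on the key files is enough and limits what a compromised CGI can do to the CA's identity. Two smaller points in the same hunk: "type openca_ca_exec_t, file_type, sysadmfile;" lacks the exec_type attribute every other *_exec_t in this patch carries, yet it is also used as a directory type ("allow httpd_t openca_ca_exec_t:dir r_dir_perms;"), and "allow openca_ca_t default_t:dir r_dir_perms;" together with can_exec(openca_ca_t, lib_t) is broad enough that a comment naming the paths that need them would help the next reader.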
diff --git a/mls/domains/program/unused/openvpn.te b/mls/domains/program/unused/openvpn.te
new file mode 100644
index 0000000..0ab1317
--- /dev/null
+++ b/mls/domains/program/unused/openvpn.te
@@ -0,0 +1,39 @@
+#DESC OpenVPN - Firewall-friendly SSL-based VPN
+#
+# Author: Colin Walters <walters@verbum.org>
+#
+########################################
+#
+
+daemon_domain(openvpn)
+etcdir_domain(openvpn)
+
+allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
+
+allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
+allow openvpn_t devpts_t:dir { search getattr };
+allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
+allow openvpn_t proc_t:file { getattr read };
+
+allow openvpn_t self:unix_dgram_socket create_socket_perms;
+allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
+allow openvpn_t self:unix_dgram_socket sendto;
+allow openvpn_t self:unix_stream_socket connectto;
+allow openvpn_t self:capability { net_admin setgid setuid };
+r_dir_file(openvpn_t, sysctl_net_t)
+
+can_network_server(openvpn_t)
+allow openvpn_t openvpn_port_t:udp_socket name_bind;
+
+# OpenVPN executes a lot of helper programs and scripts
+allow openvpn_t { bin_t sbin_t }:dir { search getattr };
+allow openvpn_t bin_t:lnk_file { getattr read };
+can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })
+# Do not transition to ifconfig_t, since then it needs
+# permission to access openvpn_t:udp_socket, which seems
+# worse.
+can_exec(openvpn_t, ifconfig_exec_t)
+
+# The Fedora init script iterates over /etc/openvpn/*.conf, and
+# starts a daemon for each file.
+r_dir_file(initrc_t, openvpn_etc_t)
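Review bot: the network rules only cover a UDP server, can_network_server(openvpn_t) with "allow openvpn_t openvpn_port_t:udp_socket name_bind;", and there is no tcp_socket name_bind or name_connect, so TCP transport and client-mode configurations, which the per-*.conf loop described in the init-script comment would start just the same, will be denied; either add those rules or state in the header that only UDP server mode is covered. Also worth a comment: can_exec(openvpn_t, { bin_t sbin_t shell_exec_t }) runs the helper scripts inside openvpn_t, which holds net_admin and read/write on tun_tap_device_t, so anything in those scripts inherits the VPN daemon's privileges.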
diff --git a/mls/domains/program/unused/perdition.te b/mls/domains/program/unused/perdition.te
new file mode 100644
index 0000000..b95cb75
--- /dev/null
+++ b/mls/domains/program/unused/perdition.te
@@ -0,0 +1,29 @@
+#DESC Perdition POP and IMAP proxy
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: perdition
+#
+
+#################################
+#
+# Rules for the perdition_t domain.
+#
+daemon_domain(perdition)
+
+allow perdition_t pop_port_t:tcp_socket name_bind;
+
+etc_domain(perdition)
+
+# Use the network.
+can_network_server(perdition_t)
+allow perdition_t self:unix_stream_socket create_socket_perms;
+allow perdition_t self:unix_dgram_socket create_socket_perms;
+
+# allow any domain to connect to the proxy
+can_tcp_connect(userdomain, perdition_t)
+
+# Use capabilities
+allow perdition_t self:capability { setgid setuid net_bind_service };
+
+allow perdition_t etc_t:file { getattr read };
+allow perdition_t etc_t:lnk_file read;
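Review bot: perdition is a proxy, but the hunk grants only the listening side (can_network_server(perdition_t) and name_bind on pop_port_t); there is no can_tcp_connect(perdition_t, ...) or name_connect rule toward the backend POP/IMAP servers it forwards to, so the onward connection after a client logs in has no rule allowing it. Also, the comment "# allow any domain to connect to the proxy" does not match can_tcp_connect(userdomain, perdition_t), which covers user domains only; fix whichever is wrong, and since the DESC names both POP and IMAP, confirm that pop_port_t is the type the IMAP ports are labelled with.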
diff --git a/mls/domains/program/unused/portslave.te b/mls/domains/program/unused/portslave.te
new file mode 100644
index 0000000..55dfad6
--- /dev/null
+++ b/mls/domains/program/unused/portslave.te
@@ -0,0 +1,85 @@
+#DESC Portslave - Terminal server software
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: portslave
+# Depends: pppd.te
+#
+
+#################################
+#
+# Rules for the portslave_t domain.
+#
+daemon_base_domain(portslave, `, privmail, auth_chkpwd')
+
+type portslave_etc_t, file_type, sysadmfile;
+
+general_domain_access(portslave_t)
+domain_auto_trans(init_t, portslave_exec_t, portslave_t)
+ifdef(`rlogind.te', `
+domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t)
+')
+ifdef(`inetd.te', `
+domain_auto_trans(inetd_t, portslave_exec_t, portslave_t)
+allow portslave_t inetd_t:tcp_socket { getattr read write };
+')
+
+allow portslave_t { etc_t etc_runtime_t }:file { read getattr };
+read_locale(portslave_t)
+r_dir_file(portslave_t, portslave_etc_t)
+
+allow portslave_t pppd_etc_t:dir r_dir_perms;
+allow portslave_t pppd_etc_rw_t:file { getattr read };
+
+allow portslave_t proc_t:file { getattr read };
+
+allow portslave_t { var_t var_log_t devpts_t }:dir search;
+
+allow portslave_t devtty_t:chr_file { setattr rw_file_perms };
+
+allow portslave_t pppd_secret_t:file r_file_perms;
+
+can_network_server(portslave_t)
+allow portslave_t fs_t:filesystem getattr;
+ifdef(`radius.te', `
+can_udp_send(portslave_t, radiusd_t)
+can_udp_send(radiusd_t, portslave_t)
+')
+# for rlogin etc
+can_exec(portslave_t, { bin_t ssh_exec_t })
+# net_bind_service for rlogin
+allow portslave_t self:capability { net_bind_service sys_tty_config };
+# for ssh
+allow portslave_t urandom_device_t:chr_file read;
+ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
+
+# for pppd
+allow portslave_t self:capability { setuid setgid net_admin fsetid };
+allow portslave_t ppp_device_t:chr_file rw_file_perms;
+
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
+
+# for ctlportslave
+dontaudit portslave_t self:capability sys_admin;
+
+file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file)
+can_exec(portslave_t, { etc_t shell_exec_t })
+
+# Run login in local_login_t domain.
+#domain_auto_trans(portslave_t, login_exec_t, local_login_t)
+
+# Write to /var/run/utmp.
+allow portslave_t initrc_var_run_t:file rw_file_perms;
+
+# Write to /var/log/wtmp.
+allow portslave_t wtmp_t:file rw_file_perms;
+
+# Read and write ttys.
+allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
+allow portslave_t ttyfile:chr_file rw_file_perms;
+
+
+lock_domain(portslave)
+can_exec(portslave_t, pppd_exec_t)
+allow portslave_t { bin_t sbin_t }:dir search;
+allow portslave_t bin_t:lnk_file read;
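Review bot: can_exec(portslave_t, { etc_t shell_exec_t }) makes every file of type etc_t executable by the terminal server, presumably for scripts under /etc; those scripts should carry an executable type of their own (the hunk already declares portslave_etc_t, and pppd_etc_t is used a few lines up) rather than turning all of /etc into an executable type. The same hunk also runs ssh and rlogin inside portslave_t via can_exec(portslave_t, { bin_t ssh_exec_t }) while the domain holds "setuid setgid net_admin fsetid", reads pppd_secret_t and checks passwords itself through auth_chkpwd; with the local_login_t transition left commented out, a note on why login is not delegated would help.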
diff --git a/mls/domains/program/unused/postgrey.te b/mls/domains/program/unused/postgrey.te
new file mode 100644
index 0000000..f60e67b
--- /dev/null
+++ b/mls/domains/program/unused/postgrey.te
@@ -0,0 +1,30 @@
+#DESC postgrey - Postfix Grey-listing server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: postgrey
+
+daemon_domain(postgrey)
+
+allow postgrey_t urandom_device_t:chr_file { getattr read };
+
+# for perl
+allow postgrey_t { bin_t sbin_t }:dir { getattr search };
+allow postgrey_t usr_t:{ file lnk_file } { getattr read };
+dontaudit postgrey_t usr_t:file ioctl;
+
+allow postgrey_t { etc_t etc_runtime_t }:file { getattr read };
+etcdir_domain(postgrey)
+
+can_network_server_tcp(postgrey_t)
+can_ypbind(postgrey_t)
+allow postgrey_t postgrey_port_t:tcp_socket name_bind;
+allow postgrey_t self:unix_dgram_socket create_socket_perms;
+allow postgrey_t self:unix_stream_socket create_stream_socket_perms;
+allow postgrey_t proc_t:file { getattr read };
+
+allow postgrey_t self:capability { chown setgid setuid };
+dontaudit postgrey_t self:capability sys_tty_config;
+
+var_lib_domain(postgrey)
+
+allow postgrey_t tmp_t:dir getattr;
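Review bot: the daemon listens via can_network_server_tcp(postgrey_t) and "allow postgrey_t postgrey_port_t:tcp_socket name_bind;", but nothing in the hunk lets the MTA reach it; unless postfix.te already grants name_connect on postgrey_port_t to the postfix domain that performs the policy lookup, a guarded block under ifdef(`postfix.te', ...) is needed here or every greylisting query will be denied. A short comment on the final "allow postgrey_t tmp_t:dir getattr;" would also help, since the other rules in the file explain what they are for.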
diff --git a/mls/domains/program/unused/publicfile.te b/mls/domains/program/unused/publicfile.te
new file mode 100644
index 0000000..b6a206b
--- /dev/null
+++ b/mls/domains/program/unused/publicfile.te
@@ -0,0 +1,25 @@
+#DESC Publicfile - HTTP and FTP file services
+# http://cr.yp.to/publicfile.html
+#
+# Author: petre rodan <kaiowas@gentoo.org>
+#
+# this policy depends on ucspi-tcp
+#
+
+daemon_domain(publicfile)
+type publicfile_content_t, file_type, sysadmfile;
+domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
+
+ifdef(`ucspi-tcp.te', `
+domain_auto_trans(utcpserver_t, publicfile_exec_t, publicfile_t)
+allow publicfile_t utcpserver_t:tcp_socket { read write };
+allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind;
+')
+
+allow publicfile_t initrc_t:tcp_socket { read write };
+
+allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+
+r_dir_file(publicfile_t, publicfile_content_t)
+
+
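Review bot: "allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind;" inside the ifdef(`ucspi-tcp.te', ...) block changes the shared ucspi-tcp listener domain from this file, so every service launched through tcpserver gains the right to bind the FTP and HTTP ports, not only publicfile; if that is unavoidable with a single utcpserver_t, document it, otherwise a per-service tcpserver domain keeps the port grants local. Also "allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };" gives the content server dac_override next to sys_chroot; publicfile chroots and drops privileges, so a comment on what still needs DAC bypass after the chroot (or a dontaudit if it is only probing) would justify keeping it.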
diff --git a/mls/domains/program/unused/pxe.te b/mls/domains/program/unused/pxe.te
new file mode 100644
index 0000000..1515593
--- /dev/null
+++ b/mls/domains/program/unused/pxe.te
@@ -0,0 +1,21 @@
+#DESC PXE - a server for the PXE network boot protocol
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: pxe
+#
+
+#################################
+#
+# Rules for the pxe_t domain.
+#
+daemon_domain(pxe)
+
+allow pxe_t pxe_port_t:udp_socket name_bind;
+
+allow pxe_t etc_t:file { getattr read };
+
+allow pxe_t self:capability { chown setgid setuid };
+
+allow pxe_t zero_device_t:chr_file rw_file_perms;
+
+log_domain(pxe)
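Review bot: "allow pxe_t pxe_port_t:udp_socket name_bind;" is the only network rule in the hunk; there is no can_network_server(pxe_t) (or self:udp_socket create_socket_perms) as nsd, perdition and openvpn have in this same patch, so unless daemon_domain grants socket creation the server can bind a port it cannot open. Also "allow pxe_t self:capability { chown setgid setuid };" and the read/write rule on zero_device_t lack any explanation; nothing visible here is chowned, so a comment on what each is for would help.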
diff --git a/mls/domains/program/unused/pyzor.te b/mls/domains/program/unused/pyzor.te
new file mode 100644
index 0000000..b0629ad
--- /dev/null
+++ b/mls/domains/program/unused/pyzor.te
@@ -0,0 +1,57 @@
+#
+# Pyzor - Pyzor is a collaborative, networked system to detect and
+#         block spam using identifying digests of messages.
+#
+# Author:  David Hampton <hampton@employees.org>
+#
+
+# NOTE: This policy is based upon the FC3 pyzor rpm from ATrpms.
+# Pyzor normally dumps everything into $HOME/.pyzor.  By putting the
+# following line to the spamassassin config file:
+#
+#	pyzor_options --homedir /etc/pyzor
+#
+# the various files will be put into appropriate directories.
+# (I.E. The log file into /var/log, etc.)  This policy will work
+# either way.
+
+##########
+# pyzor daemon
+##########
+daemon_domain(pyzord, `, privlog, nscd_client_domain')
+pyzor_base_domain(pyzord)
+allow pyzord_t pyzor_port_t:udp_socket name_bind;
+home_domain_access(pyzord_t, sysadm, pyzor)
+log_domain(pyzord)
+
+# Read shared daemon/client config file
+r_dir_file(pyzord_t, pyzor_etc_t)
+
+# Write shared daemon/client data dir
+allow pyzord_t var_lib_t:dir search;
+create_dir_file(pyzord_t, pyzor_var_lib_t)
+
+##########
+# Pyzor query application - from system_r applictions
+##########
+type pyzor_t, domain, privlog, daemon;
+type pyzor_exec_t, file_type, sysadmfile, exec_type;
+role system_r types pyzor_t;
+
+pyzor_base_domain(pyzor)
+
+# System config/data files
+etcdir_domain(pyzor)
+var_lib_domain(pyzor)
+
+##########
+##########
+
+#
+# Some spam filters executes the pyzor code directly.  Allow them access here.
+#
+ifdef(`spamd.te',`
+domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);
+# pyzor needs access to the email spamassassin is checking
+allow pyzor_t spamd_tmp_t:file r_file_perms;
+')
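Review bot: "type pyzor_t, domain, privlog, daemon;" gives the client-side query application the daemon attribute, so every rule written against daemon applies to a short-lived helper that spamd_t transitions into; if the attribute is only there to satisfy pyzor_base_domain, say so in the comment, otherwise drop it. Style: the trailing ";" after "domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);" is not used after macro calls anywhere else in this patch, and the file opens with a plain "#" header instead of the "#DESC" line the other policies use for their description.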
diff --git a/mls/domains/program/unused/qmail.te b/mls/domains/program/unused/qmail.te
new file mode 100644
index 0000000..6c51cd7
--- /dev/null
+++ b/mls/domains/program/unused/qmail.te
@@ -0,0 +1,197 @@
+#DESC Qmail - Mail server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: qmail-src qmail
+# Depends: inetd.te mta.te
+#
+
+
+# Type for files created during execution of qmail.
+type qmail_var_run_t, file_type, sysadmfile, pidfile;
+
+type qmail_etc_t, file_type, sysadmfile;
+
+allow inetd_t smtp_port_t:tcp_socket name_bind;
+
+type qmail_exec_t, file_type, sysadmfile, exec_type;
+type qmail_spool_t, file_type, sysadmfile;
+type var_qmail_t, file_type, sysadmfile;
+
+define(`qmaild_sub_domain', `
+daemon_sub_domain($1, $2, `$3')
+allow $2_t qmail_etc_t:dir { getattr search };
+allow $2_t qmail_etc_t:{ lnk_file file } { getattr read };
+allow $2_t { var_t var_spool_t }:dir search;
+allow $2_t console_device_t:chr_file rw_file_perms;
+allow $2_t fs_t:filesystem getattr;
+')
+
+#################################
+#
+# Rules for the qmail_$1_t domain.
+#
+# qmail_$1_exec_t is the type of the qmail_$1 executables.
+#
+define(`qmail_daemon_domain', `
+qmaild_sub_domain(qmail_start_t, qmail_$1, `$2')
+allow qmail_$1_t qmail_start_t:fifo_file { read write };
+')dnl
+
+
+daemon_base_domain(qmail_start)
+
+allow qmail_start_t self:capability { setgid setuid };
+allow qmail_start_t { bin_t sbin_t }:dir search;
+allow qmail_start_t qmail_etc_t:dir search;
+allow qmail_start_t qmail_etc_t:file { getattr read };
+can_exec(qmail_start_t, qmail_start_exec_t)
+allow qmail_start_t self:fifo_file { getattr read write };
+
+qmail_daemon_domain(lspawn, `, mta_delivery_agent')
+allow qmail_lspawn_t self:fifo_file { read write };
+allow qmail_lspawn_t self:capability { setuid setgid };
+allow qmail_lspawn_t self:process { fork signal_perms };
+allow qmail_lspawn_t sbin_t:dir search;
+can_exec(qmail_lspawn_t, qmail_exec_t)
+allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
+allow qmail_lspawn_t qmail_spool_t:dir search;
+allow qmail_lspawn_t qmail_spool_t:file { read getattr };
+allow qmail_lspawn_t etc_t:file { getattr read };
+allow qmail_lspawn_t tmp_t:dir getattr;
+dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search };
+
+qmail_daemon_domain(send, `, mail_server_sender')
+rw_dir_create_file(qmail_send_t, qmail_spool_t)
+allow qmail_send_t qmail_spool_t:fifo_file read;
+allow qmail_send_t self:process { fork signal_perms };
+allow qmail_send_t self:fifo_file write;
+domain_auto_trans(qmail_send_t, qmail_queue_exec_t, qmail_queue_t)
+allow qmail_send_t sbin_t:dir search;
+
+qmail_daemon_domain(splogger)
+allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
+allow qmail_splogger_t etc_t:lnk_file read;
+dontaudit qmail_splogger_t initrc_t:fd use;
+read_locale(qmail_splogger_t)
+
+qmail_daemon_domain(rspawn)
+allow qmail_rspawn_t qmail_spool_t:dir search;
+allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
+allow qmail_rspawn_t self:process { fork signal_perms };
+allow qmail_rspawn_t self:fifo_file read;
+allow qmail_rspawn_t { bin_t sbin_t }:dir search;
+
+qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
+allow qmail_rspawn_t qmail_remote_exec_t:file { getattr read };
+can_network_server(qmail_remote_t)
+can_ypbind(qmail_remote_t)
+allow qmail_remote_t qmail_spool_t:dir search;
+allow qmail_remote_t qmail_spool_t:file rw_file_perms;
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
+qmail_daemon_domain(clean)
+allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
+allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
+
+# privhome will do until we get a separate maildir type
+qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent')
+allow qmail_lspawn_t qmail_local_exec_t:file { getattr read };
+allow qmail_local_t self:process { fork signal_perms };
+domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t)
+allow qmail_local_t qmail_queue_exec_t:file { getattr read };
+allow qmail_local_t qmail_spool_t:file { ioctl read };
+allow qmail_local_t self:fifo_file write;
+allow qmail_local_t sbin_t:dir search;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
+allow qmail_local_t etc_t:file { getattr read };
+
+# for piping mail to a command
+can_exec(qmail_local_t, shell_exec_t)
+allow qmail_local_t bin_t:dir search;
+allow qmail_local_t bin_t:lnk_file read;
+allow qmail_local_t devtty_t:chr_file rw_file_perms;
+allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };
+
+ifdef(`tcpd.te', `
+qmaild_sub_domain(tcpd_t, qmail_tcp_env)
+# bug
+can_exec(tcpd_t, tcpd_exec_t)
+', `
+qmaild_sub_domain(inetd_t, qmail_tcp_env)
+')
+allow qmail_tcp_env_t inetd_t:fd use;
+allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
+allow qmail_tcp_env_t inetd_t:process sigchld;
+allow qmail_tcp_env_t sbin_t:dir search;
+can_network_server(qmail_tcp_env_t)
+can_ypbind(qmail_tcp_env_t)
+
+qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file { getattr read };
+can_network_server(qmail_smtpd_t)
+can_ypbind(qmail_smtpd_t)
+allow qmail_smtpd_t inetd_t:fd use;
+allow qmail_smtpd_t inetd_t:tcp_socket { read write };
+allow qmail_smtpd_t inetd_t:process sigchld;
+allow qmail_smtpd_t self:process { fork signal_perms };
+allow qmail_smtpd_t self:fifo_file write;
+allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+allow qmail_smtpd_t sbin_t:dir search;
+domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
+allow qmail_smtpd_t qmail_queue_exec_t:file { getattr read };
+
+qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
+allow qmail_inject_t self:process { fork signal_perms };
+allow qmail_inject_t self:fifo_file write;
+allow qmail_inject_t sbin_t:dir search;
+role sysadm_r types qmail_inject_t;
+in_user_role(qmail_inject_t)
+
+qmaild_sub_domain(userdomain, qmail_qread, `, mta_user_agent')
+in_user_role(qmail_qread_t)
+role sysadm_r types qmail_qread_t;
+r_dir_file(qmail_qread_t, qmail_spool_t)
+allow qmail_qread_t self:capability dac_override;
+allow qmail_qread_t privfd:fd use;
+
+qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent')
+role sysadm_r types qmail_queue_t;
+in_user_role(qmail_queue_t)
+allow qmail_inject_t qmail_queue_exec_t:file { getattr read };
+rw_dir_create_file(qmail_queue_t, qmail_spool_t)
+allow qmail_queue_t qmail_spool_t:fifo_file { read write };
+allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use;
+allow qmail_queue_t qmail_lspawn_t:fifo_file write;
+allow qmail_queue_t qmail_start_t:fifo_file { read write };
+allow qmail_queue_t privfd:fd use;
+allow qmail_queue_t crond_t:fifo_file { read write };
+allow qmail_queue_t inetd_t:fd use;
+allow qmail_queue_t inetd_t:tcp_socket { read write };
+allow qmail_queue_t sysadm_t:fd use;
+allow qmail_queue_t sysadm_t:fifo_file write;
+
+allow user_crond_domain qmail_etc_t:dir search;
+allow user_crond_domain qmail_etc_t:file { getattr read };
+
+qmaild_sub_domain(user_crond_domain, qmail_serialmail)
+in_user_role(qmail_serialmail_t)
+can_network_server(qmail_serialmail_t)
+can_ypbind(qmail_serialmail_t)
+can_exec(qmail_serialmail_t, qmail_serialmail_exec_t)
+allow qmail_serialmail_t self:process { fork signal_perms };
+allow qmail_serialmail_t proc_t:file { getattr read };
+allow qmail_serialmail_t etc_runtime_t:file { getattr read };
+allow qmail_serialmail_t home_root_t:dir search;
+allow qmail_serialmail_t user_home_dir_type:dir { search read getattr };
+rw_dir_create_file(qmail_serialmail_t, user_home_type)
+allow qmail_serialmail_t self:fifo_file { read write };
+allow qmail_serialmail_t self:udp_socket create_socket_perms;
+allow qmail_serialmail_t self:tcp_socket create_socket_perms;
+allow qmail_serialmail_t privfd:fd use;
+allow qmail_serialmail_t crond_t:fifo_file { read write ioctl };
+allow qmail_serialmail_t devtty_t:chr_file { read write };
+
+# for tcpclient
+can_exec(qmail_serialmail_t, bin_t)
+allow qmail_serialmail_t bin_t:dir search;
diff --git a/mls/domains/program/unused/razor.te b/mls/domains/program/unused/razor.te
new file mode 100644
index 0000000..e88bb49
--- /dev/null
+++ b/mls/domains/program/unused/razor.te
@@ -0,0 +1,53 @@
+#
+# Razor - Vipul's Razor is a distributed, collaborative, spam
+#         detection and filtering network.
+#
+# Author:  David Hampton <hampton@employees.org>
+#
+
+# NOTE: This policy will work with either the ATrpms provided config
+# file in /etc/razor, or with the default of dumping everything into
+# $HOME/.razor.
+
+##########
+# Razor query application - from system_r applictions
+##########
+type razor_t, domain, privlog, daemon;
+type razor_exec_t, file_type, sysadmfile, exec_type;
+role system_r types razor_t;
+
+razor_base_domain(razor)
+
+# Razor config file directory.  When invoked as razor-admin, it can
+# update files in this directory.
+etcdir_domain(razor)
+create_dir_file(razor_t, razor_etc_t);
+
+# Shared razor files updated freuently
+var_lib_domain(razor)
+
+# Log files
+log_domain(razor)
+allow razor_t var_log_t:dir search;
+ifdef(`logrotate.te', `
+allow logrotate_t razor_log_t:file r_file_perms;
+')
+
+##########
+##########
+
+#
+# Some spam filters executes the razor code directly.  Allow them access here.
+#
+define(`razor_access',`
+r_dir_file($1, razor_etc_t)
+allow $1 var_log_t:dir search;
+allow $1 razor_log_t:file ra_file_perms;
+r_dir_file($1, razor_var_lib_t)
+r_dir_file($1, sysadm_razor_home_t)
+can_network_client_tcp($1, razor_port_t)
+allow $1 razor_port_t:tcp_socket name_connect;
+')
+
+ifdef(`spamd.te', `razor_access(spamd_t)');
+ifdef(`amavis.te', `razor_access(amavisd_t)');
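Review bot: define(`razor_access', ...) places a reusable macro in a domain file, whereas this tree keeps such macros under macros/program (resmgrd.te in this same patch points readers to macros/program/resmgrd_macros.te for can_resmgrd_connect()); moving it there keeps the .te files to declarations and rules. Inside the macro, r_dir_file($1, sysadm_razor_home_t) lets spamd_t and amavisd_t read the administrator's razor home directory, which the NOTE at the top only partly explains; state whether that is still needed when the /etc/razor config is used. The lines "ifdef(`spamd.te', `razor_access(spamd_t)');" and "create_dir_file(razor_t, razor_etc_t);" also carry trailing semicolons that the rest of the patch does not use after macro calls.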
diff --git a/mls/domains/program/unused/resmgrd.te b/mls/domains/program/unused/resmgrd.te
new file mode 100644
index 0000000..9224ad3
--- /dev/null
+++ b/mls/domains/program/unused/resmgrd.te
@@ -0,0 +1,25 @@
+# DESC resmgrd - resource manager daemon
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+ 
+daemon_base_domain(resmgrd)
+var_run_domain(resmgrd, { file sock_file })
+etc_domain(resmgrd)
+read_locale(resmgrd_t)
+allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio };
+
+allow resmgrd_t etc_t:file { getattr read };
+allow resmgrd_t self:unix_stream_socket create_stream_socket_perms; 
+allow resmgrd_t self:unix_dgram_socket create_socket_perms;
+
+# hardware access
+allow resmgrd_t device_t:lnk_file { getattr read };
+# not sure if it needs write access, needs to be investigated further...
+allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write };
+allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read write };
+allow resmgrd_t scanner_device_t:chr_file { getattr };
+# I think a dontaudit should be enough there
+dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read };
+
+# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te
+
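Review bot: the two write grants in the hardware section are admitted to be guesses ("not sure if it needs write access"), and combined with `sys_rawio` and `sys_admin` in the capability line they give resmgrd_t raw read/write on removable block devices and on scsi_generic_device_t. Please ship the policy without `write` on `removable_device_t:blk_file` and `scsi_generic_device_t:chr_file`, run the daemon in permissive mode, and add write only for the accesses that actually show up in the audit log. The same applies to `dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read };`: silencing attempts to open fixed disks from a domain that also holds sys_rawio hides exactly the access a reviewer would want to see. The file also has a whitespace-only line after the author header that should be blank.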
diff --git a/mls/domains/program/unused/rhgb.te b/mls/domains/program/unused/rhgb.te
new file mode 100644
index 0000000..5d176e9
--- /dev/null
+++ b/mls/domains/program/unused/rhgb.te
@@ -0,0 +1,100 @@
+#DESC rhgb - Red Hat Graphical Boot
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# Depends: xdm.te gnome-pty-helper.te xserver.te
+
+daemon_base_domain(rhgb)
+
+allow rhgb_t { bin_t sbin_t }:dir search;
+allow rhgb_t bin_t:lnk_file read;
+
+domain_auto_trans(rhgb_t, shell_exec_t, initrc_t)
+domain_auto_trans(rhgb_t, xserver_exec_t, xdm_xserver_t)
+can_exec(rhgb_t, { bin_t sbin_t gph_exec_t })
+
+allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
+allow rhgb_t self:fifo_file rw_file_perms;
+
+# for gnome-pty-helper
+gph_domain(rhgb, system)
+allow initrc_t rhgb_gph_t:fd use;
+
+allow rhgb_t proc_t:file { getattr read };
+
+allow rhgb_t devtty_t:chr_file { read write };
+allow rhgb_t tty_device_t:chr_file rw_file_perms;
+
+read_locale(rhgb_t)
+allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };
+
+# for ramfs file systems
+allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
+allow rhgb_t ramfs_t:sock_file create_file_perms;
+allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
+allow insmod_t ramfs_t:file write;
+allow insmod_t rhgb_t:fd use;
+
+allow rhgb_t ramfs_t:filesystem { mount unmount };
+allow rhgb_t mnt_t:dir { search mounton };
+allow rhgb_t self:capability { sys_admin sys_tty_config };
+dontaudit rhgb_t var_run_t:dir search;
+
+can_network_client(rhgb_t)
+allow rhgb_t port_type:tcp_socket name_connect;
+can_ypbind(rhgb_t)
+
+allow rhgb_t usr_t:{ file lnk_file } { getattr read };
+
+# for running setxkbmap
+r_dir_file(rhgb_t, xkb_var_lib_t)
+
+# for localization
+allow rhgb_t lib_t:file { getattr read };
+
+allow rhgb_t initctl_t:fifo_file write;
+
+ifdef(`hide_broken_symptoms', `
+# it should not do this
+dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+')dnl end hide_broken_symptoms
+
+can_create_pty(rhgb)
+
+allow rhgb_t self:shm create_shm_perms;
+allow xdm_xserver_t rhgb_t:shm rw_shm_perms;
+
+can_unix_connect(initrc_t, rhgb_t)
+tmpfs_domain(rhgb)
+allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
+
+read_fonts(rhgb_t)
+
+# for nscd
+dontaudit rhgb_t var_t:dir search;
+
+ifdef(`hide_broken_symptoms', `
+# for a bug in the X server
+dontaudit insmod_t xdm_xserver_t:tcp_socket { read write };
+dontaudit insmod_t serial_device:chr_file { read write };
+dontaudit mount_t rhgb_gph_t:fd use;
+dontaudit mount_t rhgb_t:unix_stream_socket { read write };
+dontaudit mount_t ptmx_t:chr_file { read write };
+')dnl end hide_broken_symptoms
+
+ifdef(`firstboot.te', `
+allow rhgb_t firstboot_rw_t:file r_file_perms;
+')
+allow rhgb_t tmp_t:dir search;
+allow rhgb_t xdm_xserver_t:process sigkill;
+allow domain rhgb_devpts_t:chr_file { read write };
+ifdef(`fsadm.te', `
+dontaudit fsadm_t ramfs_t:fifo_file write;
+')
+allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
+dontaudit rhgb_t default_t:file read;
+
+allow initrc_t ramfs_t:dir search;
+allow initrc_t ramfs_t:sock_file write;
+allow initrc_t rhgb_t:unix_stream_socket { read write };
+
+allow rhgb_t default_t:file { getattr read };
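Review bot: `allow domain rhgb_devpts_t:chr_file { read write };` gives every domain on the system read/write access to the pty that `can_create_pty(rhgb)` creates, which is much broader than the initrc_t and xdm_xserver_t interactions the rest of the file describes; restrict it to the domains that actually inherit the descriptor (initrc_t, xdm_xserver_t, rhgb_gph_t) and add a comment saying which. Also, `allow rhgb_t port_type:tcp_socket name_connect;` lets the boot splash connect to any TCP port, with no comment on what it talks to; if it is only the X server, name the port type. Finally, `dontaudit rhgb_t default_t:file read;` near the end is made redundant by `allow rhgb_t default_t:file { getattr read };` on the last line, so one of the two should go.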
diff --git a/mls/domains/program/unused/rssh.te b/mls/domains/program/unused/rssh.te
new file mode 100644
index 0000000..73bab4a
--- /dev/null
+++ b/mls/domains/program/unused/rssh.te
@@ -0,0 +1,13 @@
+#DESC Rssh - Restricted (scp/sftp) only shell
+#
+# Authors: Colin Walters <walters@verbum.org>
+# X-Debian-Package: rssh
+#
+
+type rssh_exec_t, file_type, sysadmfile, exec_type;
+
+ifdef(`ssh.te',`
+allow sshd_t rssh_exec_t:file r_file_perms;
+')
+
+# See rssh_macros.te for the rest.
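Review bot: the only rule here, `allow sshd_t rssh_exec_t:file r_file_perms;`, gives sshd_t read access to the rssh binary but not execute, and no domain transition is defined in this file. That is fine only if rssh_macros.te (referenced in the closing comment) supplies the `domain_auto_trans` or per-user transition; please confirm it is part of this patch, and drop "Authors:" to "Author:" since one name is listed.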
diff --git a/mls/domains/program/unused/scannerdaemon.te b/mls/domains/program/unused/scannerdaemon.te
new file mode 100644
index 0000000..6245e8b
--- /dev/null
+++ b/mls/domains/program/unused/scannerdaemon.te
@@ -0,0 +1,58 @@
+#DESC Scannerdaemon - Virus scanner daemon
+#
+# Author:  Brian May <bam@snoopy.apana.org.au>
+# X-Debian-Packages:
+#
+
+#################################
+#
+# Rules for the scannerdaemon_t domain.
+#
+type scannerdaemon_etc_t, file_type, sysadmfile;
+
+#networking
+daemon_domain(scannerdaemon)
+can_network_server(scannerdaemon_t)
+ifdef(`postfix.te',
+`can_tcp_connect(postfix_bounce_t,scannerdaemon_t);')
+
+# for testing
+can_tcp_connect(sysadm_t,scannerdaemon_t)
+
+# Can create unix sockets
+allow scannerdaemon_t self:unix_stream_socket create_stream_socket_perms;
+
+# Access config files (libc6).
+allow scannerdaemon_t etc_t:file r_file_perms;
+allow scannerdaemon_t etc_t:lnk_file r_file_perms;
+allow scannerdaemon_t proc_t:file r_file_perms;
+allow scannerdaemon_t etc_runtime_t:file r_file_perms;
+
+# Access config files (scannerdaemon).
+allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;
+
+# Access signature files.
+ifdef(`oav-update.te',`
+allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;
+allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;
+')
+
+log_domain(scannerdaemon)
+ifdef(`logrotate.te', `
+allow logrotate_t scannerdaemon_log_t:file create_file_perms;
+')
+
+# Can run kaffe
+# Run helper programs.
+can_exec_any(scannerdaemon_t)
+allow scannerdaemon_t var_lib_t:dir search;
+allow scannerdaemon_t { sbin_t bin_t }:dir search;
+allow scannerdaemon_t bin_t:lnk_file read;
+
+# unknown stuff
+allow scannerdaemon_t self:fifo_file { read write };
+
+# broken stuff
+dontaudit scannerdaemon_t sysadm_home_dir_t:dir search;
+dontaudit scannerdaemon_t devtty_t:chr_file { read write };
+dontaudit scannerdaemon_t shadow_t:file { read getattr };
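Review bot: `dontaudit scannerdaemon_t shadow_t:file { read getattr };` under "broken stuff" silences a virus-scanning daemon trying to open /etc/shadow, which is precisely the kind of access that should stay visible in the audit log; either explain what triggers it or leave it audited. The same section also combines `can_exec_any(scannerdaemon_t)` ("Can run kaffe") with `can_network_server`, so the daemon can run any executable on the system while accepting network connections; if only the Java runtime is needed, give it a dedicated exec type. `can_tcp_connect(sysadm_t,scannerdaemon_t)` marked "for testing" should be behind a tunable or removed before merge, and the `X-Debian-Packages:` header is empty.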
diff --git a/mls/domains/program/unused/snort.te b/mls/domains/program/unused/snort.te
new file mode 100644
index 0000000..24188f6
--- /dev/null
+++ b/mls/domains/program/unused/snort.te
@@ -0,0 +1,33 @@
+#DESC Snort - Network sniffer
+#
+# Author: Shaun Savage <savages@pcez.com> 
+# Modified by Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: snort-common
+#
+
+daemon_domain(snort)
+
+logdir_domain(snort)
+allow snort_t snort_log_t:dir create;
+can_network_server(snort_t)
+type snort_etc_t, file_type, sysadmfile;
+
+# Create temporary files.
+tmp_domain(snort)
+
+# use iptable netlink
+allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:packet_socket create_socket_perms;
+allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+
+r_dir_file(snort_t, snort_etc_t)
+allow snort_t etc_t:file { getattr read };
+allow snort_t etc_t:lnk_file read;
+
+allow snort_t self:unix_dgram_socket create_socket_perms;
+allow snort_t self:unix_stream_socket create_socket_perms;
+
+# for start script
+allow initrc_t snort_etc_t:file { getattr read };
+
+dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read };
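Review bot: the comment "use iptable netlink" sits above a `netlink_route_socket` rule, which is the interface/route enumeration socket, not anything iptables related; fix the comment so the next reader does not go looking for firewall integration. On the capability line, `dac_override` is granted without explanation to a daemon whose other rules only read snort_etc_t and etc_t and write under snort_log_t; say which file it cannot otherwise reach or drop it. `can_network_server(snort_t)` likewise has no comment, while the actual sniffing is covered by the `packet_socket` and `net_raw` rules below it.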
diff --git a/mls/domains/program/unused/sound-server.te b/mls/domains/program/unused/sound-server.te
new file mode 100644
index 0000000..c84a1fa
--- /dev/null
+++ b/mls/domains/program/unused/sound-server.te
@@ -0,0 +1,42 @@
+#DESC sound server - for network audio server programs, nasd, yiff, etc
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+#################################
+#
+# Rules for the soundd_t domain.
+#
+# soundd_exec_t is the type of the soundd executable.
+#
+daemon_domain(soundd)
+
+allow soundd_t soundd_port_t:tcp_socket name_bind;
+
+type etc_soundd_t, file_type, sysadmfile;
+type soundd_state_t, file_type, sysadmfile;
+
+tmp_domain(soundd)
+rw_dir_create_file(soundd_t, soundd_state_t)
+
+allow soundd_t sound_device_t:chr_file rw_file_perms;
+allow soundd_t device_t:lnk_file read;
+
+# Use the network.
+can_network_server(soundd_t)
+allow soundd_t self:unix_stream_socket create_stream_socket_perms;
+allow soundd_t self:unix_dgram_socket create_socket_perms;
+# allow any domain to connect to the sound server
+can_tcp_connect(userdomain, soundd_t)
+
+allow soundd_t self:process setpgid;
+
+# read config files
+allow soundd_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
+
+allow soundd_t etc_t:dir r_dir_perms;
+r_dir_file(soundd_t, etc_soundd_t)
+
+# for yiff - probably need some rules for the client support too
+allow soundd_t self:shm create_shm_perms;
+tmpfs_domain(soundd)
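Review bot: the comment "allow any domain to connect to the sound server" is wider than the rule beneath it, `can_tcp_connect(userdomain, soundd_t)`, which only covers userdomain; make the comment match the rule (the narrower rule is the right one). Naming: `etc_soundd_t` does not follow the `<name>_etc_t` convention used by the other files in this patch (razor_etc_t, snort_etc_t, uptimed_etc_t); if it must be kept for compatibility, add a `typealias` the way uptimed.te does.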
diff --git a/mls/domains/program/unused/speedmgmt.te b/mls/domains/program/unused/speedmgmt.te
new file mode 100644
index 0000000..6d399fb
--- /dev/null
+++ b/mls/domains/program/unused/speedmgmt.te
@@ -0,0 +1,26 @@
+#DESC Speedmgmt - Alcatel speedtouch USB ADSL modem
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+#################################
+#
+# Rules for the speedmgmt_t domain.
+#
+# speedmgmt_exec_t is the type of the speedmgmt executable.
+#
+daemon_domain(speedmgmt)
+tmp_domain(speedmgmt)
+
+# for accessing USB
+allow speedmgmt_t proc_t:dir r_dir_perms;
+allow speedmgmt_t usbdevfs_t:file rw_file_perms;
+allow speedmgmt_t usbdevfs_t:dir r_dir_perms;
+
+allow speedmgmt_t usr_t:file r_file_perms;
+
+allow speedmgmt_t self:unix_dgram_socket create_socket_perms;
+
+# allow time
+allow speedmgmt_t etc_t:dir r_dir_perms;
+allow speedmgmt_t etc_t:lnk_file r_file_perms;
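Review bot: the "allow time" comment does not say what is being read. If it is /etc/localtime, note that the two rules below it grant only `etc_t:dir` and `etc_t:lnk_file`; there is no `etc_t:file` read in this hunk (compare the explicit `etc_t:file r_file_perms` in the watchdog and transproxy files of this patch), so either the daemon macro already supplies it or the rule is missing. Please state which and name the file in the comment.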
diff --git a/mls/domains/program/unused/sxid.te b/mls/domains/program/unused/sxid.te
new file mode 100644
index 0000000..a96c987
--- /dev/null
+++ b/mls/domains/program/unused/sxid.te
@@ -0,0 +1,62 @@
+#DESC Sxid - SUID/SGID program monitoring
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: sxid
+#
+
+#################################
+#
+# Rules for the sxid_t domain.
+#
+# sxid_exec_t is the type of the sxid executable.
+#
+daemon_base_domain(sxid, `, privmail')
+tmp_domain(sxid)
+
+allow sxid_t fs_t:filesystem getattr;
+
+ifdef(`crond.te', `
+system_crond_entry(sxid_exec_t, sxid_t)
+')
+#allow system_crond_t sxid_log_t:file create_file_perms;
+
+read_locale(sxid_t)
+
+can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t })
+allow sxid_t bin_t:lnk_file read;
+
+log_domain(sxid)
+
+allow sxid_t file_type:notdevfile_class_set getattr;
+allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
+allow sxid_t ttyfile:chr_file getattr;
+allow sxid_t file_type:dir { getattr read search };
+allow sxid_t sysadmfile:file { getattr read };
+dontaudit sxid_t devpts_t:dir r_dir_perms;
+allow sxid_t fs_type:dir { getattr read search };
+
+# Use the network.
+can_network_server(sxid_t)
+allow sxid_t self:fifo_file rw_file_perms;
+allow sxid_t self:unix_stream_socket create_socket_perms;
+
+allow sxid_t { proc_t self }:{ file lnk_file } { read getattr };
+read_sysctl(sxid_t)
+allow sxid_t devtty_t:chr_file rw_file_perms;
+
+allow sxid_t self:capability { dac_override dac_read_search fsetid };
+dontaudit sxid_t self:capability { setuid setgid };
+
+ifdef(`mta.te', `
+# sxid leaves an open file handle to /proc/mounts
+dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr };
+
+# allow mta to read the log files
+allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read };
+# stop warnings if mailx is passed a read/write file handle
+dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write;
+')
+
+allow logrotate_t sxid_t:file { getattr write };
+
+dontaudit sxid_t security_t:dir { getattr read search };
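Review bot: `allow logrotate_t sxid_t:file { getattr write };` references logrotate_t unconditionally, while razor.te and scannerdaemon.te in this same patch wrap their logrotate rules in `ifdef(`logrotate.te', ...)`; without that guard the policy fails to build when logrotate.te is not selected. Please wrap it, and explain what `sxid_t:file` is meant to be (the earlier comment about an open handle to /proc/mounts suggests a /proc file rather than a log). Two further points: `allow sxid_t sysadmfile:file { getattr read };` lets a SUID/SGID scanner read the contents of every sysadmfile, while finding setuid bits only needs getattr (which the `file_type:notdevfile_class_set getattr` line already grants), so justify the `read` or drop it; and `can_network_server(sxid_t)` under "Use the network." has no explanation for a cron-driven local checker.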
diff --git a/mls/domains/program/unused/thunderbird.te b/mls/domains/program/unused/thunderbird.te
new file mode 100644
index 0000000..c640f87
--- /dev/null
+++ b/mls/domains/program/unused/thunderbird.te
@@ -0,0 +1,10 @@
+# DESC - Thunderbird  
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Type for executables
+type thunderbird_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/thunderbird_macros.te
+bool disable_thunderbird_trans false;
diff --git a/mls/domains/program/unused/tinydns.te b/mls/domains/program/unused/tinydns.te
new file mode 100644
index 0000000..a911b89
--- /dev/null
+++ b/mls/domains/program/unused/tinydns.te
@@ -0,0 +1,58 @@
+#DESC TINYDNS - Name server for djbdns
+#
+# Authors:  Matthew J. Fanto <mattjf@uncompiled.com>
+# 
+# Based off Named policy file written by
+# 	Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
+# 	Russell Coker
+# X-Debian-Packages: djbdns-installer djbdns
+# 
+#
+
+#################################
+#
+# Rules for the tinydns_t domain.
+#
+daemon_domain(tinydns)
+
+can_exec(tinydns_t, tinydns_exec_t)
+allow tinydns_t sbin_t:dir search;
+
+allow tinydns_t self:process setsched;
+
+# A type for configuration files of tinydns.
+type tinydns_conf_t, file_type, sysadmfile;
+
+# for primary zone files - the data file
+type tinydns_zone_t, file_type, sysadmfile;
+
+allow tinydns_t etc_t:file { getattr read };
+allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read };
+
+#tinydns can use network
+can_network_server(tinydns_t)
+allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;
+# allow UDP transfer to/from any program
+can_udp_send(domain, tinydns_t)
+can_udp_send(tinydns_t, domain)
+# tinydns itself doesn't do zone transfers
+# so we do not need to have it tcp_connect
+
+#read configuration files
+r_dir_file(tinydns_t, tinydns_conf_t)
+
+r_dir_file(tinydns_t, tinydns_zone_t)
+
+# allow tinydns to create datagram sockets (udp)
+# allow tinydns_t self:unix_stream_socket create_stream_socket_perms;
+allow tinydns_t self:unix_dgram_socket create_socket_perms;
+
+# Read /dev/random.
+allow tinydns_t device_t:dir r_dir_perms;
+allow tinydns_t random_device_t:chr_file r_file_perms;
+
+# Set own capabilities.
+allow tinydns_t self:process setcap;
+
+# for chmod in start script
+dontaudit initrc_t tinydns_var_run_t:dir setattr;
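Review bot: `allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;` contradicts the comment a few lines below it ("tinydns itself doesn't do zone transfers"); if tinydns is UDP only, drop the `tcp_socket` half of the name_bind so a compromised tinydns cannot start listening on 53/tcp. The pair `can_udp_send(domain, tinydns_t)` / `can_udp_send(tinydns_t, domain)` is also very broad for a server that only answers queries; at minimum the comment should say why every domain rather than the resolver clients is covered. "Set own capabilities." with `self:process setcap` but no `self:capability` rule deserves a note about which capability is dropped rather than acquired.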
diff --git a/mls/domains/program/unused/transproxy.te b/mls/domains/program/unused/transproxy.te
new file mode 100644
index 0000000..e34b804
--- /dev/null
+++ b/mls/domains/program/unused/transproxy.te
@@ -0,0 +1,36 @@
+#DESC Transproxy - Transparent proxy for web access
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: transproxy
+#
+
+#################################
+#
+# Rules for the transproxy_t domain.
+#
+# transproxy_exec_t is the type of the transproxy executable.
+#
+daemon_domain(transproxy)
+
+# Use the network.
+can_network_server_tcp(transproxy_t)
+allow transproxy_t transproxy_port_t:tcp_socket name_bind;
+
+#allow transproxy_t self:fifo_file { read write };
+allow transproxy_t self:unix_stream_socket create_socket_perms;
+allow transproxy_t self:unix_dgram_socket create_socket_perms;
+
+# Use capabilities
+allow transproxy_t self:capability { setgid setuid };
+#allow transproxy_t self:process setsched;
+
+#allow transproxy_t proc_t:file r_file_perms;
+
+# read config files
+allow transproxy_t etc_t:lnk_file read;
+allow transproxy_t etc_t:file { read getattr };
+
+#allow transproxy_t etc_t:dir r_dir_perms;
+
+#read_sysctl(transproxy_t)
+
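Review bot: a transparent web proxy has to open outbound connections to the origin server, but the networking rules here are `can_network_server_tcp(transproxy_t)` plus a `name_bind` on transproxy_port_t; there is no `name_connect` on http_port_t or any other port type, unlike the imapd and xdm hunks in this patch which add one explicitly. Confirm whether the macro covers outbound connects or add the missing rule. The file also carries five commented-out rules (`fifo_file`, `setsched`, `proc_t`, `etc_t:dir`, `read_sysctl`); either delete them or comment on why each was tried and rejected.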
diff --git a/mls/domains/program/unused/tripwire.te b/mls/domains/program/unused/tripwire.te
new file mode 100644
index 0000000..9ee61e8
--- /dev/null
+++ b/mls/domains/program/unused/tripwire.te
@@ -0,0 +1,139 @@
+# DESC tripwire
+#
+# Author: David Hampton <hampton@employees.org>
+#
+
+# NOTE: Tripwire creates temp file in its current working directory.
+# This policy does not allow write access to home directories, so
+# users will need to either cd to a directory where they have write
+# permission, or set the TEMPDIRECTORY variable in the tripwire config
+# file.  The latter is preferable, as then the file_type_auto_trans
+# rules will kick in and label the files as private to tripwire.
+
+
+# Common definitions
+type tripwire_report_t, file_type, sysadmfile;
+etcdir_domain(tripwire)
+var_lib_domain(tripwire)
+tmp_domain(tripwire)
+
+
+# Macro for defining tripwire domains
+define(`tripwire_domain',`
+application_domain($1, `, auth')
+role system_r types $1_t;
+
+# Allow access to common tripwire files
+allow $1_t tripwire_etc_t:file r_file_perms;
+allow $1_t tripwire_etc_t:dir r_dir_perms;
+allow $1_t tripwire_etc_t:lnk_file { getattr read };
+file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
+allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
+file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')
+
+allow $1_t self:process { fork sigchld };
+allow $1_t self:capability { setgid setuid dac_override };
+
+# Tripwire needs to read all files on the system
+general_proc_read_access($1_t)
+allow $1_t file_type:dir { search getattr read};
+allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read};
+allow $1_t file_type:fifo_file { getattr };
+allow $1_t device_type:file { getattr read };
+allow $1_t sysctl_t:dir { getattr read };
+allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr;
+
+# Tripwire report files
+create_dir_file($1_t, tripwire_report_t)
+
+# gethostid()?
+allow $1_t self:unix_stream_socket { connect create };
+
+# Running editor program (tripwire forks then runs bash which rins editor)
+can_exec($1_t, shell_exec_t)
+can_exec($1_t, bin_t)
+uses_shlib($1_t)
+
+allow $1_t self:dir search;
+allow $1_t self:file { getattr read };
+')
+
+
+##########
+##########
+
+#
+# When run by a user
+#
+tripwire_domain(`tripwire')
+
+# Running from the command line
+allow tripwire_t devpts_t:dir search;
+allow tripwire_t devtty_t:chr_file { read write };
+allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms;
+allow tripwire_t privfd:fd use;
+
+
+##########
+##########
+
+#
+# When run from cron
+#
+tripwire_domain(`tripwire_crond')
+system_crond_entry(tripwire_exec_t, tripwire_crond_t)
+domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)
+
+# Tripwire uses a temp file in the root home directory
+#create_dir_file(tripwire_crond_t, root_t)
+
+
+##########
+# Twadmin
+##########
+application_domain(twadmin)
+read_locale(twadmin_t)
+create_dir_file(twadmin_t, tripwire_etc_t)
+
+allow twadmin_t sysadm_tmp_t:file { getattr read write };
+
+# Running from the command line
+allow twadmin_t sshd_t:fd use;
+allow twadmin_t admin_tty_type:chr_file rw_file_perms;
+
+dontaudit twadmin_t { bin_t sbin_t }:dir search;
+dontaudit twadmin_t home_root_t:dir search;
+dontaudit twprint_t user_home_dir_t:dir search;
+
+
+##########
+# Twprint
+##########
+application_domain(twprint)
+read_locale(twprint_t)
+r_dir_file(twprint_t, tripwire_etc_t)
+allow twprint_t { var_t var_lib_t }:dir search;
+r_dir_file(twprint_t, tripwire_var_lib_t)
+r_dir_file(twprint_t, tripwire_report_t)
+
+# Running from the command line
+allow twprint_t sshd_t:fd use;
+allow twprint_t admin_tty_type:chr_file rw_file_perms;
+
+dontaudit twprint_t { bin_t sbin_t }:dir search;
+dontaudit twprint_t home_root_t:dir search;
+
+
+##########
+# Siggen
+##########
+application_domain(siggen, `, auth')
+read_locale(siggen_t)
+
+# Need permission to read files
+allow siggen_t file_type:dir { search getattr read};
+allow siggen_t file_type:file {getattr read};
+
+# Running from the command line
+allow siggen_t sshd_t:fd use;
+allow siggen_t admin_tty_type:chr_file rw_file_perms;
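Review bot: the cron section routes the same executable to two different domains: `system_crond_entry(tripwire_exec_t, tripwire_crond_t)` sends the system cron entry into tripwire_crond_t, while the next line `domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)` transitions crond_t into tripwire_t, leaving tripwire_crond_t with no distinct rules of its own apart from the commented-out root_t line. Pick one target domain; if the separate crond domain is kept, say what it is allowed that tripwire_t is not. Also `dontaudit twprint_t user_home_dir_t:dir search;` is filed under the Twadmin heading but concerns twprint_t, so move it down with the other twprint_t dontaudits, and the comment "runs bash which rins editor" has a typo.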
diff --git a/mls/domains/program/unused/tvtime.te b/mls/domains/program/unused/tvtime.te
new file mode 100644
index 0000000..fa72021
--- /dev/null
+++ b/mls/domains/program/unused/tvtime.te
@@ -0,0 +1,12 @@
+#DESC tvtime - a high quality television application
+#
+# Domains for the tvtime program.
+# Author     :  Dan Walsh <dwalsh@redhat.com>
+#
+# tvtime_exec_t is the type of the tvtime executable.
+#
+type tvtime_exec_t, file_type, sysadmfile, exec_type;
+type tvtime_dir_t, file_type, sysadmfile, pidfile;
+
+# Everything else is in the tvtime_domain macro in
+# macros/program/tvtime_macros.te.
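Review bot: `type tvtime_dir_t, file_type, sysadmfile, pidfile;` attaches the pidfile attribute to what the name says is a directory type for a TV application; pidfile is the attribute used for /var/run state, and granting it here extends every rule written against pidfile to tvtime's directory. Please explain what tvtime_dir_t labels and whether pidfile is really intended.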
diff --git a/mls/domains/program/unused/ucspi-tcp.te b/mls/domains/program/unused/ucspi-tcp.te
new file mode 100644
index 0000000..b2eeb5c
--- /dev/null
+++ b/mls/domains/program/unused/ucspi-tcp.te
@@ -0,0 +1,49 @@
+#DESC ucspi-tcp - TCP Server and Client Tools
+#
+# Author Petre Rodan <kaiowas@gentoo.org>
+#			Andy Dustman (rblsmtp-related policy)
+#
+
+# http://cr.yp.to/ucspi-tcp.html
+
+daemon_base_domain(utcpserver)
+can_network(utcpserver_t)
+
+allow utcpserver_t etc_t:file r_file_perms;
+allow utcpserver_t { bin_t sbin_t var_t }:dir search;
+
+allow utcpserver_t self:capability { net_bind_service setgid setuid };
+allow utcpserver_t self:fifo_file { read write };
+allow utcpserver_t self:process { fork sigchld };
+
+allow utcpserver_t port_t:udp_socket name_bind;
+
+ifdef(`qmail.te', `
+domain_auto_trans(utcpserver_t, qmail_smtpd_exec_t, qmail_smtpd_t)
+allow utcpserver_t smtp_port_t:tcp_socket name_bind;
+allow qmail_smtpd_t utcpserver_t:tcp_socket { read write getattr };
+allow utcpserver_t qmail_etc_t:dir r_dir_perms;
+allow utcpserver_t qmail_etc_t:file r_file_perms;
+')
+
+daemon_base_domain(rblsmtpd)
+can_network(rblsmtpd_t)
+
+allow rblsmtpd_t self:process { fork sigchld };
+
+allow rblsmtpd_t etc_t:file r_file_perms;
+allow rblsmtpd_t { bin_t var_t }:dir search;
+allow rblsmtpd_t port_t:udp_socket name_bind;
+allow rblsmtpd_t utcpserver_t:tcp_socket { read write getattr };
+
+ifdef(`qmail.te', `
+domain_auto_trans(rblsmtpd_t, qmail_smtpd_exec_t, qmail_smtpd_t)
+allow qmail_queue_t rblsmtpd_t:fd use;
+')
+
+ifdef(`daemontools.te', `
+svc_ipc_domain(rblsmtpd_t)
+')
+
+domain_auto_trans(utcpserver_t, rblsmtpd_exec_t, rblsmtpd_t)
+
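Review bot: utcpserver_t gets a TCP `name_bind` only inside the `ifdef(`qmail.te', ...)` block (`allow utcpserver_t smtp_port_t:tcp_socket name_bind;`); outside that block the only bind granted is `allow utcpserver_t port_t:udp_socket name_bind;`, so the generic "TCP Server" tool described in the header cannot listen on any TCP port unless qmail policy is present. Add a general rule, or a dedicated port type, and comment on why a TCP server needs a UDP name_bind at all. The rblsmtpd section repeats the same `port_t:udp_socket name_bind` without explanation.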
diff --git a/mls/domains/program/unused/uml.te b/mls/domains/program/unused/uml.te
new file mode 100644
index 0000000..75ae501
--- /dev/null
+++ b/mls/domains/program/unused/uml.te
@@ -0,0 +1,14 @@
+
+# Author: Russell Coker <russell@coker.com.au>
+#
+type uml_exec_t, file_type, sysadmfile, exec_type;
+type uml_ro_t, file_type, sysadmfile;
+
+# the main code is in macros/program/uml_macros.te
+
+daemon_domain(uml_switch)
+allow uml_switch_t self:unix_dgram_socket create_socket_perms;
+allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
+allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
+allow initrc_t uml_switch_var_run_t:sock_file setattr;
+rw_dir_create_file(initrc_t, uml_switch_var_run_t)
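Review bot: the file starts with a blank line and no `#DESC` header, unlike every other file in this patch; add one (for example describing uml_exec_t, uml_ro_t and the uml_switch daemon) so the policy tooling that reads these headers lists it. `rw_dir_create_file(initrc_t, uml_switch_var_run_t)` together with `allow initrc_t uml_switch_var_run_t:sock_file setattr;` lets init scripts create files in the daemon's run directory and change the socket's attributes; a comment on which init script does this (and why the daemon cannot) would help.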
diff --git a/mls/domains/program/unused/uml_net.te b/mls/domains/program/unused/uml_net.te
new file mode 100644
index 0000000..da3fe34
--- /dev/null
+++ b/mls/domains/program/unused/uml_net.te
@@ -0,0 +1,30 @@
+#DESC uml_net helper program for user-mode Linux
+#
+# Author: Russell Coker <russell@coker.com.au>
+#
+# WARNING: Do not install this file on any machine that has hostile users.
+
+type uml_net_t, domain, privlog;
+type uml_net_exec_t, file_type, sysadmfile, exec_type;
+in_user_role(uml_net_t)
+allow uml_net_t self:process { fork signal_perms };
+allow uml_net_t { bin_t sbin_t }:dir search;
+allow uml_net_t self:fifo_file { read write };
+allow uml_net_t device_t:dir search;
+allow uml_net_t self:udp_socket { create ioctl };
+uses_shlib(uml_net_t)
+allow uml_net_t devtty_t:chr_file { read write };
+allow uml_net_t etc_runtime_t:file { getattr read };
+allow uml_net_t etc_t:file { getattr read };
+allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
+allow uml_net_t proc_t:file { getattr read };
+
+# if you want ip_forward to be set then you should set it yourself
+dontaudit uml_net_t { sysctl_t sysctl_net_t }:dir search;
+dontaudit uml_net_t sysctl_net_t:file write;
+
+dontaudit ifconfig_t uml_net_t:udp_socket { read write };
+dontaudit uml_net_t self:capability sys_module;
+
+allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl };
+can_exec(uml_net_t, { shell_exec_t sbin_t })
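Review bot: the "WARNING: Do not install this file on any machine that has hostile users" line should say why. The rules that justify it are visible in the hunk: `in_user_role(uml_net_t)` makes the domain reachable from user roles, `allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl };` hands users the TUN/TAP device, and `can_exec(uml_net_t, { shell_exec_t sbin_t })` lets the helper run a shell and any sbin_t program from that domain. Spell that out in the comment, and consider putting the `in_user_role` line behind a tunable so the warning is enforced by the policy rather than by the reader. `dontaudit uml_net_t self:capability sys_module;` is fine but deserves a note that module loading is intentionally refused.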
diff --git a/mls/domains/program/unused/uptimed.te b/mls/domains/program/unused/uptimed.te
new file mode 100644
index 0000000..0c9b1c7
--- /dev/null
+++ b/mls/domains/program/unused/uptimed.te
@@ -0,0 +1,37 @@
+#DESC uptimed - a uptime daemon
+#
+# Author:  Carsten Grohmann <carsten@securityenhancedlinux.de>
+#
+# Date:  19. June 2003 
+#
+
+#################################
+#
+# General Types
+#
+
+type uptimed_spool_t, file_type, sysadmfile;
+
+#################################
+#
+# Rules for the uptimed_t domain.
+#
+daemon_domain(uptimed, `,privmail')
+etc_domain(uptimed)
+typealias uptimed_etc_t alias etc_uptimed_t;
+file_type_auto_trans(uptimed_t, var_spool_t, uptimed_spool_t)
+allow uptimed_t proc_t:file { getattr read };
+read_locale(uptimed_t)
+allow uptimed_t uptimed_spool_t:file create_file_perms;
+allow uptimed_t self:unix_dgram_socket create_socket_perms;
+
+# to send mail
+can_exec(uptimed_t, shell_exec_t)
+allow uptimed_t { bin_t sbin_t }:dir search;
+allow uptimed_t bin_t:lnk_file read;
+allow uptimed_t etc_runtime_t:file { getattr read };
+allow uptimed_t self:fifo_file { getattr write };
+
+# rules for uprecords - it runs in the user context
+allow userdomain uptimed_spool_t:dir search;
+allow userdomain uptimed_spool_t:file { getattr read };
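Review bot: `file_type_auto_trans(uptimed_t, var_spool_t, uptimed_spool_t)` omits the object class argument that the other calls in this patch pass (`file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)`, `file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)`), so the transition applies to whatever default the macro chooses; give it `file` explicitly, after which the separate `allow uptimed_t uptimed_spool_t:file create_file_perms;` may be redundant. Also `daemon_domain(uptimed, `,privmail')` lacks the space after the comma that every other `, privmail` / `, auth` call in the patch uses.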
diff --git a/mls/domains/program/unused/uwimapd.te b/mls/domains/program/unused/uwimapd.te
new file mode 100644
index 0000000..f1f5831
--- /dev/null
+++ b/mls/domains/program/unused/uwimapd.te
@@ -0,0 +1,47 @@
+#DESC uw-imapd-ssl server
+#
+# Author:  Ed Street <edstreet@street-tek.com>
+# X-Debian-Packages: uw-imapd (was uw-imapd-ssl)
+# Depends: inetd.te
+#
+
+daemon_domain(imapd, `, auth_chkpwd, privhome')
+tmp_domain(imapd)
+
+can_network_server_tcp(imapd_t)
+allow imapd_t port_type:tcp_socket name_connect;
+
+#declare our own services
+allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+allow imapd_t pop_port_t:tcp_socket name_bind;
+
+#declare this a socket from inetd
+allow imapd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow imapd_t self:unix_stream_socket create_socket_perms;
+domain_auto_trans(inetd_t, imapd_exec_t, imapd_t)
+ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, imapd_exec_t, imapd_t)')
+
+#friendly stuff we dont want to see :)
+dontaudit imapd_t bin_t:dir search;
+
+#read /etc/ for hostname nsswitch.conf
+allow imapd_t etc_t:file { getattr read };
+
+#socket i/o stuff
+allow imapd_t inetd_t:tcp_socket { read write ioctl getattr };
+
+#read resolv.conf
+allow imapd_t net_conf_t:file { getattr read };
+
+#urandom, for ssl
+allow imapd_t random_device_t:chr_file read;
+allow imapd_t urandom_device_t:chr_file { read getattr };
+
+allow imapd_t self:fifo_file rw_file_perms;
+
+#mail directory
+rw_dir_file(imapd_t, mail_spool_t)
+
+#home directory
+allow imapd_t home_root_t:dir search;
+allow imapd_t self:file { read getattr };
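Review bot: `allow imapd_t port_type:tcp_socket name_connect;` lets the IMAP server connect out to any TCP port; since the domain is entered from inetd_t and tcpd_t (the two `domain_auto_trans` lines) and serves mail out of mail_spool_t and home directories, there is no visible reason for outbound connections, and if one exists (an auth backend, say) it should be named with its port type. Two comment/rule mismatches as well: "#declare our own services" is followed by a `pop_port_t` name_bind in a file headed uw-imapd, with no imap port type, and "#urandom, for ssl" is followed by a read grant on `random_device_t` as well as `urandom_device_t`.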
diff --git a/mls/domains/program/unused/vmware.te b/mls/domains/program/unused/vmware.te
new file mode 100644
index 0000000..fcda9b8
--- /dev/null
+++ b/mls/domains/program/unused/vmware.te
@@ -0,0 +1,52 @@
+#DESC VMWare - Virtual machine
+#
+# Domains,types and permissions for running VMWare (the program) and for
+# running a SELinux system in a VMWare session (the VMWare-tools).
+#
+# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), 
+# modifications by NAI Labs.
+#
+# Domain is for the VMWare admin programs and daemons.
+# X-Debian-Packages:
+#
+# NOTE: The user vmware domain is provided separately in 
+# macros/program/vmware_macros.te
+# 
+# Next two domains are create by the daemon_domain() macro.
+# The vmware_t domain is for running VMWare daemons
+# The vmware_exec_t type is for the VMWare daemon and admin programs.
+#
+# quick hack making it privhome, should have a domain for each user in a macro
+daemon_domain(vmware, `, privhome')
+
+#
+# The vmware_user_exec_t type is for the user programs.
+#
+type vmware_user_exec_t, file_type, sysadmfile, exec_type;
+
+# Type for vmware devices.
+type vmware_device_t, device_type, dev_fs;
+
+# The sys configuration used for the /etc/vmware configuration files
+type vmware_sys_conf_t, file_type, sysadmfile;
+
+#########################################################################
+# Additional rules to start/stop VMWare
+#
+
+# Give init access to VMWare configuration files
+allow initrc_t vmware_sys_conf_t:file { ioctl read append };
+
+#
+# Rules added to kernel_t domain for VMWare to start up
+#
+# VMWare need access to pcmcia devices for network
+ifdef(`cardmgr.te', `
+allow kernel_t cardmgr_var_lib_t:dir { getattr search };
+allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
+')
+
+# Vmware create network devices
+allow kernel_t self:capability net_admin;
+allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow kernel_t self:socket create;
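Review bot: the last block widens kernel_t rather than vmware_t: `allow kernel_t self:capability net_admin;`, the `netlink_route_socket` rule with `nlmsg_write`, and `allow kernel_t self:socket create;` are added unconditionally whenever this file is selected, yet the daemons described in the header run in vmware_t via `daemon_domain(vmware, ...)`. Please explain what runs in kernel_t at that point (the comment only says "Vmware create network devices") or move the rules to the domain that actually creates the devices. The cardmgr rules above them have the same problem. Also, `type vmware_device_t, device_type, dev_fs;` is declared but no rule in this hunk lets vmware_t use it; confirm vmware_macros.te does.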
diff --git a/mls/domains/program/unused/watchdog.te b/mls/domains/program/unused/watchdog.te
new file mode 100644
index 0000000..01ceea8
--- /dev/null
+++ b/mls/domains/program/unused/watchdog.te
@@ -0,0 +1,55 @@
+#DESC Watchdog - Software watchdog daemon
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: watchdog
+#
+
+#################################
+#
+# Rules for the watchdog_t domain.
+#
+
+daemon_domain(watchdog, `, privmail')
+type watchdog_device_t, device_type, dev_fs;
+
+allow watchdog_t self:process setsched;
+
+log_domain(watchdog)
+
+allow watchdog_t etc_t:file r_file_perms;
+allow watchdog_t etc_t:lnk_file read;
+allow watchdog_t self:unix_dgram_socket create_socket_perms;
+
+allow watchdog_t proc_t:file r_file_perms;
+
+allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
+allow watchdog_t self:fifo_file rw_file_perms;
+allow watchdog_t self:unix_stream_socket create_socket_perms;
+can_network(watchdog_t)
+allow watchdog_t port_type:tcp_socket name_connect;
+can_ypbind(watchdog_t)
+allow watchdog_t bin_t:dir search;
+allow watchdog_t bin_t:lnk_file read;
+allow watchdog_t init_t:process signal;
+allow watchdog_t kernel_t:process sigstop;
+
+allow watchdog_t watchdog_device_t:chr_file { getattr write };
+
+# for orderly shutdown
+can_exec(watchdog_t, shell_exec_t)
+allow watchdog_t domain:process { signal_perms getsession };
+allow watchdog_t self:capability kill;
+allow watchdog_t sbin_t:dir search;
+
+# for updating mtab on umount
+file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)
+
+allow watchdog_t self:capability { sys_admin net_admin sys_boot };
+allow watchdog_t fixed_disk_device_t:blk_file swapon;
+allow watchdog_t { proc_t fs_t }:filesystem unmount;
+
+# record the fact that we are going down
+allow watchdog_t wtmp_t:file append;
+
+# do not care about saving the random seed
+dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;
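Review bot: `allow watchdog_t init_t:process signal;` and `allow watchdog_t kernel_t:process sigstop;` are made redundant by `allow watchdog_t domain:process { signal_perms getsession };` under "for orderly shutdown", since init_t and kernel_t are domains and signal_perms (assuming the usual sigchld/sigkill/sigstop/signull/signal set) already covers both; keep the specific lines only if the broad one is narrowed, and say what the sigstop on kernel_t is for, because a liveness probe is `signull`, not `sigstop`. The shutdown path also grants `sys_boot`, `swapon` on fixed_disk_device_t and `unmount` of proc_t and fs_t, which is expected for a watchdog, but `can_network(watchdog_t)` plus `allow watchdog_t port_type:tcp_socket name_connect;` lets it connect anywhere with no comment on what it tests; name the port type if this is a reachability check.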
diff --git a/mls/domains/program/unused/xauth.te b/mls/domains/program/unused/xauth.te
new file mode 100644
index 0000000..6382d77
--- /dev/null
+++ b/mls/domains/program/unused/xauth.te
@@ -0,0 +1,13 @@
+#DESC Xauth - X authority file utility
+#
+# Domains for the xauth program.
+# X-Debian-Packages: xbase-clients
+
+# Author: Russell Coker <russell@coker.com.au>
+#
+# xauth_exec_t is the type of the xauth executable.
+#
+type xauth_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the xauth_domain macro in
+# macros/program/xauth_macros.te.
diff --git a/mls/domains/program/unused/xdm.te b/mls/domains/program/unused/xdm.te
new file mode 100644
index 0000000..e3e9c8d
--- /dev/null
+++ b/mls/domains/program/unused/xdm.te
@@ -0,0 +1,376 @@
+#DESC XDM - X Display Manager
+#
+# Authors:  Mark Westerman mark.westerman@westcam.com
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: gdm xdm wdm kdm
+# Depends: xserver.te
+#
+# Some wdm-specific changes by Tom Vogt <tom@lemuria.org>
+# 
+# Some alterations and documentation by Stephen Smalley <sds@epoch.ncsc.mil>
+#
+
+#################################
+# 
+# Rules for the xdm_t domain.
+#
+# xdm_t is the domain of a X Display Manager process 
+# spawned by getty.
+# xdm_exec_t is the type of the [xgkw]dm program
+#
+daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
+
+# for running xdm from init
+domain_auto_trans(init_t, xdm_exec_t, xdm_t)
+
+allow xdm_t xdm_var_run_t:dir setattr;
+
+# for xdmctl
+allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
+allow initrc_t xdm_var_run_t:fifo_file unlink;
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
+
+tmp_domain(xdm, `', `{ file dir sock_file }')
+var_lib_domain(xdm)
+# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+type xsession_exec_t, file_type, sysadmfile, exec_type;
+type xdm_rw_etc_t, file_type, sysadmfile;
+typealias xdm_rw_etc_t alias etc_xdm_t;
+
+allow xdm_t default_context_t:dir search;
+allow xdm_t default_context_t:{ file lnk_file } { read getattr };
+
+can_network(xdm_t)
+allow xdm_t port_type:tcp_socket name_connect;
+allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:fifo_file rw_file_perms;
+
+allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+allow xdm_t xdm_xserver_t:process signal;
+can_unix_connect(xdm_t, xdm_xserver_t)
+allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
+allow xdm_xserver_t xdm_t:process signal;
+# for reboot
+allow xdm_t initctl_t:fifo_file write;
+
+# init script wants to check if it needs to update windowmanagerlist
+allow initrc_t xdm_rw_etc_t:file { getattr read };
+ifdef(`distro_suse', `
+# set permissions on /tmp/.X11-unix
+allow initrc_t xdm_tmp_t:dir setattr;
+')
+
+#
+# Use capabilities.
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner };
+
+allow xdm_t { urandom_device_t random_device_t }:chr_file { getattr read ioctl };
+
+# Transition to user domains for user sessions.
+domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
+allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
+allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
+allow unpriv_userdomain xdm_xserver_t:fd use;
+allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
+allow xdm_xserver_t unpriv_userdomain:fd use;
+
+# Do not audit user access to the X log files due to file handle inheritance
+dontaudit unpriv_userdomain xserver_log_t:file { write append };
+
+# gnome-session creates socket under /tmp/.ICE-unix/
+allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
+allow unpriv_userdomain xdm_tmp_t:sock_file create;
+
+# Allow xdm logins as sysadm_r:sysadm_t
+bool xdm_sysadm_login false;
+if (xdm_sysadm_login) {
+domain_trans(xdm_t, xsession_exec_t, sysadm_t)
+allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
+allow sysadm_t xdm_xserver_t:shm r_shm_perms;
+allow sysadm_t xdm_xserver_t:fd use;
+allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
+allow xdm_xserver_t sysadm_t:fd use;
+}
+can_setexec(xdm_t)
+
+# Label pid and temporary files with derived types.
+rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
+allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
+
+# Run helper programs.
+allow xdm_t etc_t:file { getattr read };
+allow xdm_t bin_t:dir { getattr search };
+# lib_t is for running cpp
+can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
+allow xdm_t { bin_t sbin_t }:lnk_file read;
+ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
+ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
+allow xdm_t xdm_xserver_t:process sigkill;
+allow xdm_t xdm_xserver_tmp_t:file unlink;
+
+# Access devices.
+allow xdm_t device_t:dir { read search };
+allow xdm_t console_device_t:chr_file setattr;
+allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t framebuf_device_t:chr_file { getattr setattr };
+allow xdm_t mouse_device_t:chr_file { getattr setattr };
+allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
+allow xdm_t dri_device_t:chr_file rw_file_perms;
+allow xdm_t device_t:dir rw_dir_perms;
+allow xdm_t agp_device_t:chr_file rw_file_perms;
+allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
+allow xdm_t v4l_device_t:chr_file { setattr getattr };
+allow xdm_t scanner_device_t:chr_file { setattr getattr };
+allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
+allow xdm_t device_t:lnk_file read;
+can_resmgrd_connect(xdm_t)
+
+# Access xdm log files.
+file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
+allow xdm_t xserver_log_t:dir rw_dir_perms;
+allow xdm_t xserver_log_t:dir setattr;
+# Access /var/gdm/.gdmfifo.
+allow xdm_t xserver_log_t:fifo_file create_file_perms;
+
+allow xdm_t self:shm create_shm_perms;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
+allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
+allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
+allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
+
+# Remove /tmp/.X11-unix/X0.
+allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
+allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
+
+ifdef(`gpm.te', `
+# Talk to the console mouse server.
+allow xdm_t gpmctl_t:sock_file { getattr setattr write };
+allow xdm_t gpm_t:unix_stream_socket connectto;
+')
+
+allow xdm_t sysfs_t:dir search;
+
+# Update utmp and wtmp.
+allow xdm_t initrc_var_run_t: file { read write lock };
+allow xdm_t wtmp_t:file append;
+
+# Update lastlog.
+allow xdm_t lastlog_t:file rw_file_perms;
+
+# Ask the security server for SIDs for user sessions.
+can_getsecurity(xdm_t)
+
+tmpfs_domain(xdm)
+
+# Need to further investigate these permissions and
+# perhaps define derived types.
+allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
+allow xdm_t var_lib_t:file { create write unlink };
+
+lock_domain(xdm)
+
+# Connect to xfs.
+ifdef(`xfs.te', `
+allow xdm_t xfs_tmp_t:dir search;
+allow xdm_t xfs_tmp_t:sock_file write;
+can_unix_connect(xdm_t, xfs_t)
+')
+
+allow xdm_t self:process { setpgid setsched };
+allow xdm_t etc_t:lnk_file read;
+allow xdm_t etc_runtime_t:file { getattr read };
+
+# wdm has its own config dir /etc/X11/wdm
+# this is ugly, daemons should not create files under /etc!
+allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
+allow xdm_t xdm_rw_etc_t:file create_file_perms;
+
+# Signal any user domain.
+allow xdm_t userdomain:process signal_perms;
+
+allow xdm_t proc_t:file { getattr read };
+
+read_sysctl(xdm_t)
+
+# Search /proc for any user domain processes.
+allow xdm_t userdomain:dir r_dir_perms;
+allow xdm_t userdomain:{ file lnk_file } r_file_perms;
+
+# Allow xdm access to the user domains
+allow xdm_t home_root_t:dir search;
+allow xdm_xserver_t home_root_t:dir search;
+
+# Do not audit denied attempts to access devices.
+dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
+dontaudit xdm_t device_t:file_class_set rw_file_perms;
+dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t devpts_t:dir search;
+
+# Do not audit denied probes of /proc.
+dontaudit xdm_t domain:dir r_dir_perms;
+dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
+
+# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
+allow xdm_t usr_t:{ lnk_file file } { getattr read };
+
+# Read fonts
+read_fonts(xdm_t)
+
+# Do not audit attempts to write to index files under /usr
+dontaudit xdm_t usr_t:file write;
+
+# Do not audit access to /root
+dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
+
+# Do not audit user access to the X log files due to file handle inheritance
+dontaudit unpriv_userdomain xserver_log_t:file { write append };
+
+# Do not audit attempts to check whether user root has email
+dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
+dontaudit xdm_t mail_spool_t:file getattr;
+
+# Access sound device.
+allow xdm_t sound_device_t:chr_file { setattr getattr };
+
+# Allow setting of attributes on power management devices.
+allow xdm_t power_device_t:chr_file { getattr setattr };
+
+# Run the X server in a derived domain.
+xserver_domain(xdm)
+
+ifdef(`rhgb.te', `
+allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
+allow xdm_xserver_t ramfs_t:file create_file_perms;
+allow rhgb_t xdm_xserver_t:process signal;
+')
+
+# Unrestricted inheritance.
+allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
+
+# Run xkbcomp.
+allow xdm_xserver_t var_lib_t:dir search;
+allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
+can_exec(xdm_xserver_t, xkb_var_lib_t)
+
+# Insert video drivers.  
+allow xdm_xserver_t self:capability mknod;
+allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
+domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
+allow insmod_t xserver_log_t:file write;
+allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
+
+# Read /proc/dri/.*
+allow xdm_xserver_t proc_t:dir { search read };
+
+# Search /var/run.
+allow xdm_xserver_t var_run_t:dir search;
+
+# FIXME: After per user fonts are properly working
+# xdm_xserver_t may no longer have any reason
+# to read ROLE_home_t - examine this in more detail
+# (xauth?)
+
+# Search home directories.
+allow xdm_xserver_t user_home_type:dir search;
+allow xdm_xserver_t user_home_type:file { getattr read };
+
+if (use_nfs_home_dirs) {
+allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
+allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, cifs_t)
+}
+
+# for .dmrc
+allow xdm_t user_home_dir_type:dir { getattr search };
+allow xdm_t user_home_type:file { getattr read };
+
+ifdef(`support_polyinstatiation', `
+# xdm_t can polyinstantiate
+polyinstantiater(xdm_t)
+# xdm needs access for linking .X11-unix to poly /tmp
+allow xdm_t polymember:dir { add_name remove_name write };
+allow xdm_t polymember:lnk_file { create unlink };
+# xdm needs access for copying .Xauthority into new home
+allow xdm_t polymember:file { create getattr write };
+')
+
+allow xdm_t mnt_t:dir { getattr read search };
+#
+# Wants to delete .xsession-errors file
+#
+allow xdm_t user_home_type:file unlink;
+#
+# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+#
+ifdef(`pam.te', `
+allow xdm_t pam_var_run_t:dir create_dir_perms;
+allow xdm_t pam_var_run_t:file create_file_perms;
+allow pam_t xdm_t:fifo_file { getattr ioctl write };
+domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
+can_exec(xdm_t, pam_exec_t)
+# For pam_console
+rw_dir_create_file(xdm_t, pam_var_console_t)
+')
+
+# Pamconsole/alsa 
+ifdef(`alsa.te', `
+domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
+') dnl ifdef
+
+allow xdm_t var_log_t:file { getattr read };
+allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process setrlimit;
+allow xdm_t wtmp_t:file { getattr read };
+
+domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
+#
+# Poweroff wants to create the /poweroff file when run from xdm
+#
+file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
+
+#
+# xdm tries to bind to biff_port_t
+#
+dontaudit xdm_t port_type:tcp_socket name_bind;
+
+# VNC v4 module in X server
+allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; 
+ifdef(`crack.te', `
+allow xdm_t crack_db_t:file r_file_perms;
+')
+r_dir_file(xdm_t, selinux_config_t)
+
+# Run telinit->init to shutdown.
+can_exec(xdm_t, init_exec_t)
+allow xdm_t self:sem create_sem_perms;
+
+# Allow gdm to run gdm-binary
+can_exec(xdm_t, xdm_exec_t)
+
+# Supress permission check on .ICE-unix
+dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
+
+#### Also see xdm_macros.te
+ifdef(`use_mcs', `
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+')
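Review bot: the `ifdef` guard spelled `support_polyinstatiation` looks misspelled; if the symbol defined elsewhere is `support_polyinstantiation`, the whole block, including `polyinstantiater(xdm_t)`, silently never compiles in, so check the spelling against the definition. Two groups are duplicated and should be kept once: `dontaudit unpriv_userdomain xserver_log_t:file { write append };` appears with the same comment twice, and the later `allow { xdm_t unpriv_userdomain } xdm_xserver_t:...` group restates the earlier `allow unpriv_userdomain xdm_xserver_t:...` rules, with the later rw_shm_perms superseding the earlier r_shm_perms. `dontaudit xdm_t port_type:tcp_socket name_bind;` is broader than its comment about biff_port_t; a dontaudit on biff_port_t alone keeps bind denials on other ports visible in the audit log. Minor: `initrc_var_run_t: file` has a stray space after the colon, and "Supress" is misspelled.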
diff --git a/mls/domains/program/unused/xprint.te b/mls/domains/program/unused/xprint.te
new file mode 100644
index 0000000..e1af323
--- /dev/null
+++ b/mls/domains/program/unused/xprint.te
@@ -0,0 +1,50 @@
+#DESC X print server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: xprt-xprintorg
+#
+
+#################################
+#
+# Rules for the xprint_t domain.
+#
+# xprint_exec_t is the type of the xprint executable.
+#
+daemon_domain(xprint)
+
+allow initrc_t readable_t:dir r_dir_perms;
+allow initrc_t fonts_t:dir r_dir_perms;
+
+allow xprint_t var_lib_t:dir search;
+allow xprint_t fonts_t:dir r_dir_perms;
+allow xprint_t fonts_t:file { getattr read };
+
+allow xprint_t { bin_t sbin_t }:dir search;
+can_exec(xprint_t, { bin_t sbin_t ls_exec_t shell_exec_t })
+allow xprint_t bin_t:lnk_file { getattr read };
+
+allow xprint_t tmp_t:dir { getattr search };
+ifdef(`xdm.te', `
+allow xprint_t xdm_xserver_tmp_t:dir rw_dir_perms;
+allow xprint_t xdm_xserver_tmp_t:sock_file create_file_perms;
+')
+
+# Use the network.
+can_network_server(xprint_t)
+can_ypbind(xprint_t)
+allow xprint_t self:fifo_file rw_file_perms;
+allow xprint_t self:unix_stream_socket create_stream_socket_perms;
+
+allow xprint_t proc_t:file { getattr read };
+allow xprint_t self:file { getattr read };
+
+# read config files
+allow xprint_t { etc_t etc_runtime_t }:file { getattr read };
+ifdef(`cups.te', `
+allow xprint_t cupsd_etc_t:dir search;
+allow xprint_t cupsd_etc_t:file { getattr read };
+')
+
+r_dir_file(xprint_t, usr_t)
+
+allow xprint_t urandom_device_t:chr_file { getattr read };
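Review bot: the two rules granted to initrc_t (`allow initrc_t readable_t:dir r_dir_perms;` and the matching fonts_t rule) sit in the xprint policy with no comment saying which init-script step needs them; add one, or move them beside the init script rules, so the grant is not orphaned if xprint is later dropped. `can_exec(xprint_t, { bin_t sbin_t ls_exec_t shell_exec_t })` also deserves a comment naming the helper programs the print server actually runs.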
diff --git a/mls/domains/program/unused/xserver.te b/mls/domains/program/unused/xserver.te
new file mode 100644
index 0000000..cc2c493
--- /dev/null
+++ b/mls/domains/program/unused/xserver.te
@@ -0,0 +1,20 @@
+#DESC XServer - X Server
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
+# X-Debian-Packages: xserver-common xserver-xfree86
+#
+
+# Type for the executable used to start the X server, e.g. Xwrapper.
+type xserver_exec_t, file_type, sysadmfile, exec_type;
+
+# Type for the X server log file.
+type xserver_log_t, file_type, sysadmfile, logfile;
+
+# type for /var/lib/xkb
+type xkb_var_lib_t, file_type, sysadmfile, usercanread;
+typealias xkb_var_lib_t alias var_lib_xkb_t;
+
+# Everything else is in the xserver_domain macro in
+# macros/program/xserver_macros.te.
+
+allow initrc_t xserver_log_t:fifo_file { read write };
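Review bot: `allow initrc_t xserver_log_t:fifo_file { read write };` comes right after the comment saying everything else lives in xserver_macros.te and carries no comment of its own; the xdm policy in this same series identifies a FIFO under this type (`# Access /var/gdm/.gdmfifo.`), so state here that this is the FIFO the init script reads and writes.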
diff --git a/mls/domains/program/unused/yam.te b/mls/domains/program/unused/yam.te
new file mode 100644
index 0000000..da85a8c
--- /dev/null
+++ b/mls/domains/program/unused/yam.te
@@ -0,0 +1,149 @@
+# DESC yam - Yum/Apt Mirroring
+#
+# Author: David Hampton <hampton@employees.org>
+#
+
+
+#
+# Yam downloads lots of files, indexes them, and makes them available
+# for upload.  Define a type for these file.
+#
+type yam_content_t, file_type, sysadmfile, httpdcontent;
+
+
+#
+# Common definitions used by both the command line and the cron
+# invocation of yam.
+#
+define(`yam_common',`
+
+# Update the content being managed by yam.
+create_dir_file($1_t, yam_content_t)
+
+# Content can also be on ISO image files.
+r_dir_file($1_t, iso9660_t)
+
+# Need to go through /var to get to /var/yam
+# Go through /var/www to get to /var/www/yam
+allow $1_t var_t:dir { getattr search };
+allow $1_t httpd_sys_content_t:dir { getattr search };
+
+# Allow access to locale database,  nsswitch, and mtab
+read_locale($1_t)
+allow $1_t etc_t:file { getattr read };
+allow $1_t etc_runtime_t:file { getattr read };
+
+# Python seems to need things from various places
+allow $1_t { bin_t sbin_t }:dir { search getattr };
+allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read };
+allow $1_t bin_t:lnk_file read;
+
+# Python works fine without reading /proc/meminfo
+dontaudit $1_t proc_t:dir search;
+dontaudit $1_t proc_t:file { getattr read };
+
+# Yam wants to run rsync, lftp, mount, and a shell.  Allow the latter
+# two here.  Run rsync and lftp in the yam_t context so that we dont
+# have to give any other programs write access to the yam_t files.
+general_domain_access($1_t)
+can_exec($1_t, shell_exec_t)
+can_exec($1_t, rsync_exec_t)
+can_exec($1_t, bin_t)
+can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py
+ifdef(`mount.te', `
+domain_auto_trans($1_t, mount_exec_t, mount_t)
+')
+
+# Rsync and lftp need to network.  They also set files attributes to
+# match whats on the remote server.
+can_network_client($1_t)
+allow $1_t { http_port_t rsync_port_t }:tcp_socket name_connect;
+allow $1_t self:capability { chown fowner fsetid dac_override };
+allow $1_t self:process execmem;
+
+# access to sysctl_kernel_t ( proc/sys/kernel/* )
+read_sysctl($1_t)
+
+# Programs invoked to build package lists need various permissions.
+# genpkglist creates tmp files in /var/cache/apt/genpkglist
+allow $1_t var_t:file { getattr read write };
+allow $1_t var_t:dir read;
+# mktemp
+allow $1_t urandom_device_t:chr_file read;
+# mv
+allow $1_t proc_t:lnk_file read;
+allow $1_t selinux_config_t:dir search;
+allow $1_t selinux_config_t:file { getattr read };
+')
+
+
+##########
+##########
+
+#
+# Runnig yam from the command line
+#
+application_domain(yam, `, nscd_client_domain')
+role system_r types yam_t;
+yam_common(yam)
+etc_domain(yam)
+tmp_domain(yam)
+
+# Terminal access
+allow yam_t devpts_t:dir search;
+allow yam_t devtty_t:chr_file { read write };
+allow yam_t sshd_t:fd use;
+allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };
+
+# Reading dotfiles...
+allow yam_t sysadm_home_dir_t:dir search;		# /root
+allow yam_t sysadm_home_t:dir search;			# /root/xxx
+allow yam_t home_root_t:dir search;			# /home
+allow yam_t user_home_dir_t:dir r_dir_perms;		# /home/user
+
+
+##########
+##########
+
+#
+# Running yam from cron
+#
+application_domain(yam_crond, `, nscd_client_domain')
+role system_r types yam_crond_t;
+ifdef(`crond.te', `
+system_crond_entry(yam_exec_t, yam_crond_t)
+')
+
+yam_common(yam_crond)
+allow yam_crond_t yam_etc_t:file r_file_perms;
+file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')
+
+allow yam_crond_t devtty_t:chr_file { read write };
+
+# Reading dotfiles...
+# LFTP uses a directory for its dotfiles
+allow yam_crond_t default_t:dir search;
+
+# Don't know why init tries to read this.
+allow initrc_t yam_etc_t:file { getattr read };
+
+
+##########
+##########
+
+# The whole point of this program is to make updates available on a
+# local web server.  Allow apache access to these files.
+ifdef(`apache.te', `
+r_dir_file(httpd_t, yam_content_t)
+')
+
+ifdef(`webalizer.te', `
+dontaudit webalizer_t yam_content_t:dir search;
+')
+
+# Mount needs access to the yam directories in order to mount the ISO
+# files on a loobpack file system.
+ifdef(`mount.te', `
+allow mount_t yam_content_t:dir mounton;
+allow mount_t yam_content_t:file { read write };
+')
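Review bot: the header `# DESC yam - Yum/Apt Mirroring` has a space after `#`, whereas every other file in this series uses `#DESC`; anything that parses that marker will miss this file, so make it `#DESC`. Inside `yam_common`, `allow $1_t var_t:file { getattr read write };` grants write on every file carrying the generic var_t type, and `can_exec($1_t, usr_t)` lets the domain execute anything labelled usr_t, each justified in the comments by a single program (genpkglist and genpkgmetadata.py); a derived type for the genpkglist cache directory and an exec type for the script would keep the grants to what the comments describe. Comment typos: "these file", "Runnig", "loobpack".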
diff --git a/mls/domains/program/updfstab.te b/mls/domains/program/updfstab.te
new file mode 100644
index 0000000..82edf3d
--- /dev/null
+++ b/mls/domains/program/updfstab.te
@@ -0,0 +1,81 @@
+#DESC updfstab - Red Hat utility to change /etc/fstab
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+daemon_base_domain(updfstab, `, fs_domain, etc_writer')
+
+rw_dir_create_file(updfstab_t, etc_t)
+create_dir_file(updfstab_t, mnt_t)
+
+# Read /dev directories and modify sym-links
+allow updfstab_t device_t:dir rw_dir_perms;
+allow updfstab_t device_t:lnk_file create_file_perms;
+
+# Access disk devices.
+allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms;
+allow updfstab_t removable_device_t:blk_file rw_file_perms;
+allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms;
+
+# for /proc/partitions
+allow updfstab_t proc_t:file { getattr read };
+
+# for /proc/self/mounts
+r_dir_file(updfstab_t, self)
+
+# for /etc/mtab
+allow updfstab_t etc_runtime_t:file { getattr read };
+
+read_locale(updfstab_t)
+
+ifdef(`dbusd.te', `
+dbusd_client(system, updfstab)
+allow updfstab_t system_dbusd_t:dbus { send_msg };
+allow initrc_t updfstab_t:dbus send_msg;
+allow updfstab_t initrc_t:dbus send_msg;
+')
+
+# not sure what the sysctl_kernel_t file is, or why it wants to write it, so
+# I will not allow it
+read_sysctl(updfstab_t)
+dontaudit updfstab_t sysctl_kernel_t:file write;
+allow updfstab_t modules_conf_t:file { getattr read };
+allow updfstab_t sbin_t:dir search;
+allow updfstab_t sbin_t:lnk_file read;
+allow updfstab_t { var_t var_log_t }:dir search;
+
+allow updfstab_t kernel_t:fd use;
+
+allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
+allow updfstab_t self:unix_dgram_socket create_socket_perms;
+
+ifdef(`modutil.te', `
+dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
+can_exec(updfstab_t, insmod_exec_t)
+allow updfstab_t modules_object_t:dir search;
+allow updfstab_t modules_dep_t:file { getattr read };
+')
+
+ifdef(`pamconsole.te', `
+domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t)
+')
+allow updfstab_t kernel_t:system syslog_console;
+allow updfstab_t sysadm_tty_device_t:chr_file { read write };
+allow updfstab_t self:capability dac_override;
+dontaudit updfstab_t self:capability sys_admin;
+
+r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
+can_getsecurity(updfstab_t)
+
+allow updfstab_t { sbin_t bin_t }:dir { search getattr };
+dontaudit updfstab_t devtty_t:chr_file { read write };
+allow updfstab_t self:fifo_file { getattr read write ioctl };
+can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
+dontaudit updfstab_t home_root_t:dir { getattr search };
+dontaudit updfstab_t { home_dir_type home_type }:dir search;
+allow updfstab_t fs_t:filesystem { getattr };
+allow updfstab_t tmpfs_t:dir getattr;
+ifdef(`hald.te', `
+can_unix_connect(updfstab_t, hald_t)
+')
+
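Review bot: the leftover `dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)` next to `can_exec(updfstab_t, insmod_exec_t)` leaves the reader guessing why insmod runs inside updfstab_t instead of transitioning to insmod_t; delete the dnl line and state the reason in a comment. The comment `# not sure what the sysctl_kernel_t file is` can be resolved: yam.te in this same series describes sysctl_kernel_t as /proc/sys/kernel/*, so the comment should say that, which also makes the dontaudit on writes self-explanatory. Drop the trailing blank line at end of file.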
diff --git a/mls/domains/program/usbmodules.te b/mls/domains/program/usbmodules.te
new file mode 100644
index 0000000..f76f56b
--- /dev/null
+++ b/mls/domains/program/usbmodules.te
@@ -0,0 +1,35 @@
+#DESC USBModules - List kernel modules for USB devices
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages:
+#
+
+#################################
+#
+# Rules for the usbmodules_t domain.
+#
+type usbmodules_t, domain, privlog;
+type usbmodules_exec_t, file_type, sysadmfile, exec_type;
+
+in_user_role(usbmodules_t)
+role sysadm_r types usbmodules_t;
+role system_r types usbmodules_t;
+
+domain_auto_trans(initrc_t, usbmodules_exec_t, usbmodules_t)
+ifdef(`hotplug.te',`
+domain_auto_trans(hotplug_t, usbmodules_exec_t, usbmodules_t)
+allow usbmodules_t hotplug_etc_t:file r_file_perms;
+allow usbmodules_t hotplug_etc_t:dir search;
+')
+allow usbmodules_t init_t:fd use;
+allow usbmodules_t console_device_t:chr_file { read write };
+
+uses_shlib(usbmodules_t)
+
+# allow usb device access
+allow usbmodules_t usbdevfs_t:file rw_file_perms;
+
+allow usbmodules_t { etc_t modules_object_t proc_t usbdevfs_t }:dir r_dir_perms;
+
+# needs etc_t read access for the hotplug config, maybe should have a new type
+allow usbmodules_t { etc_t modules_dep_t }:file r_file_perms;
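Review bot: `# X-Debian-Packages:` is left empty while the other files in this series fill it in; either name the package or drop the line. The closing comment (`# needs etc_t read access for the hotplug config, maybe should have a new type`) records an open question: hotplug_etc_t read is already granted inside the hotplug.te ifdef block above, so say why generic etc_t read is still needed outside it, or remove it if hotplug_etc_t covers the config.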
diff --git a/mls/domains/program/useradd.te b/mls/domains/program/useradd.te
new file mode 100644
index 0000000..1df38af
--- /dev/null
+++ b/mls/domains/program/useradd.te
@@ -0,0 +1,108 @@
+#DESC Useradd - Manage system user accounts
+#
+# Authors:  Chris Vance <cvance@tislabs.com>  David Caplan <dac@tresys.com>
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: passwd
+#
+
+#################################
+#
+# Rules for the useradd_t and groupadd_t domains.
+#
+# useradd_t is the domain of the useradd/userdel programs.
+# groupadd_t is for adding groups (can not create home dirs)
+#
+define(`user_group_add_program', `
+type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
+role sysadm_r types $1_t;
+role system_r types $1_t;
+
+general_domain_access($1_t)
+uses_shlib($1_t)
+
+type $1_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
+domain_auto_trans(initrc_t, $1_exec_t, $1_t)
+
+# Use capabilities.
+allow $1_t self:capability { dac_override chown kill };
+
+# Allow access to context for shadow file
+can_getsecurity($1_t)
+
+# Inherit and use descriptors from login.
+allow $1_t { init_t privfd }:fd use;
+
+# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
+allow $1_t { bin_t sbin_t }:dir r_dir_perms;
+can_exec($1_t, { bin_t sbin_t })
+
+# Update /etc/shadow and /etc/passwd
+file_type_auto_trans($1_t, etc_t, shadow_t, file)
+allow $1_t etc_t:file create_file_perms;
+
+# some apps ask for these accesses, but seems to work regardless
+dontaudit $1_t var_run_t:dir search;
+r_dir_file($1_t,  selinux_config_t)
+
+# Set fscreate context.
+can_setfscreate($1_t)
+
+allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
+
+read_locale($1_t)
+
+# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
+# but will operate without them.
+dontaudit $1_t { device_t var_t var_log_t }:dir search;
+
+# For userdel and groupadd
+allow $1_t fs_t:filesystem getattr;
+
+# Access terminals.
+allow $1_t ttyfile:chr_file rw_file_perms;
+allow $1_t ptyfile:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
+
+# for when /root is the cwd
+dontaudit $1_t sysadm_home_dir_t:dir search;
+nsswitch_domain($1_t)
+
+allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+')
+user_group_add_program(useradd)
+allow useradd_t lastlog_t:file { getattr read write };
+
+# for getting the number of groups
+read_sysctl(useradd_t)
+
+# Add/remove user home directories
+file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
+file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
+
+# create/delete mail spool file in /var/mail
+allow useradd_t var_spool_t:dir search;
+allow useradd_t mail_spool_t:dir { search write add_name remove_name };
+allow useradd_t mail_spool_t:file create_file_perms;
+# /var/mail is a link to /var/spool/mail
+allow useradd_t mail_spool_t:lnk_file read;
+
+allow useradd_t self:capability { fowner fsetid setuid sys_resource };
+can_exec(useradd_t, shell_exec_t)
+
+# /usr/bin/userdel locks the user being deleted, allow write access to utmp
+allow useradd_t initrc_var_run_t:file { read write lock };
+
+user_group_add_program(groupadd)
+
+dontaudit groupadd_t self:capability fsetid;
+
+allow groupadd_t self:capability { setuid sys_resource };
+allow groupadd_t self:process setrlimit;
+allow groupadd_t initrc_var_run_t:file r_file_perms;
+dontaudit groupadd_t initrc_var_run_t:file write;
+
+allow useradd_t default_context_t:dir search;
+allow useradd_t file_context_t:dir search;
+allow useradd_t file_context_t:file { getattr read };
+allow useradd_t var_lib_t:dir search;
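Review bot: `file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)` omits the object-class argument that the preceding call passes (`dir`), so it applies to every class the macro covers; if that is intended because the skeleton copy creates both files and directories, say so in the comment, otherwise pass the class. `allow $1_t etc_t:file create_file_perms;` together with the relabelfrom/relabelto grants on etc_t and shadow_t matches the "Update /etc/shadow and /etc/passwd" comment, but a one-line note on why relabelling between the two types is required would help the next reviewer. Style: double space in `r_dir_file($1_t,  selinux_config_t)`.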
diff --git a/mls/domains/program/userhelper.te b/mls/domains/program/userhelper.te
new file mode 100644
index 0000000..cab6c70
--- /dev/null
+++ b/mls/domains/program/userhelper.te
@@ -0,0 +1,22 @@
+#DESC Userhelper - SELinux utility to run a shell with a new role
+#
+# Authors:  Dan Walsh (Red Hat)
+# Maintained by Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the userhelper_t domain.
+#
+# userhelper_exec_t is the type of the userhelper executable.
+# userhelper_conf_t is the type of the userhelper configuration files.
+#
+type userhelper_exec_t, file_type, exec_type, sysadmfile;
+type userhelper_conf_t, file_type, sysadmfile;
+
+# Everything else is in the userhelper_domain macro in
+# macros/program/userhelper_macros.te.
+
+ifdef(`xdm.te', `
+dontaudit xdm_t userhelper_conf_t:dir search;
+')
diff --git a/mls/domains/program/usernetctl.te b/mls/domains/program/usernetctl.te
new file mode 100644
index 0000000..6a2c64f
--- /dev/null
+++ b/mls/domains/program/usernetctl.te
@@ -0,0 +1,64 @@
+#DESC usernetctl - User network interface configuration helper 
+#
+# Author: Colin Walters <walters@redhat.com>
+
+type usernetctl_exec_t, file_type, sysadmfile, exec_type;
+
+type usernetctl_t, domain, privfd;
+
+if (user_net_control) {
+domain_auto_trans(userdomain, usernetctl_exec_t, usernetctl_t)
+} else {
+can_exec(userdomain, usernetctl_exec_t)
+}
+in_user_role(usernetctl_t)
+role sysadm_r types usernetctl_t;
+
+define(`usernetctl_transition',`
+domain_auto_trans(usernetctl_t, $1_exec_t, $1_t)
+in_user_role($1_t)
+allow $1_t userpty_type:chr_file { getattr read write };
+')
+
+ifdef(`ifconfig.te',`
+usernetctl_transition(ifconfig)
+')
+ifdef(`iptables.te',`
+usernetctl_transition(iptables)
+')
+ifdef(`dhcpc.te',`
+usernetctl_transition(dhcpc)
+allow usernetctl_t dhcp_etc_t:file ra_file_perms;
+')
+ifdef(`modutil.te',`
+usernetctl_transition(insmod)
+')
+ifdef(`consoletype.te',`
+usernetctl_transition(consoletype)
+')
+ifdef(`hostname.te',`
+usernetctl_transition(hostname)
+')
+
+allow usernetctl_t self:capability { setuid setgid dac_override };
+
+base_file_read_access(usernetctl_t)
+base_pty_perms(usernetctl)
+allow usernetctl_t devtty_t:chr_file rw_file_perms;
+uses_shlib(usernetctl_t)
+read_locale(usernetctl_t)
+general_domain_access(usernetctl_t)
+
+r_dir_file(usernetctl_t, proc_t)
+dontaudit usernetctl_t { domain - usernetctl_t }:dir search;
+
+allow usernetctl_t userpty_type:chr_file rw_file_perms;
+
+can_exec(usernetctl_t, { bin_t sbin_t shell_exec_t usernetctl_exec_t})
+can_exec(usernetctl_t, etc_t)
+
+r_dir_file(usernetctl_t, etc_t)
+allow usernetctl_t { var_t var_run_t }:dir { getattr read search };
+allow usernetctl_t etc_runtime_t:file r_file_perms;
+allow usernetctl_t net_conf_t:file r_file_perms;
+
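Review bot: `if (user_net_control) {` references a boolean that is not declared in this file (compare `bool xdm_sysadm_login false;` in the xdm policy of this series); policy compilation fails on an undeclared boolean, so either declare it here or comment which always-included file declares it. The domain is entered from any userdomain when the boolean is on and holds setuid, setgid and dac_override, so `can_exec(usernetctl_t, { bin_t sbin_t shell_exec_t usernetctl_exec_t})` and `can_exec(usernetctl_t, etc_t)` should be narrowed to, or at least commented with, the specific helpers usernetctl runs. Drop the trailing blank line at end of file.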
diff --git a/mls/domains/program/utempter.te b/mls/domains/program/utempter.te
new file mode 100644
index 0000000..92b443f
--- /dev/null
+++ b/mls/domains/program/utempter.te
@@ -0,0 +1,51 @@
+#DESC Utempter - Privileged helper for utmp/wtmp updates
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages:
+#
+
+#################################
+#
+# Rules for the utempter_t domain.
+#
+# This is the domain for the utempter program.  utempter is
+# executed by xterm to update utmp and wtmp.
+# utempter_exec_t is the type of the utempter binary.
+#
+type utempter_t, domain, nscd_client_domain;
+in_user_role(utempter_t)
+role sysadm_r types utempter_t;
+uses_shlib(utempter_t)
+type utempter_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
+
+allow utempter_t urandom_device_t:chr_file { getattr read };
+
+# Use capabilities.
+allow utempter_t self:capability setgid;
+
+allow utempter_t etc_t:file { getattr read };
+
+# Update /var/run/utmp and /var/log/wtmp.
+allow utempter_t initrc_var_run_t:file rw_file_perms;
+allow utempter_t var_log_t:dir search;
+allow utempter_t wtmp_t:file rw_file_perms;
+
+# dontaudit access to /dev/ptmx.
+dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
+dontaudit utempter_t sysadm_devpts_t:chr_file { read write };
+
+# Allow utemper to write to /tmp/.xses-*
+allow utempter_t user_tmpfile:file { getattr write append };
+
+# Inherit and use descriptors from login.
+allow utempter_t privfd:fd use;
+ifdef(`xdm.te', `can_pipe_xdm(utempter_t)')
+
+allow utempter_t self:unix_stream_socket create_stream_socket_perms;
+
+# Access terminals.
+allow utempter_t ttyfile:chr_file getattr;
+allow utempter_t ptyfile:chr_file getattr;
+allow utempter_t devpts_t:dir search;
+dontaudit utempter_t {ttyfile ptyfile}:chr_file { read write };
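Review bot: typo in the comment `# Allow utemper to write to /tmp/.xses-*` (should be utempter). Separately, `allow utempter_t initrc_var_run_t:file rw_file_perms;` under `# Update /var/run/utmp and /var/log/wtmp.` grants read/write on every file of type initrc_var_run_t, not only utmp; if utmp can be given its own type, this rule should be narrowed to it.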
diff --git a/mls/domains/program/uucpd.te b/mls/domains/program/uucpd.te
new file mode 100644
index 0000000..05791bd
--- /dev/null
+++ b/mls/domains/program/uucpd.te
@@ -0,0 +1,24 @@
+#DESC uucpd - UUCP file transfer daemon
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the uucpd_t domain.
+#
+# uucpd_exec_t is the type of the uucpd executable.
+#
+
+inetd_child_domain(uucpd, tcp)
+type uucpd_rw_t, file_type, sysadmfile;
+type uucpd_ro_t, file_type, sysadmfile;
+type uucpd_spool_t, file_type, sysadmfile;
+create_dir_file(uucpd_t, uucpd_rw_t)
+r_dir_file(uucpd_t, uucpd_ro_t)
+allow uucpd_t sbin_t:dir search;
+can_exec(uucpd_t, sbin_t)
+logdir_domain(uucpd)
+allow uucpd_t var_spool_t:dir search;
+create_dir_file(uucpd_t, uucpd_spool_t)
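Review bot: the three types declared here (`uucpd_rw_t`, `uucpd_ro_t`, `uucpd_spool_t`) have no comment saying which paths they label, and the section header above them documents only uucpd_exec_t; add a line per type so the matching file_contexts entries can be checked against the policy. `can_exec(uucpd_t, sbin_t)` is also wide for a file transfer daemon and should say which sbin program uucpd needs to run.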
diff --git a/mls/domains/program/vpnc.te b/mls/domains/program/vpnc.te
new file mode 100644
index 0000000..01ddac1
--- /dev/null
+++ b/mls/domains/program/vpnc.te
@@ -0,0 +1,62 @@
+#DESC vpnc
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the vpnc_t domain, et al.
+#
+# vpnc_t is the domain for the vpnc program.
+# vpnc_exec_t is the type of the vpnc executable.
+#
+application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain')
+
+allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+# Use the network.
+can_network(vpnc_t)
+allow vpnc_t port_type:tcp_socket name_connect;
+allow vpnc_t isakmp_port_t:udp_socket name_bind;
+
+can_ypbind(vpnc_t)
+allow vpnc_t self:socket create_socket_perms;
+
+# Use capabilities.
+allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
+
+allow vpnc_t devpts_t:dir search;
+allow vpnc_t etc_t:file { getattr read };
+allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
+allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
+allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms;
+allow vpnc_t port_t:udp_socket name_bind;
+allow vpnc_t etc_runtime_t:file { getattr read };
+allow vpnc_t proc_t:file { getattr read };
+dontaudit vpnc_t selinux_config_t:dir search;
+can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
+allow vpnc_t sysctl_net_t:dir search;
+allow vpnc_t sysctl_net_t:file write;
+allow vpnc_t sbin_t:dir search;
+allow vpnc_t bin_t:dir search;
+allow vpnc_t bin_t:lnk_file read;
+allow vpnc_t self:dir search;
+r_dir_file(vpnc_t, proc_t)
+r_dir_file(vpnc_t, proc_net_t)
+tmp_domain(vpnc)
+allow vpnc_t self:fifo_file { getattr ioctl read write };
+allow vpnc_t self:file { getattr read };
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
+allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
+dontaudit vpnc_t home_root_t:dir search;
+dontaudit vpnc_t user_home_dir_type:dir search;
+var_run_domain(vpnc)
+allow vpnc_t userdomain:fd use;
+r_dir_file(vpnc_t, sysfs_t)
+allow vpnc_t self:process { fork sigchld };
+read_locale(vpnc_t)
+read_sysctl(vpnc_t)
+allow vpnc_t fs_t:filesystem getattr;
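Review bot: the `#DESC vpnc` header carries no description, unlike the other domain files in this series, and the rules from `allow vpnc_t devpts_t:dir search;` onward are a flat, uncommented list, which makes it hard to see why `allow vpnc_t etc_t:file { execute execute_no_trans ioctl };` is needed on top of the `can_exec` line above it. `allow vpnc_t port_type:tcp_socket name_connect;` permits connecting to every labelled port; if the client only needs a known set of ports, name those port types instead and add a comment for any that must stay broad.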
diff --git a/mls/domains/program/webalizer.te b/mls/domains/program/webalizer.te
new file mode 100644
index 0000000..c1f38bd
--- /dev/null
+++ b/mls/domains/program/webalizer.te
@@ -0,0 +1,51 @@
+# DESC webalizer - webalizer
+#
+# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp)
+#
+# Depends: apache.te
+
+application_domain(webalizer, `, nscd_client_domain')
+# to use from cron
+system_crond_entry(webalizer_exec_t,webalizer_t)
+role system_r types webalizer_t;
+
+##type definision
+# type for usage file
+type webalizer_usage_t,file_type,sysadmfile;
+# type for /var/lib/webalizer
+type webalizer_write_t,file_type,sysadmfile;
+# type for webalizer.conf
+etc_domain(webalizer)
+
+#read apache log
+allow webalizer_t var_log_t:dir r_dir_perms;
+r_dir_file(webalizer_t, httpd_log_t)
+ifdef(`ftpd.te', `
+allow webalizer_t xferlog_t:file { getattr read };
+')
+
+#r/w /var/lib/webalizer
+var_lib_domain(webalizer)
+
+#read /var/www/usage
+create_dir_file(webalizer_t, httpd_sys_content_t)
+
+#read system files under /etc
+allow webalizer_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale(webalizer_t)
+
+# can use tmp file
+tmp_domain(webalizer)
+
+# can read /proc
+read_sysctl(webalizer_t)
+allow webalizer_t proc_t:dir search;
+allow webalizer_t proc_t:file r_file_perms;
+
+# network
+can_network_server(webalizer_t)
+
+#process communication inside webalizer itself
+general_domain_access(webalizer_t)
+
+allow webalizer_t self:capability dac_override;
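Review bot: `webalizer_usage_t` and `webalizer_write_t` are declared under `##type definision` (typo for definition) but no rule in this hunk uses either of them; wire them in or drop them. The comment `#read /var/www/usage` sits above `create_dir_file(webalizer_t, httpd_sys_content_t)`, which grants create and write access over all httpd_sys_content_t content, well beyond reading one directory; this looks like where webalizer_usage_t was meant to be applied, so the output directory gets its own type and the rest of the web content stays read-only to this domain. Also `# DESC` (with a space) differs from the `#DESC` convention used elsewhere.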
diff --git a/mls/domains/program/winbind.te b/mls/domains/program/winbind.te
new file mode 100644
index 0000000..7b9e5e9
--- /dev/null
+++ b/mls/domains/program/winbind.te
@@ -0,0 +1,50 @@
+#DESC winbind - Name  Service  Switch  daemon for resolving names from NT servers
+#
+# Author: Dan Walsh (dwalsh@redhat.com)
+#
+
+#################################
+#
+# Declarations for winbind
+#
+
+daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
+log_domain(winbind)
+tmp_domain(winbind)
+allow winbind_t etc_t:file r_file_perms;
+allow winbind_t etc_t:lnk_file read;
+can_network(winbind_t)
+allow winbind_t smbd_port_t:tcp_socket name_connect;
+can_resolve(winbind_t)
+
+ifdef(`samba.te', `', `
+type samba_etc_t, file_type, sysadmfile, usercanread;
+type samba_log_t, file_type, sysadmfile, logfile;
+type samba_var_t, file_type, sysadmfile;
+type samba_secrets_t, file_type, sysadmfile;
+')
+file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
+rw_dir_create_file(winbind_t, samba_log_t)
+allow winbind_t samba_secrets_t:file rw_file_perms;
+allow winbind_t self:unix_dgram_socket create_socket_perms;
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_t urandom_device_t:chr_file { getattr read };
+allow winbind_t self:fifo_file { read write };
+rw_dir_create_file(winbind_t, samba_var_t)
+can_kerberos(winbind_t)
+allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow winbind_t winbind_var_run_t:sock_file create_file_perms;
+allow initrc_t winbind_var_run_t:file r_file_perms;
+
+application_domain(winbind_helper, `, nscd_client_domain')
+role system_r types winbind_helper_t;
+access_terminal(winbind_helper_t, sysadm)
+read_locale(winbind_helper_t) 
+r_dir_file(winbind_helper_t, samba_etc_t)
+r_dir_file(winbind_t, samba_etc_t)
+allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_helper_t samba_var_t:dir search;
+allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
+can_winbind(winbind_helper_t)
+allow winbind_helper_t privfd:fd use;
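Review bot: `r_dir_file(winbind_t, samba_etc_t)` is placed in the middle of the winbind_helper_t block even though it applies to winbind_t; move it up with the other winbind_t rules so each domain's grants are contiguous. Minor: trailing whitespace after `read_locale(winbind_helper_t)`, and the DESC line has doubled spaces in `Name  Service  Switch  daemon`.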
diff --git a/mls/domains/program/xfs.te b/mls/domains/program/xfs.te
new file mode 100644
index 0000000..04302cd
--- /dev/null
+++ b/mls/domains/program/xfs.te
@@ -0,0 +1,49 @@
+#DESC XFS - X Font Server
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: xfs
+#
+
+#################################
+#
+# Rules for the xfs_t domain.
+#
+# xfs_t is the domain of the X font server.
+# xfs_exec_t is the type of the xfs executable.
+#
+daemon_domain(xfs)
+
+# for /tmp/.font-unix/fs7100
+ifdef(`distro_debian', `
+type xfs_tmp_t, file_type, sysadmfile, tmpfile;
+allow xfs_t tmp_t:dir search;
+file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)
+', `
+tmp_domain(xfs, `', `{dir sock_file}')
+')
+
+allow xfs_t { etc_t etc_runtime_t }:file { getattr read };
+allow xfs_t proc_t:file { getattr read };
+
+allow xfs_t self:process setpgid;
+can_ypbind(xfs_t)
+
+# Use capabilities.
+allow xfs_t self:capability { setgid setuid };
+
+# Bind to /tmp/.font-unix/fs-1.
+allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
+allow xfs_t self:unix_stream_socket create_stream_socket_perms;
+allow xfs_t self:unix_dgram_socket create_socket_perms;
+
+# Read fonts
+read_fonts(xfs_t)
+
+# Unlink the xfs socket.
+allow initrc_t xfs_tmp_t:dir rw_dir_perms;
+allow initrc_t xfs_tmp_t:dir rmdir;
+allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
+allow initrc_t fonts_t:dir create_dir_perms;
+allow initrc_t fonts_t:file create_file_perms;
+
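Review bot: the `# Unlink the xfs socket.` comment covers only the first three initrc_t rules; `allow initrc_t fonts_t:dir create_dir_perms;` and `allow initrc_t fonts_t:file create_file_perms;` give the init scripts create access to font files and directories and need their own comment saying why. The two socket comments also disagree on the path (`/tmp/.font-unix/fs7100` versus `/tmp/.font-unix/fs-1`), and the file ends with an extra blank line.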
diff --git a/mls/domains/program/ypbind.te b/mls/domains/program/ypbind.te
new file mode 100644
index 0000000..ed7c3f8
--- /dev/null
+++ b/mls/domains/program/ypbind.te
@@ -0,0 +1,44 @@
+#DESC Ypbind - NIS/YP
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: nis
+# Depends: portmap.te named.te
+#
+
+#################################
+#
+# Rules for the ypbind_t domain.
+#
+daemon_domain(ypbind)
+
+tmp_domain(ypbind)
+
+# Use capabilities.
+allow ypbind_t self:capability { net_bind_service };
+dontaudit ypbind_t self:capability net_admin;
+
+# Use the network.
+can_network(ypbind_t)
+allow ypbind_t port_type:tcp_socket name_connect;
+allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
+
+allow ypbind_t self:fifo_file rw_file_perms;
+
+read_sysctl(ypbind_t)
+
+# Send to portmap and initrc.
+can_udp_send(ypbind_t, portmap_t)
+can_udp_send(ypbind_t, initrc_t)
+
+# Read and write /var/yp.
+allow ypbind_t var_yp_t:dir rw_dir_perms;
+allow ypbind_t var_yp_t:file create_file_perms;
+allow initrc_t var_yp_t:dir { getattr read };
+allow ypbind_t etc_t:file { getattr read };
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+can_udp_send(initrc_t, ypbind_t)
+
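Review bot: `can_udp_send(initrc_t, ypbind_t)` at the end of the file belongs in the `# Send to portmap and initrc.` block next to its counterpart `can_udp_send(ypbind_t, initrc_t)`. `allow ypbind_t port_type:tcp_socket name_connect;` is the widest network grant in the file (connections to every labelled port); if that breadth is required, a comment should say why, and `dontaudit ypbind_t self:capability net_admin;` is likewise undocumented. The file ends with an extra blank line.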
diff --git a/mls/domains/program/yppasswdd.te b/mls/domains/program/yppasswdd.te
new file mode 100644
index 0000000..b7588a2
--- /dev/null
+++ b/mls/domains/program/yppasswdd.te
@@ -0,0 +1,40 @@
+#DESC yppassdd - NIS password update daemon
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com>
+# Depends: portmap.te
+#
+
+#################################
+#
+# Rules for the yppasswdd_t domain.
+#
+daemon_domain(yppasswdd, `, auth_write, privowner')
+
+# Use capabilities.
+allow yppasswdd_t self:capability { net_bind_service };
+
+# Use the network.
+can_network_server(yppasswdd_t)
+
+read_sysctl(yppasswdd_t)
+
+# Send to portmap and initrc.
+can_udp_send(yppasswdd_t, portmap_t)
+can_udp_send(yppasswdd_t, initrc_t)
+
+allow yppasswdd_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit yppasswdd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read };
+allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
+file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file)
+allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto };
+can_setfscreate(yppasswdd_t)
+allow yppasswdd_t proc_t:file getattr;
+allow yppasswdd_t { bin_t sbin_t }:dir search;
+allow yppasswdd_t bin_t:lnk_file read;
+can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t })
+allow yppasswdd_t self:fifo_file rw_file_perms;
+rw_dir_create_file(yppasswdd_t, var_yp_t)
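Review bot: `allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto };` permits relabelling in both directions, including shadow_t to etc_t, which would strip the protected type from the shadow file; if the only need is to relabel a newly written etc_t file to shadow_t (consistent with the `file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file)` line above it), split it into `allow yppasswdd_t etc_t:file relabelfrom;` and `allow yppasswdd_t shadow_t:file relabelto;`. Also the DESC line says `yppassdd` instead of yppasswdd, and `# Authors:` lists a single author.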
diff --git a/mls/domains/program/ypserv.te b/mls/domains/program/ypserv.te
new file mode 100644
index 0000000..b9d95fb
--- /dev/null
+++ b/mls/domains/program/ypserv.te
@@ -0,0 +1,50 @@
+#DESC Ypserv - NIS/YP
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com>
+# Depends: portmap.te
+#
+
+#################################
+#
+# Rules for the ypserv_t domain.
+#
+daemon_domain(ypserv)
+
+tmp_domain(ypserv)
+
+# Use capabilities.
+allow ypserv_t self:capability { net_bind_service };
+
+# Use the network.
+can_network_server(ypserv_t)
+
+allow ypserv_t self:fifo_file rw_file_perms;
+
+read_sysctl(ypserv_t)
+
+# Send to portmap and initrc.
+can_udp_send(ypserv_t, portmap_t)
+can_udp_send(ypserv_t, initrc_t)
+
+type ypserv_conf_t, file_type, sysadmfile;
+
+# Read and write /var/yp.
+allow ypserv_t var_yp_t:dir rw_dir_perms;
+allow ypserv_t var_yp_t:file create_file_perms;
+allow ypserv_t ypserv_conf_t:file { getattr read };
+allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+ifdef(`rpcd.te', `
+allow rpcd_t ypserv_conf_t:file { getattr read };
+')
+allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+can_exec(ypserv_t, bin_t)
+
+application_domain(ypxfr, `, nscd_client_domain')
+can_network_client(ypxfr_t)
+allow ypxfr_t etc_t:file { getattr read };
+allow ypxfr_t portmap_port_t:tcp_socket name_connect;
+allow ypxfr_t reserved_port_t:tcp_socket name_connect;
+dontaudit ypxfr_t reserved_port_type:tcp_socket name_connect;
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
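Review bot: `type ypserv_conf_t, file_type, sysadmfile;` is declared between the network rules and the `# Read and write /var/yp.` block with no comment on which file it labels; move it up with the declarations and document the path. The ypxfr_t domain added at the bottom (`application_domain(ypxfr, `, nscd_client_domain')`) has no section header like the `# Rules for the ypserv_t domain.` block above it, and `can_exec(ypserv_t, bin_t)` should say which program ypserv executes.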
diff --git a/mls/domains/program/zebra.te b/mls/domains/program/zebra.te
new file mode 100644
index 0000000..0cf4e24
--- /dev/null
+++ b/mls/domains/program/zebra.te
@@ -0,0 +1,32 @@
+#DESC Zebra - BGP server
+#
+# Author:  Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: zebra
+#
+
+daemon_domain(zebra, `, sysctl_net_writer')
+type zebra_conf_t, file_type, sysadmfile;
+r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
+
+can_network_server(zebra_t)
+can_ypbind(zebra_t)
+allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
+
+allow zebra_t self:process setcap;
+allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw };
+file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file)
+
+logdir_domain(zebra)
+
+# /tmp/.bgpd is such a bad idea!
+tmp_domain(zebra, `', sock_file)
+
+allow zebra_t self:unix_dgram_socket create_socket_perms;
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow zebra_t self:rawip_socket create_socket_perms;
+allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zebra_t zebra_port_t:tcp_socket name_bind;
+
+allow zebra_t proc_t:file { getattr read };
+allow zebra_t { sysctl_t sysctl_net_t }:dir search;
+allow zebra_t sysctl_net_t:file rw_file_perms;
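Review bot: `allow zebra_t sysctl_net_t:file rw_file_perms;` looks redundant with the `sysctl_net_writer` attribute passed in `daemon_domain(zebra, `, sysctl_net_writer')`; check whether the attribute already grants write access to sysctl_net_t and keep only one of the two. The `#DESC Zebra - BGP server` line would also be more accurate if it matched what the rules cover, since the rest of the file is written for the whole zebra daemon rather than bgpd alone.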
diff --git a/mls/domains/user.te b/mls/domains/user.te
new file mode 100644
index 0000000..d86e5d4
--- /dev/null
+++ b/mls/domains/user.te
@@ -0,0 +1,108 @@
+#DESC User - Domains for ordinary users.
+#
+#################################
+
+# Booleans for user domains.
+
+# Allow applications to read untrusted content
+# If this is disallowed, Internet content has
+# to be manually relabeled for read access to be granted
+bool read_untrusted_content false;
+
+# Allow applications to write untrusted content
+# If this is disallowed, no Internet content
+# will be stored.
+bool write_untrusted_content false;
+
+# Allow users to read system messages.
+bool user_dmesg false;
+
+# Support NFS home directories
+bool use_nfs_home_dirs false;
+
+# Allow making anonymous memory executable, e.g. 
+# for runtime-code generation or executable stack.
+bool allow_execmem false;
+
+# Allow making the stack executable via mprotect.
+# Also requires allow_execmem.
+bool allow_execstack false;
+
+# Allow making a modified private file mapping executable (text relocation).
+bool allow_execmod false;
+
+# Support SAMBA home directories
+bool use_samba_home_dirs false;
+
+# Allow users to run TCP servers (bind to ports and accept connection from
+# the same domain and outside users)  disabling this forces FTP passive mode
+# and may change other protocols 
+bool user_tcp_server false;
+
+# Allow system to run with NIS
+bool allow_ypbind false;
+
+# Allow system to run with kerberos
+bool allow_kerberos false;
+
+# Allow users to rw usb devices
+bool user_rw_usb false;
+
+# Allow users to control network interfaces (also needs USERCTL=true)
+bool user_net_control false;
+
+# Allow regular users direct mouse access 
+bool user_direct_mouse false;
+
+# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
+bool user_rw_noexattrfile false;
+
+# Allow reading of default_t files.
+bool read_default_t false;
+
+# Allow staff_r users to search the sysadm home dir and read
+# files (such as ~/.bashrc)
+bool staff_read_sysadm_file false;
+
+
+full_user_role(user)
+
+ifdef(`user_canbe_sysadm', `
+reach_sysadm(user)
+role_tty_type_change(user, sysadm)
+')
+
+#  Do not add any rules referring to user_t to this file!  That will break
+#  support for multiple user roles.
+
+# a role for staff that allows seeing all domains and control over the user_t
+# domain
+full_user_role(staff)
+
+priv_user(staff)
+# if adding new user roles make sure you edit the in_user_role macro in
+# macros/user_macros.te to match
+
+# lots of user programs accidentally search /root, and also the admin often
+# logs in as UID=0 domain=user_t...
+dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
+
+#
+# Allow the user roles to transition
+# into each other.
+role_tty_type_change(sysadm, user)
+role_tty_type_change(staff, sysadm)
+role_tty_type_change(sysadm, staff)
+role_tty_type_change(sysadm, secadm)
+role_tty_type_change(staff, secadm)
+
+# "ps aux" and "ls -l /dev/pts" make too much noise without this
+dontaudit unpriv_userdomain ptyfile:chr_file getattr;
+
+# to allow w to display everyone...
+bool user_ttyfile_stat false;
+
+if (user_ttyfile_stat) {
+allow userdomain ttyfile:chr_file getattr;
+}
+
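Review bot: the comment `# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)` spells the attribute differently from the boolean declared on the next line, `bool user_rw_noexattrfile false;`; pick one spelling so a grep finds both. `bool user_ttyfile_stat false;` is declared at the bottom of the file while every other boolean sits in the `# Booleans for user domains.` block at the top; move it there and indent the body of the `if (user_ttyfile_stat) { ... }` block. Minor: `accept connection from` should be `accept connections from`, and three comment lines carry trailing whitespace.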
diff --git a/mls/file_contexts/distros.fc b/mls/file_contexts/distros.fc
new file mode 100644
index 0000000..33c7f5e
--- /dev/null
+++ b/mls/file_contexts/distros.fc
@@ -0,0 +1,164 @@
+ifdef(`distro_redhat', `
+/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0
+/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0
+/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0
+/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0
+/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0
+/usr/share/rhn/rhn_applet/needed-packages\.py	--	system_u:object_r:bin_t:s0
+/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0
+/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0
+/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0
+/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0
+/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0
+/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0
+/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0
+/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0
+/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0
+/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0
+/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0
+/usr/share/switchdesk/switchdesk-gui\.py	--	system_u:object_r:bin_t:s0
+/usr/share/system-config-network/neat-control\.py	--	system_u:object_r:bin_t:s0
+/usr/share/system-config-nfs/nfs-export\.py	--	system_u:object_r:bin_t:s0
+/usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t:s0
+/usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t:s0
+/usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t:s0
+/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t:s0
+/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t:s0
+/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t:s0
+/etc/rhgb(/.*)?		-d		system_u:object_r:mnt_t:s0
+/usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t:s0
+#
+# /emul/ia32-linux/usr
+#
+/emul(/.*)?				system_u:object_r:usr_t:s0
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?		system_u:object_r:lib_t:s0
+/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t:s0
+/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t:s0
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t:s0
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
+/emul/ia32-linux/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t:s0
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t:s0
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t:s0
+/emul/ia32-linux/usr/libexec(/.*)?		system_u:object_r:bin_t:s0
+# /emul/ia32-linux/lib
+/emul/ia32-linux/lib(/.*)?					system_u:object_r:lib_t:s0
+/emul/ia32-linux/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t:s0
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t:s0
+# /emul/ia32-linux/bin
+/emul/ia32-linux/bin(/.*)?			system_u:object_r:bin_t:s0
+# /emul/ia32-linux/sbin
+/emul/ia32-linux/sbin(/.*)?			system_u:object_r:sbin_t:s0
+
+ifdef(`dbusd.te', `', `
+/var/run/dbus(/.*)?            system_u:object_r:system_dbusd_var_run_t:s0
+')
+
+# The following are libraries with text relocations in need of execmod permissions
+# Some of them should be fixed and removed from this list
+
+# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
+# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
+/usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libg\+\+\.so\.2\.7\.2\.8		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libglide3\.so.* 			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libdv\.so.* 				-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/helix/plugins/oggfformat\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/helix/plugins/theorarend\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/helix/plugins/vorbisrend\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/helix/codecs/colorcvt\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/helix/codecs/cvt1\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libSDL-.*\.so.*			-- system_u:object_r:texrel_shlib_t:s0
+/usr/X11R6/lib/modules/dri/.*\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/X11R6/lib/libOSMesa\.so.*			-- system_u:object_r:texrel_shlib_t:s0
+/usr/X11R6/lib/libfglrx_gamma\.so.* 		--  system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libHermes\.so.*			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/valgrind/hp2ps				-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/valgrind/stage2			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/valgrind/vg.*\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/libxpcom_core.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/program(/.*)?			system_u:object_r:bin_t:s0
+/usr/lib/.*/program/.*\.so.*			system_u:object_r:shlib_t:s0
+/usr/lib/.*/program/libicudata\.so.*		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/program/libswd680li\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib(64)?/.*/program/librecentfile\.so 	--  system_u:object_r:texrel_shlib_t:s0
+/usr/lib(64)?/.*/program/libsvx680li\.so	--  system_u:object_r:texrel_shlib_t:s0
+/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so  	--  system_u:object_r:texrel_shlib_t:s0
+/usr/lib(64)?/.*/program/libsoffice\.so  	--  system_u:object_r:texrel_shlib_t:s0
+
+# Fedora Extras packages: ladspa, imlib2, ocaml
+/usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/bandpass_a_iir_1893\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/bandpass_iir_1892\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/butterworth_1902\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/fm_osc_1415\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/gsm_1215\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/gverb_1216\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/hermes_filter_1200\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/highpass_iir_1890\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/lowpass_iir_1891\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/notch_iir_1894\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/pitch_scale_1193\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/pitch_scale_1194\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/sc1_1425\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/sc2_1426\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/sc3_1427\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/sc4_1882\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t:s0
+
+# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
+/usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libpostproc\.so.*			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libavformat-.*\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libavcodec-.*\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libxvidcore\.so.*			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/xine/plugins/.*\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libgsm\.so.*				-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libmp3lame\.so.*			-- system_u:object_r:texrel_shlib_t:s0
+
+# Flash plugin, Macromedia
+HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t:s0
+
+# Jai, Sun Microsystems (Jpackage SPRM)
+/usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libdivxdecore.so.0			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libdivxencore.so.0			-- system_u:object_r:texrel_shlib_t:s0
+
+# Java, Sun Microsystems (JPackage SRPM)
+/usr/.*/jre/lib/i386/libdeploy.so		-- system_u:object_r:texrel_shlib_t:s0
+
+/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t:s0
+/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t:s0
+/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api	-- system_u:object_r:texrel_shlib_t:s0
+/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl  --  system_u:object_r:texrel_shlib_t:s0
+')
+
+ifdef(`distro_suse', `
+/var/lib/samba/bin/.+					system_u:object_r:bin_t:s0
+/var/lib/samba/bin/.*\.so(\.[^/]*)*		-l	system_u:object_r:lib_t:s0
+/usr/lib/samba/classic/.*			--	system_u:object_r:bin_t:s0
+/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
+/success					--	system_u:object_r:etc_runtime_t:s0
+/etc/defkeymap\.map				--	system_u:object_r:etc_runtime_t:s0
+')
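Review bot: a few path regexes leave the dot unescaped where the rest of the file escapes it, for example `/usr/share/system-config-lvm/system-config-lvm.py`, `/usr/lib/.*/libxpcom_core.so` and `/usr/lib/libdivxdecore.so.0` (the libdivxencore and libdeploy entries have the same issue). An unescaped `.` still matches the literal dot, so labelling works, but it also matches any other character and should be `\.` for consistency with the neighbouring entries. `/usr/lib/.*/program(/.*)?` labelling everything as bin_t is very broad for what the surrounding entries show is an openoffice.org pattern; anchoring it to that package's directory would avoid catching unrelated `program` directories under /usr/lib.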
diff --git a/mls/file_contexts/homedir_template b/mls/file_contexts/homedir_template
new file mode 100644
index 0000000..6c7695a
--- /dev/null
+++ b/mls/file_contexts/homedir_template
@@ -0,0 +1,21 @@
+# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
+# HOME_DIR expands to each users home directory,
+#                  and to HOME_ROOT/[^/]+ for each HOME_ROOT.
+# ROLE expands to each users role when role != user_r, and to "user" otherwise.
+HOME_ROOT		-d	system_u:object_r:home_root_t:s0
+HOME_DIR		-d	system_u:object_r:ROLE_home_dir_t:s0-s15:c0.c255
+HOME_DIR/.+			<<none>>
+HOME_ROOT/\.journal		<<none>>
+HOME_ROOT/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
+HOME_ROOT/lost\+found/.*	<<none>>
+HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0
+HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t:s0
+HOME_DIR/\.ircmotd	--	system_u:object_r:ROLE_irc_home_t:s0
+/tmp/orbit-USER(-.*)?		-d      system_u:object_r:ROLE_orbit_tmp_t:s0
+/tmp/orbit-USER(-.*)?/linc.*	-s	<<none>>
+/tmp/orbit-USER(-.*)?/bonobo.*  --	system_u:object_r:ROLE_orbit_tmp_t:s0
+HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
+HOME_DIR/\.screenrc	--	system_u:object_r:ROLE_screen_ro_home_t:s0
+HOME_DIR/\.spamassassin(/.*)?	system_u:object_r:ROLE_spamassassin_home_t:s0
+HOME_DIR/\.ssh(/.*)?		system_u:object_r:ROLE_home_ssh_t:s0
+HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t:s0
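Review bot: the last entry, `HOME_DIR/.*/plugins/libflashplayer\.so.*`, duplicates the identical line already in distros.fc under `distro_redhat`; keep it in one place. The header comments should read `each user's home directory` and `each user's role` (possessive), and `HOME_DIR/.+  <<none>>` relies on the later, more specific HOME_DIR entries overriding it, which is worth a comment since it is the only reason `.ssh`, `.gnupg` and the other dotfiles listed below it get labelled at all.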
diff --git a/mls/file_contexts/program/NetworkManager.fc b/mls/file_contexts/program/NetworkManager.fc
new file mode 100644
index 0000000..cb57584
--- /dev/null
+++ b/mls/file_contexts/program/NetworkManager.fc
@@ -0,0 +1,2 @@
+# NetworkManager 
+/usr/bin/NetworkManager	--	system_u:object_r:NetworkManager_exec_t:s0
diff --git a/mls/file_contexts/program/acct.fc b/mls/file_contexts/program/acct.fc
new file mode 100644
index 0000000..78622bd
--- /dev/null
+++ b/mls/file_contexts/program/acct.fc
@@ -0,0 +1,5 @@
+# berkeley process accounting
+/sbin/accton	--	system_u:object_r:acct_exec_t:s0
+/usr/sbin/accton	--	system_u:object_r:acct_exec_t:s0
+/var/account(/.*)?		system_u:object_r:acct_data_t:s0
+/etc/cron\.(daily|monthly)/acct -- system_u:object_r:acct_exec_t:s0
diff --git a/mls/file_contexts/program/afs.fc b/mls/file_contexts/program/afs.fc
new file mode 100644
index 0000000..fb49f33
--- /dev/null
+++ b/mls/file_contexts/program/afs.fc
@@ -0,0 +1,20 @@
+# afs
+/usr/afs/bin/bosserver	--	system_u:object_r:afs_bosserver_exec_t
+/usr/afs/bin/kaserver	--	system_u:object_r:afs_kaserver_exec_t
+/usr/afs/bin/vlserver	--	system_u:object_r:afs_vlserver_exec_t
+/usr/afs/bin/ptserver	--	system_u:object_r:afs_ptserver_exec_t
+/usr/afs/bin/fileserver	--	system_u:object_r:afs_fsserver_exec_t
+/usr/afs/bin/volserver	--	system_u:object_r:afs_fsserver_exec_t
+/usr/afs/bin/salvager	--	system_u:object_r:afs_fsserver_exec_t
+
+/usr/afs/logs(/.*)?		system_u:object_r:afs_logfile_t
+/usr/afs/etc(/.*)?		system_u:object_r:afs_config_t		
+/usr/afs/local(/.*)?		system_u:object_r:afs_config_t
+/usr/afs/db		-d	system_u:object_r:afs_dbdir_t
+/usr/afs/db/pr.*	--	system_u:object_r:afs_pt_db_t
+/usr/afs/db/ka.*	--	system_u:object_r:afs_ka_db_t
+/usr/afs/db/vl.*	--	system_u:object_r:afs_vl_db_t
+
+/vicepa				system_u:object_r:afs_files_t
+/vicepb				system_u:object_r:afs_files_t
+/vicepc				system_u:object_r:afs_files_t
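Review bot: every context in this file lacks the MLS level component (`:s0`) that the other mls file_contexts in this patch carry (compare `system_u:object_r:acct_exec_t:s0` in acct.fc); append `:s0` to each entry, or confirm that the build adds it, since an MLS policy requires a level on every context. The `/usr/afs/etc(/.*)?` line also carries trailing tabs.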
diff --git a/mls/file_contexts/program/alsa.fc b/mls/file_contexts/program/alsa.fc
new file mode 100644
index 0000000..ce56849
--- /dev/null
+++ b/mls/file_contexts/program/alsa.fc
@@ -0,0 +1,3 @@
+#DESC       ainit - configuration tool for ALSA
+/usr/bin/ainit 			-- system_u:object_r:alsa_exec_t:s0
+/etc/alsa/pcm(/.*)? 		 system_u:object_r:alsa_etc_rw_t:s0
diff --git a/mls/file_contexts/program/amanda.fc b/mls/file_contexts/program/amanda.fc
new file mode 100644
index 0000000..917b41a
--- /dev/null
+++ b/mls/file_contexts/program/amanda.fc
@@ -0,0 +1,70 @@
+#
+# Author:  Carsten Grohmann <carstengrohmann@gmx.de>
+#
+
+# amanda
+/etc/amanda(/.*)?			system_u:object_r:amanda_config_t:s0
+/etc/amanda/.*/tapelist(/.*)?		system_u:object_r:amanda_data_t:s0
+/etc/amandates				system_u:object_r:amanda_amandates_t:s0
+/etc/dumpdates				system_u:object_r:amanda_dumpdates_t:s0
+/root/restore			-d	system_u:object_r:amanda_recover_dir_t:s0
+/tmp/amanda(/.*)?			system_u:object_r:amanda_tmp_t:s0
+/usr/lib(64)?/amanda			-d	system_u:object_r:amanda_usr_lib_t:s0
+/usr/lib(64)?/amanda/amandad		--	system_u:object_r:amanda_inetd_exec_t:s0
+/usr/lib(64)?/amanda/amcat\.awk	--	system_u:object_r:amanda_script_exec_t:s0
+/usr/lib(64)?/amanda/amcleanupdisk	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/amidxtaped	--	system_u:object_r:amanda_inetd_exec_t:s0
+/usr/lib(64)?/amanda/amindexd	--	system_u:object_r:amanda_inetd_exec_t:s0
+/usr/lib(64)?/amanda/amlogroll	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/amplot\.awk	--	system_u:object_r:amanda_script_exec_t:s0
+/usr/lib(64)?/amanda/amplot\.g	--	system_u:object_r:amanda_script_exec_t:s0
+/usr/lib(64)?/amanda/amplot\.gp	--	system_u:object_r:amanda_script_exec_t:s0
+/usr/lib(64)?/amanda/amtrmidx	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/amtrmlog	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/calcsize	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/chg-chio	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/chg-chs		--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/chg-manual	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/chg-mtx		--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/chg-multi	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/chg-rth		--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/chg-scsi	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/chg-zd-mtx	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/driver		--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/dumper		--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/killpgrp	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/patch-system	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/planner		--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/rundump		--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/runtar		--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/selfcheck	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/sendbackup	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/sendsize	--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/taper		--	system_u:object_r:amanda_exec_t:s0
+/usr/lib(64)?/amanda/versionsuffix	--	system_u:object_r:amanda_exec_t:s0
+/usr/sbin/amadmin		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amcheck		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amcheckdb		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amcleanup		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amdump		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amflush		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amgetconf		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amlabel		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amoverview		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amplot		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amrecover		--	system_u:object_r:amanda_recover_exec_t:s0
+/usr/sbin/amreport		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amrestore		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amrmtape		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amstatus		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amtape		--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amtoc			--	system_u:object_r:amanda_user_exec_t:s0
+/usr/sbin/amverify		--	system_u:object_r:amanda_user_exec_t:s0
+/var/lib/amanda			-d	system_u:object_r:amanda_var_lib_t:s0
+/var/lib/amanda/\.amandahosts	--	system_u:object_r:amanda_config_t:s0
+/var/lib/amanda/\.bashrc	--	system_u:object_r:amanda_shellconfig_t:s0
+/var/lib/amanda/\.profile	--	system_u:object_r:amanda_shellconfig_t:s0
+/var/lib/amanda/disklist	--	system_u:object_r:amanda_data_t:s0
+/var/lib/amanda/gnutar-lists(/.*)?	system_u:object_r:amanda_gnutarlists_t:s0
+/var/lib/amanda/index			system_u:object_r:amanda_data_t:s0
+/var/log/amanda(/.*)?			system_u:object_r:amanda_log_t:s0
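Review bot: `/var/lib/amanda/index` has no `(/.*)?` suffix, so only the index entry itself gets `amanda_data_t` and anything created below it falls back to the generic /var/lib label; compare `/var/lib/amanda/gnutar-lists(/.*)?` two lines above and use `/var/lib/amanda/index(/.*)?`.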
diff --git a/mls/file_contexts/program/amavis.fc b/mls/file_contexts/program/amavis.fc
new file mode 100644
index 0000000..366da33
--- /dev/null
+++ b/mls/file_contexts/program/amavis.fc
@@ -0,0 +1,8 @@
+# amavis
+/usr/sbin/amavisd.*		--	system_u:object_r:amavisd_exec_t
+/etc/amavisd\.conf		--	system_u:object_r:amavisd_etc_t
+/var/log/amavisd\.log 		--	system_u:object_r:amavisd_log_t
+/var/lib/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
+/var/run/amavis(/.*)?	 		system_u:object_r:amavisd_var_run_t
+/var/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
+/var/virusmails(/.*)?	 		system_u:object_r:amavisd_quarantine_t
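Review bot: none of the amavis contexts carry the MLS level (`:s0`) that the neighbouring mls files use, for example `system_u:object_r:amanda_log_t:s0` in amanda.fc; append `:s0` to each entry or confirm the build supplies it. There is also stray whitespace before the `--` flag on the `/var/log/amavisd\.log` line.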
diff --git a/mls/file_contexts/program/anaconda.fc b/mls/file_contexts/program/anaconda.fc
new file mode 100644
index 0000000..a0cbc0e
--- /dev/null
+++ b/mls/file_contexts/program/anaconda.fc
@@ -0,0 +1,5 @@
+#
+# Anaconda file context
+# currently anaconda does not have any file context since it is started during install
+# This is a placeholder to stop makefile from complaining
+#
diff --git a/mls/file_contexts/program/apache.fc b/mls/file_contexts/program/apache.fc
new file mode 100644
index 0000000..a3bf8f4
--- /dev/null
+++ b/mls/file_contexts/program/apache.fc
@@ -0,0 +1,61 @@
+# apache
+HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0
+/var/www(/.*)?			system_u:object_r:httpd_sys_content_t:s0
+/srv/([^/]*/)?www(/.*)?		system_u:object_r:httpd_sys_content_t:s0
+/var/www/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t:s0
+/usr/lib/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t:s0
+/var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t:s0
+/var/www/icons(/.*)?		system_u:object_r:httpd_sys_content_t:s0
+/var/cache/httpd(/.*)?		system_u:object_r:httpd_cache_t:s0
+/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t:s0
+/var/cache/php-mmcache(/.*)?	system_u:object_r:httpd_cache_t:s0
+/var/cache/mason(/.*)?	system_u:object_r:httpd_cache_t:s0
+/var/cache/rt3(/.*)?	system_u:object_r:httpd_cache_t:s0
+/etc/httpd		-d	system_u:object_r:httpd_config_t:s0
+/etc/httpd/conf.*		system_u:object_r:httpd_config_t:s0
+/etc/httpd/logs			system_u:object_r:httpd_log_t:s0
+/etc/httpd/modules		system_u:object_r:httpd_modules_t:s0
+/etc/apache(2)?(/.*)?		system_u:object_r:httpd_config_t:s0
+/etc/vhosts		--	system_u:object_r:httpd_config_t:s0
+/usr/lib(64)?/apache(/.*)?		system_u:object_r:httpd_modules_t:s0
+/usr/lib(64)?/apache2/modules(/.*)?	system_u:object_r:httpd_modules_t:s0
+/usr/lib(64)?/httpd(/.*)?		system_u:object_r:httpd_modules_t:s0
+/usr/sbin/httpd(\.worker)?	--	system_u:object_r:httpd_exec_t:s0
+/usr/sbin/apache(2)?	--	system_u:object_r:httpd_exec_t:s0
+/usr/sbin/suexec	--	system_u:object_r:httpd_suexec_exec_t:s0
+/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t:s0
+/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t:s0
+/var/log/httpd(/.*)?		system_u:object_r:httpd_log_t:s0
+/var/log/apache(2)?(/.*)?	system_u:object_r:httpd_log_t:s0
+/var/log/cgiwrap\.log.*	--	system_u:object_r:httpd_log_t:s0
+/var/cache/ssl.*\.sem	--	system_u:object_r:httpd_cache_t:s0
+/var/cache/mod_ssl(/.*)?	system_u:object_r:httpd_cache_t:s0
+/var/run/apache.*		system_u:object_r:httpd_var_run_t:s0
+/var/lib/httpd(/.*)?		system_u:object_r:httpd_var_lib_t:s0
+/var/lib/dav(/.*)?		system_u:object_r:httpd_var_lib_t:s0
+/var/lib/php/session(/.*)?	system_u:object_r:httpd_var_run_t:s0
+/etc/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_config_t:s0
+/usr/lib/apache-ssl/.+	 --	system_u:object_r:httpd_exec_t:s0
+/usr/sbin/apache-ssl(2)? --	system_u:object_r:httpd_exec_t:s0
+/var/log/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_log_t:s0
+/var/run/gcache_port	-s	system_u:object_r:httpd_var_run_t:s0
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)?		system_u:object_r:httpd_log_t:s0
+')
+ifdef(`distro_suse', `
+# suse puts shell scripts there :-(
+/usr/share/apache2/[^/]*	--	system_u:object_r:bin_t:s0
+/usr/sbin/httpd2-.*		--	system_u:object_r:httpd_exec_t:s0
+')
+/var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t:s0
+/var/spool/squirrelmail(/.*)?	system_u:object_r:squirrelmail_spool_t:s0
+/usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t:s0
+/usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t:s0
+/var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t:s0
+/etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t:s0
+/var/spool/gosa(/.*)?		system_u:object_r:httpd_sys_script_rw_t:s0
+ifdef(`targeted_policy', `', `
+/var/spool/cron/apache		-- 	system_u:object_r:user_cron_spool_t:s0
+')
+/usr/sbin/apachectl		-- 	system_u:object_r:initrc_exec_t:s0
+
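Review bot: the first entry, `HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0`, repeats the identical line from the home-directory context file earlier in this patch; keep it in one place so the two copies cannot drift apart. The file also ends with an empty line.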
diff --git a/mls/file_contexts/program/apmd.fc b/mls/file_contexts/program/apmd.fc
new file mode 100644
index 0000000..6554b52
--- /dev/null
+++ b/mls/file_contexts/program/apmd.fc
@@ -0,0 +1,14 @@
+# apmd
+/usr/sbin/apmd		--	system_u:object_r:apmd_exec_t:s0
+/usr/sbin/acpid		--	system_u:object_r:apmd_exec_t:s0
+/usr/sbin/powersaved	--	system_u:object_r:apmd_exec_t:s0
+/usr/bin/apm		--	system_u:object_r:apm_exec_t:s0
+/var/run/apmd\.pid	--	system_u:object_r:apmd_var_run_t:s0
+/var/run/\.?acpid\.socket	-s	system_u:object_r:apmd_var_run_t:s0
+/var/run/powersaved\.pid	--	system_u:object_r:apmd_var_run_t:s0
+/var/run/powersave_socket	-s	system_u:object_r:apmd_var_run_t:s0
+/var/log/acpid		--	system_u:object_r:apmd_log_t:s0
+ifdef(`distro_suse', `
+/var/lib/acpi(/.*)?		system_u:object_r:apmd_var_lib_t:s0
+')
+
diff --git a/mls/file_contexts/program/arpwatch.fc b/mls/file_contexts/program/arpwatch.fc
new file mode 100644
index 0000000..4869940
--- /dev/null
+++ b/mls/file_contexts/program/arpwatch.fc
@@ -0,0 +1,4 @@
+# arpwatch - keep track of ethernet/ip address pairings
+/usr/sbin/arpwatch	--	system_u:object_r:arpwatch_exec_t:s0
+/var/arpwatch(/.*)?		system_u:object_r:arpwatch_data_t:s0
+/var/lib/arpwatch(/.*)?		system_u:object_r:arpwatch_data_t:s0
diff --git a/mls/file_contexts/program/asterisk.fc b/mls/file_contexts/program/asterisk.fc
new file mode 100644
index 0000000..6f4eb4b
--- /dev/null
+++ b/mls/file_contexts/program/asterisk.fc
@@ -0,0 +1,7 @@
+# asterisk
+/usr/sbin/asterisk	--	system_u:object_r:asterisk_exec_t
+/var/run/asterisk(/.*)?		system_u:object_r:asterisk_var_run_t
+/etc/asterisk(/.*)?		system_u:object_r:asterisk_etc_t
+/var/log/asterisk(/.*)?		system_u:object_r:asterisk_log_t
+/var/lib/asterisk(/.*)?		system_u:object_r:asterisk_var_lib_t
+/var/spool/asterisk(/.*)?	system_u:object_r:asterisk_spool_t
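Review bot: the asterisk contexts omit the MLS level (`:s0`) that the other mls file_contexts in this patch carry (compare `system_u:object_r:automount_exec_t:s0` in automount.fc); append `:s0` to each entry or confirm the build adds it.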
diff --git a/mls/file_contexts/program/audio-entropyd.fc b/mls/file_contexts/program/audio-entropyd.fc
new file mode 100644
index 0000000..a8f616a
--- /dev/null
+++ b/mls/file_contexts/program/audio-entropyd.fc
@@ -0,0 +1 @@
+/usr/sbin/audio-entropyd	--	system_u:object_r:entropyd_exec_t
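Review bot: `system_u:object_r:entropyd_exec_t` has no MLS level (`:s0`) while the surrounding mls files label executables as, for example, `system_u:object_r:auditd_exec_t:s0`; append `:s0`. A one-line header comment naming the program, as the other files have, would also help.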
diff --git a/mls/file_contexts/program/auditd.fc b/mls/file_contexts/program/auditd.fc
new file mode 100644
index 0000000..d01ff76
--- /dev/null
+++ b/mls/file_contexts/program/auditd.fc
@@ -0,0 +1,8 @@
+# auditd
+/sbin/auditctl		--	system_u:object_r:auditctl_exec_t:s0
+/sbin/auditd		--	system_u:object_r:auditd_exec_t:s0
+/var/log/audit.log 	-- 	system_u:object_r:auditd_log_t:s15:c0.c255
+/var/log/audit(/.*)?  	 	system_u:object_r:auditd_log_t:s15:c0.c255
+/etc/auditd.conf	--	system_u:object_r:auditd_etc_t:s0
+/etc/audit.rules	--	system_u:object_r:auditd_etc_t:s0
+
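Review bot: `/var/log/audit.log`, `/etc/auditd.conf` and `/etc/audit.rules` leave the `.` unescaped, so it matches any character, whereas every other file in this patch writes `\.`; change them to `/var/log/audit\.log`, `/etc/auditd\.conf` and `/etc/audit\.rules`. The file also ends with a blank line.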
diff --git a/mls/file_contexts/program/authbind.fc b/mls/file_contexts/program/authbind.fc
new file mode 100644
index 0000000..9fed63e
--- /dev/null
+++ b/mls/file_contexts/program/authbind.fc
@@ -0,0 +1,3 @@
+# authbind
+/etc/authbind(/.*)?		system_u:object_r:authbind_etc_t
+/usr/lib(64)?/authbind/helper --	system_u:object_r:authbind_exec_t
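Review bot: both authbind contexts lack the MLS level (`:s0`) used by the neighbouring mls files (compare `system_u:object_r:apmd_exec_t:s0` in apmd.fc); append `:s0` to each entry or confirm the build adds it.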
diff --git a/mls/file_contexts/program/automount.fc b/mls/file_contexts/program/automount.fc
new file mode 100644
index 0000000..8952107
--- /dev/null
+++ b/mls/file_contexts/program/automount.fc
@@ -0,0 +1,5 @@
+# automount
+/usr/sbin/automount	--	system_u:object_r:automount_exec_t:s0
+/etc/apm/event\.d/autofs --	system_u:object_r:automount_exec_t:s0
+/var/run/autofs(/.*)?		system_u:object_r:automount_var_run_t:s0
+/etc/auto\..+		--	system_u:object_r:automount_etc_t:s0
diff --git a/mls/file_contexts/program/avahi.fc b/mls/file_contexts/program/avahi.fc
new file mode 100644
index 0000000..fa6e00e
--- /dev/null
+++ b/mls/file_contexts/program/avahi.fc
@@ -0,0 +1,4 @@
+#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
+/usr/sbin/avahi-daemon		--	system_u:object_r:avahi_exec_t:s0
+/usr/sbin/avahi-dnsconfd 	--	system_u:object_r:avahi_exec_t:s0
+/var/run/avahi-daemon(/.*)? 		system_u:object_r:avahi_var_run_t:s0
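Review bot: the header comment contains a non-ASCII right single quotation mark in `Apple’s`; use a plain ASCII apostrophe so the file stays safe for tools that assume ASCII. The `/usr/sbin/avahi-dnsconfd` entry also has a stray space before its `--` flag.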
diff --git a/mls/file_contexts/program/backup.fc b/mls/file_contexts/program/backup.fc
new file mode 100644
index 0000000..ed82809
--- /dev/null
+++ b/mls/file_contexts/program/backup.fc
@@ -0,0 +1,6 @@
+# backup
+# label programs that do backups to other files on disk (IE a cron job that
+# calls tar) in backup_exec_t and label the directory for storing them as
+# backup_store_t, Debian uses /var/backups
+#/usr/local/bin/backup-script -- system_u:object_r:backup_exec_t
+/var/backups(/.*)?		system_u:object_r:backup_store_t
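Review bot: `system_u:object_r:backup_store_t` (and the commented-out `backup_exec_t` example above it) has no MLS level (`:s0`), unlike the other mls file_contexts in this patch; append `:s0` so the example and the live entry both show the form an MLS policy requires.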
diff --git a/mls/file_contexts/program/bluetooth.fc b/mls/file_contexts/program/bluetooth.fc
new file mode 100644
index 0000000..6c5aac3
--- /dev/null
+++ b/mls/file_contexts/program/bluetooth.fc
@@ -0,0 +1,11 @@
+# bluetooth
+/etc/bluetooth(/.*)?		system_u:object_r:bluetooth_conf_t:s0
+/etc/bluetooth/link_key		system_u:object_r:bluetooth_conf_rw_t:s0
+/usr/bin/rfcomm		--	system_u:object_r:bluetooth_exec_t:s0
+/usr/sbin/hcid		--	system_u:object_r:bluetooth_exec_t:s0
+/usr/sbin/sdpd		--	system_u:object_r:bluetooth_exec_t:s0
+/usr/sbin/hciattach	--	system_u:object_r:bluetooth_exec_t:s0
+/var/run/sdp		-s	system_u:object_r:bluetooth_var_run_t:s0
+/usr/sbin/hid2hci	--	system_u:object_r:bluetooth_exec_t:s0
+/usr/bin/blue.*pin	--	system_u:object_r:bluetooth_helper_exec_t:s0
+/var/lib/bluetooth(/.*)?	system_u:object_r:bluetooth_var_lib_t:s0
diff --git a/mls/file_contexts/program/bonobo.fc b/mls/file_contexts/program/bonobo.fc
new file mode 100644
index 0000000..23d2214
--- /dev/null
+++ b/mls/file_contexts/program/bonobo.fc
@@ -0,0 +1 @@
+/usr/libexec/bonobo-activation-server	--	system_u:object_r:bonobo_exec_t:s0
diff --git a/mls/file_contexts/program/bootloader.fc b/mls/file_contexts/program/bootloader.fc
new file mode 100644
index 0000000..bce2ff8
--- /dev/null
+++ b/mls/file_contexts/program/bootloader.fc
@@ -0,0 +1,11 @@
+# bootloader
+/etc/lilo\.conf.*	--	system_u:object_r:bootloader_etc_t:s0
+/initrd\.img.*		-l	system_u:object_r:boot_t:s0
+/sbin/lilo.*		--	system_u:object_r:bootloader_exec_t:s0
+/sbin/grub.*		--	system_u:object_r:bootloader_exec_t:s0
+/vmlinuz.*		-l	system_u:object_r:boot_t:s0
+/usr/sbin/mkinitrd	--	system_u:object_r:bootloader_exec_t:s0
+/sbin/mkinitrd		--	system_u:object_r:bootloader_exec_t:s0
+/etc/mkinitrd/scripts/.* --	system_u:object_r:bootloader_exec_t:s0
+/sbin/ybin.*		--	system_u:object_r:bootloader_exec_t:s0
+/etc/yaboot\.conf.*	--	system_u:object_r:bootloader_etc_t:s0
diff --git a/mls/file_contexts/program/calamaris.fc b/mls/file_contexts/program/calamaris.fc
new file mode 100644
index 0000000..36d8c87
--- /dev/null
+++ b/mls/file_contexts/program/calamaris.fc
@@ -0,0 +1,4 @@
+# squid
+/etc/cron\.daily/calamaris --	system_u:object_r:calamaris_exec_t
+/var/www/calamaris(/.*)?	system_u:object_r:calamaris_www_t
+/var/log/calamaris(/.*)?	system_u:object_r:calamaris_log_t
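Review bot: the header comment reads `# squid` but this is calamaris.fc and every entry labels calamaris paths; change it to `# calamaris`. The three contexts also lack the `:s0` level component that the other mls files carry (compare `system_u:object_r:canna_exec_t:s0` in canna.fc).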
diff --git a/mls/file_contexts/program/canna.fc b/mls/file_contexts/program/canna.fc
new file mode 100644
index 0000000..aada263
--- /dev/null
+++ b/mls/file_contexts/program/canna.fc
@@ -0,0 +1,12 @@
+# canna.fc
+/usr/sbin/cannaserver	--	system_u:object_r:canna_exec_t:s0
+/usr/sbin/jserver	--	system_u:object_r:canna_exec_t:s0
+/usr/bin/cannaping	--	system_u:object_r:canna_exec_t:s0
+/usr/bin/catdic		--	system_u:object_r:canna_exec_t:s0
+/var/log/canna(/.*)?		system_u:object_r:canna_log_t:s0
+/var/log/wnn(/.*)?		system_u:object_r:canna_log_t:s0
+/var/lib/canna/dic(/.*)?	system_u:object_r:canna_var_lib_t:s0
+/var/lib/wnn/dic(/.*)?	system_u:object_r:canna_var_lib_t:s0
+/var/run/\.iroha_unix	-d	system_u:object_r:canna_var_run_t:s0
+/var/run/\.iroha_unix/.* -s	system_u:object_r:canna_var_run_t:s0
+/var/run/wnn-unix(/.*)		system_u:object_r:canna_var_run_t:s0
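Review bot: `/var/run/wnn-unix(/.*)` on the last line is missing the trailing `?`, so the directory itself never matches and only its contents get `canna_var_run_t`; every other tree pattern in this file uses `(/.*)?`.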
diff --git a/mls/file_contexts/program/cardmgr.fc b/mls/file_contexts/program/cardmgr.fc
new file mode 100644
index 0000000..1dc5187
--- /dev/null
+++ b/mls/file_contexts/program/cardmgr.fc
@@ -0,0 +1,7 @@
+# cardmgr
+/sbin/cardmgr		--	system_u:object_r:cardmgr_exec_t:s0
+/sbin/cardctl		--	system_u:object_r:cardctl_exec_t:s0
+/var/run/stab		--	system_u:object_r:cardmgr_var_run_t:s0
+/var/run/cardmgr\.pid	--	system_u:object_r:cardmgr_var_run_t:s0
+/etc/apm/event\.d/pcmcia --	system_u:object_r:cardmgr_exec_t:s0
+/var/lib/pcmcia(/.*)?		system_u:object_r:cardmgr_var_run_t:s0
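Review bot: `/var/lib/pcmcia(/.*)?` is labelled `cardmgr_var_run_t`, the runtime-state type shared with `/var/run/stab` and `/var/run/cardmgr\.pid`, although it lives under /var/lib like persistent data; if that is intentional a comment explaining it would help, otherwise give it a var_lib type if the policy defines one.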
diff --git a/mls/file_contexts/program/cdrecord.fc b/mls/file_contexts/program/cdrecord.fc
new file mode 100644
index 0000000..c29a00c
--- /dev/null
+++ b/mls/file_contexts/program/cdrecord.fc
@@ -0,0 +1,3 @@
+# cdrecord
+/usr/bin/cdrecord	--	system_u:object_r:cdrecord_exec_t:s0
+
diff --git a/mls/file_contexts/program/certwatch.fc b/mls/file_contexts/program/certwatch.fc
new file mode 100644
index 0000000..8c955ee
--- /dev/null
+++ b/mls/file_contexts/program/certwatch.fc
@@ -0,0 +1,3 @@
+# certwatch.fc
+/usr/bin/certwatch	-- system_u:object_r:certwatch_exec_t:s0
+
diff --git a/mls/file_contexts/program/checkpolicy.fc b/mls/file_contexts/program/checkpolicy.fc
new file mode 100644
index 0000000..dddeecf
--- /dev/null
+++ b/mls/file_contexts/program/checkpolicy.fc
@@ -0,0 +1,2 @@
+# checkpolicy
+/usr/bin/checkpolicy		--	system_u:object_r:checkpolicy_exec_t:s0
diff --git a/mls/file_contexts/program/chkpwd.fc b/mls/file_contexts/program/chkpwd.fc
new file mode 100644
index 0000000..5f253f7
--- /dev/null
+++ b/mls/file_contexts/program/chkpwd.fc
@@ -0,0 +1,6 @@
+# chkpwd
+/sbin/unix_chkpwd	--	system_u:object_r:chkpwd_exec_t:s0
+/sbin/unix_verify	--	system_u:object_r:chkpwd_exec_t:s0
+ifdef(`distro_suse', `
+/sbin/unix2_chkpwd	--	system_u:object_r:chkpwd_exec_t:s0
+')
diff --git a/mls/file_contexts/program/chroot.fc b/mls/file_contexts/program/chroot.fc
new file mode 100644
index 0000000..a23cd81
--- /dev/null
+++ b/mls/file_contexts/program/chroot.fc
@@ -0,0 +1 @@
+/usr/sbin/chroot	--	system_u:object_r:chroot_exec_t:s0
diff --git a/mls/file_contexts/program/ciped.fc b/mls/file_contexts/program/ciped.fc
new file mode 100644
index 0000000..e3a12a1
--- /dev/null
+++ b/mls/file_contexts/program/ciped.fc
@@ -0,0 +1,3 @@
+/usr/sbin/ciped.*	--	system_u:object_r:ciped_exec_t
+/etc/cipe/ip-up.*	--	system_u:object_r:bin_t
+/etc/cipe/ip-down.*	--	system_u:object_r:bin_t
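Review bot: all three contexts omit the MLS level (`:s0`) that the other mls file_contexts in this patch carry (compare `system_u:object_r:chroot_exec_t:s0` in chroot.fc); append `:s0` to each. A header comment naming the program, as the other files have, is also missing.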
diff --git a/mls/file_contexts/program/clamav.fc b/mls/file_contexts/program/clamav.fc
new file mode 100644
index 0000000..90c898c
--- /dev/null
+++ b/mls/file_contexts/program/clamav.fc
@@ -0,0 +1,15 @@
+# clamscan
+/usr/bin/clamscan	--	system_u:object_r:clamscan_exec_t
+/usr/bin/freshclam	--	system_u:object_r:freshclam_exec_t
+/usr/sbin/clamav-freshclam-handledaemon	-- system_u:object_r:freshclam_exec_t
+/usr/sbin/clamd		--	system_u:object_r:clamd_exec_t
+/var/lib/clamav(/.*)?		system_u:object_r:clamav_var_lib_t
+/var/log/clam-update\.log --	system_u:object_r:freshclam_log_t
+/var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t
+/var/log/clamav(/.*)?			system_u:object_r:freshclam_log_t
+/var/log/clamav/clamd\.log.*     --	system_u:object_r:clamd_log_t
+/var/log/clamav/freshclam\.log.* --	system_u:object_r:freshclam_log_t
+/var/run/clamd\.ctl	-s	system_u:object_r:clamd_sock_t
+/var/run/clamd\.pid	--	system_u:object_r:clamd_var_run_t
+/var/run/clamav(/.*)?		system_u:object_r:clamd_var_run_t
+/var/run/clamav/clamd\.sock -s	system_u:object_r:clamd_sock_t
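Review bot: none of the clamav contexts carry the MLS level (`:s0`) used by the neighbouring mls files (compare `system_u:object_r:cpucontrol_exec_t:s0` in cpucontrol.fc); append `:s0` to each entry or confirm the build adds it. The column alignment is also inconsistent (spaces instead of tabs on the `clamd\.log.*` line).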
diff --git a/mls/file_contexts/program/clockspeed.fc b/mls/file_contexts/program/clockspeed.fc
new file mode 100644
index 0000000..e00cd56
--- /dev/null
+++ b/mls/file_contexts/program/clockspeed.fc
@@ -0,0 +1,11 @@
+# clockspeed
+/usr/bin/clockspeed	--	system_u:object_r:clockspeed_exec_t
+/usr/bin/clockadd	--	system_u:object_r:clockspeed_exec_t
+/usr/bin/clockview	--	system_u:object_r:clockspeed_exec_t
+/usr/bin/sntpclock	--	system_u:object_r:clockspeed_exec_t
+/usr/bin/taiclock	--	system_u:object_r:clockspeed_exec_t
+/usr/bin/taiclockd	--	system_u:object_r:clockspeed_exec_t
+/usr/sbin/ntpclockset	--	system_u:object_r:clockspeed_exec_t
+
+/var/lib/clockspeed(/.*)?	system_u:object_r:clockspeed_var_lib_t
+
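Review bot: the clockspeed contexts lack the MLS level (`:s0`) that the other mls file_contexts in this patch carry (compare `system_u:object_r:consoletype_exec_t:s0` in consoletype.fc); append `:s0` to each entry. The file also ends with a blank line.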
diff --git a/mls/file_contexts/program/compat.fc b/mls/file_contexts/program/compat.fc
new file mode 100644
index 0000000..d64b892
--- /dev/null
+++ b/mls/file_contexts/program/compat.fc
@@ -0,0 +1,66 @@
+ifdef(`setfiles.te', `', `
+# setfiles
+/usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t
+')
+
+ifdef(`mount.te', `', `
+# mount
+/bin/mount.*			--	system_u:object_r:mount_exec_t
+/bin/umount.*			--	system_u:object_r:mount_exec_t
+')
+ifdef(`loadkeys.te', `', `
+# loadkeys
+/bin/unikeys		--	system_u:object_r:loadkeys_exec_t
+/bin/loadkeys		--	system_u:object_r:loadkeys_exec_t
+')
+ifdef(`dmesg.te', `', `
+# dmesg
+/bin/dmesg	--	system_u:object_r:dmesg_exec_t
+')
+ifdef(`fsadm.te', `', `
+# fs admin utilities
+/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
+/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
+/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t
+/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t
+/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t
+/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t
+/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t
+/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t
+/sbin/e2label		--	system_u:object_r:fsadm_exec_t
+/sbin/findfs		--	system_u:object_r:fsadm_exec_t
+/sbin/mkfs		--	system_u:object_r:fsadm_exec_t
+/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/mkswap		--	system_u:object_r:fsadm_exec_t
+/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t
+/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/fdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/parted		--	system_u:object_r:fsadm_exec_t
+/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t
+/sbin/hdparm		--	system_u:object_r:fsadm_exec_t
+/sbin/raidstart		--	system_u:object_r:fsadm_exec_t
+/sbin/mkraid		--	system_u:object_r:fsadm_exec_t
+/sbin/dmraid		--	system_u:object_r:fsadm_exec_t
+/sbin/blockdev		--	system_u:object_r:fsadm_exec_t
+/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t
+/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t
+/sbin/lsraid		--	system_u:object_r:fsadm_exec_t
+/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t
+/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t
+/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t
+/usr/bin/raw		--	system_u:object_r:fsadm_exec_t
+/sbin/partx		--	system_u:object_r:fsadm_exec_t
+/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
+/sbin/partprobe		--	system_u:object_r:fsadm_exec_t
+')
+ifdef(`lvm.te', `', `
+/sbin/lvm.static	--	system_u:object_r:lvm_exec_t
+')
+ifdef(`kudzu.te', `', `
+# kudzu
+/usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
+/sbin/kmodule	--	system_u:object_r:kudzu_exec_t
+')
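Review bot: every context inside the `ifdef` blocks of this compatibility file omits the MLS level (`:s0`), for example `system_u:object_r:fsadm_exec_t` and `system_u:object_r:mount_exec_t`, while the dedicated mls files label the same kinds of executables with `:s0`; append `:s0` throughout, or confirm the build adds it, so the fallback entries produce valid MLS contexts.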
diff --git a/mls/file_contexts/program/comsat.fc b/mls/file_contexts/program/comsat.fc
new file mode 100644
index 0000000..3704901
--- /dev/null
+++ b/mls/file_contexts/program/comsat.fc
@@ -0,0 +1,2 @@
+# biff server
+/usr/sbin/in\.comsat	--	system_u:object_r:comsat_exec_t:s0
diff --git a/mls/file_contexts/program/consoletype.fc b/mls/file_contexts/program/consoletype.fc
new file mode 100644
index 0000000..1258f57
--- /dev/null
+++ b/mls/file_contexts/program/consoletype.fc
@@ -0,0 +1,2 @@
+# consoletype
+/sbin/consoletype	--	system_u:object_r:consoletype_exec_t:s0
diff --git a/mls/file_contexts/program/courier.fc b/mls/file_contexts/program/courier.fc
new file mode 100644
index 0000000..16f6adb
--- /dev/null
+++ b/mls/file_contexts/program/courier.fc
@@ -0,0 +1,18 @@
+# courier pop, imap, and webmail
+/usr/lib(64)?/courier(/.*)?			system_u:object_r:bin_t
+/usr/lib(64)?/courier/rootcerts(/.*)?	system_u:object_r:courier_etc_t
+/usr/lib(64)?/courier/authlib/.*	--	system_u:object_r:courier_authdaemon_exec_t
+/usr/lib(64)?/courier/courier/.*	--	system_u:object_r:courier_exec_t
+/usr/lib(64)?/courier/courier/courierpop.* -- system_u:object_r:courier_pop_exec_t
+/usr/lib(64)?/courier/courier/imaplogin --	system_u:object_r:courier_pop_exec_t
+/usr/lib(64)?/courier/courier/pcpd	--	system_u:object_r:courier_pcp_exec_t
+/usr/lib(64)?/courier/imapd		--	system_u:object_r:courier_pop_exec_t
+/usr/lib(64)?/courier/pop3d		--	system_u:object_r:courier_pop_exec_t
+/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- system_u:object_r:sqwebmail_cron_exec_t
+/var/lib/courier(/.*)?			system_u:object_r:courier_var_lib_t
+/usr/bin/imapd			--	system_u:object_r:courier_pop_exec_t
+/usr/sbin/courierlogger		--	system_u:object_r:courier_exec_t
+/usr/sbin/courierldapaliasd	--	system_u:object_r:courier_exec_t
+/usr/sbin/couriertcpd		--	system_u:object_r:courier_tcpd_exec_t
+/var/run/courier(/.*)?			system_u:object_r:courier_var_run_t
+/etc/courier(/.*)?			system_u:object_r:courier_etc_t
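Review bot: the courier contexts omit the MLS level (`:s0`) that the other mls file_contexts in this patch carry (compare `system_u:object_r:cvs_exec_t:s0` in cvs.fc); append `:s0` to each entry or confirm the build adds it.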
diff --git a/mls/file_contexts/program/cpucontrol.fc b/mls/file_contexts/program/cpucontrol.fc
new file mode 100644
index 0000000..e7e488a
--- /dev/null
+++ b/mls/file_contexts/program/cpucontrol.fc
@@ -0,0 +1,3 @@
+# cpucontrol
+/sbin/microcode_ctl	--	system_u:object_r:cpucontrol_exec_t:s0
+/etc/firmware/.*	--	system_u:object_r:cpucontrol_conf_t:s0
diff --git a/mls/file_contexts/program/cpuspeed.fc b/mls/file_contexts/program/cpuspeed.fc
new file mode 100644
index 0000000..5e91f55
--- /dev/null
+++ b/mls/file_contexts/program/cpuspeed.fc
@@ -0,0 +1,3 @@
+# cpuspeed
+/usr/sbin/cpuspeed	--	system_u:object_r:cpuspeed_exec_t:s0
+/usr/sbin/powernowd	--	system_u:object_r:cpuspeed_exec_t:s0
diff --git a/mls/file_contexts/program/crack.fc b/mls/file_contexts/program/crack.fc
new file mode 100644
index 0000000..18b5371
--- /dev/null
+++ b/mls/file_contexts/program/crack.fc
@@ -0,0 +1,6 @@
+# crack - for password checking
+/usr/sbin/cracklib-[a-z]*	--	system_u:object_r:crack_exec_t:s0
+/usr/sbin/crack_[a-z]*	--	system_u:object_r:crack_exec_t:s0
+/var/cache/cracklib(/.*)?	system_u:object_r:crack_db_t:s0
+/usr/lib(64)?/cracklib_dict.* --	system_u:object_r:crack_db_t:s0
+/usr/share/cracklib(/.*)?	system_u:object_r:crack_db_t:s0
diff --git a/mls/file_contexts/program/crond.fc b/mls/file_contexts/program/crond.fc
new file mode 100644
index 0000000..3ee6ee5
--- /dev/null
+++ b/mls/file_contexts/program/crond.fc
@@ -0,0 +1,34 @@
+# crond
+/etc/crontab		--	system_u:object_r:system_cron_spool_t:s0
+/etc/cron\.d(/.*)?		system_u:object_r:system_cron_spool_t:s0
+/usr/sbin/cron(d)?	--	system_u:object_r:crond_exec_t:s0
+/usr/sbin/anacron	--	system_u:object_r:anacron_exec_t:s0
+/var/spool/cron		-d	system_u:object_r:cron_spool_t:s0
+/var/spool/cron/crontabs -d	system_u:object_r:cron_spool_t:s0
+/var/spool/cron/crontabs/.* -- <<none>>
+/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t:s0
+/var/spool/cron/root	--	system_u:object_r:sysadm_cron_spool_t:s0
+/var/spool/cron/[^/]*	--	<<none>>
+/var/run/crond\.reboot	--	system_u:object_r:crond_var_run_t:s0
+/var/run/crond?\.pid	--	system_u:object_r:crond_var_run_t:s0
+# fcron
+/usr/sbin/fcron		--	system_u:object_r:crond_exec_t:s0
+/var/spool/fcron	-d	system_u:object_r:cron_spool_t:s0
+/var/spool/fcron/.*		<<none>>
+/var/spool/fcron/systab\.orig --	system_u:object_r:system_cron_spool_t:s0
+/var/spool/fcron/systab	 --	system_u:object_r:system_cron_spool_t:s0
+/var/spool/fcron/new\.systab --	system_u:object_r:system_cron_spool_t:s0
+/var/run/fcron\.fifo	-s	system_u:object_r:crond_var_run_t:s0
+/var/run/fcron\.pid	--	system_u:object_r:crond_var_run_t:s0
+# atd
+/usr/sbin/atd		--	system_u:object_r:crond_exec_t:s0
+/var/spool/at		-d	system_u:object_r:cron_spool_t:s0
+/var/spool/at/spool	-d	system_u:object_r:cron_spool_t:s0
+/var/spool/at/[^/]*	--	<<none>>
+/var/run/atd\.pid	--	system_u:object_r:crond_var_run_t:s0
+ifdef(`distro_suse', `
+/usr/lib/cron/run-crons	--	system_u:object_r:bin_t:s0
+/var/spool/cron/lastrun	-d	system_u:object_r:crond_tmp_t:s0
+/var/spool/cron/lastrun/[^/]*	--	<<none>>
+/var/spool/cron/tabs	-d	system_u:object_r:cron_spool_t:s0
+')
diff --git a/mls/file_contexts/program/crontab.fc b/mls/file_contexts/program/crontab.fc
new file mode 100644
index 0000000..e0ee359
--- /dev/null
+++ b/mls/file_contexts/program/crontab.fc
@@ -0,0 +1,3 @@
+# crontab
+/usr/bin/(f)?crontab	--	system_u:object_r:crontab_exec_t:s0
+/usr/bin/at		--	system_u:object_r:crontab_exec_t:s0
diff --git a/mls/file_contexts/program/cups.fc b/mls/file_contexts/program/cups.fc
new file mode 100644
index 0000000..fea8ef0
--- /dev/null
+++ b/mls/file_contexts/program/cups.fc
@@ -0,0 +1,46 @@
+# cups printing
+/etc/cups(/.*)?			system_u:object_r:cupsd_etc_t:s0
+/usr/share/cups(/.*)?		system_u:object_r:cupsd_etc_t:s0
+/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t:s0
+/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t:s0
+/etc/cups/client\.conf	--	system_u:object_r:etc_t:s0
+/etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t:s0
+/etc/cups/classes\.conf.* --	system_u:object_r:cupsd_rw_etc_t:s0
+/etc/cups/lpoptions	--	system_u:object_r:cupsd_rw_etc_t:s0
+/etc/cups/printers\.conf.* --	system_u:object_r:cupsd_rw_etc_t:s0
+/etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t:s0
+/etc/cups/certs		-d	system_u:object_r:cupsd_rw_etc_t:s0
+/etc/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t:s0
+/var/lib/cups/certs	-d	system_u:object_r:cupsd_rw_etc_t:s0
+/var/lib/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t:s0
+/etc/cups/ppds\.dat	--	system_u:object_r:cupsd_rw_etc_t:s0
+/etc/cups/lpoptions.* 	--	system_u:object_r:cupsd_rw_etc_t:s0
+/etc/printcap.* 	--	system_u:object_r:cupsd_rw_etc_t:s0
+/usr/lib(64)?/cups/backend/.* --	system_u:object_r:cupsd_exec_t:s0
+/usr/lib(64)?/cups/daemon/.*	 --	system_u:object_r:cupsd_exec_t:s0
+/usr/lib(64)?/cups/daemon/cups-lpd --	system_u:object_r:cupsd_lpd_exec_t:s0
+/usr/sbin/cupsd		--	system_u:object_r:cupsd_exec_t:s0
+ifdef(`hald.te', `
+# cupsd_config depends on hald
+/usr/bin/cups-config-daemon --	system_u:object_r:cupsd_config_exec_t:s0
+/usr/sbin/hal_lpadmin --	system_u:object_r:cupsd_config_exec_t:s0
+/usr/sbin/printconf-backend --	system_u:object_r:cupsd_config_exec_t:s0
+')
+/var/log/cups(/.*)?		system_u:object_r:cupsd_log_t:s0
+/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t:s0
+/var/spool/cups(/.*)?		system_u:object_r:print_spool_t:s0
+/var/run/cups/printcap	--	system_u:object_r:cupsd_var_run_t:s0
+/usr/lib(64)?/cups/filter/.*	--	system_u:object_r:bin_t:s0
+/usr/lib(64)?/cups/cgi-bin/.* --	system_u:object_r:bin_t:s0
+/usr/sbin/ptal-printd	--	system_u:object_r:ptal_exec_t:s0
+/usr/sbin/ptal-mlcd	--	system_u:object_r:ptal_exec_t:s0
+/usr/sbin/ptal-photod	--	system_u:object_r:ptal_exec_t:s0
+/var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t:s0
+/var/run/ptal-mlcd(/.*)?	system_u:object_r:ptal_var_run_t:s0
+/etc/hp(/.*)?			system_u:object_r:hplip_etc_t:s0
+/usr/sbin/hpiod		--	system_u:object_r:hplip_exec_t:s0
+/usr/share/hplip/hpssd.py	--	system_u:object_r:hplip_exec_t:s0
+/usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t:s0
+/var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t:s0
+/var/run/hp.*\.pid		--	system_u:object_r:hplip_var_run_t:s0
+/var/run/hp.*\.port		--	system_u:object_r:hplip_var_run_t:s0
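Review bot: the `/var/cache/foomatic(/.*)?` entry near the end of the hunk carries the `--` (regular-file) qualifier, so the `/var/cache/foomatic` directory itself and any subdirectory never match and keep the parent's default label; drop the `--` (as `/var/log/cups(/.*)?` and `/var/spool/cups(/.*)?` do) if the whole tree is meant to be cupsd_rw_etc_t. Smaller points: `/etc/cups/lpoptions --` is subsumed by the later `/etc/cups/lpoptions.* --` with the same type, so one of the two can go, and the four `certs` lines (`-d` plus `/.*`) read more simply as `/etc/cups/certs(/.*)?` and `/var/lib/cups/certs(/.*)?` like the rest of the file.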
diff --git a/mls/file_contexts/program/cvs.fc b/mls/file_contexts/program/cvs.fc
new file mode 100644
index 0000000..8aa1edc
--- /dev/null
+++ b/mls/file_contexts/program/cvs.fc
@@ -0,0 +1,2 @@
+# cvs program
+/usr/bin/cvs	--	system_u:object_r:cvs_exec_t:s0
diff --git a/mls/file_contexts/program/cyrus.fc b/mls/file_contexts/program/cyrus.fc
new file mode 100644
index 0000000..f415273
--- /dev/null
+++ b/mls/file_contexts/program/cyrus.fc
@@ -0,0 +1,5 @@
+# cyrus
+/var/lib/imap(/.*)?				system_u:object_r:cyrus_var_lib_t:s0
+/usr/lib(64)?/cyrus-imapd/.*		 	--	system_u:object_r:bin_t:s0
+/usr/lib(64)?/cyrus-imapd/cyrus-master 		--	system_u:object_r:cyrus_exec_t:s0	
+/var/spool/imap(/.*)?		system_u:object_r:mail_spool_t:s0
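Review bot: the `cyrus-master` line ends with a trailing tab after `:s0`; harmless to the parser but it shows up as whitespace noise in every later diff, so strip it. The `/var/spool/imap(/.*)?` line is also indented with fewer tabs than the two lines above it; align the columns.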
diff --git a/mls/file_contexts/program/daemontools.fc b/mls/file_contexts/program/daemontools.fc
new file mode 100644
index 0000000..c2642ed
--- /dev/null
+++ b/mls/file_contexts/program/daemontools.fc
@@ -0,0 +1,54 @@
+# daemontools
+
+/var/service/.*			system_u:object_r:svc_svc_t
+
+# symlinks to /var/service/*
+/service(/.*)?			system_u:object_r:svc_svc_t
+
+# supervise scripts
+/usr/bin/svc-add	--	system_u:object_r:svc_script_exec_t
+/usr/bin/svc-isdown	--	system_u:object_r:svc_script_exec_t
+/usr/bin/svc-isup	--	system_u:object_r:svc_script_exec_t
+/usr/bin/svc-remove	--	system_u:object_r:svc_script_exec_t
+/usr/bin/svc-start	--	system_u:object_r:svc_script_exec_t
+/usr/bin/svc-status	--	system_u:object_r:svc_script_exec_t
+/usr/bin/svc-stop	--	system_u:object_r:svc_script_exec_t
+/usr/bin/svc-waitdown	--	system_u:object_r:svc_script_exec_t
+/usr/bin/svc-waitup	--	system_u:object_r:svc_script_exec_t
+
+# supervise init binaries
+# these programs read/write to /service/*/supervise/* and /service/*/log/supervise/*
+/usr/bin/svc		--	system_u:object_r:svc_start_exec_t
+/usr/bin/svscan		--	system_u:object_r:svc_start_exec_t
+/usr/bin/svscanboot	--	system_u:object_r:svc_start_exec_t
+/usr/bin/svok		--	system_u:object_r:svc_start_exec_t
+/usr/bin/supervise	--	system_u:object_r:svc_start_exec_t
+
+# starting scripts
+/var/service/.*/run.*		system_u:object_r:svc_run_exec_t
+/var/service/.*/log/run		system_u:object_r:svc_run_exec_t
+
+# configurations
+/var/service/.*/env(/.*)?   system_u:object_r:svc_conf_t
+
+# log
+/var/service/.*/log/main(/.*)?  system_u:object_r:svc_log_t
+
+# programs that impose a given environment to daemons
+/usr/bin/softlimit	--	system_u:object_r:svc_run_exec_t
+/usr/bin/setuidgid	--	system_u:object_r:svc_run_exec_t
+/usr/bin/envuidgid	--	system_u:object_r:svc_run_exec_t
+/usr/bin/envdir		--	system_u:object_r:svc_run_exec_t
+/usr/bin/setlock	--	system_u:object_r:svc_run_exec_t
+
+# helper programs
+/usr/bin/fghack		--	system_u:object_r:svc_run_exec_t
+/usr/bin/pgrphack	--	system_u:object_r:svc_run_exec_t
+
+/var/run/svscan\.pid	--	system_u:object_r:initrc_var_run_t
+# daemontools logger # writes to service/*/log/main/ and /var/log/*/
+/usr/bin/multilog	--	system_u:object_r:svc_multilog_exec_t
+
+/sbin/svcinit       --  system_u:object_r:initrc_exec_t
+/sbin/runsvcscript\.sh	--	system_u:object_r:initrc_exec_t
+
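Review bot: none of the contexts in this file carry an MLS level, while the neighbouring files in this mls tree end every context with `:s0` (compare crontab.fc and cups.fc in the same patch); unless the build step appends a default level, these entries are likely to be rejected as invalid contexts once an MLS policy is loaded, so add `:s0` throughout. Also, `/var/service/.*/run.*` matches any name beginning with `run` (a `run.old` backup, a `runfoo` script), whereas the log line below it uses the exact `log/run`; use `/var/service/.*/run` or `run(\..*)?` depending on whether backups are meant to be covered. Minor: the `/sbin/svcinit` line uses spaces where the rest of the file uses tabs, the `# daemontools logger # writes to ...` comment has a doubled `#`, and the file ends with a blank line.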
diff --git a/mls/file_contexts/program/dante.fc b/mls/file_contexts/program/dante.fc
new file mode 100644
index 0000000..ce7f335
--- /dev/null
+++ b/mls/file_contexts/program/dante.fc
@@ -0,0 +1,4 @@
+# dante
+/usr/sbin/sockd		--	system_u:object_r:dante_exec_t
+/etc/socks(/.*)?		system_u:object_r:dante_conf_t
+/var/run/sockd.pid	--	system_u:object_r:dante_var_run_t
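Review bot: `/var/run/sockd.pid` leaves the dot unescaped, so it also matches a file named `sockdXpid`; write `sockd\.pid` as the other pid entries in this patch do (for example `/var/run/atd\.pid` in cron.fc). All three contexts also lack the `:s0` level used by the rest of the mls tree.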
diff --git a/mls/file_contexts/program/dbskkd.fc b/mls/file_contexts/program/dbskkd.fc
new file mode 100644
index 0000000..4f2d72f
--- /dev/null
+++ b/mls/file_contexts/program/dbskkd.fc
@@ -0,0 +1,2 @@
+# A dictionary server for the SKK Japanese input method system.
+/usr/sbin/dbskkd-cdb	--	system_u:object_r:dbskkd_exec_t:s0
diff --git a/mls/file_contexts/program/dbusd.fc b/mls/file_contexts/program/dbusd.fc
new file mode 100644
index 0000000..ea4e065
--- /dev/null
+++ b/mls/file_contexts/program/dbusd.fc
@@ -0,0 +1,3 @@
+/usr/bin/dbus-daemon(-1)?	--	system_u:object_r:system_dbusd_exec_t:s0
+/etc/dbus-1(/.*)?		system_u:object_r:etc_dbusd_t:s0
+/var/run/dbus(/.*)?		system_u:object_r:system_dbusd_var_run_t:s0
diff --git a/mls/file_contexts/program/dcc.fc b/mls/file_contexts/program/dcc.fc
new file mode 100644
index 0000000..a6b1372
--- /dev/null
+++ b/mls/file_contexts/program/dcc.fc
@@ -0,0 +1,17 @@
+# DCC
+/etc/dcc(/.*)?				system_u:object_r:dcc_var_t
+/etc/dcc/map			--	system_u:object_r:dcc_client_map_t
+/etc/dcc/dccifd			-s	system_u:object_r:dccifd_sock_t
+/usr/bin/cdcc				system_u:object_r:cdcc_exec_t
+/usr/bin/dccproc			system_u:object_r:dcc_client_exec_t
+/usr/libexec/dcc/dbclean		system_u:object_r:dcc_dbclean_exec_t
+/usr/libexec/dcc/dccd			system_u:object_r:dccd_exec_t
+/usr/libexec/dcc/dccifd			system_u:object_r:dccifd_exec_t
+/usr/libexec/dcc/dccm			system_u:object_r:dccm_exec_t
+/usr/libexec/dcc/start-.*		system_u:object_r:dcc_script_exec_t
+/usr/libexec/dcc/stop-.*		system_u:object_r:dcc_script_exec_t
+/var/dcc(/.*)?				system_u:object_r:dcc_var_t
+/var/dcc/map			--	system_u:object_r:dcc_client_map_t
+/var/run/dcc				system_u:object_r:dcc_var_run_t
+/var/run/dcc/map		--	system_u:object_r:dcc_client_map_t
+/var/run/dcc/dccifd		-s	system_u:object_r:dccifd_sock_t
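Review bot: the executable entries `/usr/bin/cdcc`, `/usr/bin/dccproc` and the `/usr/libexec/dcc/*` lines have no `--` qualifier, unlike the `/etc/dcc/map --` line in the same hunk and every other exec entry in this patch, so a directory or symlink of that name would be labeled as an executable as well; add `--`. `/var/run/dcc` has neither `(/.*)?` nor `-d`, so only the directory itself matches and anything created under it other than `map` and `dccifd` falls back to the /var/run default; is that intended? Please also confirm that `/etc/dcc(/.*)?` really belongs in `dcc_var_t`, since that gives the config tree the same type as the writable `/var/dcc` tree. No `:s0` levels in this file either.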
diff --git a/mls/file_contexts/program/ddclient.fc b/mls/file_contexts/program/ddclient.fc
new file mode 100644
index 0000000..83ee3d2
--- /dev/null
+++ b/mls/file_contexts/program/ddclient.fc
@@ -0,0 +1,11 @@
+# ddclient
+/etc/ddclient\.conf		--	system_u:object_r:ddclient_etc_t
+/usr/sbin/ddclient		--	system_u:object_r:ddclient_exec_t
+/var/cache/ddclient(/.*)?		system_u:object_r:ddclient_var_t
+/var/run/ddclient\.pid		--	system_u:object_r:ddclient_var_run_t
+# ddt - Dynamic DNS client
+/usr/sbin/ddtcd		--	system_u:object_r:ddclient_exec_t
+/var/run/ddtcd\.pid	--	system_u:object_r:ddclient_var_run_t
+/etc/ddtcd\.conf	--	system_u:object_r:ddclient_etc_t
+/var/lib/ddt-client(/.*)?	system_u:object_r:ddclient_var_lib_t
+/var/log/ddtcd\.log.*	--	system_u:object_r:ddclient_log_t
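Review bot: the contexts in this file have no `:s0` level, unlike dhcpc.fc and the other files in the patch that do; add it. The ddt entries introduce `ddclient_var_lib_t` and `ddclient_log_t`, which none of the ddclient entries above use; make sure both types are declared in the matching .te file or the file contexts will fail to load.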
diff --git a/mls/file_contexts/program/ddcprobe.fc b/mls/file_contexts/program/ddcprobe.fc
new file mode 100644
index 0000000..8879280
--- /dev/null
+++ b/mls/file_contexts/program/ddcprobe.fc
@@ -0,0 +1 @@
+/usr/sbin/ddcprobe      --		system_u:object_r:ddcprobe_exec_t:s0
diff --git a/mls/file_contexts/program/dhcpc.fc b/mls/file_contexts/program/dhcpc.fc
new file mode 100644
index 0000000..e892abe
--- /dev/null
+++ b/mls/file_contexts/program/dhcpc.fc
@@ -0,0 +1,19 @@
+# dhcpcd 
+/etc/dhcpc.*			system_u:object_r:dhcp_etc_t:s0
+/etc/dhcp3?/dhclient.*		system_u:object_r:dhcp_etc_t:s0
+/etc/dhclient.*conf	--	system_u:object_r:dhcp_etc_t:s0
+/etc/dhclient-script	--	system_u:object_r:dhcp_etc_t:s0
+/sbin/dhcpcd		--	system_u:object_r:dhcpc_exec_t:s0
+/sbin/dhcdbd		--	system_u:object_r:dhcpc_exec_t:s0
+/sbin/dhclient.*	--	system_u:object_r:dhcpc_exec_t:s0
+/var/lib/dhcp(3)?/dhclient.*	system_u:object_r:dhcpc_state_t:s0
+/var/lib/dhcpcd(/.*)?		system_u:object_r:dhcpc_state_t:s0
+/var/lib/dhclient(/.*)?		system_u:object_r:dhcpc_state_t:s0
+/var/run/dhclient.*\.pid --	system_u:object_r:dhcpc_var_run_t:s0
+/var/run/dhclient.*\.leases --	system_u:object_r:dhcpc_var_run_t:s0
+# pump
+/sbin/pump		--	system_u:object_r:dhcpc_exec_t:s0
+ifdef(`dhcp_defined', `', `
+/var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t:s0
+define(`dhcp_defined')
+')
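Review bot: the `ifdef(`dhcp_defined', ...)` guard at the end of this hunk defines the shared `/var/lib/dhcp(3)?` directory entry with a different regex from the same guard in dhcpd.fc (`/var/lib/dhcp([3d])?`), so which pattern lands in the built file_contexts depends on which .fc is processed first; use the same regex in both guards, or move the shared entry to a common file. Also `/etc/dhcpc.*` is unqualified and matches everything under /etc whose name begins with `dhcpc`, including a `dhcpcd` directory tree; if that is intended, a comment saying so would help the next reader.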
diff --git a/mls/file_contexts/program/dhcpd.fc b/mls/file_contexts/program/dhcpd.fc
new file mode 100644
index 0000000..a03636f
--- /dev/null
+++ b/mls/file_contexts/program/dhcpd.fc
@@ -0,0 +1,32 @@
+# dhcpd
+/etc/dhcpd\.conf	--	system_u:object_r:dhcp_etc_t:s0
+/etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t:s0
+/usr/sbin/dhcpd.*	--	system_u:object_r:dhcpd_exec_t:s0
+/var/lib/dhcp([3d])?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0
+/var/run/dhcpd\.pid	--	system_u:object_r:dhcpd_var_run_t:s0
+ifdef(`dhcp_defined', `', `
+/var/lib/dhcp([3d])?	-d	system_u:object_r:dhcp_state_t:s0
+define(`dhcp_defined')
+')
+/var/lib/dhcp/dhcpd\.leases.* 	--	system_u:object_r:dhcpd_state_t:s0
+/var/lib/dhcpd(/.*)?			system_u:object_r:dhcpd_state_t:s0
+ifdef(`distro_gentoo', `
+/etc/dhcp			-d	system_u:object_r:dhcp_etc_t:s0
+/etc/dhcp(/.*)?			--	system_u:object_r:dhcp_etc_t:s0
+/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_var_run_t:s0
+
+# for the chroot setup
+/chroot/dhcp					-d	system_u:object_r:root_t:s0
+/chroot/dhcp/dev				-d	system_u:object_r:device_t:s0
+/chroot/dhcp/etc				-d	system_u:object_r:etc_t:s0
+/chroot/dhcp/etc/dhcp               -d  system_u:object_r:dhcp_etc_t:s0
+/chroot/dhcp/etc/dhcp(/.*)?         --  system_u:object_r:dhcp_etc_t:s0
+/chroot/dhcp/usr/sbin/dhcpd         --  system_u:object_r:dhcpd_exec_t:s0
+/chroot/dhcp/var				-d	system_u:object_r:var_t:s0
+/chroot/dhcp/var/run				-d	system_u:object_r:var_run_t:s0
+/chroot/dhcp/var/lib				-d	system_u:object_r:var_lib_t:s0
+/chroot/dhcp/var/lib/dhcp			-d	system_u:object_r:dhcp_state_t:s0
+/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.*	--	system_u:object_r:dhcpd_state_t:s0
+/chroot/dhcp/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_state_t:s0
+')
+
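Review bot: in the Gentoo chroot block, `/chroot/dhcp/var/run/dhcp/dhcpd\.pid` is labeled `dhcpd_state_t`, whereas the non-chroot `/var/run/dhcp/dhcpd\.pid` a few lines above gets `dhcpd_var_run_t`; the pid file should be `dhcpd_var_run_t` in both places. `/var/lib/dhcp/dhcpd\.leases.*` is already covered by the earlier `/var/lib/dhcp([3d])?/dhcpd\.leases.*` with the same type and can be dropped. The `dhcp_defined` guard here uses `/var/lib/dhcp([3d])?` while the one in dhcpc.fc uses `/var/lib/dhcp(3)?`; keep them identical so the result does not depend on processing order. The file also ends with a trailing blank line.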
diff --git a/mls/file_contexts/program/dictd.fc b/mls/file_contexts/program/dictd.fc
new file mode 100644
index 0000000..b089863
--- /dev/null
+++ b/mls/file_contexts/program/dictd.fc
@@ -0,0 +1,4 @@
+# dictd
+/etc/dictd\.conf		--	system_u:object_r:dictd_etc_t:s0
+/usr/sbin/dictd		--	system_u:object_r:dictd_exec_t:s0
+/var/lib/dictd(/.*)?		system_u:object_r:dictd_var_lib_t:s0
diff --git a/mls/file_contexts/program/distcc.fc b/mls/file_contexts/program/distcc.fc
new file mode 100644
index 0000000..3ab9797
--- /dev/null
+++ b/mls/file_contexts/program/distcc.fc
@@ -0,0 +1,2 @@
+# distcc
+/usr/bin/distccd	--	system_u:object_r:distccd_exec_t
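Review bot: `distccd_exec_t` lacks the `:s0` level that the rest of the mls tree carries; add it.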
diff --git a/mls/file_contexts/program/djbdns.fc b/mls/file_contexts/program/djbdns.fc
new file mode 100644
index 0000000..6174b9f
--- /dev/null
+++ b/mls/file_contexts/program/djbdns.fc
@@ -0,0 +1,26 @@
+#djbdns
+/usr/bin/dnscache               -- system_u:object_r:djbdns_dnscache_exec_t
+/usr/bin/tinydns                -- system_u:object_r:djbdns_tinydns_exec_t
+/usr/bin/axfrdns                -- system_u:object_r:djbdns_axfrdns_exec_t
+
+/var/dnscache[a-z]?(/.*)?          system_u:object_r:svc_svc_t
+/var/dnscache[a-z]?/run        --  system_u:object_r:svc_run_exec_t
+/var/dnscache[a-z]?/log/run    --  system_u:object_r:svc_run_exec_t
+/var/dnscache[a-z]?/env(/.*)?      system_u:object_r:svc_conf_t
+/var/dnscache[a-z]?/root(/.*)?     system_u:object_r:djbdns_dnscache_conf_t
+/var/dnscache[a-z]?/log/main(/.*)? system_u:object_r:var_log_t
+
+/var/tinydns(/.*)?                 system_u:object_r:svc_svc_t
+/var/tinydns/run               --  system_u:object_r:svc_run_exec_t
+/var/tinydns/log/run           --  system_u:object_r:svc_run_exec_t
+/var/tinydns/env(/.*)?             system_u:object_r:svc_conf_t
+/var/tinydns/root(/.*)?            system_u:object_r:djbdns_tinydns_conf_t
+/var/tinydns/log/main(/.*)?        system_u:object_r:var_log_t
+
+/var/axfrdns(/.*)?                 system_u:object_r:svc_svc_t
+/var/axfrdns/run               --  system_u:object_r:svc_run_exec_t
+/var/axfrdns/log/run           --  system_u:object_r:svc_run_exec_t
+/var/axfrdns/env(/.*)?             system_u:object_r:svc_conf_t
+/var/axfrdns/root(/.*)?            system_u:object_r:djbdns_axfrdns_conf_t
+/var/axfrdns/log/main(/.*)?        system_u:object_r:var_log_t
+
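Review bot: the `log/main(/.*)?` directories for dnscache, tinydns and axfrdns are labeled plain `var_log_t`, whereas daemontools.fc in this same patch labels `/var/service/.*/log/main(/.*)?` as `svc_log_t` and its multilog comment says multilog writes to `service/*/log/main/`; if these services run under the same supervise/multilog domains they should use `svc_log_t` too, otherwise multilog will need write access to var_log_t. No `:s0` levels in this file, the header comment is missing its space (`#djbdns`), and the file ends with a blank line.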
diff --git a/mls/file_contexts/program/dmesg.fc b/mls/file_contexts/program/dmesg.fc
new file mode 100644
index 0000000..938875b
--- /dev/null
+++ b/mls/file_contexts/program/dmesg.fc
@@ -0,0 +1,2 @@
+# dmesg
+/bin/dmesg	--	system_u:object_r:dmesg_exec_t:s0
diff --git a/mls/file_contexts/program/dmidecode.fc b/mls/file_contexts/program/dmidecode.fc
new file mode 100644
index 0000000..7b02fd5
--- /dev/null
+++ b/mls/file_contexts/program/dmidecode.fc
@@ -0,0 +1,4 @@
+# dmidecode 
+/usr/sbin/dmidecode	--	   	system_u:object_r:dmidecode_exec_t:s0
+/usr/sbin/ownership	--		system_u:object_r:dmidecode_exec_t:s0
+/usr/sbin/vpddecode	--		system_u:object_r:dmidecode_exec_t:s0
diff --git a/mls/file_contexts/program/dnsmasq.fc b/mls/file_contexts/program/dnsmasq.fc
new file mode 100644
index 0000000..e1b1c35
--- /dev/null
+++ b/mls/file_contexts/program/dnsmasq.fc
@@ -0,0 +1,4 @@
+# dnsmasq
+/usr/sbin/dnsmasq		--	system_u:object_r:dnsmasq_exec_t
+/var/lib/misc/dnsmasq\.leases	--	system_u:object_r:dnsmasq_lease_t
+/var/run/dnsmasq\.pid		--	system_u:object_r:dnsmasq_var_run_t
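Review bot: all three contexts lack the `:s0` level; add it for consistency with the mls tree. The patterns themselves look right, with the pid and leases names properly escaped.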
diff --git a/mls/file_contexts/program/dovecot.fc b/mls/file_contexts/program/dovecot.fc
new file mode 100644
index 0000000..bc45b9d
--- /dev/null
+++ b/mls/file_contexts/program/dovecot.fc
@@ -0,0 +1,16 @@
+# for Dovecot POP and IMAP server
+/etc/dovecot.conf.*			system_u:object_r:dovecot_etc_t:s0
+/etc/dovecot.passwd.*			system_u:object_r:dovecot_passwd_t:s0
+/usr/sbin/dovecot		--	system_u:object_r:dovecot_exec_t:s0
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/dovecot-auth --	system_u:object_r:dovecot_auth_exec_t:s0
+')
+ifdef(`distro_debian', `
+/usr/lib/dovecot/dovecot-auth	--	system_u:object_r:dovecot_auth_exec_t:s0
+')
+/usr/share/ssl/certs/dovecot\.pem --	system_u:object_r:dovecot_cert_t:s0
+/usr/share/ssl/private/dovecot\.pem --	system_u:object_r:dovecot_cert_t:s0
+/etc/pki/dovecot(/.*)?			system_u:object_r:dovecot_cert_t:s0
+/var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t:s0
+/usr/lib(64)?/dovecot/.+	--		system_u:object_r:bin_t:s0
+/var/spool/dovecot(/.*)?		system_u:object_r:dovecot_spool_t:s0
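Review bot: the catch-all `/usr/lib(64)?/dovecot/.+ -- bin_t` near the end overlaps the Debian `/usr/lib/dovecot/dovecot-auth -- dovecot_auth_exec_t` entry above it, so which label dovecot-auth receives depends on the matcher's precedence rules rather than on what is written; exclude dovecot-auth from the catch-all or move the catch-all above the specific entries so the intent is unambiguous. Also `/etc/dovecot.conf.*` and `/etc/dovecot.passwd.*` leave the dot unescaped, so the first also matches everything under a `/etc/dovecot/conf...` directory; use `\.`.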
diff --git a/mls/file_contexts/program/dpkg.fc b/mls/file_contexts/program/dpkg.fc
new file mode 100644
index 0000000..f0f56f6
--- /dev/null
+++ b/mls/file_contexts/program/dpkg.fc
@@ -0,0 +1,49 @@
+# dpkg/dselect/apt
+/etc/apt(/.*)?			system_u:object_r:apt_etc_t
+/etc/apt/listbugs(/.*)?		system_u:object_r:apt_rw_etc_t
+/usr/bin/apt-cache	--	system_u:object_r:apt_exec_t
+/usr/bin/apt-config	--	system_u:object_r:apt_exec_t
+/usr/bin/apt-get	--	system_u:object_r:apt_exec_t
+/usr/bin/dpkg		--	system_u:object_r:dpkg_exec_t
+/usr/sbin/dpkg-reconfigure --	system_u:object_r:dpkg_exec_t
+/usr/bin/dselect	--	system_u:object_r:dpkg_exec_t
+/usr/bin/aptitude	--	system_u:object_r:dpkg_exec_t
+/usr/bin/update-menus	--	system_u:object_r:install_menu_exec_t
+/usr/lib(64)?/apt/methods/.+	--	system_u:object_r:apt_exec_t
+/usr/lib(64)?/man-db(/.*)?		system_u:object_r:bin_t
+/usr/lib(64)?/dpkg/.+	--	system_u:object_r:dpkg_exec_t
+/usr/sbin/dpkg-preconfigure --	system_u:object_r:dpkg_exec_t
+/usr/sbin/install-menu	--	system_u:object_r:install_menu_exec_t
+/usr/share/applnk(/.*)?		system_u:object_r:debian_menu_t
+/usr/share/debconf/.+	--	system_u:object_r:dpkg_exec_t
+/usr/share/debiandoc-sgml/saspconvert -- system_u:object_r:bin_t
+/usr/share/lintian/.+	--	system_u:object_r:bin_t
+/usr/share/kernel-package/.+ -- system_u:object_r:bin_t
+/usr/share/smartmontools/selftests -- system_u:object_r:bin_t
+/usr/share/bug/[^/]+	--	system_u:object_r:bin_t
+/var/cache/apt(/.*)?		system_u:object_r:var_cache_apt_t
+/var/cache/apt-listbugs(/.*)?	system_u:object_r:var_cache_apt_t
+/var/lib/apt(/.*)?		system_u:object_r:apt_var_lib_t
+/var/state/apt(/.*)?		system_u:object_r:apt_var_lib_t
+/var/lib/dpkg(/.*)?		system_u:object_r:dpkg_var_lib_t
+/var/lib/dpkg/(meth)?lock --	system_u:object_r:dpkg_lock_t
+/var/lib/kde(/.*)?		system_u:object_r:debian_menu_t
+/var/spool/kdeapplnk(/.*)?	system_u:object_r:debian_menu_t
+/var/cache/debconf(/.*)?	system_u:object_r:debconf_cache_t
+/etc/dpkg/.+		--	system_u:object_r:dpkg_etc_t
+/etc/menu-methods/.*	--	system_u:object_r:install_menu_exec_t
+/usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t
+/var/run/update-menus\.pid --	system_u:object_r:install_menu_var_run_t
+/usr/share/dlint/digparse --	system_u:object_r:bin_t
+/usr/share/gimp/1\.2/user_install -- system_u:object_r:bin_t
+/usr/share/openoffice\.org-debian-files/install-hook -- system_u:object_r:bin_t
+/var/lib/defoma(/.*)?		system_u:object_r:fonts_t
+/usr/lib(64)?/doc-rfc/register-doc-rfc-docs -- system_u:object_r:bin_t
+/usr/share/intltool-debian/.* -- system_u:object_r:bin_t
+/usr/share/po-debconf/intltool-merge -- system_u:object_r:bin_t
+/usr/share/linuxdoc-tools/sgmlswhich -- system_u:object_r:bin_t
+/usr/share/shorewall/.*	--	system_u:object_r:bin_t
+/usr/share/reportbug/.*	--	system_u:object_r:bin_t
+/etc/network/ifstate.*	--	system_u:object_r:etc_runtime_t
+/usr/lib(64)?/gconf2/gconfd-2 --	system_u:object_r:bin_t
+/bin/mountpoint		--	system_u:object_r:fsadm_exec_t
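Review bot: several entries at the end of this hunk are unrelated to dpkg/apt and belong elsewhere: `/bin/mountpoint -- fsadm_exec_t` should live in fsadm.fc (added by this same patch), and `/usr/lib(64)?/gconf2/gconfd-2 -- bin_t` conflicts with gconf.fc, which labels the same daemon at `/usr/libexec/gconfd-2` as `gconfd_exec_t`, so on the Debian path gconfd would run outside its own domain; move it to gconf.fc with `gconfd_exec_t`. `/var/lib/defoma(/.*)? fonts_t` and `/etc/network/ifstate.* -- etc_runtime_t` likewise have nothing to do with package management. No `:s0` levels anywhere in this file.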
diff --git a/mls/file_contexts/program/ethereal.fc b/mls/file_contexts/program/ethereal.fc
new file mode 100644
index 0000000..abe9b02
--- /dev/null
+++ b/mls/file_contexts/program/ethereal.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tethereal.*		--	system_u:object_r:tethereal_exec_t
+/usr/sbin/ethereal.*		--	system_u:object_r:ethereal_exec_t				
+HOME_DIR/\.ethereal(/.*)? 		system_u:object_r:ROLE_ethereal_home_t		
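Review bot: the `ethereal.*` and `HOME_DIR/\.ethereal` lines carry trailing tabs, and none of the three contexts has the `:s0` level. `/usr/sbin/tethereal.*` and `/usr/sbin/ethereal.*` also match any longer name with that prefix; if only the two binaries are meant, drop the `.*`.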
diff --git a/mls/file_contexts/program/evolution.fc b/mls/file_contexts/program/evolution.fc
new file mode 100644
index 0000000..1a3bf38
--- /dev/null
+++ b/mls/file_contexts/program/evolution.fc
@@ -0,0 +1,8 @@
+/usr/bin/evolution.*					--	system_u:object_r:evolution_exec_t
+/usr/libexec/evolution/.*evolution-alarm-notify.*	--	system_u:object_r:evolution_alarm_exec_t
+/usr/libexec/evolution/.*evolution-exchange-storage.*	--	system_u:object_r:evolution_exchange_exec_t
+/usr/libexec/evolution-data-server.*			--	system_u:object_r:evolution_server_exec_t
+/usr/libexec/evolution-webcal.*				--	system_u:object_r:evolution_webcal_exec_t
+HOME_DIR/\.evolution(/.*)?					system_u:object_r:ROLE_evolution_home_t
+HOME_DIR/\.camel_certs(/.*)?					system_u:object_r:ROLE_evolution_home_t
+/tmp/\.exchange-USER(/.*)?					system_u:object_r:ROLE_evolution_exchange_tmp_t
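Review bot: no `:s0` level on any context in this file; add it. `/usr/bin/evolution.*` matches every name in /usr/bin that begins with `evolution`, including any `evolution-*` helpers installed there rather than in libexec; if those should get the more specific helper types, the pattern needs tightening.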
diff --git a/mls/file_contexts/program/exim.fc b/mls/file_contexts/program/exim.fc
new file mode 100644
index 0000000..26f6bac
--- /dev/null
+++ b/mls/file_contexts/program/exim.fc
@@ -0,0 +1,18 @@
+# exim
+/usr/sbin/exicyclog		--	system_u:object_r:exicyclog_exec_t
+/usr/sbin/exigrep		--	system_u:object_r:exigrep_exec_t
+/usr/sbin/exim_checkaccess	--	system_u:object_r:exim_checkaccess_exec_t
+/usr/sbin/exim_dumpdb		--	system_u:object_r:exim_db_ro_exec_t
+/usr/sbin/exim_fixdb		--	system_u:object_r:exim_db_rw_exec_t
+/usr/sbin/exim_lock		--	system_u:object_r:exim_helper_exec_t
+/usr/sbin/exim_tidydb		--	system_u:object_r:exim_db_rw_exec_t
+/usr/sbin/exinext  		--	system_u:object_r:exim_helper_exec_t
+/usr/sbin/exipick  		--	system_u:object_r:exipick_exec_t
+/usr/sbin/exiqgrep 		--	system_u:object_r:exiqgrep_exec_t
+/usr/sbin/exim 			--	system_u:object_r:exim_exec_t
+/usr/sbin/exiwhat		--	system_u:object_r:exiwhat_exec_t
+/var/spool/exim(/.*)?			system_u:object_r:exim_spool_t
+/var/spool/exim/db(/.*)?		system_u:object_r:exim_spool_db_t
+/var/spool/exim/msglog(/.*)? 		system_u:object_r:exim_log_t
+/var/run/exim.pid               --      system_u:object_r:exim_var_run_t
+/var/log/exim(/.*)?                     system_u:object_r:exim_log_t
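Review bot: `/var/run/exim.pid` leaves the dot unescaped; use `exim\.pid`. The `exinext`, `exipick`, `exiqgrep` and `exim` lines and the last two lines use spaces where the rest of the file uses tabs, and the whole file lacks `:s0` levels.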
diff --git a/mls/file_contexts/program/fetchmail.fc b/mls/file_contexts/program/fetchmail.fc
new file mode 100644
index 0000000..9ac51a2
--- /dev/null
+++ b/mls/file_contexts/program/fetchmail.fc
@@ -0,0 +1,5 @@
+# fetchmail
+/etc/fetchmailrc		--	system_u:object_r:fetchmail_etc_t:s0
+/usr/bin/fetchmail		--	system_u:object_r:fetchmail_exec_t:s0
+/var/run/fetchmail/.*	--	system_u:object_r:fetchmail_var_run_t:s0
+/var/mail/\.fetchmail-UIDL-cache --	system_u:object_r:fetchmail_uidl_cache_t:s0
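Review bot: `/var/run/fetchmail/.* --` labels the files but not the `/var/run/fetchmail` directory, which keeps the /var/run default; if fetchmail has to create its pid or lock files there, add a `-d` entry for the directory or use `/var/run/fetchmail(/.*)?`.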
diff --git a/mls/file_contexts/program/fingerd.fc b/mls/file_contexts/program/fingerd.fc
new file mode 100644
index 0000000..f7ed20d
--- /dev/null
+++ b/mls/file_contexts/program/fingerd.fc
@@ -0,0 +1,6 @@
+# fingerd
+/usr/sbin/in\.fingerd	--	system_u:object_r:fingerd_exec_t:s0
+/usr/sbin/[cef]fingerd	--	system_u:object_r:fingerd_exec_t:s0
+/etc/cron\.weekly/(c)?fingerd -- system_u:object_r:fingerd_exec_t:s0
+/etc/cfingerd(/.*)?		system_u:object_r:fingerd_etc_t:s0
+/var/log/cfingerd\.log.* --	system_u:object_r:fingerd_log_t:s0
diff --git a/mls/file_contexts/program/firstboot.fc b/mls/file_contexts/program/firstboot.fc
new file mode 100644
index 0000000..9a087ed
--- /dev/null
+++ b/mls/file_contexts/program/firstboot.fc
@@ -0,0 +1,4 @@
+# firstboot
+/usr/sbin/firstboot	-- system_u:object_r:firstboot_exec_t:s0
+/usr/share/firstboot	system_u:object_r:firstboot_rw_t:s0
+/usr/share/firstboot/firstboot\.py --	system_u:object_r:firstboot_exec_t:s0
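Review bot: `/usr/share/firstboot system_u:object_r:firstboot_rw_t:s0` has no `(/.*)?`, so only the directory itself becomes firstboot_rw_t and its contents, apart from firstboot.py, keep the /usr/share default; if the tree is meant to be writable by firstboot, use `/usr/share/firstboot(/.*)?` and keep the later `firstboot\.py` override after it. The first line also uses a single space before `system_u` where the rest of the patch uses tabs.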
diff --git a/mls/file_contexts/program/fontconfig.fc b/mls/file_contexts/program/fontconfig.fc
new file mode 100644
index 0000000..d8a8dc9
--- /dev/null
+++ b/mls/file_contexts/program/fontconfig.fc
@@ -0,0 +1,4 @@
+HOME_DIR/\.fonts.conf		--	system_u:object_r:ROLE_fonts_config_t
+HOME_DIR/\.fonts(/.*)?			system_u:object_r:ROLE_fonts_t
+HOME_DIR/\.fonts/auto(/.*)?		system_u:object_r:ROLE_fonts_cache_t
+HOME_DIR/\.fonts.cache-.*	--	system_u:object_r:ROLE_fonts_cache_t
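Review bot: `HOME_DIR/\.fonts.conf` and `HOME_DIR/\.fonts.cache-.*` escape the first dot but not the second; write `\.fonts\.conf` and `\.fonts\.cache-.*`. All four contexts lack `:s0`.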
diff --git a/mls/file_contexts/program/fs_daemon.fc b/mls/file_contexts/program/fs_daemon.fc
new file mode 100644
index 0000000..1e086fd
--- /dev/null
+++ b/mls/file_contexts/program/fs_daemon.fc
@@ -0,0 +1,4 @@
+# fs admin daemons
+/usr/sbin/smartd	--	system_u:object_r:fsdaemon_exec_t:s0
+/var/run/smartd\.pid	--	system_u:object_r:fsdaemon_var_run_t:s0
+/etc/smartd\.conf	--	system_u:object_r:etc_runtime_t:s0
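Review bot: `/etc/smartd\.conf` is labeled `etc_runtime_t`, the type for files rewritten at run time (mtab, motd and the like); a static daemon configuration normally gets `etc_t`, and giving it etc_runtime_t lets every domain allowed to write runtime files modify smartd's configuration. If something regenerates smartd.conf at boot, say so in a comment; otherwise use etc_t.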
diff --git a/mls/file_contexts/program/fsadm.fc b/mls/file_contexts/program/fsadm.fc
new file mode 100644
index 0000000..4601a39
--- /dev/null
+++ b/mls/file_contexts/program/fsadm.fc
@@ -0,0 +1,40 @@
+# fs admin utilities
+/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/mkfs\.cramfs	--	system_u:object_r:sbin_t:s0
+/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t:s0
+/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t:s0
+/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t:s0
+/sbin/e2label		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/findfs		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/mkfs		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/mkswap		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/fdisk		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/parted		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/dump		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/hdparm		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/raidstart		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/raidautorun	--	system_u:object_r:fsadm_exec_t:s0
+/sbin/mkraid		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/blockdev		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/lsraid		--	system_u:object_r:fsadm_exec_t:s0
+/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t:s0
+/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t:s0
+/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t:s0
+/usr/bin/raw		--	system_u:object_r:fsadm_exec_t:s0
+/sbin/partx		--	system_u:object_r:fsadm_exec_t:s0
+/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t:s0
+/sbin/partprobe		--	system_u:object_r:fsadm_exec_t:s0
+/usr/bin/syslinux	--	system_u:object_r:fsadm_exec_t:s0
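Review bot: `/sbin/mkfs\.cramfs -- sbin_t` deliberately carves an exception out of the preceding `/sbin/mkfs.*` line, but nothing says why mkfs.cramfs must stay out of fsadm_exec_t; add a comment, and keep the exception after the generic line so the more specific entry is the one that applies. `/sbin/mkfs` is already covered by `/sbin/mkfs.*` with the same type and can be dropped.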
diff --git a/mls/file_contexts/program/ftpd.fc b/mls/file_contexts/program/ftpd.fc
new file mode 100644
index 0000000..92a8c3e
--- /dev/null
+++ b/mls/file_contexts/program/ftpd.fc
@@ -0,0 +1,17 @@
+# ftpd
+/usr/sbin/in\.ftpd	--	system_u:object_r:ftpd_exec_t:s0
+/usr/sbin/proftpd	--	system_u:object_r:ftpd_exec_t:s0
+/usr/sbin/muddleftpd	--	system_u:object_r:ftpd_exec_t:s0
+/usr/sbin/ftpwho	--	system_u:object_r:ftpd_exec_t:s0
+/usr/kerberos/sbin/ftpd	--	system_u:object_r:ftpd_exec_t:s0
+/usr/sbin/vsftpd	--	system_u:object_r:ftpd_exec_t:s0
+/etc/proftpd\.conf	--	system_u:object_r:ftpd_etc_t:s0
+/var/run/proftpd/proftpd-inetd -- system_u:object_r:ftpd_var_run_t:s0
+/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t:s0
+/var/log/muddleftpd\.log.* --	system_u:object_r:xferlog_t:s0
+/var/log/xferlog.*	--	system_u:object_r:xferlog_t:s0
+/var/log/vsftpd.*	--	system_u:object_r:xferlog_t:s0
+/var/log/xferreport.*	--	system_u:object_r:xferlog_t:s0
+/etc/cron\.monthly/proftpd --	system_u:object_r:ftpd_exec_t:s0
+/var/ftp(/.*)?			system_u:object_r:public_content_t:s0
+/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:public_content_t:s0
diff --git a/mls/file_contexts/program/games.fc b/mls/file_contexts/program/games.fc
new file mode 100644
index 0000000..3465eee
--- /dev/null
+++ b/mls/file_contexts/program/games.fc
@@ -0,0 +1,61 @@
+#  games
+/usr/lib/games(/.*)? 		system_u:object_r:games_exec_t
+/var/lib/games(/.*)? 		system_u:object_r:games_data_t
+ifdef(`distro_debian', `
+/usr/games/.*		--	system_u:object_r:games_exec_t
+/var/games(/.*)?		system_u:object_r:games_data_t
+', `
+/usr/bin/micq		--	system_u:object_r:games_exec_t
+/usr/bin/blackjack	--	system_u:object_r:games_exec_t
+/usr/bin/gataxx		--	system_u:object_r:games_exec_t
+/usr/bin/glines		--	system_u:object_r:games_exec_t
+/usr/bin/gnect		--	system_u:object_r:games_exec_t
+/usr/bin/gnibbles	--	system_u:object_r:games_exec_t
+/usr/bin/gnobots2	--	system_u:object_r:games_exec_t
+/usr/bin/gnome-stones	--	system_u:object_r:games_exec_t
+/usr/bin/gnomine	--	system_u:object_r:games_exec_t
+/usr/bin/gnotravex	--	system_u:object_r:games_exec_t
+/usr/bin/gnotski	--	system_u:object_r:games_exec_t
+/usr/bin/gtali		--	system_u:object_r:games_exec_t
+/usr/bin/iagno		--	system_u:object_r:games_exec_t
+/usr/bin/mahjongg	--	system_u:object_r:games_exec_t
+/usr/bin/same-gnome	--	system_u:object_r:games_exec_t
+/usr/bin/sol		--	system_u:object_r:games_exec_t
+/usr/bin/atlantik	--	system_u:object_r:games_exec_t
+/usr/bin/kasteroids	--	system_u:object_r:games_exec_t
+/usr/bin/katomic	--	system_u:object_r:games_exec_t
+/usr/bin/kbackgammon	--	system_u:object_r:games_exec_t
+/usr/bin/kbattleship	--	system_u:object_r:games_exec_t
+/usr/bin/kblackbox	--	system_u:object_r:games_exec_t
+/usr/bin/kbounce	--	system_u:object_r:games_exec_t
+/usr/bin/kenolaba	--	system_u:object_r:games_exec_t
+/usr/bin/kfouleggs	--	system_u:object_r:games_exec_t
+/usr/bin/kgoldrunner	--	system_u:object_r:games_exec_t
+/usr/bin/kjumpingcube	--	system_u:object_r:games_exec_t
+/usr/bin/klickety	--	system_u:object_r:games_exec_t
+/usr/bin/klines		--	system_u:object_r:games_exec_t
+/usr/bin/kmahjongg	--	system_u:object_r:games_exec_t
+/usr/bin/kmines		--	system_u:object_r:games_exec_t
+/usr/bin/kolf		--	system_u:object_r:games_exec_t
+/usr/bin/konquest	--	system_u:object_r:games_exec_t
+/usr/bin/kpat		--	system_u:object_r:games_exec_t
+/usr/bin/kpoker		--	system_u:object_r:games_exec_t
+/usr/bin/kreversi	--	system_u:object_r:games_exec_t
+/usr/bin/ksame		--	system_u:object_r:games_exec_t
+/usr/bin/kshisen	--	system_u:object_r:games_exec_t
+/usr/bin/ksirtet	--	system_u:object_r:games_exec_t
+/usr/bin/ksmiletris	--	system_u:object_r:games_exec_t
+/usr/bin/ksnake		--	system_u:object_r:games_exec_t
+/usr/bin/ksokoban	--	system_u:object_r:games_exec_t
+/usr/bin/kspaceduel	--	system_u:object_r:games_exec_t
+/usr/bin/ktron		--	system_u:object_r:games_exec_t
+/usr/bin/ktuberling	--	system_u:object_r:games_exec_t
+/usr/bin/kwin4		--	system_u:object_r:games_exec_t
+/usr/bin/kwin4proc	--	system_u:object_r:games_exec_t
+/usr/bin/lskat		--	system_u:object_r:games_exec_t
+/usr/bin/lskatproc	--	system_u:object_r:games_exec_t
+/usr/bin/Maelstrom	--	system_u:object_r:games_exec_t
+/usr/bin/civclient.*	--	system_u:object_r:games_exec_t
+/usr/bin/civserver.*	--	system_u:object_r:games_exec_t
+')dnl end non-Debian section
+
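Review bot: `/usr/bin/micq` is labeled `games_exec_t`, but micq is a text-mode ICQ instant-messaging client, not a game, and should not be in this file. `/usr/lib/games(/.*)?` labels the directory and every data file beneath it as `games_exec_t` with no `--` qualifier and without the `lib(64)?` alternation used elsewhere in the patch. No `:s0` levels anywhere, and the file ends with a blank line.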
diff --git a/mls/file_contexts/program/gatekeeper.fc b/mls/file_contexts/program/gatekeeper.fc
new file mode 100644
index 0000000..e51491a
--- /dev/null
+++ b/mls/file_contexts/program/gatekeeper.fc
@@ -0,0 +1,7 @@
+# gatekeeper
+/etc/gatekeeper\.ini	--	system_u:object_r:gatekeeper_etc_t
+/usr/sbin/gk		--	system_u:object_r:gatekeeper_exec_t
+/usr/sbin/gnugk		--	system_u:object_r:gatekeeper_exec_t
+/var/run/gk\.pid	--	system_u:object_r:gatekeeper_var_run_t
+/var/run/gnugk(/.*)?		system_u:object_r:gatekeeper_var_run_t
+/var/log/gnugk(/.*)?		system_u:object_r:gatekeeper_log_t
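Review bot: no `:s0` levels in this file; add them for the mls tree.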
diff --git a/mls/file_contexts/program/gconf.fc b/mls/file_contexts/program/gconf.fc
new file mode 100644
index 0000000..3ee63e0
--- /dev/null
+++ b/mls/file_contexts/program/gconf.fc
@@ -0,0 +1,5 @@
+/usr/libexec/gconfd-2	--	system_u:object_r:gconfd_exec_t
+/etc/gconf(/.*)?		system_u:object_r:gconf_etc_t
+HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_gconfd_home_t
+HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_gconfd_home_t
+/tmp/gconfd-USER(/.*)?		system_u:object_r:ROLE_gconfd_tmp_t
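Review bot: `/usr/libexec/gconfd-2` gets `gconfd_exec_t` here, but dpkg.fc in the same patch labels the Debian location `/usr/lib(64)?/gconf2/gconfd-2` as `bin_t`; move that entry here with `gconfd_exec_t` so both layouts confine gconfd the same way. The contexts also lack `:s0`.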
diff --git a/mls/file_contexts/program/getty.fc b/mls/file_contexts/program/getty.fc
new file mode 100644
index 0000000..19b7e64
--- /dev/null
+++ b/mls/file_contexts/program/getty.fc
@@ -0,0 +1,5 @@
+# getty
+/sbin/.*getty		--	system_u:object_r:getty_exec_t:s0
+/etc/mgetty(/.*)?		system_u:object_r:getty_etc_t:s0
+/var/run/mgetty\.pid.*	--	system_u:object_r:getty_var_run_t:s0
+/var/log/mgetty\.log.*	--	system_u:object_r:getty_log_t:s0
diff --git a/mls/file_contexts/program/gift.fc b/mls/file_contexts/program/gift.fc
new file mode 100644
index 0000000..88ed5f2
--- /dev/null
+++ b/mls/file_contexts/program/gift.fc
@@ -0,0 +1,5 @@
+/usr/(local/)?bin/giftd	--	system_u:object_r:giftd_exec_t
+/usr/(local/)?bin/giftui	-- 	system_u:object_r:gift_exec_t
+/usr/(local/)?bin/giFToxic	--	system_u:object_r:gift_exec_t
+/usr/(local/)?bin/apollon	-- 	system_u:object_r:gift_exec_t
+HOME_DIR/\.giFT(/.*)?		system_u:object_r:ROLE_gift_home_t
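Review bot: missing `:s0` levels throughout. The `giftui` and `apollon` lines have a space after `--` where the others use a tab; align them.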
diff --git a/mls/file_contexts/program/gnome-pty-helper.fc b/mls/file_contexts/program/gnome-pty-helper.fc
new file mode 100644
index 0000000..24a0b1b
--- /dev/null
+++ b/mls/file_contexts/program/gnome-pty-helper.fc
@@ -0,0 +1,3 @@
+# gnome-pty-helper
+/usr/sbin/gnome-pty-helper --	system_u:object_r:gph_exec_t
+/usr/lib(64)?/vte/gnome-pty-helper --	system_u:object_r:gph_exec_t
diff --git a/mls/file_contexts/program/gnome.fc b/mls/file_contexts/program/gnome.fc
new file mode 100644
index 0000000..670c86f
--- /dev/null
+++ b/mls/file_contexts/program/gnome.fc
@@ -0,0 +1,8 @@
+# FIXME: add a lot more GNOME folders
+HOME_DIR/\.gnome(2)?(/.*)?			system_u:object_r:ROLE_gnome_settings_t
+HOME_DIR/\.gnome(2)?_private(/.*)?              system_u:object_r:ROLE_gnome_secret_t
+ifdef(`evolution.te', `
+HOME_DIR/\.gnome(2)?_private/Evolution	--	system_u:object_r:ROLE_evolution_secret_t
+')
+HOME_DIR/\.gnome(2)?/share/fonts(/.*)?          system_u:object_r:ROLE_fonts_t
+HOME_DIR/\.gnome(2)?/share/cursor-fonts(/.*)?   system_u:object_r:ROLE_fonts_t
diff --git a/mls/file_contexts/program/gnome_vfs.fc b/mls/file_contexts/program/gnome_vfs.fc
new file mode 100644
index 0000000..f945d59
--- /dev/null
+++ b/mls/file_contexts/program/gnome_vfs.fc
@@ -0,0 +1 @@
+/usr/libexec/gnome-vfs-daemon 	--	system_u:object_r:gnome_vfs_exec_t
diff --git a/mls/file_contexts/program/gpg-agent.fc b/mls/file_contexts/program/gpg-agent.fc
new file mode 100644
index 0000000..a8a7603
--- /dev/null
+++ b/mls/file_contexts/program/gpg-agent.fc
@@ -0,0 +1,3 @@
+# gpg-agent
+/usr/bin/gpg-agent	--	system_u:object_r:gpg_agent_exec_t:s0
+/usr/bin/pinentry.*	--	system_u:object_r:pinentry_exec_t:s0
diff --git a/mls/file_contexts/program/gpg.fc b/mls/file_contexts/program/gpg.fc
new file mode 100644
index 0000000..b820755
--- /dev/null
+++ b/mls/file_contexts/program/gpg.fc
@@ -0,0 +1,7 @@
+# gpg
+HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t:s0
+/usr/bin/gpg(2)?		--	system_u:object_r:gpg_exec_t:s0
+/usr/bin/kgpg		--	system_u:object_r:gpg_exec_t:s0
+/usr/lib/gnupg/.*	--	system_u:object_r:gpg_exec_t:s0
+/usr/lib/gnupg/gpgkeys.*	--  system_u:object_r:gpg_helper_exec_t:s0
+
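Review bot: `/usr/lib/gnupg/.*` and `/usr/lib/gnupg/gpgkeys.*` are written without the `(64)?` alternation that the other files in this patch use for library paths (for example `/usr/lib(64)?/ipsec/` in ipsec.fc), so the gpg keyserver helpers under /usr/lib64 would be left unlabeled on 64-bit installs; suggest `/usr/lib(64)?/gnupg/.*` and `/usr/lib(64)?/gnupg/gpgkeys.*`. The trailing empty line at the end of the file can also be dropped.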
diff --git a/mls/file_contexts/program/gpm.fc b/mls/file_contexts/program/gpm.fc
new file mode 100644
index 0000000..1210518
--- /dev/null
+++ b/mls/file_contexts/program/gpm.fc
@@ -0,0 +1,5 @@
+# gpm
+/dev/gpmctl		-s	system_u:object_r:gpmctl_t:s0
+/dev/gpmdata		-p	system_u:object_r:gpmctl_t:s0
+/usr/sbin/gpm		--	system_u:object_r:gpm_exec_t:s0
+/etc/gpm(/.*)?			system_u:object_r:gpm_conf_t:s0
diff --git a/mls/file_contexts/program/groupadd.fc b/mls/file_contexts/program/groupadd.fc
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/mls/file_contexts/program/groupadd.fc
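Review bot: groupadd.fc is added as an empty file (blob e69de29, no hunk). If groupadd has no paths to label in the mls policy the file should not be added; if it is meant to label `/usr/sbin/groupadd` and friends with a `groupadd_exec_t`, the entries are missing. Either way, an empty .fc file is easy to overlook later.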
diff --git a/mls/file_contexts/program/hald.fc b/mls/file_contexts/program/hald.fc
new file mode 100644
index 0000000..b57463d
--- /dev/null
+++ b/mls/file_contexts/program/hald.fc
@@ -0,0 +1,6 @@
+# hald - hardware information daemon
+/usr/sbin/hald		--	system_u:object_r:hald_exec_t:s0
+/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t:s0
+/etc/hal/device\.d/printer_remove\.hal -- system_u:object_r:hald_exec_t:s0
+/etc/hal/capability\.d/printer_update\.hal -- system_u:object_r:hald_exec_t:s0
+/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t:s0
diff --git a/mls/file_contexts/program/hostname.fc b/mls/file_contexts/program/hostname.fc
new file mode 100644
index 0000000..01a957a
--- /dev/null
+++ b/mls/file_contexts/program/hostname.fc
@@ -0,0 +1 @@
+/bin/hostname		--	system_u:object_r:hostname_exec_t:s0
diff --git a/mls/file_contexts/program/hotplug.fc b/mls/file_contexts/program/hotplug.fc
new file mode 100644
index 0000000..05c6504
--- /dev/null
+++ b/mls/file_contexts/program/hotplug.fc
@@ -0,0 +1,13 @@
+# hotplug
+/etc/hotplug(/.*)?		system_u:object_r:hotplug_etc_t:s0
+/sbin/hotplug		--	system_u:object_r:hotplug_exec_t:s0
+/sbin/netplugd		--	system_u:object_r:hotplug_exec_t:s0
+/etc/hotplug\.d/.*	--	system_u:object_r:hotplug_exec_t:s0
+/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t:s0
+/etc/netplug\.d(/.*)? 	 	system_u:object_r:sbin_t:s0
+/etc/hotplug/.*agent	--	system_u:object_r:sbin_t:s0
+/etc/hotplug/.*rc	-- 	system_u:object_r:sbin_t:s0
+/etc/hotplug/hotplug\.functions --	system_u:object_r:sbin_t:s0
+/var/run/usb(/.*)?		system_u:object_r:hotplug_var_run_t:s0
+/var/run/hotplug(/.*)?		system_u:object_r:hotplug_var_run_t:s0
+/etc/hotplug/firmware.agent	--	system_u:object_r:hotplug_exec_t:s0
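Review bot: the last entry uses an unescaped dot in `/etc/hotplug/firmware.agent`, unlike `/etc/hotplug/hotplug\.functions` a few lines above; as a regex the `.` matches any character, which is harmless here but inconsistent with the rest of the file, so write `firmware\.agent`. Note also that this entry deliberately follows `/etc/hotplug/.*agent -- sbin_t` so that the later, more specific match labels firmware.agent as `hotplug_exec_t`; a one-line comment saying so would stop someone from "tidying" the order. The `/etc/netplug\.d(/.*)?` line has stray tab-space-tab padding that should be plain tabs.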
diff --git a/mls/file_contexts/program/howl.fc b/mls/file_contexts/program/howl.fc
new file mode 100644
index 0000000..4546ac1
--- /dev/null
+++ b/mls/file_contexts/program/howl.fc
@@ -0,0 +1,3 @@
+/usr/bin/nifd	--	system_u:object_r:howl_exec_t:s0
+/usr/bin/mDNSResponder	--	system_u:object_r:howl_exec_t:s0
+/var/run/nifd\.pid --	system_u:object_r:howl_var_run_t:s0
diff --git a/mls/file_contexts/program/hwclock.fc b/mls/file_contexts/program/hwclock.fc
new file mode 100644
index 0000000..9d0d909
--- /dev/null
+++ b/mls/file_contexts/program/hwclock.fc
@@ -0,0 +1,3 @@
+# hwclock
+/sbin/hwclock		--	system_u:object_r:hwclock_exec_t:s0
+/etc/adjtime		--	system_u:object_r:adjtime_t:s0
diff --git a/mls/file_contexts/program/i18n_input.fc b/mls/file_contexts/program/i18n_input.fc
new file mode 100644
index 0000000..66cea53
--- /dev/null
+++ b/mls/file_contexts/program/i18n_input.fc
@@ -0,0 +1,11 @@
+# i18n_input.fc
+/usr/sbin/htt                   --     system_u:object_r:i18n_input_exec_t:s0
+/usr/sbin/htt_server            --     system_u:object_r:i18n_input_exec_t:s0
+/usr/bin/iiimd\.bin	        --     system_u:object_r:i18n_input_exec_t:s0
+/usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t:s0
+/usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t:s0
+/usr/bin/iiimx                  --     system_u:object_r:i18n_input_exec_t:s0
+/usr/lib/iiim/iiim-xbe          --     system_u:object_r:i18n_input_exec_t:s0
+/usr/lib(64)?/im/.*\.so.*       --     system_u:object_r:shlib_t:s0
+/usr/lib(64)?/iiim/.*\.so.*     --     system_u:object_r:shlib_t:s0
+/var/run/iiim(/.*)?		       system_u:object_r:i18n_input_var_run_t:s0
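Review bot: `/usr/lib/iiim/iiim-xbe` is written without `(64)?`, while the two shared-library entries directly below it use `/usr/lib(64)?/im/` and `/usr/lib(64)?/iiim/`; on a 64-bit layout the backend binary would not receive `i18n_input_exec_t`. Suggest `/usr/lib(64)?/iiim/iiim-xbe`.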
diff --git a/mls/file_contexts/program/iceauth.fc b/mls/file_contexts/program/iceauth.fc
new file mode 100644
index 0000000..31bf1f3
--- /dev/null
+++ b/mls/file_contexts/program/iceauth.fc
@@ -0,0 +1,3 @@
+# iceauth
+/usr/X11R6/bin/iceauth	--      system_u:object_r:iceauth_exec_t
+HOME_DIR/\.ICEauthority.* --      system_u:object_r:ROLE_iceauth_home_t
diff --git a/mls/file_contexts/program/ifconfig.fc b/mls/file_contexts/program/ifconfig.fc
new file mode 100644
index 0000000..22d52ed
--- /dev/null
+++ b/mls/file_contexts/program/ifconfig.fc
@@ -0,0 +1,12 @@
+# ifconfig
+/sbin/ifconfig		--	system_u:object_r:ifconfig_exec_t:s0
+/sbin/iwconfig		--	system_u:object_r:ifconfig_exec_t:s0
+/sbin/ip		--	system_u:object_r:ifconfig_exec_t:s0
+/sbin/tc		--	system_u:object_r:ifconfig_exec_t:s0
+/usr/sbin/tc		--	system_u:object_r:ifconfig_exec_t:s0
+/bin/ip			--	system_u:object_r:ifconfig_exec_t:s0
+/sbin/ethtool		--	system_u:object_r:ifconfig_exec_t:s0
+/sbin/mii-tool		--	system_u:object_r:ifconfig_exec_t:s0
+/sbin/ipx_interface	--	system_u:object_r:ifconfig_exec_t:s0
+/sbin/ipx_configure	--	system_u:object_r:ifconfig_exec_t:s0
+/sbin/ipx_internal_net	--	system_u:object_r:ifconfig_exec_t:s0
diff --git a/mls/file_contexts/program/imazesrv.fc b/mls/file_contexts/program/imazesrv.fc
new file mode 100644
index 0000000..dae194e
--- /dev/null
+++ b/mls/file_contexts/program/imazesrv.fc
@@ -0,0 +1,4 @@
+#  imazesrv
+/usr/share/games/imaze(/.*)?	system_u:object_r:imazesrv_data_t
+/usr/games/imazesrv --	system_u:object_r:imazesrv_exec_t
+/var/log/imaze\.log --	system_u:object_r:imazesrv_log_t
diff --git a/mls/file_contexts/program/inetd.fc b/mls/file_contexts/program/inetd.fc
new file mode 100644
index 0000000..d066e36
--- /dev/null
+++ b/mls/file_contexts/program/inetd.fc
@@ -0,0 +1,8 @@
+# inetd
+/usr/sbin/inetd		--	system_u:object_r:inetd_exec_t:s0
+/usr/sbin/xinetd	--	system_u:object_r:inetd_exec_t:s0
+/usr/sbin/rlinetd	--	system_u:object_r:inetd_exec_t:s0
+/usr/sbin/identd	--	system_u:object_r:inetd_child_exec_t:s0
+/usr/sbin/in\..*d	--	system_u:object_r:inetd_child_exec_t:s0
+/var/log/(x)?inetd\.log	--	system_u:object_r:inetd_log_t:s0
+/var/run/inetd\.pid	--	system_u:object_r:inetd_var_run_t:s0
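Review bot: the pattern `/usr/sbin/in\..*d -- inetd_child_exec_t` also matches `/usr/sbin/in.nnrpd`, which innd.fc in this same patch labels `inetd_exec_t`'s counterpart `innd_exec_t`. Which label wins depends on the order in which the per-program fragments are concatenated into the final file_contexts, so the overlap should either be documented here or the inetd pattern narrowed so it cannot shadow the innd entry.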
diff --git a/mls/file_contexts/program/init.fc b/mls/file_contexts/program/init.fc
new file mode 100644
index 0000000..cdf424f
--- /dev/null
+++ b/mls/file_contexts/program/init.fc
@@ -0,0 +1,3 @@
+# init
+/dev/initctl		-p	system_u:object_r:initctl_t:s0
+/sbin/init		--	system_u:object_r:init_exec_t:s0
diff --git a/mls/file_contexts/program/initrc.fc b/mls/file_contexts/program/initrc.fc
new file mode 100644
index 0000000..65a1dba
--- /dev/null
+++ b/mls/file_contexts/program/initrc.fc
@@ -0,0 +1,48 @@
+# init rc scripts
+ifdef(`targeted_policy', `
+/etc/X11/prefdm              --      system_u:object_r:bin_t:s0
+', `
+/etc/X11/prefdm              --      system_u:object_r:initrc_exec_t:s0
+')
+/etc/rc\.d/rc		--	system_u:object_r:initrc_exec_t:s0
+/etc/rc\.d/rc\.sysinit	--	system_u:object_r:initrc_exec_t:s0
+/etc/rc\.d/rc\.local	--	system_u:object_r:initrc_exec_t:s0
+/etc/rc\.d/init\.d/.*	--	system_u:object_r:initrc_exec_t:s0
+/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t:s0
+/etc/init\.d/.*		--	system_u:object_r:initrc_exec_t:s0
+/etc/init\.d/functions	--	system_u:object_r:etc_t:s0
+/var/run/utmp		--	system_u:object_r:initrc_var_run_t:s0
+/var/run/runlevel\.dir		system_u:object_r:initrc_var_run_t:s0
+/var/run/random-seed	--	system_u:object_r:initrc_var_run_t:s0
+/var/run/setmixer_flag	--	system_u:object_r:initrc_var_run_t:s0
+ifdef(`distro_suse', `
+/var/run/sysconfig(/.*)?	system_u:object_r:initrc_var_run_t:s0
+/var/run/keymap		--	system_u:object_r:initrc_var_run_t:s0
+/var/run/numlock-on	--	system_u:object_r:initrc_var_run_t:s0
+/var/run/setleds-on	--	system_u:object_r:initrc_var_run_t:s0
+/var/run/bootsplashctl	-p	system_u:object_r:initrc_var_run_t:s0
+/etc/init\.d/\.depend.*	--	system_u:object_r:etc_runtime_t:s0
+')
+
+ifdef(`distro_gentoo', `
+/sbin/rc		--	system_u:object_r:initrc_exec_t:s0
+/sbin/runscript		--      system_u:object_r:initrc_exec_t:s0
+/sbin/runscript\.sh	--	system_u:object_r:initrc_exec_t:s0
+/var/lib/init\.d(/.*)?		system_u:object_r:initrc_state_t:s0
+')
+
+# run_init
+/usr/sbin/run_init	--	system_u:object_r:run_init_exec_t:s0
+/usr/sbin/open_init_pty	--	system_u:object_r:initrc_exec_t:s0
+/etc/nologin.*		--	system_u:object_r:etc_runtime_t:s0
+/etc/nohotplug		--	system_u:object_r:etc_runtime_t:s0
+ifdef(`distro_redhat', `
+/halt			--	system_u:object_r:etc_runtime_t:s0
+/fastboot 		--	system_u:object_r:etc_runtime_t:s0
+/fsckoptions 		--	system_u:object_r:etc_runtime_t:s0
+/forcefsck 		--	system_u:object_r:etc_runtime_t:s0
+/poweroff		--	system_u:object_r:etc_runtime_t:s0
+/\.autofsck		--	system_u:object_r:etc_runtime_t:s0
+/\.autorelabel		--	system_u:object_r:etc_runtime_t:s0
+')
+
diff --git a/mls/file_contexts/program/innd.fc b/mls/file_contexts/program/innd.fc
new file mode 100644
index 0000000..c8646ea
--- /dev/null
+++ b/mls/file_contexts/program/innd.fc
@@ -0,0 +1,50 @@
+# innd
+/usr/sbin/innd.*	--	system_u:object_r:innd_exec_t:s0
+/usr/bin/rpost          --      system_u:object_r:innd_exec_t:s0
+/usr/bin/suck           --      system_u:object_r:innd_exec_t:s0
+/var/run/innd(/.*)?		system_u:object_r:innd_var_run_t:s0
+/etc/news(/.*)?			system_u:object_r:innd_etc_t:s0
+/etc/news/boot		--	system_u:object_r:innd_exec_t:s0
+/var/spool/news(/.*)?		system_u:object_r:news_spool_t:s0
+/var/log/news(/.*)?		system_u:object_r:innd_log_t:s0
+/var/lib/news(/.*)?		system_u:object_r:innd_var_lib_t:s0
+/var/run/news(/.*)?	 	system_u:object_r:innd_var_run_t:s0
+/usr/sbin/in\.nnrpd	--	system_u:object_r:innd_exec_t:s0
+/usr/bin/inews		--	system_u:object_r:innd_exec_t:s0
+/usr/bin/rnews		--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin(/.*)?		system_u:object_r:bin_t:s0
+/usr/lib(64)?/news/bin/innd 	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/actsync	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/archive	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/batcher	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/buffchan	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/controlchan --	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/convdate	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/ctlinnd	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/cvtbatch	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/expire	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/expireover --	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/fastrm	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/filechan	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/getlist	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/grephistory --	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/inews	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/innconfval --	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/inndf	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/inndstart --	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/innfeed	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/innxbatch --	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/innxmit	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/makedbz	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/makehistory --	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/newsrequeue --	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/nnrpd	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/nntpget	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/ovdb_recover	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/overchan	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/prunehistory	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/rnews	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/shlock	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/shrinkfile	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/sm	--	system_u:object_r:innd_exec_t:s0
+/usr/lib(64)?/news/bin/startinnfeed	--	system_u:object_r:innd_exec_t:s0
diff --git a/mls/file_contexts/program/ipsec.fc b/mls/file_contexts/program/ipsec.fc
new file mode 100644
index 0000000..cb4c966
--- /dev/null
+++ b/mls/file_contexts/program/ipsec.fc
@@ -0,0 +1,32 @@
+# IPSEC utilities and daemon.
+
+/etc/ipsec\.secrets	--	system_u:object_r:ipsec_key_file_t:s0
+/etc/ipsec\.conf	--	system_u:object_r:ipsec_conf_file_t:s0
+/etc/ipsec\.d(/.*)?		system_u:object_r:ipsec_key_file_t:s0
+/etc/ipsec\.d/examples(/.*)?		system_u:object_r:etc_t:s0
+/usr/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t:s0
+/usr/lib(64)?/ipsec/_plutoload -- 	system_u:object_r:ipsec_mgmt_exec_t:s0
+/usr/lib(64)?/ipsec/_plutorun  --	system_u:object_r:ipsec_mgmt_exec_t:s0
+/usr/local/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t:s0
+/usr/libexec/ipsec/eroute	--	system_u:object_r:ipsec_exec_t:s0
+/usr/lib(64)?/ipsec/eroute	--	system_u:object_r:ipsec_exec_t:s0
+/usr/local/lib(64)?/ipsec/eroute --	system_u:object_r:ipsec_exec_t:s0
+/usr/libexec/ipsec/klipsdebug	--	system_u:object_r:ipsec_exec_t:s0
+/usr/lib(64)?/ipsec/klipsdebug --	system_u:object_r:ipsec_exec_t:s0
+/usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t:s0
+/usr/libexec/ipsec/pluto	--	system_u:object_r:ipsec_exec_t:s0
+/usr/lib(64)?/ipsec/pluto	--	system_u:object_r:ipsec_exec_t:s0
+/usr/local/lib(64)?/ipsec/pluto --	system_u:object_r:ipsec_exec_t:s0
+/usr/libexec/ipsec/spi	--	system_u:object_r:ipsec_exec_t:s0
+/usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t:s0
+/usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t:s0
+/var/run/pluto(/.*)?		system_u:object_r:ipsec_var_run_t:s0
+/var/racoon(/.*)?		system_u:object_r:ipsec_var_run_t:s0
+
+# Kame
+/usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t:s0
+/usr/sbin/setkey	--	system_u:object_r:ipsec_exec_t:s0
+/sbin/setkey		--	system_u:object_r:ipsec_exec_t:s0
+/etc/racoon(/.*)?		system_u:object_r:ipsec_conf_file_t:s0
+/etc/racoon/certs(/.*)?	system_u:object_r:ipsec_key_file_t:s0
+/etc/racoon/psk\.txt	--	system_u:object_r:ipsec_key_file_t:s0
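Review bot: under the Kame section only `/etc/racoon/certs(/.*)?` and `/etc/racoon/psk\.txt` get `ipsec_key_file_t`; everything else under `/etc/racoon(/.*)?` falls back to `ipsec_conf_file_t`. A private key or certificate that an administrator keeps directly in /etc/racoon rather than in certs/ would therefore be labeled as configuration, which is readable by whatever domains are allowed the conf type. Worth a comment in the file saying that key material must live under certs/ (or psk.txt) to be protected by the key type, mirroring how `/etc/ipsec\.d(/.*)?` above is given the key type as a whole.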
diff --git a/mls/file_contexts/program/iptables.fc b/mls/file_contexts/program/iptables.fc
new file mode 100644
index 0000000..c55fd08
--- /dev/null
+++ b/mls/file_contexts/program/iptables.fc
@@ -0,0 +1,8 @@
+# iptables
+/sbin/ipchains.*	--	system_u:object_r:iptables_exec_t:s0
+/sbin/iptables.* 	--	system_u:object_r:iptables_exec_t:s0
+/sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t:s0
+/usr/sbin/ipchains.*	--	system_u:object_r:iptables_exec_t:s0
+/usr/sbin/iptables.* 	--	system_u:object_r:iptables_exec_t:s0
+/usr/sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t:s0
+
diff --git a/mls/file_contexts/program/irc.fc b/mls/file_contexts/program/irc.fc
new file mode 100644
index 0000000..586977b
--- /dev/null
+++ b/mls/file_contexts/program/irc.fc
@@ -0,0 +1,5 @@
+# irc clients
+/usr/bin/[st]irc	--	system_u:object_r:irc_exec_t:s0
+/usr/bin/ircII		--	system_u:object_r:irc_exec_t:s0
+/usr/bin/tinyirc	--	system_u:object_r:irc_exec_t:s0
+HOME_DIR/\.ircmotd	--	system_u:object_r:ROLE_irc_home_t:s0
diff --git a/mls/file_contexts/program/ircd.fc b/mls/file_contexts/program/ircd.fc
new file mode 100644
index 0000000..2ef668c
--- /dev/null
+++ b/mls/file_contexts/program/ircd.fc
@@ -0,0 +1,6 @@
+# ircd - irc server
+/usr/sbin/(dancer-)?ircd --	system_u:object_r:ircd_exec_t
+/etc/(dancer-)?ircd(/.*)?	system_u:object_r:ircd_etc_t
+/var/log/(dancer-)?ircd(/.*)?	system_u:object_r:ircd_log_t
+/var/lib/dancer-ircd(/.*)?	system_u:object_r:ircd_var_lib_t
+/var/run/dancer-ircd(/.*)?	system_u:object_r:ircd_var_run_t
diff --git a/mls/file_contexts/program/irqbalance.fc b/mls/file_contexts/program/irqbalance.fc
new file mode 100644
index 0000000..15b5004
--- /dev/null
+++ b/mls/file_contexts/program/irqbalance.fc
@@ -0,0 +1,2 @@
+# irqbalance
+/usr/sbin/irqbalance	-- system_u:object_r:irqbalance_exec_t:s0
diff --git a/mls/file_contexts/program/jabberd.fc b/mls/file_contexts/program/jabberd.fc
new file mode 100644
index 0000000..c614cb8
--- /dev/null
+++ b/mls/file_contexts/program/jabberd.fc
@@ -0,0 +1,4 @@
+# jabberd
+/usr/sbin/jabberd	--	system_u:object_r:jabberd_exec_t
+/var/lib/jabber(/.*)?		system_u:object_r:jabberd_var_lib_t
+/var/log/jabber(/.*)?		system_u:object_r:jabberd_log_t
diff --git a/mls/file_contexts/program/java.fc b/mls/file_contexts/program/java.fc
new file mode 100644
index 0000000..0513971
--- /dev/null
+++ b/mls/file_contexts/program/java.fc
@@ -0,0 +1,2 @@
+#  java
+/usr(/.*)?/bin/java.* --	system_u:object_r:java_exec_t:s0
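Review bot: `/usr(/.*)?/bin/java.*` is very broad: the leading `(/.*)?` matches any depth under /usr and the trailing `.*` matches javac, javadoc, javah, javaws and anything else starting with "java" in a bin directory. If the intent is only the JVM launcher, `/usr(/.*)?/bin/java` (optionally with a `(_vm)?` or similar explicit alternation) is tighter; if the whole toolchain is meant to run as `java_t`, a comment saying so would help.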
diff --git a/mls/file_contexts/program/kerberos.fc b/mls/file_contexts/program/kerberos.fc
new file mode 100644
index 0000000..2faebe0
--- /dev/null
+++ b/mls/file_contexts/program/kerberos.fc
@@ -0,0 +1,20 @@
+# MIT Kerberos krbkdc, kadmind
+/etc/krb5\.keytab       		system_u:object_r:krb5_keytab_t:s0
+/usr(/local)?(/kerberos)?/sbin/krb5kdc --	system_u:object_r:krb5kdc_exec_t:s0
+/usr(/local)?(/kerberos)?/sbin/kadmind --	system_u:object_r:kadmind_exec_t:s0
+/var/kerberos/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t:s0
+/usr/local/var/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t:s0
+/var/kerberos/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t:s0
+/usr/local/var/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t:s0
+/var/log/krb5kdc\.log			system_u:object_r:krb5kdc_log_t:s0
+/var/log/kadmind\.log			system_u:object_r:kadmind_log_t:s0
+/usr(/local)?/bin/ksu		--	system_u:object_r:su_exec_t:s0
+
+# gentoo file locations
+/usr/sbin/krb5kdc			--	system_u:object_r:krb5kdc_exec_t:s0
+/usr/sbin/kadmind			--	system_u:object_r:kadmind_exec_t:s0
+/etc/krb5kdc(/.*)?				system_u:object_r:krb5kdc_conf_t:s0
+/etc/krb5kdc/principal.*		system_u:object_r:krb5kdc_principal_t:s0
+/etc/krb5kdc/kadm5.keytab 	--	system_u:object_r:krb5_keytab_t:s0
+/var/log/kadmin.log			--	system_u:object_r:kadmind_log_t:s0
+
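Review bot: two dots are unescaped, `/etc/krb5kdc/kadm5.keytab` and `/var/log/kadmin.log`, unlike `/etc/krb5\.keytab` and `/var/log/krb5kdc\.log` above; write `kadm5\.keytab` and `kadmin\.log`. The "gentoo file locations" entries `/usr/sbin/krb5kdc` and `/usr/sbin/kadmind` are already matched by `/usr(/local)?(/kerberos)?/sbin/krb5kdc` and `/usr(/local)?(/kerberos)?/sbin/kadmind` with both optional groups absent, so they are redundant and can be dropped. `/var/log/krb5kdc\.log` and `/var/log/kadmind\.log` carry no file-type field while `/var/log/kadmin.log` has `--`; make the three consistent. The trailing blank line can go.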
diff --git a/mls/file_contexts/program/klogd.fc b/mls/file_contexts/program/klogd.fc
new file mode 100644
index 0000000..5fcdf29
--- /dev/null
+++ b/mls/file_contexts/program/klogd.fc
@@ -0,0 +1,4 @@
+# klogd
+/sbin/klogd		--	system_u:object_r:klogd_exec_t:s0
+/usr/sbin/klogd		--	system_u:object_r:klogd_exec_t:s0
+/var/run/klogd\.pid	--	system_u:object_r:klogd_var_run_t:s0
diff --git a/mls/file_contexts/program/ktalkd.fc b/mls/file_contexts/program/ktalkd.fc
new file mode 100644
index 0000000..33973fd
--- /dev/null
+++ b/mls/file_contexts/program/ktalkd.fc
@@ -0,0 +1,2 @@
+# kde talk daemon 
+/usr/bin/ktalkd	--	system_u:object_r:ktalkd_exec_t:s0
diff --git a/mls/file_contexts/program/kudzu.fc b/mls/file_contexts/program/kudzu.fc
new file mode 100644
index 0000000..3602a30
--- /dev/null
+++ b/mls/file_contexts/program/kudzu.fc
@@ -0,0 +1,4 @@
+# kudzu
+(/usr)?/sbin/kudzu	--	system_u:object_r:kudzu_exec_t:s0
+/sbin/kmodule	--	system_u:object_r:kudzu_exec_t:s0
+/var/run/Xconfig --	root:object_r:kudzu_var_run_t:s0
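Review bot: `/var/run/Xconfig` is given the context `root:object_r:kudzu_var_run_t:s0`, i.e. SELinux user `root` rather than the `system_u` used by every other entry in this patch. For a file created at boot by a system daemon `system_u` is the expected user component; if `root` is intentional it should be commented, since `root` must exist as an SELinux user in the policy for the context to be valid.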
diff --git a/mls/file_contexts/program/lcd.fc b/mls/file_contexts/program/lcd.fc
new file mode 100644
index 0000000..4294d44
--- /dev/null
+++ b/mls/file_contexts/program/lcd.fc
@@ -0,0 +1,2 @@
+# lcd
+/usr/sbin/lcd.*		--	system_u:object_r:lcd_exec_t
diff --git a/mls/file_contexts/program/ldconfig.fc b/mls/file_contexts/program/ldconfig.fc
new file mode 100644
index 0000000..1f82fcf
--- /dev/null
+++ b/mls/file_contexts/program/ldconfig.fc
@@ -0,0 +1 @@
+/sbin/ldconfig		--	system_u:object_r:ldconfig_exec_t:s0
diff --git a/mls/file_contexts/program/load_policy.fc b/mls/file_contexts/program/load_policy.fc
new file mode 100644
index 0000000..a4c98ce
--- /dev/null
+++ b/mls/file_contexts/program/load_policy.fc
@@ -0,0 +1,3 @@
+# load_policy
+/usr/sbin/load_policy		--	system_u:object_r:load_policy_exec_t:s0
+/sbin/load_policy		--	system_u:object_r:load_policy_exec_t:s0
diff --git a/mls/file_contexts/program/loadkeys.fc b/mls/file_contexts/program/loadkeys.fc
new file mode 100644
index 0000000..ebe1cfc
--- /dev/null
+++ b/mls/file_contexts/program/loadkeys.fc
@@ -0,0 +1,3 @@
+# loadkeys
+/bin/unikeys		--	system_u:object_r:loadkeys_exec_t:s0
+/bin/loadkeys		--	system_u:object_r:loadkeys_exec_t:s0
diff --git a/mls/file_contexts/program/lockdev.fc b/mls/file_contexts/program/lockdev.fc
new file mode 100644
index 0000000..b917bf7
--- /dev/null
+++ b/mls/file_contexts/program/lockdev.fc
@@ -0,0 +1,2 @@
+# lockdev 
+/usr/sbin/lockdev	--	system_u:object_r:lockdev_exec_t:s0
diff --git a/mls/file_contexts/program/login.fc b/mls/file_contexts/program/login.fc
new file mode 100644
index 0000000..ab8bf1a
--- /dev/null
+++ b/mls/file_contexts/program/login.fc
@@ -0,0 +1,3 @@
+# login
+/bin/login		--	system_u:object_r:login_exec_t:s0
+/usr/kerberos/sbin/login\.krb5	--	system_u:object_r:login_exec_t:s0
diff --git a/mls/file_contexts/program/logrotate.fc b/mls/file_contexts/program/logrotate.fc
new file mode 100644
index 0000000..85b6ee7
--- /dev/null
+++ b/mls/file_contexts/program/logrotate.fc
@@ -0,0 +1,13 @@
+# logrotate
+/usr/sbin/logrotate	--	system_u:object_r:logrotate_exec_t:s0
+/usr/sbin/logcheck	--	system_u:object_r:logrotate_exec_t:s0
+ifdef(`distro_debian', `
+/usr/bin/savelog	--	system_u:object_r:logrotate_exec_t:s0
+/var/lib/logrotate(/.*)?	system_u:object_r:logrotate_var_lib_t:s0
+', `
+/var/lib/logrotate\.status --	system_u:object_r:logrotate_var_lib_t:s0
+')
+/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t:s0
+/var/lib/logcheck(/.*)?		system_u:object_r:logrotate_var_lib_t:s0
+# using a hard-coded name under /var/tmp is a bug - new version fixes it
+/var/tmp/logcheck	-d	system_u:object_r:logrotate_tmp_t:s0
diff --git a/mls/file_contexts/program/lpd.fc b/mls/file_contexts/program/lpd.fc
new file mode 100644
index 0000000..da61bf4
--- /dev/null
+++ b/mls/file_contexts/program/lpd.fc
@@ -0,0 +1,8 @@
+# lpd
+/dev/printer		-s	system_u:object_r:printer_t:s0
+/usr/sbin/lpd		--	system_u:object_r:lpd_exec_t:s0
+/usr/sbin/checkpc	--	system_u:object_r:checkpc_exec_t:s0
+/var/spool/lpd(/.*)?		system_u:object_r:print_spool_t:s0
+/usr/share/printconf/.* --	system_u:object_r:printconf_t:s0
+/usr/share/printconf/util/print\.py -- system_u:object_r:bin_t:s0
+/var/run/lprng(/.*)?		system_u:object_r:lpd_var_run_t:s0
diff --git a/mls/file_contexts/program/lpr.fc b/mls/file_contexts/program/lpr.fc
new file mode 100644
index 0000000..a2725c7
--- /dev/null
+++ b/mls/file_contexts/program/lpr.fc
@@ -0,0 +1,4 @@
+# lp utilities.
+/usr/bin/lpr(\.cups)?	--	system_u:object_r:lpr_exec_t:s0
+/usr/bin/lpq(\.cups)?	--	system_u:object_r:lpr_exec_t:s0
+/usr/bin/lprm(\.cups)?	--	system_u:object_r:lpr_exec_t:s0
diff --git a/mls/file_contexts/program/lrrd.fc b/mls/file_contexts/program/lrrd.fc
new file mode 100644
index 0000000..08494fc
--- /dev/null
+++ b/mls/file_contexts/program/lrrd.fc
@@ -0,0 +1,10 @@
+# lrrd
+/usr/bin/lrrd-.*		--	system_u:object_r:lrrd_exec_t
+/usr/sbin/lrrd-.*		--	system_u:object_r:lrrd_exec_t
+/usr/share/lrrd/lrrd-.*		--	system_u:object_r:lrrd_exec_t
+/usr/share/lrrd/plugins/.*	--	system_u:object_r:lrrd_exec_t
+/var/run/lrrd(/.*)?			system_u:object_r:lrrd_var_run_t
+/var/log/lrrd.*			--	system_u:object_r:lrrd_log_t
+/var/lib/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
+/var/www/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
+/etc/lrrd(/.*)?				system_u:object_r:lrrd_etc_t
diff --git a/mls/file_contexts/program/lvm.fc b/mls/file_contexts/program/lvm.fc
new file mode 100644
index 0000000..baa6ce1
--- /dev/null
+++ b/mls/file_contexts/program/lvm.fc
@@ -0,0 +1,69 @@
+# lvm
+/sbin/lvmiopversion	--	system_u:object_r:lvm_exec_t:s0
+/etc/lvm(/.*)?			system_u:object_r:lvm_etc_t:s0
+/etc/lvm/\.cache	--	system_u:object_r:lvm_metadata_t:s0
+/etc/lvm/archive(/.*)?		system_u:object_r:lvm_metadata_t:s0
+/etc/lvm/backup(/.*)?		system_u:object_r:lvm_metadata_t:s0
+/etc/lvmtab(/.*)?		system_u:object_r:lvm_metadata_t:s0
+/etc/lvmtab\.d(/.*)?		system_u:object_r:lvm_metadata_t:s0
+# LVM creates lock files in /var before /var is mounted
+# configure LVM to put lockfiles in /etc/lvm/lock instead
+# for this policy to work (unless you have no separate /var)
+/etc/lvm/lock(/.*)?		system_u:object_r:lvm_lock_t:s0
+/var/lock/lvm(/.*)?		system_u:object_r:lvm_lock_t:s0
+/dev/lvm		-c	system_u:object_r:fixed_disk_device_t:s0
+/dev/mapper/control	-c	system_u:object_r:lvm_control_t:s0
+/lib/lvm-10/.*		--	system_u:object_r:lvm_exec_t:s0
+/lib/lvm-200/.*		--	system_u:object_r:lvm_exec_t:s0
+/sbin/e2fsadm		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvchange		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvcreate		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvdisplay		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvextend		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvmchange		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvmdiskscan	--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvmsadc		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvmsar		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvreduce		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvremove		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvrename		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvscan		--	system_u:object_r:lvm_exec_t:s0
+/sbin/pvchange		--	system_u:object_r:lvm_exec_t:s0
+/sbin/pvcreate		--	system_u:object_r:lvm_exec_t:s0
+/sbin/pvdata		--	system_u:object_r:lvm_exec_t:s0
+/sbin/pvdisplay		--	system_u:object_r:lvm_exec_t:s0
+/sbin/pvmove		--	system_u:object_r:lvm_exec_t:s0
+/sbin/pvscan		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgcfgbackup	--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgcfgrestore	--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgchange		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgchange\.static	--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgck		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgcreate		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgdisplay		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgexport		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgextend		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgimport		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgmerge		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgmknodes		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgreduce		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgremove		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgrename		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgscan		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgscan\.static	--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgsplit		--	system_u:object_r:lvm_exec_t:s0
+/sbin/vgwrapper		--	system_u:object_r:lvm_exec_t:s0
+/sbin/cryptsetup	--	system_u:object_r:lvm_exec_t:s0
+/sbin/dmsetup      --      system_u:object_r:lvm_exec_t:s0
+/sbin/dmsetup\.static --    system_u:object_r:lvm_exec_t:s0
+/sbin/lvm          --      system_u:object_r:lvm_exec_t:s0
+/sbin/lvm\.static   --      system_u:object_r:lvm_exec_t:s0
+/usr/sbin/lvm		--	system_u:object_r:lvm_exec_t:s0
+/sbin/lvresize     --      system_u:object_r:lvm_exec_t:s0
+/sbin/lvs          --      system_u:object_r:lvm_exec_t:s0
+/sbin/pvremove     --      system_u:object_r:lvm_exec_t:s0
+/sbin/pvs          --      system_u:object_r:lvm_exec_t:s0
+/sbin/vgs          --      system_u:object_r:lvm_exec_t:s0
+/sbin/multipathd   --      system_u:object_r:lvm_exec_t:s0
+/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t:s0
+/usr/sbin/clvmd   --      system_u:object_r:clvmd_exec_t:s0
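Review bot: the entries from `/sbin/dmsetup` down to `/usr/sbin/clvmd` are aligned with runs of spaces while the rest of the file uses tabs; normalise to tabs. The comment block above `/etc/lvm/lock(/.*)?` states a deployment requirement (LVM must be configured to keep its lock files in /etc/lvm/lock when /var is a separate filesystem) that a reader of file_contexts alone will not act on; it belongs in the policy documentation or lvm.te as well, not only here.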
diff --git a/mls/file_contexts/program/mailman.fc b/mls/file_contexts/program/mailman.fc
new file mode 100644
index 0000000..d8d5b4b
--- /dev/null
+++ b/mls/file_contexts/program/mailman.fc
@@ -0,0 +1,24 @@
+# mailman list server
+/var/lib/mailman(/.*)?		   system_u:object_r:mailman_data_t:s0
+/var/log/mailman(/.*)?		   system_u:object_r:mailman_log_t:s0
+/usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t:s0
+/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t:s0
+/var/run/mailman(/.*)?		   system_u:object_r:mailman_lock_t:s0
+/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t:s0
+
+ifdef(`distro_debian', `
+/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t:s0
+/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t:s0
+/usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t:s0
+/etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t:s0
+/etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t:s0
+')
+
+ifdef(`distro_redhat', `
+/usr/lib/mailman/cgi-bin/.*	 -- system_u:object_r:mailman_cgi_exec_t:s0
+/var/lock/mailman(/.*)?		    system_u:object_r:mailman_lock_t:s0
+/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t:s0
+/usr/lib/mailman/bin/qrunner  	 -- system_u:object_r:mailman_queue_exec_t:s0
+/etc/mailman(/.*)?		   system_u:object_r:mailman_data_t:s0
+/var/spool/mailman(/.*)?	   system_u:object_r:mailman_data_t:s0
+')
diff --git a/mls/file_contexts/program/mdadm.fc b/mls/file_contexts/program/mdadm.fc
new file mode 100644
index 0000000..61ebacd
--- /dev/null
+++ b/mls/file_contexts/program/mdadm.fc
@@ -0,0 +1,4 @@
+# mdadm - manage MD devices aka Linux Software Raid.
+/sbin/mdmpd		--	system_u:object_r:mdadm_exec_t:s0
+/sbin/mdadm		--	system_u:object_r:mdadm_exec_t:s0
+/var/run/mdadm(/.*)?            system_u:object_r:mdadm_var_run_t:s0 
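Review bot: the `/var/run/mdadm(/.*)?` line ends with a trailing space after `:s0`; strip it so the context string is not followed by whitespace that some parsers may include.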
diff --git a/mls/file_contexts/program/modutil.fc b/mls/file_contexts/program/modutil.fc
new file mode 100644
index 0000000..0c88179
--- /dev/null
+++ b/mls/file_contexts/program/modutil.fc
@@ -0,0 +1,14 @@
+# module utilities
+/etc/modules\.conf.*	--	system_u:object_r:modules_conf_t:s0
+/etc/modprobe\.conf.*	--	system_u:object_r:modules_conf_t:s0
+/lib(64)?/modules/modprobe\.conf --	system_u:object_r:modules_conf_t:s0
+/lib(64)?/modules(/.*)?		system_u:object_r:modules_object_t:s0
+/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t:s0
+/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t:s0
+/sbin/depmod.*		--	system_u:object_r:depmod_exec_t:s0
+/sbin/modprobe.*	--	system_u:object_r:insmod_exec_t:s0
+/sbin/insmod.*		--	system_u:object_r:insmod_exec_t:s0
+/sbin/insmod_ksymoops_clean --	system_u:object_r:sbin_t:s0
+/sbin/rmmod.*		--	system_u:object_r:insmod_exec_t:s0
+/sbin/update-modules	--	system_u:object_r:update_modules_exec_t:s0
+/sbin/generate-modprobe\.conf -- system_u:object_r:update_modules_exec_t:s0
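Review bot: the `/lib(64)?/modules/modprobe\.conf` entry is redundant: `/lib(64)?/modules/modprobe\.conf.*` three lines later matches the same path (the `.*` suffix allows the empty string) and assigns the same `modules_conf_t`, so one of the two can be dropped. The rest of the file follows the `--` file-type convention used across the tree.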
diff --git a/mls/file_contexts/program/monopd.fc b/mls/file_contexts/program/monopd.fc
new file mode 100644
index 0000000..457493e
--- /dev/null
+++ b/mls/file_contexts/program/monopd.fc
@@ -0,0 +1,4 @@
+# monopd
+/etc/monopd\.conf	--	system_u:object_r:monopd_etc_t
+/usr/sbin/monopd	--	system_u:object_r:monopd_exec_t
+/usr/share/monopd/games(/.*)?	system_u:object_r:monopd_share_t
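Review bot: every context in this file lacks the MLS level, `...:monopd_etc_t` rather than `...:monopd_etc_t:s0`, while the neighbouring files added by this same patch (mdadm.fc, modutil.fc, mount.fc) carry `:s0`. Unless the build step appends a default level, an MLS-enabled setfiles will reject a context without one, so these entries would fail at relabel time; append `:s0` to all three. The same omission recurs in several other new files in this patch (mozilla.fc, mplayer.fc, nagios.fc, nessusd.fc, nrpe.fc, nsd.fc, nx_server.fc, oav-update.fc, openca-ca.fc, openca-common.fc, openvpn.fc, perdition.fc, portslave.fc, postgrey.fc, publicfile.fc, pxe.fc, pyzor.fc, qmail.fc), so it is worth a single pass over the directory rather than per-file fixes.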
diff --git a/mls/file_contexts/program/mount.fc b/mls/file_contexts/program/mount.fc
new file mode 100644
index 0000000..93b7874
--- /dev/null
+++ b/mls/file_contexts/program/mount.fc
@@ -0,0 +1,3 @@
+# mount
+/bin/mount.*			--	system_u:object_r:mount_exec_t:s0
+/bin/umount.*			--	system_u:object_r:mount_exec_t:s0
diff --git a/mls/file_contexts/program/mozilla.fc b/mls/file_contexts/program/mozilla.fc
new file mode 100644
index 0000000..2b533a6
--- /dev/null
+++ b/mls/file_contexts/program/mozilla.fc
@@ -0,0 +1,21 @@
+#  netscape/mozilla
+HOME_DIR/\.galeon(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.netscape(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.mozilla(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.phoenix(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.java(/.*)?		system_u:object_r:ROLE_mozilla_home_t
+/usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
+/usr/bin/mozilla	--	system_u:object_r:mozilla_exec_t
+/usr/bin/mozilla-snapshot --	system_u:object_r:mozilla_exec_t
+/usr/bin/epiphany-bin   --	system_u:object_r:mozilla_exec_t
+/usr/bin/mozilla-[0-9].* --	system_u:object_r:mozilla_exec_t
+/usr/bin/mozilla-bin-[0-9].* --	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/mozilla[^/]*/reg.+	--	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/mozilla[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/firefox[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin --	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/[^/]*firefox[^/]*/firefox --	system_u:object_r:bin_t
+/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
diff --git a/mls/file_contexts/program/mplayer.fc b/mls/file_contexts/program/mplayer.fc
new file mode 100644
index 0000000..10465aa
--- /dev/null
+++ b/mls/file_contexts/program/mplayer.fc
@@ -0,0 +1,6 @@
+# mplayer
+/usr/bin/mplayer	--	   	system_u:object_r:mplayer_exec_t
+/usr/bin/mencoder	--	   	system_u:object_r:mencoder_exec_t
+
+/etc/mplayer(/.*)?		system_u:object_r:mplayer_etc_t
+HOME_DIR/\.mplayer(/.*)?        system_u:object_r:ROLE_mplayer_home_t
diff --git a/mls/file_contexts/program/mrtg.fc b/mls/file_contexts/program/mrtg.fc
new file mode 100644
index 0000000..ed68c4e
--- /dev/null
+++ b/mls/file_contexts/program/mrtg.fc
@@ -0,0 +1,7 @@
+# mrtg - traffic grapher
+/usr/bin/mrtg		--	system_u:object_r:mrtg_exec_t:s0
+/var/lib/mrtg(/.*)?		system_u:object_r:mrtg_var_lib_t:s0
+/var/lock/mrtg(/.*)?		system_u:object_r:mrtg_lock_t:s0
+/etc/mrtg.*			system_u:object_r:mrtg_etc_t:s0
+/etc/mrtg/mrtg\.ok	--	system_u:object_r:mrtg_lock_t:s0
+/var/log/mrtg(/.*)?		system_u:object_r:mrtg_log_t:s0
diff --git a/mls/file_contexts/program/mta.fc b/mls/file_contexts/program/mta.fc
new file mode 100644
index 0000000..68b30e8
--- /dev/null
+++ b/mls/file_contexts/program/mta.fc
@@ -0,0 +1,12 @@
+# types for general mail servers
+/usr/sbin/sendmail(.sendmail)?	-- system_u:object_r:sendmail_exec_t:s0
+/usr/lib(64)?/sendmail		-- system_u:object_r:sendmail_exec_t:s0
+/etc/aliases		--	system_u:object_r:etc_aliases_t:s0
+/etc/aliases\.db	--	system_u:object_r:etc_aliases_t:s0
+/var/spool/mail(/.*)?		system_u:object_r:mail_spool_t:s0
+/var/mail(/.*)?			system_u:object_r:mail_spool_t:s0
+ifdef(`postfix.te', `', `
+/usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t:s0
+/var/spool/postfix(/.*)?		system_u:object_r:mail_spool_t:s0
+')
+
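Review bot: in `/usr/sbin/sendmail(.sendmail)?` the dot inside the group is unescaped, so the pattern also matches `/usr/sbin/sendmailXsendmail`; `(\.sendmail)?` is what the rest of this file does for `/etc/aliases\.db`. The `ifdef(`postfix.te', ...)` fallback block deserves a comment: when the postfix policy is built, `sendmail.postfix` and `/var/spool/postfix` are labelled by postfix.fc instead, and a reader of this file alone cannot tell that. The file also ends with a stray empty line.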
diff --git a/mls/file_contexts/program/mysqld.fc b/mls/file_contexts/program/mysqld.fc
new file mode 100644
index 0000000..22933da
--- /dev/null
+++ b/mls/file_contexts/program/mysqld.fc
@@ -0,0 +1,12 @@
+# mysql database server
+/usr/sbin/mysqld(-max)?	--	system_u:object_r:mysqld_exec_t:s0
+/usr/libexec/mysqld	--	system_u:object_r:mysqld_exec_t:s0
+/var/run/mysqld(/.*)?		system_u:object_r:mysqld_var_run_t:s0
+/var/log/mysql.*	--	system_u:object_r:mysqld_log_t:s0
+/var/lib/mysql(/.*)?		system_u:object_r:mysqld_db_t:s0
+/var/lib/mysql/mysql\.sock -s	system_u:object_r:mysqld_var_run_t:s0
+/etc/my\.cnf		--	system_u:object_r:mysqld_etc_t:s0
+/etc/mysql(/.*)?		system_u:object_r:mysqld_etc_t:s0
+ifdef(`distro_debian', `
+/etc/mysql/debian-start	--	system_u:object_r:bin_t:s0
+')
diff --git a/mls/file_contexts/program/nagios.fc b/mls/file_contexts/program/nagios.fc
new file mode 100644
index 0000000..6a8a22d
--- /dev/null
+++ b/mls/file_contexts/program/nagios.fc
@@ -0,0 +1,15 @@
+# nagios - network monitoring server
+/var/log/netsaint(/.*)?			system_u:object_r:nagios_log_t
+/usr/lib(64)?/netsaint/plugins(/.*)?		system_u:object_r:bin_t
+/usr/lib(64)?/cgi-bin/netsaint/.+	--	system_u:object_r:nagios_cgi_exec_t
+# nagios
+ifdef(`distro_debian', `
+/usr/sbin/nagios		--	system_u:object_r:nagios_exec_t
+/usr/lib/cgi-bin/nagios/.+	--	system_u:object_r:nagios_cgi_exec_t
+', `
+/usr/bin/nagios			--	system_u:object_r:nagios_exec_t
+/usr/lib(64)?/nagios/cgi/.+	--	system_u:object_r:nagios_cgi_exec_t
+')
+/etc/nagios(/.*)?			system_u:object_r:nagios_etc_t
+/var/log/nagios(/.*)?			system_u:object_r:nagios_log_t
+/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t
diff --git a/mls/file_contexts/program/named.fc b/mls/file_contexts/program/named.fc
new file mode 100644
index 0000000..b94d641
--- /dev/null
+++ b/mls/file_contexts/program/named.fc
@@ -0,0 +1,49 @@
+# named
+ifdef(`distro_redhat', `
+/var/named(/.*)?		system_u:object_r:named_zone_t:s0
+/var/named/slaves(/.*)?		system_u:object_r:named_cache_t:s0
+/var/named/data(/.*)?		system_u:object_r:named_cache_t:s0
+/etc/named\.conf	--	system_u:object_r:named_conf_t:s0
+') dnl end distro_redhat
+
+ifdef(`distro_debian', `
+/etc/bind(/.*)?			system_u:object_r:named_zone_t:s0
+/etc/bind/named\.conf	--	system_u:object_r:named_conf_t:s0
+/etc/bind/rndc\.key	--	system_u:object_r:dnssec_t:s0
+/var/cache/bind(/.*)?		system_u:object_r:named_cache_t:s0
+') dnl distro_debian
+
+/etc/rndc.*		--	system_u:object_r:named_conf_t:s0
+/etc/rndc\.key		-- 	system_u:object_r:dnssec_t:s0
+/usr/sbin/named      	--	system_u:object_r:named_exec_t:s0
+/usr/sbin/named-checkconf --	system_u:object_r:named_checkconf_exec_t:s0
+/usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t:s0
+/var/run/ndc		-s	system_u:object_r:named_var_run_t:s0
+/var/run/bind(/.*)?		system_u:object_r:named_var_run_t:s0
+/var/run/named(/.*)?		system_u:object_r:named_var_run_t:s0
+/usr/sbin/lwresd	--	system_u:object_r:named_exec_t:s0
+/var/log/named.* 	--  system_u:object_r:named_log_t:s0
+
+ifdef(`distro_redhat', `
+/var/named/named\.ca	--	system_u:object_r:named_conf_t:s0
+/var/named/chroot(/.*)?		system_u:object_r:named_conf_t:s0
+/var/named/chroot/dev/null   -c	system_u:object_r:null_device_t:s0
+/var/named/chroot/dev/random -c	system_u:object_r:random_device_t:s0
+/var/named/chroot/dev/zero -c	system_u:object_r:zero_device_t:s0
+/var/named/chroot/etc(/.*)? 	system_u:object_r:named_conf_t:s0
+/var/named/chroot/etc/rndc.key  -- system_u:object_r:dnssec_t:s0
+/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t:s0
+/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t:s0
+/var/named/chroot/var/named(/.*)?	system_u:object_r:named_zone_t:s0
+/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t:s0
+/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t:s0
+/var/named/chroot/var/named/named\.ca	--	system_u:object_r:named_conf_t:s0
+') dnl distro_redhat
+
+ifdef(`distro_gentoo', `
+/etc/bind(/.*)?         system_u:object_r:named_zone_t:s0
+/etc/bind/named\.conf   --  system_u:object_r:named_conf_t:s0
+/etc/bind/rndc\.key    --  system_u:object_r:dnssec_t:s0
+/var/bind(/.*)?             system_u:object_r:named_cache_t:s0
+/var/bind/pri(/.*)?         system_u:object_r:named_zone_t:s0
+') dnl distro_gentoo
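Review bot: `/var/named/chroot/etc/rndc.key` has an unescaped dot, unlike `/etc/rndc\.key`, `/etc/bind/rndc\.key` and the gentoo block's `/etc/bind/rndc\.key` elsewhere in this file; it still matches, but for consistency and auditability it should be `rndc\.key`. The ordering is load-bearing in two places: `/etc/rndc\.key` (dnssec_t) must stay after `/etc/rndc.*` (named_conf_t), and `/var/named/chroot/etc/rndc.key` (dnssec_t) after `/var/named/chroot/etc(/.*)?` (named_conf_t), since the later matching entry wins. A short comment on those lines would keep a future reordering from silently giving the key file `named_conf_t`.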
diff --git a/mls/file_contexts/program/nessusd.fc b/mls/file_contexts/program/nessusd.fc
new file mode 100644
index 0000000..adec00b
--- /dev/null
+++ b/mls/file_contexts/program/nessusd.fc
@@ -0,0 +1,6 @@
+# nessusd - network scanning server
+/usr/sbin/nessusd	--	system_u:object_r:nessusd_exec_t
+/usr/lib(64)?/nessus/plugins/.* --	system_u:object_r:nessusd_exec_t
+/var/lib/nessus(/.*)?	 	system_u:object_r:nessusd_db_t
+/var/log/nessus(/.*)?		system_u:object_r:nessusd_log_t
+/etc/nessus/nessusd\.conf --	system_u:object_r:nessusd_etc_t
diff --git a/mls/file_contexts/program/netutils.fc b/mls/file_contexts/program/netutils.fc
new file mode 100644
index 0000000..a6ae5d5
--- /dev/null
+++ b/mls/file_contexts/program/netutils.fc
@@ -0,0 +1,4 @@
+# network utilities
+/sbin/arping		--	system_u:object_r:netutils_exec_t:s0
+/usr/sbin/tcpdump	--	system_u:object_r:netutils_exec_t:s0
+/etc/network/ifstate	--	system_u:object_r:etc_runtime_t:s0
diff --git a/mls/file_contexts/program/newrole.fc b/mls/file_contexts/program/newrole.fc
new file mode 100644
index 0000000..6b03678
--- /dev/null
+++ b/mls/file_contexts/program/newrole.fc
@@ -0,0 +1,2 @@
+# newrole
+/usr/bin/newrole	--		system_u:object_r:newrole_exec_t:s0
diff --git a/mls/file_contexts/program/nrpe.fc b/mls/file_contexts/program/nrpe.fc
new file mode 100644
index 0000000..6523cc3
--- /dev/null
+++ b/mls/file_contexts/program/nrpe.fc
@@ -0,0 +1,7 @@
+# nrpe
+/usr/bin/nrpe		--	system_u:object_r:nrpe_exec_t
+/etc/nagios/nrpe\.cfg	--	system_u:object_r:nrpe_etc_t
+ifdef(`nagios.te', `', `
+/usr/lib(64)?/netsaint/plugins(/.*)?	system_u:object_r:bin_t
+/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t
+')
diff --git a/mls/file_contexts/program/nscd.fc b/mls/file_contexts/program/nscd.fc
new file mode 100644
index 0000000..aa8af5b
--- /dev/null
+++ b/mls/file_contexts/program/nscd.fc
@@ -0,0 +1,7 @@
+# nscd
+/usr/sbin/nscd		--	system_u:object_r:nscd_exec_t:s0
+/var/run/\.nscd_socket	-s	system_u:object_r:nscd_var_run_t:s0
+/var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t:s0
+/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t:s0
+/var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t:s0
+/var/log/nscd\.log.*	--	system_u:object_r:nscd_log_t:s0
diff --git a/mls/file_contexts/program/nsd.fc b/mls/file_contexts/program/nsd.fc
new file mode 100644
index 0000000..43b49fe
--- /dev/null
+++ b/mls/file_contexts/program/nsd.fc
@@ -0,0 +1,12 @@
+# nsd
+/etc/nsd(/.*)?       		system_u:object_r:nsd_conf_t
+/etc/nsd/primary(/.*)?		system_u:object_r:nsd_zone_t
+/etc/nsd/secondary(/.*)?	system_u:object_r:nsd_zone_t
+/etc/nsd/nsd\.db		--	system_u:object_r:nsd_db_t
+/var/lib/nsd(/.*)?		system_u:object_r:nsd_zone_t
+/var/lib/nsd/nsd\.db	--	system_u:object_r:nsd_db_t
+/usr/sbin/nsd      	--	system_u:object_r:nsd_exec_t
+/usr/sbin/nsdc      	--	system_u:object_r:nsd_exec_t
+/usr/sbin/nsd-notify	--	system_u:object_r:nsd_exec_t
+/usr/sbin/zonec		--	system_u:object_r:nsd_exec_t
+/var/run/nsd\.pid	--	system_u:object_r:nsd_var_run_t
diff --git a/mls/file_contexts/program/ntpd.fc b/mls/file_contexts/program/ntpd.fc
new file mode 100644
index 0000000..b9040bb
--- /dev/null
+++ b/mls/file_contexts/program/ntpd.fc
@@ -0,0 +1,12 @@
+/var/lib/ntp(/.*)?			system_u:object_r:ntp_drift_t:s0
+/etc/ntp/data(/.*)?			system_u:object_r:ntp_drift_t:s0
+/etc/ntp(d)?\.conf.*	--	system_u:object_r:net_conf_t:s0
+/etc/ntp/step-tickers.*		--	system_u:object_r:net_conf_t:s0
+/usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t:s0
+/usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t:s0
+/var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t:s0
+/var/log/ntp.*			--	system_u:object_r:ntpd_log_t:s0
+/var/log/xntpd.*		--	system_u:object_r:ntpd_log_t:s0
+/var/run/ntpd\.pid		--	system_u:object_r:ntpd_var_run_t:s0
+/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t:s0
+/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t:s0
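Review bot: this file has no header comment, unlike every other .fc file in the patch; add `# ntpd` at the top. Labelling the two `/etc/cron\.(daily|weekly)/ntp-*` scripts with the daemon's own `ntpd_exec_t`, so that cron runs a shell script in the ntpd domain, is a deliberate choice that warrants a comment explaining why a separate script type was not used.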
diff --git a/mls/file_contexts/program/nx_server.fc b/mls/file_contexts/program/nx_server.fc
new file mode 100644
index 0000000..d993646
--- /dev/null
+++ b/mls/file_contexts/program/nx_server.fc
@@ -0,0 +1,5 @@
+# nx
+/opt/NX/bin/nxserver		--	system_u:object_r:nx_server_exec_t
+/opt/NX/var(/.*)?			system_u:object_r:nx_server_var_run_t
+/opt/NX/home/nx/\.ssh(/.*)?		system_u:object_r:nx_server_home_ssh_t
+
diff --git a/mls/file_contexts/program/oav-update.fc b/mls/file_contexts/program/oav-update.fc
new file mode 100644
index 0000000..5e88a02
--- /dev/null
+++ b/mls/file_contexts/program/oav-update.fc
@@ -0,0 +1,4 @@
+/var/lib/oav-virussignatures -- system_u:object_r:oav_update_var_lib_t
+/var/lib/oav-update(/.*)?	system_u:object_r:oav_update_var_lib_t
+/usr/sbin/oav-update	--	system_u:object_r:oav_update_exec_t
+/etc/oav-update(/.*)?		system_u:object_r:oav_update_etc_t
diff --git a/mls/file_contexts/program/openca-ca.fc b/mls/file_contexts/program/openca-ca.fc
new file mode 100644
index 0000000..99ddefe
--- /dev/null
+++ b/mls/file_contexts/program/openca-ca.fc
@@ -0,0 +1,8 @@
+/etc/openca(/.*)?		system_u:object_r:openca_etc_t
+/etc/openca/rbac(/.*)?		system_u:object_r:openca_etc_writeable_t
+/etc/openca/*.\.in(/.*)?	system_u:object_r:openca_etc_in_t
+/var/lib/openca(/.*)?		system_u:object_r:openca_var_lib_t
+/var/lib/openca/crypto/keys(/.*)?	system_u:object_r:openca_var_lib_keys_t
+/usr/share/openca(/.*)?		system_u:object_r:openca_usr_share_t
+/usr/share/openca/htdocs(/.*)?	system_u:object_r:httpd_sys_content_t
+/usr/share/openca/cgi-bin/ca/.+ --	system_u:object_r:openca_ca_exec_t
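Review bot: the first seven entries here are byte-for-byte the same as openca-common.fc in this patch, including the malformed `/etc/openca/*.\.in(/.*)?` pattern; keeping the shared entries only in openca-common.fc and leaving just the `/usr/share/openca/cgi-bin/ca/.+` line in this file avoids the two copies drifting apart, and means the regex needs fixing in one place.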
diff --git a/mls/file_contexts/program/openca-common.fc b/mls/file_contexts/program/openca-common.fc
new file mode 100644
index 0000000..b75952f
--- /dev/null
+++ b/mls/file_contexts/program/openca-common.fc
@@ -0,0 +1,7 @@
+/etc/openca(/.*)?			system_u:object_r:openca_etc_t
+/etc/openca/rbac(/.*)?			system_u:object_r:openca_etc_writeable_t
+/etc/openca/*.\.in(/.*)?		system_u:object_r:openca_etc_in_t
+/var/lib/openca(/.*)?			system_u:object_r:openca_var_lib_t
+/var/lib/openca/crypto/keys(/.*)?	system_u:object_r:openca_var_lib_keys_t
+/usr/share/openca(/.*)?			system_u:object_r:openca_usr_share_t
+/usr/share/openca/htdocs(/.*)?		system_u:object_r:httpd_sys_content_t
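Review bot: `/etc/openca/*.\.in(/.*)?` is a malformed regex: `/*` means zero or more slashes and the following `.` matches exactly one character, so the pattern matches only single-character names such as `/etc/openca/X.in` (and even `/etc/opencaX.in`), never a real template like `/etc/openca/foo.in`. The likely intent is `/etc/openca/.*\.in(/.*)?`.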
diff --git a/mls/file_contexts/program/openct.fc b/mls/file_contexts/program/openct.fc
new file mode 100644
index 0000000..5f1db4b
--- /dev/null
+++ b/mls/file_contexts/program/openct.fc
@@ -0,0 +1,2 @@
+/usr/sbin/openct-control	-- 	system_u:object_r:openct_exec_t:s0
+/var/run/openct(/.*)?			system_u:object_r:openct_var_run_t:s0
diff --git a/mls/file_contexts/program/openvpn.fc b/mls/file_contexts/program/openvpn.fc
new file mode 100644
index 0000000..34b2992
--- /dev/null
+++ b/mls/file_contexts/program/openvpn.fc
@@ -0,0 +1,4 @@
+# OpenVPN
+
+/etc/openvpn/.*	--	system_u:object_r:openvpn_etc_t
+/usr/sbin/openvpn	--	system_u:object_r:openvpn_exec_t
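Review bot: `/etc/openvpn/.* --` labels only regular files directly under the directory; the directory itself and any subdirectory (keys, client-config dirs) keep the default `etc_t`, so files the openvpn domain needs from a subdirectory will not be `openvpn_etc_t`. `/etc/openvpn(/.*)?` with no type field is the form the rest of the tree uses for a configuration tree. The contexts also lack the `:s0` level.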
diff --git a/mls/file_contexts/program/orbit.fc b/mls/file_contexts/program/orbit.fc
new file mode 100644
index 0000000..9ff0bc8
--- /dev/null
+++ b/mls/file_contexts/program/orbit.fc
@@ -0,0 +1,3 @@
+/tmp/orbit-USER(-.*)?		-d      system_u:object_r:ROLE_orbit_tmp_t:s0
+/tmp/orbit-USER(-.*)?/linc.*	-s	<<none>>
+/tmp/orbit-USER(-.*)?/bonobo.*  --	system_u:object_r:ROLE_orbit_tmp_t:s0
diff --git a/mls/file_contexts/program/pam.fc b/mls/file_contexts/program/pam.fc
new file mode 100644
index 0000000..ad51a01
--- /dev/null
+++ b/mls/file_contexts/program/pam.fc
@@ -0,0 +1,3 @@
+/var/run/sudo(/.*)?			system_u:object_r:pam_var_run_t:s0
+/sbin/pam_timestamp_check	 --	system_u:object_r:pam_exec_t:s0
+/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t:s0
diff --git a/mls/file_contexts/program/pamconsole.fc b/mls/file_contexts/program/pamconsole.fc
new file mode 100644
index 0000000..633977d
--- /dev/null
+++ b/mls/file_contexts/program/pamconsole.fc
@@ -0,0 +1,3 @@
+# pam_console_apply
+/sbin/pam_console_apply	 --	system_u:object_r:pam_console_exec_t:s0
+/var/run/console(/.*)?	 	system_u:object_r:pam_var_console_t:s0
diff --git a/mls/file_contexts/program/passwd.fc b/mls/file_contexts/program/passwd.fc
new file mode 100644
index 0000000..823f931
--- /dev/null
+++ b/mls/file_contexts/program/passwd.fc
@@ -0,0 +1,13 @@
+# spasswd
+/usr/bin/passwd		--	system_u:object_r:passwd_exec_t:s0
+/usr/bin/chage		--	system_u:object_r:passwd_exec_t:s0
+/usr/bin/chsh		--	system_u:object_r:chfn_exec_t:s0
+/usr/bin/chfn		--	system_u:object_r:chfn_exec_t:s0
+/usr/sbin/vipw		--	system_u:object_r:admin_passwd_exec_t:s0
+/usr/sbin/vigr		--	system_u:object_r:admin_passwd_exec_t:s0
+/usr/bin/vipw		--	system_u:object_r:admin_passwd_exec_t:s0
+/usr/bin/vigr		--	system_u:object_r:admin_passwd_exec_t:s0
+/usr/sbin/pwconv	--	system_u:object_r:admin_passwd_exec_t:s0
+/usr/sbin/pwunconv	--	system_u:object_r:admin_passwd_exec_t:s0
+/usr/sbin/grpconv	--	system_u:object_r:admin_passwd_exec_t:s0
+/usr/sbin/grpunconv	--	system_u:object_r:admin_passwd_exec_t:s0
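Review bot: the header comment reads `# spasswd`; it should be `# passwd` (or name the shadow-utils set it covers, since chage, chsh, chfn, vipw, vigr and the pw/grp conv tools are all here).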
diff --git a/mls/file_contexts/program/pegasus.fc b/mls/file_contexts/program/pegasus.fc
new file mode 100644
index 0000000..f4b9f15
--- /dev/null
+++ b/mls/file_contexts/program/pegasus.fc
@@ -0,0 +1,9 @@
+# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
+/usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t:s0
+/usr/sbin/init_repository	-- 	system_u:object_r:pegasus_exec_t:s0
+/etc/Pegasus(/.*)?			system_u:object_r:pegasus_conf_t:s0
+/var/lib/Pegasus(/.*)?	                system_u:object_r:pegasus_data_t:s0
+/var/run/tog-pegasus(/.*)?              system_u:object_r:pegasus_var_run_t:s0
+/usr/share/Pegasus/mof(/.*)?/.*\.mof    system_u:object_r:pegasus_mof_t:s0
+/etc/Pegasus/pegasus_current.conf	system_u:object_r:pegasus_data_t:s0
+
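Review bot: `/etc/Pegasus/pegasus_current.conf` has an unescaped dot and no `--` type field, unlike the escaped, typed entries elsewhere in this patch; `/etc/Pegasus/pegasus_current\.conf -- ...` would match exactly that file. It also sits under `/etc/Pegasus(/.*)?` (pegasus_conf_t) and gives that one file pegasus_data_t, which relies on the later entry taking precedence; a comment saying the daemon rewrites this file at runtime would explain the exception. Trailing blank line at end of file.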
diff --git a/mls/file_contexts/program/perdition.fc b/mls/file_contexts/program/perdition.fc
new file mode 100644
index 0000000..a2d2adb
--- /dev/null
+++ b/mls/file_contexts/program/perdition.fc
@@ -0,0 +1,3 @@
+# perdition POP and IMAP proxy
+/usr/sbin/perdition	--	system_u:object_r:perdition_exec_t
+/etc/perdition(/.*)?		system_u:object_r:perdition_etc_t
diff --git a/mls/file_contexts/program/ping.fc b/mls/file_contexts/program/ping.fc
new file mode 100644
index 0000000..a4ed8cb
--- /dev/null
+++ b/mls/file_contexts/program/ping.fc
@@ -0,0 +1,3 @@
+# ping
+/bin/ping.* 		--	system_u:object_r:ping_exec_t:s0
+/usr/sbin/hping2	--	system_u:object_r:ping_exec_t:s0
diff --git a/mls/file_contexts/program/portmap.fc b/mls/file_contexts/program/portmap.fc
new file mode 100644
index 0000000..60da994
--- /dev/null
+++ b/mls/file_contexts/program/portmap.fc
@@ -0,0 +1,10 @@
+# portmap
+/sbin/portmap		--	system_u:object_r:portmap_exec_t:s0
+ifdef(`distro_debian', `
+/sbin/pmap_dump		--	system_u:object_r:portmap_helper_exec_t:s0
+/sbin/pmap_set		--	system_u:object_r:portmap_helper_exec_t:s0
+', `
+/usr/sbin/pmap_dump	--	system_u:object_r:portmap_helper_exec_t:s0
+/usr/sbin/pmap_set	--	system_u:object_r:portmap_helper_exec_t:s0
+')
+/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t:s0
diff --git a/mls/file_contexts/program/portslave.fc b/mls/file_contexts/program/portslave.fc
new file mode 100644
index 0000000..873334d
--- /dev/null
+++ b/mls/file_contexts/program/portslave.fc
@@ -0,0 +1,5 @@
+# portslave
+/usr/sbin/portslave	--	system_u:object_r:portslave_exec_t
+/usr/sbin/ctlportslave	--	system_u:object_r:portslave_exec_t
+/etc/portslave(/.*)?		system_u:object_r:portslave_etc_t
+/var/run/radius\.(id|seq) -- system_u:object_r:pppd_var_run_t
diff --git a/mls/file_contexts/program/postfix.fc b/mls/file_contexts/program/postfix.fc
new file mode 100644
index 0000000..300da75
--- /dev/null
+++ b/mls/file_contexts/program/postfix.fc
@@ -0,0 +1,59 @@
+# postfix
+/etc/postfix(/.*)?		system_u:object_r:postfix_etc_t:s0
+ifdef(`distro_redhat', `
+/etc/postfix/aliases.*		system_u:object_r:etc_aliases_t:s0
+/usr/libexec/postfix/.*	--	system_u:object_r:postfix_exec_t:s0
+/usr/libexec/postfix/cleanup --	system_u:object_r:postfix_cleanup_exec_t:s0
+/usr/libexec/postfix/local	--	system_u:object_r:postfix_local_exec_t:s0
+/usr/libexec/postfix/master	--	system_u:object_r:postfix_master_exec_t:s0
+/usr/libexec/postfix/pickup	--	system_u:object_r:postfix_pickup_exec_t:s0
+/usr/libexec/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t:s0
+/usr/libexec/postfix/showq	--	system_u:object_r:postfix_showq_exec_t:s0
+/usr/libexec/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t:s0
+/usr/libexec/postfix/scache	--	system_u:object_r:postfix_smtp_exec_t:s0
+/usr/libexec/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t:s0
+/usr/libexec/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t:s0
+/usr/libexec/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t:s0
+', `
+/usr/lib/postfix/.*	--	system_u:object_r:postfix_exec_t:s0
+/usr/lib/postfix/cleanup --	system_u:object_r:postfix_cleanup_exec_t:s0
+/usr/lib/postfix/local	--	system_u:object_r:postfix_local_exec_t:s0
+/usr/lib/postfix/master	--	system_u:object_r:postfix_master_exec_t:s0
+/usr/lib/postfix/pickup	--	system_u:object_r:postfix_pickup_exec_t:s0
+/usr/lib/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t:s0
+/usr/lib/postfix/showq	--	system_u:object_r:postfix_showq_exec_t:s0
+/usr/lib/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t:s0
+/usr/lib/postfix/scache	--	system_u:object_r:postfix_smtp_exec_t:s0
+/usr/lib/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t:s0
+/usr/lib/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t:s0
+/usr/lib/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t:s0
+')
+/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t:s0
+/etc/postfix/prng_exch	--	system_u:object_r:postfix_prng_t:s0
+/usr/sbin/postalias	--	system_u:object_r:postfix_master_exec_t:s0
+/usr/sbin/postcat	--	system_u:object_r:postfix_master_exec_t:s0
+/usr/sbin/postdrop	--	system_u:object_r:postfix_postdrop_exec_t:s0
+/usr/sbin/postfix	--	system_u:object_r:postfix_master_exec_t:s0
+/usr/sbin/postkick	--	system_u:object_r:postfix_master_exec_t:s0
+/usr/sbin/postlock	--	system_u:object_r:postfix_master_exec_t:s0
+/usr/sbin/postlog	--	system_u:object_r:postfix_master_exec_t:s0
+/usr/sbin/postmap	--	system_u:object_r:postfix_map_exec_t:s0
+/usr/sbin/postqueue	--	system_u:object_r:postfix_postqueue_exec_t:s0
+/usr/sbin/postsuper	--	system_u:object_r:postfix_master_exec_t:s0
+/usr/sbin/rmail		--	system_u:object_r:sendmail_exec_t:s0
+/usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t:s0
+/var/spool/postfix(/.*)?	system_u:object_r:postfix_spool_t:s0
+/var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t:s0
+/var/spool/postfix/pid	-d	system_u:object_r:var_run_t:s0
+/var/spool/postfix/pid/.*	system_u:object_r:postfix_var_run_t:s0
+/var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t:s0
+/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t:s0
+/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t:s0
+/var/spool/postfix/flush(/.*)?	system_u:object_r:postfix_spool_flush_t:s0
+/var/spool/postfix/etc(/.*)?	system_u:object_r:etc_t:s0
+/var/spool/postfix/lib(64)?(/.*)?	system_u:object_r:lib_t:s0
+/var/spool/postfix/usr(/.*)?	system_u:object_r:lib_t:s0
+/var/spool/postfix/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t:s0
+/var/spool/postfix/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t:s0
+/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t:s0
+/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t:s0
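Review bot: `scache` is given `postfix_smtp_exec_t` in both the redhat and non-redhat blocks, i.e. the connection-cache server runs in the smtp client domain, while every other distinct daemon here (`pickup`, `showq`, `bounce`, `pipe`) gets its own exec type; if that is intended, a comment would help. The `/etc/postfix/aliases.*` entry is inside the distro_redhat block although nothing about that path is distro-specific, so it could move out of the ifdef alongside `/etc/postfix(/.*)?`. The `/var/spool/postfix/pid -d var_run_t` plus `/var/spool/postfix/pid/.*` pair is fine but worth a comment, since it is the only place in the file where a directory and its contents deliberately get different types.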
diff --git a/mls/file_contexts/program/postgresql.fc b/mls/file_contexts/program/postgresql.fc
new file mode 100644
index 0000000..635a74a
--- /dev/null
+++ b/mls/file_contexts/program/postgresql.fc
@@ -0,0 +1,20 @@
+# postgresql - database server
+/usr/lib(64)?/postgresql/bin/.* --	system_u:object_r:postgresql_exec_t:s0
+/usr/bin/postgres	--	system_u:object_r:postgresql_exec_t:s0
+/usr/bin/initdb		--	system_u:object_r:postgresql_exec_t:s0
+
+/var/lib/postgres(ql)?(/.*)? 	system_u:object_r:postgresql_db_t:s0
+/var/lib/pgsql/data(/.*)?	system_u:object_r:postgresql_db_t:s0
+/var/run/postgresql(/.*)?	system_u:object_r:postgresql_var_run_t:s0
+/etc/postgresql(/.*)?		system_u:object_r:postgresql_etc_t:s0
+/var/log/postgres\.log.* --	system_u:object_r:postgresql_log_t:s0
+/var/log/postgresql(/.*)?	system_u:object_r:postgresql_log_t:s0
+/var/lib/pgsql/pgstartup.log	system_u:object_r:postgresql_log_t:s0
+/usr/lib/pgsql/test/regres(/.*)?	system_u:object_r:postgresql_db_t:s0
+/usr/lib/pgsql/test/regress/.*\.so	-- system_u:object_r:shlib_t:s0
+/usr/lib/pgsql/test/regress/.*\.sh	-- system_u:object_r:bin_t:s0
+/usr/lib/pgsql/test/regress/pg_regress	-- system_u:object_r:postgresql_exec_t:s0
+ifdef(`distro_redhat', `
+/usr/share/jonas/pgsql(/.*)?       system_u:object_r:postgresql_db_t:s0
+/var/log/rhdb/rhdb(/.*)?           system_u:object_r:postgresql_log_t:s0 
+')
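Review bot: `/usr/lib/pgsql/test/regres(/.*)?` is missing the final `s` that the three following `/usr/lib/pgsql/test/regress/...` entries use, so the directory and everything in it that is not a `.so`, `.sh` or `pg_regress` never gets `postgresql_db_t`. Trailing whitespace on the `/var/log/rhdb/rhdb(/.*)?` line.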
diff --git a/mls/file_contexts/program/postgrey.fc b/mls/file_contexts/program/postgrey.fc
new file mode 100644
index 0000000..89e43fd
--- /dev/null
+++ b/mls/file_contexts/program/postgrey.fc
@@ -0,0 +1,5 @@
+# postgrey - postfix grey-listing server
+/usr/sbin/postgrey	--	system_u:object_r:postgrey_exec_t
+/var/run/postgrey\.pid	--	system_u:object_r:postgrey_var_run_t
+/etc/postgrey(/.*)?		system_u:object_r:postgrey_etc_t
+/var/lib/postgrey(/.*)?		system_u:object_r:postgrey_var_lib_t
diff --git a/mls/file_contexts/program/pppd.fc b/mls/file_contexts/program/pppd.fc
new file mode 100644
index 0000000..87e3cb7
--- /dev/null
+++ b/mls/file_contexts/program/pppd.fc
@@ -0,0 +1,25 @@
+# pppd
+/usr/sbin/pppd		--	system_u:object_r:pppd_exec_t:s0
+/usr/sbin/pptp 		--	system_u:object_r:pptp_exec_t:s0
+/usr/sbin/ipppd		--	system_u:object_r:pppd_exec_t:s0
+/dev/ppp		-c	system_u:object_r:ppp_device_t:s0
+/dev/pppox.*		-c	system_u:object_r:ppp_device_t:s0
+/dev/ippp.*		-c	system_u:object_r:ppp_device_t:s0
+/var/run/pppd[0-9]*\.tdb --	system_u:object_r:pppd_var_run_t:s0
+/var/run/ppp(/.*)?		system_u:object_r:pppd_var_run_t:s0
+/etc/ppp		-d	system_u:object_r:pppd_etc_t:s0
+/etc/ppp/.*		--	system_u:object_r:pppd_etc_rw_t:s0
+/etc/ppp/.*secrets	--	system_u:object_r:pppd_secret_t:s0
+/var/run/(i)?ppp.*pid	--	system_u:object_r:pppd_var_run_t:s0
+/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t:s0
+/var/log/ppp/.*	--	system_u:object_r:pppd_log_t:s0
+/etc/ppp/ip-down\..*	--	system_u:object_r:bin_t:s0
+/etc/ppp/ip-up\..*	--	system_u:object_r:bin_t:s0
+/etc/ppp/ipv6-up\..*	--	system_u:object_r:bin_t:s0
+/etc/ppp/ipv6-down\..*	--	system_u:object_r:bin_t:s0
+/etc/ppp/plugins/rp-pppoe\.so 	--	system_u:object_r:shlib_t:s0
+/etc/ppp/resolv\.conf 	--	system_u:object_r:pppd_etc_rw_t:s0
+# Fix pptp sockets
+/var/run/pptp(/.*)?		system_u:object_r:pptp_var_run_t:s0
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	system_u:object_r:pppd_script_exec_t:s0
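Review bot: only `/etc/ppp/plugins/rp-pppoe\.so` is labelled `shlib_t`; any other plugin placed in `/etc/ppp/plugins/` falls through to the `/etc/ppp/.* -- pppd_etc_rw_t` entry and ends up as a writable-config type that the pppd domain is unlikely to be allowed to map as a library. `/etc/ppp/plugins/.*\.so -- shlib_t` (or a `(/.*)?` entry for the directory) would be more robust. The final `/etc/ppp/(auth|ip(v6|x)?)-(up|down)` consolidation is good, but since the earlier `ip-up\..*` and `ip-down\..*` lines keep the dotted variants as `bin_t`, a comment stating that the plain hook scripts transition to pppd_script_exec_t while `ip-up.local`-style helpers stay bin_t would make the split read as intentional.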
diff --git a/mls/file_contexts/program/prelink.fc b/mls/file_contexts/program/prelink.fc
new file mode 100644
index 0000000..fca98ee
--- /dev/null
+++ b/mls/file_contexts/program/prelink.fc
@@ -0,0 +1,8 @@
+# prelink - prelink ELF shared libraries and binaries to speed up startup time
+/usr/sbin/prelink		--	system_u:object_r:prelink_exec_t:s0
+ifdef(`distro_debian', `
+/usr/sbin/prelink\.bin		--	system_u:object_r:prelink_exec_t:s0
+')
+/etc/prelink\.conf		--	system_u:object_r:etc_prelink_t:s0
+/var/log/prelink\.log		--	system_u:object_r:prelink_log_t:s0
+/etc/prelink\.cache		--	system_u:object_r:prelink_cache_t:s0
diff --git a/mls/file_contexts/program/privoxy.fc b/mls/file_contexts/program/privoxy.fc
new file mode 100644
index 0000000..d8d5647
--- /dev/null
+++ b/mls/file_contexts/program/privoxy.fc
@@ -0,0 +1,3 @@
+# privoxy
+/usr/sbin/privoxy	--	system_u:object_r:privoxy_exec_t:s0
+/var/log/privoxy(/.*)?		system_u:object_r:privoxy_log_t:s0
diff --git a/mls/file_contexts/program/procmail.fc b/mls/file_contexts/program/procmail.fc
new file mode 100644
index 0000000..f231527
--- /dev/null
+++ b/mls/file_contexts/program/procmail.fc
@@ -0,0 +1,2 @@
+# procmail
+/usr/bin/procmail	--	system_u:object_r:procmail_exec_t:s0
diff --git a/mls/file_contexts/program/publicfile.fc b/mls/file_contexts/program/publicfile.fc
new file mode 100644
index 0000000..dc32249
--- /dev/null
+++ b/mls/file_contexts/program/publicfile.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/ftpd			--	system_u:object_r:publicfile_exec_t
+/usr/bin/httpd			--	system_u:object_r:publicfile_exec_t
+/usr/bin/publicfile-conf	--	system_u:object_r:publicfile_exec_t
+
+# this is the place where online content located
+# set this to suit your needs
+#/var/www(/.*)?			system_u:object_r:publicfile_content_t
+
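Review bot: the `/var/www(/.*)?` entry is commented out, so after a relabel nothing receives `publicfile_content_t` until an administrator edits the policy; the comment above it should state that explicitly rather than just "set this to suit your needs". The file also has no header comment, starts and ends with blank lines, and its contexts lack the `:s0` level.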
diff --git a/mls/file_contexts/program/pxe.fc b/mls/file_contexts/program/pxe.fc
new file mode 100644
index 0000000..165076a
--- /dev/null
+++ b/mls/file_contexts/program/pxe.fc
@@ -0,0 +1,5 @@
+# pxe network boot server
+/usr/sbin/pxe		--	system_u:object_r:pxe_exec_t
+/var/log/pxe\.log	--	system_u:object_r:pxe_log_t
+/var/run/pxe\.pid	--	system_u:object_r:pxe_var_run_t
+
diff --git a/mls/file_contexts/program/pyzor.fc b/mls/file_contexts/program/pyzor.fc
new file mode 100644
index 0000000..ff62295
--- /dev/null
+++ b/mls/file_contexts/program/pyzor.fc
@@ -0,0 +1,6 @@
+/etc/pyzor(/.*)?			system_u:object_r:pyzor_etc_t
+/usr/bin/pyzor			--	system_u:object_r:pyzor_exec_t
+/usr/bin/pyzord			--	system_u:object_r:pyzord_exec_t
+/var/lib/pyzord(/.*)?			system_u:object_r:pyzor_var_lib_t
+/var/log/pyzord.log		--	system_u:object_r:pyzord_log_t
+HOME_DIR/\.pyzor(/.*)?			system_u:object_r:ROLE_pyzor_home_t
diff --git a/mls/file_contexts/program/qmail.fc b/mls/file_contexts/program/qmail.fc
new file mode 100644
index 0000000..7704ed7
--- /dev/null
+++ b/mls/file_contexts/program/qmail.fc
@@ -0,0 +1,38 @@
+# qmail - Debian locations
+/etc/qmail(/.*)?		system_u:object_r:qmail_etc_t
+/var/qmail(/.*)?		system_u:object_r:qmail_etc_t
+/var/spool/qmail(/.*)?		system_u:object_r:qmail_spool_t
+/usr/sbin/qmail-start	--	system_u:object_r:qmail_start_exec_t
+/usr/sbin/qmail-lspawn	--	system_u:object_r:qmail_lspawn_exec_t
+/usr/bin/tcp-env	--	system_u:object_r:qmail_tcp_env_exec_t
+/usr/sbin/qmail-inject	--	system_u:object_r:qmail_inject_exec_t
+/usr/sbin/qmail-smtpd	--	system_u:object_r:qmail_smtpd_exec_t
+/usr/sbin/qmail-queue	--	system_u:object_r:qmail_queue_exec_t
+/usr/sbin/qmail-local	--	system_u:object_r:qmail_local_exec_t
+/usr/sbin/qmail-clean	--	system_u:object_r:qmail_clean_exec_t
+/usr/sbin/qmail-send	--	system_u:object_r:qmail_send_exec_t
+/usr/sbin/qmail-rspawn	--	system_u:object_r:qmail_rspawn_exec_t
+/usr/sbin/qmail-remote	--	system_u:object_r:qmail_remote_exec_t
+/usr/sbin/qmail-qread	--	system_u:object_r:qmail_qread_exec_t
+/usr/sbin/splogger	--	system_u:object_r:qmail_splogger_exec_t
+/usr/sbin/qmail-getpw	--	system_u:object_r:qmail_exec_t
+/usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t
+# qmail - djb locations
+/var/qmail/control(/.*)?	system_u:object_r:qmail_etc_t
+/var/qmail/bin		-d	system_u:object_r:bin_t
+/var/qmail/queue(/.*)?		system_u:object_r:qmail_spool_t
+/var/qmail/bin/qmail-lspawn --	system_u:object_r:qmail_lspawn_exec_t
+/var/qmail/bin/tcp-env	--	system_u:object_r:qmail_tcp_env_exec_t
+/var/qmail/bin/qmail-inject --	system_u:object_r:qmail_inject_exec_t
+/var/qmail/bin/qmail-smtpd --	system_u:object_r:qmail_smtpd_exec_t
+/var/qmail/bin/qmail-queue --	system_u:object_r:qmail_queue_exec_t
+/var/qmail/bin/qmail-local --	system_u:object_r:qmail_local_exec_t
+/var/qmail/bin/qmail-clean --	system_u:object_r:qmail_clean_exec_t
+/var/qmail/bin/qmail-send --	system_u:object_r:qmail_send_exec_t
+/var/qmail/bin/qmail-rspawn --	system_u:object_r:qmail_rspawn_exec_t
+/var/qmail/bin/qmail-remote --	system_u:object_r:qmail_remote_exec_t
+/var/qmail/bin/qmail-qread --	system_u:object_r:qmail_qread_exec_t
+/var/qmail/bin/qmail-start --	system_u:object_r:qmail_start_exec_t
+/var/qmail/rc		--	system_u:object_r:bin_t
+/var/qmail/bin/splogger --	system_u:object_r:qmail_splogger_exec_t
+/var/qmail/bin/qmail-getpw --	system_u:object_r:qmail_exec_t
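Review bot: the catch-all `/var/qmail(/.*)?  system_u:object_r:qmail_etc_t` on the third line labels every file under the install that is not listed explicitly, and `/var/qmail/bin  -d  system_u:object_r:bin_t` only relabels the directory itself, so any binary in /var/qmail/bin that has no dedicated spec (the djb block lists a fixed set) ends up typed as configuration rather than as an executable. Consider a `/var/qmail/bin/.*  --  system_u:object_r:bin_t` fallback so unlisted tools are at least not writable as qmail_etc_t. Separately, none of the 38 contexts here carries the `:s0` level that the other mls/ file contexts use.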
diff --git a/mls/file_contexts/program/quota.fc b/mls/file_contexts/program/quota.fc
new file mode 100644
index 0000000..8aa74f1
--- /dev/null
+++ b/mls/file_contexts/program/quota.fc
@@ -0,0 +1,10 @@
+# quota system
+/var/lib/quota(/.*)?		system_u:object_r:quota_flag_t:s0
+/sbin/quota(check|on)	--	system_u:object_r:quota_exec_t:s0
+ifdef(`distro_redhat', `
+/usr/sbin/convertquota	--	system_u:object_r:quota_exec_t:s0
+', `
+/sbin/convertquota	--	system_u:object_r:quota_exec_t:s0
+')
+HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
+/var/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
diff --git a/mls/file_contexts/program/radius.fc b/mls/file_contexts/program/radius.fc
new file mode 100644
index 0000000..e3b9d51
--- /dev/null
+++ b/mls/file_contexts/program/radius.fc
@@ -0,0 +1,15 @@
+# radius
+/etc/raddb(/.*)?                system_u:object_r:radiusd_etc_t:s0
+/usr/sbin/radiusd	--	system_u:object_r:radiusd_exec_t:s0
+/usr/sbin/freeradius	--	system_u:object_r:radiusd_exec_t:s0
+/var/log/radiusd-freeradius(/.*)?       system_u:object_r:radiusd_log_t:s0
+/var/log/radius\.log.*	--	system_u:object_r:radiusd_log_t:s0
+/var/log/radius(/.*)?		system_u:object_r:radiusd_log_t:s0
+/var/log/freeradius(/.*)?	system_u:object_r:radiusd_log_t:s0
+/var/log/radacct(/.*)?		system_u:object_r:radiusd_log_t:s0
+/var/log/radutmp	--	system_u:object_r:radiusd_log_t:s0
+/var/log/radwtmp.*	--	system_u:object_r:radiusd_log_t:s0
+/etc/cron\.(daily|monthly)/radiusd -- system_u:object_r:radiusd_exec_t:s0
+/etc/cron\.(daily|weekly|monthly)/freeradius -- system_u:object_r:radiusd_exec_t:s0
+/var/run/radiusd\.pid	--	system_u:object_r:radiusd_var_run_t:s0
+/var/run/radiusd(/.*)?		system_u:object_r:radiusd_var_run_t:s0
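Review bot: the two cron specs disagree about coverage: `/etc/cron\.(daily|monthly)/radiusd` omits `weekly`, while the freeradius line right below it uses `(daily|weekly|monthly)`. If a weekly radiusd job is ever dropped in, it will keep the generic cron label and run outside the radiusd domain; aligning the two alternations avoids that silent gap.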
diff --git a/mls/file_contexts/program/radvd.fc b/mls/file_contexts/program/radvd.fc
new file mode 100644
index 0000000..ab6bc47
--- /dev/null
+++ b/mls/file_contexts/program/radvd.fc
@@ -0,0 +1,5 @@
+# radvd
+/etc/radvd\.conf	--	system_u:object_r:radvd_etc_t:s0
+/usr/sbin/radvd		--	system_u:object_r:radvd_exec_t:s0
+/var/run/radvd\.pid	--	system_u:object_r:radvd_var_run_t:s0
+/var/run/radvd(/.*)?		system_u:object_r:radvd_var_run_t:s0
diff --git a/mls/file_contexts/program/razor.fc b/mls/file_contexts/program/razor.fc
new file mode 100644
index 0000000..f3f1346
--- /dev/null
+++ b/mls/file_contexts/program/razor.fc
@@ -0,0 +1,6 @@
+# razor
+/etc/razor(/.*)?		system_u:object_r:razor_etc_t
+/usr/bin/razor.*		system_u:object_r:razor_exec_t
+/var/lib/razor(/.*)?		system_u:object_r:razor_var_lib_t
+/var/log/razor-agent.log	system_u:object_r:razor_log_t
+HOME_DIR/\.razor(/.*)?		system_u:object_r:ROLE_razor_home_t
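Review bot: `/usr/bin/razor.*` and `/var/log/razor-agent.log` are the only executable and log specs in this tree without a `--` file-type qualifier, so a directory or symlink matching the pattern would also be relabeled; the unescaped `.` in `razor-agent.log` also matches any character. All five contexts additionally lack the `:s0` level used by the surrounding mls/ file contexts.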
diff --git a/mls/file_contexts/program/rdisc.fc b/mls/file_contexts/program/rdisc.fc
new file mode 100644
index 0000000..f3ec427
--- /dev/null
+++ b/mls/file_contexts/program/rdisc.fc
@@ -0,0 +1,2 @@
+# rdisc
+/sbin/rdisc		system_u:object_r:rdisc_exec_t:s0
diff --git a/mls/file_contexts/program/readahead.fc b/mls/file_contexts/program/readahead.fc
new file mode 100644
index 0000000..16362a4
--- /dev/null
+++ b/mls/file_contexts/program/readahead.fc
@@ -0,0 +1 @@
+/usr/sbin/readahead -- system_u:object_r:readahead_exec_t:s0
diff --git a/mls/file_contexts/program/resmgrd.fc b/mls/file_contexts/program/resmgrd.fc
new file mode 100644
index 0000000..bee4680
--- /dev/null
+++ b/mls/file_contexts/program/resmgrd.fc
@@ -0,0 +1,6 @@
+# resmgrd
+/sbin/resmgrd		--	system_u:object_r:resmgrd_exec_t
+/etc/resmgr\.conf	--	system_u:object_r:resmgrd_etc_t
+/var/run/resmgr\.pid	--	system_u:object_r:resmgrd_var_run_t
+/var/run/\.resmgr_socket	-s	system_u:object_r:resmgrd_var_run_t
+
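Review bot: all four resmgrd contexts lack the `:s0` MLS level that the other files in this tree append, and the hunk ends with a stray blank line. Append `:s0` to each (e.g. `system_u:object_r:resmgrd_var_run_t:s0`) for consistency with radvd.fc and rdisc.fc above.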
diff --git a/mls/file_contexts/program/restorecon.fc b/mls/file_contexts/program/restorecon.fc
new file mode 100644
index 0000000..cd62c78
--- /dev/null
+++ b/mls/file_contexts/program/restorecon.fc
@@ -0,0 +1,2 @@
+# restorecon
+/sbin/restorecon	--	system_u:object_r:restorecon_exec_t:s0
diff --git a/mls/file_contexts/program/rhgb.fc b/mls/file_contexts/program/rhgb.fc
new file mode 100644
index 0000000..118972e
--- /dev/null
+++ b/mls/file_contexts/program/rhgb.fc
@@ -0,0 +1 @@
+/usr/bin/rhgb		--	system_u:object_r:rhgb_exec_t
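Review bot: `system_u:object_r:rhgb_exec_t` is missing the `:s0` level present on the restorecon.fc spec immediately above; this single-line file should read `system_u:object_r:rhgb_exec_t:s0`.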
diff --git a/mls/file_contexts/program/rlogind.fc b/mls/file_contexts/program/rlogind.fc
new file mode 100644
index 0000000..ce68e2c
--- /dev/null
+++ b/mls/file_contexts/program/rlogind.fc
@@ -0,0 +1,4 @@
+# rlogind and telnetd
+/usr/sbin/in\.rlogind	--	system_u:object_r:rlogind_exec_t:s0
+/usr/lib(64)?/telnetlogin	--	system_u:object_r:rlogind_exec_t:s0
+/usr/kerberos/sbin/klogind --	system_u:object_r:rlogind_exec_t:s0
diff --git a/mls/file_contexts/program/roundup.fc b/mls/file_contexts/program/roundup.fc
new file mode 100644
index 0000000..394359f
--- /dev/null
+++ b/mls/file_contexts/program/roundup.fc
@@ -0,0 +1,2 @@
+/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t:s0
+/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t:s0
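Review bot: `/var/lib/roundup(/.*)?  --  system_u:object_r:roundup_var_lib_t:s0` combines a directory-tree pattern with the `--` (regular file only) qualifier, so /var/lib/roundup itself and any subdirectories will never receive roundup_var_lib_t and the daemon will be denied when it creates files there. Drop the `--` on that line, as the other `(/.*)?` specs in this tree do.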
diff --git a/mls/file_contexts/program/rpcd.fc b/mls/file_contexts/program/rpcd.fc
new file mode 100644
index 0000000..916cd25
--- /dev/null
+++ b/mls/file_contexts/program/rpcd.fc
@@ -0,0 +1,12 @@
+# RPC daemons
+/sbin/rpc\..*		--	system_u:object_r:rpcd_exec_t:s0
+/usr/sbin/rpc.idmapd	--	system_u:object_r:rpcd_exec_t:s0
+/usr/sbin/rpc\.nfsd	--	system_u:object_r:nfsd_exec_t:s0
+/usr/sbin/exportfs	--	system_u:object_r:nfsd_exec_t:s0
+/usr/sbin/rpc\.gssd	--	system_u:object_r:gssd_exec_t:s0
+/usr/sbin/rpc\.svcgssd	--	system_u:object_r:gssd_exec_t:s0
+/usr/sbin/rpc\.mountd	--	system_u:object_r:nfsd_exec_t:s0
+/var/run/rpc\.statd\.pid	--	system_u:object_r:rpcd_var_run_t:s0
+/var/run/rpc\.statd(/.*)?	system_u:object_r:rpcd_var_run_t:s0
+/etc/exports		--	system_u:object_r:exports_t:s0
+
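Review bot: `/usr/sbin/rpc.idmapd` leaves the dot unescaped while every other rpc spec in the hunk writes `rpc\.`, so the pattern also matches e.g. `rpcXidmapd`; make it `/usr/sbin/rpc\.idmapd` for consistency. The trailing blank line at the end of the hunk can go as well.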
diff --git a/mls/file_contexts/program/rpm.fc b/mls/file_contexts/program/rpm.fc
new file mode 100644
index 0000000..494fbcf
--- /dev/null
+++ b/mls/file_contexts/program/rpm.fc
@@ -0,0 +1,29 @@
+# rpm
+/var/lib/rpm(/.*)?		system_u:object_r:rpm_var_lib_t:s0
+/var/lib/alternatives(/.*)?	system_u:object_r:rpm_var_lib_t:s0
+/bin/rpm 		--	system_u:object_r:rpm_exec_t:s0
+/usr/bin/yum 		--	system_u:object_r:rpm_exec_t:s0
+/usr/bin/apt-get 	--	system_u:object_r:rpm_exec_t:s0
+/usr/bin/apt-shell    	-- 	system_u:object_r:rpm_exec_t:s0
+/usr/bin/synaptic   --    	system_u:object_r:rpm_exec_t:s0 
+/usr/lib(64)?/rpm/rpmd	-- 	system_u:object_r:bin_t:s0
+/usr/lib(64)?/rpm/rpmq	-- 	system_u:object_r:bin_t:s0
+/usr/lib(64)?/rpm/rpmk	-- 	system_u:object_r:bin_t:s0
+/usr/lib(64)?/rpm/rpmv	-- 	system_u:object_r:bin_t:s0
+/var/log/rpmpkgs.*	--	system_u:object_r:rpm_log_t:s0
+/var/log/yum\.log	--	system_u:object_r:rpm_log_t:s0
+ifdef(`distro_redhat', `
+/usr/sbin/up2date	--	system_u:object_r:rpm_exec_t:s0
+/usr/sbin/rhn_check	--	system_u:object_r:rpm_exec_t:s0
+')
+# SuSE
+ifdef(`distro_suse', `
+/usr/bin/online_update		--	system_u:object_r:rpm_exec_t:s0
+/sbin/yast2			--	system_u:object_r:rpm_exec_t:s0
+/var/lib/YaST2(/.*)?			system_u:object_r:rpm_var_lib_t:s0
+/var/log/YaST2(/.*)?			system_u:object_r:rpm_log_t:s0
+')
+
+ifdef(`mls_policy', `
+/sbin/cpio			--	system_u:object_r:rpm_exec_t:s0
+')
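Review bot: the `ifdef(`mls_policy', ...)` block labels `/sbin/cpio` as `rpm_exec_t`, which puts a general-purpose archiver on the same entrypoint as the package manager; with the usual rpm domain transition, any caller that can run cpio would enter rpm_t and inherit its broad file-relabel and write privileges. A one-line comment stating why MLS needs this (and that it is deliberate) would help the next reviewer, or narrow it if only a specific installer path requires it. Also note the trailing whitespace after `rpm_exec_t:s0` on the synaptic line.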
diff --git a/mls/file_contexts/program/rshd.fc b/mls/file_contexts/program/rshd.fc
new file mode 100644
index 0000000..a7141fe
--- /dev/null
+++ b/mls/file_contexts/program/rshd.fc
@@ -0,0 +1,4 @@
+# rshd.
+/usr/sbin/in\.rshd	--	system_u:object_r:rshd_exec_t:s0
+/usr/sbin/in\.rexecd	--	system_u:object_r:rshd_exec_t:s0
+/usr/kerberos/sbin/kshd	--	system_u:object_r:rshd_exec_t:s0
diff --git a/mls/file_contexts/program/rssh.fc b/mls/file_contexts/program/rssh.fc
new file mode 100644
index 0000000..16ec3a3
--- /dev/null
+++ b/mls/file_contexts/program/rssh.fc
@@ -0,0 +1,2 @@
+# rssh
+/usr/bin/rssh		--	system_u:object_r:rssh_exec_t
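Review bot: `system_u:object_r:rssh_exec_t` is missing the `:s0` level that rshd.fc directly above and rsync.fc directly below both carry; it should be `system_u:object_r:rssh_exec_t:s0`.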
diff --git a/mls/file_contexts/program/rsync.fc b/mls/file_contexts/program/rsync.fc
new file mode 100644
index 0000000..edb25f3
--- /dev/null
+++ b/mls/file_contexts/program/rsync.fc
@@ -0,0 +1,3 @@
+# rsync program
+/usr/bin/rsync	--	system_u:object_r:rsync_exec_t:s0
+/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:public_content_t:s0
diff --git a/mls/file_contexts/program/samba.fc b/mls/file_contexts/program/samba.fc
new file mode 100644
index 0000000..204eb3f
--- /dev/null
+++ b/mls/file_contexts/program/samba.fc
@@ -0,0 +1,26 @@
+# samba scripts
+/usr/sbin/smbd		--	system_u:object_r:smbd_exec_t:s0
+/usr/sbin/nmbd		--	system_u:object_r:nmbd_exec_t:s0
+/usr/bin/net		--	system_u:object_r:samba_net_exec_t:s0
+/etc/samba(/.*)?		system_u:object_r:samba_etc_t:s0
+/var/log/samba(/.*)?		system_u:object_r:samba_log_t:s0
+/var/cache/samba(/.*)?		system_u:object_r:samba_var_t:s0
+/var/lib/samba(/.*)?		system_u:object_r:samba_var_t:s0
+/etc/samba/secrets\.tdb	--	system_u:object_r:samba_secrets_t:s0
+/etc/samba/MACHINE\.SID	--	system_u:object_r:samba_secrets_t:s0
+# samba really wants write access to smbpasswd
+/etc/samba/smbpasswd	--	system_u:object_r:samba_secrets_t:s0
+/var/run/samba/locking\.tdb --	system_u:object_r:smbd_var_run_t:s0
+/var/run/samba/connections\.tdb -- system_u:object_r:smbd_var_run_t:s0
+/var/run/samba/sessionid\.tdb -- system_u:object_r:smbd_var_run_t:s0
+/var/run/samba/brlock\.tdb --	system_u:object_r:smbd_var_run_t:s0
+/var/run/samba/namelist\.debug -- system_u:object_r:nmbd_var_run_t:s0
+/var/run/samba/messages\.tdb --	system_u:object_r:nmbd_var_run_t:s0
+/var/run/samba/unexpected\.tdb -- system_u:object_r:nmbd_var_run_t:s0
+/var/run/samba/smbd\.pid --	system_u:object_r:smbd_var_run_t:s0
+/var/run/samba/nmbd\.pid --	system_u:object_r:nmbd_var_run_t:s0
+/var/spool/samba(/.*)?		system_u:object_r:samba_var_t:s0
+ifdef(`mount.te', `
+/usr/bin/smbmount	--	system_u:object_r:smbmount_exec_t:s0
+/usr/bin/smbmnt		--	system_u:object_r:smbmount_exec_t:s0
+')
diff --git a/mls/file_contexts/program/saslauthd.fc b/mls/file_contexts/program/saslauthd.fc
new file mode 100644
index 0000000..a8275a6
--- /dev/null
+++ b/mls/file_contexts/program/saslauthd.fc
@@ -0,0 +1,3 @@
+# saslauthd 
+/usr/sbin/saslauthd		--	system_u:object_r:saslauthd_exec_t:s0
+/var/run/saslauthd(/.*)?		system_u:object_r:saslauthd_var_run_t:s0
diff --git a/mls/file_contexts/program/scannerdaemon.fc b/mls/file_contexts/program/scannerdaemon.fc
new file mode 100644
index 0000000..a43bf87
--- /dev/null
+++ b/mls/file_contexts/program/scannerdaemon.fc
@@ -0,0 +1,4 @@
+# scannerdaemon
+/usr/sbin/scannerdaemon		--	system_u:object_r:scannerdaemon_exec_t
+/etc/scannerdaemon/scannerdaemon\.conf -- system_u:object_r:scannerdaemon_etc_t
+/var/log/scannerdaemon\.log 	--	system_u:object_r:scannerdaemon_log_t
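Review bot: the three scannerdaemon contexts omit the `:s0` MLS level used by saslauthd.fc above and screen.fc below; append it to each (`scannerdaemon_exec_t:s0`, `scannerdaemon_etc_t:s0`, `scannerdaemon_log_t:s0`).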
diff --git a/mls/file_contexts/program/screen.fc b/mls/file_contexts/program/screen.fc
new file mode 100644
index 0000000..401072a
--- /dev/null
+++ b/mls/file_contexts/program/screen.fc
@@ -0,0 +1,5 @@
+# screen
+/usr/bin/screen		--	system_u:object_r:screen_exec_t:s0
+HOME_DIR/\.screenrc	--	system_u:object_r:ROLE_screen_ro_home_t:s0
+/var/run/screens?/S-[^/]+	-d	system_u:object_r:screen_dir_t:s0
+/var/run/screens?/S-[^/]+/.*	<<none>>
diff --git a/mls/file_contexts/program/sendmail.fc b/mls/file_contexts/program/sendmail.fc
new file mode 100644
index 0000000..8b9164d
--- /dev/null
+++ b/mls/file_contexts/program/sendmail.fc
@@ -0,0 +1,13 @@
+# sendmail
+/etc/mail(/.*)?				system_u:object_r:etc_mail_t:s0
+/var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t:s0
+/var/log/mail(/.*)?			system_u:object_r:sendmail_log_t:s0
+/var/run/sendmail\.pid		--	system_u:object_r:sendmail_var_run_t:s0
+/var/run/sm-client\.pid		--	system_u:object_r:sendmail_var_run_t:s0
+ifdef(`distro_redhat', `
+/etc/rc.d/init.d/sendmail	--	system_u:object_r:sendmail_launch_exec_t:s0
+/var/lock/subsys/sm-client	--	system_u:object_r:sendmail_launch_lock_t:s0
+/var/lock/subsys/sendmail	--	system_u:object_r:sendmail_launch_lock_t:s0
+', `
+/etc/init.d/sendmail	--	system_u:object_r:sendmail_launch_exec_t:s0
+')
diff --git a/mls/file_contexts/program/setfiles.fc b/mls/file_contexts/program/setfiles.fc
new file mode 100644
index 0000000..45e245b
--- /dev/null
+++ b/mls/file_contexts/program/setfiles.fc
@@ -0,0 +1,3 @@
+# setfiles
+/usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t:s0
+
diff --git a/mls/file_contexts/program/slapd.fc b/mls/file_contexts/program/slapd.fc
new file mode 100644
index 0000000..4a5ff0d
--- /dev/null
+++ b/mls/file_contexts/program/slapd.fc
@@ -0,0 +1,19 @@
+# slapd - ldap server
+/usr/sbin/slapd		--	system_u:object_r:slapd_exec_t:s0
+/var/lib/ldap(/.*)?		system_u:object_r:slapd_db_t:s0
+/var/lib/ldap/replog(/.*)?	system_u:object_r:slapd_replog_t:s0
+/var/run/slapd\.args	--	system_u:object_r:slapd_var_run_t:s0
+/etc/ldap/slapd\.conf	--	system_u:object_r:slapd_etc_t:s0
+/var/run/slapd\.pid	--	system_u:object_r:slapd_var_run_t:s0
+/var/run/ldapi		-s	system_u:object_r:slapd_var_run_t:s0
+/opt/(fedora|redhat)-ds(/.*)?/bin/slapd/server/ns-slapd   --	system_u:object_r:slapd_exec_t:s0
+/opt/(fedora|redhat)-ds/slapd-[^/]+/logs(/.*)? 	system_u:object_r:slapd_var_run_t:s0
+/opt/(fedora|redhat)-ds/slapd-[^/]+/locks(/.*)?	system_u:object_r:slapd_lock_t:s0
+/opt/(fedora|redhat)-ds/slapd-[^/]+/tmp(/.*)? system_u:object_r:slapd_var_run_t:s0
+/opt/(fedora|redhat)-ds/slapd-[^/]+/config(/.*)? system_u:object_r:slapd_var_run_t:s0
+/opt/(fedora|redhat)-ds/slapd-[^/]+/db(/.*)? system_u:object_r:slapd_db_t:s0
+/opt/(fedora|redhat)-ds/slapd-[^/]+/bak(/.*)? system_u:object_r:slapd_db_t:s0
+/opt/(fedora|redhat)-ds/slapd-[^/]+/start-slapd system_u:object_r:initrc_exec_t:s0
+/opt/(fedora|redhat)-ds/slapd-[^/]+/stop-slapd system_u:object_r:initrc_exec_t:s0
+/opt/(fedora|redhat)-ds/alias(/.*)? system_u:object_r:slapd_cert_t:s0
+/opt/(fedora|redhat)-ds/alias/[^/]+so.* system_u:object_r:shlib_t:s0
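Review bot: the Directory Server block assigns `slapd_var_run_t` to `slapd-[^/]+/logs(/.*)?`, `tmp(/.*)?` and `config(/.*)?` alike, so the daemon's configuration directory gets the same writable runtime type as its pid/args files, while the Debian `/etc/ldap/slapd\.conf` line above is typed `slapd_etc_t`. Labeling `config(/.*)?` as `slapd_etc_t` (and `logs(/.*)?` with a log type if the policy has one) keeps the daemon from being able to rewrite its own configuration. The first /opt line, `(fedora|redhat)-ds(/.*)?/bin/slapd/server/ns-slapd`, also looks like it wants a fixed path rather than an optional `(/.*)?` in the middle.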
diff --git a/mls/file_contexts/program/slocate.fc b/mls/file_contexts/program/slocate.fc
new file mode 100644
index 0000000..5baa3b2
--- /dev/null
+++ b/mls/file_contexts/program/slocate.fc
@@ -0,0 +1,4 @@
+# locate - file locater
+/usr/bin/s?locate		--	system_u:object_r:locate_exec_t:s0
+/var/lib/[sm]locate(/.*)?			system_u:object_r:locate_var_lib_t:s0
+/etc/updatedb\.conf		--	system_u:object_r:locate_etc_t:s0
diff --git a/mls/file_contexts/program/slrnpull.fc b/mls/file_contexts/program/slrnpull.fc
new file mode 100644
index 0000000..e05abc8
--- /dev/null
+++ b/mls/file_contexts/program/slrnpull.fc
@@ -0,0 +1,3 @@
+# slrnpull
+/usr/bin/slrnpull	--	system_u:object_r:slrnpull_exec_t:s0
+/var/spool/slrnpull(/.*)?	system_u:object_r:slrnpull_spool_t:s0
diff --git a/mls/file_contexts/program/snmpd.fc b/mls/file_contexts/program/snmpd.fc
new file mode 100644
index 0000000..c81b3fe
--- /dev/null
+++ b/mls/file_contexts/program/snmpd.fc
@@ -0,0 +1,10 @@
+# snmpd
+/usr/sbin/snmp(trap)?d	--	system_u:object_r:snmpd_exec_t:s0
+/var/lib/snmp(/.*)?		system_u:object_r:snmpd_var_lib_t:s0
+/var/lib/net-snmp(/.*)?	system_u:object_r:snmpd_var_lib_t:s0
+/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t:s0
+/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t:s0
+/var/run/snmpd\.pid	--	system_u:object_r:snmpd_var_run_t:s0
+/var/run/snmpd		-d	system_u:object_r:snmpd_var_run_t:s0
+/var/net-snmp(/.*)		system_u:object_r:snmpd_var_lib_t:s0
+/var/log/snmpd\.log	--	system_u:object_r:snmpd_log_t:s0
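Review bot: `/var/net-snmp(/.*)` is missing the trailing `?` that every other tree spec in this hunk has, so the /var/net-snmp directory itself will not match and only its contents get `snmpd_var_lib_t`; write it as `/var/net-snmp(/.*)?`.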
diff --git a/mls/file_contexts/program/snort.fc b/mls/file_contexts/program/snort.fc
new file mode 100644
index 0000000..a40670c
--- /dev/null
+++ b/mls/file_contexts/program/snort.fc
@@ -0,0 +1,4 @@
+# SNORT
+/usr/(s)?bin/snort --	system_u:object_r:snort_exec_t
+/etc/snort(/.*)?	system_u:object_r:snort_etc_t
+/var/log/snort(/.*)?	system_u:object_r:snort_log_t
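Review bot: the three snort contexts lack the `:s0` level that snmpd.fc above and sound.fc below both carry; append `:s0` to `snort_exec_t`, `snort_etc_t` and `snort_log_t`.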
diff --git a/mls/file_contexts/program/sound-server.fc b/mls/file_contexts/program/sound-server.fc
new file mode 100644
index 0000000..dfa8245
--- /dev/null
+++ b/mls/file_contexts/program/sound-server.fc
@@ -0,0 +1,8 @@
+# sound servers, nas, yiff, etc
+/usr/sbin/yiff		--	system_u:object_r:soundd_exec_t
+/usr/bin/nasd		--	system_u:object_r:soundd_exec_t
+/usr/bin/gpe-soundserver --	system_u:object_r:soundd_exec_t
+/etc/nas(/.*)?			system_u:object_r:etc_soundd_t
+/etc/yiff(/.*)?			system_u:object_r:etc_soundd_t
+/var/state/yiff(/.*)?		system_u:object_r:soundd_state_t
+/var/run/yiff-[0-9]+\.pid --	system_u:object_r:soundd_var_run_t
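Review bot: none of the seven sound-server contexts carries the `:s0` MLS level that the adjacent sound.fc uses on every line; append it to each so the file validates under the MLS policy.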
diff --git a/mls/file_contexts/program/sound.fc b/mls/file_contexts/program/sound.fc
new file mode 100644
index 0000000..4226dc3
--- /dev/null
+++ b/mls/file_contexts/program/sound.fc
@@ -0,0 +1,3 @@
+# sound
+/bin/aumix-minimal	--	system_u:object_r:sound_exec_t:s0
+/etc/\.aumixrc		--	system_u:object_r:sound_file_t:s0
diff --git a/mls/file_contexts/program/spamassassin.fc b/mls/file_contexts/program/spamassassin.fc
new file mode 100644
index 0000000..6896485
--- /dev/null
+++ b/mls/file_contexts/program/spamassassin.fc
@@ -0,0 +1,3 @@
+# spamassasin
+/usr/bin/spamassassin	--	system_u:object_r:spamassassin_exec_t:s0
+HOME_DIR/\.spamassassin(/.*)?	system_u:object_r:ROLE_spamassassin_home_t:s0
diff --git a/mls/file_contexts/program/spamc.fc b/mls/file_contexts/program/spamc.fc
new file mode 100644
index 0000000..1168d40
--- /dev/null
+++ b/mls/file_contexts/program/spamc.fc
@@ -0,0 +1 @@
+/usr/bin/spamc	--	system_u:object_r:spamc_exec_t:s0
diff --git a/mls/file_contexts/program/spamd.fc b/mls/file_contexts/program/spamd.fc
new file mode 100644
index 0000000..8c9add8
--- /dev/null
+++ b/mls/file_contexts/program/spamd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/spamd		--	system_u:object_r:spamd_exec_t:s0
+/usr/bin/spamd		--	system_u:object_r:spamd_exec_t:s0
+/usr/bin/sa-learn	--	system_u:object_r:spamd_exec_t:s0
diff --git a/mls/file_contexts/program/speedmgmt.fc b/mls/file_contexts/program/speedmgmt.fc
new file mode 100644
index 0000000..486906e
--- /dev/null
+++ b/mls/file_contexts/program/speedmgmt.fc
@@ -0,0 +1,2 @@
+# speedmgmt
+/usr/sbin/speedmgmt	--	system_u:object_r:speedmgmt_exec_t
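Review bot: `system_u:object_r:speedmgmt_exec_t` is missing the `:s0` level present in spamd.fc above and squid.fc below; it should be `system_u:object_r:speedmgmt_exec_t:s0`.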
diff --git a/mls/file_contexts/program/squid.fc b/mls/file_contexts/program/squid.fc
new file mode 100644
index 0000000..03f291b
--- /dev/null
+++ b/mls/file_contexts/program/squid.fc
@@ -0,0 +1,11 @@
+# squid
+/usr/sbin/squid		--	system_u:object_r:squid_exec_t:s0
+/var/cache/squid(/.*)?		system_u:object_r:squid_cache_t:s0
+/var/spool/squid(/.*)?		system_u:object_r:squid_cache_t:s0
+/var/log/squid(/.*)?		system_u:object_r:squid_log_t:s0
+/etc/squid(/.*)?		system_u:object_r:squid_conf_t:s0
+/var/run/squid\.pid	--	system_u:object_r:squid_var_run_t:s0
+/usr/share/squid(/.*)?		system_u:object_r:squid_conf_t:s0
+ifdef(`apache.te', `
+/usr/lib/squid/cachemgr.cgi	-- system_u:object_r:httpd_exec_t:s0
+')
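Review bot: `/usr/lib/squid/cachemgr.cgi` leaves the dot unescaped and hardcodes `/usr/lib`, whereas the rest of this tree writes `/usr/lib(64)?/...` for library paths (see rpm.fc and ssh.fc); on a 64-bit install the CGI would keep its default label. Suggest `/usr/lib(64)?/squid/cachemgr\.cgi`.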
diff --git a/mls/file_contexts/program/ssh-agent.fc b/mls/file_contexts/program/ssh-agent.fc
new file mode 100644
index 0000000..90a4603
--- /dev/null
+++ b/mls/file_contexts/program/ssh-agent.fc
@@ -0,0 +1,2 @@
+# ssh-agent
+/usr/bin/ssh-agent	--	system_u:object_r:ssh_agent_exec_t:s0
diff --git a/mls/file_contexts/program/ssh.fc b/mls/file_contexts/program/ssh.fc
new file mode 100644
index 0000000..4ccba2e
--- /dev/null
+++ b/mls/file_contexts/program/ssh.fc
@@ -0,0 +1,21 @@
+# ssh
+/usr/bin/ssh		--	system_u:object_r:ssh_exec_t:s0
+/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t:s0
+/usr/bin/ssh-keygen	--	system_u:object_r:ssh_keygen_exec_t:s0
+# sshd
+/etc/ssh/primes		--	system_u:object_r:sshd_key_t:s0
+/etc/ssh/ssh_host_key 	--	system_u:object_r:sshd_key_t:s0
+/etc/ssh/ssh_host_dsa_key --	system_u:object_r:sshd_key_t:s0
+/etc/ssh/ssh_host_rsa_key --	system_u:object_r:sshd_key_t:s0
+/usr/sbin/sshd	        --	system_u:object_r:sshd_exec_t:s0
+/var/run/sshd\.init\.pid	--	system_u:object_r:sshd_var_run_t:s0
+# subsystems
+/usr/lib(64)?/misc/sftp-server --	system_u:object_r:bin_t:s0
+/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t:s0
+/usr/lib(64)?/sftp-server	--	system_u:object_r:bin_t:s0
+ifdef(`distro_suse', `
+/usr/lib(64)?/ssh/.*	--	system_u:object_r:bin_t:s0
+')
+ifdef(`targeted_policy', `', `
+HOME_DIR/\.ssh(/.*)?		system_u:object_r:ROLE_home_ssh_t:s0
+')
diff --git a/mls/file_contexts/program/stunnel.fc b/mls/file_contexts/program/stunnel.fc
new file mode 100644
index 0000000..2f0798c
--- /dev/null
+++ b/mls/file_contexts/program/stunnel.fc
@@ -0,0 +1,3 @@
+/usr/sbin/stunnel	--	system_u:object_r:stunnel_exec_t:s0
+/etc/stunnel(/.*)?          	system_u:object_r:stunnel_etc_t:s0
+/var/run/stunnel(/.*)?		system_u:object_r:stunnel_var_run_t:s0
diff --git a/mls/file_contexts/program/su.fc b/mls/file_contexts/program/su.fc
new file mode 100644
index 0000000..8712b4b
--- /dev/null
+++ b/mls/file_contexts/program/su.fc
@@ -0,0 +1,2 @@
+# su
+/bin/su			--	system_u:object_r:su_exec_t:s0
diff --git a/mls/file_contexts/program/sudo.fc b/mls/file_contexts/program/sudo.fc
new file mode 100644
index 0000000..ecaf228
--- /dev/null
+++ b/mls/file_contexts/program/sudo.fc
@@ -0,0 +1,3 @@
+# sudo
+/usr/bin/sudo(edit)?	--	system_u:object_r:sudo_exec_t:s0
+
diff --git a/mls/file_contexts/program/sulogin.fc b/mls/file_contexts/program/sulogin.fc
new file mode 100644
index 0000000..bb2bc51
--- /dev/null
+++ b/mls/file_contexts/program/sulogin.fc
@@ -0,0 +1,2 @@
+# sulogin
+/sbin/sulogin		--	system_u:object_r:sulogin_exec_t:s0
diff --git a/mls/file_contexts/program/swat.fc b/mls/file_contexts/program/swat.fc
new file mode 100644
index 0000000..e75e1e3
--- /dev/null
+++ b/mls/file_contexts/program/swat.fc
@@ -0,0 +1,2 @@
+# samba management tool
+/usr/sbin/swat	--	system_u:object_r:swat_exec_t:s0
diff --git a/mls/file_contexts/program/sxid.fc b/mls/file_contexts/program/sxid.fc
new file mode 100644
index 0000000..e9126bc
--- /dev/null
+++ b/mls/file_contexts/program/sxid.fc
@@ -0,0 +1,6 @@
+# sxid - ldap server
+/usr/bin/sxid		--	system_u:object_r:sxid_exec_t
+/var/log/sxid\.log.*	--	system_u:object_r:sxid_log_t
+/var/log/setuid\.today.* --	system_u:object_r:sxid_log_t
+/usr/sbin/checksecurity\.se --	system_u:object_r:sxid_exec_t
+/var/log/setuid.*	--	system_u:object_r:sxid_log_t
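Review bot: the header comment `# sxid - ldap server` is a copy-paste leftover from slapd.fc; sxid is a setuid/setgid change monitor, so the comment should say that. The five contexts also lack the `:s0` level used in syslogd.fc right below, and `/var/log/setuid\.today.*` is already covered by the broader `/var/log/setuid.*` on the last line, so one of the two can go.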
diff --git a/mls/file_contexts/program/syslogd.fc b/mls/file_contexts/program/syslogd.fc
new file mode 100644
index 0000000..d0fb0a4
--- /dev/null
+++ b/mls/file_contexts/program/syslogd.fc
@@ -0,0 +1,11 @@
+# syslogd
+/sbin/syslogd		--	system_u:object_r:syslogd_exec_t:s0
+/sbin/minilogd		--	system_u:object_r:syslogd_exec_t:s0
+/usr/sbin/syslogd	--	system_u:object_r:syslogd_exec_t:s0
+/sbin/syslog-ng		--	system_u:object_r:syslogd_exec_t:s0
+/dev/log		-s	system_u:object_r:devlog_t:s0
+/var/run/log		-s	system_u:object_r:devlog_t:s0
+ifdef(`distro_suse', `
+/var/lib/stunnel/dev/log	-s	system_u:object_r:devlog_t:s0
+')
+/var/run/syslogd\.pid	--	system_u:object_r:syslogd_var_run_t:s0
diff --git a/mls/file_contexts/program/sysstat.fc b/mls/file_contexts/program/sysstat.fc
new file mode 100644
index 0000000..1b5e5e7
--- /dev/null
+++ b/mls/file_contexts/program/sysstat.fc
@@ -0,0 +1,7 @@
+# sysstat and other sar programs
+/usr/lib(64)?/atsar/atsa.*	--	system_u:object_r:sysstat_exec_t:s0
+/usr/lib(64)?/sysstat/sa.*	--	system_u:object_r:sysstat_exec_t:s0
+/usr/lib(64)?/sa/sadc	--	system_u:object_r:sysstat_exec_t:s0
+/var/log/atsar(/.*)?		system_u:object_r:sysstat_log_t:s0
+/var/log/sysstat(/.*)?		system_u:object_r:sysstat_log_t:s0
+/var/log/sa(/.*)?		system_u:object_r:sysstat_log_t:s0
diff --git a/mls/file_contexts/program/tcpd.fc b/mls/file_contexts/program/tcpd.fc
new file mode 100644
index 0000000..7215d91
--- /dev/null
+++ b/mls/file_contexts/program/tcpd.fc
@@ -0,0 +1,2 @@
+# tcpd
+/usr/sbin/tcpd		--	system_u:object_r:tcpd_exec_t:s0
diff --git a/mls/file_contexts/program/telnetd.fc b/mls/file_contexts/program/telnetd.fc
new file mode 100644
index 0000000..15587a2
--- /dev/null
+++ b/mls/file_contexts/program/telnetd.fc
@@ -0,0 +1,3 @@
+# telnetd
+/usr/sbin/in\.telnetd	--	system_u:object_r:telnetd_exec_t:s0
+/usr/kerberos/sbin/telnetd --	system_u:object_r:telnetd_exec_t:s0
diff --git a/mls/file_contexts/program/tftpd.fc b/mls/file_contexts/program/tftpd.fc
new file mode 100644
index 0000000..1e503b9
--- /dev/null
+++ b/mls/file_contexts/program/tftpd.fc
@@ -0,0 +1,4 @@
+# tftpd
+/usr/sbin/in\.tftpd	--	system_u:object_r:tftpd_exec_t:s0
+/usr/sbin/atftpd	--	system_u:object_r:tftpd_exec_t:s0
+/tftpboot(/.*)?			system_u:object_r:tftpdir_t:s0
diff --git a/mls/file_contexts/program/thunderbird.fc b/mls/file_contexts/program/thunderbird.fc
new file mode 100644
index 0000000..ca37346
--- /dev/null
+++ b/mls/file_contexts/program/thunderbird.fc
@@ -0,0 +1,2 @@
+/usr/bin/thunderbird.*			--	system_u:object_r:thunderbird_exec_t
+HOME_DIR/\.thunderbird(/.*)?			system_u:object_r:ROLE_thunderbird_home_t
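Review bot: both thunderbird contexts omit the `:s0` level that tftpd.fc above and timidity.fc below carry; append it (`thunderbird_exec_t:s0`, `ROLE_thunderbird_home_t:s0`).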
diff --git a/mls/file_contexts/program/timidity.fc b/mls/file_contexts/program/timidity.fc
new file mode 100644
index 0000000..84221fa
--- /dev/null
+++ b/mls/file_contexts/program/timidity.fc
@@ -0,0 +1,2 @@
+# timidity
+/usr/bin/timidity	--	system_u:object_r:timidity_exec_t:s0
diff --git a/mls/file_contexts/program/tinydns.fc b/mls/file_contexts/program/tinydns.fc
new file mode 100644
index 0000000..10ea1a3
--- /dev/null
+++ b/mls/file_contexts/program/tinydns.fc
@@ -0,0 +1,6 @@
+# tinydns
+/etc/tinydns(/.*)?		system_u:object_r:tinydns_conf_t
+/etc/tinydns/root/data* --      system_u:object_r:tinydns_zone_t
+/usr/bin/tinydns*	--	system_u:object_r:tinydns_exec_t
+#/var/log/dns/tinydns(/.*)	system_u:object_r:tinydns_log_t
+#/var/lib/svscan(/.*)		system_u:object_r:tinydns_svscan_t
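Review bot: `/etc/tinydns/root/data*` and `/usr/bin/tinydns*` use a shell-glob `*`, but file_contexts patterns are regular expressions, so `data*` matches "dat", "data", "dataa" and not "data.cdb", and `tinydns*` matches "tinydn" but not "tinydns-data" or "tinydns-edit". Use `data.*` and `tinydns.*` respectively. The two commented-out specs at the bottom also lack the `(/.*)?` optional group, and none of the live contexts carries the `:s0` level used in tmpreaper.fc below.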
diff --git a/mls/file_contexts/program/tmpreaper.fc b/mls/file_contexts/program/tmpreaper.fc
new file mode 100644
index 0000000..796037a
--- /dev/null
+++ b/mls/file_contexts/program/tmpreaper.fc
@@ -0,0 +1,3 @@
+# tmpreaper or tmpwatch
+/usr/sbin/tmpreaper	--	system_u:object_r:tmpreaper_exec_t:s0
+/usr/sbin/tmpwatch	--	system_u:object_r:tmpreaper_exec_t:s0
diff --git a/mls/file_contexts/program/traceroute.fc b/mls/file_contexts/program/traceroute.fc
new file mode 100644
index 0000000..634dbe9
--- /dev/null
+++ b/mls/file_contexts/program/traceroute.fc
@@ -0,0 +1,6 @@
+# traceroute
+/bin/traceroute.*	--	system_u:object_r:traceroute_exec_t:s0
+/bin/tracepath.*	--	system_u:object_r:traceroute_exec_t:s0
+/usr/(s)?bin/traceroute.* --	system_u:object_r:traceroute_exec_t:s0
+/usr/bin/lft		--	system_u:object_r:traceroute_exec_t:s0
+/usr/bin/nmap		--	system_u:object_r:traceroute_exec_t:s0
diff --git a/mls/file_contexts/program/transproxy.fc b/mls/file_contexts/program/transproxy.fc
new file mode 100644
index 0000000..2027eea
--- /dev/null
+++ b/mls/file_contexts/program/transproxy.fc
@@ -0,0 +1,3 @@
+# transproxy - http transperant proxy
+/usr/sbin/tproxy	--	system_u:object_r:transproxy_exec_t
+/var/run/tproxy\.pid	--	system_u:object_r:transproxy_var_run_t
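Review bot: both transproxy contexts lack the `:s0` level present in traceroute.fc directly above, and the header comment misspells "transparent" as "transperant".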
diff --git a/mls/file_contexts/program/tripwire.fc b/mls/file_contexts/program/tripwire.fc
new file mode 100644
index 0000000..88afc34
--- /dev/null
+++ b/mls/file_contexts/program/tripwire.fc
@@ -0,0 +1,9 @@
+# tripwire
+/etc/tripwire(/.*)?			system_u:object_r:tripwire_etc_t
+/usr/sbin/siggen			system_u:object_r:siggen_exec_t
+/usr/sbin/tripwire			system_u:object_r:tripwire_exec_t
+/usr/sbin/tripwire-setup-keyfiles	system_u:object_r:bin_t
+/usr/sbin/twadmin			system_u:object_r:twadmin_exec_t
+/usr/sbin/twprint			system_u:object_r:twprint_exec_t
+/var/lib/tripwire(/.*)?			system_u:object_r:tripwire_var_lib_t
+/var/lib/tripwire/report(/.*)?		system_u:object_r:tripwire_report_t
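Review bot: the five executable specs (`siggen`, `tripwire`, `tripwire-setup-keyfiles`, `twadmin`, `twprint`) have no `--` qualifier, so a directory or symlink at those paths would also be typed as an entrypoint, and none of the nine contexts carries the `:s0` level used throughout the rest of this tree. Add `--` to the binaries and `:s0` to every context.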
diff --git a/mls/file_contexts/program/tvtime.fc b/mls/file_contexts/program/tvtime.fc
new file mode 100644
index 0000000..0969e96
--- /dev/null
+++ b/mls/file_contexts/program/tvtime.fc
@@ -0,0 +1,3 @@
+# tvtime
+/usr/bin/tvtime		--	system_u:object_r:tvtime_exec_t
+
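Review bot: `system_u:object_r:tvtime_exec_t` is missing the `:s0` level that tripwire.fc's neighbours (traceroute.fc, tmpreaper.fc) carry, and the hunk ends with a stray blank line.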
diff --git a/mls/file_contexts/program/ucspi-tcp.fc b/mls/file_contexts/program/ucspi-tcp.fc
new file mode 100644
index 0000000..448c1ab
--- /dev/null
+++ b/mls/file_contexts/program/ucspi-tcp.fc
@@ -0,0 +1,3 @@
+#ucspi-tcp
+/usr/bin/tcpserver	--	system_u:object_r:utcpserver_exec_t
+/usr/bin/rblsmtpd	--	system_u:object_r:rblsmtpd_exec_t
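Review bot: both ucspi-tcp contexts omit the `:s0` level that udev.fc immediately below uses on every line; append it to `utcpserver_exec_t` and `rblsmtpd_exec_t`.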
diff --git a/mls/file_contexts/program/udev.fc b/mls/file_contexts/program/udev.fc
new file mode 100644
index 0000000..0df162f
--- /dev/null
+++ b/mls/file_contexts/program/udev.fc
@@ -0,0 +1,14 @@
+# udev
+/sbin/udevsend	--	system_u:object_r:udev_exec_t:s0
+/sbin/udev	--	system_u:object_r:udev_exec_t:s0
+/sbin/udevd	--	system_u:object_r:udev_exec_t:s0
+/sbin/start_udev --	system_u:object_r:udev_exec_t:s0
+/sbin/udevstart  --	system_u:object_r:udev_exec_t:s0
+/usr/bin/udevinfo --	system_u:object_r:udev_exec_t:s0
+/etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t:s0
+/etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t:s0
+/etc/udev/devices/.*    system_u:object_r:device_t:s0
+/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t:s0
+/dev/udev\.tbl	--	system_u:object_r:udev_tbl_t:s0
+/dev/\.udevdb(/.*)?	--	system_u:object_r:udev_tdb_t:s0
+/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t:s0
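Review bot: `/dev/\.udevdb(/.*)?  --  system_u:object_r:udev_tdb_t:s0` pairs a directory-tree pattern with the regular-file-only `--` qualifier, so the /dev/.udevdb directory itself never gets udev_tdb_t and udev will be denied when it creates entries there; drop the `--` on that line. `/etc/udev/devices/.*` is also inconsistent with the surrounding `/.+` patterns, though functionally equivalent here.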
diff --git a/mls/file_contexts/program/uml.fc b/mls/file_contexts/program/uml.fc
new file mode 100644
index 0000000..dc1621d
--- /dev/null
+++ b/mls/file_contexts/program/uml.fc
@@ -0,0 +1,4 @@
+# User Mode Linux
+/usr/bin/uml_switch	--	system_u:object_r:uml_switch_exec_t
+/var/run/uml-utilities(/.*)?	system_u:object_r:uml_switch_var_run_t
+HOME_DIR/\.uml(/.*)?		system_u:object_r:ROLE_uml_rw_t
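Review bot: the three uml contexts lack the `:s0` level used in udev.fc above (`uml_switch_exec_t:s0`, `uml_switch_var_run_t:s0`, `ROLE_uml_rw_t:s0`).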
diff --git a/mls/file_contexts/program/uml_net.fc b/mls/file_contexts/program/uml_net.fc
new file mode 100644
index 0000000..67aa1f2
--- /dev/null
+++ b/mls/file_contexts/program/uml_net.fc
@@ -0,0 +1,3 @@
+# User Mode Linux
+# WARNING: Do not install this file on any machine that has hostile users.
+/usr/lib(64)?/uml/uml_net	--	system_u:object_r:uml_net_exec_t
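Review bot: the single context here, `system_u:object_r:uml_net_exec_t`, is missing the `:s0` level used by unconfined.fc's example line right below. Given the WARNING comment about hostile users, it would also help to state in the comment what uml_net can do when labeled (it is a setuid network helper), so an administrator reading only this file understands the risk.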
diff --git a/mls/file_contexts/program/unconfined.fc b/mls/file_contexts/program/unconfined.fc
new file mode 100644
index 0000000..5e289fa
--- /dev/null
+++ b/mls/file_contexts/program/unconfined.fc
@@ -0,0 +1,3 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv	--	system_u:object_r:unconfined_exec_t:s0
diff --git a/mls/file_contexts/program/updfstab.fc b/mls/file_contexts/program/updfstab.fc
new file mode 100644
index 0000000..f6ac1d9
--- /dev/null
+++ b/mls/file_contexts/program/updfstab.fc
@@ -0,0 +1,3 @@
+# updfstab
+/usr/sbin/updfstab	--	system_u:object_r:updfstab_exec_t:s0
+/usr/sbin/fstab-sync	--	system_u:object_r:updfstab_exec_t:s0
diff --git a/mls/file_contexts/program/uptimed.fc b/mls/file_contexts/program/uptimed.fc
new file mode 100644
index 0000000..f80ccb4
--- /dev/null
+++ b/mls/file_contexts/program/uptimed.fc
@@ -0,0 +1,4 @@
+# uptimed
+/etc/uptimed\.conf	--	system_u:object_r:uptimed_etc_t
+/usr/sbin/uptimed	--	system_u:object_r:uptimed_exec_t
+/var/spool/uptimed(/.*)?        system_u:object_r:uptimed_spool_t
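Review bot: the three uptimed contexts omit the `:s0` level that updfstab.fc above and usbmodules.fc below both carry; append it to `uptimed_etc_t`, `uptimed_exec_t` and `uptimed_spool_t`.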
diff --git a/mls/file_contexts/program/usbmodules.fc b/mls/file_contexts/program/usbmodules.fc
new file mode 100644
index 0000000..1ab2742
--- /dev/null
+++ b/mls/file_contexts/program/usbmodules.fc
@@ -0,0 +1,3 @@
+# usbmodules
+/usr/sbin/usbmodules	--	system_u:object_r:usbmodules_exec_t:s0
+/sbin/usbmodules	--	system_u:object_r:usbmodules_exec_t:s0
diff --git a/mls/file_contexts/program/useradd.fc b/mls/file_contexts/program/useradd.fc
new file mode 100644
index 0000000..c7bb659
--- /dev/null
+++ b/mls/file_contexts/program/useradd.fc
@@ -0,0 +1,10 @@
+#useradd
+/usr/sbin/usermod	--	system_u:object_r:useradd_exec_t:s0
+/usr/sbin/useradd	--	system_u:object_r:useradd_exec_t:s0
+/usr/sbin/userdel	--	system_u:object_r:useradd_exec_t:s0
+#groupadd
+/usr/sbin/groupmod	--	system_u:object_r:groupadd_exec_t:s0
+/usr/sbin/groupadd	--	system_u:object_r:groupadd_exec_t:s0
+/usr/sbin/groupdel	--	system_u:object_r:groupadd_exec_t:s0
+/usr/bin/gpasswd	--	system_u:object_r:groupadd_exec_t:s0
+/usr/sbin/gpasswd	--	system_u:object_r:groupadd_exec_t:s0
diff --git a/mls/file_contexts/program/userhelper.fc b/mls/file_contexts/program/userhelper.fc
new file mode 100644
index 0000000..319c82a
--- /dev/null
+++ b/mls/file_contexts/program/userhelper.fc
@@ -0,0 +1,2 @@
+/etc/security/console.apps(/.*)?	system_u:object_r:userhelper_conf_t:s0
+/usr/sbin/userhelper		--	system_u:object_r:userhelper_exec_t:s0
diff --git a/mls/file_contexts/program/usernetctl.fc b/mls/file_contexts/program/usernetctl.fc
new file mode 100644
index 0000000..728a65c
--- /dev/null
+++ b/mls/file_contexts/program/usernetctl.fc
@@ -0,0 +1,2 @@
+# usernetctl
+/usr/sbin/usernetctl --	system_u:object_r:usernetctl_exec_t:s0
diff --git a/mls/file_contexts/program/utempter.fc b/mls/file_contexts/program/utempter.fc
new file mode 100644
index 0000000..922bc2a
--- /dev/null
+++ b/mls/file_contexts/program/utempter.fc
@@ -0,0 +1,2 @@
+# utempter
+/usr/sbin/utempter	--	system_u:object_r:utempter_exec_t:s0
diff --git a/mls/file_contexts/program/uucpd.fc b/mls/file_contexts/program/uucpd.fc
new file mode 100644
index 0000000..a359cc3
--- /dev/null
+++ b/mls/file_contexts/program/uucpd.fc
@@ -0,0 +1,5 @@
+# uucico program
+/usr/sbin/uucico	--	system_u:object_r:uucpd_exec_t:s0
+/var/spool/uucp(/.*)?		system_u:object_r:uucpd_spool_t:s0
+/var/spool/uucppublic(/.*)?	system_u:object_r:uucpd_spool_t:s0
+/var/log/uucp(/.*)?		system_u:object_r:uucpd_log_t:s0
diff --git a/mls/file_contexts/program/uwimapd.fc b/mls/file_contexts/program/uwimapd.fc
new file mode 100644
index 0000000..00f9073
--- /dev/null
+++ b/mls/file_contexts/program/uwimapd.fc
@@ -0,0 +1,2 @@
+# uw-imapd and uw-imapd-ssl
+/usr/sbin/imapd		-- system_u:object_r:imapd_exec_t
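Review bot: `system_u:object_r:imapd_exec_t` lacks the `:s0` level used throughout the other `mls/` program files; add it so the entry validates under the MLS policy. Minor: the field separators on this line mix a tab and a single space, so aligning it like the other files (`--` then a tab) would keep the .fc files uniform.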
diff --git a/mls/file_contexts/program/vmware.fc b/mls/file_contexts/program/vmware.fc
new file mode 100644
index 0000000..d015988
--- /dev/null
+++ b/mls/file_contexts/program/vmware.fc
@@ -0,0 +1,42 @@
+#
+# File contexts for VMWare.
+# Contributed by Mark Westerman (mark.westerman@westcam.com)
+# Changes made by NAI Labs.
+# Tested with VMWare 3.1
+#
+/usr/bin/vmnet-bridge	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmnet-dhcpd	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmnet-natd	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmnet-netifup	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmnet-sniffer	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmware-nmbd	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmware-ping	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmware-smbd	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmware-smbpasswd --	system_u:object_r:vmware_exec_t
+/usr/bin/vmware-smbpasswd\.bin -- system_u:object_r:vmware_exec_t
+/usr/bin/vmware-wizard	--	system_u:object_r:vmware_user_exec_t
+/usr/bin/vmware		--	system_u:object_r:vmware_user_exec_t
+
+/dev/vmmon		-c	system_u:object_r:vmware_device_t
+/dev/vmnet.*		-c	system_u:object_r:vmware_device_t
+/dev/plex86		-c	system_u:object_r:vmware_device_t
+
+/etc/vmware.*(/.*)?		system_u:object_r:vmware_sys_conf_t
+/usr/lib(64)?/vmware/config	--	system_u:object_r:vmware_sys_conf_t
+
+/usr/lib(64)?/vmware/bin/vmware-mks -- system_u:object_r:vmware_user_exec_t
+/usr/lib(64)?/vmware/bin/vmware-ui -- system_u:object_r:vmware_user_exec_t
+
+#
+# This is only an example of how to protect vmware session configuration
+# files.  A general user can execute vmware and start a vmware session
+# but the user can not modify the session configuration information
+#/usr/local/vmware(/.*)?	system_u:object_r:vmware_user_file_t
+#/usr/local/vmware/[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t
+
+# The rules below assume that the user VMWare virtual disks are in the
+# ~/vmware, and the preferences and license files are in ~/.vmware.
+#
+HOME_DIR/\.vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
+HOME_DIR/vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
+HOME_DIR/\.vmware[^/]*/.*\.cfg	--	system_u:object_r:ROLE_vmware_conf_t
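Review bot: Every context in this file, including the `HOME_DIR`/`ROLE_` entries, lacks an MLS level while the rest of the `mls/` tree appends `:s0`; add it throughout. Separately, `/etc/vmware.*(/.*)?` leaves the dot unescaped and the `.*` unbounded, so it matches any path beginning with `/etc/vmware`; if only `/etc/vmware` and `/etc/vmware-<something>` are meant, tighten it to `/etc/vmware(-[^/]*)?(/.*)?`.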
diff --git a/mls/file_contexts/program/vpnc.fc b/mls/file_contexts/program/vpnc.fc
new file mode 100644
index 0000000..66a6271
--- /dev/null
+++ b/mls/file_contexts/program/vpnc.fc
@@ -0,0 +1,4 @@
+# vpnc
+/usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t:s0
+/sbin/vpnc		--	system_u:object_r:vpnc_exec_t:s0
+/etc/vpnc/vpnc-script	--	system_u:object_r:bin_t:s0
diff --git a/mls/file_contexts/program/watchdog.fc b/mls/file_contexts/program/watchdog.fc
new file mode 100644
index 0000000..d7a8c7f
--- /dev/null
+++ b/mls/file_contexts/program/watchdog.fc
@@ -0,0 +1,5 @@
+# watchdog
+/usr/sbin/watchdog	--	system_u:object_r:watchdog_exec_t
+/dev/watchdog		-c	system_u:object_r:watchdog_device_t
+/var/log/watchdog(/.*)?		system_u:object_r:watchdog_log_t
+/var/run/watchdog\.pid	--	system_u:object_r:watchdog_var_run_t
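Review bot: The four contexts here (`watchdog_exec_t`, `watchdog_device_t`, `watchdog_log_t`, `watchdog_var_run_t`) have no MLS level, unlike the `:s0`-suffixed entries in the neighbouring files of this `mls/` tree; append `:s0` so setfiles accepts them under MLS.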
diff --git a/mls/file_contexts/program/webalizer.fc b/mls/file_contexts/program/webalizer.fc
new file mode 100644
index 0000000..7244932
--- /dev/null
+++ b/mls/file_contexts/program/webalizer.fc
@@ -0,0 +1,3 @@
+#
+/usr/bin/webalizer	--	system_u:object_r:webalizer_exec_t:s0
+/var/lib/webalizer(/.*)		system_u:object_r:webalizer_var_lib_t:s0
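Review bot: `/var/lib/webalizer(/.*)` is missing the trailing `?`, so the directory itself never matches this entry and keeps the generic `var_lib_t` from `types.fc` while only its contents get `webalizer_var_lib_t`; write `/var/lib/webalizer(/.*)?` as the other files do. The lone `#` on the first line should also name the program, as the other .fc headers do.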
diff --git a/mls/file_contexts/program/winbind.fc b/mls/file_contexts/program/winbind.fc
new file mode 100644
index 0000000..b1d9d57
--- /dev/null
+++ b/mls/file_contexts/program/winbind.fc
@@ -0,0 +1,11 @@
+/usr/sbin/winbindd	--	system_u:object_r:winbind_exec_t:s0
+/var/run/winbindd(/.*)?		system_u:object_r:winbind_var_run_t:s0
+ifdef(`samba.te', `', `
+/var/log/samba(/.*)?		system_u:object_r:samba_log_t:s0
+/etc/samba(/.*)?		system_u:object_r:samba_etc_t:s0
+/etc/samba/secrets\.tdb	--	system_u:object_r:samba_secrets_t:s0
+/etc/samba/MACHINE\.SID	--	system_u:object_r:samba_secrets_t:s0
+/var/cache/samba(/.*)?		system_u:object_r:samba_var_t:s0
+')
+/var/cache/samba/winbindd_privileged(/.*)?	system_u:object_r:winbind_var_run_t:s0
+/usr/bin/ntlm_auth --	system_u:object_r:winbind_helper_exec_t:s0
diff --git a/mls/file_contexts/program/xauth.fc b/mls/file_contexts/program/xauth.fc
new file mode 100644
index 0000000..055fc2f
--- /dev/null
+++ b/mls/file_contexts/program/xauth.fc
@@ -0,0 +1,4 @@
+# xauth
+/usr/X11R6/bin/xauth	--	system_u:object_r:xauth_exec_t
+HOME_DIR/\.xauth.*	--	system_u:object_r:ROLE_xauth_home_t
+HOME_DIR/\.Xauthority.* --	system_u:object_r:ROLE_xauth_home_t
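Review bot: `xauth_exec_t` and `ROLE_xauth_home_t` are written without an MLS level; the other program files in this `mls/` tree end every context in `:s0`. Add `:s0` to all three lines.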
diff --git a/mls/file_contexts/program/xdm.fc b/mls/file_contexts/program/xdm.fc
new file mode 100644
index 0000000..16c2d7d
--- /dev/null
+++ b/mls/file_contexts/program/xdm.fc
@@ -0,0 +1,40 @@
+# X Display Manager
+/usr/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
+/usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
+/opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t
+/usr/bin/gpe-dm		--	system_u:object_r:xdm_exec_t
+/usr/(s)?bin/gdm-binary	--	system_u:object_r:xdm_exec_t
+/var/[xgk]dm(/.*)?		system_u:object_r:xserver_log_t
+/usr/var/[xgkw]dm(/.*)?		system_u:object_r:xserver_log_t
+/var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t
+/var/log/gdm(/.*)?		system_u:object_r:xserver_log_t
+/tmp/\.X0-lock		--	system_u:object_r:xdm_xserver_tmp_t
+/etc/X11/Xsession[^/]*	--	system_u:object_r:xsession_exec_t
+/etc/X11/wdm(/.*)?		system_u:object_r:xdm_rw_etc_t
+/etc/X11/wdm/Xsetup.*	--	system_u:object_r:xsession_exec_t
+/etc/X11/wdm/Xstartup.*	--	system_u:object_r:xsession_exec_t
+/etc/X11/[wx]dm/Xreset.*	--	system_u:object_r:xsession_exec_t
+/etc/X11/[wx]dm/Xsession	--	system_u:object_r:xsession_exec_t
+/etc/kde/kdm/Xsession	--	system_u:object_r:xsession_exec_t
+/var/run/xdmctl(/.*)?		system_u:object_r:xdm_var_run_t
+/var/run/xdm\.pid	--	system_u:object_r:xdm_var_run_t
+/var/lib/[xkw]dm(/.*)?		system_u:object_r:xdm_var_lib_t
+ifdef(`distro_suse', `
+/var/lib/pam_devperm/:0	--	system_u:object_r:xdm_var_lib_t
+')
+
+#
+# Additional Xsession scripts
+#
+/etc/X11/xdm/GiveConsole	--	system_u:object_r:bin_t
+/etc/X11/xdm/TakeConsole	--	system_u:object_r:bin_t
+/etc/X11/xdm/Xsetup_0		--	system_u:object_r:bin_t
+/etc/X11/xinit(/.*)?			system_u:object_r:bin_t
+#
+# Rules for kde login
+#
+/etc/kde3?/kdm/Xstartup   --		system_u:object_r:xsession_exec_t
+/etc/kde3?/kdm/Xreset     --		system_u:object_r:xsession_exec_t
+/etc/kde3?/kdm/Xsession		--	system_u:object_r:xsession_exec_t
+/etc/kde3?/kdm/backgroundrc	system_u:object_r:xdm_var_run_t
+/usr/lib(64)?/qt-.*/etc/settings(/.*)?	system_u:object_r:xdm_var_run_t
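Review bot: No context in this 40-line file carries an MLS level, while the adjacent `xfs.fc` hunk appends `:s0` to every entry; add `:s0` throughout so the file validates under the MLS policy. Also, the `/etc/kde3?/kdm/Xstartup` and `/etc/kde3?/kdm/Xreset` lines are padded with spaces where the rest of the file uses tabs.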
diff --git a/mls/file_contexts/program/xfs.fc b/mls/file_contexts/program/xfs.fc
new file mode 100644
index 0000000..dc1881f
--- /dev/null
+++ b/mls/file_contexts/program/xfs.fc
@@ -0,0 +1,5 @@
+# xfs
+/tmp/\.font-unix(/.*)?		system_u:object_r:xfs_tmp_t:s0
+/usr/X11R6/bin/xfs	--	system_u:object_r:xfs_exec_t:s0
+/usr/X11R6/bin/xfs-xtt	--	system_u:object_r:xfs_exec_t:s0
+/usr/bin/xfstt		--	system_u:object_r:xfs_exec_t:s0
diff --git a/mls/file_contexts/program/xprint.fc b/mls/file_contexts/program/xprint.fc
new file mode 100644
index 0000000..3c72a77
--- /dev/null
+++ b/mls/file_contexts/program/xprint.fc
@@ -0,0 +1 @@
+/usr/bin/Xprt	--	system_u:object_r:xprint_exec_t
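Review bot: `system_u:object_r:xprint_exec_t` has no MLS level; append `:s0` to match the other `mls/` program files, otherwise this single entry is rejected when the policy is built with MLS.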
diff --git a/mls/file_contexts/program/xserver.fc b/mls/file_contexts/program/xserver.fc
new file mode 100644
index 0000000..3d48a6f
--- /dev/null
+++ b/mls/file_contexts/program/xserver.fc
@@ -0,0 +1,17 @@
+# X server
+/usr/X11R6/bin/Xwrapper	--	system_u:object_r:xserver_exec_t
+/usr/X11R6/bin/X	--	system_u:object_r:xserver_exec_t
+/usr/X11R6/bin/XFree86	--	system_u:object_r:xserver_exec_t
+/usr/X11R6/bin/Xorg	--	system_u:object_r:xserver_exec_t
+/usr/X11R6/bin/Xipaq	--	system_u:object_r:xserver_exec_t
+/var/lib/xkb(/.*)?		system_u:object_r:xkb_var_lib_t
+/usr/X11R6/lib/X11/xkb	-d	system_u:object_r:xkb_var_lib_t
+/usr/X11R6/lib/X11/xkb/.* --	system_u:object_r:xkb_var_lib_t
+/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
+/var/log/XFree86.*	--	system_u:object_r:xserver_log_t
+/var/log/Xorg.*		--	system_u:object_r:xserver_log_t
+/etc/init\.d/xfree86-common --	system_u:object_r:xserver_exec_t
+/tmp/\.X11-unix		-d	system_u:object_r:xdm_tmp_t
+/tmp/\.X11-unix/.*	-s	<<none>>
+/tmp/\.ICE-unix		-d	system_u:object_r:ice_tmp_t
+/tmp/\.ICE-unix/.*	-s	<<none>>
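Review bot: All contexts in this file lack an MLS level (`:s0`), unlike the surrounding `mls/` program files; add it. The two `/usr/X11R6/lib/X11/xkb` entries also omit the `(64)?` that the `xkbcomp` line directly below uses, and the pair `-d` plus `/.* --` leaves symlinks inside the xkb tree unlabelled; a single `/usr/X11R6/lib(64)?/X11/xkb(/.*)?` entry followed by the `xkbcomp` override would cover all three cases.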
diff --git a/mls/file_contexts/program/yam.fc b/mls/file_contexts/program/yam.fc
new file mode 100644
index 0000000..023b740
--- /dev/null
+++ b/mls/file_contexts/program/yam.fc
@@ -0,0 +1,5 @@
+# yam
+/etc/yam.conf		--	system_u:object_r:yam_etc_t
+/usr/bin/yam			system_u:object_r:yam_exec_t
+/var/yam(/.*)?			system_u:object_r:yam_content_t
+/var/www/yam(/.*)?		system_u:object_r:yam_content_t
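Review bot: The contexts here have no MLS level; add `:s0` as the other `mls/` program files do. `/etc/yam.conf` also leaves the dot unescaped (compare `/etc/uptimed\.conf` in `uptimed.fc`), and `/usr/bin/yam` has no `--` type field, so a directory of that name would be labelled `yam_exec_t`; write `/etc/yam\.conf` and add `--` to the `/usr/bin/yam` line.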
diff --git a/mls/file_contexts/program/ypbind.fc b/mls/file_contexts/program/ypbind.fc
new file mode 100644
index 0000000..f9f6ff8
--- /dev/null
+++ b/mls/file_contexts/program/ypbind.fc
@@ -0,0 +1,2 @@
+# ypbind
+/sbin/ypbind		--	system_u:object_r:ypbind_exec_t:s0
diff --git a/mls/file_contexts/program/yppasswdd.fc b/mls/file_contexts/program/yppasswdd.fc
new file mode 100644
index 0000000..b70c5a0
--- /dev/null
+++ b/mls/file_contexts/program/yppasswdd.fc
@@ -0,0 +1,2 @@
+# yppasswd
+/usr/sbin/rpc.yppasswdd		--	system_u:object_r:yppasswdd_exec_t:s0
diff --git a/mls/file_contexts/program/ypserv.fc b/mls/file_contexts/program/ypserv.fc
new file mode 100644
index 0000000..023746f
--- /dev/null
+++ b/mls/file_contexts/program/ypserv.fc
@@ -0,0 +1,4 @@
+# ypserv
+/usr/sbin/ypserv		--	system_u:object_r:ypserv_exec_t:s0
+/usr/lib/yp/.+			--	system_u:object_r:bin_t:s0
+/etc/ypserv\.conf		--	system_u:object_r:ypserv_conf_t:s0
diff --git a/mls/file_contexts/program/zebra.fc b/mls/file_contexts/program/zebra.fc
new file mode 100644
index 0000000..328f987
--- /dev/null
+++ b/mls/file_contexts/program/zebra.fc
@@ -0,0 +1,13 @@
+# Zebra - BGP daemon
+/usr/sbin/zebra		--	system_u:object_r:zebra_exec_t:s0
+/usr/sbin/bgpd		--	system_u:object_r:zebra_exec_t:s0
+/var/log/zebra(/.*)?		system_u:object_r:zebra_log_t:s0
+/etc/zebra(/.*)?		system_u:object_r:zebra_conf_t:s0
+/var/run/\.zserv	-s	system_u:object_r:zebra_var_run_t:s0
+/var/run/\.zebra	-s	system_u:object_r:zebra_var_run_t:s0
+# Quagga
+/usr/sbin/rip.*  	--	system_u:object_r:zebra_exec_t:s0
+/usr/sbin/ospf.*  	--	system_u:object_r:zebra_exec_t:s0
+/etc/quagga(/.*)?		system_u:object_r:zebra_conf_t:s0
+/var/log/quagga(/.*)?		system_u:object_r:zebra_log_t:s0
+/var/run/quagga(/.*)?		system_u:object_r:zebra_var_run_t:s0
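Review bot: `/usr/sbin/rip.*` and `/usr/sbin/ospf.*` are overbroad: they label any binary in `/usr/sbin` whose name begins with `rip` or `ospf` as `zebra_exec_t`, which is more than the Quagga daemons. Constrain them to the actual names, e.g. `/usr/sbin/rip(ng)?d` and `/usr/sbin/ospf6?d`; both lines also carry trailing whitespace. The header comment "Zebra - BGP daemon" undersells the file, since it also covers the RIP and OSPF daemons.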
diff --git a/mls/file_contexts/types.fc b/mls/file_contexts/types.fc
new file mode 100644
index 0000000..b80644c
--- /dev/null
+++ b/mls/file_contexts/types.fc
@@ -0,0 +1,523 @@
+#
+# This file describes the security contexts to be applied to files
+# when the security policy is installed.  The setfiles program
+# reads this file and labels files accordingly.
+#
+# Each specification has the form:
+#       regexp [ -type ] ( context | <<none>> )
+#
+# By default, the regexp is an anchored match on both ends (i.e. a 
+# caret (^) is prepended and a dollar sign ($) is appended automatically).
+# This default may be overridden by using .* at the beginning and/or
+# end of the regular expression.  
+#
+# The optional type field specifies the file type as shown in the mode
+# field by ls, e.g. use -d to match only directories or -- to match only
+# regular files.
+#
+# The value of <<none> may be used to indicate that matching files
+# should not be relabeled.
+#
+# The last matching specification is used.
+#
+# If there are multiple hard links to a file that match
+# different specifications and those specifications indicate
+# different security contexts, then a warning is displayed
+# but the file is still labeled based on the last matching
+# specification other than <<none>>.
+#
+# Some of the files listed here get re-created during boot and therefore
+# need type transition rules to retain the correct type. These files are
+# listed here anyway so that if the setfiles program is used on a running
+# system it does not relabel them to something we do not want. An example of
+# this is /var/run/utmp.
+#
+
+#
+# The security context for all files not otherwise specified.
+#
+/.*				system_u:object_r:default_t:s0
+
+#
+# The root directory.
+#
+/			-d	system_u:object_r:root_t:s0
+
+#
+# Ordinary user home directories.
+# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
+# HOME_DIR expands to each users home directory,
+#                  and to HOME_ROOT/[^/]+ for each HOME_ROOT.
+# ROLE expands to each users role when role != user_r, and to "user" otherwise.
+#
+HOME_ROOT		-d	system_u:object_r:home_root_t:s0
+HOME_DIR		-d	system_u:object_r:ROLE_home_dir_t:s0-s15:c0.c255
+HOME_DIR/.+			<<none>>
+
+/root/\.default_contexts	-- 	system_u:object_r:default_context_t:s0
+
+#
+# Mount points; do not relabel subdirectories, since
+# we do not want to change any removable media by default.
+/mnt(/[^/]*)?		-d	system_u:object_r:mnt_t:s0
+/mnt/[^/]*/.*			<<none>>
+/media(/[^/]*)?		-d	system_u:object_r:mnt_t:s0
+/media/[^/]*/.*			<<none>>
+
+#
+# /var
+#
+/var(/.*)?			system_u:object_r:var_t:s0
+/var/cache/man(/.*)?		system_u:object_r:man_t:s0
+/var/yp(/.*)?			system_u:object_r:var_yp_t:s0
+/var/lib(/.*)?			system_u:object_r:var_lib_t:s0
+/var/lib/nfs(/.*)?		system_u:object_r:var_lib_nfs_t:s0
+/var/lib/abl(/.*)?		system_u:object_r:var_auth_t:s0
+/var/lib/texmf(/.*)?		system_u:object_r:tetex_data_t:s0
+/var/cache/fonts(/.*)?		system_u:object_r:tetex_data_t:s0
+/var/lock(/.*)?			system_u:object_r:var_lock_t:s0
+/var/tmp		-d	system_u:object_r:tmp_t:s0-s15:c0.c255
+/var/tmp/.*			<<none>>
+/var/tmp/vi\.recover	-d	system_u:object_r:tmp_t:s0
+/var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
+/var/mailman/bin(/.*)?		system_u:object_r:bin_t:s0
+/var/mailman/pythonlib(/.*)?/.*\.so(\..*)?	-- system_u:object_r:shlib_t:s0
+
+#
+# /var/ftp
+#
+/var/ftp/bin(/.*)?		system_u:object_r:bin_t:s0
+/var/ftp/bin/ls		--	system_u:object_r:ls_exec_t:s0
+/var/ftp/lib(64)?(/.*)?		system_u:object_r:lib_t:s0
+/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* --	system_u:object_r:ld_so_t:s0
+/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t:s0
+/var/ftp/etc(/.*)?		system_u:object_r:etc_t:s0
+
+#
+# /bin
+#
+/bin(/.*)?			system_u:object_r:bin_t:s0
+/bin/tcsh		--	system_u:object_r:shell_exec_t:s0
+/bin/bash		--	system_u:object_r:shell_exec_t:s0
+/bin/bash2		--	system_u:object_r:shell_exec_t:s0
+/bin/sash		--	system_u:object_r:shell_exec_t:s0
+/bin/d?ash		--	system_u:object_r:shell_exec_t:s0
+/bin/zsh.*		--	system_u:object_r:shell_exec_t:s0
+/usr/sbin/sesh		--	system_u:object_r:shell_exec_t:s0
+/bin/ls			--	system_u:object_r:ls_exec_t:s0
+
+#
+# /boot
+#
+/boot(/.*)?			system_u:object_r:boot_t:s0
+/boot/System\.map(-.*)?		system_u:object_r:system_map_t:s0
+
+#
+# /dev
+#
+/dev(/.*)?			system_u:object_r:device_t:s0
+/dev/pts		-d	system_u:object_r:devpts_t:s0-s15:c0.c255
+/dev/pts(/.*)?		<<none>>
+/dev/cpu/.*		-c	system_u:object_r:cpu_device_t:s0
+/dev/microcode	-c	system_u:object_r:cpu_device_t:s0
+/dev/MAKEDEV		--	system_u:object_r:sbin_t:s0
+/dev/null		-c	system_u:object_r:null_device_t:s0
+/dev/full		-c	system_u:object_r:null_device_t:s0
+/dev/zero		-c	system_u:object_r:zero_device_t:s0
+/dev/console		-c	system_u:object_r:console_device_t:s0
+/dev/xconsole		-p	system_u:object_r:xconsole_device_t:s0
+/dev/(kmem|mem|port)	-c	system_u:object_r:memory_device_t:s15:c0.c255
+/dev/nvram		-c	system_u:object_r:memory_device_t:s0
+/dev/random		-c	system_u:object_r:random_device_t:s0
+/dev/urandom		-c	system_u:object_r:urandom_device_t:s0
+/dev/adb.*		-c	system_u:object_r:tty_device_t:s0
+/dev/capi.*		-c	system_u:object_r:tty_device_t:s0
+/dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t:s0
+/dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t:s0
+/dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t:s0
+/dev/rfcomm[0-9]+	-c	system_u:object_r:tty_device_t:s0
+/dev/isdn.*		-c	system_u:object_r:tty_device_t:s0
+/dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t:s0
+/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t:s0
+/dev/cu.*		-c	system_u:object_r:tty_device_t:s0
+/dev/vcs[^/]*		-c	system_u:object_r:tty_device_t:s0
+/dev/ip2[^/]*		-c	system_u:object_r:tty_device_t:s0
+/dev/hvc.*		-c	system_u:object_r:tty_device_t:s0
+/dev/hvsi.*		-c	system_u:object_r:tty_device_t:s0
+/dev/ttySG.*		-c	system_u:object_r:tty_device_t:s0
+/dev/tty		-c	system_u:object_r:devtty_t:s0
+/dev/lp.*		-c	system_u:object_r:printer_device_t:s0
+/dev/par.*		-c	system_u:object_r:printer_device_t:s0
+/dev/usb/lp.*		-c	system_u:object_r:printer_device_t:s0
+/dev/usblp.*		-c	system_u:object_r:printer_device_t:s0
+ifdef(`distro_redhat', `
+/dev/root		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+')
+/dev/[shmx]d[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/dm-[0-9]+	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/sg[0-9]+		-c	system_u:object_r:scsi_generic_device_t:s0
+/dev/rd.*		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/i2o/hd[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/ubd[^/]*		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/cciss/[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/mapper/.*		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/ida/[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/flash[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/nb[^/]+		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/ataraid/.*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/loop.*		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/net/.*		-c	system_u:object_r:tun_tap_device_t:s0
+/dev/ram.*		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/rawctl		-c	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/raw/raw[0-9]+	-c	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/scramdisk/.*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/initrd		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/jsfd		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/js.*		-c	system_u:object_r:mouse_device_t:s0
+/dev/jsflash		-c	system_u:object_r:fixed_disk_device_t:s15:c0.c255
+/dev/xvd.*		-b	system_u:object_r:fixed_disk_device_t:s0
+/dev/s(cd|r)[^/]*	-b	system_u:object_r:removable_device_t:s0
+/dev/usb/rio500	-c	system_u:object_r:removable_device_t:s0
+/dev/fd[^/]+		-b	system_u:object_r:removable_device_t:s0
+# I think a parallel port disk is a removable device...
+/dev/pd[a-d][^/]*	-b	system_u:object_r:removable_device_t:s0
+/dev/p[fg][0-3]	-b	system_u:object_r:removable_device_t:s0
+/dev/aztcd		-b	system_u:object_r:removable_device_t:s0
+/dev/bpcd		-b	system_u:object_r:removable_device_t:s0
+/dev/gscd		-b	system_u:object_r:removable_device_t:s0
+/dev/hitcd		-b	system_u:object_r:removable_device_t:s0
+/dev/pcd[0-3]		-b	system_u:object_r:removable_device_t:s0
+/dev/mcdx?		-b	system_u:object_r:removable_device_t:s0
+/dev/cdu.*		-b	system_u:object_r:removable_device_t:s0
+/dev/cm20.*		-b	system_u:object_r:removable_device_t:s0
+/dev/optcd		-b	system_u:object_r:removable_device_t:s0
+/dev/sbpcd.*		-b	system_u:object_r:removable_device_t:s0
+/dev/sjcd		-b	system_u:object_r:removable_device_t:s0
+/dev/sonycd		-b	system_u:object_r:removable_device_t:s0
+# parallel port ATAPI generic device
+/dev/pg[0-3]		-c	system_u:object_r:removable_device_t:s0
+/dev/rtc		-c	system_u:object_r:clock_device_t:s0
+/dev/psaux		-c	system_u:object_r:mouse_device_t:s0
+/dev/atibm		-c	system_u:object_r:mouse_device_t:s0
+/dev/logibm		-c	system_u:object_r:mouse_device_t:s0
+/dev/.*mouse.*	-c	system_u:object_r:mouse_device_t:s0
+/dev/input/.*mouse.*	-c	system_u:object_r:mouse_device_t:s0
+/dev/input/event.*	-c	system_u:object_r:event_device_t:s0
+/dev/input/mice	-c	system_u:object_r:mouse_device_t:s0
+/dev/input/js.*	-c	system_u:object_r:mouse_device_t:s0
+/dev/ptmx		-c	system_u:object_r:ptmx_t:s0
+/dev/sequencer	-c	system_u:object_r:misc_device_t:s0
+/dev/fb[0-9]*		-c	system_u:object_r:framebuf_device_t:s0
+/dev/apm_bios		-c	system_u:object_r:apm_bios_t:s0
+/dev/cpu/mtrr		-c	system_u:object_r:mtrr_device_t:s0
+/dev/pmu		-c	system_u:object_r:power_device_t:s0
+/dev/(radio|video|vbi|vtx).* -c	system_u:object_r:v4l_device_t:s0
+/dev/winradio.	-c	system_u:object_r:v4l_device_t:s0
+/dev/vttuner		-c	system_u:object_r:v4l_device_t:s0
+/dev/tlk[0-3]		-c	system_u:object_r:v4l_device_t:s0
+/dev/adsp		-c	system_u:object_r:sound_device_t:s0
+/dev/mixer.*		-c	system_u:object_r:sound_device_t:s0
+/dev/dsp.*		-c	system_u:object_r:sound_device_t:s0
+/dev/audio.*		-c	system_u:object_r:sound_device_t:s0
+/dev/r?midi.*		-c	system_u:object_r:sound_device_t:s0
+/dev/sequencer2	-c	system_u:object_r:sound_device_t:s0
+/dev/smpte.*		-c	system_u:object_r:sound_device_t:s0
+/dev/sndstat		-c	system_u:object_r:sound_device_t:s0
+/dev/beep		-c	system_u:object_r:sound_device_t:s0
+/dev/patmgr[01]	-c	system_u:object_r:sound_device_t:s0
+/dev/mpu401.*		-c	system_u:object_r:sound_device_t:s0
+/dev/srnd[0-7]	-c	system_u:object_r:sound_device_t:s0
+/dev/aload.*		-c	system_u:object_r:sound_device_t:s0
+/dev/amidi.*		-c	system_u:object_r:sound_device_t:s0
+/dev/amixer.*		-c	system_u:object_r:sound_device_t:s0
+/dev/snd/.*		-c	system_u:object_r:sound_device_t:s0
+/dev/n?[hs]t[0-9].*	-c	system_u:object_r:tape_device_t:s0
+/dev/n?(raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t:s0
+/dev/n?z?qft[0-3]	-c	system_u:object_r:tape_device_t:s0
+/dev/n?tpqic[12].*	-c	system_u:object_r:tape_device_t:s0
+/dev/ht[0-1]		-b	system_u:object_r:tape_device_t:s0
+/dev/n?osst[0-3].*	-c	system_u:object_r:tape_device_t:s0
+/dev/n?pt[0-9]+	-c	system_u:object_r:tape_device_t:s0
+/dev/tape.*		-c	system_u:object_r:tape_device_t:s0
+ifdef(`distro_suse', `
+/dev/usbscanner	-c	system_u:object_r:scanner_device_t:s0
+')
+/dev/usb/scanner.*	-c	system_u:object_r:scanner_device_t:s0
+/dev/usb/dc2xx.*	-c	system_u:object_r:scanner_device_t:s0
+/dev/usb/mdc800.*	-c	system_u:object_r:scanner_device_t:s0
+/dev/usb/tty.*	-c	system_u:object_r:usbtty_device_t:s0
+/dev/mmetfgrab	-c	system_u:object_r:scanner_device_t:s0
+/dev/nvidia.*		-c	system_u:object_r:xserver_misc_device_t:s0
+/dev/dri/.+		-c	system_u:object_r:dri_device_t:s0
+/dev/radeon		-c	system_u:object_r:dri_device_t:s0
+/dev/agpgart		-c	system_u:object_r:agp_device_t:s0
+/dev/z90crypt		-c	system_u:object_r:crypt_device_t:s0
+
+#
+# Misc
+#
+/proc(/.*)?			<<none>>
+/sys(/.*)?			<<none>>
+/selinux(/.*)?			<<none>>
+
+#
+# /opt
+#
+/opt(/.*)?			system_u:object_r:usr_t:s0
+/opt(/.*)?/lib(64)?(/.*)?				system_u:object_r:lib_t:s0
+/opt(/.*)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
+/opt(/.*)?/libexec(/.*)?	system_u:object_r:bin_t:s0
+/opt(/.*)?/bin(/.*)?		system_u:object_r:bin_t:s0
+/opt(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t:s0
+/opt(/.*)?/man(/.*)?		system_u:object_r:man_t:s0
+/opt(/.*)?/var/lib(64)?(/.*)?		system_u:object_r:var_lib_t:s0
+
+#
+# /etc
+#
+/etc(/.*)?			system_u:object_r:etc_t:s0
+/var/db/.*\.db		--	system_u:object_r:etc_t:s0
+/etc/\.pwd\.lock	--	system_u:object_r:shadow_t:s0
+/etc/passwd\.lock	--	system_u:object_r:shadow_t:s0
+/etc/group\.lock	--	system_u:object_r:shadow_t:s0
+/etc/shadow.*		--	system_u:object_r:shadow_t:s0
+/etc/gshadow.*		--	system_u:object_r:shadow_t:s0
+/var/db/shadow.*	--	system_u:object_r:shadow_t:s0
+/etc/blkid\.tab.*	--	system_u:object_r:etc_runtime_t:s0
+/etc/fstab\.REVOKE	--	system_u:object_r:etc_runtime_t:s0
+/etc/\.fstab\.hal\..+	--	system_u:object_r:etc_runtime_t:s0
+/etc/HOSTNAME		--	system_u:object_r:etc_runtime_t:s0
+/etc/ioctl\.save	--	system_u:object_r:etc_runtime_t:s0
+/etc/mtab		--	system_u:object_r:etc_runtime_t:s0
+/etc/motd		--	system_u:object_r:etc_runtime_t:s0
+/etc/issue		--	system_u:object_r:etc_runtime_t:s0
+/etc/issue\.net		--	system_u:object_r:etc_runtime_t:s0
+/etc/sysconfig/hwconf	--	system_u:object_r:etc_runtime_t:s0
+/etc/sysconfig/iptables\.save -- system_u:object_r:etc_runtime_t:s0
+/etc/sysconfig/firstboot --	system_u:object_r:etc_runtime_t:s0
+/etc/asound\.state	--	system_u:object_r:etc_runtime_t:s0
+/etc/ptal/ptal-printd-like -- 	system_u:object_r:etc_runtime_t:s0
+ifdef(`distro_gentoo', `
+/etc/profile\.env	--	system_u:object_r:etc_runtime_t:s0
+/etc/csh\.env		--	system_u:object_r:etc_runtime_t:s0
+/etc/env\.d/.*		--	system_u:object_r:etc_runtime_t:s0
+')
+/etc/ld\.so\.cache	--	system_u:object_r:ld_so_cache_t:s0
+/etc/ld\.so\.preload	--	system_u:object_r:ld_so_cache_t:s0
+/etc/yp\.conf.*		--	system_u:object_r:net_conf_t:s0
+/etc/resolv\.conf.*	--	system_u:object_r:net_conf_t:s0
+
+/etc/selinux(/.*)?		system_u:object_r:selinux_config_t:s0
+/etc/selinux/([^/]*/)?seusers	--	system_u:object_r:selinux_config_t:s15:c0.c255
+/etc/selinux/([^/]*/)?users(/.*)?	system_u:object_r:selinux_config_t:s15:c0.c255
+/etc/selinux/([^/]*/)?policy(/.*)?	system_u:object_r:policy_config_t:s15:c0.c255
+/etc/selinux/([^/]*/)?src(/.*)?	system_u:object_r:policy_src_t:s15:c0.c255
+/etc/selinux/([^/]*/)?contexts(/.*)?	system_u:object_r:default_context_t:s0
+/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s15:c0.c255
+
+
+#
+# /lib(64)?
+#
+/lib(64)?(/.*)?					system_u:object_r:lib_t:s0
+/lib(64)?/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t:s0
+/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t:s0
+
+#
+# /sbin
+#
+/sbin(/.*)?			system_u:object_r:sbin_t:s0
+
+#
+# /tmp
+#
+/tmp			-d	system_u:object_r:tmp_t:s0-s15:c0.c255
+/tmp/.*				<<none>>
+
+#
+# /usr
+#
+/usr(/.*)?			system_u:object_r:usr_t:s0
+/usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t:s0
+/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
+/usr/lib/win32/.*	--	system_u:object_r:shlib_t:s0
+/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t:s0
+/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t:s0
+/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t:s0
+/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t:s0
+/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
+/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t:s0
+/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t:s0
+/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t:s0
+/usr/etc(/.*)?			system_u:object_r:etc_t:s0
+/usr/inclu.e(/.*)?		system_u:object_r:usr_t:s0
+/usr/libexec(/.*)?		system_u:object_r:bin_t:s0
+/usr/src(/.*)?			system_u:object_r:src_t:s0
+/usr/tmp		-d	system_u:object_r:tmp_t:s0-s15:c0.c255
+/usr/tmp/.*			<<none>>
+/usr/man(/.*)?			system_u:object_r:man_t:s0
+/usr/share/man(/.*)?		system_u:object_r:man_t:s0
+/usr/share/mc/extfs/.*	--	system_u:object_r:bin_t:s0
+/usr/share(/.*)?/lib(64)?(/.*)?	system_u:object_r:usr_t:s0
+/usr/share/ssl/certs(/.*)?	system_u:object_r:cert_t:s0
+/usr/share/ssl/private(/.*)?	system_u:object_r:cert_t:s0
+
+# nvidia share libraries
+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
+/usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t:s0
+/usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t:s0
+
+# libGL
+/usr/X11R6/lib/libGL\.so.* 	-- system_u:object_r:texrel_shlib_t:s0
+
+ifdef(`distro_debian', `
+/usr/share/selinux(/.*)?	system_u:object_r:policy_src_t:s0
+')
+ifdef(`distro_gentoo', `
+/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	system_u:object_r:bin_t:s0
+')
+
+#
+# /usr/lib(64)?
+#
+/usr/lib(64)?/perl5/man(/.*)?	system_u:object_r:man_t:s0
+/usr/lib(64)?/selinux(/.*)?		system_u:object_r:policy_src_t:s0
+/usr/lib(64)?/emacsen-common/.*	system_u:object_r:bin_t:s0
+
+#
+# /usr/local
+#
+/usr/local/etc(/.*)?		system_u:object_r:etc_t:s0
+/usr/local/src(/.*)?		system_u:object_r:src_t:s0
+/usr/local/man(/.*)?		system_u:object_r:man_t:s0
+/usr/local/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
+/usr/(local/)?lib/wine/.*\.so   --	system_u:object_r:texrel_shlib_t:s0
+/usr/(local/)?lib/libfame-.*\.so.*    --	system_u:object_r:texrel_shlib_t:s0
+
+
+#
+# /usr/X11R6/man
+#
+/usr/X11R6/man(/.*)?		system_u:object_r:man_t:s0
+
+#
+# Fonts dir
+#
+/usr/X11R6/lib/X11/fonts(/.*)?		system_u:object_r:fonts_t:s0
+ifdef(`distro_debian', `
+/var/lib/msttcorefonts(/.*)?		system_u:object_r:fonts_t:s0
+')
+/usr/share/fonts(/.*)?			system_u:object_r:fonts_t:s0
+/usr/share/ghostscript/fonts(/.*)?	system_u:object_r:fonts_t:s0
+/usr/local/share/fonts(/.*)?		system_u:object_r:fonts_t:s0
+
+#
+# /var/run
+#
+/var/run		-d	system_u:object_r:var_run_t:s0-s15:c0.c255
+/var/run/.*\.*pid		<<none>>
+/var/run/.*			system_u:object_r:var_run_t:s0
+
+#
+# /var/spool
+#
+/var/spool(/.*)?		system_u:object_r:var_spool_t:s0
+/var/spool/texmf(/.*)?		system_u:object_r:tetex_data_t:s0
+/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t:s0
+
+# 
+# /var/log
+#
+/var/log(/.*)?			system_u:object_r:var_log_t:s0
+/var/log/wtmp.*		--	system_u:object_r:wtmp_t:s0
+/var/log/btmp.*		--	system_u:object_r:faillog_t:s0
+/var/log/faillog	--	system_u:object_r:faillog_t:s0
+/var/log/ksyms.*	--	system_u:object_r:var_log_ksyms_t:s0
+/var/log/dmesg		--	system_u:object_r:var_log_t:s0
+/var/log/lastlog	--	system_u:object_r:lastlog_t:s0
+/var/log/ksymoops(/.*)?		system_u:object_r:var_log_ksyms_t:s0
+/var/log/syslog		--	system_u:object_r:var_log_t:s0
+
+#
+# Journal files
+#
+/\.journal			<<none>>
+/usr/\.journal			<<none>>
+/boot/\.journal			<<none>>
+HOME_ROOT/\.journal		<<none>>
+/var/\.journal			<<none>>
+/tmp/\.journal			<<none>>
+/usr/local/\.journal		<<none>>
+
+#
+# Lost and found directories.
+#
+/lost\+found		-d	system_u:object_r:lost_found_t:s15:c0.c255
+/lost\+found/.*			<<none>>
+/usr/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
+/usr/lost\+found/.*		<<none>>
+/boot/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
+/boot/lost\+found/.*		<<none>>
+HOME_ROOT/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
+HOME_ROOT/lost\+found/.*	<<none>>
+/var/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
+/var/lost\+found/.*		<<none>>
+/tmp/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
+/tmp/lost\+found/.*		<<none>>
+/var/tmp/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
+/var/tmp/lost\+found/.*		<<none>>
+/usr/local/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
+/usr/local/lost\+found/.*	<<none>>
+
+#
+# system localization
+#
+/usr/share/zoneinfo(/.*)?	system_u:object_r:locale_t:s0
+/usr/share/locale(/.*)?		system_u:object_r:locale_t:s0
+/usr/lib/locale(/.*)?		system_u:object_r:locale_t:s0
+/etc/localtime		--	system_u:object_r:locale_t:s0
+/etc/localtime		-l	system_u:object_r:etc_t:s0
+/etc/pki(/.*)?				system_u:object_r:cert_t:s0
+
+#
+# Gnu Cash
+#
+/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t:s0
+/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t:s0
+
+#
+# Turboprint
+#
+/usr/share/turboprint/lib(/.*)? 	--     system_u:object_r:bin_t:s0
+/usr/share/hwdata(/.*)? 	        system_u:object_r:hwdata_t:s0
+
+#
+# initrd mount point, only used during boot
+#
+/initrd			-d	system_u:object_r:root_t:s0
+
+#
+#  The krb5.conf file is always being tested for writability, so
+#  we defined a type to dontaudit
+#
+/etc/krb5\.conf		--	system_u:object_r:krb5_conf_t:s0
+
+#
+# Thunderbird
+#
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t:s0
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t:s0
+/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t:s0
+/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t:s0
+/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t:s0
+
+#
+# /srv
+#
+/srv(/.*)?			system_u:object_r:var_t:s0
+
+/etc/sysconfig/network-scripts/ifup-.* 		-- system_u:object_r:bin_t:s0
+/etc/sysconfig/network-scripts/ifdown-.* 	-- system_u:object_r:bin_t:s0
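Review bot: the `<<none>>` entry `/var/run/.*\.*pid` at the top of the /var/run block does not match what it looks like it matches: `\.*` is zero or more literal dots, so the pattern is really "anything under /var/run whose name ends in pid" and would also exempt a file called /var/run/stupid from relabeling; `/var/run/.*\.pid` is presumably what was meant. Two smaller points in the same hunk: `/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t:s0` combines the `--` (regular files only) qualifier with a pattern that also covers the directory itself, so the lib directory never matches this entry and falls back to whatever the /usr/share default is; and labeling every Wine and libfame shared object `texrel_shlib_t` permits text relocations (mappings that are first written and then executed) for all of them, so it is worth confirming which of those objects actually need it rather than plain `shlib_t`.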
diff --git a/mls/flask/Makefile b/mls/flask/Makefile
new file mode 100644
index 0000000..970b9fe
--- /dev/null
+++ b/mls/flask/Makefile
@@ -0,0 +1,41 @@
+# flask needs to know where to export the libselinux headers.
+LIBSEL ?= ../../libselinux
+
+# flask needs to know where to export the kernel headers.
+LINUXDIR ?= ../../../linux-2.6
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+          else if [ -x /bin/bash ]; then echo /bin/bash; \
+          else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = security_classes initial_sids
+AV_H_DEPEND = access_vectors
+
+FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
+AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+all:  $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+
+tolib: all
+	install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
+	install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
+
+tokern: all
+	install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
+
+install: all
+
+relabel:
+
+clean:  
+	rm -f $(FLASK_H_FILES)
+	rm -f $(AV_H_FILES)
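Review bot: `$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)` are multi-target rules, which make expands into one rule per target with the same recipe; under `make -j` the `all` target can therefore start mkflask.sh (and mkaccess_vector.sh) several times at once, each rewriting the same headers. A stamp file per generator (the three headers depending on a `flask.stamp` that runs the script once) avoids that. Also, `all`, `tolib`, `tokern`, `install`, `relabel` and `clean` should be declared `.PHONY`, and the empty `install:` and `relabel:` targets deserve a one-line comment explaining why they exist (presumably so the top-level policy Makefile can recurse into this directory?).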
diff --git a/mls/flask/access_vectors b/mls/flask/access_vectors
new file mode 100644
index 0000000..dc20463
--- /dev/null
+++ b/mls/flask/access_vectors
@@ -0,0 +1,608 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	unlink
+	link
+	rename
+	execute
+	swapon
+	quotaon
+	mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+# socket-specific
+	bind
+	connect
+	listen
+	accept
+	getopt
+	setopt
+	shutdown
+	recvfrom
+	sendto
+	recv_msg
+	send_msg
+	name_bind
+}	
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+	create
+	destroy
+	getattr
+	setattr
+	read
+	write
+	associate
+	unix_read
+	unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+	mount
+	remount
+	unmount
+	getattr
+	relabelfrom
+	relabelto
+	transition
+	associate
+	quotamod
+	quotaget
+}
+
+class dir
+inherits file
+{
+	add_name
+	remove_name
+	reparent
+	search
+	rmdir
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+	use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+	node_bind
+	name_connect
+}
+
+class udp_socket
+inherits socket
+{
+	node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+	node_bind
+}
+
+class node 
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+	enforce_dest
+}
+
+class netif
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+	fork
+	transition
+	sigchld # commonly granted from child to parent
+	sigkill # cannot be caught or ignored
+	sigstop # cannot be caught or ignored
+	signull # for kill(pid, 0)
+	signal  # all other signals
+	ptrace
+	getsched
+	setsched
+	getsession
+	getpgid
+	setpgid
+	getcap
+	setcap
+	share
+	getattr
+	setexec
+	setfscreate
+	noatsecure
+	siginh
+	setrlimit
+	rlimitinh
+	dyntransition
+	setcurrent
+	execmem
+	execstack
+	execheap
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+	enqueue
+}
+
+class msg
+{
+	send
+	receive
+}
+
+class shm
+inherits ipc
+{
+	lock
+}
+
+
+#
+# Define the access vector interpretation for the security server. 
+#
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce     # was avc_toggle in system class
+	setbool
+	setsecparam
+	setcheckreqprot
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+	ipc_info
+	syslog_read  
+	syslog_mod
+	syslog_console
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown           
+	dac_override    
+	dac_read_search 
+	fowner          
+	fsetid          
+	kill            
+	setgid           
+	setuid           
+	setpcap          
+	linux_immutable  
+	net_bind_service 
+	net_broadcast    
+	net_admin        
+	net_raw          
+	ipc_lock         
+	ipc_owner        
+	sys_module       
+	sys_rawio        
+	sys_chroot       
+	sys_ptrace       
+	sys_pacct        
+	sys_admin        
+	sys_boot         
+	sys_nice         
+	sys_resource     
+	sys_time         
+	sys_tty_config  
+	mknod
+	lease
+	audit_write
+	audit_control
+}
+
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+	passwd	# change another user passwd
+	chfn	# change another user finger info
+	chsh	# change another user shell
+	rootok  # pam_rootok check (skip auth)
+	crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class drawable
+{
+	create
+	destroy
+	draw
+	copy
+	getattr
+}
+
+class gc
+{
+	create
+	free
+	getattr
+	setattr
+}
+
+class window 
+{
+	addchild
+	create
+	destroy
+	map
+	unmap
+	chstack
+	chproplist
+	chprop	
+	listprop
+	getattr
+	setattr
+	setfocus
+	move
+	chselection
+	chparent
+	ctrllife
+	enumerate
+	transparent
+	mousemotion
+	clientcomevent
+	inputevent
+	drawevent
+	windowchangeevent
+	windowchangerequest
+	serverchangeevent
+	extensionevent
+}
+
+class font
+{
+	load
+	free
+	getattr
+	use
+}
+
+class colormap
+{
+	create
+	free
+	install
+	uninstall
+	list
+	read
+	store
+	getattr
+	setattr
+}
+
+class property
+{
+	create
+	free
+	read
+	write
+}
+
+class cursor
+{
+	create
+	createglyph
+	free
+	assign
+	setattr
+}
+
+class xclient
+{
+	kill
+}
+
+class xinput
+{
+	lookup
+	getattr
+	setattr
+	setfocus
+	warppointer
+	activegrab
+	passivegrab
+	ungrab
+	bell
+	mousemotion
+	relabelinput
+}
+
+class xserver
+{
+	screensaver
+	gethostlist
+	sethostlist
+	getfontpath
+	setfontpath
+	getattr
+	grab
+	ungrab
+}
+
+class xextension
+{
+	query
+	use
+}
+
+#
+# Define the access vector interpretation for controlling
+# PaX flags
+#
+class pax
+{
+        pageexec        # Paging based non-executable pages
+        emutramp        # Emulate trampolines
+        mprotect        # Restrict mprotect()
+        randmmap        # Randomize mmap() base
+        randexec        # Randomize ET_EXEC base
+        segmexec        # Segmentation based non-executable pages
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+	nlmsg_relay
+	nlmsg_readpriv
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+	acquire_svc
+	send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+	getpwd
+	getgrp
+	gethost
+	getstat
+	admin
+       shmempwd
+       shmemgrp
+       shmemhost
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+       sendto
+       recvfrom
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
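Review bot: the bit value of every permission is purely positional (mkaccess_vector.sh doubles `permission` once per line), so the `capability` class comment "Order matters" understates the risk: inserting a capability anywhere but at the end silently shifts every later bit, and a policy rule granting `sys_admin` would then land on a different kernel capability. Worth adding the numeric CAP_ value as a trailing comment on each line so a mismatch is visible in review (the list as written does match include/linux/capability.h from CAP_CHOWN = 0 through CAP_AUDIT_CONTROL = 30). Minor: the comment reads "controling capabilies", and the `shmempwd`/`shmemgrp`/`shmemhost` lines of `nscd` and the body of `association` are indented with spaces where the rest of the file uses tabs.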
diff --git a/mls/flask/initial_sids b/mls/flask/initial_sids
new file mode 100644
index 0000000..95894eb
--- /dev/null
+++ b/mls/flask/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers 
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
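Review bot: the SID numbers are assigned by position (mkflask.sh increments `sid_value` once per `sid` line), so this list is effectively kernel ABI: entries such as `file_labels`, `any_socket` or `kmod`, which initial_sid_contexts marks as no longer used, still cannot be deleted without renumbering every SID after them in the kernel's copy of flask.h. A header comment saying that order is significant and that retired SIDs stay as placeholders would stop a well-meant cleanup from breaking the build.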
diff --git a/mls/flask/mkaccess_vector.sh b/mls/flask/mkaccess_vector.sh
new file mode 100644
index 0000000..b5da734
--- /dev/null
+++ b/mls/flask/mkaccess_vector.sh
@@ -0,0 +1,227 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift
+
+# output files
+av_permissions="av_permissions.h"
+av_inherit="av_inherit.h"
+common_perm_to_string="common_perm_to_string.h"
+av_perm_to_string="av_perm_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$av_permissions\"
+		inheritfile = \"$av_inherit\"
+		cpermfile = \"$common_perm_to_string\"
+		avpermfile = \"$av_perm_to_string\"
+		"'
+		nextstate = "COMMON_OR_AV";
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > inheritfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > cpermfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
+;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "common"	{ 
+			if (nextstate != "COMMON_OR_AV")
+			{
+				printf("Parse error:  Unexpected COMMON definition on line %d\n", NR);
+				next;	
+			}
+
+			if ($2 in common_defined)
+			{
+				printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			common_defined[$2] = 1;
+
+			tclass = $2;
+			common_name = $2; 
+			permission = 1;
+
+			printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
+
+			nextstate = "COMMON-OPENBRACKET";
+			next;
+		}
+$1 == "class"	{
+			if (nextstate != "COMMON_OR_AV" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			tclass = $2;
+
+			if (tclass in av_defined)
+			{
+				printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
+				next;
+			} 
+			av_defined[tclass] = 1;
+
+			inherits = "";
+			permission = 1;
+
+			nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
+			next;
+		}
+$1 == "inherits" {			
+			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected INHERITS definition on line %d\n", NR);
+				next;	
+			}
+
+			if (!($2 in common_defined))
+			{
+				printf("COMMON %s is not defined (line %d).\n", $2, NR);
+				next;
+			}
+
+			inherits = $2;
+			permission = common_base[$2];
+
+			for (combined in common_perms)
+			{
+				split(combined,separate, SUBSEP);
+				if (separate[1] == inherits)
+				{
+					inherited_perms[common_perms[combined]] = separate[2];
+				}
+			}
+
+                        j = 1;
+                        for (i in inherited_perms) {
+                            ind[j] = i + 0;
+                            j++;
+                        }
+                        n = asort(ind);
+			for (i = 1; i <= n; i++) {
+				perm = inherited_perms[ind[i]];
+				printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; 
+				spaces = 40 - (length(perm) + length(tclass));
+				if (spaces < 1)
+				      spaces = 1;
+				for (j = 0; j < spaces; j++) 
+					printf(" ") > outfile; 
+				printf("0x%08xUL\n", ind[i]) > outfile; 
+			}
+			printf("\n") > outfile;
+                        for (i in ind) delete ind[i];
+                        for (i in inherited_perms) delete inherited_perms[i];
+
+			printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; 
+
+			nextstate = "CLASS_OR_CLASS-OPENBRACKET";
+			next;
+		}
+$1 == "{"	{ 
+			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "COMMON-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected { on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "COMMON-OPENBRACKET")
+				nextstate = "COMMON-CLOSEBRACKET";
+		}
+/[a-z][a-z_]*/	{
+			if (nextstate != "COMMON-CLOSEBRACKET" &&
+			    nextstate != "CLASS-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected symbol %s on line %d\n", $1, NR);		
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				if ((common_name,$1) in common_perms)
+				{
+					printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
+					next;
+				}
+
+				common_perms[common_name,$1] = permission;
+
+				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
+
+				printf("    S_(\"%s\")\n", $1) > cpermfile;
+			}
+			else
+			{
+				if ((tclass,$1) in av_perms)
+				{
+					printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
+					next;
+				}
+
+				av_perms[tclass,$1] = permission;
+		
+				if (inherits != "")
+				{
+					if ((inherits,$1) in common_perms)
+					{
+						printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
+						next;
+					}
+				}
+
+				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
+
+				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
+			}
+
+			spaces = 40 - (length($1) + length(tclass));
+			if (spaces < 1)
+			      spaces = 1;
+
+			for (i = 0; i < spaces; i++) 
+				printf(" ") > outfile; 
+			printf("0x%08xUL\n", permission) > outfile; 
+			permission = permission * 2;
+		}
+$1 == "}"	{
+			if (nextstate != "CLASS-CLOSEBRACKET" && 
+			    nextstate != "COMMON-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected } on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				common_base[common_name] = permission;
+				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
+			}
+
+			printf("\n") > outfile;
+
+			nextstate = "COMMON_OR_AV";
+		}
+END	{
+		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			printf("Parse error:  Unexpected end of file\n");
+
+	}'
+
+# FLASK
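Review bot: every parse error in the awk program (`Parse error: ...`, `Duplicate ...`, `COMMON %s is not defined`) is printed to stdout and followed by `next`, and the program never sets a non-zero exit status, so `set -e` buys nothing and a malformed access_vectors file yields partially written headers that the Makefile then installs as if they were good; print to `"/dev/stderr"`, set an error flag, and `exit 1` from END. Two further points: `printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR)` passes four arguments to three conversions, so the line number shown is `inherits` coerced to 0 and NR is dropped; and `n = asort(ind);` is a gawk extension while the Makefile only asks for `awk`, so the script fails on mawk or BSD awk. `cat $*` should also be `cat "$@"`.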
diff --git a/mls/flask/mkflask.sh b/mls/flask/mkflask.sh
new file mode 100644
index 0000000..9c84754
--- /dev/null
+++ b/mls/flask/mkflask.sh
@@ -0,0 +1,95 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift 1
+
+# output file
+output_file="flask.h"
+debug_file="class_to_string.h"
+debug_file2="initial_sid_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$output_file\"
+		debugfile = \"$debug_file\"
+		debugfile2 = \"$debug_file2\"
+		"'
+		nextstate = "CLASS";
+
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+
+		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+		printf("#define _SELINUX_FLASK_H_\n") > outfile;
+		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
+		printf("/*\n * Security object class definitions\n */\n") > debugfile;
+		printf("    S_(\"null\")\n") > debugfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
+		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
+		printf("    \"null\",\n") > debugfile2;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "class"	{ 
+			if (nextstate != "CLASS")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			if ($2 in class_found)
+			{
+				printf("Duplicate class definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			class_found[$2] = 1;
+
+			class_value++;
+
+			printf("#define SECCLASS_%s", toupper($2)) > outfile;
+			for (i = 0; i < 40 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", class_value) > outfile; 
+
+			printf("    S_(\"%s\")\n", $2) > debugfile;
+		}
+$1 == "sid"	{ 
+			if (nextstate == "CLASS")
+			{
+			    nextstate = "SID";
+			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
+			}
+
+			if ($2 in sid_found)
+			{
+				printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			sid_found[$2] = 1;
+			sid_value++;
+
+			printf("#define SECINITSID_%s", toupper($2)) > outfile;
+			for (i = 0; i < 37 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", sid_value) > outfile; 
+			printf("    \"%s\",\n", $2) > debugfile2;
+		}
+END	{
+		if (nextstate != "SID")
+			printf("Parse error:  Unexpected end of file\n");
+
+		printf("\n#define SECINITSID_NUM") > outfile;
+		for (i = 0; i < 34; i++) 
+			printf(" ") > outfile; 
+		printf("%d\n", sid_value) > outfile; 
+		printf("\n#endif\n") > outfile;
+		printf("};\n\n") > debugfile2;
+	}'
+
+# FLASK
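Review bot: same exit-status problem as in mkaccess_vector.sh: the `Duplicate class definition`, `Duplicate SID definition` and `Unexpected end of file` messages go to stdout and the script still exits 0, so a broken security_classes or initial_sids file produces a flask.h with wrong SECCLASS_/SECINITSID_ numbers without failing the build. Also, the `class` rule has no `next` (harmless today only because a `class` line can never match the `sid` rule, but inconsistent with the other rules), and the generated `static char *initial_sid_to_string[] =` should be `static const char *` since every element points at a string literal.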
diff --git a/mls/flask/security_classes b/mls/flask/security_classes
new file mode 100644
index 0000000..2669c30
--- /dev/null
+++ b/mls/flask/security_classes
@@ -0,0 +1,86 @@
+# FLASK
+
+#
+# Define the security object classes 
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd
+
+# SE-X Windows stuff
+class drawable
+class window
+class gc
+class font
+class colormap
+class property
+class cursor
+class xclient
+class xinput
+class xserver
+class xextension
+
+# pax flags
+class pax
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus
+class nscd
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+# FLASK
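Review bot: class numbers come from the order of this file (`class_value++` in mkflask.sh) and the kernel of this era carries the same numbering compiled in, so the order must never change and new classes must be appended, as was done here for `netlink_kobject_uevent_socket`. The file needs a header comment saying so; without it the grouping comments ("file-related classes", "network-related classes", "extended netlink sockets") invite someone to move `netlink_kobject_uevent_socket` up next to the other netlink classes, which would renumber `dbus`, `nscd` and `association`.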
diff --git a/mls/fs_use b/mls/fs_use
new file mode 100644
index 0000000..d884039
--- /dev/null
+++ b/mls/fs_use
@@ -0,0 +1,33 @@
+#
+# Define the labeling behavior for inodes in particular filesystem types.
+# This information was formerly hardcoded in the SELinux module.
+
+# Use xattrs for the following filesystem types.
+# Requires that a security xattr handler exist for the filesystem.
+fs_use_xattr ext2 system_u:object_r:fs_t:s0;
+fs_use_xattr ext3 system_u:object_r:fs_t:s0;
+fs_use_xattr xfs system_u:object_r:fs_t:s0;
+fs_use_xattr jfs system_u:object_r:fs_t:s0;
+fs_use_xattr reiserfs system_u:object_r:fs_t:s0;
+
+# Use the allocating task SID to label inodes in the following filesystem
+# types, and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems that represent objects
+# like pipes and sockets, so that these objects are labeled with the same
+# type as the creating task.  
+fs_use_task pipefs system_u:object_r:fs_t:s0;
+fs_use_task sockfs system_u:object_r:fs_t:s0;
+
+# Use a transition SID based on the allocating task SID and the
+# filesystem SID to label inodes in the following filesystem types,
+# and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems like devpts and tmpfs
+# where we want to label objects with a derived type.
+fs_use_trans devpts system_u:object_r:devpts_t:s0;
+fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
+fs_use_trans shm system_u:object_r:tmpfs_t:s0;
+fs_use_trans mqueue system_u:object_r:tmpfs_t:s0;
+
+# The separate genfs_contexts configuration can be used for filesystem 
+# types that cannot support persistent label mappings or use
+# one of the fixed label schemes specified here.  
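Review bot: the `fs_use_task` comment says objects are "labeled with the same type as the creating task", but what is copied is the whole context of the allocating task, including user, role and, in this MLS policy, the level and category set; that is exactly what makes pipes and sockets carry the creating process's clearance, so the comment should say "context" rather than "type". Trailing whitespace on the comment lines of the last two blocks.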
diff --git a/mls/genfs_contexts b/mls/genfs_contexts
new file mode 100644
index 0000000..b9d5bc2
--- /dev/null
+++ b/mls/genfs_contexts
@@ -0,0 +1,108 @@
+# FLASK
+
+#
+# Security contexts for files in filesystems that
+# cannot support xattr or use one of the fixed labeling schemes 
+# specified in fs_use.
+#
+# Each specifications has the form:
+# 	genfscon fstype pathname-prefix [ -type ] context
+#
+# The entry with the longest matching pathname prefix is used.
+# / refers to the root directory of the file system, and
+# everything is specified relative to this root directory.
+# If there is no entry with a matching pathname prefix, then 
+# the unlabeled initial SID is used.
+#
+# The optional type field specifies the file type as shown in the mode
+# field by ls, e.g. use -c to match only character device files, -b
+# to match only block device files.
+#
+# Except for proc, in 2.6 other filesystems are limited to a single entry (/)
+# that covers all entries in the filesystem with a default file context.
+# For proc, a pathname can be reliably generated from the proc_dir_entry
+# tree.  The proc /sys entries are used for both proc inodes and for sysctl(2)
+# calls. /proc/PID entries are automatically labeled based on the associated
+# process.
+#
+# Support for other filesystem types requires corresponding code to be
+# added to the kernel, either as an xattr handler in the filesystem 
+# implementation (preferred, and necessary if you want to access the labels
+# from userspace) or as logic in the SELinux module.
+
+# proc (excluding /proc/PID)
+genfscon proc /				system_u:object_r:proc_t:s0
+genfscon proc /kmsg			system_u:object_r:proc_kmsg_t:s15:c0.c255
+genfscon proc /kcore			system_u:object_r:proc_kcore_t:s15:c0.c255
+genfscon proc /mdstat			system_u:object_r:proc_mdstat_t:s0
+genfscon proc /mtrr			system_u:object_r:mtrr_device_t:s0
+genfscon proc /net			system_u:object_r:proc_net_t:s0
+genfscon proc /sysvipc			system_u:object_r:proc_t:s0
+genfscon proc /sys			system_u:object_r:sysctl_t:s0
+genfscon proc /sys/kernel		system_u:object_r:sysctl_kernel_t:s0
+genfscon proc /sys/kernel/modprobe	system_u:object_r:sysctl_modprobe_t:s0
+genfscon proc /sys/kernel/hotplug	system_u:object_r:sysctl_hotplug_t:s0
+genfscon proc /sys/net			system_u:object_r:sysctl_net_t:s0
+genfscon proc /sys/net/unix		system_u:object_r:sysctl_net_unix_t:s0
+genfscon proc /sys/vm			system_u:object_r:sysctl_vm_t:s0
+genfscon proc /sys/dev			system_u:object_r:sysctl_dev_t:s0
+genfscon proc /net/rpc			system_u:object_r:sysctl_rpc_t:s0
+genfscon proc /irq			system_u:object_r:sysctl_irq_t:s0
+
+# rootfs
+genfscon rootfs /			system_u:object_r:root_t:s0
+
+# sysfs
+genfscon sysfs /			system_u:object_r:sysfs_t:s0
+
+# selinuxfs
+genfscon selinuxfs /			system_u:object_r:security_t:s0
+
+# autofs
+genfscon autofs /			system_u:object_r:autofs_t:s0
+genfscon automount /			system_u:object_r:autofs_t:s0
+
+# usbdevfs
+genfscon usbdevfs /			system_u:object_r:usbdevfs_t:s0
+
+# iso9660
+genfscon iso9660 /			system_u:object_r:iso9660_t:s0
+genfscon udf /				system_u:object_r:iso9660_t:s0
+
+# romfs
+genfscon romfs /			system_u:object_r:romfs_t:s0
+genfscon cramfs /			system_u:object_r:romfs_t:s0
+
+# ramfs
+genfscon ramfs /			system_u:object_r:ramfs_t:s0
+
+# vfat, msdos
+genfscon vfat /				system_u:object_r:dosfs_t:s0
+genfscon msdos /			system_u:object_r:dosfs_t:s0
+genfscon fat /				system_u:object_r:dosfs_t:s0
+genfscon ntfs /				system_u:object_r:dosfs_t:s0
+
+# samba
+genfscon cifs /				system_u:object_r:cifs_t:s0
+genfscon smbfs /			system_u:object_r:cifs_t:s0
+
+# nfs
+genfscon nfs /				system_u:object_r:nfs_t:s0
+genfscon nfs4 /				system_u:object_r:nfs_t:s0
+genfscon afs /				system_u:object_r:nfs_t:s0
+
+genfscon debugfs /			system_u:object_r:debugfs_t:s0
+genfscon inotifyfs /			system_u:object_r:inotifyfs_t:s0
+genfscon hugetlbfs /			system_u:object_r:hugetlbfs_t:s0
+genfscon capifs /			system_u:object_r:capifs_t:s0
+genfscon configfs /			system_u:object_r:configfs_t:s0
+
+# needs more work
+genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0
+genfscon futexfs / system_u:object_r:futexfs_t:s0
+genfscon bdev / system_u:object_r:bdev_t:s0
+genfscon usbfs / system_u:object_r:usbfs_t:s0
+genfscon nfsd / system_u:object_r:nfsd_fs_t:s0
+genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0
+genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0
+
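Review bot: labeling `/kmsg` and `/kcore` at `s15:c0.c255` is the right call (kernel memory and the kernel log are SystemHigh), but the `# needs more work` block at the end says nothing about what work is needed; for each of eventpollfs, futexfs, bdev, usbfs, nfsd, rpc_pipefs and binfmt_misc a word on whether the type is provisional or the entry simply untested would help the next reviewer, and those lines should be tab-aligned like the rest of the file. Typo in the header comment: "Each specifications has the form".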
diff --git a/mls/initial_sid_contexts b/mls/initial_sid_contexts
new file mode 100644
index 0000000..53a3504
--- /dev/null
+++ b/mls/initial_sid_contexts
@@ -0,0 +1,46 @@
+# FLASK
+
+#
+# Define the security context for each initial SID
+# sid sidname   context
+
+sid kernel	system_u:system_r:kernel_t:s15:c0.c255
+sid security	system_u:object_r:security_t:s15:c0.c255
+sid unlabeled	system_u:object_r:unlabeled_t:s15:c0.c255
+sid fs		system_u:object_r:fs_t:s0
+sid file	system_u:object_r:file_t:s0
+# Persistent label mapping is gone.  This initial SID can be removed.
+sid file_labels	system_u:object_r:unlabeled_t:s15:c0.c255
+# init_t is still used, but an initial SID is no longer required.
+sid init	system_u:object_r:unlabeled_t:s15:c0.c255
+# any_socket is no longer used.
+sid any_socket 	system_u:object_r:unlabeled_t:s15:c0.c255
+sid port	system_u:object_r:port_t:s0
+sid netif	system_u:object_r:netif_t:s0
+# netmsg is no longer used.
+sid netmsg	system_u:object_r:unlabeled_t:s15:c0.c255
+sid node	system_u:object_r:node_t:s0
+# These sockets are now labeled with the kernel SID,
+# and do not require their own initial SIDs.
+sid igmp_packet system_u:object_r:unlabeled_t:s15:c0.c255
+sid icmp_socket system_u:object_r:unlabeled_t:s15:c0.c255
+sid tcp_socket  system_u:object_r:unlabeled_t:s15:c0.c255
+# Most of the sysctl SIDs are now computed at runtime
+# from genfs_contexts, so the corresponding initial SIDs
+# are no longer required.
+sid sysctl_modprobe	system_u:object_r:unlabeled_t:s15:c0.c255
+# But we still need the base sysctl initial SID as a default.
+sid sysctl	system_u:object_r:sysctl_t:s0
+sid sysctl_fs	system_u:object_r:unlabeled_t:s15:c0.c255
+sid sysctl_kernel	system_u:object_r:unlabeled_t:s15:c0.c255
+sid sysctl_net	system_u:object_r:unlabeled_t:s15:c0.c255
+sid sysctl_net_unix	system_u:object_r:unlabeled_t:s15:c0.c255
+sid sysctl_vm	system_u:object_r:unlabeled_t:s15:c0.c255
+sid sysctl_dev	system_u:object_r:unlabeled_t:s15:c0.c255
+# No longer used, can be removed.
+sid kmod	system_u:object_r:unlabeled_t:s15:c0.c255
+sid policy	system_u:object_r:unlabeled_t:s15:c0.c255
+sid scmp_packet	system_u:object_r:unlabeled_t:s15:c0.c255
+sid devnull	system_u:object_r:null_device_t:s0
+
+# FLASK
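Review bot: mapping the retired SIDs (`file_labels`, `any_socket`, `netmsg`, `kmod`, `policy`, `scmp_packet`, ...) to `unlabeled_t` at `s15:c0.c255` is the safe default, since anything that still ends up with one of them lands at SystemHigh rather than at s0. The comments "This initial SID can be removed" and "No longer used, can be removed" are misleading, though: the number is assigned positionally from initial_sids, so the entry has to stay as a placeholder and the comment should say that instead.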
diff --git a/mls/local.users b/mls/local.users
new file mode 100644
index 0000000..6dd04d6
--- /dev/null
+++ b/mls/local.users
@@ -0,0 +1,21 @@
+##################################
+#
+# User configuration.
+#
+# This file defines additional users recognized by the system security policy.
+# Only the user identities defined in this file and the system.users file
+# may be used as the user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity.  The syntax of a user declaration is:
+#
+# 	user username roles role_set [ level default_level range allowed_range ];
+#
+# The MLS default level and allowed range should only be specified if 
+# MLS was enabled in the policy.
+
+# sample for administrative user
+# user jadmin roles { staff_r sysadm_r system_r };
+
+# sample for regular user
+#user jdoe roles { user_r }; 
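Review bot: this is the mls policy, yet both samples omit the MLS fields that the syntax line above (`user username roles role_set [ level default_level range allowed_range ];`) and the comment after it say should be present when MLS is enabled; e.g. `# user jadmin roles { staff_r sysadm_r system_r } level s0 range s0 - s15:c0.c255;` and `#user jdoe roles { user_r } level s0 range s0;`. Also worth a comment that the administrative sample includes `system_r`, which is normally reserved for system daemons, so copying it verbatim hands an interactive user the daemon role.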
diff --git a/mls/macros/admin_macros.te b/mls/macros/admin_macros.te
new file mode 100644
index 0000000..aaa816e
--- /dev/null
+++ b/mls/macros/admin_macros.te
@@ -0,0 +1,227 @@
+#
+# Macros for all admin domains.
+#
+
+#
+# admin_domain(domain_prefix)
+#
+# Define derived types and rules for an administrator domain.
+#
+# The type declaration and role authorization for the domain must be
+# provided separately.  Likewise, domain transitions into this domain
+# must be specified separately.  If the every_domain() rules are desired,
+# then these rules must also be specified separately.
+#
+undefine(`admin_domain')
+define(`admin_domain',`
+# Type for home directory.
+attribute $1_file_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
+type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
+
+# Type and access for pty devices.
+can_create_pty($1, `, admin_tty_type')
+
+# Transition manually for { lnk sock fifo }. The rest is in content macros.
+tmp_domain_notrans($1, `, $1_file_type')
+file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
+allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
+
+# Type for tty devices.
+type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
+
+# Inherit rules for ordinary users.
+base_user_domain($1)
+access_removable_media($1_t)
+
+allow $1_t self:capability setuid;
+
+ifdef(`su.te', `su_domain($1)')
+ifdef(`userhelper.te', `userhelper_domain($1)')
+ifdef(`sudo.te', `sudo_domain($1)')
+
+# Let admin stat the shadow file.
+allow $1_t shadow_t:file getattr;
+
+ifdef(`crond.te', `
+allow $1_crond_t var_log_t:file r_file_perms;
+')
+
+# Allow system log read
+allow $1_t kernel_t:system syslog_read;
+
+# Allow autrace
+# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
+
+# Use capabilities other than sys_module.
+allow $1_t self:capability ~sys_module;
+
+# Use system operations.
+allow $1_t kernel_t:system *;
+
+# Set password information for other users.
+allow $1_t self:passwd { passwd chfn chsh };
+
+# Skip authentication when pam_rootok is specified.
+allow $1_t self:passwd rootok;
+
+# Manipulate other user crontab.
+allow $1_t self:passwd crontab;
+can_getsecurity(sysadm_crontab_t)
+
+# Change system parameters.
+can_sysctl($1_t)
+
+# Create and use all files that have the sysadmfile attribute.
+allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
+allow $1_t sysadmfile:lnk_file create_lnk_perms;
+allow $1_t sysadmfile:dir create_dir_perms;
+
+# for lsof
+allow $1_t mtrr_device_t:file getattr;
+allow $1_t fs_type:dir getattr;
+
+# Access removable devices.
+allow $1_t removable_device_t:devfile_class_set rw_file_perms;
+
+# Communicate with the init process.
+allow $1_t initctl_t:fifo_file rw_file_perms;
+
+# Examine all processes.
+can_ps($1_t, domain)
+
+# allow renice
+allow $1_t domain:process setsched;
+
+# Send signals to all processes.
+allow $1_t { domain unlabeled_t }:process signal_perms;
+
+# Access all user terminals.
+allow $1_t tty_device_t:chr_file rw_file_perms;
+allow $1_t ttyfile:chr_file rw_file_perms;
+allow $1_t ptyfile:chr_file rw_file_perms;
+allow $1_t serial_device:chr_file setattr;
+
+# allow setting up tunnels
+allow $1_t tun_tap_device_t:chr_file rw_file_perms;
+
+# run ls -l /dev
+allow $1_t device_t:dir r_dir_perms;
+allow $1_t { device_t device_type }:{ chr_file blk_file } getattr;
+allow $1_t ptyfile:chr_file getattr;
+
+# Run programs from staff home directories.
+# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
+can_exec($1_t, staff_home_t)
+
+# Run programs from /usr/src.
+can_exec($1_t, src_t)
+
+# Relabel all files.
+# Actually this will not allow relabeling ALL files unless you change
+# sysadmfile to file_type (and change the assertion in assert.te that
+# only auth_write can relabel shadow_t)
+allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
+allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
+
+ifdef(`startx.te', `
+ifdef(`xserver.te', `
+# Create files in /tmp/.X11-unix with our X servers derived
+# tmp type rather than user_xserver_tmp_t.
+file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
+')dnl end xserver.te
+')dnl end startx.te
+
+ifdef(`xdm.te', `
+ifdef(`xauth.te', `
+if (xdm_sysadm_login) {
+allow xdm_t $1_home_t:lnk_file read;
+allow xdm_t $1_home_t:dir search;
+}
+can_pipe_xdm($1_t)
+')dnl end ifdef xauth.te
+')dnl end ifdef xdm.te
+
+#
+# A user who is authorized for sysadm_t may nonetheless have
+# a home directory labeled with user_home_t if the user is expected
+# to login in either user_t or sysadm_t.  Hence, the derived domains
+# for programs need to be able to access user_home_t.  
+# 
+
+# Allow our gph domain to write to .xsession-errors.
+ifdef(`gnome-pty-helper.te', `
+allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
+allow $1_gph_t user_home_type:file create_file_perms;
+')
+
+# Allow our crontab domain to unlink a user cron spool file.
+ifdef(`crontab.te',
+`allow $1_crontab_t user_cron_spool_t:file unlink;')
+
+# for the administrator to run TCP servers directly
+can_tcp_connect($1_t, $1_t)
+allow $1_t port_t:tcp_socket name_bind;
+
+# Connect data port to ftpd.
+ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
+
+# Connect second port to rshd.
+ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
+
+#
+# Allow sysadm to execute quota commands against filesystems and files.
+#
+allow $1_t fs_type:filesystem quotamod;
+
+# Grant read and write access to /dev/console.
+allow $1_t console_device_t:chr_file rw_file_perms;
+
+# Allow MAKEDEV to work
+allow $1_t device_t:dir rw_dir_perms;
+allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
+allow $1_t device_t:lnk_file { create read };
+
+# for lsof
+allow $1_t domain:socket_class_set getattr;
+allow $1_t eventpollfs_t:file getattr;
+')
+
+define(`security_manager_domain', `
+
+typeattribute $1 secadmin;
+# Allow administrator domains to set the enforcing flag.
+can_setenforce($1)
+
+# Allow administrator domains to set policy booleans.
+can_setbool($1)
+
+# Get security policy decisions.
+can_getsecurity($1)
+
+# Allow administrator domains to set security parameters
+can_setsecparam($1)
+
+# Run admin programs that require different permissions in their own domain.
+# These rules were moved into the appropriate program domain file.
+
+# added by mayerf@tresys.com
+# The following rules are temporary until such time that a complete
+# policy management infrastructure is in place so that an administrator
+# cannot directly manipulate policy files with arbitrary programs.
+#
+allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
+allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
+allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
+
+# Set an exec context, e.g. for runcon.
+can_setexec($1)
+
+# Set a context other than the default one for newly created files.
+can_setfscreate($1)
+
+allow $1 self:netlink_audit_socket nlmsg_readpriv;
+
+')
+
+
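Review bot: `can_getsecurity(sysadm_crontab_t)` under `# Manipulate other user crontab.` hardcodes sysadm_crontab_t inside a macro parameterized on $1, so a second admin domain instantiated with admin_domain() re-grants the sysadm crontab domain instead of its own, and unlike the neighbouring crontab rules the call is not wrapped in ifdef(`crontab.te'), so a build without crontab.te trips over an undeclared type; use ifdef(`crontab.te', `can_getsecurity($1_crontab_t)'). Two smaller points in the same hunk: `allow $1_t self:capability setuid;` is subsumed by `allow $1_t self:capability ~sys_module;` a few lines later, and `allow $1_t kernel_t:system *;` grants every permission in the system class with a wildcard (which also makes the earlier `syslog_read` rule redundant); spelling out the intended set keeps permissions added to the class later from being granted silently. The commented-out `# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;` names sysadm_t rather than $1_t and is already granted by security_manager_domain() further down, so it can go, as can the two blank lines at the end of the file.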
diff --git a/mls/macros/base_user_macros.te b/mls/macros/base_user_macros.te
new file mode 100644
index 0000000..cecbaf7
--- /dev/null
+++ b/mls/macros/base_user_macros.te
@@ -0,0 +1,397 @@
+#
+# Macros for all user login domains.
+#
+
+#
+# base_user_domain(domain_prefix)
+#
+# Define derived types and rules for an ordinary user domain.
+#
+# The type declaration and role authorization for the domain must be
+# provided separately.  Likewise, domain transitions into this domain
+# must be specified separately.  
+#
+
+# base_user_domain() is also called by the admin_domain() macro
+undefine(`base_user_domain')
+define(`base_user_domain', `
+
+# Type for network-obtained content
+type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
+type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
+
+# Allow user to relabel untrusted content
+allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
+# Read content
+read_content($1_t, $1)
+
+# Write trusted content. This includes proper transition
+# for /home, and /tmp, so no other transition is necessary (or allowed)
+write_trusted($1_t, $1)
+
+# Maybe the home directory is networked
+network_home($1_t)
+
+# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
+# Relabel files in the home directory 
+file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file }); 
+allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
+can_setfscreate($1_t)
+
+ifdef(`ftpd.te' , `
+if (ftpd_is_daemon) {
+file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+}
+')
+
+allow $1_t self:capability { setgid chown fowner };
+dontaudit $1_t self:capability { sys_nice fsetid };
+
+# $1_r is authorized for $1_t for the initial login domain.
+role $1_r types $1_t;
+allow system_r $1_r;
+
+r_dir_file($1_t, usercanread)
+
+# Grant permissions within the domain.
+general_domain_access($1_t)
+
+if (allow_execmem) {
+# Allow making anonymous memory executable, e.g. 
+# for runtime-code generation or executable stack.
+allow $1_t self:process execmem;
+}
+
+if (allow_execmem && allow_execstack) {
+# Allow making the stack executable via mprotect.
+allow $1_t self:process execstack;
+}
+
+# Allow text relocations on system shared libraries, e.g. libGL.
+allow $1_t texrel_shlib_t:file execmod;
+
+#
+# kdeinit wants this access
+#
+allow $1_t device_t:dir { getattr search };
+
+# Find CDROM devices
+r_dir_file($1_t, sysctl_dev_t)
+# for eject
+allow $1_t fixed_disk_device_t:blk_file getattr;
+
+allow $1_t fs_type:dir getattr;
+
+allow $1_t event_device_t:chr_file { getattr read ioctl };
+
+# open office is looking for the following
+allow $1_t dri_device_t:chr_file getattr;
+dontaudit $1_t dri_device_t:chr_file rw_file_perms;
+
+# Supress ls denials:
+# getattr() - ls -l
+# search_dir() - symlink path resolution
+# read_dir() - deep ls: ls parent/...
+
+dontaudit_getattr($1_t)
+dontaudit_search_dir($1_t)
+dontaudit_read_dir($1_t)
+
+# allow ptrace
+can_ptrace($1_t, $1_t)
+
+# Allow user to run restorecon and relabel files
+can_getsecurity($1_t)
+r_dir_file($1_t, default_context_t)
+r_dir_file($1_t, file_context_t)
+
+allow $1_t usbtty_device_t:chr_file read;
+
+# GNOME checks for usb and other devices
+rw_dir_file($1_t,usbfs_t)
+
+can_exec($1_t, noexattrfile)
+# Bind to a Unix domain socket in /tmp.
+allow $1_t $1_tmp_t:unix_stream_socket name_bind;
+
+# Use the type when relabeling terminal devices.
+type_change $1_t tty_device_t:chr_file $1_tty_device_t;
+
+# Debian login is from shadow utils and does not allow resetting the perms.
+# have to fix this!
+type_change $1_t ttyfile:chr_file $1_tty_device_t;
+
+# for running TeX programs
+r_dir_file($1_t, tetex_data_t)
+can_exec($1_t, tetex_data_t)
+
+# Use the type when relabeling pty devices.
+type_change $1_t server_pty:chr_file $1_devpts_t;
+
+tmpfs_domain($1)
+
+ifdef(`cardmgr.te', `
+# to allow monitoring of pcmcia status
+allow $1_t cardmgr_var_run_t:file { getattr read };
+')
+
+# Modify mail spool file.
+allow $1_t mail_spool_t:dir r_dir_perms;
+allow $1_t mail_spool_t:file rw_file_perms;
+allow $1_t mail_spool_t:lnk_file read;
+
+#
+# Allow graphical boot to check battery lifespan
+#
+ifdef(`apmd.te', `
+allow $1_t apmd_t:unix_stream_socket connectto;
+allow $1_t apmd_var_run_t:sock_file write;
+')
+
+#
+# Allow the query of filesystem quotas
+#
+allow $1_t fs_type:filesystem quotaget;
+
+# Run helper programs.
+can_exec_any($1_t)
+# Run programs developed by other users in the same domain.
+can_exec($1_t, $1_home_t)
+can_exec($1_t, $1_tmp_t)
+
+# Run user programs that require different permissions in their own domain.
+# These rules were moved into the individual program domains.
+
+# Instantiate derived domains for a number of programs.
+# These derived domains encode both information about the calling
+# user domain and the program, and allow us to maintain separation
+# between different instances of the program being run by different
+# user domains.
+ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
+ifdef(`chkpwd.te', `chkpwd_domain($1)')
+ifdef(`fingerd.te', `fingerd_macro($1)')
+ifdef(`mta.te', `mail_domain($1)')
+ifdef(`exim.te', `exim_user_domain($1)')
+ifdef(`crontab.te', `crontab_domain($1)')
+
+ifdef(`screen.te', `screen_domain($1)')
+ifdef(`tvtime.te', `tvtime_domain($1)')
+ifdef(`mozilla.te', `mozilla_domain($1)')
+ifdef(`thunderbird.te', `thunderbird_domain($1)')
+ifdef(`samba.te', `samba_domain($1)')
+ifdef(`gpg.te', `gpg_domain($1)')
+ifdef(`xauth.te', `xauth_domain($1)')
+ifdef(`iceauth.te', `iceauth_domain($1)')
+ifdef(`startx.te', `xserver_domain($1)')
+ifdef(`lpr.te', `lpr_domain($1)')
+ifdef(`ssh.te', `ssh_domain($1)')
+ifdef(`irc.te', `irc_domain($1)')
+ifdef(`using_spamassassin', `spamassassin_domain($1)')
+ifdef(`pyzor.te', `pyzor_domain($1)')
+ifdef(`razor.te', `razor_domain($1)')
+ifdef(`uml.te', `uml_domain($1)')
+ifdef(`cdrecord.te', `cdrecord_domain($1)')
+ifdef(`mplayer.te', `mplayer_domains($1)')
+
+fontconfig_domain($1)
+
+# GNOME
+ifdef(`gnome.te', `
+gnome_domain($1)
+ifdef(`games.te', `games_domain($1)')
+ifdef(`gift.te', `gift_domains($1)')
+ifdef(`evolution.te', `evolution_domains($1)')
+ifdef(`ethereal.te', `ethereal_domain($1)')
+')
+
+# ICE communication channel
+ice_domain($1, $1)
+
+# ORBit communication channel (independent of GNOME)
+orbit_domain($1, $1)
+
+# Instantiate a derived domain for user cron jobs.
+ifdef(`crond.te', `crond_domain($1)')
+
+ifdef(`vmware.te', `vmware_domain($1)')
+
+if (user_direct_mouse) {
+# Read the mouse.
+allow $1_t mouse_device_t:chr_file r_file_perms;
+}
+# Access other miscellaneous devices.
+allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;
+allow $1_t device_t:lnk_file { getattr read };
+
+can_resmgrd_connect($1_t)
+
+#
+# evolution and gnome-session try to create a netlink socket
+#
+dontaudit $1_t self:netlink_socket create_socket_perms;
+dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;
+
+# Use the network.
+can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
+can_ypbind($1_t)
+can_winbind($1_t)
+
+ifdef(`pamconsole.te', `
+allow $1_t pam_var_console_t:dir search;
+')
+
+allow $1_t var_lock_t:dir search;
+
+# Grant permissions to access the system DBus
+ifdef(`dbusd.te', `
+dbusd_client(system, $1)
+can_network_server_tcp($1_dbusd_t)
+allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
+
+allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+dbusd_client($1, $1)
+allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
+dbusd_domain($1)
+ifdef(`hald.te', `
+allow $1_t hald_t:dbus send_msg;
+allow hald_t $1_t:dbus send_msg;
+') dnl end ifdef hald.te
+') dnl end ifdef dbus.te
+
+# allow port_t name binding for UDP because it is not very usable otherwise
+allow $1_t port_t:udp_socket name_bind;
+
+# Gnome pannel binds to the following
+ifdef(`cups.te', `
+allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
+')
+
+# for perl
+dontaudit $1_t net_conf_t:file ioctl;
+
+# Communicate within the domain.
+can_udp_send($1_t, self)
+
+# Connect to inetd.
+ifdef(`inetd.te', `
+can_tcp_connect($1_t, inetd_t)
+can_udp_send($1_t, inetd_t)
+can_udp_send(inetd_t, $1_t)
+')
+
+# Connect to portmap.
+ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
+
+# Inherit and use sockets from inetd
+ifdef(`inetd.te', `
+allow $1_t inetd_t:fd use;
+allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;')
+
+# Very permissive allowing every domain to see every type.
+allow $1_t kernel_t:system ipc_info;
+
+# When the user domain runs ps, there will be a number of access
+# denials when ps tries to search /proc.  Do not audit these denials.
+dontaudit $1_t domain:dir r_dir_perms;
+dontaudit $1_t domain:notdevfile_class_set r_file_perms;
+dontaudit $1_t domain:process { getattr getsession };
+#
+# Cups daemon running as user tries to write /etc/printcap
+#
+dontaudit $1_t usr_t:file setattr;
+
+# Use X
+x_client_domain($1, $1)
+
+ifdef(`xserver.te', `
+allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
+')
+
+ifdef(`xdm.te', `
+# Connect to the X server run by the X Display Manager.
+can_unix_connect($1_t, xdm_t)
+# certain apps want to read xdm.pid file
+r_dir_file($1_t, xdm_var_run_t)
+allow $1_t xdm_var_lib_t:file { getattr read };
+allow xdm_t $1_home_dir_t:dir getattr;
+ifdef(`xauth.te', `
+file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
+')
+
+')dnl end ifdef xdm.te
+
+# Access the sound device.
+allow $1_t sound_device_t:chr_file { getattr read write ioctl };
+
+# Access the power device.
+allow $1_t power_device_t:chr_file { getattr read write ioctl };
+
+allow $1_t var_log_t:dir { getattr search };
+dontaudit $1_t logfile:file getattr;
+
+# Check to see if cdrom is mounted
+allow $1_t mnt_t:dir { getattr search };
+
+# Get attributes of file systems.
+allow $1_t fs_type:filesystem getattr;
+
+# Read and write /dev/tty and /dev/null.
+allow $1_t devtty_t:chr_file rw_file_perms;
+allow $1_t null_device_t:chr_file rw_file_perms;
+allow $1_t zero_device_t:chr_file { rw_file_perms execute };
+allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
+#
+# Added to allow reading of cdrom
+#
+allow $1_t rpc_pipefs_t:dir getattr;
+allow $1_t nfsd_fs_t:dir getattr;
+allow $1_t binfmt_misc_fs_t:dir getattr;
+
+# /initrd is left mounted, various programs try to look at it
+dontaudit $1_t ramfs_t:dir getattr;
+
+#
+# Emacs wants this access
+#
+allow $1_t wtmp_t:file r_file_perms;
+dontaudit $1_t wtmp_t:file write;
+
+# Read the devpts root directory.
+allow $1_t devpts_t:dir r_dir_perms;
+
+r_dir_file($1_t, src_t)
+
+# Allow user to read default_t files
+# This is different from reading default_t content, 
+# because it also includes sockets, fifos, and links
+
+if (read_default_t) {
+allow $1_t default_t:dir r_dir_perms;
+allow $1_t default_t:notdevfile_class_set r_file_perms;
+}
+
+# Read fonts
+read_fonts($1_t, $1)
+
+read_sysctl($1_t);
+
+#
+# Caused by su - init scripts
+#
+dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
+
+#
+# Running ifconfig as a user generates the following
+#
+dontaudit $1_t self:socket create;
+dontaudit $1_t sysctl_net_t:dir search;
+
+ifdef(`rpcd.te', `
+create_dir_file($1_t, nfsd_rw_t)
+')
+
+')dnl end base_user_domain macro
+
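Review bot: `allow $1_t zero_device_t:chr_file { rw_file_perms execute };` under `# Read and write /dev/tty and /dev/null.` grants execute on /dev/zero unconditionally, while execmem and execstack near the top of the macro are gated on allow_execmem; a shared mapping of /dev/zero with write and execute protection is writable executable memory that never hits the execmem check, so either move the execute permission under the same `if (allow_execmem)` block or document why it is meant to be unconditional. Related: `allow $1_t port_type:tcp_socket name_connect;` lets every user domain connect to every labelled port, which sidesteps the per-port types the policy otherwise defines, and `allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;` lets a user's session bus bind privileged ports; both deserve a comment or a boolean. Cosmetic: `') dnl end ifdef dbus.te` closes an ifdef(`dbusd.te', and `Supress` / `Gnome pannel` are misspelled.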
diff --git a/mls/macros/content_macros.te b/mls/macros/content_macros.te
new file mode 100644
index 0000000..fb36d46
--- /dev/null
+++ b/mls/macros/content_macros.te
@@ -0,0 +1,188 @@
+# Content access macros
+
+# FIXME: After nested booleans are supported, replace NFS/CIFS
+# w/ read_network_home, and write_network_home macros from global
+
+# FIXME: If true/false constant booleans are supported, replace
+# ugly $3 ifdefs with if(true), if(false)...
+
+# FIXME: Do we want write to imply read?
+
+############################################################
+# read_content(domain, role_prefix, bool_prefix)
+#
+# Allow the given domain to read content.
+# Content may be trusted or untrusted,
+# Reading anything is subject to a controlling boolean based on bool_prefix.
+# Reading untrusted content is additionally subject to read_untrusted_content
+# Reading default_t is additionally subject to read_default_t
+
+define(`read_content', `
+
+# Declare controlling boolean
+ifelse($3, `', `', `
+ifdef(`$3_read_content_defined', `', `
+define(`$3_read_content_defined')
+bool $3_read_content false;
+') dnl ifdef 
+') dnl ifelse
+
+# Handle nfs home dirs
+ifelse($3, `', 
+`if (use_nfs_home_dirs) { ', 
+`if ($3_read_content && use_nfs_home_dirs) {')
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+r_dir_file($1, nfs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 nfs_t:file r_file_perms;
+dontaudit $1 nfs_t:dir r_dir_perms;
+}
+
+# Handle samba home dirs
+ifelse($3, `',
+`if (use_samba_home_dirs) { ',
+`if ($3_read_content && use_samba_home_dirs) {')
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+r_dir_file($1, cifs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 cifs_t:file r_file_perms;
+dontaudit $1 cifs_t:dir r_dir_perms;
+}
+
+# Handle removable media, /tmp, and /home
+ifelse($3, `', `', 
+`if ($3_read_content) {')
+allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+r_dir_file($1, { $2_tmp_t $2_home_t } )
+ifdef(`mls_policy', `', `
+r_dir_file($1, removable_t)
+')
+
+ifelse($3, `', `', 
+`} else {
+dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+dontaudit $1 { removable_t $2_tmp_t $2_home_t }:dir r_dir_perms;
+dontaudit $1 { removable_t $2_tmp_t $2_home_t }:file r_file_perms;
+}') 
+
+# Handle default_t content
+ifelse($3, `',
+`if (read_default_t) { ',
+`if ($3_read_content && read_default_t) {')
+r_dir_file($1, default_t)
+} else {
+dontaudit $1 default_t:file r_file_perms;
+dontaudit $1 default_t:dir r_dir_perms;
+} 
+
+# Handle untrusted content
+ifelse($3, `',
+`if (read_untrusted_content) { ',
+`if ($3_read_content && read_untrusted_content) {')
+allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+r_dir_file($1, { $2_untrusted_content_t $2_untrusted_content_tmp_t })
+} else {
+dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:dir r_dir_perms;
+dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:file r_file_perms;
+}
+') dnl read_content
+
+#################################################
+# write_trusted(domain, role_prefix, bool_prefix)
+#
+# Allow the given domain to write trusted content.
+# This is subject to a controlling boolean based
+# on bool_prefix.
+
+define(`write_trusted', `
+
+# Declare controlling boolean
+ifelse($3, `', `', `
+ifdef(`$3_write_content_defined', `', `
+define(`$3_write_content_defined')
+bool $3_write_content false;
+') dnl ifdef
+') dnl ifelse
+
+# Handle nfs homedirs
+ifelse($3, `',
+`if (use_nfs_home_dirs) { ',
+`if ($3_write_content && use_nfs_home_dirs) {')
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+create_dir_file($1, nfs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 nfs_t:file create_file_perms;
+dontaudit $1 nfs_t:dir create_dir_perms;
+}
+
+# Handle samba homedirs
+ifelse($3, `',
+`if (use_samba_home_dirs) { ',
+`if ($3_write_content && use_samba_home_dirs) {')
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+create_dir_file($1, cifs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 cifs_t:file create_file_perms;
+dontaudit $1 cifs_t:dir create_dir_perms;
+}
+
+# Handle /tmp and /home
+ifelse($3, `', `', 
+`if ($3_write_content) {') 
+allow $1 home_root_t:dir { read getattr search };
+file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file });
+file_type_auto_trans($1, $2_home_dir_t, $2_home_t, { dir file });
+ifelse($3, `', `', 
+`} else {
+dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
+dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
+}')
+
+') dnl write_trusted
+
+#########################################
+# write_untrusted(domain, role_prefix)
+#
+# Allow the given domain to write untrusted content. 
+# This is subject to the global boolean write_untrusted.
+
+define(`write_untrusted', `
+
+# Handle nfs homedirs
+if (write_untrusted_content && use_nfs_home_dirs) {
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+create_dir_file($1, nfs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 nfs_t:file create_file_perms;
+dontaudit $1 nfs_t:dir create_dir_perms;
+}
+
+# Handle samba homedirs
+if (write_untrusted_content && use_samba_home_dirs) {
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+create_dir_file($1, cifs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 cifs_t:file create_file_perms;
+dontaudit $1 cifs_t:dir create_dir_perms;
+}
+
+# Handle /tmp and /home
+if (write_untrusted_content) {
+allow $1 home_root_t:dir { read getattr search };
+file_type_auto_trans($1, { tmp_t $2_tmp_t }, $2_untrusted_content_tmp_t, { dir file })
+file_type_auto_trans($1, { $2_home_dir_t $2_home_t }, $2_untrusted_content_t, { dir file })
+} else {
+dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
+dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
+}
+
+') dnl write_untrusted
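Review bot: the header of write_untrusted says it `is subject to the global boolean write_untrusted`, but every rule in the macro tests `write_untrusted_content`; fix the comment so the boolean a reviewer greps for is the one actually evaluated. The `# FIXME: Do we want write to imply read?` at the top can be answered from this hunk: write_trusted and write_untrusted expand create_dir_file() on nfs_t and cifs_t, and create_dir_file() grants create_file_perms, which includes read, so write already implies read on the network home types and the comment should record that decision rather than leave it open. Minor: `file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file });` in write_trusted ends in a semicolon while the equivalent calls in write_untrusted do not; pick one form.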
diff --git a/mls/macros/core_macros.te b/mls/macros/core_macros.te
new file mode 100644
index 0000000..6bae8bf
--- /dev/null
+++ b/mls/macros/core_macros.te
@@ -0,0 +1,706 @@
+
+##############################
+#
+# core macros for the type enforcement (TE) configuration.
+#
+
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>, Timothy Fraser  
+#           Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
+#           Russell Coker <russell@coker.com.au>
+#
+
+#################################
+# 
+# Macros for groups of classes and 
+# groups of permissions.
+#
+
+#
+# All directory and file classes
+#
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# All non-directory file classes.
+#
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# Non-device file classes.
+#
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+
+#
+# Device file classes.
+#
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+#
+# All socket classes.
+#
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
+
+
+#
+# Datagram socket classes.
+# 
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+
+#
+# Stream socket classes.
+#
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+
+#
+# Unprivileged socket classes (exclude rawip, netlink, packet).
+#
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+
+# 
+# Permissions for getting file attributes.
+#
+define(`stat_file_perms', `{ getattr }')
+
+# 
+# Permissions for executing files.
+#
+define(`x_file_perms', `{ getattr execute }')
+
+# 
+# Permissions for reading files and their attributes.
+#
+define(`r_file_perms', `{ read getattr lock ioctl }')
+
+# 
+# Permissions for reading and executing files.
+#
+define(`rx_file_perms', `{ read getattr lock execute ioctl }')
+
+# 
+# Permissions for reading and writing files and their attributes.
+#
+define(`rw_file_perms', `{ ioctl read getattr lock write append }')
+
+# 
+# Permissions for reading and appending to files.
+#
+define(`ra_file_perms', `{ ioctl read getattr lock append }')
+
+#
+# Permissions for linking, unlinking and renaming files.
+# 
+define(`link_file_perms', `{ getattr link unlink rename }')
+
+#
+# Permissions for creating lnk_files.
+#
+define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
+
+#
+# Permissions for creating and using files.
+# 
+define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
+
+# 
+# Permissions for reading directories and their attributes.
+#
+define(`r_dir_perms', `{ read getattr lock search ioctl }')
+
+# 
+# Permissions for reading and writing directories and their attributes.
+#
+define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
+
+# 
+# Permissions for reading and adding names to directories.
+#
+define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
+
+
+#
+# Permissions for creating and using directories.
+# 
+define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
+
+#
+# Permissions to mount and unmount file systems.
+#
+define(`mount_fs_perms', `{ mount remount unmount getattr }')
+
+#
+# Permissions for using sockets.
+# 
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`create_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for using stream sockets.
+# 
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+# 
+define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
+
+
+#
+# Permissions for creating and using netlink sockets.
+# 
+define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that modify state.
+# 
+define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that observe state.
+# 
+define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
+
+#
+# Permissions for sending all signals.
+#
+define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
+
+#
+# Permissions for sending and receiving network packets.
+#
+define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
+
+#
+# Permissions for using System V IPC
+#
+define(`r_sem_perms', `{ associate getattr read unix_read }')
+define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
+define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`r_msgq_perms', `{ associate getattr read unix_read }')
+define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
+define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`r_shm_perms', `{ associate getattr read unix_read }')
+define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
+define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
+
+#################################
+# 
+# Macros for type transition rules and
+# access vector rules.
+#
+
+#
+# Simple combinations for reading and writing both
+# directories and files.
+# 
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:file r_file_perms;
+allow $1 $2:lnk_file { getattr read };
+')
+
+define(`rw_dir_file', `
+allow $1 $2:dir rw_dir_perms;
+allow $1 $2:file rw_file_perms;
+allow $1 $2:lnk_file { getattr read };
+')
+
+define(`ra_dir_file', `
+allow $1 $2:dir ra_dir_perms;
+allow $1 $2:file ra_file_perms;
+allow $1 $2:lnk_file { getattr read };
+')
+
+define(`ra_dir_create_file', `
+allow $1 $2:dir ra_dir_perms;
+allow $1 $2:file { create ra_file_perms };
+allow $1 $2:lnk_file { create read getattr };
+')
+
+define(`rw_dir_create_file', `
+allow $1 $2:dir rw_dir_perms;
+allow $1 $2:file create_file_perms;
+allow $1 $2:lnk_file create_lnk_perms;
+')
+
+define(`create_dir_file', `
+allow $1 $2:dir create_dir_perms;
+allow $1 $2:file create_file_perms;
+allow $1 $2:lnk_file create_lnk_perms;
+')
+
+define(`create_dir_notdevfile', `
+allow $1 $2:dir create_dir_perms;
+allow $1 $2:{ file sock_file fifo_file } create_file_perms;
+allow $1 $2:lnk_file create_lnk_perms;
+')
+
+define(`create_append_log_file', `
+allow $1 $2:dir { read getattr search add_name write };
+allow $1 $2:file { create ioctl getattr setattr append link };
+')
+
+##################################
+#
+# can_ps(domain1, domain2)
+#
+# Authorize domain1 to see /proc entries for domain2 (see it in ps output)
+#
+define(`can_ps',`
+allow $1 $2:dir { search getattr read };
+allow $1 $2:{ file lnk_file } { read getattr };
+allow $1 $2:process getattr;
+# We need to suppress this denial because procps tries to access
+# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+# running in a privileged domain.
+dontaudit $1 $2:process ptrace;
+')
+
+##################################
+#
+# can_getsecurity(domain)
+#
+# Authorize a domain to get security policy decisions.
+#
+define(`can_getsecurity',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } { getattr read };
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
+')
+
+##################################
+#
+# can_setenforce(domain)
+#
+# Authorize a domain to set the enforcing flag.
+# Due to its sensitivity, always audit this permission.
+#
+define(`can_setenforce',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:lnk_file read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
+allow $1 security_t:security setenforce;
+auditallow $1 security_t:security setenforce;
+}dnl end if !secure_mode_policyload
+')
+
+##################################
+#
+# can_setbool(domain)
+#
+# Authorize a domain to set a policy boolean.
+# Due to its sensitivity, always audit this permission.
+#
+define(`can_setbool',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:lnk_file read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
+allow $1 security_t:security setbool;
+auditallow $1 security_t:security setbool;
+}dnl end if !secure_mode_policyload
+')
+
+##################################
+#
+# can_setsecparam(domain)
+#
+# Authorize a domain to set security parameters.
+# Due to its sensitivity, always audit this permission.
+#
+define(`can_setsecparam',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:lnk_file read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security setsecparam;
+auditallow $1 security_t:security setsecparam;
+')
+
+##################################
+#
+# can_loadpol(domain)
+#
+# Authorize a domain to load a policy configuration.
+# Due to its sensitivity, always audit this permission.
+#
+define(`can_loadpol',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:lnk_file read;
+allow $1 proc_t:file { getattr read };
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
+allow $1 security_t:security load_policy;
+auditallow $1 security_t:security load_policy;
+}dnl end if !secure_mode_policyload
+')
+
+#################################
+#
+# domain_trans(parent_domain, program_type, child_domain)
+#
+# Permissions for transitioning to a new domain.
+#
+
+define(`domain_trans',`
+
+#
+# Allow the process to transition to the new domain.
+#
+allow $1 $3:process transition;
+
+#
+# Do not audit when glibc secure mode is enabled upon the transition.
+#
+dontaudit $1 $3:process noatsecure;
+
+#
+# Do not audit when signal-related state is cleared upon the transition.
+#
+dontaudit $1 $3:process siginh;
+
+#
+# Do not audit when resource limits are reset upon the transition.
+#
+dontaudit $1 $3:process rlimitinh;
+
+#
+# Allow the process to execute the program.
+# 
+allow $1 $2:file { read x_file_perms };
+
+#
+# Allow the process to reap the new domain.
+#
+allow $3 $1:process sigchld;
+
+#
+# Allow the new domain to inherit and use file 
+# descriptions from the creating process and vice versa.
+#
+allow $3 $1:fd use;
+allow $1 $3:fd use;
+
+#
+# Allow the new domain to write back to the old domain via a pipe.
+#
+allow $3 $1:fifo_file rw_file_perms;
+
+#
+# Allow the new domain to read and execute the program.
+#
+allow $3 $2:file rx_file_perms;
+
+#
+# Allow the new domain to be entered via the program.
+#
+allow $3 $2:file entrypoint;
+')
+
+#################################
+#
+# domain_auto_trans(parent_domain, program_type, child_domain)
+#
+# Define a default domain transition and allow it.
+#
+define(`domain_auto_trans',`
+domain_trans($1,$2,$3)
+type_transition $1 $2:process $3;
+')
+
+#################################
+#
+# can_ptrace(domain, domain)
+#
+# Permissions for running ptrace (strace or gdb) on another domain
+#
+define(`can_ptrace',`
+allow $1 $2:process ptrace;
+allow $2 $1:process sigchld;
+')
+
+#################################
+#
+# can_exec(domain, type)
+#
+# Permissions for executing programs with
+# a specified type without changing domains.
+#
+define(`can_exec',`
+allow $1 $2:file { rx_file_perms execute_no_trans };
+')
+
+# this is an internal macro used by can_create
+define(`can_create_internal', `
+ifelse(`$3', `dir', `
+allow $1 $2:$3 create_dir_perms;
+', `$3', `lnk_file', `
+allow $1 $2:$3 create_lnk_perms;
+', `
+allow $1 $2:$3 create_file_perms;
+')dnl end if dir
+')dnl end can_create_internal
+
+
+#################################
+#
+# can_create(domain, file_type, object_class)
+#
+# Permissions for creating files of the specified type and class
+#
+define(`can_create', `
+ifelse(regexp($3, `\w'), -1, `', `
+can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1'))
+
+can_create($1, $2, regexp($3, `\w+\(.*\)', `\1'))
+')
+')
+#################################
+#
+# file_type_trans(domain, dir_type, file_type)
+#
+# Permissions for transitioning to a new file type.
+#
+
+define(`file_type_trans',`
+
+#
+# Allow the process to modify the directory.
+#
+allow $1 $2:dir rw_dir_perms;
+
+#
+# Allow the process to create the file.
+#
+ifelse(`$4', `', `
+can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }')
+', `
+can_create($1, $3, $4)
+')dnl end if param 4 specified
+
+')
+
+#################################
+#
+# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
+#
+# the object class will default to notdevfile_class_set if not specified as
+# the fourth parameter
+#
+# Define a default file type transition and allow it.
+#
+define(`file_type_auto_trans',`
+ifelse(`$4', `', `
+file_type_trans($1,$2,$3)
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+', `
+file_type_trans($1,$2,$3,$4)
+type_transition $1 $2:$4 $3;
+')dnl end ifelse
+
+')
+
+
+#################################
+#
+# can_unix_connect(client, server)
+#
+# Permissions for establishing a Unix stream connection.
+#
+define(`can_unix_connect',`
+allow $1 $2:unix_stream_socket connectto;
+')
+
+#################################
+#
+# can_unix_send(sender, receiver)
+#
+# Permissions for sending Unix datagrams.
+#
+define(`can_unix_send',`
+allow $1 $2:unix_dgram_socket sendto;
+')
+
+#################################
+#
+# can_tcp_connect(client, server)
+#
+# Permissions for establishing a TCP connection.
+# Irrelevant until we have labeled networking.
+#
+define(`can_tcp_connect',`
+#allow $1 $2:tcp_socket { connectto recvfrom };
+#allow $2 $1:tcp_socket { acceptfrom recvfrom };
+#allow $2 kernel_t:tcp_socket recvfrom;
+#allow $1 kernel_t:tcp_socket recvfrom;
+')
+
+#################################
+#
+# can_udp_send(sender, receiver)
+#
+# Permissions for sending/receiving UDP datagrams.
+# Irrelevant until we have labeled networking.
+#
+define(`can_udp_send',`
+#allow $1 $2:udp_socket sendto;
+#allow $2 $1:udp_socket recvfrom;
+')
+
+
+##################################
+#
+# base_pty_perms(domain_prefix)
+#
+# Base permissions used for can_create_pty() and can_create_other_pty()
+#
+define(`base_pty_perms', `
+# Access the pty master multiplexer.
+allow $1_t ptmx_t:chr_file rw_file_perms;
+
+allow $1_t devpts_t:filesystem getattr;
+
+# allow searching /dev/pts
+allow $1_t devpts_t:dir { getattr read search };
+
+# ignore old BSD pty devices
+dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
+')
+
+
+##################################
+#
+# pty_slave_label(domain_prefix, attributes)
+#
+# give access to a slave pty but do not allow creating new ptys
+#
+define(`pty_slave_label', `
+type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
+
+# Allow the pty to be associated with the file system.
+allow $1_devpts_t devpts_t:filesystem associate;
+
+# Label pty files with a derived type.
+type_transition $1_t devpts_t:chr_file $1_devpts_t;
+
+# allow searching /dev/pts
+allow $1_t devpts_t:dir { getattr read search };
+
+# Read and write my pty files.
+allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
+')
+
+
+##################################
+#
+# can_create_pty(domain_prefix, attributes)
+#
+# Permissions for creating ptys.
+#
+define(`can_create_pty',`
+base_pty_perms($1)
+pty_slave_label($1, `$2')
+')
+
+
+##################################
+#
+# can_create_other_pty(domain_prefix,other_domain)
+#
+# Permissions for creating ptys for another domain.
+#
+define(`can_create_other_pty',`
+base_pty_perms($1)
+# Label pty files with a derived type.
+type_transition $1_t devpts_t:chr_file $2_devpts_t;
+
+# Read and write pty files.
+allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
+')
+
+
+#
+# general_domain_access(domain)
+#
+# Grant permissions within the domain.
+# This includes permissions to processes, /proc/PID files,
+# file descriptors, pipes, Unix sockets, and System V IPC objects
+# labeled with the domain.
+#
+define(`general_domain_access',`
+# Access other processes in the same domain.
+# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
+# These must be granted separately if desired.
+allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};
+
+# Access /proc/PID files for processes in the same domain.
+allow $1 self:dir r_dir_perms;
+allow $1 self:notdevfile_class_set r_file_perms;
+
+# Access file descriptions, pipes, and sockets
+# created by processes in the same domain.
+allow $1 self:fd *;
+allow $1 self:fifo_file rw_file_perms;
+allow $1 self:unix_dgram_socket create_socket_perms;
+allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+# Allow the domain to communicate with other processes in the same domain.
+allow $1 self:unix_dgram_socket sendto;
+allow $1 self:unix_stream_socket connectto;
+
+# Access System V IPC objects created by processes in the same domain.
+allow $1 self:sem  create_sem_perms;
+allow $1 self:msg  { send receive };
+allow $1 self:msgq create_msgq_perms;
+allow $1 self:shm  create_shm_perms;
+allow $1 unpriv_userdomain:fd use;
+#
+# Every app is asking for ypbind so I am adding this here, 
+# eventually this should become can_nsswitch
+#
+can_ypbind($1)
+allow $1 autofs_t:dir { search getattr };
+')dnl end general_domain_access
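Review bot: can_setsecparam grants and auditallows `security_t:security setsecparam` unconditionally, while the sibling macros can_setenforce, can_setbool and can_loadpol wrap the equivalent grant in `if (!secure_mode_policyload) { ... }`; if setsecparam is intended to remain available in secure mode, say so in the macro header, otherwise add the same guard. Two smaller points in this hunk: the file_type_trans header lists three parameters, but the body dispatches on `$4` (the object class), so the header should document the optional fourth parameter the way file_type_auto_trans does; and general_domain_access is described as granting permissions "within the domain", yet it also emits `allow $1 unpriv_userdomain:fd use;`, `can_ypbind($1)` and the autofs_t search, which are cross-domain grants applied to every caller, so either the header comment or the placement of those rules should change (the inline comment already marks the ypbind rule as a stopgap pending can_nsswitch).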
diff --git a/mls/macros/global_macros.te b/mls/macros/global_macros.te
new file mode 100644
index 0000000..277ab49
--- /dev/null
+++ b/mls/macros/global_macros.te
@@ -0,0 +1,772 @@
+##############################
+#
+# Global macros for the type enforcement (TE) configuration.
+#
+
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#           Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
+#           Russell Coker <russell@coker.com.au>
+#
+#
+#
+
+##################################
+#
+# can_setexec(domain)
+#
+# Authorize a domain to set its exec context
+# (via /proc/pid/attr/exec).
+#
+define(`can_setexec',`
+allow $1 self:process setexec;
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read write };
+')
+
+##################################
+#
+# can_getcon(domain)
+#
+# Authorize a domain to get its context
+# (via /proc/pid/attr/current).
+#
+define(`can_getcon',`
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+allow $1 self:process getattr;
+')
+
+##################################
+#
+# can_setcon(domain)
+#
+# Authorize a domain to set its current context
+# (via /proc/pid/attr/current).
+#
+define(`can_setcon',`
+allow $1 self:process setcurrent;
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read write };
+')
+
+##################################
+# read_sysctl(domain)
+#
+# Permissions for reading sysctl variables.
+# If the second parameter is full, allow
+# reading of any sysctl variables, else only
+# sysctl_kernel_t.
+#
+define(`read_sysctl', `
+# Read system variables in /sys.
+ifelse($2,`full', `
+allow $1 sysctl_type:dir r_dir_perms;
+allow $1 sysctl_type:file r_file_perms;
+', `
+allow $1 sysctl_t:dir search;
+allow $1 sysctl_kernel_t:dir search;
+allow $1 sysctl_kernel_t:file { getattr read };
+')
+
+')dnl read_sysctl
+
+##################################
+#
+# can_setfscreate(domain)
+#
+# Authorize a domain to set its fscreate context
+# (via /proc/pid/attr/fscreate).
+#
+define(`can_setfscreate',`
+allow $1 self:process setfscreate;
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read write };
+')
+
+#################################
+#
+# uses_shlib(domain)
+#
+# Permissions for using shared libraries.
+#
+define(`uses_shlib',`
+allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
+allow $1 lib_t:lnk_file r_file_perms;
+allow $1 ld_so_t:file rx_file_perms;
+#allow $1 ld_so_t:file execute_no_trans;
+allow $1 ld_so_t:lnk_file r_file_perms;
+allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
+allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
+allow $1 texrel_shlib_t:file execmod;
+allow $1 ld_so_cache_t:file r_file_perms;
+allow $1 device_t:dir search;
+allow $1 null_device_t:chr_file rw_file_perms;
+')
+
+#################################
+#
+# can_exec_any(domain)
+#
+# Permissions for executing a variety
+# of executable types.
+#
+define(`can_exec_any',`
+allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms;
+allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read };
+uses_shlib($1)
+can_exec($1, etc_t)
+can_exec($1, lib_t)
+can_exec($1, bin_t)
+can_exec($1, sbin_t)
+can_exec($1, exec_type)
+can_exec($1, ld_so_t)
+')
+
+
+#################################
+#
+# can_sysctl(domain)
+#
+# Permissions for modifying sysctl parameters.
+#
+define(`can_sysctl',`
+allow $1 sysctl_type:dir r_dir_perms;
+allow $1 sysctl_type:file { setattr rw_file_perms };
+')
+
+
+##################################
+#
+# read_locale(domain)
+#
+# Permissions for reading the locale data,
+# /etc/localtime and the files that it links to
+#
+define(`read_locale', `
+allow $1 etc_t:lnk_file read;
+allow $1 lib_t:file r_file_perms;
+r_dir_file($1, locale_t)
+')
+
+define(`can_access_pty', `
+allow $1 devpts_t:dir r_dir_perms;
+allow $1 $2_devpts_t:chr_file rw_file_perms;
+')
+
+###################################
+#
+# access_terminal(domain, typeprefix)
+#
+# Permissions for accessing the terminal
+#
+define(`access_terminal', `
+allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
+allow $1 devtty_t:chr_file { read write getattr ioctl };
+can_access_pty($1, $2)
+') 
+
+#
+# general_proc_read_access(domain)
+#
+# Grant read/search permissions to most of /proc, excluding
+# the /proc/PID directories and the /proc/kmsg and /proc/kcore files.
+# The general_domain_access macro grants access to the domain /proc/PID
+# directories, but not to other domains.  Only permissions to stat
+# are granted for /proc/kmsg and /proc/kcore, since these files are more
+# sensitive.
+# 
+define(`general_proc_read_access',`
+# Read system information files in /proc.
+r_dir_file($1, proc_t)
+r_dir_file($1, proc_net_t)
+allow $1 proc_mdstat_t:file r_file_perms;
+
+# Stat /proc/kmsg and /proc/kcore.
+allow $1 proc_fs:file stat_file_perms;
+
+# Read system variables in /proc/sys.
+read_sysctl($1)
+')
+
+#
+# base_file_read_access(domain)
+#
+# Grant read/search permissions to a few system file types.
+#
+define(`base_file_read_access',`
+# Read /.
+allow $1 root_t:dir r_dir_perms;
+allow $1 root_t:notdevfile_class_set r_file_perms;
+
+# Read /home.
+allow $1 home_root_t:dir r_dir_perms;
+
+# Read /usr.
+allow $1 usr_t:dir r_dir_perms;
+allow $1 usr_t:notdevfile_class_set r_file_perms;
+
+# Read bin and sbin directories.
+allow $1 bin_t:dir r_dir_perms;
+allow $1 bin_t:notdevfile_class_set r_file_perms;
+allow $1 sbin_t:dir r_dir_perms;
+allow $1 sbin_t:notdevfile_class_set r_file_perms;
+read_sysctl($1)
+
+r_dir_file($1, selinux_config_t)
+
+if (read_default_t) {
+#
+# Read default_t
+#.
+allow $1 default_t:dir r_dir_perms;
+allow $1 default_t:notdevfile_class_set r_file_perms;
+}
+
+')
+
+#######################
+# daemon_core_rules(domain_prefix, attribs)
+#
+# Define the core rules for a daemon, used by both daemon_base_domain() and
+# init_service_domain().
+# Attribs is the list of attributes which must start with "," if it is not empty
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+define(`daemon_core_rules', `
+type $1_t, domain, privlog, daemon $2;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+dontaudit $1_t self:capability sys_tty_config;
+
+role system_r types $1_t;
+
+# Inherit and use descriptors from init.
+allow $1_t init_t:fd use;
+allow $1_t init_t:process sigchld;
+allow $1_t self:process { signal_perms fork };
+
+uses_shlib($1_t)
+
+allow $1_t { self proc_t }:dir r_dir_perms;
+allow $1_t { self proc_t }:lnk_file { getattr read };
+
+allow $1_t device_t:dir r_dir_perms;
+ifdef(`udev.te', `
+allow $1_t udev_tdb_t:file r_file_perms;
+')dnl end if udev.te
+allow $1_t null_device_t:chr_file rw_file_perms;
+dontaudit $1_t console_device_t:chr_file rw_file_perms;
+dontaudit $1_t unpriv_userdomain:fd use;
+
+r_dir_file($1_t, sysfs_t) 
+
+allow $1_t autofs_t:dir { search getattr };
+ifdef(`targeted_policy', `
+dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
+dontaudit $1_t root_t:file { getattr read };
+')dnl end if targeted_policy
+ 
+')dnl end macro daemon_core_rules
+
+#######################
+# init_service_domain(domain_prefix, attribs)
+#
+# Define a domain for a program that is run from init
+# Attribs is the list of attributes which must start with "," if it is not empty
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+define(`init_service_domain', `
+daemon_core_rules($1, `$2')
+bool $1_disable_trans false;
+if ($1_disable_trans) {
+can_exec(init_t, $1_exec_t)
+} else {
+domain_auto_trans(init_t, $1_exec_t, $1_t)
+}
+')dnl
+
+#######################
+# daemon_base_domain(domain_prefix, attribs)
+#
+# Define a daemon domain with a base set of type declarations
+# and permissions that are common to most daemons.
+# attribs is the list of attributes which must start with "," if it is not empty
+# nosysadm may be given as an optional third parameter, to specify that the
+# sysadmin should not transition to the domain when directly calling the executable
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+define(`daemon_base_domain', `
+daemon_core_rules($1, `$2')
+
+rhgb_domain($1_t)
+
+read_sysctl($1_t)
+
+ifdef(`direct_sysadm_daemon', `
+dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
+')
+
+#
+# Allows user to define a tunable to disable domain transition
+#
+ifelse(index(`$2',`transitionbool'), -1, `', `
+bool $1_disable_trans false;
+if ($1_disable_trans) {
+can_exec(initrc_t, $1_exec_t)
+can_exec(sysadm_t, $1_exec_t)
+} else {
+') dnl transitionbool
+domain_auto_trans(initrc_t, $1_exec_t, $1_t)
+
+allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
+ifdef(`direct_sysadm_daemon', `
+ifelse(`$3', `nosysadm', `', `
+domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
+allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
+')dnl end nosysadm
+')dnl end direct_sysadm_daemon
+ifelse(index(`$2', `transitionbool'), -1, `', `
+}
+') dnl end transitionbool
+ifdef(`direct_sysadm_daemon', `
+ifelse(`$3', `nosysadm', `', `
+role_transition sysadm_r $1_exec_t system_r;
+')dnl end nosysadm
+')dnl end direct_sysadm_daemon
+
+allow $1_t privfd:fd use;
+ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
+allow $1_t initrc_devpts_t:chr_file rw_file_perms;
+')dnl
+
+# allow a domain to create its own files under /var/run and to create files
+# in directories that are created for it.  $2 is an optional list of
+# classes to use; default is file.
+define(`var_run_domain', `
+type $1_var_run_t, file_type, sysadmfile, pidfile;
+
+ifelse(`$2', `', `
+file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
+', `
+file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
+')
+allow $1_t var_t:dir search;
+allow $1_t $1_var_run_t:dir rw_dir_perms;
+')
+
+#######################
+# daemon_domain(domain_prefix, attribs)
+#
+# see daemon_base_domain for calling details
+# daemon_domain defines some additional privileges needed by many domains,
+# like pid files and locale support
+
+define(`daemon_domain', `
+ifdef(`targeted_policy', `
+daemon_base_domain($1, `$2, transitionbool', $3)
+', `
+daemon_base_domain($1, `$2', $3)
+')
+# Create pid file.
+allow $1_t var_t:dir { getattr search };
+var_run_domain($1)
+
+allow $1_t devtty_t:chr_file rw_file_perms;
+
+# for daemons that look at /root on startup
+dontaudit $1_t sysadm_home_dir_t:dir search;
+
+# for df
+allow $1_t fs_type:filesystem getattr;
+allow $1_t removable_t:filesystem getattr;
+
+read_locale($1_t)
+
+# for localization
+allow $1_t lib_t:file { getattr read };
+')dnl end daemon_domain macro
+
+define(`uses_authbind',
+`domain_auto_trans($1, authbind_exec_t, authbind_t)
+allow authbind_t $1:process sigchld;
+allow authbind_t $1:fd use;
+allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
+')
+
+# define a sub-domain, $1_t is the parent domain, $2 is the name
+# of the sub-domain.
+#
+define(`daemon_sub_domain', `
+# $1 is the parent domain (or domains), $2_t is the child domain,
+# and $3 is any attributes to apply to the child
+type $2_t, domain, privlog, daemon $3;
+type $2_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types $2_t;
+
+ifelse(index(`$3',`transitionbool'), -1, `
+
+domain_auto_trans($1, $2_exec_t, $2_t)
+
+', `
+
+bool $2_disable_trans false;
+
+if (! $2_disable_trans) {
+domain_auto_trans($1, $2_exec_t, $2_t)
+}
+
+');
+# Inherit and use descriptors from parent.
+allow $2_t $1:fd use;
+allow $2_t $1:process sigchld;
+
+allow $2_t self:process signal_perms;
+
+uses_shlib($2_t)
+
+allow $2_t { self proc_t }:dir r_dir_perms;
+allow $2_t { self proc_t }:lnk_file read;
+
+allow $2_t device_t:dir getattr;
+')
+
+# grant access to /tmp
+# by default, only plain files and dirs may be stored there.
+# This can be overridden with a third parameter
+define(`tmp_domain', `
+type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
+ifelse($3, `',
+`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
+`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
+')
+
+# grant access to /tmp. Do not perform an automatic transition.
+define(`tmp_domain_notrans', `
+type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
+')
+
+define(`tmpfs_domain', `
+ifdef(`$1_tmpfs_t_defined',`', `
+define(`$1_tmpfs_t_defined')
+type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
+# Use this type when creating tmpfs/shm objects.
+file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
+allow $1_tmpfs_t tmpfs_t:filesystem associate;
+')
+')
+
+define(`var_lib_domain', `
+type $1_var_lib_t, file_type, sysadmfile;
+file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
+allow $1_t $1_var_lib_t:dir rw_dir_perms;
+')
+
+define(`log_domain', `
+type $1_log_t, file_type, sysadmfile, logfile;
+file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
+')
+
+define(`logdir_domain', `
+log_domain($1)
+allow $1_t $1_log_t:dir { setattr rw_dir_perms };
+')
+
+define(`etc_domain', `
+type $1_etc_t, file_type, sysadmfile, usercanread;
+allow $1_t $1_etc_t:file r_file_perms;
+')
+
+define(`etcdir_domain', `
+etc_domain($1)
+allow $1_t $1_etc_t:dir r_dir_perms;
+allow $1_t $1_etc_t:lnk_file { getattr read };
+')
+
+define(`append_log_domain', `
+type $1_log_t, file_type, sysadmfile, logfile;
+allow $1_t var_log_t:dir ra_dir_perms;
+allow $1_t $1_log_t:file  { create ra_file_perms };
+type_transition $1_t var_log_t:file $1_log_t;
+')
+
+define(`append_logdir_domain', `
+append_log_domain($1)
+allow $1_t $1_log_t:dir { setattr ra_dir_perms };
+')
+
+define(`lock_domain', `
+type $1_lock_t, file_type, sysadmfile, lockfile;
+file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
+')
+
+#######################
+# application_domain(domain_prefix)
+#
+# Define a domain with a base set of type declarations
+# and permissions that are common to simple applications.
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+define(`application_domain', `
+type $1_t, domain, privlog $2;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+role sysadm_r types $1_t;
+ifdef(`targeted_policy', `
+role system_r types $1_t;
+')
+domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
+uses_shlib($1_t)
+')
+
+define(`system_domain', `
+type $1_t, domain, privlog $2;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+role system_r types $1_t;
+uses_shlib($1_t)
+allow $1_t etc_t:dir r_dir_perms;
+')
+
+# Dontaudit macros to prevent flooding the log
+
+define(`dontaudit_getattr', `
+dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
+dontaudit $1 unlabeled_t:dir_file_class_set getattr;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
+')dnl end dontaudit_getattr 
+
+define(`dontaudit_search_dir', `
+dontaudit $1 file_type - secure_file_type:dir search;
+dontaudit $1 unlabeled_t:dir search;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
+')dnl end dontaudit_search_dir
+
+define(`dontaudit_read_dir', `
+dontaudit $1 file_type - secure_file_type:dir read;
+dontaudit $1 unlabeled_t:dir read;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
+')dnl end dontaudit_read_dir
+
+# Define legacy_domain  for legacy binaries (java)
+# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
+# toolchain.  They cause the kernel to automatically start translating all
+# read protection requests to read|execute for backward compatibility on
+# x86.  They will all need execmem and execmod, including execmod to
+# shlib_t and ld_so_t unlike non-legacy binaries.
+
+define(`legacy_domain', `
+allow $1_t self:process { execmem execstack };
+allow $1_t { texrel_shlib_t shlib_t }:file execmod;
+allow $1_t ld_so_t:file execmod;
+allow $1_t ld_so_cache_t:file execute;
+')
+
+
+# Allow domain to perform polyinstantiation functions
+# polyinstantiater(domain)
+
+define(`polyinstantiater', `
+
+ifdef(`support_polyinstantiation', `
+# Need to give access to /selinux/member
+allow $1 security_t:security compute_member;
+
+# Need to give access to the directories to be polyinstantiated
+allow $1 polydir:dir { getattr mounton add_name create setattr write search };
+
+# Need to give access to the polyinstantiated subdirectories
+allow $1 polymember:dir {getattr search };
+
+# Need to give access to parent directories where original
+# is remounted for polyinstantiation aware programs (like gdm)
+allow $1 polyparent:dir { getattr mounton };
+
+# Need to give permission to create directories where applicable
+allow $1 polymember: dir { create setattr };
+allow $1 polydir: dir { write add_name };
+allow $1 self:process setfscreate;
+allow $1 polyparent:dir { write add_name };
+# Default type for mountpoints
+allow $1 poly_t:dir { create mounton };
+
+# Need sys_admin capability for mounting
+allow $1 self:capability sys_admin;
+')dnl end else support_polyinstantiation
+
+')dnl end polyinstantiater
+
+# 
+# Domain that is allow to read anonymous data off the network
+# without providing authentication.
+# Also define boolean to allow anonymous writing
+#
+define(`anonymous_domain', `
+r_dir_file($1_t, { public_content_t public_content_rw_t } )
+bool allow_$1_anon_write false;
+if (allow_$1_anon_write) {
+create_dir_file($1_t,public_content_rw_t)
+}
+')
+# 
+# Define a domain that can do anything, so that it is
+# effectively unconfined by the SELinux policy.  This
+# means that it is only restricted by the normal Linux 
+# protections.  Note that you may need to add further rules
+# to allow other domains to interact with this domain as expected,
+# since this macro only allows the specified domain to act upon
+# all other domains and types, not vice versa.
+#
+define(`unconfined_domain', `
+
+typeattribute $1 unrestricted;
+typeattribute $1 privuser;
+
+# Mount/unmount any filesystem. 
+allow $1 fs_type:filesystem *;
+
+# Mount/unmount any filesystem with the context= option. 
+allow $1 file_type:filesystem *;
+
+# Create/access any file in a labeled filesystem;
+allow $1 file_type:{ file chr_file } ~execmod;
+allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+allow $1 sysctl_t:{ dir file } *;
+allow $1 device_type:devfile_class_set *;
+allow $1 mtrr_device_t:file *;
+
+# Create/access other files.  fs_type is to pick up various
+# pseudo filesystem types that are applied to both the filesystem
+# and its files.
+allow $1 { unlabeled_t fs_type }:dir_file_class_set *;
+allow $1 proc_fs:{ dir file } *;
+
+# For /proc/pid
+r_dir_file($1,domain)
+# Write access is for setting attributes under /proc/self/attr.
+allow $1 self:file rw_file_perms;
+
+# Read and write sysctls.
+can_sysctl($1)
+
+# Access the network.
+allow $1 node_type:node *;
+allow $1 netif_type:netif *;
+allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
+allow $1 port_type:tcp_socket name_connect;
+
+# Bind to any network address.
+allow $1 port_type:{ rawip_socket tcp_socket udp_socket } name_bind;
+allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+
+# Use/sendto/connectto sockets created by any domain.
+allow $1 domain:{ socket_class_set socket key_socket } *;
+
+# Use descriptors and pipes created by any domain.
+allow $1 domain:fd use;
+allow $1 domain:fifo_file rw_file_perms;
+
+# Act upon any other process.
+allow $1 domain:process ~{ transition dyntransition execmem };
+# Transition to myself, to make get_ordered_context_list happy.
+allow $1 self:process transition;
+
+if (allow_execmem) {
+# Allow making anonymous memory executable, e.g. 
+# for runtime-code generation or executable stack.
+allow $1 self:process execmem;
+}
+
+if (allow_execmem && allow_execstack) {
+# Allow making the stack executable via mprotect.
+allow $1 self:process execstack;
+}
+
+if (allow_execmod) {
+# Allow text relocations on system shared libraries, e.g. libGL.
+ifdef(`targeted_policy', `
+allow $1 file_type:file execmod;
+', `
+allow $1 texrel_shlib_t:file execmod;
+allow $1 home_type:file execmod;
+')
+}
+
+# Create/access any System V IPC objects.
+allow $1 domain:{ sem msgq shm } *;
+allow $1 domain:msg  { send receive };
+
+# Access the security API.
+if (!secure_mode_policyload) {
+allow $1 security_t:security *;
+auditallow $1 security_t:security { load_policy setenforce setbool };
+}dnl end if !secure_mode_policyload
+
+# Perform certain system operations that lacked individual capabilities.
+allow $1 kernel_t:system *;
+
+# Use any Linux capability.
+allow $1 self:capability *;
+
+# Set user information and skip authentication.
+allow $1 self:passwd *;
+
+# Communicate via dbusd.
+allow $1 self:dbus *;
+ifdef(`dbusd.te', `
+allow $1 system_dbusd_t:dbus *;
+')
+
+# Get info via nscd.
+allow $1 self:nscd *;
+ifdef(`nscd.te', `
+allow $1 nscd_t:nscd *;
+')
+
+')dnl end unconfined_domain
+
+
+define(`access_removable_media', `
+
+can_exec($1, { removable_t noexattrfile } )
+if (user_rw_noexattrfile) {
+create_dir_file($1, noexattrfile)
+create_dir_file($1, removable_t)
+# Write floppies 
+allow $1 removable_device_t:blk_file rw_file_perms;
+allow $1 usbtty_device_t:chr_file write;
+} else {
+r_dir_file($1, noexattrfile)
+r_dir_file($1, removable_t)
+allow $1 removable_device_t:blk_file r_file_perms;
+}
+allow $1 removable_t:filesystem getattr;
+
+')
+
+define(`authentication_domain', `
+can_ypbind($1)
+can_kerberos($1)
+can_ldap($1)
+can_resolve($1)
+can_winbind($1)
+r_dir_file($1, cert_t)
+allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
+allow $1 self:capability { audit_write audit_control };
+dontaudit $1 shadow_t:file { getattr read };
+allow $1 sbin_t:dir search;
+allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow $1 var_lib_t:dir r_dir_perms;
+rw_dir_file($1, var_auth_t)
+')
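Review bot: `can_exec($1, { removable_t noexattrfile })` at the top of `access_removable_media` sits outside the `if (user_rw_noexattrfile)` block, so every caller may execute files from removable media and noexattr filesystems even when the boolean is off and the domain only has read access to them; if the boolean is meant to govern write access only, say so in a comment, otherwise gate execution as well. The `# Write floppies` comment also directly precedes `allow $1 usbtty_device_t:chr_file write;`, which is a USB tty device rather than a floppy; move or extend the comment. In `authentication_domain`, `allow $1 self:capability { audit_write audit_control };` would benefit from a comment stating why `audit_control` (which permits changing the audit configuration, not just writing records) is required by the login helpers that use this macro.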
diff --git a/mls/macros/home_macros.te b/mls/macros/home_macros.te
new file mode 100644
index 0000000..e780425
--- /dev/null
+++ b/mls/macros/home_macros.te
@@ -0,0 +1,139 @@
+# Home macros
+
+################################################
+# network_home(source)
+#
+# Allows source domain to use a network home
+# This includes privileges of create and execute
+# as well as the ability to create sockets and fifo
+
+define(`network_home', `
+allow $1 autofs_t:dir { search getattr };
+
+if (use_nfs_home_dirs) {
+create_dir_file($1, nfs_t)
+can_exec($1, nfs_t)
+allow $1 nfs_t:{ sock_file fifo_file } create_file_perms;
+}
+
+if (use_samba_home_dirs) {
+create_dir_file($1, cifs_t)
+can_exec($1, cifs_t)
+allow $1 cifs_t:{ sock_file fifo_file } create_file_perms;
+}
+') dnl network_home
+
+################################################
+# write_network_home(source)
+#
+# Allows source domain to create directories and
+# files on network file system
+
+define(`write_network_home', `
+allow $1 home_root_t:dir search;
+
+if (use_nfs_home_dirs) {
+create_dir_file($1, nfs_t)
+}
+if (use_samba_home_dirs) {
+create_dir_file($1, cifs_t)
+}
+allow $1 autofs_t:dir { search getattr };
+') dnl write_network_home
+
+################################################
+# read_network_home(source)
+#
+# Allows source domain to read directories and
+# files on network file system
+
+define(`read_network_home', `
+allow $1 home_root_t:dir search;
+
+if (use_nfs_home_dirs) {
+r_dir_file($1, nfs_t)
+}
+if (use_samba_home_dirs) {
+r_dir_file($1, cifs_t)
+}
+allow $1 autofs_t:dir { search getattr };
+') dnl read_network_home
+
+##################################################
+# home_domain_ro_access(source, user, app)
+#
+# Gives source access to the read-only home
+# domain of app for the given user type
+
+define(`home_domain_ro_access', `
+allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
+read_network_home($1)
+ifelse($3, `', `
+r_dir_file($1, $2_home_t)
+', `
+r_dir_file($1, $2_$3_ro_home_t)
+')
+') dnl home_domain_ro_access
+
+#################################################
+# home_domain_access(source, user, app)
+#
+# Gives source full access to the home
+# domain of app for the given user type
+#
+# Requires transition in caller
+
+define(`home_domain_access', `
+allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
+write_network_home($1)
+ifelse($3, `', `
+file_type_auto_trans($1, $2_home_dir_t, $2_home_t)
+create_dir_file($1, $2_home_t)
+', `
+create_dir_file($1, $2_$3_home_t)
+')
+') dnl home_domain_access
+
+####################################################################
+# home_domain (prefix, app)
+#
+# Creates a domain in the prefix home where an application can
+# store its settings. It is accessible by the prefix domain.
+#
+# Requires transition in caller
+
+define(`home_domain', `
+
+# Declare home domain
+type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember;
+typealias $1_$2_home_t alias $1_$2_rw_t;
+
+# User side access
+create_dir_file($1_t, $1_$2_home_t)
+allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+# App side access
+home_domain_access($1_$2_t, $1, $2)
+')
+
+####################################################################
+# home_domain_ro (user, app)
+#
+# Creates a read-only domain in the user home where an application can
+# store its settings. It is fully accessible by the user, but
+# it is read-only for the application.
+#
+
+define(`home_domain_ro', `
+
+# Declare home domain
+type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
+typealias $1_$2_ro_home_t alias $1_$2_ro_t;
+
+# User side access
+create_dir_file($1_t, $1_$2_ro_home_t)
+allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+# App side access
+home_domain_ro_access($1_$2_t, $1, $2)
+')
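Review bot: `home_domain` declares `$1_$2_home_t` with the `polymember` attribute (`type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember;`) while `home_domain_ro` declares `$1_$2_ro_home_t` without it; if read-only settings directories are deliberately excluded from polyinstantiation, a comment in `home_domain_ro` should say so, otherwise add `polymember` there too. The header comments are also inconsistent about the first parameter: `home_domain (prefix, app)` versus `home_domain_ro (user, app)`; pick one name so readers can tell they take the same value.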
diff --git a/mls/macros/mini_user_macros.te b/mls/macros/mini_user_macros.te
new file mode 100644
index 0000000..9f7d994
--- /dev/null
+++ b/mls/macros/mini_user_macros.te
@@ -0,0 +1,57 @@
+#
+# Macros for all user login domains.
+#
+
+#
+# mini_user_domain(domain_prefix)
+#
+# Define derived types and rules for a minimal privs user domain named
+# $1_mini_t which is permitted to be in $1_r role and transition to $1_t.
+#
+undefine(`mini_user_domain')
+define(`mini_user_domain',`
+# user_t/$1_t is an unprivileged users domain.
+type $1_mini_t, domain, user_mini_domain;
+
+# for ~/.bash_profile and other files that the mini domain should be allowed
+# to read (but not write)
+type $1_home_mini_t, file_type, sysadmfile;
+allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom };
+allow $1_mini_t $1_home_mini_t:file r_file_perms;
+
+# $1_r is authorized for $1_mini_t for the initial login domain.
+role $1_r types $1_mini_t;
+uses_shlib($1_mini_t)
+pty_slave_label($1_mini, `, userpty_type, mini_pty_type')
+
+allow $1_mini_t devtty_t:chr_file rw_file_perms;
+allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read };
+dontaudit $1_mini_t proc_t:dir { getattr search };
+allow $1_mini_t self:unix_stream_socket create_socket_perms;
+allow $1_mini_t self:fifo_file rw_file_perms;
+allow $1_mini_t self:process { fork sigchld setpgid };
+dontaudit $1_mini_t var_t:dir search;
+allow $1_mini_t { bin_t sbin_t }:dir search;
+
+dontaudit $1_mini_t device_t:dir { getattr read };
+dontaudit $1_mini_t devpts_t:dir { getattr read };
+dontaudit $1_mini_t proc_t:lnk_file read;
+
+can_exec($1_mini_t, bin_t)
+allow $1_mini_t { home_root_t $1_home_dir_t }:dir search;
+dontaudit $1_mini_t home_root_t:dir getattr;
+dontaudit $1_mini_t $1_home_dir_t:dir { getattr read };
+dontaudit $1_mini_t $1_home_t:file { append getattr read write };
+
+dontaudit $1_mini_t fs_t:filesystem getattr;
+
+type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t;
+# uncomment this if using mini domains for console logins
+#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t;
+
+type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t;
+type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t;
+
+domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)
+')dnl end mini_user_domain definition
+
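Review bot: the header says `$1_mini_t` is "permitted to be in $1_r role and transition to $1_t", but the only domain transition in the body is `domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)`; if reaching `$1_t` is meant to happen through newrole, state that in the header, otherwise the transition rule is missing. The comment `# user_t/$1_t is an unprivileged users domain.` above `type $1_mini_t, domain, user_mini_domain;` is stale and should describe the mini domain it introduces.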
diff --git a/mls/macros/network_macros.te b/mls/macros/network_macros.te
new file mode 100644
index 0000000..3d7bd06
--- /dev/null
+++ b/mls/macros/network_macros.te
@@ -0,0 +1,191 @@
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`base_can_network',`
+#
+# Allow the domain to create and use $2 sockets.
+# Other kinds of sockets must be separately authorized for use.
+allow $1 self:$2_socket connected_socket_perms;
+
+#
+# Allow the domain to send or receive using any network interface.
+# netif_type is a type attribute for all network interface types.
+#
+allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
+
+#
+# Allow the domain to send to or receive from any node.
+# node_type is a type attribute for all node types.
+#
+allow $1 node_type:node { $2_send rawip_send };
+allow $1 node_type:node { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any port.
+# port_type is a type attribute for all port types.
+#
+ifelse($3, `', `
+allow $1 port_type:$2_socket { send_msg recv_msg };
+', `
+allow $1 $3:$2_socket { send_msg recv_msg };
+')
+
+# XXX Allow binding to any node type.  Remove once
+# individual rules have been added to all domains that 
+# bind sockets. 
+allow $1 node_type:$2_socket node_bind;
+#
+# Allow access to network files including /etc/resolv.conf
+#
+allow $1 net_conf_t:file r_file_perms;
+')dnl end can_network definition
+
+#################################
+#
+# can_network_server_tcp(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_server_tcp',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { listen accept };
+')
+
+#################################
+#
+# can_network_client_tcp(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_client_tcp',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { connect };
+')
+
+#################################
+#
+# can_network_tcp(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_tcp',`
+
+can_network_server_tcp($1, `$2')
+can_network_client_tcp($1, `$2')
+
+')
+
+#################################
+#
+# can_network_udp(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_udp',`
+base_can_network($1, udp, `$2')
+allow $1 self:udp_socket { connect };
+')
+
+#################################
+#
+# can_network_server(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_server',`
+
+can_network_server_tcp($1, `$2')
+can_network_udp($1, `$2')
+
+')dnl end can_network_server definition
+
+
+#################################
+#
+# can_network_client(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_client',`
+
+can_network_client_tcp($1, `$2')
+can_network_udp($1, `$2')
+
+')dnl end can_network_client definition
+
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network',`
+
+can_network_tcp($1, `$2')
+can_network_udp($1, `$2')
+
+ifdef(`mount.te', `
+#
+# Allow the domain to send NFS client requests via the socket
+# created by mount.
+#
+allow $1 mount_t:udp_socket rw_socket_perms;
+')
+
+')dnl end can_network definition
+
+define(`can_resolve',`
+can_network_client($1, `dns_port_t')
+allow $1 dns_port_t:tcp_socket name_connect;
+')
+
+define(`can_portmap',`
+can_network_client($1, `portmap_port_t')
+allow $1 portmap_port_t:tcp_socket name_connect;
+')
+
+define(`can_ldap',`
+can_network_client_tcp($1, `ldap_port_t')
+allow $1 ldap_port_t:tcp_socket name_connect;
+')
+
+define(`can_winbind',`
+ifdef(`winbind.te', `
+allow $1 winbind_var_run_t:dir { getattr search };
+allow $1 winbind_t:unix_stream_socket connectto;
+allow $1 winbind_var_run_t:sock_file { getattr read write };
+')
+')
+
+
+#################################
+#
+# nsswitch_domain(domain)
+#
+# Permissions for looking up uid/username mapping via nsswitch
+#
+define(`nsswitch_domain', `
+can_resolve($1)
+can_ypbind($1)
+can_ldap($1)
+can_winbind($1)
+')
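Review bot: in `base_can_network` the comment "Allow the domain to send or receive using any network interface. netif_type is a type attribute for all network interface types." sits above `allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };`, which names the single type `netif_t` rather than the `netif_type` attribute, so domains using these macros cannot use interfaces labeled with any other netif type (compare `allow $1 netif_type:netif *;` in the unconfined macro); either change the rule to `netif_type` or correct the comment. The block header reads `can_network(domain)` but defines `base_can_network` with three parameters, and `$2` (protocol) and `$3` (optional port type, falling back to `port_type`) are undocumented; the closing `dnl end can_network definition` on that block is likewise stale. Fix the headers so the parameters are discoverable by the callers added below.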
diff --git a/mls/macros/program/apache_macros.te b/mls/macros/program/apache_macros.te
new file mode 100644
index 0000000..a1422be
--- /dev/null
+++ b/mls/macros/program/apache_macros.te
@@ -0,0 +1,205 @@
+
+define(`apache_domain', `
+
+#This type is for webpages
+#
+type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
+
+# This type is used for .htaccess files
+#
+type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
+allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
+
+# This type is used for executable scripts files
+#
+type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
+
+# Type that CGI scripts run as
+type httpd_$1_script_t, domain, privmail, nscd_client_domain;
+role system_r types httpd_$1_script_t;
+uses_shlib(httpd_$1_script_t)
+
+if (httpd_enable_cgi) {
+domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
+allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
+
+allow httpd_$1_script_t httpd_t:fd use;
+allow httpd_$1_script_t httpd_t:process sigchld;
+
+allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
+allow httpd_$1_script_t usr_t:lnk_file { getattr read };
+
+allow httpd_$1_script_t self:process { fork signal_perms };
+
+allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
+allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
+allow httpd_$1_script_t etc_runtime_t:file { getattr read };
+read_locale(httpd_$1_script_t)
+allow httpd_$1_script_t fs_t:filesystem getattr;
+allow httpd_$1_script_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow httpd_$1_script_t { self proc_t }:file r_file_perms;
+allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
+allow httpd_$1_script_t { self proc_t }:lnk_file read;
+
+allow httpd_$1_script_t device_t:dir { getattr search };
+allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
+}
+
+if (httpd_enable_cgi && httpd_can_network_connect) {
+can_network_client(httpd_$1_script_t)
+allow httpd_$1_script_t port_type:tcp_socket name_connect;
+}
+
+ifdef(`ypbind.te', `
+if (httpd_enable_cgi && allow_ypbind) {
+uncond_can_ypbind(httpd_$1_script_t)
+}
+')
+# The following are the only areas that 
+# scripts can read, read/write, or append to
+#
+type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
+file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
+
+#########################################################
+# Permissions for running child processes and scripts
+##########################################################
+allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
+
+domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+allow httpd_$1_script_t httpd_t:fifo_file write;
+
+allow httpd_$1_script_t self:fifo_file rw_file_perms;
+
+allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+
+###########################################################################
+# Allow the script interpreters to run the scripts.  So
+# the perl executable will be able to run a perl script
+#########################################################################
+allow httpd_$1_script_t httpd_$1_script_exec_t:dir r_dir_perms;
+can_exec_any(httpd_$1_script_t)
+
+allow httpd_$1_script_t etc_t:file { getattr read };
+dontaudit httpd_$1_script_t selinux_config_t:dir search;
+
+############################################################################
+# Allow the script process to search the cgi directory, and users directory
+##############################################################################
+allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
+can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+allow httpd_$1_script_t home_root_t:dir { getattr search };
+allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
+
+#############################################################################
+# Allow the scripts to read, read/write, append to the specified directories
+# or files
+############################################################################
+read_fonts(httpd_$1_script_t)
+r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
+create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
+allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;
+ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
+anonymous_domain(httpd_$1_script)
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+create_dir_file(httpd_$1_script_t, httpdcontent)
+can_exec(httpd_$1_script_t, httpdcontent)
+}
+
+#
+# If a user starts a script by hand it gets the proper context
+#
+ifdef(`targeted_policy', `', `
+if (httpd_enable_cgi) {
+domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+}
+')
+role sysadm_r types httpd_$1_script_t;
+
+dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
+dontaudit httpd_$1_script_t sysctl_t:dir search;
+
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir  search;
+allow httpd_$1_script_t httpd_log_t:file { getattr append };
+
+# apache should set close-on-exec
+dontaudit  httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+################################################################
+# Allow the web server to run scripts and serve pages
+##############################################################
+if (httpd_builtin_scripting) {
+r_dir_file(httpd_t, httpd_$1_script_ro_t)
+create_dir_file(httpd_t, httpd_$1_script_rw_t)
+allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
+ra_dir_file(httpd_t, httpd_$1_script_ra_t)
+r_dir_file(httpd_t, httpd_$1_content_t)
+}
+
+')
+define(`apache_user_domain', `
+
+apache_domain($1)
+
+typeattribute httpd_$1_content_t $1_file_type;
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+}
+
+if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+# If a user starts a script by hand it gets the proper context
+domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+}
+role $1_r types httpd_$1_script_t;
+
+#######################################
+# Allow user to create or edit web content
+#########################################
+
+create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
+allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
+
+######################################################################
+# Allow the user to create htaccess files
+#####################################################################
+
+allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
+
+#########################################################################
+# Allow user to create files or directories 
+# that scripts are able to read, write, or append to
+###########################################################################
+
+create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
+allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
+
+# allow accessing files/dirs below the users home dir
+if (httpd_enable_homedirs) {
+allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
+ifdef(`nfs_home_dirs', `
+r_dir_file(httpd_$1_script_t, nfs_t)
+')dnl end if nfs_home_dirs
+}
+ifdef(`crond.te', `
+create_dir_file($1_crond_t, httpd_$1_content_t)
+')
+
+ifdef(`ftpd.te', `
+if (ftp_home_dir) {
+create_dir_file(ftpd_t, httpd_$1_content_t)
+}
+')
+
+
+')
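Review bot: the home-directory block in `apache_user_domain` uses an m4 test, `ifdef(`nfs_home_dirs', ...)`, to decide whether scripts may read `nfs_t`, while the rest of this series keys NFS home support on the boolean `use_nfs_home_dirs` (see `home_macros.te` and `cdrecord_macros.te`); unless `nfs_home_dirs` is defined at build time this branch is dead, and it will never follow a runtime toggle of the boolean, so replace it with `if (use_nfs_home_dirs) { r_dir_file(httpd_$1_script_t, nfs_t) }` inside the `httpd_enable_homedirs` block, and consider a matching `use_samba_home_dirs` / `cifs_t` case. Style: `allow httpd_t httpd_$1_htaccess_t: file r_file_perms;` has a stray space after the colon.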
diff --git a/mls/macros/program/bonobo_macros.te b/mls/macros/program/bonobo_macros.te
new file mode 100644
index 0000000..4c3fdac
--- /dev/null
+++ b/mls/macros/program/bonobo_macros.te
@@ -0,0 +1,117 @@
+#
+# Bonobo
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+# bonobo_domain(role_prefix) - invoke per role
+# bonobo_client(app_prefix, role_prefix) - invoke per client app
+# bonobo_connect(type1_prefix, type2_prefix) - 
+# 	connect two bonobo clients, the channel is bidirectional
+
+######################
+
+define(`bonobo_domain', `
+
+# Protect against double inclusion for faster compile
+ifdef(`bonobo_domain_$1', `', `
+define(`bonobo_domain_$1')
+
+# Type for daemon
+type $1_bonobo_t, domain, nscd_client_domain;
+
+# Transition from caller
+domain_auto_trans($1_t, bonobo_exec_t, $1_bonobo_t)
+role $1_r types $1_bonobo_t;
+
+# Shared libraries, gconv-modules
+uses_shlib($1_bonobo_t)
+allow $1_bonobo_t lib_t:file r_file_perms;
+
+read_locale($1_bonobo_t)
+read_sysctl($1_bonobo_t)
+
+# Session management 
+# FIXME: More specific context is needed for gnome-session
+ice_connect($1_bonobo, $1)
+
+# nsswitch.conf
+allow $1_bonobo_t etc_t:file { read getattr };
+
+# Fork to start apps
+allow $1_bonobo_t self:process { fork sigchld setpgid getsched signal };
+allow $1_bonobo_t self:fifo_file rw_file_perms;
+
+# ??? 
+allow $1_bonobo_t root_t:dir search;
+allow $1_bonobo_t home_root_t:dir search;
+allow $1_bonobo_t $1_home_dir_t:dir search;
+
+# libexec ??? 
+allow $1_bonobo_t bin_t:dir search;
+
+# ORBit sockets for bonobo
+orbit_domain($1_bonobo, $1)
+
+# Bonobo can launch evolution
+ifdef(`evolution.te', `
+domain_auto_trans($1_bonobo_t, evolution_exec_t, $1_evolution_t)
+domain_auto_trans($1_bonobo_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
+domain_auto_trans($1_bonobo_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
+domain_auto_trans($1_bonobo_t, evolution_server_exec_t, $1_evolution_server_t)
+domain_auto_trans($1_bonobo_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
+')
+
+# Bonobo can launch GNOME vfs daemon
+ifdef(`gnome_vfs.te', `
+domain_auto_trans($1_bonobo_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
+')
+  
+# Transition to ROLE_t on bin_t apps
+# FIXME: The goal is to get rid of this rule, as it
+# defeats the purpose of a separate domain. It is only
+# here temporarily, since bonobo runs as ROLE_t by default anyway
+domain_auto_trans($1_bonobo_t, bin_t, $1_t) 
+
+can_pipe_xdm($1_bonobo_t)
+  
+') dnl ifdef bonobo_domain_args
+') dnl bonobo_domain
+
+#####################
+
+define(`bonobo_client', `
+
+# Protect against double inclusion for faster compile
+ifdef(`bonobo_client_$1_$2', `', `
+define(`bonobo_client_$1_$2')
+# Connect over bonobo
+bonobo_connect($1, $2_gconfd, $1)
+ 
+# Create ORBit sockets
+orbit_domain($1, $2)
+
+# Connect to bonobo
+orbit_connect($1, $2_bonobo)
+orbit_connect($2_bonobo, $1)
+
+# Lock /tmp/bonobo-activation-register.lock
+# Stat /tmp/bonobo-activation-server.ior
+# FIXME: this should probably be of type $2_bonobo..
+# Note that this is file, not sock_file
+allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
+
+domain_auto_trans($1_t, bonobo_exec_t, $2_bonobo_t)
+
+') dnl ifdef bonobo_client_args
+') dnl bonobo_client
+
+#####################
+
+define(`bonobo_connect', `
+
+# FIXME: Should there be a macro for unidirectional conn. ?
+
+orbit_connect($1, $2)
+orbit_connect($2, $1)
+
+') dnl bonobo_connect
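Review bot: `bonobo_client` calls `bonobo_connect($1, $2_gconfd, $1)` with three arguments, but `bonobo_connect` is defined below with only `$1` and `$2` (two `orbit_connect` calls), so the third argument is silently ignored by m4; drop it, or if a third parameter was intended, add it to the definition and to the `bonobo_connect(type1_prefix, type2_prefix)` header. The `# ???` and `# libexec ???` comments above the `root_t`, `home_root_t`, `$1_home_dir_t` and `bin_t` dir searches leave those rules unjustified; a reviewer cannot tell whether they are required or were added to silence denials, so please record the reason or switch them to `dontaudit` if the accesses are not needed.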
diff --git a/mls/macros/program/cdrecord_macros.te b/mls/macros/program/cdrecord_macros.te
new file mode 100644
index 0000000..72d3f4f
--- /dev/null
+++ b/mls/macros/program/cdrecord_macros.te
@@ -0,0 +1,53 @@
+# macros for the cdrecord domain
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+
+define(`cdrecord_domain', `
+type $1_cdrecord_t, domain, privlog;
+
+domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_cdrecord_t;
+
+uses_shlib($1_cdrecord_t)
+read_locale($1_cdrecord_t)
+
+# allow ps to show cdrecord and allow the user to kill it 
+can_ps($1_t, $1_cdrecord_t)
+allow $1_t $1_cdrecord_t:process signal;
+
+# write to the user domain tty.
+access_terminal($1_cdrecord_t, $1)
+allow $1_cdrecord_t privfd:fd use;
+
+allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
+
+allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
+allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+can_resmgrd_connect($1_cdrecord_t)
+
+read_content($1_cdrecord_t, $1, cdrecord) 
+
+allow $1_cdrecord_t etc_t:file { getattr read };
+
+# allow searching for cdrom-drive
+allow $1_cdrecord_t device_t:dir r_dir_perms;
+allow $1_cdrecord_t device_t:lnk_file { getattr read };
+
+# allow cdrecord to write the CD
+allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
+allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
+
+allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
+can_access_pty($1_cdrecord_t, $1)
+allow $1_cdrecord_t $1_home_t:dir search;
+allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
+allow $1_cdrecord_t $1_home_t:file r_file_perms;
+if (use_nfs_home_dirs) {
+allow $1_cdrecord_t mnt_t:dir search;
+r_dir_file($1_cdrecord_t, nfs_t)
+}
+')
+
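Review bot: `allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };` grants `dac_override` without explanation; together with the read access to `$1_home_dir_t`/`$1_home_t` and the device rules, this lets the burner bypass mode bits on everything its type rules reach, so either document why cdrecord needs it or try `dontaudit` first and confirm burning still works. The NFS branch `if (use_nfs_home_dirs) { ... r_dir_file($1_cdrecord_t, nfs_t) }` has no `use_samba_home_dirs`/`cifs_t` counterpart, unlike `home_macros.te` in this series, so users with Samba-mounted homes will not be able to burn images from their home directory.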
diff --git a/mls/macros/program/chkpwd_macros.te b/mls/macros/program/chkpwd_macros.te
new file mode 100644
index 0000000..2151d85
--- /dev/null
+++ b/mls/macros/program/chkpwd_macros.te
@@ -0,0 +1,72 @@
+#
+# Macros for chkpwd domains.
+#
+
+#
+# chkpwd_domain(domain_prefix)
+#
+# Define a derived domain for the *_chkpwd program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/su.te. 
+#
+undefine(`chkpwd_domain')
+ifdef(`chkpwd.te', `
+define(`chkpwd_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
+
+role $1_r types $1_chkpwd_t;
+
+# read /selinux/mls
+allow $1_chkpwd_t security_t:dir search;
+allow $1_chkpwd_t security_t:file read;
+# is_selinux_enabled
+allow $1_chkpwd_t proc_t:file read;
+
+can_getcon($1_chkpwd_t)
+authentication_domain($1_chkpwd_t)
+
+ifelse($1, system, `
+domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
+dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
+authentication_domain(auth_chkpwd)
+', `
+domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
+
+# Write to the user domain tty.
+access_terminal($1_chkpwd_t, $1)
+
+allow $1_chkpwd_t privfd:fd use;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
+
+# Inherit and use descriptors from newrole.
+ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
+')
+
+uses_shlib($1_chkpwd_t)
+allow $1_chkpwd_t etc_t:file { getattr read };
+allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
+allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
+read_locale($1_chkpwd_t)
+
+# Use capabilities.
+allow $1_chkpwd_t self:capability setuid;
+r_dir_file($1_chkpwd_t, selinux_config_t)
+
+# for nscd
+ifdef(`nscd.te', `', `
+dontaudit $1_chkpwd_t var_t:dir search;
+')
+
+dontaudit $1_chkpwd_t fs_t:filesystem getattr;
+')
+
+', `
+
+define(`chkpwd_domain',`')
+
+')
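Review bot: the header comment says the executable type is "provided separately in domains/program/su.te", but the macro body is guarded by `ifdef(`chkpwd.te', ...)` and transitions on `chkpwd_exec_t`, so the reference should point at `domains/program/chkpwd.te`. Also `allow $1_chkpwd_t security_t:file read;` (under `# read /selinux/mls`) grants `read` without `getattr`, unlike the `{ getattr read }` pattern used for `etc_t` in the same macro; confirm whether getattr denials appear or use the same permission set for consistency.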
diff --git a/mls/macros/program/chroot_macros.te b/mls/macros/program/chroot_macros.te
new file mode 100644
index 0000000..47ca86b
--- /dev/null
+++ b/mls/macros/program/chroot_macros.te
@@ -0,0 +1,131 @@
+
+# macro for chroot environments
+# Author Russell Coker
+
+# chroot(initial_domain, basename, role, tty_device_type)
+define(`chroot', `
+
+ifelse(`$1', `initrc', `
+define(`chroot_role', `system_r')
+define(`chroot_tty_device', `{ console_device_t admin_tty_type }')
+define(`chroot_mount_domain', `mount_t')
+define(`chroot_fd_use', `{ privfd init_t }')
+', `
+define(`chroot_role', `$1_r')
+define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }')
+define(`chroot_fd_use', `privfd')
+
+# allow mounting /proc and /dev
+ifdef(`$1_mount_def', `', `
+mount_domain($1, $1_mount)
+role chroot_role types $1_mount_t;
+')
+define(`chroot_mount_domain', `$1_mount_t')
+ifdef(`ssh.te', `
+can_tcp_connect($1_ssh_t, $2_t)
+')dnl end ssh
+')dnl end ifelse initrc
+
+# types for read-only and read-write files in the chroot
+type $2_ro_t, file_type, sysadmfile, home_type, user_home_type;
+type $2_rw_t, file_type, sysadmfile, home_type, user_home_type;
+# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t
+# when you execute it
+type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type;
+
+allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton };
+allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton };
+
+# entry point for $2_super_t
+type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type;
+# $2_t is the base domain, has full access to $2_rw_t files
+type $2_t, domain;
+# $2_super_t is the super-chroot domain, can also write to $2_ro_t
+# but still can not access outside the chroot
+type $2_super_t, domain;
+allow $2_super_t chroot_tty_device:chr_file rw_file_perms;
+
+ifdef(`$1_chroot_def', `', `
+dnl can not have this defined twice
+define(`$1_chroot_def')
+
+allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount };
+
+# $1_chroot_t is the domain for /usr/sbin/chroot
+type $1_chroot_t, domain;
+
+# allow $1_chroot_t to write to the tty device
+allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms;
+allow $1_chroot_t chroot_fd_use:fd use;
+allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use;
+
+role chroot_role types $1_chroot_t;
+uses_shlib($1_chroot_t)
+allow $1_chroot_t self:capability sys_chroot;
+allow $1_t $1_chroot_t:dir { search getattr read };
+allow $1_t $1_chroot_t:{ file lnk_file } { read getattr };
+domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t)
+allow $1_chroot_t fs_t:filesystem getattr;
+')dnl End conditional
+
+role chroot_role types { $2_t $2_super_t };
+
+# allow ps to show processes and allow killing them
+allow $1_t { $2_super_t $2_t }:dir { search getattr read };
+allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr };
+allow $1_t { $2_super_t $2_t }:process signal_perms;
+allow $2_super_t $2_t:dir { search getattr read };
+allow $2_super_t $2_t:{ file lnk_file } { read getattr };
+allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };
+allow $1_t $2_super_t:process { signal_perms ptrace };
+allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace };
+
+allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr;
+allow { $2_super_t $2_t } device_t:dir { search getattr };
+allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms;
+allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms;
+allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config };
+allow $2_super_t self:capability sys_ptrace;
+
+can_tcp_connect($2_super_t, $2_t)
+allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms;
+
+# quiet ps and killall
+dontaudit { $2_super_t $2_t } domain:dir { search getattr };
+
+# allow $2_t to write to the owner tty device (should remove this)
+allow $2_t chroot_tty_device:chr_file { read write };
+
+r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+can_exec($2_super_t, { $2_ro_t $2_super_entry_t })
+create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+# $2_super_t transitions to $2_t when it executes
+# any file that $2_t can write
+domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t)
+allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read;
+r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t })
+create_dir_notdevfile($2_t, $2_rw_t)
+allow $2_t $2_rw_t:fifo_file create_file_perms;
+allow $2_t $2_ro_t:fifo_file rw_file_perms;
+allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms;
+create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+can_exec($1_t, { $2_ro_t $2_dropdown_t })
+domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t)
+domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t)
+allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto };
+general_proc_read_access({ $2_t $2_super_t })
+general_domain_access({ $2_t $2_super_t })
+can_create_pty($2)
+can_create_pty($2_super)
+can_network({ $2_t $2_super_t })
+allow { $2_t $2_super_t } port_type:tcp_socket name_connect;
+allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
+allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
+allow { $2_t $2_super_t } self:capability { dac_override kill };
+
+undefine(`chroot_role')
+undefine(`chroot_tty_device')
+undefine(`chroot_mount_domain')
+undefine(`chroot_fd_use')
+')
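Review bot: the rule `allow $2_t chroot_tty_device:chr_file { read write };` ships under a comment that says `(should remove this)`; either drop it now or replace the comment with the reason it must stay, because a flagged-but-kept grant tends to outlive its justification. Two related points: `allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };` makes the earlier `allow $1_t { $2_super_t $2_t }:process signal_perms;` redundant for `$2_t`, and `allow { $2_t $2_super_t } self:capability { dac_override kill };` lets both chroot domains bypass DAC inside the chroot, so a comment explaining why the base `$2_t` domain needs `dac_override` would help reviewers.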
diff --git a/mls/macros/program/clamav_macros.te b/mls/macros/program/clamav_macros.te
new file mode 100644
index 0000000..bc15930
--- /dev/null
+++ b/mls/macros/program/clamav_macros.te
@@ -0,0 +1,58 @@
+#
+# Macros for clamscan
+#
+# Author:  Brian May <bam@snoopy.apana.org.au>
+#
+
+#
+# can_clamd_connect(domain_prefix)
+#
+# Define a domain that can access clamd
+#
+define(`can_clamd_connect',`
+allow $1_t clamd_var_run_t:dir search;
+allow $1_t clamd_var_run_t:sock_file write;
+allow $1_t clamd_sock_t:sock_file write;
+can_unix_connect($1_t, clamd_t)
+')
+
+# clamscan_domain(domain_prefix)
+#
+# Define a derived domain for the clamscan program when executed
+#
+define(`clamscan_domain', `
+# Derived domain based on the calling user domain and the program.
+type $1_clamscan_t, domain, privlog;
+
+# Uses shared librarys
+uses_shlib($1_clamscan_t)
+allow $1_clamscan_t fs_t:filesystem getattr;
+r_dir_file($1_clamscan_t, etc_t)
+read_locale($1_clamscan_t)
+
+# Access virus signatures
+allow $1_clamscan_t var_lib_t:dir search;
+r_dir_file($1_clamscan_t, clamav_var_lib_t)
+
+# Allow temp files
+tmp_domain($1_clamscan)
+
+# Why is this required?
+allow $1_clamscan_t proc_t:dir r_dir_perms;
+allow $1_clamscan_t proc_t:file r_file_perms;
+read_sysctl($1_clamscan_t)
+allow $1_clamscan_t self:unix_stream_socket { connect create read write };
+')
+
+define(`user_clamscan_domain',`
+clamscan_domain($1)
+role $1_r types $1_clamscan_t;
+domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t)
+access_terminal($1_clamscan_t, $1)
+r_dir_file($1_clamscan_t,$1_home_t);
+r_dir_file($1_clamscan_t,$1_home_dir_t);
+allow $1_clamscan_t $1_home_t:file r_file_perms;
+allow $1_clamscan_t privfd:fd use;
+ifdef(`gnome-pty-helper.te', `allow $1_clamscan_t $1_gph_t:fd use;')
+')
+
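Review bot: the `# Why is this required?` comment above `allow $1_clamscan_t proc_t:dir r_dir_perms;` should be resolved before this lands: either document what clamscan reads under /proc or narrow the rule, rather than shipping an open question. Two smaller points: `allow $1_clamscan_t $1_home_t:file r_file_perms;` is already covered by `r_dir_file($1_clamscan_t,$1_home_t);`, and the trailing semicolons after the `r_dir_file(...)` macro calls are inconsistent with the other macro files, where macro calls expand to complete rules and carry no semicolon.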
diff --git a/mls/macros/program/crond_macros.te b/mls/macros/program/crond_macros.te
new file mode 100644
index 0000000..5e61d7d
--- /dev/null
+++ b/mls/macros/program/crond_macros.te
@@ -0,0 +1,126 @@
+#
+# Macros for crond domains.
+#
+
+#
+# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>,
+#	    Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
+#           Russell Coker <rcoker@redhat.com>
+#
+
+#
+# crond_domain(domain_prefix)
+#
+# Define a derived domain for cron jobs executed by crond on behalf 
+# of a user domain.  These domains are separate from the top-level domain
+# defined for the crond daemon and the domain defined for system cron jobs,
+# which are specified in domains/program/crond.te.
+#
+undefine(`crond_domain')
+define(`crond_domain',`
+# Derived domain for user cron jobs, user user_crond_domain if not system
+ifelse(`system', `$1', `
+type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
+', `
+type $1_crond_t, domain, user_crond_domain;
+
+# Access user files and dirs.
+allow $1_crond_t home_root_t:dir search;
+file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
+
+# Run scripts in user home directory and access shared libs.
+can_exec($1_crond_t, $1_home_t)
+
+file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
+')
+r_dir_file($1_crond_t, selinux_config_t)
+
+# Type of user crontabs once moved to cron spool.
+type $1_cron_spool_t, file_type, sysadmfile;
+
+ifdef(`fcron.te', `
+allow crond_t $1_cron_spool_t:file create_file_perms;
+')
+
+allow $1_crond_t urandom_device_t:chr_file { getattr read };
+
+allow $1_crond_t usr_t:file { getattr ioctl read };
+allow $1_crond_t usr_t:lnk_file read;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via execve_secure.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+domain_trans(crond_t, shell_exec_t, $1_crond_t)
+
+ifdef(`mta.te', `
+domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
+allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
+
+# $1_mail_t should only be reading from the cron fifo not needing to write
+dontaudit $1_mail_t crond_t:fifo_file write;
+allow mta_user_agent $1_crond_t:fd use;
+')
+
+# The user role is authorized for this domain.
+role $1_r types $1_crond_t;
+
+# This domain is granted permissions common to most domains.
+can_network($1_crond_t)
+allow $1_crond_t port_type:tcp_socket name_connect;
+can_ypbind($1_crond_t)
+r_dir_file($1_crond_t, self)
+allow $1_crond_t self:fifo_file rw_file_perms;
+allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_crond_t self:unix_dgram_socket create_socket_perms;
+allow $1_crond_t etc_runtime_t:file { getattr read };
+allow $1_crond_t self:process { fork signal_perms setsched };
+allow $1_crond_t proc_t:dir r_dir_perms;
+allow $1_crond_t proc_t:file { getattr read ioctl };
+read_locale($1_crond_t)
+read_sysctl($1_crond_t)
+allow $1_crond_t var_spool_t:dir search;
+allow $1_crond_t fs_type:filesystem getattr;
+
+allow $1_crond_t devtty_t:chr_file { read write };
+allow $1_crond_t var_t:dir r_dir_perms;
+allow $1_crond_t var_t:file { getattr read ioctl };
+allow $1_crond_t var_log_t:dir search;
+
+# Use capabilities.
+allow $1_crond_t self:capability dac_override;
+
+# Inherit and use descriptors from initrc - I think this is wrong
+#allow $1_crond_t initrc_t:fd use;
+
+# 
+# Since crontab files are not directly executed,
+# crond must ensure that the crontab file has
+# a type that is appropriate for the domain of
+# the user cron job.  It performs an entrypoint
+# permission check for this purpose.
+#
+allow $1_crond_t $1_cron_spool_t:file entrypoint;
+
+# Run helper programs.
+can_exec_any($1_crond_t)
+
+# ps does not need to access /boot when run from cron
+dontaudit $1_crond_t boot_t:dir search;
+# quiet other ps operations
+dontaudit $1_crond_t domain:dir { getattr search };
+# for nscd
+dontaudit $1_crond_t var_run_t:dir search;
+')
+
+# When system_crond_t domain executes a type $1 executable then transition to
+# domain $2, allow $2 to interact with crond_t as well.
+define(`system_crond_entry', `
+ifdef(`crond.te', `
+domain_auto_trans(system_crond_t, $1, $2)
+allow $2 crond_t:fifo_file { getattr read write ioctl };
+# a rule for privfd may make this obsolete
+allow $2 crond_t:fd use;
+allow $2 crond_t:process sigchld;
+')dnl end ifdef
+')dnl end system_crond_entry
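Review bot: the commented-out `#allow $1_crond_t initrc_t:fd use;` with `I think this is wrong` attached is a leftover that should either be deleted or turned into a `dontaudit` if the denial is noisy; dead rules with doubts attached are easy to resurrect later without re-examination. Also, the comment `user user_crond_domain if not system` reads as a typo for `use user_crond_domain if not system`, and `can_exec_any($1_crond_t)` in the common section deserves a comment explaining why user cron jobs must execute every executable type when `crontab_macros.te` confines its helper execution to `{ bin_t sbin_t shell_exec_t }`.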
diff --git a/mls/macros/program/crontab_macros.te b/mls/macros/program/crontab_macros.te
new file mode 100644
index 0000000..a18d80f
--- /dev/null
+++ b/mls/macros/program/crontab_macros.te
@@ -0,0 +1,102 @@
+#
+# Macros for crontab domains.
+#
+
+#
+# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>
+# Revised by Stephen Smalley <sds@epoch.ncsc.mil>
+#
+
+#
+# crontab_domain(domain_prefix)
+#
+# Define a derived domain for the crontab program when executed by
+# a user domain.  
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/crontab.te. 
+#
+undefine(`crontab_domain')
+define(`crontab_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_crontab_t, domain, privlog;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
+
+can_ps($1_t, $1_crontab_t)
+
+# for ^Z
+allow $1_t $1_crontab_t:process signal;
+
+# The user role is authorized for this domain.
+role $1_r types $1_crontab_t;
+
+uses_shlib($1_crontab_t)
+allow $1_crontab_t etc_t:file { getattr read };
+allow $1_crontab_t self:unix_stream_socket create_socket_perms;
+allow $1_crontab_t self:unix_dgram_socket create_socket_perms;
+read_locale($1_crontab_t)
+
+# Use capabilities dac_override is to create the file in the directory
+# under /tmp
+allow $1_crontab_t self:capability { setuid setgid chown dac_override };
+
+# Type for temporary files.
+file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
+
+# Use the type when creating files in /var/spool/cron.
+allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
+allow $1_crontab_t { var_t var_spool_t }:dir { getattr search };
+file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
+allow $1_crontab_t self:process { fork signal_perms };
+ifdef(`fcron.te', `
+# fcron wants an instant update of a crontab change for the administrator
+# also crontab does a security check for crontab -u
+ifelse(`$1', `sysadm', `
+allow $1_crontab_t crond_t:process signal;
+can_setfscreate($1_crontab_t)
+', `
+dontaudit $1_crontab_t crond_t:process signal;
+')dnl end ifelse
+')dnl end ifdef fcron
+
+# for the checks used by crontab -u
+dontaudit $1_crontab_t security_t:dir search;
+allow $1_crontab_t proc_t:dir search;
+allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };
+allow $1_crontab_t selinux_config_t:dir search;
+allow $1_crontab_t selinux_config_t:file { getattr read };
+dontaudit $1_crontab_t self:dir search;
+
+# crontab signals crond by updating the mtime on the spooldir
+allow $1_crontab_t cron_spool_t:dir setattr;
+# Allow crond to read those crontabs in cron spool.
+allow crond_t $1_cron_spool_t:file r_file_perms;
+
+# Run helper programs as $1_t
+allow $1_crontab_t { bin_t sbin_t }:dir search;
+allow $1_crontab_t bin_t:lnk_file read;
+domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
+
+# Read user crontabs 
+allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
+allow $1_crontab_t $1_home_t:file r_file_perms;  
+dontaudit $1_crontab_t $1_home_dir_t:dir write;
+
+# Access the cron log file.
+allow $1_crontab_t crond_log_t:file r_file_perms;
+allow $1_crontab_t crond_log_t:file append;
+
+# Access terminals.
+allow $1_crontab_t device_t:dir search;
+access_terminal($1_crontab_t, $1);
+
+allow $1_crontab_t fs_t:filesystem getattr;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
+allow $1_crontab_t privfd:fd use;
+
+dontaudit $1_crontab_t var_run_t:dir search;
+')
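Review bot: `allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };` hardcodes `sysadm_crontab_t` inside a macro that is otherwise parameterised on `$1`, so every expansion grants the sysadm crontab domain read access to that user's spool files; it belongs next to the other `crontab -u` rules under `ifelse(`$1', `sysadm'` or needs a comment saying this cross-user read is intended. The comment above it, `# Use the type when creating files in /var/spool/cron.`, describes the `file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)` line two rules down, not this one.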
diff --git a/mls/macros/program/daemontools_macros.te b/mls/macros/program/daemontools_macros.te
new file mode 100644
index 0000000..94c4f8e
--- /dev/null
+++ b/mls/macros/program/daemontools_macros.te
@@ -0,0 +1,11 @@
+ifdef(`daemontools.te', `
+
+define(`svc_ipc_domain',`
+allow $1 svc_start_t:process sigchld;
+allow $1 svc_start_t:fd use;
+allow $1 svc_start_t:fifo_file { read write getattr };
+allow svc_start_t $1:process signal; 
+')
+
+') dnl ifdef daemontools
+
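Review bot: missing documentation: unlike the other macro files, `svc_ipc_domain` has no header comment, and its argument `$1` is a full domain type (it is used bare in `allow $1 svc_start_t:process sigchld;`) rather than a `domain_prefix` as in most macros here, which is worth stating so callers do not pass a prefix. There is also trailing whitespace on `allow svc_start_t $1:process signal; `.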
diff --git a/mls/macros/program/dbusd_macros.te b/mls/macros/program/dbusd_macros.te
new file mode 100644
index 0000000..2e542a0
--- /dev/null
+++ b/mls/macros/program/dbusd_macros.te
@@ -0,0 +1,90 @@
+#
+# Macros for Dbus
+#
+# Author: Colin Walters <walters@redhat.com>
+
+# dbusd_domain(domain_prefix)
+#
+# Define a derived domain for the DBus daemon.
+
+define(`dbusd_domain', `
+ifelse(`system', `$1',`
+daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
+# For backwards compatibility
+typealias system_dbusd_t alias dbusd_t;
+type etc_dbusd_t, file_type, sysadmfile;
+',`
+type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
+role $1_r types $1_dbusd_t;
+domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
+read_locale($1_dbusd_t)
+allow $1_t $1_dbusd_t:process { sigkill signal };
+allow $1_dbusd_t self:process { sigkill signal };
+dontaudit $1_dbusd_t var_t:dir { getattr search };
+')dnl end ifelse system
+
+base_file_read_access($1_dbusd_t)
+uses_shlib($1_dbusd_t)
+allow $1_dbusd_t etc_t:file { getattr read };
+r_dir_file($1_dbusd_t, etc_dbusd_t)
+tmp_domain($1_dbusd) 
+allow $1_dbusd_t self:process fork;
+can_pipe_xdm($1_dbusd_t)
+
+allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+
+allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
+allow $1_dbusd_t self:file { getattr read write };
+allow $1_dbusd_t proc_t:file read;
+
+can_getsecurity($1_dbusd_t)
+r_dir_file($1_dbusd_t, default_context_t)
+allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+
+ifdef(`pamconsole.te', `
+r_dir_file($1_dbusd_t, pam_var_console_t)
+')
+
+allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+
+')dnl end dbusd_domain definition
+
+# dbusd_client(dbus_type, domain_prefix)
+# Example: dbusd_client_domain(system, user)
+#
+# Define a new derived domain for connecting to dbus_type
+# from domain_prefix_t. 
+undefine(`dbusd_client')
+define(`dbusd_client',`
+
+ifdef(`dbusd.te',`
+# Derived type used for connection
+type $2_dbusd_$1_t;
+type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
+
+# SE-DBus specific permissions
+allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+
+# For connecting to the bus
+allow $2_t $1_dbusd_t:unix_stream_socket connectto;
+
+ifelse(`system', `$1', `
+allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
+allow { $2_t } system_dbusd_var_run_t:sock_file write;
+',`') dnl endif system
+') dnl endif dbusd.te
+')
+
+# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
+# Example: can_dbusd_converse(system, hald, updfstab)
+# Example: can_dbusd_converse(session, user, user)
+define(`can_dbusd_converse',`')
+ifdef(`dbusd.te',`
+undefine(`can_dbusd_converse')
+define(`can_dbusd_converse',`
+allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
+allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
+') dnl endif dbusd.te
+')
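Review bot: the usage comment `# Example: dbusd_client_domain(system, user)` names a macro that does not exist; the macro defined directly below is `dbusd_client`, so the example should read `dbusd_client(system, user)`. Minor style point: `allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;` wraps a single type in braces, which none of the other files do.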
diff --git a/mls/macros/program/ethereal_macros.te b/mls/macros/program/ethereal_macros.te
new file mode 100644
index 0000000..36f1a96
--- /dev/null
+++ b/mls/macros/program/ethereal_macros.te
@@ -0,0 +1,82 @@
+# DESC - Ethereal  
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+#############################################################
+# ethereal_networking(app_prefix) - 
+#	restricted ethereal rules (sysadm only)
+#                               
+
+define(`ethereal_networking', `
+
+# Create various types of sockets
+allow $1_t self:netlink_route_socket create_netlink_socket_perms;
+allow $1_t self:udp_socket create_socket_perms;
+allow $1_t self:packet_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_t self:tcp_socket create_socket_perms;
+
+allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid };
+
+# Resolve names via DNS
+can_resolve($1_t)
+
+') dnl ethereal_networking
+
+########################################################
+# Ethereal (GNOME) 
+#
+
+define(`ethereal_domain', `
+
+# Type for program
+type $1_ethereal_t, domain, nscd_client_domain;
+
+# Transition from sysadm type
+domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t)
+role $1_r types $1_ethereal_t;
+
+# Manual transition from userhelper 
+ifdef(`userhelper.te', `
+allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
+allow $1_ethereal_t userhelperdomain:fd use;
+allow $1_ethereal_t userhelperdomain:process sigchld;
+') dnl userhelper
+
+# X, GNOME
+x_client_domain($1_ethereal, $1)
+gnome_application($1_ethereal, $1)
+gnome_file_dialog($1_ethereal, $1)
+
+# Why does it write this?
+ifdef(`snmpd.te', `
+dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
+')
+
+# /home/.ethereal
+home_domain($1, ethereal)
+file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir)
+
+# Enable restricted networking rules for sysadm - this is shared w/ tethereal
+ifelse($1, `sysadm', `
+ethereal_networking($1_ethereal) 
+
+# Ethereal tries to write to user terminal
+dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write };
+dontaudit sysadm_ethereal_t unpriv_userdomain:fd use;
+', `')
+
+# Store temporary files
+tmp_domain($1_ethereal)
+
+# Re-execute itself (why?)
+can_exec($1_ethereal_t, ethereal_exec_t)
+allow $1_ethereal_t sbin_t:dir search;
+
+# Supress .local denials until properly implemented
+dontaudit $1_ethereal_t $1_home_t:dir search;
+
+# FIXME: policy is incomplete
+
+') dnl ethereal_domain 
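Review bot: `dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;` hardcodes the sysadm domain inside a macro parameterised on `$1`, unlike the sysadm-specific rules further down that sit inside `ifelse($1, `sysadm'`; use `$1_ethereal_t` there or move the rule into that block, and while at it answer the `# Why does it write this?` question in the comment. Also `Supress` should be `Suppress`, and the `# FIXME: policy is incomplete` marker should say what is known to be missing.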
diff --git a/mls/macros/program/evolution_macros.te b/mls/macros/program/evolution_macros.te
new file mode 100644
index 0000000..37fc087
--- /dev/null
+++ b/mls/macros/program/evolution_macros.te
@@ -0,0 +1,234 @@
+#
+# Evolution   
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+################################################
+# evolution_common(app_prefix,role_prefix)
+# 
+define(`evolution_common', `
+
+# Gnome common stuff
+gnome_application($1, $2)
+
+# Stat root
+allow $1_t root_t:dir search;
+
+# Access null device 
+allow $1_t null_device_t:chr_file rw_file_perms;
+
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+dontaudit $1_t $2_home_t:dir r_dir_perms;
+
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+dontaudit $1_t $2_home_t:file r_file_perms;
+
+') dnl evolution_common
+
+#######################################
+# evolution_data_server(role_prefix) 
+#
+
+define(`evolution_data_server', `
+
+# Type for daemon
+type $1_evolution_server_t, domain, nscd_client_domain;
+
+# Transition from user type
+if (! disable_evolution_trans) {
+domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t)
+}
+role $1_r types $1_evolution_server_t;
+
+# Evolution common stuff
+evolution_common($1_evolution_server, $1)
+
+# Access evolution home
+home_domain_access($1_evolution_server_t, $1, evolution)
+
+# Talks to exchange
+bonobo_connect($1_evolution_server, $1_evolution_exchange)
+
+can_exec($1_evolution_server_t, shell_exec_t)
+
+# Obtain weather data via http (read server name from xml file in /usr)
+allow $1_evolution_server_t usr_t:file r_file_perms;
+can_resolve($1_evolution_server_t)
+can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } )
+allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect;
+
+# Talk to ldap (address book)
+can_network_client_tcp($1_evolution_server_t, ldap_port_t)
+allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
+
+# Look in /etc/pki
+r_dir_file($1_evolution_server_t, cert_t)
+
+') dnl evolution_data_server
+
+#######################################
+# evolution_webcal(role_prefix)
+#
+
+define(`evolution_webcal', `
+
+# Type for program
+type $1_evolution_webcal_t, domain, nscd_client_domain;
+
+# Transition from user type
+domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
+role $1_r types $1_evolution_webcal_t;
+
+# X/evolution common stuff
+x_client_domain($1_evolution_webcal, $1)
+evolution_common($1_evolution_webcal, $1)
+
+# Search home directory (?)
+allow $1_evolution_webcal_t $1_home_dir_t:dir search;
+
+# Networking capability - connect to website and handle ics link
+# FIXME: is this necessary ?
+can_resolve($1_evolution_webcal_t);
+can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } )
+allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect;
+  
+') dnl evolution_webcal
+
+#######################################
+# evolution_alarm(role_prefix)
+#
+define(`evolution_alarm', `
+
+# Type for program
+type $1_evolution_alarm_t, domain, nscd_client_domain;
+
+# Transition from user type
+domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
+role $1_r types $1_evolution_alarm_t;
+
+# Common evolution stuff, X
+evolution_common($1_evolution_alarm, $1)
+x_client_domain($1_evolution_alarm, $1)
+
+# Connect to exchange, e-d-s
+bonobo_connect($1_evolution_alarm, $1_evolution_server) 
+bonobo_connect($1_evolution_alarm, $1_evolution_exchange)
+
+# Access evolution home
+home_domain_access($1_evolution_alarm_t, $1, evolution)
+
+') dnl evolution_alarm
+
+########################################
+# evolution_exchange(role_prefix)
+#
+define(`evolution_exchange', `
+
+# Type for program
+type $1_evolution_exchange_t, domain, nscd_client_domain;
+
+# Transition from user type
+domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
+role $1_r types $1_evolution_exchange_t;
+
+# Common evolution stuff, X
+evolution_common($1_evolution_exchange, $1)
+x_client_domain($1_evolution_exchange, $1)
+
+# Access evolution home
+home_domain_access($1_evolution_exchange_t, $1, evolution)
+
+# /tmp/.exchange-$USER
+tmp_domain($1_evolution_exchange)
+ 
+# Allow netstat
+allow $1_evolution_exchange_t bin_t:dir search; 
+can_exec($1_evolution_exchange_t, bin_t)
+r_dir_file($1_evolution_exchange_t, proc_net_t)
+allow $1_evolution_exchange_t sysctl_net_t:dir search;
+allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms;
+
+# Clock applet talks to exchange (FIXME: Needs policy)
+bonobo_connect($1, $1_evolution_exchange)
+
+# FIXME: policy incomplete
+
+') dnl evolution_exchange
+
+#######################################
+# evolution_domain(role_prefix)
+#
+
+define(`evolution_domain', `
+
+# Type for program
+type $1_evolution_t, domain, nscd_client_domain, privlog; 
+
+# Transition from user type
+domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
+role $1_r types $1_evolution_t;
+
+# X, mail, evolution common stuff 
+x_client_domain($1_evolution, $1)
+mail_client_domain($1_evolution, $1)
+gnome_file_dialog($1_evolution, $1)
+evolution_common($1_evolution, $1)
+
+# Connect to e-d-s, exchange, alarm
+bonobo_connect($1_evolution, $1_evolution_server)
+bonobo_connect($1_evolution, $1_evolution_exchange)
+bonobo_connect($1_evolution, $1_evolution_alarm)
+
+# Access .evolution
+home_domain($1, evolution)
+
+# Store passwords in .gnome2_private
+gnome_private_store($1_evolution, $1) 
+
+# Run various programs
+allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms;
+allow $1_evolution_t { self bin_t }:lnk_file r_file_perms;
+
+### Junk mail filtering (start spamd)
+ifdef(`spamd.te', `
+# Start the spam daemon
+domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t)
+role $1_r types spamd_t;
+
+# Write pid file and socket in ~/.evolution/cache/tmp
+file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file })
+
+# Allow evolution to signal the daemon
+# FIXME: Now evolution can read spamd temp files
+allow $1_evolution_t spamd_tmp_t:file r_file_perms;
+allow $1_evolution_t spamd_t:process signal;
+dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr;
+') dnl spamd.te
+
+### Junk mail filtering (start spamc)
+ifdef(`spamc.te', `
+domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t)
+
+# Allow connection to spamd socket above
+allow $1_spamc_t $1_evolution_home_t:dir search;
+') dnl spamc.te
+
+### Junk mail filtering (start spamassassin) 
+ifdef(`spamassassin.te', `
+domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
+') dnl spamassasin.te
+
+') dnl evolution_domain
+
+#################################
+#  evolution_domains(role_prefix) 
+
+define(`evolution_domains', `
+evolution_domain($1)
+evolution_data_server($1)
+evolution_webcal($1)
+evolution_alarm($1)
+evolution_exchange($1)
+') dnl end evolution_domains
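Review bot: in the `spamd.te` block, `role $1_r types spamd_t;` authorizes every user role for the system-wide `spamd_t` domain, and the `# FIXME: Now evolution can read spamd temp files` comment concedes that `allow $1_evolution_t spamd_tmp_t:file r_file_perms;` exposes spamd's temporary files to the mail client. A per-user spamd domain, or confining the readable files to a type created under `$1_evolution_home_t`, would keep that boundary. Also, `bonobo_connect($1, $1_evolution_exchange)` under `# Clock applet talks to exchange (FIXME: Needs policy)` connects the whole user prefix `$1`, not a clock-applet domain, to exchange, which the FIXME should make explicit.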
diff --git a/mls/macros/program/exim_macros.te b/mls/macros/program/exim_macros.te
new file mode 100644
index 0000000..610ca15
--- /dev/null
+++ b/mls/macros/program/exim_macros.te
@@ -0,0 +1,75 @@
+#DESC Exim - Mail server
+#
+# Author:  David Hampton <hampton@employees.org>
+# From postfix.te by Russell Coker <russell@coker.com.au>
+# Depends: mta.te
+#
+
+##########
+# Permissions common to the exim daemon, and exim invoked by a user to
+# send a file
+##########
+define(`exim_common',`
+
+# Networking - All instances need to talk to other mail hosts and
+# amavisd
+can_network_tcp($1_t);
+allow $1_t smtp_port_t:tcp_socket name_connect;
+##  can_network_client_tcp($1_t, smtp_port_t);
+##  ifdef(`amavis.te', `
+##  can_network_client_tcp($1_t, amavisd_recv_port_t);
+##  allow $1_t amavisd_recv_port_t:tcp_socket { recv_msg send_msg };
+##  ')
+can_resolve($1_t);
+
+# Exim forks children to do its work.
+general_domain_access($1_t)
+
+# Certs and SSL
+r_dir_file($1_t, cert_t)
+allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
+
+general_proc_read_access($1_t)
+read_locale($1_t)
+
+allow $1_t etc_t:file { getattr read };
+allow $1_t sbin_t:dir search;
+allow $1_t tmp_t:dir getattr;
+allow $1_t self:fifo_file { read write };
+can_exec($1_t, exim_exec_t)
+allow $1_t self:capability { chown fowner dac_override setgid setuid };
+allow $1_t self:process setrlimit;
+
+# Have to walk through /var/xxx to get to /var/xxx/exim
+allow $1_t var_log_t:dir search;
+allow $1_t var_spool_t:dir search;
+
+# Exim creates a spool file per message
+create_dir_file($1_t, exim_spool_t);
+# It also creates a log file per message
+create_dir_file($1_t, exim_log_t);
+# The database is modified by every message
+allow $1_t exim_spool_db_t:dir search;
+allow $1_t exim_spool_db_t:file rw_file_perms;
+
+# Checking the existence of mailman lists
+allow $1_t mailman_data_t:file getattr;
+
+# Trying to read mtab
+dontaudit $1_t etc_runtime_t:file { getattr read };
+')
+
+
+define(`exim_user_domain',`
+########################################
+########################################
+application_domain(exim_$1, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog');
+in_user_role(exim_$1_t)
+domain_auto_trans($1_t, exim_exec_t, exim_$1_t)
+exim_common(exim_$1)
+role $1_r types exim_$1_t;
+allow exim_$1_t $1_tmp_t:file { getattr read };
+allow exim_$1_t $1_devpts_t:chr_file rw_file_perms;
+allow exim_$1_t sshd_t:fd use;
+')
+
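Review bot: the `##`-commented block (`can_network_client_tcp($1_t, smtp_port_t);` and the `amavis.te` rules) is dead code, and as shipped `exim_common` grants `can_network_tcp($1_t);` with no port restriction, which is broader than the commented-out client rules it replaced. Either delete the block or restore it under `ifdef(`amavis.te'` and drop the blanket grant. Also `allow exim_$1_t sshd_t:fd use;` in `exim_user_domain` deserves a comment explaining the inherited-descriptor case it covers, and the trailing semicolons after macro calls such as `can_resolve($1_t);` are inconsistent with the other files.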
diff --git a/mls/macros/program/fingerd_macros.te b/mls/macros/program/fingerd_macros.te
new file mode 100644
index 0000000..fd56ca7
--- /dev/null
+++ b/mls/macros/program/fingerd_macros.te
@@ -0,0 +1,15 @@
+#
+# Macro for fingerd
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+#
+# fingerd_macro(domain_prefix)
+#
+# allow fingerd to create a fingerlog file in the user home dir
+#
+define(`fingerd_macro', `
+type $1_home_fingerlog_t, file_type, sysadmfile, $1_file_type;
+file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)
+')
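Review bot: `file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)` passes no object class, so every object fingerd creates directly under a user's home directory gets the `$1_home_fingerlog_t` label, not only the fingerlog file; passing `file` as the fourth argument (as `crontab_macros.te` does for `cron_spool_t`) would keep the type specific. The macro also references `fingerd_t` without an `ifdef(`fingerd.te'` guard, unlike the other macros in this series that depend on an optional domain.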
diff --git a/mls/macros/program/fontconfig_macros.te b/mls/macros/program/fontconfig_macros.te
new file mode 100644
index 0000000..7f4a56d
--- /dev/null
+++ b/mls/macros/program/fontconfig_macros.te
@@ -0,0 +1,52 @@
+#
+# Fontconfig related types 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+# fontconfig_domain(role_prefix) - create fontconfig domain
+#
+# read_fonts(domain, role_prefix) - 
+#         allow domain to read fonts, optionally per/user
+#  
+
+define(`fontconfig_domain', `
+
+type $1_fonts_t, file_type, $1_file_type, sysadmfile;
+type $1_fonts_config_t, file_type, $1_file_type, sysadmfile;
+type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile;
+
+create_dir_file($1_t, $1_fonts_t)
+allow $1_t $1_fonts_t:{ dir file } { relabelto relabelfrom };
+
+create_dir_file($1_t, $1_fonts_config_t)
+allow $1_t $1_fonts_config_t:file { relabelto relabelfrom };
+
+# For startup relabel
+allow $1_t $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+
+') dnl fontconfig_domain
+
+####################
+
+define(`read_fonts', `
+
+# Read global fonts and font config
+r_dir_file($1, fonts_t)
+r_dir_file($1, etc_t)
+
+ifelse(`$2', `', `', `
+
+# Manipulate the global font cache
+create_dir_file($1, $2_fonts_cache_t)
+
+# Read per user fonts and font config
+r_dir_file($1, $2_fonts_t)
+r_dir_file($1, $2_fonts_config_t)
+
+# There are some fonts in .gnome2
+ifdef(`gnome.te', `
+allow $1 $2_gnome_settings_t:dir { getattr search };
+')
+
+') dnl ifelse
+') dnl read_fonts
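Review bot: in `read_fonts`, the comment `# Manipulate the global font cache` sits above `create_dir_file($1, $2_fonts_cache_t)`, which is the per-user cache type declared in `fontconfig_domain`, so the comment is misleading. Also `r_dir_file($1, etc_t)` grants any caller of `read_fonts` read access to all of `etc_t`, not just the fontconfig configuration; that should be stated in the header comment or the rule narrowed.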
diff --git a/mls/macros/program/games_domain.te b/mls/macros/program/games_domain.te
new file mode 100644
index 0000000..d4c1d05
--- /dev/null
+++ b/mls/macros/program/games_domain.te
@@ -0,0 +1,89 @@
+#DESC games
+#
+# Macros for games
+#
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com> 
+#
+#
+# games_domain(domain_prefix)
+#
+#
+define(`games_domain', `
+
+type $1_games_t, domain, nscd_client_domain;
+
+# Type transition
+if (! disable_games_trans) {
+domain_auto_trans($1_t, games_exec_t, $1_games_t)
+}
+can_exec($1_games_t, games_exec_t)
+role $1_r types $1_games_t;
+
+can_create_pty($1_games)
+
+# X access, GNOME, /tmp files
+x_client_domain($1_games, $1)
+tmp_domain($1_games, `', { dir notdevfile_class_set })
+gnome_application($1_games, $1)
+gnome_file_dialog($1_games, $1)
+
+# Games seem to need this
+if (allow_execmem) {
+allow $1_games_t self:process execmem;
+}
+
+allow $1_games_t texrel_shlib_t:file execmod;
+allow $1_games_t var_t:dir { search getattr };
+rw_dir_create_file($1_games_t, games_data_t)
+allow $1_games_t sound_device_t:chr_file rw_file_perms;
+can_udp_send($1_games_t, $1_games_t)
+can_tcp_connect($1_games_t, $1_games_t)
+
+# Access /home/user/.gnome2
+# FIXME: Change to use per app types
+create_dir_file($1_games_t, $1_gnome_settings_t)
+
+# FIXME: why is this necessary - ORBit?
+# ORBit works differently now
+create_dir_file($1_games_t, $1_tmp_t)
+allow $1_games_t $1_tmp_t:sock_file create_file_perms;
+can_unix_connect($1_t, $1_games_t)
+can_unix_connect($1_games_t, $1_t)
+
+ifdef(`xdm.te', `
+allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
+allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
+allow $1_games_t xdm_var_lib_t:file { getattr read };
+')dnl end if xdm.te
+
+allow $1_games_t var_lib_t:dir search;
+r_dir_file($1_games_t, man_t)
+allow $1_games_t { proc_t self }:dir search;
+allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
+ifdef(`mozilla.te', ` 
+dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
+')
+allow $1_games_t event_device_t:chr_file getattr;
+allow $1_games_t mouse_device_t:chr_file getattr;
+
+allow $1_games_t self:file { getattr read };
+allow $1_games_t self:sem create_sem_perms;
+
+allow $1_games_t { bin_t sbin_t }:dir { getattr search };
+can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
+allow $1_games_t bin_t:lnk_file read;
+
+dontaudit $1_games_t var_run_t:dir search;
+dontaudit $1_games_t initrc_var_run_t:file { read write };
+dontaudit $1_games_t var_log_t:dir search;
+
+can_network($1_games_t)
+allow $1_games_t port_t:tcp_socket name_bind;
+allow $1_games_t port_t:tcp_socket name_connect;
+
+# Suppress .icons denial until properly implemented
+dontaudit $1_games_t $1_home_t:dir read;
+
+')dnl end macro definition
+
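Review bot: the network rules at the end of the macro are wider than a game client needs: `can_network($1_games_t)` together with `allow $1_games_t port_t:tcp_socket name_bind;` and the following `name_connect` line let every user's games domain listen on, and connect to, any generic port. The execmem rule earlier in the macro is already gated on `allow_execmem`; gate the listening side the same way or restrict `name_bind` to a dedicated games port type, keeping only `name_connect` for multiplayer clients. Separately, `disable_games_trans` is tested in the `if` at the top of the macro but is not declared in this file; confirm it is declared alongside `games_exec_t` so the macro compiles wherever it is invoked, and trim the trailing whitespace on the `# Authors:` line.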
diff --git a/mls/macros/program/gconf_macros.te b/mls/macros/program/gconf_macros.te
new file mode 100644
index 0000000..6f97ca3
--- /dev/null
+++ b/mls/macros/program/gconf_macros.te
@@ -0,0 +1,57 @@
+#
+# GConfd daemon  
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+#######################################
+# gconfd_domain(role_prefix)
+#
+
+define(`gconfd_domain', `
+
+# Type for daemon
+type $1_gconfd_t, domain, nscd_client_domain, privlog;
+
+gnome_application($1_gconfd, $1)
+
+# Transition from user type
+domain_auto_trans($1_t, gconfd_exec_t, $1_gconfd_t)
+role $1_r types $1_gconfd_t;
+
+allow $1_gconfd_t self:process { signal getsched };
+
+# Access .gconfd and .gconf
+home_domain($1, gconfd)
+file_type_auto_trans($1_gconfd_t, $1_home_dir_t, $1_gconfd_home_t, dir)
+
+# Access /etc/gconf
+r_dir_file($1_gconfd_t, gconf_etc_t)
+
+# /tmp/gconfd-USER
+tmp_domain($1_gconfd)
+
+can_pipe_xdm($1_gconfd_t)
+ifdef(`xdm.te', `
+allow xdm_t $1_gconfd_t:process signal;
+')
+
+') dnl gconf_domain
+
+#####################################
+# gconf_client(prefix, role_prefix)
+#
+
+define(`gconf_client', `
+
+# Launch the daemon if necessary
+domain_auto_trans($1_t, gconfd_exec_t, $2_gconfd_t)
+
+# Connect over bonobo
+bonobo_connect($1, $2_gconfd)
+
+# Read lock/ior
+allow $1_t $2_gconfd_tmp_t:dir { getattr search };
+allow $1_t $2_gconfd_tmp_t:file { getattr read }; 
+
+') dnl gconf_client 
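Review bot: the closing marker `') dnl gconf_domain` does not name the macro it closes, which is `gconfd_domain`; fix it so end markers can be searched for by macro name. One design point on `gconf_client`: when it is invoked with both prefixes equal, as gnome_macros.te does with `gconf_client($1, $1)` right after `gconfd_domain($1)`, its `domain_auto_trans($1_t, gconfd_exec_t, $2_gconfd_t)` duplicates the transition `gconfd_domain` already installs; either document that callers which ran `gconfd_domain` for the same prefix get the rule twice, or guard it with an `ifelse($1, $2, ...)`. Trailing whitespace on the `# GConfd daemon` header line, the `allow $1_t $2_gconfd_tmp_t:file { getattr read };` line and the final `dnl gconf_client` line.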
diff --git a/mls/macros/program/gift_macros.te b/mls/macros/program/gift_macros.te
new file mode 100644
index 0000000..d8e39e2
--- /dev/null
+++ b/mls/macros/program/gift_macros.te
@@ -0,0 +1,104 @@
+#
+# Macros for giFT
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+# gift_domains(domain_prefix)
+# declares a domain for giftui and giftd
+
+#########################
+#  gift_domain(user)    #
+#########################
+
+define(`gift_domain', `
+
+# Type transition
+type $1_gift_t, domain, nscd_client_domain;
+domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
+role $1_r types $1_gift_t;
+
+# X access, Home files, GNOME, /tmp
+x_client_domain($1_gift, $1)
+gnome_application($1_gift, $1)
+home_domain($1, gift)
+file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
+
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_gift_t)
+allow $1_t $1_gift_t:process signal_perms;
+
+# Launch gift daemon
+allow $1_gift_t bin_t:dir search;
+domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
+
+# Connect to gift daemon
+can_network_client_tcp($1_gift_t, giftd_port_t)
+allow $1_gift_t giftd_port_t:tcp_socket name_connect;
+
+# Read /proc/meminfo
+allow $1_gift_t proc_t:dir search;
+allow $1_gift_t proc_t:file { getattr read };
+
+# giftui looks in .icons, .themes.
+dontaudit $1_gift_t $1_home_t:dir { getattr read search };
+dontaudit $1_gift_t $1_home_t:file { getattr read };
+
+') dnl gift_domain
+
+##########################
+#  giftd_domain(user)    #
+##########################
+
+define(`giftd_domain', `
+
+type $1_giftd_t, domain;
+
+# Transition from user type
+domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)
+role $1_r types $1_giftd_t;
+
+# Self permissions, allow fork
+allow $1_giftd_t self:process { fork signal sigchld setsched };
+allow $1_giftd_t self:unix_stream_socket create_socket_perms;
+
+read_sysctl($1_giftd_t)
+read_locale($1_giftd_t)
+uses_shlib($1_giftd_t)
+access_terminal($1_giftd_t, $1)
+
+# Read /proc/meminfo
+allow $1_giftd_t proc_t:dir search;
+allow $1_giftd_t proc_t:file { getattr read };
+
+# Read /etc/mtab
+allow $1_giftd_t etc_runtime_t:file { getattr read };
+
+# Access home domain
+home_domain_access($1_giftd_t, $1, gift)
+file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
+
+# Serve content on various p2p networks. Ports can be random.
+can_network_server($1_giftd_t)
+allow $1_giftd_t self:udp_socket listen;
+allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;
+
+# Connect to various p2p networks. Ports can be random.
+can_network_client($1_giftd_t)
+allow $1_giftd_t port_type:tcp_socket name_connect;
+
+# Plugins
+r_dir_file($1_giftd_t, usr_t)
+
+# Connect to xdm
+can_pipe_xdm($1_giftd_t)
+
+') dnl giftd_domain
+
+##########################
+#  gift_domains(user)    #
+##########################
+
+define(`gift_domains', `
+gift_domain($1)
+giftd_domain($1)
+') dnl gift_domains
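Review bot: `file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)` under `# Access home domain` in `giftd_domain` names the UI domain `$1_gift_t` instead of the daemon `$1_giftd_t`, and it repeats the identical rule already present in `gift_domain`; if the daemon is meant to create its home subdirectory itself, the rule should read `file_type_auto_trans($1_giftd_t, $1_home_dir_t, $1_gift_home_t, dir)`. The daemon's port rules are also wider than the comment `Ports can be random` suggests: `allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;` lets it bind every labelled port type, including reserved service ports, not just unreserved ones; prefer `{ port_t giftd_port_t }` there and narrow the `port_type:tcp_socket name_connect` rule to the same set if the p2p networks allow it.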
diff --git a/mls/macros/program/gnome_macros.te b/mls/macros/program/gnome_macros.te
new file mode 100644
index 0000000..5d31af5
--- /dev/null
+++ b/mls/macros/program/gnome_macros.te
@@ -0,0 +1,115 @@
+#
+# GNOME related types 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+# gnome_domain(role_prefix) - create GNOME domain (run for each role)
+# gnome_application(app_prefix, role_prefix) - common stuff for gnome apps
+# gnome_file_dialog(role_prefix) - gnome file dialog rules
+# gnome_private_store(app_prefix, role_prefix) - store private files in .gnome2_private
+
+define(`gnome_domain', `
+
+# Types for .gnome2 and .gnome2_private.
+# For backwards compatibility, allow unrestricted
+# access from ROLE_t. However, content inside
+# *should* be labeled per application eventually.
+# For .gnome2_private, use the private_store macro below. 
+
+type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile;
+create_dir_file($1_t, $1_gnome_settings_t)
+allow $1_t $1_gnome_settings_t:{ dir file } { relabelfrom relabelto };
+
+type $1_gnome_secret_t, file_type, $1_file_type, sysadmfile;
+create_dir_file($1_t, $1_gnome_secret_t)
+allow $1_t $1_gnome_secret_t:{ dir file } { relabelfrom relabelto };
+
+# GConf domain
+gconfd_domain($1)
+gconf_client($1, $1)
+
+# Bonobo-activation-server
+bonobo_domain($1)
+bonobo_client($1, $1)
+
+# GNOME vfs daemon
+gnome_vfs_domain($1)
+gnome_vfs_client($1, $1)
+
+# ICE is necessary for session management
+ice_domain($1, $1)
+
+')
+
+#################################
+
+define(`gnome_application', `
+
+# If launched from a terminal
+access_terminal($1_t, $2)
+
+# Forking is generally okay
+allow $1_t self:process { sigchld sigkill signal setrlimit getsched setsched fork };
+allow $1_t self:fifo_file rw_file_perms;
+
+# Shlib, locale, sysctl, proc
+uses_shlib($1_t)
+read_locale($1_t)
+read_sysctl($1_t)
+
+allow $1_t { self proc_t }:dir { search read getattr };
+allow $1_t { self proc_t }:{ file lnk_file } { read getattr };
+
+# Most gnome apps use bonobo
+bonobo_client($1, $2)
+
+# Within-process bonobo-activation of components
+bonobo_connect($1, $1)
+
+# Session management happens over ICE
+# FIXME: More specific context is needed for gnome-session
+ice_connect($1, $2)
+
+# Most talk to GConf
+gconf_client($1, $2)
+
+# Allow getattr/read/search of .gnome2 and .gnome2_private
+# Reading files should *not* be allowed - instead, more specific
+# types should be created to handle such requests
+allow $1_t { $2_gnome_settings_t $2_gnome_secret_t }:dir r_dir_perms;
+
+# Access /etc/mtab, /etc/nsswitch.conf
+allow $1_t etc_t:file { read getattr };
+allow $1_t etc_runtime_t:file { read getattr };
+
+# Themes, gtkrc
+allow $1_t usr_t:{ file lnk_file } r_file_perms;
+
+') dnl gnome_application
+
+################################
+
+define(`gnome_file_dialog', `
+
+# GNOME Open/Save As dialogs 
+dontaudit_getattr($1_t)
+dontaudit_search_dir($1_t)
+
+# Bonobo connection to gnome_vfs daemon
+bonobo_connect($1, $2_gnome_vfs)
+ 
+') dnl gnome_file_dialog
+
+################################
+
+define(`gnome_private_store', `
+
+# Type for storing secret data
+# (different from home, not directly accessible from ROLE_t)
+type $1_secret_t, file_type, $2_file_type, sysadmfile;
+
+# Put secret files in .gnome2_private
+file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file);
+allow $2_t $1_secret_t:file unlink;
+
+') dnl gnome_private_store
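Review bot: the header documents `gnome_file_dialog(role_prefix)` as taking one argument, but the body uses both `$1` (`dontaudit_getattr($1_t)`) and `$2` (`bonobo_connect($1, $2_gnome_vfs)`), matching the two-argument call `gnome_file_dialog($1_games, $1)` in games_domain.te; change the header to `gnome_file_dialog(app_prefix, role_prefix)`. Style: `file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file);` carries a trailing `;` that no other macro invocation in the file has; drop it for consistency. Also note that `gnome_application` unconditionally pulls in `gconf_client($1, $2)` and `bonobo_connect($1, $1)`, and gconf_macros.te invokes it as `gnome_application($1_gconfd, $1)` on the gconfd domain itself, so gconfd ends up with a `domain_auto_trans` from `$1_gconfd_t` through `gconfd_exec_t` back to `$1_gconfd_t`; if that self-transition is not wanted, the daemons need a slimmer macro than the general application one.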
diff --git a/mls/macros/program/gnome_vfs_macros.te b/mls/macros/program/gnome_vfs_macros.te
new file mode 100644
index 0000000..8ff5c28
--- /dev/null
+++ b/mls/macros/program/gnome_vfs_macros.te
@@ -0,0 +1,55 @@
+#
+# GNOME VFS daemon  
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+#######################################
+# gnome_vfs_domain(role_prefix)
+#
+
+define(`gnome_vfs_domain', `
+
+# Type for daemon
+type $1_gnome_vfs_t, domain, nscd_client_domain;
+
+# GNOME, dbus
+gnome_application($1_gnome_vfs, $1)
+dbusd_client(system, $1_gnome_vfs)
+allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg;
+ifdef(`hald.te', `
+allow $1_gnome_vfs_t hald_t:dbus send_msg;
+allow hald_t $1_gnome_vfs_t:dbus send_msg;
+')
+
+# Transition from user type
+domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
+role $1_r types $1_gnome_vfs_t; 
+
+# Stat top level directories on mount_points (check free space?)
+allow $1_gnome_vfs_t { fs_type default_t boot_t home_root_t device_t }:dir getattr;
+
+# Search path to /home (??)
+allow $1_gnome_vfs_t home_root_t:dir search;
+allow $1_gnome_vfs_t $1_home_dir_t:dir search;
+
+# Search path to rpc_pipefs mount point (??)
+allow $1_gnome_vfs_t var_lib_nfs_t:dir search;
+allow $1_gnome_vfs_t var_lib_t:dir search;
+
+# Search libexec (??)
+allow $1_gnome_vfs_t bin_t:dir search;
+can_exec($1_gnome_vfs_t, bin_t)
+
+') dnl gnome_vfs_domain
+
+#####################################
+# gnome_vfs_client(prefix, role_prefix)
+#
+
+define(`gnome_vfs_client', `
+
+# Connect over bonobo
+bonobo_connect($1, $2_gnome_vfs)
+
+') dnl gnome_vfs_client 
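Review bot: `can_exec($1_gnome_vfs_t, bin_t)` under `# Search libexec (??)` lets the daemon execute any bin_t program without a domain change, and the `(??)` markers on four rule groups show the reasons were never established; before merging, identify the helper the daemon actually runs and give it an exec type with its own transition, or at least record in each comment which denial the rule answers. The `getattr` on `{ fs_type default_t boot_t home_root_t device_t }:dir` is similarly wide for a rule whose comment ends in a question mark and should say which mount points it is for. Trailing whitespace on the `# GNOME VFS daemon` header line and the `role $1_r types $1_gnome_vfs_t;` line.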
diff --git a/mls/macros/program/gpg_agent_macros.te b/mls/macros/program/gpg_agent_macros.te
new file mode 100644
index 0000000..f7ad8b0
--- /dev/null
+++ b/mls/macros/program/gpg_agent_macros.te
@@ -0,0 +1,125 @@
+#
+# Macros for gpg agent
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+#
+# 
+# gpg_agent_domain(domain_prefix)
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/gpg-agent.te. 
+#
+define(`gpg_agent_domain',`
+# Define a derived domain for the gpg-agent program when executed
+# by a user domain.
+# Derived domain based on the calling user domain and the program.
+type $1_gpg_agent_t, domain;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_gpg_agent_t;
+
+allow $1_gpg_agent_t privfd:fd use;
+
+# Write to the user domain tty.
+access_terminal($1_gpg_agent_t, $1)
+
+# Allow the user shell to signal the gpg-agent program.
+allow $1_t $1_gpg_agent_t:process { signal sigkill };
+# allow ps to show gpg-agent
+can_ps($1_t, $1_gpg_agent_t)
+
+uses_shlib($1_gpg_agent_t)
+read_locale($1_gpg_agent_t)
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow $1_gpg_agent_t self:process { setrlimit fork sigchld };
+
+allow $1_gpg_agent_t { self proc_t }:dir search;
+allow $1_gpg_agent_t { self proc_t }:lnk_file read;
+
+allow $1_gpg_agent_t device_t:dir { getattr read };
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
+create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
+if (use_nfs_home_dirs) {
+create_dir_file($1_gpg_agent_t, nfs_t)
+}
+if (use_samba_home_dirs) {
+create_dir_file($1_gpg_agent_t, cifs_t)
+}
+
+allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_gpg_agent_t self:fifo_file { getattr read write };
+
+# create /tmp files
+tmp_domain($1_gpg_agent, `', `{ file dir sock_file }')
+
+# gpg connect
+allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
+allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
+can_unix_connect($1_gpg_t, $1_gpg_agent_t)
+
+# policy for pinentry
+# ===================
+# we need to allow gpg-agent to call pinentry so it can get the passphrase 
+# from the user.
+# Please note that I didnt use the x_client_domain-macro as it gives too 
+# much permissions
+type $1_gpg_pinentry_t, domain;
+role $1_r types $1_gpg_pinentry_t;
+
+allow $1_gpg_agent_t bin_t:dir search;
+domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
+
+uses_shlib($1_gpg_pinentry_t)
+read_locale($1_gpg_pinentry_t)
+
+allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
+
+ifdef(`xdm.te', `
+allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
+allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
+can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
+')dnl end ig xdm.te
+
+read_fonts($1_gpg_pinentry_t, $1)
+# read kde font cache
+allow $1_gpg_pinentry_t usr_t:file { getattr read };
+
+allow $1_gpg_pinentry_t { proc_t self }:dir search;
+allow $1_gpg_pinentry_t { proc_t self }:lnk_file read;
+# read /proc/meminfo
+allow $1_gpg_pinentry_t proc_t:file read;
+
+allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
+
+# for .Xauthority
+allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
+allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
+# wants to put some lock files into the user home dir, seems to work fine without
+dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
+dontaudit $1_gpg_pinentry_t $1_home_t:file write;
+if (use_nfs_home_dirs) {
+allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
+allow $1_gpg_pinentry_t nfs_t:file { getattr read };
+dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
+dontaudit $1_gpg_pinentry_t nfs_t:file write;
+}
+if (use_samba_home_dirs) {
+allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
+allow $1_gpg_pinentry_t cifs_t:file { getattr read };
+dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
+dontaudit $1_gpg_pinentry_t cifs_t:file write;
+}
+
+# read /etc/X11/qtrc
+allow $1_gpg_pinentry_t etc_t:file { getattr read };
+
+dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search };
+
+')dnl end if gpg_agent
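Review bot: the header says the executable type is declared separately in domains/program/gpg-agent.te, but the macro also depends on `pinentry_exec_t` for `domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)`, so the header should list that type as well. Comment typos: `')dnl end ig xdm.te` should read `end if xdm.te`, and in the pinentry block `I didnt use the x_client_domain-macro as it gives too much permissions` should read `I didn't use the x_client_domain macro as it grants too many permissions`. The final `')dnl end if gpg_agent` closes the `define`, not an `ifdef`, so `end gpg_agent_domain` would be the accurate marker.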
diff --git a/mls/macros/program/gpg_macros.te b/mls/macros/program/gpg_macros.te
new file mode 100644
index 0000000..9dba8f7
--- /dev/null
+++ b/mls/macros/program/gpg_macros.te
@@ -0,0 +1,113 @@
+#
+# Macros for gpg and pgp
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+# based on the work of:
+# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
+#
+
+#
+# gpg_domain(domain_prefix)
+#
+# Define a derived domain for the gpg/pgp program when executed by
+# a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/gpg.te.
+#
+define(`gpg_domain', `
+# Derived domain based on the calling user domain and the program.
+type $1_gpg_t, domain, privlog;
+type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
+role $1_r types $1_gpg_t;
+
+can_network($1_gpg_t)
+allow $1_gpg_t port_type:tcp_socket name_connect;
+can_ypbind($1_gpg_t)
+
+# for a bug in kmail
+dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
+
+allow $1_gpg_t device_t:dir r_dir_perms;
+allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
+
+allow $1_gpg_t etc_t:file r_file_perms;
+
+allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
+
+access_terminal($1_gpg_t, $1)
+ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
+
+# Inherit and use descriptors
+allow $1_gpg_t { privfd $1_t }:fd use;
+allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
+
+# setrlimit is for ulimit -c 0
+allow $1_gpg_t self:process { setrlimit setcap setpgid };
+
+# allow ps to show gpg
+can_ps($1_t, $1_gpg_t)
+
+uses_shlib($1_gpg_t)
+
+# Access .gnupg
+rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
+
+# Read content to encrypt/decrypt/sign
+read_content($1_gpg_t, $1)
+
+# Write content to encrypt/decrypt/sign
+write_trusted($1_gpg_t, $1)
+
+allow $1_gpg_t self:capability { ipc_lock setuid };
+
+allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
+allow $1_gpg_t fs_t:filesystem getattr;
+allow $1_gpg_t usr_t:file r_file_perms;
+read_locale($1_gpg_t)
+
+dontaudit $1_gpg_t var_t:dir search;
+
+ifdef(`gpg-agent.te', `gpg_agent_domain($1)')
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the 
+# mail interface you will likely need additional permissions.
+type $1_gpg_helper_t, domain;
+role $1_r types $1_gpg_helper_t;
+
+domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
+uses_shlib($1_gpg_helper_t)
+
+# allow gpg to fork so it can call the helpers
+allow $1_gpg_t self:process { fork sigchld };
+allow $1_gpg_t self:fifo_file { getattr read write };
+
+dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+if (use_nfs_home_dirs) {
+dontaudit $1_gpg_helper_t nfs_t:file { read write };
+}
+if (use_samba_home_dirs) {
+dontaudit $1_gpg_helper_t cifs_t:file { read write };
+}
+
+# communicate with the user 
+allow $1_gpg_helper_t $1_t:fd use;
+allow $1_gpg_helper_t $1_t:fifo_file write;
+# get keys from the network
+can_network_client($1_gpg_helper_t)
+allow $1_gpg_helper_t port_type:tcp_socket name_connect;
+allow $1_gpg_helper_t etc_t:file { getattr read };
+allow $1_gpg_helper_t urandom_device_t:chr_file read;
+allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+# for nscd
+dontaudit $1_gpg_helper_t var_t:dir search;
+
+can_pipe_xdm($1_gpg_t)
+
+')dnl end gpg_domain definition
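Review bot: `can_network($1_gpg_t)` together with `allow $1_gpg_t port_type:tcp_socket name_connect;` gives the gpg domain both server and client network access to every port type, while the helper section further down (`$1_gpg_helper_t` with `can_network_client` and its own `name_connect`) already delegates key fetching to separate helper programs; if gpg itself only reaches the network through those helpers, the main domain's rules can be dropped or reduced to client-only, which limits what a hostile keyserver response can reach. Also, `# setrlimit is for ulimit -c 0` explains only one of the three permissions in `self:process { setrlimit setcap setpgid }`; say why `setcap` and `setpgid` are needed. Trailing whitespace on the `# Note: this is only tested with the hkp interface.` and `# communicate with the user` lines.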
diff --git a/mls/macros/program/gph_macros.te b/mls/macros/program/gph_macros.te
new file mode 100644
index 0000000..d784fcc
--- /dev/null
+++ b/mls/macros/program/gph_macros.te
@@ -0,0 +1,85 @@
+#
+# Macros for gnome-pty-helper domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
+#
+
+#
+# gph_domain(domain_prefix, role_prefix)
+#
+# Define a derived domain for the gnome-pty-helper program when
+# executed by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/gnome-pty-helper.te. 
+#
+# The *_gph_t domains are for the gnome_pty_helper program.
+# This program is executed by gnome-terminal to handle
+# updates to utmp and wtmp.  In this regard, it is similar
+# to utempter.  However, unlike utempter, gnome-pty-helper
+# also creates the pty file for the terminal program.
+# There is one *_gph_t domain for each user domain.  
+#
+undefine(`gph_domain')
+define(`gph_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_gph_t, domain, gphdomain, nscd_client_domain;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, gph_exec_t, $1_gph_t)
+
+# The user role is authorized for this domain.
+role $2_r types $1_gph_t;
+
+# This domain is granted permissions common to most domains.
+uses_shlib($1_gph_t)
+
+# Use capabilities.
+allow $1_gph_t self:capability { chown fsetid setgid setuid };
+
+# Update /var/run/utmp and /var/log/wtmp.
+allow $1_gph_t { var_t var_run_t }:dir search;
+allow $1_gph_t initrc_var_run_t:file rw_file_perms;
+allow $1_gph_t wtmp_t:file rw_file_perms;
+
+# Allow gph to rw to stream sockets of appropriate user type.
+# (Need this so gnome-pty-helper can pass pty fd to parent 
+#  gnome-terminal which is running in a user domain.)
+allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms;
+
+allow $1_gph_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow user domain to use pty fd from gnome-pty-helper.
+allow $1_t $1_gph_t:fd use;
+
+# Use the network, e.g. for NIS lookups.
+can_resolve($1_gph_t)
+can_ypbind($1_gph_t)
+
+allow $1_gph_t etc_t:file { getattr read };
+
+# Added by David A. Wheeler:
+# Allow gnome-pty-helper to update /var/log/lastlog
+# (the gnome-pty-helper in Red Hat Linux 7.1 does this):
+allow $1_gph_t lastlog_t:file rw_file_perms;
+allow $1_gph_t var_log_t:dir search;
+allow $1_t $1_gph_t:process signal;
+
+ifelse($2, `system', `
+# Create ptys for the system
+can_create_other_pty($1_gph, initrc)
+', `
+# Create ptys for the user domain.
+can_create_other_pty($1_gph, $1)
+
+# Read and write the users tty.
+allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms;
+
+# Allow gnome-pty-helper to write the .xsession-errors file.
+allow $1_gph_t home_root_t:dir search;
+allow $1_gph_t $1_home_t:dir { search add_name };
+allow $1_gph_t $1_home_t:file { create write };
+')dnl end ifelse system
+')dnl end macro
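Review bot: the `.xsession-errors` rules at the end, `allow $1_gph_t $1_home_t:dir { search add_name };` and `allow $1_gph_t $1_home_t:file { create write };`, let a domain that also holds `capability { chown fsetid setgid setuid }` create and write any file of the generic user home type, not just the error log; a dedicated type for that file with a `file_type_auto_trans` from `$1_home_t` would confine the write to the one file the comment describes. Also, `# Read and write the users tty.` should read `user's tty`. Trailing whitespace on the `# Authors:` line and the `# There is one *_gph_t domain for each user domain.` line.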
diff --git a/mls/macros/program/i18n_input_macros.te b/mls/macros/program/i18n_input_macros.te
new file mode 100644
index 0000000..58699fc
--- /dev/null
+++ b/mls/macros/program/i18n_input_macros.te
@@ -0,0 +1,21 @@
+#
+# Macros for i18n_input
+#
+
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com> 
+#
+
+#
+# i18n_input_domain(domain)
+#
+ifdef(`i18n_input.te', `
+define(`i18n_input_domain', `
+allow i18n_input_t $1_home_dir_t:dir { getattr search };
+r_dir_file(i18n_input_t, $1_home_t)
+if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) }
+if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) }
+')
+')
+
+
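Review bot: `i18n_input_domain` is only defined inside `ifdef(`i18n_input.te', ...)`, so on a build without i18n_input.te any `i18n_input_domain(...)` call in a user macro is left unexpanded by m4 and reaches checkpolicy as a syntax error. irc_macros.te in this same change handles the case with an empty fallback (`define(`irc_domain',`')` in the else branch of its `ifdef`); use the same pattern here. The two blank `+` lines at the end of the file can go.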
diff --git a/mls/macros/program/ice_macros.te b/mls/macros/program/ice_macros.te
new file mode 100644
index 0000000..b373496
--- /dev/null
+++ b/mls/macros/program/ice_macros.te
@@ -0,0 +1,38 @@
+#
+# ICE related types 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+# ice_domain(prefix, role) - create ICE sockets
+# ice_connect(type1_prefix, type2_prefix) - allow communication through ICE sockets 
+
+define(`ice_domain', `
+ifdef(`$1_ice_tmp_t_defined',`', `
+define(`$1_ice_tmp_t_defined')
+
+# Type for ICE sockets
+type $1_ice_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile;
+file_type_auto_trans($1_t, ice_tmp_t, $1_ice_tmp_t)
+
+# Create the sockets
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_t self:unix_dgram_socket create_socket_perms;
+
+# FIXME: How does iceauth tie in?
+
+')
+')
+
+# FIXME: Should this be bidirectional?
+# Adding only unidirectional for now.
+
+define(`ice_connect', `
+
+# Read .ICEauthority file
+allow $1_t $2_iceauth_home_t:file { read getattr };
+
+can_unix_connect($1_t, $2_t)
+allow $1_t ice_tmp_t:dir r_dir_perms;
+allow $1_t $2_ice_tmp_t:sock_file { read write };
+allow $1_t $2_t:unix_stream_socket { read write };
+')
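Review bot: the header documents `ice_domain(prefix, role)`, but the body only ever uses `$1`; the `role` argument is unused, so either drop it from the signature (and from the `ice_domain($1, $1)` call in gnome_macros.te) or say what it is for. Both `file_type_auto_trans($1_t, ice_tmp_t, $1_ice_tmp_t)` and `allow $1_t ice_tmp_t:dir r_dir_perms;` depend on an `ice_tmp_t` type this file does not declare; the header should state where it is declared, as the other macro files do for their exec types. Trailing whitespace on the `# ICE related types` and `# ice_connect(...)` lines.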
diff --git a/mls/macros/program/iceauth_macros.te b/mls/macros/program/iceauth_macros.te
new file mode 100644
index 0000000..cc7e804
--- /dev/null
+++ b/mls/macros/program/iceauth_macros.te
@@ -0,0 +1,40 @@
+#
+# Macros for iceauth domains.
+#
+# Author:  Ivan Gyurdiev <gyurdiev@redhat.com>
+#
+# iceauth_domain(domain_prefix)
+
+define(`iceauth_domain',`
+
+# Program type
+type $1_iceauth_t, domain;
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, iceauth_exec_t, $1_iceauth_t)
+role $1_r types $1_iceauth_t;
+
+# Store .ICEauthority files
+home_domain($1, iceauth)
+file_type_auto_trans($1_iceauth_t, $1_home_dir_t, $1_iceauth_home_t, file)
+
+# Supress xdm trying to restore .ICEauthority permissions
+ifdef(`xdm.te', `
+dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;
+')
+
+# /root
+allow $1_iceauth_t root_t:dir search;
+
+# Terminal output
+access_terminal($1_iceauth_t, $1)
+
+uses_shlib($1_iceauth_t)
+
+# ??? 
+allow $1_iceauth_t etc_t:dir search;
+allow $1_iceauth_t usr_t:dir search;
+
+# FIXME: policy is incomplete
+
+')dnl end xauth_domain macro
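Review bot: the reason given for `dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;` is `xdm trying to restore .ICEauthority permissions`, but `r_file_perms` covers reading rather than `setattr`; either the comment or the permission set is wrong, and the denial being silenced should be confirmed before merging. The closing marker `')dnl end xauth_domain macro` was carried over from the xauth macro and should say `iceauth_domain`. Typo: `# Supress` should be `# Suppress`. The `# ???` over the `etc_t` and `usr_t` dir search rules and the `# FIXME: policy is incomplete` note mean this macro ships with unexplained rules; record the denial each one answers.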
diff --git a/mls/macros/program/inetd_macros.te b/mls/macros/program/inetd_macros.te
new file mode 100644
index 0000000..e5c4eed
--- /dev/null
+++ b/mls/macros/program/inetd_macros.te
@@ -0,0 +1,97 @@
+#################################
+#
+# Rules for the $1_t domain.
+#
+# $1_t is a general domain for daemons started
+# by inetd that do not have their own individual domains yet.
+# $1_exec_t is the type of the corresponding
+# programs.
+#
+define(`inetd_child_domain', `
+type $1_t, domain, privlog, nscd_client_domain;
+role system_r types $1_t;
+
+#
+# Allows user to define a tunable to disable domain transition
+#
+bool $1_disable_trans false;
+if ($1_disable_trans) {
+can_exec(initrc_t, $1_exec_t)
+can_exec(sysadm_t, $1_exec_t)
+} else {
+domain_auto_trans(inetd_t, $1_exec_t, $1_t)
+allow inetd_t $1_t:process sigkill;
+}
+
+can_network_server($1_t)
+can_ypbind($1_t)
+uses_shlib($1_t)
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_socket_perms;
+allow $1_t self:fifo_file rw_file_perms;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+read_locale($1_t)
+allow $1_t device_t:dir search;
+allow $1_t proc_t:dir search;
+allow $1_t proc_t:{ file lnk_file } { getattr read };
+allow $1_t self:process { fork signal_perms };
+allow $1_t fs_t:filesystem getattr;
+
+read_sysctl($1_t)
+
+allow $1_t etc_t:file { getattr read };
+
+tmp_domain($1)
+allow $1_t var_t:dir search;
+var_run_domain($1)
+
+# Inherit and use descriptors from inetd.
+allow $1_t inetd_t:fd use;
+
+# for identd
+allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow $1_t self:capability { setuid setgid };
+allow $1_t home_root_t:dir search;
+allow $1_t self:dir search;
+allow $1_t self:{ lnk_file file } { getattr read };
+can_kerberos($1_t)
+allow $1_t urandom_device_t:chr_file r_file_perms;
+# Use sockets inherited from inetd.
+ifelse($2, `', `
+allow inetd_t $1_port_t:udp_socket name_bind;
+allow $1_t inetd_t:udp_socket rw_socket_perms;
+allow inetd_t $1_port_t:tcp_socket name_bind;
+allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
+')
+ifelse($2, tcp, `
+allow inetd_t $1_port_t:tcp_socket name_bind;
+allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
+')
+ifelse($2, udp, `
+allow inetd_t $1_port_t:udp_socket name_bind;
+allow $1_t inetd_t:udp_socket rw_socket_perms;
+')
+r_dir_file($1_t, proc_net_t)
+')
+define(`remote_login_daemon', `
+inetd_child_domain($1)
+
+# Execute /bin/login on a new PTY
+allow $1_t { bin_t sbin_t }:dir search;
+domain_auto_trans($1_t, login_exec_t, remote_login_t)
+can_create_pty($1, `, server_pty, userpty_type')
+allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;
+
+# Append to /var/log/wtmp.
+allow $1_t var_log_t:dir search;
+allow $1_t wtmp_t:file rw_file_perms;
+allow $1_t initrc_var_run_t:file rw_file_perms;
+
+# Allow reading of /etc/issue.net
+allow $1_t etc_runtime_t:file r_file_perms;
+
+# Allow krb5 $1 to use fork and open /dev/tty for use
+allow $1_t userpty_type:chr_file setattr;
+allow $1_t devtty_t:chr_file rw_file_perms;
+dontaudit $1_t selinux_config_t:dir search;
+')
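Review bot: `allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;` in `remote_login_daemon` grants `dac_override` with no explanation; the surrounding comments cover running login on a new PTY and appending to wtmp, neither of which needs a DAC bypass, so justify it or remove it. In `inetd_child_domain`, `type $1_exec_t, file_type, sysadmfile, exec_type;` is declared in the middle of the rule list, after `$1_exec_t` has already been used in the `can_exec` and `domain_auto_trans` rules; move it up beside `type $1_t, ...` for readability. The three separate `ifelse($2, ...)` blocks silently generate nothing for any other value of `$2`; a single chained `ifelse` makes the accepted values (empty, `tcp`, `udp`) explicit and catches typos. The comment `# Allow krb5 $1 to use fork and open /dev/tty for use` sits over `setattr` and `rw_file_perms` rules, not a fork rule; reword it.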
diff --git a/mls/macros/program/irc_macros.te b/mls/macros/program/irc_macros.te
new file mode 100644
index 0000000..3adaef7
--- /dev/null
+++ b/mls/macros/program/irc_macros.te
@@ -0,0 +1,85 @@
+#
+# Macros for irc domains.
+#
+
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+#
+# irc_domain(domain_prefix)
+#
+# Define a derived domain for the irc program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/irc.te. 
+#
+undefine(`irc_domain')
+ifdef(`irc.te', `
+define(`irc_domain',`
+
+# Home domain
+home_domain($1, irc)
+file_type_auto_trans($1_irc_t, $1_home_dir_t, $1_irc_home_t, dir)
+
+# Derived domain based on the calling user domain and the program.
+type $1_irc_t, domain;
+type $1_irc_exec_t, file_type, sysadmfile, $1_file_type;
+
+allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_irc_t;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;')
+
+# Inherit and use descriptors from newrole.
+ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;')
+
+# allow ps to show irc
+can_ps($1_t, $1_irc_t)
+allow $1_t $1_irc_t:process signal;
+
+# Use the network.
+can_network_client($1_irc_t)
+allow $1_irc_t port_type:tcp_socket name_connect;
+can_ypbind($1_irc_t)
+
+allow $1_irc_t usr_t:file { getattr read };
+
+access_terminal($1_irc_t, $1)
+uses_shlib($1_irc_t)
+allow $1_irc_t etc_t:file { read getattr };
+read_locale($1_irc_t)
+allow $1_irc_t fs_t:filesystem getattr;
+allow $1_irc_t var_t:dir search;
+allow $1_irc_t device_t:dir search;
+allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_irc_t privfd:fd use;
+allow $1_irc_t proc_t:dir search;
+allow $1_irc_t { self proc_t }:lnk_file read;
+allow $1_irc_t self:dir search;
+dontaudit $1_irc_t var_run_t:dir search;
+
+# allow utmp access
+allow $1_irc_t initrc_var_run_t:file { getattr read };
+dontaudit $1_irc_t initrc_var_run_t:file lock;
+
+# access files under /tmp
+file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t)
+
+ifdef(`ircd.te', `
+can_tcp_connect($1_irc_t, ircd_t)
+')dnl end ifdef irc.te
+')dnl end macro definition
+
+', `
+
+define(`irc_domain',`')
+
+')dnl end ifdef irc.te
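Review bot: `type $1_irc_exec_t, file_type, sysadmfile, $1_file_type;` together with `allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };` and `domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t)` make the entry point user-writable: the user can create any binary, label it `$1_irc_exec_t` and run it in `$1_irc_t`, which has `can_network_client` and `name_connect` to every port type. That may be intended for user-installed clients, but the header should say so, since `$1_irc_t` then only confines whatever the user chooses to run there. Ordering: `home_domain($1, irc)` and the `file_type_auto_trans` on `$1_irc_t` appear before `type $1_irc_t, domain;`; move the declaration first to match the other macro files. The marker `')dnl end ifdef irc.te` after `can_tcp_connect($1_irc_t, ircd_t)` closes the `ifdef(`ircd.te'` block, not irc.te.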
diff --git a/mls/macros/program/java_macros.te b/mls/macros/program/java_macros.te
new file mode 100644
index 0000000..874d6dc
--- /dev/null
+++ b/mls/macros/program/java_macros.te
@@ -0,0 +1,93 @@
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com> 
+#
+# Macros for javaplugin (java plugin) domains.
+#
+#
+# javaplugin_domain(domain_prefix, role)
+#
+# Define a derived domain for the javaplugin program when executed by
+# a web browser.  
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/java.te. 
+#
+define(`javaplugin_domain',`
+type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool;
+
+# The user role is authorized for this domain.
+role $2_r types $1_javaplugin_t;
+domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
+
+allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms;
+# Unrestricted inheritance from the caller.
+allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh };
+allow $1_javaplugin_t $1_t:process signull;
+
+can_unix_connect($1_javaplugin_t, $1_t)
+allow $1_javaplugin_t $1_t:unix_stream_socket { read write };
+
+# This domain is granted permissions common to most domains (including can_net)
+can_network_client($1_javaplugin_t)
+allow $1_javaplugin_t port_type:tcp_socket name_connect;
+can_ypbind($1_javaplugin_t)
+allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
+allow $1_javaplugin_t self:fifo_file rw_file_perms;
+allow $1_javaplugin_t etc_runtime_t:file { getattr read };
+allow $1_javaplugin_t fs_t:filesystem getattr;
+r_dir_file($1_javaplugin_t, { proc_t proc_net_t })
+allow $1_javaplugin_t self:dir search;
+allow $1_javaplugin_t self:lnk_file read;
+allow $1_javaplugin_t self:file { getattr read };
+
+read_sysctl($1_javaplugin_t)
+allow $1_javaplugin_t sysctl_vm_t:dir search;
+
+tmp_domain($1_javaplugin)
+read_fonts($1_javaplugin_t, $2)
+r_dir_file($1_javaplugin_t,{ usr_t etc_t })
+
+# Search bin directory under javaplugin for javaplugin executable
+allow $1_javaplugin_t bin_t:dir search;
+can_exec($1_javaplugin_t, java_exec_t)
+
+# libdeploy.so legacy
+allow $1_javaplugin_t texrel_shlib_t:file execmod;
+if (allow_execmem) {
+allow $1_javaplugin_t self:process execmem;
+}
+
+# Connect to X server
+x_client_domain($1_javaplugin, $2) 
+
+uses_shlib($1_javaplugin_t)
+read_locale($1_javaplugin_t)
+rw_dir_file($1_javaplugin_t, $1_home_t)
+
+if (allow_java_execstack) {
+legacy_domain($1_javaplugin)
+allow $1_javaplugin_t lib_t:file execute;
+allow $1_javaplugin_t locale_t:file execute;
+allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
+allow $1_javaplugin_t fonts_t:file execute;
+allow $1_javaplugin_t sound_device_t:chr_file execute;
+}
+
+allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
+
+allow $1_javaplugin_t home_root_t:dir { getattr search };
+file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t)
+allow $1_javaplugin_t $2_xauth_home_t:file { getattr read };
+allow $1_javaplugin_t $2_tmp_t:sock_file write;
+allow $1_javaplugin_t $2_t:fd use;
+
+allow $1_javaplugin_t var_t:dir getattr;
+allow $1_javaplugin_t var_lib_t:dir { getattr search };
+
+dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write };
+dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write };
+dontaudit $1_javaplugin_t devtty_t:chr_file { read write };
+dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
+dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
+
+')
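Review bot: `allow $1_javaplugin_t port_type:tcp_socket name_connect;` (together with `can_network_client($1_javaplugin_t)`) lets the plugin domain connect to every labelled TCP port, which is far wider than a browser domain normally gets; since the plugin is entered from the browser via `domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)`, any port restriction placed on the calling domain stops mattering as soon as an applet runs. Restrict this to the port types the plugin actually needs (the same set the calling browser domain is limited to) or gate the `port_type` rule behind a boolean. Two smaller points: `allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh };` is labelled only "Unrestricted inheritance from the caller" and deserves a sentence on why the plugin should not get AT_SECURE semantics, and the `allow_java_execstack` block grants `execute` on `fonts_t`, `sound_device_t` and `$1_javaplugin_tmp_t` files, which is broader than an executable-stack workaround and should say which access actually needs it.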
diff --git a/mls/macros/program/kerberos_macros.te b/mls/macros/program/kerberos_macros.te
new file mode 100644
index 0000000..91850d3
--- /dev/null
+++ b/mls/macros/program/kerberos_macros.te
@@ -0,0 +1,11 @@
+define(`can_kerberos',`
+ifdef(`kerberos.te',`
+if (allow_kerberos) {
+can_network_client($1, `kerberos_port_t')
+allow $1 kerberos_port_t:tcp_socket name_connect;
+can_resolve($1)
+}
+') dnl kerberos.te
+dontaudit $1 krb5_conf_t:file write;
+allow $1 krb5_conf_t:file { getattr read };
+')
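Review bot: the last two rules, `dontaudit $1 krb5_conf_t:file write;` and `allow $1 krb5_conf_t:file { getattr read };`, sit outside the `ifdef(`kerberos.te', ...)` guard, so every caller of `can_kerberos` references `krb5_conf_t` even in a build without kerberos.te; unless that type is declared in a file that is always present, such a build breaks, and if it is, a comment saying so would save the next reader the question. The `allow_kerberos` boolean is likewise used here but declared elsewhere; a `dnl` note pointing at its declaration would help.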
diff --git a/mls/macros/program/lockdev_macros.te b/mls/macros/program/lockdev_macros.te
new file mode 100644
index 0000000..28f7c01
--- /dev/null
+++ b/mls/macros/program/lockdev_macros.te
@@ -0,0 +1,46 @@
+#
+# Macros for lockdev domains.
+#
+
+#
+# Authors:  Daniel Walsh <dwalsh@redhat.com> 
+#
+
+#
+# lockdev_domain(domain_prefix)
+#
+# Define a derived domain for the lockdev programs when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/lockdev.te. 
+#
+undefine(`lockdev_domain')
+define(`lockdev_domain',`
+# Derived domain based on the calling user domain and the program
+type $1_lockdev_t, domain, privlog;
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_lockdev_t;
+# Use capabilities.
+allow $1_lockdev_t self:capability setgid;
+allow $1_lockdev_t $1_t:process signull;
+
+allow $1_lockdev_t var_t:dir search;
+
+lock_domain($1_lockdev)
+
+r_dir_file($1_lockdev_t, lockfile)
+
+allow $1_lockdev_t device_t:dir search;
+allow $1_lockdev_t null_device_t:chr_file rw_file_perms;
+access_terminal($1_lockdev_t, $1)
+dontaudit $1_lockdev_t root_t:dir search;
+
+uses_shlib($1_lockdev_t)
+allow $1_lockdev_t fs_t:filesystem getattr;
+
+')dnl end macro definition
+
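Review bot: `allow $1_lockdev_t self:capability setgid;` is introduced only by the generic `# Use capabilities.` comment; say why it is needed (presumably because the lockdev binary is installed setgid to the lock-file group so it can write /var/lock, but that is an assumption the comment should confirm), so a reader can tell whether `setgid` is still required now that `lock_domain($1_lockdev)` supplies a dedicated lock-file type for this domain.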
diff --git a/mls/macros/program/login_macros.te b/mls/macros/program/login_macros.te
new file mode 100644
index 0000000..0d0993c
--- /dev/null
+++ b/mls/macros/program/login_macros.te
@@ -0,0 +1,11 @@
+# Macros for login type programs (/bin/login, sshd, etc).
+#
+#  Author: Russell Coker <russell@coker.com.au>
+#
+
+define(`login_spawn_domain', `
+domain_trans($1_t, shell_exec_t, $2)
+
+# Signal the user domains.
+allow $1_t $2:process signal;
+')
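Review bot: the file header describes the purpose but not the macro's arguments; every other macro file in this patch documents its signature (for example `# lpr_domain(domain_prefix)`), so add a line such as `# login_spawn_domain(login_domain_prefix, user_domains)` above `define(`login_spawn_domain', ...)`. It is also worth a comment that `domain_trans` rather than `domain_auto_trans` is deliberate here: a login program picks the target context itself, so no default type transition should exist for `shell_exec_t`. The remaining rule, `allow $1_t $2:process signal;`, is fine.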
diff --git a/mls/macros/program/lpr_macros.te b/mls/macros/program/lpr_macros.te
new file mode 100644
index 0000000..d8b3b31
--- /dev/null
+++ b/mls/macros/program/lpr_macros.te
@@ -0,0 +1,117 @@
+#
+# Macros for lpr domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
+#
+
+#
+# lpr_domain(domain_prefix)
+#
+# Define a derived domain for the lpr/lpq/lprm programs when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/lpr.te. 
+#
+undefine(`lpr_domain')
+define(`lpr_domain',`
+# Derived domain based on the calling user domain and the program
+type $1_lpr_t, domain, privlog, nscd_client_domain;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
+
+allow $1_t $1_lpr_t:process signull;
+
+# allow using shared objects, accessing root dir, etc
+uses_shlib($1_lpr_t)
+
+read_locale($1_lpr_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_lpr_t;
+
+# This domain is granted permissions common to most domains (including can_net)
+can_network_client($1_lpr_t)
+allow $1_lpr_t port_type:tcp_socket name_connect;
+can_ypbind($1_lpr_t)
+
+# Use capabilities.
+allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
+
+allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
+
+# for lpd config files (should have a new type)
+r_dir_file($1_lpr_t, etc_t)
+
+# for test print
+r_dir_file($1_lpr_t, usr_t)
+ifdef(`lpd.te', `
+r_dir_file($1_lpr_t, printconf_t)
+')
+
+tmp_domain($1_lpr)
+
+# Type for spool files.
+type $1_print_spool_t, file_type, sysadmfile;
+# Use this type when creating files in /var/spool/lpd and /var/spool/cups.
+file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
+allow $1_lpr_t var_spool_t:dir search;
+
+# for /dev/null
+allow $1_lpr_t device_t:dir search;
+
+# Access the terminal.
+access_terminal($1_lpr_t, $1)
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
+allow $1_lpr_t privfd:fd use;
+
+# Read user files. 
+read_content(sysadm_lpr_t, $1) 
+read_content($1_lpr_t, $1)
+
+# Read and write shared files in the spool directory.
+allow $1_lpr_t print_spool_t:file rw_file_perms;
+
+# lpr can run in lightweight mode, without a local print spooler. If the
+# lpd policy is present, grant some permissions for this domain and the lpd
+# domain to interact.
+ifdef(`lpd.te', `
+allow $1_lpr_t { var_t var_run_t }:dir search;
+allow $1_lpr_t lpd_var_run_t:dir search;
+allow $1_lpr_t lpd_var_run_t:sock_file write;
+
+# Allow lpd to read, rename, and unlink spool files.
+allow lpd_t $1_print_spool_t:file r_file_perms;
+allow lpd_t $1_print_spool_t:file link_file_perms;
+
+# Connect to lpd via a Unix domain socket.
+allow $1_lpr_t printer_t:sock_file rw_file_perms;
+can_unix_connect($1_lpr_t, lpd_t)
+dontaudit $1_lpr_t $1_t:unix_stream_socket { read write };
+
+# Connect to lpd via a TCP socket.
+can_tcp_connect($1_lpr_t, lpd_t)
+
+allow $1_lpr_t fs_t:filesystem getattr;
+# Send SIGHUP to lpd.
+allow $1_lpr_t lpd_t:process signal;
+
+')dnl end if lpd.te
+
+ifdef(`xdm.te', `
+can_pipe_xdm($1_lpr_t)
+')
+
+ifdef(`cups.te', `
+allow { $1_lpr_t $1_t } cupsd_etc_t:dir search;
+allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read };
+can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
+')dnl end ifdef cups.te
+
+')dnl end macro definition
+
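Review bot: `read_content(sysadm_lpr_t, $1)` under `# Read user files.` is inside the per-user macro, so every `lpr_domain(foo)` invocation unconditionally grants the sysadm print domain read access to that user's content; this cross-user grant should be stated in the comment (or moved to sysadm-specific policy), and when `$1` is `sysadm` it merely duplicates the following `read_content($1_lpr_t, $1)`. Separately, `can_network_client($1_lpr_t)` plus `allow $1_lpr_t port_type:tcp_socket name_connect;` lets a print client connect to any TCP port, although the lpd and cups blocks below each add targeted `can_tcp_connect` rules; if those cover the real need, drop the `port_type` rule.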
diff --git a/mls/macros/program/mail_client_macros.te b/mls/macros/program/mail_client_macros.te
new file mode 100644
index 0000000..da22a62
--- /dev/null
+++ b/mls/macros/program/mail_client_macros.te
@@ -0,0 +1,68 @@
+#
+# Shared macro for mail clients
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+########################################
+# mail_client_domain(client, role_prefix)
+#
+
+define(`mail_client_domain', `
+
+# Allow netstat
+# Startup shellscripts
+allow $1_t bin_t:dir r_dir_perms;
+allow $1_t bin_t:lnk_file r_file_perms;
+can_exec($1_t, bin_t)
+r_dir_file($1_t, proc_net_t)
+allow $1_t sysctl_net_t:dir search;
+
+# Allow DNS
+can_resolve($1_t)
+
+# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
+can_ypbind($1_t)
+can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
+allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;
+
+# Allow printing the mail
+ifdef(`cups.te',`
+allow $1_t cupsd_etc_t:dir r_dir_perms;
+allow $1_t cupsd_rw_etc_t:file r_file_perms;
+')
+ifdef(`lpr.te', `
+domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t)
+')
+
+# Attachments
+read_content($1_t, $2, mail)
+
+# Save mail
+write_untrusted($1_t, $2)
+
+# Encrypt mail
+ifdef(`gpg.te', `
+domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t)
+allow $1_t $2_gpg_t:process signal;
+')
+
+# Start links in web browser
+ifdef(`mozilla.te', `
+can_exec($1_t, shell_exec_t)
+domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
+') 
+ifdef(`dbusd.te', `
+dbusd_client(system, $1)
+allow $1_t system_dbusd_t:dbus send_msg;
+dbusd_client($2, $1)
+allow $1_t $2_dbusd_t:dbus send_msg;
+ifdef(`cups.te', `
+allow cupsd_t $1_t:dbus send_msg;
+') 
+') 
+# Allow the user domain to signal/ps.
+can_ps($2_t, $1_t)
+allow $2_t $1_t:process signal_perms;
+
+')
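Review bot: the comment `# Allow netstat` / `# Startup shellscripts` does not match `can_exec($1_t, bin_t)`, which lets the mail client run any executable labelled bin_t inside its own domain, not just netstat; either narrow it to the binaries actually needed or rewrite the comment to say bin_t execution is intentional, because as written any helper that merely carries bin_t runs with the mail client's full permissions instead of in a confined domain, unlike the specific `domain_auto_trans` targets (lpr, gpg, mozilla) below. Minor: the two unlabelled `') ` lines closing the `dbusd.te` and `cups.te` ifdefs carry trailing whitespace; a `dnl` label on each would make the nesting clearer.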
diff --git a/mls/macros/program/mount_macros.te b/mls/macros/program/mount_macros.te
new file mode 100644
index 0000000..0aa0577
--- /dev/null
+++ b/mls/macros/program/mount_macros.te
@@ -0,0 +1,90 @@
+#
+# Macros for mount
+#
+# Author:  Brian May <bam@snoopy.apana.org.au>
+# Extended by Russell Coker <russell@coker.com.au>
+#
+
+#
+# mount_domain(domain_prefix,dst_domain_prefix)
+#
+# Define a derived domain for the mount program for anyone.
+#
+define(`mount_domain', `
+#
+# Rules for the $2_t domain, used by the $1_t domain.
+#
+# $2_t is the domain for the mount process.
+#
+# This macro will not be included by all users and it may be included twice if
+# called from other macros, so we need protection for this do not call this
+# macro if $2_def is defined
+define(`$2_def', `')
+#
+type $2_t, domain, privlog $3, nscd_client_domain;
+
+allow $2_t sysfs_t:dir search;
+
+uses_shlib($2_t)
+
+role $1_r types $2_t;
+# when mount is run by $1 goto $2_t domain
+domain_auto_trans($1_t, mount_exec_t, $2_t)
+
+allow $2_t proc_t:dir search;
+allow $2_t proc_t:file { getattr read };
+
+#
+# Allow mounting of cdrom by user
+#
+allow $2_t device_type:blk_file getattr;
+
+tmp_domain($2)
+
+# Use capabilities.
+allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
+
+allow $2_t self:unix_stream_socket create_socket_perms;
+
+# Create and modify /etc/mtab.
+file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
+
+allow $2_t etc_t:file { getattr read };
+
+read_locale($2_t)
+
+allow $2_t home_root_t:dir search;
+allow $2_t $1_home_dir_t:dir search;
+allow $2_t noexattrfile:filesystem { mount unmount };
+allow $2_t fs_t:filesystem getattr;
+allow $2_t removable_t:filesystem { mount unmount };
+allow $2_t mnt_t:dir { mounton search };
+allow $2_t sbin_t:dir search;
+
+# Access the terminal.
+access_terminal($2_t, $1)
+ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
+allow $2_t var_t:dir search;
+allow $2_t var_run_t:dir search;
+
+ifdef(`distro_redhat',`
+ifdef(`pamconsole.te',`
+r_dir_file($2_t,pam_var_console_t)
+# mount config by default sets fscontext=removable_t
+allow $2_t dosfs_t:filesystem relabelfrom;
+') dnl end pamconsole.te
+') dnl end distro_redhat
+') dnl end mount_domain
+
+# mount_loopback_privs(domain_prefix,dst_domain_prefix)
+#
+# Add loopback mounting privileges to a particular derived
+# mount domain. 
+#
+define(`mount_loopback_privs',`
+type $1_$2_source_t, file_type, sysadmfile, $1_file_type;
+allow $1_t $1_$2_source_t:file create_file_perms;
+allow $1_t $1_$2_source_t:file { relabelto relabelfrom };
+allow $2_t $1_$2_source_t:file rw_file_perms;
+')
+
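Review bot: the comment above `define(`$2_def', `')` says the macro "may be included twice" and that callers must not invoke it when `$2_def` is defined, but nothing in the macro enforces that: a second call still re-emits `type $2_t, domain, privlog $3, nscd_client_domain;` and the duplicate declaration fails the build. Wrap the body in `ifdef(`$2_def', `', `...')` the way orbit_macros.te guards with `orbit_domain_$1_$2`, so the protection lives inside the macro rather than being a convention every caller must remember. Also the header documents `mount_domain(domain_prefix,dst_domain_prefix)` but the type line consumes a third argument (`$3`); document it as optional extra attributes.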
diff --git a/mls/macros/program/mozilla_macros.te b/mls/macros/program/mozilla_macros.te
new file mode 100644
index 0000000..cc8afb0
--- /dev/null
+++ b/mls/macros/program/mozilla_macros.te
@@ -0,0 +1,157 @@
+#
+# Macros for mozilla/mozilla (or other browser) domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
+#
+
+#
+# mozilla_domain(domain_prefix)
+#
+# Define a derived domain for the mozilla/mozilla program when executed by
+# a user domain.  
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/mozilla.te. 
+#
+
+# FIXME: Rules were removed to centralize policy in a gnome_app macro
+# A similar thing might be necessary for mozilla compiled without GNOME
+# support (is this possible?). 
+
+define(`mozilla_domain',`
+
+type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
+
+# Type transition
+if (! disable_mozilla_trans) {
+domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
+}
+role $1_r types $1_mozilla_t;
+
+# X access, Home files
+home_domain($1, mozilla)
+x_client_domain($1_mozilla, $1)
+
+# GNOME integration
+ifdef(`gnome.te', `
+gnome_application($1_mozilla, $1)
+gnome_file_dialog($1_mozilla, $1)
+')
+
+# Look for plugins 
+allow $1_mozilla_t bin_t:dir { getattr read search };
+
+# Browse the web, connect to printer
+can_resolve($1_mozilla_t)
+can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } )
+allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect;
+
+# Should not need other ports
+dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind };
+
+allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
+dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
+
+# Unrestricted inheritance from the caller.
+allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
+allow $1_mozilla_t $1_t:process signull;
+
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_mozilla_t)
+allow $1_t $1_mozilla_t:process signal_perms;
+
+# Access /proc, sysctl
+allow $1_mozilla_t proc_t:dir search;
+allow $1_mozilla_t proc_t:file { getattr read };
+allow $1_mozilla_t proc_t:lnk_file read;
+allow $1_mozilla_t sysctl_net_t:dir search;
+allow $1_mozilla_t sysctl_t:dir search;
+
+# /var/lib
+allow $1_mozilla_t var_lib_t:dir search;
+allow $1_mozilla_t var_lib_t:file { getattr read };
+
+# Self permissions
+allow $1_mozilla_t self:socket create_socket_perms;
+allow $1_mozilla_t self:file { getattr read };
+allow $1_mozilla_t self:sem create_sem_perms;
+
+# for bash - old mozilla binary
+can_exec($1_mozilla_t, mozilla_exec_t)
+can_exec($1_mozilla_t, shell_exec_t)
+can_exec($1_mozilla_t, bin_t)
+allow $1_mozilla_t bin_t:lnk_file read;
+allow $1_mozilla_t device_t:dir r_dir_perms;
+allow $1_mozilla_t self:dir search;
+allow $1_mozilla_t self:lnk_file read;
+r_dir_file($1_mozilla_t, proc_net_t)
+
+# interacting with gstreamer
+r_dir_file($1_mozilla_t, var_t)
+
+# Uploads, local html
+read_content($1_mozilla_t, $1, mozilla) 
+
+# Save web pages
+write_untrusted($1_mozilla_t, $1)
+
+# Mozpluggerrc
+allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
+
+######### Java plugin
+ifdef(`java.te', `
+javaplugin_domain($1_mozilla, $1)
+') dnl java.te
+
+######### Print web content
+ifdef(`cups.te', `
+allow $1_mozilla_t cupsd_etc_t:dir search;
+allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
+')
+ifdef(`lpr.te', `
+domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
+dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
+dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
+') dnl if lpr.te
+
+######### Launch mplayer
+ifdef(`mplayer.te', `
+domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
+dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
+dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
+dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
+')dnl end if mplayer.te  
+
+######### Launch email client, and make webcal links work
+ifdef(`evolution.te', `
+domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
+domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
+') dnl if evolution.te
+
+ifdef(`thunderbird.te', `
+domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
+') dnl if evolution.te
+
+if (allow_execmem) {
+allow $1_mozilla_t self:process { execmem execstack };
+}
+allow $1_mozilla_t texrel_shlib_t:file execmod;
+
+ifdef(`dbusd.te', `
+dbusd_client(system, $1_mozilla)
+allow $1_mozilla_t system_dbusd_t:dbus send_msg;
+ifdef(`cups.te', `
+allow cupsd_t $1_mozilla_t:dbus send_msg;
+')
+')
+
+ifdef(`apache.te', `
+ifelse($1, sysadm, `', `
+r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
+')
+')
+
+')dnl end mozilla macro
+
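Review bot: `can_exec($1_mozilla_t, shell_exec_t)` and `can_exec($1_mozilla_t, bin_t)` under `# for bash - old mozilla binary` let the browser domain run a shell and any bin_t program without leaving `$1_mozilla_t`, which sits oddly next to the carefully targeted transitions that follow (lpr, mplayer, evolution, thunderbird): any helper not matched by one of those `domain_auto_trans` lines runs with the browser's own home and network access. If the wrapper script is the only reason, limit this to `shell_exec_t` plus `mozilla_exec_t`, or put the bin_t rule behind a boolean. Two cleanups while here: `dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };` appears twice in the mplayer block, and the `thunderbird.te` ifdef is closed with `') dnl if evolution.te`, a copy-paste label.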
diff --git a/mls/macros/program/mplayer_macros.te b/mls/macros/program/mplayer_macros.te
new file mode 100644
index 0000000..6d06757
--- /dev/null
+++ b/mls/macros/program/mplayer_macros.te
@@ -0,0 +1,159 @@
+#
+# Macros for mplayer
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+# mplayer_domains(user) declares domains for mplayer, gmplayer,
+# and mencoder
+
+#####################################################
+#    mplayer_common(role_prefix, mplayer_domain)    #
+#####################################################
+
+define(`mplayer_common',`
+
+# Read global config
+r_dir_file($1_$2_t, mplayer_etc_t)
+
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_$2_t)
+allow $1_t $1_$2_t:process signal_perms;
+
+# Read data in /usr/share (fonts, icons..)
+r_dir_file($1_$2_t, usr_t)
+
+# Read /proc files and directories
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+allow $1_$2_t proc_t:dir search;
+allow $1_$2_t proc_t:file { getattr read };
+
+# Sysctl on kernel version 
+read_sysctl($1_$2_t)
+
+# Allow ps, shared libs, locale, terminal access
+can_ps($1_t, $1_$2_t)
+uses_shlib($1_$2_t)
+read_locale($1_$2_t)
+access_terminal($1_$2_t, $1)
+
+# Required for win32 binary loader 
+allow $1_$2_t zero_device_t:chr_file { read write execute };
+if (allow_execmem) {
+allow $1_$2_t self:process execmem;
+}
+
+if (allow_execmod) {
+allow $1_$2_t zero_device_t:chr_file execmod;
+}
+allow $1_$2_t texrel_shlib_t:file execmod;
+
+# Access to DVD/CD/V4L
+allow $1_$2_t device_t:dir r_dir_perms;
+allow $1_$2_t device_t:lnk_file { getattr read };
+allow $1_$2_t removable_device_t:blk_file { getattr read };
+allow $1_$2_t v4l_device_t:chr_file { getattr read };
+
+# Legacy domain issues
+if (allow_mplayer_execstack) {
+legacy_domain($1_$2)
+allow $1_$2_t lib_t:file execute;
+allow $1_$2_t locale_t:file execute;
+allow $1_$2_t sound_device_t:chr_file execute;
+}
+')
+
+###################################
+#  mplayer_domain(role_prefix)    #
+###################################
+
+define(`mplayer_domain',`
+
+type $1_mplayer_t, domain, nscd_client_domain;
+
+# Type transition
+domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
+role $1_r types $1_mplayer_t;
+
+# Home access, X access
+home_domain($1, mplayer)
+x_client_domain($1_mplayer, $1)
+
+# Mplayer common stuff
+mplayer_common($1, mplayer)
+
+# Fork 
+allow $1_mplayer_t self:process { fork signal_perms getsched };
+allow $1_mplayer_t self:fifo_file rw_file_perms;
+
+# Audio, alsa.conf
+allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
+allow $1_mplayer_t etc_t:file { getattr read };
+r_dir_file($1_mplayer_t, alsa_etc_rw_t);
+
+# RTC clock 
+allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
+
+# Legacy domain issues
+if (allow_mplayer_execstack) {
+allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
+}
+
+#======gmplayer gui==========#
+# File dialogs
+dontaudit_getattr($1_mplayer_t)
+dontaudit_read_dir($1_mplayer_t)
+dontaudit_search_dir($1_mplayer_t)
+
+# Unfortunately the ancient file dialog starts in /
+allow $1_mplayer_t home_root_t:dir read;
+
+# Read /etc/mtab
+allow $1_mplayer_t etc_runtime_t:file { read getattr };
+
+# Run bash/sed (??) 
+allow $1_mplayer_t bin_t:dir search;
+allow $1_mplayer_t bin_t:lnk_file read;
+can_exec($1_mplayer_t, bin_t)
+can_exec($1_mplayer_t, shell_exec_t)
+#============================#
+
+# Read songs
+read_content($1_mplayer_t, $1)
+
+') dnl end mplayer_domain
+
+###################################
+#  mencoder_domain(role_prefix)   #
+###################################
+
+define(`mencoder_domain',`
+
+type $1_mencoder_t, domain;
+
+# Type transition
+domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
+role $1_r types $1_mencoder_t;
+
+# Access mplayer home domain
+home_domain_access($1_mencoder_t, $1, mplayer)
+
+# Mplayer common stuff
+mplayer_common($1, mencoder)
+
+# Read content to encode
+read_content($1_mencoder_t, $1)
+
+# Save encoded files
+write_trusted($1_mencoder_t, $1)
+
+') dnl end mencoder_domain
+
+#############################
+#  mplayer_domains(role)    #
+#############################
+
+define(`mplayer_domains', `
+mplayer_domain($1)
+mencoder_domain($1)
+') dnl end mplayer_domains
+
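Review bot: in `mplayer_common`, `allow $1_$2_t zero_device_t:chr_file { read write execute };` is unconditional while `execmem` is gated by `if (allow_execmem)` and `execmod` on the same device by `if (allow_execmod)`; a shared read/write/execute mapping of /dev/zero gives the process writable executable memory without ever needing `execmem`, so the `allow_execmem` boolean does not actually restrict mplayer. Move at least the `execute` permission on `zero_device_t` inside the `allow_execmem` block (the comment says it exists only for the win32 binary loader, which is the same case the boolean is meant to cover). Also `can_ps($1_t, $1_$2_t)` is called twice in `mplayer_common` (under `# Allow the user domain to signal/ps.` and again under `# Allow ps, shared libs, ...`), and `r_dir_file($1_mplayer_t, alsa_etc_rw_t);` has a stray trailing `;` unlike the other macro calls in this file.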
diff --git a/mls/macros/program/mta_macros.te b/mls/macros/program/mta_macros.te
new file mode 100644
index 0000000..b221f54
--- /dev/null
+++ b/mls/macros/program/mta_macros.te
@@ -0,0 +1,121 @@
+# Macros for MTA domains.
+#
+
+#
+# Author:   Russell Coker <russell@coker.com.au>
+# Based on the work of: Stephen Smalley <sds@epoch.ncsc.mil>
+#                       Timothy Fraser 
+#
+
+#
+# mail_domain(domain_prefix)
+#
+# Define a derived domain for the sendmail program when executed by
+# a user domain to send outgoing mail.  These domains are separate and
+# independent of the domain used for the sendmail daemon process.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/mta.te. 
+#
+undefine(`mail_domain')
+define(`mail_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain;
+
+ifdef(`sendmail.te', `
+sendmail_user_domain($1)
+')
+
+can_exec($1_mail_t, sendmail_exec_t)
+allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
+
+# The user role is authorized for this domain.
+role $1_r types $1_mail_t;
+
+uses_shlib($1_mail_t)
+can_network_client_tcp($1_mail_t)
+allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;
+can_resolve($1_mail_t)
+can_ypbind($1_mail_t)
+allow $1_mail_t self:unix_dgram_socket create_socket_perms;
+allow $1_mail_t self:unix_stream_socket create_socket_perms;
+
+read_locale($1_mail_t)
+read_sysctl($1_mail_t)
+allow $1_mail_t device_t:dir search;
+allow $1_mail_t { var_t var_spool_t }:dir search;
+allow $1_mail_t self:process { fork signal_perms setrlimit };
+allow $1_mail_t sbin_t:dir search;
+
+# It wants to check for nscd
+dontaudit $1_mail_t var_run_t:dir search;
+
+# Use capabilities
+allow $1_mail_t self:capability { setuid setgid chown };
+
+# Execute procmail.
+can_exec($1_mail_t, bin_t)
+ifdef(`procmail.te',`
+can_exec($1_mail_t, procmail_exec_t)')
+
+ifelse(`$1', `system', `
+# Transition from a system domain to the derived domain.
+domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
+allow privmail sendmail_exec_t:lnk_file { getattr read };
+
+ifdef(`crond.te', `
+# Read cron temporary files.
+allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
+allow mta_user_agent system_crond_tmp_t:file { read getattr };
+')
+can_access_pty(system_mail_t, initrc)
+
+', `
+# For when the user wants to send mail via port 25 localhost
+can_tcp_connect($1_t, mail_server_domain)
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
+allow $1_t sendmail_exec_t:lnk_file { getattr read };
+
+# Read user temporary files.
+allow $1_mail_t $1_tmp_t:file r_file_perms;
+dontaudit $1_mail_t $1_tmp_t:file append;
+ifdef(`postfix.te', `
+# postfix seems to need write access if the file handle is opened read/write
+allow $1_mail_t $1_tmp_t:file write;
+')dnl end if postfix
+
+allow mta_user_agent $1_tmp_t:file { read getattr };
+
+# Write to the user domain tty.
+access_terminal(mta_user_agent, $1)
+access_terminal($1_mail_t, $1)
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
+allow $1_mail_t privfd:fd use;
+
+# Create dead.letter in user home directories.
+file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
+
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_mail_t, cifs_t)
+}
+
+# if you do not want to allow dead.letter then use the following instead
+#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
+#allow $1_mail_t $1_home_t:file r_file_perms;
+
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
+')dnl end if system
+
+allow $1_mail_t etc_t:file { getattr read };
+ifdef(`qmail.te', `
+allow $1_mail_t qmail_etc_t:dir search;
+allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
+')dnl end if qmail
+
+')
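Review bot: `allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;` lists `smtp_port_t` next to the `port_type` attribute that already contains it, so the rule grants `name_connect` to every port and the explicit smtp entry is misleading. If user mail submission only needs SMTP (the `can_tcp_connect($1_t, mail_server_domain)` rule further down suggests the local MTA is the intended path), drop `port_type`; if connecting to arbitrary ports is intended, say so in a comment. Also `# Execute procmail.` sits above `can_exec($1_mail_t, bin_t)`, which is much wider than procmail; the `procmail_exec_t` rule just below is the one the comment describes.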
diff --git a/mls/macros/program/newrole_macros.te b/mls/macros/program/newrole_macros.te
new file mode 100644
index 0000000..0d52282
--- /dev/null
+++ b/mls/macros/program/newrole_macros.te
@@ -0,0 +1,97 @@
+# Authors:  Anthony Colatrella (NSA)    Stephen Smalley <sds@epoch.ncsc.mil>
+#           Russell Coker <russell@coker.com.au>
+
+# This macro defines the rules for a newrole like program, it is used by
+# newrole.te and sudo.te, but may be used by other policy at some later time.
+
+define(`newrole_domain', `
+# Rules for the $1_t domain.
+#
+# $1_t is the domain for the program.
+# $1_exec_t is the type of the executable.
+#
+type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
+in_user_role($1_t)
+role sysadm_r types $1_t;
+
+general_domain_access($1_t);
+
+uses_shlib($1_t)
+read_locale($1_t)
+read_sysctl($1_t)
+
+allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
+
+# for when the user types "exec newrole" at the command line
+allow $1_t privfd:process sigchld;
+
+# Inherit descriptors from the current session.
+allow $1_t privfd:fd use;
+
+# Execute /sbin/pwdb_chkpwd to check the password.
+allow $1_t sbin_t:dir r_dir_perms;
+
+# Execute shells
+allow $1_t bin_t:dir r_dir_perms;
+allow $1_t bin_t:lnk_file read;
+allow $1_t shell_exec_t:file r_file_perms;
+
+allow $1_t urandom_device_t:chr_file { getattr read };
+
+# Allow $1_t to transition to user domains.
+domain_trans($1_t, shell_exec_t, unpriv_userdomain)
+if(!secure_mode)
+{
+	# if we are not in secure mode then we can transition to sysadm_t
+	domain_trans($1_t, shell_exec_t, sysadm_t)
+}
+
+can_setexec($1_t)
+
+allow $1_t autofs_t:dir search;
+
+# Use capabilities.
+allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override };
+
+# Read the devpts root directory.
+allow $1_t devpts_t:dir r_dir_perms;
+
+# Read the /etc/security/default_type file
+r_dir_file($1_t, default_context_t)
+r_dir_file($1_t, selinux_config_t)
+allow $1_t etc_t:file r_file_perms;
+
+# Read /var.
+r_dir_file($1_t, var_t)
+
+# Read /dev directories and any symbolic links.
+allow $1_t device_t:dir r_dir_perms;
+
+# Relabel terminals.
+allow $1_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
+
+# Access terminals.
+allow $1_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
+
+ifdef(`distro_debian', `
+# for /etc/alternatives
+allow $1_t etc_t:lnk_file read;
+')
+
+#
+# Allow newrole to obtain contexts to relabel TTYs
+#
+can_getsecurity($1_t)
+
+allow $1_t fs_t:filesystem getattr;
+
+# for some PAM modules and for cwd
+dontaudit $1_t { home_root_t home_type }:dir search;
+
+allow $1_t proc_t:dir search;
+allow $1_t proc_t:file { getattr read };
+
+# for when the network connection is killed
+dontaudit unpriv_userdomain $1_t:process signal;
+')
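Review bot: the type line gives every domain built with this macro the MLS override attributes `mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl` on top of `privrole` and `privowner`, and the header says the macro is shared by newrole.te and sudo.te. newrole plausibly needs them to change level and relabel the terminal, but baking them into the shared macro means sudo receives the same ability to read and write files across levels; if sudo does not need that, pass the MLS attributes through `$2` (which already exists for extra attributes) from newrole.te so each caller opts in. Also `# Execute /sbin/pwdb_chkpwd to check the password.` now only precedes `allow $1_t sbin_t:dir r_dir_perms;`; password checking goes through the `auth_chkpwd` attribute, so the comment is stale.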
diff --git a/mls/macros/program/orbit_macros.te b/mls/macros/program/orbit_macros.te
new file mode 100644
index 0000000..b2dd5d1
--- /dev/null
+++ b/mls/macros/program/orbit_macros.te
@@ -0,0 +1,44 @@
+#
+# ORBit related types 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+# orbit_domain(prefix, role_prefix) - create ORBit sockets
+# orbit_connect(type1_prefix, type2_prefix) 
+#	- allow communication through ORBit sockets from type1 to type2 
+
+define(`orbit_domain', `
+
+# Protect against double inclusion for speed and correctness
+ifdef(`orbit_domain_$1_$2', `', `
+define(`orbit_domain_$1_$2')
+
+# Relabel directory (startup script)
+allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };
+
+# Type for ORBit sockets
+type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
+file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)
+allow $1_t tmp_t:dir { read search getattr };
+
+# Create the sockets
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_t self:unix_dgram_socket create_socket_perms;
+
+# Use random device(s)
+allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };
+
+# Why do they do that?
+dontaudit $1_t $2_orbit_tmp_t:dir setattr;
+
+') dnl ifdef orbit_domain_args
+') dnl orbit_domain
+
+##########################
+
+define(`orbit_connect', `
+
+can_unix_connect($1_t, $2_t)
+allow $1_t $2_orbit_tmp_t:sock_file write;
+
+') dnl orbit_connect
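Review bot: `allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };` uses `$1_orbit_tmp_t` three lines before `type $1_orbit_tmp_t, ...` declares it; checkpolicy tolerates the forward reference, but declaring first reads better and matches the other macros in this patch. The `# Why do they do that?` comment over `dontaudit $1_t $2_orbit_tmp_t:dir setattr;` should state what is being silenced (presumably ORBit trying to setattr the role-prefix socket directory rather than its own) instead of leaving the question in the policy.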
diff --git a/mls/macros/program/pyzor_macros.te b/mls/macros/program/pyzor_macros.te
new file mode 100644
index 0000000..af67d30
--- /dev/null
+++ b/mls/macros/program/pyzor_macros.te
@@ -0,0 +1,69 @@
+#
+# Pyzor - Pyzor is a collaborative, networked system to detect and
+#         block spam using identifying digests of messages.
+#
+# Author:  David Hampton <hampton@employees.org>
+#
+
+##########
+# common definitions for pyzord and all flavors of pyzor
+##########
+define(`pyzor_base_domain',`
+
+# Networking
+can_network_client_tcp($1_t, http_port_t);
+can_network_udp($1_t, pyzor_port_t);
+can_resolve($1_t);
+
+general_proc_read_access($1_t)
+
+tmp_domain($1)
+
+allow $1_t bin_t:dir { getattr search };
+allow $1_t bin_t:file getattr;
+allow $1_t lib_t:file { getattr read };
+allow $1_t { var_t var_lib_t var_run_t }:dir search;
+uses_shlib($1_t)
+
+# Python does a getattr on this file
+allow $1_t pyzor_exec_t:file getattr;
+
+# mktemp and other randoms
+allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
+
+# Allow access to various files in the /etc/directory including mtab
+# and nsswitch
+allow $1_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale($1_t)
+')
+
+
+#
+# Define a user domain for a pyzor
+#
+# Note: expects to be called with an argument of user, sysadm
+
+define(`pyzor_domain',`
+type $1_pyzor_t, domain, privlog, nscd_client_domain;
+role $1_r types $1_pyzor_t;
+domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t)
+
+pyzor_base_domain($1_pyzor)
+
+# Per-user config/data files
+home_domain($1, pyzor)
+file_type_auto_trans($1_pyzor_t, $1_home_dir_t, $1_pyzor_home_t, dir)
+
+# System config files
+r_dir_file($1_pyzor_t, pyzor_etc_t)
+
+# System data files
+r_dir_file($1_pyzor_t, pyzor_var_lib_t);
+
+allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow pyzor to be run by hand.  Needed by any action other than
+# invocation from a spam filter.
+can_access_pty($1_pyzor_t, $1)
+allow $1_pyzor_t sshd_t:fd use;
+')
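Review bot: `allow $1_pyzor_t sshd_t:fd use;` names `sshd_t` with no `ifdef(`ssh.te', ...)` guard, unlike the `gnome-pty-helper.te` and `lpd.te` guards used elsewhere in this patch, so a policy built without the ssh module will not compile; either guard it or use `allow $1_pyzor_t privfd:fd use;` as lpr_macros.te and mta_macros.te do, which covers sshd (if it carries `privfd`, as the login domains normally do) without naming it. Style: `can_network_client_tcp($1_t, http_port_t);`, `can_network_udp($1_t, pyzor_port_t);` and `can_resolve($1_t);` have trailing semicolons that the other macro invocations in the file do not.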
diff --git a/mls/macros/program/razor_macros.te b/mls/macros/program/razor_macros.te
new file mode 100644
index 0000000..e4c7c55
--- /dev/null
+++ b/mls/macros/program/razor_macros.te
@@ -0,0 +1,75 @@
+#
+# Razor - Razor is a collaborative, networked system to detect and
+#         block spam using identifying digests of messages.
+#
+# Author:  David Hampton <hampton@employees.org>
+#
+
+##########
+# common definitions for razord and all flavors of razor
+##########
+define(`razor_base_domain',`
+
+# Razor is one executable and several symlinks
+allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
+
+# Networking
+can_network_client_tcp($1_t, razor_port_t)
+can_resolve($1_t);
+
+general_proc_read_access($1_t)
+
+# Read system config file
+r_dir_file($1_t, razor_etc_t)
+
+# Update razor common files
+file_type_auto_trans($1_t, var_log_t, razor_log_t, file)
+create_dir_file($1_t, razor_log_t)
+allow $1_t var_lib_t:dir search;
+create_dir_file($1_t, razor_var_lib_t)
+
+allow $1_t bin_t:dir { getattr search };
+allow $1_t bin_t:file getattr;
+allow $1_t lib_t:file { getattr read };
+allow $1_t { var_t var_run_t }:dir search;
+uses_shlib($1_t)
+
+# Razor forks other programs to do part of its work.
+general_domain_access($1_t)
+can_exec($1_t, bin_t)
+
+# mktemp and other randoms
+allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
+
+# Allow access to various files in the /etc/directory including mtab
+# and nsswitch
+allow $1_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale($1_t)
+')
+
+
+#
+# Define a user domain for a razor
+#
+# Note: expects to be called with an argument of user, sysadm
+
+define(`razor_domain',`
+type $1_razor_t, domain, privlog, nscd_client_domain;
+role $1_r types $1_razor_t;
+domain_auto_trans($1_t, razor_exec_t, $1_razor_t)
+
+razor_base_domain($1_razor)
+
+# Per-user config/data files
+home_domain($1, razor)
+file_type_auto_trans($1_razor_t, $1_home_dir_t, $1_razor_home_t, dir)
+
+tmp_domain($1_razor)
+
+allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow razor to be run by hand.  Needed by any action other than
+# invocation from a spam filter.
+can_access_pty($1_razor_t, $1)
+allow $1_razor_t sshd_t:fd use;
+')
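Review bot: same unconditional sshd_t dependency as in pyzor_macros.te: "allow $1_razor_t sshd_t:fd use;" at the end of razor_domain should sit inside ifdef(`ssh.te', ...). In razor_base_domain, "general_domain_access($1_t)" plus "can_exec($1_t, bin_t)" under the comment "Razor forks other programs to do part of its work" is very broad for a user-derived domain; naming the helpers razor actually execs (or documenting why all of bin_t is needed) would allow the rule to be narrowed later. Minor: "can_resolve($1_t);" has a trailing semicolon that the other macro calls in this file omit.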
diff --git a/mls/macros/program/resmgrd_macros.te b/mls/macros/program/resmgrd_macros.te
new file mode 100644
index 0000000..ec0ac60
--- /dev/null
+++ b/mls/macros/program/resmgrd_macros.te
@@ -0,0 +1,11 @@
+# Macro for resmgrd
+
+define(`can_resmgrd_connect', `
+ifdef(`resmgrd.te', ` 
+allow $1 resmgrd_t:unix_stream_socket connectto;
+allow $1 { var_t var_run_t }:dir search;
+allow $1 resmgrd_var_run_t:sock_file write;
+allow $1 resmgrd_t:fd use;
+')
+')
+
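Review bot: the file lacks the header block the other macro files in this series have (author, macro name, what $1 is expected to be, here evidently a domain that connects to resmgrd); add it. Also the "ifdef(`resmgrd.te', `" line carries trailing whitespace.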
diff --git a/mls/macros/program/rhgb_macros.te b/mls/macros/program/rhgb_macros.te
new file mode 100644
index 0000000..9700fba
--- /dev/null
+++ b/mls/macros/program/rhgb_macros.te
@@ -0,0 +1,8 @@
+
+define(`rhgb_domain', `
+ifdef(`rhgb.te', `
+allow $1 rhgb_t:process sigchld;
+allow $1 rhgb_t:fd use;
+allow $1 rhgb_t:fifo_file { read write };
+')dnl end ifdef
+')
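Review bot: rhgb_domain is undocumented: there is no header stating that $1 is a domain that inherits descriptors and a fifo from rhgb_t and sends it sigchld, and the file opens with a stray blank line. The ifdef inside the body does make the macro expand to nothing when rhgb.te is absent, which is fine, but unlike rssh_macros.te and screen_macros.te that is not stated anywhere; a one-line comment would save the next reader a look at the m4.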
diff --git a/mls/macros/program/rssh_macros.te b/mls/macros/program/rssh_macros.te
new file mode 100644
index 0000000..33fbdb5
--- /dev/null
+++ b/mls/macros/program/rssh_macros.te
@@ -0,0 +1,58 @@
+#
+# Macros for Rssh domains
+#
+# Author: Colin Walters <walters@verbum.org>
+#
+
+#
+# rssh_domain(domain_prefix)
+#
+# Define a specific rssh domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/rssh.te. 
+#
+undefine(`rssh_domain')
+ifdef(`rssh.te', `
+define(`rssh_domain',`
+type rssh_$1_t, domain, userdomain, privlog, privfd;
+role rssh_$1_r types rssh_$1_t;
+allow system_r rssh_$1_r;
+
+type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type;
+type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type;
+
+general_domain_access(rssh_$1_t);
+uses_shlib(rssh_$1_t);
+base_file_read_access(rssh_$1_t);
+allow rssh_$1_t var_t:dir r_dir_perms;
+r_dir_file(rssh_$1_t, etc_t);
+allow rssh_$1_t etc_runtime_t:file { getattr read };
+r_dir_file(rssh_$1_t, locale_t);
+can_exec(rssh_$1_t, bin_t);
+
+allow rssh_$1_t proc_t:dir { getattr search };
+allow rssh_$1_t proc_t:lnk_file { getattr read };
+
+r_dir_file(rssh_$1_t, rssh_$1_ro_t);
+create_dir_file(rssh_$1_t, rssh_$1_rw_t);
+
+can_create_pty(rssh_$1, `, userpty_type, user_tty_type')
+# Use the type when relabeling pty devices.
+type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t;
+
+ifdef(`ssh.te',`
+allow rssh_$1_t sshd_t:fd use;
+allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms;
+allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
+# For reading /home/user/.ssh
+r_dir_file(sshd_t, rssh_$1_ro_t);
+domain_trans(sshd_t, rssh_exec_t, rssh_$1_t);
+')
+')
+
+', `
+
+define(`rssh_domain',`')
+
+')
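Review bot: "can_exec(rssh_$1_t, bin_t);" grants the domain execution of every bin_t binary, while the rest of the macro carefully separates rssh_$1_ro_t from rssh_$1_rw_t; if rssh only needs a few specific helpers, give them a dedicated exec type, or document why the whole of bin_t is required. Also trailing semicolons are used on some macro calls (general_domain_access, uses_shlib, base_file_read_access, r_dir_file, can_exec) but not on others (can_create_pty, domain_trans); pick one style.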
diff --git a/mls/macros/program/run_program_macros.te b/mls/macros/program/run_program_macros.te
new file mode 100644
index 0000000..c98bbee
--- /dev/null
+++ b/mls/macros/program/run_program_macros.te
@@ -0,0 +1,73 @@
+
+# $1 is the source domain (or domains), $2 is the source role (or roles) and $3
+# is the base name for the domain to run.  $1 is normally sysadm_t, and $2 is
+# normally sysadm_r.  $4 is the type of program to run and $5 is the domain to
+# transition to.
+# sample usage:
+# run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t)
+#
+# if you have several users who run the same run_init type program for
+# different purposes (think of a run_db program used by several database
+# administrators to start several databases) then you can list all the source
+# domains in $1, all the source roles in $2, but you may not want to list all
+# types of programs to run in $4 and target domains in $5 (as that may permit
+# entering a domain from the wrong type).  In such a situation just specify
+# one value for each of $4 and $5 and have some rules such as the following:
+# domain_trans(run_whatever_t, whatever_exec_t, whatever_t)
+
+define(`run_program', `
+type run_$3_exec_t, file_type, exec_type, sysadmfile;
+
+# domain for program to run in, needs to change role (priv_system_role), change
+# identity to system_u (privuser), log failures to syslog (privlog) and
+# authenticate users
+type run_$3_t, domain, priv_system_role, privuser, privlog;
+domain_auto_trans($1, run_$3_exec_t, run_$3_t)
+role $2 types run_$3_t;
+
+domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t)
+dontaudit run_$3_t shadow_t:file getattr;
+
+# for utmp
+allow run_$3_t initrc_var_run_t:file rw_file_perms;
+allow run_$3_t admin_tty_type:chr_file rw_file_perms;
+
+dontaudit run_$3_t devpts_t:dir { getattr read };
+dontaudit run_$3_t device_t:dir read;
+
+# for auth_chkpwd
+dontaudit run_$3_t shadow_t:file read;
+allow run_$3_t self:process { fork sigchld };
+allow run_$3_t self:fifo_file rw_file_perms;
+allow run_$3_t self:capability setuid;
+allow run_$3_t self:lnk_file read;
+
+# often the administrator runs such programs from a directory that is owned
+# by a different user or has restrictive SE permissions, do not want to audit
+# the failed access to the current directory
+dontaudit run_$3_t file_type:dir search;
+dontaudit run_$3_t self:capability { dac_override dac_read_search };
+
+allow run_$3_t bin_t:lnk_file read;
+can_exec(run_$3_t, { bin_t shell_exec_t })
+ifdef(`chkpwd.te', `
+can_exec(run_$3_t, chkpwd_exec_t)
+')
+
+domain_trans(run_$3_t, $4, $5)
+can_setexec(run_$3_t)
+
+allow run_$3_t privfd:fd use;
+uses_shlib(run_$3_t)
+allow run_$3_t lib_t:file { getattr read };
+can_getsecurity(run_$3_t)
+r_dir_file(run_$3_t,selinux_config_t)
+r_dir_file(run_$3_t,default_context_t)
+allow run_$3_t self:unix_stream_socket create_socket_perms;
+allow run_$3_t self:unix_dgram_socket create_socket_perms;
+allow run_$3_t etc_t:file { getattr read };
+read_locale(run_$3_t)
+allow run_$3_t fs_t:filesystem getattr;
+allow run_$3_t { bin_t sbin_t }:dir search;
+dontaudit run_$3_t device_t:dir { getattr search };
+')
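Review bot: the chkpwd dependency is inconsistent: "domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t)" is unconditional, but "can_exec(run_$3_t, chkpwd_exec_t)" is wrapped in ifdef(`chkpwd.te', ...), so a policy without chkpwd.te still references undefined types; move the domain_auto_trans inside the same ifdef. Also "dontaudit run_$3_t shadow_t:file getattr;" and the later "dontaudit run_$3_t shadow_t:file read;" (under "for auth_chkpwd") can be merged into one rule.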
diff --git a/mls/macros/program/samba_macros.te b/mls/macros/program/samba_macros.te
new file mode 100644
index 0000000..d766784
--- /dev/null
+++ b/mls/macros/program/samba_macros.te
@@ -0,0 +1,30 @@
+#
+# Macros for samba domains.
+#
+
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com>
+#
+
+# 
+# samba_domain(domain_prefix)
+#
+# Define a derived domain for the samba program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/samba.te. 
+#
+undefine(`samba_domain')
+ifdef(`samba.te', `
+define(`samba_domain',`
+if ( samba_enable_home_dirs ) {
+allow smbd_t home_root_t:dir r_dir_perms;
+file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
+dontaudit smbd_t $1_file_type:dir_file_class_set getattr;
+}
+')
+', `
+define(`samba_domain',`')
+
+')dnl end if samba.te
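Review bot: the header says samba_domain will "Define a derived domain for the samba program when executed by a user domain", but the body declares no $1_samba_t type and no transition; it only grants smbd_t access to $1's home-directory types when samba_enable_home_dirs is set. Rewrite the comment to describe what the macro actually does (per-user home-directory access for smbd_t) and note that it expects the samba_enable_home_dirs boolean to be declared elsewhere, presumably in samba.te.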
diff --git a/mls/macros/program/screen_macros.te b/mls/macros/program/screen_macros.te
new file mode 100644
index 0000000..e81a90a
--- /dev/null
+++ b/mls/macros/program/screen_macros.te
@@ -0,0 +1,113 @@
+#
+# Macros for screen domains.
+#
+
+#
+# Author: Russell Coker <russell@coker.com.au>
+# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
+# and Timothy Fraser
+#
+
+#
+# screen_domain(domain_prefix)
+#
+# Define a derived domain for the screen program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/screen.te. 
+#
+undefine(`screen_domain')
+ifdef(`screen.te', `
+define(`screen_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_screen_t, domain, privlog, privfd, nscd_client_domain;
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
+
+tmp_domain($1_screen, `', `{ dir file fifo_file }')
+base_file_read_access($1_screen_t)
+# The user role is authorized for this domain.
+role $1_r types $1_screen_t;
+
+uses_shlib($1_screen_t)
+
+# for SSP
+allow $1_screen_t urandom_device_t:chr_file read;
+
+# Revert to the user domain when a shell is executed.
+domain_auto_trans($1_screen_t, { shell_exec_t bin_t }, $1_t)
+domain_auto_trans($1_screen_t, $1_home_t, $1_t)
+if (use_nfs_home_dirs) {
+domain_auto_trans($1_screen_t, nfs_t, $1_t)
+}
+if (use_samba_home_dirs) {
+domain_auto_trans($1_screen_t, cifs_t, $1_t)
+}
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
+
+home_domain_ro($1, screen)
+
+allow $1_screen_t privfd:fd use;
+
+# Write to utmp.
+allow $1_screen_t initrc_var_run_t:file rw_file_perms;
+ifdef(`utempter.te', `
+dontaudit $1_screen_t utempter_exec_t:file execute;
+')
+
+# create pty devices
+can_create_other_pty($1_screen, $1)
+allow $1_screen_t $1_tty_device_t:chr_file rw_file_perms;
+allow $1_screen_t device_t:dir { getattr read };
+
+allow $1_screen_t fs_t:filesystem getattr;
+
+# Create fifo
+allow $1_screen_t var_t:dir search;
+file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir)
+type $1_screen_var_run_t, file_type, sysadmfile, pidfile;
+file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
+
+allow $1_screen_t self:process { fork signal_perms };
+allow $1_t $1_screen_t:process signal;
+allow $1_screen_t $1_t:process signal;
+allow $1_screen_t self:capability { setuid setgid fsetid };
+
+dontaudit $1_screen_t shadow_t:file read;
+
+allow $1_screen_t tmp_t:dir search;
+can_network($1_screen_t)
+allow $1_screen_t port_type:tcp_socket name_connect;
+can_ypbind($1_screen_t)
+
+# get stats
+allow $1_screen_t proc_t:dir search;
+allow $1_screen_t proc_t:file { getattr read };
+allow $1_screen_t proc_t:lnk_file read;
+allow $1_screen_t etc_t:{ file lnk_file } { read getattr };
+allow $1_screen_t self:dir { search read };
+allow $1_screen_t self:lnk_file read;
+allow $1_screen_t device_t:dir search;
+allow $1_screen_t { home_root_t $1_home_dir_t }:dir search;
+
+# Internal screen networking
+allow $1_screen_t self:fd use;
+allow $1_screen_t self:unix_stream_socket create_socket_perms;
+allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+
+allow $1_screen_t bin_t:dir search;
+allow $1_screen_t bin_t:lnk_file read;
+read_locale($1_screen_t)
+
+dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
+')dnl end screen_domain
+
+', `
+
+define(`screen_domain',`')
+
+')
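Review bot: "can_network($1_screen_t)" together with "allow $1_screen_t port_type:tcp_socket name_connect;" gives every user's screen domain unrestricted outbound TCP to any port type, and the only nearby comment, "Internal screen networking", refers to the unix sockets below it. If screen only needs its own unix-socket IPC, the two network rules can go; if some users genuinely need it, put it behind a boolean as spamassassin_macros.te does with its can_network tunable.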
diff --git a/mls/macros/program/sendmail_macros.te b/mls/macros/program/sendmail_macros.te
new file mode 100644
index 0000000..540e0a2
--- /dev/null
+++ b/mls/macros/program/sendmail_macros.te
@@ -0,0 +1,56 @@
+#
+# Macros for sendmail domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
+#           Russell Coker <russell@coker.com.au>
+#
+
+#
+# sendmail_user_domain(domain_prefix)
+#
+# Define a derived domain for the sendmail program when executed by
+# a user domain to send outgoing mail.  These domains are separate and
+# independent of the domain used for the sendmail daemon process.
+#
+undefine(`sendmail_user_domain')
+define(`sendmail_user_domain', `
+
+# Use capabilities
+allow $1_mail_t self:capability net_bind_service;
+
+tmp_domain($1_mail)
+
+# Write to /var/spool/mail and /var/spool/mqueue.
+allow $1_mail_t mail_spool_t:dir rw_dir_perms;
+allow $1_mail_t mail_spool_t:file create_file_perms;
+allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
+allow $1_mail_t mqueue_spool_t:file create_file_perms;
+
+# Write to /var/log/sendmail.st
+file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t)
+
+allow $1_mail_t etc_mail_t:dir { getattr search };
+
+allow $1_mail_t { var_t var_spool_t }:dir getattr;
+
+allow $1_mail_t etc_runtime_t:file { getattr read };
+
+# Check available space.
+allow $1_mail_t fs_t:filesystem getattr;
+
+allow $1_mail_t sysctl_kernel_t:dir search;
+
+ifelse(`$1', `sysadm', `
+allow $1_mail_t proc_t:dir { getattr search };
+allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
+dontaudit $1_mail_t proc_net_t:dir search;
+allow $1_mail_t sysctl_kernel_t:file { getattr read };
+allow $1_mail_t etc_runtime_t:file { getattr read };
+', `
+dontaudit $1_mail_t proc_t:dir search;
+dontaudit $1_mail_t sysctl_kernel_t:file read;
+')dnl end if sysadm
+')
+
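Review bot: "file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t)" omits the object-class argument although the comment says it is for the single file /var/log/sendmail.st; the other file_type_auto_trans calls in this series pass an explicit class, so add file here to keep the transition scoped. Also "allow $1_mail_t etc_runtime_t:file { getattr read };" is granted unconditionally near the top and again inside the ifelse sysadm branch; drop the duplicate.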
diff --git a/mls/macros/program/slocate_macros.te b/mls/macros/program/slocate_macros.te
new file mode 100644
index 0000000..115022b
--- /dev/null
+++ b/mls/macros/program/slocate_macros.te
@@ -0,0 +1,64 @@
+#
+# Macros for locate domains.
+#
+
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+#
+# locate_domain(domain_prefix)
+#
+# Define a derived domain for the locate program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/locate.te. 
+#
+undefine(`locate_domain')
+ifdef(`slocate.te', `
+define(`locate_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_locate_t, domain;
+
+allow $1_locate_t self:process signal;
+
+allow $1_locate_t etc_t:file { getattr read };
+allow $1_locate_t self:unix_stream_socket create_socket_perms;
+r_dir_file($1_locate_t,locate_var_lib_t)
+allow $1_locate_t var_lib_t:dir search;
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, locate_exec_t, $1_locate_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_locate_t;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `
+allow $1_locate_t $1_gph_t:fd use;
+')
+
+allow $1_locate_t privfd:fd use;
+
+# allow ps to show locate
+can_ps($1_t, $1_locate_t)
+allow $1_t $1_locate_t:process signal;
+
+uses_shlib($1_locate_t)
+access_terminal($1_locate_t, $1)
+
+allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search };
+allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };
+
+base_file_read_access($1_locate_t)
+r_dir_file($1_locate_t, { etc_t lib_t var_t })
+dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms;
+dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read };
+')
+
+', `
+
+define(`locate_domain',`')
+
+')
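Review bot: "allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };" gives the locate domain read access to the contents of every user file type; if the intent is only to confirm that database entries still exist and are visible to the caller, getattr on file (keeping read for lnk_file) would suffice, and the comment should say what the read is for if it is needed. Minor: "{ fs_type file_type -shadow_t}" is missing the space before the closing brace.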
diff --git a/mls/macros/program/spamassassin_macros.te b/mls/macros/program/spamassassin_macros.te
new file mode 100644
index 0000000..c85cfc7
--- /dev/null
+++ b/mls/macros/program/spamassassin_macros.te
@@ -0,0 +1,128 @@
+#
+# Macros for spamassassin domains.
+#
+# Author: Colin Walters <walters@verbum.org>
+
+# spamassassin_domain(domain_prefix)
+#
+# Define derived domains for various spamassassin tools when executed
+# by a user domain.
+#
+# The type declarations for the executable types of these programs are
+# provided separately in domains/program/spamassassin.te and
+# domains/program/spamc.te.
+#
+undefine(`spamassassin_domain')
+ifdef(`spamassassin.te', `define(`using_spamassassin', `')')
+ifdef(`spamd.te', `define(`using_spamassassin', `')')
+ifdef(`spamc.te', `define(`using_spamassassin', `')')
+
+ifdef(`using_spamassassin',`
+
+#######
+# Macros used internally in these spamassassin macros.
+#
+
+###
+# Define a domain for a spamassassin-like program (spamc/spamassassin).
+#
+# Note: most of this should really be in a generic macro like
+# base_user_program($1, foo)
+define(`spamassassin_program_domain',`
+type $1_$2_t, domain, privlog $3;
+domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
+
+role $1_r types $1_$2_t;
+general_domain_access($1_$2_t)
+
+base_file_read_access($1_$2_t)
+r_dir_file($1_$2_t, etc_t)
+ifdef(`sendmail.te', `
+r_dir_file($1_$2_t, etc_mail_t)
+')
+allow $1_$2_t etc_runtime_t:file r_file_perms;
+uses_shlib($1_$2_t)
+read_locale($1_$2_t)
+dontaudit $1_$2_t var_t:dir search;
+tmp_domain($1_$2)
+allow $1_$2_t privfd:fd use;
+allow $1_$2_t userpty_type:chr_file rw_file_perms;
+') dnl end spamassassin_program_domain
+
+###
+# Give privileges to a domain for accessing ~/.spamassassin
+# and a few other misc things like /dev/random.
+# This is granted to /usr/bin/spamassassin and
+# /usr/sbin/spamd, but NOT spamc (because it does not need it).
+#
+define(`spamassassin_agent_privs',`
+allow $1 home_root_t:dir r_dir_perms;
+file_type_auto_trans($1, $2_home_dir_t, $2_spamassassin_home_t)
+create_dir_file($1, $2_spamassassin_home_t)
+
+allow $1 urandom_device_t:chr_file r_file_perms;
+')
+
+#######
+# Define the main spamassassin macro.  This itself creates a
+# domain for /usr/bin/spamassassin, and also spamc/spamd if
+# applicable.
+#
+define(`spamassassin_domain',`
+spamassassin_program_domain($1, spamassassin)
+
+# For perl libraries.
+allow $1_spamassassin_t lib_t:file rx_file_perms;
+# Ignore perl digging in /proc and /var.
+dontaudit $1_spamassassin_t proc_t:dir search;
+dontaudit $1_spamassassin_t proc_t:lnk_file read;
+dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;
+
+# For ~/.spamassassin
+home_domain($1, spamassassin)
+file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir)
+
+spamassassin_agent_privs($1_spamassassin_t, $1)
+
+can_resolve($1_spamassassin_t)
+# set tunable if you have spamassassin do DNS lookups
+if (spamassasin_can_network) {
+can_network($1_spamassassin_t)
+allow $1_spamassassin_t port_type:tcp_socket name_connect;
+}
+if (spamassasin_can_network && allow_ypbind) {
+uncond_can_ypbind($1_spamassassin_t)
+}
+###
+# Define the domain for /usr/bin/spamc
+#
+ifdef(`spamc.te',`
+spamassassin_program_domain($1, spamc, `, nscd_client_domain')
+can_network($1_spamc_t)
+allow $1_spamc_t port_type:tcp_socket name_connect;
+can_ypbind($1_spamc_t)
+
+# Allow connecting to a local spamd
+ifdef(`spamd.te',`
+can_tcp_connect($1_spamc_t, spamd_t)
+can_unix_connect($1_spamc_t, spamd_t)
+allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
+') dnl endif spamd.te
+') dnl endif spamc.te
+
+###
+# Define the domain for /usr/sbin/spamd
+#
+ifdef(`spamd.te',`
+
+spamassassin_agent_privs(spamd_t, $1)
+
+') dnl endif spamd.te
+
+') dnl end spamassassin_domain
+
+', `
+
+define(`spamassassin_domain',`')
+
+')
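Review bot: the boolean is spelled "spamassasin_can_network" (one s) in both if() conditions of spamassassin_domain while every other identifier in the file is spelled spamassassin; check that the declaration matches, otherwise the policy will not build. The ~/.spamassassin transition is also set up twice: "file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir)" in spamassassin_domain and again, without a class argument, via spamassassin_agent_privs($1_spamassassin_t, $1); one of the two is redundant. And "can_resolve($1_spamassassin_t)" sits outside the tunable even though the comment says to set the tunable "if you have spamassassin do DNS lookups".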
diff --git a/mls/macros/program/ssh_agent_macros.te b/mls/macros/program/ssh_agent_macros.te
new file mode 100644
index 0000000..7215f5c
--- /dev/null
+++ b/mls/macros/program/ssh_agent_macros.te
@@ -0,0 +1,117 @@
+#
+# Macros for ssh agent
+#
+
+#
+# Author:  Thomas Bleher <ThomasBleher@gmx.de>
+#
+
+# 
+# ssh_agent_domain(domain_prefix)
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/ssh-agent.te. 
+#
+define(`ssh_agent_domain',`
+# Define a derived domain for the ssh-agent program when executed
+# by a user domain.
+# Derived domain based on the calling user domain and the program.
+type $1_ssh_agent_t, domain, privlog;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_ssh_agent_t;
+
+allow $1_ssh_agent_t privfd:fd use;
+
+# Write to the user domain tty.
+access_terminal($1_ssh_agent_t, $1)
+
+# Allow the user shell to signal the ssh program.
+allow $1_t $1_ssh_agent_t:process signal;
+# allow ps to show ssh
+can_ps($1_t, $1_ssh_agent_t)
+
+can_ypbind($1_ssh_agent_t)
+if (use_nfs_home_dirs) {
+allow $1_ssh_agent_t autofs_t:dir { search getattr };
+rw_dir_create_file($1_ssh_agent_t, nfs_t)
+}
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_ssh_agent_t, cifs_t)
+}
+
+uses_shlib($1_ssh_agent_t)
+read_locale($1_ssh_agent_t)
+
+allow $1_ssh_agent_t proc_t:dir search;
+dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
+dontaudit $1_ssh_agent_t selinux_config_t:dir search;
+dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
+read_sysctl($1_ssh_agent_t)
+
+# Access the ssh temporary files. Should we have an own type here
+# to which only ssh, ssh-agent and ssh-add have access?
+allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
+file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
+allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms;
+
+allow $1_ssh_agent_t self:process { fork sigchld setrlimit };
+allow $1_ssh_agent_t self:capability setgid;
+
+# access the random devices
+allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+# for ssh-add
+can_unix_connect($1_t, $1_ssh_agent_t)
+
+# transition back to normal privs upon exec
+domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t)
+if (use_nfs_home_dirs) {
+domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
+}
+if (use_samba_home_dirs) {
+domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t)
+}
+allow $1_ssh_agent_t bin_t:dir search;
+
+# allow reading of /usr/bin/X11 (is a symlink)
+allow $1_ssh_agent_t bin_t:lnk_file read;
+
+allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull;
+
+allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search;
+
+allow $1_ssh_t $1_tmp_t:sock_file write;
+allow $1_ssh_t $1_t:unix_stream_socket connectto;
+allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
+
+ifdef(`xdm.te', `
+can_pipe_xdm($1_ssh_agent_t)
+
+# kdm: sigchld
+allow $1_ssh_agent_t xdm_t:process sigchld;
+')
+
+#
+# Allow command to ssh-agent > ~/.ssh_agent
+#
+allow $1_ssh_agent_t $1_home_t:file rw_file_perms;
+allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms;
+
+allow $1_ssh_agent_t etc_runtime_t:file { getattr read };
+allow $1_ssh_agent_t etc_t:file { getattr read };
+allow $1_ssh_agent_t lib_t:file { getattr read };
+
+allow $1_ssh_agent_t self:dir search;
+allow $1_ssh_agent_t self:file { getattr read };
+
+# Allow the ssh program to communicate with ssh-agent.
+allow $1_ssh_t $1_tmp_t:sock_file write;
+allow $1_ssh_t $1_t:unix_stream_socket connectto;
+allow $1_ssh_t sshd_t:unix_stream_socket connectto;
+')dnl end if ssh_agent
+
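Review bot: "allow $1_ssh_t $1_tmp_t:sock_file write;" and "allow $1_ssh_t $1_t:unix_stream_socket connectto;" appear twice in ssh_agent_domain, once after the home_root_t search rule and again under "Allow the ssh program to communicate with ssh-agent."; keep one copy. The comments "Allow the user shell to signal the ssh program" and "allow ps to show ssh" were carried over from ssh_macros.te and should say ssh-agent. The closing "dnl end if ssh_agent" is misleading too, since this file has no ifdef; the guard lives in the caller, where ssh_macros.te wraps ssh_agent_domain($1) in ifdef(`ssh-agent.te', ...).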
diff --git a/mls/macros/program/ssh_macros.te b/mls/macros/program/ssh_macros.te
new file mode 100644
index 0000000..0f6549f
--- /dev/null
+++ b/mls/macros/program/ssh_macros.te
@@ -0,0 +1,168 @@
+#
+# Macros for ssh domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>
+#           Russell Coker <russell@coker.com.au>
+#           Thomas Bleher <ThomasBleher@gmx.de>
+#
+
+# 
+# ssh_domain(domain_prefix)
+#
+# Define a derived domain for the ssh program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/ssh.te. 
+#
+undefine(`ssh_domain')
+ifdef(`ssh.te', `
+define(`ssh_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_ssh_t, domain, privlog, nscd_client_domain;
+type $1_home_ssh_t, file_type, $1_file_type, sysadmfile;
+
+allow $1_ssh_t autofs_t:dir { search getattr };
+if (use_nfs_home_dirs) {
+create_dir_file($1_ssh_t, nfs_t)
+}
+if (use_samba_home_dirs) {
+create_dir_file($1_ssh_t, cifs_t)
+}
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_ssh_t;
+
+# Grant permissions within the domain.
+general_domain_access($1_ssh_t)
+
+# Use descriptors created by sshd
+allow $1_ssh_t privfd:fd use;
+
+uses_shlib($1_ssh_t)
+read_locale($1_ssh_t)
+
+# Get attributes of file systems.
+allow $1_ssh_t fs_type:filesystem getattr;
+
+base_file_read_access($1_ssh_t)
+
+# Read /var.
+r_dir_file($1_ssh_t, var_t)
+
+# Read /var/run, /var/log.
+allow $1_ssh_t var_run_t:dir r_dir_perms;
+allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
+allow $1_ssh_t var_log_t:dir r_dir_perms;
+allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;
+
+# Read /etc.
+r_dir_file($1_ssh_t, etc_t)
+allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;
+
+# Read /dev directories and any symbolic links.
+allow $1_ssh_t device_t:dir r_dir_perms;
+allow $1_ssh_t device_t:lnk_file r_file_perms;
+
+# Read /dev/urandom.
+allow $1_ssh_t urandom_device_t:chr_file r_file_perms;
+
+# Read and write /dev/null.
+allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms;
+
+# Grant permissions needed to create TCP and UDP sockets and
+# to access the network.
+can_network_client_tcp($1_ssh_t)
+allow $1_ssh_t ssh_port_t:tcp_socket name_connect;
+can_resolve($1_ssh_t)
+can_ypbind($1_ssh_t)
+can_kerberos($1_ssh_t)
+
+# for port forwarding
+if (user_tcp_server) {
+allow $1_ssh_t port_t:tcp_socket name_bind;
+}
+
+# Use capabilities.
+allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
+
+# run helper programs - needed eg for x11-ssh-askpass
+can_exec($1_ssh_t, { shell_exec_t bin_t })
+
+# Read the ssh key file.
+allow $1_ssh_t sshd_key_t:file r_file_perms;
+
+# Access the ssh temporary files.
+file_type_auto_trans($1_ssh_t, tmp_t, sshd_tmp_t)
+allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
+
+# for rsync
+allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms;
+
+# Access the users .ssh directory.
+file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)
+file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file)
+allow $1_t $1_home_ssh_t:sock_file create_file_perms;
+allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms;
+allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:lnk_file { getattr read };
+dontaudit $1_ssh_t $1_home_t:dir { getattr search };
+r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t)
+rw_dir_create_file($1_t, $1_home_ssh_t)
+
+# for /bin/sh used to execute xauth
+dontaudit $1_ssh_t proc_t:dir search;
+dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
+
+# Write to the user domain tty.
+access_terminal($1_ssh_t, $1)
+
+# Allow the user shell to signal the ssh program.
+allow $1_t $1_ssh_t:process signal;
+# allow ps to show ssh
+can_ps($1_t, $1_ssh_t)
+
+# Connect to X server
+x_client_domain($1_ssh, $1)
+
+ifdef(`ssh-agent.te', `
+ssh_agent_domain($1)
+')dnl end if ssh_agent.te
+
+#allow ssh to access keys stored on removable media
+# Should we have a boolean around this?
+allow $1_ssh_t mnt_t:dir search;
+r_dir_file($1_ssh_t, removable_t) 
+
+type $1_ssh_keysign_t, domain, nscd_client_domain;
+role $1_r types $1_ssh_keysign_t;
+
+if (allow_ssh_keysign) {
+domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
+allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+allow $1_ssh_keysign_t self:capability { setgid setuid };
+allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
+uses_shlib($1_ssh_keysign_t)
+dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
+dontaudit $1_ssh_keysign_t proc_t:dir search;
+dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
+allow $1_ssh_keysign_t usr_t:dir search;
+allow $1_ssh_keysign_t etc_t:file { getattr read };
+allow $1_ssh_keysign_t self:dir search;
+allow $1_ssh_keysign_t self:file { getattr read };
+allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
+}
+
+')dnl end macro definition
+', `
+
+define(`ssh_domain',`')
+
+')dnl end if ssh.te
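Review bot: "file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)" and the two allow rules below it give sysadm_ssh_t create and write access to every user's $1_home_ssh_t files, and for $1 = sysadm the set lists sysadm_ssh_t twice. If the intent is to let the administrator's ssh client populate other users' .ssh directories, state that in the comment; otherwise restrict these rules to $1_ssh_t, since "rw_dir_create_file($1_t, $1_home_ssh_t)" already covers the owner. Also "allow $1_ssh_t sshd_key_t:file r_file_perms;" under "Read the ssh key file." deserves a second look: the $1_ssh_keysign_t domain further down gets its own sshd_key_t read rule and setuid/setgid capabilities, which suggests the client is meant to reach that key type through ssh-keysign rather than directly.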
diff --git a/mls/macros/program/su_macros.te b/mls/macros/program/su_macros.te
new file mode 100644
index 0000000..206f58e
--- /dev/null
+++ b/mls/macros/program/su_macros.te
@@ -0,0 +1,188 @@
+#
+# Macros for su domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
+#
+
+#
+# su_domain(domain_prefix)
+#
+# Define a derived domain for the su program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/su.te. 
+#
+
+undefine(`su_restricted_domain')
+undefine(`su_mini_domain')
+undefine(`su_domain')
+ifdef(`su.te', `
+
+define(`su_restricted_domain', `
+# Derived domain based on the calling user domain and the program.
+type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
+ifdef(`support_polyinstantiation', `
+typeattribute $1_su_t mlsfileread;
+typeattribute $1_su_t mlsfilewrite;
+typeattribute $1_su_t mlsfileupgrade;
+typeattribute $1_su_t mlsfiledowngrade;
+typeattribute $1_su_t mlsprocsetsl;
+')
+
+# for SSP
+allow $1_su_t urandom_device_t:chr_file { getattr read };
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, su_exec_t, $1_su_t)
+
+allow $1_su_t sbin_t:dir search;
+
+uses_shlib($1_su_t)
+allow $1_su_t etc_t:file { getattr read };
+read_locale($1_su_t)
+read_sysctl($1_su_t)
+allow $1_su_t self:unix_dgram_socket { connect create write };
+allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_su_t self:fifo_file rw_file_perms;
+allow $1_su_t proc_t:dir search;
+allow $1_su_t proc_t:lnk_file read;
+r_dir_file($1_su_t, self)
+allow $1_su_t proc_t:file read;
+allow $1_su_t self:process { setsched setrlimit };
+allow $1_su_t device_t:dir search;
+allow $1_su_t self:process { fork sigchld };
+nsswitch_domain($1_su_t)
+r_dir_file($1_su_t, selinux_config_t)
+
+dontaudit $1_su_t shadow_t:file { getattr read };
+dontaudit $1_su_t home_root_t:dir search;
+dontaudit $1_su_t init_t:fd use;
+allow $1_su_t var_lib_t:dir search;
+allow $1_t $1_su_t:process signal;
+
+ifdef(`crond.te', `
+allow $1_su_t crond_t:fifo_file read;
+')
+
+# Use capabilities.
+allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control audit_write };
+dontaudit $1_su_t self:capability sys_tty_config;
+#
+# Caused by su - init scripts
+#
+dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+
+# By default, revert to the calling domain when a shell is executed.
+domain_auto_trans($1_su_t, shell_exec_t, $1_t)
+allow $1_su_t bin_t:dir search;
+allow $1_su_t bin_t:lnk_file read;
+
+# But also allow transitions to unprivileged user domains.
+domain_trans($1_su_t, shell_exec_t, unpriv_userdomain)
+can_setexec($1_su_t)
+
+# Get security decisions
+can_getsecurity($1_su_t)
+r_dir_file($1_su_t, default_context_t)
+
+allow $1_su_t privfd:fd use;
+
+# Write to utmp.
+allow $1_su_t { var_t var_run_t }:dir search;
+allow $1_su_t initrc_var_run_t:file rw_file_perms;
+can_kerberos($1_su_t)
+
+ifdef(`chkpwd.te', `
+domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
+')
+
+allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+
+') dnl end su_restricted_domain
+
+define(`su_mini_domain', `
+su_restricted_domain($1,$1)
+if(!secure_mode)
+{
+	# if we are not in secure mode then we can transition to sysadm_t
+	domain_trans($1_su_t, shell_exec_t, sysadm_t)
+}
+
+# Relabel ttys and ptys.
+allow $1_su_t device_t:dir { getattr read search };
+allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
+
+# Close and re-open ttys and ptys to get the fd into the correct domain.
+allow $1_su_t { ttyfile ptyfile }:chr_file { read write };
+
+')dnl end su_mini_domain
+
+define(`su_domain', `
+su_mini_domain($1)
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
+
+# The user role is authorized for this domain.
+role $1_r types $1_su_t;
+
+# Write to the user domain tty.
+access_terminal($1_su_t, $1)
+
+allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
+allow $1_su_t $1_home_t:file create_file_perms;
+ifdef(`user_canbe_sysadm', `
+allow $1_su_t home_dir_type:dir { search write };
+', `
+dontaudit $1_su_t home_dir_type:dir { search write };
+')
+
+allow $1_su_t autofs_t:dir { search getattr };
+if (use_nfs_home_dirs) {
+allow $1_su_t nfs_t:dir search;
+}
+if (use_samba_home_dirs) {
+allow $1_su_t cifs_t:dir search;
+}
+
+ifdef(`support_polyinstantiation', `
+# Su can polyinstantiate
+polyinstantiater($1_su_t)
+# Su has to unmount polyinstantiated directories (like home)
+# that should not be polyinstantiated under the new user
+allow $1_su_t fs_t:filesystem unmount;
+# Su needs additional permission to mount over a previous mount
+allow $1_su_t polymember:dir mounton;
+')
+
+# Modify .Xauthority file (via xauth program).
+ifdef(`xauth.te', `
+file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
+')
+
+ifdef(`cyrus.te', `
+allow $1_su_t cyrus_var_lib_t:dir search;
+')
+ifdef(`ssh.te', `
+# Access sshd cookie files.
+allow $1_su_t sshd_tmp_t:dir rw_dir_perms;
+allow $1_su_t sshd_tmp_t:file rw_file_perms;
+file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
+')
+
+allow $1_su_t var_lib_t:dir search;
+dontaudit $1_su_t init_t:fd use;
+')dnl end su_domain
+
+', `
+
+define(`su_domain',`')
+
+')
+
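Review bot: `allow $1_su_t var_lib_t:dir search;` and `dontaudit $1_su_t init_t:fd use;` at the end of su_domain duplicate the same two rules at the top of su_restricted_domain, which su_domain already pulls in through su_mini_domain; drop the second copy. The capability line under `# Use capabilities.` hands every su domain `audit_control` and `audit_write` with no reason given; `audit_control` also permits changing audit configuration, so if it is there for pam_loginuid's write to /proc/self/loginuid, say so in the comment so a later reviewer does not remove it or, conversely, copy it into domains that do not need it. Note also that `domain_trans($1_su_t, shell_exec_t, unpriv_userdomain)` in the restricted macro is unconditional while the sysadm_t transition in su_mini_domain is gated on `secure_mode`; if the restricted variant is meant for daemons, document which domains are reachable from it.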
diff --git a/mls/macros/program/sudo_macros.te b/mls/macros/program/sudo_macros.te
new file mode 100644
index 0000000..b2b4e1c
--- /dev/null
+++ b/mls/macros/program/sudo_macros.te
@@ -0,0 +1,34 @@
+# Authors:  Dan Walsh,  Russell Coker
+# Maintained by Dan Walsh <dwalsh@redhat.com>
+define(`sudo_domain',`
+newrole_domain($1_sudo, `, privuser')
+
+# By default, revert to the calling domain when a shell is executed.
+domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)
+
+ifdef(`mta.te', `
+domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
+allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
+')
+
+allow $1_sudo_t self:capability sys_resource;
+
+allow $1_sudo_t self:process setrlimit;
+
+ifdef(`pam.te', `
+allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
+allow $1_sudo_t pam_var_run_t:file create_file_perms;
+')
+
+allow $1_sudo_t initrc_var_run_t:file rw_file_perms;
+allow $1_sudo_t sysctl_t:dir search;
+allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr;
+allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read };
+read_sysctl($1_sudo_t)
+
+allow $1_sudo_t var_run_t:dir search;
+r_dir_file($1_sudo_t, default_context_t)
+rw_dir_create_file($1_sudo_t, $1_tmp_t)
+rw_dir_create_file($1_sudo_t, $1_home_t)
+domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
+')
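Review bot: Missing documentation: unlike the other macro files in this series, sudo_macros.te has no header describing `sudo_domain(domain_prefix)` or what the `, privuser` argument passed to newrole_domain adds to the derived domain; add the usual `# sudo_domain(domain_prefix)` block. Two rules look broader than sudo itself needs: `rw_dir_create_file($1_sudo_t, $1_home_t)` lets the sudo domain create and write files anywhere under the user's home and `rw_dir_create_file($1_sudo_t, $1_tmp_t)` does the same for the user's tmp files; if these are for the child program rather than sudo, the `domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)` revert already covers that case, so either drop them or comment which sudo operation needs them. Style: `} :file getattr;` and `} :lnk_file { getattr read };` put a space before the class separator, which nothing else in the patch does.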
diff --git a/mls/macros/program/thunderbird_macros.te b/mls/macros/program/thunderbird_macros.te
new file mode 100644
index 0000000..2c0711d
--- /dev/null
+++ b/mls/macros/program/thunderbird_macros.te
@@ -0,0 +1,60 @@
+#
+# Thunderbird
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+#######################################
+# thunderbird_domain(role_prefix)
+#
+
+# FIXME: Rules were removed to centralize policy in a gnome_app macro
+# A similar thing might be necessary for mozilla compiled without GNOME
+# support (is this possible?).
+
+define(`thunderbird_domain', `
+
+# Type for program
+type $1_thunderbird_t, domain, nscd_client_domain;
+
+# Transition from user type
+if (! disable_thunderbird_trans) {
+domain_auto_trans($1_t, thunderbird_exec_t, $1_thunderbird_t)
+}
+role $1_r types $1_thunderbird_t;
+
+# FIXME: Why does it try to do that?
+dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
+
+# Why is thunderbird looking in .mozilla ?
+# FIXME: there are legitimate uses of invoking the browser - about -> release notes
+dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search;
+
+# .kde/....gtkrc
+# FIXME: support properly 
+dontaudit $1_thunderbird_t $1_home_t:file { getattr read };
+
+# X, mail common stuff
+x_client_domain($1_thunderbird, $1)
+mail_client_domain($1_thunderbird, $1)
+
+allow $1_thunderbird_t self:process signull;
+allow $1_thunderbird_t fs_t:filesystem getattr;
+
+# GNOME support
+ifdef(`gnome.te', `
+gnome_application($1_thunderbird, $1)
+gnome_file_dialog($1_thunderbird, $1)
+allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
+')
+
+# Access ~/.thunderbird
+home_domain($1, thunderbird)
+
+# RSS feeds
+can_network_client_tcp($1_thunderbird_t, http_port_t) 
+allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
+
+allow $1_thunderbird_t self:process { execheap execmem execstack };
+
+')
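Review bot: `allow $1_thunderbird_t self:process { execheap execmem execstack };` at the end of the macro turns off the executable-memory checks for a network-facing mail client without saying which component needs it; the comparable grant in xserver_macros.te at least carries `# Until the X module loader is fixed.` Put it behind a boolean or add a `# FIXME` like the three above it so the relaxation stays tracked. The boolean tested in `if (! disable_thunderbird_trans)` is not declared in this file, so the macro only builds if thunderbird.te (or another file) declares it; a comment naming where it lives would help. Trailing whitespace on `# FIXME: support properly ` and `can_network_client_tcp($1_thunderbird_t, http_port_t) `.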
diff --git a/mls/macros/program/tvtime_macros.te b/mls/macros/program/tvtime_macros.te
new file mode 100644
index 0000000..d965ae1
--- /dev/null
+++ b/mls/macros/program/tvtime_macros.te
@@ -0,0 +1,64 @@
+#
+# Macros for tvtime domains.
+#
+
+#
+# Author: Dan Walsh <dwalsh@redhat.com>
+#
+
+#
+# tvtime_domain(domain_prefix)
+#
+# Define a derived domain for the tvtime program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/tvtime.te. 
+#
+undefine(`tvtime_domain')
+ifdef(`tvtime.te', `
+define(`tvtime_domain',`
+
+# Type transition
+type $1_tvtime_t, domain, nscd_client_domain;
+domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
+role $1_r types $1_tvtime_t;
+
+# X access, Home files
+home_domain($1, tvtime)
+file_type_auto_trans($1_tvtime_t, $1_home_dir_t, $1_tvtime_home_t, dir)
+x_client_domain($1_tvtime, $1)
+
+uses_shlib($1_tvtime_t)
+read_locale($1_tvtime_t)
+read_sysctl($1_tvtime_t)
+access_terminal($1_tvtime_t, $1)
+
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_tvtime_t)
+allow $1_t $1_tvtime_t:process signal_perms;
+
+# Read /etc/tvtime
+allow $1_tvtime_t etc_t:file { getattr read };
+
+# Tmp files
+tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
+
+allow $1_tvtime_t urandom_device_t:chr_file read;
+allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
+allow $1_tvtime_t kernel_t:system ipc_info;
+allow $1_tvtime_t sound_device_t:chr_file { ioctl read };
+allow $1_tvtime_t $1_home_t:dir { getattr read search };
+allow $1_tvtime_t $1_home_t:file { getattr read };
+allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
+allow $1_tvtime_t self:process setsched;
+allow $1_tvtime_t usr_t:file { getattr read };
+
+')dnl end tvtime_domain
+
+', `
+
+define(`tvtime_domain',`')
+
+')
+
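Review bot: `allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };` includes `setuid` with no explanation; tvtime is normally installed setuid root so it can raise its scheduling priority (covered here by `sys_nice` and `self:process setsched`) and then drop back to the invoking user, and a comment saying the `setuid` is for that privilege drop would make the intent reviewable. `allow $1_tvtime_t $1_home_t:dir { getattr read search };` and `allow $1_tvtime_t $1_home_t:file { getattr read };` give read access to the user's whole home tree even though `home_domain($1, tvtime)` plus the `file_type_auto_trans` on `$1_home_dir_t` already provide a private `$1_tvtime_home_t`; if nothing outside ~/.tvtime is read, these two rules can go. Trailing whitespace on `# provided separately in domains/program/tvtime.te. `.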
diff --git a/mls/macros/program/uml_macros.te b/mls/macros/program/uml_macros.te
new file mode 100644
index 0000000..bc635f8
--- /dev/null
+++ b/mls/macros/program/uml_macros.te
@@ -0,0 +1,137 @@
+#
+# Macros for uml domains.
+#
+
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+#
+# uml_domain(domain_prefix)
+#
+# Define a derived domain for the uml program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/uml.te. 
+#
+undefine(`uml_domain')
+ifdef(`uml.te', `
+define(`uml_domain',`
+
+# Derived domain based on the calling user domain and the program.
+type $1_uml_t, domain;
+type $1_uml_exec_t, file_type, sysadmfile, $1_file_type;
+type $1_uml_ro_t, file_type, sysadmfile, $1_file_type;
+type $1_uml_rw_t, file_type, sysadmfile, $1_file_type;
+
+# for X
+ifdef(`startx.te', `
+ifelse($1, sysadm, `', `
+ifdef(`xdm.te', `
+allow $1_uml_t xdm_xserver_tmp_t:dir search;
+')dnl end if xdm.te
+allow $1_uml_t $1_xserver_tmp_t:sock_file write;
+can_unix_connect($1_uml_t, $1_xserver_t)
+')dnl end ifelse sysadm
+')dnl end ifdef startx
+
+allow $1_t { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
+allow $1_t $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
+allow $1_t { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
+allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
+r_dir_file($1_t, uml_ro_t)
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
+can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
+
+# The user role is authorized for this domain.
+role $1_r types $1_uml_t;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_uml_t $1_gph_t:fd use;')
+
+# Inherit and use descriptors from newrole.
+ifdef(`newrole.te', `allow $1_uml_t newrole_t:fd use;')
+
+# allow ps, ptrace, signal
+can_ps($1_t, $1_uml_t)
+can_ptrace($1_t, $1_uml_t)
+allow $1_t $1_uml_t:process signal_perms;
+
+# allow the UML thing to happen
+allow $1_uml_t self:process { fork signal_perms ptrace };
+can_create_pty($1_uml)
+allow $1_uml_t root_t:dir search;
+tmp_domain($1_uml)
+can_exec($1_uml_t, $1_uml_tmp_t)
+tmpfs_domain($1_uml)
+can_exec($1_uml_t, $1_uml_tmpfs_t)
+create_dir_file($1_t, $1_uml_tmp_t)
+allow $1_t $1_uml_tmp_t:sock_file create_file_perms;
+allow $1_uml_t self:fifo_file rw_file_perms;
+allow $1_uml_t fs_t:filesystem getattr;
+
+allow $1_uml_t tun_tap_device_t:chr_file { read write ioctl };
+
+ifdef(`uml_net.te', `
+# for uml_net
+domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
+allow uml_net_t $1_uml_t:unix_stream_socket { read write };
+allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
+dontaudit uml_net_t privfd:fd use;
+can_access_pty(uml_net_t, $1_uml)
+dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
+')dnl end ifdef uml_net.te
+
+# for mconsole
+allow { $1_t $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
+allow $1_uml_t $1_t:unix_dgram_socket sendto;
+
+# Use the network.
+can_network($1_uml_t)
+allow $1_uml_t port_type:tcp_socket name_connect;
+can_ypbind($1_uml_t)
+
+# for xterm
+uses_shlib($1_uml_t)
+can_exec($1_uml_t, { bin_t sbin_t lib_t })
+allow $1_uml_t { bin_t sbin_t }:dir search;
+allow $1_uml_t etc_t:file { getattr read };
+dontaudit $1_uml_t etc_runtime_t:file read;
+can_tcp_connect($1_uml_t, sshd_t)
+ifdef(`xauth.te', `
+allow $1_uml_t $1_xauth_home_t:file { getattr read };
+')
+allow $1_uml_t var_run_t:dir search;
+allow $1_uml_t initrc_var_run_t:file { getattr read };
+dontaudit $1_uml_t initrc_var_run_t:file { write lock };
+
+allow $1_uml_t device_t:dir search;
+allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_uml_t self:unix_dgram_socket create_socket_perms;
+allow $1_uml_t privfd:fd use;
+allow $1_uml_t proc_t:dir search;
+allow $1_uml_t proc_t:file { getattr read };
+
+# for SKAS - need something better
+allow $1_uml_t proc_t:file write;
+
+# Write to the user domain tty.
+access_terminal($1_uml_t, $1)
+
+# access config files
+allow $1_uml_t home_root_t:dir search;
+file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t)
+r_dir_file($1_uml_t, { $1_uml_ro_t uml_ro_t })
+
+# putting uml data under /var is usual...
+allow $1_uml_t var_t:dir search;
+')dnl end macro definition
+
+', `
+
+define(`uml_domain',`')
+
+')
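Review bot: `allow $1_uml_t proc_t:file write;` under `# for SKAS - need something better` grants write on every file labelled proc_t rather than the specific SKAS interface, and that comment is the only record of it; at minimum tag it `# FIXME` so it is found by the same search as the other open items in this patch. Also worth a second look: `can_exec($1_uml_t, $1_uml_tmp_t)` and `can_exec($1_uml_t, $1_uml_tmpfs_t)` let the domain execute files it created in tmp and tmpfs, and `allow $1_uml_t port_type:tcp_socket name_connect;` lets it connect to any labelled port; if the UML kernel image needs these, the reason belongs in a comment, since `# allow the UML thing to happen` does not say. `file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t)` passes no object class, unlike every other file_type_auto_trans call in this series, so it applies to all file classes; confirm that is intended.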
diff --git a/mls/macros/program/userhelper_macros.te b/mls/macros/program/userhelper_macros.te
new file mode 100644
index 0000000..2c715d3
--- /dev/null
+++ b/mls/macros/program/userhelper_macros.te
@@ -0,0 +1,142 @@
+#DESC Userhelper - SELinux utility to run a shell with a new role
+#
+# Authors:  Dan Walsh (Red Hat)
+# Maintained by Dan Walsh <dwalsh@redhat.com>
+#
+
+#
+# userhelper_domain(domain_prefix)
+#
+# Define a derived domain for the userhelper/userhelper program when executed by
+# a user domain.  
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/userhelper.te. 
+#
+define(`userhelper_domain',`
+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain;
+
+in_user_role($1_userhelper_t)
+role sysadm_r types $1_userhelper_t;
+
+ifelse($1, sysadm, `
+typealias sysadm_userhelper_t alias userhelper_t;
+domain_auto_trans(initrc_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
+general_domain_access($1_userhelper_t);
+
+uses_shlib($1_userhelper_t)
+read_locale($1_userhelper_t)
+read_sysctl($1_userhelper_t)
+
+# for when the user types "exec userhelper" at the command line
+allow $1_userhelper_t privfd:process sigchld;
+
+domain_auto_trans($1_t, userhelper_exec_t, $1_userhelper_t)
+
+# Inherit descriptors from the current session.
+allow $1_userhelper_t { init_t privfd }:fd use;
+
+can_exec($1_userhelper_t, { bin_t sbin_t userhelper_exec_t })
+
+# Execute shells
+allow $1_userhelper_t { sbin_t bin_t }:dir r_dir_perms;
+allow $1_userhelper_t { sbin_t bin_t }:lnk_file read;
+allow $1_userhelper_t shell_exec_t:file r_file_perms;
+
+# By default, revert to the calling domain when a program is executed.
+domain_auto_trans($1_userhelper_t, { bin_t sbin_t }, $1_t)
+
+# Allow $1_userhelper_t to transition to user domains.
+domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, unpriv_userdomain)
+if (!secure_mode) {
+	# if we are not in secure mode then we can transition to sysadm_t
+	domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, sysadm_t)
+}
+can_setexec($1_userhelper_t)
+
+ifdef(`distro_redhat', `
+ifdef(`rpm.te', `
+# Allow transitioning to rpm_t, for up2date
+allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure };
+')
+')
+
+# Use capabilities.
+allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+
+# Write to utmp.
+file_type_auto_trans($1_userhelper_t, var_run_t, initrc_var_run_t, file)
+
+# Read the devpts root directory.
+allow $1_userhelper_t devpts_t:dir r_dir_perms;
+
+# Read the /etc/security/default_type file
+allow $1_userhelper_t etc_t:file r_file_perms;
+
+# Read /var.
+r_dir_file($1_userhelper_t, var_t)
+
+# Read /dev directories and any symbolic links.
+allow $1_userhelper_t device_t:dir r_dir_perms;
+
+# Relabel terminals.
+allow $1_userhelper_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
+
+# Access terminals.
+allow $1_userhelper_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow $1_userhelper_t gphdomain:fd use;')
+
+#
+# Allow $1_userhelper to obtain contexts to relabel TTYs
+#
+can_getsecurity($1_userhelper_t)
+
+allow $1_userhelper_t fs_t:filesystem getattr;
+
+# for some PAM modules and for cwd
+allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search;
+
+allow $1_userhelper_t proc_t:dir search;
+allow $1_userhelper_t proc_t:file { getattr read };
+
+# for when the network connection is killed
+dontaudit unpriv_userdomain $1_userhelper_t:process signal;
+
+allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
+allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+
+ifdef(`pam.te', `
+allow $1_userhelper_t pam_var_run_t:dir create_dir_perms;
+allow $1_userhelper_t pam_var_run_t:file create_file_perms;
+')
+
+allow $1_userhelper_t urandom_device_t:chr_file { getattr read };
+
+allow $1_userhelper_t autofs_t:dir search;
+role system_r types $1_userhelper_t;
+r_dir_file($1_userhelper_t, nfs_t)
+
+ifdef(`xdm.te', `
+can_pipe_xdm($1_userhelper_t)
+allow $1_userhelper_t xdm_var_run_t:dir search;
+')
+
+r_dir_file($1_userhelper_t, selinux_config_t)
+r_dir_file($1_userhelper_t, default_context_t)
+
+ifdef(`xauth.te', `
+domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
+allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
+')
+
+ifdef(`pamconsole.te', `
+allow $1_userhelper_t pam_var_console_t:dir { search };
+')
+
+ifdef(`mozilla.te', `
+domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+')
+
+')dnl end userhelper macro
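Review bot: `domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, unpriv_userdomain)` and, inside `if (!secure_mode)`, `domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, sysadm_t)` use `exec_type` as the entrypoint set, so any executable carrying the exec_type attribute is a valid entrypoint into sysadm_t from this domain; the equivalent rule in su_macros.te restricts the entrypoint to `shell_exec_t`. If userhelper really runs arbitrary programs under the new role, say so in the `# Allow $1_userhelper_t to transition to user domains.` comment; otherwise narrow the entrypoint. `role system_r types $1_userhelper_t;` near the end authorizes every derived userhelper domain for system_r on top of `in_user_role` and `role sysadm_r types` at the top, which is probably only wanted for the `ifelse($1, sysadm, ...)` initrc case; move it there. `general_domain_access($1_userhelper_t);` carries a trailing semicolon where the other files call the macro without one; keep the calls consistent. Doc nit: the header line `userhelper/userhelper program` repeats the name, so one of the two was presumably meant to be a different program.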
diff --git a/mls/macros/program/vmware_macros.te b/mls/macros/program/vmware_macros.te
new file mode 100644
index 0000000..bb0914a
--- /dev/null
+++ b/mls/macros/program/vmware_macros.te
@@ -0,0 +1,128 @@
+# Macro for vmware
+#
+# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), 
+# modifications by NAI Labs.
+#
+# Turned into a macro by Thomas Bleher <ThomasBleher@gmx.de>
+#
+# vmware_domain(domain_prefix)
+#
+# Define a derived domain for the vmware program when executed by
+# a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/vmware.te. This file also
+# implements a separate domain vmware_t.
+#
+ 
+define(`vmware_domain', `
+
+# Domain for the user applications to run in.
+type $1_vmware_t, domain, privmem;
+
+role $1_r types $1_vmware_t;
+
+# The user file type is for files created when the user is running VMWare
+type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
+
+# The user file type for the VMWare configuration files
+type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
+
+#############################################################
+# User rules for running VMWare
+#
+# Transition to VMWare user domain
+domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
+can_exec($1_vmware_t, vmware_user_exec_t)
+uses_shlib($1_vmware_t)
+var_run_domain($1_vmware)
+
+general_domain_access($1_vmware_t);
+
+# Capabilities needed by VMWare for the user execution. This seems a 
+# bit too much, so be careful.
+allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
+
+# Access to ttys
+allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
+allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
+allow $1_vmware_t privfd:fd use;
+
+# Access /proc
+r_dir_file($1_vmware_t, proc_t)
+allow $1_vmware_t proc_net_t:dir search;
+allow $1_vmware_t proc_net_t:file { getattr read };
+
+# Access to some files in the user home directory
+r_dir_file($1_vmware_t, $1_home_t)
+
+# Access to runtime files for user
+allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
+allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
+allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;
+
+# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
+r_dir_file($1_vmware_t, vmware_sys_conf_t)
+
+# Allow $1_vmware_t to read/write files in the tmp dir
+tmp_domain($1_vmware)
+allow $1_vmware_t $1_vmware_tmp_t:file execute;
+
+# Allow read access to several paths
+r_dir_file($1_vmware_t, etc_t)
+allow $1_vmware_t etc_runtime_t:file r_file_perms;
+allow $1_vmware_t device_t:dir r_dir_perms;
+allow $1_vmware_t var_t:dir r_dir_perms;
+allow $1_vmware_t tmpfs_t:file rw_file_perms;
+
+# Allow vmware to write to ~/.vmware
+rw_dir_create_file($1_vmware_t, $1_vmware_file_t)
+
+#
+# This is bad; VMWare needs execute permission to the .cfg file for the
+# configuration to run.
+#
+allow $1_vmware_t $1_vmware_conf_t:file execute;
+
+# Access X11 config files
+allow $1_vmware_t lib_t:file r_file_perms;
+
+# Access components of VMWare in /usr/lib/vmware/bin by default
+allow $1_vmware_t bin_t:dir r_dir_perms;
+
+# Allow access to lp port (Need to create an lp device domain )
+allow $1_vmware_t device_t:chr_file r_file_perms;
+
+# Allow access to /dev/mem
+allow $1_vmware_t memory_device_t:chr_file { read write };
+
+# Allow access to mouse
+allow $1_vmware_t mouse_device_t:chr_file r_file_perms;
+
+# Allow access the sound device 
+allow $1_vmware_t sound_device_t:chr_file { ioctl write };
+
+# Allow removable media and devices
+allow $1_vmware_t removable_device_t:blk_file r_file_perms;
+allow $1_vmware_t device_t:lnk_file read;
+
+# Allow access to the real time clock device
+allow $1_vmware_t clock_device_t:chr_file read;
+
+# Allow to attach to Xserver, and Xserver to attach back
+ifdef(`gnome-pty-helper.te', `
+allow $1_vmware_t $1_gph_t:fd use;
+')
+ifdef(`startx.te', `
+allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
+allow $1_vmware_t $1_xserver_tmp_t:dir search;
+allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
+allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
+allow $1_xserver_t $1_vmware_t:fd use;
+')
+
+# Allow filesystem read access
+allow $1_vmware_t fs_t:filesystem getattr;
+
+')
+
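Review bot: Taken together, `sys_admin sys_rawio` in `allow $1_vmware_t self:capability { ... }`, `allow $1_vmware_t memory_device_t:chr_file { read write };` (write access to /dev/mem) and `allow $1_vmware_t $1_vmware_conf_t:file execute;` make `$1_vmware_t` a domain that SELinux can no longer contain, since a process that can write physical memory can alter the kernel itself. The comments already say `This seems a bit too much, so be careful` and `This is bad`; the review ask is to put the /dev/mem and raw-I/O rules behind a boolean, or at least state in the `# vmware_domain(domain_prefix)` header that this macro should only be applied to fully trusted user roles. `allow $1_vmware_t device_t:chr_file r_file_perms;` grants read on every device node still labelled with the generic device_t, and the comment beside it (`Need to create an lp device domain`) already names the fix; a `# FIXME` tag would keep it visible. Trailing whitespace on `# Based on work contributed by ... `, `# Capabilities needed by VMWare for the user execution. This seems a `, `# Allow access the sound device ` and the whitespace-only line before `define`.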
diff --git a/mls/macros/program/x_client_macros.te b/mls/macros/program/x_client_macros.te
new file mode 100644
index 0000000..adce9f0
--- /dev/null
+++ b/mls/macros/program/x_client_macros.te
@@ -0,0 +1,96 @@
+#
+# Macros for X client programs 
+#
+
+#
+# Author: Russell Coker <russell@coker.com.au>
+# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
+# and Timothy Fraser 
+#
+
+# Allows clients to write to the X server's shm 
+bool allow_write_xshm false;
+
+define(`xsession_domain', `
+
+# Connect to xserver
+can_unix_connect($1_t, $2_xserver_t)
+
+# Read /tmp/.X0-lock
+allow $1_t $2_xserver_tmp_t:file { getattr read };
+
+# Signal Xserver
+allow $1_t $2_xserver_t:process signal;
+
+# Xserver read/write client shm
+allow $2_xserver_t $1_t:fd use;
+allow $2_xserver_t $1_t:shm rw_shm_perms;
+allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
+
+# Client read xserver shm
+allow $1_t $2_xserver_t:fd use;
+allow $1_t $2_xserver_t:shm r_shm_perms;
+allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
+
+# Client write xserver shm
+if (allow_write_xshm) {
+allow $1_t $2_xserver_t:shm rw_shm_perms;
+allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
+}
+
+')
+
+#
+# x_client_domain(client, role)
+#
+# Defines common X access rules for the client domain
+#
+define(`x_client_domain',`
+
+# Create socket to communicate with X server
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+# Read .Xauthority file
+ifdef(`xauth.te',`
+allow $1_t home_root_t:dir { search getattr };
+allow $1_t $2_home_dir_t:dir { search getattr };
+allow $1_t $2_xauth_home_t:file { getattr read };
+')
+
+# for .xsession-errors
+dontaudit $1_t $2_home_t:file write;
+
+# for X over a ssh tunnel
+ifdef(`ssh.te', `
+can_tcp_connect($1_t, sshd_t)
+')
+
+# Use a separate type for tmpfs/shm pseudo files.
+tmpfs_domain($1)
+allow $1_t self:shm create_shm_perms;
+
+# allow X client to read all font files
+read_fonts($1_t, $2)
+
+# Allow connections to X server.
+ifdef(`xserver.te', `
+allow $1_t tmp_t:dir search;
+
+ifdef(`xdm.te', `
+xsession_domain($1, xdm)
+
+# for when /tmp/.X11-unix is created by the system
+can_pipe_xdm($1_t)
+allow $1_t xdm_tmp_t:dir search;
+allow $1_t xdm_tmp_t:sock_file { read write };
+dontaudit $1_t xdm_t:tcp_socket { read write };
+')
+
+ifdef(`startx.te', `
+xsession_domain($1, $2)
+')dnl end startx
+
+')dnl end xserver
+
+')dnl end x_client macro
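Review bot: Missing documentation: `xsession_domain` has no header block like the `# x_client_domain(client, role)` one below it; add one stating that `$1` is the client prefix and `$2` the X server prefix, since it is called both as `xsession_domain($1, xdm)` and `xsession_domain($1, $2)`. `dontaudit $1_t $2_home_t:file write;` under `# for .xsession-errors` silences denied writes to every `$2_home_t` file, not just .xsession-errors, so a client blocked from writing some other user file will no longer appear in the audit log; if .xsession-errors is the only case, give it its own type, or note the trade-off in the comment. The comment on `bool allow_write_xshm false;` could also say that flipping it grants read/write X server shm to every domain built with x_client_domain, not to one client. Trailing whitespace on `# Macros for X client programs `, `# and Timothy Fraser ` and `# Allows clients to write to the X server's shm `.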
diff --git a/mls/macros/program/xauth_macros.te b/mls/macros/program/xauth_macros.te
new file mode 100644
index 0000000..ca7a5ee
--- /dev/null
+++ b/mls/macros/program/xauth_macros.te
@@ -0,0 +1,83 @@
+#
+# Macros for xauth domains.
+#
+
+#
+# Author:  Russell Coker <russell@coker.com.au>
+#
+
+#
+# xauth_domain(domain_prefix)
+#
+# Define a derived domain for the xauth program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/xauth.te. 
+#
+undefine(`xauth_domain')
+ifdef(`xauth.te', `
+define(`xauth_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_xauth_t, domain;
+
+allow $1_xauth_t self:process signal;
+
+home_domain($1, xauth)
+file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_xauth_home_t, file)
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t)
+ifdef(`ssh.te', `
+domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
+allow $1_xauth_t sshd_t:fifo_file { getattr read };
+dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
+allow $1_xauth_t sshd_t:process sigchld;
+')dnl end if ssh
+
+# The user role is authorized for this domain.
+role $1_r types $1_xauth_t;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `
+allow $1_xauth_t $1_gph_t:fd use;
+')
+
+allow $1_xauth_t privfd:fd use;
+allow $1_xauth_t ptmx_t:chr_file { read write };
+
+# allow ps to show xauth
+can_ps($1_t, $1_xauth_t)
+allow $1_t $1_xauth_t:process signal;
+
+uses_shlib($1_xauth_t)
+
+# allow DNS lookups...
+can_resolve($1_xauth_t)
+can_ypbind($1_xauth_t)
+ifdef(`named.te', `
+can_udp_send($1_xauth_t, named_t)
+can_udp_send(named_t, $1_xauth_t)
+')dnl end if named.te
+
+allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_xauth_t etc_t:file { getattr read };
+allow $1_xauth_t fs_t:filesystem getattr;
+
+# Write to the user domain tty.
+access_terminal($1_xauth_t, $1)
+
+# Scan /var/run.
+allow $1_xauth_t var_t:dir search;
+allow $1_xauth_t var_run_t:dir search; 
+
+tmp_domain($1_xauth)
+allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
+
+')dnl end xauth_domain macro
+
+', `
+
+define(`xauth_domain',`')
+
+')dnl end if xauth.te
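Review bot: `allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };` right after `tmp_domain($1_xauth)` lets xauth read any of the user's tmp files, not only its own `$1_xauth_tmp_t`; a comment naming the file this is for would let the rule be narrowed later. `can_udp_send(named_t, $1_xauth_t)` gives the name server a send rule back into every derived xauth domain; if `can_resolve($1_xauth_t)` already covers the reply path, this is redundant, so check before keeping both. Trailing whitespace on `# provided separately in domains/program/xauth.te. ` and `allow $1_xauth_t var_run_t:dir search; `.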
diff --git a/mls/macros/program/xdm_macros.te b/mls/macros/program/xdm_macros.te
new file mode 100644
index 0000000..bea127f
--- /dev/null
+++ b/mls/macros/program/xdm_macros.te
@@ -0,0 +1,13 @@
+########################################
+#
+# can_pipe_xdm(domain)
+#
+# Allow communication to xdm over a pipe
+#
+
+define(`can_pipe_xdm', `
+ifdef(`xdm.te', `
+allow $1 xdm_t:fd use;
+allow $1 xdm_t:fifo_file { getattr read write ioctl };
+')
+') dnl can_pipe_xdm
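Review bot: Style: `') dnl can_pipe_xdm` leaves a space between the closing quote and `dnl`, which m4 passes through to the output; the other macro files close with `')dnl ...`. The `ifdef(`xdm.te', ...)` guard inside the body means the macro expands to nothing without xdm.te, yet both callers in this patch (x_client_macros.te and userhelper_macros.te) wrap the call in their own `ifdef(`xdm.te', ...)` as well; either guard is enough, so the `# Allow communication to xdm over a pipe` header should say which one callers are expected to rely on.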
diff --git a/mls/macros/program/xserver_macros.te b/mls/macros/program/xserver_macros.te
new file mode 100644
index 0000000..e2eaf82
--- /dev/null
+++ b/mls/macros/program/xserver_macros.te
@@ -0,0 +1,274 @@
+#
+# Macros for X server domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
+#
+
+#################################
+#
+# xserver_domain(domain_prefix)
+#
+# Define a derived domain for the X server when executed
+# by a user domain (e.g. via startx).  See the xdm_t domain
+# in domains/program/xdm.te if using an X Display Manager.
+#
+# The type declarations for the executable type for this program 
+# and the log type are provided separately in domains/program/xserver.te. 
+#
+# FIXME!  The X server requires far too many privileges.
+#
+undefine(`xserver_domain')
+ifdef(`xserver.te', `
+
+define(`xserver_domain',`
+# Derived domain based on the calling user domain and the program.
+ifdef(`distro_redhat', `
+type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
+allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
+ifdef(`rpm.te', `
+allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
+allow $1_xserver_t rpm_tmpfs_t:file { read write };
+allow $1_xserver_t rpm_t:fd use;
+')
+
+', `
+type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
+')
+
+# for SSP
+allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };
+
+# Transition from the user domain to this domain.
+ifelse($1, xdm, `
+ifdef(`xdm.te', `
+domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
+')
+', `
+domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
+')dnl end ifelse xdm
+can_exec($1_xserver_t, xserver_exec_t)
+
+uses_shlib($1_xserver_t)
+
+allow $1_xserver_t texrel_shlib_t:file execmod;
+
+can_network($1_xserver_t)
+allow $1_xserver_t port_type:tcp_socket name_connect;
+can_ypbind($1_xserver_t)
+allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
+
+# for access within the domain
+general_domain_access($1_xserver_t)
+
+allow $1_xserver_t self:process execmem;
+# Until the X module loader is fixed.
+allow $1_xserver_t self:process execheap;
+
+allow $1_xserver_t etc_runtime_t:file { getattr read };
+
+ifelse($1, xdm, `
+# The system role is authorised for the xdm and initrc domains
+role system_r types xdm_xserver_t;
+
+allow xdm_xserver_t init_t:fd use;
+
+dontaudit xdm_xserver_t home_dir_type:dir { read search };
+
+# Read all global and per user fonts
+read_fonts($1_xserver_t, sysadm)
+read_fonts($1_xserver_t, staff)
+read_fonts($1_xserver_t, user)
+
+', `
+# The user role is authorized for this domain.
+role $1_r types $1_xserver_t;
+
+allow $1_xserver_t getty_t:fd use;
+allow $1_xserver_t local_login_t:fd use;
+allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };
+
+allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
+allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
+
+can_unix_connect($1_t, $1_xserver_t)
+
+# Read fonts
+read_fonts($1_xserver_t, $1)
+
+# Access the home directory.
+allow $1_xserver_t home_root_t:dir search;
+allow $1_xserver_t $1_home_dir_t:dir { getattr search };
+
+ifdef(`xauth.te', `
+domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
+allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+', `
+allow $1_xserver_t $1_home_t:file { getattr read };
+')dnl end ifdef xauth
+ifdef(`userhelper.te', `
+allow $1_xserver_t userhelper_conf_t:dir search;
+')dnl end ifdef userhelper
+')dnl end ifelse xdm
+
+allow $1_xserver_t self:process setsched;
+
+allow $1_xserver_t fs_t:filesystem getattr;
+
+# Xorg wants to check if kernel is tainted
+read_sysctl($1_xserver_t)
+
+# Use capabilities.
+# allow setuid/setgid for the wrapper program to change UID
+# sys_rawio is for iopl access - should not be needed for frame-buffer
+# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
+# admin of APM bios?
+# sys_nice is so that the X server can set a negative nice value
+allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+allow $1_xserver_t nfs_t:dir { getattr search };
+
+# memory_device_t access is needed if not using the frame buffer
+#dontaudit $1_xserver_t memory_device_t:chr_file read;
+allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
+# net_bind_service is needed if you want your X server to allow TCP connections
+# from other hosts, EG an XDM serving a network of X terms
+# if you want good security you do not want this
+# not sure why some people want chown, fsetid, and sys_tty_config.
+#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
+dontaudit $1_xserver_t self:capability chown;
+
+# for nscd
+dontaudit $1_xserver_t var_run_t:dir search;
+
+allow $1_xserver_t mtrr_device_t:file rw_file_perms;
+allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
+allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
+allow $1_xserver_t device_t:lnk_file { getattr read };
+allow $1_xserver_t devtty_t:chr_file rw_file_perms;
+allow $1_xserver_t zero_device_t:chr_file { read write execute };
+
+# Type for temporary files.
+tmp_domain($1_xserver, `', `{ dir file sock_file }')
+file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
+
+ifelse($1, xdm, `
+ifdef(`xdm.te', `
+allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+allow xdm_t $1_xserver_t:process signal;
+can_unix_connect(xdm_t, xdm_xserver_t)
+allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+allow xdm_xserver_t xdm_t:process signal;
+allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
+')
+', `
+allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
+allow $1_t xdm_xserver_t:unix_stream_socket connectto;
+allow $1_t $1_xserver_t:process signal;
+
+# Allow the user domain to connect to the X server.
+can_unix_connect($1_t, $1_xserver_t)
+allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;
+allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
+ifdef(`xdm.te', `
+allow $1_t xdm_tmp_t:sock_file unlink;
+allow $1_xserver_t xdm_var_run_t:dir search;
+')
+
+# Signal the user domain.
+allow $1_xserver_t $1_t:process signal;
+
+# Communicate via System V shared memory.
+allow $1_xserver_t $1_t:shm rw_shm_perms;
+allow $1_t $1_xserver_t:shm rw_shm_perms;
+allow $1_xserver_t initrc_t:shm rw_shm_perms;
+
+')dnl end ifelse xdm
+
+# Create files in /var/log with the xserver_log_t type.
+allow $1_xserver_t var_t:dir search;
+file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)
+allow $1_xserver_t xserver_log_t:dir r_dir_perms;
+
+# Access AGP device.
+allow $1_xserver_t agp_device_t:chr_file rw_file_perms;
+
+# for other device nodes such as the NVidia binary-only driver
+allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;
+
+# Access /proc/mtrr
+allow $1_xserver_t proc_t:file rw_file_perms;
+allow $1_xserver_t proc_t:lnk_file { getattr read };
+
+# Access /proc/sys/dev
+allow $1_xserver_t sysctl_dev_t:dir search;
+allow $1_xserver_t sysctl_dev_t:file { getattr read };
+# Access /proc/bus/pci
+allow $1_xserver_t proc_t:dir r_dir_perms;
+
+# Create and access /dev/dri devices.
+allow $1_xserver_t device_t:dir { create setattr };
+file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
+# brought on by rhgb
+allow $1_xserver_t mnt_t:dir search;
+
+allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
+
+# Run helper programs in $1_xserver_t.
+allow $1_xserver_t { bin_t sbin_t }:dir search;
+allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
+allow $1_xserver_t bin_t:lnk_file read;
+can_exec($1_xserver_t, { bin_t shell_exec_t })
+
+# Connect to xfs.
+ifdef(`xfs.te', `
+can_unix_connect($1_xserver_t, xfs_t)
+allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
+allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
+
+# Bind to the X server socket in /tmp.
+allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;
+')
+
+read_locale($1_xserver_t)
+
+# Type for tmpfs/shm files.
+tmpfs_domain($1_xserver)
+ifelse($1, xdm, `
+ifdef(`xdm.te', `
+allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
+')
+', `
+allow $1_xserver_t $1_t:shm rw_shm_perms;
+rw_dir_file($1_xserver_t, $1_tmpfs_t)
+')dnl end ifelse xdm
+
+
+r_dir_file($1_xserver_t,sysfs_t)
+
+# Use the mouse.
+allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;
+# Allow xserver to read events - the synaptics touchpad
+# driver reads raw events
+allow $1_xserver_t event_device_t:chr_file rw_file_perms;
+ifdef(`pamconsole.te', `
+allow $1_xserver_t pam_var_console_t:dir search;
+')
+dontaudit $1_xserver_t selinux_config_t:dir search;
+
+allow $1_xserver_t var_lib_t:dir search;
+rw_dir_create_file($1_xserver_t, xkb_var_lib_t)
+
+')dnl end macro definition
+
+', `
+
+define(`xserver_domain',`')
+
+')
+
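Review bot: the name_bind for the X server's own socket is scoped by the wrong conditional. The block opened at the "Connect to xfs." ifdef(xfs.te) is not closed until after `allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;`, so an X server is only allowed to bind its /tmp socket when the xfs policy happens to be built in; move the closing `')` up to just after `allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;` so the bind rule is unconditional. Two smaller points in the same hunk: the comment "Access /proc/mtrr" sits above `allow $1_xserver_t proc_t:file rw_file_perms;`, which grants read/write on every proc_t file rather than the one mtrr file, so either a dedicated type or a comment justifying the breadth is needed; and the xdm branch carries duplicates (`allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;` appears twice, and `allow xdm_xserver_t xdm_t:shm rw_shm_perms;` is repeated in the tmpfs section) that can be dropped.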
diff --git a/mls/macros/program/ypbind_macros.te b/mls/macros/program/ypbind_macros.te
new file mode 100644
index 0000000..04a8f1d
--- /dev/null
+++ b/mls/macros/program/ypbind_macros.te
@@ -0,0 +1,19 @@
+define(`uncond_can_ypbind', `
+can_network($1)
+r_dir_file($1,var_yp_t)
+allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
+allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect;
+dontaudit $1 self:capability net_bind_service;
+dontaudit $1 reserved_port_type:tcp_socket name_connect;
+dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
+')
+
+define(`can_ypbind', `
+ifdef(`ypbind.te', `
+if (allow_ypbind) {
+uncond_can_ypbind($1)
+} else {
+dontaudit $1 var_yp_t:dir search;
+}
+') dnl ypbind.te
+') dnl can_ypbind
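Review bot: uncond_can_ypbind grants every caller more network privilege than NIS lookups need, and the allow/dontaudit pair is inconsistent. `allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;` lets any domain given can_ypbind bind any reserved port, while `dontaudit $1 self:capability net_bind_service;` and `dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;` silence the denials that would reveal such binds; since reserved_port_t is a member of reserved_port_type, that dontaudit overlaps the allow on the line above it. If the intent is that a client RPC socket may be bound to a privileged port, state it in a comment; otherwise narrow the allow to port_t. Likewise can_network($1) gives full network access to every ypbind client, which deserves a comment on why the name_connect rules on portmap_port_t and port_t are not sufficient on their own.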
diff --git a/mls/macros/user_macros.te b/mls/macros/user_macros.te
new file mode 100644
index 0000000..5575e64
--- /dev/null
+++ b/mls/macros/user_macros.te
@@ -0,0 +1,326 @@
+#
+# Macros for all user login domains.
+#
+
+# role_tty_type_change(starting_role, ending_role)
+#
+# change from role $1_r to $2_r and relabel tty appropriately
+#
+
+undefine(`role_tty_type_change')
+define(`role_tty_type_change', `
+allow $1_r $2_r;
+type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+# avoid annoying messages on terminal hangup
+dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
+#
+# reach_sysadm(user)
+#
+# Reach sysadm_t via programs like userhelper/sudo/su
+#
+
+undefine(`reach_sysadm')
+define(`reach_sysadm', `
+ifdef(`userhelper.te', `userhelper_domain($1)')
+ifdef(`sudo.te', `sudo_domain($1)')
+ifdef(`su.te', `
+su_domain($1)
+# When an ordinary user domain runs su, su may try to
+# update the /root/.Xauthority file, and the user shell may
+# try to update the shell history. This is not allowed, but 
+# we dont need to audit it.
+dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
+dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
+dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
+') dnl ifdef su.te
+ifdef(`xauth.te', `
+file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
+ifdef(`userhelper.te', `
+file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
+') dnl userhelper.te 
+') dnl xauth.te 
+') dnl reach_sysadm
+
+#
+# priv_user(user)
+#
+# Privileged user domain
+#
+
+undefine(`priv_user')
+define(`priv_user', `
+# Reach sysadm_t
+reach_sysadm($1)
+
+# Read file_contexts for rpm and get security decisions. 
+r_dir_file($1_t, file_context_t)
+can_getsecurity($1_t)
+
+# Signal and see information about unprivileged user domains.
+allow $1_t unpriv_userdomain:process signal_perms;
+can_ps($1_t, unpriv_userdomain)
+allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
+
+# Read /root files if boolean is enabled.
+if (staff_read_sysadm_file) {
+allow $1_t sysadm_home_dir_t:dir { getattr search };
+allow $1_t sysadm_home_t:file { getattr read };
+}
+
+') dnl priv_user
+
+#
+# user_domain(domain_prefix)
+#
+# Define derived types and rules for an ordinary user domain.
+#
+# The type declaration and role authorization for the domain must be
+# provided separately.  Likewise, domain transitions into this domain
+# must be specified separately.  
+#
+
+# user_domain() is also called by the admin_domain() macro
+undefine(`user_domain')
+define(`user_domain', `
+# Use capabilities
+
+# Type for home directory.
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
+type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
+
+# Transition manually for { lnk sock fifo }. The rest is in content macros.
+tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
+file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
+allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
+
+ifdef(`support_polyinstantiation', `
+type_member $1_t tmp_t:dir $1_tmp_t;
+type_member $1_t $1_home_dir_t:dir $1_home_t;
+')
+
+base_user_domain($1)
+ifdef(`mls_policy', `', `
+access_removable_media($1_t)
+')
+
+# do not allow privhome access to sysadm_home_dir_t
+file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
+
+allow $1_t boot_t:dir { getattr search };
+dontaudit $1_t boot_t:lnk_file read;
+dontaudit $1_t boot_t:file read;
+allow $1_t system_map_t:file { getattr read };
+
+# Instantiate derived domains for a number of programs.
+# These derived domains encode both information about the calling
+# user domain and the program, and allow us to maintain separation
+# between different instances of the program being run by different
+# user domains.
+ifelse($1, sysadm, `',`
+ifdef(`apache.te', `apache_user_domain($1)')
+ifdef(`i18n_input.te', `i18n_input_domain($1)')
+ifdef(`spamd.te', `home_domain_ro_access(spamd_t, $1)')
+')
+ifdef(`slocate.te', `locate_domain($1)')
+ifdef(`lockdev.te', `lockdev_domain($1)')
+
+can_kerberos($1_t)
+# allow port_t name binding for UDP because it is not very usable otherwise
+allow $1_t port_t:udp_socket name_bind;
+
+#
+# Need the following rule to allow users to run vpnc
+#
+ifdef(`xserver.te', `
+allow $1_t xserver_port_t:tcp_socket name_bind;
+')
+
+# Allow users to run TCP servers (bind to ports and accept connection from
+# the same domain and outside users)  disabling this forces FTP passive mode
+# and may change other protocols
+if (user_tcp_server) {
+allow $1_t port_t:tcp_socket name_bind;
+}
+# port access is audited even if dac would not have allowed it, so dontaudit it here
+dontaudit $1_t { reserved_port_type reserved_port_t }:tcp_socket name_bind;
+
+# Allow system log read
+if (user_dmesg) {
+allow $1_t kernel_t:system syslog_read;
+} else {
+# else do not log it
+dontaudit $1_t kernel_t:system syslog_read;
+}
+
+# Allow read access to utmp.
+allow $1_t initrc_var_run_t:file { getattr read lock };
+# The library functions always try to open read-write first,
+# then fall back to read-only if it fails. 
+# Do not audit write denials to utmp to avoid the noise.
+dontaudit $1_t initrc_var_run_t:file write;
+
+
+# do not audit read on disk devices
+dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
+
+ifdef(`xdm.te', `
+allow xdm_t $1_home_t:lnk_file read;
+allow xdm_t $1_home_t:dir search;
+#
+# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
+# 
+dontaudit xdm_t $1_home_t:file rw_file_perms;
+')dnl end ifdef xdm.te
+
+ifdef(`ftpd.te', `
+if (ftp_home_dir) {
+file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+}
+')dnl end ifdef ftpd
+
+
+')dnl end user_domain macro
+
+
+###########################################################################
+#
+# Domains for ordinary users.
+#
+undefine(`limited_user_role')
+define(`limited_user_role', `
+# user_t/$1_t is an unprivileged users domain.
+type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
+
+#Type for tty devices.
+type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
+# Type and access for pty devices.
+can_create_pty($1, `, userpty_type, user_tty_type')
+
+# Access ttys.
+allow $1_t privfd:fd use;
+allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
+
+# Grant read/search permissions to some of /proc.
+r_dir_file($1_t, proc_t)
+# netstat needs to access proc_net_t; if you want to hide this info use dontaudit here instead
+r_dir_file($1_t, proc_net_t)
+
+base_file_read_access($1_t)
+
+# Execute from the system shared libraries.
+uses_shlib($1_t)
+
+# Read /etc.
+r_dir_file($1_t, etc_t)
+allow $1_t etc_runtime_t:file r_file_perms;
+allow $1_t etc_runtime_t:lnk_file { getattr read };
+
+allow $1_t self:process { fork sigchld setpgid signal_perms };
+
+# read localization information
+read_locale($1_t)
+
+read_sysctl($1_t)
+can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
+
+allow $1_t self:dir search;
+allow $1_t self:file { getattr read };
+allow $1_t self:fifo_file rw_file_perms;
+
+allow $1_t self:lnk_file read;
+allow $1_t self:unix_stream_socket create_socket_perms;
+allow $1_t urandom_device_t:chr_file { getattr read };
+dontaudit $1_t { var_spool_t var_log_t }:dir search;
+
+# Read /dev directories and any symbolic links.
+allow $1_t device_t:dir r_dir_perms;
+allow $1_t device_t:lnk_file { getattr read };
+allow $1_t devtty_t:chr_file { read write };
+
+')
+
+undefine(`full_user_role')
+define(`full_user_role', `
+
+limited_user_role($1)
+
+typeattribute  $1_t web_client_domain;
+
+attribute $1_file_type;
+
+ifdef(`useradd.te', `
+# Useradd relabels /etc/skel files so needs these privs 
+allow useradd_t $1_file_type:dir create_dir_perms;
+allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
+')
+
+can_exec($1_t, usr_t)
+
+# Read directories and files with the readable_t type.
+# This type is a general type for "world"-readable files.
+allow $1_t readable_t:dir r_dir_perms;
+allow $1_t readable_t:notdevfile_class_set r_file_perms;
+
+# Stat lost+found.
+allow $1_t lost_found_t:dir getattr;
+
+# Read /var, /var/spool, /var/run.
+r_dir_file($1_t, var_t)
+# what about pipes and sockets under /var/spool?
+r_dir_file($1_t, var_spool_t)
+r_dir_file($1_t, var_run_t)
+allow $1_t var_lib_t:dir r_dir_perms;
+allow $1_t var_lib_t:file { getattr read };
+
+# for running depmod as part of the kernel packaging process
+allow $1_t modules_conf_t:file { getattr read };
+
+# Read man directories and files.
+r_dir_file($1_t, man_t)
+
+# Allow users to rw usb devices
+if (user_rw_usb) {
+rw_dir_create_file($1_t,usbdevfs_t)
+} else {
+r_dir_file($1_t,usbdevfs_t)
+}
+
+r_dir_file($1_t,sysfs_t)
+
+# Do not audit write denials to /etc/ld.so.cache.
+dontaudit $1_t ld_so_cache_t:file write;
+
+# $1_t is also granted permissions specific to user domains.
+user_domain($1)
+
+dontaudit $1_t sysadm_home_t:file { read append };
+
+ifdef(`syslogd.te', `
+# Some programs that are left in $1_t will try to connect
+# to syslogd, but we do not want to let them generate log messages.
+# Do not audit.
+dontaudit $1_t devlog_t:sock_file { read write };
+dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
+')
+
+# Stop warnings about access to /dev/console
+dontaudit $1_t init_t:fd use;
+dontaudit $1_t initrc_t:fd use;
+allow $1_t initrc_t:fifo_file write;
+
+#
+# Rules used to associate a homedir as a mountpoint
+#
+allow $1_home_t self:filesystem associate;
+allow $1_file_type $1_home_t:filesystem associate;
+')
+
+undefine(`in_user_role')
+define(`in_user_role', `
+role user_r types $1;
+role staff_r types $1;
+')
+
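Review bot: the comment "do not allow privhome access to sysadm_home_dir_t" contradicts the rule under it when user_domain is expanded for sysadm. `file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)` is inside user_domain, which the comment above the macro says is also called by admin_domain, and the only sysadm exclusion in the macro is the `ifelse($1, sysadm, ...)` around the apache/i18n/spamd rules; with $1 = sysadm this line grants privhome exactly the access the comment says it must not have. Wrap it in the same ifelse or move it into the per-role macros. Several other comments have drifted from the rules they describe: "# Use capabilities" at the top of user_domain has no rules under it; "Need the following rule to allow users to run vpnc" precedes `allow $1_t xserver_port_t:tcp_socket name_bind;`; and "Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp" sits above a line that already reads `dontaudit xdm_t $1_home_t:file rw_file_perms;`.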
diff --git a/mls/mcs b/mls/mcs
new file mode 100644
index 0000000..8a04ae8
--- /dev/null
+++ b/mls/mcs
@@ -0,0 +1,162 @@
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+category c24; category c25; category c26; category c27;
+category c28; category c29; category c30; category c31;
+category c32; category c33; category c34; category c35;
+category c36; category c37; category c38; category c39;
+category c40; category c41; category c42; category c43;
+category c44; category c45; category c46; category c47;
+category c48; category c49; category c50; category c51;
+category c52; category c53; category c54; category c55;
+category c56; category c57; category c58; category c59;
+category c60; category c61; category c62; category c63;
+category c64; category c65; category c66; category c67;
+category c68; category c69; category c70; category c71;
+category c72; category c73; category c74; category c75;
+category c76; category c77; category c78; category c79;
+category c80; category c81; category c82; category c83;
+category c84; category c85; category c86; category c87;
+category c88; category c89; category c90; category c91;
+category c92; category c93; category c94; category c95;
+category c96; category c97; category c98; category c99;
+category c100; category c101; category c102; category c103;
+category c104; category c105; category c106; category c107;
+category c108; category c109; category c110; category c111;
+category c112; category c113; category c114; category c115;
+category c116; category c117; category c118; category c119;
+category c120; category c121; category c122; category c123;
+category c124; category c125; category c126; category c127;
+category c128; category c129; category c130; category c131;
+category c132; category c133; category c134; category c135;
+category c136; category c137; category c138; category c139;
+category c140; category c141; category c142; category c143;
+category c144; category c145; category c146; category c147;
+category c148; category c149; category c150; category c151;
+category c152; category c153; category c154; category c155;
+category c156; category c157; category c158; category c159;
+category c160; category c161; category c162; category c163;
+category c164; category c165; category c166; category c167;
+category c168; category c169; category c170; category c171;
+category c172; category c173; category c174; category c175;
+category c176; category c177; category c178; category c179;
+category c180; category c181; category c182; category c183;
+category c184; category c185; category c186; category c187;
+category c188; category c189; category c190; category c191;
+category c192; category c193; category c194; category c195;
+category c196; category c197; category c198; category c199;
+category c200; category c201; category c202; category c203;
+category c204; category c205; category c206; category c207;
+category c208; category c209; category c210; category c211;
+category c212; category c213; category c214; category c215;
+category c216; category c217; category c218; category c219;
+category c220; category c221; category c222; category c223;
+category c224; category c225; category c226; category c227;
+category c228; category c229; category c230; category c231;
+category c232; category c233; category c234; category c235;
+category c236; category c237; category c238; category c239;
+category c240; category c241; category c242; category c243;
+category c244; category c245; category c246; category c247;
+category c248; category c249; category c250; category c251;
+category c252; category c253; category c254; category c255;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c255;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file.  We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Only files are constrained by MCS at this stage.
+#
+mlsconstrain file { write setattr append unlink link rename
+		    create ioctl lock execute } (h1 dom h2);
+
+mlsconstrain file { read } ((h1 dom h2) or 
+			    ( t1 == mlsfileread ));
+
+
+# new file labels must be dominated by the relabeling subject's clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
+	( h1 dom h2 );
+
+define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append 
+link unlink rename relabelfrom relabelto }')
+
+define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink 
+rename search add_name remove_name reparent write rmdir relabelfrom 
+relabelto }')
+
+# XXX
+#
+# For some reason, we need to reference the mlsfileread attribute
+# or we get a build error.  Below is a dummy entry to do this.
+mlsconstrain xextension query ( t1 == mlsfileread );
+
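Review bot: the "dummy entry" `mlsconstrain xextension query ( t1 == mlsfileread );` is not a no-op. An mlsconstrain only permits the access when its expression is true, so this line denies xextension query to every type that lacks the mlsfileread attribute, which is a policy change rather than a mere reference for the compiler. The attribute is already referenced in the file read constraint (`( t1 == mlsfileread )`), so first try removing the dummy and rebuilding; if the build error reappears, use an expression that is always true, for example `( t1 == mlsfileread or t1 != mlsfileread )`, and record the actual compiler message in place of "For some reason". Minor: nogetattr_file_perms and nogetattr_dir_perms are defined here but nothing in this file uses them; if other files rely on them, a comment saying so would help.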
diff --git a/mls/mls b/mls/mls
new file mode 100644
index 0000000..c7d04ef
--- /dev/null
+++ b/mls/mls
@@ -0,0 +1,665 @@
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+sensitivity s0;
+sensitivity s1;
+sensitivity s2;
+sensitivity s3;
+sensitivity s4;
+sensitivity s5;
+sensitivity s6;
+sensitivity s7;
+sensitivity s8;
+sensitivity s9;
+sensitivity s10;
+sensitivity s11;
+sensitivity s12;
+sensitivity s13;
+sensitivity s14;
+sensitivity s15;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+category c24; category c25; category c26; category c27;
+category c28; category c29; category c30; category c31;
+category c32; category c33; category c34; category c35;
+category c36; category c37; category c38; category c39;
+category c40; category c41; category c42; category c43;
+category c44; category c45; category c46; category c47;
+category c48; category c49; category c50; category c51;
+category c52; category c53; category c54; category c55;
+category c56; category c57; category c58; category c59;
+category c60; category c61; category c62; category c63;
+category c64; category c65; category c66; category c67;
+category c68; category c69; category c70; category c71;
+category c72; category c73; category c74; category c75;
+category c76; category c77; category c78; category c79;
+category c80; category c81; category c82; category c83;
+category c84; category c85; category c86; category c87;
+category c88; category c89; category c90; category c91;
+category c92; category c93; category c94; category c95;
+category c96; category c97; category c98; category c99;
+category c100; category c101; category c102; category c103;
+category c104; category c105; category c106; category c107;
+category c108; category c109; category c110; category c111;
+category c112; category c113; category c114; category c115;
+category c116; category c117; category c118; category c119;
+category c120; category c121; category c122; category c123;
+category c124; category c125; category c126; category c127;
+category c128; category c129; category c130; category c131;
+category c132; category c133; category c134; category c135;
+category c136; category c137; category c138; category c139;
+category c140; category c141; category c142; category c143;
+category c144; category c145; category c146; category c147;
+category c148; category c149; category c150; category c151;
+category c152; category c153; category c154; category c155;
+category c156; category c157; category c158; category c159;
+category c160; category c161; category c162; category c163;
+category c164; category c165; category c166; category c167;
+category c168; category c169; category c170; category c171;
+category c172; category c173; category c174; category c175;
+category c176; category c177; category c178; category c179;
+category c180; category c181; category c182; category c183;
+category c184; category c185; category c186; category c187;
+category c188; category c189; category c190; category c191;
+category c192; category c193; category c194; category c195;
+category c196; category c197; category c198; category c199;
+category c200; category c201; category c202; category c203;
+category c204; category c205; category c206; category c207;
+category c208; category c209; category c210; category c211;
+category c212; category c213; category c214; category c215;
+category c216; category c217; category c218; category c219;
+category c220; category c221; category c222; category c223;
+category c224; category c225; category c226; category c227;
+category c228; category c229; category c230; category c231;
+category c232; category c233; category c234; category c235;
+category c236; category c237; category c238; category c239;
+category c240; category c241; category c242; category c243;
+category c244; category c245; category c246; category c247;
+category c248; category c249; category c250; category c251;
+category c252; category c253; category c254; category c255;
+
+
+#
+# Each MLS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c255;
+level s1:c0.c255;
+level s2:c0.c255;
+level s3:c0.c255;
+level s4:c0.c255;
+level s5:c0.c255;
+level s6:c0.c255;
+level s7:c0.c255;
+level s8:c0.c255;
+level s9:c0.c255;
+level s10:c0.c255;
+level s11:c0.c255;
+level s12:c0.c255;
+level s13:c0.c255;
+level s14:c0.c255;
+level s15:c0.c255;
+
+
+#
+# Define the MLS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MLS policy for the file classes
+#
+
+# make sure these file classes are "single level"
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
+	( l2 eq h2 );
+
+# new file labels must be dominated by the relabeling subject's clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
+	( h1 dom h2 );
+
+# the file "read" ops (note the check is dominance of the low level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ) or
+	 ( t2 == mlstrustedobject ));
+
+mlsconstrain dir search
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ) or
+	 ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+# the "ranged" file "write" ops
+mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+mlsconstrain dir { add_name remove_name reparent rmdir }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+# these access vectors have no MLS restrictions
+# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
+#
+# { file chr_file } { execute_no_trans entrypoint execmod }
+
+# the file upgrade/downgrade rule
+mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
+	((( l1 eq l2 ) or
+	  (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+	 (( h1 eq h2 ) or
+	  (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
+
+# create can also require the upgrade/downgrade checks if the creating process
+# has used setfscreate (note that both the high and low level of the object
+# default to the process' sensitivity level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
+	((( l1 eq l2 ) or
+	  (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+	 (( l1 eq h2 ) or
+	  (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
+
+
+
+
+#
+# MLS policy for the filesystem class
+#
+
+# new filesystem labels must be dominated by the relabeling subject's clearance
+mlsconstrain filesystem relabelto
+	( h1 dom h2 );
+
+# the filesystem "read" ops (implicit single level)
+mlsconstrain filesystem { getattr quotaget }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ));
+
+# all the filesystem "write" ops (implicit single level)
+mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ));
+
+# these access vectors have no MLS restrictions
+# filesystem { transition associate }
+
+
+
+
+#
+# MLS policy for the socket classes
+#
+
+# new socket labels must be dominated by the relabeling subject's clearance
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+	( h1 dom h2 );
+
+# the socket "read" ops (note the check is dominance of the low level)
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
+mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
+	(( l1 dom l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
+# the socket "write" ops
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsnetwrite ));
+
+# these access vectors have no MLS restrictions
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
+#
+# { tcp_socket udp_socket rawip_socket } node_bind
+#
+# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
+#
+# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
+#
+
+
+
+
+#
+# MLS policy for the ipc classes
+#
+
+# the ipc "read" ops (implicit single level)
+mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsipcread ));
+
+mlsconstrain msg receive
+	(( l1 dom l2 ) or
+	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsipcread ));
+
+# the ipc "write" ops (implicit single level)
+mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain msgq enqueue
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain shm lock
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain msg send
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+# these access vectors have no MLS restrictions
+# { ipc sem msgq shm } associate
+
+
+
+
+#
+# MLS policy for the fd class
+#
+
+# these access vectors have no MLS restrictions
+# fd use
+
+
+
+
+#
+# MLS policy for the network object classes
+#
+
+# the netif/node "read" ops (implicit single level socket doing the read)
+#                           (note the check is dominance of the low level)
+mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
+	(( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
+
+# the netif/node "write" ops (implicit single level socket doing the write)
+mlsconstrain { netif node } { tcp_send udp_send rawip_send }
+	(( l1 dom l2 ) and ( l1 domby h2 ));
+
+# these access vectors have no MLS restrictions
+# { netif node } { enforce_dest }
+
+
+
+
+#
+# MLS policy for the process class
+#
+
+# new process labels must be dominated by the relabeling subject's clearance
+# and sensitivity level changes require privilege
+mlsconstrain process transition
+	(( h1 dom h2 ) and
+	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
+	  (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
+mlsconstrain process dyntransition
+	(( h1 dom h2 ) and
+	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
+
+# all the process "read" ops
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsprocread ));
+
+# all the process "write" ops (note the check is equality on the low level)
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsprocwrite ));
+
+# these access vectors have no MLS restrictions
+# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem }
+
+
+
+
+#
+# MLS policy for the security class
+#
+
+# these access vectors have no MLS restrictions
+# security *
+
+
+
+
+#
+# MLS policy for the system class
+#
+
+# these access vectors have no MLS restrictions
+# system *
+
+
+
+
+#
+# MLS policy for the capability class
+#
+
+# these access vectors have no MLS restrictions
+# capability *
+
+
+
+
+#
+# MLS policy for the passwd class
+#
+
+# these access vectors have no MLS restrictions
+# passwd *
+
+
+
+
+#
+# MLS policy for the drawable class
+#
+
+# the drawable "read" ops (implicit single level)
+mlsconstrain drawable { getattr copy }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the drawable "write" ops (implicit single level)
+mlsconstrain drawable { create destroy draw copy }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the gc class
+#
+
+# the gc "read" ops (implicit single level)
+mlsconstrain gc getattr
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the gc "write" ops (implicit single level)
+mlsconstrain gc { create free setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the window class
+#
+
+# the window "read" ops (implicit single level)
+mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the window "write" ops (implicit single level)
+mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ) or
+	 ( t2 == mlstrustedobject ));
+
+# these access vectors have no MLS restrictions
+# window { map unmap }
+
+
+
+
+#
+# MLS policy for the font class
+#
+
+# the font "read" ops (implicit single level)
+mlsconstrain font { load getattr }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the font "write" ops (implicit single level)
+mlsconstrain font free
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+# these access vectors have no MLS restrictions
+# font use
+
+
+
+
+#
+# MLS policy for the colormap class
+#
+
+# the colormap "read" ops (implicit single level)
+mlsconstrain colormap { list read getattr }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinreadcolormap ) or
+	 ( t1 == mlsxwinread ));
+
+# the colormap "write" ops (implicit single level)
+mlsconstrain colormap { create free install uninstall store setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwritecolormap ) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the property class
+#
+
+# the property "read" ops (implicit single level)
+mlsconstrain property { read }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinreadproperty ) or
+	 ( t1 == mlsxwinread ));
+
+# the property "write" ops (implicit single level)
+mlsconstrain property { create free write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwriteproperty ) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the cursor class
+#
+
+# the cursor "write" ops (implicit single level)
+mlsconstrain cursor { create createglyph free assign setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the xclient class
+#
+
+# the xclient "write" ops (implicit single level)
+mlsconstrain xclient kill
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the xinput class
+#
+
+# these access vectors have no MLS restrictions
+# xinput ~{ relabelinput setattr }
+
+# the xinput "write" ops (implicit single level)
+mlsconstrain xinput { setattr relabelinput }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwritexinput ) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the xserver class
+#
+
+# these access vectors have no MLS restrictions
+# xserver *
+
+
+
+
+#
+# MLS policy for the xextension class
+#
+
+# these access vectors have no MLS restrictions
+# xextension { query use }
+
+
+#
+# MLS policy for the pax class
+#
+
+# these access vectors have no MLS restrictions
+# pax { pageexec emutramp mprotect randmmap randexec segmexec }
+
+
+
+
+#
+# MLS policy for the dbus class
+#
+
+# these access vectors have no MLS restrictions
+# dbus { acquire_svc send_msg }
+
+
+
+
+#
+# MLS policy for the nscd class
+#
+
+# these access vectors have no MLS restrictions
+# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
+
+
+
+
+#
+# MLS policy for the association class
+#
+
+# these access vectors have no MLS restrictions
+# association { sendto recvfrom }
+
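Review bot: the "no MLS restrictions" list at the top of the socket section (`{ ioctl create lock append bind sendto send_msg name_bind }`) leaves `append`, `sendto` and `send_msg` outside the socket "write" constraint. `sendto`/`send_msg` are the checks between the sending socket and the peer, so the peer's level is never compared; for TCP/UDP/raw the netif/node `tcp_send udp_send rawip_send` constraint further down still applies, but for `unix_dgram_socket` there is no node/netif check, so a datagram send to a differently-labelled unix socket is unconstrained here. Add a comment stating that this is intentional and which check covers it, or add `sendto send_msg` to the write constraint. Minor: `{ node netif }` and `{ netif node }` are ordered differently in the recv/send constraints, and `ptrace share` appear in both the process "read" and "write" lists (acceptable, since both constraints then apply, but worth a comment).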
diff --git a/mls/net_contexts b/mls/net_contexts
new file mode 100644
index 0000000..c15f994
--- /dev/null
+++ b/mls/net_contexts
@@ -0,0 +1,251 @@
+# FLASK
+
+#
+# Security contexts for network entities
+# If no context is specified, then a default initial SID is used.
+#
+
+# Modified by Reino Wallin <reino@oribium.com>
+# Multi NIC, and IPSEC features
+
+# Modified by Russell Coker
+# ifdefs to encapsulate domains, and many additional port contexts
+
+#
+# Port numbers (default = initial SID "port")
+# 
+# protocol number context
+# protocol low-high context
+#
+portcon tcp 7 system_u:object_r:inetd_child_port_t:s0
+portcon udp 7 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 9 system_u:object_r:inetd_child_port_t:s0
+portcon udp 9 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 13 system_u:object_r:inetd_child_port_t:s0
+portcon udp 13 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 19 system_u:object_r:inetd_child_port_t:s0
+portcon udp 19 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 37 system_u:object_r:inetd_child_port_t:s0
+portcon udp 37 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 113 system_u:object_r:auth_port_t:s0
+portcon tcp 512 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 543 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 544 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 891 system_u:object_r:inetd_child_port_t:s0
+portcon udp 891 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 892 system_u:object_r:inetd_child_port_t:s0
+portcon udp 892 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
+portcon tcp 21 system_u:object_r:ftp_port_t:s0
+portcon tcp 22 system_u:object_r:ssh_port_t:s0
+portcon tcp 23 system_u:object_r:telnetd_port_t:s0
+
+portcon tcp 25 system_u:object_r:smtp_port_t:s0
+portcon tcp 465 system_u:object_r:smtp_port_t:s0
+portcon tcp 587 system_u:object_r:smtp_port_t:s0
+
+portcon udp 500 system_u:object_r:isakmp_port_t:s0
+portcon udp 53 system_u:object_r:dns_port_t:s0
+portcon tcp 53 system_u:object_r:dns_port_t:s0
+
+portcon udp 67  system_u:object_r:dhcpd_port_t:s0
+portcon udp 647  system_u:object_r:dhcpd_port_t:s0
+portcon tcp 647  system_u:object_r:dhcpd_port_t:s0
+portcon udp 847  system_u:object_r:dhcpd_port_t:s0
+portcon tcp 847  system_u:object_r:dhcpd_port_t:s0
+portcon udp 68  system_u:object_r:dhcpc_port_t:s0
+portcon udp 70 system_u:object_r:gopher_port_t:s0
+portcon tcp 70 system_u:object_r:gopher_port_t:s0
+
+portcon udp 69  system_u:object_r:tftp_port_t:s0
+portcon tcp 79  system_u:object_r:fingerd_port_t:s0
+
+portcon tcp 80  system_u:object_r:http_port_t:s0
+portcon tcp 443  system_u:object_r:http_port_t:s0
+portcon tcp 488  system_u:object_r:http_port_t:s0
+portcon tcp 8008  system_u:object_r:http_port_t:s0
+portcon tcp 8090  system_u:object_r:http_port_t:s0
+
+portcon tcp 106 system_u:object_r:pop_port_t:s0
+portcon tcp 109 system_u:object_r:pop_port_t:s0
+portcon tcp 110 system_u:object_r:pop_port_t:s0
+portcon tcp 143 system_u:object_r:pop_port_t:s0
+portcon tcp 220 system_u:object_r:pop_port_t:s0
+portcon tcp 993 system_u:object_r:pop_port_t:s0
+portcon tcp 995 system_u:object_r:pop_port_t:s0
+portcon tcp 1109 system_u:object_r:pop_port_t:s0
+
+portcon udp 111 system_u:object_r:portmap_port_t:s0
+portcon tcp 111 system_u:object_r:portmap_port_t:s0
+
+portcon tcp 119 system_u:object_r:innd_port_t:s0
+portcon udp 123 system_u:object_r:ntp_port_t:s0
+
+portcon tcp 137 system_u:object_r:smbd_port_t:s0
+portcon udp 137 system_u:object_r:nmbd_port_t:s0
+portcon tcp 138 system_u:object_r:smbd_port_t:s0
+portcon udp 138 system_u:object_r:nmbd_port_t:s0
+portcon tcp 139 system_u:object_r:smbd_port_t:s0
+portcon udp 139 system_u:object_r:nmbd_port_t:s0
+portcon tcp 445 system_u:object_r:smbd_port_t:s0
+
+portcon udp 161 system_u:object_r:snmp_port_t:s0
+portcon udp 162 system_u:object_r:snmp_port_t:s0
+portcon tcp 199 system_u:object_r:snmp_port_t:s0
+portcon udp 512 system_u:object_r:comsat_port_t:s0
+
+portcon tcp 389 system_u:object_r:ldap_port_t:s0
+portcon udp 389 system_u:object_r:ldap_port_t:s0
+portcon tcp 636 system_u:object_r:ldap_port_t:s0
+portcon udp 636 system_u:object_r:ldap_port_t:s0
+
+portcon tcp 513 system_u:object_r:rlogind_port_t:s0
+portcon tcp 514 system_u:object_r:rsh_port_t:s0
+
+portcon tcp 515 system_u:object_r:printer_port_t:s0
+portcon udp 514 system_u:object_r:syslogd_port_t:s0
+portcon udp 517 system_u:object_r:ktalkd_port_t:s0
+portcon udp 518 system_u:object_r:ktalkd_port_t:s0
+portcon tcp 631 system_u:object_r:ipp_port_t:s0
+portcon udp 631 system_u:object_r:ipp_port_t:s0
+portcon tcp 88 system_u:object_r:kerberos_port_t:s0
+portcon udp 88 system_u:object_r:kerberos_port_t:s0
+portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0
+portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0
+portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0
+portcon tcp 750 system_u:object_r:kerberos_port_t:s0
+portcon udp 750 system_u:object_r:kerberos_port_t:s0
+portcon tcp 783 system_u:object_r:spamd_port_t:s0
+portcon tcp 540 system_u:object_r:uucpd_port_t:s0
+portcon tcp 2401 system_u:object_r:cvs_port_t:s0
+portcon udp 2401 system_u:object_r:cvs_port_t:s0
+portcon tcp 873 system_u:object_r:rsync_port_t:s0
+portcon udp 873 system_u:object_r:rsync_port_t:s0
+portcon tcp 901 system_u:object_r:swat_port_t:s0
+portcon tcp 953 system_u:object_r:rndc_port_t:s0
+portcon tcp 1213 system_u:object_r:giftd_port_t:s0
+portcon tcp 1241 system_u:object_r:nessus_port_t:s0
+portcon tcp 1234 system_u:object_r:monopd_port_t:s0
+portcon udp 1645 system_u:object_r:radius_port_t:s0
+portcon udp 1646 system_u:object_r:radacct_port_t:s0
+portcon udp 1812 system_u:object_r:radius_port_t:s0
+portcon udp 1813 system_u:object_r:radacct_port_t:s0
+portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0
+portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0
+portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0
+portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0
+portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0
+portcon udp 7000 system_u:object_r:afs_fs_port_t:s0
+portcon udp 7002 system_u:object_r:afs_pt_port_t:s0
+portcon udp 7003 system_u:object_r:afs_vl_port_t:s0
+portcon udp 7004 system_u:object_r:afs_ka_port_t:s0
+portcon udp 7005 system_u:object_r:afs_fs_port_t:s0
+portcon udp 7007 system_u:object_r:afs_bos_port_t:s0
+portcon tcp 1720 system_u:object_r:asterisk_port_t:s0
+portcon udp 2427 system_u:object_r:asterisk_port_t:s0
+portcon udp 2727 system_u:object_r:asterisk_port_t:s0
+portcon udp 4569 system_u:object_r:asterisk_port_t:s0
+portcon udp 5060 system_u:object_r:asterisk_port_t:s0
+portcon tcp 2000 system_u:object_r:mail_port_t:s0
+portcon tcp 2601 system_u:object_r:zebra_port_t:s0
+portcon tcp 2605 system_u:object_r:zebra_port_t:s0
+portcon tcp 2628 system_u:object_r:dict_port_t:s0
+portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
+portcon tcp 3632 system_u:object_r:distccd_port_t:s0
+portcon udp 4011 system_u:object_r:pxe_port_t:s0
+portcon udp 5000 system_u:object_r:openvpn_port_t:s0
+portcon tcp 5323 system_u:object_r:imaze_port_t:s0
+portcon udp 5323 system_u:object_r:imaze_port_t:s0
+portcon tcp 5335 system_u:object_r:howl_port_t:s0
+portcon udp 5353 system_u:object_r:howl_port_t:s0
+portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0
+portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0
+portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0
+portcon tcp 5432 system_u:object_r:postgresql_port_t:s0
+portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 5703 system_u:object_r:ptal_port_t:s0
+portcon tcp 9290 system_u:object_r:hplip_port_t:s0
+portcon tcp 9291 system_u:object_r:hplip_port_t:s0
+portcon tcp 9292 system_u:object_r:hplip_port_t:s0
+portcon tcp 50000 system_u:object_r:hplip_port_t:s0
+portcon tcp 50002 system_u:object_r:hplip_port_t:s0
+portcon tcp 5900  system_u:object_r:vnc_port_t:s0 
+portcon tcp 5988  system_u:object_r:pegasus_http_port_t:s0
+portcon tcp 5989  system_u:object_r:pegasus_https_port_t:s0
+portcon tcp 6000  system_u:object_r:xserver_port_t:s0
+portcon tcp 6001  system_u:object_r:xserver_port_t:s0
+portcon tcp 6002  system_u:object_r:xserver_port_t:s0
+portcon tcp 6003  system_u:object_r:xserver_port_t:s0
+portcon tcp 6004  system_u:object_r:xserver_port_t:s0
+portcon tcp 6005  system_u:object_r:xserver_port_t:s0
+portcon tcp 6006  system_u:object_r:xserver_port_t:s0
+portcon tcp 6007  system_u:object_r:xserver_port_t:s0
+portcon tcp 6008  system_u:object_r:xserver_port_t:s0
+portcon tcp 6009  system_u:object_r:xserver_port_t:s0
+portcon tcp 6010  system_u:object_r:xserver_port_t:s0
+portcon tcp 6011  system_u:object_r:xserver_port_t:s0
+portcon tcp 6012  system_u:object_r:xserver_port_t:s0
+portcon tcp 6013  system_u:object_r:xserver_port_t:s0
+portcon tcp 6014  system_u:object_r:xserver_port_t:s0
+portcon tcp 6015  system_u:object_r:xserver_port_t:s0
+portcon tcp 6016  system_u:object_r:xserver_port_t:s0
+portcon tcp 6017  system_u:object_r:xserver_port_t:s0
+portcon tcp 6018  system_u:object_r:xserver_port_t:s0
+portcon tcp 6019  system_u:object_r:xserver_port_t:s0
+portcon tcp 6667 system_u:object_r:ircd_port_t:s0
+portcon tcp 8000 system_u:object_r:soundd_port_t:s0
+# 9433 is for YIFF
+portcon tcp 9433 system_u:object_r:soundd_port_t:s0
+portcon tcp 3128  system_u:object_r:http_cache_port_t:s0
+portcon tcp 8080  system_u:object_r:http_cache_port_t:s0
+portcon udp 3130  system_u:object_r:http_cache_port_t:s0
+# 8118 is for privoxy
+portcon tcp 8118  system_u:object_r:http_cache_port_t:s0
+
+portcon udp 4041 system_u:object_r:clockspeed_port_t:s0
+portcon tcp 8081 system_u:object_r:transproxy_port_t:s0
+portcon udp 10080 system_u:object_r:amanda_port_t:s0
+portcon tcp 10080 system_u:object_r:amanda_port_t:s0
+portcon udp 10081 system_u:object_r:amanda_port_t:s0
+portcon tcp 10081 system_u:object_r:amanda_port_t:s0
+portcon tcp 10082 system_u:object_r:amanda_port_t:s0
+portcon tcp 10083 system_u:object_r:amanda_port_t:s0
+portcon tcp 60000 system_u:object_r:postgrey_port_t:s0
+
+portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0
+portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0
+portcon tcp 3310 system_u:object_r:clamd_port_t:s0
+portcon udp 6276 system_u:object_r:dcc_port_t:s0
+portcon udp 6277 system_u:object_r:dcc_port_t:s0
+portcon udp 24441 system_u:object_r:pyzor_port_t:s0
+portcon tcp 2703 system_u:object_r:razor_port_t:s0
+portcon tcp 8021 system_u:object_r:zope_port_t:s0
+
+# Defaults for reserved ports.  Earlier portcon entries take precedence;
+# these entries just cover any remaining reserved ports not otherwise 
+# declared or omitted due to removal of a domain.
+portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0
+portcon udp 1-1023 system_u:object_r:reserved_port_t:s0
+
+# Network interfaces (default = initial SID "netif" and "netmsg")
+#
+# interface netif_context default_msg_context
+#
+netifcon lo system_u:object_r:netif_lo_t:s0 - s15:c0.c255 system_u:object_r:unlabeled_t:s0
+
+# Nodes (default = initial SID "node")
+#
+# address mask context
+#
+nodecon 127.0.0.1	  255.255.255.255			   system_u:object_r:node_lo_t:s0 - s15:c0.c255
+nodecon 0.0.0.0		  255.255.255.255			   system_u:object_r:node_inaddr_any_t:s0
+nodecon ::		  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  system_u:object_r:node_unspec_t:s0
+nodecon ::1		  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  system_u:object_r:node_lo_t:s0
+nodecon ff00::		  ff00::				   system_u:object_r:node_multicast_t:s0
+nodecon fe80::		  ffff:ffff:ffff:ffff::			   system_u:object_r:node_link_local_t:s0
+nodecon fec0::		  ffc0::				   system_u:object_r:node_site_local_t:s0
+nodecon ::		  ffff:ffff:ffff:ffff:ffff:ffff::	   system_u:object_r:node_compat_ipv4_t:s0
+nodecon ::ffff:0000:0000  ffff:ffff:ffff:ffff:ffff:ffff::	   system_u:object_r:node_mapped_ipv4_t:s0
+
+# FLASK
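Review bot: the IPv4 and IPv6 loopback nodes get different MLS ranges: `nodecon 127.0.0.1` is `node_lo_t:s0 - s15:c0.c255` while `nodecon ::1` is `node_lo_t:s0` (single level), and `netifcon lo` gives the interface the full range. Under the netif/node send constraint `(( l1 dom l2 ) and ( l1 domby h2 ))` in the constraints hunk, a process above s0 can send on 127.0.0.1 but is denied on ::1; give ::1 the same range unless IPv6 loopback is meant to be s0-only, and say so in a comment. The `s15:c0.c255` high level is hard-coded here and must match the top level declared in the MLS definitions. Style: trailing whitespace on the `portcon tcp 5900` line and on the `# ` heading lines, and the double spaces in the dhcpd/http `portcon` entries, should be normalized.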
diff --git a/mls/rbac b/mls/rbac
new file mode 100644
index 0000000..708f70d
--- /dev/null
+++ b/mls/rbac
@@ -0,0 +1,33 @@
+################################################
+#
+# Role-based access control (RBAC) configuration.
+#
+
+# The RBAC configuration was originally centralized in this
+# file, but has been decomposed into individual role declarations, 
+# role allow rules, and role transition rules throughout the TE 
+# configuration to support easy removal or adding of domains without 
+# modifying a centralized file each time. This also allowed the macros 
+# to properly instantiate role declarations and rules for domains.
+# Hence, this file is largely unused, except for miscellaneous 
+# role allow rules.
+
+########################################
+#
+# Role allow rules.
+#
+# A role allow rule specifies the allowable
+# transitions between roles on an execve.
+# If no rule is specified, then the change in
+# roles will not be permitted.  Additional
+# controls over role transitions based on the
+# type of the process may be specified through
+# the constraints file.
+#
+# The syntax of a role allow rule is:
+# 	allow current_role new_role ;
+# 
+# Allow the admin role to transition to the system
+# role for run_init.
+#
+allow sysadm_r system_r;
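Review bot: several comment lines in this file end in trailing whitespace (`... individual role declarations, `, `... role transition rules throughout the TE `, `# `); strip them. The header also says additional role-transition controls "may be specified through the constraints file", which is still accurate for this tree and should stay.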
diff --git a/mls/tunables/distro.tun b/mls/tunables/distro.tun
new file mode 100644
index 0000000..00b6eca
--- /dev/null
+++ b/mls/tunables/distro.tun
@@ -0,0 +1,14 @@
+# Distro-specific customizations.
+
+# Comment out all but the one that matches your distro.
+# The policy .te files can then wrap distro-specific customizations with
+# appropriate ifdefs.
+
+
+define(`distro_redhat')
+
+dnl define(`distro_suse')
+
+dnl define(`distro_gentoo')
+
+dnl define(`distro_debian')
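Review bot: the instruction "Comment out all but the one that matches your distro." should name the mechanism the file actually uses, `dnl`, rather than leaving the reader to use `#`: m4 copies a `#` comment through to the output unexpanded, so `# define(...)` only leaves a stray comment line in policy.conf, whereas `dnl define(...)` removes the line. Also nothing here enforces that exactly one `distro_*` macro is defined; a comment saying so would help.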
diff --git a/mls/tunables/tunable.tun b/mls/tunables/tunable.tun
new file mode 100644
index 0000000..35dd15e
--- /dev/null
+++ b/mls/tunables/tunable.tun
@@ -0,0 +1,35 @@
+# Allow rpm to run unconfined.
+define(`unlimitedRPM')
+
+# Allow privileged utilities like hotplug and insmod to run unconfined.
+dnl define(`unlimitedUtils')
+
+# Allow rc scripts to run unconfined, including any daemon
+# started by an rc script that does not have a domain transition
+# explicitly defined.
+dnl define(`unlimitedRC')
+
+# Allow sysadm_t to directly start daemons
+dnl define(`direct_sysadm_daemon')
+
+# Do not allow sysadm_t to be in the security manager domain
+define(`separate_secadm')
+
+# Do not audit things that we know to be broken but which
+# are not security risks
+define(`hide_broken_symptoms')
+
+# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
+# Otherwise, only staff_r can do so.
+dnl define(`user_canbe_sysadm')
+
+# Allow xinetd to run unconfined, including any services it starts
+# that do not have a domain transition explicitly defined.
+dnl define(`unlimitedInetd')
+
+# for ndc_t to be used for restart shell scripts
+dnl define(`ndc_shell_script')
+
+# Enable Polyinstantiation support
+dnl define(`support_polyinstatiation')
+define(`mls_policy')
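Review bot: the macro name in `dnl define(`support_polyinstatiation')` is misspelled (missing the second `n`); it is disabled here, but enabling it later would define a macro that an `ifdef` using the correct spelling would never match. Fix the name now. `define(`mls_policy')` on the last line has neither a descriptive comment nor a blank line separating it from the polyinstantiation entry, unlike every other tunable in this file. Finally, `define(`unlimitedRPM')` leaves rpm unconfined in an MLS policy; its comment should state why that is acceptable here.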
diff --git a/mls/types/device.te b/mls/types/device.te
new file mode 100644
index 0000000..aee0a4c
--- /dev/null
+++ b/mls/types/device.te
@@ -0,0 +1,163 @@
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#
+
+############################################
+#
+# Device types
+#
+
+#
+# device_t is the type of /dev.
+#
+type device_t, file_type, mount_point, dev_fs;
+
+#
+# null_device_t is the type of /dev/null.
+#
+type null_device_t, device_type, dev_fs, mlstrustedobject;
+
+#
+# zero_device_t is the type of /dev/zero.
+#
+type zero_device_t, device_type, dev_fs, mlstrustedobject;
+
+#
+# console_device_t is the type of /dev/console.
+#
+type console_device_t, device_type, dev_fs;
+
+#
+# xconsole_device_t is the type of /dev/xconsole
+type xconsole_device_t, file_type, dev_fs;
+
+#
+# memory_device_t is the type of /dev/kmem,
+# /dev/mem, and /dev/port.
+#
+type memory_device_t, device_type, dev_fs;
+
+#
+# random_device_t is the type of /dev/random
+# urandom_device_t is the type of /dev/urandom
+#
+type random_device_t, device_type, dev_fs;
+type urandom_device_t, device_type, dev_fs;
+
+#
+# devtty_t is the type of /dev/tty.
+#
+type devtty_t, device_type, dev_fs, mlstrustedobject;
+
+#
+# tty_device_t is the type of /dev/*tty*
+#
+type tty_device_t, serial_device, device_type, dev_fs;
+
+#
+# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
+type bsdpty_device_t, device_type, dev_fs;
+
+#
+# usbtty_device_t is the type of /dev/usr/tty*
+#
+type usbtty_device_t, serial_device, device_type, dev_fs;
+
+#
+# printer_device_t is the type for printer devices
+#
+type printer_device_t, device_type, dev_fs;
+
+#
+# fixed_disk_device_t is the type of 
+# /dev/hd* and /dev/sd*.
+#
+type fixed_disk_device_t, device_type, dev_fs;
+
+#
+# scsi_generic_device_t is the type of /dev/sg*
+# it gives access to ALL SCSI devices (both fixed and removable)
+#
+type scsi_generic_device_t, device_type, dev_fs;
+
+#
+# removable_device_t is the type of
+# /dev/scd* and /dev/fd*.
+#
+type removable_device_t, device_type, dev_fs;
+
+#
+# clock_device_t is the type of
+# /dev/rtc.
+#
+type clock_device_t, device_type, dev_fs;
+
+#
+# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
+#
+type tun_tap_device_t, device_type, dev_fs;
+
+#
+# misc_device_t is the type of miscellaneous devices.
+# XXX:  FIXME!  Appropriate access to these devices need to be identified.
+#
+type misc_device_t, device_type, dev_fs;
+
+#
+# A more general type for mouse devices.
+#
+type mouse_device_t, device_type, dev_fs;
+
+#
+# For generic /dev/input/event* event devices
+#
+type event_device_t, device_type, dev_fs;
+
+#
+# Not sure what these devices are for, but X wants access to them.
+#
+type agp_device_t, device_type, dev_fs;
+type dri_device_t, device_type, dev_fs;
+
+# Type for sound devices.
+type sound_device_t, device_type, dev_fs;
+
+# Type for /dev/ppp.
+type ppp_device_t, device_type, dev_fs;
+
+# Type for frame buffer /dev/fb/*
+type framebuf_device_t, device_type, dev_fs;
+
+# Type for /dev/.devfsd
+type devfs_control_t, device_type, dev_fs;
+
+# Type for /dev/cpu/mtrr and /proc/mtrr
+type mtrr_device_t, device_type, dev_fs, proc_fs;
+
+# Type for /dev/pmu 
+type power_device_t, device_type, dev_fs;
+
+# Type for /dev/apm_bios
+type apm_bios_t, device_type, dev_fs;
+
+# Type for v4l
+type v4l_device_t, device_type, dev_fs;
+
+# tape drives
+type tape_device_t, device_type, dev_fs;
+
+# scanners
+type scanner_device_t, device_type, dev_fs;
+
+# cpu control devices /dev/cpu/0/*
+type cpu_device_t, device_type, dev_fs;
+
+# for other device nodes such as the NVidia binary-only driver
+type xserver_misc_device_t, device_type, dev_fs;
+
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t, device_type, dev_fs;
+
+
+
+
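Review bot: `usbtty_device_t is the type of /dev/usr/tty*` looks like a typo for a USB path (`/dev/usb/tty*`); confirm and fix. `accelorator` in the z90crypt comment should be `accelerator`. The comment blocks for `xconsole_device_t` and `bsdpty_device_t` omit the closing `#` line that every other block has, and the file ends with three blank lines. The `XXX: FIXME!` on `misc_device_t` should be tracked as an open item rather than shipped in a new file, since the access granted to that catch-all type is admittedly not yet identified.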
diff --git a/mls/types/devpts.te b/mls/types/devpts.te
new file mode 100644
index 0000000..c6982ac
--- /dev/null
+++ b/mls/types/devpts.te
@@ -0,0 +1,23 @@
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#
+
+############################################
+#
+# Devpts types
+#
+
+#
+# ptmx_t is the type for /dev/ptmx.
+#
+type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
+
+#
+# devpts_t is the type of the devpts file system and 
+# the type of the root directory of the file system.
+#
+type devpts_t, mount_point, fs_type;
+
+ifdef(`targeted_policy', `
+typeattribute devpts_t ttyfile;
+')
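Review bot: the `ifdef(`targeted_policy', ...)` branch sits in a file under `mls/`, and tunable.tun in this series defines `mls_policy`; if this tree is never built as targeted policy the branch is dead and should be dropped, and if the tree is shared a comment should say so. `ptmx_t` also carries `sysadmfile`, which no device type in device.te does; and the `mlstrustedobject` attribute (presumably so that processes at any level can open /dev/ptmx, as with `devtty_t`) deserves a comment explaining the exemption.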
diff --git a/mls/types/file.te b/mls/types/file.te
new file mode 100644
index 0000000..fc03dcd
--- /dev/null
+++ b/mls/types/file.te
@@ -0,0 +1,326 @@
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#
+
+#######################################
+#
+# General file-related types
+#
+
+#
+# unlabeled_t is the type of unlabeled objects.
+# Objects that have no known labeling information or that
+# have labels that are no longer valid are treated as having this type.
+#
+type unlabeled_t, sysadmfile;
+
+#
+# fs_t is the default type for conventional filesystems.
+#
+type fs_t, fs_type;
+
+# needs more work
+type eventpollfs_t, fs_type;
+type futexfs_t, fs_type;
+type bdev_t, fs_type;
+type usbfs_t, mount_point, fs_type;
+type nfsd_fs_t, fs_type;
+type rpc_pipefs_t, fs_type;
+type binfmt_misc_fs_t, mount_point, fs_type;
+
+#
+# file_t is the default type of a file that has not yet been
+# assigned an extended attribute (EA) value (when using a filesystem
+# that supports EAs).
+#
+type file_t, file_type, mount_point, sysadmfile;
+
+# default_t is the default type for files that do not
+# match any specification in the file_contexts configuration
+# other than the generic /.* specification.
+type default_t, file_type, mount_point, sysadmfile;
+
+#
+# root_t is the type for the root directory.
+#
+type root_t, file_type, mount_point, polyparent, sysadmfile;
+
+#
+# mnt_t is the type for mount points such as /mnt/cdrom
+type mnt_t, file_type, mount_point, sysadmfile;
+
+#
+# home_root_t is the type for the directory where user home directories
+# are created
+#
+type home_root_t, file_type, mount_point, polyparent, sysadmfile;
+
+#
+# lost_found_t is the type for the lost+found directories.
+#
+type lost_found_t, file_type, sysadmfile;
+
+#
+# boot_t is the type for files in /boot,
+# including the kernel.
+#
+type boot_t, file_type, mount_point, sysadmfile;
+# system_map_t is for the system.map files in /boot
+type system_map_t, file_type, sysadmfile;
+
+#
+# boot_runtime_t is the type for /boot/kernel.h,
+# which is automatically generated at boot time.
+# only for red hat
+type boot_runtime_t, file_type, sysadmfile;
+
+#
+# tmp_t is the type of /tmp and /var/tmp.
+#
+type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile;
+
+#
+# etc_t is the type of the system etc directories.
+#
+type etc_t, file_type, sysadmfile;
+
+# etc_mail_t is the type of /etc/mail.
+type etc_mail_t, file_type, sysadmfile, usercanread;
+
+#
+# shadow_t is the type of the /etc/shadow file
+#
+type shadow_t, file_type, secure_file_type;
+allow auth shadow_t:file { getattr read };
+
+#
+# ld_so_cache_t is the type of /etc/ld.so.cache.
+#
+type ld_so_cache_t, file_type, sysadmfile;
+
+#
+# etc_runtime_t is the type of various
+# files in /etc that are automatically
+# generated during initialization.
+#
+type etc_runtime_t, file_type, sysadmfile;
+
+#
+# fonts_runtime_t is the type of various
+# fonts files in /usr that are automatically
+# generated during initialization.
+#
+type fonts_t, file_type, sysadmfile, usercanread;
+
+#
+# etc_aliases_t is the type of the aliases database.
+#
+type etc_aliases_t, file_type, sysadmfile;
+
+# net_conf_t is the type of the /etc/resolv.conf file.
+# all DHCP clients and PPP need write access to this file.
+type net_conf_t, file_type, sysadmfile;
+
+#
+# lib_t is the type of files in the system lib directories.
+#
+type lib_t, file_type, sysadmfile;
+
+#
+# shlib_t is the type of shared objects in the system lib
+# directories.
+#
+ifdef(`targeted_policy', `
+typealias lib_t alias shlib_t;
+', `
+type shlib_t, file_type, sysadmfile;
+')
+
+#
+# texrel_shlib_t is the type of shared objects in the system lib
+# directories, which require text relocation.
+#
+ifdef(`targeted_policy', `
+typealias lib_t alias texrel_shlib_t;
+', `
+type texrel_shlib_t, file_type, sysadmfile;
+')
+
+# ld_so_t is the type of the system dynamic loaders.
+#
+type ld_so_t, file_type, sysadmfile;
+
+#
+# bin_t is the type of files in the system bin directories.
+#
+type bin_t, file_type, sysadmfile;
+
+#
+# cert_t is the type of files in the system certs directories.
+#
+type cert_t, file_type, sysadmfile, secure_file_type;
+
+#
+# ls_exec_t is the type of the ls program.
+#
+type ls_exec_t, file_type, exec_type, sysadmfile;
+
+#
+# shell_exec_t is the type of user shells such as /bin/bash.
+#
+type shell_exec_t, file_type, exec_type, sysadmfile;
+
+#
+# sbin_t is the type of files in the system sbin directories.
+#
+type sbin_t, file_type, sysadmfile;
+
+#
+# usr_t is the type for /usr.
+#
+type usr_t, file_type, mount_point, sysadmfile;
+
+#
+# src_t is the type of files in the system src directories.
+#
+type src_t, file_type, mount_point, sysadmfile;
+
+#
+# var_t is the type for /var.
+#
+type var_t, file_type, mount_point, sysadmfile;
+
+#
+# Types for subdirectories of /var.
+#
+type var_run_t, file_type, sysadmfile;
+type var_log_t, file_type, sysadmfile, logfile;
+typealias var_log_t alias crond_log_t;
+type faillog_t, file_type, sysadmfile, logfile;
+type var_lock_t, file_type, sysadmfile, lockfile;
+type var_lib_t, mount_point, file_type, sysadmfile;
+type var_auth_t, file_type, sysadmfile;
+# for /var/{spool,lib}/texmf index files
+type tetex_data_t, file_type, sysadmfile, tmpfile;
+type var_spool_t, file_type, sysadmfile, tmpfile;
+type var_yp_t, file_type, sysadmfile;
+
+# Type for /var/log/ksyms.
+type var_log_ksyms_t, file_type, sysadmfile, logfile;
+
+# Type for /var/log/lastlog.
+type lastlog_t, file_type, sysadmfile, logfile;
+
+# Type for /var/lib/nfs.
+type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread;
+
+#
+# wtmp_t is the type of /var/log/wtmp.
+#
+type wtmp_t, file_type, sysadmfile, logfile;
+
+#
+# cron_spool_t is the type for /var/spool/cron.
+#
+type cron_spool_t, file_type, sysadmfile;
+
+#
+# print_spool_t is the type for /var/spool/lpd and /var/spool/cups.
+#
+type print_spool_t, file_type, sysadmfile, tmpfile;
+
+#
+# mail_spool_t is the type for /var/spool/mail.
+#
+type mail_spool_t, file_type, sysadmfile;
+
+#
+# mqueue_spool_t is the type for /var/spool/mqueue.
+#
+type mqueue_spool_t, file_type, sysadmfile;
+
+#
+# man_t is the type for the man directories.
+#
+type man_t, file_type, sysadmfile;
+typealias man_t alias catman_t;
+
+#
+# readable_t is a general type for
+# files that are readable by all domains.
+#
+type readable_t, file_type, sysadmfile;
+
+# 
+# Base type for the tests directory.
+# 
+type test_file_t, file_type, sysadmfile;
+
+#
+# poly_t is the type for the polyinstantiated directories.
+#
+type poly_t, file_type, sysadmfile;
+
+#
+# swapfile_t is for swap files
+#
+type swapfile_t, file_type, sysadmfile;
+
+#
+# locale_t is the type for system localization
+# 
+type locale_t, file_type, sysadmfile;
+
+#
+# Allow each file type to be associated with 
+# the default file system type.
+#
+allow { file_type device_type ttyfile } fs_t:filesystem associate;
+
+type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
+allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
+allow { logfile tmpfile home_type } tmp_t:filesystem associate;
+ifdef(`distro_redhat', `
+allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
+')
+
+type autofs_t, fs_type, noexattrfile, sysadmfile;
+type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
+type sysfs_t, mount_point, fs_type,  sysadmfile;
+type iso9660_t, fs_type, noexattrfile, sysadmfile;
+type romfs_t, fs_type, sysadmfile;
+type ramfs_t, fs_type, sysadmfile;
+type dosfs_t, fs_type, noexattrfile, sysadmfile;
+type hugetlbfs_t, mount_point, fs_type,  sysadmfile;
+typealias file_t alias  mqueue_t;
+
+# udev_runtime_t is the type of the udev table file
+type udev_runtime_t, file_type, sysadmfile;
+
+# krb5_conf_t is the type of the /etc/krb5.conf file
+type krb5_conf_t, file_type, sysadmfile;
+
+type cifs_t, fs_type, noexattrfile, sysadmfile;
+type debugfs_t, fs_type, sysadmfile;
+type configfs_t, fs_type, sysadmfile;
+type inotifyfs_t, fs_type, sysadmfile;
+type capifs_t, fs_type, sysadmfile;
+
+# removable_t is the default type of all removable media
+type removable_t, file_type, sysadmfile, usercanread;
+allow file_type removable_t:filesystem associate;
+allow file_type noexattrfile:filesystem associate;
+
+# Type for anonymous FTP data, used by ftp and rsync
+type public_content_t, file_type, sysadmfile, customizable;
+type public_content_rw_t, file_type, sysadmfile, customizable;
+typealias public_content_t alias ftpd_anon_t;
+typealias public_content_rw_t alias ftpd_anon_rw_t;
+
+# type for /tmp/.ICE-unix
+type ice_tmp_t, file_type, sysadmfile, tmpfile;
+
+# type for /usr/share/hwdata
+type hwdata_t, file_type, sysadmfile;
+allow { fs_type file_type } self:filesystem associate;
+
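Review bot: the comment above `type fonts_t, file_type, sysadmfile, usercanread;` documents a type named `fonts_runtime_t` ("fonts_runtime_t is the type of various fonts files in /usr that are automatically generated during initialization"), but the type actually declared is `fonts_t`; either fix the comment to describe `fonts_t` or declare the type the comment describes, since "generated during initialization" is not a description of a general fonts type. Similarly, `boot_runtime_t` carries the comment `# only for red hat` but is declared unconditionally, whereas the other Red Hat specific statement in this file is guarded with `ifdef(`distro_redhat', ...)`; wrap the declaration the same way or drop the comment so code and comment agree. Minor: `type sysfs_t, mount_point, fs_type,  sysadmfile;`, the `hugetlbfs_t` declaration and `typealias file_t alias  mqueue_t;` contain doubled spaces.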
diff --git a/mls/types/network.te b/mls/types/network.te
new file mode 100644
index 0000000..c5965fd
--- /dev/null
+++ b/mls/types/network.te
@@ -0,0 +1,179 @@
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#
+
+# Modified by Reino Wallin <reino@oribium.com>
+# Multi NIC, and IPSEC features
+
+# Modified by Russell Coker
+# Move port types to their respective domains, add ifdefs, other cleanups.
+
+type xserver_port_t, port_type;
+#
+# Defines used by the te files need to be defined outside of net_constraints
+#
+type rsh_port_t, port_type, reserved_port_type;
+type dns_port_t, port_type, reserved_port_type;
+type smtp_port_t, port_type, reserved_port_type;
+type dhcpd_port_t, port_type, reserved_port_type;
+type smbd_port_t, port_type, reserved_port_type;
+type nmbd_port_t, port_type, reserved_port_type;
+type http_cache_port_t, port_type;
+type http_port_t, port_type, reserved_port_type;
+type ipp_port_t, port_type, reserved_port_type;
+type gopher_port_t, port_type, reserved_port_type;
+type isakmp_port_t, port_type, reserved_port_type;
+
+allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
+type pop_port_t, port_type, reserved_port_type;
+
+type ftp_port_t, port_type, reserved_port_type;
+type ftp_data_port_t, port_type, reserved_port_type;
+
+############################################
+#
+# Network types
+#
+
+#
+# mail_port_t is for generic mail ports shared by different mail servers
+#
+type mail_port_t, port_type;
+
+#
+# Ports used to communicate with kerberos server
+#
+type kerberos_port_t, port_type, reserved_port_type;
+type kerberos_admin_port_t, port_type, reserved_port_type;
+
+#
+# Ports used to communicate with portmap server
+#
+type portmap_port_t, port_type, reserved_port_type;
+
+#
+# Ports used to communicate with ldap server
+#
+type ldap_port_t, port_type, reserved_port_type;
+
+#
+# port_t is the default type of INET port numbers.
+# The *_port_t types are used for specific port
+# numbers in net_contexts or net_contexts.mls.
+#
+type port_t, port_type;
+
+# reserved_port_t is the default type for INET reserved ports
+# that are not otherwise mapped to a specific port type.
+type reserved_port_t, port_type;
+
+#
+# netif_t is the default type of network interfaces.
+# The netif_*_t types are used for specific network
+# interfaces in net_contexts or net_contexts.mls.
+#
+type netif_t, netif_type;
+type netif_lo_t, netif_type;
+
+
+#
+# node_t is the default type of network nodes.
+# The node_*_t types are used for specific network
+# nodes in net_contexts or net_contexts.mls.
+#
+type node_t, node_type;
+type node_lo_t, node_type;
+type node_internal_t, node_type;
+type node_inaddr_any_t, node_type;
+type node_unspec_t, node_type;
+type node_link_local_t, node_type;
+type node_site_local_t, node_type;
+type node_multicast_t, node_type;
+type node_mapped_ipv4_t, node_type;
+type node_compat_ipv4_t, node_type;
+
+# Kernel-generated traffic, e.g. ICMP replies.
+allow kernel_t netif_type:netif { rawip_send rawip_recv };
+allow kernel_t node_type:node { rawip_send rawip_recv };
+
+# Kernel-generated traffic, e.g. TCP resets.
+allow kernel_t netif_type:netif { tcp_send tcp_recv };
+allow kernel_t node_type:node { tcp_send tcp_recv };
+type radius_port_t, port_type;
+type radacct_port_t, port_type;
+type rndc_port_t, port_type, reserved_port_type;
+type tftp_port_t, port_type, reserved_port_type;
+type printer_port_t, port_type, reserved_port_type;
+type mysqld_port_t, port_type;
+type postgresql_port_t, port_type;
+type ptal_port_t, port_type;
+type howl_port_t, port_type;
+type dict_port_t, port_type;
+type syslogd_port_t, port_type, reserved_port_type;
+type spamd_port_t, port_type, reserved_port_type;
+type ssh_port_t, port_type, reserved_port_type;
+type pxe_port_t, port_type;
+type amanda_port_t, port_type;
+type fingerd_port_t, port_type, reserved_port_type;
+type dhcpc_port_t, port_type, reserved_port_type;
+type ntp_port_t, port_type, reserved_port_type;
+type stunnel_port_t, port_type;
+type zebra_port_t, port_type;
+type i18n_input_port_t, port_type;
+type vnc_port_t, port_type;
+type pegasus_http_port_t, port_type;
+type pegasus_https_port_t, port_type;
+type openvpn_port_t, port_type;
+type clamd_port_t, port_type;
+type transproxy_port_t, port_type;
+type clockspeed_port_t, port_type;
+type pyzor_port_t, port_type;
+type postgrey_port_t, port_type;
+type asterisk_port_t, port_type;
+type utcpserver_port_t, port_type;
+type nessus_port_t, port_type;
+type razor_port_t, port_type;
+type distccd_port_t, port_type;
+type socks_port_t, port_type;
+type gatekeeper_port_t, port_type;
+type dcc_port_t, port_type;
+type lrrd_port_t, port_type;
+type jabber_client_port_t, port_type;
+type jabber_interserver_port_t, port_type;
+type ircd_port_t, port_type;
+type giftd_port_t, port_type;
+type soundd_port_t, port_type;
+type imaze_port_t, port_type;
+type monopd_port_t, port_type;
+# Differentiate between the port where amavisd receives mail, and the
+# port where it returns cleaned mail back to the MTA.
+type amavisd_recv_port_t, port_type;
+type amavisd_send_port_t, port_type;
+type innd_port_t, port_type, reserved_port_type;
+type snmp_port_t, port_type, reserved_port_type;
+type biff_port_t, port_type, reserved_port_type;
+type hplip_port_t, port_type;
+
+#inetd_child_ports
+
+type rlogind_port_t, port_type, reserved_port_type;
+type telnetd_port_t, port_type, reserved_port_type;
+type comsat_port_t, port_type, reserved_port_type;
+type cvs_port_t, port_type;
+type dbskkd_port_t, port_type;
+type inetd_child_port_t, port_type, reserved_port_type;
+type ktalkd_port_t, port_type, reserved_port_type;
+type rsync_port_t, port_type, reserved_port_type;
+type uucpd_port_t, port_type, reserved_port_type;
+type swat_port_t, port_type, reserved_port_type;
+type zope_port_t, port_type;
+type auth_port_t, port_type, reserved_port_type;
+
+# afs ports
+
+type afs_fs_port_t, port_type;
+type afs_pt_port_t, port_type;
+type afs_vl_port_t, port_type;
+type afs_ka_port_t, port_type;
+type afs_bos_port_t, port_type;
+
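Review bot: the rule `allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;` is dropped in the middle of the port type declaration block (between `isakmp_port_t` and `pop_port_t`) under a comment that says the section holds "Defines used by the te files"; move it out of the declaration list, either below all the type declarations or into the domain file that owns `web_client_domain`, in line with the header note "Move port types to their respective domains". The same applies to `type xserver_port_t, port_type;`, which sits above the section comment, and to the long run of `*_port_t` declarations that begins right after the `kernel_t` tcp_send/tcp_recv rules with no blank line or comment separating them; keeping all port declarations in one commented block makes it much easier to check that every port below 1024 actually carries `reserved_port_type`.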
diff --git a/mls/types/nfs.te b/mls/types/nfs.te
new file mode 100644
index 0000000..e6dd6e0
--- /dev/null
+++ b/mls/types/nfs.te
@@ -0,0 +1,21 @@
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#
+
+#############################################
+#
+# NFS types
+#
+
+#
+# nfs_t is the default type for NFS file systems 
+# and their files.  
+# The nfs_*_t types are used for specific NFS
+# servers in net_contexts or net_contexts.mls.
+#
+type nfs_t, mount_point, fs_type;
+
+#
+# Allow NFS files to be associated with an NFS file system.
+#
+allow file_type nfs_t:filesystem associate;
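Review bot: `nfs_t` is declared as `mount_point, fs_type` only, which is why it needs its own `allow file_type nfs_t:filesystem associate;` rule; the other filesystems without extended attribute support in file.te (`cifs_t`, `iso9660_t`, `dosfs_t`) are declared with `noexattrfile, sysadmfile` and are already covered by the generic `allow file_type noexattrfile:filesystem associate;` there. Consider declaring `type nfs_t, mount_point, fs_type, noexattrfile, sysadmfile;` for consistency, so that any rule keyed on those attributes applies to NFS mounts as well; if NFS is deliberately kept out of `sysadmfile`, a comment saying so would help the next reader.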
diff --git a/mls/types/procfs.te b/mls/types/procfs.te
new file mode 100644
index 0000000..20703ac
--- /dev/null
+++ b/mls/types/procfs.te
@@ -0,0 +1,50 @@
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#
+
+############################################
+#
+# Procfs types
+#
+
+#
+# proc_t is the type of /proc.
+# proc_kmsg_t is the type of /proc/kmsg.
+# proc_kcore_t is the type of /proc/kcore.
+# proc_mdstat_t is the type of /proc/mdstat.
+# proc_net_t is the type of /proc/net.
+#
+type proc_t, fs_type, mount_point, proc_fs;
+type proc_kmsg_t, proc_fs;
+type proc_kcore_t, proc_fs;
+type proc_mdstat_t, proc_fs;
+type proc_net_t, proc_fs;
+
+#
+# sysctl_t is the type of /proc/sys.
+# sysctl_fs_t is the type of /proc/sys/fs.
+# sysctl_kernel_t is the type of /proc/sys/kernel.
+# sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe.
+# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug.
+# sysctl_net_t is the type of /proc/sys/net.
+# sysctl_net_unix_t is the type of /proc/sys/net/unix.
+# sysctl_vm_t is the type of /proc/sys/vm.
+# sysctl_dev_t is the type of /proc/sys/dev.
+# sysctl_rpc_t is the type of /proc/net/rpc.
+#
+# These types are applied to both the entries in
+# /proc/sys and the corresponding sysctl parameters.
+#
+type sysctl_t, mount_point, sysctl_type;
+type sysctl_fs_t, sysctl_type;
+type sysctl_kernel_t, sysctl_type;
+type sysctl_modprobe_t, sysctl_type;
+type sysctl_hotplug_t, sysctl_type;
+type sysctl_net_t, sysctl_type;
+type sysctl_net_unix_t, sysctl_type;
+type sysctl_vm_t, sysctl_type;
+type sysctl_dev_t, sysctl_type;
+type sysctl_rpc_t, sysctl_type;
+type sysctl_irq_t, sysctl_type;
+
+
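Review bot: `type sysctl_irq_t, sysctl_type;` has no entry in the comment block that documents every other `sysctl_*_t` type together with its path under /proc; add a line for it so the list stays complete. The block also says these types apply to "entries in /proc/sys and the corresponding sysctl parameters", yet `sysctl_rpc_t` is documented as `/proc/net/rpc`, which is not under /proc/sys; a short note on why it is grouped with the sysctl types would avoid confusion. Minor: the file ends with two blank lines.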
diff --git a/mls/types/security.te b/mls/types/security.te
new file mode 100644
index 0000000..cc1574f
--- /dev/null
+++ b/mls/types/security.te
@@ -0,0 +1,60 @@
+#
+# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
+#
+
+############################################
+#
+# Security types
+#
+
+# 
+# security_t is the target type when checking
+# the permissions in the security class.  It is also
+# applied to selinuxfs inodes.
+#
+type security_t, mount_point, fs_type, mlstrustedobject;
+dontaudit domain security_t:dir search;
+dontaudit domain security_t:file { getattr read };
+
+#
+# policy_config_t is the type of /etc/security/selinux/*
+# the security server policy configuration.
+#
+type policy_config_t, file_type, secadmfile;
+# Since libselinux attempts to read these by default, most domains 
+# do not need it.
+dontaudit domain selinux_config_t:dir search;
+dontaudit domain selinux_config_t:file { getattr read };
+
+#
+# policy_src_t is the type of the policy source
+# files.
+#
+type policy_src_t, file_type, secadmfile;
+
+
+#
+# default_context_t is the type applied to 
+# /etc/selinux/*/contexts/*
+#
+type default_context_t, file_type, login_contexts, secadmfile;
+
+#
+# file_context_t is the type applied to 
+# /etc/selinux/*/contexts/files
+#
+type file_context_t, file_type, secadmfile;
+
+#
+# no_access_t is the type for objects that should
+# only be accessed administratively. 
+#
+type no_access_t, file_type, sysadmfile;
+
+#
+# selinux_config_t is the type applied to 
+# /etc/selinux/config
+#
+type selinux_config_t, file_type, secadmfile;
+
+
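Review bot: the two `dontaudit domain selinux_config_t:...` rules are placed directly under the `policy_config_t` declaration and its comment ("Since libselinux attempts to read these by default, most domains do not need it"), but they target `selinux_config_t`, which is only declared at the bottom of the file; either the rules were meant to cover `policy_config_t`, as their placement suggests, or they should move next to the `selinux_config_t` declaration so the comment and the rules agree. Also, the comment gives `policy_config_t` as `/etc/security/selinux/*` while every other path in this file is under `/etc/selinux/...`; please confirm which layout this policy targets and use one convention.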
diff --git a/mls/types/x.te b/mls/types/x.te
new file mode 100644
index 0000000..0cee314
--- /dev/null
+++ b/mls/types/x.te
@@ -0,0 +1,32 @@
+#
+# Authors:  Eamon Walsh <ewalsh@epoch.ncsc.mil>
+#
+
+#######################################
+#
+# Types for the SELinux-enabled X Window System
+#
+
+#
+# X protocol extension types.  The SELinux extension in the X server
+# has a hardcoded table that maps actual extension names to these types.
+#
+type accelgraphics_ext_t, xextension;
+type debug_ext_t, xextension;
+type font_ext_t, xextension;
+type input_ext_t, xextension;
+type screensaver_ext_t, xextension;
+type security_ext_t, xextension;
+type shmem_ext_t, xextension;
+type std_ext_t, xextension;
+type sync_ext_t, xextension;
+type unknown_ext_t, xextension;
+type video_ext_t, xextension;
+type windowmgr_ext_t, xextension;
+
+#
+# X property types.  The SELinux extension in the X server has a 
+# hardcoded table that maps actual extension names to these types.
+#
+type wm_property_t, xproperty;
+type unknown_property_t, xproperty;
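Review bot: the comment above the property types is a copy of the extension comment and says the X server table "maps actual extension names to these types"; for `wm_property_t` and `unknown_property_t` it should say property names.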
diff --git a/mls/users b/mls/users
new file mode 100644
index 0000000..058c5fb
--- /dev/null
+++ b/mls/users
@@ -0,0 +1,57 @@
+##################################
+#
+# User configuration.
+#
+# This file defines each user recognized by the system security policy.
+# Only the user identities defined in this file may be used as the
+# user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity.  The syntax of a user declaration is:
+#
+# 	user username roles role_set [ level default_level range allowed_range ] level s0 range s0 - s15:c0.c255;
+#
+# The MLS default level and allowed range should only be specified if 
+# MLS was enabled in the policy.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system_u,
+# and a user process should never be assigned the system_u user
+# identity.
+#
+user system_u roles system_r level s0 range s0 - s15:c0.c255;
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+user user_u roles { user_r } level s0 range s0 - s0; 
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+
+# The sysadm_r user also needs to be permitted system_r if we are to allow
+# direct execution of daemons
+user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') } level s0 range s0 - s15:c0.c255;
+
+# sample for administrative user
+#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') } level s0 range s0 - s15:c0.c255;
+
+# sample for regular user
+#user jdoe roles { user_r } level s0 range s0 - s15:c0.c255;
+
+#
+# The following users correspond to special Unix identities
+# 
+ifdef(`nx_server.te', `
+user nx roles nx_server_r level s0 range s0 - s15:c0.c255;
+')
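Review bot: the syntax line `user username roles role_set [ level default_level range allowed_range ] level s0 range s0 - s15:c0.c255;` mixes the bracketed template with a concrete `level ... range ...` clause, so the grammar as written shows `level` and `range` twice; state the template on its own and give the concrete clause as a separate example, as the `user root ...` declaration below already does. Minor: trailing whitespace after `range s0 - s0;` on the `user_u` line.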